Create AD Auditable Local Admins
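break # To prevent accidental example script execution

# Creates one "<server>.AdminGroup" global security group per server, adds the
# shared service accounts to every group, and nests each group into the local
# Administrators group of its server. Expressing local admin membership through
# a per-server AD group is what makes it auditable centrally.
#
# Inputs:   serverset1.txt / serverset2.txt - one server name per line
# Requires: the ActiveDirectory module, rights to create groups in the target
#           OUs, and PowerShell remoting (Invoke-Command) to every listed server.
Import-Module ActiveDirectory

# Environment-specific values, kept together so they are easy to adjust.
# $Domain is the NetBIOS domain name used by the WinNT provider on the remote
# side to resolve the AD group.
$Domain   = "CONTOSO"
$FirstOU  = "OU=Loc1,OU=Groups,DC=contoso,DC=com"
$SecondOU = "OU=Loc2,OU=Groups,DC=contoso,DC=com"
$Members  = "serviceaccount1","serviceaccount2"

# Reads a server list file, trimming whitespace and dropping blank lines.
# @() forces an array even when the file holds a single name: Get-Content
# returns a plain string in that case, and '+=' on a string concatenates
# text instead of appending to a list, silently producing a bogus server name.
function Get-ServerSet([string]$Path) {
    return @(Get-Content -Path $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$FirstServerSet  = Get-ServerSet "serverset1.txt"
$SecondServerSet = Get-ServerSet "serverset2.txt"

# Create all groups for serverset1
# -GroupCategory Security is the default, stated explicitly because only a
# security group can be granted rights on a server.
foreach ($Server in $FirstServerSet) {
    New-ADGroup "$Server.AdminGroup" -Path $FirstOU -GroupScope Global -GroupCategory Security
}

# Create all groups for serverset2
foreach ($Server in $SecondServerSet) {
    New-ADGroup "$Server.AdminGroup" -Path $SecondOU -GroupScope Global -GroupCategory Security
}

# Add members to all groups, and all groups to appropriate servers
$AllServers = @($FirstServerSet) + @($SecondServerSet)
foreach ($Server in $AllServers) {
    Add-ADGroupMember -Identity "$Server.AdminGroup" -Members $Members
    # The domain name is passed in explicitly: the script block runs on the
    # remote host, which does not see this session's variables.
    Invoke-Command -ComputerName $Server -ArgumentList $Domain -ScriptBlock {
        param([string]$Domain)
        $LocalAdmin = [ADSI]"WinNT://$($ENV:ComputerName)/Administrators,group"
        # Nest the server's AD group into the local Administrators group.
        $LocalAdmin.psbase.Invoke("Add",([ADSI]"WinNT://$Domain/$($ENV:ComputerName).AdminGroup").path)
    }
}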