0

Utilizing PowerShell, I'm trying to get a list of users/groups which have Remote Desktop User permissions to be able to log onto a server.

I can utilise "net localgroup" to get a list of the groups/users with Remote Desktop User Permissions:

PS C:\Users\pal.test> net localgroup "Remote Desktop Users"
Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members


PAL\kron.pal
PAL\PAL-VPN-Clients
The command completed successfully.

However if I run this command and output to a variable I get all the headings included:

PS C:\Users\pal.test> $RDPUsers = net localgroup "Remote Desktop Users"

PS C:\Users\pal.test> write-host $RDPUsers

Alias name Remote Desktop Users Comment Members in this group are granted the right to logon remotely Member s ------------------------------------------------------------------------------- PAL\kron.pal PAL\PAL-VPN-Client
The command completed successfully.

For other commands like "Get-WMIObject" I would utilise "| Select-Object -ExpandProperty Members" to filter the property and select only the property values. However, if I use this I get either a blank output or an error when I try to use -ExpandProperty:

PS C:\Users\pal.test> net localgroup "Remote Desktop Users" | Select-Object -ExpandProperty Members
Select-Object : Property "Members" cannot be found.
At line:1 char:41
+ net localgroup "Remote Desktop Users" | Select-Object -ExpandProperty Members
    + CategoryInfo          : InvalidArgument: (Alias name     Remote Desktop Users:PSObject) [Select-Object], PSArgumentException
    + FullyQualifiedErrorId : ExpandPropertyNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand
    

Is there a better way to list the users/groups in Windows Server 2008/2012/2016 than using "net localgroup"?

If not how do you filter the output of "net localgroup"?

4
  • Could you please edit your question and format the code as code? Thanks. Commented Feb 14, 2019 at 2:25
  • For Windows Server 2016 you could use Get-LocalGroup. Commented Feb 14, 2019 at 2:30
  • Thanks Olaf, the "Get-LocalGroup" works on Windows Server 2016; however, the cmdlet doesn't appear to be available in Windows Server 2008 and 2012. I get a "is not the name of a recognised cmdlet". I'll use the Windows version to create an if statement and use the "Get-LocalGroup" for Windows Server 2016. Commented Feb 14, 2019 at 2:49
  • Anyone know of any other options for Windows Server 2008 and 2012? Thanks. Commented Feb 14, 2019 at 2:52

4 Answers

1

This too is untested by me on Server 2008/2012/2016 but it may help:

function Get-LocalGroupMembers {
    [CmdletBinding()]
    Param(
        # Not mandatory: when no identity is given, all local groups are returned
        [Parameter(Mandatory = $false, Position = 0)]
        [String]$Identity,
        [String]$ComputerName = $env:COMPUTERNAME
    )

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    # Context for the local SAM database of the target computer
    $context = New-Object DirectoryServices.AccountManagement.PrincipalContext('Machine', $ComputerName)

    try {
        if (!([string]::IsNullOrEmpty($Identity))) {
            # search a specific group
            [DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($context, $Identity)
        }
        else {
            # search all local groups
            $groupPrincipal    = New-Object DirectoryServices.AccountManagement.GroupPrincipal($context)
            $principalSearcher = New-Object DirectoryServices.AccountManagement.PrincipalSearcher($groupPrincipal)
            # run the query here, before the query objects are disposed
            $principalSearcher.FindAll()
        }
    }
    catch {
        throw "Error searching group(s) on '$ComputerName'. $($_.Exception.Message)"
    }
    finally {
        # release the query objects; the context stays open so .Members can still be read
        if ($groupPrincipal)    {$groupPrincipal.Dispose()}
        if ($principalSearcher) {$principalSearcher.Dispose()}
    }
}

(Get-LocalGroupMembers -Identity "Remote Desktop Users").Members | Select-Object -ExpandProperty Name

With the above function you will get objects returned with various properties. In this example I selected only the Name property. If you want to look at all properties, just remove the | Select-Object -ExpandProperty Name


0

i THINK this will work on 2008, but cannot test it. [blush]

$NET_LocalGroupInfo = net localgroup users |
    Select-Object -Skip 6 |
    Select-Object -SkipLast 2 |
    ForEach-Object {
        $_.Trim()
        }

$NET_LocalGroupInfo

i don't know when the -Skip* parameters were added. if that fails on your target systems, try using array indexing to get only the ones you want.


0

Thanks Lee_Dailey; your solution was very close to what I needed. I found however that PowerShell 2.0 on Windows 2008 doesn't have the 'skiplast' option as part of the "Select-Object" option.

I did use your code as the basis of an alternative solution to avoid the 'skiplast' option not being available in PowerShell 2.0 on Windows 2008.

PS C:\Users\pal.test> net localgroup "Remote Desktop Users" | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4
PAL\kron.pal
PAL\PAL-VPN-Client
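
A filter for captured "net localgroup" output that keys on the dashed separator line instead of a fixed number of skipped lines or the English status text, written to run on PowerShell 2.0. This is an added example, not code from any of the answers; ConvertFrom-NetLocalGroup is a hypothetical helper name and the sample array is constructed from the output shown in the question.

```powershell
# Added example; ConvertFrom-NetLocalGroup is a hypothetical helper name.
function ConvertFrom-NetLocalGroup {
    param([string[]]$Lines)

    # The member list starts on the line after the row of dashes.
    $sep = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^-{20,}\s*$') { $sep = $i; break }
    }
    if ($sep -lt 0) {
        throw 'No separator line found; net localgroup probably failed (check $LASTEXITCODE).'
    }

    # Collect the non-blank lines that follow the separator.
    $tail = @()
    for ($i = $sep + 1; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -and $Lines[$i].Trim()) { $tail += $Lines[$i].Trim() }
    }

    # The last non-blank line is the status message, not a member.
    # An empty group leaves only that line, so nothing is returned.
    if ($tail.Count -le 1) { return }
    $tail[0..($tail.Count - 2)]
}

# Constructed sample: the output from the question, one array element per line,
# which is how PowerShell stores the result of $x = net localgroup "..."
$sample = @(
    'Alias name     Remote Desktop Users',
    'Comment        Members in this group are granted the right to logon remotely',
    '',
    'Members',
    '',
    '-------------------------------------------------------------------------------',
    'PAL\kron.pal',
    'PAL\PAL-VPN-Clients',
    'The command completed successfully.',
    ''
)
ConvertFrom-NetLocalGroup -Lines $sample

# Live use on a server:
#   $out = net localgroup "Remote Desktop Users"
#   ConvertFrom-NetLocalGroup -Lines $out
```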


0

You can also use the cmdlet Get-LocalGroupMember in PowerShell 7:

Get-LocalGroupMember "Remote Desktop Users"
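
The version check the asker describes in the comments, sketched as one function: it uses Get-LocalGroupMember where the cmdlet exists and otherwise reads the group through the WinNT ADSI provider, which PowerShell 2.0 can call. This is an added example, not code from the answers; Get-RdpLogonPrincipal is a hypothetical name and SERVER01 in the comments is a constructed host name.

```powershell
# Added example; Get-RdpLogonPrincipal is a hypothetical name, not a built-in cmdlet.
function Get-RdpLogonPrincipal {
    [CmdletBinding()]
    param(
        [string]$GroupName    = 'Remote Desktop Users',
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Prefer the cmdlet where it exists; it only queries the local machine.
    $isLocal = $ComputerName -eq $env:COMPUTERNAME
    if ($isLocal -and (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue)) {
        Get-LocalGroupMember -Group $GroupName | ForEach-Object {
            New-Object PSObject -Property @{
                Name = $_.Name; Class = [string]$_.ObjectClass; Source = 'Get-LocalGroupMember'
            }
        }
        return
    }

    # Fallback for hosts without the cmdlet: bind to the group via the WinNT provider.
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members are COM objects, so their properties are read through reflection.
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # ADsPath looks like WinNT://PAL/kron.pal (domain account) or
        # WinNT://PAL/SERVER01/localuser (local account); keep the last two segments.
        # A single segment is usually a SID that no longer resolves to an account.
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        if ($parts.Count -ge 2) { $name = $parts[-2] + '\' + $parts[-1] }
        else                    { $name = $parts[0] }

        New-Object PSObject -Property @{ Name = $name; Class = $class; Source = 'ADSI WinNT' }
    }
}

# List every principal that can log on through the Remote Desktop Users group.
Get-RdpLogonPrincipal | Sort-Object Name | Format-Table Name, Class, Source -AutoSize
```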
