Script to add an AD group to the local Administrators group on multiple servers

Time: 2015-05-16 04:52:29

Tags: powershell

## Roji P Rajan

$ErrorActionPreference = "silentlycontinue"

$Domain = Read-Host "`nEnter Domain name to connect"
$UserName = Read-Host "`nEnter AD Group name to add "
$DomName = $domain + "/" + $username
write-host "`n"
foreach ($server in (gc .\servers.txt)) {
    $i = 0
    $Boo = 0
    if (Test-Connection $server -Count 1 -Quiet) {

        # Bind to the target's local Administrators group and read its current members
        $computer = [ADSI]("WinNT://" + $server + ",computer")
        $Group = $computer.psbase.children.find("Administrators")
        $members = @($group.psbase.Invoke("Members"))

        # Membership test by bare Name only
        $Check = ($members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}) -contains "$UserName"

        If ($Check -eq $True) {
            write-host "$server`t- Already Member" -foregroundcolor "yellow"
        }
        else {
            $computer = [ADSI]("WinNT://" + $server + ",computer")
            $Group = $computer.psbase.children.find("Administrators")
            $Group.Add("WinNT://" + $domain + "/" + $username)

            # Re-read the members as ADsPaths and strip the WinNT:// prefixes before comparing
            $mem = ($Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Adspath", 'GetProperty', $null, $_, $null)}) `
                -replace ('WinNT://DOMAIN/' + $server + '/'), '' -replace ('WinNT://DOMAIN/', 'DOMAIN\') -replace ('WinNT://', '')
            $total = $mem.count

            Foreach ($member in $mem) {
                if ("$member" -eq "$Domain/$UserName") {
                    write-host "$server`t- Successfully Updated" -foregroundcolor "green"
                    $Boo = 1
                }
                $i = $i + 1

                If ($total -eq $i -And $Boo -eq 0) {
                    write-host "$server`t- Failed - User not exist or the server is not ready" -foregroundcolor "magenta"
                }
            }
        }
    }
    else {
        write-host "$server `t- Failed to connect the Host Name" -foregroundcolor "Red"
    }
}
write-host "`n"

Using the PowerShell code above, I can add a particular domain group to the local Administrators group on multiple servers. However, if I run the script from any one of the servers that is already listed in servers.txt, that particular server does not get updated. Can anyone point out what I am missing? Thanks in advance.

3 answers:

Answer 0 (score: 1)

Here is a link to a simple script: https://deepakkhare.azurewebsites.net/powershell-add-remove-multiple-security-groups-on-multiple-windows-servers/

# This script will add multiple groups on multiple servers
# Make sure you have one server in each row in the servers text file
# you must have administrator access on the server

$ServersList = "D:\ServersList.txt"
$ServerNames = get-content $ServersList

$UserGroupFilePath = "D:\SecurityGroup.txt"
$UserGroupList = get-content $UserGroupFilePath

$DomainName = "Enter your domain name here"

foreach ($name in $ServerNames)
{
    # Bind directly to the local Administrators group on the current server
    $localAdminGroup = [ADSI]("WinNT://$name/Administrators")

    # Add all the groups in text file to the current server
    foreach ($UserGroupName in $UserGroupList)
    {
        $AdminsG = [ADSI] "WinNT://$DomainName/$UserGroupName"
        $localAdminGroup.Add($AdminsG.PSBase.Path)
        Write-Host "Adding" $AdminsG.PSBase.Path "to" $name
    } # End of User Group Loop
} # End of Server List Loop

Remove multiple security groups on multiple servers

# This script will delete multiple security groups on multiple servers
# Make sure you have one server in each row in the servers text file
# you must have administrator access on the server
$ServersList = "D:\ServersList.txt"
$ServerNames = get-content $ServersList

$UserGroupFilePath = "D:\SecurityGroup.txt"
$UserGroupList = get-content $UserGroupFilePath

$DomainName = "Enter your domain name here"

foreach ($name in $ServerNames)
{
    $localAdminGroup = [ADSI]("WinNT://$name/Administrators")

    # Remove all the groups in text file from the current server
    foreach ($UserGroupName in $UserGroupList)
    {
        $AdminsG = [ADSI] "WinNT://$DomainName/$UserGroupName"
        $localAdminGroup.remove($AdminsG.PSBase.Path)
        Write-Host "remove" $AdminsG.PSBase.Path "from" $name
    } # End of User Group Loop
} # End of Server List Loop

Answer 1 (score: 0)

Create a server admins security group for the local group on all servers, e.g. "ServerAdmins@Domain".

Use a GPO to enforce and restrict local Administrators group membership.

If you determine that a role (RBA) needs ServerAdmin on all servers (e.g. Windows Server Admins), add that group to the ServerAdmins group, e.g. the Windows admin team. Put your admins in the admins group.

If it is a smaller subset of servers that the RBA group needs access to, create an ExchangeServerAdmins group and add it to the GPO for those servers. Exchange admins would be in an Exchange admins group. The Exchange Admin Team goes into the ExchangeServerAdmins group.

This way you control which groups access servers through the GPO selected by role-based access. You control membership of the groups by storing them where the appropriate people can edit them. You can also delegate this to the team leads of the teams you set up.

This also allows for temporary rights. If you bring in a consultant who needs Exchange and Lync access, you add him to those teams. When he leaves, you take him out. One edit to start, one to finish, all done at the group-membership level, easily.

This also greatly reduces maintenance when you start talking about enterprise-scale management. If you have 10-20 or even 200 servers you can script these changes, but what if you have 1000 or more?

Answer 2 (score: 0)

I did a quick test by updating the local Administrators group on the server I am working on. What is the error message? Can you remove $ErrorActionPreference = "silentlycontinue" to see if an error is generated?

Here is sample code:

#Set variables
$Domain = "Contoso"
$UserName = "JohnSmith"
$server = $env:COMPUTERNAME
#Get local admin group
$computer = [ADSI]("WinNT://" + $server + ",computer")
$Group = $computer.psbase.children.find("Administrators")
$CurrentMembers = $Group.PSbase.Invoke("Members") | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}

#Add user to local admin group
$Group.Add("WinNT://" + $domain + "/" + $username)

#verify add
$VerifyComputer = [ADSI]("WinNT://" + $server + ",computer")
$VerifyGroup = $VerifyComputer.psbase.children.find("Administrators")
$VerifyMembers = $VerifyGroup.PSbase.Invoke("Members") | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
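Both the question's script and the sample in Answer 2 test membership by the bare Name property and (in the question) run with $ErrorActionPreference set to "silentlycontinue", so a failed Add on one host produces no diagnostic at all. The block below is an added example, not code from the question, any answer, or the linked blog post: it does the same job (one domain group into the local Administrators group on each listed server) but compares members by their full ADsPath, so a local account that happens to share a name with the domain group is not mistaken for it, and it reports the real exception per server instead of hiding it. Assumptions not stated on the page: the caller is an administrator on every target, $Domain is the NetBIOS domain name (the form WinNT ADsPaths use), and the server list holds one hostname per line; the function and parameter names are this example's own.

```powershell
# Added example (not the page's code): add one domain group to the local Administrators
# group on each server and verify the result by ADsPath instead of by bare Name.

function Get-AdminMemberPaths {
    # Returns the ADsPath of every member of the given WinNT group object,
    # e.g. "WinNT://CONTOSO/ServerAdmins" for a domain group or
    # "WinNT://CONTOSO/SERVER01/Administrator" for a local account.
    param([Parameter(Mandatory)] [System.DirectoryServices.DirectoryEntry] $Group)
    @($Group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-DomainGroupToLocalAdmins {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Domain,      # NetBIOS domain name (assumption)
        [Parameter(Mandatory)] [string]   $GroupName,   # AD group to grant local admin
        [Parameter(Mandatory)] [string[]] $ComputerName # one or more target hosts
    )

    # Make cmdlet errors terminating so the per-server catch below sees them.
    $ErrorActionPreference = 'Stop'

    # The ADsPath the domain group will carry once it is a member.
    $targetPath = "WinNT://$Domain/$GroupName"

    foreach ($server in $ComputerName) {
        $server = $server.Trim()
        if (-not $server) { continue }

        try {
            if (-not (Test-Connection -ComputerName $server -Count 1 -Quiet)) {
                Write-Host "$server`t- failed to reach host" -ForegroundColor Red
                continue
            }

            # Bind straight to the Administrators group on the target.
            $admins = [ADSI]"WinNT://$server/Administrators,group"

            # -contains is case-insensitive for strings, which suits WinNT paths.
            $before = Get-AdminMemberPaths -Group $admins
            if ($before -contains $targetPath) {
                Write-Host "$server`t- already a member" -ForegroundColor Yellow
                continue
            }

            $admins.Add($targetPath)

            # Re-read membership to confirm the change actually landed.
            $after = Get-AdminMemberPaths -Group $admins
            if ($after -contains $targetPath) {
                Write-Host "$server`t- successfully updated" -ForegroundColor Green
            }
            else {
                Write-Host "$server`t- Add returned but group not found in membership" -ForegroundColor Magenta
            }
        }
        catch {
            # Typical causes: the group does not exist in the domain, access denied,
            # or the remote SAM is not reachable. Reporting the message is what the
            # original "silentlycontinue" setting hid.
            Write-Host "$server`t- failed: $($_.Exception.Message)" -ForegroundColor Magenta
        }
    }
}

# Constructed sample invocation; servers.txt is the list file used in the question.
Add-DomainGroupToLocalAdmins -Domain 'CONTOSO' -GroupName 'ServerAdmins' -ComputerName (Get-Content '.\servers.txt')
```

Comparing by ADsPath rather than Name also makes the "already a member" test honest when the script runs on one of the listed servers: the Members collection of the local machine's Administrators group includes local accounts whose Name can collide with the group being added, while the ADsPath of a domain principal always carries the domain rather than the computer name.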