Granting access rights to local servers by using AD groups

A small project just came along. Access to Windows servers had to be restricted by user groups. Two types of users should be served: those needing admin rights, and those needing RDP permission. Management should be done from a central location (= Active Directory).

I wrote a simple script that does the following:

  1. Harvest all Windows servers, filtered by name
  2. For each server, check whether Active Directory groups for permissions (Admin and RDP) already exist
    1. If so, do nothing
    2. If not
      • create the Active Directory Groups in the right OU
      • add the AD Groups to the local groups of the specific server. In my case: local group “Administrators” and local group “Remote Desktop Users”
CLS
Import-Module ActiveDirectory

# Setting default values
$OUpathRDPGroups = "OU=Servers-RDP,OU=Groups,DC=domain,DC=LOCAL"
$OUPathADMGroups = "OU=Servers-ADM,OU=Groups,DC=domain,DC=LOCAL"

#query all servers starting with WIN-. For testing purposes, fill in a full server name
$queriedservers = "WIN-*"
$servers = $null
$servers = Get-ADComputer -Filter {OperatingSystem -like "Windows Server*" -and Name -like $queriedservers} -Properties *

#start the group check and create groups
ForEach ($server in $servers) {
    $ADMgroupname = "Group-ADM-" + $server.Name
    if (Get-ADGroup -Filter {Name -eq $ADMgroupname} ) {
            $ADMGroup = get-adgroup $ADMgroupname -Properties *
            Write-Host "Group $ADMgroupname already exists. Distinguished Name is $admgroup"
            }
        else { 
            write-host "Group $ADMgroupname does not exist. Group will be created in $OUPathADMGroups"
            new-ADGroup –name $ADMgroupname –groupscope Global –path $OUPathADMGroups
            Start-Sleep 4
            invoke-command -computername $server.name -scriptblock {net localgroup "Administrators" /add domain.local\$ADMgroupname}
        }

    $RDPgroupname = "Group-RDP-" + $server.Name
    if (Get-ADGroup -Filter {Name -eq $RDPgroupname} ) {
            $RDPGroup = get-adgroup $RDPgroupname -Properties *
            Write-Host "Group $RDPgroupname already exists. Distinguished Name is $rdpgroup"
            }
        else { 
            write-host "Group $RDPgroupname does not exist. Group will be created in $OUPathRDPGroups"
            new-ADGroup –name $RDPgroupname –groupscope Global –path $OUPathRDPGroups
            Start-Sleep 4
            invoke-command -computername $server.name -scriptblock {net localgroup "Remote desktop users" /add domain.local\$RDPgroupname}
        }

} 

 

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x