A small project just came along. Access to Windows servers had to be restricted by user groups. Two types of users should be served: those needing admin rights, and those needing RDP permission. Management should be done from a central location (= Active Directory).
I wrote a simple script that does the following:
- Harvest all Windows servers, filtered by name
- For each server, check whether Active Directory groups for permissions (Admin and RDP) already exist
- If so, do nothing
- If not:
  - create the Active Directory groups in the right OU
  - add the AD groups to the local groups of the specific server. In my case: local group "Administrators" and local group "Remote Desktop Users"
```powershell
CLS
Import-Module ActiveDirectory

# Setting default values
$OUpathRDPGroups = "OU=Servers-RDP,OU=Groups,DC=domain,DC=LOCAL"
$OUPathADMGroups = "OU=Servers-ADM,OU=Groups,DC=domain,DC=LOCAL"

# Query all servers starting with WIN-. For testing purposes, fill in a full server name
$queriedservers = "WIN-*"
$servers = $null
$servers = Get-ADComputer -Filter {OperatingSystem -like "Windows Server*" -and Name -like $queriedservers} -Properties OperatingSystem

# Start the group check and create groups
ForEach ($server in $servers) {

    # --- Admin group: Group-ADM-<server> -> local "Administrators" ---
    $ADMgroupname = "Group-ADM-" + $server.Name
    if (Get-ADGroup -Filter {Name -eq $ADMgroupname}) {
        $ADMGroup = Get-ADGroup $ADMgroupname
        Write-Host "Group $ADMgroupname already exists. Distinguished Name is $($ADMGroup.DistinguishedName)"
    } else {
        Write-Host "Group $ADMgroupname does not exist. Group will be created in $OUPathADMGroups"
        New-ADGroup -Name $ADMgroupname -GroupScope Global -Path $OUPathADMGroups
        # Give the new group a moment to replicate before the server tries to resolve it
        Start-Sleep 4
        # $using: hands the local variable to the remote session; without it the
        # variable is empty on the server and "net localgroup" receives "domain.local\"
        Invoke-Command -ComputerName $server.Name -ScriptBlock {
            net localgroup "Administrators" /add "domain.local\$using:ADMgroupname"
        }
    }

    # --- RDP group: Group-RDP-<server> -> local "Remote Desktop Users" ---
    $RDPgroupname = "Group-RDP-" + $server.Name
    if (Get-ADGroup -Filter {Name -eq $RDPgroupname}) {
        $RDPGroup = Get-ADGroup $RDPgroupname
        Write-Host "Group $RDPgroupname already exists. Distinguished Name is $($RDPGroup.DistinguishedName)"
    } else {
        Write-Host "Group $RDPgroupname does not exist. Group will be created in $OUpathRDPGroups"
        New-ADGroup -Name $RDPgroupname -GroupScope Global -Path $OUpathRDPGroups
        Start-Sleep 4
        Invoke-Command -ComputerName $server.Name -ScriptBlock {
            net localgroup "Remote Desktop Users" /add "domain.local\$using:RDPgroupname"
        }
    }
}
```
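Once the groups are in place, membership of the AD group is effectively membership of the local Administrators group on that server, so it is worth re-checking the servers periodically: someone can add an extra account to the local group directly, or the one-off `net localgroup /add` may have failed silently on a server that was offline. The audit below is an added example, not part of the original post. It assumes the naming convention from the script above (`Group-ADM-<server>` and `Group-RDP-<server>`), that the servers run PowerShell 5.1 or later so `Get-LocalGroupMember` is available, and that the domain's NetBIOS name is `DOMAIN` (placeholder); the function name `Get-ServerGroupDrift` is made up here.

```powershell
# Added audit example (not from the original post). Assumptions: naming convention
# Group-ADM-<server> / Group-RDP-<server>, PowerShell 5.1+ on the servers for
# Get-LocalGroupMember, and a placeholder NetBIOS domain name "DOMAIN".
Import-Module ActiveDirectory

# Expected mapping: local group -> prefix of the AD group that should be its only domain member
$Expected = @{
    "Administrators"       = "Group-ADM-"
    "Remote Desktop Users" = "Group-RDP-"
}
# Built-in local accounts that are allowed to stay in Administrators
$AllowedLocal = @("Administrator")

function Get-ServerGroupDrift {
    param([Parameter(Mandatory)][string]$ServerName)

    # Only a plain variable can cross the remote boundary via $using:, so copy the keys first
    $groups = @($Expected.Keys)

    # Collect the members of each local group on the remote server
    $remote = Invoke-Command -ComputerName $ServerName -ScriptBlock {
        foreach ($g in $using:groups) {
            # Note: Get-LocalGroupMember can fail on groups containing orphaned SIDs;
            # report that as an error instead of silently returning nothing
            try {
                $members = @(Get-LocalGroupMember -Group $g -ErrorAction Stop | Select-Object -ExpandProperty Name)
                [pscustomobject]@{ LocalGroup = $g; Members = $members; Error = $null }
            } catch {
                [pscustomobject]@{ LocalGroup = $g; Members = @(); Error = $_.Exception.Message }
            }
        }
    }

    foreach ($entry in $remote) {
        $expectedGroup = $Expected[$entry.LocalGroup] + $ServerName

        # Compare on the account name only: Get-LocalGroupMember reports "DOMAIN\Name"
        # or "SERVER\Name", while the script above added the group as "domain.local\Name"
        $expectedPresent = $false
        $unexpected = @()
        foreach ($m in $entry.Members) {
            $parts = $m -split '\\', 2
            $scope = if ($parts.Count -eq 2) { $parts[0] } else { "" }
            $name  = $parts[-1]

            if ($name -eq $expectedGroup) {
                $expectedPresent = $true
            } elseif ($scope -eq $ServerName -and $AllowedLocal -contains $name) {
                # built-in local account, fine
            } else {
                $unexpected += $m
            }
        }

        [pscustomobject]@{
            Server          = $ServerName
            LocalGroup      = $entry.LocalGroup
            ExpectedGroup   = $expectedGroup
            ExpectedPresent = $expectedPresent
            Unexpected      = $unexpected
            Error           = $entry.Error
        }
    }
}

# Run the audit over the same server set as the provisioning script and show only drift
$servers = Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*" -and Name -like "WIN-*"'
$report  = foreach ($s in $servers) { Get-ServerGroupDrift -ServerName $s.Name }

$report |
    Where-Object { -not $_.ExpectedPresent -or $_.Unexpected.Count -gt 0 -or $_.Error } |
    Select-Object Server, LocalGroup, ExpectedPresent, @{ n = "Unexpected"; e = { $_.Unexpected -join ", " } }, Error |
    Format-Table -AutoSize
```

A row with `ExpectedPresent` false means the provisioning step never reached that server (or someone removed the group); a non-empty `Unexpected` column lists accounts that were granted admin or RDP rights outside of Active Directory and should be moved into the AD group or removed. Because the AD groups now decide who is a local administrator, the OUs `Servers-ADM` and `Servers-RDP` deserve the same change control as the servers themselves: whoever can edit their membership can grant admin rights on every matching server.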