Pour désactiver le compte Administrateur local par défaut de Windows, le plus simple est d'utiliser un script de remédiation Intune (un script de détection, puis un script de remédiation).
Script de détection :
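# Intune detection script: reports whether the built-in local Administrator
# account (well-known RID 500) is still enabled.
# Exit 1 = non-compliant (Intune then runs the remediation script),
# exit 0 = compliant.
# The account is located by its RID rather than by its name, so a renamed
# Administrator account is still found.
$adminAccount = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount = True ' |
    Where-Object SID -Like 'S-1-5-*-500' |
    Select-Object -First 1

if ($null -eq $adminAccount) {
    # The built-in account cannot be deleted, so an empty result means the WMI
    # query did not return it. Kept as "compliant" (exit 0) to preserve the
    # previous behaviour, but reported explicitly instead of as "not Enabled".
    Write-Host "No local account with RID 500 was found"
    Exit 0
}

$user = $adminAccount.Name
if ($adminAccount.Disabled -eq $false) {
    Write-Host "$user is Enabled"
    Exit 1
}
else {
    Write-Host "$user is not Enabled"
    Exit 0
}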
Script de remédiation :
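# Intune remediation script: disables the built-in local Administrator account
# (well-known RID 500) when the detection script reported it as enabled.
# Exit 0 = the account was disabled by this run, exit 1 = nothing was changed
# (error, account not found, or it was already disabled).
$adminAccount = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount = True ' |
    Where-Object SID -Like 'S-1-5-*-500' |
    Select-Object -First 1

if ($null -eq $adminAccount) {
    Write-Host "No local account with RID 500 was found"
    Exit 1
}

$user = $adminAccount.Name
if ($adminAccount.Disabled -eq $false) {
    try {
        # net.exe is a native command: it does not throw on failure, so a
        # try/catch alone would report success (exit 0) even when the account
        # was not disabled. Its exit code has to be checked explicitly.
        net.exe user $user /active:No
        if ($LASTEXITCODE -ne 0) {
            throw "net.exe user exited with code $LASTEXITCODE"
        }
        Write-Host "$user has been disabled"
        Exit 0
    }
    catch {
        Write-Host "Failed to disable $user"
        Write-Error $_
        Exit 1
    }
}
else {
    Write-Host "$user is already Disabled"
    Exit 1
}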
Problème :
La commande « Get-ADGroupMember » est limitée à 5000 membres par requête : si le groupe en compte davantage, vous obtiendrez un joli message d'erreur du type :
Get-ADGroupMember : The size limit for this request was exceeded
Solution :
Voici une fonction PowerShell qui vous permettra de récupérer l'intégralité des membres d'un groupe, même s'il en contient 10 000.
Vous pourrez choisir de retourner :
- Les utilisateurs
- Les groupes
- Le tout
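Function Get-AllMembers {
    <#
    .SYNOPSIS
    Return a list of members for a group.
    .DESCRIPTION
    Get-AllMembers is a function that returns the direct members of one or more
    groups. Instead of Get-ADGroupMember, members are read back with an LDAP
    "memberOf" search through Get-ADUser / Get-ADGroup, so the per-call size
    limit of Get-ADGroupMember does not apply.
    Only direct members are returned (nested groups are listed as groups, not
    expanded). NOTE: memberOf does not reflect primary-group membership
    (primaryGroupID), so members whose only link to the group is their primary
    group are not listed.
    .PARAMETER Name
    One or more group identities (any value accepted by Get-ADGroup -Identity).
    .PARAMETER Return
    Which members to return: UsersOnly, GroupsOnly or All.
    .EXAMPLE
    Get-AllMembers "Domain Admins", "DNS Admins" -Return All
    .EXAMPLE
    "Domain Admins" | Get-AllMembers -Return UsersOnly
    .INPUTS
    String[]
    .OUTPUTS
    PSCustomObject
    .NOTES
    Author: ADELAIDE Mathieu
    #>
    PARAM (
        # [string[]] so that the documented multi-group call works; a single
        # [string] would have joined "Domain Admins", "DNS Admins" into one name.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
        [STRING[]]$Name,
        # Not bound from the pipeline: a second pipeline-bound [string]
        # parameter would compete with -Name for every piped value.
        [Parameter(Mandatory = $true, Position = 1)]
        [ValidateSet("UsersOnly","GroupsOnly","All")]
        [STRING]$Return
    )
    Begin {
        #######################################
        # Escape a value for use inside an LDAP filter (RFC 4515).
        # A DN containing '(', ')', '*' or '\' — e.g. "CN=Sales (EMEA),OU=..." —
        # would otherwise produce a malformed or wider-than-intended filter.
        # Arguments: $Value - raw attribute value
        # Outputs:   the escaped string
        #######################################
        Function ConvertTo-LdapFilterValue ([string]$Value) {
            # Backslash first, so the escapes added below are not re-escaped.
            return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
        }
    }
    Process {
        foreach ($GroupName in $Name) {
            # Generic lists: "+=" on an array re-allocates the whole array on
            # every add, which is noticeable with thousands of members.
            $ArrayUsers  = New-Object System.Collections.Generic.List[object]
            $ArrayGroups = New-Object System.Collections.Generic.List[object]
            $ArrayAll    = New-Object System.Collections.Generic.List[object]
            Try {
                $DistinguishedName = Get-ADGroup -Identity $GroupName -ErrorAction Stop |
                    Select-Object -ExpandProperty DistinguishedName
                $MemberOfClause = "(memberOf=$(ConvertTo-LdapFilterValue -Value $DistinguishedName))"

                # Searching all Users who's member of current Group
                Try {
                    Get-ADUser -LDAPFilter "(&(objectCategory=user)$MemberOfClause)" -ErrorAction Stop | ForEach-Object {
                        $UserRecord = [PSCustomObject]@{
                            GroupName         = $GroupName
                            DistinguishedName = $_.DistinguishedName
                            Enabled           = $_.Enabled
                            GivenName         = $_.GivenName
                            Name              = $_.Name
                            ObjectClass       = $_.ObjectClass
                            ObjectGUID        = $_.ObjectGUID
                            SamAccountName    = $_.SamAccountName
                            SID               = $_.SID
                            Surname           = $_.Surname
                            UserPrincipalName = $_.UserPrincipalName
                        }
                        $ArrayUsers.Add($UserRecord)
                        # Collect All
                        $ArrayAll.Add($UserRecord)
                    }
                }
                Catch {
                    Write-Warning -Message "Unable to find all users member of $GroupName"
                }

                # Searching all Groups who's member of current Group
                Try {
                    Get-ADGroup -LDAPFilter "(&(objectCategory=group)$MemberOfClause)" -ErrorAction Stop | ForEach-Object {
                        $ArrayGroups.Add([PSCustomObject]@{
                            GroupName         = $GroupName
                            DistinguishedName = $_.DistinguishedName
                            GroupCategory     = $_.GroupCategory
                            GroupScope        = $_.GroupScope
                            Name              = $_.Name
                            ObjectClass       = $_.ObjectClass
                            ObjectGUID        = $_.ObjectGUID
                            SamAccountName    = $_.SamAccountName
                            SID               = $_.SID
                        })
                        # Collect All: same column set as the user records so that
                        # -Return All yields a uniform schema; the user-only
                        # fields are left empty for groups.
                        $ArrayAll.Add([PSCustomObject]@{
                            GroupName         = $GroupName
                            DistinguishedName = $_.DistinguishedName
                            Enabled           = $null
                            GivenName         = $null
                            Name              = $_.Name
                            ObjectClass       = $_.ObjectClass
                            ObjectGUID        = $_.ObjectGUID
                            SamAccountName    = $_.SamAccountName
                            SID               = $_.SID
                            Surname           = $null
                            UserPrincipalName = $null
                        })
                    }
                }
                Catch {
                    # Return an error message if member not found.
                    Write-Warning -Message "Unable to find all groups member of $GroupName"
                }
            }
            Catch {
                # Return an error message if Group was not found.
                Write-Warning -Message "Unable to find $GroupName"
            }

            # Written to the pipeline rather than "return"ed, so that the loop
            # goes on with the next group instead of leaving the Process block.
            Switch ($Return) {
                "UsersOnly"  { Write-Output $ArrayUsers.ToArray() }
                "GroupsOnly" { Write-Output $ArrayGroups.ToArray() }
                "All"        { Write-Output $ArrayAll.ToArray() }
            }
        }
    }
}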