Tag Archives: ADSI

Get Local Group Members Revisited

The other day I posted an article and function that used ADSI and PowerShell to list members of a local group. I had a few people report an unusual error that I couldn’t replicate. During the course of troubleshooting, I made a few changes to the original function to at least better handle the mysterious error. Those changes were updated to GitHub and as version 1.5 of the function.

But during testing and revising, I decided I might as well really improve this command and incorporate an option to use PowerShell remoting, without having to jump through all the hoops in the previous version.

Version 2 of the function includes a few parameters for remoting. This meant defining a few parameter sets. I also turned the bulk of the ADSI code into a scriptblock which can by invoked normally using the & operator. Or run remotely with Invoke-Command. One tricky thing with scriptblocks is being able to flip on Verbose output.  My solution is to add a parameter to the scriptblock that essentially inherits the VerbosePreference of the local machine.


I also realized it might be helpful to include the group name in the results in case you want to export the information.

You can still use the command without remoting, which assumes you can create a legacy connection to the computer.


But I think you’ll find the remoting option better performing.


You can also use alternate credentials and SSL, although I haven’t tested using SSL or certificates since I don’t have that setup on my network.

Version 2 and later of the function can be found on Github:

Let me know if this works better for you.

Get Local Group Members with PowerShell

Recently I posted a function to get information about local user accounts. I received a lot of positive feedback so it seemed natural to take this the next step and create a similar function to enumerate or list members of a local group, such as Administrators.

The function, Get-LocalGroupMember, also relies on ADSI and is similar to my local user function so I won’t repeat the details.  Since I assume most of the time the only local group that matters is Administrators I made that the default.  I also set the computer default to the local host. But it is simple enough to query another computer.


You can pipe in computer names and use the object properties to do additional filtering, sorting or grouping.


In this example I wanted to search a group of computers and identify local members of Administrators that were not the Administrator account.

As with my previous function, I think you’ll find it better to use PowerShell remoting if you plan on querying multiple remote servers or need to use alternate credentials. You can read function help for more details.

You can always find the most current version of the function in my Github library.

I hope you find this useful. Comments are welcome here, but please post bugs or suggestions on GitHub.

Getting Local User Accounts the PowerShell Way

It seems I’m always seeing requests and problems on getting local user accounts using PowerShell.  However, even though we are at PowerShell 5.0,  Microsoft has never released a set of cmdlets for managing local user accounts. So many of us have resorted to creating our own tools. I now have my latest iteration of a function to get local user account information from remote computers.

The function takes a shortcut of sorts by using the ADSI type accelerator to connect to a remote computer. This is the same technique we used back in the VBScript days. However, this technique isn’t conducive to alternate credentials and requires legacy protocols like RPC and DCOM.  But that isn’t necessarily an issue as I’ll show you in a few minutes.

The function connects to the remote computer and then uses some COM object voodoo, to enumerate local account information. By default, the command will list all user accounts.


Or you can specify a single user account name.


The function accepts pipeline input making it easy to check multiple servers at once.


On important note: if you query a domain controller you will get domain accounts.

Remember I mentioned this command uses legacy protocols. One alternative is to use PowerShell remoting and Invoke-Command. First, create the necessary PSSessions, using alternate credentials if necessary.

Then get the function’s scriptblock.

Now you can use this with Invoke-Command:


Or query for a specify account:


You can find the complete script, which includes an alias on Github.

I hope you’ll let me know what you think and that you find this a useful addition to your PowerShell toolbox. If you run into problems, please post them on the Gist page.