0

I would like to inventory the users and groups that are allowed to connect to a computer (interactively or remotely). The computer can be either in a workgroup or in an active directory but primarily in an active directory. If a group has access, I would also like to know which users are members of that group so that I can determine if the user has access granted directly or thanks to a role.

I would like to do it using PowerShell and remotely but I don't know from where to start.

NB: Part of the solution can be found here (who has logged on?)

Community
  • 1
Jefferson B. Elias
  • 131
  • 5
  • Sure, it's (to me) an indication to see if the ones who have access have recently used their account. – Jefferson B. Elias Apr 26 '16 at 12:19
  • there's a `logonworkstations` property foreach user in `get-aduser`. that should be your starting point. – SimonS Apr 26 '16 at 15:42
  • It's not clear if you want a list of users/groups that CAN connect or user/groups that HAVE connected? If it's the former then group policy RSOP would help. Defaults here - https://technet.microsoft.com/en-us/library/dn221980%28v=ws.11%29.aspx – smwk May 13 '16 at 21:14
  • Hi smwk, it's the first one that I want... As the server OS is not on my charge but the RDBMS is, I want to know who possibly can access to it... Once I have the answer to who can connect, I may be interested by the when they connect... – Jefferson B. Elias May 14 '16 at 11:04
  • It doesn't look easy to do with Powershell: http://stackoverflow.com/questions/934156/setting-log-on-as-a-service-and-allow-logon-locally-with-adsi . If it's just one server then use group policy RSOP, this can be done remotely. – smwk May 17 '16 at 15:22

1 Answers1

0

Default groups that can logon locally on a server:

  • Administrators

  • Backup Operators

  • Users

Reference: https://technet.microsoft.com/en-us/library/dn221980%28v=ws.11%29.aspx

Doing it with PowerShell is not easy, a few options listed here: https://stackoverflow.com/questions/934156/setting-log-on-as-a-service-and-allow-logon-locally-with-adsi

Community
  • 1
smwk
  • 197
  • 7