Ask Your Question

Updating Local Administrators group using powershell

asked 2016-01-13 20:14:02 -0500

jamStrong gravatar image

Purpose: To use an access control list to regulate which users should have Local Administrator accounts on a server. If a Local Admin is on a server that isn't on the ACL, that account is deleted.

Set up: I'm using an EPP template and the powershell module to execute code to compare a formatted list of Local Administrators on the machine against an interpolated $acl variable containing the list of authorized users.

I have a hash containing usernames and initial passwords, e.g:
$credentials = { "test" => "t3st!!", "test2" => "t3st3r!" }
along with an array containing just the usernames, to be used as an access control list of users that should be authorized, e.g:
$acl = $credentials.keys

<-- Other code here, other functions work properly, variables import correctly -->
exec { "Removing unauthorized Local Administrators":
command => epp('usermgmt_test/remove-user.epp'),
provider => powershell,

$adminList = Get-LocalAdmin
$acl = Get-ACL

function Get-LocalAdmin {
# Get the list of local Administrators, format it, and convert to an array for later iteration
$list = net localgroup 'Administrators' | Select-Object -Skip 6
$list = $list | Select-Object -First ($list.Count - 2)
$list = $list.Trim()
$list.Split(" ")

function Get-ACL {
# Import the $acl variable from puppet, convert to string, format for powershell, convert to array for later iteration
$puppet = "<%= $acl %>"
$puppet = $puppet.Trim('[',']')

ForEach ($user in $adminList) {
if (($acl -notcontains $user) -and ($user -ne 'Administrator')) {
net user $user /delete

The manifest on the test server applies without errors, but does not actually delete any users and returns this confusing statement:
$list.Split(" ")$puppet.Split(',')}Notice: /Stage[main]/Usermgmt_test/Exec[Removing unauthorized local Administrators]/returns: executed successfully

I've checked that the $acl variable is interpolating properly into the EPP template and my test code in powershell works properly. I thought that it might be that Puppet was trying to interpolate the powershell variables, so I tried escaping those (\$) but that just threw a bunch of powershell errors. I'm kind of at a loss as to what I'm missing here. Any help would be greatly appreciated!

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2016-01-15 00:07:34 -0500

jamStrong gravatar image

Turns out that Puppet templates get a little hinky when it comes to interpreting whitespace for powershell. Once I removed the whitespace the return values started making more sense and I was able to go from there in resolving the rest of the hiccups that cropped up.

edit flag offensive delete link more


This is a side effect of how the Powershell module invokes the script. In order for lines to be run properly they need the standard line ending for windows \r\n. I find that at times the Powershell module lands scripts with mangled line endings which causes scripts to run oddly or not at all.

Areson gravatar imageAreson ( 2016-01-17 23:48:55 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2016-01-13 20:03:35 -0500

Seen: 133 times

Last updated: Jan 15 '16