By: Matt Wisor
PowerShell to the Rescue
Carrying out server maintenance on a regular basis can be challenging, especially if users are working in the application being serviced. Applying a Visual Studio update, for example, may corrupt the application if a user is actively working in it. While rebooting the server does sign users off the machine, those who are diligent may simply log right back on and resume their work.
One way to prevent this problematic scenario from happening is to remove everyone from the “Remote Desktop Users” local group on the server. Doing so sounds simple but isn’t as easy as you’d think. Adding hundreds of users back to the local group manually can be quite cumbersome!
Fortunately, we have a solution: PowerShell. With a simple command, a list of all group members can be exported to a CSV file. After that, all group members may be safely removed to prevent remote access. Following maintenance, another PowerShell script makes adding the users back to the group easy. (Need help logging scripts in PowerShell? We explain how in this blog post.)
Prerequisites
1. If PowerShell has not already been installed on your machine, Microsoft has provided a download here.
2. Windows Management Framework (WMF) v5.1 must also be installed. This framework contains the Microsoft.Powershell.LocalAccounts module required to interact with local machine groups. WMF 5.1 is available for download here.
Exporting Group Members
Once PowerShell and WMF 5.1 have been installed, run the PowerShell ISE as administrator to begin.
First, the Microsoft.Powershell.LocalAccounts module must be loaded into the current session. Loading the module enables access to the Get-LocalGroupMember cdmlet necessary to retrieve all of the users in the group. In this instance, the group we are retrieving members from is the Remote Desktop Users group, which grants users remote access to the server.
As shown below, the group name is being passed into the group parameter as in string in quotation marks. Next, type in the commands shown in the image below to export users in a local group to a CSV file. Finally, specify the NoTypeInformation parameter to remove the #Type information header that is returned by default in all versions prior to PowerShell 6.
|
1 2 3 |
Import-Module Microsoft.PowerShell.LocalAccounts Get-LocalGroupMember -Group "Remote Desktop Users" | select Name | Export-csv -path "D:\Temp\GroupMembers.csv" -NoTypeInformation` |
The resulting output file will look something like this below. Notice the District1 group is also included, so the output may be a mix of both user names and user groups.
Removing Group Members
Now that we have a complete list of all members from the Remote Desktop Users, all members may be safely removed to prevent unwanted server access during the maintenance window. A simple way to accomplish this is through local computer management.
To open up computer management, go to the start menu, scroll down to Windows Administrative Tools, and choose Computer Management. On the left side of the computer management window, expand Local Users and Groups and click on Group.
A list of all local groups will appear on the right side of the management window. Locate the Remote Desktop Users group and double click on it. The Properties window will pop up for the Remote Desktop Users group. To remove all the group members, highlight them and then click on the Remove button.
Importing Group Members from the CSV File
Once the server maintenance has completed, members of the Remote Desktop Users group may be re-added using the CSV file we exported earlier. Again, the Microsoft.PowerShell.LocalAccounts module must be loaded into the session first to access the Add-LocalGroupMember cmdlet. As shown in the code below, the Path parameter is being used to pass the location of the CSV file into the Import-CSV cmdlet. Then a ForEach-Object cmdlet is used to loop through each group member from the CSV file and add it back to the Remote Desktop Users group.
|
1 2 3 |
Import-Module Microsoft.PowerShell.LocalAccounts Import-csv -Path "D:\Temp\GroupMembers.csv" ForEach-Object {Add-LocalGroupMember-Group "Remote Desktop Users" -Member $_.'Name'} |
Questions?
Thanks for reading! We hope you found this blog post to be useful. Do let us know if you have any questions or topic ideas related to BI, analytics, the cloud, machine learning, SQL Server, (Star Wars), or anything else of the like that you’d like us to write about. Simply leave us a comment below, and we’ll see what we can do!
Keep your data analytics sharp by subscribing to our mailing list
Get fresh Key2 content around Business Intelligence, Data Warehousing, Analytics, and more delivered right to your inbox!
Key2 Consulting is a data warehousing and business intelligence company located in Atlanta, Georgia. We create and deliver custom data warehouse solutions, business intelligence solutions, and custom applications.
Dear Matt Wisor,
Two things are missing from your Import command.
A pipe before ForEach-Object, and a space before -Group
Import-csv -Path “D:\Temp\GroupMembers.csv” | ForEach-Object {Add-LocalGroupMember -Group “Remote Desktop Users” -Member $_.’Name’}
Nevertheless, thank you for the article. It sent us down the right path. 🙂
*Sorry for double posting. First comment had some gramatical errors which I wanted to correct.
Sincerely,
David Jerkovic
Hello, I want to retrieve list of users/groups who are part of Remote Desktop Users group, but not on a single server, but around 200+ servers. Can you please tell the script for the same. Also, if a particular user has access, it should be removed from the Remote Desktop Users group on all servers.