# ============================================================================================== # # Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2009 # # NAME: Get-LocalMember.ps1 # # AUTHOR: Jeffery Hicks # DATE : 4/8/2009 # # COMMENT: Return member information for local groups. If the member belongs to the domain, # Active Directory information will be pulled for the account. # Returns information like this: # Computer : XP01 # Account : WinNT://MYCOMPANY/XP01/svcaccount # Name : svcaccount # DisplayName : # Description : test service acount # Disabled : False # Domain : XP01 # IsLocal : True # Class : User # # Computer : XP01 # Account : CN=Domain Admins,CN=Users,DC=MYCOMPANY,DC=LOCAL # Name : Domain Admins # DisplayName : # Description : Designated administrators of the domain # Disabled : False # Domain : MYCOMPANY # IsLocal : False # Class : group # # Computer : XP01 # Account : CN=Jeffery Hicks,OU=IT,OU=Employees,DC=MYCOMPANY,DC=LOCAL # Name : jhicks # DisplayName : Jeffery Hicks # Description : Company admin # Disabled : False # Domain : MYCOMPANY # IsLocal : False # Class : User # DISCLAIMER AND WARNING: # THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY # KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. # TEST THOROUGHLY IN A NON-PRODUCTION ENVIRONMENT. IF YOU DON'T KNOW WHAT THIS # SCRIPT WILL DO...DO NOT RUN IT! 
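#
# ==============================================================================================
Param(
  [string]$computername = $env:Computername,
  [string]$group = "Administrators"
)

Function ConvertTo-LdapFilterValue {
  # Escape the characters that carry meaning inside an LDAP search filter
  # (backslash, *, parentheses and NUL) so that a member name read from the
  # directory cannot change the shape of the filter Get-DomainUser builds.
  # Arguments: $value - raw text to place in a filter
  # Outputs:   the escaped text
  Param([string]$value)
  # Backslash is escaped first so the escapes added afterwards are not re-escaped.
  $escaped = $value.Replace('\', '\5c')
  $escaped = $escaped.Replace('*', '\2a')
  $escaped = $escaped.Replace('(', '\28')
  $escaped = $escaped.Replace(')', '\29')
  $escaped = $escaped.Replace([string][char]0, '\00')
  Write-Output $escaped
}

Function Get-DomainUser {
  # Return the directory search result for the domain object whose
  # samAccountName is $sam (users and groups alike), or nothing when the
  # search finds no match.
  # Arguments: $sam - samAccountName to look up
  # Outputs:   System.DirectoryServices.SearchResult, or nothing
  Param([string]$sam = "Administrator")
  $searcher = New-Object System.DirectoryServices.DirectorySearcher
  $searcher.PageSize = 100
  # The value is escaped so a name containing filter metacharacters is matched
  # literally instead of being interpreted as part of the filter.
  $searcher.Filter = "(samaccountname={0})" -f (ConvertTo-LdapFilterValue $sam)
  $user = $searcher.FindOne()
  Write-Output $user
}

Function Get-FirstPropertyValue {
  # Return the first value of a named property on a SearchResult, or $null
  # when the property is absent (for example useraccountcontrol on a group),
  # instead of failing on an empty value collection.
  # Arguments: $result       - SearchResult from DirectorySearcher
  #            $propertyName - property to read
  # Outputs:   the first value, or $null
  Param($result, [string]$propertyName)
  $values = $result.Properties.Item($propertyName)
  if ($values -and $values.Count -gt 0) {
    Write-Output $values[0]
  }
  else {
    Write-Output $null
  }
}

# Errors from individual members are reported by the trap below and the
# enumeration carries on with the next member.
$errorActionPreference = "SilentlyContinue"
# Bit set in userFlags / userAccountControl when the account is disabled.
New-Variable ADS_UF_ACCOUNTDISABLE 0x0002 -Option Constant

trap {
  Write-Warning ("Oops. Something happened trying to return group membership for {0} on {1}." -f $group, $computername.ToUpper())
}

[ADSI]$LocalGroup = "WinNT://$computername/$group,group"

# A local member's ADSPath carries the computer name as its own path segment
# (WinNT://MYDomain/Computername/Administrator), while a domain member's
# looks like WinNT://MYDomain/Domain Users. Anchoring on the surrounding
# slashes and escaping the computer name avoids classifying a domain account
# whose name merely contains the computer name as local.
$localPattern = "/{0}/" -f [regex]::Escape($computername)

# Enumerate the group members and emit one custom object per member.
$LocalGroup.psbase.Invoke("Members") | ForEach-Object {
  $member = $_

  # Reset per-member values so a property that cannot be read for this member
  # (FullName on a group, for instance) does not leave the previous member's
  # value in the output object.
  $description = $null
  $displayname = $null
  $account = $null
  $disabled = $null
  $domain = $null

  # ADS path of the member
  $ADSPath = $member.GetType().InvokeMember("ADSPath", 'GetProperty', $null, $member, $null)
  # member class, i.e. user or group
  $class = $member.GetType().InvokeMember("Class", 'GetProperty', $null, $member, $null)
  # name property
  $name = $member.GetType().InvokeMember("Name", 'GetProperty', $null, $member, $null)

  if ($ADSPath -match $localPattern) {
    # local object: read everything from the WinNT provider
    $local = $True
    $domain = $computername.ToUpper()
    $description = $member.GetType().InvokeMember("Description", 'GetProperty', $null, $member, $null)
    $displayname = $member.GetType().InvokeMember("FullName", 'GetProperty', $null, $member, $null)
    $account = $ADSPath
    $flag = $member.GetType().InvokeMember("userflags", 'GetProperty', $null, $member, $null)
    if ($flag -band $ADS_UF_ACCOUNTDISABLE) {
      $disabled = $True
    }
    else {
      $disabled = $False
    }
  }
  else {
    # domain member: the domain name is the first segment after "//"
    # (the pattern assumes the domain name consists of word characters only)
    $local = $False
    if ($ADSPath -match "//(?<domain>\w+)") {
      $domain = $matches.domain
    }
    $domainuser = Get-DomainUser $name
    if ($domainuser) {
      $description = Get-FirstPropertyValue $domainuser "description"
      $displayname = Get-FirstPropertyValue $domainuser "displayname"
      $account = Get-FirstPropertyValue $domainuser "distinguishedname"
      $uac = Get-FirstPropertyValue $domainuser "useraccountcontrol"
      if ($uac -band $ADS_UF_ACCOUNTDISABLE) {
        $disabled = $True
      }
      else {
        $disabled = $False
      }
    }
    else {
      $description = "not found"
      $displayname = "not found"
      $disabled = $null
      $account = $ADSPath
    }
  }

  # build the custom result object
  $obj = New-Object PSObject
  $obj | Add-Member -MemberType NoteProperty -Name "Computer" -Value $computername.ToUpper()
  $obj | Add-Member -MemberType NoteProperty -Name "Account" -Value $account
  $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $name
  $obj | Add-Member -MemberType NoteProperty -Name "DisplayName" -Value $displayname
  $obj | Add-Member -MemberType NoteProperty -Name "Description" -Value $description
  $obj | Add-Member -MemberType NoteProperty -Name "Disabled" -Value $disabled
  $obj | Add-Member -MemberType NoteProperty -Name "Domain" -Value $domain
  $obj | Add-Member -MemberType NoteProperty -Name "IsLocal" -Value $local
  $obj | Add-Member -MemberType NoteProperty -Name "Class" -Value $class

  # write the result to the pipeline
  Write-Output $obj
}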