LocalGroupRemediate.ps1

function AddGroupMember($lf, $dom, $grp, $newMbr)
{

    Add-Content -path $lf -value "`t++ Adding member: $newMbr"
    try
    {
        $grp.Add("WinNT://" + $dom + "/" + $newMbr)
        Add-Content -path $lf -value "`t`t++ Successfuly added member."
    }
    catch
    {
        Add-Content -path $lf -value "`t`t++ Failed to add member: $_.Exception.Message"
    }
}

$logfile = "C:\Windows\Temp\LocalGroupRemediate.log"

Add-Content -path $logfile -value "`n`r******** Start: [$([DateTime]::Now)]. ********"

if ((Test-Connection -ComputerName "cm1.lab1.configmgrftw.com" -Quiet) -eq $true)
{
    $domainName = "lab1"

    $localSystemName = $env:computername
    $localAdminGroupName = "Administrators"

    $validLocalAdminName = "vanpersie"
    $validLocalCSTName = "fifa"
    $validDomainAdmins = "Domain Admins"
    $validAdminSuffix = "_local"

    $validLocalAdminGroupLookup = @{
                                "OU=Computers,OU=Region1,DC=lab1,DC=configmgrftw,DC=com" = "rg1_local_admin";
                                "OU=Computers,OU=Region2,DC=lab1,DC=configmgrftw,DC=com" = "rg2_local_admin";
                                "OU=Workstations,OU=Region3,DC=lab1,DC=configmgrftw,DC=com" = "rg3_local_admins";
                                "OU=Workstations,OU=Region4,DC=lab1,DC=configmgrftw,DC=com" = "rg4_local_admins";
								"OU=Workstations,OU=LAB1,DC=lab1,DC=configmgrftw,DC=com" = "lab1_local_admins";
                                }

    $validLocalServiceGroupLookup = @{
                                "OU=Computers,OU=Region1,DC=lab1,DC=configmgrftw,DC=com" = "rg1_Local_Admin_Service_Accounts";
                                "OU=Computers,OU=Region2,DC=lab1,DC=configmgrftw,DC=com" = "rg2_Local_Admin_Service_Accounts";
                                "OU=Workstations,OU=Region3,DC=lab1,DC=configmgrftw,DC=com" = "rg3_Local_Admin_Service_Accounts";
                                "OU=Workstations,OU=Region4,DC=lab1,DC=configmgrftw,DC=com" = "rg4_Local_Admin_Service_Accounts";
								"OU=Workstations,OU=LAB1,DC=lab1,DC=configmgrftw,DC=com" = "lab1_Local_Admin_Service_Accounts";
                                }


    $systemDistinguishedName = (Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine" -Name Distinguished-Name).'Distinguished-Name'

    $systemOU = $systemDistinguishedName.Substring($systemDistinguishedName.IndexOf(",") + 1)

    $validLocalAdminGroupLookup.keys | ForEach-Object {
        if($systemOU.contains($_))
        {
            $validLocalAdminGroup = $validLocalAdminGroupLookup[$_]
        }
    }

    $validLocalServiceGroupLookup.keys | ForEach-Object {
        if($systemOU.contains($_))
        {
            $validLocalServiceGroup = $validLocalServiceGroupLookup[$_]
        }
    }

    Add-Content -path $logfile -value "System DN: $systemDistinguishedName"
    Add-Content -path $logfile -value "Expected local admin name: $validLocalAdminName"
    Add-Content -path $logfile -value "Expected local cs group name: $validLocalCSTName"
    Add-Content -path $logfile -value "Expected local admin group name: $validLocalAdminGroup"
    Add-Content -path $logfile -value "Expected local service group name: $validLocalServiceGroup"
    Add-Content -path $logfile -value "Examining local admin group `"$localAdminGroupName`" ..."

    $group = [ADSI]"WinNT://$localSystemName/$localAdminGroupName,group"

    $members = @($group.psbase.Invoke("Members"))

    $memberNames = @()

    $members | ForEach-Object {

        $mbrName = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
        $mbrPath = $_.GetType().InvokeMember("AdsPath", 'GetProperty', $null, $_, $null)

	    $memberNames = $memberNames + $mbrName

        if($mbrName -eq $validLocalAdminName -or
            $mbrName -eq $validDomainAdmins -or
            $mbrName -eq $validLocalCSTName -or
            $mbrName -eq $validLocalAdminGroup -or
            $mbrName -eq $validLocalServiceGroup)

        {
            Add-Content -path $logfile -value "`t-- Found valid core member: $mbrName"
        }
        elseif($mbrName.EndsWith($validAdminSuffix))
        {
            Add-Content -path $logfile -value "`t-- Found valid member: $mbrName"
        }
        else
        {
            Add-Content -path $logfile -value "`t-- Found invalid member: $mbrName"

            try
            {
                $group.Remove($mbrPath)
                Add-Content -path $logfile -value "`t`txx Successfully removed invalid member"
            }
            catch
            {
                Add-Content -path $logfile -value "`t`txx Failed to remove invalid member: $_.Exception.Message"
            }
        }

    }

    AddGroupMember $logfile $domainName $group $validDomainAdmins

    AddGroupMember $logfile $domainName $group $validLocalAdminName

    AddGroupMember $logfile $domainName $group $validLocalCSTName

    AddGroupMember $logfile $domainName $group $validLocalAdminGroup

    AddGroupMember $logfile $domainName $group $validLocalServiceGroup
}
else
{
    Add-Content -path $logfile -value "Not connected to internal network."
}

Add-Content -path $logfile -value "******** Finish: [$([DateTime]::Now)]. ********`n`r`n`r"
	function AddGroupMember($lf, $dom, $grp, $newMbr)
	{

	Add-Content -path $lf -value "`t++ Adding member: $newMbr"
	try
	{
	$grp.Add("WinNT://" + $dom + "/" + $newMbr)
	Add-Content -path $lf -value "`t`t++ Successfuly added member."
	}
	catch
	{
	Add-Content -path $lf -value "`t`t++ Failed to add member: $_.Exception.Message"
	}
	}

	$logfile = "C:\Windows\Temp\LocalGroupRemediate.log"

	Add-Content -path $logfile -value "`n`r****** Start: [$([DateTime]::Now)]. ******"

	if ((Test-Connection -ComputerName "cm1.lab1.configmgrftw.com" -Quiet) -eq $true)
	{
	$domainName = "lab1"

	$localSystemName = $env:computername
	$localAdminGroupName = "Administrators"

	$validLocalAdminName = "vanpersie"
	$validLocalCSTName = "fifa"
	$validDomainAdmins = "Domain Admins"
	$validAdminSuffix = "_local"

	$validLocalAdminGroupLookup = @{
	"OU=Computers,OU=Region1,DC=lab1,DC=configmgrftw,DC=com" = "rg1_local_admin";
	"OU=Computers,OU=Region2,DC=lab1,DC=configmgrftw,DC=com" = "rg2_local_admin";
	"OU=Workstations,OU=Region3,DC=lab1,DC=configmgrftw,DC=com" = "rg3_local_admins";
	"OU=Workstations,OU=Region4,DC=lab1,DC=configmgrftw,DC=com" = "rg4_local_admins";
	"OU=Workstations,OU=LAB1,DC=lab1,DC=configmgrftw,DC=com" = "lab1_local_admins";
	}

	$validLocalServiceGroupLookup = @{
	"OU=Computers,OU=Region1,DC=lab1,DC=configmgrftw,DC=com" = "rg1_Local_Admin_Service_Accounts";
	"OU=Computers,OU=Region2,DC=lab1,DC=configmgrftw,DC=com" = "rg2_Local_Admin_Service_Accounts";
	"OU=Workstations,OU=Region3,DC=lab1,DC=configmgrftw,DC=com" = "rg3_Local_Admin_Service_Accounts";
	"OU=Workstations,OU=Region4,DC=lab1,DC=configmgrftw,DC=com" = "rg4_Local_Admin_Service_Accounts";
	"OU=Workstations,OU=LAB1,DC=lab1,DC=configmgrftw,DC=com" = "lab1_Local_Admin_Service_Accounts";
	}


	$systemDistinguishedName = (Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine" -Name Distinguished-Name).'Distinguished-Name'

	$systemOU = $systemDistinguishedName.Substring($systemDistinguishedName.IndexOf(",") + 1)

	$validLocalAdminGroupLookup.keys \| ForEach-Object {
	if($systemOU.contains($_))
	{
	$validLocalAdminGroup = $validLocalAdminGroupLookup[$_]
	}
	}

	$validLocalServiceGroupLookup.keys \| ForEach-Object {
	if($systemOU.contains($_))
	{
	$validLocalServiceGroup = $validLocalServiceGroupLookup[$_]
	}
	}

	Add-Content -path $logfile -value "System DN: $systemDistinguishedName"
	Add-Content -path $logfile -value "Expected local admin name: $validLocalAdminName"
	Add-Content -path $logfile -value "Expected local cs group name: $validLocalCSTName"
	Add-Content -path $logfile -value "Expected local admin group name: $validLocalAdminGroup"
	Add-Content -path $logfile -value "Expected local service group name: $validLocalServiceGroup"
	Add-Content -path $logfile -value "Examining local admin group `"$localAdminGroupName`" ..."

	$group = [ADSI]"WinNT://$localSystemName/$localAdminGroupName,group"

	$members = @($group.psbase.Invoke("Members"))

	$memberNames = @()

	$members \| ForEach-Object {

	$mbrName = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
	$mbrPath = $_.GetType().InvokeMember("AdsPath", 'GetProperty', $null, $_, $null)

	$memberNames = $memberNames + $mbrName

	if($mbrName -eq $validLocalAdminName -or
	$mbrName -eq $validDomainAdmins -or
	$mbrName -eq $validLocalCSTName -or
	$mbrName -eq $validLocalAdminGroup -or
	$mbrName -eq $validLocalServiceGroup)

	{
	Add-Content -path $logfile -value "`t-- Found valid core member: $mbrName"
	}
	elseif($mbrName.EndsWith($validAdminSuffix))
	{
	Add-Content -path $logfile -value "`t-- Found valid member: $mbrName"
	}
	else
	{
	Add-Content -path $logfile -value "`t-- Found invalid member: $mbrName"

	try
	{
	$group.Remove($mbrPath)
	Add-Content -path $logfile -value "`t`txx Successfully removed invalid member"
	}
	catch
	{
	Add-Content -path $logfile -value "`t`txx Failed to remove invalid member: $_.Exception.Message"
	}
	}

	}

	AddGroupMember $logfile $domainName $group $validDomainAdmins

	AddGroupMember $logfile $domainName $group $validLocalAdminName

	AddGroupMember $logfile $domainName $group $validLocalCSTName

	AddGroupMember $logfile $domainName $group $validLocalAdminGroup

	AddGroupMember $logfile $domainName $group $validLocalServiceGroup
	}
	else
	{
	Add-Content -path $logfile -value "Not connected to internal network."
	}

	Add-Content -path $logfile -value "****** Finish: [$([DateTime]::Now)]. ******`n`r`n`r"