1

I need to generate a report that shows the guest account is disabled for a given list of computers.

How can I use net user, powershell, or any other commonly used tool for this purpose?

makerofthings7
  • 8,821
  • 28
  • 115
  • 196

3 Answers3

2

Here's a little PowerShell function to check for this.

function Test-LocalAccountDisabled
{
    param (
        [string]
        $AccountName = 'Guest',
        [string[]]
        $ComputerName = $env:COMPUTERNAME
    )

    $AccountDisable=0x0002
    foreach ($Computer in $ComputerName)
    {
        [ADSI]$Guest="WinNT://$Computer/$AccountName,User"
        if ($Guest -ne $null)
        {
            New-Object PSObject -Property @{
                Disabled = ($Guest.UserFlags.Value -band $AccountDisable) -as [boolean]
                AccountName = $AccountName
                ComputerName = $Computer
            }
        }
        else
        {
            Write-Error "Unable to find $AccountName on $Computer."
        }
    }
}

If you have a list of computers in a text file separated by line breaks, you could do something like

Test-LocalAccountDisabled -ComputerName (get-content computers.txt)
Steven Murawski
  • 1,570
  • 3
  • 14
  • 25
1

PowerShell is probably the easiest way:

foreach ( $computer in (Get-Content computers.txt) ) {
  Get-WmiObject Win32_UserAccount -Computer $computer -Filter "Name = 'guest'" `
    | Select-Object __Server, Disabled
}

Using wmic in batch is ugly, but will work as well:

set query=useraccount where name^^="guest" get disabled

for /f %c in ('computers.txt') do (
  for /f "delims== tokens=2" %a in ('wmic /node:%c %query% /value') do (
    echo %c %a
  )
)
Ansgar Wiechers
  • 4,197
  • 2
  • 17
  • 26
  • 1
    Nice solution. I suggested a couple of edits (adding __Server to know what machine the account status was coming from in the case of checking multiples and using the pipe as the line continuation rather than the backtick. – Steven Murawski Sep 19 '12 at 21:29
  • @StevenMurawski Thanks. I'm aware that a pipe at the end of the line would automatically continue the line, but I prefer to escape the line break and put the pipe at the beginning of the next line. That way I can see immediately where a command is continued from the previous line. I didn't know about `__Server`, though. Thanks for the tip, that's much more convenient than `@{n=computer;e={$computer}}`. – Ansgar Wiechers Sep 19 '12 at 21:46
  • 2
    You bet. The backtick at the end of the line can sometimes throw people off, so that's why I recommended that change. No worries. Rather than using the foreach, you could just pass the whole (Get-Content computers.txt) to the -computername parameter. That would let all the queries go at once rather than queuing them up in a line. If you have a number of machines, that will perform better. – Steven Murawski Sep 19 '12 at 21:52
  • This doesn't work for me. When I manually type `Get-WmiObject Win32_UserAccount -Computer nycexhc01 -Filter "Name = 'guest'" | fl` there is no "disabled" property, and I also get the local machine and domain guest account for each query. – makerofthings7 Sep 20 '12 at 16:26
0

A Powershell script with something like this should do the trick:

$Servers = Get-Content "C:\Path\To\File\With\Servers.txt"

foreach ($Server in $Servers)
{
    Get-WmiObject Win32_UserAccount -computername $Server -filter "LocalAccount=True AND` 
    Name='Guest'" | Select-Object Domain,Name,Disabled
}

This will read in a list of server names from a text file, and loop through them displaying an entry for each disabled guest account. If you take out AND Name=Guest, it will show you all disabled accounts on each machine.

Steve G
  • 231
  • 1
  • 11