Find all members of local groups (Local Administrators in all doma

Posted by Stoopit on June 6, 2007, 5:55 pm
I'm trying to reduce the number of users that have elevated rights to their
computers, and be able to audit regularly to keep it in check.

I would like to have an easy way to query every member computer in my Active
Directory domain, to get a single list of all members in local groups on each
computer - Local Administrators and Power Users especially. I don't know an
easy way to do this and get a list.

I have an SMS 2003 infrastructure too, if that can help.

I could figure out how to use the command line and psexec to remotely run on
all computers or something, but that would take some learnin' - I'm hoping
there's an easier way. I would appreciate any help!!

Posted by msnews mvp on June 6, 2007, 6:42 pm
> I'm trying to reduce the number of users that have elevated rights to their
> computers, and be able to audit regularly to keep it in check.
>
> I would like to have an easy way to query every member computer in my Active
> Directory domain, to get a single list of all members in local groups on each
> computer - Local Administrators and Power Users especially. I don't know an
> easy way to do this and get a list.
>
> I have an SMS 2003 infrastructure too, if that can help.
>
> I could figure out how to use the command line and psexec to remotely run on
> all computers or something, but that would take some learnin' - I'm hoping
> there's an easier way. I would appreciate any help!!

Do your target machines run the Windows (or any other) firewall?
And if so, is there a Management exception defined so that you could
run a script with WMI methods against the machines?

Roger



Posted by jwgoerlich@gmail.com on June 7, 2007, 8:11 am
See if the following script fits your needs. Run it from the domain
controller. For the computers you are auditing, you must have
Administrator privileges and be able to access the computer's RPC
ports. The output is tab delimited and can be opened in Excel.

Hope this helps,

J Wolfgang Goerlich


' Privileged Local User Audit
' Enumerates every computer account in the domain through the ADSI WinNT
' provider, binds to each machine's local Administrators and Power Users
' groups, and writes the members (user accounts and nested groups in separate
' columns) to a tab-delimited file. Save as a .vbs file and run with cscript.exe.

Option Explicit

Dim oADInfo, oFso, oShell, oLog, ADComputers, oComputer
Dim LogPath, AdsiPath, tab
Dim AdminUsers, AdminGroups, PowerUsers, PowerGroups

Set oADInfo = CreateObject("ADSystemInfo")
Set oFso = WScript.CreateObject("Scripting.FileSystemObject")
Set oShell = WScript.CreateObject("WScript.Shell")

LogPath = oShell.SpecialFolders("MyDocuments") & "\Privileged Local User Audit.txt"
AdsiPath = "WinNT://" & oADInfo.DomainShortName
tab = Chr(9)

' Connect to the domain through the WinNT provider; keep only computer objects

Set ADComputers = GetObject(AdsiPath)
ADComputers.Filter = Array("Computer")

' Open the log file

Set oLog = oFso.CreateTextFile(LogPath, True)
oLog.WriteLine "Privileged Local Users on Computers in the " & _
    oADInfo.DomainDNSName & " domain."
oLog.WriteLine Now
oLog.WriteLine ""
oLog.WriteLine "Computer" & tab & _
    "Administrators" & tab & _
    "Administrators Groups" & tab & _
    "Power Users" & tab & _
    "Power Users Groups"

' Check each computer

For Each oComputer In ADComputers
    GetGroupMembers oComputer.Name, "Administrators", AdminUsers, AdminGroups
    GetGroupMembers oComputer.Name, "Power Users", PowerUsers, PowerGroups

    ' Output to the log
    oLog.WriteLine oComputer.Name & tab & _
        AdminUsers & tab & _
        AdminGroups & tab & _
        PowerUsers & tab & _
        PowerGroups
Next

' Close the log file handle, open the log in Notepad

oLog.Close
oShell.Run "notepad.exe """ & LogPath & """"

' Clean up

Set ADComputers = Nothing
Set oADInfo = Nothing
Set oFso = Nothing
Set oLog = Nothing
Set oShell = Nothing

' Bind to one local group on one computer and return its members, user
' accounts in Users and nested groups in Groups, as "; "-separated lists.
' VBScript passes arguments by reference, so the caller's variables are filled.
' Errors (host unreachable, access denied, group does not exist) are trapped
' per call and written into both columns, and the Sub exits immediately, so a
' failed bind can never report the previous computer's membership for this one.
' The trap stays active for the member loop so an unresolvable member
' (for example an orphaned SID) is skipped instead of aborting the whole run.
Sub GetGroupMembers(ComputerName, GroupName, Users, Groups)
    Dim objGroup, objMember
    Users = ""
    Groups = ""

    On Error Resume Next
    ' ",group" tells the WinNT provider which object class to bind to
    Set objGroup = GetObject("WinNT://" & ComputerName & "/" & GroupName & ",group")
    If Err.Number <> 0 Then
        Users = "Error " & Err.Number & ": " & Err.Description
        Groups = Users
        Err.Clear
        Exit Sub
    End If

    For Each objMember In objGroup.Members
        If objMember.Class = "User" Then
            Users = Users & objMember.Name & "; "
        Else
            Groups = Groups & objMember.Name & "; "
        End If
    Next
    Err.Clear
End Sub


Posted by Stoopit on June 26, 2007, 5:43 pm
How is this script normally run? Do you put it in a file with a particular
extension then run from command line? I noticed "WinNT://" referenced - does
that need to correspond to a particular folder name on a particular computer?
Thanks.

"jwgoerlich@gmail.com" wrote:

> See if the following script fits your needs. Run it from the domain
> controller. For the computers you are auditing, you must have
> Administrator privileges and be able to access the computer's RPC
> ports. The output is tab delimited and can be opened in Excel.
>
> Hope this helps,
>
> J Wolfgang Goerlich
>
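
The script quoted above is VBScript: it is saved with a .vbs extension and run from a command prompt with the Windows Script Host console engine (cscript.exe //nologo followed by the file name you chose), and WinNT:// is the moniker of the ADSI WinNT provider, not a folder. The same audit in PowerShell is given below as an added example; it is not code from the thread or from J Wolfgang Goerlich. It assumes a domain-joined host with the RSAT ActiveDirectory module, an account that is a local administrator on every target, and targets that allow RPC (TCP/135 and the dynamic range) through their firewall, which is the management exception Roger asks about. The allow-list in $AllowedMembers is a placeholder to be replaced with the organisation's own standard; every other name in the block is the example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Same audit as the VBScript: enumerate
# computer accounts from AD, bind to each machine's local Administrators and
# Power Users groups through the ADSI WinNT provider, write every member to a
# CSV, and flag members that are not on an allow-list.
# Assumptions: RSAT ActiveDirectory module present; the running account is a
# local admin on every target; TCP/135 plus RPC dynamic ports are reachable.

param(
    [string[]] $Groups         = @('Administrators', 'Power Users'),
    [string[]] $AllowedMembers = @('Administrator', 'Domain Admins'),   # placeholder list
    [string]   $OutFile        = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Privileged Local User Audit.csv')
)

function Get-LocalGroupMemberAdsi {
    param([string] $Computer, [string] $Group)
    # ",group" disambiguates the object class, as in WinNT://host/Administrators,group
    $adsGroup = [ADSI] "WinNT://$Computer/$Group,group"
    foreach ($member in $adsGroup.psbase.Invoke('Members')) {
        # Members come back as raw COM objects; read their properties via reflection
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        [pscustomobject] @{
            # WinNT://DOMAIN/name or WinNT://HOST/name becomes DOMAIN\name or HOST\name
            Member = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class  = $class            # "User" or "Group"
        }
    }
}

function Invoke-PrivilegedLocalUserAudit {
    param([string[]] $Groups, [string[]] $AllowedMembers)
    foreach ($computer in Get-ADComputer -Filter 'Enabled -eq $true') {
        $name = if ($computer.DNSHostName) { $computer.DNSHostName } else { $computer.Name }

        # The bind below fails unless the RPC endpoint mapper is reachable through
        # the host firewall, so test that first and record the gap as a finding.
        $rpcOpen = Test-NetConnection -ComputerName $name -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $rpcOpen) {
            [pscustomobject] @{ Computer = $name; Group = ''; Member = ''; Class = ''; Status = 'TCP/135 unreachable'; Unexpected = $false }
            continue
        }

        foreach ($group in $Groups) {
            try {
                foreach ($m in Get-LocalGroupMemberAdsi -Computer $name -Group $group) {
                    $shortName = ($m.Member -split '\\')[-1]
                    [pscustomobject] @{
                        Computer   = $name
                        Group      = $group
                        Member     = $m.Member
                        Class      = $m.Class
                        Status     = 'OK'
                        Unexpected = ($AllowedMembers -notcontains $shortName)
                    }
                }
            } catch {
                # Access denied, or the group does not exist (Power Users is absent on
                # many builds): keep a row for the computer, record why, move on.
                [pscustomobject] @{ Computer = $name; Group = $group; Member = ''; Class = ''; Status = $_.Exception.Message; Unexpected = $false }
            }
        }
    }
}

$results = Invoke-PrivilegedLocalUserAudit -Groups $Groups -AllowedMembers $AllowedMembers
$results | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# What needs action: principals in a privileged local group that are not on the allow-list
$results | Where-Object Unexpected | Sort-Object Computer, Group |
    Format-Table Computer, Group, Member, Class -AutoSize
```

Run it from an elevated PowerShell session; the CSV keeps every row, including the unreachable and access-denied ones, so a host that silently drops out of the audit is visible rather than absent. On hosts that already allow WinRM, Get-LocalGroupMember run through Invoke-Command does the same enumeration over TCP/5985 and removes the RPC firewall dependency entirely.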

Posted by Stoopit on June 26, 2007, 5:38 pm
I was in no man's land - sorry I lost touch for a while!
The target machines have the Windows Firewall disabled, but do run McAfee
Anti-Virus via ePO, which may interfere?

"msnews mvp" wrote:

> Do your target machines run the Windows (or any other) firewall?
> And if so, is there a Management exception defined so that you could
> run a script with WMI methods against the machines ??
>
> Roger
>
>
>
