Posted by Per-Torben Sørensen on June 15, 2007, 2:13 am
Good morning.
I have about 400 clients in a domain-based network. Some users have local
admin rights, some don't.
Does anyone have any suggestions about how I easily find those users with
local administrator rights?
Regards
Per-Torben Sørensen
Posted by jwgoerlich on June 15, 2007, 9:12 am
Per-Torben Sørensen wrote:
> Does anyone have any suggestions about how I easily find those users with
> local administrator rights?
You can use the script below to generate a report on local
Administrators and Power Users. Copy it into a text file and rename it
with the .vbs extension. Run it from the domain controller. For the
computers you are auditing, you must have Administrator privileges and
be able to access the computer's RPC ports. The output is tab
delimited and can be opened in Excel.
Hope this helps,
J Wolfgang Goerlich
'--------------------------------------------------------------------------------
Set oADInfo = CreateObject("ADSystemInfo")
Set oFso = WScript.CreateObject("Scripting.FileSystemObject")
Set oShell = WScript.CreateObject("WScript.Shell")
LogPath = oShell.SpecialFolders("MyDocuments") & "\Privileged Local User Audit.txt"
AdsiPath = "WinNT://" & oADInfo.DomainShortName
tab = Chr(9)

' Connect to Active Directory (WinNT provider, computer objects only)
Set ADComputers = GetObject(AdsiPath)
ADComputers.Filter = Array("Computer")

' Open the log file
Set oLog = oFso.CreateTextFile(LogPath, True)
oLog.WriteLine "Privileged Local Users on Computers in the " & _
    oADInfo.DomainDNSName & " domain."
oLog.WriteLine Now
oLog.WriteLine ""
oLog.WriteLine "Computer" & tab & _
    "Administrators" & tab & _
    "Administrators Groups" & tab & _
    "Power Users" & tab & _
    "Power Users Groups"

' Check each computer
For Each oComputer In ADComputers
    ' Trap any errors in case the user is unauthorized, the computer is
    ' inaccessible, etc.
    On Error Resume Next

    ' Get the Administrators users and groups
    AdminUsers = ""
    AdminGroups = ""
    Err.Clear
    Set objGroup = GetObject("WinNT://" & oComputer.Name & "/Administrators")
    If Err.Number <> 0 Then
        ' Store the error as text: a bare number combined with the original
        ' "+" operator raised a type mismatch in the WriteLine below, so
        ' unreachable computers silently dropped out of the report
        AdminUsers = "Error " & Err.Number
        AdminGroups = "Error " & Err.Number
    Else
        ' Only enumerate when the bind succeeded; otherwise objGroup still
        ' refers to the previous computer's group and its members would be
        ' attributed to this computer
        For Each objUser In objGroup.Members
            If objUser.Class = "User" Then
                AdminUsers = AdminUsers & objUser.Name & "; "
            Else
                AdminGroups = AdminGroups & objUser.Name & "; "
            End If
        Next
    End If

    ' Get the Power Users users and groups
    PowerUsers = ""
    PowerGroups = ""
    Err.Clear   ' do not carry an Administrators error over into this check
    Set objGroup = GetObject("WinNT://" & oComputer.Name & "/Power Users")
    If Err.Number <> 0 Then
        PowerUsers = "Error " & Err.Number
        PowerGroups = "Error " & Err.Number
    Else
        For Each objUser In objGroup.Members
            If objUser.Class = "User" Then
                PowerUsers = PowerUsers & objUser.Name & "; "
            Else
                PowerGroups = PowerGroups & objUser.Name & "; "
            End If
        Next
    End If

    ' Output to the log
    oLog.WriteLine oComputer.Name & tab & _
        AdminUsers & tab & _
        AdminGroups & tab & _
        PowerUsers & tab & _
        PowerGroups
Next

' Close log file handle, open the log in Notepad
oLog.Close
oShell.Run "notepad.exe """ & LogPath & """"

' Clean up
Set ADComputers = Nothing
Set oADInfo = Nothing
Set oFso = Nothing
Set oLog = Nothing
Set oShell = Nothing
'--------------------------------------------------------------------------------
Posted by Per-Torben Sørensen on June 21, 2007, 8:00 am
Nothing less than AWESOME! :) (sorry caps)
Would it be possible to add the OU-structure in the output as well so we can
filter/sort by OU? It's a rather large amount of computers involved.
Regards
Per-Torben Sørensen
Posted by jwgoerlich on June 21, 2007, 3:30 pm
Hey, glad that script is of use! Do you want the OU for the person or
for the computer?
J Wolfgang Goerlich
> Nothing less than AWESOME! :) (sorry caps)
>
> Would it be possible to add the OU-structure in the output as well so we can
> filter/sort by OU? It's a rather large amount of computers involved.
>
> Regards
> Per-Torben Sørensen
Posted by Per-Torben Sørensen on June 22, 2007, 4:47 am
OU for the computer please. We have spread the computer members in an OU
structure that represents our Site structure. So far that's the only way to keep
track of things, as we have merged with a few other companies who didn't have
a naming structure on their computers or servers. So we're working on
sorting out the chaos.
Yes, that script was like sent from above. If you're in Norway sometime I'll
buy you a beer ;)
Regards
Per-Torben Sørensen
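The thread ends before the OU version is written. As an added example (not Goerlich's script and not from the original thread), here is one way to include the computer's OU: enumerate computers over LDAP, where distinguishedName carries the container path, then bind to each machine's local Administrators group over WinNT just as the original does. It assumes a domain-joined host with Administrator rights on the audited machines and reachable RPC ports; the output file name is my choice.

```vbscript
' Added example, not J Wolfgang Goerlich's script: local Administrators per
' computer together with the computer's OU, from an LDAP query for computer
' objects. Assumes domain membership, admin rights and open RPC ports.
Option Explicit
Dim oRoot, oConn, oCmd, oRS, oFso, oLog, oShell, sTab
Dim sDN, sName, sOU, oGroup, oMember, sUsers, sGroups
sTab = Chr(9)
Set oShell = CreateObject("WScript.Shell")
Set oFso = CreateObject("Scripting.FileSystemObject")
Set oLog = oFso.CreateTextFile(oShell.SpecialFolders("MyDocuments") & _
    "\Local Admin Audit by OU.txt", True)   ' file name is an assumption
oLog.WriteLine "Computer" & sTab & "OU" & sTab & "Administrators" & sTab & _
    "Administrators Groups"
' Paged ADO query for every computer object in the domain
Set oRoot = GetObject("LDAP://RootDSE")
Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCmd = CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
oCmd.CommandText = "<LDAP://" & oRoot.Get("defaultNamingContext") & ">;" & _
    "(objectCategory=computer);name,distinguishedName;subtree"
oCmd.Properties("Page Size") = 500
Set oRS = oCmd.Execute
Do Until oRS.EOF
    sName = oRS.Fields("name").Value
    sDN = oRS.Fields("distinguishedName").Value
    ' The container path is the DN with the leading "CN=<name>," removed,
    ' e.g. OU=Oslo,OU=Workstations,DC=example,DC=com, which sorts by OU
    sOU = Mid(sDN, InStr(sDN, ",") + 1)
    sUsers = "" : sGroups = ""
    On Error Resume Next
    Set oGroup = GetObject("WinNT://" & sName & "/Administrators,group")
    If Err.Number <> 0 Then
        sUsers = "Error " & Err.Number   ' offline, access denied, etc.
    Else
        For Each oMember In oGroup.Members
            If oMember.Class = "User" Then
                sUsers = sUsers & oMember.Name & "; "
            Else
                sGroups = sGroups & oMember.Name & "; "
            End If
        Next
    End If
    On Error GoTo 0
    oLog.WriteLine sName & sTab & sOU & sTab & sUsers & sTab & sGroups
    oRS.MoveNext
Loop
oLog.Close
```

Run it with cscript.exe from a domain-joined machine; the Power Users column can be added the same way as in the original script.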