How to Find Domain users with Local Administrator Rights
-
Monday, November 23, 2009 8:07 AM
Hello Friends,
We have found that some of the domain users have local admin rights on their PCs.
We need to find out which users are members of the Administrator Account & remove them.
Is there any tool to find out?
Our Domain is Windows 2003 Enterprise R2.
Kindly help me. Thanks in advance.
Regards, Amjad
All Replies
-
Monday, November 23, 2009 11:14 PM
One approach is to create a logon script for your clients. That script would enumerate members of the Local Administrators group. You could write your results to a log file per computer on a shared folder.
Another way is to run a script against a list of computers and enumerate their Local Admin members and write to a log file. Here is a script I used a few years ago. You should make adjustments to it so it would fit your needs:
' *******************************************************************************************************
' *                                                                                                     *
' * Script name:   ListLocalAdmin1.0.vbs                                                                *
' * Description:   Lists all members of local administrators group of computers located in list        *
' *                                                                                                     *
' * Author:        Konráð Hall                                                                          *
' *                                                                                                     *
' * Platforms/Req: Windows 2000 or newer                                                                *
' *                                                                                                     *
' *******************************************************************************************************
Const ForReading   = 1
Const ForAppending = 8

Set objFSO        = CreateObject("Scripting.FileSystemObject")
Set objDictionary = CreateObject("Scripting.Dictionary")
Set objNetwork    = CreateObject("Wscript.Network")

strLogFolder = "c:\Logs"
strInputfile = "C:\Logs\Comp.txt"   ' one computer name per line; lines starting with # are skipped
' Build the date part as yyyy-mm-dd: Date() alone follows the regional format, which may contain "/"
' (not allowed in a file name) and would make the log file creation fail silently
strLogfile   = strLogFolder & "\listlocaladmin" & Year(Date) & "-" & Right("0" & Month(Date), 2) & "-" & Right("0" & Day(Date), 2) & ".log"
strComputer  = objNetwork.ComputerName

' Errors (WinNT provider unreachable, access denied, ...) are skipped instead of stopping the run
On Error Resume Next

If Not ReportFileStatus(strInputfile) Then
    Wscript.Echo "Input file not found"
    WScript.Quit
End If

If Not ReportFolderStatus(strLogFolder) Then
    objFSO.CreateFolder(strLogFolder)
End If

If Not ReportFileStatus(strLogfile) Then
    Set logs = objFSO.CreateTextFile(strLogfile)
    logs.Close
End If

' Read the computer list into a dictionary, skipping blank and commented lines
Set objTextFile = objFSO.OpenTextFile(strInputfile, ForReading)
i = 0
Do Until objTextFile.AtEndOfStream
    strNextLine = Trim(objTextFile.ReadLine)
    If Len(strNextLine) > 0 And Left(strNextLine, 1) <> "#" Then
        objDictionary.Add i, strNextLine
        i = i + 1
    End If
Loop
objTextFile.Close

members = ""
For Each objItem In objDictionary
    strComputerName = objDictionary.Item(objItem)
    If DeadOrAlive(strComputerName) Then
        ' Bind to the local Administrators group through the WinNT ADSI provider.
        ' Note: the group name is localized on non-English Windows, and a nested group
        ' (e.g. a domain group that is itself a member) is listed by name, not expanded.
        Set objGroup = GetObject("WinNT://" & strComputerName & "/Administrators,group")
        For Each objUser In objGroup.Members
            ' objUser.Name is the bare account name; objUser.ADsPath (WinNT://DOMAIN/user vs
            ' WinNT://COMPUTER/user) would also tell a domain account from a local one
            members = members & ";" & objUser.Name
        Next
        Set logs = objFSO.OpenTextFile(strLogfile, ForAppending)
        logs.WriteLine(" " & Now() & ";" & "Alive;" & strComputerName & members)
        logs.Close
        members = ""
    Else
        Set logs = objFSO.OpenTextFile(strLogfile, ForAppending)
        logs.WriteLine(" " & Now() & ";" & "Dead;" & strComputerName)
        logs.Close
    End If
Next

'*****************************
'*** Check if a file exists
'*****************************
Function ReportFileStatus(filespec)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    ReportFileStatus = fso.FileExists(filespec)
End Function

'*****************************
'*** Check if computer is alive
'*****************************
Function DeadOrAlive(ComputerName)
    Dim objShell, objScriptExec
    Set objShell = CreateObject("Wscript.Shell")
    Set objScriptExec = objShell.Exec("ping -n 2 -w 1000 " & ComputerName)
    ' Looks for the English "Reply from ..." text; on a localized Windows the word differs and
    ' every host is then reported as Dead, so adjust the string to match your ping output
    If InStr(objScriptExec.StdOut.ReadAll, "Reply") > 0 Then
        DeadOrAlive = True
    Else
        DeadOrAlive = False
    End If
End Function

'*****************************
'*** Check if a folder exists
'*****************************
Function ReportFolderStatus(folderspec)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    ReportFolderStatus = fso.FolderExists(folderspec)
End Function
Konráð Hall
- Marked As Answer by Miles Li, Moderator, Friday, November 27, 2009 2:15 AM
-
Tuesday, November 24, 2009 7:47 AM
Dear Konrad,
Thanks for the help, let me try.
Regards, Amjad
-
Tuesday, November 24, 2009 10:57 AM (Moderator)
Hi,
Thank you for your post here.
From the description, you want to remove the domain users from local Administrators group on domain clients.
If you want to remove any other domain users and keep an identical membership of the local Administrators group, you may create a GPO with a Restricted Groups setting in the domain.
Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301
Restricted Groups
http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx
If you have Windows Vista/Windows 7 clients in the domain, you may install the RSAT tool and configure the Group Policy Preference Local Users and Groups to add/remove members in local groups.
If you have any questions or concerns, please do not hesitate to let me know.
-
Tuesday, November 24, 2009 12:57 PM
Hi,
Miles Li's solution is of course the correct way to go to restrict the local admin membership.
The scripting solution might be useful to document and get a picture of how widespread the Local Admin usage is.
Konráð Hall -
Tuesday, March 09, 2010 10:14 AM
Konrad,
Your script helped me out a lot.
:-)
Thanks for sharing.... -
Thursday, March 18, 2010 3:36 PM
Konrad,
Would the script work if it was added to a group policy within an OU?
-
Friday, March 19, 2010 2:38 PM
With some modification it would be possible.
Instead of reading the computer names from an input file you would just be working with localhost and then write to a log file which would be centrally located.
Konráð Hall -
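As an added example that is not part of the thread, here is a PowerShell version of the logon/startup-script variant Konráð describes: it works against the local computer only, tells domain members from local ones by their WinNT ADsPath (which is what Amjad's question asks for), and writes one CSV file per computer to a central share. The share \\fileserver\AdminAudit$ is a placeholder, and the WinNT ADSI provider is used so it also runs on XP/2003-era hosts with PowerShell 2.0.

```powershell
# Added example: enumerate the local Administrators group on this machine and classify members.
param(
    [string]$LogShare = '\\fileserver\AdminAudit$'   # placeholder share, adjust to your environment
)

$computer  = $env:COMPUTERNAME
$timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

# Resolve the group by its well-known SID so a localized "Administrators" name still works
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://$computer/$groupName,group"

$rows = foreach ($member in @($group.Invoke('Members'))) {
    # Members come back as raw COM objects; read their properties via reflection
    $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
    # ADsPath is WinNT://DOMAIN/user for domain principals and
    # WinNT://COMPUTER/user (or WinNT://DOMAIN/COMPUTER/user) for local ones
    $parts     = ($path -replace '^WinNT://', '').Split('/')
    $authority = $parts[-2]
    $scope     = if ($authority -ieq $computer) { 'Local' } else { 'Domain' }
    New-Object PSObject -Property @{
        Timestamp = $timestamp; Computer = $computer; Scope = $scope
        Authority = $authority; Member = $parts[-1]; Class = $class
    }
}

# Domain groups nested in Administrators (Class = Group) are not expanded here; their
# members hold local admin rights too, so review those groups separately in AD.
$domainMembers = @($rows | Where-Object { $_.Scope -eq 'Domain' })

# One file per computer on the central share; fall back to the local disk if the share is unreachable
$target = if (Test-Path $LogShare) { $LogShare } else { $env:TEMP }
$rows | Select-Object Timestamp, Computer, Scope, Authority, Member, Class |
    Export-Csv -Path (Join-Path $target "$computer.csv") -NoTypeInformation -Force

"$computer : $($domainMembers.Count) domain principal(s) in local $groupName"
$domainMembers | Format-Table Scope, Authority, Member, Class -AutoSize
```

Run it as a computer startup script (rather than a user logon script) so it executes with SYSTEM rights and the share only needs to grant write access to the computer accounts.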
Thursday, March 10, 2011 2:49 PM
Hallo, I'm not a programmer, but the script is still writing to the output log file that the computers from Comp.txt are dead.
10.3.2011 15:18:59;Dead;nb-dlesk
10.3.2011 15:19:00;Dead;nb-ddemjanovic
10.3.2011 15:20:16;Dead;kmv-auditpro;kmv-utilpha;
10.3.2011 15:20:42;Dead;kmv-auditpro
10.3.2011 15:22:30;Dead;kmv-auditpro
10.3.2011 15:25:32;Dead;localhost
10.3.2011 15:33:23;Dead;kmv-auditpro
Could you help with the right input format of Comp.txt? Now I have only:
nb-dlesk
kmv-utilpha
kmv-auditpro
Thank you for your help.
Vladimir D.
-
Tuesday, November 27, 2012 3:00 PM
On Tue, 27 Nov 2012 14:58:04 +0000, Devendra patel wrote:
I am getting "error input file not found" when I try to run the .vbs
This file needs to exist:
strInputfile="C:\Logs\Comp.txt"
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
To be, or not to be, those are the parameters.
- Edited by Paul Adare, MVP, Tuesday, November 27, 2012 3:03 PM
- Proposed As Answer by Devendra patel Wednesday, November 28, 2012 4:55 AM