VB Script to list all users in the local administrators Group on a member server

    Question

  • Hello. I am new to scripts and would like to know if the following is possible:

    I need a list of users, groups and details of all nested groups and its members who belong to the local administrators group of a given AD member server. I would like these details exported to a csv file.

    Thanks.

    Friday, February 25, 2011 11:43 AM

Answers

  • I have an example VBScript program to document membership in a local group here:

    http://www.rlmueller.net/Enumerate%20Local%20Group.htm

    This program documents all members due to nesting, including local and domain users. As written it documents the local Administrators group. You can assign the NetBIOS name of a remote computer to the variable strComputer in the program, to document membership in the local Administrators group on the remote machine. You can run the script at a command prompt using the cscript host, so you can redirect the output to a text file.

    Richard Mueller


    MVP ADSI
    Friday, February 25, 2011 12:46 PM
    Moderator

All replies

  • '=====================
    '= Gets Local Admins =
    '=====================
    Sub GetLocalAdmins (Computer)
    Dim objComp
    strComputer = Computer
    Set objComp = GetObject("WinNT://" & strComputer) 'seems to have issues here.
    objComp.GetInfo 'or here....
    If objComp.PropertyCount > 0 Then
      Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
      If objGroup.PropertyCount > 0 Then
        WScript.Echo "The members of the local Administrators group on " & strComputer & " are:"
        For Each mem In objGroup.Members
          WScript.echo vbTab & Right(mem.adsPath,Len(mem.adsPath) - 8)
        Next
      Else
        WScript.echo "** Connecting to the local Administrators group on " & strComputer & " failed."
        WScript.Quit 1
      End If
    Else
      WScript.Echo "** Connecting to " & strComputer & " failed."
      WScript.Quit 1
    End If
    End Sub

    or just use the following command from batch:

    net localgroup administrators

    Friday, February 25, 2011 12:09 PM
  • Thanks for the script, but I get the following error when I try to run the script:

    get_admin_members.vbs(107, 13) (null): Name translation: Could not find the name or insufficient right to see name.

    I run the script with domain admin rights and the script stops when it finds another group within a group.

    Tuesday, March 01, 2011 1:58 PM
  • If your copy of the script is the same as mine, line 107 should be the following:

    objTrans.Set ADS_NAME_TYPE_NT4, strNTName

    The script has determined that the member is a domain group and is attempting to convert the NetBIOS name of the group into the Distinguished Name, so it can enumerate its members. Either the script is mistaken and the group is not a domain group (which I have not seen before), or you lack permission to query for objects in Active Directory. When you run the script, are you authenticated to the domain? Does the ADsPath of the group, which should be the last member reported, confirm that it is a domain group? The ADsPath of a local group includes the NetBIOS name of the local machine. The ADsPath of a domain group includes the NetBIOS name of the domain.

    Richard Mueller


    MVP ADSI
    Tuesday, March 01, 2011 3:11 PM
    Moderator
  • Thanks for your reply.

    I can confirm that I run the script with domain admin privileges.

    I also checked that the adspath of the group confirms that it is a domain group.

    Tuesday, March 01, 2011 3:32 PM
  • You shouldn't need even Domain Admin privileges. I've never seen NameTranslate fail to convert a NetBIOS name into a Distinguished Name, unless the name does not exist in the domain. The code could bind to the domain group with the WinNT provider, using the NetBIOS name, but WinNT does not reveal nested domain groups. In case the domain group has members that are groups, we need to use the LDAP provider to reveal the nesting, which requires the Distinguished Name. Another method to retrieve the DN would be to use ADO to search AD, but if NameTranslate fails I would expect ADO to also fail. Given the NetBIOS name of the group, does the following retrieve the DN?

    dsquery * -filter "(sAMAccountName=GroupName)"
    Richard Mueller
    MVP ADSI
    Wednesday, March 02, 2011 4:49 AM
    Moderator
  • This is a very old thread, but I'm having this same issue with all of the scripts that I can find to do this function. The scripts take the current domain and then use that with each domain group to find the members "recursively". HOWEVER, when there are groups from other domains present in the local admins group, the scripts choke.

    We need a script that uses the domain OF THE GROUP that it finds present.


    Tony Auby

    Monday, September 30, 2013 4:50 PM
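
The ADsPath rule described earlier in the thread (a local account's path contains the machine name, a domain account's path contains its domain's name) can be used to record each member's own domain in the CSV, so that nested groups are later expanded against the right domain rather than the current one. The following is an added example, not code from any post in this thread or from the linked scripts; the function names and the sample names CONTOSO, FABRIKAM and SRV01 are assumptions made up for illustration.

```powershell
# Added example (PowerShell 3.0+); not code from the thread.
# Splits a WinNT ADsPath into its authority (computer or domain) and member name.
function ConvertFrom-WinNTPath {
    param([string]$AdsPath, [string]$Class, [string]$Computer)
    $parts = @(($AdsPath -replace '^WinNT://', '') -split '/')
    $name  = $parts[-1]
    if ($parts.Count -eq 1) {
        # No authority in the path: an orphaned SID or a bare well-known name.
        $authority = ''
        $scope = if ($name -like 'S-1-*') { 'UnresolvedSid' } else { 'WellKnown' }
    } elseif ($parts.Count -ge 3 -and $parts[-2] -eq $Computer) {
        $scope = 'Local';     $authority = $Computer   # path names the machine
    } elseif (@('NT AUTHORITY', 'BUILTIN') -contains $parts[0]) {
        $scope = 'WellKnown'; $authority = $parts[0]
    } else {
        $scope = 'Domain';    $authority = $parts[0]   # the member's own domain
    }
    [pscustomobject]@{
        Computer = $Computer; Member = $name; Class = $Class
        Scope = $scope; Authority = $authority; AdsPath = $AdsPath
    }
}

# Direct members of the local Administrators group, read through the WinNT provider.
function Get-LocalAdminMember {
    param([string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        ConvertFrom-WinNTPath -AdsPath $path -Class $class -Computer $Computer
    }
}

# Constructed sample paths, so the classification can be checked offline.
$sample = @(
    @{ P = 'WinNT://CONTOSO/SRV01/Administrator'; C = 'User'  },
    @{ P = 'WinNT://CONTOSO/Domain Admins';       C = 'Group' },
    @{ P = 'WinNT://FABRIKAM/Server Admins';      C = 'Group' },
    @{ P = 'WinNT://NT AUTHORITY/INTERACTIVE';    C = 'Group' },
    @{ P = 'WinNT://S-1-5-21-1111111111-2222222222-3333333333-1105'; C = 'User' }
)
$sample | ForEach-Object { ConvertFrom-WinNTPath $_.P $_.C 'SRV01' } |
    ConvertTo-Csv -NoTypeInformation

# Against a live machine:
# Get-LocalAdminMember -Computer SRV01 | Export-Csv .\local-admins.csv -NoTypeInformation
```

Rows with Scope "Domain" and Class "Group" are the ones that still need nested expansion, and the Authority column names the domain to query for each of them.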
  • Hi Richard,

    I tried to use this script but I get this error:

    PS C:\Users\alex.cook\Desktop> .\PSEnumLocalGroup.ps1
    Computer: MyComputer
    Group: Administrators
    Error: The network path was not found.

    Exception calling "Invoke" with "2" argument(s): "The network path was not found.
    "
    At C:\Users\alex.cook\Desktop\PSEnumLocalGroup.ps1:25 char:42
    +     $Members= @($LocalGroup.psbase.Invoke <<<< ("Members"))
        + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException
        + FullyQualifiedErrorId : DotNetMethodException

    Can you please help?

    Friday, December 13, 2013 1:11 PM
  • Hi,

    First, Richard's script was written in VBScript, not PowerShell. 'PSEnumLocalGroup.ps1' is a PowerShell script.

    Second, this question is already marked answered. If you still need help, please start a new question.

    Bill

    Friday, December 13, 2013 3:06 PM
    Moderator
  • The PS script has the computer name "MyComputer" hard coded. You need to change this to the NetBIOS name of a computer in your network (that is online and accessible). If you need the group membership of the local Administrators group of your local computer, you can either hard code the name of your local computer, or use $env:ComputerName to retrieve the name from the environment. The problem statement is:

    $strComputer = "MyComputer"

    Either change the hard coded name, or use the following to retrieve the name of the local computer:

    $strComputer = $env:ComputerName


    Richard Mueller - MVP Directory Services

    Friday, December 13, 2013 6:00 PM
    Moderator