In search for tool.....

  • Question

  • Hello All,

    I'm in search of a tool that can capture and report the number of direct, and nested, members of a systems admin group across any/all Windows Server 2k3/8 servers in a 3000 system environment. All servers are members of the same domain under Active Directory. I would like to stay clear of agent based solutions. My first requirement for the tool is to gather a server count of all systems that have an alarming amount of admin group members (have yet to set a specific threshold). From that, I will take the necessary steps to minimize this count. The second requirement for the tool would be to monitor and alert any changes of the admins group for all systems in the environment. Is there a tool that can perform both, or either?

    Your input is appreciated. Thank you.

    Espazito  

    Friday, April 1, 2011 10:29 PM

Answers

  • Here is a PowerShell script. You can read more info at

    http://portal.sivarajan.com/2011/04/list-local-administrator-group-members.html

    http://gallery.technet.microsoft.com/scriptcenter/f99a701a-a8f5-489f-8c30-77b6bf1e8ffd

     

    $From = "santhosh@sanlab.com"
    $To = "santhosh@sanlab.com"
    $SMTPServer = "mail.sanlab.com"
    $SMTP = New-Object Net.Mail.SmtpClient($SMTPServer)
    # The report file is recreated on every run (-Force overwrites an existing file).
    $GFile = New-Item -ItemType File -Force "C:\Scripts\SGroupMemberDetails.csv"
    # Servers.csv must have a "ServerName" column header.
    Import-Csv "C:\Scripts\Servers.csv" | ForEach-Object {
        $N = 0
        $SName = $_.ServerName
        "Server Name -  $SName" | Out-File $GFile -Encoding ASCII -Append
        # Bind to the server's local Administrators group through the WinNT ADSI provider.
        $group = [ADSI]("WinNT://$SName/Administrators,group")
        $GMembers = $group.psbase.Invoke("Members")
        # Members are returned as raw COM objects; read each Name via reflection
        # and count them (direct members only, nested groups are not expanded).
        $GMembers | ForEach-Object {
            $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) | Out-File $GFile -Encoding ASCII -Append
            $N++
        }
        If ($N -gt 5) {
            $Sub = "Administrator Group Details on $SName Server"
            $Ebody = "Administrator Group on $SName Server has $N members."
            $SMTP.Send($From, $To, $Sub, $Ebody)
            #Add specific details/function here.
        }
        Else {
            # Currently identical to the If branch; put your below-threshold handling here.
            $Sub = "Administrator Group Details on $SName Server"
            $Ebody = "Administrator Group on $SName Server has $N members."
            $SMTP.Send($From, $To, $Sub, $Ebody)
            #Add specific details/function here.
        }
    }

     


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Monday, April 4, 2011 1:40 AM
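The script above counts only direct members, while the question asks for direct and nested members. The following is an added example, not code from the thread or from Santhosh's blog: it walks each server's local Administrators group through the same WinNT ADSI provider, descends into nested groups, de-duplicates members, and flags servers over a threshold. The Servers.csv layout (a ServerName column), the threshold of 10 and the report path are assumptions for this example. One caveat: the WinNT provider expands domain global groups reliably, but for universal or domain-local groups an LDAP query of the group's member attribute is more complete.

```powershell
# Added example (not part of the thread): count direct AND nested members of
# each server's local Administrators group and flag servers over a threshold.
# Assumptions: C:\Scripts\Servers.csv has a ServerName column; the threshold
# and the report path are placeholders chosen for this example.

$Threshold = 10
$Report    = "C:\Scripts\AdminGroupReport.csv"

function Get-AdsiProperty {
    # Invoke("Members") returns raw COM objects; read a property (Name, Class,
    # ADsPath) through reflection, the same way the posted script reads Name.
    param($Object, [string]$Name)
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $null)
}

function Get-GroupMembersRecursive {
    # Emits one object per member of the group at $AdsPath, descending into
    # nested groups. $Seen (a shared set of ADsPaths) prevents double counting
    # and infinite loops on circular nesting (A contains B contains A).
    param(
        [string]$AdsPath,
        [System.Collections.Generic.HashSet[string]]$Seen,
        [int]$Depth = 0
    )
    $group = [ADSI]$AdsPath
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        $path  = Get-AdsiProperty $m 'ADsPath'
        $class = Get-AdsiProperty $m 'Class'
        $name  = Get-AdsiProperty $m 'Name'
        if (-not $Seen.Add($path)) { continue }     # already counted
        New-Object PSObject -Property @{ Name = $name; Class = $class; Path = $path; Depth = $Depth }
        if ($class -eq 'Group') {
            try {
                # Nested group: bind to it by its own ADsPath and recurse.
                Get-GroupMembersRecursive -AdsPath "$path,group" -Seen $Seen -Depth ($Depth + 1)
            } catch {
                Write-Warning "Could not expand nested group $name under $AdsPath : $($_.Exception.Message)"
            }
        }
    }
}

$rows = foreach ($row in Import-Csv "C:\Scripts\Servers.csv") {
    $server = $row.ServerName
    try {
        $seen    = New-Object 'System.Collections.Generic.HashSet[string]'
        $members = @(Get-GroupMembersRecursive -AdsPath "WinNT://$server/Administrators,group" -Seen $seen)
        $direct  = @($members | Where-Object { $_.Depth -eq 0 }).Count
        New-Object PSObject -Property @{
            Server        = $server
            DirectMembers = $direct
            TotalMembers  = $members.Count              # direct + nested, de-duplicated
            OverThreshold = ($members.Count -gt $Threshold)
            Members       = (($members | ForEach-Object { $_.Name }) -join ';')
        }
    } catch {
        # Unreachable server, access denied, etc.: record it rather than abort the sweep.
        New-Object PSObject -Property @{
            Server = $server; DirectMembers = -1; TotalMembers = -1
            OverThreshold = $false; Members = "ERROR: $($_.Exception.Message)"
        }
    }
}

$rows | Export-Csv -NoTypeInformation -Path $Report
# Servers that need attention first: the over-threshold ones, largest group first.
$rows | Where-Object { $_.OverThreshold } | Sort-Object TotalMembers -Descending |
    Format-Table Server, DirectMembers, TotalMembers -AutoSize
```

The per-server try/catch matters in a 3000-system sweep: one decommissioned host or one access-denied error should produce an ERROR row, not terminate the run, and the ERROR rows themselves are worth reviewing since a server you cannot enumerate is a server whose admin group you are not monitoring.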
  • Are you talking about the local admin group on the member servers or groups in Active Directory?

    If you don’t want to install an agent on servers, my recommendation is to create a script to achieve this goal.  Here is an example:

    http://portal.sivarajan.com/2010/08/list-group-members-in-active.html

    You can modify this script to search the Admin group on servers.  Schedule this script to run.

    Admin group member modification can be monitored using any monitoring solution like Microsoft SCOM, but you need to install an agent.

    Another option is to enable Auditing and generate an alert based on event log details.  Take a look at the following blog:

    http://portal.sivarajan.com/2010/04/generate-email-alert-to-event-attach.html

     


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Saturday, April 2, 2011 12:11 AM
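An added example of the auditing option mentioned in this answer; it is not code from the thread or from the linked blog post. On Windows Server 2008 and later, with "Audit Security Group Management" enabled, adding a member to a security-enabled local group logs event 4732 and removing one logs 4733 (Windows Server 2003 logs 636/637 and has no Get-WinEvent, so this example is 2008+ only). The script polls each server's Security log for those events, keeps only the ones concerning the Administrators group, and mails a summary. It assumes a Servers.csv with a ServerName column, remote event log access (the Remote Event Log Management firewall rule), and placeholder mail settings.

```powershell
# Added example (not part of the thread): agentless change alerting from the
# Security log. Event 4732 = member added to a security-enabled local group,
# 4733 = member removed (Windows Server 2008+). Requires group-management
# auditing to be enabled on the servers and remote event log access.
# Assumed: Servers.csv with a ServerName column; mail settings are placeholders.

$Servers  = Import-Csv "C:\Scripts\Servers.csv" | ForEach-Object { $_.ServerName }
$Since    = (Get-Date).AddHours(-1)       # run hourly from Task Scheduler
$SmtpHost = "mail.example.com"            # assumed
$MailFrom = "admin-audit@example.com"     # assumed
$MailTo   = "secops@example.com"          # assumed

function Get-EventField {
    # Read a named EventData field from the event's XML instead of relying on
    # positional Properties[] indexes, which differ between event IDs.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-AdminGroupChanges {
    param([string[]]$ComputerName, [datetime]$StartTime)
    foreach ($c in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = 4732, 4733; StartTime = $StartTime }
        # SilentlyContinue: "no events found" and unreachable hosts are not fatal here.
        $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in @($events)) {
            # TargetUserName is the group that was modified; skip other local groups.
            if ((Get-EventField $e 'TargetUserName') -ne 'Administrators') { continue }
            $action = if ($e.Id -eq 4732) { 'ADDED' } else { 'REMOVED' }
            New-Object PSObject -Property @{
                Time      = $e.TimeCreated
                Server    = $c
                Action    = $action
                Member    = Get-EventField $e 'MemberName'    # DN for domain accounts, "-" otherwise
                MemberSid = Get-EventField $e 'MemberSid'
                By        = "$(Get-EventField $e 'SubjectDomainName')\$(Get-EventField $e 'SubjectUserName')"
            }
        }
    }
}

$changes = @(Get-AdminGroupChanges -ComputerName $Servers -StartTime $Since)
if ($changes.Count -gt 0) {
    $body = $changes | Sort-Object Time |
        Format-Table Time, Server, Action, Member, MemberSid, By -AutoSize | Out-String
    $smtp = New-Object Net.Mail.SmtpClient $SmtpHost
    $smtp.Send($MailFrom, $MailTo, "Local Administrators changed: $($changes.Count) event(s)", $body)
}
```

The MemberSid field is kept alongside MemberName because the name is empty ("-") for local accounts and for principals the server cannot resolve, and the "By" field tells you which account made the change, which is usually the first question an investigation asks.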
  • A VBScript program can loop through a list of computers and for each computer enumerate the direct members of the local Administrators group. This can be done from any client, as long as you are a member of "Domain Admins" (and this group is still a member of all local Administrators groups). For example:

     

    Option Explicit
    
    Dim arrServers, strServer, objLocalAdms, objMember, blnFound
    
    arrServers = Array("Server1", "Server2", "Server3")
    
    ' Enumerate servers.
    For Each strServer In arrServers
      ' Bind to local Administrators group.
      On Error Resume Next
      Set objLocalAdms = GetObject("WinNT://" & strServer & "/Administrators,group")
      If (Err.Number = 0) Then
        On Error GoTo 0
        ' Enumerate all direct members.
        blnFound = False
        For Each objMember In objLocalAdms.Members
          ' Look for "Domain Admins".
          If (InStr(LCase(objMember.Name), "domain admins") > 0) then
            blnFound = True
            Exit For
          End If
        Next
        If (blnFound = True) Then
          Wscript.Echo "Domain Admins found on " & strServer
        Else
          Wscript.Echo "Domain Admins NOT found on " & strServer
        End If
      Else
        On Error GoTo 0
        Wscript.Echo "Computer " & strServer & " NOT found"
      End If
    Next

     

    You can also use ADO to retrieve info on all servers in your domain. This example retrieves the distinguishedName of all servers:

    http://www.rlmueller.net/Enumerate%20Servers.htm

    This could be modified to retrieve the sAMAccountName instead, which is the NetBIOS name with a "$" appended on the end. You could add code similar to above in the loop where you enumerate all servers.

    However, the best way to manage membership in the local Administrators group is to use the Restricted Groups feature of Group Policy. See these links:

    http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

    http://support.microsoft.com/kb/279301

    This feature enforces membership. However, you may not be able to use this if you are not aware of all memberships and their purpose. Once you enable this feature, all members of the groups not specified in your policy will be removed.

    Retrieving nested local group memberships is more difficult. I have an example VBScript program linked here, but it only targets the local computer:

    http://www.rlmueller.net/Enumerate%20Local%20Group.htm

    This could be revised to loop through an array of computer names, similar to the first example I posted above.

     


    Richard Mueller - MVP Directory Services
    Saturday, April 2, 2011 12:59 AM
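The scripted enumeration approaches in this thread can be scheduled, and once they are, the second requirement (alerting on changes) can be met without auditing or agents by diffing two consecutive runs. This is an added example, not code from the thread: it assumes each run writes a CSV with a Server column and a Members column holding the ';'-joined member names, and it embeds two constructed sample CSVs so the comparison can be exercised offline.

```powershell
# Added example (not part of the thread): change detection by diffing two
# scheduled enumeration runs. Assumed CSV layout: one row per server, a
# Server column and a Members column of ';'-joined member names.

function Compare-AdminSnapshots {
    param([string]$BaselinePath, [string]$CurrentPath)
    $base = @{}
    foreach ($r in Import-Csv $BaselinePath) {
        $base[$r.Server] = @($r.Members -split ';' | Where-Object { $_ -ne '' })
    }
    foreach ($r in Import-Csv $CurrentPath) {
        $now = @($r.Members -split ';' | Where-Object { $_ -ne '' })
        $was = if ($base.ContainsKey($r.Server)) { $base[$r.Server] } else { @() }
        $added   = @($now | Where-Object { $was -notcontains $_ })
        $removed = @($was | Where-Object { $now -notcontains $_ })
        # Only changed servers are reported; a server new to the inventory
        # shows all of its members as added, which is the right default.
        if ($added.Count -gt 0 -or $removed.Count -gt 0) {
            New-Object PSObject -Property @{
                Server  = $r.Server
                Added   = ($added -join ';')
                Removed = ($removed -join ';')
                Total   = $now.Count
            }
        }
    }
}

# --- constructed sample data (not real servers) so the function runs offline ---
$baseline = Join-Path $env:TEMP 'admins-baseline.csv'
$current  = Join-Path $env:TEMP 'admins-current.csv'
@'
Server,Members
SRV01,Administrator;CONTOSO\Domain Admins;CONTOSO\SrvOps
SRV02,Administrator;CONTOSO\Domain Admins
'@ | Set-Content $baseline
@'
Server,Members
SRV01,Administrator;CONTOSO\Domain Admins;CONTOSO\SrvOps;CONTOSO\jsmith
SRV02,Administrator
SRV03,Administrator;CONTOSO\Domain Admins
'@ | Set-Content $current

$changes = @(Compare-AdminSnapshots -BaselinePath $baseline -CurrentPath $current)
$changes | Format-Table Server, Added, Removed, Total -AutoSize

# In production: mail $changes when it is non-empty (as the SmtpClient code in
# this thread does), then promote the current file to be the next baseline:
# Copy-Item $current $baseline -Force
```

The constructed sample covers the three cases a reviewer cares about: a member added (SRV01), a member removed (SRV02, which also loses Domain Admins and therefore your ability to enumerate it next run), and a server that appears for the first time (SRV03). Polling cannot see a member who was added and removed between two runs, which is the gap the audit-log approach closes; the two methods complement each other.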
