How to Find Domain users with Local Administrator Rights
Hello Friends,

We have found that some of the domain users have local admin rights on their PCs.

We need to find out which users are members of the Administrator account and remove them.

Is there any tool to find this out?

Our domain is Windows 2003 Enterprise R2.

Kindly help me. Thanks in advance.
November 23rd, 2009 11:07am

One approach is to create a logon script for your clients. That script would enumerate members of the local Administrators group. You could write your results to a log file per computer in a shared folder.

Another way is to run a script against a list of computers, enumerate their local Administrators members and write them to a log file. Here is a script I used a few years ago. You should make adjustments to it so it fits your needs:

' ***************************************************************************
' * Script name:   ListLocalAdmin1.0.vbs
' * Description:   Lists all members of the local Administrators group of
' *                the computers named in an input list
' * Author:        Konrad Hall
' * Platforms/Req: Windows 2000 or newer
' ***************************************************************************
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objDictionary = CreateObject("Scripting.Dictionary")
Set objNetwork = CreateObject("Wscript.Network")

strLogFolder = "c:\Logs"
strInputfile = "C:\Logs\Comp.txt"   ' one computer name per line; lines starting with # are ignored
strLogfile = "c:\Logs\listlocaladmin" & Date() & ".log"
strComputer = objNetwork.ComputerName
Const ForReading = 1
Const ForAppending = 8

On Error Resume Next

' The helper functions return Booleans. Comparing them to the strings "False" /
' "True" (as the first version did) is never true in VBScript, so the file
' checks never fired and every host was logged as "Dead".
If ReportFileStatus(strInputfile) = False Then
    Wscript.Echo "Input file not found: " & strInputfile
    WScript.Quit
End If

If ReportFolderStatus(strLogFolder) = False Then
    objFSO.CreateFolder(strLogFolder)
End If

If ReportFileStatus(strLogfile) = False Then
    Set logs = objFSO.CreateTextFile(strLogfile)
    logs.Close
End If

' Read the computer list, skipping blank and comment lines
Set objTextFile = objFSO.OpenTextFile(strInputfile, ForReading)
i = 0
Do Until objTextFile.AtEndOfStream
    strNextLine = Trim(objTextFile.ReadLine)
    If Len(strNextLine) > 0 And Left(strNextLine, 1) <> "#" Then
        objDictionary.Add i, strNextLine
        i = i + 1
    End If
Loop
objTextFile.Close

For Each objItem In objDictionary
    strComputerName = objDictionary.Item(objItem)
    members = ""
    If DeadOrAlive(strComputerName) = True Then
        Err.Clear
        Set objGroup = GetObject("WinNT://" & strComputerName & "/Administrators,group")
        If Err.Number <> 0 Then
            ' Without this check, On Error Resume Next hides an access or RPC
            ' failure and the host is logged as Alive with no members
            WriteLog Now() & ";Error;" & strComputerName & ";" & Err.Description
        Else
            For Each objUser In objGroup.Members
                ' objUser.ADsPath (WinNT://DOMAIN/name vs WinNT://DOMAIN/COMPUTER/name)
                ' can be logged as well to tell domain accounts from local ones
                members = members & ";" & objUser.Name
            Next
            WriteLog Now() & ";Alive;" & strComputerName & members
        End If
    Else
        WriteLog Now() & ";Dead;" & strComputerName
    End If
Next

'*****************************
'*** Append one line to the log
'*****************************
Sub WriteLog(strLine)
    Set logs = objFSO.OpenTextFile(strLogfile, ForAppending)
    logs.WriteLine " " & strLine
    logs.Close
End Sub

'*****************************
'*** Check if a file exists
'*****************************
Function ReportFileStatus(filespec)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    ReportFileStatus = fso.FileExists(filespec)
End Function

'*****************************
'*** Check if computer is alive
'*****************************
Function DeadOrAlive(ComputerName)
    Dim objShell, objScriptExec
    Set objShell = CreateObject("Wscript.Shell")
    Set objScriptExec = objShell.Exec("ping -n 2 -w 1000 " & ComputerName)
    ' ReadAll blocks until ping finishes. "Reply" only matches English ping
    ' output; on localized Windows change the string, or every host is
    ' reported as Dead.
    If InStr(objScriptExec.StdOut.ReadAll, "Reply") > 0 Then
        DeadOrAlive = True
    Else
        DeadOrAlive = False
    End If
End Function

'*****************************
'*** Check if a folder exists
'*****************************
Function ReportFolderStatus(folderspec)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    ReportFolderStatus = fso.FolderExists(folderspec)
End Function

November 24th, 2009 2:14am
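An added PowerShell version of the same collection (example code, not Konrad's script): it reads the same computer list, pings each host, enumerates the local Administrators group through the same WinNT provider, and writes a CSV that separates domain accounts from local ones. The paths are assumed to match the VBScript.

```powershell
# Added example, not Konrad's script: the same collection in PowerShell.
# Assumed paths (same as the VBScript): C:\Logs\Comp.txt holds one computer
# name per line, lines starting with '#' are skipped; output is a CSV.
$inputFile = 'C:\Logs\Comp.txt'
$logFolder = 'C:\Logs'
$logFile   = Join-Path $logFolder ('ListLocalAdmin_{0}.csv' -f (Get-Date -Format 'yyyy-MM-dd'))

if (-not (Test-Path $inputFile)) { throw "Input file not found: $inputFile" }
if (-not (Test-Path $logFolder)) { New-Item -ItemType Directory -Path $logFolder | Out-Null }

function New-Row {
    param($Computer, $Status, $Member = '', $Source = '', $IsDomain = $false)
    New-Object PSObject -Property @{
        Computer = $Computer; Status = $Status; Member = $Member
        Source = $Source; IsDomain = $IsDomain
    }
}

function Get-LocalAdminMembers {
    # Same WinNT provider the VBScript uses: GetObject("WinNT://.../Administrators,group")
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/account for domain principals and
        # WinNT://DOMAIN/COMPUTER/account for local ones: two segments = domain
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Row $ComputerName 'Alive' $name $parts[0] ($parts.Count -eq 2)
    }
}

$rows = foreach ($line in Get-Content $inputFile) {
    $computer = $line.Trim()
    if (-not $computer -or $computer.StartsWith('#')) { continue }
    # Test-Connection replaces the VBScript's text match on "Reply", which
    # fails on non-English Windows where ping's output is localized
    if (-not (Test-Connection -ComputerName $computer -Count 2 -Quiet)) {
        New-Row $computer 'Dead'
        continue
    }
    try   { Get-LocalAdminMembers -ComputerName $computer }
    catch { New-Row $computer ('Error: ' + $_.Exception.Message) }
}

$rows | Select-Object Computer, Status, Member, Source, IsDomain |
    Export-Csv -Path $logFile -NoTypeInformation
# Domain accounts holding local admin, grouped for review
$rows | Where-Object { $_.Status -eq 'Alive' -and $_.IsDomain } |
    Sort-Object Member, Computer | Format-Table Member, Computer -AutoSize
```

Run it from an account that is itself an administrator on the target machines; the CSV's IsDomain column is the answer to the original question.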

Dear Konrad,

Thanks for the help let me try.
November 24th, 2009 10:47am

Hi,

Thank you for your post here.

From the description, you want to remove the domain users from the local Administrators group on domain clients.

If you want to remove any other domain users and keep an identical membership of the local Administrators group, you may create a GPO with the Restricted Groups setting in the domain.

Description of Group Policy Restricted Groups

http://support.microsoft.com/kb/279301

Restricted Groups

http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

If you have Windows Vista/Windows 7 clients in the domain, you may install the RSAT tool and configure the Group Policy Preference Local Users and Groups to add/remove members in local groups.

If you have any questions or concerns, please do not hesitate to let me know.

November 24th, 2009 1:57pm

hi,

Miles Li's solution is of course the correct way to go to restrict the local admin membership.

The scripting solution might be useful to document and get a picture of how widespread the local admin usage is.
November 24th, 2009 3:57pm

Konrad,

Your script helped me out a lot.
:-)

Thanks for sharing....
March 9th, 2010 1:14pm

Konrad,
Would the script work if it was added to a group policy within an OU?

March 18th, 2010 6:36pm

With some modification it would be possible.

Instead of reading the computer names from an input file you would just be working with localhost and then write to a log file which would be centrally located.

 

March 19th, 2010 5:38pm

Hello, I'm not a programmer, but the script is still writing to the output log file that the computers from Comp.txt are dead.

 10.3.2011 15:18:59;Dead;nb-dlesk
 10.3.2011 15:19:00;Dead;nb-ddemjanovic
 10.3.2011 15:20:16;Dead;kmv-auditpro;kmv-utilpha;
 10.3.2011 15:20:42;Dead;kmv-auditpro
 10.3.2011 15:22:30;Dead;kmv-auditpro
 10.3.2011 15:25:32;Dead;localhost
 10.3.2011 15:33:23;Dead;kmv-auditpro

Could you help with the right input format of Comp.txt? Now I have only:

nb-dlesk
kmv-utilpha
kmv-auditpro

Thank you for your help.

Vladimir D.

 

March 10th, 2011 5:49pm

On Tue, 27 Nov 2012 14:58:04 +0000, Devendra patel wrote:

I am getting the error "input file not found" when I try to run the .vbs.

This file needs to exist:

strInputfile = "C:\Logs\Comp.txt"

November 27th, 2012 6:00pm

That is a nice VBScript.  I would just run a single cmd line from sccm or login script to write to a share.

net localgroup Administrators>>\\server\share\%computername%.txt

Paul J.

July 2nd, 2013 11:49am
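Added example, not Paul J.'s or the thread's code: a parser for the per-computer files that the net localgroup one-liner appends to the share, joined to an approved baseline so the report lists only members that a Restricted Groups policy (Miles Li's reply) would not allow. The server/share name, computer names and account names are constructed.

```powershell
# Added example, not from the thread: aggregate the per-computer files that
# "net localgroup Administrators >> \\server\share\%computername%.txt" leaves
# on the share and flag members outside an approved baseline (the membership
# a Restricted Groups policy would enforce). Share and accounts are assumed.

function ConvertFrom-NetLocalGroup {
    # Member lines sit between the dashed separator and "The command completed
    # successfully."; a file appended with >> may hold several runs, so all of
    # them are collected and de-duplicated by the caller.
    param([string[]]$Lines)
    $inMembers = $false
    foreach ($line in $Lines) {
        if ($line -match '^-{10,}\s*$')            { $inMembers = $true;  continue }
        if ($line -match '^The command completed') { $inMembers = $false; continue }
        if ($inMembers -and $line.Trim())          { $line.Trim() }
    }
}

function Get-LocalAdminReport {
    # $Collected maps computer name -> file lines; $Baseline is the expected
    # membership. -contains is case-insensitive, as Windows account names are.
    param([hashtable]$Collected, [string[]]$Baseline)
    foreach ($computer in $Collected.Keys) {
        $members = ConvertFrom-NetLocalGroup -Lines $Collected[$computer] | Sort-Object -Unique
        foreach ($member in $members) {
            New-Object PSObject -Property @{
                Computer = $computer
                Member   = $member
                IsDomain = ($member -like '*\*')   # DOMAIN\name; local accounts have no backslash
                Approved = ($Baseline -contains $member)
            }
        }
    }
}

# Constructed sample files, in the layout "net localgroup Administrators" prints
$collected = @{
    'PC01' = @('Alias name     Administrators', 'Comment        Administrators have complete and unrestricted access to the computer/domain', '',
               'Members', '', ('-' * 79), 'Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\jdoe',
               'The command completed successfully.')
    'PC02' = @('Alias name     Administrators', '', 'Members', '', ('-' * 79), 'Administrator',
               'CONTOSO\Domain Admins', 'CONTOSO\Helpdesk', 'localsvc', 'The command completed successfully.')
}
$baseline = @('Administrator', 'CONTOSO\Domain Admins')

# Real share: $collected = @{}; Get-ChildItem \\server\share\*.txt | ForEach-Object { $collected[$_.BaseName] = Get-Content $_.FullName }
Get-LocalAdminReport -Collected $collected -Baseline $baseline |
    Where-Object { -not $_.Approved } |
    Sort-Object Member, Computer | Format-Table Member, Computer, IsDomain -AutoSize
```

With the sample data the report lists CONTOSO\jdoe on PC01 and CONTOSO\Helpdesk and localsvc on PC02; everything in the baseline is suppressed.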
