How to Find Domain users with Local Administrator Rights
Hello Friends,
We have found that some of the domain users have local admin rights on their PCs. We need to find the users who are members of the Administrator Account and remove them. Is there any tool to find out...???
Our Domain is Windows 2003 Enterprise R2.
Kindly help me. Thanks in advance.
Regards,
Amjad
November 23rd, 2009 11:07am
One approach is to create a logon script for your clients. That script would enumerate members of the Local Administrators group. You could write your results to a logfile per computer on a shared folder.
Another way is to run a script against a list of computers and enumerate their Local Admin members and write to a log file. Here is a script I used a few years ago. You should make adjustments to it so it would fit your needs:

' *******************************************************************************
' * Script name:   ListLocalAdmin1.0.vbs
' * Description:   Lists all members of local administrators group of computers
' *                located in list
' * Author:        Konráð Hall
' * Platforms/Req: Windows 2000 or newer
' *******************************************************************************
Const ForReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objDictionary = CreateObject("Scripting.Dictionary")
Set objNetwork = CreateObject("Wscript.Network")

strLogFolder = "c:\Logs"
strInputfile = "C:\Logs\Comp.txt"
' Date() can contain "/" depending on the locale, which is not valid in a file name
strLogfile = "c:\Logs\listlocaladmin" & Replace(Date(), "/", "-") & ".log"
strComputer = objNetwork.ComputerName

On Error Resume Next

' The helper functions return Booleans, so compare against False/True, not strings
If ReportFileStatus(strInputfile) = False Then
    WScript.Echo "Input file not found"
    WScript.Quit
End If
If ReportFolderStatus(strLogFolder) = False Then
    objFSO.CreateFolder(strLogFolder)
End If

If ReportFileStatus(strLogfile) = False Then
    Set logs = objFSO.CreateTextFile(strLogfile)
    logs.Close
End If

' Read the computer list, one name per line; lines starting with # are comments
Set objTextFile = objFSO.OpenTextFile(strInputfile, ForReading)
i = 0
Do Until objTextFile.AtEndOfStream
    strNextLine = objTextFile.ReadLine
    If Not Left(strNextLine, 1) = "#" Then
        objDictionary.Add i, strNextLine
        i = i + 1
    End If
Loop

For Each objItem In objDictionary
    StrComputerName = objDictionary.Item(objItem)
    If DeadOrAlive(StrComputerName) = True Then
        ' Clear stale errors so a failed bind is not logged with the
        ' previous computer's group object
        Err.Clear
        Set objGroup = GetObject("WinNT://" & StrComputerName & "/Administrators,group")
        If Err.Number = 0 Then
            For Each objUser In objGroup.Members
                members = members & ";" & objUser.Name
            Next
            Set logs = objFSO.OpenTextFile(strLogfile, 8)   ' 8 = ForAppending
            logs.WriteLine(" " & Now() & ";" & "Alive;" & StrComputerName & members)
            logs.Close
        Else
            ' Host answered ping but the group could not be read (access denied, RPC blocked, ...)
            Set logs = objFSO.OpenTextFile(strLogfile, 8)
            logs.WriteLine(" " & Now() & ";" & "Error;" & StrComputerName)
            logs.Close
        End If
        members = " "
    Else
        Set logs = objFSO.OpenTextFile(strLogfile, 8)
        logs.WriteLine(" " & Now() & ";" & "Dead;" & StrComputerName)
        logs.Close
    End If
Next

'*****************************
'*** Check if log file exists
'*****************************
Function ReportFileStatus(filespec)
    Dim objfso
    Set objfso = CreateObject("Scripting.FileSystemObject")
    If (objfso.FileExists(filespec)) Then
        ReportFileStatus = True
    Else
        ReportFileStatus = False
    End If
End Function

'*****************************
'*** Check if computer is alive
'*****************************
Function DeadOrAlive(ComputerName)
    Set objShell = CreateObject("Wscript.Shell")
    Set objScriptExec = objShell.Exec("ping -n 2 -w 1000 " & ComputerName)
    ' Matches the word "Reply" in the English ping output
    If InStr(objScriptExec.StdOut.ReadAll, "Reply") > 0 Then
        DeadOrAlive = True
    Else
        DeadOrAlive = False
    End If
End Function

' Function which returns either True or False
Function ReportFolderStatus(folderspec)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    If (fso.FolderExists(folderspec)) Then
        ReportFolderStatus = True
    Else
        ReportFolderStatus = False
    End If
End Function

Konráð Hall
November 24th, 2009 2:14am
Dear Konrad,
Thanks for the help, let me try.
Regards,
Amjad
November 24th, 2009 10:47am
Hi,
Thank you for your post here.
From the description, you want to remove the domain users from local Administrators group on domain clients.
If you want to remove any other domain users and keep an identical membership of the local Administrators group, you may create a GPO with the Restricted Groups setting in the domain.
Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301
Restricted Groups
http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx
If you have Windows Vista/Windows 7 clients in the domain, you may install the RSAT tool and configure the Group Policy Preference Local Users and Groups to add/remove members in local groups.
If you have any questions or concerns, please do not hesitate to let me know.
November 24th, 2009 1:57pm
Hi, Miles Li's solution is of course the correct way to go to restrict the local admin membership. The scripting solution might be useful to document and get a picture of how widespread the Local Admin usage is.
Konráð Hall
November 24th, 2009 3:57pm
Konrad, your script helped me out a lot. :-) Thanks for sharing....
March 9th, 2010 1:14pm
Konrad, would the script work if it was added to a group policy within an OU?
March 18th, 2010 6:36pm
With some modification it would be possible.
Instead of reading the computer names from an input file you would just be working with localhost and then write to a logfile which would be centrally located.
Konráð Hall
March 19th, 2010 5:38pm
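The logon-script variant described in the reply above, written out as an added example (it is not code from the thread or from its author). It audits only the machine it runs on and appends one line per run to a per-computer log on a central share; the share path `\\fileserver\AdminAudit$` and the helper names `Classify` and `PathToAccount` are assumptions made for illustration.

```vbscript
' Added example: audits the local Administrators group of the machine it runs on.
' Assumption: \\fileserver\AdminAudit$ is a hypothetical share clients can write to.
Option Explicit

Const ForAppending = 8
Const strShare = "\\fileserver\AdminAudit$"   ' hypothetical central share

Dim objNetwork, objFSO, objGroup, objMember, objLog
Dim strComputer, strLine

Set objNetwork = CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strComputer = objNetwork.ComputerName

' Bind to the local Administrators group through the WinNT provider
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' One log line per run: timestamp;computer;KIND:account;KIND:account;...
strLine = Now() & ";" & strComputer
For Each objMember In objGroup.Members
    strLine = strLine & ";" & Classify(objMember.ADsPath, strComputer) & _
              ":" & PathToAccount(objMember.ADsPath)
Next

' One file per computer, so clients never write to the same file
Set objLog = objFSO.OpenTextFile(strShare & "\" & strComputer & ".log", ForAppending, True)
objLog.WriteLine strLine
objLog.Close

' Local accounts have an ADsPath that contains the computer name
' (WinNT://DOMAIN/COMPUTER/name). Everything else (domain users, domain
' groups, well-known principals) is reported as NONLOCAL.
Function Classify(strPath, strLocalName)
    If InStr(1, strPath, "/" & strLocalName & "/", vbTextCompare) > 0 Then
        Classify = "LOCAL"
    Else
        Classify = "NONLOCAL"
    End If
End Function

' "WinNT://DOMAIN/jsmith" -> "DOMAIN\jsmith"
Function PathToAccount(strPath)
    PathToAccount = Replace(Mid(strPath, Len("WinNT://") + 1), "/", "\")
End Function
```

The NONLOCAL entries are the ones to review against the intended membership. The account the script runs under needs create and append rights on the share, and should not be able to modify other computers' log files.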
Hello, I'm not a programmer, but the script is still writing to the output log file that the computers from Comp.txt are dead.
10.3.2011 15:18:59;Dead;nb-dlesk
10.3.2011 15:19:00;Dead;nb-ddemjanovic
10.3.2011 15:20:16;Dead;kmv-auditpro;kmv-utilpha;
10.3.2011 15:20:42;Dead;kmv-auditpro
10.3.2011 15:22:30;Dead;kmv-auditpro
10.3.2011 15:25:32;Dead;localhost
10.3.2011 15:33:23;Dead;kmv-auditpro
Could you help with the right input format of Comp.txt? Now I have only:
nb-dlesk
kmv-utilpha
kmv-auditpro
Thank you for your help.
Vladimir D.
March 10th, 2011 9:57am