How to Find Domain users with Local Administrator Rights
Hello Friends, We have found that some of the domain users have local admin rights on their PCs. We need to find out the users who are members of the Administrators group and remove them. Is there any tool to find out? Our domain is Windows 2003 Enterprise R2. Kindly help me. Thanks in advance. Regards, Amjad
November 23rd, 2009 11:07am

One approach is to create a logon script for your clients. That script would enumerate members of the Local Administrators group. You could write your results to a log file per computer on a shared folder.

Another way is to run a script against a list of computers and enumerate their Local Admin members and write to a log file. Here is a script I used a few years ago. You should make adjustments to it so it would fit your needs:

' ***************************************************************************
' *
' * Script name:   ListLocalAdmin1.0.vbs
' * Description:   Lists all members of local administrators group of
' *                computers located in list
' *
' * Author:        Konráð Hall
' *
' * Platforms/Req: Windows 2000 or newer
' *
' ***************************************************************************
Const ForReading = 1
Const ForAppending = 8

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objDictionary = CreateObject("Scripting.Dictionary")

strLogFolder = "c:\Logs"
strInputfile = "C:\Logs\Comp.txt"
' Build the date stamp by hand: Date() is formatted per locale and can contain
' "/" or ".", which is not safe in a file name.
strStamp = Year(Date) & Right("0" & Month(Date), 2) & Right("0" & Day(Date), 2)
strLogfile = strLogFolder & "\listlocaladmin" & strStamp & ".log"

' The helper functions return Booleans, so test them directly instead of
' comparing against the strings "True"/"False".
If Not ReportFileStatus(strInputfile) Then
    WScript.Echo "Input file not found"
    WScript.Quit
End If

If Not ReportFolderStatus(strLogFolder) Then
    objFSO.CreateFolder strLogFolder
End If

If Not ReportFileStatus(strLogfile) Then
    Set logs = objFSO.CreateTextFile(strLogfile)
    logs.Close
End If

' Read the computer list: one name per line, lines starting with "#" are skipped
Set objTextFile = objFSO.OpenTextFile(strInputfile, ForReading)
i = 0
Do Until objTextFile.AtEndOfStream
    strNextLine = Trim(objTextFile.ReadLine)
    If strNextLine <> "" And Left(strNextLine, 1) <> "#" Then
        objDictionary.Add i, strNextLine
        i = i + 1
    End If
Loop
objTextFile.Close

For Each objItem In objDictionary
    strComputerName = objDictionary.Item(objItem)
    Set logs = objFSO.OpenTextFile(strLogfile, ForAppending)
    If DeadOrAlive(strComputerName) Then
        members = ""
        ' Errors are suppressed only around the WinNT bind and enumeration, and
        ' a failure (access denied, RPC unavailable) is logged instead of hidden.
        On Error Resume Next
        Set objGroup = GetObject("WinNT://" & strComputerName & "/Administrators,group")
        If Err.Number = 0 Then
            For Each objUser In objGroup.Members
                members = members & ";" & objUser.Name
            Next
        End If
        If Err.Number <> 0 Then
            logs.WriteLine " " & Now() & ";Error;" & strComputerName & ";" & Err.Description
            Err.Clear
        Else
            logs.WriteLine " " & Now() & ";Alive;" & strComputerName & members
        End If
        On Error GoTo 0
    Else
        logs.WriteLine " " & Now() & ";Dead;" & strComputerName
    End If
    logs.Close
Next

'*****************************
'*** Check if log file exists
'*****************************
Function ReportFileStatus(filespec)
    ReportFileStatus = objFSO.FileExists(filespec)
End Function

'*****************************
'*** Check if computer is alive
'*****************************
Function DeadOrAlive(ComputerName)
    Set objShell = CreateObject("Wscript.Shell")
    Set objScriptExec = objShell.Exec("ping -n 2 -w 1000 " & ComputerName)
    ' "TTL=" appears only in a successful echo reply and does not depend on the
    ' Windows display language; "Reply" also matches "Destination host
    ' unreachable" lines and is translated on localized systems.
    DeadOrAlive = (InStr(objScriptExec.StdOut.ReadAll, "TTL=") > 0)
End Function

'*****************************
'*** Check if folder exists (returns True or False)
'*****************************
Function ReportFolderStatus(folderspec)
    ReportFolderStatus = objFSO.FolderExists(folderspec)
End Function

Konráð Hall
November 24th, 2009 2:14am

Dear Konrad, Thanks for the help, let me try. Regards, Amjad
November 24th, 2009 10:47am

Hi, Thank you for your post here. From the description, you want to remove the domain users from the local Administrators group on domain clients. If you want to remove any other domain users and keep an identical membership of the local Administrators group, you may create a GPO with the Restricted Groups setting in the domain.

Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301

Restricted Groups
http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

If you have Windows Vista/Windows 7 clients in the domain, you may install the RSAT tool and configure the Group Policy Preference Local Users and Groups to add/remove members in local groups. If you have any questions or concerns, please do not hesitate to let me know.
November 24th, 2009 1:57pm

Hi, Miles Li's solution is of course the correct way to go to restrict the local admin membership. The scripting solution might be useful to document and get a picture of how widespread the Local Admin usage is. Konráð Hall
November 24th, 2009 3:57pm

Konrad, Your script helped me out a lot. :-) Thanks for sharing....
March 9th, 2010 1:14pm

Konrad, Would the script work if it was added to a group policy within an OU?
March 18th, 2010 6:36pm

With some modification it would be possible. Instead of reading the computer names from an input file you would just be working with localhost and then write to a log file which would be centrally located. Konráð Hall
March 19th, 2010 5:38pm
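The localhost variant described in the reply above, written out as an added example (it is not Konráð Hall's code or part of the original thread). It audits only the machine it runs on, writes one log file per computer to a central share, and records each member's full ADsPath so domain accounts can be told apart from local ones; the share path `\\fileserver\LocalAdminAudit$` and the `AccountScope` helper are assumptions made for illustration.

```vbscript
' Added example: logon-script variant that audits the local machine only.
' ASSUMPTION: \\fileserver\LocalAdminAudit$ is a placeholder for a share where
' users may create and append files but cannot read or change other logs.
Option Explicit

Const ForAppending = 8
Const LOG_SHARE = "\\fileserver\LocalAdminAudit$"   ' placeholder path

Dim objNetwork, objFSO, objGroup, objMember, objLog
Dim strComputer, strLine

Set objNetwork = CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strComputer = objNetwork.ComputerName

On Error Resume Next
Set objGroup = GetObject("WinNT://./Administrators,group")
If Err.Number <> 0 Then WScript.Quit 1   ' cannot read the group; nothing to log
' One file per computer avoids write contention when many clients log on at once
Set objLog = objFSO.OpenTextFile(LOG_SHARE & "\" & strComputer & ".log", ForAppending, True)
If Err.Number <> 0 Then WScript.Quit 2   ' share unreachable or not writable
On Error GoTo 0

For Each objMember In objGroup.Members
    strLine = Now() & ";" & strComputer & ";" & _
              AccountScope(objMember.ADsPath, strComputer) & ";" & _
              objMember.Class & ";" & objMember.ADsPath
    objLog.WriteLine strLine
Next
objLog.Close

' Classify a member by the shape of its ADsPath:
'   WinNT://DOMAIN/COMPUTER/name -> account local to this computer
'   WinNT://DOMAIN/name          -> domain user or group
'   WinNT://S-1-5-21-...         -> SID that no longer resolves to a name
' Well-known principals (e.g. WinNT://NT AUTHORITY/...) also land in "Domain";
' the full ADsPath is logged so they can be filtered during review.
Function AccountScope(strADsPath, strLocalName)
    Dim arrParts
    arrParts = Split(Mid(strADsPath, Len("WinNT://") + 1), "/")
    If UBound(arrParts) = 0 Then
        AccountScope = "Unresolved"
    ElseIf UBound(arrParts) >= 2 And UCase(arrParts(1)) = UCase(strLocalName) Then
        AccountScope = "Local"
    Else
        AccountScope = "Domain"
    End If
End Function
```

Because the script runs in the user's context, the share permissions decide how trustworthy the collected logs are: append-only access for users keeps one client from rewriting another's results. On Windows installations in other display languages the local group is not named "Administrators", so the bind string needs the localized group name.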

Hello, I'm not a programmer, but the script is still writing to the output log file that the computers from Comp.txt are dead.

10.3.2011 15:18:59;Dead;nb-dlesk
10.3.2011 15:19:00;Dead;nb-ddemjanovic
10.3.2011 15:20:16;Dead;kmv-auditpro;kmv-utilpha;
10.3.2011 15:20:42;Dead;kmv-auditpro
10.3.2011 15:22:30;Dead;kmv-auditpro
10.3.2011 15:25:32;Dead;localhost
10.3.2011 15:33:23;Dead;kmv-auditpro

Could you help with the right input format of Comp.txt? Now I have only:

nb-dlesk
kmv-utilpha
kmv-auditpro

Thank you for your help. Vladimir D.
March 10th, 2011 9:57am

This topic is archived. No further replies will be accepted.
