VB Scipt to list all users in the local administrators Group on a member server

Hello. I am new to scripts and would like to know if the following is possible:

I need a list of users, groups and details of all nested groups and it's members who belong to the local administrators group of a given AD member server. I would like these details exported to a csv file.

Thanks.

February 25th, 2011 2:43pm

'=====================
'= Gets Local Admins =
'=====================
Sub GetLocalAdmins (Computer)
Dim objComp
strComputer = Computer
Set objComp = GetObject("WinNT://" & strComputer) 'seems to have issues here.
objComp.GetInfo 'or here....
If objComp.PropertyCount > 0 Then
  Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
  If objGroup.PropertyCount > 0 Then
    WScript.Echo "The members of the local Administrators group on " & strComputer & " 

are:"
    For Each mem In objGroup.Members
      WScript.echo vbTab & Right(mem.adsPath,Len(mem.adsPath) - 8)
    Next
  Else
    WScript.echo "** Connecting to the local Administrators group on " & strComputer & " 

failed."
    WScript.Quit 1
  End If
Else
  WScript.Echo "** Connecting to " & strComputer & " failed."
  WScript.Quit 1
End If
End Sub

or just use the following command from batch:

net localgroup administrators

Free Windows Admin Tool Kit Click here and download it now
February 25th, 2011 3:09pm

I have an example VBScript program to document membership in a local group here:

http://www.rlmueller.net/Enumerate%20Local%20Group.htm

This program documents all members due to nesting, including local and domain users. As written it documents the local Administrators group. You can assign the NetBIOS name of a remote computer to the variable strComputer in the program, to document membership in the local Administrators group on the remote machine. You can run the script at a command prompt using the cscript host, so you can redirect the output to a text file.

Richard Mueller

February 25th, 2011 3:46pm

Thanks for the script, but I get the following error when I try to run the script:

get_admin_members.vbs(107, 13) (null): Name translation: Could not find the name or insufficient right to see name.

I run the script with domain admin rights and the script stops when it finds another group within a group.

Free Windows Admin Tool Kit Click here and download it now
March 1st, 2011 4:58pm

If your copy of the script is the same as mine, line 107 should be the following:

objTrans.Set ADS_NAME_TYPE_NT4, strNTName

The script has determined that the member is a domain group and is attempting  to convert the NetBIOS name of the group into the Distinguished Name, so it can enumerate its members. Either the script is mistaken and the group is not a domain group (which I have not seen before), or you lack permission to query for objects in Active Directory. When you run the script, are you authenticated to the domain? Does the ADsPath of the group, which should be the last member reported, confirm that it is a domain group? The ADsPath of a local local group includes the NetBIOS name of the local machine. The ADsPath of a domain group includes the NetBIOS name of the domain.

Richard Mueller

March 1st, 2011 6:11pm

Thanks for your reply.

I can confirm that I run the script with domain admin privileges.

I also checked that the adspath of the group confirms that it is a domain group.

Free Windows Admin Tool Kit Click here and download it now
March 1st, 2011 6:32pm

You shouldn't need even Domain Admin privileges. I've never seen NameTranslate fail to convert a NetBIOS name into a Distinguished Name, unless the name does not exist in the domain. The code could bind to the domain group with the WinNT provider, using the NetBIOS name, but WinNT does not reveal nested domain groups. In case the domain group has members that are groups, we need to use the LDAP provider to reveal the nesting, which requires the Distinguished Name. Another method to retrieve the DN would be to use ADO to search AD, but if NameTranslate fails I would expect ADO to also fail. Given the NetBIOS name of the group, does the following retrieve the DN?

dsquery * -filter "(sAMAccountName=GroupName)"
Richard Mueller
March 2nd, 2011 7:49am

This is a very old thread, but i'm having this same issue with all of the scripts that i can find to do this function. The scripts take the current domain and then use that with each domain group to find the members "recursively". HOWEVER, when there are groups from other domains present in the local admins group, the scripts choke.

We need a script that uses the domain OF THE GROUP that it finds present.

Free Windows Admin Tool Kit Click here and download it now
September 30th, 2013 12:55pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics