Finding all administrators in a domain/ OU

Posted on 2006-04-18
Last Modified: 2010-04-18
I have a requirement to find and justify all domain administrators / users with domain administrative permissions in my three domains to SOX auditors.  I must be able to prove that there are no other administrative privileged accounts that have access to my financial data other than the ones that I document.  Is there an easy way to accomplish this?

Using Windows 2003 Server
Question by:rosenblumm
    LVL 51

    Expert Comment

    You have to start with the folders where the data is stored.  You can look at the NTFS security on the folder, then look at the group membership for the groups that have Read/Write or Admin privileges.

    There are Resource Kit tools to dump the ACLs on the folder and one to show membership of the groups you find.


    Author Comment

    Perhaps you're not understanding the question.  Folder permissions will only show users who have permissions to a folder.  I need to have users who are domain admins.  Domain admins by default will have "Full Control" in NTFS unless they are specifically removed.  However, that doesn't find all administrators, just domain admins.  

    Many service accounts and other specific accounts must have administrative rights to all domain computers to function correctly (SMS, ePO, backup software, etc.).  I need to be able to show the auditors an AD-generated list.  I could make a list myself (I do know all of my admin accounts), but that would defeat the purpose of the audit, as I could easily modify any data I wanted to.

    If you know of a resource kit tool that will accomplish this, please let me know.

    Thank you,
    LVL 51

    Assisted Solution

    That's correct - but Domain Admins will show up in the ACLs on that specific folder as being inherited.  You can specifically add Deny to Read rights to prevent them from accessing the folder.

    Every ACL on the folder will reflect what groups have access - you cannot hide that fact - they will be present on the Security tab of the folder.

    Showacls.exe will show all permissions on whatever you specify.
    There was a Group tool, but I can't seem to find it.  DSQUERY will work.

    LVL 6

    Assisted Solution

    Hi Michael

    So do you just want to do a dump of all accounts in the domain that are a member of the Domain Admins group?  It's easily achievable via scripting, but will this fit the requirements of the audit?  If so, let me know, and I'll write it up for you.  Something along the lines of recursively going through your AD structure, and listing all user accounts that are members of the administrator groups, such as Schema Admins, Enterprise Admins, and so on.

    Have a look at this document for common SIDs you may want to query on:


    Author Comment

    How about an LDAP query looking for SIDs with all admins in it.  I'm horrible at scripting, but I'll see if I can get that to work.  
    LVL 23

    Accepted Solution

    Simplest way would be a dsquery dsget...

    make a batch file with the following:

    dsquery group -name "domain admins" | dsget group -members -expand >> c:\AdminsOnDomainA.txt
    dsquery group -name "administrators" | dsget group -members -expand >> c:\AdminsOnDomainA.txt
    dsquery group -name "Enterprise Admins" | dsget group -members -expand >> c:\AdminsOnDomainA.txt

    That would basically give you all the real admin accounts on the domainA and throw them into the text file.
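An added example that is not part of this thread or of any expert's answer: the same enumeration as the dsquery/dsget batch above, done in PowerShell with the ActiveDirectory module so that it can be run unchanged against each of the three domains, resolves the groups by their well-known RIDs (512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins, S-1-5-32-544 BUILTIN\Administrators) rather than by display name, follows nested groups, and adds an adminCount=1 cross-check. The domain names and the report path are placeholders; the script assumes RSAT (the ActiveDirectory module) and read access to each domain.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
# and read rights on every domain listed in $Domains. All values below are placeholders.
Import-Module ActiveDirectory

$Domains = @('domainA.example', 'domainB.example', 'domainC.example')   # placeholder domain names
$Report  = 'C:\AdminsReport.csv'                                        # placeholder output path

# Protected groups identified by RID so renamed groups are still found.
# Domain-relative RIDs are appended to the domain SID; BUILTIN\Administrators is fixed.
$DomainRids = @{ 'Domain Admins' = 512; 'Schema Admins' = 518; 'Enterprise Admins' = 519 }
$BuiltinAdministratorsSid = 'S-1-5-32-544'

$rows = foreach ($domain in $Domains) {
    $ad   = Get-ADDomain -Server $domain
    $sids = @{ 'Administrators' = $BuiltinAdministratorsSid }
    foreach ($name in $DomainRids.Keys) {
        $sids[$name] = '{0}-{1}' -f $ad.DomainSID.Value, $DomainRids[$name]
    }

    foreach ($groupName in $sids.Keys) {
        # Schema Admins and Enterprise Admins exist only in the forest root domain
        $group = Get-ADGroup -Identity $sids[$groupName] -Server $domain -ErrorAction SilentlyContinue
        if (-not $group) { continue }

        # -Recursive expands nested groups, so indirect members are reported too.
        # Members from other domains appear as foreign security principals; their
        # DistinguishedName still records where they come from.
        Get-ADGroupMember -Identity $group -Server $domain -Recursive |
            ForEach-Object {
                [pscustomobject]@{
                    Domain            = $domain
                    Group             = $group.Name
                    WellKnownRole     = $groupName
                    Member            = $_.SamAccountName
                    ObjectClass       = $_.objectClass
                    DistinguishedName = $_.DistinguishedName
                    Source            = 'GroupMembership'
                }
            }
    }

    # Cross-check: SDProp sets adminCount=1 on accounts that are (or once were)
    # members of protected groups. Anything listed here but not above is worth
    # explaining to the auditor (it is usually a former admin whose flag was never cleared).
    Get-ADUser -Server $domain -LDAPFilter '(adminCount=1)' -Properties adminCount |
        ForEach-Object {
            [pscustomobject]@{
                Domain            = $domain
                Group             = ''
                WellKnownRole     = 'adminCount=1'
                Member            = $_.SamAccountName
                ObjectClass       = $_.ObjectClass
                DistinguishedName = $_.DistinguishedName
                Source            = 'AdminCountFlag'
            }
        }
}

# One sorted CSV per run; the run date is embedded so successive audit snapshots can be diffed.
$rows | Sort-Object Domain, WellKnownRole, Member |
    Select-Object @{ n = 'CollectedOn'; e = { (Get-Date).ToString('s') } }, * |
    Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
```

Two things the batch file in the accepted answer does not cover and that this report still leaves out: membership of the local Administrators group on member servers (service accounts such as backup or management agents are often granted rights there rather than in a domain group), and rights granted directly through NTFS or share ACLs on the financial data, which is what the first expert was pointing at. Both need to be collected separately if the auditor's question is "who can reach this data" rather than "who is a domain admin".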
