Finding all administrators in a domain/OU

I have a requirement to find and justify all domain administrators / users with domain administrative permissions in my three domains to SOX auditors.  I must be able to prove that there are no other administrative privileged accounts that have access to my financial data other than the ones that I document.  Is there an easy way to accomplish this?

Using Windows 2003 Server

You have to start with the folders where the data is stored.  You can look at the NTFS security on the folder, then look at the group membership for the groups that have Read/Write or Admin privileges.

There are Resource Kit tools to dump the ACLs on the folder and one to show membership of the groups you find.

rosenblummAuthor Commented:
Perhaps you're not understanding the question.  Folder permissions will only show users who have permissions to a folder.  I need to have users who are domain admins.  Domain admins by default will have "Full Control" in NTFS unless they are specifically removed.  However, that doesn't find all administrators, just domain admins.  

Many service accounts and other specific accounts must have administrative rights to all domain computers to function correctly (SMS, ePO, backup software, etc.).  I need to be able to show the auditors an AD-generated list.  I could make a list myself (I do know all of my admin accounts), but that would defeat the purpose of the audit, as I could easily modify any data I wanted to.

If you know of a resource kit tool that will accomplish this, please let me know.

Thank you,
That's correct - but Domain Admins will show up in the ACLs on that specific folder as being inherited.  You can specifically add Deny to Read rights to prevent them from accessing the folder.

Every ACL on the folder will reflect what groups have access - you cannot hide that fact - they will be present on the Security tab of the folder.

Showacls.exe will show all permissions on whatever you specify.
There was a Group tool, but I can't seem to find it.  DSQUERY will work.


Hi Michael

So do you just want to do a dump of all accounts in the domain that are a member of the Domain Admins group?  It's easily achievable via scripting, but will this fit the requirements of the audit?  If so, let me know, and I'll write it up for you.  Something along the lines of recursively going through your AD structure, and listing all user accounts that are members of the administrator groups, such as Schema Admins, Enterprise Admins, and so on.

Have a look at this document for common SIDs you may want to query on:

rosenblummAuthor Commented:
How about an LDAP query looking for SIDs with all admins in it.  I'm horrible at scripting, but I'll see if I can get that to work.  
Simplest way would be a dsquery dsget...

make a batch file with the following:

dsquery group -name "domain admins" | dsget group -members -expand >> c:\AdminsOnDomainA.txt
dsquery group -name "administrators" | dsget group -members -expand >> c:\AdminsOnDomainA.txt
dsquery group -name "Enterprise Admins" | dsget group -members -expand >> c:\AdminsOnDomainA.txt

That would basically give you all the real admin accounts on the domainA and throw them into the text file.
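The same enumeration as the dsquery/dsget batch above, written as an added PowerShell example (not code from the thread): it resolves the privileged groups by well-known SID/RID rather than by display name, so a renamed group is still caught, expands nested groups, covers several domains in one run, and hashes the resulting CSV so the auditors can check it was not edited afterwards. It assumes the ActiveDirectory module (RSAT) with read access to every domain; the domain names and output path are placeholders.

```powershell
# Added example, not part of the original thread. Dumps the members of the
# privileged AD groups in several domains (nested groups expanded) to a CSV.
# Assumes the ActiveDirectory module (RSAT) and read access to each domain;
# the domain names and the report path below are placeholders.
Import-Module ActiveDirectory

$Domains = @('domainA.example', 'domainB.example', 'domainC.example')
$Report  = 'C:\AdminsAllDomains.csv'

# Relative IDs of the domain-level privileged groups. Enterprise Admins (519)
# and Schema Admins (518) exist only in the forest root domain; the lookup
# simply finds nothing for them in child domains.
$PrivilegedRids = @{ 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }
$BuiltinAdministratorsSid = 'S-1-5-32-544'   # the built-in Administrators group

$rows = foreach ($domain in $Domains) {
    $domainSid = (Get-ADDomain -Server $domain).DomainSID.Value
    $groupSids = @($BuiltinAdministratorsSid) +
                 ($PrivilegedRids.Keys | ForEach-Object { "$domainSid-$_" })

    foreach ($sid in $groupSids) {
        # -Filter returns nothing (instead of an error) when the SID is absent here
        $group = Get-ADGroup -Server $domain -Filter "objectSid -eq '$sid'"
        if (-not $group) { continue }

        # -Recursive walks nested groups so indirect members are listed too
        Get-ADGroupMember -Server $domain -Identity $group -Recursive |
            ForEach-Object {
                [pscustomobject]@{
                    Domain            = $domain
                    Group             = $group.SamAccountName
                    MemberSam         = $_.SamAccountName
                    MemberClass       = $_.objectClass      # user, computer, group ...
                    DistinguishedName = $_.DistinguishedName
                    CollectedUtc      = (Get-Date).ToUniversalTime().ToString('s')
                }
            }
    }
}

$rows | Sort-Object Domain, Group, MemberSam -Unique |
    Export-Csv -Path $Report -NoTypeInformation

# Record a SHA-256 of the report (Get-FileHash needs PowerShell 4.0 or later)
# so the auditors can verify the file they receive is the one AD produced.
Get-FileHash -Path $Report -Algorithm SHA256 | Format-List Path, Hash
```

Service accounts that hold admin rights through nested groups appear in the output with the group that grants them, which is the justification trail the auditors asked for.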
