Solved

Check domain users that have Local Admin rights on their PC.

Posted on 2009-05-20
7
1,102 Views
Last Modified: 2012-05-07
I am trying to find a program or another easy way to display domain users with local admin rights on their machines.  We recently migrated to Active Directory and had lots of consultants helping.  Some of them gave the local user admin rights to their PC.  Our policy is that no one can have local admin rights.  I know about using group policy to change the local administrator account name.  The only way that I can check this right now is to use MMC and check the Administrators group for domain credentials on every PC.
I currently use LANDESK for inventory but it only displays local admin accounts, not domain users added to the Administrators group.  For example, I check the Administrators group under Local User and Groups and find DOMAIN\CURRENT.USER
I don't need to automatically remove these accounts.  Just need to figure out who has these rights.
Server 2008 Active Directory
All Client PCs have XP Pro Sp3
0
Comment
Question by:stcharlescity
7 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24433270

I have a (pretty complex) script that will output the contents of all local groups (including Administrators) to an XML file if it's any help? It runs multiple threads so is perhaps useful if you have a medium / large domain.

Chris
0
 

Author Comment

by:stcharlescity
ID: 24433314
I need this to be invisible to the user.  I assume this is a script that I could deploy with Group Policy?  I have about 500 PCs and am trying to avoid checking each one manually.
If this script will satisfy those requirements, how can I get it from you?
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24433468

It runs from the server side, nothing that a client would notice.

It's actually 3 scripts (just to make life complicated :)). Rename each to .vbs, saving each in the same folder.

Multithread echoes usage if you run it with no parameters, but this is probably what you need:

cscript Multithread.vbs /ChildScript:"LocalGroupsChild.vbs" /FinalCommand:"cscript LocalGroupsFinal.vbs" /NumThreads:20

There are also options for LDAPFilter (defaults to find computer accounts) and BaseDN (defaults to the root of your domain) if you need it to run on only specific operating systems, or on a specific group of computers.

It'll do 20 computers at a time with "NumThreads" set to 20 (if you run task manager you'll see it start 20 more cscript processes).  When it's done it'll run LocalGroupsFinal.vbs and pull the output together into a pair of XML files, one with group members as they appear on each computer, the other expanding any domain groups into individuals.

Chris
Multithread.txt
LocalGroupsChild.txt
LocalGroupsFinal.txt
0
 

Author Comment

by:stcharlescity
ID: 24435385
I renamed the files and created a batch file with the above command.  It ran correctly, created a lot of results files and created two XML files.  The XML files have a lot of information.  It has all the computers but I don't see a clear description of groups.  I know of a couple of PCs that have admin rights and haven't gotten a clear response.  Is there a way to sort these or am I opening it incorrectly?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24435414

Internet Explorer will display it in a manner of speaking, or is that what you were using?

Chris
0
 

Author Comment

by:stcharlescity
ID: 24435484
I am viewing it correctly.  I got a lot of "No response" or "alive" as status.  I know the PCs are not just turned off.  Should I run the scripts again?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24440083

It gets that by attempting to ping the PC. If the PC doesn't reply it gives up on trying to connect to it. Is it likely they would have failed to reply to a ping?

This is the ping command it runs for each PC:

Ping -n 3 -w 1000 computername

Chris
0
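As an added example (not Chris Dent's attached scripts), here is a PowerShell version of the check this thread describes: it pings each PC the same way, binds to the local Administrators group over the WinNT provider, and flags direct domain user entries. It differs from the ping-gated behaviour described above in that a failed ping is only recorded and the connection is still attempted, since the XP SP2+ firewall drops ICMP echo by default. The computer list, output path, and the assumption that the running account is an administrator on each PC are assumptions for this example.

```powershell
# Added example: enumerate local Administrators members on domain PCs and
# flag domain user accounts. Assumes PowerShell 2.0+ on a domain-joined
# admin workstation, the running account is a local admin on the targets,
# and remote administration is allowed through the client firewall.
param(
    [string[]]$ComputerName = @("PC001", "PC002"),   # placeholder hostnames
    [string]$DomainNetbios  = $env:USERDOMAIN,
    [string]$OutFile        = ".\LocalAdmins.csv"    # assumed output path
)

function Get-LocalAdminMembers {
    param([string]$Computer, [string]$Domain)

    # Same reachability test as the VBScript (3 echoes), but a failed ping is
    # recorded, not final: XP SP2+ blocks ICMP echo by default, so the
    # WinNT bind below is attempted regardless.
    $pingOk = Test-Connection -ComputerName $Computer -Count 3 -Quiet `
                              -ErrorAction SilentlyContinue
    try {
        $group   = [ADSI]"WinNT://$Computer/Administrators,group"
        $members = @($group.Invoke("Members"))
    } catch {
        return New-Object PSObject -Property @{
            Computer = $Computer; Ping = $pingOk; Member = $null; Class = $null
            IsDomainUser = $null; Status = "Connect failed: $($_.Exception.Message)" }
    }
    foreach ($m in $members) {
        # ADsPath is WinNT://DOMAIN/name for domain principals and
        # WinNT://COMPUTER/name for local accounts.
        $path  = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        $class = $m.GetType().InvokeMember("Class",   "GetProperty", $null, $m, $null)
        $parts = ($path -replace "^WinNT://", "") -split "/"
        $source = $parts[0]; $name = $parts[-1]
        New-Object PSObject -Property @{
            Computer = $Computer; Ping = $pingOk; Status = "OK"
            Member   = "$source\$name"; Class = $class
            # Only a direct domain *user* entry violates the "no local admin"
            # policy; Domain Admins (Class = Group) is expected to be present.
            IsDomainUser = ($source -ieq $Domain -and $class -eq "User")
        }
    }
}

$results = foreach ($c in $ComputerName) { Get-LocalAdminMembers $c $DomainNetbios }
$results | Select-Object Computer, Ping, Status, Member, Class, IsDomainUser |
    Export-Csv -Path $OutFile -NoTypeInformation
# Quick view of the policy violations and of PCs that could not be reached
$results | Where-Object { $_.IsDomainUser -or $_.Status -ne "OK" } |
    Format-Table Computer, Ping, Status, Member -AutoSize
```

Rows whose Status starts with "Connect failed" while Ping is True usually mean the remote registry/NetLogon path is blocked rather than the PC being off, which is the case the "No response" discussion above is about.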
