Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Check domain users that have Local Admin rights on their PC.

Posted on 2009-05-20
7
Medium Priority
?
1,166 Views
Last Modified: 2012-05-07
I am trying to find a program or another easy way to display domain users with local admin rights on their machines.  We recently migrated to Active directory and had lots of consultants helping.  Some of them gave the local user admin rights to their PC.  Our policy is that no one can have local admin rights.  I know about using group policy to change local administrator account name.  The only way that I can check this right now is to use MMC and check the Administrators group for domain credentials on every PC.
I currently use LANDESK for inventory but it only displays local admin accounts, not domain users added to the Administrators group.  For example, I check the Administrators group under Local User and Groups and find DOMAIN\CURRENT.USER
I don't need to automatically remove these accounts.  Just need to figure out who has these rights.
Server 2008 Active Directory
All Client PCs have XP Pro Sp3
0
Comment
Question by:stcharlescity
  • 4
  • 3
7 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24433270

I have a (pretty complex) script that will output the contents of all local groups (including Administrators) to an XML file if it's any help? It runs multiple threads so is perhaps useful if you have a medium / large domain.

Chris
0
 

Author Comment

by:stcharlescity
ID: 24433314
I need this to be invisible to the user.  I assume this is a script that I could deploy with Group Policy?  I have about 500 PCs and am trying to avoid checking each one manually.
If this script will satisfy those requirements, how can I get it from you?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 24433468

It runs from the server side, nothing that a client would notice.

It's actually 3 scripts (just to make life complicated :)). Rename each to .vbs, saving each in the same folder.

Multithread echoes usage if you run it with no parameters, but this is probably what you need:

cscript Multithread.vbs /ChildScript:"LocalGroupsChild.vbs" /FinalCommand:"cscript LocalGroupsFinal.vbs" /NumThreads:20

There are also options for LDAPFilter (defaults to find computer accounts) and BaseDN (defaults to the root of your domain) if you need it to run on only specific operating systems, or on a specific group of computers.

It'll do 20 computers at a time with "NumThreads" set to 20 (if you run task manager you'll see it start 20 more cscript processes).  When it's done it'll run LocalGroupsFinal.vbs and pull the output together into a pair of XML files, one with group members as they appear on each computer, the other expanding any domain groups into individuals.

Chris
Multithread.txt
LocalGroupsChild.txt
LocalGroupsFinal.txt
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 

Author Comment

by:stcharlescity
ID: 24435385
I renamed the files and created a batch file with the above command.  It ran correctly, created a lot of results files and created two xml files.  The XML files have a lot of information.  It has all the computers but i don't see a clear description of groups.  I know of a couple PCs that admin rights and haven't gotten a clear response.  Is there a way to sort these or am I opening it incorrectly?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24435414

Internet Explorer will display it in a manner of speaking, or that what you were using?

Chris
0
 

Author Comment

by:stcharlescity
ID: 24435484
I am viewing it correctly.  I got a lot of "No response" or "alive" as status.  I know the PCs are not just turned off.  Should I run the scripts again?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24440083

It gets that by attempting to ping the PC. If the PC doesn't reply it gives up on trying to connect to it. Is it likely they would have failed to reply to a ping?

This is the ping command it runs for each PC:

Ping -n 3 -w 1000 computername

Chris
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question