Solved

Check domain users that have Local Admin rights on their PC.

Posted on 2009-05-20
1,118 Views
Last Modified: 2012-05-07
I am trying to find a program or another easy way to display domain users with local admin rights on their machines.  We recently migrated to Active Directory and had lots of consultants helping.  Some of them gave the local user admin rights to their PC.  Our policy is that no one can have local admin rights.  I know about using group policy to change local administrator account name.  The only way that I can check this right now is to use MMC and check the Administrators group for domain credentials on every PC.
I currently use LANDESK for inventory but it only displays local admin accounts, not domain users added to the Administrators group.  For example, I check the Administrators group under Local User and Groups and find DOMAIN\CURRENT.USER
I don't need to automatically remove these accounts.  Just need to figure out who has these rights.
Server 2008 Active Directory
All Client PCs have XP Pro Sp3
Question by:stcharlescity
7 Comments
LVL 70

Expert Comment

by:Chris Dent
ID: 24433270

I have a (pretty complex) script that will output the contents of all local groups (including Administrators) to an XML file if it's any help? It runs multiple threads so is perhaps useful if you have a medium / large domain.

Chris

Author Comment

by:stcharlescity
ID: 24433314
I need this to be invisible to the user.  I assume this is a script that I could deploy with Group Policy?  I have about 500 PCs and am trying to avoid checking each one manually.
If this script will satisfy those requirements, how can I get it from you?
LVL 70

Accepted Solution

by:Chris Dent (earned 500 total points)
ID: 24433468

It runs from the server side, nothing that a client would notice.

It's actually 3 scripts (just to make life complicated :)). Rename each to .vbs, saving each in the same folder.

Multithread echoes usage if you run it with no parameters, but this is probably what you need:

cscript Multithread.vbs /ChildScript:"LocalGroupsChild.vbs" /FinalCommand:"cscript LocalGroupsFinal.vbs" /NumThreads:20

There are also options for LDAPFilter (defaults to find computer accounts) and BaseDN (defaults to the root of your domain) if you need it to run on only specific operating systems, or on a specific group of computers.

It'll do 20 computers at a time with "NumThreads" set to 20 (if you run task manager you'll see it start 20 more cscript processes).  When it's done it'll run LocalGroupsFinal.vbs and pull the output together into a pair of XML files, one with group members as they appear on each computer, the other expanding any domain groups into individuals.

Chris
Multithread.txt
LocalGroupsChild.txt
LocalGroupsFinal.txt

Author Comment

by:stcharlescity
ID: 24435385
I renamed the files and created a batch file with the above command.  It ran correctly, created a lot of results files and created two XML files.  The XML files have a lot of information.  It has all the computers but I don't see a clear description of groups.  I know of a couple PCs that have admin rights and haven't gotten a clear response.  Is there a way to sort these or am I opening it incorrectly?
LVL 70

Expert Comment

by:Chris Dent
ID: 24435414

Internet Explorer will display it in a manner of speaking, or is that what you were using?

Chris

Author Comment

by:stcharlescity
ID: 24435484
I am viewing it correctly.  I got a lot of "No response" or "alive" as status.  I know the PCs are not just turned off.  Should I run the scripts again?
LVL 70

Expert Comment

by:Chris Dent
ID: 24440083

It gets that by attempting to ping the PC. If the PC doesn't reply it gives up on trying to connect to it. Is it likely they would have failed to reply to a ping?

This is the ping command it runs for each PC:

Ping -n 3 -w 1000 computername

Chris
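The accepted solution and the ping discussion above describe a server-side audit: enumerate computer accounts from AD, ping each one first, read its local Administrators group, and report the members so domain accounts that violate the "no local admin" policy can be found. The PowerShell below is an added example of that same audit written for this thread; it is not Chris Dent's Multithread/LocalGroupsChild/LocalGroupsFinal scripts and does not reproduce their XML format. It assumes the account running it can query the domain and read local groups on the target PCs (the same assumption the VBS scripts make), uses the WinNT ADSI provider to read the group, pings three times before connecting (mirroring the scripts' "No response" behaviour), and writes a CSV with an IsDomainAccount column so rows like DOMAIN\user in the Administrators group stand out. The parameter names BaseDN and LdapFilter are borrowed from the thread; everything else is this example's own naming.

```powershell
# Added example for this thread (not the original VBS scripts).
# Audits the local Administrators group of every domain computer
# from one management host; runs single-threaded for clarity.
param(
    [string]$BaseDN     = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext,
    [string]$LdapFilter = "(objectCategory=computer)",   # same default idea as the thread
    [string]$OutFile    = "LocalAdmins.csv"
)

# 1. Find computer accounts under BaseDN, like the scripts' LDAPFilter/BaseDN options.
$searcher            = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$BaseDN"
$searcher.Filter     = $LdapFilter
$searcher.PageSize   = 1000            # paged search so large domains return every object
[void]$searcher.PropertiesToLoad.Add("name")
$computers = $searcher.FindAll() | ForEach-Object { $_.Properties["name"][0] }

function New-Row($Computer, $Status, $Member, $MemberType, $IsDomain) {
    New-Object PSObject -Property @{
        Computer        = $Computer
        Status          = $Status
        Member          = $Member
        MemberType      = $MemberType
        IsDomainAccount = $IsDomain
    }
}

$results = foreach ($computer in $computers) {
    # 2. Ping first (3 echoes); a host that never answers is recorded as "No response"
    #    and skipped, which is exactly the status the thread's scripts report.
    if (-not (Test-Connection -ComputerName $computer -Count 3 -Quiet)) {
        New-Row $computer "No response" $null $null $null
        continue
    }
    try {
        # 3. Read the local Administrators group through the WinNT ADSI provider.
        $group   = [ADSI]"WinNT://$computer/Administrators,group"
        $members = @($group.psbase.Invoke("Members"))
        foreach ($m in $members) {
            $path  = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
            $class = $m.GetType().InvokeMember("Class",   "GetProperty", $null, $m, $null)
            # ADsPath is WinNT://AUTHORITY/name; AUTHORITY is the PC name for local
            # accounts and the NetBIOS domain name for domain users and groups.
            $parts    = ($path -replace "^WinNT://", "") -split "/"
            $isDomain = ($parts.Count -ge 2) -and ($parts[0] -ne $computer)
            New-Row $computer "Alive" ($parts -join "\") $class $isDomain
        }
    } catch {
        # Access denied, RPC failure, etc.: keep the host in the report with the error text.
        New-Row $computer ("Error: " + $_.Exception.Message) $null $null $null
    }
}

# 4. One CSV row per (computer, member); filter on IsDomainAccount -eq $true and
#    MemberType -eq "User" to list the policy violations the question asks about.
$results |
    Select-Object Computer, Status, Member, MemberType, IsDomainAccount |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Run it as `powershell -File Audit-LocalAdmins.ps1` from a domain member with rights on the clients; `Import-Csv LocalAdmins.csv | Where-Object { $_.IsDomainAccount -eq 'True' -and $_.MemberType -eq 'User' }` then gives the DOMAIN\user entries the question is looking for. Domain groups nested in Administrators appear with MemberType Group and are not expanded here; the thread's LocalGroupsFinal.vbs does that expansion, and the same WinNT provider can enumerate a domain group's members if you need it.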