Solved

Check domain users that have Local Admin rights on their PC.

Posted on 2009-05-20
7
1,145 Views
Last Modified: 2012-05-07
I am trying to find a program or another easy way to display domain users with local admin rights on their machines.  We recently migrated to Active Directory and had lots of consultants helping.  Some of them gave the local user admin rights to their PC.  Our policy is that no one can have local admin rights.  I know about using Group Policy to change the local administrator account name.  The only way that I can check this right now is to use MMC and check the Administrators group for domain credentials on every PC.
I currently use LANDESK for inventory but it only displays local admin accounts, not domain users added to the Administrators group.  For example, I check the Administrators group under Local Users and Groups and find DOMAIN\CURRENT.USER
I don't need to automatically remove these accounts.  I just need to figure out who has these rights.
Server 2008 Active Directory
All client PCs have XP Pro SP3
Question by:stcharlescity
7 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24433270

I have a (pretty complex) script that will output the contents of all local groups (including Administrators) to an XML file, if it's any help. It runs multiple threads, so it is perhaps useful if you have a medium / large domain.

Chris
0
 

Author Comment

by:stcharlescity
ID: 24433314
I need this to be invisible to the user.  I assume this is a script that I could deploy with Group Policy?  I have about 500 PCs and am trying to avoid checking each one manually.
If this script will satisfy those requirements, how can I get it from you?
0
 
LVL 71

Accepted Solution

by:Chris Dent (earned 500 total points)
ID: 24433468

It runs from the server side, nothing that a client would notice.

It's actually 3 scripts (just to make life complicated :)). Rename each to .vbs, saving them all in the same folder.

Multithread echoes usage if you run it with no parameters, but this is probably what you need:

cscript Multithread.vbs /ChildScript:"LocalGroupsChild.vbs" /FinalCommand:"cscript LocalGroupsFinal.vbs" /NumThreads:20

There are also options for LDAPFilter (defaults to find computer accounts) and BaseDN (defaults to the root of your domain) if you need it to run on only specific operating systems, or on a specific group of computers.

It'll do 20 computers at a time with "NumThreads" set to 20 (if you run Task Manager you'll see it start 20 more cscript processes).  When it's done it'll run LocalGroupsFinal.vbs and pull the output together into a pair of XML files, one with group members as they appear on each computer, the other expanding any domain groups into individuals.

Chris
Multithread.txt
LocalGroupsChild.txt
LocalGroupsFinal.txt
0
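The approach the accepted answer describes (enumerate every computer account from AD, ping it, read the local Administrators group over the WinNT provider, then pull the results together) can be done in one PowerShell script today. The script below is an added example for readers of this thread; it is not one of Chris Dent's three VBScripts, and it writes CSV rather than XML. It assumes it is run from a domain-joined machine as an account that is a local admin on the clients, that RPC/SMB to the clients is open, and that the domain NetBIOS name and the allow-list in $Approved are placeholders you replace with your own.

```powershell
# Added example, not the scripts attached to this answer.
# Lists members of the local Administrators group on every computer in AD
# and flags domain user accounts that your policy does not permit.
$Domain   = 'CONTOSO'                                              # assumed NetBIOS domain name
$Approved = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins') # assumed allow-list

# Computer accounts from the domain root (same default scope as the answer's BaseDN).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(objectCategory=computer)'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('name')
$computers = $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }

$report = foreach ($pc in $computers) {
    # Reachability check first, as the answer does with "ping -n 3": a host that
    # does not answer is recorded as 'No response' instead of waiting on an RPC timeout.
    if (-not (Test-Connection -ComputerName $pc -Count 3 -Quiet)) {
        [pscustomobject]@{ Computer = $pc; Member = $null; Class = $null; Scope = $null; Status = 'No response' }
        continue
    }
    try {
        $group = [ADSI]"WinNT://$pc/Administrators,group"
        # Invoke('Members') returns raw COM objects; read their properties via InvokeMember.
        foreach ($m in @($group.Invoke('Members'))) {
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            # ADsPath is WinNT://DOMAIN/user for domain principals and
            # WinNT://DOMAIN/COMPUTER/user (or WinNT://COMPUTER/user) for local ones.
            $parts = ($path -replace '^WinNT://', '') -split '/'
            $isDomain = ($parts.Count -eq 2 -and $parts[0] -eq $Domain)
            [pscustomobject]@{
                Computer = $pc
                Member   = '{0}\{1}' -f $parts[-2], $name
                Class    = $class                      # 'User' or 'Group'
                Scope    = if ($isDomain) { 'Domain' } else { 'Local' }
                Status   = 'OK'
            }
        }
    } catch {
        [pscustomobject]@{ Computer = $pc; Member = $null; Class = $null; Scope = $null; Status = "Error: $($_.Exception.Message)" }
    }
}

# Policy finding: a domain account (user or group) in Administrators that is not on the allow-list.
$findings = $report | Where-Object { $_.Scope -eq 'Domain' -and $Approved -notcontains $_.Member }

$report   | Export-Csv -Path .\LocalAdmins-All.csv      -NoTypeInformation
$findings | Export-Csv -Path .\LocalAdmins-Findings.csv -NoTypeInformation
$findings | Sort-Object Computer | Format-Table Computer, Member, Class -AutoSize
```

LocalAdmins-Findings.csv is the short list the question asks for (which domain accounts hold local admin on which PC); LocalAdmins-All.csv keeps every member, including 'No response' rows, so you can re-run against just those computers later. Nested domain groups are listed as a single Group row; expanding them to individuals, as the answer's second XML file does, is a separate lookup against AD.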
 

Author Comment

by:stcharlescity
ID: 24435385
I renamed the files and created a batch file with the above command.  It ran correctly, created a lot of results files and created two XML files.  The XML files have a lot of information.  It has all the computers but I don't see a clear description of groups.  I know of a couple of PCs that have admin rights and haven't gotten a clear response.  Is there a way to sort these, or am I opening it incorrectly?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24435414

Internet Explorer will display it, in a manner of speaking, or is that what you were using?

Chris
0
 

Author Comment

by:stcharlescity
ID: 24435484
I am viewing it correctly.  I got a lot of "No response" or "alive" as status.  I know the PCs are not just turned off.  Should I run the scripts again?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24440083

It gets that by attempting to ping the PC. If the PC doesn't reply, it gives up on trying to connect to it. Is it likely they would have failed to reply to a ping?

This is the ping command it runs for each PC:

Ping -n 3 -w 1000 computername

Chris
0

