Solved

Check domain users that have Local Admin rights on their PC.

Posted on 2009-05-20
7
1,107 Views
Last Modified: 2012-05-07
I am trying to find a program or another easy way to display domain users with local admin rights on their machines.  We recently migrated to Active directory and had lots of consultants helping.  Some of them gave the local user admin rights to their PC.  Our policy is that no one can have local admin rights.  I know about using group policy to change local administrator account name.  The only way that I can check this right now is to use MMC and check the Administrators group for domain credentials on every PC.
I currently use LANDESK for inventory but it only displays local admin accounts, not domain users added to the Administrators group.  For example, I check the Administrators group under Local User and Groups and find DOMAIN\CURRENT.USER
I don't need to automatically remove these accounts.  Just need to figure out who has these rights.
Server 2008 Active Directory
All Client PCs have XP Pro Sp3
0
Comment
Question by:stcharlescity
  • 4
  • 3
7 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24433270

I have a (pretty complex) script that will output the contents of all local groups (including Administrators) to an XML file if it's any help? It runs multiple threads so is perhaps useful if you have a medium / large domain.

Chris
0
 

Author Comment

by:stcharlescity
ID: 24433314
I need this to be invisible to the user.  I assume this is a script that I could deploy with Group Policy?  I have about 500 PCs and am trying to avoid checking each one manually.
If this script will satisfy those requirements, how can I get it from you?
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24433468

It runs from the server side, nothing that a client would notice.

It's actually 3 scripts (just to make life complicated :)). Rename each to .vbs, saving each in the same folder.

Multithread echoes usage if you run it with no parameters, but this is probably what you need:

cscript Multithread.vbs /ChildScript:"LocalGroupsChild.vbs" /FinalCommand:"cscript LocalGroupsFinal.vbs" /NumThreads:20

There are also options for LDAPFilter (defaults to find computer accounts) and BaseDN (defaults to the root of your domain) if you need it to run on only specific operating systems, or on a specific group of computers.

It'll do 20 computers at a time with "NumThreads" set to 20 (if you run task manager you'll see it start 20 more cscript processes).  When it's done it'll run LocalGroupsFinal.vbs and pull the output together into a pair of XML files, one with group members as they appear on each computer, the other expanding any domain groups into individuals.

Chris
Multithread.txt
LocalGroupsChild.txt
LocalGroupsFinal.txt
0
Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

 

Author Comment

by:stcharlescity
ID: 24435385
I renamed the files and created a batch file with the above command.  It ran correctly, created a lot of results files and created two xml files.  The XML files have a lot of information.  It has all the computers but i don't see a clear description of groups.  I know of a couple PCs that admin rights and haven't gotten a clear response.  Is there a way to sort these or am I opening it incorrectly?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24435414

Internet Explorer will display it in a manner of speaking, or that what you were using?

Chris
0
 

Author Comment

by:stcharlescity
ID: 24435484
I am viewing it correctly.  I got a lot of "No response" or "alive" as status.  I know the PCs are not just turned off.  Should I run the scripts again?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24440083

It gets that by attempting to ping the PC. If the PC doesn't reply it gives up on trying to connect to it. Is it likely they would have failed to reply to a ping?

This is the ping command it runs for each PC:

Ping -n 3 -w 1000 computername

Chris
0

Featured Post

Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now