Local Admins

Is there any easy way from within AD to produce a report that lists all users with local admin rights on their workstations, within all our domains in our AD setup? If so, please detail how.

So you don't have a group that indicates this? :) Hm, if so you can probably check which users have "local admins" membership or something.

It's a bit hard to know if we don't know your policy setup and group management in AD.

Chris Dent, PowerShell Developer, commented:

You can have the chunk of my inventory script that deals with this if it helps and if you don't mind a bit of PowerShell (requires the management framework from http://support.microsoft.com/kb/968929).

Copy and paste into the PowerShell prompt. It's multi-threaded, otherwise it's a bit too slow for larger domains.

The systems it checks are defined by this filter:

$LdapFilter = "(&(objectClass=computer)(!pwdLastSet=0)(operatingSystem=*))"

A search base can be set if you wish to limit that; let me know if you do and I'll tell you how. At the moment it searches all of the current domain. If I'm testing it I normally change the filter to this:

$LdapFilter = "(&(objectClass=computer)(!pwdLastSet=0)(operatingSystem=*)(name=SomeComputer))"

# Max Threads

$MaxThreads = 10

# Get a list of computers

$LdapFilter = "(&(objectClass=computer)(!pwdLastSet=0)(operatingSystem=*))"
$Searcher = New-Object DirectoryServices.DirectorySearcher($Null, $LdapFilter)
$Searcher.PageSize = 1000

$SearchResults = $Searcher.FindAll() | Select-Object `
  @{n='DN';e={ $_.Properties["distinguishedname"] }},
  @{n='ComputerName';e={ $_.Properties["name"] }},
  @{n='LastLogon';e={ (Get-Date "01/01/1601").AddTicks($($_.Properties["lastlogontimestamp"])) }}, 
  @{n='PasswordLastSet';e={ (Get-Date "01/01/1601").AddTicks($($_.Properties["pwdlastset"])) }},
  @{n='Created';e={ $_.Properties["whencreated"] }}

$SearchResults | %{

  # Runs in a background job: list the members of the computer's local Administrators group
  $ScriptBlock = {
    $ComputerName = $Args[0]
    ([ADSI]"WinNT://$ComputerName/Administrators").Members() | Select-Object `
      @{n='ComputerName';e={ $ComputerName }},
      @{n='Name';e={ $_.GetType().PsBase.InvokeMember("Name", "GetProperty", $Null, $_, $Null) }},
      @{n='ADSPath';e={ $_.GetType().PsBase.InvokeMember("ADSPath", "GetProperty", $Null, $_, $Null) }},
      @{n='Class';e={ $_.GetType().Psbase.InvokeMember("Class", "GetProperty", $Null, $_, $Null) }}
  }

  # Wait for a free slot (fewer than $MaxThreads running jobs), then start a job for this computer
  $HasStarted = $False
  While (!$HasStarted) {
    If ((Get-Job -State Running | Measure-Object).Count -lt $MaxThreads) {
      Write-Host "Starting Job for $($_.ComputerName)"
      Start-Job $ScriptBlock -ArgumentList $_.ComputerName
      $HasStarted = $True
    } Else {
      Write-Host "Sleeping"
      Start-Sleep -Seconds 20
    }
  }
}

While (Get-Job -State Running) { Start-Sleep -Seconds 5 }

Get-Job | Receive-Job | Export-CSV "SomeFile.csv"
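
A follow-up step for the CSV that the script above writes, as an added example that is not part of Chris Dent's post: it rolls the per-computer rows up into one line per account and drops an assumed baseline of expected members, which gets closer to the per-user report the question asks for. The function name Get-LocalAdminReport, the CORP domain, the sample rows and the baseline list are made up for illustration; it assumes PowerShell 3.0 or later.

```powershell
# Constructed sample rows in the shape the script above exports
# (ComputerName, Name, ADSPath, Class). Every value here is made up.
$Sample = @'
ComputerName,Name,ADSPath,Class
WS001,Administrator,WinNT://CORP/WS001/Administrator,User
WS001,Domain Admins,WinNT://CORP/Domain Admins,Group
WS001,jsmith,WinNT://CORP/jsmith,User
WS002,Administrator,WinNT://CORP/WS002/Administrator,User
WS002,Domain Admins,WinNT://CORP/Domain Admins,Group
WS002,jsmith,WinNT://CORP/jsmith,User
WS002,Helpdesk,WinNT://CORP/Helpdesk,Group
WS002,svc_backup,WinNT://CORP/WS002/svc_backup,User
WS002,S-1-5-21-1111111111-2222222222-3333333333-1105,WinNT://S-1-5-21-1111111111-2222222222-3333333333-1105,User
'@ | ConvertFrom-Csv

function Get-LocalAdminReport {
  param(
    [object[]]$Rows,
    # Assumed baseline: members you expect on every workstation.
    [string[]]$Expected = @('.\Administrator', 'CORP\Domain Admins')
  )
  $Rows | ForEach-Object {
    # WinNT://DOMAIN/Account          -> domain principal
    # WinNT://DOMAIN/COMPUTER/Account -> account local to that computer
    # A single segment (a bare SID)   -> member that no longer resolves
    $Parts = @(($_.ADSPath -replace '^WinNT://', '') -split '/')
    if ($Parts.Count -ge 3)     { $Scope = 'Local';      $Account = ".\$($_.Name)" }
    elseif ($Parts.Count -eq 2) { $Scope = 'Domain';     $Account = "$($Parts[0])\$($_.Name)" }
    else                        { $Scope = 'Unresolved'; $Account = $_.Name }
    [PSCustomObject]@{
      Account = $Account; Scope = $Scope; Class = $_.Class; ComputerName = $_.ComputerName
    }
  } | Where-Object { $Expected -notcontains $_.Account } |
    Group-Object Account | ForEach-Object {
      $Computers = @($_.Group | ForEach-Object { $_.ComputerName } | Sort-Object -Unique)
      [PSCustomObject]@{
        Account = $_.Name; Scope = $_.Group[0].Scope; Class = $_.Group[0].Class
        ComputerCount = $Computers.Count; Computers = $Computers -join ';'
      }
    } | Sort-Object ComputerCount -Descending
}

Get-LocalAdminReport -Rows $Sample | Format-Table -AutoSize
# Against the real export: Get-LocalAdminReport -Rows (Import-Csv 'SomeFile.csv')
```

Group rows such as Helpdesk still need their membership expanded in AD to see the individual users behind them.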

