• Status: Solved

Local Admins

Is there any easy way from within AD to produce a report that lists all users with local admin rights on their workstations, within all our domains in our AD setup? If so, please detail how.
2 Solutions
So you don't have a group that indicates this? :) Hm, if so you can probably check which users have "local admins" membership or something.

It's a bit hard to know if we don't know your policy setup and group management in AD.
Chris Dent, PowerShell Developer, commented:

You can have the chunk of my inventory script that deals with this if it helps and if you don't mind a bit of PowerShell (requires the management framework from http://support.microsoft.com/kb/968929).

Copy and paste into the PowerShell prompt, multi-threaded otherwise it's a bit too slow for larger domains.

The systems it checks are defined by this filter:

$LdapFilter = "(&(objectClass=computer)(!pwdLastSet=0)(operatingSystem=*))"

A search base can be set if you wish to limit that, let me know if you do and I'll tell you how, at the moment it searches all of the current domain. If I'm testing it I normally change the filter to this:

$LdapFilter = "(&(objectClass=computer)(!pwdLastSet=0)(operatingSystem=*)(name=SomeComputer))"

```powershell
# Max Threads

$MaxThreads = 10

# Get a list of computers

$LdapFilter = "(&(objectClass=computer)(!pwdLastSet=0)(operatingSystem=*))"
$Searcher = New-Object DirectoryServices.DirectorySearcher($Null, $LdapFilter)
$Searcher.PageSize = 1000

$SearchResults = $Searcher.FindAll() | Select-Object `
  @{n='DN';e={ $_.Properties["distinguishedname"] }},
  @{n='ComputerName';e={ $_.Properties["name"] }},
  @{n='LastLogon';e={ (Get-Date "01/01/1601").AddTicks($($_.Properties["lastlogontimestamp"])) }},
  @{n='PasswordLastSet';e={ (Get-Date "01/01/1601").AddTicks($($_.Properties["pwdlastset"])) }},
  @{n='Created';e={ $_.Properties["whencreated"] }}

$SearchResults | %{

  # Runs inside each background job: list the members of the local Administrators group
  $ScriptBlock = {
    $ComputerName = $Args[0]
    ([ADSI]"WinNT://$ComputerName/Administrators").Members() | Select-Object `
      @{n='ComputerName';e={ $ComputerName }},
      @{n='Name';e={ $_.GetType().PsBase.InvokeMember("Name", "GetProperty", $Null, $_, $Null) }},
      @{n='ADSPath';e={ $_.GetType().PsBase.InvokeMember("ADSPath", "GetProperty", $Null, $_, $Null) }},
      @{n='Class';e={ $_.GetType().Psbase.InvokeMember("Class", "GetProperty", $Null, $_, $Null) }}
  }

  # Wait until fewer than $MaxThreads jobs are running, then start this computer's job
  $HasStarted = $False
  While (!$HasStarted)
  {
    If ((Get-Job -State Running | Measure-Object).Count -lt $MaxThreads)
    {
      Write-Host "Starting Job for $($_.ComputerName)"
      Start-Job $ScriptBlock -ArgumentList $_.ComputerName
      $HasStarted = $True
    }
    Else
    {
      Write-Host "Sleeping"
      Start-Sleep -Seconds 20
    }
  }
}

# Wait for the remaining jobs to finish
While (Get-Job -State Running) { Start-Sleep -Seconds 5 }

# Collect the output of every job into one report
Get-Job | Receive-Job | Export-CSV "SomeFile.csv"
```
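One way to reduce the exported report to the entries that need review, as an added example that is not part of the answer's script: it reads rows with the same columns (ComputerName, Name, ADSPath, Class), drops the members expected on every workstation, and labels the rest as local accounts, domain principals or unresolved SIDs. The CONTOSO domain, the host names, the sample rows, the allow-list and the function name Get-UnexpectedLocalAdmin are all assumptions made for illustration.

```powershell
# Constructed sample rows in the shape the script above exports.
# For a real run, replace this with: $Report = Import-Csv "SomeFile.csv"
$Report = @'
ComputerName,Name,ADSPath,Class
WS001,Administrator,WinNT://CONTOSO/WS001/Administrator,User
WS001,Domain Admins,WinNT://CONTOSO/Domain Admins,Group
WS001,jsmith,WinNT://CONTOSO/jsmith,User
WS002,Administrator,WinNT://CONTOSO/WS002/Administrator,User
WS002,helpdesk,WinNT://CONTOSO/WS002/helpdesk,User
WS002,Workstation Admins,WinNT://CONTOSO/Workstation Admins,Group
WS002,S-1-5-21-1111-2222-3333-1105,WinNT://S-1-5-21-1111-2222-3333-1105,User
'@ | ConvertFrom-Csv

# Assumption: the baseline every workstation is allowed to have (-like patterns).
# The built-in local Administrator appears as DOMAIN\COMPUTER\Administrator.
$Expected = 'CONTOSO\*\Administrator', 'CONTOSO\Domain Admins'

function Get-UnexpectedLocalAdmin {
  param($Rows, [string[]]$Allow)
  foreach ($Row in $Rows) {
    # WinNT://DOMAIN/COMPUTER/name -> local (SAM) account on that computer
    # WinNT://DOMAIN/name          -> domain user or group
    # WinNT://S-1-5-...            -> SID that no longer resolves to an account
    $Parts   = ($Row.ADSPath -replace '^WinNT://', '') -split '/'
    $Account = $Parts -join '\'
    if ($Allow | Where-Object { $Account -like $_ }) { continue }
    $Scope = switch ($Parts.Count) {
      1       { 'UnresolvedSid' }
      2       { 'Domain' }
      default { 'Local' }
    }
    New-Object PSObject -Property @{
      ComputerName = $Row.ComputerName
      Account      = $Account
      Class        = $Row.Class
      Scope        = $Scope
    }
  }
}

# Domain groups listed here grant admin rights to all of their members,
# so each one still has to be expanded in AD to get the full list of users.
Get-UnexpectedLocalAdmin -Rows $Report -Allow $Expected |
  Sort-Object ComputerName, Account |
  Format-Table ComputerName, Account, Class, Scope -AutoSize
```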
