Admin rights

I need to know if there is a utility to check remotely if users have local admin rights in the domain
alaayehya Asked:

Gavincr001 Commented:
You can use PsExec from Microsoft Sysinternals to remotely run this command against a list of machines.

You'll need to be logged on with an admin account which can read all the computers you are checking.

Psexec \\computername net localgroup "administrators"
or
Psexec @computers.txt net localgroup "administrators"
Krzysztof Pytko, Senior Active Directory Engineer Commented:
Or download MBSA (Microsoft Baseline Security Analyzer), which lets you check the local Administrators group and also evaluates other security risks. It's a free Microsoft tool; you can download it from

http://technet.microsoft.com/en-us/security/cc184924

Regards,
Krzysztof
alaayehya Author Commented:
How do I work with psexec? I installed PsTools but I did not know how to run it or use it. Should we write a script or what?

What I need is to check, for example, 20 PCs to know which domain username has local admin on the PC it logs on to.

Thanks
alaayehya Author Commented:
How do I work with psexec? I installed PsTools but I did not know how to run it or use it. Should we write a script or what?

What I need is to check, for example, 20 PCs to know which domain username has local admin rights on the PC it logs on to.

For example:
username: alaay (domain user)
PC name: pc210
Does alaa have local admin rights on pc210?
That is what I want to know on all the PCs.

Thanks
arnold Commented:
Gavincr001 provided an example.

In your case the format will be:

psexec \\pc210 net localgroup "Administrators"

There are VBScripts that do the same using WMI or directly querying the remote computer.
The scripts are a good starting point:
http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_24754216.html
http://www.visualbasicscript.com/Listing-local-group-users-with-WMI-m2048.aspx
http://stackoverflow.com/questions/21514/enumerate-windows-user-group-members-on-remote-system-using-c
alaayehya Author Commented:
Thanks arnold, but I need to know where I can run psexec.
Where should I put it? I am not an expert in scripting. Would you please give me a script for doing that and tell me where I should apply it?
arnold Commented:
PsExec can be obtained from sysinternals.com (technet.microsoft.com/sysinternals).

In a batch script:
You have a file with the hosts named: hostsfile
http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/other/textfiles/

A simpler method is to use a GPO for the startup script or shutdown script
that will execute a script:
(echo "%COMPUTERNAME%"
net localgroup "ADMINISTRATORS"
echo "Done %COMPUTERNAME%") >> \\server\sharename\file_for_list_of_users_in_local_system_administrators.txt

Additionally, you can use a GPO with Restricted Groups to control and limit the users who can be members of the local Administrators group.
Even if an admin adds a user to the Administrators group, when the GPO refreshes, that username will be kicked out. By configuring system auditing with centralized event log collection, you can see who added a user to the Administrators group and when.

Gavincr001 Commented:
Hi alaayehya,

Do you have a domain admin account you can use?

On your own PC or server try the following:

- Create a folder called c:\localadmin
- Open psexec.exe to this folder
- Open a command prompt, then type cd c:\localadmin
- Type the following and use a domain admin account for user and password, or any account which is local admin on all your PCs
- Psexec -u domain\username -p password \\pc201 net localgroup "administrators"

You can also create a text file with all the PC names and save the file to c:\localadmin, then type the following:
- Psexec -u domain\username -p password @computers.txt net localgroup "administrators"
Make sure your command prompt is in this folder: c:\localadmin

Let us know how it went.
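
One way to answer the question asked in this thread (is a given domain user in the local Administrators group on each PC in a list), shown as an added example that is not part of any reply here. It runs under the current logon session, so no password appears on the command line. Assumptions: PowerShell on a domain-joined admin workstation, an account that is local admin on the targets, the placeholder file path and user name, and the English group name Administrators.

```powershell
# Added example, not code from this thread. Placeholders: the list path and the -User value.
param(
    [string]$ComputerList = 'C:\localadmin\computers.txt',  # one PC name per line
    [string]$User                                           # optional, NetBIOS form: 'MYDOMAIN\alaay'
)

function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        # The WinNT ADSI provider reads the group remotely; nothing is executed on the target.
        # Assumes the English group name; it is localized on other Windows languages.
        $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $t     = $m.GetType()
            $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # WinNT://DOMAIN/name    -> domain principal
            # WinNT://DOMAIN/PC/name -> local account on that PC
            # WinNT://S-1-5-...      -> SID that no longer resolves (orphaned entry)
            $parts = @(($path -replace '^WinNT://', '') -split '/')
            $name  = if ($parts.Count -ge 2) { $parts[-2] + '\' + $parts[-1] } else { $parts[0] }
            [pscustomobject]@{ Computer = $ComputerName; Member = $name; Class = $class; Error = $null }
        }
    } catch {
        # Offline or access-denied hosts are recorded instead of being silently skipped.
        [pscustomobject]@{ Computer = $ComputerName; Member = $null; Class = $null
                           Error = $_.Exception.Message }
    }
}

$computers = Get-Content -Path $ComputerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$report    = foreach ($c in $computers) { Get-LocalAdminMember -ComputerName $c }

# Full inventory, kept for review and for comparison with the next run.
$report | Export-Csv -Path '.\local-admins.csv' -NoTypeInformation

if ($User) {
    # Direct membership only. Rows of Class 'Group' (for example a domain group) also
    # grant admin rights to their members, so they are listed for a follow-up check.
    $report | Where-Object { $_.Member -eq $User -or $_.Class -eq 'Group' } |
        Sort-Object Computer, Class | Format-Table Computer, Member, Class -AutoSize
} else {
    $report | Format-Table -AutoSize
}
```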


alaayehya Author Commented:
Part of the question is answered.