Solved

Query all machines in a Domain for Local Group Membership

Posted on 2011-02-18
9
1,092 Views
Last Modified: 2012-05-11
Can someone help please. I have been asked to create a list of all users with RDP and Local Admin access by machine in our Domain.

I would like to run this as an LDAP query. Our OU system is pretty well organised. So I could run this against an OU rather than the entire Domain if that is easier to code.
The results need to be in the format:

Machine Name - Local Group Name - Username

Many Thanks

0
Comment
Question by:mikevr6
  • 4
  • 3
9 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34926543
There is no LDAP query you can use to give the local group memberships on servers and workstations.  That info is not stored in AD.

You would need some sort of script like in this question  

http://www.experts-exchange.com/Programming/System/Windows__Programming/Q_24405443.html

Thanks

Mike
0
 

Author Comment

by:mikevr6
ID: 34926696
Thanks Mike.

I found some code which is suitable in that thread. It will read in the Computer names by OU and query the Local Administrators Group. I have also created a second Script that will read the Remote Desktop Users membership. I would like to combine these into one and crucially, not quit when it cannot connect to a computer.

Const ADS_SCOPE_ONELEVEL = 1
 
Set oConn = CreateObject("ADODB.Connection")
Set oCommand = CreateObject("ADODB.Command")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCommand.ActiveConnection = oConn
 
oCommand.Properties("Page Size") = 1000
oCommand.Properties("Searchscope") = ADS_SCOPE_ONELEVEL
 
sOU = "'LDAP://ou=Servers,dc=test,dc=example,dc=com'"
 
oCommand.CommandText = "SELECT Name, ADsPath FROM " & sOU & _
" WHERE objectCategory ='computer'"
Set oRecordSet = oCommand.Execute
oRecordSet.MoveFirst
Do Until oRecordSet.EOF
WScript.Echo "List of member of local Administrators group for " & oRecordSet.Fields("Name").Value
Set oLocalAdmins = GetObject("WinNT://" & oRecordSet.Fields("Name").Value & "/Administrators")
For Each oLocalAdmin in oLocalAdmins.Members
WScript.Echo oLocalAdmin.Name
Next
oRecordSet.MoveNext
Loop
0
 

Author Comment

by:mikevr6
ID: 34941614
A quick 500 points for someone who can add the "Remote Desktop Users" group to the output and stop the script quitting when it can't contact a machine.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 65

Expert Comment

by:RobSampson
ID: 34947646
Hi there, see if this works for you.

Regards,

Rob.
arrGroups = Array("Administrators", "Remote Desktop Users")
strOutput = "GroupMembers.csv"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutput = objFSO.CreateTextFile(strOutput, True)
objOutput.WriteLine """COMPUTER"",""GROUP NAME"",""MEMBER NAME"""

Const ADS_SCOPE_ONELEVEL = 1 
 
Set oConn = CreateObject("ADODB.Connection") 
Set oCommand = CreateObject("ADODB.Command") 
oConn.Provider = "ADsDSOObject" 
oConn.Open "Active Directory Provider" 
Set oCommand.ActiveConnection = oConn 
 
oCommand.Properties("Page Size") = 1000 
oCommand.Properties("Searchscope") = ADS_SCOPE_ONELEVEL 
 
sOU = "'LDAP://ou=Servers,dc=test,dc=example,dc=com'"
 
For Each strGroup In arrGroups
	oCommand.CommandText = "SELECT Name, ADsPath FROM " & sOU & " WHERE objectCategory ='computer'" 
	Set oRecordSet = oCommand.Execute
	oRecordSet.MoveFirst
	Do Until oRecordSet.EOF
		'WScript.Echo "List of member of local Administrators group for " & oRecordSet.Fields("Name").Value 
		Set oLocalAdmins = GetObject("WinNT://" & oRecordSet.Fields("Name").Value & "/" & strGroup) 
		For Each oLocalAdmin in oLocalAdmins.Members 
			objOutput.WriteLine """" & oRecordSet.Fields("Name").Value & """,""" & strGroup & """,""" & oLocalAdmin.Name
		Next 
		oRecordSet.MoveNext
	Loop
Next
objOutput.Close

MsgBox "Done. Please see " & strOutput

Open in new window

0
 

Author Comment

by:mikevr6
ID: 34950210
Hi Rob,

Thanks very much. This is checking the Admin and RDP users fine.
However, when I run it against our test OU, which contains 3 servers, it stops after checking the first server.
Can you also change the formatting of the report, so it uses the Group Name and Member name columns correctly? We're nearly there :)
I've attached the output of my test.
Many Thanks GroupMembers.csv
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 34957379
Hi, try this. It should work much better.

Regards,

Rob.
arrGroups = Array("Administrators", "Remote Desktop Users")
strOutput = "GroupMembers.csv"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutput = objFSO.CreateTextFile(strOutput, True)
objOutput.WriteLine """COMPUTER"",""GROUP NAME"",""MEMBER NAME"""

Const ADS_SCOPE_ONELEVEL = 1 
 
Set oConn = CreateObject("ADODB.Connection") 
Set oCommand = CreateObject("ADODB.Command") 
oConn.Provider = "ADsDSOObject" 
oConn.Open "Active Directory Provider" 
Set oCommand.ActiveConnection = oConn 
 
oCommand.Properties("Page Size") = 1000 
oCommand.Properties("Searchscope") = ADS_SCOPE_ONELEVEL 
 
sOU = "'LDAP://ou=Servers,dc=test,dc=example,dc=com'"

oCommand.CommandText = "SELECT Name, ADsPath FROM " & sOU & " WHERE objectCategory ='computer'" 
Set oRecordSet = oCommand.Execute
oRecordSet.MoveFirst
Do Until oRecordSet.EOF
	strComputer = oRecordSet.Fields("Name").Value
	If Ping(strComputer) = True Then
		For Each strGroup In arrGroups
			'WScript.Echo "List of member of local Administrators group for " & strComputer
			On Error Resume Next
			Set oLocalAdmins = GetObject("WinNT://" & strComputer & "/" & strGroup) 
			If Err.Number = 0 Then
				On Error GoTo 0
				For Each oLocalAdmin in oLocalAdmins.Members 
					objOutput.WriteLine """" & strComputer & """,""" & strGroup & """,""" & oLocalAdmin.Name & """"
				Next
			Else
				objOutput.WriteLine """" & strComputer & """,""" & strGroup & """,""Error " & Err.Number & ": " & Err.Description & """"
				Err.Clear
				On Error GoTo 0
			End If
		Next
	Else
		objOutput.WriteLine """" & strComputer & """,""" & strGroup & """,""OFFLINE"""
	End If
	oRecordSet.MoveNext
Loop
objOutput.Close

MsgBox "Done. Please see " & strOutput

Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function

Open in new window

0
 

Author Closing Comment

by:mikevr6
ID: 34958933
Fantastic! Thanks for your efforts Mike and especially Rob! Genius!!
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 34958981
No worries. Thanks for the grade.

Regards,

Rob.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
With User Account Control (UAC) enabled in Windows 7, one needs to open an elevated Command Prompt in order to run scripts under administrative privileges. Although the elevated Command Prompt accomplishes the task, the question How to run as script…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question