mikevr6
asked on
Query all machines in a Domain for Local Group Membership
Can someone help please. I have been asked to create a list of all users with RDP and Local Admin access by machine in our Domain.
I would like to run this as an LDAP query. Our OU system is pretty well organised. So I could run this against an OU rather than the entire Domain if that is easier to code.
The results need to be in the format:
Machine Name - Local Group Name - Username
Many Thanks
ASKER
Thanks Mike.
I found some code which is suitable in that thread. It will read in the Computer names by OU and query the Local Administrators Group. I have also created a second Script that will read the Remote Desktop Users membership. I would like to combine these into one and crucially, not quit when it cannot connect to a computer.
Const ADS_SCOPE_ONELEVEL = 1
Set oConn = CreateObject("ADODB.Connection")
Set oCommand = CreateObject("ADODB.Command")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCommand.ActiveConnection = oConn
oCommand.Properties("Page Size") = 1000
oCommand.Properties("Searchscope") = ADS_SCOPE_ONELEVEL
sOU = "'LDAP://ou=Servers,dc=test,dc=example,dc=com'"
oCommand.CommandText = "SELECT Name, ADsPath FROM " & sOU & _
    " WHERE objectCategory ='computer'"
Set oRecordSet = oCommand.Execute
oRecordSet.MoveFirst
Do Until oRecordSet.EOF
    WScript.Echo "List of member of local Administrators group for " & oRecordSet.Fields("Name").Value
    Set oLocalAdmins = GetObject("WinNT://" & oRecordSet.Fields("Name").Value & "/Administrators")
    For Each oLocalAdmin in oLocalAdmins.Members
        WScript.Echo oLocalAdmin.Name
    Next
    oRecordSet.MoveNext
Loop
ASKER
A quick 500 points for someone who can add the "Remote Desktop Users" group to the output and stop the script quitting when it can't contact a machine.
Hi there, see if this works for you.
Regards,
Rob.
arrGroups = Array("Administrators", "Remote Desktop Users")
strOutput = "GroupMembers.csv"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutput = objFSO.CreateTextFile(strOutput, True)
objOutput.WriteLine """COMPUTER"",""GROUP NAME"",""MEMBER NAME"""
Const ADS_SCOPE_ONELEVEL = 1
Set oConn = CreateObject("ADODB.Connection")
Set oCommand = CreateObject("ADODB.Command")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCommand.ActiveConnection = oConn
oCommand.Properties("Page Size") = 1000
oCommand.Properties("Searchscope") = ADS_SCOPE_ONELEVEL
sOU = "'LDAP://ou=Servers,dc=test,dc=example,dc=com'"
For Each strGroup In arrGroups
    oCommand.CommandText = "SELECT Name, ADsPath FROM " & sOU & " WHERE objectCategory ='computer'"
    Set oRecordSet = oCommand.Execute
    oRecordSet.MoveFirst
    Do Until oRecordSet.EOF
        'WScript.Echo "List of member of local Administrators group for " & oRecordSet.Fields("Name").Value
        Set oLocalAdmins = GetObject("WinNT://" & oRecordSet.Fields("Name").Value & "/" & strGroup)
        For Each oLocalAdmin in oLocalAdmins.Members
            objOutput.WriteLine """" & oRecordSet.Fields("Name").Value & """,""" & strGroup & """,""" & oLocalAdmin.Name
        Next
        oRecordSet.MoveNext
    Loop
Next
objOutput.Close
MsgBox "Done. Please see " & strOutput
ASKER
Hi Rob,
Thanks very much. This is checking the Admin and RDP users fine.
However, when I run it against our test OU, which contains 3 servers, it stops after checking the first server.
Can you also change the formatting of the report, so it uses the Group Name and Member name columns correctly? We're nearly there :)
I've attached the output of my test.
Many Thanks
GroupMembers.csv
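One way to handle both points raised in the post above (carry on when a machine cannot be contacted, and keep every value in its own CSV column), as an added example that is not the thread's members-only solution or any poster's code. It reuses the OU path, group names and output file name from the earlier posts; the `CsvLine` helper and the choice to log failures as rows are assumptions of this example.

```vbscript
Option Explicit
' Added example, not from the thread. OU path and file name are those used in the posts above.
Const ADS_SCOPE_ONELEVEL = 1
Dim arrGroups, objFSO, objOutput, oConn, oCommand, oRecordSet
Dim strComputer, strGroup, oGroup, oMember
arrGroups = Array("Administrators", "Remote Desktop Users")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutput = objFSO.CreateTextFile("GroupMembers.csv", True)
objOutput.WriteLine CsvLine(Array("COMPUTER", "GROUP NAME", "MEMBER NAME"))
Set oConn = CreateObject("ADODB.Connection")
Set oCommand = CreateObject("ADODB.Command")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCommand.ActiveConnection = oConn
oCommand.Properties("Page Size") = 1000
oCommand.Properties("Searchscope") = ADS_SCOPE_ONELEVEL
oCommand.CommandText = "SELECT Name FROM 'LDAP://ou=Servers,dc=test,dc=example,dc=com'" & _
    " WHERE objectCategory='computer'"
Set oRecordSet = oCommand.Execute
Do Until oRecordSet.EOF          ' no MoveFirst: an empty OU must not raise an error
    strComputer = oRecordSet.Fields("Name").Value
    For Each strGroup In arrGroups
        On Error Resume Next     ' trap failures for this machine/group pair only
        Set oGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ",group")
        If Err.Number = 0 Then
            For Each oMember In oGroup.Members
                ' ADsPath keeps the domain or machine prefix (DOMAIN/user), which Name drops
                objOutput.WriteLine CsvLine(Array(strComputer, strGroup, Replace(oMember.ADsPath, "WinNT://", "")))
            Next
        End If
        If Err.Number <> 0 Then  ' unreachable host, missing group or access denied: log it, keep going
            objOutput.WriteLine CsvLine(Array(strComputer, strGroup, "ERROR 0x" & Hex(Err.Number) & " " & Err.Description))
            Err.Clear
        End If
        On Error GoTo 0          ' restore normal error handling outside the remote call
    Next
    oRecordSet.MoveNext
Loop
objOutput.Close
' Quote every field and double any embedded quotes so the three columns stay aligned.
Function CsvLine(arrFields)
    Dim i, s
    For i = 0 To UBound(arrFields)
        If i > 0 Then s = s & ","
        s = s & """" & Replace(arrFields(i), """", """""") & """"
    Next
    CsvLine = s
End Function
```

Writing failures as ERROR rows rather than skipping them keeps unreachable machines visible in the access review, so they can be re-queried instead of being read as having no privileged members.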
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Fantastic! Thanks for your efforts Mike and especially Rob! Genius!!
No worries. Thanks for the grade.
Regards,
Rob.
You would need some sort of script like in this question
https://www.experts-exchange.com/questions/24405443/VBSCRIPT-Check-who-is-member-of-local-Admin-group-on-a-list-of-windows-servers.html
Thanks
Mike