domain admins report

Posted on 2012-08-31
Last Modified: 2012-09-05
1) Are there any free tools to produce a report to list ONLY members of the domain admins group, and in tabular format, per account in the domain admins report the following fields:

account active
account expires
password last set
password expires
user may change password
last logon

I know you can get this from net user commands but theres 50 to go through so would prefer one tool to provide one report for all memebers of domain admins....

2) Also, there any other default AD groups that give strong/powerful permissions in a domain? Is domain admins the top one? Could you list perhaps the top 5 - and some discussion what rights they give people?
Question by:pma111
    LVL 57

    Accepted Solution

    A few ways you could do it, some command line methods include adfind, powershell, and dsquery

    adfind -default -f "(memoberof=DN of domain admins)" samaccountname pwdlastset....

    I only outputted two attributes, you can see a good list of attributes here

    if you prefer a free GUI tool then try adinfo

    you can select users and then "users that are direct members of specified group"

    List of default groups here  

    many have elevated rights as you can see (enterprise admins, schema admins, account operators, and server operators just to name a few)


    LVL 3

    Author Comment

    Cheers mike
    LVL 3

    Author Comment

    For some reason though returns 0 results.....
    LVL 57

    Expert Comment

    by:Mike Kline
    can you copy the command you used?


    LVL 3

    Author Comment

    adfind -default -f "(memoberof=DN of domain admins)" samaccountname pwdlastset


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Want to promote your upcoming event?

    Attending an event? Speaking at a conference? Or exhibiting at a tradeshow? Easily inform your contacts by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

    Starting in Windows Server 2008, Microsoft introduced the Group Policy Central Store. This automatically replicating location allows IT administrators to have the latest and greatest Group Policy (GP) configuration settings available. Let’s expl…
    Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

    761 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now