Tracking domain accounts in the administrator group

Hello

Is there a tool/method to track a domain account that appears several times in the administrator groups on servers ?

Thanks
nico-Asked:
Who is Participating?
 
stu29Commented:
Try using powershell

PS C:\> invoke-command {
>> net localgroup administrators |
>> where {$_ -AND $_ -notmatch "command completed successfully"} |
>> select -skip 4
>> } -computer chi-fp01
>>
Administrator
GLOBOMANTICS\Chicago IT
GLOBOMANTICS\Domain Admins

Let’s go one more level and write an object to the pipeline and be better at handling output from multiple computers.

$members = net localgroup administrators |
 where {$_ -AND $_ -notmatch "command completed successfully"} |
 select -skip 4
New-Object PSObject -Property @{
 Computername = $env:COMPUTERNAME
 Group = "Administrators"
 Members=$members
 }

This will create a simple object with a properties for the computername, group name and members. Here’s how I can use it with Invoke-Command.

invoke-command {
$members = net localgroup administrators |
 where {$_ -AND $_ -notmatch "command completed successfully"} |
 select -skip 4
New-Object PSObject -Property @{
 Computername = $env:COMPUTERNAME
 Group = "Administrators"
 Members=$members
 }
} -computer chi-fp01,chi-win8-01,chi-ex01 -HideComputerName |
Select * -ExcludeProperty RunspaceID
0
 
stu29Commented:
Set up Audit logging in your security policy (either local or Group Policy), then check your Security logs.

4727 – A security-enabled global group was created.

4728 – A member was added to a security-enabled global group.

4730 – A security-enabled global group was deleted.

4731 – A security-enabled local group was created.

4732 – A member was added to a security-enabled local group.

4733 – A member was removed from a security-enabled local group.

4734 – A security-enabled local group was deleted.

4735 – A security-enabled local group was changed.

4737 – A security-enabled global group was changed.

4754 – A security-enabled universal group was created.

4755 – A security-enabled universal group was changed.

4756 – A member was added to a security-enabled universal group.

4757 – A member was removed from a security-enabled universal group.

4758 – A security-enabled universal group was deleted.
0
 
SandeshdubeySenior Server EngineerCommented:
You can use below command to list members of groups.

dsget group "CN=GroupName,DC=domainame,DC=local" -members


In order to find out changes, creation or deletion events, you must keep the “Account Management” auditing enabled.


Apart from the auditing, you can use third party tools like Quest and Ntewrix to find out WHO changed WHAT, WHEN, and WHERE to list additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, group memberships.
 
NetWrix tool : http://www.netwrix.com/active_directory_change_reporting_freeware.html
 
Quest: http://www.quest.com/changeauditor-for-active-directory/
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
stu29Commented:
If these are domain groups you can check the metadata also

repadmin /showobjmeta test-dc01 "CN=Test Group,OU=Groups,DC=techevan,DC=lab"

You will see something like

Type     Attribute     Last Mod Time         Originating DSA         Loc.USN          Org.USN Ver        Distinguished Name
===  ========  ===========      =================   ======= ======= === =========================
ABSENT   member        2010-11-05 16:55:28 TestSiteTEST-DC01  749327  749327   2  CN=Rick Sheikh,OU=Users,DC=techevan,DC=lab
0
 
nico-Author Commented:
Hello

Other way around.  Need to know how many times a domain account appears in the local administrators group in the server estate.

I've seen this done before but can't remember how.  Maybe a tool like AD Manager ?
0
 
nico-Author Commented:
way over my head that :) but it looks good.
0
 
nico-Author Commented:
No idea if that was right :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.