I'm trying to find/write a script that can return the members of the Local
Administrator group on Win 2K/XP machines. I have an Active Directory 2003
domain environment and basically want to be able to generate a text file that
lists the computers in my domain with the Domain users that belong to those
computers' local Administrator group. Very new to Windows scripting, and I
can't figure out how to pull the users from the local administrator group.
I'm thinking I need to use WMI which is new to me as well. Any help is most
appreciated.
Hi,
I suggest you configure a computer startup script that runs the script
below. This will then be done each time the computer starts up.
A computer startup script (started with a GPO) runs as part of the
boot up process (before the user logs in). It runs under the system
context and has admin rights.
Create a share where the log files from the computers are to be put, and
grant write access for the AD group "Domain Computers" to the share.
Adjust the server/share name in the sOutFile variable in the script.

' arguments for CreateTextFile
Const OverwriteIfExist = -1
Const OpenAsASCII = 0

Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oWshNet = CreateObject("WScript.Network")

' get name of local computer
sNode = oWshNet.ComputerName

' file where result is written to
sOutFile = "\\server\share\logs\AdminList_" & sNode & ".txt"

' connect to the Administrators group using ADSI
Set oGroup = GetObject("WinNT://" & sNode & "/Administrators")

' loop through all members of the group
For Each oMember In oGroup.Members
    If oMember.Class = "User" Then
        On Error Resume Next ' implicit Err.Clear
        ' try to connect to user object to see if account is a local user
        Set oUser = GetObject("WinNT://" & sNode & "/" _
            & oMember.Name & ",user")
        If Err.Number <> 0 Then
            ' user is not local!
            sUsers = sUsers & Mid(oMember.ADsPath, 9) & vbCrLf
        End If
        ' restore normal error handling for the rest of the script
        On Error GoTo 0
    Else
        ' Group or builtin
        ' Do not include the Enterprise and Domain admins groups
        If LCase(oMember.Name) <> "enterprise admins" _
            And LCase(oMember.Name) <> "domain admins" Then
            sOthers = sOthers & Mid(oMember.ADsPath, 9) & vbCrLf
        End If
    End If
Next

Set fOutFile = oFSO.CreateTextFile _
    (sOutFile, OverwriteIfExist, OpenAsASCII)

fOutFile.WriteLine "Administrators group enumeration done at " & Now
fOutFile.WriteLine vbCrLf & "Domain user accounts:"
fOutFile.WriteLine sUsers
fOutFile.WriteLine vbCrLf & "Other accounts:"
fOutFile.WriteLine sOthers
fOutFile.Close
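
Added example, not part of the original reply: the startup script leaves one AdminList_<computer>.txt file per machine, so this sketch merges them into the single domain-wide list the question asks for. The report path sReport and the column names are assumptions; sLogDir is the folder used in sOutFile above.

```vbscript
Option Explicit
' Added example: merge the AdminList_<computer>.txt files into one report.
' sLogDir matches sOutFile above; sReport is an assumed placeholder path
' kept outside sLogDir so the report is not read back as input.
Const ForReading = 1
Const sLogDir = "\\server\share\logs"
Const sReport = "\\server\share\AdminList_All.txt"
Const sPrefix = "AdminList_"

Dim oFSO, oFile, oIn, oOut, sComputer, sLine, sSection

Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oOut = oFSO.CreateTextFile(sReport, True, False) ' overwrite, ASCII
oOut.WriteLine "Computer" & vbTab & "Section" & vbTab & "Account" _
    & vbTab & "ReportWritten"

For Each oFile In oFSO.GetFolder(sLogDir).Files
    If LCase(Left(oFile.Name, Len(sPrefix))) = LCase(sPrefix) _
      And LCase(Right(oFile.Name, 4)) = ".txt" Then
        ' computer name is the part between the prefix and ".txt"
        sComputer = Mid(oFile.Name, Len(sPrefix) + 1, _
            Len(oFile.Name) - Len(sPrefix) - 4)
        sSection = ""
        Set oIn = oFSO.OpenTextFile(oFile.Path, ForReading)
        Do Until oIn.AtEndOfStream
            sLine = Trim(oIn.ReadLine)
            If sLine = "Domain user accounts:" Then
                sSection = "DomainUser"
            ElseIf sLine = "Other accounts:" Then
                sSection = "Other"
            ElseIf sLine <> "" And sSection <> "" Then
                ' account line; the timestamp line before the first
                ' header is skipped because sSection is still empty
                oOut.WriteLine sComputer & vbTab & sSection & vbTab _
                    & sLine & vbTab & oFile.DateLastModified
            End If
        Loop
        oIn.Close
    End If
Next
oOut.Close
```

Run it with cscript from an account that can read the share. An old ReportWritten value marks a computer that has not restarted since, so its membership list may be stale.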