Re: Enumerate Admins



Ok. What would I need to do to get the list of administrators once I have
the list of domains?

"Richard Mueller" wrote:

Hi,

If all domains are in the same forest, you can use a recursive subroutine.
The one below simply displays all domain names:

Set objRootDSE = GetObject("LDAP://RootDSE")
Set objRootDomain = GetObject("LDAP://" & _
    objRootDSE.Get("rootDomainNamingContext"))

Call EnumDomains(objRootDomain, "")

Sub EnumDomains(objParent, strOffset)
    ' Subroutine to document domains.
    Dim objChild

    ' Document domain.
    Wscript.Echo strOffset & objParent.Name

    ' Enumerate child domains.
    objParent.Filter = Array("domain")
    For Each objChild In objParent
        Call EnumDomains(objChild, "--" & strOffset)
    Next
End Sub

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

"COT-AD" <COTAD@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D7E125F7-1B45-4869-9B39-174E10E7C89C@xxxxxxxxxxxxxxxx
I would like to have a script that would run through every domain in the
forest without any user interaction. Do you know of a way to accomplish
this task?

"Richard Mueller" wrote:

Hi,

Finding all users with admin privileges can be a challenge. I thought I
saw a third party tool for this some time ago. If I find it, I'll post
again. In the meantime I have a sample VBScript program that displays all
members of a specified group linked here:

http://www.rlmueller.net/List%20Members%20of%20a%20Group.htm

It reveals membership due to group nesting, plus the "Primary" group
membership. You can specify the Distinguished Name of the Administrators
group (in the Builtin container), the "Domain Admins" group, the
"Enterprise Admins" group, etc. The Administrators group should include
"Domain Admins" and "Enterprise Admins". At a command prompt, you could
create a text file report of admin membership with:

cscript //nologo EnumGroup.vbs "cn=Administrators,cn=Builtin,dc=MyDomain,dc=com" > AdmReport.txt

You would have to repeat this for each domain.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

"COT-AD" <COTAD@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:90ACB021-773A-4DF3-8CE4-9C8AEC87118E@xxxxxxxxxxxxxxxx
I only need to dump information about Domain Admins and Builtin
Administrators for every domain in the forest. It appears this script
dumps every user account in every domain.

"deckhopper" wrote:

Try this?

' Open an ADO connection through the ADSI OLE DB provider.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Search the Global Catalog for every user object and return its name.
objCommand.CommandText = _
    "<GC://dc=fabrikam,dc=com>;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "name;subtree"

Set objRecordSet = objCommand.Execute

' Display the name of each user found.
While Not objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("name")
    objRecordSet.MoveNext
Wend

objConnection.Close
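
An added example, not part of the thread and not any poster's code: one way to answer the question at the top of this message by listing the direct members of the Builtin Administrators and Domain Admins groups in every domain of the forest. It reads the domain list from the crossRef objects in the forest's Partitions container rather than using the recursive subroutine quoted above, assumes Domain Admins is still in its default cn=Users container, and does not expand nested groups or primary-group membership (the EnumGroup.vbs script linked above does that).

```vbscript
' Added example (not from the thread): report direct members of the Builtin
' Administrators and Domain Admins groups for every domain in the forest.
Option Explicit
Dim objRootDSE, objConnection, objCommand, objRecordSet, strDomainDN

Set objRootDSE = GetObject("LDAP://RootDSE")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Each domain has a crossRef object in the Partitions container;
' systemFlags=3 selects domain partitions, nCName holds the domain's DN.
objCommand.CommandText = _
    "<LDAP://cn=Partitions," & objRootDSE.Get("configurationNamingContext") & ">;" & _
    "(&(objectClass=crossRef)(systemFlags=3));" & _
    "nCName;onelevel"
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    strDomainDN = objRecordSet.Fields("nCName").Value
    Wscript.Echo "Domain: " & strDomainDN
    Call ListMembers("cn=Administrators,cn=Builtin," & strDomainDN)
    ' Assumption: Domain Admins has not been moved out of cn=Users.
    Call ListMembers("cn=Domain Admins,cn=Users," & strDomainDN)
    objRecordSet.MoveNext
Loop
objConnection.Close

Sub ListMembers(strGroupDN)
    ' Echo the class and ADsPath of each direct member of one group.
    Dim objGroup, objMember
    On Error Resume Next
    Set objGroup = GetObject("LDAP://" & strGroupDN)
    If Err.Number <> 0 Then
        ' Group moved, or the domain is unreachable: report and carry on.
        Wscript.Echo "  Cannot bind to " & strGroupDN & " (0x" & Hex(Err.Number) & ")"
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0
    Wscript.Echo "  Group: " & strGroupDN
    For Each objMember In objGroup.Members
        Wscript.Echo "    " & objMember.Class & vbTab & objMember.ADsPath
    Next
End Sub
```

Members reported with class "group" are nested groups whose own membership still has to be expanded to get the full set of accounts with administrative rights.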







