Re: LOCAL USERS and Groups in Domain
- From: "Ken Aldrich" <supportw@xxxxxxxxxxxxxxx>
- Date: Fri, 1 Dec 2006 12:59:54 -0600
Hello,
DSRAZOR for Windows can generate reports showing all local groups and local
users. This is very useful for regulatory compliance. Not only can you
show your auditors the local administrators on your Exchange, SQL, and
application servers, you can do it for all of your workstations just as
easily. No scripting required! The applet is already created.
Additionally, DSRAZOR will allow you to reset the local administrator
password on all of your workstations and servers... even if the
administrator accounts have been renamed!
It will also log the changes, which is very handy for showing your auditors.
Take a look at our website to download a free evaluation copy and/or sign up
for a free one-on-one web presentation of how DSRAZOR works.
www.visualclick.com/?source=localgrp12012006
--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com
"Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OZLMBR1BHHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
Abhishek wrote:
I need a script which runs once a quarter which gets the user and
groups in the local administrators group on all the servers in the domain.
A VBScript program can do this. Because the local SAM account database is
not LDAP compliant, you must use the WinNT provider. For each computer,
the steps are to bind to the local Administrators group, then use the
Members method to enumerate the direct members. In brief:
=========
strComputer = "RemoteComputer"
Set objLocalGroup = GetObject("WinNT://" & strComputer _
    & "/Administrators,group")
For Each objMember In objLocalGroup.Members
    Wscript.Echo objMember.Name & " (" & objMember.Class & ")"
Next
=========
You could code a program to loop through server names, perhaps in an
array. Or, you can modify this sample program that enumerates all servers
in a domain:
http://www.rlmueller.net/Enumerate%20Servers.htm
For your purpose, you would add sAMAccountName to the comma delimited list
of attribute values to retrieve. The value of sAMAccountName is the
NetBIOS name of the machine with a "$" appended on the end. You would
retrieve sAMAccountName for each computer, strip off the trailing "$", and
use this value to bind to the local Administrators group on each machine.
The query you would need would be revised as follows to add
sAMAccountName:
============
strQuery = "<LDAP://" & strDNSDomain _
& ">;(objectCategory=computer);" _
& "distinguishedName,sAMAccountName,operatingSystem;subtree"
=============
Then, you could revise the enumeration of servers as follows:
=============
' Declare new variables.
Dim strComputer, objLocalGroup, objMember
' Enumerate computer objects with server operating systems.
Do Until objRecordSet.EOF
    strOS = objRecordSet.Fields("operatingSystem")
    If InStr(UCase(strOS), "SERVER") > 0 Then
        ' Retrieve NT name of computer.
        strComputer = objRecordSet.Fields("sAMAccountName")
        ' Strip off trailing "$" for NetBIOS name of server.
        strComputer = Left(strComputer, Len(strComputer) - 1)
        Wscript.Echo "Server: " & strComputer
        On Error Resume Next
        Set objLocalGroup = GetObject("WinNT://" & strComputer _
            & "/Administrators,group")
        If (Err.Number <> 0) Then
            On Error GoTo 0
            Wscript.Echo "-- not available"
        Else
            On Error GoTo 0
            For Each objMember In objLocalGroup.Members
                Wscript.Echo "-- " & objMember.Name _
                    & " (" & objMember.Class & ")"
            Next
        End If
    End If
    objRecordSet.MoveNext
Loop
=========
Format the output as desired. You can run the program at a command prompt
and redirect the output to a text file. I added error trapping in case any
machines are off line.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
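Added example, not part of the original posts: since the report is meant to run quarterly with its output redirected to a text file, this Python sketch parses two such files in the format the script above prints and lists local Administrators members that appeared or disappeared between runs. The server and account names in the sample data are constructed, and servers reported as "-- not available" are listed as unaudited rather than treated as having lost their members.

```python
# Added example: compares two runs of the report format printed by the
# VBScript above ("Server: NAME", "-- member (class)", "-- not available").
def parse_report(text):
    """Return {server: set of (member, class)}; None marks an unreachable server."""
    servers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server: "):
            current = line[len("Server: "):].strip().upper()
            servers[current] = set()
        elif line == "-- not available" and current:
            servers[current] = None
        elif line.startswith("-- ") and current and servers[current] is not None:
            name, _, cls = line[3:].rpartition(" (")
            servers[current].add((name.lower(), cls.rstrip(")").lower()))
    return servers

def diff_reports(old_text, new_text):
    """Return (added, removed, unaudited) between a baseline and a new run."""
    old, new = parse_report(old_text), parse_report(new_text)
    added, removed, unaudited = [], [], []
    for server, members in sorted(new.items()):
        if members is None:
            unaudited.append(server)       # offline: no conclusion about membership
            continue
        before = old.get(server) or set()  # new or previously offline: all count as added
        added += [(server, m, c) for m, c in sorted(members - before)]
        removed += [(server, m, c) for m, c in sorted(before - members)]
    return added, removed, unaudited

# Constructed sample data (hypothetical server and account names).
BASELINE = """Server: SRV01
-- Administrator (User)
-- Domain Admins (Group)
Server: SRV02
-- Administrator (User)
"""
CURRENT = """Server: SRV01
-- Administrator (User)
-- Domain Admins (Group)
-- svc_backup (User)
Server: SRV02
-- not available
"""

if __name__ == "__main__":
    added, removed, unaudited = diff_reports(BASELINE, CURRENT)
    for label, rows in (("ADDED", added), ("REMOVED", removed)):
        for server, member, cls in rows:
            print(f"{label:8}{server}: {member} ({cls})")
    for server in unaudited:
        print(f"NO DATA {server}")
```

Servers that appear only in the baseline file are not reported by this sketch; compare the server lists separately if decommissioned machines matter for the audit.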