Re: Looking for way to enumerate members of local administrators group

Mark wrote:

Hi, I have a difficult WMI/VBScript question.

My goal is to list the membership of the local Administrators group on a
series of servers. Normally this would be easy and I could use the code:

Set objGroup = GetObject("WinNT://" & ComputerName &
"/Administrators,group")
For Each objUser in objGroup.Members
Wscript.Echo objUser.Name
Next

under normal circumstances... my problem is that my id doesn't have
permission and I need to authenticate the call, that is I have a list of
servers and domain id's that have permissions to make the call.

For all other WMI calls (like win32_Disk), I would use an authenticated
call:

Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set WmiObjSet = objSWbemLocator.ConnectServer(strComputer, _
"root\CIMV2", _
strCredentials, _
strPassword)


But the "WinNT:" GetObject call does not seem to support a set of
credentials. So I am looking for a way to solve this. I think I am looking
at two possibilities:

1 - find a syntax that permits the "WinNT://" GetObject call to use
credentials
2 - use similar WIN32 WMI calls to achieve the same thing. I know that
WMI_UserAccount, WMI_Group, WMI_GroupUser, WMI_GroupInDomain exist and I can
see a list of id's and a list of groups using them but I can't make out how
to connect the two.
-----

You can use the OpenDSObject method with the WinNT provider. For example:
============
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

strUserName = "JSmith"
strPassword = "xzy312q"
strComputer = "TestComputer"

Set objNS = GetObject("WinNT:")
Set objGroup = objNS.OpenDSObject("WintNT://" & strComputer _
& "/Administrators,group", _
strUserName, strPassword, ADS_SECURE_AUTHENTICATION Or
ADS_USE_ENCRYPTION)
For Each objMember In objGroup.Members
Wscript.Echo objMember.Name
Next

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


.

Relevant Pages

  • Re: LOCAL USERS and Groups in Domain
    ... DSRAZOR for Windows can generate reports showing all local groups and local ... password on all of your workstations and servers... ... groups in the local administrators group on all the servers in the domain ...
    (microsoft.public.windows.server.scripting)
  • Re: Tighten Security
    ... out of the local Administrators group, ... on Windows 2000 you generally next use gpedit.msc or the ... > Windows 2000 Servers. ... modify NTFS permissions, create shares, manage ...
    (microsoft.public.win2000.security)
  • Site Policies and Domain Controllers
    ... We would like to create a site policy that adds a domain global group ... to the local administrators group of all servers on a specific subnet, ...
    (microsoft.public.windows.server.active_directory)
  • Finding multiple memgers of a group
    ... I am working on a script that will determin if three different ID's ... are in the local Administrators group on a long list of servers. ... Dim objGroup, strComputer, objFSO, objTextFile ... Wscript.Echo "Members of local Administrators group on computer " & ...
    (microsoft.public.scripting.vbscript)
  • Re: Site Policies and Domain Controllers
    ... to the local administrators group of all servers on a specific subnet, ... You could try to create the Group Policy linked to the site and then deny the specific domain controller the "Read" and "Apply Group Policy" permission on the GP: ...
    (microsoft.public.windows.server.active_directory)