Re: Looking for way to enumerate members of local administrators group

I don't have an untrusted domain to test with, but if you authenticate to a
computer object, you can see objects in the computer, but you have not
authenticated to the domain. You can see a local group, but if a member of
the local group is a domain object, like "Domain Admins", I don't know what
you will see. The Members method of the group object returns a collection of
member objects, and it makes sense that you cannot include references to
domain objects in this collection if you are not authenticated to the
domain.

If you are authenticated as a member of the "Domain Admins" group in the
other domain, there would be no problem, as this group by default is a
member of the local Administrators group for all computers joined to the
domain. Maybe you can authenticate to the local group with credentials of a
member of the "Domain Admins" group (in the untrusted domain). Maybe you
need to use something similar to:
========
' Flag constants for OpenDSObject (undeclared they would evaluate to 0)
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

strDomainAdmName = "JSmith"
strPassword = "xzy312q"
strComputer = "TestComputer"
strDomain = "MyDomain"

Set objNS = GetObject("WinNT:")
' Domain-qualified path: WinNT://<domain>/<computer>/Administrators,group
Set objGroup = objNS.OpenDSObject("WinNT://" & strDomain & "/" & strComputer _
    & "/Administrators,group", _
    strDomainAdmName, strPassword, _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
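The same OpenDSObject call, driven from PowerShell over a list of servers, as an added example that is not code from the thread. It prompts for the account rather than embedding a Domain Admins password in the script file, builds Richard's domain-qualified path, and prints each member's ADsPath so that local and domain principals can be told apart. The server names, the domain "MyDomain" and the prompted account are placeholders; the account needs read access to the SAM on each target, which the WinNT provider reaches over SMB/RPC.

```powershell
# Added example, not code from the thread. Placeholders: server names,
# 'MyDomain', and whatever account is entered at the prompt.

# Same values as ADS_SECURE_AUTHENTICATION (1) and ADS_USE_ENCRYPTION (2).
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Encryption

# Prompt instead of hard-coding: a script holding a Domain Admins password
# in clear text is itself a credential exposure.
$cred = Get-Credential -Message 'Account allowed to read the Administrators group'
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

$domain  = 'MyDomain'                        # set to $null for the plain WinNT://<server>/ form
$servers = @('TestComputer', 'TestServer02') # placeholder names

foreach ($server in $servers) {
    # Richard's domain-qualified path: WinNT://<domain>/<computer>/Administrators,group
    $path = if ($domain) { "WinNT://$domain/$server/Administrators,group" }
            else         { "WinNT://$server/Administrators,group" }
    try {
        $group = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
                            -ArgumentList $path, $user, $pass, $authType

        # Members() is a COM collection; each entry's ADSI properties are read
        # through reflection. The ADsPath tells local from domain principals:
        # a local account ends in /<server>/<name>, a domain account does not.
        # Those domain entries are the ones that go missing in Mark's
        # untrusted-domain case.
        $localPattern = "/$([regex]::Escape($server))/[^/]+$"
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            $adsp  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Server  = $server
                Member  = $name
                Class   = $class                                  # User or Group
                Scope   = if ($adsp -imatch $localPattern) { 'local' } else { 'domain' }
                ADsPath = $adsp
            }
        }
    }
    catch {
        # Bad credentials, unreachable host, or an account that cannot read the SAM
        Write-Warning "$server : $($_.Exception.Message)"
    }
}
```

The output is one object per member per server, so it pipes straight into Export-Csv or Where-Object (for instance, keeping only rows where Scope is "domain" and Class is "Group" to spot nested domain groups with local admin rights). The password is still held in clear text in process memory while the script runs; that is inherent to OpenDSObject, which takes a plain string.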

"Mark" <mark_butler@xxxxxxxxxxx> wrote in message
news:5DF1B796-D11C-427C-8C82-E3EE66FA49CC@xxxxxxxxxxxxxxxx
Thank you very much Richard, I was unable to find anything that referenced
the ability to add in credentials to the call. It works quite well!

One thing that is strange, when going across untrusted domains, I am only
retrieving local id/groups on the servers, but no domain groups. Is that a
feature of how it works?

Mark




"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23SRleS$fIHA.2000@xxxxxxxxxxxxxxxxxxxxxxx
Mark wrote:

Hi, I have a difficult WMI/VBScript question.

My goal is to list the membership of the local Administrators group on a
series of servers. Normally this would be easy and I could use the code:

Set objGroup = GetObject("WinNT://" & ComputerName & _
    "/Administrators,group")
For Each objUser in objGroup.Members
Wscript.Echo objUser.Name
Next

under normal circumstances... my problem is that my id doesn't have
permission and I need to authenticate the call, that is I have a list of
servers and domain id's that have permissions to make the call.

For all other WMI calls (like win32_Disk), I would use an authenticated
call:

Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set WmiObjSet = objSWbemLocator.ConnectServer(strComputer, _
"root\CIMV2", _
strCredentials, _
strPassword)


But the "WinNT:" GetObject call does not seem to support a set of
credentials. So I am looking for a way to solve this. I think I am
looking at two possibilities:

1 - find a syntax that permits the "WinNT://" GetObject call to use
credentials
2 - use similar WIN32 WMI calls to achieve the same thing. I know that
WMI_UserAccount, WMI_Group, WMI_GroupUser, WMI_GroupInDomain exist and I
can see a list of id's and a list of groups using them but I can't make
out how to connect the two.
-----

You can use the OpenDSObject method with the WinNT provider. For example:
============
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

strUserName = "JSmith"
strPassword = "xzy312q"
strComputer = "TestComputer"

Set objNS = GetObject("WinNT:")
' Bind to the group with explicit credentials (provider name is "WinNT")
Set objGroup = objNS.OpenDSObject("WinNT://" & strComputer _
    & "/Administrators,group", _
    strUserName, strPassword, _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)
For Each objMember In objGroup.Members
    Wscript.Echo objMember.Name
Next

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
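The WMI route that the question lists as option 2, as an added example that is not code from the thread. The classes involved are Win32_Group, Win32_UserAccount and the Win32_GroupUser association class that links a group to its members; an ASSOCIATORS OF query against the local Administrators group returns the member instances directly, which is the "connect the two" step the question asks about. Get-WmiObject -Credential takes the place of SWbemLocator.ConnectServer with a user name and password. "TestComputer" and the prompted account are placeholders; the account needs remote access to root\cimv2 and DCOM/RPC must be reachable on the target.

```powershell
# Added example, not code from the thread. Placeholders: 'TestComputer' and
# the account entered at the prompt.

$cred   = Get-Credential -Message 'Account with WMI rights on the target'
$server = 'TestComputer'

# For a local group the Win32_Group "Domain" key is the computer name itself.
# Win32_GroupUser associates the group (GroupComponent) with its members
# (PartComponent); asking for the other end of that association gives the
# membership list without a second query per member.
$query = "ASSOCIATORS OF {Win32_Group.Domain='$server',Name='Administrators'} " +
         "WHERE AssocClass=Win32_GroupUser Role=GroupComponent"

Get-WmiObject -ComputerName $server -Credential $cred -Namespace 'root\cimv2' -Query $query |
    ForEach-Object {
        [pscustomobject]@{
            Server  = $server
            Member  = "$($_.Domain)\$($_.Name)"
            Kind    = $_.__CLASS                 # Win32_UserAccount, Win32_Group or Win32_SystemAccount
            IsLocal = ($_.Domain -ieq $server)   # domain members carry the domain name instead
        }
    }
```

On PowerShell 7, where Get-WmiObject is gone, the equivalent is New-CimSession -ComputerName $server -Credential $cred followed by Get-CimInstance -CimSession $session -Query $query; the WQL is unchanged. Get-WmiObject refuses -Credential against the local machine, so run it only against remote targets.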
