EnumLocalGroup - fails when "NT AUTHORITY/SYSTEM" is member of group



Hello Group,

I am using a modified version of Richard Mueller's script to enumerate
members of the local group.
What I am finding is that the script fails when it hits a server that
has "NT AUTHORITY/SYSTEM" indicated in the local Administrators
group.

Is there any way to have the script ignore the entry and go
on to the next entry in the local administrator group?

The script fails in the EnumDomainGroup routine for

objTrans.Set ADS_NAME_TYPE_NT4, strNTName


' NameTranslate already setup. Check if objDomainGroup
' bound with WinNT.
If (blnNT = True) Then
' Convert NetBIOS name of group to Distinguished Name.
strNTName = strNetBIOSDomain & "\" & objDomainGroup.Name
objTrans.Set ADS_NAME_TYPE_NT4, strNTName
strGroupDN = objTrans.Get(ADS_NAME_TYPE_1779)
Else
' objDomainGroup bound with LDAP. Retrieve Distinguished Name.
strGroupDN = objDomainGroup.distinguishedName
End If


Any help is greatly appreciated as I am not skilled with vbs
scripting.

Malcolm


==== Full script below =======


Option Explicit

Dim objNetwork, objLocalGroup, strFile, objFSO, objFile


' These attributes must be declared in the main program,
' so they are global in scope.
Dim objTrans, strComputer, strNetBIOSDomain


' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1


Const ForReading = 1


' Specify file with NetBIOS names of computers.
strFile = "Servers.lst"


' Open the text file for read access.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, ForReading)


' Determine NetBIOS name of domain.
Set objNetwork = CreateObject("Wscript.Network")
strNetBIOSDomain = objNetwork.UserDomain


' Read computer names from the file.
Do Until objFile.AtEndOfStream
strComputer = Trim(objFile.ReadLine)
' Skip blank lines.
If (strComputer <> "") Then
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Administrators group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Administrators,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Administrators group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Backup Operators group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Backup Operators,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Backup Operators group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Power Users group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Power Users,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Power Users group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Account Operators group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Account Operators,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Account Operators group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Pre-Windows 2000 Compatible Access group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Pre-Windows 2000 Compatible Access,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Pre-Windows 2000 Compatible Access group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Print Operators group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Print Operators,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Print Operators group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Server Operators group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Server Operators,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Server Operators group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Domain Admins group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Domain Admins,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Domain Admins group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Domain Administrators group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Domain Administrators,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Domain Administrators group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Enterprise Admins group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Enterprise Admins,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Enterprise Admins group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Enterprise Administrators group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Enterprise Administrators,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Enterprise Administrators group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Group Policy Creator Owners group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Group Policy Creator Owners,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Group Policy Creator Owners group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Schema Admins group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Schema Admins,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Schema Admins group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local Network Configuration Operators group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Network Configuration Operators,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to Network Configuration Operators group on " & strComputer
End If
' Output computer name.
' Wscript.Echo "Computer: " & strComputer
' Bind to local DHCP Administrators group on remote computer.
' Trap error if computer not available (or group does not exist).
On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/DHCP Administrators,group")
If (Err.Number = 0) Then
On Error GoTo 0
' No Error. Enumerate members of the local group.
' Wscript.Echo "Members of group " & objLocalGroup.Name
Call EnumLocalGroup(objLocalGroup)
Else
On Error GoTo 0
' Error attempting to bind to group.
Wscript.Echo "Unable to connect to DHCP Administrators group on " & strComputer
End If
End If
Loop


' Clean up.
objFile.Close


Sub EnumLocalGroup(ByVal objGroup)
' Subroutine to enumerate members of local group.
' The variable strComputer has global scope.


Dim objMember


' Enumerate direct members of group.
For Each objMember In objGroup.Members
On Error Resume Next
If (InStr(LCase(objMember.AdsPath), "/" _
& LCase(strComputer) & "/") > 0) Then
Wscript.Echo strComputer & vbTab & objLocalGroup.Name & _
vbTab & "Local " & objMember.Class & vbTab & objMember.Name & vbTab & _
objMember.description
Else
Wscript.Echo strComputer & vbTab & objLocalGroup.Name & _
vbTab & "Domain " & objMember.Class & vbTab & objMember.Name & vbTab & _
objMember.description & vbTab & objMember.AdsPath
End If
On Error GoTo 0

' Test if member is a group.
If (LCase(objMember.Class) = "group") Then
' Nested group. Test if objMember is a local group.
If (InStr(LCase(objMember.AdsPath), "/" _
& LCase(strComputer) & "/") > 0) Then
' objMember is a local group.
' Call sub recursively to enumerate nested local group.
Call EnumLocalGroup(objMember)
Else
' objMember is a domain group.
' Call sub that uses LDAP provider to enumerate
' nested domain group. objMember is bound with
' WinNT provider.
Call EnumDomainGroup(objMember, True)
End If
End If
Next


End Sub


Sub EnumDomainGroup(ByVal objDomainGroup, ByVal blnNT)
' Subroutine to enumerate members of domain group.
' blnNT is True if objDomainGroup is bound with WinNT,
' False if bound with LDAP.
' The variables objTrans and strNetBIOSDomain have global scope.


Dim strNTName, strGroupDN, objGroup, objMember


' Check if this function called before.
If (IsEmpty(objTrans) = True) Then
' objDomainGroup must be bound with WinNT.
' Setup NameTranslate. Connect to Global Catalog.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""


' Convert NetBIOS name of group to Distinguished Name.
strNTName = strNetBIOSDomain & "\" & objDomainGroup.Name
objTrans.Set ADS_NAME_TYPE_NT4, strNTName
strGroupDN = objTrans.Get(ADS_NAME_TYPE_1779)
Else
' NameTranslate already setup. Check if objDomainGroup
' bound with WinNT.
If (blnNT = True) Then
' Convert NetBIOS name of group to Distinguished Name.
strNTName = strNetBIOSDomain & "\" & objDomainGroup.Name
objTrans.Set ADS_NAME_TYPE_NT4, strNTName
strGroupDN = objTrans.Get(ADS_NAME_TYPE_1779)
Else
' objDomainGroup bound with LDAP. Retrieve Distinguished Name.
strGroupDN = objDomainGroup.distinguishedName
End If
End If
' Bind to group with the LDAP provider, if required.
If (blnNT = True) Then
Set objGroup = GetObject("LDAP://" & strGroupDN)
Else
Set objGroup = objDomainGroup
End If
' Enumerate direct members of objDomainGroup (bound with LDAP).
For Each objMember In objGroup.Members
Wscript.Echo strComputer & vbTab & objLocalGroup.Name & vbTab _
& "Domain " & objMember.Class & vbTab & objMember.sAMAccountName & _
vbTab & objMember.description & vbTab & strNetBIOSDomain
' Check if objMember is a group.
If (LCase(objMember.Class) = "group") Then
' Call sub recursively. objMember bound with LDAP.
Call EnumDomainGroup(objMember, False)
End If
Next


End Sub
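
Added example, not part of the original post or of the script it modifies: one way to skip members under the NT AUTHORITY pseudo-domain and to trap a failed NameTranslate lookup so the audit continues with the next member. The function names IsNTAuthority and TryGetDN, the placeholder domain EXAMPLEDOM and the sample AdsPath values are assumptions made for illustration.

```vbscript
Option Explicit

Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

Dim objTrans, arrPaths, strPath, strNTName, strDN

' Constructed sample AdsPath values (EXAMPLEDOM is a placeholder domain).
arrPaths = Array("WinNT://NT AUTHORITY/SYSTEM", _
    "WinNT://EXAMPLEDOM/Domain Admins")

For Each strPath In arrPaths
    If IsNTAuthority(strPath) Then
        Wscript.Echo "Skipped well-known principal: " & strPath
    Else
        ' Assumption: build the NT4 name from the member's own AdsPath.
        strNTName = Replace(Mid(strPath, Len("WinNT://") + 1), "/", "\")
        strDN = TryGetDN(strNTName)
        If (strDN = "") Then
            Wscript.Echo "Skipped, could not translate: " & strNTName
        Else
            Wscript.Echo strNTName & vbTab & strDN
        End If
    End If
Next

Function IsNTAuthority(ByVal strAdsPath)
    ' True when the member sits under the NT AUTHORITY pseudo-domain.
    IsNTAuthority = (InStr(1, strAdsPath, "WinNT://NT AUTHORITY/", vbTextCompare) = 1)
End Function

Function TryGetDN(ByVal strNT4)
    ' Returns the Distinguished Name, or "" if any NameTranslate step fails.
    TryGetDN = ""
    On Error Resume Next
    If IsEmpty(objTrans) Then
        Set objTrans = CreateObject("NameTranslate")
        objTrans.Init ADS_NAME_INITTYPE_GC, ""
    End If
    objTrans.Set ADS_NAME_TYPE_NT4, strNT4
    If (Err.Number = 0) Then TryGetDN = objTrans.Get(ADS_NAME_TYPE_1779)
    On Error GoTo 0
End Function
```

In the posted script the same two checks would sit at the top of the For Each loop in EnumLocalGroup (testing objMember.AdsPath) and around the objTrans.Set / objTrans.Get pair in EnumDomainGroup. Reporting skipped entries rather than dropping them silently keeps the group audit complete.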