I have been given the task to find a way to check who has local admin rights on our workstations. I have done some research and there are bits of code which can accomplish this. I must admit scripting is not one of my strengths. Here are a few approaches I am pondering on:

- VB script, set as a computer startup script in AD. Whenever the computer starts up, it will run the script and dump out the results on the local drive and on a network share (just like the MS04-028 scanning tool w/o SMS does).

- KIX script/Logon script, dump the results to the network share

- VB script to do online scanning of a list of PC names or the domain

Answers

0
Here is what we came up with this afternoon, that I would like to share. This script can scan all computers which are currently online in a specified OU.

You will see the progress in the DOS box while the script is running. The log file is created in the same directory as where the script is run.

Once you have the log file, you can open it in Excel and manipulate the data. (Tip: use AutoFilter in Excel)


Option Explicit
Dim strComputer, strComputerContainer, strLogFile, strLocalAdminGroup
Dim objContainer, objComputer, objFSO, objLogFile, colPingedComputers
' Second argument of CreateTextFile: False means do not overwrite an existing file
Const NO_OVERWRITE = False
' Change this to the OU you would like to check
strComputerContainer = "ou=computers,dc=domain,dc=com"
Set objContainer = GetObject("LDAP://" & strComputerContainer)
objContainer.Filter = Array("Computer")
' The log file will be created in the same location as the script
strLogFile = "LocalAdmins.LOG"
' Enumerate the local group 'Administrators'. This can be changed, e.g. Power Users, Network Configuration Operators
strLocalAdminGroup = "Administrators"
Set objFSO = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set objLogFile = objFSO.CreateTextFile(strLogFile, NO_OVERWRITE)
If Err.Number <> 0 Then
' Before running the script, make sure the log file does NOT exist otherwise the script will stop
WScript.Echo "Cannot create " & strLogFile & " -OR- " & strLogFile & " already exists."
WScript.Quit
End If
On Error GoTo 0
objLogFile.WriteLine("**************** Started at " & Now() & "****************")
objLogFile.WriteLine()
objLogFile.WriteLine("Machine Name,Local Administrators")
' Keep going when one machine cannot be queried; the failure is logged per machine below
On Error Resume Next
For Each objComputer In objContainer
' objComputer.Name is "CN=HOSTNAME"; keep the part after the "="
strComputer = Split(objComputer.Name, "=")(1)
Call GetLocalAdmins(strComputer)
Next
objLogFile.WriteLine()
objLogFile.WriteLine("**************** Finished at " & Now() & "****************")
objLogFile.Close
'-=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=-
' SUB GetLocalAdmins
' purpose: Retrieve list of local administrators from online machines
' input: HostName (a machine name)
' output: results are echoed on screen and saved in strLogFile
' notes: uses Win32_PingStatus class ("strPinger" must be XP or 2003)
'-=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=-
Sub GetLocalAdmins(HostName)
Dim strPinger, objPingStatus, objLocalAdminGroup, objLocalAdmin
strPinger = "."
Set colPingedComputers = GetObject("winmgmts:{impersonationLevel=impersonate}//" & strPinger & "/root/cimv2").ExecQuery("SELECT * FROM Win32_PingStatus WHERE Address = '" & HostName & "'")
For Each objPingStatus In colPingedComputers
If objPingStatus.StatusCode = 0 Then
WScript.Echo "Processing " & HostName
' The WinNT provider reads the group from the remote SAM; the account running the script needs admin rights there
Err.Clear
Set objLocalAdminGroup = GetObject("WinNT://" & HostName & "/" & strLocalAdminGroup & ",group")
If Err.Number <> 0 Then
WScript.Echo HostName & " Error: " & Err.Description
objLogFile.WriteLine(HostName & " Error: " & Err.Description)
Err.Clear
Else
' .Name is the bare account or group name; .ADsPath also shows the domain or machine it comes from
For Each objLocalAdmin In objLocalAdminGroup.Members
objLogFile.WriteLine(HostName & "," & objLocalAdmin.Name)
Next
End If
Set objLocalAdminGroup = Nothing
Else
WScript.Echo HostName & " Offline"
objLogFile.WriteLine(HostName & " Offline")
End If
Next
End Sub
Answered 11/19/2004 by: pjohnson
Orange Belt
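The script above produces a LocalAdmins.LOG that still has to be reviewed by hand in Excel. As an added example (not part of the original thread), here is a small Python reader for that log layout that lists the machines whose Administrators group contains anyone outside an assumed baseline, which is the review step the original question is really after. The sample log and the baseline set are constructed for illustration.

```python
# Constructed sample in the LocalAdmins.LOG layout the script above writes.
SAMPLE_LOG = """\
**************** Started at 11/19/2004 2:15:03 PM****************

Machine Name,Local Administrators
WS01,Administrator
WS01,Domain Admins
WS01,jsmith
WS02 Offline
WS03,Administrator
WS03,Helpdesk

**************** Finished at 11/19/2004 2:16:41 PM****************
"""

# Assumed baseline of members every workstation should have; adjust to your own.
BASELINE = {"administrator", "domain admins"}

def parse_local_admins_log(text):
    """Return ({machine: [members]}, {machine: status}) from the log text."""
    admins, not_checked = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*") or line.startswith("Machine Name,"):
            continue  # blank line, banner or column header
        machine, sep, member = line.partition(",")
        # Status rows ("WS02 Offline") have no comma and a space in the first
        # field, so they cannot be mistaken for a member row.
        if not sep or " " in machine:
            name, _, status = line.partition(" ")
            not_checked[name] = status
            continue
        admins.setdefault(machine, []).append(member)
    return admins, not_checked

def unexpected_admins(admins, baseline=BASELINE):
    """Machine -> members outside the baseline; clean machines are omitted."""
    flagged = {}
    for machine, members in admins.items():
        extra = [m for m in members if m.lower() not in baseline]
        if extra:
            flagged[machine] = extra
    return flagged

if __name__ == "__main__":
    found, skipped = parse_local_admins_log(SAMPLE_LOG)
    for machine, extra in sorted(unexpected_admins(found).items()):
        print(f"{machine}: review {', '.join(extra)}")
    print("not checked:", skipped)
```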

0
Thank you!

nice script works fine

I have had this annoying issue for some time too. Users have been given administrative rights and someone has forgotten to remove them afterwards.

[;)]

I will make some changes to meet my needs


Sweede ;-)
Answered 12/17/2004 by: Sweede
Second Degree Green Belt

0
How would I go about specifying my OU? When I look at the domain I see the domain, then group x and under x is my group, then computers. So I have...

blah.blah.domain.com
|
|_Group X
..............|_Group 1
..............|_Group 2
..............|_Group 3
...........................|_Computers
Answered 01/21/2005 by: Akkadian
Yellow Belt

0
Edit this line to point to the OU you want to grab the computer names from:

' Change this to the OU you would like to check
strComputerContainer = "ou=computers,dc=domain,dc=com"
Answered 01/23/2005 by: pjohnson
Orange Belt

0
So is this right for mine?

strComputerContainer = "ou=groupx/group1/computers,dc=domain,dc=com"


Sorry... I'm new at this...
Answered 01/26/2005 by: Akkadian
Yellow Belt

0
Try this:

strComputerContainer = "ou=groupx,ou=group1,ou=computers,dc=domain,dc=com"

ORIGINAL: Akkadian

So is this right for mine?

strComputerContainer = "ou=groupx/group1/computers,dc=domain,dc=com"


Sorry... I'm new at this...
Answered 01/26/2005 by: pjohnson
Orange Belt

0
Hopefully this thread isn't abandoned.....

However when I try to modify the script I get an error 'There is no such object on server'

My hierarchy is as such:

OU=MyBusiness
|
|
----OU=Computers
|
|
-------OU=SBSComputers

Here is what I have in my script: (may wrap)

' Change this to the OU you would like to check
strComputerContainer = "ou=MyBusiness,ou=computers,ou=SBScomputers,dc=houston,dc=local"

What am I doing wrong here?
Answered 02/02/2005 by: ehammett
Yellow Belt

0
Looks like you got the OUs the wrong way around.

Try this:

' Change this to the OU you would like to check
strComputerContainer = "ou=SBScomputers,ou=computers,ou=MyBusiness,dc=houston,dc=local"


ORIGINAL: ehammett

Hopefully this thread isn't abandoned.....

However when I try to modify the script I get an error 'There is no such object on server'

My hierarchy is as such:

OU=MyBusiness
|
|
----OU=Computers
|
|
-------OU=SBSComputers

Here is what I have in my script: (may wrap)

' Change this to the OU you would like to check
strComputerContainer = "ou=MyBusiness,ou=computers,ou=SBScomputers,dc=houston,dc=local"

What am I doing wrong here?
Answered 02/02/2005 by: pjohnson
Orange Belt

0
Thanks PJ. you were right I had it backwards! Worked just fine

Another question however. I was trying it at another client of mine who has a domain of something like apples.com however their display name is 'oranges'.

They have all their computer accounts in the default 'Computers' OU, however when I change the script to

strComputerContainer = "ou=computers,dc=apples,dc=com"

It errors out saying 'There is no such object on server'

However when I changed it to "ou=computers,dc=oranges,dc=com"

I get the error 'A referral was received from the server'

Can't figure out what I am doing wrong on this one?

Thanks again!
Answered 02/03/2005 by: ehammett
Yellow Belt

0
Glad it worked.

Maybe you can try dropping off the "dc=com".
Answered 02/03/2005 by: pjohnson
Orange Belt

0
When I try to run it I get the following message
(5,1) (null): A referral was returned from the server

Any ideas?

Computers are in the default Computers OU, domain is napierbrown.co.uk.

Any help much appreciated!

============================

Option Explicit
Dim strComputer, strComputerContainer, strLogFile, strLocalAdminGroup
Dim objContainer, objComputer, objFSO, objLogFile, colPingedComputers
' Second argument of CreateTextFile: False means do not overwrite an existing file
Const NO_OVERWRITE = False
' Change this to the OU you would like to check
strComputerContainer = "ou=Computers,dc=napierbrown,dc=co.uk"
Set objContainer = GetObject("LDAP://" & strComputerContainer)

objContainer.Filter = Array("Computer")
' The log file will be created in the same location as the script
strLogFile = "LocalAdmins.LOG"
' Enumerate the local group 'Administrators'. This can be changed, e.g. Power Users, Network Configuration Operators
strLocalAdminGroup = "Administrators"
Set objFSO = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set objLogFile = objFSO.CreateTextFile(strLogFile, NO_OVERWRITE)
If Err.Number <> 0 Then
' Before running the script, make sure the log file does NOT exist otherwise the script will stop
WScript.Echo "Cannot create " & strLogFile & " -OR- " & strLogFile & " already exists."
WScript.Quit
End If
On Error GoTo 0
objLogFile.WriteLine("**************** Started at " & Now() & "****************")
objLogFile.WriteLine()
objLogFile.WriteLine("Machine Name,Local Administrators")
' Keep going when one machine cannot be queried; the failure is logged per machine below
On Error Resume Next
For Each objComputer In objContainer
' objComputer.Name is "CN=HOSTNAME"; keep the part after the "="
strComputer = Split(objComputer.Name, "=")(1)
Call GetLocalAdmins(strComputer)
Next
objLogFile.WriteLine()
objLogFile.WriteLine("**************** Finished at " & Now() & "****************")
objLogFile.Close
'-=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=-
' SUB GetLocalAdmins
' purpose: Retrieve list of local administrators from online machines
' input: HostName (a machine name)
' output: results are echoed on screen and saved in strLogFile
' notes: uses Win32_PingStatus class ("strPinger" must be XP or 2003)
'-=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=--=[]=-
Sub GetLocalAdmins(HostName)
Dim strPinger, objPingStatus, objLocalAdminGroup, objLocalAdmin
strPinger = "."
Set colPingedComputers = GetObject("winmgmts:{impersonationLevel=impersonate}//" & strPinger & "/root/cimv2").ExecQuery("SELECT * FROM Win32_PingStatus WHERE Address = '" & HostName & "'")
For Each objPingStatus In colPingedComputers
If objPingStatus.StatusCode = 0 Then
WScript.Echo "Processing " & HostName
' The WinNT provider reads the group from the remote SAM; the account running the script needs admin rights there
Err.Clear
Set objLocalAdminGroup = GetObject("WinNT://" & HostName & "/" & strLocalAdminGroup & ",group")
If Err.Number <> 0 Then
WScript.Echo HostName & " Error: " & Err.Description
objLogFile.WriteLine(HostName & " Error: " & Err.Description)
Err.Clear
Else
' .Name is the bare account or group name; .ADsPath also shows the domain or machine it comes from
For Each objLocalAdmin In objLocalAdminGroup.Members
objLogFile.WriteLine(HostName & "," & objLocalAdmin.Name)
Next
End If
Set objLocalAdminGroup = Nothing
Else
WScript.Echo HostName & " Offline"
objLogFile.WriteLine(HostName & " Offline")
End If
Next
End Sub
Answered 02/17/2005 by: markholmes24
Senior Yellow Belt

0
Change the following line from

strComputerContainer = "ou=Computers,dc=napierbrown,dc=co.uk"

to

strComputerContainer = "ou=Computers,dc=napierbrown,dc=co,dc=uk"
Answered 02/17/2005 by: brenthunter2005
Fifth Degree Brown Belt

0
Many thanks for that Brett - that's that bit sorted. I'm now getting 'no such object on the server' - any ideas? The computers are in AD in the default 'Computers' container, thus

napierbrown.co.uk
|
|
Computers
Answered 02/17/2005 by: markholmes24
Senior Yellow Belt

0
The default container "Computers" in Active Directory Users & Computers is not an OU, so your syntax is wrong. I had the same problem; see the post above.

So change strComputerContainer = "ou=Computers,dc=napierbrown,dc=co,dc=uk"

to strComputerContainer = "cn=Computers,dc=napierbrown,dc=co,dc=uk"

that should work at least it worked for me. Let me know if this helps.
Answered 02/17/2005 by: ehammett
Yellow Belt

0
Yeah ehammett, that will work. my bad.
Answered 02/17/2005 by: brenthunter2005
Fifth Degree Brown Belt

0
All working now, thanks very much for your help guys.
Answered 02/17/2005 by: markholmes24
Senior Yellow Belt
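The strComputerContainer mistakes in this thread all come down to three rules that the later replies settle on: the most specific container is written first and its parents follow, each DNS label of the domain becomes its own dc= component (co.uk is dc=co,dc=uk), and the built-in Computers container under the domain root is cn= rather than ou=. As an added example (not from the thread or the script's author), this Python helper builds the DN from the tree as it is drawn in Active Directory Users & Computers; the slash-separated input form and the RFC 4514 escaping of odd container names are assumptions of the example.

```python
import re

# Built-in containers directly under the domain root; these are cn=, not ou=.
DEFAULT_CONTAINERS = {"computers", "users"}

def escape_rdn_value(value):
    """Backslash-escape the characters RFC 4514 reserves inside an RDN value."""
    value = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if value.startswith(("#", " ")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def container_dn(domain, path):
    """Build strComputerContainer from the tree as drawn in ADUC.

    domain: DNS name of the domain, e.g. 'napierbrown.co.uk'
    path:   containers from the domain root down to the target, '/'-separated
            in the order the tree shows them, e.g. 'MyBusiness/Computers/SBSComputers'
    """
    parts = [p.strip() for p in path.strip("/").split("/") if p.strip()]
    if not parts:
        raise ValueError("need at least one container below the domain root")
    rdns = []
    # Leaf first, then each parent: the reverse of how the tree is drawn.
    for name in reversed(parts):
        # Only a built-in container directly under the root is cn=; an OU that
        # someone happened to name "Computers" further down is still ou=.
        attr = "cn" if len(parts) == 1 and name.lower() in DEFAULT_CONTAINERS else "ou"
        rdns.append(f"{attr}={escape_rdn_value(name)}")
    # One dc= per DNS label, so 'co.uk' becomes dc=co,dc=uk rather than dc=co.uk.
    rdns.extend(f"dc={label}" for label in domain.split(".") if label)
    return ",".join(rdns)

if __name__ == "__main__":
    # Constructed inputs mirroring the trees posted in the thread.
    print(container_dn("domain.com", "groupx/group1/computers"))
    print(container_dn("houston.local", "MyBusiness/Computers/SBSComputers"))
    print(container_dn("napierbrown.co.uk", "Computers"))
```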
