Searching for a tool......
Hello All,
I'm in search for tool that can capture and report the number of direct, and nested, members of a systems admin group across any/all Windows Server 2k3/8 servers in a 3000 system environment. All servers are members of the same domain under Active Directory. I would like to stay clear of agent based solutions. My first requirement for the tool is to gather a server count of all systems that have an alarming amount of admin group members (have yet to set a specific threshold). From that, I will take the necessary steps to minimize this count. The second requirement for the tool would be to monitor and alert any changes of the admins group for all systems in the environment. Is there a tool that can perform both, or either?
You input is appreciated. Thank you
Espazito [/align]
I'm in search for tool that can capture and report the number of direct, and nested, members of a systems admin group across any/all Windows Server 2k3/8 servers in a 3000 system environment. All servers are members of the same domain under Active Directory. I would like to stay clear of agent based solutions. My first requirement for the tool is to gather a server count of all systems that have an alarming amount of admin group members (have yet to set a specific threshold). From that, I will take the necessary steps to minimize this count. The second requirement for the tool would be to monitor and alert any changes of the admins group for all systems in the environment. Is there a tool that can perform both, or either?
You input is appreciated. Thank you
Espazito [/align]
0 Comments
[ + ] Show comments
Answers (4)
Please log in to answer
Posted by:
lurims
13 years ago
I can write a Vbscript that can do all of these things but one step at a time. Let me know if you are interested in that. Here is the step by step action script I thought of.
First Requirement:
Get all machines in the domain including worskations and servers
For each machine see what are all the groups those have admin access
Enumeraate each group member for admin groups recursively
Second Requirement:
Create a Vbscript that dumps all admin groups to a text file, this will a reference file.
Create another script or have the logic in the same script to run on daily basis and compare with the reference file.
When you approve the chnges you have to create a new reference file.
Let me know what you think.
First Requirement:
Get all machines in the domain including worskations and servers
For each machine see what are all the groups those have admin access
Enumeraate each group member for admin groups recursively
Second Requirement:
Create a Vbscript that dumps all admin groups to a text file, this will a reference file.
Create another script or have the logic in the same script to run on daily basis and compare with the reference file.
When you approve the chnges you have to create a new reference file.
Let me know what you think.
Posted by:
anonymous_9363
13 years ago
Nested group memberships are tricky, as the usual AD method (memberOf) doesn't return such memberships.Search for 'GetInfoEx("tokenGroups")' to turn up Mr Mueller's (sp?) excellent selection of scripts.
Posted by:
espazito
13 years ago
Already explored the VBScript route. I need something that doesn't require much skill to manage and configure for the level 1 guys, per mgmt.
I'm thinking of something like DataAdvantage from Varonis, or Hyena from System Tools. Anyone familiar with either, or have any input on a similar tool.
I'm thinking of something like DataAdvantage from Varonis, or Hyena from System Tools. Anyone familiar with either, or have any input on a similar tool.
Posted by:
anderskarl
12 years ago
If there is anyone with an answer to this I am also really interested in the answer. This is something I have been trying to do with scripts but not succeeded with, so any tool that works fine would be of great benefit.
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.