Guest Eager Learner
Posted October 17, 2007

I'm trying to find out how to audit our Windows environment (with AD) for computers that have local admin rights. I want to capture users that have admin rights on any computer and remove them from our network. Any help would be appreciated.
Guest Richard Mueller [MVP]
Posted October 18, 2007

Re: Audit Network Environment for Computers with Local Admin rights

Eager Learner wrote:
> I'm trying to find out how to audit our Windows environment (with AD) for
> computers that have local admin rights. I want to capture users that have
> admin rights on any computer and remove them from our network. Any help
> would be appreciated.

It can be difficult to determine who has administrative rights on a computer. Unless someone knows of a third party tool that can help, you may need to run a script.

I have an example VBScript program that documents all members of the local Administrators group. However, this will not reveal users that have admin permissions granted by other means. It also fails if the local Administrators group is renamed. However, the program does reveal all local and domain users that are members of the group, even due to group nesting. The program is linked here:

http://www.rlmueller.net/Enumerate%20Local%20Group.htm

As written, the program documents the local computer Administrators group. You can modify it to document the Administrators group on a remote computer by assigning the NetBIOS name of the remote computer to the variable strComputer (instead of retrieving the computer name from the wshNetwork object).

The script should be run at a command prompt with the cscript host. The output can be redirected to a text file. For example:

cscript //nologo EnumLocalGroup.vbs > report.txt

You could also incorporate this code in a loop that enumerates all computer objects in the domain (or in an OU). You can use ADO to enumerate all computer objects in the domain. Information on using ADO in this link:

http://www.rlmueller.net/ADOSearchTips.htm

Using the variables in this link, you would use the filter:

strFilter = "(objectCategory=computer)"

You would retrieve the value of the sAMAccountName attribute of the computer objects, which is the NetBIOS names of the computers with "$" appended on the end. You will need to strip off the trailing "$" from the value of the sAMAccountName attribute when you assign the value to the variable strComputer.

strAttributes = "sAMAccountName"

I hope this helps.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
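The same audit in PowerShell, as an added example rather than Richard's VBScript: it walks every enabled computer object in the domain, strips the trailing "$" from sAMAccountName, reads each machine's local Administrators group through the ADSI WinNT provider, expands nested domain groups, and writes anything outside an approved list to a CSV for review. It assumes the RSAT ActiveDirectory module, WinRM access to the targets, admin rights on them, and a placeholder $Allowed list; looking the group up by its well-known SID avoids the renamed-group failure the post mentions.

```powershell
Import-Module ActiveDirectory

# Placeholder: principals permitted to hold local admin; everything else gets flagged
$Allowed = @('Administrator', 'Domain Admins')

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Resolve the group by well-known SID S-1-5-32-544 so a renamed Administrators group is still found
    $grp = Get-CimInstance -ComputerName $ComputerName -ClassName Win32_Group `
               -Filter "SID='S-1-5-32-544' AND LocalAccount=TRUE"
    $adsi = [ADSI]"WinNT://$ComputerName/$($grp.Name),group"
    foreach ($m in @($adsi.Invoke('Members'))) {
        # ADsPath is WinNT://DOMAIN/name for domain principals, WinNT://COMPUTER/name for local ones
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{ Computer = $ComputerName; Domain = $parts[0]; Member = $parts[-1]; Via = ''; Class = $class }
        if ($class -eq 'Group' -and $parts[0] -ne $ComputerName) {
            # Domain group: expand nested membership so indirect admins are visible
            foreach ($u in Get-ADGroupMember -Identity $parts[-1] -Recursive) {
                [pscustomobject]@{ Computer = $ComputerName; Domain = $parts[0]; Member = $u.SamAccountName; Via = $parts[-1]; Class = $u.objectClass }
            }
        }
    }
}

# Equivalent of the post's (objectCategory=computer) ADO query; add -SearchBase to limit to one OU
$report = foreach ($c in (Get-ADComputer -Filter 'Enabled -eq $true' -Properties sAMAccountName)) {
    $name = $c.sAMAccountName.TrimEnd('$')   # strip the trailing "$" before using it as a host name
    try {
        Get-LocalAdminMembers -ComputerName $name
    } catch {
        # Offline hosts and access failures are recorded, not fatal, so the sweep completes
        [pscustomobject]@{ Computer = $name; Domain = ''; Member = "ERROR: $($_.Exception.Message)"; Via = ''; Class = 'error' }
    }
}

# Flag members that are neither approved directly nor inherited through an approved group
$report | Where-Object { $_.Class -ne 'error' -and $_.Member -notin $Allowed -and $_.Via -notin $Allowed } |
    Sort-Object Computer, Member |
    Export-Csv -NoTypeInformation -Path .\local-admin-findings.csv
$report | Where-Object Class -eq 'error' | Export-Csv -NoTypeInformation -Path .\local-admin-errors.csv
```

Like the linked script, this only sees group membership, not rights granted through other means such as user rights assignments or service ACLs.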
Guest Jack Doyle
Posted December 20, 2007

Re: Audit Network Environment for Computers with Local Admin rights

Eager Learner wrote:
> I'm trying to find out how to audit our Windows environment (with AD) for
> computers that have local admin rights. I want to capture users that have
> admin rights on any computer and remove them from our network. Any help
> would be appreciated.

You could use restricted groups in Group Policy to set the local administrators group the way you want. It wouldn't really matter who was currently in them; it will be able to set them exactly how you want.

--
Jack Doyle, Systems Engineer
ScriptLogic Corporation
http://www.scriptlogic.com