Script to delete local user accounts?

jdbst56

We're running XP Professional with SP2. Is there a script (VB, WSH,
etc) that could be used to delete all local accounts on the machine
except for the builtin Windows accounts (as well as any ASP.net
accounts) and the account of the user who is currently logged in. I
know that I could figure out the account of the currently logged
in user by using the %username% environment variable. I was thinking
of the Addusers.exe utility in the Server Resource Kit, but I'm not
sure that it will work for my needs. What we're trying to eliminate
is any users who may have created local "back door" accounts while
they were administrators of their PCs. We're about to take these
rights away but we want to ensure there is no way they can circumvent
the process by simply using a separate local account to login with
full rights. Suggestions?

Thanks!
 
Cricketlang

The link below is for a sample application that should provide a little help
identifying if you have any hidden accounts.

Sample App Download:
http://msdn.microsoft.com/en-us/library/aa231719(VS.60).aspx

Or if you have sufficient computer knowledge and are able to work the
registry:

1. Enable windows to show hidden system files.

2. Open regedit from the run utility (start, run, type "regedit")

3. Navigate to the following value

HKEY\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\Userlist

4. Look to see if there is any DWORD value there that could be a possible
user account (its value will be set to 0)

5. Delete any values (accounts) you don't like

6. Test it out and then tell me how it works out for you.
 
Richard Mueller [MVP]

A VBScript program can easily enumerate all local accounts on a computer.
The problem is how to tell which are builtin, which created by apps, and
which created by users. It depends on the OS. Builtin accounts, like
Administrator and Guest, should have the string "Built-in account" in the
description, but this can be changed. To enumerate all local accounts:
==========
Option Explicit
Dim objNetwork, strComputer, objComputer, objUser

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

Set objComputer = GetObject("WinNT://" & strComputer)
objComputer.Filter = Array("user")

For Each objUser In objComputer
Wscript.Echo objUser.Name & ", " & objUser.Description
Next
========
In the above you could delete any of the accounts by running the
DeleteObject method of the user object. For example:
======
For Each objUser In objComputer
' Delete all users that don't have "built-in" included in description.
' InStr returns 0 when the substring is absent, so test for 0 here;
' testing for > 0 would delete the built-in accounts instead.
If (InStr(LCase(objUser.Description), "built-in") = 0) Then
objUser.DeleteObject (0)
End If
Next
======
At least I assume the DeleteObject method is supported by the WinNT provider
for user objects. If not, you can use the Delete method of the container
object:
======
For Each objUser In objComputer
' Delete all users that don't have "built-in" included in description
' (InStr returns 0 when the substring is absent).
If (InStr(LCase(objUser.Description), "built-in") = 0) Then
objComputer.Delete "user", objUser.Name
End If
Next
======
In any case, the problem is determining which accounts to not delete. I
would suggest, if you don't have too many computers, running a script that
enumerates all users on all computers. The first script above can be run
remotely on any computer by hard coding the NetBIOS name of the remote
computer in the strComputer variable, for example (instead of retrieving the
NetBIOS name of the local computer from the wshNetwork object). ADO can be
used in a VBScript program to retrieve the sAMAccountName of all computers
in the domain, and then in a loop you can enumerate the local users on each.
For more on using ADO see this link:

http://www.rlmueller.net/ADOSearchTips.htm

For example:
==========
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strComputer
Dim objComputer, objUser

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on computer objects.
strFilter = "(objectCategory=computer)"

' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve NetBIOS name of computer.
strComputer = adoRecordset.Fields("sAMAccountName").Value
' Remove trailing "$".
strComputer = Left(strComputer, Len(strComputer) - 1)
' Bind to the computer object.
' Trap error if not available and skip that computer, otherwise the
' enumeration below would run against a failed bind.
On Error Resume Next
Set objComputer = GetObject("WinNT://" & strComputer)
If (Err.Number <> 0) Then
Wscript.Echo strComputer & " (Not Available)"
Err.Clear
Else
On Error GoTo 0
' Filter on local user objects.
objComputer.Filter = Array("user")
' Enumerate all local users.
For Each objUser In objComputer
Wscript.Echo strComputer & "," & objUser.Name _
& "," & objUser.Description & "," & objUser.AccountDisabled
Next
End If
On Error GoTo 0
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
========
I added the AccountDisabled property method, which returns True if the
account is disabled, False if it is not. The output can be redirected to a
text file, which is comma delimited and can be read into a spreadsheet. I
trapped the possible error if the remote computer is not available.

You could also indicate which accounts are direct members of the local
Administrators group. A quick take on this would be to use this Do Until
loop in place of the one above (note the additional variable):
========
Dim objGroup
Do Until adoRecordset.EOF
' Retrieve NetBIOS name of computer.
strComputer = adoRecordset.Fields("sAMAccountName").Value
' Remove trailing "$".
strComputer = Left(strComputer, Len(strComputer) - 1)
' Bind to the computer object.
' Trap error if not available and skip that computer.
On Error Resume Next
Set objComputer = GetObject("WinNT://" & strComputer)
If (Err.Number <> 0) Then
Wscript.Echo strComputer & " (Not Available)"
Err.Clear
Else
On Error GoTo 0
' Bind to the local Administrators group (line continuation needed here).
Set objGroup = GetObject("WinNT://" & strComputer _
& "/Administrators,group")
' Filter on local user objects.
objComputer.Filter = Array("user")
' Enumerate all local users.
For Each objUser In objComputer
Wscript.Echo strComputer & "," & objUser.Name _
& "," & objUser.Description & "," & objUser.AccountDisabled _
& "," & objGroup.IsMember(objUser.AdsPath)
Next
End If
On Error GoTo 0
adoRecordset.MoveNext
Loop
=======
After this you should be able to decide which accounts should be deleted.
Note that you can do this remotely without visiting the computers (although
you will need to note which computers were not available and repeat the
process on them). You can also delete the accounts remotely. However, I
assume an AD network and that users do not log in locally. Otherwise how do
you decide who can logon locally? The first to try?
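Added example, not from any post in this thread: a small Python triage of the comma-delimited output the last script above writes (computer, name, description, AccountDisabled, IsMember), applying the keep rules the thread discusses (built-in by description, ASP.NET and the logged-in user by name) and flagging the rest for review. ASPNET is the real .NET worker-process account name on XP; the computer names, the sample rows and the allowlisted user jdoe are constructed.

```python
# Constructed sample of the audit script's output: unquoted rows, plus bare
# "NAME (Not Available)" lines for computers that did not bind.
SAMPLE = """\
WS01,Administrator,Built-in account for administering the computer/domain,False,True
WS01,Guest,Built-in account for guest access to the computer/domain,True,False
WS01,ASPNET,Account used for running the ASP.NET worker process (aspnet_wp.exe),False,False
WS01,jdoe,,False,True
WS01,helpdesk2,,False,True
WS02 (Not Available)
WS03,backup,Nightly, offsite backup,True,False
"""
# Accounts kept by name: ASPNET (the .NET worker-process account on XP) and
# a hypothetical currently logged-in user taken from %username%.
KEEP = {"aspnet", "jdoe"}

def parse_line(line):
    """Parse one row, or return None. Fields are unquoted and only the
    description may contain commas: split 2 from the left, 2 from the right."""
    parts = line.strip().split(",", 2)
    if len(parts) != 3:
        return None
    computer, name, rest = parts
    tail = rest.rsplit(",", 2)
    if len(tail) != 3 or not {tail[1], tail[2]} <= {"True", "False"}:
        return None
    return {"computer": computer, "name": name, "description": tail[0],
            "disabled": tail[1] == "True", "is_admin": tail[2] == "True"}

def classify(row, keep=KEEP):
    """Apply the thread's keep rules; everything else needs a human decision."""
    if "built-in" in row["description"].lower():
        return "builtin"        # Administrator, Guest (description-based)
    if row["name"].lower() in keep:
        return "allowlisted"    # ASP.NET account and the logged-in user
    if row["is_admin"] and not row["disabled"]:
        return "review-admin"   # enabled and directly in Administrators
    return "review"

def triage(text, keep=KEEP):
    """Group (computer, account) pairs by category; keep unparsed lines too."""
    report = {k: [] for k in ("builtin", "allowlisted", "review-admin", "review", "unparsed")}
    for line in filter(str.strip, text.splitlines()):
        row = parse_line(line)
        if row is None:
            report["unparsed"].append(line.strip())
        else:
            report[classify(row, keep)].append((row["computer"], row["name"]))
    return report
```

The "unparsed" bucket is the list of computers to revisit, as the post above recommends; the "builtin" match is description-based and so is only as reliable as the descriptions on the machines.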
 
