script to list users and groups in domain admin and local admin gr

Guest

I am looking for a script or guidance to write a script that will list all
the users and groups that belong to the domain admin group and the local
admin group on each server in the domain. This way, I will not have to check
each server individually when doing periodic security scans.

If anyone can help, I would appreciate it. Thanks.

N.P.
 
Tekmazter

You can use a basic batch file coupled with a text file containing your
server names for this:

******************************************
@ECHO OFF

::Enumerate the Domain Admin group members
net group "domain admins" /domain

::Call from file each server I would like to Enumerate the local administrators group
for /f %%i in (Computers.txt) do call PUTYOURCOMMAND HERE \\%%iEND
******************************************

Where you see the \\%%i is where the computer names will be filled in
automatically from your text file which contains them. There are plenty of
tools capable of enumerating remote admin groups.
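
The loop described in the post above, filled in as an added PowerShell example (not part of the original thread): it reads the same Computers.txt, lists Domain Admins and each server's local Administrators group through the ADSI WinNT provider, and writes one CSV. Assumed: it runs under a domain account with rights to query each server, the local group is named Administrators (the name is localized on non-English installs), and AdminAudit.csv and AdminBaseline.csv are hypothetical file names.

```powershell
# Added example, not from the thread. Assumptions: Computers.txt has one server
# name per line, the local group is named "Administrators", and the file names
# AdminAudit.csv / AdminBaseline.csv are hypothetical.

function Get-GroupMembers {
    param(
        [Parameter(Mandatory)] [string] $Scope,  # domain (NetBIOS) or computer name
        [Parameter(Mandatory)] [string] $Group
    )
    # The WinNT provider resolves both domain groups and a remote machine's local groups.
    $adsGroup = [ADSI]"WinNT://$Scope/$Group,group"
    foreach ($member in $adsGroup.Invoke('Members')) {
        $type = $member.GetType()
        $path = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        [pscustomobject]@{
            Scope  = $Scope
            Group  = $Group
            # Local accounts keep the computer name in the path; domain principals do not.
            Member = $path -replace '^WinNT://', ''
            Class  = $type.InvokeMember('Class', 'GetProperty', $null, $member, $null)  # User or Group
        }
    }
}

$servers = Get-Content .\Computers.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = @(
    Get-GroupMembers -Scope $env:USERDOMAIN -Group 'Domain Admins'
    foreach ($server in $servers) {
        try {
            Get-GroupMembers -Scope $server -Group 'Administrators'
        } catch {
            # Keep unreachable servers in the report so gaps in coverage are visible.
            [pscustomobject]@{ Scope = $server; Group = 'Administrators'
                               Member = "ERROR: $($_.Exception.Message)"; Class = '' }
        }
    }
)
$results | Export-Csv .\AdminAudit.csv -NoTypeInformation

# If a reviewed baseline from an earlier run exists, show only memberships added since.
if (Test-Path .\AdminBaseline.csv) {
    Compare-Object (Import-Csv .\AdminBaseline.csv) $results -Property Scope, Group, Member |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Scope, Group, Member
}
```

Nested groups appear as members with Class "Group"; their own membership has to be expanded separately to see every effective administrator.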
 
Steven L Umbach

Domain admins membership can be determined easily enough in Active Directory
Users and Computers and as other posts have mentioned you can use scripts
using the net command and such to enumerate local administrators. FYI MBSA
can scan network computers and among other things be able to list the local
administrators on each computer. Group Policy computer configuration
Restricted Groups can be used to enforce membership in any domain or local
group if you want to consider such. If you want to use Restricted Groups to
restrict local computer administrators group be sure to do it at the OU
level only. --- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspxb --- MBSA
 
Guest

I can use this code from EzAD Scriptomatic but it will only give me one user
at a time and only that user I ask for. Is there a variable that will scan
the entire DC for all users? Thanks!


strContainer = ""
strName = "EzAdUser"

On Error Resume Next

'***********************************************
'* Connect to an object *
'***********************************************
Set objRootDSE = GetObject("LDAP://rootDSE")
If strContainer = "" Then
    Set objItem = GetObject("LDAP://" & _
        objRootDSE.Get("defaultNamingContext"))
Else
    Set objItem = GetObject("LDAP://cn=" & strName & "," & strContainer & "," & _
        objRootDSE.Get("defaultNamingContext"))
End If
'***********************************************
'* End connect to an object *
'***********************************************
 
Roger Abell

You may want to post to the microsoft.public.windows.server.scripting
newsgroup, including more detail as from what you have posted it is
hard to see just what you are doing and particularly how you are
handling what is returned to you.
 
