Tech Line

Easy Local Group Membership Enumeration

Need to know who belongs to the local Administrators group on each of your machines? Here’s a script that can help.

Thanks for the article on local admin passwords. The tools you mentioned are very helpful. What I am really looking for is a tool to query the local admin group to see if any users have discovered the local admin password and made themselves local admins on their machines. How can I automate this function? It's great to be able to change passwords in bulk, but I first need to know if they have been compromised.
— Peter

Good question, Peter. There are a few scripts out there that can offer what you are looking for. One very good script is Marcin Policht’s ManageLocal.vbs script. Marcin’s script offers a little more than you are looking for, but is still a very useful tool. There is also a free and simple-to-use command-line tool developed by Joe Richards called Lg that can provide this functionality as well.

With Lg, you can list all members of the Administrators group on a system by using the following syntax:

lg \\<system>\administrators

For example, you could run this command to show all members of the local Administrators group on the system WS1:

lg \\ws1\administrators

While this is nice, you would probably like to have a handy little script that just gives you the local Administrators group members for all of the systems in your domain. With that in mind, I thought it would be fun to write a VBScript that provides exactly what you’re looking for.

Here is a script that will enumerate all local administrator group members for every computer in your domain, and store the results in a text file. Note that you will need to have domain administrative rights in order to run the script:

On Error Resume Next
Const ForWriting = 2
' ADSI subtree search scope (not predefined in VBScript)
Const ADS_SCOPE_SUBTREE = 2
' Variable for admin group name, modify this
' variable if the Administrators group has
' been renamed.
strAdminGroup = "Administrators"
' Format date/time stamp for output file
strTimeDate = Year(Date) & "-" & Month(Date) & _
  "-" & Day(Date) & "~~" & Hour(Time) & "-" & _
  Minute(Time)
' Output file name and path
strLogFile = "C:\adminaccounts-" & strTimeDate & _
  ".txt"

'Create Log File
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile (strLogFile, _
   ForWriting, True)

' Connect to domain and collect computer accounts
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = _
  "SELECT Name, Location FROM 'LDAP://" & _
  objRootDSE.Get("defaultNamingContext") & "'" _
  & " WHERE objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' Output domain computer accounts, connect to each
' computer, and enumerate admin account members
Do Until objRecordSet.EOF
 strComputer = objRecordSet.Fields("Name").Value
 objFile.WriteLine "System: " & strComputer
 ' Clear any earlier error so Err reflects this bind only
 Err.Clear
 Set objGroup = GetObject("WinNT://" & strComputer & _
   "/" & strAdminGroup)
 If Err <> 0 Then
   objFile.Writeline("*** System Unreachable ***")
 Else
   For Each member In objGroup.Members
    objFile.WriteLine member.Name
   Next
 End If
 ' Blank line between systems, then move to the next computer
 objFile.WriteLine
 objRecordSet.MoveNext
Loop
objFile.Close

' All done!
WScript.Echo("Audit Complete!")

Note that you may need to edit two variables to adapt the script to work within your domain. The strAdminGroup variable identifies the name of the local administrators group. If the group has been renamed, you will need to specify the new name in this variable. The other variable that you may decide to modify is strLogFile, which identifies the name and path of the output log file. By default, the file is written to the C drive.

Note also that the script uses RootDSE binding, so you won't need to specify a domain name in the script. Instead, the script connects to the domain of which its host system is a member.

When run without any modifications, the script creates a log file whose name includes the date and time at which the script was run. For example, you may see an output file named adminaccounts-2006-11-14~~12-52.txt. Note that the time is included after the consecutive tildes. Once the script completes, it will notify you with an "Audit Complete!" pop-up message.

Since you would probably want to know when a system is unreachable (such as if it is turned off when the script is run), I have the script include the line "*** System Unreachable ***" for any system that the script could not establish a connection with. Here’s an example of the output file:

System: DC1
Enterprise Admins
Domain Admins

System: XP-BASE
Domain Admins

System: RS1
*** System Unreachable ***

System: Reyes
*** System Unreachable ***
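
As an added example (not part of the original column or the author's script), the following PowerShell function reads a report in the format shown above and returns every member that is outside an expected baseline, along with each system that was never audited. The allow-list, the function name Get-AdminAuditFinding and the sample report (including the account jsmith) are assumptions constructed for illustration.

```powershell
# Constructed sample in the report format the script writes (not real audit data).
$report = @'
System: DC1
Enterprise Admins
Domain Admins

System: XP-BASE
Domain Admins
jsmith

System: RS1
*** System Unreachable ***
'@

# Assumption: members every machine is expected to have. Adjust to your baseline.
$allowed = @('Administrator', 'Domain Admins', 'Enterprise Admins')

function Get-AdminAuditFinding {
    param(
        [string[]]$Lines,    # report lines, e.g. from Get-Content
        [string[]]$Allowed   # expected group members (compared case-insensitively)
    )
    $system = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^System:\s*(.+)$') {
            $system = $Matches[1]            # start of a new per-system section
            continue
        }
        if ($null -eq $system) { continue }  # ignore text before the first header
        if ($line -eq '*** System Unreachable ***') {
            # Unreachable means unaudited, not clean: report it for a re-run.
            [pscustomobject]@{ System = $system; Finding = 'Unreachable'; Member = $null }
        }
        elseif ($Allowed -notcontains $line) {
            [pscustomobject]@{ System = $system; Finding = 'UnexpectedMember'; Member = $line }
        }
    }
}

$findings = Get-AdminAuditFinding -Lines ($report -split '\r?\n') -Allowed $allowed
$findings | Format-Table -AutoSize
```

To check a real report, pass the output of Get-Content on the log file as -Lines. Because the script logs member.Name, entries are not domain-qualified, so a local account and a domain account with the same name are indistinguishable in the report.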

Hopefully, this script delivers just what you’re looking for. Keeping track of local administrators is a very important part of one’s job, so I hope that you can get some mileage out of the script.

About the Author

Chris Wolf is a Microsoft MVP for Windows - Virtual Machine and is an MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress), Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).
