Easy Local Group Membership Enumeration
Need to know who are members of each local administrator’s group? Here’s a script that can help.
Thanks for the article on local admin passwords. The tools you mentioned are very helpful. What I am really looking for is a tool to query the local admin group to see if any users have discovered the local admin password and made themselves local admins on their machines. How can I automate this function? It's great to be able to change passwords in bulk, but I first need to know if they have been compromised.
Tech Help—Just An
Got a Windows, Exchange or virtualization question, or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors; the best questions get answered in this column and garner the questioner with a nifty Redmond T-shirt.
When you send your questions, please include your full first and last name, location, and certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)
Good question, Peter. There are a few scripts out there that can offer what you are looking for. One very good script is Marcin Policht's ManageLocal.vbs script. Marcin's script offers a little more than you are looking for, but is still a very useful tool. There is also a free, simple-to-use command-line tool developed by Joe Richards called Lg that can provide this functionality as well.
With Lg, you can list all members of the Administrators group on a remote system from the command line; for example, you could run it against the system WS1 to show all members of its local Administrators group.
While this is nice, you would probably like to have a handy little script that just gives you the local administrator account members for all of your systems in your domain. With that in mind, I thought it would be fun to write a vbscript that provides exactly what you’re looking for.
Here is a script that will enumerate all local Administrators group members for every computer in your domain, and store the results in a text file. Note that the account running the script needs rights to read the local Administrators group on every machine it connects to, which in practice means running it as a domain administrator:
On Error Resume Next
Const ForWriting = 2
' Variable for admin group name, modify this
' variable if the administrators group has
' been renamed.
strAdminGroup = "Administrators"
' Format date/time stamp for output file
' (yyyy-m-d~~h-mm, e.g. 2006-11-14~~12-52)
strTimeDate = Year(Date) & "-" & Month(Date) & _
    "-" & Day(Date) & "~~" & Hour(Time) & "-" & _
    Minute(Time)
' Output file name and path
strLogFile = "C:\adminaccounts-" & strTimeDate & _
    ".txt"
' Create Log File (the True argument creates it if it
' does not already exist)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strLogFile, _
    ForWriting, True)
' Connect to domain and collect computer accounts
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
' RootDSE binding: query the domain this host belongs to
Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = _
    "SELECT Name, Location FROM 'LDAP://" & _
    objRootDSE.Get("defaultNamingContext") & "' " & _
    "WHERE objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
' Output domain computer accounts, connect to each
' computer, and enumerate admin group members
Do Until objRecordSet.EOF
    strComputer = objRecordSet.Fields("Name").Value
    objFile.WriteLine "System: " & strComputer
    ' Clear any earlier error so a stale Err value does
    ' not mark every following system as unreachable
    Err.Clear
    Set objGroup = GetObject("WinNT://" & strComputer & _
        "/" & strAdminGroup & ",group")
    If Err.Number <> 0 Then
        objFile.WriteLine "*** System Unreachable ***"
        Err.Clear
    Else
        ' ADsPath shows the authority too, e.g.
        ' WinNT://DOMAIN/user or WinNT://WS1/Administrator
        For Each member In objGroup.Members
            objFile.WriteLine "    " & member.ADsPath
        Next
    End If
    objRecordSet.MoveNext
Loop
' All done!
objFile.Close
objConnection.Close
WScript.Echo "Audit Complete!"
Note that you may need to edit two variables to adapt the script to your domain. The strAdminGroup variable identifies the name of the local Administrators group. If the group has been renamed, you will need to specify the new name in this variable. The other variable that you may decide to modify is strLogFile, which identifies the name and path of the output log file. By default, the file is written to the root of the C drive.
Note also that the script uses RootDSE binding, so you won't need to specify a domain name in the script. Instead, the script queries the domain that the system running it is a member of.
When run without any modifications, the script creates a log file whose name includes the date and time at which the script was run. For example, you may see an output file named adminaccounts-2006-11-14~~12-52.txt. Note that the time is included after the consecutive tildes. Once the script completes, it will notify you with an "Audit Complete!" pop-up message (when launched with wscript.exe; under cscript.exe the message is printed to the console instead).
Since you would probably want to know when a system is unreachable (such as if it is turned off when the script is run, or if the computer account is stale and no longer corresponds to a live machine), I have the script include the line "*** System Unreachable ***" for any system that the script could not establish a connection with. Those systems still need to be audited on a later run. Two more caveats: members are listed exactly as they appear in the group, so a domain group such as Domain Admins shows up as a single entry and its own membership is not expanded, and the list itself does not tell you who should not be there. To answer Peter's actual question, compare each machine's list against the members you expect and treat anything extra as a finding. Here's an example of the output file:
*** System Unreachable ***
*** System Unreachable ***
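The comparison step is what turns the listing into an answer to the original question. The following Python script is an added example, not part of the column or of the script above: it parses a log in the format assumed here (a "System: <name>" line per computer, followed either by one indented member line per account in WinNT://AUTHORITY/account form or by the "*** System Unreachable ***" marker), checks every machine against an allow-list of expected members, and reports anything extra along with the hosts that still need to be audited. The sample log, the domain name CORP, the host names and the baseline sets are constructed for the example.

```python
"""Flag unexpected local Administrators members in an audit log.

Assumed log format:
  System: <computername>
      WinNT://<DOMAIN or host>/<account>   (one line per member)
  or the line "*** System Unreachable ***" when the host could not be bound.
"""

UNREACHABLE = "*** System Unreachable ***"

# Constructed sample log (not real output): three workstations and one
# file server, one of which was offline when the audit ran.
SAMPLE_LOG = """\
System: WS1
    WinNT://WS1/Administrator
    WinNT://CORP/Domain Admins
    WinNT://CORP/jsmith
System: WS2
    WinNT://WS2/Administrator
    WinNT://CORP/Domain Admins
System: FS1
*** System Unreachable ***
System: WS3
    WinNT://WS3/Administrator
    WinNT://CORP/Domain Admins
    WinNT://WS3/backdoor
"""

# Accounts allowed in every machine's local Administrators group
# (assumed policy). The built-in Administrator is matched by its bare
# account name because its path is prefixed with each machine's own name.
GLOBAL_BASELINE = {"administrator", "corp/domain admins"}
# Per-host exceptions (hypothetical): jsmith is approved on WS1 only.
HOST_BASELINE = {"ws1": {"corp/jsmith"}}


def parse_log(text):
    """Return ({host: [member, ...]}, [unreachable hosts]).

    Member names are normalised to lower-case 'authority/account' with the
    WinNT:// prefix removed so they can be compared against the baseline.
    """
    members = {}
    unreachable = []
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("System: "):
            host = line[len("System: "):].strip().lower()
            members[host] = []
        elif line == UNREACHABLE:
            if host is not None:
                unreachable.append(host)
                members.pop(host, None)
        elif host is not None:
            name = line
            if name.lower().startswith("winnt://"):
                name = name[len("winnt://"):]
            members[host].append(name.lower())
    return members, unreachable


def find_unexpected(members, global_baseline=GLOBAL_BASELINE,
                    host_baseline=HOST_BASELINE):
    """Return {host: sorted members that are not in the baseline}."""
    findings = {}
    for host, names in members.items():
        allowed = set(global_baseline) | host_baseline.get(host, set())
        extras = []
        for name in names:
            authority, _, account = name.partition("/")
            # A machine-local account: compare the bare account name.
            if authority == host and account in allowed:
                continue
            # A domain account or group: compare the full authority/account.
            if name in allowed:
                continue
            extras.append(name)
        if extras:
            findings[host] = sorted(extras)
    return findings


def audit(text):
    """Parse a log and return (findings, sorted unreachable hosts)."""
    members, unreachable = parse_log(text)
    return find_unexpected(members), sorted(unreachable)


if __name__ == "__main__":
    findings, offline = audit(SAMPLE_LOG)
    for host, extras in sorted(findings.items()):
        print(f"{host}: unexpected local admins -> {', '.join(extras)}")
    print("unreachable, re-audit later:", ", ".join(offline))
```

To run it against a real audit, pass the contents of the generated adminaccounts-*.txt file to audit() instead of SAMPLE_LOG. The allow-list is deliberately strict: any account that is not on it is reported, and a domain group that appears in a local group is compared as a single entry, so its membership must be reviewed in Active Directory separately.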
Hopefully, this script delivers just what you’re looking for. Keeping track of local administrators is a very important part of one’s job, so I hope that you can get some mileage out of the script.