script to list users and groups in domain admin and local ..

Archived from groups: microsoft.public.win2000.security (More info?)

I am looking for a script or guidance to write a script that will list all
the users and groups that belong to the domain admin group and the local
admin group on each server in the domain. This way, I will not have to check
each server individually when doing periodic security scans.

If anyone can help, I would appreciate. Thanks.

N.P.
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Take a look at the ScriptCenter
    www.microsoft.com/technet/scriptcenter
    These are not full, off-the-shelf scripts, but you should find code
    that can do what you are after with very little adjustment.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "crosswired" <crosswired@discussions.microsoft.com> wrote in message
    news:1BA8FDE1-B57F-42A1-9F35-E664D9F4960A@microsoft.com...
    > I am looking for a script or guidance to write a script that will list all
    > the users and groups that belong to the domain admin group and the local
    > admin group on each server in the domain. This way, I will not have to check
    > each server individually when doing periodic security scans.
    >
    > If anyone can help, I would appreciate. Thanks.
    >
    > N.P.
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    You can use a basic batch file coupled with a text file containing your
    server names for this:

    ******************************************
    @ECHO OFF

    ::Enumerate the Domain Admin group members
    net group "domain admins" /domain

    ::Call from file each server I would like to Enumerate the local administrators group
    for /f %%i in (Computers.txt) do call PUTYOURCOMMAND HERE \\%%i >>FILENAMEHERE.txt
    ******************************************

    Where you see the \\%%i is where the computer names will be filled in
    automatically from your text file which contains them. There are plenty of
    tools capable of enumerating remote admin groups.


    "crosswired" <crosswired@discussions.microsoft.com> wrote in message
    news:1BA8FDE1-B57F-42A1-9F35-E664D9F4960A@microsoft.com...
    >I am looking for a script or guidance to write a script that will list all
    > the users and groups that belong to the domain admin group and the local
    > admin group on each server in the domain. This way, I will not have to
    > check
    > each server individually when doing periodic security scans.
    >
    > If anyone can help, I would appreciate. Thanks.
    >
    > N.P.
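
One way to fill in the loop described above without an external tool, using the ADSI WinNT provider from VBScript (an added example, not part of the original posts). Computers.txt is the file named in the post; the sub name ListMembers, the tab-separated output layout and the English group name "Administrators" are assumptions.

```vbscript
' Added example, not from the thread: list Domain Admins and each server's
' local Administrators group through the ADSI WinNT provider.
' Assumptions: Computers.txt holds one server name per line, the script runs
' under a domain account, and the local group is named "Administrators"
' (the name is localized on non-English Windows).
' Run as: cscript //nologo AdminAudit.vbs > AdminAudit.tsv
Option Explicit

Const ForReading = 1
Dim objFSO, objFile, objNet, strServer

Set objNet = CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Domain group first, then the local group on every listed server.
ListMembers objNet.UserDomain, "Domain Admins"

Set objFile = objFSO.OpenTextFile("Computers.txt", ForReading)
Do Until objFile.AtEndOfStream
    strServer = Trim(objFile.ReadLine)
    If strServer <> "" Then ListMembers strServer, "Administrators"
Loop
objFile.Close

' Writes one tab-separated line per member: scope, group, class, ADsPath.
' A server that cannot be reached or queried is reported as an ERROR line
' instead of being skipped, so a gap in the audit shows up in the output.
Sub ListMembers(strScope, strGroup)
    Dim objGroup, objMember
    On Error Resume Next
    Set objGroup = GetObject("WinNT://" & strScope & "/" & strGroup & ",group")
    If Err.Number <> 0 Then
        WScript.Echo Join(Array(strScope, strGroup, "ERROR", _
            "0x" & Hex(Err.Number)), vbTab)
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0
    ' Class is "User" or "Group"; nested groups are listed, not expanded.
    For Each objMember In objGroup.Members
        WScript.Echo Join(Array(strScope, strGroup, objMember.Class, _
            objMember.ADsPath), vbTab)
    Next
End Sub
```

Saving each run's output and comparing it with the previous run shows membership changes between periodic scans.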
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Domain admins membership can be determined easily enough in Active Directory
    Users and Computers, and as other posts have mentioned, you can use scripts
    using the net command and such to enumerate local administrators. FYI, MBSA
    can scan network computers and, among other things, is able to list the local
    administrators on each computer. Group Policy computer configuration
    Restricted Groups can be used to enforce membership in any domain or local
    group if you want to consider such. If you want to use Restricted Groups to
    restrict the local computer administrators group, be sure to do it at the OU
    level only. --- Steve

    http://www.microsoft.com/technet/security/tools/mbsahome.mspxb --- MBSA

    "crosswired" <crosswired@discussions.microsoft.com> wrote in message
    news:1BA8FDE1-B57F-42A1-9F35-E664D9F4960A@microsoft.com...
    >I am looking for a script or guidance to write a script that will list all
    > the users and groups that belong to the domain admin group and the local
    > admin group on each server in the domain. This way, I will not have to
    > check
    > each server individually when doing periodic security scans.
    >
    > If anyone can help, I would appreciate. Thanks.
    >
    > N.P.
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    I can use this code from EzAD Scriptomatic but it will only give me one user
    at a time and only that user I ask for. Is there a variable that will scan
    the entire DC for all users? Thanks!


    strContainer = ""
    strName = "EzAdUser"

    On Error Resume Next

    '***********************************************
    '* Connect to an object *
    '***********************************************
    Set objRootDSE = GetObject("LDAP://rootDSE")
    If strContainer = "" Then
    Set objItem = GetObject("LDAP://" & _
    objRootDSE.Get("defaultNamingContext"))
    Else
    Set objItem = GetObject("LDAP://cn=" & strName & "," & strContainer & "," & _
    objRootDSE.Get("defaultNamingContext"))
    End If
    '***********************************************
    '* End connect to an object *
    '***********************************************


    "Steven L Umbach" wrote:

    > Domain admins membership can be determined easily enough in Active Directory
    > users and Computers and as other posts have mentioned you can use scripts
    > using the net command and such to enumerate local administrators. FYI MBSA
    > can scan network computers and among other things be able to list the local
    > administrators on each computer. Group Policy computer configuration
    > Restricted Groups can be used to enforce membership in any domain or local
    > group if you want to consider such. If you want to use Restricted Groups to
    > restrict local computer administrators group be sure to do it at the OU
    > level only. --- Steve
    >
    > http://www.microsoft.com/technet/security/tools/mbsahome.mspxb --- MBSA
    >
    > "crosswired" <crosswired@discussions.microsoft.com> wrote in message
    > news:1BA8FDE1-B57F-42A1-9F35-E664D9F4960A@microsoft.com...
    > >I am looking for a script or guidance to write a script that will list all
    > > the users and groups that belong to the domain admin group and the local
    > > admin group on each server in the domain. This way, I will not have to
    > > check
    > > each server individually when doing periodic security scans.
    > >
    > > If anyone can help, I would appreciate. Thanks.
    > >
    > > N.P.
    >
    >
    >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    You may want to post to the microsoft.public.windows.server.scripting
    newsgroup, including more detail as from what you have posted it is
    hard to see just what you are doing and particularly how you are
    handling what is returned to you.

    --
    Roger
    "Manlytrash" <ccaldwell@dblair.com> wrote in message
    news:8BE56B84-51EA-4F56-A919-A582EDD182C8@microsoft.com...
    > I can use this code from EzAD Scriptomatic but it will only give me one user
    > at a time and only that user I ask for. Is there a variable that will scan
    > the entire DC for all users? Thanks!
    >
    >
    > strContainer = ""
    > strName = "EzAdUser"
    >
    > On Error Resume Next
    >
    > '***********************************************
    > '* Connect to an object *
    > '***********************************************
    > Set objRootDSE = GetObject("LDAP://rootDSE")
    > If strContainer = "" Then
    > Set objItem = GetObject("LDAP://" & _
    > objRootDSE.Get("defaultNamingContext"))
    > Else
    > Set objItem = GetObject("LDAP://cn=" & strName & "," & strContainer & "," & _
    > objRootDSE.Get("defaultNamingContext"))
    > End If
    > '***********************************************
    > '* End connect to an object *
    > '***********************************************
    >
    >
    > "Steven L Umbach" wrote:
    >
    > > Domain admins membership can be determined easily enough in Active Directory
    > > users and Computers and as other posts have mentioned you can use scripts
    > > using the net command and such to enumerate local administrators. FYI MBSA
    > > can scan network computers and among other things be able to list the local
    > > administrators on each computer. Group Policy computer configuration
    > > Restricted Groups can be used to enforce membership in any domain or local
    > > group if you want to consider such. If you want to use Restricted Groups to
    > > restrict local computer administrators group be sure to do it at the OU
    > > level only. --- Steve
    > >
    > > http://www.microsoft.com/technet/security/tools/mbsahome.mspxb --- MBSA
    > >
    > > "crosswired" <crosswired@discussions.microsoft.com> wrote in message
    > > news:1BA8FDE1-B57F-42A1-9F35-E664D9F4960A@microsoft.com...
    > > >I am looking for a script or guidance to write a script that will list all
    > > > the users and groups that belong to the domain admin group and the local
    > > > admin group on each server in the domain. This way, I will not have to
    > > > check
    > > > each server individually when doing periodic security scans.
    > > >
    > > > If anyone can help, I would appreciate. Thanks.
    > > >
    > > > N.P.
    > >
    > >
    > >
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    Just wanted to thank everyone for the help and advice. Much appreciated.


    "Steven L Umbach" wrote:

    > Domain admins membership can be determined easily enough in Active Directory
    > users and Computers and as other posts have mentioned you can use scripts
    > using the net command and such to enumerate local administrators. FYI MBSA
    > can scan network computers and among other things be able to list the local
    > administrators on each computer. Group Policy computer configuration
    > Restricted Groups can be used to enforce membership in any domain or local
    > group if you want to consider such. If you want to use Restricted Groups to
    > restrict local computer administrators group be sure to do it at the OU
    > level only. --- Steve
    >
    > http://www.microsoft.com/technet/security/tools/mbsahome.mspxb --- MBSA
    >
    > "crosswired" <crosswired@discussions.microsoft.com> wrote in message
    > news:1BA8FDE1-B57F-42A1-9F35-E664D9F4960A@microsoft.com...
    > >I am looking for a script or guidance to write a script that will list all
    > > the users and groups that belong to the domain admin group and the local
    > > admin group on each server in the domain. This way, I will not have to
    > > check
    > > each server individually when doing periodic security scans.
    > >
    > > If anyone can help, I would appreciate. Thanks.
    > >
    > > N.P.
    >
    >
    >