Scan the domain for users with local admin privileges

spyordie007

Diamond Member
May 28, 2001
Anyone know of a decent script/app that I can use to scan domain computers and audit who has local admin privileges?

There are plenty of apps I can use to display this info (net user localgroup administrators; mbsa, etc.) but I'm looking for something that I can filter out groups that are supposed to have admin privileges so I can just get an easy report of machines that are not the way they are supposed to be (nice and simple).

I was thinking about trying to write something to do this; but I'm assuming someone has written something like this already. Anyone know of an app that will do this?

-Erik
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Well... there's always Microsoft Baseline Security Analyzer, but you have to claw through the reports manually once it's done scanning the domain or IP range. Who's got a better one?
 

spyordie007

Diamond Member
May 28, 2001
Yeah, I'm hoping for a single report; I'd also like to be able to exclude certain groups from the report (because there are groups that should have privileges).
 

nweaver

Diamond Member
Jan 21, 2001
tbh, easiest way is to get a tool to dump it all to a text file (ldifde maybe?) and then sharpen up those scripting chops. Perl would be my general-purpose jack-of-all-trades tool of choice for this.
 

mparr1708

Senior member
Jan 5, 2005
Try DUMPSec (used to be called DumpAcl). I know you can pull group membership from your domain members one at a time. Not sure if you can use it to scan and pull your whole domain at once.
 

spyordie007

Diamond Member
May 28, 2001
For the most part that script is working just like it should; from here I'll just use Excel to filter the results.

The only problem I had was that the VB script kept dying on several of our machines with a "You were not connected because a duplicate name exists on the network. Go to System in Control Panel to change the computer name and try again." error.

I was able to get around it easily enough by modifying the bat file to generate the vbs with an "on error resume next":
Code:
@echo.On error resume next>>"AllLocalAdmins.VBS"

P.S. This can take a long time on domains with a large number of machines (since it has to check if each machine is alive). Granted you could always limit the scope easily enough.

Hope this is helpful to others.
Erik
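An added example, not the script Erik ran and not from this thread: the same audit written in PowerShell for a current domain, producing one already-filtered report of local Administrators members that are not on an approved list, and skipping unreachable machines instead of dying (the problem the "on error resume next" workaround addressed). It assumes the RSAT ActiveDirectory module, WinRM access to the targets, PowerShell 5.1+ on them (for Get-LocalGroupMember), and the placeholder domain CONTOSO / contoso.com.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the thread's VBScript). Assumptions: RSAT ActiveDirectory
# module, WinRM reachable on targets, PowerShell 5.1+ there, placeholder domain
# names below. Output: one row per local-admin member that is NOT expected.

# Principals that are supposed to be in the local Administrators group.
# Placeholder names: replace with the groups your own policy allows.
$Approved = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

# Narrow the scope (one OU, for example) so a large domain does not take all day.
$SearchBase = 'DC=contoso,DC=com'   # placeholder
$Computers  = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
              Select-Object -ExpandProperty DNSHostName

$Report = foreach ($Computer in $Computers) {
    # Record machines that are off or unreachable and move on, rather than
    # letting one dead host abort the whole run.
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $Computer; Member = '<unreachable>'; Type = ''; Source = '' }
        continue
    }
    try {
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch {
        # Access denied, WinRM off, name conflicts, etc.: keep the error in the report.
        [pscustomobject]@{ Computer = $Computer; Member = "<error: $($_.Exception.Message)>"; Type = ''; Source = '' }
        continue
    }
    foreach ($M in $Members) {
        # The machine's own built-in Administrator account (MACHINE\Administrator)
        # is expected; every other member must be on the approved list.
        $IsBuiltIn = ($M.PrincipalSource -eq 'Local') -and ($M.Name -like '*\Administrator')
        if ($IsBuiltIn -or ($Approved -contains $M.Name)) { continue }
        [pscustomobject]@{ Computer = $Computer; Member = $M.Name; Type = $M.ObjectClass; Source = $M.PrincipalSource }
    }
}

# One flat, pre-filtered CSV: only the machines that are not the way they should be.
$Report | Sort-Object Computer, Member |
    Export-Csv -Path '.\UnexpectedLocalAdmins.csv' -NoTypeInformation
$Report | Format-Table -AutoSize
```

Rows marked `<unreachable>` or `<error: ...>` are worth a second look on their own, since a host that cannot be audited is not known to be compliant.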