  1. Coffee Addict coffeeking's Avatar
    Join Date
    Feb 2008
    Location
    WORLD
    Posts
    304

    Certifications
    BSIT from OIT, CCNA, CCNA:Sec, SECURITY+, MCITP: SQL SRVR 2008, CISA
    #1

    Finding Local Admins on 3000+ machines

    Hey All,

    I have been asked to find a script or a way to find out all the members who are Local Admins on their machines. There are more than 3000 members in our organization. We also use an AD monitoring software by Quest Software, but it is just a monitoring and reporting tool and not an auditing tool.

    Any recommendations will be greatly appreciated.

  3. Its all smoke and mirrors dales's Avatar
    Join Date
    Jan 2008
    Posts
    223

    Certifications
    vExpert 2014+2015, VCP5-DT,VCP3+5, CCE-V, CCE-AD, CCP-AD ,CCEE, CCAA XenApp, CCA Netscaler,Xenapp 6.5,Xendesktop 5 & Xenserver 6,MCSA, MCDST, MCP, A+
    #2
    I've just done exactly the same thing at work, I'm not very good at scripting but managed to come up with this logon script to detect who has local admins then distributed a script to remove it from the naughty users.

    Remove Admin Rights Scripts Dales-Diary

    Probably not the best way of doing it but it may give you something to work with.

  4. Coffee Addict coffeeking's Avatar
    #3
    Dale,

    Thanks for your recommendation, it looks quite simple but I am having a hard time finding isadmin.exe. Will let you know once I find it and am able to run the script.

  5. Coffee Addict coffeeking's Avatar
    #4
    Hey Dale,

    I was able to find isadmin and blat and ran the script, but it only returns the output for the current user. Here is what it shows:

    Current user is an administrator

    I know I am missing a piece in there, I am trying to get it for all machines in a given domain.

  6. Senior Member
    Join Date
    Jan 2009
    Posts
    297

    Certifications
    A+, Network +, MCSE 2003, CCNA:S, VCP 4
    #5
    Originally Posted by dales:
    I've just done exactly the same thing at work, I'm not very good at scripting but managed to come up with this logon script to detect who has local admins then distributed a script to remove it from the naughty users.

    Remove Admin Rights Scripts Dales-Diary

    Probably not the best way of doing it but it may give you something to work with.
    You can do the exact same thing with a GPO. Restricted Groups I believe is the setting.

  7. Its all smoke and mirrors dales's Avatar
    #6
    Yes, what I think you may actually need to do is change the %nwusername% bits to %username%. We run a NetWare shop, so my particular issue was getting which machine was running admin and who was logging into it as such. %nwusername% tells me the NetWare cred; %username% should tell you the AD user cred.

    As I say, it's a bit scrappy and not the most elegant way of doing things, but it works ok for me until I learn a better way.

  8. Its all smoke and mirrors dales's Avatar
    #7
    Originally Posted by rwwest7:
    You can do the exact same thing with a GPO. Restricted Groups I believe is the setting.
    Good point, not sure how that works; as above, we are a NetWare shop, so group policy implementation is sketchy at best and I needed to be sure I got everyone's level of access.

  9. Coffee Addict coffeeking's Avatar
    #8
    Originally Posted by dales:
    Yes, what I think you may actually need to do is change the %nwusername% bits to %username%. We run a NetWare shop, so my particular issue was getting which machine was running admin and who was logging into it as such. %nwusername% tells me the NetWare cred; %username% should tell you the AD user cred.

    As I say, it's a bit scrappy and not the most elegant way of doing things, but it works ok for me until I learn a better way.
    Thanks Dale, will try that and let you know.

    One quick question, and this might be a very basic one since I am not very familiar with the whole process yet: I ran the script from my machine, which is just one of the machines in the same domain, and I am admin on my machine. So if I changed the %nwusername% to %username%, do you think it would still give the information for all workstations on that domain?

  10. Its all smoke and mirrors dales's Avatar
    #9
    Originally Posted by coffeeking:
    Thanks Dale, will try that and let you know.

    One quick question, and this might be a very basic one since I am not very familiar with the whole process yet: I ran the script from my machine, which is just one of the machines in the same domain, and I am admin on my machine. So if I changed the %nwusername% to %username%, do you think it would still give the information for all workstations on that domain?
    Yes, that should work; you will obviously need to distribute the script by group policy.
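
The exchange above turns on one point: a script like this reports only on the machine it runs on, so it has to be pushed to every workstation and write its result somewhere central. The following is an added example, not part of the thread and not dales's script; the report share path and the allow-list of expected members are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run ON each workstation (for instance as
# a Group Policy startup script) to record that machine's local Administrators.
# ASSUMPTIONS: $ReportShare and $Expected are hypothetical placeholders.
param(
    [string]$ReportShare = '\\fileserver.example\localadmin-audit$',
    [string[]]$Expected  = @('Administrator', 'Domain Admins')
)

# Resolve the group by its well-known SID (S-1-5-32-544) so the script also
# works on Windows installs where "Administrators" is localized.
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# The WinNT ADSI provider lists local users, domain users and domain groups alike.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$rows = foreach ($m in @($group.Invoke('Members'))) {
    $type  = $m.GetType()
    $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    $class = $type.InvokeMember('Class',   'GetProperty', $null, $m, $null)
    $leaf  = ($path -split '/')[-1]          # account name without domain/computer
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Member     = ($path -replace '^WinNT://', '') -replace '/', '\'
        Class      = $class                  # User or Group
        Unexpected = $Expected -notcontains $leaf   # name-only match, review by hand
        Collected  = (Get-Date).ToString('s')
    }
}

# One file per computer: no write contention, and a rerun replaces stale data.
$rows | Export-Csv -Path (Join-Path $ReportShare "$env:COMPUTERNAME.csv") -NoTypeInformation

# On the admin side, merge the reports and keep only entries outside the allow-list:
#   Get-ChildItem $ReportShare -Filter *.csv |
#       ForEach-Object { Import-Csv $_.FullName } |
#       Where-Object { $_.Unexpected -eq 'True' }
```

A Group Policy startup script runs as Local System and writes to the share as the computer account, so the report does not pass through the logged-on user's hands the way a logon script's output does. Grant the computers write access to the share but not read or modify on other machines' files.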

  11. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #10
    I have a script to do it. PM me your email coffeeking and I'll send it to you.
