Finding Local Admins on 3000+ machines
coffeeking
Member Posts: 305
Hey All,
I have been asked to find a script or a way to find out all the members who are Local Admins on their machines. There are more than 3000 members in our organization. We also use an AD monitoring software by Quest Software, but it is just a monitoring and reporting tool and not an auditing tool.
Any recommendations will be greatly appreciated.
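One way to answer the question in the opening post, added here as an example that is not from this thread or from any poster's script: query the local Administrators group on every enabled computer account in the domain from a single admin workstation, instead of relying on whatever the logged-on user sees. It assumes PowerShell 2.0 or later, an account that is a local administrator on the targets, RPC/SMB reachable through any host firewall, and a placeholder output path.

```powershell
# Added example (not from this thread or from any poster's script): enumerate the local
# Administrators group on every enabled computer account in the domain from one admin
# workstation and write the results to a CSV.
# Assumptions: PowerShell 2.0 or later, run as an account that is a local administrator on
# the targets, RPC/SMB reachable through any host firewall. $OutFile is a placeholder path.

$OutFile = 'C:\Reports\LocalAdmins.csv'   # placeholder; adjust to your environment

# Pull enabled computer accounts straight from AD via ADSI (no RSAT module required).
# The bitwise filter excludes accounts with the ACCOUNTDISABLE flag (0x2) set.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 1000                  # paging is required to get past 1000 results
[void]$searcher.PropertiesToLoad.Add('name')
$computers = $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }

function New-Row($Computer, $Member, $Type, $Status) {
    # Fixed column order so the CSV stays readable on PowerShell 2.0 (unordered hashtables)
    New-Object PSObject -Property @{ Computer = $Computer; Member = $Member; Type = $Type; Status = $Status } |
        Select-Object Computer, Member, Type, Status
}

$results = foreach ($computer in $computers) {
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        New-Row $computer $null $null 'Unreachable'
        continue
    }
    try {
        # The WinNT provider reads the local group; members may be local users, domain users or domain groups.
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        $group.psbase.Invoke('Members') | ForEach-Object {
            $adsPath = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            $class   = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
            # WinNT://CONTOSO/jsmith -> CONTOSO\jsmith
            New-Row $computer (($adsPath -replace '^WinNT://', '') -replace '/', '\') $class 'OK'
        }
    } catch {
        New-Row $computer $null $null ("Error: " + $_.Exception.Message)
    }
}

$results | Export-Csv -Path $OutFile -NoTypeInformation

# The entries worth reviewing: accounts other than the built-in local Administrator.
# (Note the filter also hides a domain account that happens to be named Administrator.)
$results | Where-Object { $_.Status -eq 'OK' -and $_.Member -notmatch '\\Administrator$' } |
    Sort-Object Member | Format-Table Computer, Member, Type -AutoSize
```

Two things to keep in mind when reading the CSV: a user who is an admin through a domain group shows up as that group, not by name, so the group's AD membership has to be expanded afterwards; and every machine that is off or blocked by a firewall lands in the "Unreachable" rows, so the run needs repeating until the list is empty.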
Comments
dales Member Posts: 225
I've just done exactly the same thing at work. I'm not very good at scripting, but managed to come up with this logon script to detect who has local admin rights, then distributed a script to remove it from the naughty users.
Remove Admin Rights Scripts Dales-Diary
Probably not the best way of doing it, but it may give you something to work with.
Kind Regards
Dale Scriven
Twitter: dscriven
Blog: vhorizon.co.uk
coffeeking Member Posts: 305
Dale,
Thanks for your recommendation. It looks quite simple, but I am having a hard time finding isadmin.exe. I will let you know once I find it and am able to run the script.
coffeeking Member Posts: 305
Hey Dale,
I was able to find isadmin and blat and ran the script, but it only returns the output for the current user. Here is what it shows:
Current user is an administrator
I know I am missing a piece in there; I am trying to get it for all machines in a given domain.
rwwest7 Member Posts: 300
dales wrote:
> I've just done exactly the same thing at work, I'm not very good at scripting but managed to come up with this logon script to detect who has local admins then distributed a script to remove it from the naughty users.
> Remove Admin Rights Scripts Dales-Diary
> Probably not the best way of doing it but it may give you something to work with.
dales Member Posts: 225
Yes, what I think you may actually need to do is change the %nwusername% bits to %username%. We run a NetWare shop, so my particular issue was getting which machine was running admin and who was logging into it as such. %nwusername% tells me the NetWare cred; %username% should tell you the AD user cred.
As I say, it's a bit scrappy and not the most elegant way of doing things, but it works OK for me until I learn a better way.
Kind Regards
Dale Scriven
Twitter: dscriven
Blog: vhorizon.co.uk
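A PowerShell version of the logon-script approach Dale describes, added as an example that is not from this thread and not Dale's script: it runs on each workstation as the user logs on (distributed by Group Policy), works out whether that user has local admin rights directly or through a group, and appends one line to a central share. It assumes PowerShell is present on the workstations and uses a placeholder share path where Domain Users can append files but not read them.

```powershell
# Added example (not from this thread or from Dale's logon script): a logon-script variant
# in PowerShell. It runs on each workstation as the user logs on (distribute it by Group
# Policy), works out whether that user has local admin rights directly or through a group,
# and appends one CSV line per logon to a central share.
# Assumptions: PowerShell installed on the workstations; $LogShare is a placeholder for a
# share where Domain Users can create/append files but not read others' files.

$LogShare = '\\fileserver\adminaudit$'     # placeholder path

$computer = $env:COMPUTERNAME
$group = [ADSI]"WinNT://$computer/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'    # e.g. CONTOSO\helpdesk, PC01\Administrator
})

# Every name the logged-on user carries: the account itself plus each group SID in the
# logon token, translated back to DOMAIN\name. Token groups are used deliberately instead of
# WindowsPrincipal.IsInRole(Administrator): under UAC the non-elevated token reports false
# even when the user is in the group, so IsInRole would miss exactly the people we want.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($identity.Name)
foreach ($sid in $identity.Groups) {
    try { $myNames += $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}

$direct   = $members -contains $identity.Name                     # listed by account name
$viaGroup = @($members | Where-Object { $myNames -contains $_ -and $_ -ne $identity.Name })

# Columns: timestamp, computer, user, admin-by-account, admin-via-groups, full member list
$line = '{0},{1},{2},{3},"{4}","{5}"' -f (Get-Date -Format s), $computer, $identity.Name,
        $direct, ($viaGroup -join ';'), ($members -join ';')
Add-Content -Path (Join-Path $LogShare "$computer.csv") -Value $line
```

One file per computer avoids 3000 logons fighting over a single file; the files can be merged later with Import-Csv. Because the full member list is recorded on every logon, the share also shows machines where someone other than the logged-on user holds admin rights, which is the gap coffeeking ran into with the current-user-only output.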
dales Member Posts: 225
> You can do the exact same thing with a GPO. Restricted Groups I believe is the setting.
Good point. Not sure how that works; as above, we are a NetWare shop, so Group Policy implementation is sketchy at best, and I needed to be sure I got everyone's level of access.
Kind Regards
Dale Scriven
Twitter: dscriven
Blog: vhorizon.co.uk
coffeeking Member Posts: 305
dales wrote:
> Yes what actually I think you may need to do is change the %nwusername% bits to %username%. We run a netware shop so my particular issue was getting which machine was running admin and who was logging into it as such. %nwusername% tells me the netware cred %username% should tell you the AD user cred.
> As I say its a bit scrappy and not the most elegant way of doing things but it works ok for me until I learn a better way.
Thanks Dale, will try that and let you know.
One quick question, and this might be a very basic one since I am not very familiar with the whole process yet: I ran the script from my machine, which is just one of the machines in the same domain, and I am admin on my machine. So if I changed the %nwusername% to %username%, do you think it would still give the information for all workstations on that domain?
dales Member Posts: 225
coffeeking wrote:
> Thanks Dale, will try that and let you know.
> one quick question and this might be very basic one since I am not very familiar with the whole process yet; I ran the script from my machine that is just one of the machines in the same domain and I am admin on my machine. so if I changed the %nwusername% to %username%, do you think it would still give the information for all workstations on that domain?
Yes, that should work. You will obviously need to distribute the script by Group Policy.
Kind Regards
Dale Scriven
Twitter: dscriven
Blog: vhorizon.co.uk
astorrs Member Posts: 3,139
I have a script to do it. PM me your email, coffeeking, and I'll send it to you.