Finding Local Admins on 3000+ machines

coffeeking Member Posts: 305
Hey all,

I have been asked to find a script or a way to find out all the members who are local admins on their machines. There are more than 3000 members in our organization. We also use an AD monitoring tool from Quest Software, but it is just a monitoring and reporting tool and not an auditing tool.

Any recommendations will be greatly appreciated.

Comments

  • dales Member Posts: 225
    I've just done exactly the same thing at work. I'm not very good at scripting, but I managed to come up with this logon script to detect who has local admin, then distributed a script to remove it from the naughty users.

    Remove Admin Rights Scripts Dales-Diary

    Probably not the best way of doing it but it may give you something to work with.
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk
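The logon-script approach above only reports on whatever user happens to log on. An alternative a practitioner would reach for today is to enumerate the local Administrators group on every domain computer from a single admin workstation. The following is an added example, not code from the thread or from Dale's blog; it assumes the RSAT ActiveDirectory module is installed, that the account running it is a local admin on the targets (remote SAM enumeration on current Windows versions is restricted to administrators by default), and the output path is an arbitrary choice.

```powershell
# Added example: inventory local Administrators members across the domain.
# Uses the ADSI WinNT provider over RPC; no agent or logon script required.
# Assumes: RSAT ActiveDirectory module, admin rights on targets,
# and C:\Temp exists (output path is an assumption).

Import-Module ActiveDirectory

$outFile = 'C:\Temp\LocalAdmins.csv'
$results = New-Object System.Collections.Generic.List[object]

# Enabled Windows computer objects only; filter string is AD filter syntax
$computers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows*"' -Properties OperatingSystem |
             Select-Object -ExpandProperty Name

foreach ($computer in $computers) {
    # Skip offline hosts so the loop does not stall on RPC timeouts
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        $results.Add([pscustomobject]@{ Computer = $computer; Member = $null; Type = $null; Status = 'Offline' })
        continue
    }
    try {
        # Bind to the local Administrators group on the remote machine
        $group   = [ADSI]"WinNT://$computer/Administrators,group"
        $members = @($group.psbase.Invoke('Members'))
        foreach ($m in $members) {
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # ADsPath is WinNT://DOMAIN/name for domain accounts and
            # WinNT://COMPUTER/name for local ones; the first segment tells which
            $source = (($path -replace '^WinNT://', '') -split '/')[0]
            $results.Add([pscustomobject]@{
                Computer = $computer
                Member   = "$source\$name"
                Type     = $class          # 'User' or 'Group'
                Status   = 'OK'
            })
        }
    } catch {
        $results.Add([pscustomobject]@{ Computer = $computer; Member = $null; Type = $null; Status = "Error: $($_.Exception.Message)" })
    }
}

$results | Export-Csv -Path $outFile -NoTypeInformation

# Triage view: individual user accounts (not groups, not the built-in
# Administrator) that hold local admin, ranked by how many machines they are on
$results |
    Where-Object { $_.Status -eq 'OK' -and $_.Type -eq 'User' -and $_.Member -notmatch '\\Administrator$' } |
    Group-Object Member |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

Two caveats worth knowing before trusting the CSV. The WinNT provider returns direct members only, so a domain group nested inside Administrators shows up as one row of type Group; expand it with `Get-ADGroupMember -Recursive` to see the actual people. And this is an audit, not enforcement: the Restricted Groups policy mentioned later in the thread is what keeps the list clean afterwards, but it overwrites membership on every policy refresh, so run an inventory like this first to learn what legitimate entries (helpdesk groups, management agents) you need to include in the policy.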
  • coffeeking Member Posts: 305
    Dale,

    Thanks for your recommendation. It looks quite simple, but I am having a hard time finding isadmin.exe. Will let you know once I find it and am able to run the script.
  • coffeeking Member Posts: 305
    Hey Dale,

    I was able to find isadmin and blat and ran the script, but it only returns the output for the current user. Here is what it shows:

    Current user is an administrator

    I know I am missing a piece in there, I am trying to get it for all machines in a given domain.
  • rwwest7 Member Posts: 300
    dales wrote: »
    I've just done exactly the same thing at work. I'm not very good at scripting, but I managed to come up with this logon script to detect who has local admin, then distributed a script to remove it from the naughty users.

    Remove Admin Rights Scripts Dales-Diary

    Probably not the best way of doing it but it may give you something to work with.
    You can do the exact same thing with a GPO. Restricted Groups I believe is the setting.
  • dales Member Posts: 225
    Yes, what I think you may actually need to do is change the %nwusername% bits to %username%. We run a Netware shop, so my particular issue was getting which machine was running admin and who was logging into it as such. %nwusername% tells me the Netware cred; %username% should tell you the AD user cred.

    As I say, it's a bit scrappy and not the most elegant way of doing things, but it works OK for me until I learn a better way.
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk
  • dales Member Posts: 225
    rwwest7 wrote: »
    You can do the exact same thing with a GPO. Restricted Groups I believe is the setting.

    Good point. Not sure how that works; as above, we are a Netware shop, so group policy implementation is sketchy at best, and I needed to be sure I got everyone's level of access.
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk
  • coffeeking Member Posts: 305
    dales wrote: »
    Yes, what I think you may actually need to do is change the %nwusername% bits to %username%. We run a Netware shop, so my particular issue was getting which machine was running admin and who was logging into it as such. %nwusername% tells me the Netware cred; %username% should tell you the AD user cred.

    As I say, it's a bit scrappy and not the most elegant way of doing things, but it works OK for me until I learn a better way.

    Thanks Dale, will try that and let you know.

    One quick question, and this might be a very basic one since I am not very familiar with the whole process yet: I ran the script from my machine, which is just one of the machines in the same domain, and I am admin on my machine. So if I changed the %nwusername% to %username%, do you think it would still give the information for all workstations on that domain?
  • dales Member Posts: 225
    coffeeking wrote: »
    Thanks Dale, will try that and let you know.

    One quick question, and this might be a very basic one since I am not very familiar with the whole process yet: I ran the script from my machine, which is just one of the machines in the same domain, and I am admin on my machine. So if I changed the %nwusername% to %username%, do you think it would still give the information for all workstations on that domain?

    Yes, that should work; you will obviously need to distribute the script by group policy.
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk
  • astorrs Member Posts: 3,139
    I have a script to do it. PM me your email coffeeking and I'll send it to you.