Audit For Privileged Accounts

Venkatesh
04-08-2009
Hi there,

Is there a command-line or script available which can generate a report
of all accounts with administrator-equivalent privileges in a Windows AD setup,
with added information on which machine the ID resides, etc.?

Thanks,
Venkatesh

Meinolf Weber [MVP-DS]
04-08-2009
Hello Venkatesh,

From another posting:

You can use the script below to generate a report on local Administrators
and Power Users. Copy it into a text file and rename it with the .vbs extension.
Run it from the domain controller. For the computers you are auditing, you
must have Administrator privileges and be able to access the computer's RPC
ports. The output is tab delimited and can be opened in Excel.

'--------------------------------------------------------------------------------
Option Explicit

Dim oADInfo, oFso, oShell, oLog, ADComputers, oComputer
Dim LogPath, AdsiPath, tab
Dim AdminUsers, AdminGroups, PowerUsers, PowerGroups

Set oADInfo = CreateObject("ADSystemInfo")
Set oFso = CreateObject("Scripting.FileSystemObject")
Set oShell = CreateObject("WScript.Shell")

LogPath = oShell.SpecialFolders("MyDocuments") & "\Privileged Local User Audit.txt"
AdsiPath = "WinNT://" & oADInfo.DomainShortName
tab = Chr(9)

' Connect to Active Directory and restrict the enumeration to computer objects
Set ADComputers = GetObject(AdsiPath)
ADComputers.Filter = Array("Computer")

' Open the log file (overwriting any previous run) and write the header
Set oLog = oFso.CreateTextFile(LogPath, True)
oLog.WriteLine "Privileged Local Users on Computers in the " & _
    oADInfo.DomainDNSName & " domain."
oLog.WriteLine Now
oLog.WriteLine ""
oLog.WriteLine "Computer" & tab & _
    "Administrators" & tab & _
    "Administrators Groups" & tab & _
    "Power Users" & tab & _
    "Power Users Groups"

' Check each computer
For Each oComputer In ADComputers
    ' An offline or access-denied computer must not stop the audit;
    ' ListGroupMembers records the error number in that computer's row instead.
    ListGroupMembers oComputer.Name, "Administrators", AdminUsers, AdminGroups
    ListGroupMembers oComputer.Name, "Power Users", PowerUsers, PowerGroups

    ' Output to the log
    oLog.WriteLine oComputer.Name & tab & _
        AdminUsers & tab & _
        AdminGroups & tab & _
        PowerUsers & tab & _
        PowerGroups
Next

' Close log file handle, open the log in Notepad
oLog.Close
oShell.Run "notepad.exe """ & LogPath & """"

' Clean up
Set ADComputers = Nothing
Set oADInfo = Nothing
Set oFso = Nothing
Set oLog = Nothing
Set oShell = Nothing

' Fill Users and Groups with the "; "-separated direct members of one local
' group on one computer. On a bind error both are set to the error number and
' the group object is left unset, so a failure on one computer can no longer
' report the previous computer's members, and the error cannot carry over
' into the next group lookup.
Sub ListGroupMembers(ComputerName, GroupName, ByRef Users, ByRef Groups)
    Dim objGroup, objUser
    Users = ""
    Groups = ""

    ' Trap any errors in case the user is unauthorized, the computer is
    ' inaccessible, etc.
    On Error Resume Next
    Set objGroup = GetObject("WinNT://" & ComputerName & "/" & GroupName & ",group")
    If Err.Number <> 0 Then
        Users = Err.Number
        Groups = Err.Number
        Err.Clear
        Exit Sub
    End If

    For Each objUser In objGroup.Members
        If objUser.Class = "User" Then
            Users = Users & objUser.Name & "; "
        Else
            Groups = Groups & objUser.Name & "; "
        End If
    Next
    On Error GoTo 0
End Sub
'--------------------------------------------------------------------------------


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Al Dunbar
04-09-2009

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news: .com...
> Hello Venkatesh,
>
> From another posting:
>
> You can use the script below to generate a report on local Administrators
> and Power Users. Copy it into a text file and rename it with the .vbs
> extension. Run it from the domain controller. For the computers you are
> auditing, you must have Administrator privileges and be able to access the
> computer's RPC ports. The output is tab delimited and can be opened in
> Excel.


A quick reading of this script suggests to me that it may not list accounts
that get their admin privs indirectly through AD group nesting.

/Al

Ace Fekay [Microsoft Certified Trainer]
04-16-2009
"Venkatesh" <> wrote in message
news:75B59488-6FA0-4650-9981-...
> Hi there,
>
> Is there a command-line or script available which can generate a report
> of all accounts with administrator-equivalent privileges in a Windows AD
> setup, with added information on which machine the ID resides, etc.?
>
> Thanks,
> Venkatesh



Can you elaborate on what you mean by Windows AD setup?

Do you mean you need a script to generate a report to enumerate accounts,
for example, in the Administrators group?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

 
Venkatesh
05-07-2009
Hi Ace,

Yes that's exactly what I need.

A script which can scan domain member servers (in batches) and enumerate the
accounts or domain groups which are members of the local Administrators group.

Thank you.
V

Venkatesh
05-07-2009
Yes, that's right: enumerate the Administrators groups of member servers.

Ace Fekay [Microsoft Certified Trainer]
05-07-2009
"Venkatesh" <> wrote in message
news:39576E49-FB82-42F4-85F4-...
> Hi Ace,
>
> Yes that's exactly what I need.
>
> A script which can scan domain member servers (in batches) and enumerate the
> accounts or domain groups which are members of the local Administrators
> group.
>
> Thank you.
> V


Ok. See if these help:

Dump Group Membership To A Tab Delimited Text File... ( Vbscript )
http://cwashington.netreach.net/depo...tType=vbscript

I've used CWashington's scripts for this same task, but I used it to dump
the whole domain so I can audit everything. There are others at
CWashington's site. Just go to http://cwashington.netreach.net and click on
VBDScript, and search "Group Members"

Tutorial for VBScript. Example enumerate members of a Windows group. Our
Mission and Goal; Example 1: Discovering who is a member of the
Administrators Group; VBScript Tutorial: Learning Points for Enumerating a
Group ...
http://www.computerperformance.co.uk...te_members.htm

Microsoft Certified Professional Magazine Online | Column: Easy ...Nov 15,
2006 ... Here is a script that will enumerate all local administrator group
members for every computer in your domain, and store the results in a ...
http://mcpmag.com/columns/article.asp?EditorialsID=1538

I hope that helps.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
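Meinolf's VBScript lists only the direct members of each machine's local Administrators group, Al pointed out that it therefore misses accounts that hold admin rights through AD group nesting, and Venkatesh asked for a scan of member servers in batches. The PowerShell below is an added example written for this page; it is not code from the thread or from any of the sites Ace linked. It assumes the RSAT ActiveDirectory module is installed, that the account running it is a local Administrator on every target and can reach its RPC ports (the same requirement Meinolf stated for the VBScript), and that the `$SearchBase` default is a placeholder to be replaced with the OU that holds your servers. It goes a step beyond the thread's script: each domain group found in a local Administrators group is expanded with `Get-ADGroupMember -Recursive`, and every user reached that way is reported with the group that granted the membership in the `Via` column.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not code from the thread or from Microsoft.
  Lists members of the local Administrators group on each domain member
  server and expands domain groups recursively, so accounts that hold
  admin rights only through AD group nesting appear in the report.
  Assumes: RSAT ActiveDirectory module; the caller is a local Administrator
  on every target and can reach its RPC ports. $SearchBase is a placeholder.
#>
[CmdletBinding()]
param(
    [string]$SearchBase = 'OU=Servers,DC=example,DC=com',   # placeholder OU, replace
    [string]$ReportPath = "$env:USERPROFILE\Documents\PrivilegedLocalUserAudit.csv",
    [int]$BatchSize     = 25
)

Import-Module ActiveDirectory
$domain = (Get-ADDomain).NetBIOSName

# Read a property off a COM member object returned by the WinNT provider
function Get-AdsiProperty {
    param($Object, [string]$Name)
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $null)
}

# Enumerate the local Administrators group on one computer. Emits one row per
# direct member plus one row per user reached through a nested domain group.
function Get-LocalAdminMembers {
    param([string]$ComputerName)

    try {
        $group   = [ADSI]"WinNT://$ComputerName/Administrators,group"
        $members = @($group.Invoke('Members'))
    } catch {
        # Unreachable host, access denied, RPC blocked: record it and move on
        return [pscustomobject]@{
            Computer = $ComputerName; Member = ''; Class = 'Error'
            IsDomainPrincipal = $false; Via = $_.Exception.Message
        }
    }

    foreach ($m in $members) {
        $name  = Get-AdsiProperty $m 'Name'
        $class = Get-AdsiProperty $m 'Class'          # 'User' or 'Group'
        # ADsPath is WinNT://<authority>/<name>; the authority is the domain
        # NetBIOS name for domain principals and the computer name for local ones
        $authority = ((Get-AdsiProperty $m 'ADsPath') -replace '^WinNT://', '').Split('/')[0]
        $isDomain  = $authority -ieq $domain

        [pscustomobject]@{
            Computer = $ComputerName; Member = "$authority\$name"; Class = $class
            IsDomainPrincipal = $isDomain; Via = '(direct)'
        }

        if ($isDomain -and $class -eq 'Group') {
            # -Recursive flattens nesting and returns leaf users/computers only
            try {
                Get-ADGroupMember -Identity $name -Recursive |
                    Where-Object objectClass -eq 'user' |
                    ForEach-Object {
                        [pscustomobject]@{
                            Computer = $ComputerName; Member = "$domain\$($_.SamAccountName)"
                            Class = 'User'; IsDomainPrincipal = $true; Via = $name
                        }
                    }
            } catch {
                [pscustomobject]@{
                    Computer = $ComputerName; Member = "$domain\$name"; Class = 'Error'
                    IsDomainPrincipal = $true; Via = "Group expansion failed: $($_.Exception.Message)"
                }
            }
        }
    }
}

# Enabled servers only; processed in batches so a large domain can be audited in slices
$servers = @(Get-ADComputer -SearchBase $SearchBase `
    -Filter "OperatingSystem -like '*Server*' -and Enabled -eq 'True'" |
    Select-Object -ExpandProperty Name)

$rows = for ($i = 0; $i -lt $servers.Count; $i += $BatchSize) {
    $batch = $servers[$i..([Math]::Min($i + $BatchSize, $servers.Count) - 1)]
    Write-Verbose "Batch starting at index $i : $($batch -join ', ')"
    foreach ($s in $batch) { Get-LocalAdminMembers -ComputerName $s }
}

$rows | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) rows to $ReportPath"
```

Run it from a management host as an account that is a local Administrator on the targets; rows with `Class = Error` mark computers that could not be reached or groups that could not be expanded, so those should be followed up rather than treated as having no privileged members. The report still covers only local Administrators membership, the same scope the thread asked about; rights granted by other means (for example a user right assignment or a service running as a privileged account) need a separate check.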

 