Audit For Privileged Accounts

Discussion in 'Server Security' started by Venkatesh, Apr 8, 2009.

  1. Venkatesh

    Venkatesh Guest

    Hi there,

    Is there a command-line or script available which can generate a report
    of all accounts with administrator-equivalent privileges in a Windows AD setup,
    with added information on which machine the id resides, etc.?

    Thanks,
    Venkatesh
     
    Venkatesh, Apr 8, 2009
    #1

  2. Hello Venkatesh,

    From another posting:

    You can use the script below to generate a report on local Administrators
    and Power Users. Copy it into a text file and rename it with the .vbs extension.
    Run it from the domain controller. For the computers you are auditing, you
    must have Administrator privileges and be able to access the computer's RPC
    ports. The output is tab delimited and can be opened in Excel.

    '--------------------------------------------------------------------------------

    Set oADInfo = CreateObject("ADSystemInfo")
    Set oFso = WScript.CreateObject("Scripting.FileSystemObject")
    Set oShell = WScript.CreateObject("WScript.Shell")

    LogPath = oShell.SpecialFolders("MyDocuments") & "\Privileged Local User Audit.txt"
    AdsiPath = "WinNT://" & oADInfo.DomainShortName
    tab = Chr(9)

    ' Connect to the domain through the WinNT provider and list only computer objects
    Set ADComputers = GetObject(AdsiPath)
    ADComputers.Filter = Array("Computer")

    ' Open the log file (overwrites any previous report)
    Set oLog = oFso.CreateTextFile(LogPath, True)
    oLog.WriteLine "Privileged Local Users on Computers in the " & _
        oADInfo.DomainDNSName & " domain."
    oLog.WriteLine Now
    oLog.WriteLine ""
    oLog.WriteLine "Computer" & tab & _
        "Administrators" & tab & _
        "Administrators Groups" & tab & _
        "Power Users" & tab & _
        "Power Users Groups"

    ' Check each computer
    For Each oComputer In ADComputers

        ' Trap any errors in case the user is unauthorized, the computer is
        ' inaccessible, etc. The error is written to the report for that
        ' computer instead of stopping the script.
        On Error Resume Next

        ' Get the Administrators users and groups
        AdminUsers = ""
        AdminGroups = ""
        Err.Clear
        Set objGroup = Nothing
        Set objGroup = GetObject("WinNT://" & oComputer.Name & "/Administrators")
        If Err.Number <> 0 Then
            AdminUsers = "Error " & Err.Number & ": " & Err.Description
            AdminGroups = AdminUsers
        Else
            For Each objUser In objGroup.Members
                If objUser.Class = "User" Then
                    AdminUsers = AdminUsers & objUser.Name & "; "
                Else
                    AdminGroups = AdminGroups & objUser.Name & "; "
                End If
            Next
        End If

        ' Get the Power Users users and groups
        PowerUsers = ""
        PowerGroups = ""
        Err.Clear
        Set objGroup = Nothing
        Set objGroup = GetObject("WinNT://" & oComputer.Name & "/Power Users")
        If Err.Number <> 0 Then
            PowerUsers = "Error " & Err.Number & ": " & Err.Description
            PowerGroups = PowerUsers
        Else
            For Each objUser In objGroup.Members
                If objUser.Class = "User" Then
                    PowerUsers = PowerUsers & objUser.Name & "; "
                Else
                    PowerGroups = PowerGroups & objUser.Name & "; "
                End If
            Next
        End If

        ' Output one tab-delimited line per computer
        oLog.WriteLine oComputer.Name & tab & _
            AdminUsers & tab & _
            AdminGroups & tab & _
            PowerUsers & tab & _
            PowerGroups

    Next

    ' Close the log file handle, then open the log in Notepad
    oLog.Close
    oShell.Run "notepad.exe """ & LogPath & """"

    ' Clean up
    Set ADComputers = Nothing
    Set oADInfo = Nothing
    Set oFso = Nothing
    Set oLog = Nothing
    Set oShell = Nothing

    '--------------------------------------------------------------------------------


    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 8, 2009
    #2

  3. Venkatesh

    Al Dunbar Guest

    A quick reading of this script suggests to me that it may not list accounts
    that get their admin privs indirectly through AD group nesting.

    /Al
     
    Al Dunbar, Apr 9, 2009
    #3

  4. Can you elaborate on what you mean by Windows AD setup?

    Do you mean you need a script to generate a report to enumerate accounts,
    for example, in the Administrators group?

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Apr 16, 2009
    #4
  5. Venkatesh

    Venkatesh Guest

    Hi Ace,

    Yes that's exactly what I need.

    Script which can scan domain member servers (in batches) and enumerate
    accounts or domain groups which are the members of local Administrator group.

    Thank you.
    V
     
    Venkatesh, May 7, 2009
    #5
  6. Venkatesh

    Venkatesh Guest

    Yes that's right, enumerate Administrator groups of Member servers.
     
    Venkatesh, May 7, 2009
    #6
  7. Ok. See if these help:

    Dump Group Membership To A Tab Delimited Text File... ( Vbscript )
    http://cwashington.netreach.net/depo/view.asp?Index=924&ScriptType=vbscript

    I've used CWashington's scripts for this same task, but I used it to dump
    the whole domain so I can audit everything. There are others at
    CWashington's site. Just go to http://cwashington.netreach.net and click on
    VBDScript, and search "Group Members"

    Tutorial for VBScript. Example: enumerate members of a Windows group. Our
    Mission and Goal; Example 1: Discovering who is a member of the
    Administrators Group; VBScript Tutorial: Learning Points for Enumerating a
    Group ...
    http://www.computerperformance.co.uk/vbscript/vbscript_group_enumerate_members.htm

    Microsoft Certified Professional Magazine Online | Column: Easy ... Nov 15,
    2006 ... Here is a script that will enumerate all local administrator group
    members for every computer in your domain, and store the results in a ...
    http://mcpmag.com/columns/article.asp?EditorialsID=1538

    I hope that helps.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    "Efficiency is doing things right; effectiveness is doing the right
    things." - Peter F. Drucker
    http://twitter.com/acefekay
     
    Ace Fekay [Microsoft Certified Trainer], May 7, 2009
    #7
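    The same audit in PowerShell, as an added example that is not from any post in this thread: it scans domain member servers in batches, lists the members of each server's local Administrators group over the WinNT provider (as the VBScript above does), and, to address Al Dunbar's point about nesting, expands each domain group it finds with Get-ADGroupMember -Recursive so the report shows the effective user accounts. Assumptions: the RSAT ActiveDirectory module is installed, the caller is a local administrator on the targets with RPC access, and the batch size, server filter and report path are placeholders to adjust.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the thread's script. Batch size, filter and path are assumptions.
param([int]$BatchSize = 50,
      [string]$Report = "$env:USERPROFILE\Documents\LocalAdminAudit.txt")

function Get-LocalAdminMembers {
    param([string]$Computer)
    # WinNT provider over RPC: works against old servers without PowerShell remoting
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        [pscustomobject]@{
            Name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            Class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            Path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

function Expand-DomainGroup {
    param([string]$GroupName)
    # Nested domain groups grant admin rights indirectly; resolve them to users
    try {
        (Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user').SamAccountName
    } catch { "ERROR: $($_.Exception.Message)" }
}

# Member servers only; the filter is an assumption, widen it as needed
$servers = @((Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name)
$rows = for ($i = 0; $i -lt $servers.Count; $i += $BatchSize) {
    $batch = $servers[$i..([Math]::Min($i + $BatchSize, $servers.Count) - 1)]
    foreach ($srv in $batch) {
        try { $members = Get-LocalAdminMembers -Computer $srv }
        catch {
            # Unreachable or access denied: record the error instead of stopping
            [pscustomobject]@{Computer=$srv; Member='ERROR'; Class=$_.Exception.Message; Effective=''}
            continue
        }
        foreach ($m in $members) {
            # A group whose ADsPath is not local to this server is a domain group
            $eff = if ($m.Class -eq 'Group' -and $m.Path -notlike "WinNT://$srv/*") {
                (Expand-DomainGroup -GroupName $m.Name) -join '; '
            } else { $m.Name }
            [pscustomobject]@{Computer=$srv; Member=$m.Name; Class=$m.Class; Effective=$eff}
        }
    }
}
# Tab-delimited like the VBScript report, so it opens directly in Excel
$rows | Export-Csv -Path $Report -NoTypeInformation -Delimiter "`t"
```

    The Effective column is where a review should focus: a server whose local Administrators group contains a broad domain group shows every user that group resolves to, which the direct membership list alone hides.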