I am trying to set up a script to audit Builtin Administrators and Domain
Administrators for every domain in our forest. I would like to have a script
that runs without any user interaction and dumps to some kind of file for
reporting purposes. Any help is appreciated.

Re: Enumerate Admins by deckhopper

deckhopper
Tue Jan 24 00:56:47 CST 2006

Try this?

' Query the Global Catalog for every user object in the forest and echo its name.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' Without paging, a DC returns at most 1000 rows (its MaxPageSize); page the search.
objCommand.Properties("Page Size") = 1000

objCommand.CommandText = _
    "<GC://dc=fabrikam,dc=com>;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "name;subtree"

Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("name").Value
    objRecordSet.MoveNext
Wend

objRecordSet.Close
objConnection.Close


Re: Enumerate Admins by COTAD

COTAD
Tue Jan 24 08:02:02 CST 2006

I only need to dump information about Domain Admins and Builtin
Administrators for every domain in the forest. It appears this script dumps
every user account in every domain.

Re: Enumerate Admins by Yannick

Yannick
Tue Jan 24 11:31:01 CST 2006

This one will display the list of users that populate a given group
(identified by its full DN, like sNomGroupe).
Put it in a function and call it for each domain you have and it will be
fine.

______________________________________________________________
Dim sNomGroupe, oGroupe, oMembreGroupe

' Distinguished name of the group to list (placeholder values, replace with your own).
sNomGroupe = "CN=MonGroupe,OU=Groupes,DC=MonDomaine,DC=MaBoite,DC=MonPays"
Set oGroupe = GetObject("LDAP://" & sNomGroupe)

Wscript.Echo "The members of group " & oGroupe.Name & " are:"
For Each oMembreGroupe In oGroupe.Members
    Wscript.Echo " --> " & oMembreGroupe.Name
Next
________________________________________________________________

Hope it helps.

Yannick SCHAPPLER
France




Re: Enumerate Admins by Richard

Richard
Tue Jan 24 16:17:31 CST 2006

Hi,

Finding all users with admin privileges can be a challenge. I thought I saw
a third party tool for this some time ago. If I find it, I'll post again. In
the meantime I have a sample VBScript program that displays all members of a
specified group linked here:

http://www.rlmueller.net/List%20Members%20of%20a%20Group.htm

It reveals membership due to group nesting, plus the "Primary" group
membership. You can specify the Distinguished Name of the Administrators
group (in the Builtin container), the "Domain Admins" group, the "Enterprise
Admins" group, etc. The Administrators group should include "Domain Admins"
and "Enterprise Admins". At a command prompt, you could create a text file
report of admin membership with:

cscript //nologo EnumGroup.vbs "cn=Administrators,cn=Builtin,dc=MyDomain,dc=com" > AdmReport.txt

You would have to repeat this for each domain.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

Re: Enumerate Admins by COTAD

COTAD
Thu Feb 02 14:32:44 CST 2006

I would like to have a script that would run through every domain in the
forest without any user interaction. Do you know of a way to accomplish this
task?

Re: Enumerate Admins by Richard

Richard
Fri Feb 03 21:10:09 CST 2006

Hi,

If all domains are in the same forest, you can use a recursive subroutine.
The one below simply displays all domain names:

' Bind to the forest root domain through RootDSE, then walk the child domains.
Set objRootDSE = GetObject("LDAP://RootDSE")
Set objRootDomain = GetObject("LDAP://" & _
    objRootDSE.Get("rootDomainNamingContext"))

Call EnumDomains(objRootDomain, "")

Sub EnumDomains(objParent, strOffset)
    ' Subroutine to document domains.
    Dim objChild

    ' Document domain.
    Wscript.Echo strOffset & objParent.Name

    ' Enumerate child domains (their objectClass includes "domain").
    objParent.Filter = Array("domain")
    For Each objChild In objParent
        Call EnumDomains(objChild, "--" & strOffset)
    Next
End Sub

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

Re: Enumerate Admins by COTAD

COTAD
Wed Feb 08 09:11:29 CST 2006

Ok. What would I need to do to get the list of administrators once I have
the list of domains?

Re: Enumerate Admins by Richard

Richard
Fri Feb 10 20:49:16 CST 2006

Hi,

Once you have the Distinguished Name of the domain, you can bind to the
admin group objects, which by default are in the cn=Users container, like
"Domain Admins" and "Enterprise Admins", and enumerate the membership. If
any of the members are groups, you have to enumerate those groups also.

The problem is that these groups can be renamed or moved to other
containers/OUs. Also, administrative privileges can be granted to other
groups or users. I have no solution for that.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

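
Putting the thread's pieces together (enumerate every domain, bind to each domain's admin groups, expand nested membership and primary-group membership, write a file, no interaction), as an added example that is not code from any of the posters. It is PowerShell using only ADSI/System.DirectoryServices, so it needs no RSAT module. It also addresses Richard's rename/move caveat: the groups are located by their well-known SIDs (BUILTIN\Administrators is S-1-5-32-544 in every domain, Domain Admins is the domain SID plus RID 512), so a renamed or relocated group is still found. Assumptions: the account running it can read every domain in the forest, and the report file AdmReport.csv in the current directory is a made-up name.

```powershell
# Added example, not code from the thread: one unattended pass over every domain
# in the forest, CSV out. Administrators and Domain Admins are located by
# well-known SID/RID, not by name or container; nested groups from any forest
# domain and members held only via primaryGroupID are expanded.
# Assumptions: the caller can read every domain; AdmReport.csv is a made-up name.
$ErrorActionPreference = 'Stop'
$ReportPath = 'AdmReport.csv'

function Get-ForestDomains {
    # Every domain has a crossRef under CN=Partitions with systemFlags bit 0x2
    # (FLAG_CR_NTDS_DOMAIN) set; nCName is the domain DN, dnsRoot its DNS name.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.psbase.Properties['configurationNamingContext'].Value
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNc"
    $s.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
    $null = $s.PropertiesToLoad.AddRange([string[]]@('nCName', 'dnsRoot'))
    foreach ($r in $s.FindAll()) {
        [pscustomobject]@{ Dn = [string]$r.Properties['ncname'][0]; DnsRoot = [string]$r.Properties['dnsroot'][0] }
    }
}

function Get-DomainDnsFromDn([string]$Dn) {
    # CN=x,OU=y,DC=child,DC=corp,DC=example -> child.corp.example
    ($Dn -split ',' | ForEach-Object { if ($_ -match '^DC=(.+)$') { $Matches[1] } }) -join '.'
}

function Get-Sid($Entry) {
    $bytes = $Entry.psbase.Properties['objectSid'].Value
    New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
}

function Get-AdminGroupsOfDomain($Domain) {
    # BUILTIN\Administrators is S-1-5-32-544 in every domain, so bind through the
    # domain's DNS name to resolve it there; Domain Admins is <domain SID>-512.
    $domainSid = Get-Sid ([ADSI]"LDAP://$($Domain.DnsRoot)/$($Domain.Dn)")
    foreach ($sid in 'S-1-5-32-544', "$domainSid-512") {
        [ADSI]"LDAP://$($Domain.DnsRoot)/<SID=$sid>"
    }
}

function Expand-GroupMembers {
    param($Group, [string]$AuditDomain, [string]$AuditGroup, [string]$Via, $Seen)
    $groupDn = [string]$Group.psbase.Properties['distinguishedName'].Value
    if (-not $Seen.Add($groupDn)) { return }     # already expanded: nesting loop
    $name = [string]$Group.psbase.Properties['name'].Value
    $path = if ($Via) { "$Via > $name" } else { $name }
    $rid  = [int](((Get-Sid $Group).Value -split '-')[-1])

    # Explicit members, plus accounts whose primaryGroupID equals this RID: they are
    # members too but never appear in the 'member' attribute.
    $memberDnList = @($Group.psbase.Properties['member'] | ForEach-Object { [string]$_ })
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$(Get-DomainDnsFromDn $groupDn)"
    $s.Filter = "(primaryGroupID=$rid)"
    $null = $s.PropertiesToLoad.Add('distinguishedName')
    $memberDnList += @(foreach ($r in $s.FindAll()) { [string]$r.Properties['distinguishedname'][0] })

    foreach ($dn in $memberDnList) {
        try {
            # Members may live in any domain of the forest: bind via the DN's own
            # domain. '/' is the ADsPath separator and must be escaped inside a DN.
            $m = [ADSI]"LDAP://$(Get-DomainDnsFromDn $dn)/$($dn -replace '/', '\/')"
            $classes = @($m.psbase.Properties['objectClass'] | ForEach-Object { [string]$_ })
        } catch {
            [pscustomobject]@{ Domain = $AuditDomain; AuditGroup = $AuditGroup; Via = $path
                               Member = '(unreadable)'; Class = ''; Sid = ''; MemberDn = $dn; Error = $_.Exception.Message }
            continue
        }
        if ($classes -contains 'group') {
            Expand-GroupMembers -Group $m -AuditDomain $AuditDomain -AuditGroup $AuditGroup -Via $path -Seen $Seen
            continue
        }
        # Leaf: user, computer, or foreignSecurityPrincipal (an account from a trusted forest).
        $sam = [string]$m.psbase.Properties['sAMAccountName'].Value
        [pscustomobject]@{ Domain = $AuditDomain; AuditGroup = $AuditGroup; Via = $path
                           Member = $(if ($sam) { $sam } else { [string]$m.psbase.Properties['name'].Value })
                           Class = $classes[-1]; Sid = (Get-Sid $m).Value; MemberDn = $dn; Error = '' }
    }
}

$rows = foreach ($domain in Get-ForestDomains) {
    foreach ($group in Get-AdminGroupsOfDomain $domain) {
        $seen = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
        Expand-GroupMembers -Group $group -AuditDomain $domain.DnsRoot -Via '' -Seen $seen `
            -AuditGroup ([string]$group.psbase.Properties['name'].Value)
    }
}
$rows | Sort-Object Domain, AuditGroup, Via, Member |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host "$(@($rows).Count) membership rows written to $ReportPath"
```

Run it from a scheduled task (for example `powershell.exe -NoProfile -File .\AdmReport.ps1`) and diff the CSV against the previous run; the Via column shows the nesting path through which each account gets its rights, which is usually the finding worth acting on. Richard's second caveat still stands: rights granted through ACLs, GPO-delegated local administrators, or other privileged groups are not covered. The other well-known groups can be added to the SID list in Get-AdminGroupsOfDomain with one line each (Account Operators S-1-5-32-548, Server Operators S-1-5-32-549, Backup Operators S-1-5-32-551; Schema Admins and Enterprise Admins are RIDs 518 and 519 of the forest root domain).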