Enumerate Administrators

Well, here's a script that pulls a list of computers from your Active Directory domain, connects to each computer, and enumerates the users, groups, or computer accounts that have local administrative permissions. When I wrote this script, I had security auditing in mind: I wanted to make sure that no one had Administrator privileges who didn't need them. The script will also echo out the user currently logged onto each computer. For terminal servers, this will only show one user, but it was designed with single-logon XP clients after all, so don't be picky :)
If you have any trouble running this script, feel free to let me know. I designed it to be cross-domain compatible so that I could post it up here and anyone could use it. I welcome any comments, questions, and constructive criticism; I'm always looking for ideas on how to make some cool new script. Anyway, without further ado, here is the script:
'Computers array (space-delimited list of names, built by getComputers)
dim computers
'Computers that weren't accessible
dim bad

set objAD = GetObject("LDAP://RootDSE")
domain = objAD.Get("DefaultNamingContext")
set objAD = GetObject("LDAP://" & domain)
'Include "container" so computers in the default CN=Computers container are found too
objAD.filter = array("computer","organizationalUnit","container")

'Walk the domain for computer objects, then split the list into an array
getComputers objAD
computerlist = split(computers)

'The trailing space leaves an empty last element, so stop one short of ubound
for i = 0 to ubound(computerlist)-1
    if isAlive(computerlist(i)) then enumAdmins(computerlist(i))
next

'==================FUNCTION==================
'Name/Params: getComputers(objAD)
'Purpose: Recurse through the OUs and containers under objAD and collect the name of every computer object
'==============================================
function getComputers(objAD)
    for each adobj in objAD
        if adobj.class = "organizationalUnit" or adobj.class = "container" then
            'The replace here fixes up any OUs that might have slashes in the names
            set ou = GetObject("LDAP://" & replace(adobj.distinguishedName,"/","\/"))
            'Apply the same filter to the child so we only enumerate what we need
            ou.filter = array("computer","organizationalUnit","container")
            getComputers(ou)
        elseif adobj.class = "computer" then
            'Strip the leading "CN=" from the object name
            pcname = right(adobj.name,len(adobj.name)-3)
            computers = computers & pcname & " "
        end if
    next
end function

'==================FUNCTION==================
'Name/Params: enumAdmins(pcname)
'Purpose: Connect to computer, grab local Administrators group, and echo out members
'==============================================
function enumAdmins(pcname)
    on error resume next
    set computer = GetObject("WinNT://" & pcname & "/Administrators")
    if err.number <> 0 then
        'Could not bind to the remote group; record the machine for manual follow-up
        bad = bad & pcname & " "
    else
        set users = computer.Members()
        wscript.echo "##### " & pcname & " (" & getLoggedOnUser(pcname) & ") #####"
        for each user in users
            wscript.echo user.name
        next
    end if
    err.clear
end function

'==================FUNCTION==================
'Name/Params: getLoggedOnUser(pcname)
'Purpose: Connect to computer, grab currently logged on user and return value
'==============================================
function getLoggedOnUser(pcname)
    on error resume next
    set objWMI = GetObject("winmgmts:\\" & pcname & "\root\cimv2:win32_computersystem")
    if err.number = 0 then
        set results = objWMI.Instances_
        for each obj in results
            getLoggedOnUser = obj.username
        next
    end if
    err.clear
end function

'==================FUNCTION==================
'Name/Params: isAlive(pcname)
'Purpose: Ping computer to pre-test for IP connectivity. Returns true if resolved IP address is pingable
'==============================================
function isAlive(pcname)
    isAlive = false
    set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    sQuery = "select * from win32_pingstatus where address='" & pcname & "' and timeout=1000"
    set results = objWMI.ExecQuery(sQuery)
    for each result in results
        if result.statuscode = 0 then
            isAlive = true
        end if
    next
end function

badmachines = split(bad)
wscript.echo vbcrlf & "The following computers were unable to be contacted. Please audit these individually"
wscript.echo "===================================================================================="
'The trailing space leaves an empty last element, so stop one short of ubound
for i = 0 to ubound(badmachines) - 1
    wscript.echo badmachines(i)
next
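For the same audit in Windows PowerShell, here is an added example (not the post's own script) that does what the VBScript above does and additionally flags any Administrators member that is not on an expected baseline, which is the check the audit is really after. It assumes a domain-joined host with rights to read each remote machine's Administrators group and WMI; the $Expected list is illustrative and must be adjusted to your environment.

```powershell
# Added example: PowerShell version of the local-Administrators audit with a baseline.
# Assumptions: Windows PowerShell (Get-WmiObject), domain-joined host, read rights on
# each remote machine's Administrators group; $Expected is an illustrative baseline.
$Expected = @('Administrator', 'Domain Admins')

function Get-DomainComputerNames {
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$($root.defaultNamingContext)")
    $searcher.Filter = '(objectCategory=computer)'   # finds computers in OUs and containers alike
    $searcher.PageSize = 1000                       # page results in large domains
    [void]$searcher.PropertiesToLoad.Add('name')
    $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }
}

function Get-LocalAdminMembers([string]$Computer) {
    # Bind to the remote group over the WinNT provider and read each member's Name
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-LoggedOnUser([string]$Computer) {
    (Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Computer).UserName
}

$unreachable = @()
foreach ($pc in Get-DomainComputerNames) {
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) { $unreachable += $pc; continue }
    try {
        $members = Get-LocalAdminMembers $pc
    } catch {
        $unreachable += $pc; continue   # bind failed (access denied, service off, etc.)
    }
    Write-Output "##### $pc ($(Get-LoggedOnUser $pc)) #####"
    foreach ($m in $members) {
        $flag = if ($Expected -contains $m) { '' } else { '   <-- not in baseline' }
        Write-Output "  $m$flag"
    }
}
if ($unreachable) {
    Write-Output "`nThe following computers could not be audited; check them individually:"
    $unreachable | ForEach-Object { Write-Output "  $_" }
}
```

Members that resolve to the same display name in different domains will match the baseline by name only; compare on ADsPath instead if your forest has such collisions.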
11:01 AM