Local Administrators Members

Comments

15 comments

  • Bouma, Colby

    I was able to kind of do this with a report. Create a basic report with the columns "Computer/Name" and "Local Group Member/Name". For the Filter add a Value Filter of "Local Group/Name/Equals/Administrators" and 2 more Value Filters like "Local Group Member/Name/Does Not Equal/Administrator".

    Clear as mud, right? The screenshots probably make WAY more sense :D

    I tried doing this with a collection, but I can't figure out how to make it work. I either get every computer in the database or zero computers. I even tried to get fancy and use regex, but that didn't work either.

    1
  • Shane Corellian

    The reason we haven't added this is because many companies have different names for approved accounts.

    For Reports or Collections you have two options when it comes to the filters.

    You can use one Does Not Match Expression filter. Don't get confused by the ^ and $. They aren't strictly necessary. ^ simply means that the string begins with the following character and the $ means that is the end of the string. ^Administrator$ means the name must be Administrator while ^Administrator means the name could be Administrator HQ (basically the account name begins with Administrator). The pipe | means OR.

    LocalAdminsRegEx.png

    Or you can have different filter groups for each account name. Notice how all four subgroups are on the same level (directly under the main group).

    LocalAdmins.png

    0
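
Added example, not part of the thread or of PDQ's code: the anchoring behaviour described in the comment above, run over a constructed member list. Python's `re` stands in for the product's regex engine (an assumption), and `rows_reported` is a hypothetical helper emulating a Does Not Match Expression filter.

```python
import re

# Constructed sample: members of the local Administrators group on one computer.
MEMBERS = [
    "Administrator",
    "Domain Admins",
    "Administrator HQ",       # begins with an approved name
    "HelpdeskAdministrator",  # ends with an approved name
    "Not Domain Admins",
    "jsmith",
]

# Three ways to write "Administrator OR Domain Admins" as one expression.
UNANCHORED = r"Administrator|Domain Admins"
HALF_ANCHORED = r"^Administrator|Domain Admins$"  # ^ and $ each bind to one side of |
ANCHORED = r"^(Administrator|Domain Admins)$"     # group first, then anchor


def rows_reported(members, pattern):
    """Emulate a 'Does Not Match Expression' filter: keep names the regex misses.

    Assumption: the filter searches anywhere in the value (re.search), which is
    what makes ^ and $ meaningful. Case handling of the product is not modelled.
    """
    rx = re.compile(pattern)
    return [m for m in members if not rx.search(m)]


if __name__ == "__main__":
    for label, pat in [("unanchored", UNANCHORED),
                       ("half-anchored", HALF_ANCHORED),
                       ("anchored", ANCHORED)]:
        print(f"{label:14} {pat!r:40} -> {rows_reported(MEMBERS, pat)}")
```

Only the grouped, anchored form keeps near-miss names such as "Administrator HQ" in the report; in `^Administrator|Domain Admins$` each anchor applies to just one alternative.
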
  • Bouma, Colby

    Thank you Shane, this is very helpful!

    0
  • Mikestoolz

    What I do is just set group policy to remove all user accounts from local admins group and only allow groups to be in local admins.

    This way you just manage the groups on the domain and don't worry about any computers getting users added to the local admin group.

    0
  • Shane Corellian

    Great point, Mike

    GPOs are very helpful in these situations. I'm definitely a fan of "set it and forget it".

    0
  • Michael Muni

    Here is a simple script you can use as well. You can set it as a startup script or push it out with PDQ. This will delete all accounts and groups except for the ones specified. You can tack on as many accounts or groups to exclude by adding additional And (sAdmGrpUser <> "user_or_group_name")

    '====================
    'This script will remove all unwanted user accounts from local administrators group.
    '====================
    Set wshShell = WScript.CreateObject("WScript.Shell")
    strComputerName = wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
    sNode = strComputerName

    On Error Resume Next

    ' group name to remove user from
    Set oGroupAdm = GetObject("WinNT://" & sNode & "/Administrators")

    ' loop through all members of the Administrators group
    For Each oAdmGrpUser In oGroupAdm.Members

        ' get the name and make it lowercase
        sAdmGrpUser = LCase(oAdmGrpUser.Name)

        ' Leave administrator and Domain Admins alone
        ' use lowercase letters in the names in the If statement!
        If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then
            'msgbox oAdmGrpUser.Name
            ' remove users from Administrators group
            oGroupAdm.Remove oAdmGrpUser.ADsPath
        End If
    Next

    0
  • Jason Hanks

    Check out this updated forum post for further information:

    Local Admins Report

    0
  • Shapiro, Jonathan

    Is there a way to tweak the report filter to show when the current user is in the local admins group? That isn't a system variable, but is there a way to run some PowerShell code or something in this filter field?

    0
  • Colby Bouma

    @Shapiro, Jonathan

    You can add "Computer | Current User Name" to the Columns.

    0
  • Shapiro, Jonathan

    Actually, I was looking for a filter to apply to limit the rows in the report to show those computers where the current user is in the local administrators group.

    0
  • Colby Bouma

    I think I was able to create a SQL report that does what you want.

    SELECT
        Computers.Name as "Computer Name",
        Computers.CurrentUser as "Current User",
        LocalGroupMembers.UserName as "Local Group Member Name"
    FROM Computers
        INNER JOIN LocalGroupMembers ON LocalGroupMembers.ComputerId = Computers.ComputerId
    WHERE <ComputerFilter>
        AND LocalGroupMembers.GroupName = 'Administrators'
        -- LIKE syntax from: https://stackoverflow.com/questions/3498844/sqlite-string-contains-other-string-query#comment61900744_3498858
        AND Computers.CurrentUser LIKE '%'||LocalGroupMembers.UserName||'%'
        AND NOT LocalGroupMembers.UserName LIKE 'Administrator'
        AND NOT LocalGroupMembers.UserName LIKE 'Domain Admins'

    0
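
Added example, not from the thread: the report query above run with Python's sqlite3 against constructed rows, comparing its substring test with an exact match on the account name. The table contents, the DOMAIN\user format of CurrentUser, the bare-name format of UserName and the helper `run_report` are assumptions; `<ComputerFilter>` is a product placeholder and is left out.

```python
import sqlite3

# Constructed stand-in for the two tables the report joins (only the columns used).
# Assumption: CurrentUser is DOMAIN\user and UserName is the bare account name.
SETUP = r"""
CREATE TABLE Computers (ComputerId INTEGER, Name TEXT, CurrentUser TEXT);
CREATE TABLE LocalGroupMembers (ComputerId INTEGER, GroupName TEXT, UserName TEXT);
INSERT INTO Computers VALUES
  (1, 'PC-01', 'CORP\jsmith'), (2, 'PC-02', 'CORP\bobby'), (3, 'PC-03', 'CORP\alee');
INSERT INTO LocalGroupMembers VALUES
  (1, 'Administrators', 'Administrator'), (1, 'Administrators', 'JSmith'),
  (2, 'Administrators', 'bob'),
  (3, 'Administrators', 'Domain Admins'), (3, 'Remote Desktop Users', 'alee');
"""

BASE = r"""
SELECT c.Name, c.CurrentUser, m.UserName
FROM Computers c
  INNER JOIN LocalGroupMembers m ON m.ComputerId = c.ComputerId
WHERE m.GroupName = 'Administrators'   -- <ComputerFilter> omitted outside the product
  AND {match}
  AND NOT m.UserName LIKE 'Administrator'
  AND NOT m.UserName LIKE 'Domain Admins'
ORDER BY c.Name
"""

# The thread's test: member name appears anywhere inside the current user string.
CONTAINS = "c.CurrentUser LIKE '%' || m.UserName || '%'"
# Stricter: compare only the part after the backslash, ignoring case.
EXACT = r"substr(c.CurrentUser, instr(c.CurrentUser, '\') + 1) = m.UserName COLLATE NOCASE"


def run_report(match_clause):
    """Run the report against the constructed data and return its rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP)
    rows = db.execute(BASE.format(match=match_clause)).fetchall()
    db.close()
    return rows


if __name__ == "__main__":
    print("contains:", run_report(CONTAINS))
    print("exact:   ", run_report(EXACT))
```

With the substring test, PC-02 is reported because the member "bob" is contained in the logged-on user "bobby"; the exact comparison reports only PC-01.
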
  • Shapiro, Jonathan

    I'm jealous of what you SQL guys can do. This really works. Thank you so much.

    I need to tweak it to add a few more columns. I need computer IP address, AD Parent Folder, Computer O/S, and maybe O/S Install Date. I also would like it to run against machines that have been scanned in the last 25 days (active machines). I did that by attaching it to a collection source, but there is probably some SQL code to do the same.

    For a hack like me, is there a way to look at the SQL from a standard report?  Then I can get the names/tables of the fields I need to do this myself and maybe learn something?

    0
  • Shapiro, Jonathan

    Well, I realize the SQL editor provides all that.  It lists tables/columns.  This is a big help.

    0
  • Shapiro, Jonathan

    I was able to figure out how to add the additional columns I need.

    I am curious, though, is there a way to convert or view standard reports as SQL?  

    0
  • Colby Bouma

    Cool, I'm glad that worked for you and that you were able to add the columns you wanted.

    No, there is no way to convert a Basic Report into SQL.

    0
