Local Administrators Members
***2015-05-21 - Moving to Inventory - Questions forum***
I would like to see a collection showing any computer that has members of the Administrators group that are not part of a certain set.
Example:
Computer1 has Administrators and Domain Admins under the Local Administrators group
Computer2 has Administrators, Domain Admins, and Unauthorized Local Admin under the Administrators group
Computer2 would show up as it has the Unauthorized Local Admin user in the Administrators group
Comments
I was able to kind of do this with a report. Create a basic report with the columns "Computer/Name" and "Local Group Member/Name". For the Filter add a Value Filter of "Local Group/Name/Equals/Administrators" and 2 more Value Filters like "Local Group Member/Name/Does Not Equal/Administrator".
Clear as mud, right? The screenshots probably make WAY more sense :D
I tried doing this with a collection, but I can't figure out how to make it work. I either get every computer in the database or zero computers. I even tried to get fancy and use regex, but that didn't work either.
The reason we haven't added this is because many companies have different names for approved accounts.
For Reports or Collections you have two options when it comes to the filters.
You can use one Does Not Match Expression filter. Don't get confused by the ^ and $. They aren't strictly necessary. ^ simply means that the string begins with the following character and the $ means that is the end of the string. ^Administrator$ means the name must be Administrator while ^Administrator means the name could be Administrator HQ (basically the account name begins with Administrator). The pipe | means OR.
Or to have different filter groups for each account name. Notice how all four sub-groups are on the same level (directly under the main group).
Thank you Shane, this is very helpful!
What I do is just set group policy to remove all user accounts from local admins group and only allow groups to be in local admins.
This way you just manage the groups on the domain and don't worry about any computers getting users added to the local admin group.
Great point, Mike
GPOs are very helpful in these situations. I'm definitely a fan of "set it and forget it".
Here is a simple script you can use as well. You can set it as a startup script or push it out with PDQ. This will delete all accounts and groups except for the ones specified. You can tack on as many accounts or groups to exclude by adding additional And (sAdmGrpUser <> "user_or_group_name")
'====================
'This script will remove all unwanted user accounts from local administrators group.
'====================
Set wshShell = WScript.CreateObject("WScript.Shell")
strComputerName = wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
sNode = strComputerName
On Error Resume Next
' group name to remove user from
Set oGroupAdm = GetObject("WinNT://" & sNode & "/Administrators")
' loop through all members of the Administrators group
For Each oAdmGrpUser In oGroupAdm.Members
    ' get the name and make it lowercase
    sAdmGrpUser = LCase(oAdmGrpUser.Name)
    ' Leave administrator and Domain Admins alone
    ' use lowercase letters in the names in the If statement!
    If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then
        'msgbox oAdmGrpUser.Name
        ' remove users from Administrators group
        oGroupAdm.Remove oAdmGrpUser.ADsPath
    End If
Next
Check out this updated forum post for further information:
Local Admins Report
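As an added example that is not from the thread or from PDQ, the same check in PowerShell: it reports members of the local Administrators group that are outside an approved list (the original question) and can optionally remove them, as the VBScript above does. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the approved names are placeholders to adjust for your environment.

```powershell
# Added example (not from the thread): audit the local Administrators group against an
# approved list, report members outside it, and optionally remove them.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember / Remove-LocalGroupMember).
# The approved names are placeholders.

function Get-UnapprovedLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Accounts or groups allowed to stay; matched on full "DOMAIN\Name" or on the bare name.
        [string[]]$Approved = @('Administrator', 'Domain Admins'),
        # Remove anything not approved (the startup-script behaviour). Off by default.
        [switch]$Remove
    )

    foreach ($m in (Get-LocalGroupMember -Group 'Administrators')) {
        # Names come back as "COMPUTER\Administrator" or "DOMAIN\Domain Admins".
        # -contains compares case-insensitively, like the LCase() in the VBScript.
        $bare = ($m.Name -split '\\')[-1]
        if (($Approved -contains $m.Name) -or ($Approved -contains $bare)) { continue }

        $row = [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $m.Name
            ObjectClass = $m.ObjectClass      # User or Group
            Source      = $m.PrincipalSource  # Local, ActiveDirectory, ...
            Removed     = $false
        }
        if ($Remove -and $PSCmdlet.ShouldProcess($m.Name, 'Remove from Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
            $row.Removed = $true
        }
        $row
    }
}

# Report only (pipe to Export-Csv to collect one file per machine):
Get-UnapprovedLocalAdmin | Format-Table -AutoSize
# Dry run of the removal; drop -WhatIf to enforce:
Get-UnapprovedLocalAdmin -Remove -WhatIf
```

Run it under an elevated session; the report mode needs no changes to the group and is the safer thing to push out first to see what the approved list misses.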
Is there a way to tweak the report filter to show when the current user is in the local admins group? That isn't a system variable, but is there a way to run some PowerShell code or something in this filter field?
@Shapiro, Jonathan
You can add "Computer | Current User Name" to the Columns.
Actually, I was looking for a filter to apply to limit the rows in the report to show those computers that the current user is in the local administrators group.
I think I was able to create a SQL report that does what you want.
I'm jealous of what you SQL guys can do. This really works. Thank you so much.
I need to tweak it to add a few more columns. I need computer IP address, AD Parent Folder, Computer O/S, and maybe O/S Install Date. I also would like it to run against machines that have been scanned in the last 25 days (active machines). I did that by attaching it to a collection source, but there is probably some SQL code to do the same.
For a hack like me, is there a way to look at the SQL from a standard report? Then I can get the names/tables of the fields I need to do this myself and maybe learn something?
Well, I realize the SQL editor provides all that. It lists tables/columns. This is a big help.
I was able to figure out how to add the additional columns I need.
I am curious, though, is there a way to convert or view standard reports as SQL?
Cool, I'm glad that worked for you and that you were able to add the columns you wanted.
No, there is no way to convert a Basic Report into SQL.