Remote Query of Local Groups

From Atomicorp Wiki

I have come up with a way for you to query remote machines and dump the contents of the local Admin group and the local Power Users group.

As a caveat, you need to add this line into your enterprise login script or you will have problems running WMI remote administration on desktops:

netsh firewall set service remoteadmin enable subnet

This allows the script to connect to the RPC Server remotely for admin.

Now on to the fun...

==================

The script will query the AD and pull out a list of all Computer objects. For each object it will attempt to connect to the Computer and dump the contents of the local Admin group and the local Power User group.

It will write the output to a file (LocalGroupDump.txt) in comma separated format, which allows you to import it into Excel.

The output file should look like this:

       ComputerName,Reachable,LocalGroup,ObjectType,Object
       SEVENOFNINE,Y,Administrators,UserAccount,TSGINC.COM\TSG-Admin
       SEVENOFNINE,Y,Administrators,Group,TSGINC.COM\Domain Admins
       SEVENOFNINE,Y,Administrators,Group,TSGINC.COM\Enterprise Admins
       SEVENOFNINE,Y,Administrators,UserAccount,TSGINC.COM\bprime
       SEVENOFNINE,Y,Administrators,UserAccount,TSGINC.COM\cpriester
       SEVENOFNINE,Y,Administrators,UserAccount,TSGINC.COM\IMSAdmin
       SEVENOFNINE,Y,Administrators,UserAccount,TSGINC.COM\mshinn
       SEVENOFNINE,Y,Administrators,UserAccount,TSGINC.COM\tgajeski
       SEVENOFNINE,Y,Administrators,UserAccount,TSGINC.COM\exchangeadmin
       SEVENOFNINE,Y,Administrators,UserAccount,TSGINC.COM\ATROPHY$
       SLEWARNE-LAPTOP,N
       SUTHERLAND,E
       THEX5MODEL,N
       TSG-1HZVY91,E
       TSG-1J7FM71,Y,Administrators,UserAccount,TSG-1J7FM71\Administrator
       TSG-1J7FM71,Y,Administrators,UserAccount,TSG-1J7FM71\tsguser
       TSG-1J7FM71,Y,Administrators,Group,TSGINC.COM\Domain Admins
       TSG-1J7FM71,Y,Administrators,UserAccount,TSGINC.COM\TSG-Admin
       TSG-1J7FM71,Y,Administrators,UserAccount,TSGINC.COM\evillarroel
       .....

There are five fields:

ComputerName - obvious

Reachable - this will be Y for yes, N for no and E for RPC Server error. If you get an E, it's got something to do with the netsh command not running properly.

LocalGroup - the name of the local group we are talking about

ObjectType - this can be a User or a Group (it shows up as UserAccount or Group in the output)

Object - The fully qualified name (DOMAIN\USERNAME). This will tell you if it is a domain account or a local account.
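Once you have the dump, the questions worth asking of it are which hosts came back with E (the firewall rule is missing), which members of Administrators are local accounts rather than domain principals, and which domain principals are administrators on many machines. The script below is an added example, not part of the wiki page, that reads a LocalGroupDump.txt in the five-field layout described above and prints those three things; when the file is not present it runs on a small constructed sample (the WS01..WS04 hosts and CORP accounts are invented):

```vbscript
' Added example: summarise a LocalGroupDump.txt written in the five-field
' layout (ComputerName,Reachable,LocalGroup,ObjectType,Object).
Option Explicit

Dim oRpcErrors, oLocalAdmins, oDomainHosts
Set oRpcErrors   = CreateObject("Scripting.Dictionary")  ' host -> True
Set oLocalAdmins = CreateObject("Scripting.Dictionary")  ' HOST\account -> True
Set oDomainHosts = CreateObject("Scripting.Dictionary")  ' domain principal -> host count

AnalyzeLines LoadDump("LocalGroupDump.txt")
PrintReport

' Returns the dump's lines, or a constructed sample when the file is absent.
' The sample hosts and accounts are invented, in the page's format.
Function LoadDump(sPath)
    Dim oFSO, oFile
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    If oFSO.FileExists(sPath) Then
        Set oFile = oFSO.OpenTextFile(sPath, 1)
        LoadDump = Split(oFile.ReadAll, vbCrLf)
        oFile.Close
    Else
        LoadDump = Array( _
            "ComputerName,Reachable,LocalGroup,ObjectType,Object", _
            "WS01,Y,Administrators,UserAccount,WS01\Administrator", _
            "WS01,Y,Administrators,UserAccount,WS01\helpdesk", _
            "WS01,Y,Administrators,Group,CORP\Domain Admins", _
            "WS01,Y,Power Users,UserAccount,CORP\jdoe", _
            "WS02,E", _
            "WS03,N", _
            "WS04,Y,Administrators,UserAccount,CORP\jdoe", _
            "WS04,Y,Administrators,Group,CORP\Domain Admins")
    End If
End Function

' Walks every row; header and blank rows are skipped.
Sub AnalyzeLines(aLines)
    Dim sLine, aFields, aObject, sHost
    For Each sLine In aLines
        aFields = Split(sLine, ",")
        If UBound(aFields) >= 1 And aFields(0) <> "ComputerName" Then
            sHost = aFields(0)
            If aFields(1) = "E" Then
                oRpcErrors(sHost) = True
            ElseIf aFields(1) = "Y" And UBound(aFields) >= 4 Then
                If aFields(2) = "Administrators" Then
                    ' Object is DOMAIN\NAME; when DOMAIN equals the computer
                    ' name the member is a local account or group.
                    aObject = Split(aFields(4), "\")
                    If UCase(aObject(0)) = UCase(sHost) Then
                        oLocalAdmins(aFields(4)) = True
                    Else
                        oDomainHosts(aFields(4)) = oDomainHosts(aFields(4)) + 1
                    End If
                End If
            End If
        End If
    Next
End Sub

Sub PrintReport()
    Dim sKey
    WScript.Echo "Hosts returning RPC error (check the netsh remoteadmin rule): " & _
                 Join(oRpcErrors.Keys, ", ")
    WScript.Echo vbCrLf & "Local (non-domain) members of Administrators:"
    For Each sKey In oLocalAdmins.Keys
        WScript.Echo "  " & sKey
    Next
    WScript.Echo vbCrLf & "Domain principals in Administrators, by number of hosts:"
    For Each sKey In oDomainHosts.Keys
        WScript.Echo "  " & oDomainHosts(sKey) & vbTab & sKey
    Next
End Sub
```

Run it with cscript from the folder that holds LocalGroupDump.txt. The local-account test relies on the Object field being written as DOMAIN\NAME with the computer's own name as the domain for local objects, which is what the sample output above shows.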

======================

It is up to you to change the following variables at the top of the script:

strLogin = "AEI\AEIAdmin"
strPass = "blahblahblah"
sDomain = "AEI"

Set these to the proper values. If you wish to change the name of the dump file, change it in this line:

Set oOutput = oFSO.CreateTextFile("LocalGroupDump.txt")

When you are ready to run the script, open a command prompt, cd to the proper folder and run:

       cscript WMI_whos_in_local_groups.vbs
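The script itself is not reproduced on this page, so the following is an added example and not the wiki's WMI_whos_in_local_groups.vbs: a from-scratch VBScript that carries out the procedure described above (list every computer object through an ADO query against AD, connect to each host with WMI, read the Administrators and Power Users memberships from Win32_GroupUser, and write the five-field CSV with the Y/N/E Reachable code). The credentials are the page's placeholders and must be changed; mapping E to the RPC-server-unavailable HRESULT 0x800706BA is my reading of the page's description of E, not something the page states:

```vbscript
' Added example (not the wiki's script): dump local Administrators and
' Power Users membership for every computer object in the domain.
' Assumes the netsh remoteadmin exception is in place and that the
' placeholder credentials below are replaced with a local admin account.
Option Explicit

Dim strLogin, strPass, strOutFile, aGroups
strLogin   = "AEI\AEIAdmin"       ' placeholder, change this
strPass    = "blahblahblah"       ' placeholder, change this
strOutFile = "LocalGroupDump.txt"
aGroups    = Array("Administrators", "Power Users")

Dim oFSO, oOutput, oLocator, oNet, oNames, sComputer
Set oFSO     = CreateObject("Scripting.FileSystemObject")
Set oOutput  = oFSO.CreateTextFile(strOutFile, True)
Set oLocator = CreateObject("WbemScripting.SWbemLocator")
Set oNet     = CreateObject("WScript.Network")

oOutput.WriteLine "ComputerName,Reachable,LocalGroup,ObjectType,Object"
Set oNames = GetComputerNames()
For Each sComputer In oNames.Keys
    DumpComputer sComputer
Next
oOutput.Close
WScript.Echo "Done, results in " & strOutFile

' Every computer object in the current domain, as a Dictionary keyed by name
' (paged ADO/ADSI query against the default naming context).
Function GetComputerNames()
    Dim oRoot, oConn, oCmd, oRS, oDict
    Set oDict = CreateObject("Scripting.Dictionary")
    Set oRoot = GetObject("LDAP://RootDSE")
    Set oConn = CreateObject("ADODB.Connection")
    oConn.Provider = "ADsDSOObject"
    oConn.Open "Active Directory Provider"
    Set oCmd = CreateObject("ADODB.Command")
    oCmd.ActiveConnection = oConn
    oCmd.CommandText = "<LDAP://" & oRoot.Get("defaultNamingContext") & _
                       ">;(objectCategory=computer);name;subtree"
    oCmd.Properties("Page Size") = 1000    ' paging avoids the 1000-result cap
    Set oRS = oCmd.Execute
    Do Until oRS.EOF
        oDict(oRS.Fields("name").Value) = True
        oRS.MoveNext
    Loop
    oRS.Close
    oConn.Close
    Set GetComputerNames = oDict
End Function

' One host: connect over WMI, then list the members of each group.
' Reachable = Y on success, E when the RPC server is unavailable
' (the firewall problem the page describes), N for any other failure.
Sub DumpComputer(sComputer)
    Dim oWMI, sGroup, colMembers, oMember, sPart, sClass
    On Error Resume Next
    If UCase(sComputer) = UCase(oNet.ComputerName) Then
        Set oWMI = oLocator.ConnectServer(sComputer, "root\cimv2")   ' no creds allowed locally
    Else
        Set oWMI = oLocator.ConnectServer(sComputer, "root\cimv2", strLogin, strPass)
    End If
    If Err.Number <> 0 Then
        If Hex(Err.Number) = "800706BA" Then       ' RPC_S_SERVER_UNAVAILABLE
            oOutput.WriteLine sComputer & ",E"
        Else
            oOutput.WriteLine sComputer & ",N"
        End If
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0

    For Each sGroup In aGroups
        ' Win32_GroupUser associates a group with each member; filtering on
        ' GroupComponent selects one local group (Domain = the computer name).
        Set colMembers = oWMI.ExecQuery( _
            "SELECT * FROM Win32_GroupUser WHERE GroupComponent = " & _
            """Win32_Group.Domain='" & sComputer & "',Name='" & sGroup & "'""")
        For Each oMember In colMembers
            ' PartComponent is a path such as
            '   \\HOST\root\cimv2:Win32_UserAccount.Domain="DOM",Name="user"
            sPart  = oMember.PartComponent
            sClass = Split(Mid(sPart, InStr(sPart, ":") + 1), ".")(0)   ' Win32_UserAccount etc.
            oOutput.WriteLine sComputer & ",Y," & sGroup & "," & _
                Mid(sClass, Len("Win32_") + 1) & "," & _
                KeyValue(sPart, "Domain") & "\" & KeyValue(sPart, "Name")
        Next
    Next
End Sub

' Value of one key (Domain or Name) from a WMI object path string.
Function KeyValue(sPath, sKey)
    Dim p, q
    p = InStr(sPath, sKey & "=""")
    If p = 0 Then
        KeyValue = ""
    Else
        p = p + Len(sKey) + 2
        q = InStr(p, sPath, """")
        KeyValue = Mid(sPath, p, q - p)
    End If
End Function
```

Run it the same way as the wiki's script (cscript from the folder it sits in). The ObjectType column comes from the class name in the member's WMI path with the Win32_ prefix removed, which is why UserAccount and Group appear exactly as in the sample output; hosts on which Power Users does not exist simply produce no rows for that group.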