Looking for way to enumerate members of local administrators group

  #1  
Old 07-03-2008
Mark
 
Posts: n/a
Looking for way to enumerate members of local administrators group

Hi, I have a difficult WMI/VBScript question.

My goal is to list the membership of the local Administrators group on a series of servers. Normally this would be easy and I could use the code:

Set objGroup = GetObject("WinNT://" & ComputerName & "/Administrators,group")
For Each objUser in objGroup.Members
Wscript.Echo objUser.Name
Next

under normal circumstances... my problem is that my id doesn't have permission and I need to authenticate the call, that is I have a list of servers and domain id's that have permissions to make the call.

For all other WMI calls (like win32_Disk), I would use an authenticated call:

Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set WmiObjSet = objSWbemLocator.ConnectServer(strComputer, _
"root\CIMV2", _
strCredentials, _
strPassword)


But the "WinNT:" GetObject call does not seem to support a set of credentials. So I am looking for a way to solve this. I think I am looking at two possibilities:

1 - find a syntax that permits the "WinNT://" GetObject call to use credentials
2 - use similar WIN32 WMI calls to achieve the same thing. I know that WMI_UserAccount, WMI_Group, WMI_GroupUser, WMI_GroupInDomain exist and I can see a list of id's and a list of groups using them but I can't make out how to connect the two.


Can anyone help me?

Mark


  #2  
Old 07-03-2008
Richard Mueller [MVP]
 
Posts: n/a
Re: Looking for way to enumerate members of local administrators group

Mark wrote:

Hi, I have a difficult WMI/VBScript question.

My goal is to list the membership of the local Administrators group on a
series of servers. Normally this would be easy and I could use the code:

Set objGroup = GetObject("WinNT://" & ComputerName & "/Administrators,group")
For Each objUser in objGroup.Members
Wscript.Echo objUser.Name
Next

under normal circumstances... my problem is that my id doesn't have
permission and I need to authenticate the call, that is I have a list of
servers and domain id's that have permissions to make the call.

For all other WMI calls (like win32_Disk), I would use an authenticated
call:

Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set WmiObjSet = objSWbemLocator.ConnectServer(strComputer, _
"root\CIMV2", _
strCredentials, _
strPassword)


But the "WinNT:" GetObject call does not seem to support a set of
credentials. So I am looking for a way to solve this. I think I am looking
at two possibilities:

1 - find a syntax that permits the "WinNT://" GetObject call to use
credentials
2 - use similar WIN32 WMI calls to achieve the same thing. I know that
WMI_UserAccount, WMI_Group, WMI_GroupUser, WMI_GroupInDomain exist and I can
see a list of id's and a list of groups using them but I can't make out how
to connect the two.
-----

You can use the OpenDSObject method with the WinNT provider. For example:
============
' ADSI authentication flags passed to OpenDSObject
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

strUserName = "JSmith"
strPassword = "xzy312q"
strComputer = "TestComputer"

' Bind to the WinNT namespace, then open the group with alternate credentials
Set objNS = GetObject("WinNT:")
Set objGroup = objNS.OpenDSObject("WinNT://" & strComputer _
    & "/Administrators,group", _
    strUserName, strPassword, _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)
' List every member of the local Administrators group
For Each objMember In objGroup.Members
    Wscript.Echo objMember.Name
Next

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


  #3  
Old 08-03-2008
Mark
 
Posts: n/a
Re: Looking for way to enumerate members of local administrators group

Thank you very much Richard, I was unable to find anything that referenced
the ability to add in credentials to the call. It works quite well!

One thing that is strange, when going across untrusted domains, I am only
retrieving local id/groups on the servers, but no domain groups. Is that a
feature of how it works?

Mark

  #4  
Old 08-03-2008
Richard Mueller [MVP]
 
Posts: n/a
Re: Looking for way to enumerate members of local administrators group

I don't have an untrusted domain to test with, but if you authenticate to a
computer object, you can see objects in the computer, but you have not
authenticated to the domain. You can see a local group, but if a member of
the local group is a domain object, like "Domain Admins", I don't know what
you will see. The Members method of the group object returns a collection of
member objects, and it makes sense that you cannot include references to
domain objects in this collection if you are not authenticated to the
domain.

If you are authenticated as a member of the "Domain Admins" group in the
other domain, there would be no problem, as this group by default is a
member of the local Administrators group for all computers joined to the
domain. Maybe you can authenticate to the local group with credentials of a
member of the "Domain Admins" group (in the untrusted domain). Maybe you
need to use something similar to:
========
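' ADSI authentication flags passed to OpenDSObject
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

strDomainAdmName = "JSmith"
strPassword = "xzy312q"
strComputer = "TestComputer"
strDomain = "MyDomain"

' Bind through the domain path (WinNT://Domain/Computer/Group) with the
' credentials of a Domain Admins member
Set objNS = GetObject("WinNT:")
Set objGroup = objNS.OpenDSObject("WinNT://" & strDomain & "/" & strComputer _
    & "/Administrators,group", _
    strDomainAdmName, strPassword, _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)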

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

  #5  
Old 04-06-2008
Mahesh
 
Posts: n/a
Re: Looking for way to enumerate members of local administrators g

How do I retrieve the domain name of the users under Administrators group
using the OpenDSObject method with the WinNT provider?

Thanks for your posts.
Regards
Mahesh

Reply With Quote
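
An added example, not part of any post in this thread: one way to report which domain or machine each member of the local Administrators group belongs to, by reading each member's ADsPath instead of its Name after the credentialed OpenDSObject bind shown above. DescribeMember and ListAdmins are hypothetical helper names, the path forms in the comments are the assumed WinNT member path shapes, and the sample paths are constructed.

```vbscript
Option Explicit
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

' Classify one member ADsPath relative to the computer that was queried.
' Assumed forms: WinNT://DOMAIN/COMPUTER/name or WinNT://COMPUTER/name (local),
' WinNT://DOMAIN/name (domain or built-in authority), WinNT://S-1-... (bare SID).
Function DescribeMember(strPath, strComputer)
    Dim strRest, arrParts, intLast
    strRest = Mid(strPath, Len("WinNT://") + 1)
    arrParts = Split(strRest, "/")
    intLast = UBound(arrParts)
    If intLast < 1 Then
        If UCase(Left(strRest, 4)) = "S-1-" Then
            DescribeMember = "UNRESOLVED SID: " & strRest
        Else
            DescribeMember = "UNQUALIFIED: " & strRest
        End If
    ElseIf StrComp(arrParts(intLast - 1), strComputer, vbTextCompare) = 0 Then
        DescribeMember = "LOCAL: " & strComputer & "\" & arrParts(intLast)
    Else
        DescribeMember = "DOMAIN/AUTHORITY: " & arrParts(0) & "\" & arrParts(intLast)
    End If
End Function

' Live query with alternate credentials, same call and flags as in the thread.
Sub ListAdmins(strComputer, strUserName, strPassword)
    Dim objNS, objGroup, objMember
    Set objNS = GetObject("WinNT:")
    Set objGroup = objNS.OpenDSObject("WinNT://" & strComputer & "/Administrators,group", _
        strUserName, strPassword, ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)
    For Each objMember In objGroup.Members
        WScript.Echo DescribeMember(objMember.ADsPath, strComputer) & " [" & objMember.Class & "]"
    Next
End Sub

Dim strSample
If WScript.Arguments.Count = 2 Then
    ' cscript.exe only: <computer> <user>; password read from stdin (echoed), not stored.
    WScript.StdOut.Write "Password: "
    ListAdmins WScript.Arguments(0), WScript.Arguments(1), WScript.StdIn.ReadLine
Else
    ' Offline run on constructed sample paths (not output from a real server).
    For Each strSample In Array("WinNT://MyDomain/TestComputer/Administrator", _
            "WinNT://MyDomain/Domain Admins", "WinNT://S-1-5-21-1-2-3-1104")
        WScript.Echo DescribeMember(strSample, "TestComputer")
    Next
End If
```

Run with no arguments, it classifies the three constructed paths as LOCAL, DOMAIN/AUTHORITY and UNRESOLVED SID in that order.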