Looking for way to enumerate members of local administrators group
Hi, I have a difficult WMI/VBScript question.
My goal is to list the membership of the local Administrators group on a series of servers. Normally this would be easy and I could use the code:
Set objGroup = GetObject("WinNT://" & ComputerName & "/Administrators,group")
For Each objUser in objGroup.Members
    Wscript.Echo objUser.Name
Next
under normal circumstances... my problem is that my id doesn't have permission and I need to authenticate the call, that is I have a list of servers and domain id's that have permissions to make the call.
For all other WMI calls (like win32_Disk), I would use an authenticated call:
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set WmiObjSet = objSWbemLocator.ConnectServer(strComputer, _
    "root\CIMV2", _
    strCredentials, _
    strPassword)
But the "WinNT:" GetObject call does not seem to support a set of credentials. So I am looking for a way to solve this. I think I am looking at two possibilities:
1 - find a syntax that permits the "WinNT://" GetObject call to use credentials
2 - use similar WIN32 WMI calls to achieve the same thing. I know that WMI_UserAccount, WMI_Group, WMI_GroupUser, WMI_GroupInDomain exist and I can see a list of id's and a list of groups using them but I can't make out how to connect the two.
Can anyone help me?
Mark
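The second possibility in the post above (joining groups to their members through WMI with an authenticated connection) can be done with the Win32_Group and Win32_GroupUser classes. The following is an added example, not code from the original thread; the script name and its two command-line arguments are assumptions, and the password is read from standard input instead of being stored in the script.

```vbscript
Option Explicit
' Added example. Run: cscript //nologo admins_wmi.vbs <computer> <user>
' (script name and arguments are hypothetical)
Dim strComputer, strUser, strPassword
strComputer = WScript.Arguments(0)
strUser = WScript.Arguments(1)
WScript.StdOut.Write "Password for " & strUser & ": "
strPassword = WScript.StdIn.ReadLine      ' typed input is echoed by cscript

Dim objLocator, objWMI, objGroup, objLink, strGroupRef
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMI = objLocator.ConnectServer(strComputer, "root\CIMV2", strUser, strPassword)
objWMI.Security_.ImpersonationLevel = 3   ' wbemImpersonationLevelImpersonate
objWMI.Security_.AuthenticationLevel = 6  ' wbemAuthenticationLevelPktPrivacy

' Pulls class, Domain and Name out of a member reference such as
' \\SRV\root\cimv2:Win32_UserAccount.Domain="CORP",Name="JSmith"
Dim objRe, colMatches
Set objRe = New RegExp
objRe.IgnoreCase = True
objRe.Pattern = ":(\w+)\.Domain=""([^""]*)"",Name=""([^""]*)"""

' Find the group by its well-known SID so that a renamed or localized
' Administrators group is still matched.
For Each objGroup In objWMI.ExecQuery( _
        "SELECT Domain, Name FROM Win32_Group " & _
        "WHERE LocalAccount = TRUE AND SID = 'S-1-5-32-544'")
    strGroupRef = "Win32_Group.Domain='" & objGroup.Domain & _
                  "',Name='" & objGroup.Name & "'"
    ' Each Win32_GroupUser instance links the group to one member.
    For Each objLink In objWMI.ExecQuery( _
            "SELECT * FROM Win32_GroupUser " & _
            "WHERE GroupComponent = """ & strGroupRef & """")
        Set colMatches = objRe.Execute(objLink.PartComponent)
        If colMatches.Count > 0 Then
            WScript.Echo colMatches(0).SubMatches(1) & "\" & _
                         colMatches(0).SubMatches(2) & _
                         "  (" & colMatches(0).SubMatches(0) & ")"
        Else
            WScript.Echo "Unparsed member reference: " & objLink.PartComponent
        End If
    Next
Next
```

Reading Domain and Name from the PartComponent reference string lists each member without binding to the member object itself.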
Re: Looking for way to enumerate members of local administrators group
You can use the OpenDSObject method with the WinNT provider. For example:
============
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

' Credentials for an account with rights on the target computer
strUserName = "JSmith"
strPassword = "xzy312q"
strComputer = "TestComputer"

' Bind to the WinNT namespace, then open the group with explicit credentials
Set objNS = GetObject("WinNT:")
Set objGroup = objNS.OpenDSObject("WinNT://" & strComputer _
    & "/Administrators,group", _
    strUserName, strPassword, _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)

For Each objMember In objGroup.Members
    Wscript.Echo objMember.Name
Next
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
Re: Looking for way to enumerate members of local administrators group
Thank you very much Richard, I was unable to find anything that referenced
the ability to add in credentials to the call. It works quite well!
One thing that is strange, when going across untrusted domains, I am only
retrieving local id/groups on the servers, but no domain groups. Is that a
feature of how it works?
Mark
Re: Looking for way to enumerate members of local administrators group
I don't have an untrusted domain to test with, but if you authenticate to a
computer object, you can see objects in the computer, but you have not
authenticated to the domain. You can see a local group, but if a member of
the local group is a domain object, like "Domain Admins", I don't know what
you will see. The Members method of the group object returns a collection of
member objects, and it makes sense that you cannot include references to
domain objects in this collection if you are not authenticated to the
domain.
If you are authenticated as a member of the "Domain Admins" group in the
other domain, there would be no problem, as this group by default is a
member of the local Administrators group for all computers joined to the
domain. Maybe you can authenticate to the local group with credentials of a
member of the "Domain Admins" group (in the untrusted domain). Maybe you
need to use something similar to:
========
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

strDomainAdmName = "JSmith"
strPassword = "xzy312q"
strComputer = "TestComputer"
strDomain = "MyDomain"

' Include the domain in the ADsPath when binding to the computer's group
Set objNS = GetObject("WinNT:")
Set objGroup = objNS.OpenDSObject("WinNT://" & strDomain & "/" & strComputer _
    & "/Administrators,group", _
    strDomainAdmName, strPassword, _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
Re: Looking for way to enumerate members of local administrators g
How do I retrieve the domain name of the users under Administrators group
using the OpenDSObject method with the WinNT provider?
Thanks for your posts.
Regards
Mahesh
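One way to get the domain of each member with the OpenDSObject approach from this thread is to read the member's ADsPath instead of its Name. This is an added example, not code from the original posts; the DescribeMember helper and the command-line arguments are hypothetical, and the three path shapes it handles are assumed to be the forms the WinNT provider returns.

```vbscript
Option Explicit
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

' Hypothetical helper: turn a WinNT ADsPath into "authority\name".
Function DescribeMember(strADsPath)
    Dim arrParts, n
    arrParts = Split(Mid(strADsPath, Len("WinNT://") + 1), "/")
    n = UBound(arrParts)
    Select Case n
        Case 0      ' WinNT://S-1-5-21-...  member SID that was not resolved to a name
            DescribeMember = "(unresolved SID) " & arrParts(0)
        Case 1      ' WinNT://DOMAIN/Name   domain account or group
            DescribeMember = arrParts(0) & "\" & arrParts(1)
        Case Else   ' WinNT://DOMAIN/COMPUTER/Name   account local to the computer
            DescribeMember = arrParts(n - 1) & "\" & arrParts(n)
    End Select
End Function

' Run: cscript //nologo admins_adsi.vbs <computer> <user>   (names are hypothetical)
Dim strComputer, strUser, strPassword, objNS, objGroup, objMember
strComputer = WScript.Arguments(0)
strUser = WScript.Arguments(1)
WScript.StdOut.Write "Password for " & strUser & ": "
strPassword = WScript.StdIn.ReadLine      ' typed input is echoed by cscript

Set objNS = GetObject("WinNT:")
Set objGroup = objNS.OpenDSObject("WinNT://" & strComputer _
    & "/Administrators,group", _
    strUser, strPassword, _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)

' ADsPath carries the authority (domain or computer) that Name omits.
For Each objMember In objGroup.Members
    WScript.Echo DescribeMember(objMember.ADsPath) & "  [" & objMember.Class & "]"
Next
```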