Results 1 to 5 of 5

Thread: Looking for way to enumerate members of local administrators group

  1. #1
    Mark Guest

    Looking for way to enumerate members of local administrators group

    Hi, I have a difficult WMI/VBScript question.

    My goal is to list the membership of the local Administrators group on a series of servers. Normally this would be easy and I could use the code:

    Set objGroup = GetObject("WinNT://" & ComputerName & "/Administrators,group")
    For Each objUser in objGroup.Members
    Wscript.Echo objUser.Name
    Next

    under normal circumstances... my problem is that my id doesn't have permission and I need to authenticate the call, that is I have a list of servers and domain id's that have permissions to make the call.

    For all other WMI calls (like win32_Disk), I would use an authenticated call:

    Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    Set WmiObjSet = objSWbemLocator.ConnectServer(strComputer, _
    "root\CIMV2", _
    strCredentials, _
    strPassword)


    But the "WinNT:" GetObject call does not seem to support a set of credentials. So I am looking for a way to solve this. I think I am looking at two possibilities:

    1 - find a syntax that permits the "WinNT://" GetObject call to use credentials
    2 - use similar WIN32 WMI calls to achieve the same thing. I know that WMI_UserAccount, WMI_Group, WMI_GroupUser, WMI_GroupInDomain exist and I can see a list of id's and a list of groups using them but I can't make out how to connect the two.


    Can anyone help me?

    Mark


  2. #2
    Richard Mueller [MVP] Guest

    Re: Looking for way to enumerate members of local administrators group

    Mark wrote:

    Hi, I have a difficult WMI/VBScript question.

    My goal is to list the membership of the local Administrators group on a
    series of servers. Normally this would be easy and I could use the code:

    Set objGroup = GetObject("WinNT://" & ComputerName &
    "/Administrators,group")
    For Each objUser in objGroup.Members
    Wscript.Echo objUser.Name
    Next

    under normal circumstances... my problem is that my id doesn't have
    permission and I need to authenticate the call, that is I have a list of
    servers and domain id's that have permissions to make the call.

    For all other WMI calls (like win32_Disk), I would use an authenticated
    call:

    Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    Set WmiObjSet = objSWbemLocator.ConnectServer(strComputer, _
    "root\CIMV2", _
    strCredentials, _
    strPassword)


    But the "WinNT:" GetObject call does not seem to support a set of
    credentials. So I am looking for a way to solve this. I think I am looking
    at two possibilities:

    1 - find a syntax that permits the "WinNT://" GetObject call to use
    credentials
    2 - use similar WIN32 WMI calls to achieve the same thing. I know that
    WMI_UserAccount, WMI_Group, WMI_GroupUser, WMI_GroupInDomain exist and I can
    see a list of id's and a list of groups using them but I can't make out how
    to connect the two.
    -----

    You can use the OpenDSObject method with the WinNT provider. For example:
    ============
    Const ADS_SECURE_AUTHENTICATION = &H1
    Const ADS_USE_ENCRYPTION = &H2

    strUserName = "JSmith"
    strPassword = "xzy312q"
    strComputer = "TestComputer"

    Set objNS = GetObject("WinNT:")
    Set objGroup = objNS.OpenDSObject("WintNT://" & strComputer _
    & "/Administrators,group", _
    strUserName, strPassword, ADS_SECURE_AUTHENTICATION Or
    ADS_USE_ENCRYPTION)
    For Each objMember In objGroup.Members
    Wscript.Echo objMember.Name
    Next

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --



  3. #3
    Mark Guest

    Re: Looking for way to enumerate members of local administrators group

    Thank you very much Richard, I was unable to find anything that referenced
    the ability to add in credentials to the call. It works quite well!

    One thing that is strange, when going across untrusted domains, I am only
    retrieving local id/groups on the servers, but no domain groups. Is that a
    feature of how it works?

    Mark




    "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
    message news:%23SRleS$fIHA.2000@TK2MSFTNGP03.phx.gbl...
    > Mark wrote:
    >
    > Hi, I have a difficult WMI/VBScript question.
    >
    > My goal is to list the membership of the local Administrators group on a
    > series of servers. Normally this would be easy and I could use the code:
    >
    > Set objGroup = GetObject("WinNT://" & ComputerName &
    > "/Administrators,group")
    > For Each objUser in objGroup.Members
    > Wscript.Echo objUser.Name
    > Next
    >
    > under normal circumstances... my problem is that my id doesn't have
    > permission and I need to authenticate the call, that is I have a list of
    > servers and domain id's that have permissions to make the call.
    >
    > For all other WMI calls (like win32_Disk), I would use an authenticated
    > call:
    >
    > Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    > Set WmiObjSet = objSWbemLocator.ConnectServer(strComputer, _
    > "root\CIMV2", _
    > strCredentials, _
    > strPassword)
    >
    >
    > But the "WinNT:" GetObject call does not seem to support a set of
    > credentials. So I am looking for a way to solve this. I think I am looking
    > at two possibilities:
    >
    > 1 - find a syntax that permits the "WinNT://" GetObject call to use
    > credentials
    > 2 - use similar WIN32 WMI calls to achieve the same thing. I know that
    > WMI_UserAccount, WMI_Group, WMI_GroupUser, WMI_GroupInDomain exist and I
    > can see a list of id's and a list of groups using them but I can't make
    > out how to connect the two.
    > -----
    >
    > You can use the OpenDSObject method with the WinNT provider. For example:
    > ============
    > Const ADS_SECURE_AUTHENTICATION = &H1
    > Const ADS_USE_ENCRYPTION = &H2
    >
    > strUserName = "JSmith"
    > strPassword = "xzy312q"
    > strComputer = "TestComputer"
    >
    > Set objNS = GetObject("WinNT:")
    > Set objGroup = objNS.OpenDSObject("WintNT://" & strComputer _
    > & "/Administrators,group", _
    > strUserName, strPassword, ADS_SECURE_AUTHENTICATION Or
    > ADS_USE_ENCRYPTION)
    > For Each objMember In objGroup.Members
    > Wscript.Echo objMember.Name
    > Next
    >
    > --
    > Richard Mueller
    > Microsoft MVP Scripting and ADSI
    > Hilltop Lab - http://www.rlmueller.net
    > --
    >
    >



  4. #4
    Richard Mueller [MVP] Guest

    Re: Looking for way to enumerate members of local administrators group

    I don't have an untrusted domain to test with, but if you authenicate to a
    computer object, you can see objects in the computer, but you have not
    authenticated to the domain. You can see a local group, but if a member of
    the local group is a domain object, like "Domain Admins", I don't know what
    you will see. The Members method of the group object returns a collection of
    member objects, and it makes sense that you cannot include references to
    domain objects in this collection if you are not authenticated to the
    domain.

    If you are authenticated as a member of the "Domain Admins" group in the
    other domain, there would be no problem, as this group by default is a
    member of the local Administrators group for all computers joined to the
    domain. Maybe you can authenticate to the local group with credentials of a
    member of the "Domain Admins" group (in the untrusted domain). Maybe you
    need to use something similar to:
    ========
    strDomainAdmName = "JSmith"
    strPassword = "xzy312q"
    strComputer = "TestComputer"
    strDomain = "MyDomain"

    Set objNS = GetObject("WinNT:")
    Set objGroup = objNS.OpenDSObject("WintNT://" & strDomain & "/" &
    strComputer _
    & "/Administrators,group", _
    strDomainAdmName, strPassword, ADS_SECURE_AUTHENTICATION Or
    ADS_USE_ENCRYPTION)

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --

    "Mark" <mark_butler@verizon.net> wrote in message
    news:5DF1B796-D11C-427C-8C82-E3EE66FA49CC@microsoft.com...
    > Thank you very much Richard, I was unable to find anything that referenced
    > the ability to add in credentials to the call. It works quite well!
    >
    > One thing that is strange, when going across untrusted domains, I am only
    > retrieving local id/groups on the servers, but no domain groups. Is that a
    > feature of how it works?
    >
    > Mark
    >
    >
    >
    >
    > "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
    > message news:%23SRleS$fIHA.2000@TK2MSFTNGP03.phx.gbl...
    >> Mark wrote:
    >>
    >> Hi, I have a difficult WMI/VBScript question.
    >>
    >> My goal is to list the membership of the local Administrators group on a
    >> series of servers. Normally this would be easy and I could use the code:
    >>
    >> Set objGroup = GetObject("WinNT://" & ComputerName &
    >> "/Administrators,group")
    >> For Each objUser in objGroup.Members
    >> Wscript.Echo objUser.Name
    >> Next
    >>
    >> under normal circumstances... my problem is that my id doesn't have
    >> permission and I need to authenticate the call, that is I have a list of
    >> servers and domain id's that have permissions to make the call.
    >>
    >> For all other WMI calls (like win32_Disk), I would use an authenticated
    >> call:
    >>
    >> Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    >> Set WmiObjSet = objSWbemLocator.ConnectServer(strComputer, _
    >> "root\CIMV2", _
    >> strCredentials, _
    >> strPassword)
    >>
    >>
    >> But the "WinNT:" GetObject call does not seem to support a set of
    >> credentials. So I am looking for a way to solve this. I think I am
    >> looking at two possibilities:
    >>
    >> 1 - find a syntax that permits the "WinNT://" GetObject call to use
    >> credentials
    >> 2 - use similar WIN32 WMI calls to achieve the same thing. I know that
    >> WMI_UserAccount, WMI_Group, WMI_GroupUser, WMI_GroupInDomain exist and I
    >> can see a list of id's and a list of groups using them but I can't make
    >> out how to connect the two.
    >> -----
    >>
    >> You can use the OpenDSObject method with the WinNT provider. For example:
    >> ============
    >> Const ADS_SECURE_AUTHENTICATION = &H1
    >> Const ADS_USE_ENCRYPTION = &H2
    >>
    >> strUserName = "JSmith"
    >> strPassword = "xzy312q"
    >> strComputer = "TestComputer"
    >>
    >> Set objNS = GetObject("WinNT:")
    >> Set objGroup = objNS.OpenDSObject("WintNT://" & strComputer _
    >> & "/Administrators,group", _
    >> strUserName, strPassword, ADS_SECURE_AUTHENTICATION Or
    >> ADS_USE_ENCRYPTION)
    >> For Each objMember In objGroup.Members
    >> Wscript.Echo objMember.Name
    >> Next
    >>
    >> --
    >> Richard Mueller
    >> Microsoft MVP Scripting and ADSI
    >> Hilltop Lab - http://www.rlmueller.net
    >> --
    >>
    >>

    >




  5. #5
    Mahesh Guest

    Re: Looking for way to enumerate members of local administrators g

    How do i retrieve the domain name of the users under Administrators group
    using the OpenDSObject method with the WinNT provider.

    Thanks for yous posts.
    Regards
    Mahesh

    "Mark" wrote:

    > Thank you very much Richard, I was unable to find anything that referenced
    > the ability to add in credentials to the call. It works quite well!
    >
    > One thing that is strange, when going across untrusted domains, I am only
    > retrieving local id/groups on the servers, but no domain groups. Is that a
    > feature of how it works?
    >
    > Mark
    >
    >
    >
    >
    > "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
    > message news:%23SRleS$fIHA.2000@TK2MSFTNGP03.phx.gbl...
    > > Mark wrote:
    > >
    > > Hi, I have a difficult WMI/VBScript question.
    > >
    > > My goal is to list the membership of the local Administrators group on a
    > > series of servers. Normally this would be easy and I could use the code:
    > >
    > > Set objGroup = GetObject("WinNT://" & ComputerName &
    > > "/Administrators,group")
    > > For Each objUser in objGroup.Members
    > > Wscript.Echo objUser.Name
    > > Next
    > >
    > > under normal circumstances... my problem is that my id doesn't have
    > > permission and I need to authenticate the call, that is I have a list of
    > > servers and domain id's that have permissions to make the call.
    > >
    > > For all other WMI calls (like win32_Disk), I would use an authenticated
    > > call:
    > >
    > > Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    > > Set WmiObjSet = objSWbemLocator.ConnectServer(strComputer, _
    > > "root\CIMV2", _
    > > strCredentials, _
    > > strPassword)
    > >
    > >
    > > But the "WinNT:" GetObject call does not seem to support a set of
    > > credentials. So I am looking for a way to solve this. I think I am looking
    > > at two possibilities:
    > >
    > > 1 - find a syntax that permits the "WinNT://" GetObject call to use
    > > credentials
    > > 2 - use similar WIN32 WMI calls to achieve the same thing. I know that
    > > WMI_UserAccount, WMI_Group, WMI_GroupUser, WMI_GroupInDomain exist and I
    > > can see a list of id's and a list of groups using them but I can't make
    > > out how to connect the two.
    > > -----
    > >
    > > You can use the OpenDSObject method with the WinNT provider. For example:
    > > ============
    > > Const ADS_SECURE_AUTHENTICATION = &H1
    > > Const ADS_USE_ENCRYPTION = &H2
    > >
    > > strUserName = "JSmith"
    > > strPassword = "xzy312q"
    > > strComputer = "TestComputer"
    > >
    > > Set objNS = GetObject("WinNT:")
    > > Set objGroup = objNS.OpenDSObject("WintNT://" & strComputer _
    > > & "/Administrators,group", _
    > > strUserName, strPassword, ADS_SECURE_AUTHENTICATION Or
    > > ADS_USE_ENCRYPTION)
    > > For Each objMember In objGroup.Members
    > > Wscript.Echo objMember.Name
    > > Next
    > >
    > > --
    > > Richard Mueller
    > > Microsoft MVP Scripting and ADSI
    > > Hilltop Lab - http://www.rlmueller.net
    > > --
    > >
    > >

    >


Similar Threads

  1. Domain user to local administrators group
    By alimk in forum Windows Server Help
    Replies: 5
    Last Post: 30-09-2009, 06:03 PM
  2. how to pull local group members in vbscript?
    By vivekmohan in forum Software Development
    Replies: 3
    Last Post: 25-07-2009, 01:22 PM
  3. Replies: 2
    Last Post: 23-02-2009, 09:41 PM
  4. List users in local administrators group on remote machine
    By Nick in forum Windows Server Help
    Replies: 5
    Last Post: 11-10-2008, 12:01 AM
  5. Replies: 3
    Last Post: 17-06-2008, 02:46 PM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,638,277,258.82701 seconds with 17 queries