So I wanted an answer to a very simple question. Who on my network has been given Local Admin rights?
We have had requirements in the past where users had to be administrators for whatever reason, usually due to applications not working. Now i want to get a better understanding of who has access so we can try and minimise this (as I find it to be a security risk).
I did some searching around and it looks like i have found the a very simple solution. In short its a simple 2 line script that checks domain users (other than Domain Admins) and saves them in a file called %computername%.txt. It then searches that file for the user names and creates a new file for each user name in a different file called %username%.txt.
This way you get text files (on a network location) for users and computers and is easy to find what you are after.
The code is below:
echo *** Checking Admin rights of PC and User ***
net localgroup administrators | find "\" | find /v "Domain Admins" > \\server\share\admins\PC\%COMPUTERNAME%.txt
for /F "tokens=1,2 delims=\" %%i in (\\server\share\admins\PC\%COMPUTERNAME%.txt) do if not "%%j"=="" echo %DATE% — %COMPUTERNAME% >> \\server\share\admins\USER\%%j.TXT
Now all you have to do is a startup script in a group policy, and away it goes.
-Make sure the location \\server\share\admins has read and write access by all users.
-Make sure you apply the startup script to the computers OU (or the domain if you want to include all machines) and assign it to “Authenticated Users” so that it can apply to all authenticated computer accounts.
-Assign only to PC computer OU’s to exclude all servers and only apply to client PC’s.
So the script was a success. After running it on all of our PC OU’s as a startup script, i found that out of our small number of 200 odd clients there were aprox 15 PC’s with local admin rights and from them we only need to correct about 10.
Please let me know how it goes in your environment!