BleepingComputer.com: Locating PC's on a network with Local Admin users

Locating PC's on a network with Local Admin users
How do I query or search for this? Script? Software?

#1 Eric RBA

Posted 17 November 2009 - 03:51 PM

I need to be able to determine if any user's profile on any of our 500+ computers has been granted local admin rights. I have been tasked with finding a way, aside from locating all of the computers through Active Directory or through our Symantec AV Console, to identify which computers have a user in the Administrators group that doesn't belong there. I can identify that part if I can just see a list of that group for each of the PCs. I just don't care to do this manually.

Any thoughts?
I would never ask a person to do something that I wouldn't do myself.

#2 Eric RBA

Posted 23 November 2009 - 04:23 PM


#3 Ken-in-West-Seattle

Posted 23 November 2009 - 05:42 PM

Yes it really is that complex. I don't have the resources to figure it out for ya since I don't work for a regional ISP anymore or a corporation that will let me play with their AD servers and tools.

There probably are specific tools for what you want and they are probably priced prohibitively which is why the problem was dumped on you.

I have used scripting to create temporary flat files that can be searched for router interface info using a variety of unix tools in the past and even grep in its crudest form can find specific strings. The hard part is collecting the data and putting it in whatever form will yield useful data for your particular task.

I don't have the resources to even guess at that.

Anything you can read in a terminal can be used by a script.

Anything that can be identified by a string that does not contain control codes (or control codes that can't be escaped in the string) can be searched for.

Crafting grep searches so they also return identifying data as to which machine the user is on may be where the complexity gets out of hand. Sed and awk and their descendants might help massage the data and VI macros can do amazing things.

So if there was an easy answer you might have had one by now.
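
The flat-file approach described in post #3, as an added example that is not code from anyone in this thread: it reports each Administrators-group member that is not on an allowlist, together with the machine it was found on. It assumes one file per PC named `<HOSTNAME>.txt` holding the saved English-language output of `net localgroup Administrators`; the host names, accounts, allowlist and sample output are constructed.

```shell
#!/bin/sh
# Added example. Assumes one flat file per PC, named <HOSTNAME>.txt, holding
# the saved English output of `net localgroup Administrators`.

# find_unexpected DIR ALLOWFILE
# Prints "HOST<TAB>MEMBER" for every member not listed in ALLOWFILE
# (one allowed name per line, compared case-insensitively).
find_unexpected() {
    for f in "$1"/*.txt; do
        [ -e "$f" ] || continue
        host=$(basename "$f" .txt)
        tr -d '\r' < "$f" | awk -v host="$host" -v allow="$2" '
            BEGIN { while ((getline a < allow) > 0) ok[tolower(a)] = 1 }
            /^-+$/ { inlist = 1; seen = 1; next }   # rule line precedes members
            /^The command completed/ { inlist = 0 }
            inlist && NF {
                sub(/[ \t]+$/, "")                  # drop trailing padding
                if (!(tolower($0) in ok)) printf "%s\t%s\n", host, $0
            }
            # A failed collection must not look like a clean machine.
            END { if (!seen) printf "%s\t(no member list in file)\n", host }'
    done
}

# net_output MEMBER...: constructed stand-in for the saved command output (CRLF).
net_output() {
    printf '%s\r\n' 'Alias name     Administrators' \
        'Comment        Administrators have complete and unrestricted access' \
        '' 'Members' '' \
        '-------------------------------------------------------------------------------' \
        "$@" 'The command completed successfully.' ''
}

# make_sample DIR: writes constructed sample data (hosts and names are made up).
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'Administrator' 'CORP\Domain Admins' > "$1/allow.lst"
    net_output 'Administrator' 'CORP\Domain Admins' 'CORP\jsmith' > "$1/PC-001.txt"
    net_output 'Administrator' 'corp\domain admins' > "$1/PC-002.txt"
    net_output 'Administrator' 'PC-003\helpdesk' > "$1/PC-003.txt"
    printf 'System error 53 has occurred.\r\n' > "$1/PC-004.txt"
}

tmp=$(mktemp -d)
make_sample "$tmp"
find_unexpected "$tmp" "$tmp/allow.lst"
rm -rf "$tmp"
```

A file with no member list (an unreachable PC, for example) is reported rather than skipped, so a failed collection is not mistaken for a clean machine.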

#4 Ken-in-West-Seattle

Posted 23 November 2009 - 06:31 PM

OK, I broke down and used Google for ya.

http://blog.tech-cats.com/2007/09/querying...hrough-sql.html
http://blog.tech-cats.com/2007/11/getting-...led-active.html

If you know the string to query in AD to determine the local user with admin rights (or whatever it is you're looking for), you should be able to substitute the string for the one used to find enabled/disabled users.

I have not managed an AD server since several versions back so I have no way to test this. You would have to set up SQL on something.

I don't have any current knowledge but I think servers managed by AD don't have any local users. Maybe that's just those configured as domain controllers.

Anyway it is a starting place.

#5 Orange Blossom

Posted 23 November 2009 - 07:26 PM

I am merging this topic to your original topic to avoid confusion all around. ~ OB