Does anyone know of a way to enumerate the members of the local admin group on an NT4 workstation (No ADSI)? Looking for a method other than Howard's dll.

Does this work on NT: "net localgroup administrators" (from command prompt)?

You can use GrpMaint.exe as a standalone solution. You can enum remote servers and workstations. Or are you looking for a way to do this from within the logon script as a user?

Howard, I would like to run it from the login script. Users will have admin rights. Shelling out net localgroup administrators would be a possible solution, but it doesn't differentiate between users and groups as members. It just spits out everything.

k, why do you want to have the login script checking for all admin group members?

I cannot understand the requirement for a user to enum the group. Can you tell us what exactly you want to get from this operation and how you intend to use the data? Code: break On

The information will be gathered as part of our inventory script at login. This info is of no value to the user and the user never sees it, but the info is stored in a SQL database. This allows us to audit the members of the local admin group on any given PC. Many PCs have members who should not be.

This code should work to get all of the objects that are in the local admin group. I don't know how to tell the difference between users and groups, however. Code: $memberfile = "%temp%\adminmembers.tmp"

k, this worked on my w2k system: Code:

Nice... It also works on XP Pro.

damn. I have mistakenly created a script that has the potential to become a UDF

Yes, good code for 2000/XP there, Lonk. However, for NT 4, which was the original request, it does not appear to work. I tested it on NT 4 SP6a workstation and NT 4 Server SP6a and neither one returned info. So unless Lonk or someone else can figure out a pure KiXtart method, I'll suggest this: NetLocalGroupEnum, NetUserGetLocalGroups, NetUserEnum. Using Win32 C, C++, VB, Perl, Python, etc. you could use NetLocalGroupGetMembers. Otherwise you may have to locate a compiled .EXE or use WSH/ADSI to really accomplish this task. Here is a tool that I think should do what you're looking to do, but I've not tested it on NT 4: http://www.joeware.net/win32/zips/Lg.zip He also has a lot of other nice utilities for Admin work: http://www.joeware.net/
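
The NetLocalGroupGetMembers call suggested in the post above, as an added example in C that is not code from the thread: information level 2 returns each member's SID usage, which is what separates users from groups in the audit. The helper names (`member_kind`, `is_nested_group`, `list_admins`) are made up for this example, and the English group name "Administrators" is assumed.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>   /* link with netapi32.lib */
#endif

/* SID_NAME_USE values (winnt.h), as returned in lgrmi2_sidusage; helper names are illustrative. */
enum { USE_USER = 1, USE_GROUP = 2, USE_ALIAS = 4, USE_WELLKNOWN = 5, USE_DELETED = 6 };

/* Label stored with each member in the audit record. */
const char *member_kind(int usage)
{
    switch (usage) {
    case USE_USER:      return "user";
    case USE_GROUP:     return "group";
    case USE_ALIAS:     return "local group (alias)";
    case USE_WELLKNOWN: return "well-known group";
    case USE_DELETED:   return "deleted account";
    default:            return "other";
    }
}

/* Nonzero if the member is a group: accounts inside it hold admin
 * rights too but are not listed, so it needs a follow-up lookup. */
int is_nested_group(int usage)
{
    return usage == USE_GROUP || usage == USE_ALIAS || usage == USE_WELLKNOWN;
}

#ifdef _WIN32
/* server == NULL queries the local machine. "Administrators" is the
 * English group name (assumption); localized systems rename it. */
int list_admins(const wchar_t *server)
{
    LOCALGROUP_MEMBERS_INFO_2 *buf = NULL;
    DWORD nread = 0, total = 0, i;
    DWORD_PTR resume = 0;
    NET_API_STATUS rc = NetLocalGroupGetMembers(server, L"Administrators", 2,
            (LPBYTE *)&buf, MAX_PREFERRED_LENGTH, &nread, &total, &resume);
    if (rc != NERR_Success) { if (buf) NetApiBufferFree(buf); return (int)rc; }
    for (i = 0; i < nread; i++) {
        int use = (int)buf[i].lgrmi2_sidusage;
        printf("%ls\t%s%s\n", buf[i].lgrmi2_domainandname, member_kind(use),
               is_nested_group(use) ? "\texpand" : "");
    }
    NetApiBufferFree(buf);
    return 0;
}
int main(void) { return list_admins(NULL); }
#endif
```

Each output line is DOMAIN\name, a tab, and the member type; rows marked `expand` are groups whose own membership has to be looked up separately to see everyone who holds admin rights.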

Also, on 2000/XP it will show my own account which is a member of a Universal group on the AD, but it won't list the members of the other users in that group which actually do have local admin rights based on that group.

Quote: Can't you just enumerate the results? Would you not want to know both group and user members?

I would not have the user collect this info. Instead, I would have the computer create a flag file on a server indicating it is available for interrogation. A server based process would then query the workstation for any info needed outside the logon process.

Howard, I don't think a server admin script would be able to do it either without using ADSI/WMI or 3rd party against NT 4.0. He said without either of those methods.

Yes, he did say that... but the reason he said that, I think, is that ADSI was not installed on his current NT4 clients. In the scenario I put forth, he would not need ADSI on the clients, just the computer from where the admin script was executed.

Dependencies: WMI enabled Code:
With output: Quote:

hey co, I see only groups in there... didn't he say only users?

XPtest is a user.... Quote:

hey johnie... are you gonna just sit back there and let us fight? please tell us where you're at so we can try to better be of assistance.