Local Administrators Group Enumeration

Tue, 19 Sep 2006 04:34:26 GMT

I can't take all the credit for this script, some of it came from a source that I honestly don't remember. I usually find interesting snippets when looking for something else and save them to my /Snippets directory. This project came about because I needed a way to collect the members of a PC's local Administrators group into an SMS database. I could not find a good way to do it so I came up with a 2 step process;

1. Run a script on the PC that stuffs a registry key with the members of the local Administrators group
2. Configure the SMS_DEF.MOF to collect the registry key.

The first part is what this blog post is about; the vbscript. I will start with the following snippet:

Dim oNetwork, sComputer, oLocalGroup, aUsers

Set oNetwork = CreateObject("Wscript.Network")
sComputer = oNetwork.ComputerName

Set oLocalGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")

For Each oMember In oLocalGroup.Members
aUsers = Split(oMember.AdsPath, "/")
WScript.Echo aUsers(UBOUND(aUsers)-1) & "\" & aUsers(UBOUND(aUsers))
Next

Very simple really. When the AdsPath of a user is returned, it looks like this WinNT://XXX/YYY/ZZZ if it is a local account (user or group) or WinNT://XXX/ZZZ if it is a domain account (user or group). XXX = Workgroup or Domain name, YYY = Server name, ZZZ = account name (user or group). You will notice that if you take each line and split it into elements separated by the forward slash '/', the last two elements are always what we want. The line WScript.Echo aUsers(UBOUND(aUsers)-1) & "\" & aUsers(UBOUND(aUsers)) takes the second to last and last elements and puts them together in the familiar DOMAIN\Account format.

With a little more editing, I was able to stuff the registry with the "rebuilt" account name;

Dim oShell, oFSO, oNetwork, sComputer, oLocalGroup, aUsers

Set oShell = Wscript.CreateObject("Wscript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")

Set oNetwork = CreateObject("Wscript.Network")
sComputer = oNetwork.ComputerName

Set oLocalGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")
x = 1
For Each oMember In oLocalGroup.Members
    aUsers = Split(oMember.AdsPath, "/")
    oShell.RegWrite "HKLM\SYSTEM\MYCOMPANYSINFO\Security\LocalGroup\Administrators\Member" & x, aUsers(UBOUND(aUsers)-1) & "\" & aUsers(UBOUND(aUsers)), "REG_SZ"
    x = x + 1
Next

Wscript.Quit(0)

Note that the oShell.RegWrite line is continuous through the "REG_SZ". This window may have broken it up.

The result is that in the desired registry key, you will have Member1, Member2, etc with their values set to the member name.

-Gill

Gilliath: Scripting - vbscript

Local Administrators Group Enumeration