2 Replies Latest reply on Dec 14, 2010 8:31 AM by sporterfield

    Create a Query to Determine Who has Local Admin Rights

    Rookie

      I'm banging my head trying to create a query to determine which users on what machines have local admin rights. Has anyone succeeded in creating a similar query? I've tried a few different criteria and it either returns every computer and after checking in windows computer management it does not show any local administrators, or it shows a short list and no local admins as well. Any help would be appreciated.

       

      Thanks,

      Tom

       

      http://www.cnn.com/video/#/video/bestoftv/2010/12/02/mxp.bodyfat.shoplift.cnn?hpt=T2

        • 1. Re: Create a Query to Determine Who has Local Admin Rights
          Rookie

          There are numerous scripts you can run to determine if a user is local admin or not...  If you google it, you'll find examples in VBS, and so on.  What you could do is write a local admin checker code that runs silently during the logon script.  Have the script write the %username% variable in a chosen spot in the HKLM registry.  If it does not succeed, then that user was NOT an admin, since non-admins cannot modify HKLM.  Then, you could modify your ldappl3.template to scan for that registry setting, which should return a username and store that in Custom Data.

           

          This would be a start, anyway..

          • 2. Re: Create a Query to Determine Who has Local Admin Rights
            Apprentice

            It's a real shame they didn't put the local admin group members in multiple records to allow querying for computers with users who are administrators.  I like that script idea, but that will only show a user who logged on and was an administrator.  It won't necessarily show all users who are administrators.  If you only have one HKLM value, it would get overwritten each time an admin user signs on.  I suppose it should be possible to have the script attempt to delete multiple values then enumerate the administrators group back into the values.  I'm not sure if that would work in custom fields, though.  I'm also not convinced adding yet another delay to computer startup would go over well.