Kaseya Community

Determine local admin rights on workstations

  • We would like to be able to report on which users have local admin rights. Even better would be to be able to add/remove them if required. Anyone have any ideas?

    Legacy Forum Name: Determine local admin rights on workstations,
    Legacy Posted By Username: rvines@axcelltech.com
  • Here is a script we use to monitor local administrator accounts. This will dump all local administrators into a log file and upload the log file to your K server. Use the documents tab to retrieve the file.

    Script Name: Get Local Administrators
    Script Description:

    IF True
    THEN
    Execute Shell Command
    Parameter 1 : net localgroup administrators >> #vAgentConfiguration.agentTempDir#\local_admins.log
    Parameter 2 : 1
    OS Type : 0
    Get File
    Parameter 1 : #vAgentConfiguration.agentTempDir#\local_admins.log
    Parameter 2 : ..\Docs\LocalAdmins\local_admins.log
    Parameter 3 : 2
    OS Type : 0
    Delete File
    Parameter 1 : #vAgentConfiguration.agentTempDir#\local_admins.log
    OS Type : 0
    ELSE

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: cnwicsurrett
  • Awesome. I found a VB script that will do this sort of thing but dumps it to an Excel file, but not knowing VBS from the back of my hand, I was intimidated to even attempt anything with it. I was really hoping to get a report going that would grab the info; I'm not sure I will be able to do it in a timely fashion though.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: tsorensen@group1auto.com
  • Let me take this one a step further...

    We are just beginning a project to remove local admin rights from users - to address security concerns, reduce virus/malware infections, etc. I am trying to think of a way that I might be able to automate this with Kaseya.

    I can use the above logic to export a list to a text/log file. But then I need to parse that file, make a list of the local administrators, then remove each of them from the local administrators group - except for the domain admin account, and our custom account.

    I haven't started this effort yet. I thought I would check to see if anyone else might have already written the script, or a piece of it.

    Lloyd

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: lwolf
  • I have the remove local admin portion but it would be for one username at a time. Would be swell if the net command could be triggered with a wildcard and except statement. Here's the script we use to remove a user from the local admins group.


    Script Name: Remove an account from local admins
    Script Description: Removes the defined domain user from the local administrators group. Edit the script before executing to customize for your use.

    IF True
    THEN
    Execute Shell Command
    Parameter 1 : net localgroup administrators "domain\user" /delete
    Parameter 2 : 1
    OS Type : 0
    ELSE



    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: tsorensen@group1auto.com
  • lwolf
    Let me take this one a step further...

    We are just beginning a project to remove local admin rights from users - to address security concerns, reduce virus/malware infections, etc. I am trying to think of a way that I might be able to automate this with Kaseya.

    I can use the above logic to export a list to a text/log file. But then I need to parse that file, make a list of the local administrators, then remove each of them from the local administrators group - except for the domain admin account, and our custom account.

    I haven't started this effort yet. I thought I would check to see if anyone else might have already written the script, or a piece of it.

    Lloyd


    A script to remove all local admins can be found here:

    http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec05/hey1212.mspx

    Assuming your custom account is the same on every domain, you could use a managed variable for the domain name and add that user back in. A FQDN managed variable is one of my most used managed variables; it's a pain to set up but well worth it after the fact.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: cnwicsurrett
  • What you could do is run the first script that gives you that list of local admin users, then in the same script write a VBS file that will parse the first file and build an array of users (excluding the domain admin and anyone else you thought should not be included). Then you hand the array to a loop statement that will use Todd's delete user command to remove everyone but who you want to keep as a local admin.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: boudj
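
Added example, not part of the original thread or any poster's code: one way to do the parse-and-exclude step described above on the uploaded local_admins.log files, written in Python. The sample log, the EXAMPLE domain and the allowlist are constructed; the comparison ignores case but uses the full DOMAIN\name, so a local account that merely shares the service account's name is still reported.

```python
import re

# Constructed sample of `net localgroup administrators` output (English locale),
# as it would appear in an uploaded local_admins.log. All names are made up.
SAMPLE_LOG = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\\Domain Admins
EXAMPLE\\KServiceAccount
EXAMPLE\\jdoe
kserviceaccount
The command completed successfully.
"""

# Assumed allowlist: domain accounts are written fully qualified (DOMAIN\name).
ALLOWED = {"Administrator", r"EXAMPLE\Domain Admins", r"EXAMPLE\kserviceaccount"}


def parse_members(log_text):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True           # a dashed rule starts a member list
        elif in_list and line.lower().startswith("the command completed"):
            in_list = False          # status line ends the member list
        elif in_list and line:
            members.append(line)
    return members


def unexpected_admins(log_text, allowed=ALLOWED):
    """Members not on the allowlist; case is ignored, the domain part is not."""
    allowed_cf = {a.casefold() for a in allowed}
    return [m for m in parse_members(log_text) if m.casefold() not in allowed_cf]


if __name__ == "__main__":
    for name in unexpected_admins(SAMPLE_LOG):
        print("unexpected local admin:", name)
```
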
  • The script on the TechNet website only goes so far as to allow you to change one machine name at a time with the strComputer = "atl-ws-01", which doesn't work for me. I didn't want to make a list of machine names and would rather have a script to dump on a machine, run it and be done, so after toying with the one thing I fail at most... VBS, I have a working VBS file (thanks to a long-time friend who figured out my fail in 20 seconds, grrr). Edit the kserviceaccount to the local/domain service you use. All other users are removed from the local admins group.


    ' Resolve this computer's name for the WinNT provider path
    Set oShell = CreateObject("WScript.Shell")
    comp = oShell.ExpandEnvironmentStrings("%ComputerName%")

    Set objGroup = GetObject("WinNT://" & comp & "/Administrators")

    ' Remove every member except the three accounts named below
    For Each objUser In objGroup.Members
        If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" AND objUser.Name <> "kserviceaccount" Then
            objGroup.Remove(objUser.AdsPath)
        End If
    Next


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: tsorensen@group1auto.com
  • boudj
    that will use Todd's delete user command to remove everyone but who you want to keep as a local admin.


    **GASP** DUDE! NO FIRST NAMES!

    I kid ;)

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: tsorensen@group1auto.com
  • tsorensen,

    Wow, that looks very promising. I will give it a try. Thanks so much for sharing!

    Lloyd

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: lwolf
  • tsorensen,

    Looking very good. I am working on a combined script that does the following:
    - export BEFORE list of local administrators to text file, and upload to kserver
    - copy VBScript from KServer to Agent
    - Use VBScript to purge local administrators, leaving only local administrator, domain admins, and our custom Kaseya account
    - export AFTER list of local administrators to text file, and upload to kserver
    - write message to local Windows event log, and K script log.

    I will definitely post when I am done.

    But, I have a VB Script question that I need help with. The code provided uses

    If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" AND objUser.Name <> "kserviceaccount" Then


    In some cases, we were inconsistent with our Kaseya service account. In some cases it is "kserviceaccount", other cases it is "Kserviceaccount", other cases it is "KServiceAccount", etc. Always the same letters of the alphabet, just different lowercase and uppercase combinations.

    Could you provide the VB Script IF statement to make the comparison be case insensitive?

    Thanks so much!

    Lloyd

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: lwolf
  • lwolf
    tsorensen,

    Looking very good. I am working on a combined script that does the following:
    - export BEFORE list of local administrators to text file, and upload to kserver
    - copy VBScript from KServer to Agent
    - Use VBScript to purge local administrators, leaving only local administrator, domain admins, and our custom Kaseya account
    - export AFTER list of local administrators to text file, and upload to kserver
    - write message to local Windows event log, and K script log.

    I will definitely post when I am done.

    But, I have a VB Script question that I need help with. The code provided uses


    In some cases, we were inconsistent with our Kaseya service account. In some cases it is "kserviceaccount", other cases it is "Kserviceaccount", other cases it is "KServiceAccount", etc. Always the same letters of the alphabet, just different lowercase and uppercase combinations.

    Could you provide the VB Script IF statement to make the comparison be case insensitive?

    Thanks so much!

    Lloyd


    Try

    If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" AND LCase(objUser.Name) <> "kserviceaccount" Then


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: RCS-Michael
  • Ok. Time to teach a couple VBS tips:

    1. Forget the computer name stuff. It's only useful if you're using a VBS script to connect and retrieve information from other computers. For most VBS scripts run/scheduled by Kaseya you want to use the current computer. So change the computer name to ".".

    2. UCase / LCase functions. These functions convert a string to upper or lower case.

    So here's the VB script modified to run on the local computer and ignore case.

    strComputer = "."

    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

    For Each objUser In objGroup.Members
        If LCase(objUser.Name) <> "administrator" AND LCase(objUser.Name) <> "domain admins" Then
            Wscript.Echo objUser.Name
        End If
    Next

    Matt

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: connectex
  • Thanks connectex. I tried googling to see if there was a variable to use to just make it run local, but all the scripts I looked over were apparently meant to be run from a workstation or server on the same local LAN. Now I know to do the ".", which is extremely helpful. Thanks again.

    I also noticed after I pasted that I forgot the other quote on the other side of kservice account, sorry.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: tsorensen@group1auto.com
  • While this is all very cool, are we making this way too complicated? Why not just use Restricted Groups in group policy? Takes 30 seconds to set up and will be enforced on each PC boot.

    I'm all for Kaseya scripting but sometimes it is not the best tool for the job.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: djmundy