Enumerating Group Members with WMI, VBscript
-
I just recently began exploring WMI since you can't do everything with ADSI. My current project is to compile a list of domain users in my company with Local Administrator privileges on our numerous servers so that we may clean out any users who ought not have these powers. The problem is I can't seem to get the records I want from my query. Take a look at the following code:
strComputer = "." Set objSWbemServices = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set colSWbemObjectSet = objSWbemServices.ExecQuery("SELECT FullName," & _ "Domain, LocalAccount FROM Win32_UserAccount WHERE LocalAccount = false") For Each objSWbemObject In colSWbemObjectSet WScript.Echo " Domain: " & objSWbemObject.Domain & vbCrLf & _ "Full Name: " & objSWbemObject.FullName & vbCrLf NextThis query returns what appears to be all of the user accounts in my domain. I assume this is because our general domain users group is a member of the local "Users" group. How can I make the query only collect domain users who are also members of the local "Administrators" group? Thanks, Seth Kelly -
I just recently began exploring WMI since you can't do everything with ADSI. My current project is to compile a list of domain users in my company with Local Administrator privileges on our numerous servers so that we may clean out any users who ought not have these powers. The problem is I can't seem to get the records I want from my query. Take a look at the following code:
strComputer = "." Set objSWbemServices = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set colSWbemObjectSet = objSWbemServices.ExecQuery("SELECT FullName," & _ "Domain, LocalAccount FROM Win32_UserAccount WHERE LocalAccount = false") For Each objSWbemObject In colSWbemObjectSet WScript.Echo " Domain: " & objSWbemObject.Domain & vbCrLf & _ "Full Name: " & objSWbemObject.FullName & vbCrLf NextThis query returns what appears to be all of the user accounts in my domain. I assume this is because our general domain users group is a member of the local "Users" group. How can I make the query only collect domain users who are also members of the local "Administrators" group? Thanks, Seth KellyAllright, well I've made some progress here. I have a script that runs almost perfectly, but has a habit of getting stuck. Here's the essential code:
Set fso = CreateObject("Scripting.FileSystemObject") Set scribe = fso.CreateTextFile("c:\LocalAdminList.txt") Set boxes = fso.OpenTextFile("c:\servers.txt",1,false) DO Set CompConn = GetObject("winmgmts:\\" & box & "\root\cimv2") Set ColUsers = CompConn.ExecQuery("SELECT * FROM Win32_GroupUser WHERE" &_ "GroupComponent='Win32_Group.Domain=\'BUILTIN\',Name=\'Administrators\'' ") FOR EACH User IN ColUsers Username = User.PartComponent scribe.writeline Username (*script gets stuck here*) NEXT LOOP WHILE(boxes.atendofstream = false)Simple enough. Yet when I run the script against a list of a few hundred servers it gets stuck somewhere between the second and third server. Specifically, it never gets out of the FOR loop after it processes the last user in the second server's collection. When I remove this server from the list the script makes it through 5 more servers and then same deal. No errors, it just sits and doesn't do anything. Does anybody have any idea why this script won't drop out of the FOR loop when it ought to? Alternatively, is there any code to make it drop out after a certain period of innactiviy? -
Allright, well I've made some progress here. I have a script that runs almost perfectly, but has a habit of getting stuck. Here's the essential code:
Set fso = CreateObject("Scripting.FileSystemObject") Set scribe = fso.CreateTextFile("c:\LocalAdminList.txt") Set boxes = fso.OpenTextFile("c:\servers.txt",1,false) DO Set CompConn = GetObject("winmgmts:\\" & box & "\root\cimv2") Set ColUsers = CompConn.ExecQuery("SELECT * FROM Win32_GroupUser WHERE" &_ "GroupComponent='Win32_Group.Domain=\'BUILTIN\',Name=\'Administrators\'' ") FOR EACH User IN ColUsers Username = User.PartComponent scribe.writeline Username (*script gets stuck here*) NEXT LOOP WHILE(boxes.atendofstream = false)Simple enough. Yet when I run the script against a list of a few hundred servers it gets stuck somewhere between the second and third server. Specifically, it never gets out of the FOR loop after it processes the last user in the second server's collection. When I remove this server from the list the script makes it through 5 more servers and then same deal. No errors, it just sits and doesn't do anything. Does anybody have any idea why this script won't drop out of the FOR loop when it ought to? Alternatively, is there any code to make it drop out after a certain period of innactiviy?Well, I might as well continue answering my own questions. A bit of searching and I found this problem with WMI queries. Essentially, that report tells me that even though I ran my query looking for local users it still queries my entire domain to find them. My very large network isn't exactly standardized software-wise, so I assume the servers that this script hangs on don't have the proper hotfixes to handle my query. "EXIT FOR" is of course the equivalent to "break" that I was looking for, but I'm still curious about a condition that would break off the loop after a certain amount of inactivity. The query in my code runs server-side, so my end is indeed inactive while it queries endlessly. Another more useful tip would be one that explains how to improve my query. My problem is...essentially...solved, but not nearly to my satisfaction. Any help would still be much appreciated.