I've been tasked with finding which users on my company's local network have local admin rights on their PCs. Unfortunately the way these rights have been assigned (via a Domain Group and Restricted Groups) means that gathering the information is more tricky than just extracting it frrom AD.
I've established that it can be found via membership of the BUILTIN\Administrators group, but also that this cannot be checked remotely or via WMI, as it doesn't report the membership of the BUILTIN\Administrator group correctly.
I've managed to write a batch file which parses the results of a gpresult and writes to a CSV, which could be deployed via logon script, but have been trying to see if the same could be achieved more elegantly via VBS. Here is the script:
The script loops through the registry and correctly harvests the USER SIDs, but the second part of the script, where it supposedly creates and then searches through an array of the groups that the user is a member of does not work, reporting a UBound type mismatch error (the array check also reports that it is not one). Now, that part of the script works fine in a separate VBS if I feed the SID and registry key path to it manually, so I'm confused as to why it's suddenly not working?
I've established that it can be found via membership of the BUILTIN\Administrators group, but also that this cannot be checked remotely or via WMI, as it doesn't report the membership of the BUILTIN\Administrator group correctly.
I've managed to write a batch file which parses the results of a gpresult and writes to a CSV, which could be deployed via logon script, but have been trying to see if the same could be achieved more elegantly via VBS. Here is the script:
Code:
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7
Dim strComputer, objRegistryGetSID, objRegistryIsLocalAdmin
Dim strSIDKeyPath, arrSIDSubKeys, objSID
'set to local computer
strComputer = "."
'Regular Expression to find User SIDs and exclude default ones
Dim MyRegExp, targetString, colMatch1, objMatch1
Set MyRegExp = New RegExp
With MyRegExp
.Pattern = "S-1-5-21"
.Global = True
.IgnoreCase = True
End With
'set Registry queries
Set objRegistryGetSID=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
Set objRegistryIsLocalAdmin=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
'query to get user SIDs from Registry
strSIDKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy"
objRegistryGetSID.EnumKey HKEY_LOCAL_MACHINE, strSIDKeyPath, arrSIDSubKeys
'Cycle through array produced by query above to enumerate userr SIDs
For Each objSID In arrSIDSubKeys
targetString = objSID
Set colMatch1 = MyRegExp.Execute(targetString)
'Enumerate user SIDS for stage 2
For each objMatch1 in colMatch1
Dim strUserKeyPath, arrEntryNames, arrValueTypes
strUserKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\" & objSID & "\Group Membership"
'Echo full string (for testing purposes)
Wscript.Echo strUserKeyPath
'Query to list all groups that user is a member of
objRegistryIsLocalAdmin.EnumValues HKEY_LOCAL_MACHINE, strUserKeyPath, arrEntryNames, arrValueTypes
'Check that viariable is an array
If Not IsArray(arrEntryNames) Then
Wscript.Echo "No array returned1"
End If
'Loop through array to find user SIDs that are members of the BUILTIN\Administrators local group and report back if they are.
For i=0 To UBound(arrEntryNames)
objRegistryIsLocalAdmin.GetStringValue HKEY_LOCAL_MACHINE, strUserKeyPath, arrEntryNames(i),strValue
If strValue = "S-1-5-32-544" then
Wscript.Echo "IsLocalAdmin"
End If
Next
Next
NextThe script loops through the registry and correctly harvests the USER SIDs, but the second part of the script, where it supposedly creates and then searches through an array of the groups that the user is a member of does not work, reporting a UBound type mismatch error (the array check also reports that it is not one). Now, that part of the script works fine in a separate VBS if I feed the SID and registry key path to it manually, so I'm confused as to why it's suddenly not working?
Last edited: