is there a way to identify users who belong to admin groups in AD

[bookouri]

Is there a way to identify all users in AD who belong to any of the administrator groups without having to go to all the groups individually to check?

thanks

 

[rphips]

bookouri

just go to the administrators group and check out who is a member.

bob

 

[kmcferrin]

Write a script that connects to each of the admin groups and enumerates the members.

 

[bookouri]

i wanted to get the members of all the "administrator" type groups. Domain Admins, Administrators, Enterprise Admins, Server Operators, etc.. there's several groups id like to keep an eye on..

i can probably come up with a script of some kind, i thought for sure i had seen something in Windows that would tell you who had admin rights...

 

[kmcferrin]

There's nothing built-in that will tell you, short of manually examining the groups. Where I work the only solution that we could come up with was to have a script that runs daily at 6am and checks the last modified date on those groups and then sends an email if they've been changed in the last 24 hours. You could also make it keep a list of group membership, so that if it sees that it was modified it can tell you what was changed. The only problem is that if you add someone to a group and then take them out between scripts running, you get an email that the group was modified but it can't tell you what changed.

I know that there are tools you can buy that will do 'round the clock monitoring of your admin groups (I think that Quest Software sells one), but having the script was "good enough" for us.

 

[bookouri]

thanks thats probably gonna be the best i can do. Once i get things cleaned up, just being notified if the groups change will be good enough.

thanks