Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
is there a way to identify users who belong to admin groups in AD
- Thread starter bookouri
- Start date
- Thread starter
- #4
i wanted to get the members of all the "administrator" type groups. Domain Admins, Administrators, Enterprise Admins, Server Operators, etc.. there's several groups id like to keep an eye on..
i can probably come up with a script of some kind, i thought for sure i had seen something in Windows that would tell you who had admin rights...
i can probably come up with a script of some kind, i thought for sure i had seen something in Windows that would tell you who had admin rights...
There's nothing built-in that will tell you, short of manually examining the groups. Where I work the only solution that we could come up with was to have a script that runs daily at 6am and checks the last modified date on those groups and then sends an email if they've been changed in the last 24 hours. You could also make it keep a list of group membership, so that if it sees that it was modified it can tell you what was changed. The only problem is that if you add someone to a group and then take them out between scripts running, you get an email that the group was modified but it can't tell you what changed.
I know that there are tools you can buy that will do 'round the clock monitoring of your admin groups (I think that Quest Software sells one), but having the script was "good enough" for us.
I know that there are tools you can buy that will do 'round the clock monitoring of your admin groups (I think that Quest Software sells one), but having the script was "good enough" for us.
- Thread starter
- #6
- Status
Similar threads
- Question
