JSI Tip 8875. How can I list the members of the local Windows XP or Windows Server 2003 Administrators group, including those that are members via group nesting?

Using the Active Directory command-line tools, in a Windows 2000 domain, or Windows Server 2003 domain, I have scripted Administrators.bat to list the members of the local Administrators group, including those that are members via group nesting.

To run Administrators.bat on a Windows XP domain member, or on a Windows Server 2003 domain member, or on a Windows Server 2003 domain controller, run Administrators.

Administrators.bat contains:

@echo off
rem Administrators.bat - print every account that is a member of the local
rem Administrators group, one name per line, sorted and with duplicates removed.
rem Delayed expansion lets the for bodies read variables set while they run.
setlocal ENABLEDELAYEDEXPANSION
rem Work files: out collects the raw names, srt holds the sorted copy. The
rem quotes are part of the stored value, so later uses do not quote them again.
rem NOTE(review): both names are fixed, so two runs that share the same TEMP
rem folder overwrite each other, and anything able to write there can change
rem the report. A per-run unique name would avoid that.
set out="%TEMP%\Administrators.tm1"
set srt="%TEMP%\Administrators.tm2"
if exist %out% del /q %out%
rem Skip the first six lines of the net localgroup output and drop the
rem completion message, then classify each remaining line in the what routine.
rem NOTE(review): the line count and the filtered text look tied to the English
rem output layout - confirm on localized systems, where a mismatch could drop
rem real members or add stray lines to the report.
for /f "Skip=6 Tokens=*" %%a in ('net localgroup administrators^|FINDSTR /V /C:"The command completed"') do (
 set object=%%a
 call :what
)
rem Sort so that identical names become adjacent, then discard the raw file.
sort %out% /O %srt%
del /q %out%
rem Print each sorted line unless it equals the line printed just before it.
set prev=N
for /f "Tokens=*" %%a in ('type %srt%') do (
 if "!prev!" NEQ "%%a" set prev=%%a&@echo %%a
)
del /q %srt%
endlocal
goto :EOF
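:what
rem Classify one entry of the local Administrators group, held in object, and
rem append the account names it stands for to the out file.
rem An entry without a backslash has no prefix: record it as a local account.
set bs=%object:\=%
if "%bs%" EQU "%object%" goto lclusr
rem Remove the USERDOMAIN prefix. If nothing changed, the entry carries some
rem other prefix, so record it exactly as listed. Sending it to lclusr would put
rem the computer name in front of it and mislabel it as a local account.
call set bs=%%object:%USERDOMAIN%\=%%
if "%bs%" EQU "%object%" goto eo
rem Look for a person object with this sAMAccountName. The go routine runs the
rem command stored in qo and leaves its last output line in OK, or N if none.
rem NOTE(review): bs is placed in the LDAP filter unescaped. A name holding
rem filter metacharacters would change the query - confirm names are constrained.
set qo=dsquery * domainroot -filter "(&(objectCategory=Person)(sAMAccountName=%bs%))" -attr sAMAccountName -L
call :go>nul 2>&1
if "%OK%" NEQ "N" goto usr
rem Not a person: look for a group with this name and keep what the query
rem returned in grp. If neither query matched, record the entry as listed.
set qo=dsquery * domainroot -filter "(&(objectCategory=Group)(sAMAccountName=%bs%))" -attr distinguishedName -L
call :go>nul 2>&1
if "%OK%" EQU "N" goto eo
set sec=N
set grp=%OK%
rem Only groups that dsget reports as security groups are expanded.
for /f "Tokens=1,2" %%s in ('dsget group "%grp%" -secgrp -L^|FIND "secgrp:"') do (
 if /i "%%t" EQU "yes" set sec=Y
)
if "%sec%" EQU "N" goto eo
rem Fetch the group's samid, keep it quoted in sam, and list its members
rem through the dg routine.
for /f "Tokens=1*" %%m in ('dsget group "%grp%" -samid -L^|FIND "samid:"') do (
 set sam="%%n"
)
call :dg %sam%
rem Walk the recursively expanded member list. A member that the uog routine
rem resolves as a user is recorded; anything else is handed to dgd as a group.
for /f "Tokens=*" %%m in ('dsget group "%grp%" -members -expand') do (
 call :uog %%m>nul 2>&1
 If "!OK!" NEQ "N" @echo !OK!>>%out%
 If "!OK!" EQU "N" call :dgd %%m
)
rem Same handling for the memberof list.
rem NOTE(review): memberof enumerates the groups that contain grp, not the
rem accounts inside it. Names written from this loop may not actually hold
rem Administrators rights, which would over-report in an audit - confirm intent.
for /f "Tokens=*" %%m in ('dsget group "%grp%" -memberof -expand') do (
 call :uog %%m>nul 2>&1
 If "!OK!" NEQ "N" @echo !OK!>>%out%
 If "!OK!" EQU "N" call :dgd %%m
)
goto :EOF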
:dgd
rem Entry point for a group passed as argument 1 by the member loops.
rem A group that dsget does not report as a security group is not expanded:
rem control goes to eo, which records the current top-level entry as listed.
set sec=N
for /f "Tokens=1,2" %%s in ('dsget group %1 -secgrp -L^|FIND "secgrp:"') do (
 if /i "%%t" EQU "yes" set sec=Y
)
if "%sec%" EQU "N" goto eo
rem Read the group's samid and keep it, quoted, in nbdm for the net group call.
for /f "Tokens=1*" %%j in ('dsget group %1 -samid -L^|FIND "samid:"') do (
 set nbdm="%%k"
)
goto dgf
:dg
rem Entry point when the caller already has the quoted samid as argument 1.
set nbdm=%1
:dgf
rem Shared tail: list the members of nbdm with all console output suppressed.
call :dgfs>nul 2>&1
goto :EOF
:dgfs
rem List the members of the domain group named in nbdm with net group.
rem The first four output lines, the dashed separator and the completion
rem message are dropped; every other line except the literal Members is
rem handed to the parse routine through the line variable.
rem NOTE(review): this filtering looks tied to the English output layout -
rem confirm on localized systems.
for /f "Skip=4 Tokens=*" %%i in ('net group %nbdm% /domain^|findstr /V /C:"----" /C:"The command completed"') do (
 set line=%%i
 if "!line!" NEQ "Members" call :parse
)
goto :EOF
:strip
rem Trim the column padding from name and record it as a USERDOMAIN account.
rem A sentinel is appended, every pair of spaces is removed, a single space
rem left in front of the sentinel is removed, and then the sentinel itself.
rem Note that a pair of spaces inside the name is removed as well.
set short=%name%#
set short=%short:  =%
set short=%short: #=#%
set short=%short:#=%
rem NOTE(review): the USERDOMAIN prefix is applied unconditionally; presumably
rem every name listed by net group belongs to that domain - verify.
@echo %USERDOMAIN%\%short%>>%out%
goto :EOF
:parse
rem Split one member line into three fixed columns of 25 characters and pass
rem each one to the strip routine. The first column is always processed; the
rem second and third only when the slice is not empty.
rem NOTE(review): assumes no member name is wider than its column - confirm.
set name=%line:~0,25%
call :strip
set name=%line:~25,25%
if not "%name%" EQU "" call :strip
set name=%line:~50,25%
if not "%name%" EQU "" call :strip
goto :EOF
:uog
rem Decide whether argument 1 is a user. OK starts as N and is replaced by
rem USERDOMAIN followed by the samid when dsget user returns a samid line.
rem Callers treat a remaining N as meaning the argument is a group.
rem NOTE(review): the USERDOMAIN prefix is applied to every resolved user; a
rem member that lives in another domain would be reported under the wrong
rem domain - confirm whether such members can occur here.
set OK=N
set qry=dsget user %1 -samid -L
for /f "Tokens=1*" %%x in ('%qry%^|FIND "samid:"') do (
 set OK=%USERDOMAIN%\%%y
)
goto :EOF
:lclusr
rem Record the current entry as a local account, prefixed with ComputerName.
@echo %ComputerName%\%object%>>%out%
goto :EOF
:usr
rem Record a domain user: USERDOMAIN followed by the value the query left in OK.
@echo %USERDOMAIN%\%OK%>>%out%
goto :EOF
:eo
rem Record the current entry exactly as net localgroup listed it. Used when
rem the entry could not be resolved or is a group that is not expanded.
@echo %object%>>%out%
goto :EOF
:go
rem Run the command line stored in qo and leave its last output line in OK,
rem or N when it prints nothing. Callers invoke this with output suppressed.
rem There is no goto :EOF here: as shown, the routine returns by reaching the
rem end of the file.
set OK=N
for /f "Tokens=*" %%u in ('%qo%') do (
 set OK=%%u
)


