Real World Shell Scripting: Auditing the Membership of Privileged Groups


Periodically auditing group membership is an important administrative task in Windows 2000 and Windows NT environments. Periodic audits are especially important when you have powerful server-based local groups, such as the Administrators, Server Operators, and Backup Operators groups. If you have several administrators who add user and group accounts on numerous machines, the administrators can easily forget to remove those accounts after they're no longer needed, especially if those accounts are for special projects or onetime software installations.

Opening your user-management GUI and copying names to a spreadsheet so that you can review group membership information is time-consuming. You can reduce the time required to gather this information by using a script. I created AccountAudit.bat for that purpose. This script gathers membership information for groups that reside on domains and servers, then compiles the information in a simple text report for you to review. Figure 1, page 2, shows a sample report. Let's look at how the script creates this report and how you can adapt the script to use in your environment.

How the Script Works
AccountAudit.bat uses the Local Groups (local.exe) and Global Groups (global.exe) utilities to gather group membership information. The Local Groups utility lists the members of local groups that reside on domains or servers, whereas the Global Groups utility lists the members of global groups that reside on domains or servers.

You can find the Global Groups and Local Groups utilities in the Microsoft Windows 2000 Server Resource Kit or Microsoft Windows NT Server 4.0 Resource Kit Supplement 4. If you run the Local command and Global command with no command-line arguments, you'll find that these commands use the same syntax, which is

Command GroupName DomainName | \\ServerName

where Command is either Local (if the target group is local) or Global (if the target group is global) and GroupName is the target group's name. Depending on whether the target group resides on a domain or server, you specify either the domain's name (DomainName) or the server's name (ServerName), respectively. You must enclose in quotes any domain or server names that include spaces.

After you become familiar with the commands' syntax, you need to make a list of the groups you want to audit. You can include any groups you want, such as the Enterprise Admins group or the DHCP Administrators group. AccountAudit.bat gathers information on a few key groups. First, the script gathers information about the Domain Admins group, which is a domain-based global group. The script uses the Global command with the DomainName parameter to gather this group's membership list. Next, AccountAudit.bat gathers information about five domain-based local groups: Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators. The script uses the Local command with the DomainName parameter to list these groups' members. Finally, the script gathers information about three server-based local groups: Administrators, Backup Operators, and Power Users. (The Power Users group is available only in Windows XP, Win2K, and NT Workstation.) The script uses the Local command with the \\ServerName parameter to obtain these groups' membership roster.

For each group, the script directs the Local or Global command's output to an output file. For example, in the code

Global "Domain Admins" MyDomain >> %Outputfile%

the Global command returns the members of the Domain Admins group in MyDomain and redirects this membership information to the file that the %Outputfile% environment variable represents. However, if you were to open this output file, you wouldn't find the group's name anywhere. When you're gathering information about several groups, the lack of group names makes reading the output difficult.

There are several ways to make the command output easier to read. For example, as Listing 1 shows, you can first use the Echo command to display the group name, then indent the Global command's output by including tabs. The last line in Listing 1 creates a blank line to separate this group's information from that of the next group.

When you use tabs in a script, be sure to press the Tab key; don't insert an arrow symbol (→) as I did in Listing 1. I used arrows only to show where I put tabs. When you open AccountAudit.bat in Notepad, you'll see large spaces rather than the arrows. Alternatively, you can replace the script's tabs with commas and create a Comma Separated Value (CSV) file. That way, you can open the file in Microsoft Excel, then use Excel to sort the group membership information.

The code in Listing 1 redirects all the group membership information to an output file—no output goes to the console. If you want the information to go to the console as well as to the output file, you can use two Echo commands each time, as Listing 2 shows. The first Echo command sends the information to the console; the second Echo command redirects the information to the output file. AccountAudit.bat sends all group membership information to both the console and the output file.
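The following batch script is an added example written for this page; it is not AccountAudit.bat and not one of the article's listings. It puts the ideas above together: a Global call for Domain Admins, Local calls for the domain-based and server-based local groups, an Echo of the group name before each membership list, and every line sent both to the console and to the output file. The console copy is indented with spaces (use a real Tab if you prefer), while the file copy uses the comma-separated layout the article mentions, so the report sorts cleanly in Excel. The domain name MyDomain comes from the article; the server name \\MyServer, the output path C:\Audit\GroupAudit.csv and the :Report subroutine name are assumptions of this example. It assumes Local.exe and Global.exe from the resource kit are on the path.

```batch
@echo off
setlocal

:: Constructed settings for this example; replace with your own domain, server and output path.
set Domain=MyDomain
set Server=\\MyServer
set OutputFile=C:\Audit\GroupAudit.csv

:: CSV header row in the file; a readable banner on the console.
echo Group,Scope,Member > "%OutputFile%"
echo Group membership audit %DATE% %TIME%
echo.

:: Domain-based global group: Global.exe with the domain name.
call :Report Global "Domain Admins" %Domain%

:: Domain-based local groups: Local.exe with the domain name.
for %%G in (Administrators "Account Operators" "Backup Operators" "Print Operators" "Server Operators") do (
    call :Report Local %%G %Domain%
)

:: Server-based local groups: Local.exe with \\ServerName.
for %%G in (Administrators "Backup Operators" "Power Users") do (
    call :Report Local %%G %Server%
)

echo Report written to "%OutputFile%"
endlocal
goto :EOF

:: Subroutine (name chosen for this example).
:: %1 = Local or Global, %2 = group name (quoted if it contains spaces), %3 = DomainName or \\ServerName
:Report
echo %~2 on %3
for /f "tokens=*" %%M in ('%1 %2 %3') do (
    echo     %%M
    echo %~2,%3,%%M >> "%OutputFile%"
)
echo.
goto :EOF
```

Because each member is written as its own CSV row together with the group name and the domain or server it belongs to, a group that has no members simply produces no rows, and you can sort or filter the file by member name to spot an account that appears in several privileged groups.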

One finishing touch I added to AccountAudit.bat is a Net User command that determines whether the domain-based Guest account is disabled. (Although you can use the Net User command on local servers, you would need to run the command locally so that the script tests for the domain Guest account only.) As Listing 3 shows, the Findstr command searches the Net User command's output for the string Account active. When the string is present, the For command displays and logs the message Warning: Guest account enabled!. Otherwise, the For command displays and logs the message Account Disabled.
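The following fragment is an added example for this page, not the article's Listing 3. It shows the Net User, Findstr and For combination described above for the domain Guest account. Net User prints a line of the form "Account active               Yes" (or "No"); this example reads the third word of that line with For /F rather than testing only for the presence of the string, so that an unexpected output layout is reported instead of being mistaken for a disabled account. The output path C:\Audit\GroupAudit.csv and the :Log subroutine name are assumptions of this example.

```batch
@echo off
setlocal
:: Constructed output path for this example.
set OutputFile=C:\Audit\GroupAudit.csv

:: "Account active               Yes" has three space-separated tokens; the third is Yes or No.
:: The pipe must be escaped with ^ inside the For /F command string.
set GuestState=Unknown
for /f "tokens=3" %%S in ('net user Guest /domain ^| findstr /C:"Account active"') do set GuestState=%%S

if /i "%GuestState%"=="Yes" (
    call :Log "Warning: Guest account enabled!"
) else if /i "%GuestState%"=="No" (
    call :Log "Account Disabled"
) else (
    call :Log "Could not determine Guest account state; check the Net User output"
)
endlocal
goto :EOF

:: Subroutine (name chosen for this example): write %1 to the console and append it to the report.
:Log
echo %~1
echo %~1 >> "%OutputFile%"
goto :EOF
```

Run the fragment from a domain-joined machine; the /domain switch makes Net User query the domain controller, so the check applies to the domain Guest account even when a local account of the same name exists.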

Using the Script
I tested AccountAudit.bat on machines running Win2K Server Service Pack 2 (SP2) and NT Server 4.0 SP6a. To use the script in your environment, follow these steps:

  1. Download the script from the Code Library on the Windows Scripting Solutions Web site (
  2. Install the Win2K resource kit or NT 4.0 Supplement 4 so that the Global Groups and Local Groups utilities are available.
  3. Configure AccountAudit.bat by following the instructions in the code that Listing 4 shows.

Auditing Made Easy
Keeping tabs on the members of privileged groups is an important task. Using AccountAudit.bat to programmatically gather group membership information makes monitoring these groups easier. The easier the task, the more faithfully you're likely to perform it.
