
Create a custom inventory rule (CIR) to get a clean list of your local admins, and then also filter out the IT-approved admins. Presented at Dell World User Forum 2014 - lessons from the field.

This is a repost to fix some minor errors and also work around UAC problems

You will need this vbs script and batch file to create this:

fadmins.vbs:

' Run the batch file hidden (window style 0) and wait for it to finish (True)
CreateObject("Wscript.Shell").Run "C:\ProgramData\Dell\KACE\user\filteredadmins.bat",0,True

FilteredAdmins.bat:

@echo off
REM start from a clean output file
if exist c:\programdata\dell\kace\user\out.txt del c:\programdata\dell\kace\user\out.txt /q
REM skip the header lines of the net localgroup output and keep the member lines
for /f "tokens=* skip=6" %%g in ('net localgroup administrators') do echo %%g >> c:\programdata\dell\kace\user\out.txt
REM drop the trailing "The command completed successfully." line; admins.txt is the unfiltered list
for %%g in (c:\programdata\dell\kace\user\out.txt) do (findstr /v /b /c:"The command" %%g > c:\programdata\dell\kace\user\admins.txt)
REM this part removes the IT approved users and groups
for %%g in (c:\programdata\dell\kace\user\admins.txt) do (findstr /v /b /c:"localuser" %%g > c:\programdata\dell\kace\user\temp1.txt)
for %%g in (c:\programdata\dell\kace\user\temp1.txt) do (findstr /v /b /c:"localuser2" %%g > c:\programdata\dell\kace\user\temp.txt)
for %%g in (c:\programdata\dell\kace\user\temp.txt) do (findstr /v /b /c:"Administrator" %%g > c:\programdata\dell\kace\user\temp1.txt)
for %%g in (c:\programdata\dell\kace\user\temp1.txt) do (findstr /v /b /c:"domain\Desktop Local Admins" %%g > c:\programdata\dell\kace\user\temp.txt)
for %%g in (c:\programdata\dell\kace\user\temp.txt) do (findstr /v /b /c:"domain\Domain Admins" %%g > c:\programdata\dell\kace\user\temp1.txt)
for %%g in (c:\programdata\dell\kace\user\temp1.txt) do (findstr /v /b /c:"domain\ITO PC Admins" %%g > c:\programdata\dell\kace\user\filteredadmins.txt)
REM clean up the intermediate files
del c:\programdata\dell\kace\user\temp*.txt /q
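
Take the batch code above and modify the lower portion to reflect any users you want to filter out. Make sure the last file written is named whatever you plan to use in the CIR's ShellCommandTextReturn statement. Note that findstr /v /b /c:"name" drops every line that begins with that string and is case-sensitive, so an entry such as "Administrator" also hides any other account whose name starts with "Administrator".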
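
The filtering step above, redone with exact, case-insensitive matching so that names which merely share a prefix with an approved entry stay in the report. This is an added example, not part of the original post; the function names and the sample output are constructed for illustration, and the approved names are the placeholders from the batch file.

```powershell
# Added example (not from the original post): exact-match allowlist filter.
# $Approved reuses the placeholder names from the batch file above.
$Approved = @(
    'localuser', 'localuser2', 'Administrator',
    'domain\Desktop Local Admins', 'domain\Domain Admins', 'domain\ITO PC Admins'
)

function Get-AdminMembers {
    param([string[]]$NetOutput)
    # Member names sit between the dashed separator and the status line.
    $inList = $false
    foreach ($line in $NetOutput) {
        $name = "$line".Trim()
        if ($name -match '^-{5,}$') { $inList = $true; continue }
        if (-not $inList -or $name -eq '') { continue }
        if ($name -like 'The command completed*') { break }
        $name
    }
}

function Get-UnapprovedAdmins {
    param([string[]]$Members, [string[]]$Allow)
    # -notcontains compares whole strings and ignores case, unlike findstr /b.
    @($Members) | Where-Object { $_ -and ($Allow -notcontains $_) }
}

# Constructed sample of 'net localgroup administrators' output.
$sample = @(
    'Alias name     administrators',
    'Comment        Administrators have complete and unrestricted access',
    '',
    'Members',
    '',
    '-------------------------------------------------------------------------------',
    'Administrator',
    'Administrator2',
    'domain\Domain Admins',
    'DOMAIN\jsmith',
    'localuser',
    'localuser_svc',
    'The command completed successfully.',
    ''
)

$members = Get-AdminMembers -NetOutput $sample
Get-UnapprovedAdmins -Members $members -Allow $Approved
```

On an endpoint, pass (net localgroup administrators) as -NetOutput and write the result with Set-Content to the file the CIR reads.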

Zip the vbs and batch file up together to attach to the CIR you will create next.

CIR1 (attach the zip file to this one; see the bottom of the screenshot):
[screenshot]
ShellCommandTextReturn(cmd /c cscript /b c:\programdata\dell\kace\user\fadmins.vbs&type c:\programdata\dell\kace\user\filteredadmins.txt )

CIR2:
[screenshot]
ShellCommandTextReturn(cmd /c type c:\programdata\dell\kace\user\admins.txt )

Create a file sync or a managed install (MI) to install the files from the first CIR.

You will need to use an MI if you do not have a common user to file sync with; the MI will install as SYSTEM.

File sync method (suggested by fellow ITNinja blaise_gregory):
[screenshot]

The MI method will also require an install bat:
xcopy filteredadmins.bat "c:\programdata\dell\kace\user" /q /y
xcopy fadmins.vbs "c:\programdata\dell\kace\user" /q /y

Add the install bat to the zip if you choose the MI method.

MI method:
[screenshot]

Create reports (we use the built-in KACE notes field to list who is approved to be a local admin):
[screenshot]

Filter on the CIR field you are using as "is not null":
[screenshot]

Wizard-created reports look like this:
[screenshot] [screenshot]

Custom inventory under the machine looks like this:
[screenshot]


Comments

  • Thanks for these great scripts!
    They could also be run as K1000 scripts instead of MI if a fixed folder for the output files is present (e.g. C:\Windows\). That would be a way to schedule the local admin evaluation on a regular basis. The CIRs would fetch updated data with every inventory. - chrpetri 9 years ago
    • The MI or FS is just to put the files in place; the Filtered CIR runs a VBScript to update every inventory cycle. - SMal.tmcc 9 years ago
  • Nice write up. I use this for my CIR, filters out all the extra junk text and could be used to filter out accounts you don't want to know about - by adding | FINDSTR /V "youruser". But it wouldn't be broken down into two sections like yours.

    ShellCommandTextReturn(cmd.exe /c net localgroup Administrators | FINDSTR /V "Administrator" | FINDSTR /V "Members" | FINDSTR /V "The command completed successfully." | FIND /V "-------------------------------------------------------------------------------") - SDNBTP 9 years ago
  • After reading all the info in this post here is what I did:
    Basically what I did was to modify the above FilteredAdmins.bat file as needed, used a script to copy it to the machine and then execute, created a CIR to retrieve the .txt file results from the machine and created a report (like one above) to report the results. Works great! - bnerison 9 years ago