Penetration Testing mailing list archives

Re: How to get the list of domain admins


From: pand0ra <pand0ra.usa () gmail com>
Date: Fri, 25 Jul 2008 13:56:03 -0600

Here is a .vbs script that will collect all of that for you. It writes the
results to a .csv file.



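Option Explicit
' Script-wide error suppression: with this in effect, a group that cannot be
' opened or a member whose properties cannot be read is skipped without any
' message, so a short or empty report does not by itself prove a group is empty.
On Error Resume Next

' ADSI paths (WinNT provider) of the privileged groups to enumerate.
' Replace <insert domain> with the domain name before running.
Const GROUP_DN1 = "WinNT://<insert domain>/Administrators"
Const GROUP_DN2 = "WinNT://<insert domain>/Enterprise Admins"
Const GROUP_DN3 = "WinNT://<insert domain>/Schema Admins"
' Was "Domain Adminis": with the misspelling the group this script exists to
' report on was never opened, and the error was hidden by On Error Resume Next.
Const GROUP_DN4 = "WinNT://<insert domain>/Domain Admins"
Const GROUP_DN5 = "WinNT://<insert domain>/Server Operators"
Const GROUP_DN6 = "WinNT://<insert domain>/Account Operators"
Const GROUP_DN7 = "WinNT://<insert domain>/Backup Operators"

' NOTE(review): GROUP_DN8 is the same path as GROUP_DN5, so Server Operators is
' enumerated twice; kept so that existing references to the name still resolve.
Const GROUP_DN8 = "WinNT://<insert domain>/Server Operators"
Const GROUP_DN9 = "WinNT://<insert domain>/Enterprise Server Operators"
Const GROUP_DN10 = "WinNT://<insert domain>/ENT Server Operators"
Const GROUP_DN11 = "WinNT://<insert domain>/DNSAdmins"

' Report file (created in the current working directory) and CSV separator.
Const OUTPUT_FILE_NAME = "Groups.csv"
Const DELIMITER = ","

' Shared state: number of member rows written, the output text stream, the
' FileSystemObject, and the group/member handles used by EnumGroups.
Dim intCounter, objFileOutput, objFSO, objGroup, objMember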

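' Groups on the nesting path currently being walked (a Scripting.Dictionary
' keyed by ADsPath, created on first use). A nested group that is already on the
' path is not descended into again, which is what stops two groups that contain
' each other, directly or through intermediates, from recursing without end.
Dim objActiveChain

' Returns strValue as one CSV field: unchanged when plain, otherwise wrapped in
' double quotes with embedded quotes doubled. FullName and Description are free
' text set by whoever administers the account, so they may contain the
' delimiter, quotes or line breaks; without quoting such a value would shift or
' split the row's columns.
Function CsvField(strValue)
    Dim strText
    strText = "" & strValue   ' tolerate Empty/Null from an unset property
    If InStr(strText, DELIMITER) > 0 Or InStr(strText, """") > 0 _
            Or InStr(strText, vbCr) > 0 Or InStr(strText, vbLf) > 0 Then
        strText = """" & Replace(strText, """", """""") & """"
    End If
    CsvField = strText
End Function

' Appends one CSV row per member of the group at strDN (a WinNT:// ADsPath) to
' objFileOutput, with strGroupName in the last column, and descends into nested
' groups. Columns are: member, full name, description, group. Members whose
' class is neither "User" nor "Group" get empty full-name/description columns.
' intCounter is incremented for every member row written. A group that cannot
' be opened, or a member whose properties cannot be read, is recorded as an
' ERROR row in the report instead of being dropped silently.
Sub EnumGroups(strDN, strGroupName)
    Dim objThisGroup, objThisMember, strMemberName

    If Not IsObject(objActiveChain) Then
        Set objActiveChain = WScript.CreateObject("Scripting.Dictionary")
        objActiveChain.CompareMode = vbTextCompare   ' ADsPath case may differ between callers
    End If
    If objActiveChain.Exists(strDN) Then Exit Sub

    ' Errors are handled here explicitly rather than inherited from the caller.
    On Error Resume Next
    Set objThisGroup = GetObject(strDN)
    If Err.Number <> 0 Then
        objFileOutput.WriteLine CsvField(strDN) & DELIMITER & DELIMITER & _
            CsvField("ERROR: cannot open group: " & Err.Description) & DELIMITER & CsvField(strGroupName)
        Err.Clear
        Exit Sub
    End If

    objActiveChain.Add strDN, True
    For Each objThisMember In objThisGroup.Members
        ' "WinNT://DOMAIN/name" -> "DOMAIN\name" (drop the 8-character provider prefix).
        strMemberName = Replace(Mid(objThisMember.ADsPath, 9), "/", "\")
        Select Case objThisMember.Class
            Case "User"
                objFileOutput.WriteLine CsvField(strMemberName) & DELIMITER & _
                    CsvField(objThisMember.FullName) & DELIMITER & _
                    CsvField(objThisMember.Description) & DELIMITER & _
                    CsvField(strGroupName)
                intCounter = intCounter + 1
            Case "Group"
                ' Members of a nested group are reported under the nested group's name.
                EnumGroups objThisMember.ADsPath, strMemberName
            Case Else
                ' Three delimiters, not four: keeps the row at the header's four columns.
                objFileOutput.WriteLine CsvField(strMemberName) & DELIMITER & DELIMITER & DELIMITER & CsvField(strGroupName)
                intCounter = intCounter + 1
        End Select
        If Err.Number <> 0 Then
            objFileOutput.WriteLine CsvField(strMemberName) & DELIMITER & DELIMITER & _
                CsvField("ERROR: " & Err.Description) & DELIMITER & CsvField(strGroupName)
            Err.Clear
        End If
    Next
    If Err.Number <> 0 Then
        ' The member collection itself could not be read.
        objFileOutput.WriteLine CsvField(strDN) & DELIMITER & DELIMITER & _
            CsvField("ERROR: cannot read members: " & Err.Description) & DELIMITER & CsvField(strGroupName)
        Err.Clear
    End If
    objActiveChain.Remove strDN
End Sub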


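' --- Main -------------------------------------------------------------------
' Open the report once, write a single CSV header, enumerate every group into
' it, and close the file. Calling CreateTextFile before each group, as this
' script used to, truncated the file each time, so only the last group's rows
' survived, and the stream was never closed.
Dim arrGroupDNs, strGroupDN

Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
Set objFileOutput = objFSO.CreateTextFile(OUTPUT_FILE_NAME)
If Err.Number <> 0 Or Not IsObject(objFileOutput) Then
    ' Without this check every later WriteLine would fail silently under
    ' On Error Resume Next and the "completed" box would still appear.
    MsgBox "Cannot create " & OUTPUT_FILE_NAME & ": " & Err.Description, vbCritical, "Execution aborted"
    WScript.Quit 1
End If
objFileOutput.WriteLine "UserName" & DELIMITER & "FullName" & DELIMITER & "Description" & DELIMITER & "Group Name"

arrGroupDNs = Array(GROUP_DN1, GROUP_DN2, GROUP_DN3, GROUP_DN4, GROUP_DN5, GROUP_DN6, _
                    GROUP_DN7, GROUP_DN8, GROUP_DN9, GROUP_DN10, GROUP_DN11)
intCounter = 0
For Each strGroupDN In arrGroupDNs
    ' Last column shows the group as "DOMAIN\group" (strip the "WinNT://" prefix).
    EnumGroups strGroupDN, Replace(Mid(strGroupDN, 9), "/", "\")
Next

objFileOutput.Close
MsgBox "Completed enumerating users." & vbCrLf & intCounter & " member entries written to " & OUTPUT_FILE_NAME, _
    vbInformation, "Execution completed"
'end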

On Thu, Jul 17, 2008 at 11:22 PM, Shankar Arjunan
<shankar.arjunan () gmail com> wrote:
Hi all,

Can anyone tell me how to get the list of users who have domain admin
rights in a domain? I vaguely remember doing it through a command-line
utility, net use or net localgroup ...

Thanks in advance
Shankar





