Q

How do I determine if user accounts have local administrative access?

Expert Laura E. Hunter explains how to find out which computer and user accounts have admin access using Active Directory, as well as how to use Group Policy to properly maintain the network.

I was wondering, how can I configure Active Directory and/or all the workstations to show what computer and user accounts have local administrator access on the workstations?

The scenario is that some accounts may have been granted access via Active Directory in an organizational unit, while for others the individual user in Active Directory may have been given access to the local administrator group on the box.

I need to see a list so we can correct who should and who should not have local admin access.

Thank you for your help.

You can use the "net localgroup administrators" command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.

This was first published in November 2005
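
The logon-script collection described in the answer could look like the following PowerShell sketch. This is an added example, not code from the original answer; the share path is a placeholder, and it assumes English-language Windows, where the group is named "administrators". It writes one CSV per workstation to the central share so that concurrent logons do not contend for a single file.

```powershell
# Added example: run as a logon or startup script on each workstation.
param(
    # Hypothetical collection share; replace with your own location.
    [string]$ShareRoot = '\\fileserver.example\LocalAdminAudit$'
)

function ConvertFrom-NetLocalGroup {
    # Pull member names out of the text printed by "net localgroup <group>".
    # Members sit between the dashed separator and the final status line.
    param([string[]]$Lines)

    $sep = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^-{10,}\s*$') { $sep = $i; break }
    }
    if ($sep -lt 0) { return @() }          # command failed or unexpected format

    $kept = @()
    for ($i = $sep + 1; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i].Trim()
        if ($line -ne '') { $kept += $line }
    }
    # The last non-empty line is the status message, not a member.
    if ($kept.Count -le 1) { return @() }
    return $kept[0..($kept.Count - 2)]
}

$raw  = & net.exe localgroup administrators 2>$null
$rows = ConvertFrom-NetLocalGroup -Lines $raw | ForEach-Object {
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Member    = $_
        # No DOMAIN\ prefix means the account is local to this machine.
        Scope     = $(if ($_ -like '*\*') { 'NonLocal' } else { 'Local' })
        Collected = (Get-Date).ToString('s')
    }
}

if ($rows) {
    # One file per computer, overwritten on each run with the current state.
    $target = '{0}\{1}.csv' -f $ShareRoot, $env:COMPUTERNAME
    $rows | Export-Csv -Path $target -NoTypeInformation -Encoding UTF8
}

# Review step, run by an administrator against the share:
#   Get-ChildItem $ShareRoot -Filter *.csv | ForEach-Object { Import-Csv $_.FullName } |
#       Sort-Object Member, Computer | Format-Table -AutoSize
```

Grant workstations and users write access to the share but not read or modify access to other machines' files, so the collected membership list cannot be browsed or altered by the accounts being audited.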
