VBS: List all domain accounts configured on a machine
Hello,
We recently felt the need to tighten our company's security by:
- removing all unnecessary domain accounts from Windows Services, Scheduled Tasks and COM+
- Reviewing the local admins group for every server
I used this script to produce a semicolon-delimited CSV of all the domain accounts configured on our servers as identities for Windows services, COM+ applications, DCOM and scheduled tasks.
It also creates a txt file with the local administrator group members.
I hope it’ll save you some time:
' Machine name written as the first column of every report line.
' Main assigns it; the reporting Subs read it.
Dim sComputer

' Script entry point.
Call Main()
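Sub Main()
    ' Collects the machine's local Administrators members and its COM+, service,
    ' scheduled-task and DCOM identities into two report files, copies both files
    ' to a central share, then deletes the local copies.
    '
    ' NOTE(review): the reports name privileged accounts and the machines they are
    ' configured on, so the destination share should be readable only by the
    ' people carrying out the review.
    Dim wshNetwork, objFSO, objFile, objFileAdmins
    Dim sServicesReport, sAdminReport, sShareFolder

    ' Destination folder on the central share (placeholder - replace with your own
    ' \\server\share\folder\). The trailing backslash makes CopyFile treat it as an
    ' existing folder and keep the source file name. The original copied both
    ' reports to one fixed file name, so the admin report overwrote the services
    ' report, and every server overwrote the previous server's file.
    sShareFolder = "\\A-Remote-Location\"

    Set wshNetwork = WScript.CreateObject("WScript.Network")
    ' Poll until the network object reports a computer name.
    Do While wshNetwork.ComputerName = ""
        WScript.Sleep 250
    Loop
    sComputer = wshNetwork.ComputerName

    sServicesReport = "C:\" & sComputer & "-ServicesOutput.txt"
    sAdminReport = "C:\" & sComputer & "-AdminOutput.txt"

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ' 2 = ForWriting, True = create the file when it does not exist.
    Set objFile = objFSO.OpenTextFile(sServicesReport, 2, True)
    Set objFileAdmins = objFSO.OpenTextFile(sAdminReport, 2, True)

    Call LocalAdminList(sComputer, objFileAdmins)
    Call COMPlusId(sComputer, objFile)
    Call LogInServices(objFile)
    Call SchedTasks(objFile)
    Call DCOM(objFile)

    objFile.Close
    objFileAdmins.Close

    ' Since the script runs on many servers, all reports are gathered in one location.
    objFSO.CopyFile sServicesReport, sShareFolder, True
    objFSO.CopyFile sAdminReport, sShareFolder, True

    ' Reached only when both copies succeeded: a failing CopyFile raises a
    ' run-time error and stops the script, leaving the local reports in place.
    objFSO.DeleteFile sServicesReport
    objFSO.DeleteFile sAdminReport
End Sub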
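Sub COMPlusId(sComputerName, objFile)
    ' Writes one report line for every COM+ application whose configured identity
    ' is an account of YOUR-DOMAIN (placeholder - replace with your domain name).
    '   sComputerName - machine name written in the first column
    '   objFile       - open TextStream that receives the report lines
    '
    ' Only identities containing the domain marker are reported; applications
    ' configured with a local account are not listed by this Sub.
    Dim cat, apps, app, sIdentity

    Set cat = CreateObject("COMAdmin.COMAdminCatalog")
    Set apps = cat.GetCollection("Applications")
    apps.Populate

    For Each app In apps
        sIdentity = app.Value("Identity")
        ' vbTextCompare: domain names are not case-sensitive, so an identity
        ' stored as "your-domain\svc" or "svc@your-domain" must not be missed.
        If StrComp(sIdentity, "Interactive User", vbTextCompare) <> 0 And _
           StrComp(sIdentity, "LocalSystem", vbTextCompare) <> 0 And _
           (InStr(1, sIdentity, "YOUR-DOMAIN\", vbTextCompare) > 0 Or _
            InStr(1, sIdentity, "@YOUR-DOMAIN", vbTextCompare) > 0) Then
            ' The machine name comes from the parameter rather than the global
            ' sComputer, so the Sub reports whatever name its caller passed in.
            objFile.WriteLine(sComputerName & ";" & "COM User List;" & app.Name & ";" & sIdentity & ";")
        End If
    Next
End Sub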
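Sub LocalAdminList(sComputerName, objFile)
    ' Writes one report line for every member of the machine's local
    ' Administrators group that is not on the expected-members list below.
    '   sComputerName - machine whose Administrators group is read; also the
    '                   first column of each report line
    '   objFile       - open TextStream that receives the report lines
    '
    ' Members are written exactly as the group returns them: a member that is
    ' itself a group is listed as one line and its own members are not expanded.
    Dim oGroup, oMember, sPath, sLocalAdminSuffix

    Set oGroup = GetObject("WinNT://" & sComputerName & "/Administrators")

    ' NOTE(review): the WinNT provider usually reports a local account as
    ' WinNT://<domain-or-workgroup>/<computer>/<name>, which the original exact
    ' comparison with WinNT://<computer>/Administrator would not match - confirm
    ' on your systems. Matching on the path suffix covers both spellings.
    ' A renamed built-in Administrator account is still reported.
    sLocalAdminSuffix = "/" & sComputerName & "/Administrator"

    For Each oMember In oGroup.Members
        sPath = oMember.ADsPath
        ' Expected members - adapt this list to your internal security policy.
        ' Comparisons ignore case because account and domain names are not
        ' case-sensitive.
        If StrComp(sPath, "WinNT://YOUR-DOMAINROOT/Enterprise Admins", vbTextCompare) <> 0 And _
           StrComp(sPath, "WinNT://YOUR-DOMAIN/Domain Admins", vbTextCompare) <> 0 And _
           StrComp(Right(sPath, Len(sLocalAdminSuffix)), sLocalAdminSuffix, vbTextCompare) <> 0 Then
            objFile.WriteLine(sComputerName & ";" & "Local Admin List;" & sPath)
        End If
    Next
End Sub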
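Sub LogInServices(objServiceFile)
    ' Exports the Services registry key with regedit and writes one report line
    ' for every entry whose logon account (ObjectName) is not one of the built-in
    ' service accounts.
    '   objServiceFile - open TextStream that receives the report lines
    '
    ' NOTE(review): the export goes to a fixed file name in C:\ and is deleted at
    ' the end; a unique name in the temp folder would avoid clashing with an
    ' existing file of that name.
    Const DISPLAY_PREFIX = """DisplayName""="""
    Const OBJECT_PREFIX = """ObjectName""="""
    Dim objFSO, wshShell, objFileTemp
    Dim sData, sName, sIdAcct

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set wshShell = WScript.CreateObject("WScript.Shell")
    ' 6 = run minimised, True = wait for regedit to finish before reading the file.
    wshShell.Run "cmd /c regedit.exe /e /a c:\Temp_Services.txt " & """HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services""", 6, True
    Set wshShell = Nothing

    ' 1 = ForReading
    Set objFileTemp = objFSO.OpenTextFile("c:\Temp_Services.txt", 1, True)
    sName = ""
    Do Until objFileTemp.AtEndOfStream
        sData = objFileTemp.ReadLine
        If Left(sData, 1) = "[" Then
            ' New registry key: fall back to the key name so that an entry with
            ' no DisplayName, or whose ObjectName is exported before it, is never
            ' reported under the previous service's display name.
            sName = Mid(sData, InStrRev(sData, "\") + 1)
            If Right(sName, 1) = "]" Then sName = Left(sName, Len(sName) - 1)
        ElseIf InStr(sData, DISPLAY_PREFIX) = 1 Then
            ' Text between the opening quote after "=" and the closing quote.
            sName = Mid(sData, Len(DISPLAY_PREFIX) + 1, Len(sData) - Len(DISPLAY_PREFIX) - 1)
        ElseIf InStr(sData, OBJECT_PREFIX) = 1 Then
            sIdAcct = Mid(sData, Len(OBJECT_PREFIX) + 1, Len(sData) - Len(OBJECT_PREFIX) - 1)
            ' The export escapes "\" as "\\"; undo that so the report shows the
            ' account name in the same form as the other report sections.
            sIdAcct = UCase(Replace(sIdAcct, "\\", "\"))
            Select Case sIdAcct
                Case "LOCALSYSTEM", _
                     "NT AUTHORITY\NETWORKSERVICE", "NT AUTHORITY\LOCALSERVICE", _
                     "NT AUTHORITY\NETWORK SERVICE", "NT AUTHORITY\LOCAL SERVICE"
                    ' Built-in service account: not reported.
                Case Else
                    objServiceFile.WriteLine(sComputer & ";" & "Services running under user accounts;" & sName & ";" & sIdAcct)
            End Select
        End If
    Loop
    objFileTemp.Close

    objFSO.DeleteFile "c:\Temp_Services.txt"
End Sub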
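Sub SchedTasks(objServiceFile)
    ' Runs "schtasks /query" in verbose list format and writes one report line
    ' for every task whose "Run As User" is not a built-in system account.
    '   objServiceFile - open TextStream that receives the report lines
    '
    ' NOTE(review): the "TaskName:" and "Run As User:" labels are matched as
    ' English text; on a localised Windows nothing would match and this section
    ' would silently stay empty - confirm on your systems.
    Dim objFSO, wshShell, objFileTemp
    Dim sData, sName, sIdAcct

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set wshShell = WScript.CreateObject("WScript.Shell")
    ' 2 = run minimised, True = wait for schtasks to finish before reading the file.
    wshShell.Run "cmd /c schtasks /query /s " & sComputer & " /fo list /V > c:\temp_schtasks.txt", 2, True
    Set wshShell = Nothing

    ' 1 = ForReading
    Set objFileTemp = objFSO.OpenTextFile("c:\temp_schtasks.txt", 1, True)
    Do Until objFileTemp.AtEndOfStream
        sData = objFileTemp.ReadLine
        If InStr(sData, "TaskName:") > 0 Then
            sName = Trim(Right(sData, Len(sData) - Len("TaskName:")))
        End If
        If InStr(sData, "Run As User:") > 0 Then
            sIdAcct = Trim(Right(sData, Len(sData) - Len("Run As User:")))
            ' schtasks prints account names with a single backslash, so the
            ' original "NT AUTHORITY\\..." spellings (copied from the registry
            ' export parsers) could never match and the built-in service
            ' accounts were reported as findings. The comparison ignores case,
            ' and the short forms are accepted as well because the spelling is
            ' presumed to differ between Windows versions - verify against your
            ' own schtasks output.
            Select Case UCase(sIdAcct)
                Case "LOCALSYSTEM", "SYSTEM", "NT AUTHORITY\SYSTEM", _
                     "NETWORK SERVICE", "LOCAL SERVICE", _
                     "NT AUTHORITY\NETWORKSERVICE", "NT AUTHORITY\LOCALSERVICE", _
                     "NT AUTHORITY\NETWORK SERVICE", "NT AUTHORITY\LOCAL SERVICE"
                    ' Built-in system account: not reported.
                Case Else
                    objServiceFile.WriteLine(sComputer & ";" & "Scheduled Tasks;" & sName & ";" & sIdAcct)
            End Select
        End If
    Loop
    objFileTemp.Close

    objFSO.DeleteFile "c:\temp_schtasks.txt"
End Sub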
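Sub DCOM(objServiceFile)
    ' Exports HKEY_CLASSES_ROOT\AppID with regedit and writes one report line for
    ' every AppID whose RunAs value is not a built-in identity.
    '   objServiceFile - open TextStream that receives the report lines
    Const DEFAULT_PREFIX = "@="""
    Const RUNAS_PREFIX = """RunAs""="""
    Dim objFSO, wshShell, objFileTemp
    Dim sData, sName, sIdAcct

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set wshShell = WScript.CreateObject("WScript.Shell")
    ' 6 = run minimised, True = wait for regedit to finish before reading the file.
    wshShell.Run "cmd /c regedit.exe /e /a c:\Temp_DCOM.txt " & """HKEY_CLASSES_ROOT\AppID""", 6, True
    Set wshShell = Nothing

    ' 1 = ForReading
    Set objFileTemp = objFSO.OpenTextFile("c:\Temp_DCOM.txt", 1, True)
    sName = ""
    Do Until objFileTemp.AtEndOfStream
        sData = objFileTemp.ReadLine
        If Left(sData, 1) = "[" Then
            ' New registry key: fall back to the key name so that an AppID with
            ' no default value is never reported under the previous AppID's name.
            sName = Mid(sData, InStrRev(sData, "\") + 1)
            If Right(sName, 1) = "]" Then sName = Left(sName, Len(sName) - 1)
        ElseIf InStr(sData, DEFAULT_PREFIX) = 1 Then
            ' Default value of the key: the application's friendly name.
            sName = Mid(sData, Len(DEFAULT_PREFIX) + 1, Len(sData) - Len(DEFAULT_PREFIX) - 1)
        ElseIf InStr(sData, RUNAS_PREFIX) = 1 Then
            sIdAcct = Mid(sData, Len(RUNAS_PREFIX) + 1, Len(sData) - Len(RUNAS_PREFIX) - 1)
            ' The export escapes "\" as "\\"; undo that so the report shows the
            ' account name in the same form as the other report sections.
            sIdAcct = Replace(sIdAcct, "\\", "\")
            Select Case UCase(sIdAcct)
                Case "LOCALSYSTEM", "INTERACTIVE USER", _
                     "NT AUTHORITY\NETWORKSERVICE", "NT AUTHORITY\LOCALSERVICE"
                    ' Built-in identity: not reported.
                Case Else
                    objServiceFile.WriteLine(sComputer & ";" & "DCOM Identities;" & sName & ";" & sIdAcct)
            End Select
        End If
    Loop
    objFileTemp.Close

    objFSO.DeleteFile "c:\Temp_DCOM.txt"
End Sub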
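Function GetCommandLineArgument(name)
    ' Returns the command-line argument that follows the switch `name`.
    ' The result stays Empty when the switch is not present.
    '   name - switch to look for; matched without regard to case
    '
    ' NOTE(review): nothing in this listing calls this function, and the Usage
    ' routine it reports errors through is not defined in this listing - confirm
    ' both before relying on it.
    Dim args, index, sWanted

    Set args = WScript.Arguments
    ' Lower-case both sides: the original lower-cased only the argument, so a
    ' caller passing a mixed-case name could never get a match.
    sWanted = LCase(name)
    index = 0

    Do While index < args.Count
        If LCase(args(index)) = sWanted Then
            index = index + 1
            ' When the switch is the last argument there is no value to read;
            ' the out-of-range error is suppressed so the missing value is
            ' reported through Usage below instead.
            On Error Resume Next
            GetCommandLineArgument = args(index)
            On Error GoTo 0
            If GetCommandLineArgument = "" Then
                Usage "Error: Expected a value for argument: " & name
            End If
            Exit Do
        End If
        index = index + 1
    Loop
End Function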