Today's post is going to be about using the win32net module from the pywin32 package to query the builtin Administrators group on remote devices. To date this is the only method I've discovered that seems to require very limited permissions (authenticated users?) and doesn't rely on WMI. One caveat: the call underneath is a remote SAM (SAMR) query, and Windows 10 1607 / Windows Server 2016 and later restrict remote SAM calls to local Administrators by default through the "Network access: Restrict clients allowed to make remote calls to SAM" policy, so whether a low-privilege account can do this depends on the target's OS version and that policy. It is also the same call local-admin enumeration tools use for lateral-movement reconnaissance, so if it works from an unprivileged account against your fleet, note that as a finding in its own right.
Getting Python Configured
Assuming you already installed Python from the Python downloads website, use pip to install the pypiwin32 package like so (pypiwin32 is now just a shim that pulls in pywin32, so "pip install pywin32" does the same job; the --proxy flag is only needed if you sit behind a corporate proxy):
C:\Program Files (x86)\Python36-32\Scripts>pip.exe install --proxy http://corporateproxy.contoso.com:1111 pypiwin32
Tim's got some decent documentation on this module here.
Putting the module to use - The Console Way
First get into the Python console by running "python" from your command line or install directory. Once you're there, import the win32net module that the package we just installed provides:
>>> import win32net
Now that it's imported we'll pick a server and see what we get. In this case I pass the integer value 2 for the "level" parameter because I want the full domain name and username of each group member returned (level 2 corresponds to the LOCALGROUP_MEMBERS_INFO_2 structure). You can read the details about the different levels in Microsoft's documentation of the NetLocalGroupGetMembers function.
I'll store what we get back in a variable called "data" so we can explore it a little and see what's there and how it's formatted. Keep in mind that in this case server1 is resolvable in DNS (check with nslookup or dig).
>>> data = win32net.NetLocalGroupGetMembers("server1", "Administrators", 2)
If you just run "data" you'll see the response contains a bunch of information: members can be domain or local groups, users, or even computer objects. The object is a tuple of three items. The first element is the list of security principals that are members of the Administrators group; the second is the total number of entries; the third is a resume handle, which is nonzero if the group was too large to return in one call and can be passed back as the fourth argument to fetch the rest (for a typical Administrators group it is 0). So to explore the members we can run data[0][0], which shows the first principal in that list. It should look something like this:
{'sid': <PySID object at 0x0000A4B0>, 'sidusage': 2, 'domainandname': 'contoso\\Domain Users'}
The sidusage value is the SID_NAME_USE type of the principal (1 for a user, 2 for a domain group, 4 for a local group/alias, 9 for a computer account). Most of the time the domainandname value is what we want; we could also take the SID object and translate it with win32security.LookupAccountSid, but for now domainandname is good enough.
Exploring the items one at a time is kind of lame, but a quick loop like this one will print each of them:
>>> for item in data[0]:
...     print(item)
...
This is all well and good for looking at the members of the Administrators group for just one computer, but what about collecting this from multiple computers?
Collecting from multiple devices
So this is all well and good for individual computers, but let's say we have a list of computers we want to collect this from. In this case I'll assume you're on a Windows device with your list of computers, one name per line, at C:\computers.txt. To read a file into Python we generally use a "with" block so the file is closed when we're done, and in this case we can use read() to get the contents and splitlines() to turn them into a list split on newlines, like this:
with open("C:\\computers.txt") as f:
    computer_list = f.read().splitlines()
Once we have that list of computers we can go ahead and collect the memberships. I'll build a dictionary with the computer name as the key and the comma-separated list of principals in Administrators as the value. One host that is offline or refuses the call would otherwise raise pywintypes.error and stop the whole loop, so catch it and move on to the next computer:
import pywintypes

permdict = {}
for computer in computer_list:
    try:
        data = win32net.NetLocalGroupGetMembers(computer, "Administrators", 2)
    except pywintypes.error as e:   # host unreachable, access denied, name not found
        print("skipping " + computer + ": " + str(e))
        continue
    permdict[computer] = ",".join(item['domainandname'] for item in data[0])
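The collection loop above is enough for a handful of hosts, but it ignores the resume handle and it stops at the first error. Below is an added example (my code, not the post's) that wraps win32net.NetLocalGroupGetMembers with both pieces: it follows the resume handle so a very large group is read completely, and it records per-host errors instead of aborting the run. The query function is a parameter so the loop can be exercised offline with the constructed sample data at the bottom; the host names and SIDs in that data are hypothetical, and pywin32 is only needed when you point it at real hosts.

```python
# Added example (not the post's code): collect the Administrators group from a
# list of hosts with pywin32's win32net.NetLocalGroupGetMembers, following the
# resume handle and recording per-host errors instead of aborting the run.
# The query function is injectable so the loop can be exercised offline with
# the constructed data at the bottom; pywin32 is only needed for real hosts.
try:
    import win32net
    import pywintypes
    DEFAULT_QUERY = win32net.NetLocalGroupGetMembers
    QUERY_ERRORS = (pywintypes.error, OSError)
except ImportError:            # not on Windows, or pywin32 not installed
    DEFAULT_QUERY = None
    QUERY_ERRORS = (OSError,)

LEVEL_DOMAIN_AND_NAME = 2      # LOCALGROUP_MEMBERS_INFO_2: sid, sidusage, domainandname


def get_local_group_members(server, group="Administrators", query=DEFAULT_QUERY):
    """Return every member dict of `group` on `server`, across all pages.

    pywin32 returns (members, total, resume_handle); a nonzero resume handle
    means the group did not fit in one call and must be passed back in.
    """
    if query is None:
        raise RuntimeError("pywin32 is not available and no query function was given")
    members = []
    resume = 0
    while True:
        page, _total, resume = query(server, group, LEVEL_DOMAIN_AND_NAME, resume)
        members.extend(page)
        if not resume:
            break
    return members


def collect_admins(computers, query=DEFAULT_QUERY):
    """Map computer -> list of 'DOMAIN\\name' strings; unreachable or
    access-denied hosts land in a separate errors dict with the error text."""
    results, errors = {}, {}
    for computer in computers:
        try:
            members = get_local_group_members(computer, query=query)
        except QUERY_ERRORS as exc:      # RPC unreachable, access denied, bad name...
            errors[computer] = str(exc)
            continue
        results[computer] = [m["domainandname"] for m in members]
    return results, errors


# --- constructed sample data for offline use (hypothetical hosts and SIDs) ---
SAMPLE_HOSTS = {
    "server1": [
        {"sid": "S-1-5-21-1-2-3-500", "sidusage": 1, "domainandname": "SERVER1\\Administrator"},
        {"sid": "S-1-5-21-4-5-6-512", "sidusage": 2, "domainandname": "CONTOSO\\Domain Admins"},
        {"sid": "S-1-5-21-4-5-6-513", "sidusage": 2, "domainandname": "CONTOSO\\Domain Users"},
    ],
    "server2": [
        {"sid": "S-1-5-21-7-8-9-500", "sidusage": 1, "domainandname": "SERVER2\\Administrator"},
    ],
}


def fake_query(table, page_size=2):
    """Stand-in for NetLocalGroupGetMembers over `table`: returns at most
    `page_size` members per call plus a resume handle (the next offset, or 0
    when done) so the paging loop above is exercised; unknown hosts raise the
    OSError an unreachable host would (error 53, network path not found)."""
    def query(server, group, level, resume=0):
        if server not in table:
            raise OSError(53, "The network path was not found.")
        rows = table[server]
        end = resume + page_size
        return rows[resume:end], len(rows), (end if end < len(rows) else 0)
    return query


if __name__ == "__main__":
    found, failed = collect_admins(["server1", "server2", "ghost"], fake_query(SAMPLE_HOSTS))
    for host, admins in found.items():
        print(host, "->", ", ".join(admins))
    for host, err in failed.items():
        print(host, "ERROR", err)
```

On a Windows box with pywin32 installed, `collect_admins(computer_list)` with no query argument uses the real API; keeping the errors dict separate from the results means a host that was unreachable is never mistaken for a host with an empty Administrators group.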
This gives us a dictionary permdict with an entry for each computer. For ease of use I'll write this data out into a "results" CSV with one line per account found. Open the file with mode "w" rather than "a", otherwise each run appends another header row and the old results:
with open("C:\\adminoutput.csv", "w") as csvfile:
    csvfile.write("ComputerName,Admin")
    for key in permdict:
        for admin in permdict[key].split(","):
            csvfile.write("\n")
            csvfile.write(key + "," + admin)
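The CSV above answers "who is in Administrators", but the reason to collect it is to spot the entries that should not be there. The added example below (my code, not the post's) works on the level-2 dicts that NetLocalGroupGetMembers returns, flags the cases a reviewer looks for first (broad groups such as Domain Users or Authenticated Users, SIDs that no longer resolve, computer accounts, and users added directly rather than through a group), and writes the result with the csv module so names containing commas or quotes are handled. The sample data is constructed, its hosts and SIDs are hypothetical, and the rule that treats an account literally named "Administrator" as the expected builtin is an approximation (the authoritative check is RID 500 in the SID).

```python
# Added example (not the post's code): review collected Administrators
# membership for the entries worth a second look, then write a proper CSV.
# Input is {computer: [level-2 member dict, ...]} as returned by
# NetLocalGroupGetMembers; the sample below is constructed and hypothetical.
import csv
import io

# SID_NAME_USE values reported in 'sidusage'
SID_TYPE_USER, SID_TYPE_GROUP = 1, 2
SID_TYPE_DELETED, SID_TYPE_UNKNOWN, SID_TYPE_COMPUTER = 6, 8, 9

# Groups whose presence in Administrators effectively makes everyone an admin.
BROAD_GROUPS = {"domain users", "authenticated users", "everyone", "users", "domain computers"}


def review_member(member):
    """Return a short reason if this member deserves a second look, else None."""
    name = member["domainandname"]
    account = name.split("\\", 1)[-1].lower()
    usage = member["sidusage"]
    # Deleted or foreign-domain principals come back unresolved; the name is
    # then typically the raw SID string (assumption about the unresolved form).
    if usage in (SID_TYPE_DELETED, SID_TYPE_UNKNOWN) or name.startswith("S-1-"):
        return "unresolved SID (deleted account or foreign domain)"
    if account in BROAD_GROUPS:
        return "broad group grants admin to all its members"
    if usage == SID_TYPE_COMPUTER:
        return "computer account"
    # Name-based approximation of the builtin RID-500 account.
    if usage == SID_TYPE_USER and account != "administrator":
        return "direct user membership (prefer a group)"
    return None


def review_hosts(host_members):
    """Return rows (computer, domainandname, sidusage, finding) for every
    member; finding is '' when nothing stands out."""
    rows = []
    for computer, members in host_members.items():
        for m in members:
            rows.append((computer, m["domainandname"], m["sidusage"], review_member(m) or ""))
    return rows


def findings_only(rows):
    return [r for r in rows if r[3]]


def write_report(rows, fileobj):
    """Write the rows as CSV; the csv module quotes names with commas/quotes."""
    writer = csv.writer(fileobj)
    writer.writerow(["ComputerName", "Admin", "SidUsage", "Finding"])
    writer.writerows(rows)


def report_text(rows):
    buf = io.StringIO()
    write_report(rows, buf)
    return buf.getvalue()


# Constructed sample (hypothetical host, SIDs and accounts).
SAMPLE = {
    "server1": [
        {"sid": "S-1-5-21-1-2-3-500", "sidusage": 1, "domainandname": "SERVER1\\Administrator"},
        {"sid": "S-1-5-21-4-5-6-512", "sidusage": 2, "domainandname": "CONTOSO\\Domain Admins"},
        {"sid": "S-1-5-21-4-5-6-513", "sidusage": 2, "domainandname": "CONTOSO\\Domain Users"},
        {"sid": "S-1-5-21-4-5-6-1104", "sidusage": 1, "domainandname": "CONTOSO\\jsmith"},
        {"sid": "S-1-5-21-9-9-9-1201", "sidusage": 8, "domainandname": "S-1-5-21-9-9-9-1201"},
    ],
}

if __name__ == "__main__":
    rows = review_hosts(SAMPLE)
    with open("adminoutput.csv", "w", newline="") as f:
        write_report(rows, f)
    for row in findings_only(rows):
        print(row)
```

Against the constructed sample, three of the five entries are flagged (Domain Users, the directly added user, and the unresolved SID) while the builtin Administrator and Domain Admins pass. Extend BROAD_GROUPS with whatever groups are over-broad in your own domain.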
Hopefully this helps in the event you're trying to figure out who's in your Administrators groups.