Client Management Suite


Find Members of Power Users Group

  • 1.  Find Members of Power Users Group

    Posted Oct 07, 2010 11:56 AM

    Ok I looked and hacked a bit at the count of accounts who have Local Administrator rights and came up with:

    select
    ag1.[Domain] [Admin Group Domain], 
    ag1.[Member Name] [Admin Account],
    i.[Name] [Computer Name]
     from dbo.vUGAdminGroupMember ag1
     JOIN dbo.vComputer i
      ON ag1.[_ResourceGuid] = i.Guid
    where i.[System Type] LIKE 'Win%'
    AND (ag1.[Member Name] <> 'Domain Admins'
    and ag1.[Member Name] NOT LIKE 'Administra%')
    order by ag1.[Member Name]

    So my question is I have been looking high and dry for a way to find those pesky users with Power User rights.  Does anyone have a way to gather this data?

    I did find this and I think that this would be a way to join some data to end up with what I need but I just can't find the data!

    select 
    *
    from dbo.vUGGroup
    where [group id] = 'S-1-5-32-547'

    So does anyone have any idea on how to get this information?


     



  • 2.  RE: Find Members of Power Users Group
    Best Answer

    Posted Oct 07, 2010 05:34 PM

    We had a similar requirement for the Remote Desktop Users group on our clients. In both NS6 and NS7 we could only find the users and Admin groups members so we created a custom inventory task to do this. The Inv_UG_Group table (which is behind the vUGGroup view) only contains group names, not members or references, from my experience. You can find some good detail on the tables here

    Not sure what version of NS you are using but in v7 the steps were pretty straightforward to collect this:

    1. Create a custom inventory data class to hold the users (we just collect Member name and domain).
    2. Create a custom inventory vbscript to get the users in the group - this is the hardest bit (KBs that helped me are Intro doc and samples - you can use the scripts in the v6 samples, just need to change the objects that are written to).
    3. Create a task to run this script.
    4. Query the custom data class.

    I don't know of any way to do this without custom inventory, but someone else may have a better idea?



  • 3.  RE: Find Members of Power Users Group

    Posted Oct 08, 2010 10:33 AM

    Trigger, thank you very much for the detail!  We are using NS7 with CMS.

    Do you mind sharing your script you used to get the RDP group?  I'm not a coder by any means but I can usually mod a script to do what I need.

    If not I understand and I will look at what you do.

    One thing to note: this then runs as a task and not a policy as the other inventory jobs.  Is there any way to make it run with a current inventory policy?



  • 4.  RE: Find Members of Power Users Group

    Posted Oct 10, 2010 05:27 PM

    The inventory stuff in 7 appears to be more rigid in this sense, and this is the only way we could think of to get the data. We do this for 6-10 custom inventory items and they do not produce much load on the clients, but yes it is a task, not a policy, so it doesn't work when machines are offline (I have had that "discussion" with some Symantec people as it's a little annoying).

    Anyway, attached is a cutout of some of our scripts that do just the group stuff. Our scripts are very compartmentalised so I have had to copy paste it into a single file with some comments. You should be able to work it out from here.




  • 5.  RE: Find Members of Power Users Group

    Posted Oct 11, 2010 09:14 AM

    Created this Idea so that hopefully this eventually will just be built into Inventory Collection.

     

    https://www-secure.symantec.com/connect/idea/local-group-membership-inventory-collection

     

    Trigger please add anything you feel needed to the Idea as you seem to have a good understanding of this.  Thank you for the information and support also!



  • 6.  RE: Find Members of Power Users Group

    Posted Oct 12, 2010 12:06 PM

    Trigger one question if you only collect name and domain how do you tell which machine this is set on?  Is there a guid that gets created that I can join with automatically?

     

    I'm currently reviewing some of the support articles you highlighted.



  • 7.  RE: Find Members of Power Users Group

    Posted Oct 12, 2010 04:31 PM

    the guid should be for the machine reporting the data, right?

    neil



  • 8.  RE: Find Members of Power Users Group

    Posted Oct 12, 2010 05:31 PM

    When you create the custom inventory class with the Name and Domain it also has two fields you don't see in the interface:

    • _id - which I can't figure out (in some classes where there are multiple rows this would make sense)
    • _ResourceGUID - this is the one that you use to link back to the computer

    The SQL would be very similar to your original query, but joining to the new custom inventory class instead of vUGAdminGroupMember



  • 9.  RE: Find Members of Power Users Group

    Posted Oct 13, 2010 02:30 PM
    Trigger one more question. Looking at your script what I can't figure out is where you reference the custom data classes. Looking at the script example from the links you sent I can see it plainly and can see how it matches the names they put in the dataclass but in your script I can't figure this out. Also this script is meant only to be run for one group.


  • 10.  RE: Find Members of Power Users Group

    Posted Oct 13, 2010 05:33 PM

    Yep that script just does only the "Remote Desktop Users" group, to do more than one group you could either duplicate the script and change the names, or perhaps modularise the script more and do multiple groups in one script. We tend to have a single vbs for each dataclass we inventory and then call them from a command task in Altiris that runs multiple vbs files one after the other.

    With regards to the custom data class, line 5 is the one that specifies which computer group and line 28 (below) -

    set objDCInstance = objNSE.AddDataClass("Remote Desktop Group") ' -THIS IS THE NAME OF THE DATACLASS

    is the one that specifies which data class we are loading - so there should be a custom inventory class called Remote Desktop Group created with two fields (Name and Domain - have attached our class config), the field names are never referenced in the script.

    In the Altiris Examples they gather and build the dataclass as they go, whereas this script gathers all the users into an array and then builds the dataclass rows (using AddInventoryRow) after doing all the gathering - we did this so we didn't have to write the AddRow stuff individually in every script (we use wsf files and include the common routines).

    I hope this helps

     

    Attachment(s)

    xml
    Remote Desktop Group.xml   2 KB 1 version


  • 11.  RE: Find Members of Power Users Group

    Posted Oct 14, 2010 12:19 PM

    This is kind of what I was looking for when I mentioned the data class.

     the field names are never referenced in the script.

     Thank you for the information.



  • 12.  RE: Find Members of Power Users Group

    Posted Oct 27, 2010 11:50 AM


    Off Topic:

    Trigger may I ask how you got that attached XML of your dataclass?



  • 13.  RE: Find Members of Power Users Group

    Posted Oct 27, 2010 06:13 PM
    1. On the menu bar go to Settings->All Settings.
    2. Then browse the tree to Notification Server->Resource and Data Class Settings -> Data Classes
    3. Navigate further to the data class you want to get at, so in my case then Inventory -> User and Group
    4. Right-Click the Data Class you are after

    At this point there are two ways to get it. You can choose Export and it will save the class as a file, or choose View as XML which will open a new window of the same data. Menu pic below...



  • 14.  RE: Find Members of Power Users Group

    Posted Oct 28, 2010 11:33 AM

    Trigger thank you very much for this information as this gives me something to look at what I created compared to what you had.

    One other quick question and I'm sorry to keep bothering you but ...

    We are creating custom data classes here and mine were created under inventory/Custom.  How did you get yours under Inventory/User and Group  ??

    Again I'm sure this is something simple and sorry for wasting your time.



  • 15.  RE: Find Members of Power Users Group

    Posted Oct 28, 2010 04:29 PM

    Trigger I have taken a test pc loaded up the Remote Desktop Users group and the power users group and created two scripts and two data classes.  The task run successfully and I don't see anything apparent in the NS logging.  The issue is I don't see any data.

    I have looked at my sql server under the two tables INV_CUSTOMDATACLASSNAME.  Is this not where the data would go?  What am I missing or any troubleshooting steps you can recommend so I can figure out where I’m going wrong.



  • 16.  RE: Find Members of Power Users Group

    Posted Oct 31, 2010 05:30 PM

    In that screen shot of the menu there is a move option that lets you move it in the tree - just make sure you keep it inside the DataClasses Node. Another alternative is that you can drag the classes in the tree, but - and this is a big but - when you are dragging it the tree control used by altiris has a "feature" where if you have scrolled the tree window down the drop point is not where the mouse is. That may not make sense, but just make sure what is highlighted in the tree is the folder you want to move the class to - NOT where the mouse is located.

    Unless you are moving a lot of stuff I find the Move option on the menu much easier.



  • 17.  RE: Find Members of Power Users Group

    Posted Oct 31, 2010 06:19 PM

    Your data should go in that table if the name you put in the script is CUSTOMDATACLASSNAME (note no INV_ in the script)

    This will be a little detailed, but something else to check first would be if any custom inventory is working. So if you don't have any other Custom inv stuff create a really simple custom inventory class/task with one string no multiline and load it to test.

    On to the Nerd stuff... With no errors and no data the first step would be to check the script. Not sure of your level of scripting expertise, but here's what I usually do:

    1. From a command prompt run the script with the debug switch: cscript /x SCRIPTNAME.vbs
             This requires a script debugger to be installed - Office and visual studio will install one of these for you

    2. Step through the script line by line and check that it is building an object which has data
            So in the script I attached earlier this would be :

    1. ensuring that arrMembership contains data - type ?arrMemberShip in the immediate window after it should be filled by code
    2. Check the arrCols variable has stuff in it after it should be filled - type ?arrCOls(0) in the immediate window - should show first account
    3. Check objNSE is created properly - ?objNSE.xmlbody should show an empty inventory after the create line
    4. The AddInventoryRow routine is adding data to the objNSE object - same command above after addinventory row has run should show something like


    An important extra check is that the fields in this are in the same order as in your data class - so c0 is the first field and this holds the Username, etc. Not too critical here as there are only two strings and shouldn't be an error if they are in the wrong order

     Assuming this all works correctly there are two extra things to do at the NS that may help

    1. Check the bad folders in the NSCAP location - \\altirisNS\NSCAP or whatever the local path is. These would be small files so probably in the EvtQFast\Bad folder if they are going in there - easiest way to find them is to use something like Notepad++ and search for files in the EvtQ folders with the Resource GUID in the file; if they are erroring but not showing in the log you may see it here.
    2. Run the Altiris Profiler on the server and look in this for any reference to resources GUID or the Dataclass GUID or the DataClass Name

    Hope this steers you in the right direction

     



  • 18.  RE: Find Members of Power Users Group

    Posted Nov 03, 2010 02:53 PM

    OK, looks to be in the vb code I'm having a problem:

    copied code to notepad created a vbs file on my desktop.

    'Declare global variables
    dim objNSE, objDCInstance, objDataClass

    Dim arrMembership, arrCols()
    arrMembership = GetGroupMembership("Power Users")
    Redim arrCols(UBound(arrMembership))

    dim intMembers, arrRow(1), arrUser
    For intMembers = 0 to uBound(arrMembership)
     'Populate Values
     arrUser = split(arrMembership(intMembers), "\")
     arrRow(0) = arrUser(1)
     arrRow(1) = arrUser(0)
     
     'Add Row to arrCols
     arrCols(intMembers) = arrRow
    Next

    'Create instance of Altiris NSE component
    set objNSE = WScript.CreateObject ("Altiris.AeXNSEvent")

    ' Set the header data of the NSE
    ' Please don't modify this GUID
    objNSE.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
    objNSE.Priority = 1

    'Create Inventory data block. Here assumption is that the data class is already configured on server
    set objDCInstance = objNSE.AddDataClass("PowerUsers") ' -THIS IS THE NAME OF THE DATACLASS
    set objDataClass = objNSE.AddDataBlock(objDCInstance)

    Dim intCol
    For intCol = 0 to uBound(arrCols)
     AddInventoryRow(arrCols(intCol))
    Next

    ' Send the NSE data to the NS server
    objNSE.SendQueued

    'Functions down here to make it easier to understand
    Function GetGroupMembership(strGroupName)
     'Returns an array with members of a given local group in format Domain\UserName
     dim colGroups, objGroup, objUser, strUsers
     strUsers = ""

     Set colGroups = GetObject("WinNT://.")
     colGroups.Filter = Array("group")
     For Each objGroup In colGroups
      If objGroup.Name = strGroupName Then
       For Each objUser in objGroup.Members
        dim strUser
        'strUser = objUser.Name
        strUser = objUser.adsPath
        strUser = replace(replace(strUser, "WinNT://", ""), "/", "\")
        If strUsers = "" Then
         strUsers = strUser
        Else
         strUsers = strUsers & "," & strUser
        End If
       Next
      End If
     Next

     dim arrUsers
     arrUsers = split(strUsers, ",")
     GetGroupMembership = arrUsers
    End Function

    Sub AddInventoryRow(arrData)
     'Add a new row
     dim objDataRow
     set objDataRow = objDataClass.AddRow
     
     Dim intCols
     For intCols = 0 To uBound(arrData)
      objDataRow.SetField intCols,  ToXmlString(arrData(intCols))
     Next
    End Sub

    'Internal Functions
    Function ToXmlString(strInput)
      Dim strOutput
      If (IsNull(strInput)) Then
        ToXMLString = strInput
      Else
        strOutput = Replace(strInput, "&", "&amp;")
        strOutput = Replace(strOutput, """", "&quot;")
        strOutput = Replace(strOutput, "<", "&lt;")
        ToXmlString = Replace(strOutput, ">", "&gt;")
      End If
    End Function

     

    Running this returns:

    C:\Documents and Settings\jlawson\Desktop\pu.vbs(12, 2) Microsoft VBScript run
    time error: Subscript out of range: '[number: 1]'


    C:\Documents and Settings\jlawson\Desktop>echo %errorlevel%
    0 

     

    Row 12 is this line:  arrRow(0) = arrUser(1)



  • 19.  RE: Find Members of Power Users Group

    Posted Nov 03, 2010 05:43 PM

    OK, so what is likely happening is that the User name from the group probably doesn't have a \ in it (as in DOMAIN\USER) - maybe an unresolved SID from a deleted account or something. For debugging these things another technique I use is to echo things to the screen to see where it is up to. So if you were to change that for loop as below you should be able to see what is in each entry in the group in the command prompt as you step through:

    dim intMembers, arrRow(1), arrUser
    For intMembers = 0 to uBound(arrMembership)
     wscript.echo "User:[" & arrMembership(intMembers) & "]"
     'Populate Values
     arrUser = split(arrMembership(intMembers), "\")
     arrRow(0) = arrUser(1)
     arrRow(1) = arrUser(0)
     
     'Add Row to arrCols
     arrCols(intMembers) = arrRow
    Next

    Assuming the issue is that some account is not listing DOMAIN\USER the new attached version will tweak it appropriately to handle this (I will probably put this into the script we have in production as well)

    There we go (hopefully), vbscript 102 :)




  • 20.  RE: Find Members of Power Users Group

    Posted Nov 03, 2010 06:03 PM

    I will check this out and funny but was thinking I need to take out my test cases and test this script figuring it had to do with what I placed in the group.

    When I added users I added what I wanted to test for.  A group, and not sure if I did more than one group or not, but I want to test a domain group and a local group.  Don't need someone putting Builtin\users in the power users group.  I also put in a domain\user and a MachineName\user.  I'm betting the local groups and local user mask out the domain information because it is local.  I bet this is why I have this problem.  In the end I want to know what is in this group no matter what.  I'm out of town so will test this as soon as I have some time to VPN in.

     

    Actually off for CMS training.



  • 21.  RE: Find Members of Power Users Group

    Posted Nov 03, 2010 06:54 PM

    We have local users and groups in these things, but not sure about any of the built-ins. Will be interested in how you go, I might do some more testing myself as well. 



  • 22.  RE: Find Members of Power Users Group

    Posted Nov 03, 2010 08:08 PM

    Trigger first I want to say thank you very much as you can tell I don't know vbscript I only know how to make something finished fit.


     When I added the echo it ran through all the items and it then failed after it displayed them.  So I tried the updated script and it works great but one thing.


    The local group I added was "everyone" which because it has no domain is probably why it was failing.  So what it does now without the domain is it puts the “everyone” group in the domain field instead of the member name field.



  • 23.  RE: Find Members of Power Users Group

    Posted Nov 03, 2010 08:26 PM

    In the lines
      'If no backslash empty domain field and put everything into the user field
    arrRow(0) = ""
    arrRow(1) = arrMembership(intMembers)

     

    Swap them around as below and it should go in the name one
      'If no backslash empty domain field and put everything into the user field
    arrRow(0) = arrMembership(intMembers)
    arrRow(1) = ""

    That will swap the data to the other field.

    Makes sense why that group has no domain, it's a well-known SID object and doesn't have any specific domain.

    Good that you can see it now, just remember to rem out the echo in the script when you deploy it as an Altiris task



  • 24.  RE: Find Members of Power Users Group

    Posted Nov 03, 2010 08:58 PM

    Works like a charm now!  Thank you for all your help.  I'm running this for the Power Users Group and the Remote Desktop Users Group.  Again thank you for the help I'm sure many will find this post very helpful!



  • 25.  RE: Find Members of Power Users Group

    Posted Feb 13, 2024 02:24 PM

    Hello All,

    I have read this thread and I have replicated the solution, and it has been super helpful for me, but I need an extra step.

    What I need is to extract all users from all groups in a sample of servers within my landscape.

    Unfortunately the solution found here is totally valid but the vbscript captures only values for one group that needs to be defined in the script.

    Could someone help to customize the vbs script to go into all existing groups in a server and get all members?

    If I needed a few fixed groups like "Remote Desktop Users", "Power Users" and "Administrators" I could run this script three times and save the content in three different dataclasses, but I need all groups and we don't have the same groups in all servers.

    Thanks a lot for your valuable help!
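
    For the all-groups case raised in the last post, one way to extend the thread's single-group approach, as an added example that is not from any poster or from Symantec. It assumes a custom data class named "Local Group Members" (hypothetical) with three string fields in the order Group, Name, Domain, and uses only the AeXNSEvent calls already shown in the thread; it takes the last path segment as the member name, so members with no domain part (the "everyone" case above) land in the name field.

```vbscript
' Added example, not from the thread. Assumes a custom data class named
' "Local Group Members" (hypothetical) with string fields Group, Name, Domain.
Option Explicit

Dim objNSE, objDCInstance, objDataClass
Dim objComputer, objGroup, objMember, arrParts

' Build the NSE and data block with the same calls as the thread's script
Set objNSE = WScript.CreateObject("Altiris.AeXNSEvent")
objNSE.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"   ' GUID copied from the thread's script
objNSE.Priority = 1
Set objDCInstance = objNSE.AddDataClass("Local Group Members")   ' assumed data class name
Set objDataClass = objNSE.AddDataBlock(objDCInstance)

' Walk every local group on this machine instead of matching one group name
Set objComputer = GetObject("WinNT://.")
objComputer.Filter = Array("group")
For Each objGroup In objComputer
    For Each objMember In objGroup.Members
        arrParts = SplitMember(objMember.ADsPath)
        ' Field order must match the data class: Group, Name, Domain
        AddInventoryRow Array(objGroup.Name, arrParts(0), arrParts(1))
    Next
Next

objNSE.SendQueued

Function SplitMember(strAdsPath)
    ' Returns Array(name, domain). The last path segment is the member name and
    ' anything before it is the domain; a path with no separator (a well-known
    ' SID such as Everyone, or an unresolved SID) gets an empty domain.
    Dim strPath, intPos
    strPath = Replace(strAdsPath, "WinNT://", "")
    intPos = InStrRev(strPath, "/")
    If intPos = 0 Then
        SplitMember = Array(strPath, "")
    Else
        SplitMember = Array(Mid(strPath, intPos + 1), _
                            Replace(Left(strPath, intPos - 1), "/", "\"))
    End If
End Function

Sub AddInventoryRow(arrData)
    ' Adds one row to the data block, one field per array element
    Dim objDataRow, intCol
    Set objDataRow = objDataClass.AddRow
    For intCol = 0 To UBound(arrData)
        objDataRow.SetField intCol, ToXmlString(arrData(intCol))
    Next
End Sub

Function ToXmlString(strInput)
    ' Escape XML metacharacters, as the thread's script does
    Dim strOutput
    strOutput = Replace(strInput & "", "&", "&amp;")
    strOutput = Replace(strOutput, """", "&quot;")
    strOutput = Replace(strOutput, "<", "&lt;")
    ToXmlString = Replace(strOutput, ">", "&gt;")
End Function
```

    Because every row carries the group name, one data class covers servers with different sets of groups, and the rows link back to the reporting computer through _ResourceGuid as described earlier in the thread.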