07-13-2023 06:05 AM
I decided to analyze AD users for administrative rights on local machines and wrote this query with 3 levels membership:
Select Top 1000000 tblassets.AssetID,
tblassets.Domain,
tblassets.AssetName,
tblUsersInGroup.Groupname As local_adm_group_name,
tblUsersInGroup.Domainname As local_membership_domain,
tblUsersInGroup.Username As local_membership_object_name,
tblADObjects1.domain As Down_L1_Domain,
tblADObjects1.sAMAccountName As Down_L1_Object_name,
tblADObjects2.domain As Down_L2_Domain,
tblADObjects2.sAMAccountName As Down_L2_Object_name,
tblADObjects3.domain As Down_L3_Domain,
tblADObjects3.sAMAccountName As Down_L3_Object_name
From tblassets
Inner Join tblUsersInGroup On tblassets.AssetID = tblUsersInGroup.AssetID And
tblUsersInGroup.admingroup = 1 And tblUsersInGroup.Username Not In
('Domain Admins', 'Administrator')
Left Join tblADObjects On tblUsersInGroup.Domainname = tblADObjects.domain And
tblUsersInGroup.Username = tblADObjects.sAMAccountName
Left Join tblADMembership On tblADObjects.ADObjectID =
tblADMembership.ParentAdObjectID
Left Join tblADObjects tblADObjects1 On tblADObjects1.ADObjectID =
tblADMembership.ChildAdObjectID
Left Join tblADMembership tblADMembership1 On tblADObjects1.ADObjectID =
tblADMembership1.ParentAdObjectID
Left Join tblADObjects tblADObjects2 On tblADMembership1.ChildAdObjectID =
tblADObjects2.ADObjectID
Left Join tblADMembership tblADMembership2 On tblADObjects2.ADObjectID =
tblADMembership2.ParentAdObjectID
Left Join tblADObjects tblADObjects3 On tblADMembership2.ChildAdObjectID =
tblADObjects3.ADObjectID
Order By Down_L3_Domain Desc,
Down_L2_Domain Desc,
Down_L1_Domain Desc,
local_membership_domain Desc,
tblassets.assetname Desc
*You can filter your standard accounts and groups by edit list
Not In ('Domain Admins', 'Administrator')
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now