{"id":67543,"date":"2006-04-13T15:10:00","date_gmt":"2006-04-13T15:10:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2006\/04\/13\/how-can-i-distinguish-between-local-users-and-domain-users\/"},"modified":"2006-04-13T15:10:00","modified_gmt":"2006-04-13T15:10:00","slug":"how-can-i-distinguish-between-local-users-and-domain-users","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-distinguish-between-local-users-and-domain-users\/","title":{"rendered":"How Can I Distinguish Between Local Users and Domain Users?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! When using a script to return members of the local Administrators account, how can I distinguish between local users and domain users?

— KS<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, KS. You know, many years ago there was a TV game show called What\u2019s My Line?<\/I> The premise of the show was that some person with an unusual occupation would come out on stage and a panel of celebrities would quiz this person, asking a bunch of Yes-No questions and trying to determine what his or her unusual occupation was. (Hey, all we said was that it was a game show; we never said it was an exciting and fun-filled game show.) If a panelist asked the right questions, then he or she might be able to determine the person\u2019s occupation. If they asked the wrong questions, though \u2026.<\/P>\n

We have the same sort of situation here. (Hey, who said, \u201cBeginning with the fact that this column is neither exciting nor fun-filled?\u201d What could possibly<\/I> be more exciting and fun-filled than distinguishing between local user accounts and domain user accounts?) Suppose we have a script that returns the members of the local Administrators group on a computer named atl-fs-01. That script might look something like this:<\/P>

strComputer = “atl-fs-01”<\/p>\n
Set colGroups = GetObject(“WinNT:\/\/” & strComputer & “\/Administrators”)<\/p>\n
For Each objUser In colGroups.Members\n    Wscript.Echo objUser.Name\nNext\n<\/PRE>\n
When we run the script we\u2019ll get back information similar to this:<\/P>
Administrator\nDomain Admins\nkenmyer\nInfoSec Secure Environment\npilarackerman\njonathanhaas\n<\/PRE>\n
That\u2019s great but, as you pointed out, KS, we have no way of knowing whether kenmyer (to pick one) is a local user or a domain user. As celebrity panelists (the Scripting Guys are about as famous as most of the \u201ccelebrities\u201d who appeared on What\u2019s My Line?<\/I>), our job is to figure out what question we can ask that will tell us whether these are local users or domain users. That\u2019s not an easy task, either, because we need to use the WinNT provider to get information about these users; as we all know, the WinNT provider (unlike its Active Directory counterpart) can tell us only a few things about a given account on a local computer.<\/P>\n
Fortunately, though, one of the questions we can<\/I> ask of the WinNT provider is this: \u201cWhat is the ADsPath for the user?\u201d (OK, so it\u2019s not a Yes-No question. But we\u2019re not really<\/I> playing What\u2019s My Line?<\/I> here. That was just an analogy.) The ADsPath for a user account is roughly equivalent to a UNC path for a file. For example, suppose we have a file with the UNC path \\\\atl-fs-01\\public\\kenmyer\\test.doc. The UNC path tells us exactly where the file Test.doc can be found: it\u2019s on the computer atl-fs-01, on the shared folder Public, in the KenMyer folder. <\/P>\n
Likewise, suppose we have an ADsPath like this: WinNT:\/\/FABRIKAM\/atl-fs-01\/Administrator. That tells us that we have a local account named Administrator which can be found on the computer atl-fs-01, which is a member of the Fabrikam domain. In other words, local accounts will always feature the name of the computer as part of the ADsPath; domain accounts will not. For example, here\u2019s what we get back when we echo back the ADsPath for the members of the Administrators group:<\/P>
WinNT:\/\/FABRIKAM\/atl-fs-01\/Administrator\nWinNT:\/\/FABRIKAM\/Domain Admins\nWinNT:\/\/FABRIKAM\/kenmyerp\nWinNT:\/\/FABRIKAM\/InfoSec Secure Environment\nWinNT:\/\/FABRIKAM\/atl-fs-01\/pilarackerman\nWinNT:\/\/FABRIKAM\/jonathanhaas\n<\/PRE>\n
There you have it. If you look closely, you\u2019ll see that the string \/atl-fs-01\/<\/B> appears in two of the paths: the one for Administrator and the one for PilarAckerman. Consequently, those two must be local accounts, and the other accounts must be domain accounts.<\/P>\n
But, needless to say, we don\u2019t want<\/I> to look closely, do we? Instead, we want the script to just tell us which accounts are local users and which accounts are domain users. The following script should do just that:<\/P>
strComputer = “atl-fs-01”\nstrTestString = “\/” & strComputer & “\/”<\/p>\n
Set colGroups = GetObject(“WinNT:\/\/” & strComputer & “\/Administrators”)<\/p>\n
For Each objUser In colGroups.Members\n    If InStr(objUser.AdsPath, strTestString) Then\n        Wscript.Echo “Local user: ” & objUser.Name\n    Else\n        Wscript.Echo “Domain user: ” & objUser.Name\n    End If\nNext\n<\/PRE>\n
As you can see, this script starts out by assigning the name of the computer to a variable named strComputer. We then take the name of that computer (atl-fs-01) and add a \/ to the beginning and the end (\/atl-fs-01\/). This value is assigned to a variable named strTestString. Why do we need to add the \/ to the beginning and the end? To be honest, it\u2019s more a safeguard than anything else. It\u2019s unlikely you would, say, have a domain named atl-fs-01999, but putting \/\u2019s before and after the computer name helps ensures we don\u2019t inadvertently identify a domain account as a local account. <\/P>\n
After setting up our variables we then use this line of code to bind to the local Administrators account on the computer atl-fs-01:<\/P>
Set colGroups = GetObject(“WinNT:\/\/” & strComputer & “\/Administrators”)\n<\/PRE>\n
What we want to do now is loop through the value of the Members<\/B> property, a multi-valued attribute that lists each of the members of the Administrators group. For each user in the group we use this line of code to determine whether our test string (\/atl-fs-01\/) can be found anywhere within the user\u2019s ADsPath:<\/P>
If InStr(objUser.AdsPath, strTestString) Then\n<\/PRE>\n
If the string is found, we assume that this is a local user and echo back that fact; if the string is not found then we assume that this is a domain user, and we echo back that<\/I> fact. When all is said and done, we get back a nice little report that looks like this:<\/P>
Local user: Administrator\nDomain user: Domain Admins\nDomain user: kenmyerp\nDomain user: InfoSec Secure Environment\nLocal user: pilarackerman\nDomain user: jonathanhaas\n<\/PRE>\n
It\u2019s not the fanciest output in the world, but it tells you what you need to know. <\/P>\n
So there you have it: the scripting version of What\u2019s My Line?<\/I> Next time out we\u2019ll do a scripting version of Fear Factor<\/I><\/B><\/A>. With that in mind, you might want to brush up on your spider eating and your banana slug daiquiri drinking. And don\u2019t forget to spend some time sitting in a bathtub filled with toads and alligators (although that\u2019s something every scripter should be doing anyway).<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! When using a script to return members of the local Administrators account, how can I distinguish between local users and domain users?— KS Hey, KS. You know, many years ago there was a TV game show called What\u2019s My Line? The premise of the show was that some person with an unusual […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,23,24,3,20,5],"class_list":["post-67543","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-local-accounts-and-windows-nt-4-0-accounts","tag-other-directory-services","tag-scripting-guy","tag-user-accounts","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! When using a script to return members of the local Administrators account, how can I distinguish between local users and domain users?— KS Hey, KS. You know, many years ago there was a TV game show called What\u2019s My Line? The premise of the show was that some person with an unusual […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/67543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=67543"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/67543\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=67543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=67543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=67543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}