Audit Local Group Memberships

Do you have a nagging feeling that there are local administrator accounts distributed throughout your domain? If you don’t have an easy way of finding all these accounts the sydi audit local group tool is just for you.


The script is included in the tools directory of SYDI Server. It works in the same way as SYDI Overview does. It parses SYDI-Server XML files and creates an Excel file containing a list of all your local groups on your client computers and member servers. The Excel file will have an overview sheet which lists all your groups and a separate sheet for each and every group. Viewing the individual sheets will show you the group members for every computer in your selection of XML files, this is provided that the group exists on the computer and that it has members.

Usage Scenarios

You might want to track how many local administrators you have in your organization, perhaps some users have been placed in the local administrators group “temporarily” but have now settled in with all the privileges it provides. Even if your organization doesn’t yet disallow local administrative access you still might want to be able to see in black and white which users have been granted this access. The Power Users group can be another group you want to monitor.

If you have a standardized environment your group structure on your clients should all look the same way. You can use the tool to find any additional groups which shouldn’t be there.

Using the Script

Like many other SYDI tools this script is written in vbscript and intended to be run from cscript.exe. To use it you provide an argument with the path to your SYDI Server output files:

Cscript.exe sydi-audit-localgroups.vbs -xN:\SYDI\Output