Re: How to find the users with local admin rights?

From: Teh Fizzgig (fizzgig@foofus.net)
Date: Sun Apr 08 2007 - 16:58:54 EDT


WALI wrote:
>
> Hi, on the same lines as an earlier poster who sought to find blank
> passwords, I was wondering if there is a way to find out who all
> have Local Administration Rights in my domain?

We have a tool we use internally that's not 100% stable called OWNR. The
module that performs this action uses the NetUserGetInfo API function
to do its dirty work by looking at the usri11_priv field (using the
"USER_INFO_11" information structure - this makes more sense when you
read the API docs). :) I haven't really spent any time searching out a
ready-made tool to do it, but it would be pretty easy to write a
script/simple program to do this. Look for accounts which have a user
privilege level of 2. Those will be your admin accounts. Keep in mind
you *may* need to have admin privileges to run this API with this level
of detail (easy enough if you are a domain admin).

FWIW, I am working on a new version of this tool for public consumption
that will address this as well as a lot more Windows domain data
gathering tasks. I'll post to the list as the release draws closer - I
imagine I'm still at least a month out. If you want help writing a
script/program though let me know, since I've already done it. :)

> I mean, what I want to audit is if our Helpdesk personnel have scrupulously
> given Local Admin rights on workstations, or created user accounts with
> Local Admin rights for their friends/acquaintances etc.

Indeed - we strongly recommend to our customers that they audit this
frequently. This is obviously easy at a domain level, but monitoring
local admin accounts can be a pain.

> I was wondering if there is an alternative to restrict HelpDesk from
> knowing the local Admin username and password and still not affect their
> ability to troubleshoot a problem in case they need to have escalated
> rights on someone's PC?

Make them a member of a domain group that is in the Administrators group
on local workstations? I strongly advise against giving HelpDesk folks
domain admin credentials unless they are the same ones doing actual
domain-level sys admin tasks. This is pushable via group policy.

--fizzgig
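
The check described in the reply above, written with Python ctypes as an added example (not part of the original post and not OWNR's code). It lists account names with NetUserEnum, which the post does not mention and is assumed here, then reads usri11_priv through NetUserGetInfo at level 11; the helper names account_from_buffer and admin_accounts are made up for this example.

```python
import ctypes
import sys
from ctypes import POINTER, Structure, byref, c_uint32, c_void_p, c_wchar_p, cast

USER_PRIV_GUEST, USER_PRIV_USER, USER_PRIV_ADMIN = 0, 1, 2  # usri11_priv values
FILTER_NORMAL_ACCOUNT, MAX_PREFERRED_LENGTH = 0x0002, 0xFFFFFFFF
NERR_SUCCESS, ERROR_MORE_DATA = 0, 234

class USER_INFO_0(Structure):
    _fields_ = [("usri0_name", c_wchar_p)]

class USER_INFO_11(Structure):
    # Only the leading fields are declared; that is enough to read usri11_priv
    # from the single structure NetUserGetInfo returns.
    _fields_ = [("usri11_name", c_wchar_p), ("usri11_comment", c_wchar_p),
                ("usri11_usr_comment", c_wchar_p), ("usri11_full_name", c_wchar_p),
                ("usri11_priv", c_uint32)]

def account_from_buffer(buf):
    """Decode the USER_INFO_11 that buf (a c_void_p) points at into (name, priv)."""
    info = cast(buf, POINTER(USER_INFO_11)).contents
    return info.usri11_name, info.usri11_priv

def admin_accounts(server=None):
    """Names of accounts on server (None = this machine) whose usri11_priv is 2."""
    api = ctypes.WinDLL("netapi32")  # Windows only
    api.NetUserEnum.argtypes = [c_wchar_p, c_uint32, c_uint32, POINTER(c_void_p), c_uint32,
                                POINTER(c_uint32), POINTER(c_uint32), POINTER(c_uint32)]
    api.NetUserGetInfo.argtypes = [c_wchar_p, c_wchar_p, c_uint32, POINTER(c_void_p)]
    api.NetApiBufferFree.argtypes = [c_void_p]
    names, resume, rc = [], c_uint32(0), ERROR_MORE_DATA
    while rc == ERROR_MORE_DATA:  # level 0 enumeration: account names only
        buf, read, total = c_void_p(), c_uint32(), c_uint32()
        rc = api.NetUserEnum(server, 0, FILTER_NORMAL_ACCOUNT, byref(buf), MAX_PREFERRED_LENGTH,
                             byref(read), byref(total), byref(resume))
        if rc not in (NERR_SUCCESS, ERROR_MORE_DATA):
            raise OSError(rc, "NetUserEnum failed")
        entries = cast(buf, POINTER(USER_INFO_0))
        names += [entries[i].usri0_name for i in range(read.value)]
        api.NetApiBufferFree(buf)
    admins = []
    for name in names:  # level 11 lookup per account, as described in the post
        buf = c_void_p()
        if api.NetUserGetInfo(server, name, 11, byref(buf)) == NERR_SUCCESS:
            if account_from_buffer(buf)[1] == USER_PRIV_ADMIN:
                admins.append(name)
            api.NetApiBufferFree(buf)
    return admins

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. \\WORKSTATION01 (constructed name)
    print("\n".join(admin_accounts(target)))
```

This reports accounts held in the target machine's own account database. Domain accounts or groups that were added to a workstation's Administrators group do not show up this way; NetLocalGroupGetMembers on that group lists them.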



