From: Teh Fizzgig (fizzgig foofus.net)
Date: Sun Apr 08 2007 - 15:58:54 CDT
WALI wrote:
>
> Hi, on the same lines as an earlier poster who sought to find Blank
> passwords, I was wondering if there is a way to find out, as to who all
> have Local Administration Rights in my domain?
We have a tool we use internally that's not 100% stable called OWNR. The
module that performs this action uses the NetUserGetInfo API function
to do its dirty work by looking at the usri11_priv field (using the
"USER_INFO_11" information structure - this makes more sense when you
read the API docs). :) I haven't really spent any time searching out a
ready-made tool to do it, but it would be pretty easy to write a
script/simple program to do this. Look for accounts which have a user
privilege level of 2. Those will be your admin accounts. Keep in mind
you *may* need to have admin privileges to run this API with this level
of detail (easy enough if you are a domain admin).
FWIW, I am working on a new version of this tool for public consumption
that will address this as well as a lot more Windows domain data
gathering tasks. I'll post to the list as the release draws closer - I
imagine I'm still at least a month out. If you want help writing a
script/program though let me know, since I've already done it. :)
> I mean, what I want to audit is if our Helpdesk personnel have scrupulously
> given Local Admin rights on workstations, or created user accounts with
> Local Admin rights for their friends/acquaintances etc.
Indeed - we strongly recommend to our customers that they audit this
frequently. This is obviously easy at a domain level, but monitoring
local admin accounts can be a pain.
> I was wondering, if there is an alternative to restrict HelpDesk from
> knowing local Admin username and password and still do not affect their
> ability to troubleshoot a problem in case they need to have escalated
> rights on someone's PC?
Make them a member of a domain group that is in the Administrators group
on local workstations? I strongly advise against giving HelpDesk folks
domain admin credentials unless they are the same ones doing actual
domain-level sys admin tasks. This is pushable via group policy.
--fizzgig
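As an added example, not code from the original post or from the OWNR tool it mentions, the following PowerShell script implements the check fizzgig describes: it reads the usri11_priv field of the USER_INFO_11 structure for each account on a machine and reports the ones at privilege level 2 (USER_PRIV_ADMIN). It calls NetUserEnum at information level 11 rather than NetUserGetInfo, so one call covers every account on the host instead of one named account; the structure and the priv values are the same. It assumes Windows with netapi32.dll, and, as the reply warns, admin rights on each target for level 11. The Get-AdminPrivAccount function name and the $workstations list are my own; the list is constructed for illustration.

```powershell
# Added example (not from the original post or OWNR): find local accounts whose
# USER_INFO_11.usri11_priv is USER_PRIV_ADMIN (2) via NetUserEnum level 11.
# Assumes Windows, netapi32.dll, and admin rights on the target (needed for level 11).

$netApiSource = @'
using System;
using System.Runtime.InteropServices;

public static class NetApi
{
    // Field order and types follow the Win32 USER_INFO_11 definition (lmaccess.h).
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_11
    {
        public string usri11_name;
        public string usri11_comment;
        public string usri11_usr_comment;
        public string usri11_full_name;
        public uint   usri11_priv;          // 0 = guest, 1 = user, 2 = admin
        public uint   usri11_auth_flags;
        public uint   usri11_password_age;
        public string usri11_home_dir;
        public string usri11_parms;
        public uint   usri11_last_logon;
        public uint   usri11_last_logoff;
        public uint   usri11_bad_pw_count;
        public uint   usri11_num_logons;
        public string usri11_logon_server;
        public uint   usri11_country_code;
        public string usri11_workstations;
        public uint   usri11_max_storage;
        public uint   usri11_units_per_week;
        public IntPtr usri11_logon_hours;
        public uint   usri11_code_page;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserEnum(
        string servername, int level, int filter, out IntPtr bufptr,
        int prefmaxlen, out int entriesread, out int totalentries, ref int resume_handle);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@
if (-not ('NetApi' -as [type])) { Add-Type -TypeDefinition $netApiSource }

function Get-AdminPrivAccount {
    # Hypothetical helper: returns one object per account on $ComputerName with priv level 2.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $USER_PRIV_ADMIN       = 2
    $FILTER_NORMAL_ACCOUNT = 2      # enumerate ordinary (non-trust, non-machine) accounts
    $MAX_PREFERRED_LENGTH  = -1     # let the API allocate a buffer for all entries
    $ERROR_MORE_DATA       = 234

    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    $status = [NetApi]::NetUserEnum("\\$ComputerName", 11, $FILTER_NORMAL_ACCOUNT,
                                    [ref]$buf, $MAX_PREFERRED_LENGTH,
                                    [ref]$read, [ref]$total, [ref]$resume)
    if ($status -ne 0 -and $status -ne $ERROR_MORE_DATA) {
        throw "NetUserEnum on $ComputerName failed with status $status (5 = access denied)"
    }
    try {
        $type = [NetApi+USER_INFO_11]
        $size = [System.Runtime.InteropServices.Marshal]::SizeOf([type]$type)
        for ($i = 0; $i -lt $read; $i++) {
            # The buffer is a contiguous array of USER_INFO_11; walk it entry by entry.
            $ptr  = [IntPtr]::Add($buf, $i * $size)
            $info = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type]$type)
            if ($info.usri11_priv -eq $USER_PRIV_ADMIN) {
                [pscustomobject]@{
                    Computer = $ComputerName
                    Account  = $info.usri11_name
                    Priv     = $info.usri11_priv
                    Logons   = $info.usri11_num_logons
                }
            }
        }
    } finally {
        if ($buf -ne [IntPtr]::Zero) { [void][NetApi]::NetApiBufferFree($buf) }
    }
}

# Constructed target list for the audit loop; replace with names pulled from the domain.
$workstations = @($env:COMPUTERNAME)
$workstations | ForEach-Object { Get-AdminPrivAccount -ComputerName $_ } | Format-Table -AutoSize
```

One caveat worth keeping in mind when reading the output: NetUserEnum against a workstation lists that machine's local accounts only, so a domain group nested in the local Administrators group (the arrangement the reply recommends for HelpDesk) does not appear here. To see those, enumerate the Administrators group's members on each host (NetLocalGroupGetMembers, or Get-LocalGroupMember on recent Windows) alongside this privilege-level check.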