
Thread: How to know the members of local Administrators group in Windows 2003

Last post 07-21-2009 11:22 AM by umacf24. 1 replies.


  • 06-29-2009, 8:15 AM

    • gsiqadm
    • Not Ranked
    • Joined on 06-27-2009, 1:16 PM
    • Posts 1

    How to know the members of local Administrators group in Windows 2003

    Hi all,


    My company policies say that I have to at all times see who uses the administrator accounts. I've been using Logparser to import the Security log and Application log (for the SQL server) into a SQL server. I'm using MS Access to extract reports. This is OK.

    The problem is to know at all times who is in the group Local Administrators. Normally these are known users, but in this hacker world you never know. So I wish, someway, to import into an SQL table all the users of Local Administrators, whether they are domain users or local users. Hope someone has any ideas using Logparser combined with WMI.

    Thanks

    Gsiqadm

  • 07-21-2009, 11:22 AM In reply to

    • umacf24
    • Not Ranked
    • Joined on 07-21-2009, 9:59 AM
    • Posts 1

    Re: How to know the members of local Administrators group in Windows 2003

    That's more of a snapshot question than an event question.

    Logparser could give you the 636 events when users are put into the Administrators and Power Users local groups (following the advice that "Power Users are just Administrators who haven't made themselves into Administrators yet"). The query to do that is something like this (%Name% is the name of the system you are looking at, and we're looking for SIDs instead of "Administrators" because you'll want to be language independent):

     select TimeGenerated, ComputerName, Strings
     from \\%Name%\Security
     where
       ((EventID = 636) or (EventID = 637))
       and
       ((Strings like '%{S-1-5-32-544}%') or (Strings like '%{S-1-5-32-547}%'))

    But that only tells you what happened, and it won't even tell you that if the log is erased by an unwanted admin (and it only gives you the SIDs of the accounts added -- use psgetsid to look them up). So you need a different -- snapshot -- approach. I wrote a Perl script to do that -- basically using the network remote management API in Windows -- but I'm not posting it here because I'll get heckled, and it depends on a lot of monitoring infrastructure.

    To be honest, I think the best approach now would be VB and WMI, and I think the Scripting Guys published something similar on TechNet recently.
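The snapshot approach umacf24 describes, written as a PowerShell/WMI example that is not part of either post and is not the script the reply mentions. It takes the same language-independent route as the Logparser query above: the two groups are looked up by their well-known SIDs (S-1-5-32-544 Administrators, S-1-5-32-547 Power Users), every member of each group is read through the Win32_GroupUser association, whether the account is local or from the domain, and the result is written to a CSV that can be bulk-loaded into the SQL table the original poster wants. A small Resolve-Sid helper covers the "use psgetsid to look them up" step for the SIDs found in the 636/637 event Strings. The parameter name $ComputerName, the output path and the function names are assumptions; running it against a remote Windows 2003 host assumes DCOM/WMI access with administrator rights on that host.

```powershell
# Snapshot of local Administrators / Power Users membership via WMI.
# Example code, not from the original thread. Assumed parameter names.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$OutFile = "$env:TEMP\admin-snapshot.csv"
)

# Well-known SIDs: the same ones the Logparser query above searches for.
$groupSids = @('S-1-5-32-544', 'S-1-5-32-547')

function Resolve-Sid {
    # Replacement for psgetsid: SID string -> DOMAIN\name (or $null if unresolvable).
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

function Get-LocalGroupSnapshot {
    param([string]$Computer, [string]$GroupSid)

    # Find the group by SID so the script is language independent.
    $group = Get-WmiObject -ComputerName $Computer -Class Win32_Group `
        -Filter "LocalAccount=True AND SID='$GroupSid'"
    if (-not $group) { return }

    # Win32_GroupUser links a group (GroupComponent) to each member (PartComponent).
    # The GroupComponent reference looks like:
    #   \\HOST\root\cimv2:Win32_Group.Domain="HOST",Name="Administrators"
    $pattern = '*Win32_Group.Domain="{0}",Name="{1}"' -f $group.Domain, $group.Name
    $links = Get-WmiObject -ComputerName $Computer -Class Win32_GroupUser |
        Where-Object { $_.GroupComponent -like $pattern }

    $now = Get-Date
    foreach ($link in $links) {
        # PartComponent looks like:
        #   \\HOST\root\cimv2:Win32_UserAccount.Domain="CORP",Name="jdoe"
        # and may also be a nested Win32_Group or a Win32_SystemAccount.
        if ($link.PartComponent -match 'Win32_(\w+)\.Domain="([^"]+)",Name="([^"]+)"') {
            New-Object PSObject -Property @{
                Snapshot   = $now
                Computer   = $Computer
                GroupSid   = $GroupSid
                GroupName  = $group.Name
                MemberType = $Matches[1]              # UserAccount, Group or SystemAccount
                Member     = '{0}\{1}' -f $Matches[2], $Matches[3]
                IsDomain   = ($Matches[2] -ne $group.Domain)
            }
        }
    }
}

# Collect both groups into one table and write it out for import into SQL.
$rows = foreach ($sid in $groupSids) {
    Get-LocalGroupSnapshot -Computer $ComputerName -GroupSid $sid
}
$rows | Select-Object Snapshot, Computer, GroupSid, GroupName, MemberType, Member, IsDomain |
    Export-Csv -NoTypeInformation -Path $OutFile
$rows | Format-Table Computer, GroupName, MemberType, Member, IsDomain -AutoSize

# The same helper resolves the SIDs that appear in the 636/637 event Strings:
Resolve-Sid 'S-1-5-32-544'   # e.g. BUILTIN\Administrators
```

Scheduling this on each server and loading the CSV alongside the Logparser output gives a point-in-time membership list to compare against the 636/637 add/remove events: a member present in the snapshot with no matching 636 event is exactly the case where the log was cleared or the change happened outside the monitored window. Note that 636 and 637 are the Windows 2003 event IDs; on Windows Vista/2008 and later the equivalent events are 4732 and 4733.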

Microsoft Communities