Security Basics mailing list archives
RE: Local PC Admin Group change - Alerts
From: "Bowers, Jeramy J" <jebowers () iupui edu>
Date: Mon, 20 Aug 2007 11:48:49 -0400
If I were tasked with monitoring (and ultimately controlling) this type of scenario, I'd make a choice based on a couple of criteria.

If there are a bunch of domain admins, but no/few others who need to be admins of their workstations, use group policy to define exactly the membership of the administrators group. Even if a domain admin adds an account to the local admins group, it is removed at the next policy refresh.

If the admins of a workstation are usually just the primary user, then create a logging method into SQL that runs via script at every restart or login. You can then quantify the admins of a workstation, and determine approximately when an admin was added to the workstation.

I've seen one method where an AD group is created for each computer needing one or more (non-domain admin) administrators. Then via GPO, only that group is allowed as admins of the PC (Pcname-Admins group for each computer). This can get a bit cumbersome if there are a lot of workstations needing admins.

Perhaps logging would be a good first step, so you can see what's actually going on with the admins group on your workstations.

JJB

-----Original Message-----
From: Tinu Koshy (CISD) [mailto:tkoshy () adco ae]
Sent: Thursday, August 16, 2007 8:01 AM
To: security-basics () securityfocus com
Subject: Local PC Admin Group change - Alerts

Dear List,

Is there a way to get information about changes done to the Local "Administrators" group of a PC that is attached to the domain? I know that it is possible to get information about changes in the user groups defined within the AD, but that is not my objective; instead my concern is about local admin / power user groups within individual PCs connected to the domain. I do not want to check in the event viewer of individual PCs but hoped to see this info come to a central place or to the event viewer of any of the domain controllers within the network whose logs are already being audited.
If anyone has thought about this before and knows a way to achieve it without the installation of any agent on PCs, barring a logon batch file if necessary, please would you let me know of the same.

Thanks,
Tinu Koshy

PS: My paranoia comes from the fact that we have over 40 domain administrators. I hope to put in a process correction there but only once I have some technical controls to back me.
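The "script at every restart or login that logs into SQL" approach from the reply above, as an added example (this is not code from the thread or from either poster). It enumerates the local Administrators group through the ADSI WinNT provider, which needs no agent and no extra modules, compares the membership against an expected baseline, and writes one row per member to a central table. The server name SQLSRV01, the AdminAudit database, the dbo.LocalAdmins table and the CONTOSO domain are assumptions; replace them with your own.

```powershell
# Added example, not code from the original thread. Runs as a GPO startup or
# logon script: enumerates the local Administrators group with the ADSI WinNT
# provider (no agent, no extra modules), flags members outside an expected
# baseline, and records every observation in a central SQL table.
# The server, database, table and baseline group names are assumptions.
param(
    [string]   $SqlServer = 'SQLSRV01',     # assumed central SQL Server
    [string]   $Database  = 'AdminAudit',   # assumed database
    [string[]] $Baseline  = @(
        "$env:COMPUTERNAME\Administrator",  # built-in local Administrator
        'CONTOSO\Domain Admins'             # assumed domain name
    )
)

# Expected table (assumption; create it once on the central server):
#   CREATE TABLE dbo.LocalAdmins (
#       Computer sysname, Member nvarchar(256), Expected bit, Observed datetime2)

function Get-LocalAdminMembers {
    param([string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Invoke('Members') returns COM objects; ADsPath is WinNT://DOMAIN/name
    # or WinNT://COMPUTER/name. Normalise to DOMAIN\name for comparison.
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    })
}

function Find-UnexpectedAdmins {
    param([string[]]$Members, [string[]]$Expected)
    # -notcontains is case-insensitive, matching how Windows treats account names
    $Members | Where-Object { $Expected -notcontains $_ }
}

function Write-AdminInventory {
    param([string]$Computer, [string[]]$Members, [string[]]$Expected)
    $connString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection($connString)
    $conn.Open()
    try {
        foreach ($m in $Members) {
            $cmd = $conn.CreateCommand()
            # Parameterised insert: member names are attacker-influenced input
            $cmd.CommandText = 'INSERT INTO dbo.LocalAdmins (Computer, Member, Expected, Observed) ' +
                               'VALUES (@c, @m, @e, @t)'
            [void]$cmd.Parameters.AddWithValue('@c', $Computer)
            [void]$cmd.Parameters.AddWithValue('@m', $m)
            [void]$cmd.Parameters.AddWithValue('@e', [int]($Expected -contains $m))
            [void]$cmd.Parameters.AddWithValue('@t', (Get-Date))
            [void]$cmd.ExecuteNonQuery()
        }
    } finally {
        $conn.Close()
    }
}

$members    = Get-LocalAdminMembers
$unexpected = @(Find-UnexpectedAdmins -Members $members -Expected $Baseline)

# Make the deviation visible locally as well; the SQL rows are what you
# actually query centrally ("which PCs have rows with Expected = 0?").
foreach ($u in $unexpected) {
    Write-Warning "$env:COMPUTERNAME: unexpected local Administrators member '$u'"
}
Write-AdminInventory -Computer $env:COMPUTERNAME -Members $members -Expected $Baseline
```

Deploy it as a computer startup script if you want it to run as SYSTEM (then the computer account needs INSERT rights on the table) or as a user logon script if you want it to run as the user, as the original poster suggested. Either way this is detection, not enforcement: a domain admin can still edit the group or disable the script, so pair it with the Restricted Groups policy described in the reply, which puts the group back at the next refresh. Comparing successive rows for the same computer gives the approximate time a member appeared, and the rows with Expected = 0 are the ones to alert on.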
Current thread:
- Local PC Admin Group change - Alerts Tinu Koshy (CISD) (Aug 17)
- RE: Local PC Admin Group change - Alerts Bowers, Jeramy J (Aug 20)
- RE: Local PC Admin Group change - Alerts Roger A. Grimes (Aug 20)
- Re: Local PC Admin Group change - Alerts Kurt Buff (Aug 20)
- Re: Local PC Admin Group change - Alerts Rob Creely (Aug 21)