RE: Local PC Admin Group change - Alerts

["Bowers, Jeramy J" <jebowers () iupui edu>]

If I were tasked with monitoring (and ultimately controlling) this type
of scenario, I'd make a choice based on a couple of criteria.  If there
are a bunch of domain admins, but no/few others who need to be admins of
their workstations, use group policy to define exactly the membership of
the administrators group.  Even if a domain admin adds an acconut to the
local admins group, it is removed at the next policy refresh.  

If the admins of a workstation are usually just the primary user, then
create a logging method into SQL that runs via script at every restart
or login.  You can then quantify the admins of a workstation, and
determine approximately when an admin was added to the workstation.

I've seen one method where an AD group is created for each computer
needing one or more (non-domain admin) administrators.  Then via GPO,
only that group is allowed as admins of the PC (Pcname-Admins group for
each computer).  This can get a bit cumbersome if there are a lot of
workstations needing admins.

Perhaps logging would be a good first step, so you can see what's
actually going on with the admins group on your workstations.

JJB

-----Original Message-----
From: Tinu Koshy (CISD) [mailto:tkoshy () adco ae] 
Sent: Thursday, August 16, 2007 8:01 AM
To: security-basics () securityfocus com
Subject: Local PC Admin Group change - Alerts


Dear List,

Is there a way to get information about changes done to the Local
"Administrators" group of a PC that is attached to the domain. I know
that it is possible to get information about changes in the user groups
defined within the AD, but that is not my objective instead my concern
is about local admin / power user groups within individual PCs connected
to the domain.

I do not want to check in the event viewer of individiual PCs but hoped
to see this info come to a central place or to the event viewer of any
of the domain controllers within the network whose logs are already
being audited.

If anyone has thought abt this before & know a way to achieve it without
the installation of any agent on PCs barring a logon batch file if
necessary, please would you let me know of the same.

Thanks,
Tinu Koshy

PS: My paranoia comes from the fact that we have over 40 domain
administrators. I hope to put in a process correction there but only
once I have some technical controls to back me.
===========================================================
Disclaimer: The information in this email and in any files Transmitted
with it is intended only for the addressee and may contain confidential
and/or privileged material. Access to this email by anyone other than
the intended recipient is unauthorized. If you receive this in error,
please contact the sender immediately and delete the material from any
computer.  If you are not the intended recipient, any disclosure,
copying, distribution or any action taken or omitted to be taken in
reliance on it, is strictly prohibited and Abu Dhabi Company For Onshore
Oil Operations (ADCO) is not responsible for any consequence from such
unauthorized usage.  Statement and opinions expressed in this e-mail are
those of the sender, and do not necessarily reflect those of Abu Dhabi
Company For Onshore Oil Operations (ADCO).