Security Basics mailing list archives

RE: Local PC Admin Group change - Alerts


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 17 Aug 2007 23:07:23 -0400

What you're asking cannot be done in Windows without some other sort of
adjunct tool or agent. Turn on Audit Account Management on each PC, then
have an agent report the event to a central collection site/tool.
Alternatively, you can use a remote query tool, like log parser, or a
script to remotely query each PC at pre-set intervals to collect the
information. But really, it's better to have a client-agent tool to
report the event when it occurs instead of making lots of remote queries
that usually return nothing.

Also, you can use AD's Restricted Groups feature to help keep your local
groups restricted to just the membership you want.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger () banneretcs com or rogrim () microsoft com
*Author of Windows Vista Security: Securing Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*******************************************************************
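The polling approach Roger describes (turn on Audit Account Management on each PC, then have a script query each machine's Security log at set intervals and send the results somewhere central) can be done with the script below. It is an added example written for this archive page, not Roger's or Microsoft's code. It assumes the group-management audit events are being logged on the targets, that the account running it has remote read access to their Security logs (with the Remote Event Log Management firewall rule allowed), and that the hostnames and output path are placeholders you replace. It looks for event IDs 4732 and 4733 (member added to / removed from a security-enabled local group), which are the Vista/2008-and-later equivalents of the 636/637 events logged by Windows XP/2003 under Audit Account Management.

```powershell
# Added example (not from the original thread): poll each domain PC's Security log
# for local-group membership changes and append them to one central CSV.
# Assumptions: Audit Account Management (or the "Security Group Management"
# subcategory) is enabled on the targets, the caller can read their Security
# logs remotely, and the hostnames/output path below are placeholders.
param(
    [string[]] $Computers       = @('PC01', 'PC02'),                  # placeholder hostnames
    [string]   $Output          = 'C:\Audit\local-group-changes.csv', # central collection file
    [int]      $LookbackMinutes = 60,                                 # match this to the polling interval
    [string[]] $WatchedGroups   = @('Administrators', 'Power Users')
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

foreach ($pc in $Computers) {
    try {
        # 4732 = member added to a security-enabled local group, 4733 = member removed
        $events = Get-WinEvent -ComputerName $pc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4732, 4733
            StartTime = $since
        }
    } catch {
        # "No events were found" is the normal result for most PCs on most polls;
        # anything else (RPC unavailable, access denied) is worth a warning.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$pc : $($_.Exception.Message)"
        }
        continue
    }

    foreach ($ev in $events) {
        # Read the named EventData fields from the event XML rather than the
        # positional Properties array, whose order differs between event IDs.
        $data = @{}
        ([xml] $ev.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        # Only report changes to the groups we care about (TargetUserName is the group)
        if ($WatchedGroups -notcontains $data['TargetUserName']) { continue }

        [pscustomobject] @{
            Time      = $ev.TimeCreated
            Computer  = $pc
            Action    = if ($ev.Id -eq 4732) { 'Added' } else { 'Removed' }
            Group     = $data['TargetUserName']
            # MemberName is often "-" for domain principals; fall back to the SID
            Member    = if ($data['MemberName'] -ne '-') { $data['MemberName'] } else { $data['MemberSid'] }
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        } | Export-Csv -Path $Output -Append -NoTypeInformation
    }
}
```

Run it from a scheduled task on the collection host with `$LookbackMinutes` slightly larger than the task interval so a slow poll does not leave a gap. As Roger notes, most polls return nothing, which is exactly why an agent that forwards the event as it happens (or Windows Event Forwarding to a collector) scales better than this kind of sweep; the script is the no-agent fallback the original question asked for.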



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Tinu Koshy (CISD)
Sent: Thursday, August 16, 2007 8:01 AM
To: security-basics () securityfocus com
Subject: Local PC Admin Group change - Alerts


Dear List,

Is there a way to get information about changes done to the Local
"Administrators" group of a PC that is attached to the domain? I know
that it is possible to get information about changes in the user groups
defined within the AD, but that is not my objective; instead, my concern
is about local admin / power user groups within individual PCs connected
to the domain.

I do not want to check in the event viewer of individual PCs but hoped
to see this info come to a central place or to the event viewer of any
of the domain controllers within the network whose logs are already
being audited.

If anyone has thought about this before and knows a way to achieve it without
the installation of any agent on PCs, barring a logon batch file if
necessary, please would you let me know of the same.

Thanks,
Tinu Koshy

PS: My paranoia comes from the fact that we have over 40 domain
administrators. I hope to put in a process correction there but only
once I have some technical controls to back me.

