?
Solved

Tracking domain accounts in the administrator group

Posted on 2013-10-30
7
Medium Priority
?
650 Views
Last Modified: 2013-11-04
Hello

Is there a tool/method to track a domain account that appears several times in the administrator groups on servers ?

Thanks
0
Comment
Question by:nico-
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 9

Expert Comment

by:stu29
ID: 39612082
Set up Audit logging in your security policy (either local or Group Policy), then check your Security logs.

4727 – A security-enabled global group was created.

4728 – A member was added to a security-enabled global group.

4730 – A security-enabled global group was deleted.

4731 – A security-enabled local group was created.

4732 – A member was added to a security-enabled local group.

4733 – A member was removed from a security-enabled local group.

4734 – A security-enabled local group was deleted.

4735 – A security-enabled local group was changed.

4737 – A security-enabled global group was changed.

4754 – A security-enabled universal group was created.

4755 – A security-enabled universal group was changed.

4756 – A member was added to a security-enabled universal group.

4757 – A member was removed from a security-enabled universal group.

4758 – A security-enabled universal group was deleted.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39612087
You can use below command to list members of groups.

dsget group "CN=GroupName,DC=domainame,DC=local" -members


In order to find out changes, creation or deletion events, you must keep the “Account Management” auditing enabled.


Apart from the auditing, you can use third party tools like Quest and Ntewrix to find out WHO changed WHAT, WHEN, and WHERE to list additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, group memberships.
 
NetWrix tool : http://www.netwrix.com/active_directory_change_reporting_freeware.html
 
Quest: http://www.quest.com/changeauditor-for-active-directory/
0
 
LVL 9

Expert Comment

by:stu29
ID: 39612117
If these are domain groups you can check the metadata also

repadmin /showobjmeta test-dc01 "CN=Test Group,OU=Groups,DC=techevan,DC=lab"

You will see something like

Type     Attribute     Last Mod Time         Originating DSA         Loc.USN          Org.USN Ver        Distinguished Name
===  ========  ===========      =================   ======= ======= === =========================
ABSENT   member        2010-11-05 16:55:28 TestSiteTEST-DC01  749327  749327   2  CN=Rick Sheikh,OU=Users,DC=techevan,DC=lab
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:nico-
ID: 39612256
Hello

Other way around.  Need to know how many times a domain account appears in the local administrators group in the server estate.

I've seen this done before but can't remember how.  Maybe a tool like AD Manager ?
0
 
LVL 9

Accepted Solution

by:
stu29 earned 1200 total points
ID: 39612318
Try using powershell

PS C:\> invoke-command {
>> net localgroup administrators |
>> where {$_ -AND $_ -notmatch "command completed successfully"} |
>> select -skip 4
>> } -computer chi-fp01
>>
Administrator
GLOBOMANTICS\Chicago IT
GLOBOMANTICS\Domain Admins

Let’s go one more level and write an object to the pipeline and be better at handling output from multiple computers.

$members = net localgroup administrators |
 where {$_ -AND $_ -notmatch "command completed successfully"} |
 select -skip 4
New-Object PSObject -Property @{
 Computername = $env:COMPUTERNAME
 Group = "Administrators"
 Members=$members
 }

This will create a simple object with a properties for the computername, group name and members. Here’s how I can use it with Invoke-Command.

invoke-command {
$members = net localgroup administrators |
 where {$_ -AND $_ -notmatch "command completed successfully"} |
 select -skip 4
New-Object PSObject -Property @{
 Computername = $env:COMPUTERNAME
 Group = "Administrators"
 Members=$members
 }
} -computer chi-fp01,chi-win8-01,chi-ex01 -HideComputerName |
Select * -ExcludeProperty RunspaceID
0
 

Author Comment

by:nico-
ID: 39612449
way over my head that :) but it looks good.
0
 

Author Closing Comment

by:nico-
ID: 39621682
No idea if that was right :)
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question