Solved

Tracking domain accounts in the administrator group

Posted on 2013-10-30
7
630 Views
Last Modified: 2013-11-04
Hello

Is there a tool/method to track a domain account that appears several times in the administrator groups on servers ?

Thanks
0
Comment
Question by:nico-
  • 3
  • 3
7 Comments
 
LVL 9

Expert Comment

by:stu29
ID: 39612082
Set up Audit logging in your security policy (either local or Group Policy), then check your Security logs.

4727 – A security-enabled global group was created.

4728 – A member was added to a security-enabled global group.

4730 – A security-enabled global group was deleted.

4731 – A security-enabled local group was created.

4732 – A member was added to a security-enabled local group.

4733 – A member was removed from a security-enabled local group.

4734 – A security-enabled local group was deleted.

4735 – A security-enabled local group was changed.

4737 – A security-enabled global group was changed.

4754 – A security-enabled universal group was created.

4755 – A security-enabled universal group was changed.

4756 – A member was added to a security-enabled universal group.

4757 – A member was removed from a security-enabled universal group.

4758 – A security-enabled universal group was deleted.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39612087
You can use below command to list members of groups.

dsget group "CN=GroupName,DC=domainame,DC=local" -members


In order to find out changes, creation or deletion events, you must keep the “Account Management” auditing enabled.


Apart from the auditing, you can use third party tools like Quest and Ntewrix to find out WHO changed WHAT, WHEN, and WHERE to list additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, group memberships.
 
NetWrix tool : http://www.netwrix.com/active_directory_change_reporting_freeware.html
 
Quest: http://www.quest.com/changeauditor-for-active-directory/
0
 
LVL 9

Expert Comment

by:stu29
ID: 39612117
If these are domain groups you can check the metadata also

repadmin /showobjmeta test-dc01 "CN=Test Group,OU=Groups,DC=techevan,DC=lab"

You will see something like

Type     Attribute     Last Mod Time         Originating DSA         Loc.USN          Org.USN Ver        Distinguished Name
===  ========  ===========      =================   ======= ======= === =========================
ABSENT   member        2010-11-05 16:55:28 TestSiteTEST-DC01  749327  749327   2  CN=Rick Sheikh,OU=Users,DC=techevan,DC=lab
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:nico-
ID: 39612256
Hello

Other way around.  Need to know how many times a domain account appears in the local administrators group in the server estate.

I've seen this done before but can't remember how.  Maybe a tool like AD Manager ?
0
 
LVL 9

Accepted Solution

by:
stu29 earned 400 total points
ID: 39612318
Try using powershell

PS C:\> invoke-command {
>> net localgroup administrators |
>> where {$_ -AND $_ -notmatch "command completed successfully"} |
>> select -skip 4
>> } -computer chi-fp01
>>
Administrator
GLOBOMANTICS\Chicago IT
GLOBOMANTICS\Domain Admins

Let’s go one more level and write an object to the pipeline and be better at handling output from multiple computers.

$members = net localgroup administrators |
 where {$_ -AND $_ -notmatch "command completed successfully"} |
 select -skip 4
New-Object PSObject -Property @{
 Computername = $env:COMPUTERNAME
 Group = "Administrators"
 Members=$members
 }

This will create a simple object with a properties for the computername, group name and members. Here’s how I can use it with Invoke-Command.

invoke-command {
$members = net localgroup administrators |
 where {$_ -AND $_ -notmatch "command completed successfully"} |
 select -skip 4
New-Object PSObject -Property @{
 Computername = $env:COMPUTERNAME
 Group = "Administrators"
 Members=$members
 }
} -computer chi-fp01,chi-win8-01,chi-ex01 -HideComputerName |
Select * -ExcludeProperty RunspaceID
0
 

Author Comment

by:nico-
ID: 39612449
way over my head that :) but it looks good.
0
 

Author Closing Comment

by:nico-
ID: 39621682
No idea if that was right :)
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now