Detection Tool for Privileged Accounts

Due to history, in our enterprise we have all kinds of accounts mixed up.

Domain Admin must be removed from Local Admin
and Domain Admin groups must be removed from workstation and server local administrator group

etc.

Is there a tool that detects all those accounts "hidden" in an environment?

Further: I need to reset the PW on all those accounts once found; that tool should be able to do that.
DukewillNukem Asked:

kevinhsieh Commented:
You can use Restricted Groups in Group Policy to define the membership of the Administrators local group of domain joined machines. The policy will add missing members and delete extra members of the local groups you configure. If you plan on not having Domain Admins as a member of the local Administrators group, hopefully you have another group or user added or there won't be any users with local administrator rights!

http://support.microsoft.com/kb/279301
Rich Rumble (Security Samurai) Commented:
Yeah it would be best to use AD to remove and re-assign the users/groups...
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
-rich
DukewillNukem (Author) Commented:
"Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups."

Rich Rumble (Security Samurai) Commented:
You would use Restricted groups to remove any other user/group who isn't User-x or in Group-X... You will be resetting the local administrator group to what you want it to be. If you want Domain Admins to be the only ones in the local administrators, then you can do that, if you want JSmith to be the only local admin, you can do that...
-rich
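An audit along the lines discussed in this thread, as an added example that is not part of any participant's post: before a policy resets local Administrators membership, it lists the current members on each machine and flags Domain Admins and anything not on the intended list. The domain name CONTOSO, the allow-list, the computer names and the use of PowerShell remoting are assumptions.

```powershell
# Added example, not from the thread. Assumptions: domain CONTOSO, the allow-list,
# the computer names, and WinRM remoting enabled on the targets (PowerShell 5.1+).
$Allowed   = @('CONTOSO\Workstation-Admins')   # hypothetical group that keeps admin rights
$Computers = @('WS001', 'SRV001')              # constructed sample names

function Get-AdminGroupFinding {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [object[]] $Members,      # Name, SID, Source as strings
        [string[]] $Allowed = @()
    )
    foreach ($m in $Members) {
        # Classify by well-known RID so renamed or localized names still match.
        if     ($m.SID -match '^S-1-5-21-.+-512$') { $status = 'DomainAdmins' }
        elseif ($m.SID -match '^S-1-5-21-.+-500$' -and $m.Source -eq 'Local') {
            $status = 'BuiltinAdministrator'
        }
        elseif ($Allowed -contains $m.Name) { $status = 'Allowed' }
        else                                { $status = 'NotInPolicy' }

        [pscustomobject]@{
            Computer = $ComputerName; Member = $m.Name; SID = $m.SID
            Source   = $m.Source;     Status = $status
        }
    }
}

$report = foreach ($c in $Computers) {
    try {
        # S-1-5-32-544 is BUILTIN\Administrators regardless of OS language.
        $members = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -SID 'S-1-5-32-544' |
                Select-Object Name,
                    @{ n = 'SID';    e = { $_.SID.Value } },
                    @{ n = 'Source'; e = { [string]$_.PrincipalSource } }
        }
        Get-AdminGroupFinding -ComputerName $c -Members $members -Allowed $Allowed
    } catch {
        # Unreachable or failing hosts are reported, not silently skipped.
        [pscustomobject]@{ Computer = $c; Member = $null; SID = $null
                           Source = $null; Status = "QueryFailed: $($_.Exception.Message)" }
    }
}

# Members that are neither allow-listed nor the built-in Administrator: review before enforcing.
$report | Where-Object { $_.Status -notin 'Allowed', 'BuiltinAdministrator' } |
    Sort-Object Computer, Status | Format-Table -AutoSize
```

Rows with status QueryFailed mark machines whose membership is still unknown and should be re-checked before the policy is enforced.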
DukewillNukemAuthor Commented:
What's the easiest way to accomplish that?
Rich Rumble (Security Samurai) Commented:
Question has a verified solution.