  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 175

Detection Tool for Privileged Accounts

Due to history, in our enterprise we have all kinds of accounts mixed up.

Domain Admin must be removed from Local Admin
and Domain Admin groups must be removed from workstation and server local administrator group

etc.

Is there a tool that detects all those accounts "hidden" in an environment?

Further: I need to reset the PW on all those accounts once found; that tool should be able to do that.
0
DukewillNukem
Asked:
3 Solutions
 
kevinhsieh Commented:
You can use Restricted Groups in Group Policy to define the membership of the Administrators local group of domain joined machines. The policy will add missing members and delete extra members of the local groups you configure. If you plan on not having Domain Admins as a member of the local Administrators group, hopefully you have another group or user added or there won't be any users with local administrator rights!

http://support.microsoft.com/kb/279301
0
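The add-missing/delete-extra behaviour described in the answer above can be previewed per machine before a Restricted Groups policy is applied, which also answers the "detect" part of the question. The PowerShell below is an added example, not part of the original thread; the function name, the CONTOSO domain, the Workstation Admins group and all SIDs are constructed assumptions.

```powershell
# Added example. Domain name, group names and SIDs below are constructed.
function Compare-LocalAdminMembership {
    param(
        [Parameter(Mandatory)] [object[]] $Members,  # records with Computer, Name, SID
        [Parameter(Mandatory)] [string[]] $Allowed   # membership the policy would enforce
    )
    foreach ($pc in ($Members | Group-Object -Property Computer)) {
        # Local accounts are reported as "<computer>\<name>"; drop the machine
        # prefix so one allow-list works for every machine.
        $prefix = '^' + [regex]::Escape($pc.Name) + '\\'
        $actual = @($pc.Group | ForEach-Object { $_.Name -replace $prefix, '' })

        foreach ($m in $pc.Group) {
            $name = $m.Name -replace $prefix, ''
            if ($Allowed -notcontains $name) {       # the policy would delete this member
                [pscustomobject]@{
                    Computer = $pc.Name; Account = $name; Finding = 'Extra'
                    # RID 512 = Domain Admins, RID 519 = Enterprise Admins
                    IsDomainAdminGroup = [bool]($m.SID -match '^S-1-5-21-.+-(512|519)$')
                }
            }
        }
        foreach ($a in $Allowed) {
            if ($actual -notcontains $a) {           # the policy would add this member
                [pscustomobject]@{
                    Computer = $pc.Name; Account = $a; Finding = 'Missing'
                    IsDomainAdminGroup = $false
                }
            }
        }
    }
}

# Constructed sample input, shaped like the output of the live collection below.
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Computer = 'WS01';  Name = 'WS01\Administrator';    SID = 'S-1-5-21-4444444444-5555555555-6666666666-500' }
    [pscustomobject]@{ Computer = 'WS01';  Name = 'CONTOSO\Domain Admins'; SID = "$dom-512" }
    [pscustomobject]@{ Computer = 'WS01';  Name = 'CONTOSO\jsmith';        SID = "$dom-1104" }
    [pscustomobject]@{ Computer = 'SRV01'; Name = 'SRV01\Administrator';   SID = 'S-1-5-21-7777777777-8888888888-9999999999-500' }
)
# Live collection instead of $sample (assumes PowerShell remoting and a $computers list):
# $sample = Invoke-Command -ComputerName $computers -ScriptBlock {
#     Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, @{n='SID';e={$_.SID.Value}}
# } | Select-Object @{n='Computer';e={$_.PSComputerName}}, Name, SID

Compare-LocalAdminMembership -Members $sample -Allowed 'Administrator', 'CONTOSO\Workstation Admins' |
    Sort-Object Computer, Finding | Format-Table -AutoSize
```

On the sample data this flags Domain Admins and jsmith as extra members on WS01 and reports the allowed admin group as missing on both machines.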
 
Rich Rumble (Security Samurai) Commented:
Yeah it would be best to use AD to remove and re-assign the users/groups...
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
-rich
0
 
DukewillNukem (Author) Commented:
"Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups."
0

 
Rich Rumble (Security Samurai) Commented:
You would use Restricted Groups to remove any other user/group who isn't User-x or in Group-X... You will be resetting the local administrator group to what you want it to be. If you want Domain Admins to be the only ones in the local administrators, then you can do that; if you want JSmith to be the only local admin, you can do that...
-rich
0
 
DukewillNukem (Author) Commented:
What's the easiest way to accomplish that?
0
 
Rich Rumble (Security Samurai) Commented:
0
