Solved

Check account permissions

Posted on 2014-09-23
3
287 Views
Last Modified: 2014-09-30
Hi,

I'm trying to create a more secure network. One of the actions is to reduce the ammount of accounts with admistrator permissions. There are a few account that probably have something to do with an application or service.

Is there a way to check for what an account is used on a server or in the network?

Network contains a Windows Server 2003 domain and a Windows Server 2012 domain.
0
Comment
Question by:SvenIA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 28

Accepted Solution

by:
Dan McFadden earned 350 total points
ID: 40338824
Doing a security audit (which is what your question is about) can be a significant project... just a heads-up.

The basics are to identify administrator groups at the following levels:

1. Enterprise
2. Domain
3. Local (individual servers and/or workstations)

You will have to examine admin groups in all of your user domains and your root domain to determine who users or groups have admin access.  If you find groups that are members of an admin group, you will have to audit that group as well.

Depending on how deep of an audit you want to do, you will want to membership in the following AD groups:

1. Administrators
2. Enterprise Admins
3. Domain Admins
4. Schema Admins
5. Server Operators
6. Backup Operators
7. Account Operators

On the individual servers (non-Domain Controllers and workstations):

1. Administators

After you have completed the identify tasks, you'll need to ask why these user accounts have admin access and then figure out if they really need such unrestrained permissions.

If you have Powershell available, you can run the following command to get the membership of the groups listed above:

Get-ADGroupMember -Serve "<YourDomainControllerServerName>" -Identity "Enterprise Admins" | select objectClass,name,distinguishedName | ft -auto

Open in new window


To get the list into a CSV file:

Get-ADGroupMember -Serve "<YourDomainControllerServerName>" -Identity "Enterprise Admins" | select objectClass,name,distinguishedName | Export-Csv -Path c:\test\Group-EA.csv -Encoding ascii -NoTypeInformation

Open in new window


You would just need to replace the contents of the "Identity" switch on the command line with various AD group names as well as the name of the output file in the "Path" switch.

Hope this helps...

Dan
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 150 total points
ID: 40338831
For starters, check what users are members of what groups as mentioned about.  Next, find out what accounts are used as service accounts.  You could do that by running the following PowerShell command:

gwmi win32_service | ft caption, startname -AutoSize

Next, look at scheduled tasks and see if there are any tasks running under a domain username.  Easiest way to do is to run the following command:

schtasks /query /v /s targetcomputername | find "domainname\"

i.e.  You want a list from dom1dc01 and the domain name is Domain1 then you run:
schtasks /query /v /s dom1dc01 | find "DOMAIN1\"
0
 
LVL 7

Author Closing Comment

by:SvenIA
ID: 40351836
Thanks guys!
0

Featured Post

Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
A hard and fast method for reducing Active Directory Administrators members.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question