Solved

Check account permissions

Posted on 2014-09-23
3
284 Views
Last Modified: 2014-09-30
Hi,

I'm trying to create a more secure network. One of the actions is to reduce the ammount of accounts with admistrator permissions. There are a few account that probably have something to do with an application or service.

Is there a way to check for what an account is used on a server or in the network?

Network contains a Windows Server 2003 domain and a Windows Server 2012 domain.
0
Comment
Question by:SvenIA
3 Comments
 
LVL 27

Accepted Solution

by:
Dan McFadden earned 350 total points
ID: 40338824
Doing a security audit (which is what your question is about) can be a significant project... just a heads-up.

The basics are to identify administrator groups at the following levels:

1. Enterprise
2. Domain
3. Local (individual servers and/or workstations)

You will have to examine admin groups in all of your user domains and your root domain to determine who users or groups have admin access.  If you find groups that are members of an admin group, you will have to audit that group as well.

Depending on how deep of an audit you want to do, you will want to membership in the following AD groups:

1. Administrators
2. Enterprise Admins
3. Domain Admins
4. Schema Admins
5. Server Operators
6. Backup Operators
7. Account Operators

On the individual servers (non-Domain Controllers and workstations):

1. Administators

After you have completed the identify tasks, you'll need to ask why these user accounts have admin access and then figure out if they really need such unrestrained permissions.

If you have Powershell available, you can run the following command to get the membership of the groups listed above:

Get-ADGroupMember -Serve "<YourDomainControllerServerName>" -Identity "Enterprise Admins" | select objectClass,name,distinguishedName | ft -auto

Open in new window


To get the list into a CSV file:

Get-ADGroupMember -Serve "<YourDomainControllerServerName>" -Identity "Enterprise Admins" | select objectClass,name,distinguishedName | Export-Csv -Path c:\test\Group-EA.csv -Encoding ascii -NoTypeInformation

Open in new window


You would just need to replace the contents of the "Identity" switch on the command line with various AD group names as well as the name of the output file in the "Path" switch.

Hope this helps...

Dan
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 150 total points
ID: 40338831
For starters, check what users are members of what groups as mentioned about.  Next, find out what accounts are used as service accounts.  You could do that by running the following PowerShell command:

gwmi win32_service | ft caption, startname -AutoSize

Next, look at scheduled tasks and see if there are any tasks running under a domain username.  Easiest way to do is to run the following command:

schtasks /query /v /s targetcomputername | find "domainname\"

i.e.  You want a list from dom1dc01 and the domain name is Domain1 then you run:
schtasks /query /v /s dom1dc01 | find "DOMAIN1\"
0
 
LVL 7

Author Closing Comment

by:SvenIA
ID: 40351836
Thanks guys!
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question