Solved

Check account permissions

Posted on 2014-09-23
3
278 Views
Last Modified: 2014-09-30
Hi,

I'm trying to create a more secure network. One of the actions is to reduce the ammount of accounts with admistrator permissions. There are a few account that probably have something to do with an application or service.

Is there a way to check for what an account is used on a server or in the network?

Network contains a Windows Server 2003 domain and a Windows Server 2012 domain.
0
Comment
Question by:SvenIA
3 Comments
 
LVL 27

Accepted Solution

by:
Dan McFadden earned 350 total points
ID: 40338824
Doing a security audit (which is what your question is about) can be a significant project... just a heads-up.

The basics are to identify administrator groups at the following levels:

1. Enterprise
2. Domain
3. Local (individual servers and/or workstations)

You will have to examine admin groups in all of your user domains and your root domain to determine who users or groups have admin access.  If you find groups that are members of an admin group, you will have to audit that group as well.

Depending on how deep of an audit you want to do, you will want to membership in the following AD groups:

1. Administrators
2. Enterprise Admins
3. Domain Admins
4. Schema Admins
5. Server Operators
6. Backup Operators
7. Account Operators

On the individual servers (non-Domain Controllers and workstations):

1. Administators

After you have completed the identify tasks, you'll need to ask why these user accounts have admin access and then figure out if they really need such unrestrained permissions.

If you have Powershell available, you can run the following command to get the membership of the groups listed above:

Get-ADGroupMember -Serve "<YourDomainControllerServerName>" -Identity "Enterprise Admins" | select objectClass,name,distinguishedName | ft -auto

Open in new window


To get the list into a CSV file:

Get-ADGroupMember -Serve "<YourDomainControllerServerName>" -Identity "Enterprise Admins" | select objectClass,name,distinguishedName | Export-Csv -Path c:\test\Group-EA.csv -Encoding ascii -NoTypeInformation

Open in new window


You would just need to replace the contents of the "Identity" switch on the command line with various AD group names as well as the name of the output file in the "Path" switch.

Hope this helps...

Dan
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 150 total points
ID: 40338831
For starters, check what users are members of what groups as mentioned about.  Next, find out what accounts are used as service accounts.  You could do that by running the following PowerShell command:

gwmi win32_service | ft caption, startname -AutoSize

Next, look at scheduled tasks and see if there are any tasks running under a domain username.  Easiest way to do is to run the following command:

schtasks /query /v /s targetcomputername | find "domainname\"

i.e.  You want a list from dom1dc01 and the domain name is Domain1 then you run:
schtasks /query /v /s dom1dc01 | find "DOMAIN1\"
0
 
LVL 7

Author Closing Comment

by:SvenIA
ID: 40351836
Thanks guys!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question