• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 318
  • Last Modified:

Check account permissions

Hi,

I'm trying to create a more secure network. One of the actions is to reduce the ammount of accounts with admistrator permissions. There are a few account that probably have something to do with an application or service.

Is there a way to check for what an account is used on a server or in the network?

Network contains a Windows Server 2003 domain and a Windows Server 2012 domain.
0
SvenIA
Asked:
SvenIA
2 Solutions
 
Dan McFaddenSystems EngineerCommented:
Doing a security audit (which is what your question is about) can be a significant project... just a heads-up.

The basics are to identify administrator groups at the following levels:

1. Enterprise
2. Domain
3. Local (individual servers and/or workstations)

You will have to examine admin groups in all of your user domains and your root domain to determine who users or groups have admin access.  If you find groups that are members of an admin group, you will have to audit that group as well.

Depending on how deep of an audit you want to do, you will want to membership in the following AD groups:

1. Administrators
2. Enterprise Admins
3. Domain Admins
4. Schema Admins
5. Server Operators
6. Backup Operators
7. Account Operators

On the individual servers (non-Domain Controllers and workstations):

1. Administators

After you have completed the identify tasks, you'll need to ask why these user accounts have admin access and then figure out if they really need such unrestrained permissions.

If you have Powershell available, you can run the following command to get the membership of the groups listed above:

Get-ADGroupMember -Serve "<YourDomainControllerServerName>" -Identity "Enterprise Admins" | select objectClass,name,distinguishedName | ft -auto

Open in new window


To get the list into a CSV file:

Get-ADGroupMember -Serve "<YourDomainControllerServerName>" -Identity "Enterprise Admins" | select objectClass,name,distinguishedName | Export-Csv -Path c:\test\Group-EA.csv -Encoding ascii -NoTypeInformation

Open in new window


You would just need to replace the contents of the "Identity" switch on the command line with various AD group names as well as the name of the output file in the "Path" switch.

Hope this helps...

Dan
0
 
Mohammed KhawajaManager - Infrastructure: Information TechnologyCommented:
For starters, check what users are members of what groups as mentioned about.  Next, find out what accounts are used as service accounts.  You could do that by running the following PowerShell command:

gwmi win32_service | ft caption, startname -AutoSize

Next, look at scheduled tasks and see if there are any tasks running under a domain username.  Easiest way to do is to run the following command:

schtasks /query /v /s targetcomputername | find "domainname\"

i.e.  You want a list from dom1dc01 and the domain name is Domain1 then you run:
schtasks /query /v /s dom1dc01 | find "DOMAIN1\"
0
 
SvenIAAuthor Commented:
Thanks guys!
0

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now