Solved

Check account permissions

Posted on 2014-09-23
3
272 Views
Last Modified: 2014-09-30
Hi,

I'm trying to create a more secure network. One of the actions is to reduce the ammount of accounts with admistrator permissions. There are a few account that probably have something to do with an application or service.

Is there a way to check for what an account is used on a server or in the network?

Network contains a Windows Server 2003 domain and a Windows Server 2012 domain.
0
Comment
Question by:SvenIA
3 Comments
 
LVL 26

Accepted Solution

by:
Dan McFadden earned 350 total points
Comment Utility
Doing a security audit (which is what your question is about) can be a significant project... just a heads-up.

The basics are to identify administrator groups at the following levels:

1. Enterprise
2. Domain
3. Local (individual servers and/or workstations)

You will have to examine admin groups in all of your user domains and your root domain to determine who users or groups have admin access.  If you find groups that are members of an admin group, you will have to audit that group as well.

Depending on how deep of an audit you want to do, you will want to membership in the following AD groups:

1. Administrators
2. Enterprise Admins
3. Domain Admins
4. Schema Admins
5. Server Operators
6. Backup Operators
7. Account Operators

On the individual servers (non-Domain Controllers and workstations):

1. Administators

After you have completed the identify tasks, you'll need to ask why these user accounts have admin access and then figure out if they really need such unrestrained permissions.

If you have Powershell available, you can run the following command to get the membership of the groups listed above:

Get-ADGroupMember -Serve "<YourDomainControllerServerName>" -Identity "Enterprise Admins" | select objectClass,name,distinguishedName | ft -auto

Open in new window


To get the list into a CSV file:

Get-ADGroupMember -Serve "<YourDomainControllerServerName>" -Identity "Enterprise Admins" | select objectClass,name,distinguishedName | Export-Csv -Path c:\test\Group-EA.csv -Encoding ascii -NoTypeInformation

Open in new window


You would just need to replace the contents of the "Identity" switch on the command line with various AD group names as well as the name of the output file in the "Path" switch.

Hope this helps...

Dan
0
 
LVL 24

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 150 total points
Comment Utility
For starters, check what users are members of what groups as mentioned about.  Next, find out what accounts are used as service accounts.  You could do that by running the following PowerShell command:

gwmi win32_service | ft caption, startname -AutoSize

Next, look at scheduled tasks and see if there are any tasks running under a domain username.  Easiest way to do is to run the following command:

schtasks /query /v /s targetcomputername | find "domainname\"

i.e.  You want a list from dom1dc01 and the domain name is Domain1 then you run:
schtasks /query /v /s dom1dc01 | find "DOMAIN1\"
0
 
LVL 7

Author Closing Comment

by:SvenIA
Comment Utility
Thanks guys!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits y…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now