Re: Local PC Admin Group change - Alerts



Dear List,

Is there a way to get information about changes done to the Local
"Administrators" group of a PC that is attached to the domain? I know
that it is possible to get information about changes in the user groups
defined within the AD, but that is not my objective; instead, my concern
is about local admin / power user groups within individual PCs connected
to the domain.

I do not want to check in the event viewer of individual PCs but hoped
to see this info come to a central place or to the event viewer of any
of the domain controllers within the network whose logs are already
being audited.

If anyone has thought about this before & knows a way to achieve it without
the installation of any agent on PCs, barring a logon batch file if
necessary, please would you let me know of the same.

Thanks,
Tinu Koshy

PS: My paranoia comes from the fact that we have over 40 domain
administrators. I hope to put in a process correction there but only
once I have some technical controls to back me.

Hi Tinu.

I don't know of a way to be alerted to local computer/server group
changes w/o some sort of agent running. This is why they are "local
groups". You may want to take a look at OSSEC HIDS:
http://www.ossec.net. It can detect changes to any local groups
desired and alert you within seconds of a change. However, I'm not
sure how well this would scale if you wanted to install it on all your
PCs. Maybe with a minimized ruleset, i.e. just a rule related to the
Local Admin group change, it would be feasible.

I agree that reducing the # of domain admins would be wise. At least
delegate so that only those who need rights on a particular PC have
those rights and no one else. Pretty easy to do this within AD and OU
creation. I can't see why 40 people would need admin access to all
PCs/Servers on your network.

Good luck and hope this was of some help.

--Rob
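
The agentless route the question leaves open (a script pushed by policy instead of an installed agent), added here as an example that is not part of either message: it compares the local Administrators group with an admin-maintained allow-list and appends any difference to a central share. The share path, the file names `approved.txt` and `findings\<computer>.csv`, and the allow-list format are assumptions; `Get-LocalGroupMember` needs Windows PowerShell 5.1.

```powershell
# Added example, not from the thread. Intended to run as a computer startup
# script or scheduled task. Share path and file layout are assumptions.
param(
    [string]$AuditShare = '\\fileserver.example.com\localadmin-audit$'  # hypothetical
)
$ErrorActionPreference = 'Stop'

# Admin-maintained allow-list, one account per line, read-only to the PCs,
# e.g. ".\Administrator" and "EXAMPLE\Domain Admins" (constructed names).
$approved = @(Get-Content -Path (Join-Path $AuditShare 'approved.txt') |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($approved.Count -eq 0) { throw 'approved.txt is empty; refusing to report.' }

# Query by the well-known SID S-1-5-32-544 so a renamed or localized
# Administrators group still matches. Local accounts are rewritten from
# "PC01\name" to ".\name" so a single allow-list fits every PC.
$localPrefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
$current = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.Name -replace $localPrefix, '.\' })

$stamp = (Get-Date).ToUniversalTime().ToString('o')
$findings = @(
    # Members present on this PC that nobody approved.
    $current | Where-Object { $_ -notin $approved } | ForEach-Object {
        [pscustomobject]@{ TimeUtc = $stamp; Computer = $env:COMPUTERNAME
                           Change = 'Unapproved member'; Member = $_ }
    }
    # Approved members that have been removed from this PC.
    $approved | Where-Object { $_ -notin $current } | ForEach-Object {
        [pscustomobject]@{ TimeUtc = $stamp; Computer = $env:COMPUTERNAME
                           Change = 'Approved member missing'; Member = $_ }
    }
)

# One CSV per computer in a folder the PCs can append to; the central
# reviewer reads this folder instead of each PC's event viewer.
if ($findings.Count -gt 0) {
    $out = Join-Path $AuditShare ("findings\{0}.csv" -f $env:COMPUTERNAME)
    $findings | Export-Csv -Path $out -Append -NoTypeInformation
}
```

Run as a startup script, this writes to the share as the computer account, so the `findings` folder can be write-only for Domain Computers. Anyone who is already a local administrator can stop the script on that PC, so it complements an agent such as the OSSEC setup suggested above and does not replace one.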


