Re: Auditing a Domain from a Guest Account
From: Eric Fitzgerald [MSFT] (ericf@online.microsoft.com)
Date: 03/28/02
From: "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com> Date: Thu, 28 Mar 2002 13:30:21 -0800
In NT4 Guests can enumerate users & groups and shares, including hidden
shares. NTFS permissions usually not; you can only enumerate what you can
read so if they want permissions reports then you're going to have to be an
admin.
Look at the SRVINFO utility in the Resource Kit for share enumeration.
Look at the NET.EXE utility for domain user & group enumeration.
NET USER /DOMAIN - lists users in domain
NET USER <username> /DOMAIN - lists properties of domain user <username>
NET GROUP /DOMAIN - lists global groups in domain
NET LOCALGROUP /DOMAIN - lists local groups in domain
NET GROUP <groupname> /DOMAIN - lists members of global group <groupname>
NET LOCALGROUP <groupname> /DOMAIN - lists members of local group <groupname>
Doing this by hand is silly, and impractical for a domain of any significant
scale.
If you're clever, you'll use NT's "FOR" command in a batch file to parse out
the names and put them into a report. FOR has an awful lot of power (hint:
delims and tokens), use "help for" for more info.
Of course, I'll bet you could do this with ADSI if you installed it, and
reporting would be even easier.
For permissions, there's good old CACLS, but you might want to look at 3rd
party permission reporting utilities.
--
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation

"REader" <nextread@nntp.com> wrote in message
news:Aqwo8.95317$7b.8664502@bin7.nnrp.aus1.giganews.com...
> O.K. This question is definitely going to get me flamed (and as an MCSE, I
> deserve it), but here it is:
>
> I've been assigned a project auditing someone else's domain; the client
> wants a simple user map listing the local/global users and groups, who and
> what is a member of each, and NTFS permissions and shares. Pretty tame
> stuff. There are only six servers: a PDC, three BDC's (don't ask), and two
> member. Normally, I'd just use an off-the-shelf utility like Bindview or
> Ecora to whip through the system and print out a nice map in Visio. I hate
> sitting at consoles....
>
> Here's the rub: the client insists that I sit at an NT4 Workstation, or
> perhaps a Server console using an account with AT MOST domain guest and/or
> domain user access, and browse through User Manager for Domains and Server
> Manager and build the map by hand. She MIGHT allow the software, provided
> the account it uses an account with only user/guest access.
>
> I say it ain't gonna happen. I've been managing NT3x/4/Win2K over a period
> of seven years, and am asking for a second opinion, lest I really am losing
> my mind. Am I nuts for even entertaining the notion that a guest account
> will allow me to browse objects and create maps? Is there something she
> knows, that I do not?
>
> Serious Responses/Flames only, Please
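
Added example, not part of the original post or any Microsoft tool: a Python sketch of the report-building step the reply hints at, turning saved `NET USER /DOMAIN` output into a list of account names for an audit report. It goes beyond the FOR tokens/delims hint by slicing fixed-width columns, so names containing spaces survive; the 25-character column width, the sample text and all domain, server and account names are assumptions constructed for illustration.

```python
import re

# Assumption: NET USER pads each of its three name columns to 25 characters.
COLUMN_WIDTH = 25

# Constructed sample of saved `NET USER /DOMAIN` output (hypothetical names).
SAMPLE = "\n".join([
    "The request will be processed at a domain controller for domain EXAMPLE.",
    "",
    r"User accounts for \\EXAMPLEPDC",
    "",
    "-" * 79,
    "Administrator".ljust(25) + "Guest".ljust(25) + "IUSR_EXAMPLEPDC",
    "backup svc".ljust(25) + "jsmith".ljust(25) + "mjones",
    "The command completed successfully.",
    "",
])


def parse_net_user(output):
    """Return the account names from a NET USER listing, in listed order."""
    names = []
    in_table = False
    for line in output.splitlines():
        if not in_table:
            # The name table starts after the row of dashes.
            in_table = re.fullmatch(r"-{10,}\s*", line) is not None
            continue
        if not line.strip() or line.startswith("The command completed"):
            break  # end of the table
        # Slice by column position instead of splitting on whitespace.
        for start in range(0, len(line), COLUMN_WIDTH):
            name = line[start:start + COLUMN_WIDTH].strip()
            if name:
                names.append(name)
    return names


def split_hazards(names):
    """Names that a whitespace-delimited parse would break into pieces."""
    return [n for n in names if len(n.split()) > 1]


if __name__ == "__main__":
    accounts = parse_net_user(SAMPLE)
    for account in sorted(accounts, key=str.lower):
        print(account)
    print("Would be mis-split by whitespace tokens:", split_hazards(accounts))
```
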