Re: How could I find invisible user in admin group?
From: Olaf Engelke [MVP Windows Server] (oenews01_at_mvps.org)
Date: Fri, 12 Aug 2005 15:09:32 +0200
There is no such thing as an invisible user in a group.
There are some ways a user can have Administrator permissions
without you being aware of it.

He is a member of another group, which is a member of the Administrators group.
Check for such groups and their members.

The account/password combo of one of the Administrator accounts is known to
an unauthorized person.
Change the passwords for all accounts which are members of the Administrator

Some scheduled task which is accessible to him is running in the context of
an Administrator (maybe by swapping the started file you could elevate
administrator permissions for that process).
Run scheduled tasks with an account which has the necessary permissions and
no more. Protect the called batches etc.

Some malware is used to break into the system and work with the permissions
of the system account (so not really Administrator, but the system account
also has high-level permissions).
Keep the patch level up to date and protect your machines against malware.
Limit the user permissions (especially software installation/execution,
drive access to external drives and data sources (CD, floppy, USB,

Intensive auditing and studying of event logs on clients and server would be
the only way with Windows to discover such internal attacks.
Best greetings from Germany
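
The nested-group check suggested in the message above, as an added PowerShell example that is not part of the original post. The group and account names are constructed sample data, and `Get-EffectiveMember` is a hypothetical helper name; in a real domain the map would be filled from `Get-ADGroupMember` or `Get-LocalGroupMember` output.

```powershell
# Constructed sample directory: group name -> direct members.
# All names are made up for this example; in practice, build the map from
# Get-ADGroupMember (ActiveDirectory module) or Get-LocalGroupMember.
$Directory = @{
    'Administrators' = @('Administrator', 'Domain Admins', 'IT-Support')
    'Domain Admins'  = @('alice')
    'IT-Support'     = @('bob', 'Helpdesk-L2')
    'Helpdesk-L2'    = @('carol', 'IT-Support')   # circular nesting on purpose
}

# Hypothetical helper: walks the nesting and emits one record per account,
# together with the chain of groups that grants the membership.
function Get-EffectiveMember {
    param(
        [Parameter(Mandatory)] [string]    $Group,
        [Parameter(Mandatory)] [hashtable] $Map,
        [string[]] $Path = @()
    )
    $chain = $Path + $Group
    foreach ($member in $Map[$Group]) {
        if ($Map.ContainsKey($member)) {
            # Member is itself a group: descend, unless it is already on the
            # current chain (circular nesting would otherwise loop forever).
            if ($chain -notcontains $member) {
                Get-EffectiveMember -Group $member -Map $Map -Path $chain
            }
        }
        else {
            [pscustomobject]@{
                Account = $member
                Via     = $chain -join ' > '
                Nested  = $chain.Count -gt 1
            }
        }
    }
}

# Accounts that hold Administrator rights only through another group,
# i.e. the ones that do not show up as direct members of Administrators.
Get-EffectiveMember -Group 'Administrators' -Map $Directory |
    Where-Object Nested |
    Sort-Object Account |
    Format-Table Account, Via -AutoSize
```

With the sample data this lists alice, bob and carol, each with the group chain through which the Administrator rights are inherited.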