Login script

Miha

Hi

Does anyone know or have a script that will send me an email when a user
logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
credentials)?
We're assuming that some of our company users know the local admin password, so
we want to know if someone tries or logs into his computer as local admin.
Is this possible, or how can this be done?
Thank you in advance!
Regards,
Miha
 
Florian Frommherz [MVP]

Howdie!
Does anyone know or have a script that will send me an email when a user
logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
credentials)?
We're assuming that some of our company users know the local admin password,
so we want to know if someone tries or logs into his computer as local
admin. Is this possible, or how can this be done?

Not a ready-to-go script but what you basically need is the ifmember.exe
from the Resource Kit (iirc) and some command line mailing program like
blat (which is free). If I'm correct, blat doesn't need to be installed
and can be called off a network share. You need to explore yourself.

I guess that script can be done with a few lines of batch.

cheers,

Florian
 
Pegasus (MVP)

Miha said:
Hi

Does anyone know or have a script that will send me an email when a user
logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
credentials)?
We're assuming that some of our company users know the local admin password,
so we want to know if someone tries or logs into his computer as local
admin. Is this possible, or how can this be done?
Thank you in advance!
Regards,
Miha

AFAIK the environment variable %UserDomain% will tell
whether a user gets validated locally or on the domain. As Florian
says, use blat.exe to send yourself a note when this happens.
 
Pegasus (MVP)

Miha said:
Hi

Does anyone know or have a script that will send me an email when a user
logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
credentials)?
We're assuming that some of our company users know the local admin password,
so we want to know if someone tries or logs into his computer as local
admin. Is this possible, or how can this be done?
Thank you in advance!
Regards,
Miha

Further to my previous note: The question I failed to answer is
WHAT can you use to trigger the script to send you a message.
You cannot use your domain logon script (since it won't get
executed under local log-ins) and you probably cannot use a
local login script (because it would be visible to the user). I'll
think about this one a little more. Perhaps WMI has a solution.
 
Shay Levi

Adding to Pegasus... you can check the %LogonServer% value.
If the value equals the local computer name then the user is logged on locally.
 
Shay Levi

You can also check the current logged-on user's group membership:

C:\> WHOAMI /GROUPS | find /i "BUILTIN\Administrators"

This is the result on my computer:

[Group 3] = "BUILTIN\Administrators"
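The checks Pegasus and Shay describe (compare %UserDomain% and %LogonServer% with the computer name, then test Administrators membership), put together as an added VBScript example that is not from this thread; the log path, the ADSI lookup and the WScript objects are my assumptions.

```vbscript
' localcheck.vbs (added example, not from the thread): classify the
' current logon and record local-Administrator logons in a log file.
Option Explicit

Dim objShell, objNet
Set objShell = CreateObject("WScript.Shell")
Set objNet   = CreateObject("WScript.Network")

' "LOCAL" when the account was validated by this machine's own SAM,
' i.e. %USERDOMAIN% equals %COMPUTERNAME%; otherwise "DOMAIN".
' %LOGONSERVER% is recorded too, but it also equals the computer name
' for a domain user logging on with cached credentials (network
' unplugged), so it is not used as the deciding test here.
Function LogonScope()
    Dim env, computer
    Set env  = objShell.Environment("PROCESS")
    computer = UCase(env.Item("COMPUTERNAME"))
    If UCase(env.Item("USERDOMAIN")) = computer Then
        LogonScope = "LOCAL"
    Else
        LogonScope = "DOMAIN"
    End If
End Function

' True when the user is a direct member of the local Administrators
' group (the WHOAMI /GROUPS test, done through ADSI so the script does
' not depend on whoami.exe). Membership nested through a domain group
' is not resolved by this check.
Function IsLocalAdmin()
    Dim grp, member, myPath
    IsLocalAdmin = False
    myPath = UCase("WinNT://" & objNet.UserDomain & "/" & objNet.UserName)
    Set grp = GetObject("WinNT://" & objNet.ComputerName & "/Administrators,group")
    For Each member In grp.Members
        If UCase(member.ADsPath) = myPath Then IsLocalAdmin = True
    Next
End Function

' Appends one tab-separated line; 8 = ForAppending, True = create if missing.
Sub AppendLog(path, line)
    Dim fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(path, 8, True)
    f.WriteLine line
    f.Close
End Sub

' The log path is an assumption; a UNC path on a writable share works the same way.
If LogonScope() = "LOCAL" And IsLocalAdmin() Then
    AppendLog objShell.ExpandEnvironmentStrings("%SystemRoot%\locals.log"), _
        Now & vbTab & objNet.ComputerName & vbTab & objNet.UserName & vbTab & _
        objShell.Environment("PROCESS").Item("LOGONSERVER")
End If
```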
 
Shay Levi

One way is to copy a script file to each workstation's Windows directory and
put a shortcut to the script (using wscript.exe)
in each computer's 'C:\Documents and Settings\All Users\Start Menu\Programs\Startup'
directory.

The script should echo nothing (dialogs, msgboxes etc.) and should have its
first line set to:

On Error Resume Next

to suppress any unexpected errors; that way it will run invisibly.
 
Al Dunbar

If the suspected culprits have the smarts they might anticipate almost
anything you could do. They could prevent the sending of the email by
disconnecting the workstation from the network before logging on. One
response to that possibility would be to also log all logons locally, giving
time and date, and then periodically collecting those records for analysis.

/Al
 
Allan

It is possible with a little work. There are many steps.

All of this can be done in any order, you just need all the pieces before it
will work, there may be a better way.

-(change share) Create a share on a server that is accessible to all
computers. In the Share Permissions set Everyone to Change and Anonymous
Logon to Change. In this directory create a log file named something like
locals.log. (this is done because the local users don't actually have rights
on a domain server)

-(read share) Create a share on a server that is accessible to all
computers. In the Share Permissions, set Everyone to Read and Anonymous
Logon to Read. In that shared directory, create a script maybe called
localcheck.vbs (I suggest encoding it to a vbe) that can determine if the
logged on user is a local user or not and make it log the information in the
locals.log file created in the previous share.

- Now, create a script named something like checkreg.vbs that will check the
system's registry HKLM\Software\Microsoft\Windows\Run. Using this script you
add the execution of the localcheck.vbs that we created in the previous
step. You can just use All Users - Startup but if users are local admins,
they might keep removing the entry. Storing it in the registry is a little
harder to find, and if you don't want to edit the registry with a logon
script you can just do a mass remote registry edit. When you add the entry
in the registry use something like "wscript.exe
\\server.domain.com\(ReadShareName)\localcheck.vbs"; using the full UNC will
ensure that if the DNS suffix is different, you can still get to the script.

- In a Group Policy, add the checkreg.vbs as a startup script to the OU that
contains the computer that you want to check.

Now that you have everything logged, you can pretty much determine what is
going on. If you still want an e-mail when it happens so you can respond
asap, you need to do the following.

The reason we did all the previous steps is because I assume that your
workstations are not authorized to send mail. So you just need to authorize
the server that contains the Change Share we created before and create a
file monitor described in this link:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0404.mspx

Use the __InstanceModificationEvent event on the locals.log file to send you
an e-mail.

I hope this is understandable.

Thanks,
Allan
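The server-side half of Allan's procedure, written as an added VBScript example that is not from the thread or the linked article: a WMI __InstanceModificationEvent subscription on locals.log that mails each newly appended line through CDO. The log path, SMTP relay and addresses are assumptions; the watcher runs on the server under an account that is permitted to relay mail, so the workstations themselves never need to.

```vbscript
' watchlog.vbs (added example, not from the thread): run on the server
' that hosts the Change share; mails every line appended to locals.log.
Option Explicit

Const LOG_PATH  = "C:\Shares\Locals\locals.log"   ' assumed local path of the share
Const SMTP_HOST = "smtp.example.internal"         ' assumed mail relay
Const MAIL_TO   = "itsec@example.internal"        ' assumed addresses
Const MAIL_FROM = "localcheck@example.internal"

Dim fso, wmi, events, evt, lastSize, newSize
Set fso = CreateObject("Scripting.FileSystemObject")
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
lastSize = CDbl(fso.GetFile(LOG_PATH).Size)

' WMI polls CIM_DataFile every 10 s; backslashes must be doubled in WQL.
Set events = wmi.ExecNotificationQuery( _
    "SELECT * FROM __InstanceModificationEvent WITHIN 10 " & _
    "WHERE TargetInstance ISA 'CIM_DataFile' " & _
    "AND TargetInstance.Name = '" & Replace(LOG_PATH, "\", "\\") & "'")

Do
    Set evt = events.NextEvent              ' blocks until the file changes
    newSize = CDbl(evt.TargetInstance.FileSize)   ' uint64 arrives as a string
    If newSize > lastSize Then
        SendMail "Local admin logon recorded", ReadTail(lastSize)
        lastSize = newSize
    ElseIf newSize < lastSize Then
        lastSize = newSize                  ' log was truncated or rotated
    End If
Loop

' Returns the text appended after offset (log is plain ASCII, 1 byte per char).
Function ReadTail(offset)
    Dim ts
    Set ts = fso.OpenTextFile(LOG_PATH, 1)  ' 1 = ForReading
    If offset > 0 Then ts.Skip CLng(offset)
    ReadTail = ts.ReadAll
    ts.Close
End Function

Sub SendMail(subject, body)
    Dim msg, cfg
    cfg = "http://schemas.microsoft.com/cdo/configuration/"
    Set msg = CreateObject("CDO.Message")
    msg.Configuration.Fields.Item(cfg & "sendusing")  = 2   ' cdoSendUsingPort
    msg.Configuration.Fields.Item(cfg & "smtpserver") = SMTP_HOST
    msg.Configuration.Fields.Update
    msg.From = MAIL_FROM
    msg.To = MAIL_TO
    msg.Subject = subject
    msg.TextBody = body
    msg.Send
End Sub
```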
 
Al Dunbar

Miha said:
Hi

Does anyone know or have a script that will send me an email when a user
logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
credentials)?
We're assuming that some of our company users know the local admin password,

Hold it right there, then. The larger question is this: do you need to know
who knows the password, or do you need to ensure that nobody knows the
password?

If your script advises you that the administrator account has just logged on
locally, it will not be able to tell you who is doing this. And if you never
get any of the messages, this will not confirm that nobody knows the
password.

A more rational approach would be to develop a strategy to secure the
passwords of any and all local accounts, privileged or otherwise. Nobody,
not even the IT staff charged with maintaining and supporting the
workstations, should know the administrator password. If they need admin
privs, they should have a domain account that is made a member of the local
Administrators group on all machines.

The password should be set and sealed in a vault. This can be done in a way
that no single person knows what it is by having a script generate a random
password, apply it, and then print it out on a printer sandwiched by blank
pages. A number of witnesses watching the printer will confirm that the
output was sealed in an envelope without anyone looking at it.


/Al

Miha

Hi guys,
Thank you all for the very helpful information, especially Allan for the complete
steps on how to do this.
Thanks!
Regards, Miha
 