Remotely Verifying Rights of Local Accounts


Thomas M.

My employer has undertaken a project to get all of our users running with
limited user rights instead of administrator rights on the local box. I've
been given the task of figuring out how to verify that each department is in
compliance with this new policy.

Our machines run Windows XP and we are running Novell on the network. We
also run Active Directory. Is there a way to scan a range of IPs and detect
user accounts that have administrator rights on the local PC? Barring that,
is there any software out there that can detect user accounts that have
local administrative rights, perhaps when the user authenticates to a Novell
server or to Active Directory?

We just want a way to verify that departments are in compliance with the
standard, and I would rather not have to ask them and then just take their
words for it--I'd like to be able to independently verify that departments
are in compliance.

I'm new to the whole issue of limited user rights so I'm not sure if there
are any tools like this out there. Part of me thinks that such a tool does
not exist because it would be an excellent hacker tool and would present a
security risk to organizations, but the other part of me suspects that
hackers have tools like this anyway, so why not give it to Network
Administrators for legitimate work.

Anyway, if anyone has dealt with this kind of issue before, or knows of any
automated method for collecting this kind of information, please enlighten
me.

--Tom
 

Pegasus (MVP)

In a Windows environment you could run this batch file:

@echo off
rem Raw results are collected in c:\Users.tmp, then filtered into c:\Users.txt.
echo Local Administrator Log compiled on %date% > c:\Users.tmp
echo ================================== >> c:\Users.tmp
for /L %%a in (1,1,254) do call :Sub %%a
rem Drop PsExec banner/status lines and the "net localgroup" header lines.
type c:\Users.tmp | find /i /v "psexec" | find /i /v "Russinovich" | find /i /v "sysinternals" | find /i /v "error code" | find /i /v "Alias Name" | find /i /v "unrestricted access" > c:\Users.txt
notepad c:\Users.txt
goto :eof

:Sub
echo Pinging 192.168.0.%1
rem Skip addresses that do not answer a single ping.
ping 192.168.0.%1 -n 1 | find /i "bytes=" > nul || goto :eof
echo Processing 192.168.0.%1
echo Local Administrators on 192.168.0.%1 >> c:\Users.tmp
psexec \\192.168.0.%1 net localgroup administrators >> c:\Users.tmp

You can download psexec.exe from www.sysinternals.com.
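
An added example, not part of the original thread: a Python sketch that turns such a log into a compliance report, assuming each "Local Administrators on <IP>" line is followed by that host's English `net localgroup administrators` output. The allow-list, the `CORP` account names and the sample log are constructed for illustration; a host that answered ping but returned no member list is reported as unverified rather than compliant.

```python
import re

# Constructed sample log (not real data). Host .12 answered ping but returned no list.
SAMPLE_LOG = r"""Local Administrator Log compiled on Mon 01/01/2007
==================================
Local Administrators on 192.168.0.10
Members
-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
The command completed successfully.
Local Administrators on 192.168.0.11
Members
-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\jdoe
The command completed successfully.
Local Administrators on 192.168.0.12
"""

# Assumed allow-list of accounts permitted in the local Administrators group.
APPROVED = {"administrator", r"corp\domain admins"}
HOST_RE = re.compile(r"^Local Administrators on (\S+)$")

def parse_admin_log(text):
    """Return {host: [members]} from the collected log."""
    hosts, current, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        match = HOST_RE.match(line)
        if match:                       # start of a new host section
            current, in_members = match.group(1), False
            hosts[current] = []
        elif current is None or not line:
            continue
        elif set(line) == {"-"}:        # dashed rule precedes the member names
            in_members = True
        elif line.lower().startswith("the command completed"):
            in_members = False
        elif in_members:
            hosts[current].append(line)
    return hosts

def audit(hosts, approved=APPROVED):
    """Return (violations, unverified): extra admins per host, and hosts with no list."""
    violations = {h: [m for m in ms if m.lower() not in approved] for h, ms in hosts.items()}
    violations = {h: extra for h, extra in violations.items() if extra}
    unverified = sorted(h for h, ms in hosts.items() if not ms)
    return violations, unverified

if __name__ == "__main__":
    print(audit(parse_admin_log(SAMPLE_LOG)))
```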
 

Thomas M.

Thanks for the reply. I'm not real experienced with scripting, although I
have done some, so I'll need to study the batch file a bit before I can
determine if it will work for us. Nonetheless, it certainly gives us a
place to start. Thanks again!

--Tom
 
