Detecting admin rights

So here is my challenge - our IT estate has had a poorly managed admin rights control for several years and no one now knows who has them and on what machines. So, I want to create a small autohotkey executable that will detect admin rights and report back. This will then be deployed across the estate. The application will execute with admin rights, so it can access anything a normal admin could.

What I need to know is, what's the best way of detecting admin rights programmatically? Ideally a command line I can run in the background. Another issue to consider is that while the current user of the machine might not have admin rights, someone else might (Rights are assigned on a username/machine combination), so it needs to check all access, not just the current user.

I know what you're thinking. Why not have the AD guys check? I've looked into it and it's not possible. I'm not going into the specifics, but it returns false positives.

tl;dr - how do you tell who has admin rights from the command line or some other background process the user wouldn't notice?
 
Write a script that tries to create a dir in program files and logs if successful.


The proper way would be to use GPO to limit who is a member of the admins group :)
 
I wanted to find out a similar thing the other day, I wrote this PS script which might be useful to you. It queries an OU you choose, pings each machine once, if it pings it will get the contents of local admin group. If it doesn't ping it will add it to a list and try it again until there's none left :)

Code:
# Start with a fresh list of machines to try, pulled from the chosen OU
Remove-Item unresponsiveComputers.txt -ErrorAction SilentlyContinue
dsquery computer "OU=Servers,DC=blah,DC=blahcompany,DC=com" -o rdn -limit 0 | % {$_ -replace '"', ""} | Out-File unresponsiveComputers.txt

# Keep looping until every machine has responded once
while (Test-Path unresponsiveComputers.txt)
{
    $computers = Get-Content unresponsiveComputers.txt
    Remove-Item unresponsiveComputers.txt -ErrorAction SilentlyContinue

    foreach ($computer in $computers)
    {
        $computer = $computer.Trim()
        ping -n 1 -i 200 -w 300 $computer | Out-Null
        if ($LASTEXITCODE -lt 1)
        {
            Write-Host "$computer" -ForegroundColor Green
            # Win32_GroupUser lists every group/member pair on the remote machine
            $admins = Gwmi Win32_GroupUser -ComputerName $computer
            $admins = $admins | ? {$_.GroupComponent -like '*"Administrators"'}
            $admins | % {
                # PartComponent looks like ...:Win32_UserAccount.Domain="DOM",Name="user"
                $_.PartComponent -match '.+Domain\=(.+)\,Name\=(.+)$' | Out-Null
                $matches[1].Trim('"') + "\" + $matches[2].Trim('"')
            }
        }
        else
        {
            Write-Host "Did not respond: $computer"
            $computer | Out-File unresponsiveComputers.txt -Append
        }
    }
    Write-Host "`nLooping..`n"
    #Start-Sleep -S 10800
}
 
Thanks for the response guys, lots of good stuff here.

I would use accesschk from sysinternals if you know the account names.

If I can find a way to pull out a list of every user account that's been on the machine, that might work, thanks!

Write a script that tries to create a dir in program files and logs if successful.


The proper way would be to use GPO to limit who is a member of the admins group :)

That was my first thought, and is still a possible backup plan - the problem is that it will only check the active user, so it will still leave big gaps.

Regarding the GPO, you're absolutely right and technically we do, through AD groups rather than GPO, but as there are way too many users and who needs admin rights changes so often, it's impossible to restrict by name, so we rely on granting access by adding users into an AD group. The fault here (And this was not under my control at the time) is that while we had a proper process to request admin rights, no one thought to create a process to remove them. So the AD has tonnes of redundant entries where person A had admin on machine X, then swapped it to machine Y and re-requested the rights. So now he's an admin on machine Y, but technically he still also has rights over machine X even though it's now in another department in another building and he will never use it. But if he did, he would have admin rights. Yes, that's a mega fail.

I wanted to find out a similar thing the other day, I wrote this PS script which might be useful to you. It queries an OU you choose, pings each machine once, if it pings it will get the contents of local admin group. If it doesn't ping it will add it to a list and try it again until there's none left :)

Code:
# Start with a fresh list of machines to try, pulled from the chosen OU
Remove-Item unresponsiveComputers.txt -ErrorAction SilentlyContinue
dsquery computer "OU=Servers,DC=blah,DC=blahcompany,DC=com" -o rdn -limit 0 | % {$_ -replace '"', ""} | Out-File unresponsiveComputers.txt

# Keep looping until every machine has responded once
while (Test-Path unresponsiveComputers.txt)
{
    $computers = Get-Content unresponsiveComputers.txt
    Remove-Item unresponsiveComputers.txt -ErrorAction SilentlyContinue

    foreach ($computer in $computers)
    {
        $computer = $computer.Trim()
        ping -n 1 -i 200 -w 300 $computer | Out-Null
        if ($LASTEXITCODE -lt 1)
        {
            Write-Host "$computer" -ForegroundColor Green
            # Win32_GroupUser lists every group/member pair on the remote machine
            $admins = Gwmi Win32_GroupUser -ComputerName $computer
            $admins = $admins | ? {$_.GroupComponent -like '*"Administrators"'}
            $admins | % {
                # PartComponent looks like ...:Win32_UserAccount.Domain="DOM",Name="user"
                $_.PartComponent -match '.+Domain\=(.+)\,Name\=(.+)$' | Out-Null
                $matches[1].Trim('"') + "\" + $matches[2].Trim('"')
            }
        }
        else
        {
            Write-Host "Did not respond: $computer"
            $computer | Out-File unresponsiveComputers.txt -Append
        }
    }
    Write-Host "`nLooping..`n"
    #Start-Sleep -S 10800
}

Thanks for this. The problem we have is that we have plenty of users who work remotely and only VPN to pick up emails etc, so the chances of that coinciding with the script are slim. That's why I wanted to deploy an application that then reports back - as soon as they VPN in, they will get the deployment and then check in automatically - it should hit everyone (In theory).
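As an added example (not code from anyone in this thread), here is a script in the spirit of the report-back approach above: run locally on each machine, it lists every member of the local Administrators group, including any AD groups nested in it, and writes one CSV per machine to a central share, so it covers users who are not logged on. The share path is an assumed placeholder.

```powershell
# Added example: run locally (deployed scheduled task or startup script) and report
# the local Administrators membership to a central share. Writing one CSV per machine
# avoids several machines appending to the same file at once.
$ReportShare = '\\FILESERVER\adminaudit$'   # placeholder, replace with a real share

# Resolve the group by its well-known SID rather than the name "Administrators",
# which is localised on non-English Windows builds.
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# The ADSI WinNT provider works on every Windows version, including ones that
# predate Get-LocalGroupMember.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $path  = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
    # AdsPath looks like WinNT://DOMAIN/name or WinNT://COMPUTER/name
    $parts = ($path -replace '^WinNT://', '').Split('/')
    [PSCustomObject]@{
        Computer  = $env:COMPUTERNAME
        Domain    = $parts[0]
        Member    = $parts[-1]
        # A "Group" entry means every member of that AD group is an admin here;
        # that is exactly the stale per-machine AD group membership described above.
        Class     = $class
        IsLocal   = ($parts[0] -eq $env:COMPUTERNAME)
        Collected = (Get-Date).ToString('s')
    }
}

# Nothing in $members at all means nobody but the built-in account is an admin
# (or the query failed); record the machine either way so absence is visible.
if (-not $members) {
    $members = [PSCustomObject]@{
        Computer = $env:COMPUTERNAME; Domain = ''; Member = ''; Class = 'None'
        IsLocal = $false; Collected = (Get-Date).ToString('s')
    }
}

$outFile = Join-Path $ReportShare ("{0}.csv" -f $env:COMPUTERNAME)
$members | Export-Csv -Path $outFile -NoTypeInformation
```

Once the per-machine files are in, a single Import-Csv over the share gives the estate-wide list, and filtering on Class equal to Group shows which AD groups still grant admin where they should not.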
 