DHCP question

Posted: 2011-04-06 08:49am
by dragon
We have a user that was able to get his name rights on various computers; we want to remove those, however we have 8000 computers spread over 2 dozen domains plus countless subdomains. Is there a way through DHCP or Dameware to find which computers he tampered with without manually checking every one?

Re: DHCP question

Posted: 2011-04-06 09:41am
by phongn
Parse through the login logs?

Re: DHCP question

Posted: 2011-04-06 10:56am
by TheFeniX
By "name rights" do you mean he created a local user name with administrative rights on certain computers in order to bypass domain login? If so, what server/client operating systems?

Re: DHCP question

Posted: 2011-04-06 11:06am
by dragon
TheFeniX wrote:By "name rights" do you mean he created a local user name with administrative rights on certain computers in order to bypass domain login? If so, what server/client operating systems?
We use Vista Enterprise with Server 2008. We have a 3-step process for adding computers to the domain, and he was able to insert his name in the first step.

Re: DHCP question

Posted: 2011-04-06 12:40pm
by AMX
Definitely not DHCP.
I'm not familiar with Dameware.

Group Policy should be able to do it - ISTR we have it set up so any local users are removed from the admin group, and I think you can even delete them completely.

Re: DHCP question

Posted: 2011-04-06 12:52pm
by dragon
AMX wrote:Definitely not DHCP.
I'm not familiar with Dameware.

Group Policy should be able to do it - ISTR we have it set up so any local users are removed from the admin group, and I think you can even delete them completely.
Yeah, I'm having one of the programmers here write the script for the group policy, as I suck at programming of any kind.

Re: DHCP question

Posted: 2011-04-06 12:58pm
by AMT
Can you make a GPO to push out and remove any instance of his account on local computers, or at least change the level?

Re: DHCP question

Posted: 2011-04-06 01:09pm
by TheFeniX
Essentially, just have a Group Policy script that removes all non-built-in users from the PC. The only issue is if users like to install their own programs or management insists on having administrative access to their PCs. Then you can create another script that adds certain groups to the local administrators group.

Personally, this is the best solution as no one should be creating local admins on their PCs without IT knowing about it. By leaving this policy enforced, it will delete any newly created local users as well.
AMX wrote:I'm not familiar with Dameware.
Dameware is a remote access program like VNC, but with a few other quirks.

Re: DHCP question

Posted: 2011-04-06 01:13pm
by AMX
AMT wrote:Can you make a GPO to push out and remove any instance of his account on local computers, or at least change the level?
That's what I mean.
I can't find the right setting in the technet documentation right now. :(

Re: DHCP question

Posted: 2011-04-06 01:52pm
by TheFeniX
AMX wrote:
AMT wrote:Can you make a GPO to push out and remove any instance of his account on local computers, or at least change the level?
That's what I mean.
I can't find the right setting in the technet documentation right now. :(
Something like this should work. It just depends on how far you want to go. On our network, any PCs on-site must log in with a domain user, with the exception of the (renamed) local administrator. Remote PCs don't have this requirement (for obvious reasons).

Re: DHCP question

Posted: 2011-04-06 01:52pm
by AMT
TheFeniX wrote:
AMX wrote:I'm not familiar with Dameware.
Dameware is a remote access program like VNC, but with a few other quirks.
I actually like Dameware here. It lets me do AD work that normal AD doesn't do easily. Nothing big, but minor stuff that makes the non-techies happy like pictures for their accounts.

Re: DHCP question

Posted: 2011-04-07 12:19pm
by Rahvin
dragon wrote:We have a user that was able to get his name rights on various computers; we want to remove those, however we have 8000 computers spread over 2 dozen domains plus countless subdomains. Is there a way through DHCP or Dameware to find which computers he tampered with without manually checking every one?
When you say he "gave his name rights," what do you mean? Did he sneak his AD username into the local admin group? Or did he make a new local user in the admin group for himself as a back door?

Fixing the problem is easy enough. TheFeniX made a good suggestion, and you could also do things like using Active Directory and a GPO to strip all users out of the local Administrators group except for those you specifically select; even if he were able to add himself back in, the policy would strip him right back out the next time it updates. You wouldn't need to select for specific user names (in case he changed his tactics) either, it would all just happen automatically.

I wouldn't just delete all user account info from a PC though - some applications make some significant changes to the profile of the user, and if you set a script to delete it all, you'd have the user needing to rerun the setup every time they log on - and sometimes that requires temporary Admin rights.

Finding out which PCs he hit is a little more difficult. You'd need to know which user name he was using for his little security breach. If he snuck himself into the Admin group (either his AD account or a new local user) on a source image or something (what's the first step you referred to?), then at least the user name should be consistent. A simple logon script could check the members of the local administrators group and log the computer name of every instance where it catches the flagged user name. You could apply that universally to the company for a week or so through GPO, and as long as every computer gets logged on to by anyone, you'd get a pretty comprehensive list. Of course, you'd need to do that before fixing the problem, so that might not work for you (if it's an AD account, you could just disable it, and fix it after you finish logging the affected PCs; you could do the same for local accounts, too, it's just more time-consuming since you'd need to script it as opposed to a little checkbox in AD).
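The two scripts this thread keeps circling back to, Rahvin's logon script that records every computer where a flagged account sits in the local Administrators group, and TheFeniX's policy script that strips members IT did not put there, can be one script with an audit mode and an enforce mode. The block below is an added example written for this thread, not code posted by anyone in it. The domain name, the flagged account, the allow list, the log share and the script file name are all placeholder assumptions for your own environment. It deliberately uses the ADSI WinNT provider rather than the newer local-account cmdlets so that it runs on the PowerShell 2.0 clients of the Vista / Server 2008 era the original poster describes.

```powershell
# Added example for this thread, not code from any poster. Every domain, account,
# share and path below is a placeholder assumption. ADSI WinNT is used on purpose:
# it works on PowerShell 2.0 (Vista / Server 2008), where Get-LocalGroupMember
# does not exist.
param(
    [switch]$Enforce,                                        # omit = audit only
    [string]$LogShare = '\\fileserver\adminaudit$',          # placeholder share
    [string[]]$FlaggedAccounts = @('DOMAIN\flagged.user'),   # placeholder account
    [string[]]$AllowedMembers = @(                           # placeholder allow list
        'DOMAIN\Domain Admins',
        'DOMAIN\Workstation Admins',
        "$env:COMPUTERNAME\Administrator"                    # built-in RID 500 account
    )
)

$computer = $env:COMPUTERNAME
$group    = [ADSI]"WinNT://$computer/Administrators,group"

# Enumerate the local Administrators group. Each member is a COM object whose
# AdsPath is WinNT://DOMAIN/name; it is folded into DOMAIN\name (or COMPUTER\name
# for local accounts) so it can be compared with the lists above. -contains and
# -notcontains compare strings case-insensitively, which is what we want here.
function Get-LocalAdminMembers {
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path  = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Name    = ($parts[-2..-1] -join '\')
            AdsPath = $path
        }
    }
}

# One tab-separated line per finding in a per-computer file on the share. If the
# share is unreachable the line is kept locally so the finding is not lost.
function Write-AuditLine([string]$Message) {
    $line   = "{0:yyyy-MM-dd HH:mm:ss}`t{1}`t{2}`t{3}" -f (Get-Date), $computer, $env:USERNAME, $Message
    $target = Join-Path $LogShare "$computer.log"
    try   { Add-Content -Path $target -Value $line -ErrorAction Stop }
    catch { Add-Content -Path (Join-Path $env:windir 'Temp\localadmin-audit.log') -Value $line }
}

foreach ($member in Get-LocalAdminMembers) {
    if ($FlaggedAccounts -contains $member.Name) {
        # Rahvin's case: the known account is in the admin group on this machine.
        Write-AuditLine "FLAGGED`t$($member.Name)"
    }
    elseif ($AllowedMembers -notcontains $member.Name) {
        # Anything else IT did not put there is logged too, which also catches a
        # renamed or freshly created local account instead of the one you expect.
        Write-AuditLine "UNEXPECTED`t$($member.Name)"
    }
    else { continue }

    if ($Enforce) {
        # Removing a member needs administrative rights, so this branch belongs in
        # a computer startup script (runs as SYSTEM), not a per-user logon script.
        try {
            $group.Remove($member.AdsPath)
            Write-AuditLine "REMOVED`t$($member.Name)"
        }
        catch { Write-AuditLine "REMOVE-FAILED`t$($member.Name)`t$($_.Exception.Message)" }
    }
}
```

Deployed as a user logon script with no switches it only reads group membership and writes the audit lines, so a normal user context is enough and a week of logons builds the list Rahvin describes; the per-computer log files on the share can then simply be sorted by the FLAGGED column. Running it with -Enforce from a computer startup script gives TheFeniX's behaviour of stripping whatever IT did not approve, and the REMOVED lines tell you exactly what was taken off which machine. The built-in Restricted Groups policy that Rahvin and AMX mention does the enforcement half without any script and is the better long-term control; the script's value is the audit trail of where the account had been.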