From: BKiddo on 26 Apr 2010 17:46

Suppose you have 100 Windows XP or 7 PCs, can you get a report from the Domain Controller to know which local users are created in each PC?

From: Shenan Stanley on 27 Apr 2010 00:59
BKiddo wrote:

> Suppose you have 100 Windows XP or 7 PCs, can you get a report from
> the Domain Controller to know which local users are created in each
> PC?

If you create and run a script to enumerate the local accounts on each machine that runs from the DC using credentials that have local administrative rights on each machine - but the domain controller really has nothing to do with the local accounts on each machine, it would just be a convenient 'center' starting point.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

From: VanguardLH on 27 Apr 2010 04:51
BKiddo wrote:

> Suppose you have 100 Windows XP or 7 PCs, can you get a report from the
> Domain Controller to know which local users are created in each PC?

So why did you give these users the password to the Administrator or another admin-level local account so these users could create more local accounts? If they are admins then you gave them your control.

From: BKiddo on 27 Apr 2010 12:15

The client did it; and now I have to audit it!

"VanguardLH" wrote:

> BKiddo wrote:
>
> > Suppose you have 100 Windows XP or 7 PCs, can you get a report from the
> > Domain Controller to know which local users are created in each PC?
>
> So why did you give these users the password to the Administrator or another
> admin-level local account so these users could create more local accounts?
> If they are admins then you gave them your control.

From: VanguardLH on 27 Apr 2010 20:05
BKiddo wrote:

> VanguardLH wrote:
>
>> BKiddo wrote:
>>
>>> Suppose you have 100 Windows XP or 7 PCs, can you get a report from the
>>> Domain Controller to know which local users are created in each PC?
>>
>> So why did you give these users the password to the Administrator or another
>> admin-level local account so these users could create more local accounts?
>> If they are admins then you gave them your control.
>
> The client did it; and now I have to audit it!

I suppose you could use a one-time login script that you push via domain policies that runs a batch file with something like (this is off the top of my head):

    @date /t
    @time /t
    @net user

called listuser.bat which the login script runs as:

    listuser.bat > <uncpath>\accounts\%computername%\userlist.txt

where <uncpath> is to a network host to which all users have permission to write into the "accounts" subfolder and where you can go look up the output. Some you wouldn't care about, like Administrator since this account always exists (whether the user can log onto that local account or not), and others are accounts designed for use by particular services or the OS.

Rather than use a one-time logon script, you could keep it enabled all the time for all users and then append the output from each of their logins to monitor when they change (add or delete) the accounts on their host, as in running:

    listuser.bat >> <uncpath>\accounts\%computername%\userlist.txt

(> does an overwrite, >> does an append).
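
An added example, not part of the original thread or any poster's code: a Python script an auditor could run over one appended userlist.txt to split it into per-logon snapshots and report which local accounts appeared or disappeared between runs. It assumes English-locale `net user` output laid out in 25-character columns; the host name PC042, the account names and the timestamps are constructed sample data, and the BUILTIN ignore list is an illustrative choice.

```python
COL = 25            # assumed column width of English-locale `net user` output
BUILTIN = frozenset({"Administrator", "Guest", "HelpAssistant", "SUPPORT_388945a0"})

def parse_snapshots(text):
    """Split an appended userlist.txt into [(timestamp, {account names}), ...]."""
    snaps, recent, names, collecting = [], [], set(), False
    for line in text.splitlines():
        if line.startswith("User accounts for"):
            stamp = " ".join(recent[-2:])   # the `date /t` and `time /t` lines
            names, collecting = set(), False
            snaps.append((stamp, names))
        elif snaps and line.startswith("---"):
            collecting = True               # account rows follow the rule line
        elif line.startswith("The command completed"):
            collecting, recent = False, []
        elif collecting:
            # Slice fixed-width columns: local account names may contain spaces.
            cells = (line[i:i + COL].strip() for i in range(0, len(line), COL))
            names.update(c for c in cells if c)
        elif line.strip():
            recent.append(line.strip())
    return snaps

def account_changes(snaps, ignore=BUILTIN):
    """Return [(timestamp, added, removed)] for each run whose account set changed."""
    changes = []
    for (_, prev), (stamp, cur) in zip(snaps, snaps[1:]):
        added, removed = cur - prev - ignore, prev - cur - ignore
        if added or removed:
            changes.append((stamp, sorted(added), sorted(removed)))
    return changes

def make_run(date, time, names, host="PC042"):
    """Build one constructed listuser.bat run (sample data, not a real capture)."""
    rows = ["".join(n.ljust(COL) for n in names[i:i + 3]) for i in range(0, len(names), 3)]
    return "\n".join([date, time, "", "User accounts for \\\\" + host, "", "-" * 79,
                      *rows, "The command completed successfully.", "", ""])

BASE = ["Administrator", "Guest", "HelpAssistant", "SUPPORT_388945a0", "jsmith"]
SAMPLE = (make_run("Tue 04/27/2010", "08:05 PM", BASE)
          + make_run("Wed 04/28/2010", "09:12 AM", BASE + ["temp admin"])
          + make_run("Thu 04/29/2010", "08:47 AM", BASE[:4] + ["temp admin"]))

if __name__ == "__main__":
    for stamp, added, removed in account_changes(parse_snapshots(SAMPLE)):
        print(f"{stamp}: added={added} removed={removed}")
```

Because every user can write to the share, the collected files are only as trustworthy as its permissions; treat a snapshot that shrinks or a file that restarts as something to check on the machine itself.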