(Msg. 9) Posted: Wed May 21, 2008 5:19 pm
Post subject: Re: Login script
Archived from groups: microsoft.public.scripting.vbscript, others
"Miha" <miha.bernik.DeleteThis@email.si> wrote in message
news:9A73E8CF-5187-4DE2-82AE-910F857CE42E@microsoft.com...
> Hi
>
> Does anyone know or have a script that will send me an email when a user
> logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
> credentials)?
> We're assuming that some of our company users know local admin password,
Hold it right there, then. The larger question is this: do you need to know
who knows the password, or do you need to ensure that nobody knows the
password?
If your script advises you that the administrator account has just logged on
locally, it will not be able to tell you who is doing this. And if you never
get any of the messages, this will not confirm that nobody knows the
password.
A more rational approach would be to develop a strategy to secure the
passwords of any and all local accounts, privileged or otherwise. Nobody,
not even the IT staff charged with maintaining and supporting the
workstations should know the administrator password. If they need admin
privs, they should have a domain account that is made a member of the local
administrators groups on all machines.
The password should be set and sealed in a vault. This can be done in a way
that no single person knows what it is by having a script generate a random
password, apply it, and then print it out on a printer sandwiched by blank
pages. A number of witnesses watching the printer will confirm that the
output was sealed in an envelope without anyone looking at it.
/Al
> so
> we want to know if someone tries or logs into his computer like local
> admin? Is this possible, or how can this be done?
> Thank you in advance !
> Regards,
> Miha
(Msg. 10) Posted: Wed May 21, 2008 6:05 pm
Post subject: Re: Login script
Archived from groups: per prev. post
It is possible with a little work. There are many steps.
All of this can be done in any order, you just need all the pieces before it
will work, there may be a better way.
-(change share) Create a share on a server that is accessible to all
computers. In the Share Permissions set Everyone to Change and Anonymous
Logon to Change. In this directory create a log file named something like
locals.log. (this is done because the local users don't actually have rights
on a domain server)
-(read share) Create a share on a server that is accessible to all
computers. In the Share Permissions, set Everyone to Read and Anonymous
Logon to Read. In that shared directory, create a script maybe called
localcheck.vbs (I suggest encoding it to a vbe) that can determine if the
logged on user is a local user or not and make it log the information in the
locals.log file created in the previous share.
- Now, create a script named something like checkreg.vbs that will check the
system's registry HKLM\Software\Microsoft\Windows\Run. Using this script you
add the execution of the localcheck.vbs that we created in the previous
step. You can just use All Users - Startup but if users are local admins,
they might keep removing the entry. Storing in the registry is a little
harder to find and if you don't want to edit the registry with a logon
script you can just do a mass remote registry edit. When you add the entry
in registry use something like "wscript.exe
\\server.domain.com\(ReadShareName)\localcheck.vbs" using the full UNC will
ensure that if the DNS suffix is different, you can still get to the script.
- In a Group Policy, add the checkreg.vbs as a startup script to the OU that
contains the computer that you want to check.
Now that you have everything logged, you can pretty much determine what is
going on. If you are still wanting an e-mail when it happens so you can respond
asap, you need to do the following.
The reason we did all the previous steps is because I assume that your
workstations are not authorized to send mail. So you just need to authorize
the server that contains the Change Share we created before and create a
file monitor described in this link:
Use the __InstanceModificationEvent event on the locals.log file to send you
an e-mail.
I hope this is understandable.
Thanks,
Allan
"Miha" <miha.bernik.DeleteThis@email.si> wrote in message
news:9A73E8CF-5187-4DE2-82AE-910F857CE42E@microsoft.com...
> Hi
>
> Does anyone know or have a script that will send me an email when a user
> logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
> credentials)?
> We're assuming that some of our company users know local admin password,
> so we want to know if someone tries or logs into his computer like local
> admin? Is this possible, or how can this be done?
> Thank you in advance !
> Regards,
> Miha
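As an added illustration of the localcheck.vbs step in Allan's procedure (this is example code written here, not a script posted in the thread), the following VBScript decides whether the logged-on account is a local account, checks whether it sits directly in the built-in Administrators group, and appends one line to the log file on the "change" share. The share path is a placeholder to replace with your own; the script assumes it runs in the logged-on user's context at logon, so it reads USERDOMAIN and COMPUTERNAME from the environment and looks the Administrators group up by its well-known SID rather than by name.

```vbscript
' localcheck.vbs - added example, not code from the thread.
' Runs at logon and appends one line to a log file on a writable share when
' the logged-on account is a LOCAL account, recording whether that account is
' a direct member of the local Administrators group.
' ASSUMPTION: LOG_PATH is a placeholder for the "change" share Allan describes.
Option Explicit

Const LOG_PATH = "\\server.domain.com\ChangeShare\locals.log"   ' placeholder

Dim objShell, objFSO, strComputer, strUser, strUserDomain, blnAdmin
Set objShell = CreateObject("WScript.Shell")
Set objFSO   = CreateObject("Scripting.FileSystemObject")

strComputer   = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
strUser       = objShell.ExpandEnvironmentStrings("%USERNAME%")
strUserDomain = objShell.ExpandEnvironmentStrings("%USERDOMAIN%")

' For a local account USERDOMAIN equals the computer name; for a domain
' account it is the NetBIOS domain name. That is the whole "is it local" test.
If StrComp(strUserDomain, strComputer, vbTextCompare) = 0 Then
    blnAdmin = IsLocalAdmin(strComputer, strUser)
    AppendLog LOG_PATH, Now & vbTab & strComputer & vbTab & _
        strUserDomain & "\" & strUser & vbTab & "local logon" & vbTab & _
        "admin=" & blnAdmin
End If

' Returns True if strUser is a direct LOCAL member of the built-in
' Administrators group. The group is found by its well-known SID
' (S-1-5-32-544) so a renamed or localized group name does not break it.
Function IsLocalAdmin(strComputer, strUser)
    Dim objWMI, colGroups, objGroup, strGroupName, objAdmins, objMember
    IsLocalAdmin = False
    strGroupName = ""
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set colGroups = objWMI.ExecQuery( _
        "SELECT Name FROM Win32_Group WHERE LocalAccount = True " & _
        "AND SID = 'S-1-5-32-544'")
    For Each objGroup In colGroups
        strGroupName = objGroup.Name
    Next
    If strGroupName = "" Then Exit Function

    Set objAdmins = GetObject("WinNT://" & strComputer & "/" & _
                              strGroupName & ",group")
    For Each objMember In objAdmins.Members
        ' Only members whose ADsPath is under this computer are local
        ' accounts; domain users and nested domain groups are skipped.
        If InStr(1, objMember.AdsPath, "WinNT://" & strComputer & "/", _
                 vbTextCompare) = 1 Then
            If StrComp(objMember.Name, strUser, vbTextCompare) = 0 Then
                IsLocalAdmin = True
                Exit Function
            End If
        End If
    Next
End Function

' Appends one line to the log. Errors (share unreachable, no write right)
' are swallowed so a logon never fails just because the log is unavailable.
Sub AppendLog(strPath, strLine)
    Dim objFile
    On Error Resume Next
    Set objFile = objFSO.OpenTextFile(strPath, 8, True)   ' 8 = ForAppending
    If Err.Number = 0 Then
        objFile.WriteLine strLine
        objFile.Close
    End If
    On Error GoTo 0
End Sub
```

Two practical notes on this design. First, the Run entry that launches it is read by Windows from HKLM\Software\Microsoft\Windows\CurrentVersion\Run (the full key name), so a checkreg.vbs would use WshShell.RegWrite against that path with the UNC command line Allan gives. Second, because the log is written from the user's own session with Everyone/Anonymous change rights on the share, a local admin can also edit or delete the log; the e-mail monitor on the server is what gives you a record that survives that, which is why Allan keeps the log on a server rather than on the workstation.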
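The final step, a file monitor on the server that uses __InstanceModificationEvent on locals.log and mails the new lines, is shown below as an added example (not the script behind the missing link in Allan's post). It assumes a local path to the log on the server, an SMTP relay that accepts mail from that server, and sender and recipient addresses; all four are placeholders. The WITHIN 10 clause makes WMI poll every ten seconds, so several logons inside one interval arrive as a single event, which is why the script reads everything appended since the last size it saw rather than just "the last line".

```vbscript
' logmonitor.vbs - added example, not code from the thread.
' Runs on the server that holds locals.log. Subscribes to WMI
' __InstanceModificationEvent for that file and e-mails whatever was appended
' since the previous event, using CDO.
' ASSUMPTIONS (placeholders): local log path, SMTP relay host, addresses.
Option Explicit

Const LOG_FILE  = "D:\Shares\Change\locals.log"   ' local path on the server
Const SMTP_HOST = "smtp.domain.com"
Const MAIL_FROM = "logmonitor@domain.com"
Const MAIL_TO   = "admin@domain.com"

Dim objFSO, objWMI, colEvents, objEvent, lngLastSize, lngNewSize, strNew
Set objFSO = CreateObject("Scripting.FileSystemObject")
lngLastSize = objFSO.GetFile(LOG_FILE).Size   ' the file must already exist

' CIM_DataFile.Name needs doubled backslashes inside the WQL string.
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set colEvents = objWMI.ExecNotificationQuery( _
    "SELECT * FROM __InstanceModificationEvent WITHIN 10 " & _
    "WHERE TargetInstance ISA 'CIM_DataFile' AND TargetInstance.Name = '" & _
    Replace(LOG_FILE, "\", "\\") & "'")

Do
    Set objEvent = colEvents.NextEvent      ' blocks until the file changes
    lngNewSize = objEvent.TargetInstance.FileSize
    If lngNewSize < lngLastSize Then lngLastSize = 0   ' log was truncated/rotated
    strNew = ReadAppended(LOG_FILE, lngLastSize)
    lngLastSize = lngNewSize
    If Len(strNew) > 0 Then
        SendMail "locals.log updated (local account logon)", strNew
    End If
Loop

' Returns the text after byte offset lngFrom. The log is plain ASCII, so
' bytes and characters line up.
Function ReadAppended(strPath, lngFrom)
    Dim objFile, strAll
    ReadAppended = ""
    On Error Resume Next
    Set objFile = objFSO.OpenTextFile(strPath, 1, False)   ' 1 = ForReading
    If Err.Number <> 0 Then Exit Function
    strAll = ""
    If Not objFile.AtEndOfStream Then strAll = objFile.ReadAll
    objFile.Close
    On Error GoTo 0
    If Len(strAll) > lngFrom Then ReadAppended = Mid(strAll, lngFrom + 1)
End Function

' Sends one plain-text message through the SMTP relay via CDO (sendusing = 2).
Sub SendMail(strSubject, strBody)
    Dim objMsg
    Set objMsg = CreateObject("CDO.Message")
    objMsg.From = MAIL_FROM
    objMsg.To = MAIL_TO
    objMsg.Subject = strSubject
    objMsg.TextBody = strBody
    With objMsg.Configuration.Fields
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTP_HOST
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
        .Update
    End With
    objMsg.Send
End Sub
```

Run it with cscript under an account that can read the log and is allowed to relay through SMTP_HOST; it loops until the process is stopped, so a scheduled task or a service wrapper is the usual home for it.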
(Msg. 11) Posted: Sun May 25, 2008 9:16 pm
Post subject: Re: Login script
Archived from groups: per prev. post
Hi guys,
Thank you all for very helpful information, especially Allan for complete
steps on how to do this.
Thanks!
Regards, Miha
"Al Dunbar" <AlanDrub DeleteThis @hotmail.com.nospaam> wrote in message
news:e7uCNz5uIHA.2188@TK2MSFTNGP04.phx.gbl...
>
> "Miha" <miha.bernik DeleteThis @email.si> wrote in message
> news:9A73E8CF-5187-4DE2-82AE-910F857CE42E@microsoft.com...
>> Hi
>>
>> Does anyone know or have a script that will send me an email when a user
>> logs into a WinXP computer with LOCAL ADMIN credentials (not with domain
>> credentials)?
>> We're assuming that some of our company users know local admin password,
>
> Hold it right there, then. The larger question is this: do you need to
> know who knows the password, or do you need to ensure that nobody knows
> the password?
>
> If your script advises you that the administrator account has just logged
> on locally, it will not be able to tell you who is doing this. And if you
> never get any of the messages, this will not confirm that nobody knows the
> password.
>
> A more rational approach would be to develop a strategy to secure the
> passwords of any and all local accounts, privileged or otherwise. Nobody,
> not even the IT staff charged with maintaining and supporting the
> workstations should know the administrator password. If they need admin
> privs, they should have a domain account that is made a member of the
> local administrators groups on all machines.
>
> The password should be set and sealed in a vault. This can be done in a
> way that no single person knows what it is by having a script generate a
> random password, apply it, and then print it out on a printer sandwiched
> by blank pages. A number of witnesses watching the printer will confirm
> that the output was sealed in an envelope without anyone looking at it.
>
>
> /Al
>
>
> so
>> we want to know if someone tries or logs into his computer like local
>> admin? Is this possible, or how can this be done?
>> Thank you in advance !
>> Regards,
>> Miha
>
>