Need a script that checks to see if a defined service account has admin privileges

  • Question

  • Need a script that checks to see if a defined service account (not the current user) has admin privileges on a local server. The account may be nested in other groups that have admin access.
    • Moved by Bill_Stewart Tuesday, March 25, 2014 8:03 PM Question outside forum scope
    Friday, January 31, 2014 12:28 AM

Answers

  • There are numerous command-line utilities that check an account's permissions.

    For a user other than current user you cannot.

    Rights are additive and are a result of a logon process.  A user account has no rights until it is logged in. You can trace through all groups and all policies and attempt to resolve the total rights at a given moment and location.

    Example:

    A user belongs to domain group G1.  They log into ws1.  They have a certain set of rights but no local SeSecurity right.  The same user logs into WS2 and they have SeSecurity.  Why?  Because group G1 is a member of the Local Admins group.

    So there is no way to know what rights a user might have outside of a specific logon.  You cannot inspect a user's token from another logon session.

    This is part of how Windows secures a user.

    To a certain degree you can run RSOP on an account and extrapolate the user's rights in that one scenario.

    You also need to be aware that rights may have been granted but they may not be available because programs can deny rights and programs can fail to request rights in the token.

    The best thing is for you to explain why you need this info and perhaps we can find a way to get you what you need.


    ¯\_(ツ)_/¯


    • Edited by jrv Friday, January 31, 2014 2:34 AM
    • Proposed as answer by Christopher Ream Friday, January 31, 2014 2:54 AM
    • Marked as answer by Just Karl Friday, August 8, 2014 10:32 PM
    Friday, January 31, 2014 2:16 AM
  • You can use a PowerShell cmdlet to display what groups an account is in.  This means all groups, including nested groups.  It's the closest you'll get to simulating what a token will look like.

    That cmdlet is Get-ADAccountAuthorizationGroup
    http://technet.microsoft.com/en-us/library/ee617214.aspx

    Honestly, just like JRV points out, this won't be that useful.  With service accounts, permissions are usually assigned through User Rights Assignments on a particular server.  A service account might have 'power' on one box, but be a nobody on another server.

    It's best to assume all service accounts hold admin privileges and should be carefully controlled.


    Chris Ream



    Friday, January 31, 2014 2:54 AM
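One way to act on Chris's pointer, as an added example that is not part of this thread: resolve the service account's nested domain group membership with Get-ADAccountAuthorizationGroup and intersect it with the direct members of the server's local Administrators group (well-known SID S-1-5-32-544). It assumes the RSAT ActiveDirectory module, the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 on Server 2016 or later), and that it runs on the server being audited; the account name svc_backup is a constructed placeholder. As jrv and Chris both note, this only covers rights inherited through Administrators membership, not User Rights Assignments granted to the account or its groups directly.

```powershell
# Added example, not from the thread. Reports whether a domain account lands in the
# local Administrators group on this server, directly or through nested domain groups.
# Assumes: RSAT ActiveDirectory module and Microsoft.PowerShell.LocalAccounts (PS 5.1+).
function Test-LocalAdminMembership {
    param(
        [Parameter(Mandatory)][string]$AccountName  # sAMAccountName of the service account
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Token-like view of the account: its own SID plus every security group it belongs to,
    # nesting included (Get-ADAccountAuthorizationGroup reads the tokenGroups attribute).
    $account   = Get-ADUser -Identity $AccountName
    $tokenSids = @($account.SID.Value) +
                 @(Get-ADAccountAuthorizationGroup -Identity $AccountName |
                   ForEach-Object { $_.SID.Value })

    # Direct members of local Administrators (S-1-5-32-544). On a member server a local
    # group cannot contain another local group, so one level of local lookup is enough;
    # nesting happens on the domain side and is already folded into $tokenSids.
    $adminMembers = Get-LocalGroupMember -SID 'S-1-5-32-544'
    $hits = @($adminMembers | Where-Object { $tokenSids -contains $_.SID.Value })

    [PSCustomObject]@{
        Account      = $AccountName
        Server       = $env:COMPUTERNAME
        IsLocalAdmin = ($hits.Count -gt 0)
        GrantedVia   = @($hits | ForEach-Object { $_.Name })   # e.g. DOMAIN\G1
    }
}

# Usage (svc_backup is a constructed placeholder):
Test-LocalAdminMembership -AccountName 'svc_backup' | Format-List
```

Comparing SIDs rather than names avoids false negatives from localized group names or renamed accounts. Run it once per server, since the answer is per-machine: the same account can be an administrator on one box and unprivileged on the next.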

All replies

  • Chris makes a good point.  Service accounts can be dangerous if managed carelessly.

    Generally speaking a service account should be a local account except under very specific scenarios.  A local account's rights can be easily discovered via SECEDIT and group membership.

    Note that all rights are specified in SECEDIT on a member server and in AD GP on a DC.  You can inspect these by using the policy editor locally and on the DC.

    I recommend that all service accounts gain rights directly via local policy.  That means you wouldn't use groups to give out rights to service accounts.

    More important - have a policy and analyze it carefully.


    ¯\_(ツ)_/¯

    Friday, January 31, 2014 3:12 AM
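An added example (not from the thread) that follows jrv's SECEDIT pointer: export the server's User Rights Assignments with secedit, parse the [Privilege Rights] section of the export, and report which privileges are granted to any SID the service account would carry. It assumes an elevated Windows PowerShell session on the server being audited, plus the RSAT ActiveDirectory and Microsoft.PowerShell.LocalAccounts modules for the usage lines; svc_backup is a constructed placeholder. It shows what local policy grants, not what a live token holds, which is exactly the caveat jrv raises about programs denying or not requesting rights.

```powershell
# Added example, not from the thread. Lists the User Rights Assignments on this server
# that apply to any SID in $TokenSids (the account's own SID plus its group SIDs).
# Assumes an elevated session: secedit /export needs administrative rights.
function Get-AccountPrivilegeRights {
    param(
        [Parameter(Mandatory)][string[]]$TokenSids,
        [string]$ExportPath = (Join-Path $env:TEMP 'secpol-user-rights.inf')
    )
    # secedit writes an INI-style file; the [Privilege Rights] section holds lines such as
    #   SeDebugPrivilege = *S-1-5-32-544
    # Entries are SIDs prefixed with '*', or occasionally account names.
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    try {
        $inSection = $false
        foreach ($line in Get-Content -Path $ExportPath) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inSection) { continue }
            if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
            $privilege = $Matches[1]
            $holders = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                if ($entry.StartsWith('*')) { $entry.Substring(1); continue }
                # Names are normalised to SIDs so the comparison is locale-independent.
                try {
                    $nt = New-Object System.Security.Principal.NTAccount($entry)
                    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { $entry }
            }
            $granting = @($holders | Where-Object { $TokenSids -contains $_ })
            if ($granting.Count -gt 0) {
                [PSCustomObject]@{ Privilege = $privilege; GrantedVia = ($granting -join ', ') }
            }
        }
    } finally {
        Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
    }
}

# Usage (svc_backup is a constructed placeholder). Build the SID set the account would
# carry at logon: itself, its nested domain groups, and the well-known Everyone (S-1-1-0)
# and Authenticated Users (S-1-5-11) SIDs every domain logon receives. Local
# Administrators (S-1-5-32-544) is added only if the account lands in that group here.
Import-Module ActiveDirectory
$svc = Get-ADUser -Identity 'svc_backup'
$tokenSids = @($svc.SID.Value, 'S-1-1-0', 'S-1-5-11') +
             @(Get-ADAccountAuthorizationGroup -Identity 'svc_backup' | ForEach-Object { $_.SID.Value })
if (Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object { $tokenSids -contains $_.SID.Value }) {
    $tokenSids += 'S-1-5-32-544'
}
Get-AccountPrivilegeRights -TokenSids $tokenSids | Format-Table -AutoSize
```

On a domain controller the same rights come from Group Policy rather than the local database, so run this on member servers; on a DC inspect the policy objects instead, as jrv describes. Privileges such as SeDebugPrivilege, SeBackupPrivilege or SeTcbPrivilege appearing in the output for a service account are worth reviewing against the policy jrv recommends writing down.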