Query Exchange

  • 1.  Local Administrator Permissions (w/ Domain Users)

    Broadcom Employee
    Posted Apr 29, 2022 05:36 PM

    Description:

    The Least Privileged Model reduces risk by limiting the users who have admin permissions. Recommended best practice is to audit and limit access to administrative privileges. Learn more: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

    Results:

    Lists all users in the local administrative group on a target system, as well as user ID and group ID.

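    -- Each user hive under HKEY_USERS\<SID> lists that user's group SIDs
    -- as values of the Group Policy\GroupMembership key.
    SELECT u.directory, u.uid, u.uuid, g.gid, g.groupname, g.group_sid
    FROM registry AS r
    -- the registry value data is a group SID
    JOIN groups AS g ON r.data = g.group_sid
    -- the SID embedded in the key path identifies the user
    JOIN users AS u ON regex_match(r.key, 'S\-[\-0-9]+', 0) = u.uuid
    WHERE r.key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership'
      AND g.groupname = 'Administrators';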

    #HelpDeskOperations
    #Windows
    #Compliance
    #ITHygiene
    #IncidentResponse
    #CarbonBlack


  • 2.  RE: Local Administrator Permissions (w/ Domain Users)

    Broadcom Employee
    Posted Apr 29, 2022 05:37 PM


  • 3.  RE: Local Administrator Permissions (w/ Domain Users)

    Posted Jun 18, 2022 09:41 AM

    Any possibility to get this information without querying the registry?

    Because what happens if someone added a user to the local Admin group and that user never logged in? Then you won't get a proper result.

    I am searching for a query which lists all members of the local admin group, also groups, either local or domain.

    Any idea?



  • 4.  RE: Local Administrator Permissions (w/ Domain Users)

    Broadcom Employee
    Posted Feb 06, 2024 07:37 PM

    Not sure how I missed your comment, but I am really sorry that I did. Do you still need help with this question?