The Local Administrators Report is a great report available to users of our Systems Governance Solution set, but focusing solely on Local Admins may not give the complete picture. The Local Administrators job (SG_LocalAdmins) uses our USERSGROUPS Data Collector. While it is scoped by default to look only at that local group's members, the Data Collector can be set to bring back other local groups as well. This can be done as follows:

1. Within the Jobs tree, navigate to System Governance > Privileged Accounts > Local Administrators > SG_LocalAdmins, expand the Configure node and select Queries.

2. Double-click the Direct Membership Query, or select it and then click Query Properties. Select Configure in the pop-up window to view the USERSGROUPS GUI.

3. Click the ellipsis (…) under "All users in the following groups:" to select the groups you would like to include in the collection, as seen here:
Connecting to a blank host returns that host's local groups, and the selection can be scoped to hosts known to have the desired groups. I personally like to include Backup Operators and Remote Desktop Users to get richer audit results. Save the settings and include the new groups within the Expand Effective Membership analysis, located under Configure > Analysis of the same job. The WHERE statement needs to be changed from '=' to 'IN', with parentheses around the desired group names, like I've done below:
Save and Close, and finally run as usual. Now our report will contain those new groups and can be filtered/scoped as desired:
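As an added cross-check that is not part of the original post or a STEALTHbits tool, the following PowerShell enumerates the same three local groups on a host directly, so the expanded report's findings can be compared against what the host itself says. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module (Get-LocalGroup / Get-LocalGroupMember); the default-member list is an assumption to adjust for your environment.

```powershell
# Added example (not STEALTHbits code): enumerate the local groups that the
# expanded SG_LocalAdmins collector brings back, for comparison with the report.
# Assumes Windows PowerShell 5.1+ and the built-in LocalAccounts module.
$Groups = @('Administrators', 'Backup Operators', 'Remote Desktop Users')

function Get-PrivilegedLocalMembers {
    param([string[]]$GroupNames = $Groups)
    foreach ($g in $GroupNames) {
        # Skip groups that do not exist on this host instead of aborting the run
        if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) { continue }
        # Orphaned SIDs can make Get-LocalGroupMember error; continue past them
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Host            = $env:COMPUTERNAME
                Group           = $g
                Member          = $_.Name
                ObjectClass     = $_.ObjectClass      # User or Group
                PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, etc.
            }
        }
    }
}

# Assumed baseline: only the built-in local Administrator is expected by default.
# Anything else listed here is what the report should also be surfacing.
$Defaults = @("$env:COMPUTERNAME\Administrator")

Get-PrivilegedLocalMembers |
    Where-Object { $_.Member -notin $Defaults } |
    Sort-Object Group, Member |
    Format-Table -AutoSize
```

Run it on a host that the job collected from and diff the members per group against the report rows; a group member the host shows but the report omits usually means that group was not added to both the query and the IN list in the analysis.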
Jeff is a Senior Engineer at STEALTHbits.