The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Determine local administrator accounts

Description: Retrieves a list of local administrator accounts.

What The Data Shows: Finds local accounts that are in the administrator group.

SQL: 

SELECT username, groupname, type, u.UID, g.GID, Description, comment 
FROM users u
JOIN user_groups ug ON ug.UID = u.UID
JOIN groups g ON g.GID = ug.GID
WHERE g.GROUPNAME = "Administrators"
AND u.type = "local";
16 Comments
wmorse
New Contributor II

Yes GID 555. 

In the 2nd query I left out "local" statement to see if I could get all users to try and pick up any AD accounts. Is that possible? 

jnelson
Carbon Black Employee
Status changed to: Under Review

@wmorse please email me at njon@vmware.com so we can set up a time to review as I think it may be easier to troubleshoot 

techlab
New Contributor II

Hi,

I tried it and it works great, Thank you!!

I am not a coder so seeking help, is it possible to modify it to try few common passwords on the identified admin account or even all account?


Thanks

 

jnelson
Carbon Black Employee

@techlab That is not possible with Audit and Remediation.

techlab
New Contributor II

@jnelson Thanks 

Is it possible with other CB product?

Also it would be very helpful if you can direct me towards online resource which explains difference between all CB products/components/solutions.

jnelson
Carbon Black Employee

@techlab I am sorry, but no CB products are capable of testing passwords.

For the details on the rest of the Carbon Black offerings, you can check out the Product Path tab on this page: https://carbonblack.vmware.com/