
Local Administrator Permissions (w/ Domain Users)

Description:

The least-privilege model reduces risk by limiting which users have administrative permissions. The recommended best practice is to audit and limit access to administrative privileges. Learn more: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implemen...

Results:

Lists all users in the local Administrators group on a target system, along with each user's ID and the group ID.

SELECT u.directory, u.uid, u.uuid, g.gid, g.groupname, g.group_sid
FROM registry AS r
JOIN groups AS g ON r.data = g.group_sid
JOIN users AS u ON regex_match(r.key, 'S\-[\-0-9]+', 0) = u.uuid
WHERE r.key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership'
  AND g.groupname = 'Administrators';
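Added example, not part of the original post: the query above run through Python's sqlite3 against constructed stand-ins for osquery's registry, groups and users tables. It shows how the SID in the key path is joined back to a user, and that an administrator with no GroupMembership key under HKEY_USERS returns no row. The table contents, SIDs, the Count/Group0 value layout and the Python regex_match stand-in are assumptions made for this illustration.

```python
import re
import sqlite3

# The page's query, with column references qualified by table alias.
QUERY = r"""
SELECT u.directory, u.uid, u.uuid, g.gid, g.groupname, g.group_sid
FROM registry AS r
JOIN groups AS g ON r.data = g.group_sid
JOIN users AS u ON regex_match(r.key, 'S\-[\-0-9]+', 0) = u.uuid
WHERE r.key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership'
  AND g.groupname = 'Administrators';
"""
GM = r"HKEY_USERS\{sid}\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership"
DOM = "S-1-5-21-1111-2222-3333-"  # constructed SID prefix, not a real domain

def regex_match(text, pattern, index):
    """Stand-in for osquery's regex_match(): capture group `index`, or NULL."""
    m = re.search(pattern, text)
    return m.group(index) if m else None

def build_sample():
    """In-memory tables holding constructed rows only."""
    db = sqlite3.connect(":memory:")
    db.create_function("regex_match", 3, regex_match)
    db.executescript("""
        CREATE TABLE registry(key TEXT, name TEXT, data TEXT);
        CREATE TABLE groups(gid INTEGER, groupname TEXT, group_sid TEXT);
        CREATE TABLE users(uid INTEGER, username TEXT, directory TEXT, uuid TEXT);
    """)
    db.executemany("INSERT INTO groups VALUES (?,?,?)", [
        (544, "Administrators", "S-1-5-32-544"),
        (545, "Users", "S-1-5-32-545")])
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        (1001, "alice", r"C:\Users\alice", DOM + "1001"),  # admin, hive loaded
        (1002, "bob", r"C:\Users\bob", DOM + "1002"),      # not admin, hive loaded
        (1003, "carol", "", DOM + "1003")])                # admin, never logged on
    db.executemany("INSERT INTO registry VALUES (?,?,?)", [
        (GM.format(sid=DOM + "1001"), "Count", "2"),
        (GM.format(sid=DOM + "1001"), "Group0", "S-1-5-32-544"),
        (GM.format(sid=DOM + "1001"), "Group1", "S-1-5-32-545"),
        (GM.format(sid=DOM + "1002"), "Count", "1"),
        (GM.format(sid=DOM + "1002"), "Group0", "S-1-5-32-545")])
    return db  # carol has no registry rows at all

def admin_rows(db):
    """Run the page's query and return every result row."""
    return db.execute(QUERY).fetchall()

if __name__ == "__main__":
    for row in admin_rows(build_sample()):
        print(row)
```

Only alice is returned; carol is missing because the query can only see accounts that have a GroupMembership key under HKEY_USERS.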
3 Comments
jnelson
Carbon Black Employee
Status changed to: Approved
 
Kuchi
New Contributor

Any possibility to get this information without querying the registry?

Because what happens if someone added a user to the local admin group and that user never logged in? Then you won't get a proper result.

I am searching for a query which lists all members of the local admin group, also groups, either local or domain.

Any idea?

jnelson
Carbon Black Employee

@Kuchi not sure how I missed your comment, but I am really sorry that I did. Do you still need help with this question?