Audit Report – Find non-compliant local admins!

A typical IT audit concern is defining who has local admin rights on their computers. At times you may need to add users as a troubleshooting step or because an application requires it and Run As is not feasible. Typically you want to remove them as soon as your task is done, but in the fast- paced world of desktop support and systems management, sometimes you forget… ahem. Hey, it happens. So what can you do about it? You can use complicated scripts that take all day to create or find which may result in hard-to-read output … or you can use a simple Goverlan Scope Action!

So why is it so important to control the use of administrative privileges? In today’s precarious world of ever increasing malicious attacks and corporate IT penetration, you need to protect your systems from any vector. Verizon conducts a yearly Data Breach Investigation Report (DBIR) with the US Secret Service. The 2011 report showed that 21% of attacks were done using stolen credentials and that account audits and event log searches were major steps in mitigating these security threats.

The SANS Institute is an organization based on training security professionals. This link describes guidelines to securing your workstation environment per NIST requirements.

You can satisfy the issues of privileged access with the Goverlan Remote Administration Suite.

What you need to know…

To get this information, you need to do a bit of intelligence gathering. First things first, who are the local admins on your workstations? This report will get you a current picture of what your environment’s local SAM databases look like. You will have to look through this and identify who does and doesn’t belong. This is super easy to accomplish with Goverlan Scope Actions. You can easily generate an easy-to-read report in a matter of seconds! In the report shown here, we see that our favorite user, Duke, is a member of the Local Administrators group on his PC. Not good.

The next step is finding out who added him. Just the fact that you can find this information will ensure that your

technicians keep the local SAM clean with no unauthorized accounts. Now here’s the catch. Audit-report1Whenever the local SAM is changed, there is an event logged in the local security log of the workstation. Most default event logs are set to overwrite as needed. This being the case, you may not be able to catch the event if the user was entered as a local admin before. Secondly, if technicians are using a service account, you wouldn’t be able to identify them.

Let’s say you did grab the event log and you could find the event. Wouldn’t it be great to see what account was used to add the user to the local admins group? This can be done! With a little help from WMI and Goverlan you could scan the local security logs of your workstations and find the information you need. In the report below, we see the offending technician and the SID of the account that was added. You can use your favorite SID finding tool or use Goverlan to find out who it is. Most likely if you have made it this far, you have a fairly good idea of what users you are dealing with.

Audit-queryNow it’s time to take this a step further. Question: Can I proactively monitor and get reports on local administrative group access? The answer is YES. With the Goverlan Remote Administration Suite, you can get these reports emailed to you regularly (via Scope Actions) so you can monitor changes in your local workstation SAM. With Goverlan and a bit of investigative work, you can satisfy your IT compliance and audit requirements before the auditors come knocking.



Download a free, full 30-day trial of Goverlan today. Learn more about Goverlan’s ROI & benefits.


Reference – (pdf)


2 thoughts on “Audit Report – Find non-compliant local admins!

  1. How is this a tutorial?! There’s no information regarding *HOW* to actually do any of this using Goverlan! I’ve purchased the product, now where are my instructions on how to get it singing?!

Leave a Reply