I actually had a customer (before I came along and changed it) randomize the renaming of the local admin on their workstations....
Do I need to say that they didn't have a log? And even more "strange" is that they actually created 20+ local accounts just to confuse a potential bad guy.....
I will not start to rant about what I think of this approach. Nevertheless, I had to find all the local admin accounts on their workstations. So I wrote some code that I fired off remotely and logged the information in a secure place. The basis of that code is below:
(as usual wrapping might be an issue)
-Script Begins-
'============================================================
' NAME: find-AdminName.vbs
' AUTHOR: Jimmy Andersson, Q Advice AB
' DATE: 21/04/2009
' Version: 1.0 - initial version
' USAGE: cscript find-AdminName.vbs
'============================================================
Option Explicit
'============================================================
'==== Declare variables and sets objWMIService
'============================================================
Dim strComputer, objWMIService, objAccount, colAccounts
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
'===========================================================
'==== Below code finds the local ADMINISTRATOR account
'==== by searching the SIDs of local accounts
'===========================================================
Set colAccounts = objWMIService.ExecQuery _
("Select * From Win32_UserAccount Where LocalAccount = TRUE")
For Each objAccount in colAccounts
    If Left(objAccount.SID, 6) = "S-1-5-" And Right(objAccount.SID, 4) = "-500" Then
        Call getInfo
    End If
Next
'===========================================================
'==== Function to get properties
'===========================================================
Function getInfo
wScript.Echo "Name: " & objAccount.Name
wScript.Echo "SID: " & objAccount.SID
wScript.Echo "Description: " & objAccount.Description
wScript.Echo "Disabled: " & objAccount.Disabled
wScript.Echo "Pwd Expires: " & objAccount.PasswordExpires
wScript.Echo "Pwd Required: " & objAccount.PasswordRequired
wScript.Echo "Pwd Changeable: " & objAccount.PasswordChangeable
End Function
-Script Ends-
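The same SID check in PowerShell, run across a list of workstations and written to a CSV log, as an added example that is not the author's code. The file names workstations.txt and local-admin-inventory.csv are hypothetical, WinRM is assumed to be enabled on the targets, and the SID test is stricter than the script's prefix/suffix match.

```powershell
# Added example: inventory the built-in Administrator (RID 500) on many workstations.
# Assumptions: workstations.txt (one host name per line) and the output path
# are hypothetical; Get-CimInstance -ComputerName needs WinRM on each target.
$computers = Get-Content -Path '.\workstations.txt'
$outFile   = '.\local-admin-inventory.csv'

# Machine-local account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
# RID 500 is the built-in Administrator, whatever the account has been renamed to.
$ridPattern = '^S-1-5-21-\d+-\d+-\d+-500$'

$results = foreach ($computer in $computers) {
    try {
        # Same WMI class and filter as the VBScript above.
        $accounts = Get-CimInstance -ClassName Win32_UserAccount `
            -Filter 'LocalAccount = TRUE' -ComputerName $computer -ErrorAction Stop

        $accounts | Where-Object { $_.SID -match $ridPattern } | ForEach-Object {
            [pscustomobject]@{
                Computer           = $computer
                Name               = $_.Name
                SID                = $_.SID
                Description        = $_.Description
                Disabled           = $_.Disabled
                PasswordExpires    = $_.PasswordExpires
                PasswordRequired   = $_.PasswordRequired
                PasswordChangeable = $_.PasswordChangeable
                Error              = $null
            }
        }
    }
    catch {
        # Record unreachable hosts so a gap in the inventory is visible in the log.
        [pscustomobject]@{
            Computer           = $computer
            Name               = $null
            SID                = $null
            Description        = $null
            Disabled           = $null
            PasswordExpires    = $null
            PasswordRequired   = $null
            PasswordChangeable = $null
            Error              = $_.Exception.Message
        }
    }
}

$results | Export-Csv -Path $outFile -NoTypeInformation
```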