Search This Blog

Loading...

Wednesday, July 29, 2009

A way of finding the local admin account by searching SIDs

Let's say you don't know the account name for the local admin account. The below code will find it for you. This is really good to have if a customer used the "oh-not-so-good-way-to-apply-security" approach.
I actually had a customer (before I came along and changed it) randomize the renaming of the local admin on their workstations....
Do I need to say that they didn't have a log. And even more "strange" is that they actually created 20+ local accounts just to confuse a potential bad guy.....
I will not start to rant about what I think of this approach. Never the less I had to find all the local admin accounts on their workstations. So I wrote some code that I fired off remotely and logged the information in a secure place. The basis of that code is below:
(as usual wrapping might be an issue)

-Script Begins-
'============================================================
' NAME: find-AdminName.vbs
' AUTHOR: Jimmy Andersson, Q Advice AB
' DATE: 21/04/2009
' Version: 1.0 - initial version
' USAGE: cscript find-AdminName.vbs
'============================================================
Option Explicit

'============================================================
'==== Declare variables and sets objWMIService
'============================================================
Dim strComputer, objWMIService, objAccount, colAccounts

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

'===========================================================
'==== Below code finds the local ADMINISTRATOR account
'==== by searching the SIDs of local accounts
'===========================================================
Set colAccounts = objWMIService.ExecQuery _
("Select * From Win32_UserAccount Where LocalAccount = TRUE")
For Each objAccount in colAccountsIf Left (objAccount.SID, 6) = "S-1-5-" and Right(objAccount.SID, 4) = "-500" Then
Call getInfo
End If
Next

'===========================================================
'==== Function to get properties
'===========================================================
Function getInfo
wScript.Echo "Name: " & objAccount.Name
wScript.Echo "SID: " & objAccount.SID
wScript.Echo "Description: " & objAccount.Description
wScript.Echo "Disabled: " & objAccount.Disabled
wScript.Echo "Pwd Expires: " & objAccount.PasswordExpires
wScript.Echo "Pwd Required: " & objAccount.PasswordRequired
wScript.Echo "Pwd Changeable: " & objAccount.PasswordChangeable
End Function
-Script Ends-

1 comment:

Marian said...

Thanks for your posts!