zakhter
Level 7

Report for local user logons

Hi All,

Need to generate a report on local account logons, where Host = Domain.

This is to prevent sneaky admins logging onto domain members with locally created accounts.

Not sure if a watch list or correlation rule should be created.

Regards,

0 Kudos
2 Replies
catdaddy
Level 20

Re: Report for local user logons

Moved from Community Support to VirusScan Enterprise > Discussions for better exposure and assistance.

By

Moderator

Cliff
McAfee Volunteer
0 Kudos
rmetzger
Level 14

Re: Report for local user logons

Hi Zakhter,

Well, not sure why/what you are trying to stop, but here is a command-line solution, run from the local machine:

    net localgroup "Administrators"

This should list all local (domain=Host) IDs with Administrator rights. Note: many System/Service level IDs will be listed starting with

    "NT Authority\..."

Also, some 'groups' may be reported, which are considered members of the "Administrators" group. To see these members, repeat the command for each group, e.g.:

    net localgroup "{whatever group name reported}"

Hopefully this is helpful.

Ron Metzger

0 Kudos
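
The "Host = Domain" report from the original question, sketched as an added example that is not part of any post in this thread: it filters Windows Security event 4624 (successful logon) records for logons where the account's domain equals the machine's own name, i.e. a locally created account. The JSON-lines export format, host names and account names are constructed assumptions; the same condition can back a SIEM correlation rule.

```python
import json

# Constructed sample: Security event 4624 (successful logon) records exported
# as JSON lines. Host, domain and account names are made up for illustration.
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "WKS042.corp.example.com", "TargetDomainName": "CORP", "TargetUserName": "jsmith", "LogonType": 2}
{"EventID": 4624, "Computer": "WKS042.corp.example.com", "TargetDomainName": "WKS042", "TargetUserName": "localadm", "LogonType": 10}
{"EventID": 4624, "Computer": "WKS042.corp.example.com", "TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM", "LogonType": 5}
{"EventID": 4624, "Computer": "SRV007.corp.example.com", "TargetDomainName": "srv007", "TargetUserName": "Administrator", "LogonType": 3}
{"EventID": 4634, "Computer": "SRV007.corp.example.com", "TargetDomainName": "SRV007", "TargetUserName": "Administrator", "LogonType": 3}
{"EventID": 4624, "Computer": "WKS042.corp.example.com", "TargetDomainName": "Window Manager", "TargetUserName": "DWM-1", "LogonType": 2}
"""

# Logon types of interest: interactive (2), network (3), unlock (7),
# remote interactive (10), cached interactive (11). Batch (4) and
# service (5) logons are skipped.
REPORTED_LOGON_TYPES = {2, 3, 7, 10, 11}

def host_short_name(computer):
    """NetBIOS-style host name: first FQDN label, upper-cased, max 15 chars."""
    return computer.split(".", 1)[0].upper()[:15]

def local_account_logons(lines):
    """Return (host, user, logon_type) for logons where account domain == host."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:
            continue  # only successful logons
        host = host_short_name(ev.get("Computer", ""))
        domain = str(ev.get("TargetDomainName", "")).upper()
        # "Host = Domain": the account lives in the machine's own SAM,
        # not in the domain. Comparison is case-insensitive.
        if host and domain == host and ev.get("LogonType") in REPORTED_LOGON_TYPES:
            hits.append((host, ev["TargetUserName"], ev["LogonType"]))
    return hits

if __name__ == "__main__":
    for host, user, ltype in local_account_logons(SAMPLE_EVENTS.splitlines()):
        print(f"{host}\\{user} logon type {ltype}")
```

Built-in identities such as `NT AUTHORITY\SYSTEM` never match because their domain is not the host name, which removes the noise mentioned in the reply above.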