/build/static/layout/Breadcrumb_cap_w.png

HOWTO: Create a custom inventory rule to show all local administrators.

Want to see which users/groups have local admin rights on your machines? Create these Custom Inventory Rules to list that in the inventory record!

PC Rule

For PCs, create a custom inventory rule (Inventory -> Software -> Create New) and fill the CIR box with the following command:


ShellCommandTextReturn(net localgroup Administrators)


Custom Inventory Rule syntax

I would suggest naming the rule "Local Administrators" for simplicity.

Make sure to select all Windows versions and your machines should start checking in with results like this:

1) Local Administrators:Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
AD\jsmith
AD\Domain Admins
AD\DEPT-ADM
Administrator
LOCAL-ADMIN
The command completed successfully.

[string]


OS X Rule

For Macs, create another custom inventory rule (Inventory -> Software -> Create New) and fill the CIR box with the following command:


Update: Based on a tip from serkowski, I have changed the use of awk to sed, as seen below.


ShellCommandTextReturn(dscl . -read /Groups/admin GroupMembership | sed 's/GroupMembership: root //' | sed 's/ / | /g')


Piping the results of the dscl query to two consecutive sed (stream editor) commands will remove the "GroupMembership:" prefix, and will exclude the root account, and will then add pipes(|) between resulting accounts.

I named this rule OS X Local Administrators, again for simplicity.

Make sure all versions of OS X are selected, and your macs should start checking in with results like this:

1) OS X Local Administrators:    local-admin | jsmith [string]


Reporting

From this point, you can create reports to detect common accounts, or even to detect if the current logged in user is an admin. Here is an example of detecting if the current logged in user is an admin. Replace the ##### examples with the software IDs of the Custom Inventory Rules you created above:


SELECT * FROM MACHINE
JOIN MACHINE_CUSTOM_INVENTORY ON MACHINE_CUSTOM_INVENTORY.ID=MACHINE.ID AND (SOFTWARE_ID=##### OR SOFTWARE_ID=#####)
WHERE MACHINE_CUSTOM_INVENTORY.STR_FIELD_VALUE LIKE CONCAT('%', MACHINE.USER, '%') AND MACHINE.USER !=''


Comments

  • I followed you up to the Reporting section. I run the report that I made from your code with my Software_ID's and I get back no results. I can see there are already 20 machines in the custom inventory so I know it has successfully pulled information.
    Any ideas? Thanks. - AFCUjstrick 11 years ago
    • Are any of your users local admins? The report I listed only shows results if the 'logged in user' field in the Inventory matches one of the local admin accounts explicitly, not if they are members of a security group, or are non-admin users. - jaredv 11 years ago
  • It looks like "Supported Operating System" is ignored, and it runs on all operating systems!
    So how do I prevent the command from running on the wrong OS and producing a screenful of usage information?
    Or worse, the command is successful and causes an unintended result? - serkowski 11 years ago
  • Not ignored for Windows boxes, but is ignored for OSX and Linux. Looks like a bug.
    A better rule for OSX is:
    ShellCommandTextReturn(dscl . -read /Groups/admin GroupMembership | sed 's/GroupMembership: root //')
    And a rule for Linux looks like:
    ShellCommandTextReturn(grep wheel /etc/group | sed 's/^.*:root,//') - serkowski 11 years ago
    • Great suggestion! I've updated the original post to use sed. - jaredv 11 years ago
    • And yes, I've started seeing the "Supported Operating System" selection being ignored by OS X and Linux agents. Need to submit a bug report for that. - jaredv 11 years ago
  • How can I use this same script to filter out those known admin users. For Example I have IT department users that are admins that I do not want this report to report on. - tim.scott@cedarparktexas.gov 11 years ago
    • Sorry that I didn't see this question earlier. If you're still interested in filtering like this (or if anyone else has the same question), I would suggest piping the results to FINDSTR for the windows rule, like so:

      net localgroup Administrators | FINDSTR /V "ADMIN1" | FINDSTR /V "ADMIN2" - jaredv 10 years ago
      • I can not get this to work. Are there certain character that need to be escaped? How would I escape them?

        ShellCommandTextReturn(net localgroup Administrators | FINDSTR /V "Administrator" | FINDSTR /V "Members" | FINDSTR /V "The command completed successfully." | FINDSTR /V "DOMAIN\Domain Admins")

        The command runs fine in a prompt and has a clean output. - mmcspadd 10 years ago
      • I'm having the same issue as mmcspadd. The command above works as expected when run interactively in a command prompt on a client server, but the K1000 seems to have trouble parsing it. I enabled debugging on one of my clients and see the following:
        [Fri Jun 14 14:46:46 2013] The option /V is unknown.
        [Fri Jun 14 14:46:46 2013] The syntax of this command is:
        [Fri Jun 14 14:46:46 2013] NET LOCALGROUP
        [groupname [/COMMENT:"text"]] [/DOMAIN]
        groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
        groupname name [...] {/ADD | /DELETE} [/DOMAIN]
        [Fri Jun 14 14:46:46 2013] More help is available by typing NET HELPMSG 3506.

        It's as though the K1000 is trying to use the /V argument against the net command, rather than findstr. Any suggestions? - brupnick 10 years ago
  • Does this work for local Power Users? - sajer137 10 years ago
    • For the Power Users group, you would have to specify the following, instead:

      net localgroup "Power Users" - jaredv 10 years ago
      • Appreciate it, thanks! - sajer137 10 years ago
  • I tried the Custom Inventory Rule but under K1000 5.5 to make it work I amended it in this way:
    ShellCommandTextReturn(cmd /c net localgroup Administrators) - StockTrader 10 years ago
  • To obtain the ID required by the query you can create this report:

    select SOFTWARE.DISPLAY_NAME,MACHINE_CUSTOM_INVENTORY.SOFTWARE_ID
    from SOFTWARE,MACHINE_CUSTOM_INVENTORY
    where
    SOFTWARE.ID=MACHINE_CUSTOM_INVENTORY.SOFTWARE_ID

    This will give you all the IDs of the custom field you created. - StockTrader 10 years ago
  • I think that I found a way to enter in the query directly the name of the field instead of the ID of if:
    That's my query:
    ----
    select SOFTWARE_ID,DISPLAY_NAME, STR_FIELD_VALUE , USER ,MACHINE.NAME FROM
    (select SOFTWARE.DISPLAY_NAME,MACHINE_CUSTOM_INVENTORY.SOFTWARE_ID,MACHINE_CUSTOM_INVENTORY.ID,MACHINE_CUSTOM_INVENTORY.STR_FIELD_VALUE
    from SOFTWARE,MACHINE_CUSTOM_INVENTORY
    where
    SOFTWARE.ID=MACHINE_CUSTOM_INVENTORY.SOFTWARE_ID AND
    DISPLAY_NAME LIKE '######' ) AS AAA,MACHINE
    WHERE
    AAA.ID=MACHINE.ID AND
    MACHINE.USER !=''AND
    AAA.STR_FIELD_VALUE LIKE CONCAT('%', MACHINE.USER, '%')
    ---
    Substitute ##### with the name of field.
    Marco - StockTrader - StockTrader 10 years ago
  • I polished a bit my query transforming it in something a bit more readable:
    select
    MACHINE.NAME, MACHINE.USER, CI.STR_FIELD_VALUE
    from
    MACHINE
    INNER JOIN
    MACHINE_CUSTOM_INVENTORY CI ON MACHINE.ID = CI.ID
    INNER JOIN
    SOFTWARE ON SOFTWARE.ID = CI.SOFTWARE_ID
    WHERE
    SOFTWARE.DISPLAY_NAME LIKE '######'
    AND MACHINE.USER != ''
    AND CI.STR_FIELD_VALUE LIKE CONCAT('%', MACHINE.USER, '%')

    Feel free to adjust the SELECT statement to your needs :-)
    Marco. - StockTrader 10 years ago
    • Is there are a way to exclude certain Admins from this report? - ranchristian 3 years ago
  • I went to a CSV export and use excel macros to quick format, creating a excel sheet in under a minute.
    http://www.itninja.com/question/is-there-a-way-to-develop-a-report-on-who-has-admin-rights-on-their-pc - SMal.tmcc 10 years ago
  • I realized this wasn't working on clients with agent version 5.5.30275, but this does:

    ShellCommandTextReturn(cmd.exe /c net localgroup Administrators) - awingren 10 years ago
  • I know this is a bit old, but i'm having a hard time locating the software ID of the rule I created. Any insight there? - anonymous_138211 5 years ago
    • @Mr.MattyV Go to this URL http://yourkaceserver/adminui/software? Then navigate to software, click on your software. The ID will be in the URL. - randyintally 5 years ago
  • Procuro como fazer uma regra para trocar a senha de adm local das maquinas, alguma opcao? - henlofer 4 years ago
This post is locked
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ