Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Can SAM or another SW module monitor changes to local admin groups?

I had the security team ask me this one.

They say that sometimes people have local admin access and then they give their buddies local admin to a different machine and that bypasses security.

I was thinking conceptually that there is probably a way to monitor a local admin group on a machine with something like "alert me if local admin doesn't match these three entries" but I'm not sure how I could do something like that. Likely powershell. It doesn't seem like SAM would be the right tool for this but I'm checking to see if anyone has any ideas or recommendations for other software that is used for this type of thing. We have NCM, NPM, IPAM, and SAM.

Thanks!

Find more posts tagged with

Accepted answers

All comments

osborne_graham

You could do this either with a powershell script in SAM (or SCM if you can fork out for another product).

In SAM a really really basic solution could be something along the lines of:

$adminmembers = (Get-LocalGroupmember -Group administrators | Where-Object {$_.objectclass -eq 'user'}).count

write-host "message.AdminMembers: Members of the local admin group"

write-host "statistic.AdminMembers: $adminmembers"

exit 0

which will give you a count of the members of the local admins group, you could either set the critical value to anything above zero or create a components alert specifically looking at the result.

In SCM just use 'Get-LocalGroupmember -Group 'administrators' | Where-Object {$_.objectclass -eq 'user'}' and baseline all devices.

mesverrum

Also worth pointing out that SW recently acquired the ARM product, not a part of Orion (yet?) But it is a dedicated tool for monitoring user permissions and it is ultimately MUCH more powerful and efficient for this kind of thing than rigging up Sam monitors and powershell.

osborne_graham

I haven't had a chance to get hands on with ARM yet but I was under the impression it monitored AD via the DC's, does it also monitor the local groups on the individual nodes too?

rushcoil

Thanks for the info!

rushcoil

Thank you. I will give this a shot. I think they just want to be altered if someone alters the baseline. They can run Veronis for comprehensive reports.

jgrobinette050

LEM does this but I see rushcoil doesn't have it. I like the SAM powershell solution.

I monitor root access on Linux boxes and remote admin access on MS servers. Put in a couple rules in LEM and it does it thing. The ISSE likes the email event which ids the folks logging in and the monitor/alert part. I have two for remote MS access ones for straight up remote logins, in case our SAs decide to be bad and one for users outside our admin team.