This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

→ 🚀What's New? Join Us for the Fall Product Launch! Register Now !

Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

unauthorized administrators report and multiple domains

Fossy777
Engaged Sweeper III

‎11-03-2010 12:59 PM

Hi there,

I was wondering how the syntax of defining authorized administrators is:

I want to allow Mr. Garcia to be administrator on his PC in domain one but not on his pc in domain two. All I try to allow him to be administrator explicitely on this PC does not change the report.


Report says
 Computer  Domain  Description  Domainname  Username  
 it-ag     one                  one         garcia  
 it-ag     two                  one         garcia


I tried:
Domain/Computer   Administrator account
 one\it-ag         garcia
 one/it-ag         garcia
 one%it-ag         garcia
 one\it-ag%        garcia
 one/it-ag%        garcia
 it-ag             garcia

Nothing worked, in all cases Mr. Garcia still appears in the report as shown above.
Other lines like "Domain/Computer: bc-% Administrator account: bc" work...
How is the syntax? Is everything case sensitive? Or is it a bug?
Labels:
0 Kudos
10 REPLIES 10
Fossy777
Engaged Sweeper III

‎11-05-2010 10:34 AM

Is there already a feature request regarding this?

I don´t want to define simply "accounts" but "accounts on machines". So the configuration view could get extended from "domain/computer | Administrator" to "Computer´s Domain | Computername | Users Domain/Computer | Username" and the report could get extended this way.

Example:
I have defined some domain accounts to be authorized administrators on all machines (no problem so far). Now some software supplier installs some part of software which is insecure but has to run on only one machine using admin rights. I want to get alerted if anybody else uses this admin user on any other machine.

Other example see above: Mr. Garcia is allowed to be Administrator on his old PC in the old domain but the same user is not allowed to be administrator on his new machine. He has two PCs but he only has one user because there is a trust. Mr. Garcia has the ability to grant the rights himself - this is the cause I want to get alerted.

Good idea?
0 Kudos
Hemoco
Lansweeper Alumni
In response to Fossy777

‎11-05-2010 09:37 PM

Fossy777 wrote:

Other example see above: Mr. Garcia is allowed to be Administrator on his old PC in the old domain but the same user is not allowed to be administrator on his new machine. He has two PCs but he only has one user because there is a trust. Mr. Garcia has the ability to grant the rights himself - this is the cause I want to get alerted.

4.1 will scan eventviewer information and success events, you can use this to create reports when someone changes access permissions.
0 Kudos
Fossy777
Engaged Sweeper III

‎11-04-2010 12:20 PM

Sad but OK.

After I created a report per domain: How can I define him to be allowed administrator on a specific machine? This also does not work I now recognized...

Tried to simply fill in his hostname "one" but he is still shown as unauthorized...
0 Kudos
Fossy777
Engaged Sweeper III
In response to Fossy777

‎11-04-2010 03:25 PM

Fossy777 wrote:
Sad but OK.

After I created a report per domain: How can I define him to be allowed administrator on a specific machine? This also does not work I now recognized...

Tried to simply fill in his hostname "one" but he is still shown as unauthorized...

This does not work because the field "Domain/Computer" identifies the machine part of the user credential to be checked and not the machine on which he would be allowed to be Administrator. Am I right?

So I only can define a domain user to be allowed local administrator anyway in a specific domain but not only on a specific machine?
0 Kudos
Hemoco
Lansweeper Alumni
In response to Fossy777

‎11-04-2010 05:00 PM


This does not work because the field "Domain/Computer" identifies the machine part of the user credential to be checked and not the machine on which he would be allowed to be Administrator. Am I right?


Correct

So I only can define a domain user to be allowed local administrator anyway in a specific domain but not only on a specific machine?

You can define a domain user as:
1e column:domain, 2e column: username

You can define a local user as:
1e column:computername, 2e column: username
(computername can be a wildcard "%")
0 Kudos
Fossy777
Engaged Sweeper III

‎11-04-2010 12:12 PM

Then he may be administrator on all machines in domain one and the report does not show.
But he is only allowed to be administrator on only this machine in domain one!
0 Kudos
Hemoco
Lansweeper Alumni
In response to Fossy777

‎11-04-2010 12:16 PM

Fossy777 wrote:
Then he may be administrator on all machines in domain one and the report does not show.
But he is only allowed to be administrator on only this machine in domain one!

That's how the report works.

If you don't want this you will need to create your own custom report per domain.
0 Kudos
Hemoco
Lansweeper Alumni

‎11-04-2010 12:09 PM

I see the problem now:

First column is the domainname : one
Second column is the username: garcia

(make sure you remove any spaces after the username)
0 Kudos
Hemoco
Lansweeper Alumni

‎11-04-2010 11:56 AM

Did you rescan the computer after the change?
Do you see the new user in the users in groups page?
0 Kudos

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now