Just something that has come to mind for a job I'm working on.
I'm working on a MS Small Business Server 2003 machine where there is some suggestion that perhaps unauthorized access is occurring from old user accounts that weren't disabled / removed when employees left.
In this instance I have free access to the server and the IT staff who maintain it so it's going to be easy to get this information from them and inspect the system live to confirm, however it occurred to me I'd like to be able to verify those findings from the image I acquired of the server a few days ago and also this will help eliminate any suggestion that accounts were deleted or locked out after I started my analysis.
For a normal computer I'd get the info I need from the SAM file, but with domain users this is not the case. Any ideas on where to find the equivalent information on an SBS machine?
To start
http//
For domain users, it's fairly trivial to determine the active user(s)…simply compare the modification times of the NTUSER.DAT hive files in each profile.
You can also correlate that information to what you find in the Security Event Log, *if* the appropriate logging is enabled.
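The cross-check described above, as an added example that is not part of the thread: it reads the last-write time of each profile's NTUSER.DAT from a read-only mount of the acquired image and flags any account on the IT roster that had already left but whose hive was still written afterwards. The profile root, account names and departure dates are constructed for the demo.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Added example: assumes the acquired image is mounted read-only under a profiles root such as
# "Documents and Settings"; roster values are constructed departure dates (None = still in use).


def profile_hive_times(profiles_root):
    """Map each profile name (lower-cased) to the UTC last-write time of its NTUSER.DAT."""
    times = {}
    for hive in Path(profiles_root).glob("*/*"):
        # compare names case-insensitively: the image may be mounted on a case-sensitive host
        if hive.is_file() and hive.name.lower() == "ntuser.dat":
            times[hive.parent.name.lower()] = datetime.fromtimestamp(hive.stat().st_mtime, tz=timezone.utc)
    return times


def flag_logons_after_departure(hive_times, roster):
    """Return sorted (account, last_write_iso) pairs for departed accounts whose hive was
    written after the departure date, i.e. someone still logged on with that account."""
    flagged = []
    for account, left_on in roster.items():
        last = hive_times.get(account.lower())
        if left_on is not None and last is not None and last > left_on:
            flagged.append((account, last.isoformat()))
    return sorted(flagged)


def build_sample_profiles(root):
    """Constructed sample tree: three profiles whose NTUSER.DAT files get fixed mtimes via os.utime."""
    base = Path(root, "Documents and Settings")
    for user, day in {"jsmith": "2008-03-01", "bjones": "2008-06-15", "Administrator": "2008-06-20"}.items():
        hive = base / user / "NTUSER.DAT"
        hive.parent.mkdir(parents=True)
        hive.write_bytes(b"regf")  # placeholder bytes, not a real hive
        ts = datetime.fromisoformat(day).replace(tzinfo=timezone.utc).timestamp()
        os.utime(hive, (ts, ts))
    return base


def run_demo():
    """jsmith left on 2007-12-31 yet the hive was written 2008-03-01; the other two accounts are current."""
    utc = timezone.utc
    roster = {"jsmith": datetime(2007, 12, 31, tzinfo=utc), "bjones": None, "Administrator": None}
    with tempfile.TemporaryDirectory() as tmp:
        return flag_logons_after_departure(profile_hive_times(build_sample_profiles(tmp)), roster)
```

Run the check against the mounted image rather than a copied-out directory, since copying rewrites the timestamps you are relying on; a hit here is a lead to confirm against the Security Event Log, not proof on its own.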
Not sure about policy of linking files here - but I guess this PDF should be able to answer most questions
http//
Best regards
Daniel
Daniel,
Thanks for posting that PDF, but can you elaborate a bit on how obtaining the password hashes from the NTDS.DIT file will help the OP determine the active accounts on one system in the domain?
Thanks.
Hi Keydet,
First of all I have to admit that I am "guessing" and not knowing that this is at least a domain controller. I would say in most environments where a SBS 2003 Server is being used it will host the active directory database. This, btw., also fits into the concept of the described problem: if a different server is acting as the domain controller, Adam would have to get access to that one.
While this document is explaining how to obtain the password hashes, it also explains on page five the DB structure of the NTDS.DIT - and that is what Adam was asking for: getting the information on the last login of a user account that should not be used anymore.
I understood his question as "What is the user DB (SAM) of an active directory and how can I read that" - and this is explained in that document.
If I was completely wrong, please excuse me for pointing in the wrong direction.
Best regards
Daniel
Daniel,
Thanks for that…and please do not misunderstand, as I am not trying to suggest that you are wrong or incorrect in some way.
Adam had asked/stated:
"I'm working on a MS Small Business Server 2003 machine where there is some suggestion that perhaps unauthorized access is occurring from old user accounts that weren't disabled / removed when employees left."
To me…and I could be the one completely off-base here…that sounds as if he's asking the question of access; specifically, was someone accessing the system using old accounts.
I understand that at the end of the post, there is the question of finding something equivalent to the SAM database, but for domain accounts. If you were to isolate just that question from the context of the rest of the post, I would completely agree with you. I simply read this as a question of how to go about determining the active user accounts used to access a specific system.
Of course, I could be wrong.
Gentlemen, thank you both very much for the info.
I was able to corroborate nicely and confirm what the IT guy was telling me.
Adam,
So you parsed the NTDS.DIT file for the password?
No, I looked at the NTUser.dat files for the various user accounts, and with the list the IT guy gave me of current/disabled/old accounts I used the timestamps to corroborate.
Thanks again.