Forums
Main Category
General (Technical,...
is this user accoun...
 
Notifications
Clear all

is this user account a member of local administrators?

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by nybella 16 years ago
3 Posts
2 Users
0 Reactions
960 Views
RSS
 ashley_thorn
(@ashley_thorn)
New Member
Joined: 17 years ago
Posts: 4
Topic starter 24/03/2009 8:13 pm  

hi guys,

I'm trying to identify whether a user a/c is a member of the local admins group? where is this info stored?

i'm hunting around in

–HKLM\SAM\SAM\Domains\Account\Users

–HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ProfileList

but have had no joy thus far.

Thanks in advance


   
Quote
nybella
 nybella
(@nybella)
Active Member
Joined: 16 years ago
Posts: 6
24/03/2009 9:52 pm  

Information about group membership is maintained in the SAM\SAM\Domains\Builtin\Aliases key. Each of the RID subkeys beneath the Aliases key has a C value that is a binary data type and needs to be parsed to determine which users are members of the group. Messieurs Carvey and Schuster have covered this beautifully in their blogs, and there you should find everything you need

http//windowsir.blogspot.com/2006/02/determining-group-membership-from.html

http//computer.forensikblog.de/en/2006/02/list_members_of_a_windows_group.html


   
ReplyQuote
nybella
 nybella
(@nybella)
Active Member
Joined: 16 years ago
Posts: 6
24/03/2009 9:58 pm  

You'll need to elevate to SYSTEM privileges in order to take this info down from a running system.


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: