Contributor:
Kris Zentek
October 6th, 2011

Who Has Admin Rights?

Before implementing a least privilege desktop policy it is generally good practice to know who you are likely to affect. This is not an easy task if you do not already manage or track which users have previously been given local admin rights on their devices.

Microsoft provides a free utility that can report this: the Microsoft Baseline Security Analyzer, or MBSA for short.

[Figure 1: MBSA - Choose a type of scan or view previous scan results]

MBSA is designed to highlight potential security risks on endpoints and to recommend remediation for them. Access to a local admin account is of course a high-risk concern, and so this is one of the things it checks for.

[Figure 2: MBSA - Select your scanning options]

It works by scanning each target endpoint for the number of entries in the Local Administrators group, which for any endpoint joined to a domain should only contain the Local Administrator user and the Domain Admins group. So if it detects more than two entries, it flags this in the graphical UI. From here you can drill into the report to display the actual group memberships.

[Figure 3: MBSA - Summary of all endpoint scan results]

[Figure 4: MBSA - Summary of the scan results and details of the ‘Administrators’ test]
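
The membership check described above can also be scripted. The following is an added example, not part of the original post or of MBSA itself: it lists the members of the local Administrators group and marks anything other than the two baseline entries. The function name `Get-LocalAdminAudit` is hypothetical, and the script assumes Windows PowerShell 5.1 or later, with PowerShell remoting enabled for any remote targets.

```powershell
# Added example (not MBSA code): audit local Administrators group membership.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

function Get-LocalAdminAudit {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Endpoints to check; remote names require PowerShell remoting.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    $check = {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
        # so the lookup works whatever the group's localized name is.
        Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
            $sid = $_.SID.Value
            # Baseline entries: RID 500 is a built-in Administrator account,
            # RID 512 is the Domain Admins group.
            $expected = $sid -match '^S-1-5-21-\d+-\d+-\d+-(500|512)$'
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $_.Name
                ObjectClass = "$($_.ObjectClass)"
                SID         = $sid
                Expected    = $expected
            }
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $check                                   # local endpoint
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $check
        }
    }
}

# Show only the entries beyond the two-entry baseline, per endpoint.
Get-LocalAdminAudit |
    Where-Object { -not $_.Expected } |
    Sort-Object Computer, Member |
    Format-Table Computer, Member, ObjectClass, SID -AutoSize
```

Matching on the SID rather than the account name means a renamed Administrator account is still recognised as a baseline entry.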

In summary, you should have a good understanding of which users have admin rights before implementing least privilege. If you don’t already audit this, then MBSA can provide this information for you.

For more information and to download MBSA, visit the MBSA TechNet resource here.
