What the tool does

Many organizations are implementing the "Principle of Least Privilege (POLP)" as a way to ensure only the minimum level of privileged access is granted to the smallest number of people for the shortest period of time. One of the first steps in implementing a POLP strategy should be to remove any standing administrator rights from user's laptops and workstations. The PEM Risk Discovery Tool gets you started by revealing what local admin accounts you have in your IT estate.

The list of users and groups in a given computer’s Administrators group is not stored in Active Directory - it is only available on the computer itself. To get the whole list of users in local Administrators groups within a domain, each computer in the domain must be queried.

• The Local Admin Audit Tool starts by getting the list of computers in the domain using a simple LDAP query against the default Domain Controller (queried as rootDSE).
• It then queries each computer using Active Directory Service Interfaces with the WinNT provider to obtain the list of members in that computer’s Administrators group (despite the name, this is not querying the domain’s Active Directory, but a simplified directory service that runs on each computer.).
• The information returned contains user names and last logon times - which is all the information needed to build the audit.
• The tool can be run with any user and on any workstation in your domain which fulfills the specified requirements.

What the tool does not

The tool does not save or report any information to any third party including Osirium.

Requirements

To make sure you don't have any problems running the assessment tool, check the following:

• Your user/workstation running the tool must be able to authenticate in the domain, it must be able to make DNS queries in the domain, and it must be able to make LDAP queries in the domain.
• The user running the tool must be in the local Administrator group of the computers that are being queried - this is a requirement when querying Administrators group members through Active Directory Service Interfaces.
• The tool requires .NET Core 3. If it isn't installed, you will be prompted to download and install .NET Core
• Finally, the workstation running the tool must be able to connect to the other workstations it is querying using SMB protocol on port 445.