schuetzdentalCB, posted February 22, 2018

Hey, am I able to check in ESET ERA whether a system that is controlled by Endpoint Security has a logged-in user with admin rights? I know I can grab the Windows system log etc., but I didn't find out where, or if, it's possible to see whether a user has local admin rights. Thanks for any ideas.

Cousin Vinny, posted February 22, 2018

It is possible, but there is no built-in functionality specific to this purpose. You need to execute a Run Command task on the host(s) you want to check. Since the Run Command task simply creates a local batch file and then executes it, the output is not returned to ERA and you will need to output the command to a file. Here's the command you want:

"hostname & net localgroup administrators > \\%HOSTNAME%\%SHARE%\filename.log"

Replace %HOSTNAME% and %SHARE% with your environment or just output the file locally.

Edited February 22, 2018 by Cousin Vinny (spelling)

schuetzdentalCB (author), posted February 23, 2018

Thanks, that's a great idea. Unfortunately this is not working. I think the user that ESET uses to run the batch file doesn't have access to the network share. Is there any workaround? Best regards

Cousin Vinny, posted February 23, 2018

Sure, you don't have to output to a network share; it would just simplify collecting the results had you run this command on multiple machines.

"hostname & net localgroup administrators > C:\filename.log"

schuetzdentalCB (author), posted March 1, 2018

But then I can't collect the files over the network. The first one with the network path is a good idea, but it's not working. Is ESET creating logs that I could check to find out what's happening? ERA tells me the task was successful, but nothing is stored in the network path. Thanks

Cousin Vinny, posted March 1, 2018

Make sure the share has permission granted to the "Domain Computers" group - ESET executes the command as a local system account rather than a domain user.

I did overlook something in my original reply though - it prints the hostname first and then outputs only the 'net' command to file... so the command needs to be modified a little.

Edit: Or you could just simply output the file with the hostname as filename.

net localgroup administrators > \\servername\sharename\%COMPUTERNAME%.log

This way it writes the hostname to file and then appends the net command results to the same file. I tested this just now from ERA and it works fine.

Edited March 1, 2018 by Cousin Vinny (simplified command)

schuetzdentalCB (author), posted March 2, 2018

Perfect!!! Thank you very much. Adding domain PCs worked.

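Once the per-host %COMPUTERNAME%.log files from the thread are on the share, they still have to be read. The following is an added example, not part of the thread and not ESET's own code: it parses each file and reports members outside an expected baseline. The CONTOSO names, the allowlist and the cp850 code page are assumptions.

```python
from pathlib import Path

# Assumed baseline of accounts expected in the local Administrators group.
ALLOWED = {"administrator", "contoso\\domain admins"}

def parse_members(text):
    """Return the member names from `net localgroup administrators` output."""
    lines = [ln.strip() for ln in text.splitlines()]
    # Members start after the dashed separator line.
    start = next((i for i, ln in enumerate(lines) if ln and set(ln) == {"-"}), None)
    if start is None:
        return []  # empty file or failed command: nothing to parse
    body = [ln for ln in lines[start + 1:] if ln]
    # The last non-empty line is the localized "command completed" message,
    # so drop it by position instead of matching English text.
    return body[:-1]

def unexpected_admins(reports, allowed=ALLOWED):
    """Map hostname -> members not in the allowlist (case-insensitive)."""
    findings = {}
    for host, text in reports.items():
        extra = [m for m in parse_members(text) if m.lower() not in allowed]
        if extra:
            findings[host] = extra
    return findings

def load_reports(share_dir):
    """Read every <COMPUTERNAME>.log in the collection folder."""
    # cmd.exe redirection writes in the OEM code page; cp850 is an assumption.
    return {p.stem: p.read_text(encoding="cp850", errors="replace")
            for p in Path(share_dir).glob("*.log")}

# Constructed sample output (English-language Windows), not from the thread.
_HEAD = ("Alias name     administrators\nComment        (text)\n\n"
         "Members\n\n" + "-" * 79 + "\n")
_TAIL = "The command completed successfully.\n\n"
SAMPLE = {
    "PC-01": _HEAD + "Administrator\nCONTOSO\\Domain Admins\n" + _TAIL,
    "PC-02": _HEAD + "Administrator\nCONTOSO\\Domain Admins\nCONTOSO\\jdoe\n" + _TAIL,
}

if __name__ == "__main__":
    for host, extra in unexpected_admins(SAMPLE).items():
        print(host, extra)
```

Because the share is writable by every account in "Domain Computers", each file is self-reported by the machine that wrote it, and any other computer account could overwrite it. Treat the result as an inventory aid and confirm unexpected findings on the host itself.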