Script for Local User and Group Baselines

James TaralaAssurance

In keeping with my New Year’s resolutions, I want to continue posting information on how an auditor might take advantage of baselines when performing an Information System (IS) audit. Certainly I hope system administrators will be able to take advantage of this information as well when performing their own Control Self Assessments (CSAs).

For a primer on why you might want to consider performing a system baseline or for a process for performing system baselines, check out our previous blog entries here. <shamelessplug>Or if you really want to deeper dive, try the SANS Audit 407 class </shamelessplug>.

As we discussed earlier as well, we are going to rely primarily on PowerShell to pull this information for us. So all of the scripts you will see in this series will be written as PowerShell scripts. For your sake, make your life easy, and install PowerShell version 2.0, that will give you the latest and greatest functionality and give you the same development environment we’re primarily using to write these scripts.

So to get started with our baseline scripts, we are going to use a couple easy scripts to produce a list of the user accounts and the groups on a local Microsoft Windows machine (Windows 2000 or later). In order to produce a list of local user accounts, try the following command:

Get-WmiObject Win32_UserAccount -filter “LocalAccount=True” | Select-Object Domain,Name,Disabled

For a list of groups on a local machine, try the following command:

Get-WmiObject Win32_Group -filter “LocalAccount=True” | Select-Object Domain,Name

Now, could we have used WMIC to do much of the same work, of course! But for the sake of this series we are going to use PowerShell instead. Once everyone gets a taste for the simple scripts, then we’ll move on to slightly more difficult ones next. So let’s stay in the same language to be consistent.

For a complete copy of each of the scripts in this series (plus bonus scripts as they arrive), check out our full directory listing at http://www.enclavesecurity.com/scripts/.

Enjoy! We look forward to providing you more fully featured scripts as the year progresses. If you do have any requests, don’t be shy, and feel free to make requests too.