Local computer account and associated Registry Key

Sam

I need to know if there is a way to know if a user changes
a password to a local account on their PC. Unfortunately
users have local admin rights, which allows them to change
the password of a local admin account called "helpdesk".
I have a piece of software that can inventory the registry
and check if a reg key or value has changed. Is it
possible to scan the registry to find out if a user has at
some point changed the password?

I tried tracking this through regmon, but it's confusing
as heck. I don't see a specific reg key that changes when
I adjust the password to the "helpdesk" account.

Thanks
Sam
 
Sam wrote in
I need to know if there is a way to know if a user changes
a password to a local account on their PC. Unfortunately
users have local admin rights, which allows them to change
the password of a local admin account called "helpdesk".
I have a piece of software that can inventory the registry
and check if a reg key or value has changed. Is it
possible to scan the registry to find out if a user has at
some point changed the password?

I tried tracking this through regmon, but it's confusing
as heck. I don't see a specific reg key that changes when
I adjust the password to the "helpdesk" account.

With the users as Local Administrators...
You could enable Auditing (but they could clear the log).
If you can make a remote login to a local shell you could issue a
    net user helpdesk
and get back (part)
    Password last set 2003-09-27 14:11
or similar.

You could stipulate "bad things will happen to you" if they change
that account. ;-) (and get HR to back you)

I'm sure there are other ways. AFAIK you cannot monitor the registry
for the change directly because it is stored encrypted and secured in
the SAM.
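
One way to automate the "Password last set" check from the reply above, as an added example that is not part of the original thread: it records the timestamp for the "helpdesk" account as a baseline and reports machines where it later differs. It assumes PowerShell 5.1 or later (for `Get-LocalUser`) and PowerShell remoting for the remote case; the computer names and baseline path are hypothetical.

```powershell
# Added example, not from the thread. Computer names and file paths are hypothetical.
function Get-HelpdeskPasswordState {
    param(
        [string[]]$ComputerName,          # omit to query the local machine
        [string]$Account = 'helpdesk'
    )
    $query = {
        param($Account)
        $user = Get-LocalUser -Name $Account -ErrorAction Stop
        # PasswordLastSet is nullable; normalise to a UTC ISO 8601 string for stable comparison
        $stamp = if ($user.PasswordLastSet) {
            $user.PasswordLastSet.ToUniversalTime().ToString('o')
        } else { '' }
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Account         = $user.Name
            PasswordLastSet = $stamp
        }
    }
    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $query -ArgumentList $Account |
            Select-Object Computer, Account, PasswordLastSet
    } else {
        & $query $Account
    }
}

function Compare-HelpdeskPasswordState {
    param(
        [Parameter(Mandatory)] [object[]]$Current,
        [Parameter(Mandatory)] [string]$BaselinePath
    )
    $baseline = @{}
    Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.Computer] = $_.PasswordLastSet }
    foreach ($row in $Current) {
        if (-not $baseline.ContainsKey($row.Computer)) { $status = 'NoBaseline' }
        elseif ($baseline[$row.Computer] -ne $row.PasswordLastSet) { $status = 'Changed' }
        else { $status = 'Unchanged' }
        [pscustomobject]@{
            Computer = $row.Computer; Account = $row.Account
            Baseline = $baseline[$row.Computer]; Current = $row.PasswordLastSet; Status = $status
        }
    }
}

# Known-good state:  Get-HelpdeskPasswordState -ComputerName PC01,PC02 |
#                        Export-Csv C:\Audit\helpdesk-baseline.csv -NoTypeInformation
# Later runs:        Compare-HelpdeskPasswordState -BaselinePath C:\Audit\helpdesk-baseline.csv `
#                        -Current (Get-HelpdeskPasswordState -ComputerName PC01,PC02)
```

Keep the baseline file on the administrator's machine rather than on the audited PCs, since local administrators can alter anything stored locally.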
 