Auditing usage of C$ admin and remote registry?
Old 23-10-2006, 22:04   #1
tvout
Inactive
 
Join Date: Aug 2006
Location: West Midlands
Services: VM L Broadband (10MB) XL TV V+ HD Box Off peak caller phone HTC Wildfire on T-Mobile UK Freeview
Posts: 600
Auditing usage of C$ admin and remote registry?

Hi all,
I really hope I might be able to get some help with this situation...
I work on a helpdesk where two companies were integrated, one where the helpdesk had local admin permissions, the other doesn't.
I'm working to gain local admin permissions on the side that doesn't have them, but as it's a 10,000 strong customer base senior management need me to come up with details of potential auditing methods available.
What would be extremely useful is access to the C$ admin shares of workstations and also remote registry possibly. I need to find a means of this being audited without having to purchase software to be rolled out to all 10,000 machines.
Ideally some kind of local app on the helpdesk machines that you have to use to access remote C$ shares or registries and logs activity (maybe all changes or just date and time when connection made by that individual).
If anyone has any ideas on how to do this I would be really really pleased.
The way it works in the company at present is that every workstation has the Administrators local group of which there are two members aside from the Administrator account. These are two global groups, one for technical/server support, the other for desktop support. The helpdesk does have a global group that contains all analysts or all analysts could be added to the desktop support group.
Alternatively helpdesk analysts could use an account which is in the Desktop Support global group, maybe one account used by all analysts that identifies them individually?
I'm really stuck on how to have access to workstation local drives and provide an audit trail...
It was easy to audit occasions when you'd remotely connect to a machine and log in with your account (creating a local profile etc.) with admin permissions to do things like install/repair software or increase virtual memory.
Anyone any thoughts on this at all?
Old 23-10-2006, 22:24   #2
Aragorn
Inactive
Join Date: Apr 2004
Location: Minas Tirith, Gondor
Age: 60
Posts: 3,458
Re: Auditing usage of C$ admin and remote registry?

My initial thoughts are with 10000 users, why aren't you using Active Directory? AD would allow you to enforce group policies on all the clients meaning you could add the global groups to local admin automatically. AD would allow a huge amount of other activities to be automated/audited. You probably wouldn't need to manually connect to the C$ drive to fix most problems, but you could enable auditing for the local admin group via AD.
My AD skills are very rusty and yes it would cost to implement but with 10000 XP users you would be well advised to go the AD route.
Old 23-10-2006, 22:38   #3
tvout
Re: Auditing usage of C$ admin and remote registry?

Funny you should mention that. The whole IT estate of the company is undergoing a refresh and is going to be going to Active Directory. One major change is that the C drive will be hidden from users.
This isn't all likely for about a year so I was looking into a means of doing this before it comes in...
Cheers
Old 24-10-2006, 20:58   #4
tvout
Re: Auditing usage of C$ admin and remote registry?

A quick follow up to this.
Whilst using computer management today (where I have local admin rights) I noticed how in the shares/sessions bit it identified perfectly my access via C$ to that machine... it seemed to provide in real time the kind of information I need... but there's no kind of logging facility.
I've been told at work for proper auditing you'd need to enable SNMP? on all machines in the network (we have a mix of NT4 and XP, mostly NT4 on the side I want admin rights on). This would potentially be a massive change...
I thought about a single machine which had an account that was in the local admins group of all machines (add that account to a global group which is already in the local admins group of all PCs). Somehow every person using that machine would have all activity monitored to all machines. We had a similar concept where two machines had XP on (all our machines are NT) to use remote desktop and remote assistance only with generic accounts.
The suggestion is that you can't audit the machine making the outgoing connections and all outbound activity, that auditing had to be on the remote machines being connected to?
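Added example (not part of any post in this thread): the live session list described in post #4 becomes an audit trail if it is snapshotted repeatedly and each change is written down. The Python below parses `net session`-style text and logs connects and disconnects; the snapshots, host names and user names are constructed, and the column layout is an assumption.

```python
import re

# Assumed row layout of `net session` output:
#   \\client   user   client type   opens   idle time
ROW = re.compile(r"^(\\\\\S+)\s+(\S+)\s+(.*?)\s+(\d+)\s+(\d{2}:\d{2}:\d{2})\s*$")

HEADER = "Computer               User name            Client Type       Opens Idle time"
FOOTER = "The command completed successfully."
# Constructed rows: hypothetical helpdesk PCs and analyst accounts.
ROW_A = r"\\HELPDESK01           analyst1             Windows 2002 2600     1 00:00:12"
ROW_B = r"\\HELPDESK02           analyst2             Windows 2002 2600     2 00:00:03"


def snapshot(*rows):
    """Build one constructed snapshot in the assumed output layout."""
    return "\n".join([HEADER, "", "-" * 79, *rows, FOOTER])


# Three constructed snapshots, as if taken one minute apart on the target workstation.
SNAPSHOTS = [
    ("2006-10-24 20:55:00", snapshot(ROW_A)),
    ("2006-10-24 20:56:00", snapshot(ROW_A, ROW_B)),
    ("2006-10-24 20:57:00", snapshot(ROW_B)),
]


def parse_sessions(text):
    """Return {(client, user): open_file_count}; header and footer lines are skipped."""
    sessions = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            client, user, _client_type, opens, _idle = m.groups()
            sessions[(client.lower(), user.lower())] = int(opens)
    return sessions


def audit_trail(snapshots):
    """Compare consecutive snapshots and emit one log line per session change."""
    prev, events = {}, []
    for when, text in snapshots:
        curr = parse_sessions(text)
        for client, user in sorted(curr.keys() - prev.keys()):
            events.append(f"{when} CONNECT client={client} user={user} opens={curr[(client, user)]}")
        for client, user in sorted(prev.keys() - curr.keys()):
            events.append(f"{when} DISCONNECT client={client} user={user}")
        prev = curr
    return events


if __name__ == "__main__":
    print("\n".join(audit_trail(SNAPSHOTS)))
```

The snapshots have to be taken on the workstation being accessed, and any session shorter than the polling interval is never seen, so this records less than event-log auditing on the target would.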
All times are GMT +1.