Monitor Administrator Security Group In LabTech with ADMON

Who’s in and out of your Security Group?

ADMON is a LabTech plugin used to monitor and restore changes made to your local administrators group. Many viral attacks end up trying to add or change the users in the local administrators group of an infected PC. Sometimes these subtle changes go unnoticed and end up causing very expensive repairs and loss of data. ADMON will alert you to the changes and create tickets. If set to auto restore, it will add time to the ticket and restore the admin group to the way it was before closing the ticket out. If your clients need to audit who has what privileges across the PCs in the network, you can use the simple export tool provided in the plugin to get a detailed list of computers and the users with admin rights into Excel.

 

Have a peek at what we are doing!

We provide a master on / off switch for easy control over the plugin and a control to set and manage the scanning interval for greater flexibility.


Each client has an “Admin Group” tab at the Client console level that displays key information on each PC scanned for that client. A master enable switch lets you enable each client you want to provide the service for. You can monitor additions and removals individually, which will create alerts only, or, if you also select the ticketing box, the plugin will create tickets for you as well. You can set the system to auto restore any changes as part of the monitoring (2-way monitoring needs to be set). If you opt to auto restore and also select ticketing, the system will open a ticket, add 10 minutes, auto restore the group and close the ticket, completing the required repairs. Select any machine and right-click to reveal a menu to manage alarms and to manage the Administrators group. Use the export to Excel tool to get the data out of LabTech and into 3rd party applications like Excel.


The View Alarms popup reveals who has fired off alarms and what was delivered (alert or ticket). Once a system has alarmed or has been ticketed, no new alarms are sent until it is cleared. To clear an alarm, double-click the selected item.


Selecting a computer from the main screen and right-clicking for the menu to manage the administrators group will lead you here. This tool allows you to add users to or remove users from the administrators group directly from LabTech. See the commands execute in near real time inside the console window provided.


Current Version 1.0.0.76

Download the DLL to install via LabTech Plugin Manager


[Solved] – MS EXCHANGE 550 5.7.1 Client does not have permissions to send as this sender

 5.7.1 Client does not have permissions to send as this sender

This is what your Microsoft Exchange 2007 and/or 2010 server may report when you try to send email through the Exchange server when permissions have been fouled up. The first thing to check is “Manage Send As Permissions” under the user mailbox properties in the Exchange Management Console. Open the Exchange Management Console and select the user that is having the issue. Right-click and go to the Send As permissions option. Now check that the user NT AUTHORITY\SELF is listed.

Figure: Edit Send As Permissions (Exchange 2007)


If it is not listed here then you need to add it. This allows the authenticated user to send as their “Self”. Now retest your connection and try to send a piece of mail.

 

 

Good Luck,

Cubert 😎

How-to : Pass a username and password to Windows shutdown.exe command.

Here is the scenario I found myself in not too long ago. I have an Active Directory domain with a server outside of the domain in its own workgroup. It used different credentials for the administrator account than what the domain uses. One day it stopped responding to RDP and several control programs we have on it, so we needed to do a reboot.

No problem, right? Just type in the command below:

shutdown /r /t 3 /m \\ServerName

 

Not so right. Right off the bat we get ServerName: Access is denied.(5)

That’s right, we do not have permissions “yet”. But how do we pass credentials to shutdown.exe? If you run shutdown /? you will find no switches for username and password, but there is a way around this.

We will connect to the server’s IPC$ share and authenticate, then we will run our command. Here is what you do:

First, let’s make a connection and authenticate by running the following command:

NET USE \\ServerName\IPC$ mypassword /USER:myuser

 

If successful then we are now ready to run the shutdown cmd in the same window:

shutdown /r /t 3 /m \\ServerName

Wait a few seconds and you should get back your prompt, which tells you the command was sent successfully. You have now authenticated and sent the shutdown command to a remote server using different credentials.
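
The two steps above combined into one script, added here as an example and not part of the original post. It has NET USE prompt for the password (the * argument) instead of taking it on the command line, where it would remain in the console's command history, and it removes the IPC$ session once the shutdown request has been sent. The script name and its two arguments are assumptions.

```batch
@echo off
rem Added example, not from the original post.
rem Hypothetical usage: remote-reboot.cmd ServerName UserName
setlocal

if "%~2"=="" (
    echo Usage: %~nx0 ServerName UserName
    exit /b 2
)
set "TARGET=\\%~1"

rem Step 1: authenticate to the server's IPC$ share.
rem The * makes NET USE prompt for the password without echoing it,
rem so the password never appears in the typed command.
net use "%TARGET%\IPC$" * /USER:%~2
if errorlevel 1 (
    echo Authentication to %TARGET% failed, nothing was sent.
    exit /b 1
)

rem Step 2: send the reboot request over the authenticated session.
shutdown /r /t 3 /m %TARGET%
set "RC=%ERRORLEVEL%"

rem Step 3: drop the session so the alternate credentials do not stay
rem attached to this logon for later commands against the same server.
net use "%TARGET%\IPC$" /delete /y >nul

endlocal & exit /b %RC%
```

Use the same server name in both commands, as the script does: the authenticated session belongs to the name given to NET USE.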

I hope this helps someone out there

Enjoy

Cubert