Using SCOM to Audit Local Administrators

Have you ever wondered, or actually needed to know, which users are set as local administrators on a server or a group of servers? You are in luck if those servers are managed by SCOM. It can do that for you!

For that, we will need to put together a few pieces of OpsMgr magic.

First, we need a working script that does what you need, in this case capturing the local administrator information. In these days of easy content replication, I have found a neat script from Richard Mueller, written back in 2007, that seems to do the job. I have then added a few SCOM-related lines to make sure it returns the required information in a way SCOM can understand (a PropertyBag).

In order to capture the information, I have created a new class based on the Windows Computer class (you could say I have extended the Windows Computer class) and named it Fehse.AdminInventory.ExtendedComputer.

<ClassType ID="Fehse.AdminInventory.ExtendedComputer" Accessibility="Internal" Abstract="false" Base="Windows!Microsoft.Windows.Computer" Hosted="false" Singleton="false">
  <Property ID="Administrators" Type="string" Key="false" CaseSensitive="false" Length="4000" MinLength="0" />
</ClassType>

Notice I have made the field 4000 bytes long. Longer fields of the string type won’t be migrated into the DW. You can experiment with Richtext as well, if you are using the new SCOM schema.

In order to discover the class, I am using the script itself to gather the data and populate the Administrators property. Here are some key parts:

[image: key parts of the discovery script]

Note: this is a lab test, so I have set it to run every 2 minutes. Don't do that in production!
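As an added example (this is not the VBScript from the post or the script shipped in the MP), here is a PowerShell discovery script that does the same job for the Fehse.AdminInventory.ExtendedComputer class: it enumerates the local Administrators group, truncates the result to the 4000-character property length, and returns it to SCOM as discovery data. The parameter names, the script name and the event id used for the truncation warning are assumptions.

```powershell
# Added example, not the post's own script. SCOM passes SourceId, ManagedEntityId
# and the computer name as script parameters ($MPElement$, $Target/Id$ and the
# PrincipalName of the targeted Windows Computer). Parameter names are assumed.
param(
    [string]$SourceId,
    [string]$ManagedEntityId,
    [string]$ComputerName
)

$api = New-Object -ComObject "MOM.ScriptAPI"
$discoveryData = $api.CreateDiscoveryData(0, $SourceId, $ManagedEntityId)

# Enumerate members through the WinNT provider, the same approach the 2007 VBScript
# takes. The script runs on the agent, so "." is the local machine. On a domain
# controller this resolves to the domain's built-in Administrators group, which is
# why DCs also return data. Each ADsPath looks like WinNT://DOMAIN/name.
$group = [ADSI]"WinNT://./Administrators,group"
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})
$adminList = ($members | Sort-Object -Unique) -join ';'

# The class property is declared Length="4000" and longer strings would not reach
# the DW, so truncate and log a warning (severity 2) instead of silently losing data.
# Script name and event id (1001) are placeholders chosen for this example.
if ($adminList.Length -gt 4000) {
    $adminList = $adminList.Substring(0, 3997) + '...'
    $api.LogScriptEvent("AdminInventory.ps1", 1001, 2,
        "Administrators list truncated to 4000 characters on $ComputerName")
}

# The $MPElement[...]$ tokens are substituted by SCOM before the script runs, so
# they are safe inside double quotes here. The key property of the base class
# (PrincipalName) must be set so the instance maps onto the right Windows Computer.
$instance = $discoveryData.CreateClassInstance("$MPElement[Name='Fehse.AdminInventory.ExtendedComputer']$")
$instance.AddProperty("$MPElement[Name='Windows!Microsoft.Windows.Computer']/PrincipalName$", $ComputerName)
$instance.AddProperty("$MPElement[Name='Fehse.AdminInventory.ExtendedComputer']/Administrators$", $adminList)
$discoveryData.AddInstance($instance)

# Returning the object is how a PowerShell discovery hands its data back to SCOM.
$discoveryData
```

Keep the discovery interval long in production (hours, not minutes), since every run submits a full discovery data item for each targeted computer.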

Once the discovery runs, you should be able to see something like this:

[image: console view after the discovery has run]

Well, you can't actually see much in this picture, right? Remember to add the Local Administrators column by personalizing the view. I have noticed that the script returns data for DCs, although DCs have no local administrators. You can likely ignore it.

You can also report on that: the data is stored in a table in the DW database. I will come back here and add the proper instructions shortly (SCOM works in mysterious ways).

You can find the MP here.

Hope this helps!