When trying to track down a user or group, it can be very confusing as to what you are actually looking at. In a recent audit, there were numerous domains, customized groups (not named all that well), and of course group membership which was highly confusing. In order to track down each account we had to decrypt the naming convention, then determine if the account was a user or group. Finally, knowing all of this we could determine the overall scope of the access and therefore know who had access to which resource. Getting to this point was a bit confusing, as not everyone has been working with Windows for 20 years! This article will help you understand how to decrypt the user and group syntax that shows up in reports and GUIs throughout the enterprise.
Default Users and Groups
When Windows Server is installed, and again when Active Directory is created, a set of default users and groups is created with it. The accounts created on a server are local users and groups, stored in that server's SAM; the accounts created in Active Directory (on domain controllers, which keep no local accounts of their own once promoted) are domain accounts.
These accounts are key during an evaluation because they let you classify the access quickly, rather than having to track down whether the account is a user or a group. For example, if you see an entry on an access control list named Domain Admins, you can be fairly sure this is the default group whose members administer the entire domain. In the same way, if you find a user named Guest, you can be fairly confident it is the local or domain Guest user that is created by default.
Of course, you are never 100% certain that a default user or group name has not been changed (renaming the Administrator account is a common hardening step), which is why you also check the SID. Every default account has a well-known SID, or a well-known relative identifier (RID) appended to the domain's SID (Administrator is RID 500, Domain Admins is RID 512), which lets the OS, and you, track these special accounts even after a rename. Microsoft publishes a list of the well-known SIDs, including those for the Windows Server 2008 R2 Active Directory accounts.
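As an added example (not code from the original article), the following PowerShell performs the SID check described above: it resolves a name to its SID, resolves the SID back to the name the account carries right now, and compares the RID with the well-known default RIDs. BUILTIN\ names resolve on any Windows machine; the CORP domain in the usage lines is an assumption and needs a reachable domain.

```powershell
# Added example, not code from the original article. The RID tables are
# partial (the most common defaults); extend them from Microsoft's
# well-known SID list as needed.

# RIDs of the default accounts and groups. 500 and 501 also apply to the
# local SAM; 512 and up exist only in a domain.
$DefaultRids = @{
    500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'; 514 = 'Domain Guests'
    515 = 'Domain Computers'; 516 = 'Domain Controllers'
    518 = 'Schema Admins'; 519 = 'Enterprise Admins'
    520 = 'Group Policy Creator Owners'
}
# Built-in groups: S-1-5-32-<RID>, identical on every computer.
$BuiltinRids = @{
    544 = 'Administrators'; 545 = 'Users'; 546 = 'Guests'
    548 = 'Account Operators'; 549 = 'Server Operators'
    550 = 'Print Operators'; 551 = 'Backup Operators'
}

function Test-DefaultAccount {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'BUILTIN\Administrators', 'CORP\Administrator'

    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier])
    # Translating back shows the name the account carries now; a renamed
    # Administrator keeps RID 500 whatever it is called.
    $currentName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $rid = [int]($sid.Value -split '-')[-1]

    $defaultName = $null
    if ($sid.Value -like 'S-1-5-32-*') { $defaultName = $BuiltinRids[$rid] }
    elseif ($sid.IsAccountSid())       { $defaultName = $DefaultRids[$rid] }   # domain or local SAM account

    [pscustomobject]@{
        Account     = $Account
        CurrentName = $currentName
        SID         = $sid.Value
        RID         = $rid
        IsDefault   = [bool]$defaultName
        DefaultName = $defaultName     # $null for accounts an administrator created
    }
}

# Usage (the CORP domain is an assumption). When CurrentName differs from
# DefaultName, the default account has been renamed.
Test-DefaultAccount 'BUILTIN\Administrators'
Test-DefaultAccount 'CORP\Administrator'
```

A name that does not resolve (a stale entry, or a domain that cannot be reached) makes Translate throw an IdentityNotMappedException, which is itself useful: such entries should be recorded as unresolved rather than guessed at.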
Is That a Local Account or Domain Account?
The first step in our decryption of users and groups is to determine whether the account is a local account or a domain account. This matters because the two are stored in different databases (the local SAM on the server, or the Active Directory database on the domain controllers), so knowing which database, or which exported listing of it, to consult is the key to finding out whether the account is a user or a group.
Domain accounts are fairly easy to spot, as they have the domain name associated with them. Remember that each Active Directory domain has two names: a NetBIOS name and a DNS name. The DNS name is easy to spot because it looks like a name you would see on the Internet, for example derekmelber.com or auditingwindowsexpert.com.
Domains also have a NetBIOS name, which has a limit of 15 characters and typically does not include special characters. These names will include names like DEREKMELBER, CORP, ROOT, etc.
The NetBIOS and DNS name for the same domain don’t need to be in any way related! So, you will need to have a listing of each domain with both names so you can quickly reference the accounts you find on the access control lists.
Domain accounts typically show the NetBIOS name in front of the account name, with a “\” in between. So, with the domain names above, entries of the form DEREKMELBER\<account> or CORP\<account> would be domain accounts. (Some reports print the UPN form instead, <account>@derekmelber.com, which carries the DNS name rather than the NetBIOS name.)
You can see a few of these domain accounts in Figure 1.
Figure 1: Domain accounts have the domain name listed in the account name.
To obtain a listing of the domain names (both NetBIOS and DNS) for each domain, log on to one DC per domain with an account from that domain and run the “set” command, which prints the environment variables. The output would look like that in Figure 2.
Figure 2: The SET command shows both the NetBIOS and DNS name for the domain.
You can see in Figure 2 that USERDNSDOMAIN is the DNS name and USERDOMAIN is the NetBIOS name. Both variables describe the domain of the account you logged on with, not the computer, which is why you log on with an account from the domain you are listing.
So, when an entry lists a domain name before the account name, you know to check that domain's account list for the account.
There is one more prefix you will find on your lists: BUILTIN\, which appears only in front of the default groups (Administrators, Users, Backup Operators, and so on). These groups carry well-known SIDs of the form S-1-5-32-nnn that are identical on every computer, so BUILTIN\Administrators on an ACL means the built-in Administrators group of whichever computer holds the resource. On a member server that is a local group in the server's SAM; on a domain controller, which has no local SAM accounts, it is the domain's built-in group stored in the Builtin container of Active Directory. Figure 3 illustrates what this might look like in a report.
Figure 3: BUILTIN accounts are the default built-in groups; on a domain controller they are stored in Active Directory.
Local accounts will be all of the other accounts you find and will typically have distinct formats as well. The first type of format for a local account is one which has the server name followed by a “\”, then the account name. Figure 4 illustrates what this might look like.
Figure 4: Local accounts have the server name first, followed by the account name.
In this case, the server name is derekmelber7 and the account names are Administrators and Users. With the server name in this case being so close to the domain name above, it is key to obtain the list of domain names, so you know that anything that is not a domain name must be the server name.
Another format you might see is “.\” followed by the account name. The “.” is shorthand for “this computer”, so the entry is a local account in the SAM of the server where it appears (service logon settings and logon dialogs use this form). Figure 5 illustrates what this might look like.
Figure 5: Local accounts might also be referenced with a “.\” prefix, meaning the local computer.
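The whole first step, as an added PowerShell example that is not part of the original article: build the NetBIOS-to-DNS table for every domain in the forest (the ActiveDirectory module's Get-ADForest and Get-ADDomain replace running set on each DC), then classify each entry from a report by its prefix. The domain table, the server name derekmelber7 and the report entries at the bottom are constructed sample input, so the classifier runs without a domain.

```powershell
# Added example, not code from the original article.

function Get-DomainNameTable {
    # One entry per domain in the forest: NetBIOS name -> DNS name. The two
    # need not resemble each other, which is why the table is needed at all.
    Import-Module ActiveDirectory
    $table = @{}
    foreach ($dns in (Get-ADForest).Domains) {
        $d = Get-ADDomain -Identity $dns
        $table[$d.NetBIOSName.ToUpperInvariant()] = $d.DNSRoot
    }
    $table
}

function Resolve-AccountScope {
    param(
        [Parameter(Mandatory)][string]$Entry,       # as printed in the report, e.g. 'CORP\Admins'
        [Parameter(Mandatory)][hashtable]$Domains,  # NetBIOS -> DNS, from Get-DomainNameTable
        [Parameter(Mandatory)][string]$ServerName   # computer the ACL was read from
    )
    $srv = $ServerName.ToUpperInvariant()

    if ($Entry -match '^(?<auth>[^\\]+)\\(?<name>.+)$') {
        $auth = $Matches.auth.ToUpperInvariant(); $name = $Matches.name
        if ($Domains.ContainsKey($auth)) {
            $scope = 'Domain'; $lookIn = "Active Directory of $($Domains[$auth])"
        } elseif ($auth -eq 'BUILTIN') {
            # Same well-known SID (S-1-5-32-nnn) everywhere: the built-in group of
            # the computer holding the resource; in AD's Builtin container on a DC.
            $scope = 'Built-in group'; $lookIn = "Built-in groups of $srv"
        } elseif ($auth -eq 'NT AUTHORITY') {
            $scope = 'Well-known principal'; $lookIn = 'No database (SYSTEM, Authenticated Users, ...)'
        } elseif ($auth -eq '.' -or $auth -eq $srv) {
            $scope = 'Local'; $lookIn = "Local SAM of $srv"
        } else {
            # Not in the table: a domain not listed yet, a trusted forest, or a
            # stale entry. Do not guess; record it for follow-up.
            $scope = 'Unknown authority'; $lookIn = 'Unresolved'
        }
    } elseif ($Entry -match '^(?<name>[^@\\]+)@(?<dns>.+)$') {
        # UPN form carries the DNS name instead of the NetBIOS name.
        $auth = $Matches.dns; $name = $Matches.name
        if (@($Domains.Values) -contains $auth) { $scope = 'Domain'; $lookIn = "Active Directory of $auth" }
        else { $scope = 'Unknown domain'; $lookIn = 'Unresolved' }
    } else {
        $auth = $null; $name = $Entry
        $scope = 'Unqualified'; $lookIn = "Local SAM of $srv first, then each domain"
    }
    [pscustomobject]@{ Entry = $Entry; Scope = $scope; Authority = $auth; Name = $name; LookIn = $lookIn }
}

# Constructed sample input (not taken from the article's figures): a domain
# table as Get-DomainNameTable would build it, and ACL entries as a report from
# the server derekmelber7 might print them. In a real forest use:
#   $domains = Get-DomainNameTable
$domains = @{ 'DEREKMELBER' = 'derekmelber.com'; 'CORP' = 'auditingwindowsexpert.com' }
$entries = 'DEREKMELBER\ADMINS_ACCTS', 'BUILTIN\Administrators', 'derekmelber7\Users',
           '.\Administrator', 'NT AUTHORITY\SYSTEM', 'jdoe@derekmelber.com', 'OTHERFOREST\Auditors'
$entries | ForEach-Object { Resolve-AccountScope -Entry $_ -Domains $domains -ServerName 'derekmelber7' } |
    Format-Table Entry, Scope, Authority, Name, LookIn -AutoSize
```

The server name is compared against the entry's prefix only after the domain table has been checked, which is the order the article recommends: anything that is not a known domain name, BUILTIN or NT AUTHORITY must be the server itself, and anything else is flagged rather than silently treated as local.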
Is That a User or Group?
Now that we know whether the account is local or domain, we can go to the correct database or list and determine whether it is a user or a group.
Let's say you have an account named DEREKMELBER\ADMINS_ACCTS. From the SET output and our decryption of the name, we know this is a domain account in the DEREKMELBER domain. Search the group listing for that domain for ADMINS_ACCTS. If the name is not there, search the user listing for the domain. A name that appears on neither list is not a user or group in that domain at all (it may be a computer or other object, or the report may be showing a stale entry) and should be recorded as unresolved rather than assumed to be a user.
If the account is a group, enumerate its members and, for each member, repeat the same lookups against the group and user lists. Groups are often nested in other groups, many times two to four deep, and a member can come from a different domain than the group, so keep the domain name table at hand as you work through them. Keep track of the groups you have already expanded: a user who sits in several nested groups should be counted once, and two groups that contain each other would otherwise send you in a circle. Be patient and follow the pattern until you reach the users in every group.
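The user-or-group check and the nested enumeration, as an added PowerShell example that is not from the article (it needs the ActiveDirectory module and a reachable domain). One LDAP query on sAMAccountName returns the object class directly, and the recursive expansion keeps a set of visited objects so that circular nesting ends and a user reached by several paths is reported once; each member is looked up against the domain named in its own DN, so cross-domain nesting is followed. The entry DEREKMELBER\ADMINS_ACCTS is the article's own example.

```powershell
# Added example, not code from the original article.

function Get-PrincipalClass {
    # One LDAP query on sAMAccountName returns the object class directly,
    # replacing separate searches of the user list and the group list.
    param(
        [Parameter(Mandatory)][string]$Name,    # e.g. 'ADMINS_ACCTS'
        [Parameter(Mandatory)][string]$Domain   # NetBIOS or DNS name, e.g. 'DEREKMELBER'
    )
    Import-Module ActiveDirectory
    # Escape RFC 4515 filter metacharacters so a name copied from a report cannot alter the query.
    $safe = $Name.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $obj = Get-ADObject -Server $Domain -LDAPFilter "(sAMAccountName=$safe)" -Properties objectSid
    if (-not $obj) { return $null }   # neither user, group nor computer in this domain
    [pscustomobject]@{ Name = $Name; Domain = $Domain; Class = $obj.ObjectClass
                       DN = $obj.DistinguishedName; SID = $obj.objectSid.Value }
}

function Get-DomainFromDN {
    # 'CN=x,OU=y,DC=corp,DC=example,DC=com' -> 'corp.example.com'. A member of a
    # group can live in another domain and must be looked up against that domain.
    param([Parameter(Mandatory)][string]$DN)
    (($DN -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
}

function Expand-GroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    # $Seen stops circular nesting (A contains B contains A) and reports a
    # principal once even when several nesting paths lead to it.
    if (-not $Seen.Add($GroupDN)) { return }
    $group = Get-ADGroup -Server (Get-DomainFromDN $GroupDN) -Identity $GroupDN -Properties member
    foreach ($memberDN in $group.member) {
        $mDomain = Get-DomainFromDN $memberDN
        $m = Get-ADObject -Server $mDomain -Identity $memberDN -Properties sAMAccountName
        if ($m.ObjectClass -eq 'group') {
            [pscustomobject]@{ Depth = $Depth + 1; Class = 'group'; Name = $m.sAMAccountName; Domain = $mDomain; DN = $memberDN }
            Expand-GroupMembers -GroupDN $memberDN -Depth ($Depth + 1) -Seen $Seen
        } elseif ($Seen.Add($memberDN)) {
            # user, computer, or a foreignSecurityPrincipal (a member from a trusted
            # forest, whose CN is its SID and which must be resolved in that forest)
            [pscustomobject]@{ Depth = $Depth + 1; Class = $m.ObjectClass; Name = $m.sAMAccountName; Domain = $mDomain; DN = $memberDN }
        }
    }
}

# Usage for the article's entry DEREKMELBER\ADMINS_ACCTS (a reachable
# DEREKMELBER domain is assumed):
$p = Get-PrincipalClass -Name 'ADMINS_ACCTS' -Domain 'DEREKMELBER'
if ($null -eq $p)             { 'Not found in DEREKMELBER: check the local SAM, or record as unresolved' }
elseif ($p.Class -eq 'group') { Expand-GroupMembers -GroupDN $p.DN | Format-Table Depth, Class, Name, Domain, DN -AutoSize }
else                          { $p }
```

Get-ADGroupMember -Recursive would give a flat list, but it stops on foreign security principals and on very large groups and does not show the nesting depth; walking the member attribute yourself keeps the depth, which is what an audit report usually needs to show.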
Decrypting accounts on access control lists and other access lists can be time consuming. Using these tips you can quickly determine whether an account is local or domain, and then whether it is a user or a group. Without them, you can spend hours on searches when a quick glance would have pointed you in the right direction.