Monitor Administrator Security Group In LabTech with ADMON

On January 26, 2016, in Projects, Scripting, by Cubert aka (Cube Dweller)

[ADMON logo] Who’s in and out of your Security Group?

ADMON is a LabTech plugin used to monitor and restore changes made to your local Administrators group. Many malware infections end up trying to add or change the users in the local Administrators group of an infected PC. Sometimes these subtle changes go unnoticed and end up causing very expensive repairs and loss of data. ADMON will alert you to the changes, create tickets and, if set to auto restore, will add time to the ticket and restore the admin group back to how it was before closing the ticket out. If your clients need to audit who has what privileges across the PCs in the network, you can use the simple export tool provided in the plugin to get a detailed list of computers and the users with admin rights into Excel.

Have a peek at what we are doing!

We provide a master on/off switch for easy control over the plugin and a control to set and manage the scanning interval for greater flexibility.

[Screenshot: master menu]

Each client has an “Admin Group” tab at the Client console level that displays key information on each PC scanned for that client. You have a master enable switch to enable each client you want to provide the service for. We provide the ability to monitor both additions and removals individually, which will create alerts only; if you also tick the ticketing box, the plugin will create tickets for you as well. You can set the system to auto restore any changes as part of the monitoring (two-way monitoring must be enabled). If you opt to auto restore and also select ticketing, the system will open a ticket, add 10 minutes, auto restore the group and close the ticket, completing the required repairs. Select any machine and right click to reveal a menu to manage alarms and to manage the Administrators group. Use the export to Excel tool to get the data out of LabTech and into 3rd party applications like Excel.

[Screenshot: client tab]
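As an added example of the two-way monitoring and auto-restore the tab describes (this is not ADMON's own code), the PowerShell below snapshots the local Administrators group, diffs it against a saved baseline, reports additions and removals, and optionally restores the group to the baseline. It assumes the LocalAccounts module (Windows PowerShell 5.1 / Windows 10 and later), an elevated session, and a baseline path and function names chosen for this example.

```powershell
# Added example, not part of the ADMON plugin. Assumed: LocalAccounts module,
# elevated session, and the baseline path below.

function Get-AdminMembers {
    # Normalise members to "DOMAIN\name" strings so the diff is stable across runs
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name } | Sort-Object -Unique
}

function Save-AdminBaseline {
    # Run once on a known-good machine to record the approved membership
    param([string]$BaselinePath = 'C:\ProgramData\AdminGroupBaseline.json')
    ConvertTo-Json -InputObject @(Get-AdminMembers) |
        Set-Content -Path $BaselinePath -Encoding UTF8
}

function Compare-AdminGroup {
    # Two-way monitoring: reports both additions and removals relative to baseline.
    # With -Restore, additions are removed and removed members are re-added.
    param(
        [string]$BaselinePath = 'C:\ProgramData\AdminGroupBaseline.json',
        [switch]$Restore
    )
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $current  = @(Get-AdminMembers)
    $added    = @($current  | Where-Object { $_ -notin $baseline })
    $removed  = @($baseline | Where-Object { $_ -notin $current })

    if ($Restore) {
        foreach ($m in $added)   { Remove-LocalGroupMember -Group 'Administrators' -Member $m }
        foreach ($m in $removed) { Add-LocalGroupMember    -Group 'Administrators' -Member $m }
    }

    # Return a record suitable for an alert or ticket body
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Added    = $added
        Removed  = $removed
        Restored = [bool]$Restore
        Changed  = ($added.Count + $removed.Count) -gt 0
    }
}

# Usage: Save-AdminBaseline once, then schedule Compare-AdminGroup (add -Restore
# for auto-restore) at the scan interval and alert when .Changed is $true.
```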

The View Alarms popup reveals which systems have fired off alarms and what was delivered (alert or ticket). Once a system has alarmed or has been ticketed, no new alarms are sent until it is cleared. To clear, double click the selected item.

[Screenshot: view alarms]

Selecting a computer from the main screen and right clicking for a menu to manage the Administrators group will lead you here. This tool allows you to add users to or remove users from the Administrators group directly from LabTech. See the commands execute in near real time inside the console window provided.

[Screenshot: add/remove user]

Current Version 1.0.0.76

Download the DLL to install via LabTech Plugin Manager


16 Responses to “Monitor Administrator Security Group In LabTech with ADMON”

  1. AJ Gyomber says:

    This plug-in looks very cool but I would like to suggest the following features.

    – Read a computer EDF that contains any additional authorized user accounts, such as “domain\jdoe,pcname\jsmith”.
    – Allow for users defined in the plug-in to be in all local admin groups, such as “corp\admin-tech”, “corp\admin-desktop” and “pcname\admin-local”, in addition to the typical domain defaults.
    – Allow for the generation of passwords for a defined local user account, i.e. “pcname\admin-local”, and store that password as a computer EDF.
    – Change the password at specified time intervals
    – Have a function that would make the currently logged in user a local admin for a specified time interval and schedule the removal at that time.

    We used to have a script that did this and it was very beneficial for a variety of use cases. The unique local admin account created would be used for malware removal; it would also allow us to give an end-user that may be locked out and traveling a login they could use until they return. It also allowed for the exception of a user needing local admin rights. Lastly, if we have a technical end user working with a vendor we can give them temporary local admin rights to their user account to assist and then automatically remove them.

    Thanks!
    AJ

  2. Donna says:

    Interesting plugin. I’m maintaining a network of 300 computers and I think I’m gonna need this. A security breach is one of my greatest fears.

  3. Vince says:

    Hello, I downloaded and set up the plugin, but the SAVE button never lights up and the settings are not retained. Please advise.

  4. cubert says:

    Vince, you will need to restart the DBagent before trying to use the plugin.

  5. Cliff says:

    What is the scan interval or how is that configured? I can’t seem to find an option for that…

  6. Ben says:

    Cliff, that will be under the View on the main Labtech area (between Main and Heads Up Display). That is the master switch to enable and set the scan times.

  7. Graham says:

    Great tool and a huge time saver. Thank you!

    Not getting alerts or tickets though. Any pointers?

  8. Dan says:

    This is great and very helpful! Thank you for putting this together. I’m very interested in a version of this plugin where I can specify the name of a group to monitor across my Domain Controllers in Labtech. Would you be able to help me with this solution? We would be willing to pay for such a thing if it works like we are looking for.

    If you’d like to contact me privately instead please do.

    Thanks for your time and help.

  9. Ethan says:

    Great tool, thanks!

  10. David Latham says:

    Hi, having some problems with getting this to alert. It is getting the info for admins and populating the table, but we are unable to get it to alert. Has anyone else seen this issue?

  11. Steve says:

    Does this plugin not work with Automate Version 12? I tried to add the plugin but am getting “Error Uploading Plugin”.

  12. Nathan says:

    Also having an issue with this since the Automate 12 update.

    It only seems to be working for half of our clients that it’s enabled for. It seems to go from client ID 1 – 60 and works perfectly, then for the remaining 20 clients with client IDs from 60 – 80 it just doesn’t work, despite everything being turned on.

  13. Ben says:

    Can ADMON be used to list existing members in the local Administrators group of all computers, not just changes (adds/removals)?

  14. Greg says:

    As others are noticing, we’re on Automate 12 and it’s populating changes in the list, but no tickets or alarms are created.

  15. […] Squidworks plugin can be found here […]

  16. Alan says:

    Have installed ADMON as part of the Habitat bundle.
    We are getting a lot of alerts that appear to be false alerts for lots of users and groups being added or removed from the local Administrators group.
    Have already turned it off and back on to ‘reset’ the inventory for multiple clients – still getting a lot of false alerts, 30 – 50 per day across all the clients.
    Love the idea of this alert, but it’s too much noise to be taking action on each alert, only to find it is not really an issue.
    Suggestions, please.
