Determining user's groups from Windows image

26 Posts
7 Users
0 Likes
3,804 Views
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

I received a question from a member of another list, and I'm trying to nail this down…

The question was, given an image of a Windows machine, how does one determine the groups that a particular user belongs to?

I started looking at the SID, but the documentation isn't definitive. I ran a quick test (accessed one of the user accounts on my system and added it to another group), but didn't find anything definitive.

Any thoughts on this would be appreciated.

Harlan

 
Posted : 26/01/2006 1:27 am
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

Just a thought…..

1) Decompress a copy of the image (leaving original intact of course) to a hard drive.
2) Logon as administrator after resetting the password via ERD or any other util.
3) From run line, type lusrmgr.msc. This management console will give you a list of users and their respective group memberships.
4) Document everything including screen shots.

How would you get this information in EnCase, FTK etc. by merely mounting the image? Or Registry viewer? Hmmmm…

 
Posted : 26/01/2006 2:02 am
(@fatrabbit)
Posts: 132
Estimable Member
 

Yeah, not sure on how to extract it from an image. That information is stored somewhere in the AD or SAM database, depending on the version.

If you could fire up the image there is code floating around the net that extracts group membership information from the AD using the userInfo.Properties("MemberOf") syntax.

arashiryu's suggestion is probably easier.

 
Posted : 26/01/2006 2:13 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Good suggestion, but what if that's not possible?

> How would you get this information in EnCase, FTK etc. by merely mounting the image? Or Registry viewer? Hmmmm…

That's the question…

Harlan

 
Posted : 26/01/2006 2:14 am
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

You may try this. I'd need to confirm it but I expect that you'll be able to do so for me.

HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership

On my XP box it would appear to contain the correct information.

 
Posted : 26/01/2006 3:21 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Interesting…I don't have the "Group Policy" key on my systems at all.

My systems are all standalone.

Harlan

 
Posted : 26/01/2006 3:31 am
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

Strange, so is mine. It's on my laptop as well.

I'm beginning to suspect it's due to local security policies being enabled…
The key also exists in HKLM.

The information is also within the SAM hive. I can dig around for it as it is stored in hex and requires translation.

This should help though:
http://www.beginningtoseethelight.org/ntsecurity/index.php

 
Posted : 26/01/2006 4:22 am
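The "stored in hex and requires translation" part above is the binary SID encoding. The following is an added example (not code from the thread or from any of the posters) that decodes a run of binary SIDs and inverts local-group membership into a per-user list; the group names and SID values are constructed sample data, and it assumes the member region of each local group's SAM entry has already been carved out as a plain concatenation of binary SIDs.

```python
import struct

# Constructed sample: member-SID regions of two local groups, as if carved
# from the SAM hive. Every SID is: revision (1 byte), sub-authority count
# (1 byte), 6-byte big-endian identifier authority, then little-endian
# 32-bit sub-authorities. All values here are invented for the example.
SAMPLE_ALIAS_MEMBERS = {
    "Administrators": bytes.fromhex(
        "0105000000000005" "15000000" "01000000" "02000000" "03000000" "f4010000"   # S-1-5-21-1-2-3-500
        "0105000000000005" "15000000" "01000000" "02000000" "03000000" "e8030000"   # S-1-5-21-1-2-3-1000
    ),
    "Users": bytes.fromhex(
        "0101000000000005" "04000000"                                               # S-1-5-4 (INTERACTIVE)
        "0101000000000005" "0b000000"                                               # S-1-5-11 (Authenticated Users)
        "0105000000000005" "15000000" "01000000" "02000000" "03000000" "e8030000"   # S-1-5-21-1-2-3-1000
    ),
}


def decode_sid(data, offset=0):
    """Decode one binary SID at `offset`; return (sid_string, bytes_consumed)."""
    if len(data) < offset + 8:
        raise ValueError("truncated SID header at offset %d" % offset)
    revision, sub_count = data[offset], data[offset + 1]
    if revision != 1:
        raise ValueError("unexpected SID revision %d" % revision)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    body_len = 8 + 4 * sub_count
    if len(data) < offset + body_len:
        raise ValueError("truncated sub-authorities at offset %d" % offset)
    subs = struct.unpack_from("<%dI" % sub_count, data, offset + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, body_len


def decode_sid_list(blob):
    """Translate a concatenation of binary SIDs into their string forms."""
    sids, off = [], 0
    while off < len(blob):
        sid, used = decode_sid(blob, off)
        sids.append(sid)
        off += used
    return sids


def groups_for_user(alias_members, user_sid):
    """Invert group -> members into the groups a given user SID belongs to."""
    return sorted(name for name, blob in alias_members.items()
                  if user_sid in decode_sid_list(blob))
```

Run against real data, the input would be the member blobs read from the SAM hive with an offline hive parser; the decoding itself does not change.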
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

I would have to pull Brian Carrier's book off the shelf… but is it possible this type of info could be contained in the security descriptor attribute of the file records in the MFT…?

Andrew-

 
Posted : 26/01/2006 5:41 am
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

My response was for a Windows workstation not joined to a Windows domain and for a local user account.

I don't believe you can use the admin pack for Server 2000/2003 and the group policy console on Windows XP Home Edition. To run the Active Directory console and the group policy console, the minimum requirement is a Windows XP Pro workstation joined to a Windows domain. You can download TweakUI and unlock a portion of the Windows registry to turn Home Edition into Pro Edition. It is cumbersome, though, from what I have experienced.

This is what I recommend.

1) Create a Server 2000/2003 VM. Designate it as a primary domain controller. Install the admin pack for Server 2000/2003 and the Group Policy Management Console.

The admin pack can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en

GPMC with SP1 can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

2) Create a user account using the Active Directory console. This account will be used to log on to the domain from a Windows XP Pro workstation. This user account is a member of the Domain Users group only by default so far.

3) Create some domain global (security) groups using the Active Directory console for testing later.

4) Create a Windows XP Pro VM. Join it to the domain. The workstation account will be created on/by the domain controller automatically. Reboot.

5) Log on using the domain user account created in step 1. After the logon process is completed, record the registry settings. Log off.

6) Jump back on the domain controller and make the user account a member of a domain global group created in step 1.

7) Jump back to the XP Pro workstation and log on. After logon is complete, record the registry changes.

8) Compare the registry changes from step 5 and step 7 and get a delta.

9) Mine this delta for information that changed after the user account is made a member of an additional or new global group. Hope something changed….

It's too bad that I purged my virtual machines at the end of the year. One of them would have been perfect for this scenario. We just implemented ESX Server and I have requested some slices (space on the ESX server) since I am migrating our test lab to ESX Server. Once that is complete, I plan to test this out. Don't know when I will get my slices. Hopefully soon.

 
Posted : 26/01/2006 8:41 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Andrew,

The access token/security descriptor is maintained in the file system. That tells you which groups can and cannot access the file/object. However, that doesn't tell you to which groups a particular user belongs.

Harlan

 
Posted : 26/01/2006 4:51 pm
Page 1 / 3