Overview
This article describes how GFI EventsManager determines whether a given event refers to an administrator.
Information
When you scan a machine for the first time, EventsManager will:
- Evaluate all local users.
- Evaluate all local groups.
- Evaluate all users on the DC responsible for this machine.
- Evaluate all groups on the DC responsible for this machine.
- Query the SID (Security Identifier) of every user and group found above and cross-reference it with a list of well-known SIDs to determine whether that user or group is an administrator.
- Save the result of each query in a cache file.
When EventsManager then receives an event from that machine, it will:
- Read the user name of the event.
- Determine which local and domain groups the user is a member of, including indirect membership through nested groups.
- Check in the cache file whether the user itself, or any group the user is a member of, was found to be an administrator.
- If so, the user is marked as an administrator for the machine from which the event was received.
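The two procedures above (the first-scan cache build and the per-event check) modelled end to end, as an added example that is not GFI's code and does not use the EventsManager cache-file format. It works on a constructed, hypothetical directory for a workstation WS01 joined to domain CORP (the SIDs, account names, group nesting and sample events are all made up for the example); the well-known administrator SIDs it matches are the real ones (BUILTIN\Administrators S-1-5-32-544, and the relative identifiers 500, 512 and 519 under a machine or domain SID).

```python
import re
from dataclasses import dataclass

# Well-known SIDs that denote administrator principals (see Microsoft's
# "Well-known security identifiers in Windows operating systems").
WELL_KNOWN_ADMIN_SIDS = {"S-1-5-32-544"}  # BUILTIN\Administrators
# Relative IDs that are administrators under any S-1-5-21-<x>-<y>-<z> prefix.
WELL_KNOWN_ADMIN_RIDS = {500: "Administrator", 512: "Domain Admins", 519: "Enterprise Admins"}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def is_admin_sid(sid: str) -> bool:
    """Cross-reference one SID with the well-known administrator SIDs/RIDs."""
    if sid in WELL_KNOWN_ADMIN_SIDS:
        return True
    m = DOMAIN_SID_RE.match(sid)
    return bool(m) and int(m.group(1)) in WELL_KNOWN_ADMIN_RIDS


@dataclass(frozen=True)
class Principal:
    name: str                          # "MACHINE\\name" or "DOMAIN\\name"
    sid: str
    members: frozenset = frozenset()   # direct member names, if this is a group


# Constructed directory (hypothetical SIDs, users and groups, not real data):
# local users/groups of WS01 plus the users/groups of its domain CORP.
DIRECTORY = {p.name: p for p in [
    Principal("WS01\\Administrator", "S-1-5-21-1111-2222-3333-500"),
    Principal("WS01\\svc_backup", "S-1-5-21-1111-2222-3333-1005"),
    Principal("WS01\\helpdesk", "S-1-5-21-1111-2222-3333-1010", frozenset({"CORP\\Tier1"})),
    Principal("WS01\\Administrators", "S-1-5-32-544",
              frozenset({"WS01\\Administrator", "CORP\\Domain Admins", "WS01\\helpdesk"})),
    Principal("WS01\\Users", "S-1-5-32-545", frozenset({"CORP\\Domain Users"})),
    Principal("CORP\\Domain Admins", "S-1-5-21-4444-5555-6666-512", frozenset({"CORP\\alice"})),
    Principal("CORP\\Domain Users", "S-1-5-21-4444-5555-6666-513",
              frozenset({"CORP\\alice", "CORP\\bob", "CORP\\carol"})),
    Principal("CORP\\Tier1", "S-1-5-21-4444-5555-6666-2001", frozenset({"CORP\\carol"})),
    Principal("CORP\\alice", "S-1-5-21-4444-5555-6666-1101"),
    Principal("CORP\\bob", "S-1-5-21-4444-5555-6666-1102"),
    Principal("CORP\\carol", "S-1-5-21-4444-5555-6666-1103"),
]}


def build_admin_cache(directory: dict) -> dict:
    """First scan: resolve every principal's SID and record whether it is an admin.
    This stands in for the cache file; name -> True/False."""
    return {name: is_admin_sid(p.sid) for name, p in directory.items()}


def groups_of(directory: dict, principal: str) -> set:
    """All groups the principal belongs to, directly or through nested groups."""
    parents = {}
    for group in directory.values():
        for member in group.members:
            parents.setdefault(member, set()).add(group.name)
    seen, todo = set(), [principal]
    while todo:                        # breadth-first walk up the membership graph
        for g in parents.get(todo.pop(), ()):
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return seen


def event_user_name(event: dict) -> str:
    """Read the user name from an event (hypothetical field names, modelled
    on the Subject* fields of Windows security events)."""
    return f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"


def is_event_user_admin(user: str, directory: dict, cache: dict) -> bool:
    """Per-event check: the user itself, or any group it is in, is a cached admin.
    A user absent from the cache has no groups and is treated as non-admin."""
    if cache.get(user, False):
        return True
    return any(cache.get(g, False) for g in groups_of(directory, user))


# Constructed sample events from WS01 (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "carol"},
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "bob"},
    {"EventID": 4672, "SubjectDomainName": "WS01", "SubjectUserName": "Administrator"},
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "mallory"},
]

if __name__ == "__main__":
    cache = build_admin_cache(DIRECTORY)
    for ev in SAMPLE_EVENTS:
        user = event_user_name(ev)
        print(f"{ev['EventID']} {user:<22} admin={is_event_user_admin(user, DIRECTORY, cache)}")
```

Two points the model makes visible. CORP\carol is flagged as an administrator although she is in no administrator group directly: the membership walk follows CORP\Tier1 into the local helpdesk group and from there into BUILTIN\Administrators, which is the nested case the article calls out. The classification is keyed on SIDs rather than names, so a renamed local Administrator account (RID 500) is still recognised, and a user who is neither in the cache nor in any cached group (CORP\mallory here) is not treated as an administrator.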
NOTES:
- For more information about well-known SIDs, please read the Microsoft article Well-known security identifiers in Windows operating systems.
- For events captured from Domain Controllers, only well-known administrator groups are cross-referenced, since there are no local users or groups on a Domain Controller.