Export (0) Print
Expand All

Administrators check

Published: December 16, 2009

Applies To: Forefront Client Security

The Administrators SSA check identifies and lists the user accounts that belong to the local Administrators group. If more than two individual administrator accounts are detected, Client Security lists in related reports the account names as a potential vulnerability.

User accounts that belong to the local Administrators or Domain Admins groups have authority to do almost anything on the systems and networks that they have permission to access. If such an account is taken over maliciously, catastrophic harm could be done to the system or network.

The local administrator account and domain administrator accounts are excluded from this check.

Resolutions for potentially unacceptable scores

On each scanned computer assigned a Medium score, it is recommended that you review the list of members in the local Administrators and Domain Admins groups to ensure that all users with administrative authority are justified.

In general, it is recommended to keep the number of administrators to a minimum because administrators essentially have complete control over the computer.

Scoring and results

This check generates scores on two levels:

  • Overall

  • Per account

Overall scoring

The following table shows how Client Security determines the overall score resulting from assessing administrator accounts on the scanned computer.

 

Score Number of accounts with Medium score Number of accounts with Informational score Number of accounts with Low score Results message

Medium

At least 2

0 or more

0 or more

The following number of unnecessary Local Administrators were found on this computer: number.

Low

Less than 2

0 or more

0 or more

Unnecessary Local Administrators were not found on this computer.

Per account scoring

The following table shows how Client Security determines the score resulting from assessing a specific user account that is a member of the local Administrators group.

 

Score Account is a member of Domain Admins group Account is the built-in member of the local Administrators group Account is a member of the Group Policy Restricted group (not supported in Windows 2000) Exclude account from count More than one non-excluded account Results message

Medium

No

No

No

No

Yes

The following account is a member of the Local Administrators group: domain\username.

Low

No

No

No

No

No

The following account is a member of the Local Administrators group: domain\username.

Informational

No

Yes

No

Yes

Not applicable

The following account is the built-in member of the Local Administrators group: domain\username.

 

No

No

Yes

Yes

Not applicable

The following account is a member of the Local Administrators group and of a Group Policy Restricted Group: domain\username.

 

Yes

No

No

Yes

Not applicable

The following account is a member of the Local Administrators group: domain\username.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft