FindGrp resource kit utility

This week we discuss a handy little resource kit utility called FindGrp.exe. I came across this utility in the Windows 2000 Resource Kit recently when I had the need to find out what groups a particular service account belonged to.

Using this utility is extremely easy. Just type findgrp.exe in a command prompt window and you will be given a list of options available to you.

For example, we were recently auditing the service accounts that were in use on the servers within one of our primary NT 4.0 resource domains. From a security standpoint, we try to limit the number of service accounts in use, periodically change the passwords, and try not to use service accounts that are members of the Administrators or Domain Admins groups in our domains. This keeps us out of the situation where our environment has a loophole that employees or contractors who are no longer employed by us, or outsiders to the organization, could take advantage of to gain access to proprietary systems.

In order for us to accomplish this task, we first needed to identify the service accounts in use on all of our servers, and which service each was used by. We accomplished this using a handy little VBScript that I created, which I will discuss in a future article. After we found the service accounts that were in use, we wanted to find out what groups they were members of. I could have probably created a VBScript for this task, but I always look for a pre-built utility before I go and create my own. In this case, I found the FindGrp.exe utility and typed in the following command:

Findgrp.exe Domain Domain\ServiceAccountName

The results it gave looked like the following:

------------------- Begin Output -------------------
Findgrp: working......
User "domain\ServiceAccountName" belongs to the following local groups
on domain:
Administrators
Users

User "domain\ServiceAccountName" belongs to the following global groups
on domain:
Domain Users
Domain Admins
--------------------- End Output -------------------

Reviewing the results, I found out that the account I was looking for is a member of the Administrators and the Domain Admins groups. This does not conform to our policy, so we will need to investigate this one further.
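To apply the same policy check across many accounts, the FindGrp output can be parsed and each membership compared against the disallowed groups. The PowerShell below is an added example, not part of the original article or the resource kit; it assumes the output format shown above, and the function name ConvertFrom-FindGrpOutput and the account domain\svc_backup are made up for illustration.

```powershell
# Added example. Groups the article's policy keeps service accounts out of.
$DisallowedGroups = @('Administrators', 'Domain Admins')

function ConvertFrom-FindGrpOutput {
    # Hypothetical helper name: emits one object per group membership found.
    param([string[]]$Lines)

    $account = $scope = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line)                { continue }  # blank line
        if ($line -match '^-+ .+ -+$') { continue }  # Begin/End Output markers
        if ($line -match '^Findgrp:')  { continue }  # progress line
        if ($line -match '^User "(.+)" belongs to the following (local|global) groups') {
            $account, $scope = $Matches[1], $Matches[2]
            continue
        }
        if ($line -match '^on .+:$')   { continue }  # wrapped tail of the header
        if ($account) {
            [pscustomobject]@{
                Account    = $account
                Scope      = $scope
                Group      = $line
                Disallowed = $DisallowedGroups -contains $line
            }
        }
    }
}

# Constructed sample: the article's output plus one made-up compliant account.
$sample = @'
Findgrp: working......
User "domain\ServiceAccountName" belongs to the following local groups
on domain:
Administrators
Users
User "domain\ServiceAccountName" belongs to the following global groups
on domain:
Domain Users
Domain Admins
User "domain\svc_backup" belongs to the following global groups
on domain:
Domain Users
'@ -split '\r?\n'

ConvertFrom-FindGrpOutput -Lines $sample |
    Where-Object { $_.Disallowed } |
    Format-Table Account, Scope, Group -AutoSize
```

To use it on live data, capture the text FindGrp.exe prints for each service account and pass those lines to the function in place of the sample.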

As you can see, FindGrp.exe is an excellent utility for finding out what groups a particular account is a member of.
