
Determining That an Event Refers to an Administrator

Overview

This article describes how GFI EventsManager determines if a given event refers to an administrator.

Information

When you scan a machine for the first time, EventsManager will:

  1. Evaluate all local users.
  2. Evaluate all local groups.
  3. Evaluate all users on the DC responsible for this machine.
  4. Evaluate all groups on that DC.
  5. Query the SID (Security Identifier) of every item found above and cross-reference it with a list of well-known SIDs, which tells us whether the user/group is an administrator (for example, S-1-5-32-544 is the built-in Administrators group, and a domain SID ending in RID 512 is Domain Admins).
  6. Save the result of each query in a cache file.

When EventsManager then receives an event from that machine, it will:

  1. Read the user name from the event.
  2. Determine which local and domain groups the user is a member of, including indirect membership through nested groups.
  3. Check the cache file to see whether the user itself, or any of the groups the user belongs to, was found to be an administrator.
  4. If so, the user is marked as an administrator for the machine from which the event was received.
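The two procedures above, the first-scan cache build and the per-event lookup, modelled in Python as an added example (this is not GFI's code; the principal names, SIDs and group memberships are constructed sample data, and the well-known SIDs/RIDs listed are the documented Microsoft values). The sample deliberately nests a domain group inside the local Administrators group so that the indirect-membership case in step 2 is exercised.

```python
"""Model of the administrator check: well-known SID lookup, cache, nested groups.

Added example, not GFI EventsManager code. All names and SIDs below are constructed.
"""
import re
from typing import Dict, List, Set

# Well-known SIDs that denote administrative rights (Microsoft, "Well-known
# security identifiers in Windows operating systems").
WELL_KNOWN_ADMIN_SIDS = {
    "S-1-5-32-544",  # BUILTIN\Administrators
}
# Domain-relative RIDs: the S-1-5-21-<domain> prefix varies per domain, the RID does not.
WELL_KNOWN_ADMIN_RIDS = {
    500,  # built-in Administrator account
    512,  # Domain Admins
    518,  # Schema Admins
    519,  # Enterprise Admins
}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def is_well_known_admin_sid(sid: str) -> bool:
    """Step 5 of the first scan: decide from the SID alone whether a principal is an admin."""
    if sid in WELL_KNOWN_ADMIN_SIDS:
        return True
    m = DOMAIN_SID_RE.match(sid)
    return bool(m) and int(m.group(1)) in WELL_KNOWN_ADMIN_RIDS


def build_admin_cache(principals: Dict[str, str]) -> Dict[str, bool]:
    """Steps 1-6 of the first scan: map every local/domain user and group name to an admin flag.

    `principals` maps "SCOPE\\name" -> SID.  On a Domain Controller only domain
    principals would be passed in, since a DC has no local users or groups.
    """
    return {name: is_well_known_admin_sid(sid) for name, sid in principals.items()}


def transitive_groups(user: str, members_of: Dict[str, List[str]]) -> Set[str]:
    """Event step 2: every group the user belongs to, directly or through nested groups."""
    parent_of: Dict[str, List[str]] = {}
    for group, members in members_of.items():
        for member in members:
            parent_of.setdefault(member, []).append(group)
    seen: Set[str] = set()
    stack = [user]
    while stack:
        node = stack.pop()
        for group in parent_of.get(node, []):
            if group not in seen:  # cycle guard: nested groups can form loops
                seen.add(group)
                stack.append(group)
    return seen


def event_user_is_admin(user: str, cache: Dict[str, bool],
                        members_of: Dict[str, List[str]]) -> bool:
    """Event steps 3-4: the user, or any group they belong to, was cached as administrator."""
    if cache.get(user, False):
        return True
    return any(cache.get(g, False) for g in transitive_groups(user, members_of))


# Constructed sample: workstation WS01 joined to domain CORP.
SAMPLE_PRINCIPALS = {
    "WS01\\Administrator":  "S-1-5-21-111-222-333-500",   # RID 500 -> admin
    "WS01\\jdoe":           "S-1-5-21-111-222-333-1001",
    "WS01\\Administrators": "S-1-5-32-544",               # well-known admin group
    "WS01\\Users":          "S-1-5-32-545",
    "CORP\\Domain Admins":  "S-1-5-21-444-555-666-512",   # RID 512 -> admin
    "CORP\\Helpdesk":       "S-1-5-21-444-555-666-1105",  # ordinary domain group
    "CORP\\alice":          "S-1-5-21-444-555-666-1201",
    "CORP\\bob":            "S-1-5-21-444-555-666-1202",
}
SAMPLE_MEMBERS_OF = {
    "WS01\\Administrators": ["WS01\\Administrator", "CORP\\Domain Admins", "CORP\\Helpdesk"],
    "WS01\\Users":          ["WS01\\jdoe", "CORP\\alice", "CORP\\bob"],
    "CORP\\Domain Admins":  ["CORP\\alice"],
    "CORP\\Helpdesk":       ["CORP\\bob"],  # bob is admin only via Helpdesk -> Administrators
}


def classify_sample_events() -> Dict[str, bool]:
    """Run the per-event check for four constructed event user names."""
    cache = build_admin_cache(SAMPLE_PRINCIPALS)
    return {u: event_user_is_admin(u, cache, SAMPLE_MEMBERS_OF)
            for u in ("WS01\\jdoe", "WS01\\Administrator", "CORP\\alice", "CORP\\bob")}


if __name__ == "__main__":
    for user, admin in classify_sample_events().items():
        print(f"{user:22} admin={admin}")
```

Note that `CORP\bob` is flagged although neither his account nor `CORP\Helpdesk` has a well-known SID: the group is nested inside the local Administrators group, which is exactly the indirect membership the event-processing step has to resolve.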

NOTES:
  • For more information about well-known SIDs, please read the Microsoft article "Well-known security identifiers in Windows operating systems".

  • For events captured from Domain Controllers, only the well-known administrator groups are referenced, since there are no local users or groups on a Domain Controller.
Posted by Priyanka Bhotika