Back Door Admin Discovery and Removal


You are working with a computer in your domain and you discover an unknown user account in the Documents and Settings or Users (Windows 7) folder of the computer. You search your Active Directory for that user and don't find them. You then check the computer's local users and groups and find that this is a backdoor administrator. Then you have to ask several questions (I added my answers below each question):

  1. How did this local user account come to be on this computer?
    • A boot disk was used to bypass the local security and create a backdoor administrator account.
  2. How did they compromise your security?
    • They were able to press F12 to reach the boot menu and boot from their own media.
  3. Who is the most likely to be responsible for compromising the security of the system?
    • This computer was a student computer, so this was most likely done by students.
  4. How far spread is this problem?
    • Upon checking several computers in this computer cart I discovered it was a school-wide problem.
  5. How can we fix this?
    • Remove the local admin users
    • Remove the ability to boot from a USB drive and the CD/DVD drive
  6. What is the next step?
    • Create a script to do it for me on every computer in the domain!


Students created backdoor admin accounts with Hiren's Boot CD: it lets them boot from the CD drive and add a backdoor admin account that can be used to bypass the security of the domain.


The Solution

BIOS Settings

In the BIOS you will need to ensure the following:

  • The BIOS is password protected
  • In the boot order, remove the
    • USB Drive
    • CD Drive
    • Diskette Drive

Discover how widespread the problem is

To discover how widespread this problem is I need to create a script that performs several functions. I first need it to go through a list of computers (within my Active Directory) and test whether each computer is on; if it is, I want it to get a list of all the local accounts with local Administrator access to the machine.

Script for discovering local admins in your domain

Run this script as a domain admin



This script reads a list of computers from a file located on a server. It takes the name on each line, processes it, then moves on to the next line. Once it has the computer name it checks that the computer is online. If it is online it writes to a file the list of accounts that are members of the local Administrators group. When the script is finished it prompts "completed".

Run against my entire directory it took about 45 minutes and returned about 275 computers that were on.

Delete the Local Admins

This code will delete the local admin accounts on each computer, based on the computer and user names in the list.

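The discovery and removal steps described above, written as an added PowerShell example; this is not the post's own VBScript (the original scripts are not reproduced here). It assumes a computers.txt with one hostname per line, an output CSV for the report, and an optional reviewed CSV with Computer,User columns naming the accounts to delete; all three file names are my own choices, and the script is run as a domain admin just as the post describes.

```powershell
# Assumed inputs (not from the original post): computers.txt has one hostname per line;
# rogue-admins.csv has columns Computer,User listing the reviewed accounts to remove.
param(
    [string]$ComputerList = ".\computers.txt",
    [string]$Report       = ".\local-admins.csv",
    [string]$RemoveList   = $null   # set to a CSV path to actually delete accounts
)

# Returns the members of the local Administrators group on one reachable host.
function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # Local accounts resolve to WinNT://<computer>/<name>; domain ones to WinNT://<domain>/<name>
        [pscustomobject]@{
            Computer = $Computer
            Member   = $name
            IsLocal  = $path -like "WinNT://$Computer/*"
        }
    }
}

# Step 1: walk the computer list, skip hosts that do not answer a ping, record the admins.
$results = foreach ($c in Get-Content $ComputerList | Where-Object { $_.Trim() }) {
    $c = $c.Trim()
    if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
        Write-Warning "$c is offline, skipped"
        continue
    }
    try { Get-LocalAdminMembers -Computer $c }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}
$results | Export-Csv -Path $Report -NoTypeInformation
# Local, non-built-in members are the ones to review by hand before anything is deleted.
$results | Where-Object { $_.IsLocal -and $_.Member -ne 'Administrator' } | Format-Table

# Step 2 (only when a reviewed list is supplied): delete the named local accounts.
if ($RemoveList) {
    foreach ($row in Import-Csv $RemoveList) {
        if ($row.User -eq 'Administrator') { continue }   # never touch the built-in account
        try {
            $container = [ADSI]"WinNT://$($row.Computer)"
            $container.Delete('user', $row.User)
            Write-Output "Removed $($row.User) from $($row.Computer)"
        } catch { Write-Warning "$($row.Computer)/$($row.User): $($_.Exception.Message)" }
    }
}
Write-Output 'Completed'
```

Run it once without -RemoveList to produce the report, check which local members do not belong, and only then run it again with the reviewed CSV.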

The End Results

  • I removed the ability to boot from any device other than the hard drive.
  • I was able to list all the local admin accounts to determine the usernames of the backdoor administrators.
  • I ran a script that deleted the local admin accounts on the machines.

In the end I was able to locate the local admins on each computer in my domain. I could then look for users that didn't belong in the local Administrators group, adding each user to the script. Then I took each computer that had a rogue admin account and added it to the script. Running the final script deletes the users from the computers, all from the comfort of your chair!

See the attached sample files for examples of the files used with this script.