404 Tech Support

Auditing the local Administrators group with PowerShell

Good security means knowing the endpoints of your environment. One component of endpoint security is knowing who is a local administrator on which computers. One sign that the endpoint might be compromised is having someone added to the local Administrators group who should not be there. Whether you regularly add primary users as Administrators or not, auditing this area can give you confidence that your endpoints are secure in this regard.

This PowerShell script can be assigned as a startup script or folded into your standard endpoint inventory. It is really just a starting point, accomplishing the more painful part of getting the local group membership. From here, you could filter the members so that your standard Administrator accounts and groups like Domain Admins are excluded, making it easier to spot the needles with fewer haystacks. You could also format the output as a CSV so the review is easier to automate, or write the group membership directly to a database.

# LocalAdminsInventory.ps1
# Jason Hamilton
# 12/22/2015
# Queries computer for members of the local Administrators group and outputs
# to a file
###########################################

$Computer = $env:COMPUTERNAME
# Bind to the local machine through the WinNT ADSI provider
$ADSIComputer = [ADSI]("WinNT://$Computer,computer")
$group = $ADSIComputer.psbase.children.find('Administrators', 'Group')
# Each member is a COM object; pull its Name property via late-bound reflection
$members = $group.psbase.invoke("members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
}

# Only write to the log share if the server answers; -Quiet makes
# Test-Connection return $true/$false instead of ping objects
if (Test-Connection server.fqdn -Count 1 -Quiet) {
    # UNC path to the log share (adjust to your environment)
    Write-Output $members | Out-File "\\server.fqdn\Logs\LocalAdmins\$Computer.txt"
}
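The filtering and CSV output suggested above, as an added example that is not part of the original post: each member is tagged with where it comes from (local machine or domain), compared against an allowlist of expected admins, and the result is exported as CSV per computer. The share path, the allowlist entries and the "Workstation Admins" group are assumed placeholders.

```powershell
# Added example: inventory local Administrators, flag unexpected members,
# write one CSV per computer. Allowlist and share path are placeholders.

$Computer = $env:COMPUTERNAME

# Principals that are allowed to be local admins (assumed values; edit for your site)
$Expected = @(
    'Administrator',
    'Domain Admins',
    'Workstation Admins'   # hypothetical domain group used for desktop support
)

$ADSIComputer = [ADSI]("WinNT://$Computer,computer")
$group = $ADSIComputer.psbase.children.find('Administrators', 'Group')

$members = $group.psbase.invoke('members') | ForEach-Object {
    # IADs properties exposed by the WinNT provider, read via late binding
    $name  = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
    $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # ADsPath looks like WinNT://DOMAIN/Name or WinNT://COMPUTER/Name;
    # the element before the name tells you which authority it belongs to
    $source = ($path -split '/')[-2]
    [PSCustomObject]@{
        Computer  = $Computer
        Member    = $name
        Class     = $class                        # User or Group
        Source    = $source                       # local machine or domain
        Expected  = ($Expected -contains $name)   # case-insensitive match
        Collected = (Get-Date).ToString('s')
    }
}

# Only reach for the share when the server answers
$LogShare = '\\server.fqdn\Logs\LocalAdmins'     # placeholder UNC path
if (Test-Connection -ComputerName 'server.fqdn' -Count 1 -Quiet) {
    $members | Export-Csv -Path (Join-Path $LogShare "$Computer.csv") -NoTypeInformation
}

# The needles: anyone in the group who is not on the allowlist
$unexpected = $members | Where-Object { -not $_.Expected }
if ($unexpected) {
    $unexpected | Format-Table Computer, Member, Class, Source -AutoSize
}
```

Because the allowlist matches on Name only, a local account named the same as an expected domain account would pass; compare on Source plus Member if that distinction matters in your environment.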