Least privilege access is a standard and basic security principle, but I found it very important to verify that there are no exceptions or weaknesses in the systems, i.e. no unwanted user who is a member of the local Administrators group.
This script retrieves a list of all users that are a member of the local administrator group.
```powershell
function Get-LocalAdmin {
    <#
    .Synopsis
        Get Local admin list
    .Description
        Get Local admin list
    .Example
        Get-LocalAdmin -Computername myworkstation.contoso.com

        This shows the members of the local Administrators group of the given computer; this will be the result:

        Retrieving Local Admin list for myworkstation.contoso.com
        MYWORKSTATION\Administrator
        CONTOSO\Domain Admins
    .Example
        get-adcomputer -searchbase 'OU=workstations,dc=contoso,dc=com' -filter * -property * | select name | Get-LocalAdmin

        Get Local admin list for all the workstations in AD.
    .Notes
        Author: Paolo Frigo - https://www.scriptinglibrary.com
    #>
    param (
        [Parameter(Mandatory = $true,
                   ValueFromPipeline = $true,
                   ValueFromPipelineByPropertyName = $true,
                   Position = 0)]
        [Alias('Name')]
        [string[]]$ComputerName
    )
    Process {
        Write-Warning "Retrieving Local Admin list for $ComputerName"
        try {
            If (!(Test-Connection -ComputerName $computerName -Count 1 -Quiet)) {
                Write-Output "$computerName is offline."
                #Continue # Move to next computer
            }
            else {
                # Win32_GroupUser associates each local group with its members
                $admins = Gwmi win32_groupuser -computer $ComputerName
                # Keep only the associations whose group is "Administrators"
                $admins = $admins | ? { $_.groupcomponent -like '*"Administrators"' }
                $admins | % {
                    # PartComponent ends with ...Domain="CONTOSO",Name="Domain Admins"
                    $_.partcomponent -match '.+Domain\=(.+)\,Name\=(.+)$' | Out-Null
                    $matches[1].trim('"') + "\" + $matches[2].trim('"')
                }
            }
        }
        catch {
            Write-Output "Can't gather information from $ComputerName"
            Write-Output $Error[0].Exception;
        }
        finally {
        }
    }
}

#Example with desktop, but you can use Laptops or VMs or Servers as OU
get-adcomputer -searchbase 'OU=workstations,dc=contoso,dc=com' -filter * -property * | select name | Get-LocalAdmin
```
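Listing the members is only half of the check; what you actually want to know is which members should not be there. The following is an added example, not part of the original post or the author's script: it queries the same Win32_GroupUser class through Get-CimInstance (the supported replacement for Get-WmiObject) and compares every member against an approved baseline, emitting one record per unexpected entry. The approved-member patterns (`CONTOSO\Workstation Admins` and the others) and the output CSV path are placeholders to replace with your own; it assumes CIM/WinRM is reachable on the targets.

```powershell
# Added example (not the original script): audit local Administrators membership
# against an expected baseline. Assumes CIM/WinRM access to the targets; the
# baseline patterns below are placeholders for your own approved accounts.

function Get-LocalAdminCim {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('Name')]
        [string]$ComputerName
    )
    process {
        try {
            # With CIM, GroupComponent/PartComponent are deserialized objects that
            # expose the key properties (Domain, Name), so no regex is needed.
            $assocs = Get-CimInstance -ClassName Win32_GroupUser -ComputerName $ComputerName -ErrorAction Stop |
                Where-Object { $_.GroupComponent.Name -eq 'Administrators' }
            foreach ($a in $assocs) {
                [pscustomobject]@{
                    ComputerName = $ComputerName
                    Member       = '{0}\{1}' -f $a.PartComponent.Domain, $a.PartComponent.Name
                }
            }
        }
        catch {
            # Unreachable or access-denied hosts are reported, not silently skipped:
            # a host you cannot audit is itself a finding.
            Write-Warning ("{0}: {1}" -f $ComputerName, $_.Exception.Message)
        }
    }
}

function Compare-LocalAdminBaseline {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$AdminEntry,
        # Placeholder allowlist (wildcards allowed). '*\Administrator' covers the
        # built-in local account whatever the host name is; note it also matches a
        # domain account named Administrator, so tighten it if that matters to you.
        [string[]]$Approved = @('*\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')
    )
    process {
        $allowed = $false
        foreach ($pattern in $Approved) {
            if ($AdminEntry.Member -like $pattern) { $allowed = $true; break }
        }
        if (-not $allowed) {
            [pscustomobject]@{
                ComputerName = $AdminEntry.ComputerName
                Unexpected   = $AdminEntry.Member
            }
        }
    }
}

# Usage: same AD-driven pipeline as the original post, but the output is only
# the deviations from the baseline, ready to file as findings.
Get-ADComputer -SearchBase 'OU=workstations,dc=contoso,dc=com' -Filter * |
    Select-Object Name |
    Get-LocalAdminCim |
    Compare-LocalAdminBaseline |
    Export-Csv -Path .\unexpected-local-admins.csv -NoTypeInformation
```

Running this on a schedule and diffing the CSV against the previous run turns a one-off check into a detection: a new row means someone was added to a local Administrators group since the last audit, which is exactly the event a least-privilege policy needs to catch.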
It is simple to use MMC and add the Local Users and Groups snap-in for a remote or local machine (or run lusrmgr.msc). But I think this script can be extremely useful to run this check against a large number of workstations.
Note: if you're using PowerShell 5.1 or a later version, you can use this cmdlet: Get-LocalGroupMember
```powershell
get-localgroupmember administrators

ObjectClass Name             PrincipalSource
----------- ----             ---------------
User        WS\Administrator Local
```
From the command prompt you can also use:
```text
net localgroup administrators

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
```