Audit Your Windows Endpoints for Local Administrator Accounts

  • 12 April 2021
  • Automox Employee

This simple worklet audits your Windows endpoints and reports every member of the local Administrators group to the Automox activity log.

It only reports on endpoints running at least Windows 10 v1607 or Server 2016, or that otherwise have PowerShell v5.1 or later installed, because it relies on the Get-LocalGroupMember cmdlet introduced with PowerShell 5.1.


Evaluation:

# Get-LocalGroupMember needs PowerShell 5.1 (Windows 10 v1607 / Server 2016 or later).
# On older hosts exit 0 (compliant) so the remediation is not attempted there.
if ($PSVersionTable.PSVersion -lt [version]'5.1') { Exit 0 }

$scriptBlock = {
    # Return 1 (non-compliant, which triggers the remediation) if the local
    # Administrators group has any members, otherwise 0.
    $adminNames = Get-LocalGroupMember -Group Administrators
    if ($adminNames) { Return 1 } else { Return 0 }
}

# Launch the 64-bit PowerShell through the sysnative alias: the agent runs as a
# 32-bit process and the LocalAccounts module is not loaded in 32-bit PowerShell.
$exitCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock
Exit $exitCode

Remediation:

$scriptBlock = {
    # Return the account name of every member of the local Administrators group.
    $adminNames = (Get-LocalGroupMember -Group Administrators).Name
    Return $adminNames
}

# Same 64-bit launch as the evaluation; the captured output is the list of names.
$adminNames = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock
# Anything written to output is recorded in the Automox activity log for the device.
Write-Output $adminNames

2 replies

Thank you for this worklet. It works great with computers that are on the domain or have a connection to the domain (i.e. via VPN), or where every account in the group still exists (has not been deleted from AD).

If an account has been deleted, or if only the SID is showing because the machine has not recently connected to the network (domain), then the command doesn't work. Any ideas how to overcome this?

Very useful worklet.

We have it working and managed to interrogate a number of our devices.

However, I would like to run this applet once a month, put all the data returned into a single document, say a CSV file, and then email it to me.

I can't see how to achieve that. Can anyone help?
Cheers
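The first reply's problem (members whose SID no longer resolves) and the second reply's request (CSV rows that can be collated) can both be handled inside the remediation script. The following is an added example and is not part of the original worklet or of either reply. It enumerates the Administrators group through the WinNT ADSI provider instead of Get-LocalGroupMember, so members whose SID cannot be resolved are still returned (flagged Resolved = False and reported by SID rather than name), and it writes one CSV row per member. The function name Get-LocalAdminMember and the column names are my own choices, not Automox's.

```powershell
# Added example, not part of the original worklet. Enumerates the local
# Administrators group through the WinNT ADSI provider, which still returns
# members whose SID can no longer be resolved (deleted domain accounts, or a
# domain-joined machine that cannot reach a DC), and emits one CSV row per member.

function Get-LocalAdminMember {
    [CmdletBinding()]
    param()

    $group = [ADSI]"WinNT://./Administrators,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read their IADs properties via InvokeMember.
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $class    = $member.GetType().InvokeMember('Class',     'GetProperty', $null, $member, $null)
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        # Translating an orphaned or currently unresolvable SID throws; keep the raw SID then.
        try {
            $name     = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $resolved = $true
        } catch {
            $name     = $sid.Value
            $resolved = $false
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Member       = $name
            Type         = $class            # 'User' or 'Group' (nested group membership)
            Sid          = $sid.Value
            Resolved     = $resolved
            AuditedAt    = (Get-Date).ToString('s')
        }
    }
}

# Emit CSV text so the activity-log output of every endpoint can be concatenated
# into one file; -NoTypeInformation drops the leading #TYPE line.
Get-LocalAdminMember | ConvertTo-Csv -NoTypeInformation | Write-Output
```

To use it in the worklet, put this in place of the remediation's $scriptBlock body (or run it directly, since ADSI does not depend on the LocalAccounts module). The worklet itself cannot collate rows from many endpoints or send mail; the CSV form only makes whatever collects the activity-log output easy to join into a single file. Members with Resolved = False are the ones worth reviewing first, since a group entry for an account that no longer exists is stale and should be removed rather than left to be reused if the SID is ever recreated.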
