Audit Your Windows Endpoints for Local Administrator Accounts

  • 12 April 2021
  • 4 replies
  • 320 views

Userlevel 5

This simple worklet will audit your Windows endpoints and report any local administrator accounts to the Automox activity log.


This will only report on endpoints running at least Windows 10 v1607, Server 2016, or having at least PowerShell v5.1 installed.


Evaluation:


# If Windows OS isn't at least Win10 v1607 or Server 2016 or PowerShell < v5.1, then exit 
if ($PSVersionTable.PSVersion -lt [version]'5.1') { Exit 0 }

$scriptBlock = {

$adminNames = Get-LocalGroupMember -Group Administrators
If ($adminNames) { Return 1 } else { Return 0 }

}

$exitCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
Exit $exitCode

Remediation:


$scriptBlock = {

$adminNames = (Get-LocalGroupMember -Group Administrators).Name
Return $adminNames

}

$exitCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
Write-Output $exitCode

4 replies

Thank you for this worklet. It works great with computers that are on the domain or have connection to the domain (i.e. via VPN), or where any account in the group still exists (not been deleted from AD).


If the account has been deleted, or if only the SID is showing because of not been recently connected to the network (domain), then the command doesn’t work. Any ideas how to overcome this?

Badge

Very useful worklet

we have it working, managed to interrogate a number of our devices

however I would like to run this applet once a month, put all the data returned in to a single document, say a CSV file and then email it to me

I can’t see how to achieve that, can anyone help?
cheers

I have been attempting to get this working. I am targeting my own machine for testing. However it returns a black log summary. 
Verified I copied directly from above.
Checked the powershell version is 5.1, and if I run the below locally, I get results.
Get-LocalGroupMember -Group Administrators

Any ideas?

Thanks
 

Userlevel 4
Badge

Hi SCrawford,

We have a revamped version of this in the Worklet Catalog which would function out of the box. Give it a try and let me know if it works for you!
 

 

Reply