
Audit Your Windows Endpoints for Local Administrator Accounts


Tony-Automox

This simple worklet will audit your Windows endpoints and report any local administrator accounts to the Automox activity log.


This will only report on endpoints running at least Windows 10 v1607, Server 2016, or having at least PowerShell v5.1 installed.


Evaluation:


# Get-LocalGroupMember comes from the Microsoft.PowerShell.LocalAccounts module, which
# ships with Windows 10 v1607 / Server 2016 and later under PowerShell 5.1. On anything
# older, exit 0 (compliant) so the policy does nothing there.
if ($PSVersionTable.PSVersion -lt [version]'5.1') { Exit 0 }

$scriptBlock = {

    # Any member in the local Administrators group marks the endpoint non-compliant,
    # which is what triggers the remediation (reporting) step below. If the cmdlet
    # errors (for example on a member whose SID can no longer be resolved), $adminNames
    # stays empty and the endpoint is reported as compliant.
    $adminNames = Get-LocalGroupMember -Group Administrators

    If ($adminNames) { Return 1 } else { Return 0 }

}

# Launch the 64-bit PowerShell host explicitly: from a 32-bit process, sysnative maps to
# the 64-bit System32, and the LocalAccounts module is only available to 64-bit
# PowerShell on 64-bit Windows. The value the script block returns is captured from
# the child's stdout.
$exitCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock

Exit ([int]$exitCode)


Remediation:


$scriptBlock = {

    # Member names come back as HOSTNAME\name for local accounts and DOMAIN\name for
    # domain accounts and groups.
    $adminNames = (Get-LocalGroupMember -Group Administrators).Name

    Return $adminNames

}

# Same 64-bit launch as in the evaluation; the child's stdout (the member names) is
# captured here.
$adminNames = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock

# Whatever the remediation writes to output appears in the Automox activity log.
Write-Output $adminNames

  • Rookie
  • April 28, 2021

Thank you for this worklet. It works great with computers that are on the domain or have a connection to the domain (i.e. via VPN), or where any account in the group still exists (has not been deleted from AD).


If the account has been deleted, or if only the SID is showing because the machine has not recently been connected to the network (domain), then the command doesn't work. Any ideas how to overcome this?
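The failure described in the comment above is the known behaviour of Get-LocalGroupMember when a member's SID cannot be resolved. As an added example (not Tony-Automox's worklet or Automox code), the following enumerates the Administrators group through the WinNT ADSI provider instead, which returns unresolvable members as their SID string rather than throwing. It assumes PowerShell 5.1 on Windows 10 v1607 / Server 2016 or later, and `Get-LocalAdminMembers` is a name chosen here; wrap it in the same sysnative launch the worklet uses.

```powershell
# Added example, not part of the Automox worklet: enumerate local Administrators via
# the WinNT ADSI provider so that orphaned SIDs are reported instead of breaking the
# enumeration.
function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $group   = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $members = @($group.psbase.Invoke('Members'))

    foreach ($member in $members) {
        # Members are COM objects; their properties are read through late binding.
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # WinNT://DOMAIN/name and WinNT://HOST/name become DOMAIN\name and HOST\name.
        # An unresolvable member carries the SID itself in the path (WinNT://S-1-5-21-...).
        $account = ($adsPath -replace '^WinNT://', '') -replace '/', '\'

        $sid = $null
        try {
            $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
            $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        } catch {
            # No resolvable object behind the entry: fall back to the SID string in the path.
            if ($account -match '^S-1-\d+(-\d+)+$') { $sid = $account }
        }

        [pscustomobject]@{
            Computer = $ComputerName
            Account  = $account
            Class    = $class
            Sid      = $sid
            Orphaned = ($account -eq $sid)   # only true when the name never resolved
        }
    }
}

# Report one line per member to output so it lands in the activity log. Orphaned
# entries are called out because they are usually stale access; Remove-LocalGroupMember
# accepts the SID string as -Member if you decide to clean them up.
$found = @(Get-LocalAdminMembers)
foreach ($m in $found) {
    $note = if ($m.Orphaned) { '  <-- unresolvable SID, likely a deleted account' } else { '' }
    Write-Output ('{0}  {1,-5}  {2}{3}' -f $m.Computer, $m.Class, $m.Account, $note)
}

# Evaluation-style exit code: non-compliant only when something other than the
# built-in Administrator (RID 500) is present, or an orphaned entry exists. Drop the
# condition to mirror the original worklet, which reports every endpoint.
$review = @($found | Where-Object { $_.Orphaned -or ($_.Sid -notmatch '-500$') })
if ($review.Count -gt 0) { exit 1 } else { exit 0 }
```

The RID 500 match also lets the domain's own Administrator account through, since it shares that RID; tighten the pattern to the machine SID prefix if that is not wanted.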



Very useful worklet.

We have it working and have managed to interrogate a number of our devices.

However, I would like to run this applet once a month, put all the data returned into a single document, say a CSV file, and then email it to me.

I can't see how to achieve that; can anyone help?
Cheers


I have been attempting to get this working. I am targeting my own machine for testing. However, it returns a blank log summary.
I verified that I copied directly from above.
I checked that the PowerShell version is 5.1, and if I run the below locally, I get results.
Get-LocalGroupMember -Group Administrators

Any ideas?

Thanks
 



Hi SCrawford,

We have a revamped version of this in the Worklet Catalog which would function out of the box. Give it a try and let me know if it works for you!
 

 


  • Rookie
  • August 14, 2024

Hi,
When the worklet runs, is there a way to export the actual results to a csv file in a central location or create a custom report?


TJ_Coppola

The worklet I use removes users from the local admin group if they are not in a specifically defined list. It may be helpful to people here.

Evaluation:

<#
.SYNOPSIS
    This test script evaluates if any local administrators accounts are
    unauthorized.
.DESCRIPTION
    This test script gets the local administrators group, takes the names
    of each account, and puts it into an array. It then checks each name
    in the array against a list of authorized admin account names. 
.Notes
    File Name       :Remove_Unauth_Admins_Eval.ps1
    Author          :TJ Coppola
    Prerequisite    :PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts
                     module (Windows 10 v1607 / Server 2016 or later)
#>

$scriptblock = {

    ########CHANGE THIS#########
    #define authorized admins: local accounts by bare name, domain accounts as DOMAIN\name
    $allowed = @()
    ############################

    #Get local administrators
    $lcladmins = (Get-LocalGroupMember Administrators).Name

    #Check authorization
    #-replace takes a regex, so "\\" is one literal backslash: strips the "HOST\" prefix
    $hostname = $env:COMPUTERNAME + "\\"
    $count = 0
    foreach ($admin in $lcladmins){
        $admin = $admin -replace $hostname,""
        #-contains is case-insensitive, matching how Windows treats account names
        $eval = $allowed -contains $admin
        if($eval){
            write-host $admin "is allowed to be an administrator."
        }
        else{
            $count++
            write-host $admin "is not allowed to be an administrator."

        }
    }

    #Evaluate ('>' is output redirection in PowerShell, so the comparison must be -gt)
    if($count -gt 0){
      Write-Host "Unauthorized administrator accounts detected. Please remediate."
      exit 1
    }
    else{
      exit 0
    }
}

#Run as 64-bit Powershell
$64bit = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
$64bit
#Pass the child's exit code through so the evaluation result reaches the policy
Exit $LASTEXITCODE



Remediation:

<#
.SYNOPSIS
    This script evaluates if any local administrators accounts are
    unauthorized and removes them.
.DESCRIPTION
    This test script gets the local administrators group, takes the names
    of each account, and puts it into an array. It then checks each name
    in the array against a list of authorized admin account names. If an
    account is unauthorized it is removed from the local administrators
    group. 
.Notes
    File Name       :Remove_Unauth_Admins.ps1
    Author          :TJ Coppola
    Prerequisite    :PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts
                     module (Windows 10 v1607 / Server 2016 or later)
#>

$scriptblock = {

    ########CHANGE THIS#########
    #define authorized admins: local accounts by bare name, domain accounts as DOMAIN\name
    #Populate this before deploying: with the empty default every member is removed,
    #including the account you administer the machine with.
    $allowed = @()
    ############################

    #Get local administrators
    $lcladmins = (Get-LocalGroupMember Administrators).Name

    #Check for and remove unauthorized administrators
    #-replace takes a regex, so "\\" is one literal backslash: strips the "HOST\" prefix
    $hostname = $env:COMPUTERNAME + "\\"
    foreach ($admin in $lcladmins){
        $admin = $admin -replace $hostname,""
        #-contains is case-insensitive, matching how Windows treats account names
        $eval = $allowed -contains $admin
        if($eval){
            write-host $admin "is allowed to be an administrator."
        }
        else{
            Remove-LocalGroupMember -Group Administrators -Member $admin
            write-host $admin "removed from administrators group."

        }
    }
}

#Run as 64-bit Powershell
$64bit = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
$64bit
#Pass the child's exit code through to the policy
Exit $LASTEXITCODE
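The worklet above keys its allowlist on display names, which stop matching when an account is renamed, on localized builds, or when a member no longer resolves. As an added example (not TJ_Coppola's worklet), the following evaluation keys the allowlist on SIDs, matches well-known RIDs so one list works across machines and domains, and treats an enumeration failure as non-compliant instead of silently passing. The SID under `$AllowedSids` is hypothetical, and `Test-AdminAllowed` / `Get-UnauthorizedAdmins` are names chosen here; run it inside the same sysnative launch.

```powershell
# Added example, not TJ_Coppola's code: SID-based allowlist evaluation of the local
# Administrators group.

########CHANGE THIS#########
# Full SIDs of accounts or groups that may hold local admin (hypothetical value).
$AllowedSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105'   # hypothetical break-glass account
)
# Relative IDs matched on any S-1-5-21-* (machine or domain) prefix.
$AllowedRids = @(
    500,   # built-in Administrator (the local one, and also the domain's)
    512    # Domain Admins
)
############################

function Test-AdminAllowed {
    param([Parameter(Mandatory)][string]$SidString)
    if ($AllowedSids -contains $SidString) { return $true }
    # Only machine/domain SIDs carry a RID worth matching; S-1-5-32-* and the like do not.
    if ($SidString -notlike 'S-1-5-21-*') { return $false }
    $rid = [int]($SidString -split '-')[-1]
    return ($AllowedRids -contains $rid)
}

function Get-UnauthorizedAdmins {
    # -ErrorAction Stop: an unresolvable member makes Get-LocalGroupMember throw, and
    # that has to surface rather than yield an empty list that passes evaluation.
    Get-LocalGroupMember -Group Administrators -ErrorAction Stop |
        Where-Object { -not (Test-AdminAllowed -SidString $_.SID.Value) }
}

try {
    $unauthorized = @(Get-UnauthorizedAdmins)
} catch {
    Write-Output "Could not enumerate Administrators: $($_.Exception.Message)"
    exit 1   # an unreadable group counts as non-compliant so someone reviews it
}

foreach ($u in $unauthorized) {
    Write-Output ('Unauthorized: {0} [{1}, {2}] sid={3}' -f $u.Name, $u.ObjectClass, $u.PrincipalSource, $u.SID.Value)
}

# A remediation would hand the same objects to:
#   Remove-LocalGroupMember -Group Administrators -Member $unauthorized
# Note the operator: '>' is output redirection in PowerShell, so count checks use -gt.
if ($unauthorized.Count -gt 0) { exit 1 } else { exit 0 }
```

Because the remediation receives the principal objects rather than stripped names, it removes by SID and does not depend on the HOST\ prefix handling at all.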

 


TJ_Coppola
MoZZa wrote:

Hi,
When the worklet runs, is there a way to export the actual results to a csv file in a central location or create a custom report?

It looks like you may be looking for the export-csv command. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-csv?view=powershell-7.4

 

The Policy Results Report may be a useful tool for you here. You can find it under the reports tab visible on the Automox Dashboard.
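Export-Csv on its own does not solve the collection problem raised twice in this thread: many endpoints appending to one file on a share will collide. As an added example (not Automox's or TJ_Coppola's code), each endpoint below writes its own CSV to a central share and a collector merges the per-host files into the single document to mail out. `\\fileserver\auditshare` is a hypothetical path, the function names are chosen here, and it is assumed the worklet runs as LocalSystem, which reaches a share as the computer account on a domain-joined machine, so that account needs write access rather than a user credential embedded in the script.

```powershell
# Added example, not from the thread's worklets: per-host CSV export to a central
# share plus a collector-side merge.
$SharePath = '\\fileserver\auditshare\LocalAdmins'   # hypothetical UNC path

function Export-LocalAdminReport {
    param([Parameter(Mandatory)][string]$Destination)

    $collected = (Get-Date).ToString('o')
    try {
        $rows = @(Get-LocalGroupMember -Group Administrators -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Collected       = $collected
                Member          = $_.Name
                ObjectClass     = $_.ObjectClass
                PrincipalSource = $_.PrincipalSource
                SID             = $_.SID.Value
                Error           = ''
            }
        })
    } catch {
        # Keep a row for the host so a failed enumeration shows up in the report
        # instead of the host silently disappearing from it.
        $rows = @([pscustomobject]@{
            Computer = $env:COMPUTERNAME; Collected = $collected; Member = ''
            ObjectClass = ''; PrincipalSource = ''; SID = ''; Error = $_.Exception.Message
        })
    }

    # One file per host: no concurrent appends, and the last run simply replaces it.
    $file = Join-Path -Path $Destination -ChildPath "$($env:COMPUTERNAME).csv"
    $rows | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    return $file
}

# Collector side, run where the share is readable: merge the per-host files into the
# single report to attach to a monthly mail.
function Merge-LocalAdminReports {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$OutFile)
    Get-ChildItem -Path $Source -Filter '*.csv' -File |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Sort-Object Computer, Member |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
}

Export-LocalAdminReport -Destination $SharePath
```

On the collector, `Merge-LocalAdminReports -Source $SharePath -OutFile C:\Reports\LocalAdmins.csv` produces the combined file; the Error column makes hosts where Get-LocalGroupMember failed (typically an unresolvable member SID) easy to filter out for follow-up.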

