
Audit Your Windows Endpoints for Local Administrator Accounts

  • 12 April 2021

This simple worklet will audit your Windows endpoints and report any local administrator accounts to the Automox activity log.



This will only report on endpoints running at least Windows 10 v1607, Server 2016, or having at least PowerShell v5.1 installed.



Evaluation:

# Get-LocalGroupMember ships with PowerShell 5.1 (Windows 10 v1607 / Server 2016 and later),
# so on anything older exit 0 and report nothing
if ($PSVersionTable.PSVersion -lt [version]'5.1') { Exit 0 }

$scriptBlock = {
    # Return 1 if the local Administrators group has any members, otherwise 0
    $adminNames = Get-LocalGroupMember -Group Administrators
    If ($adminNames) { Return 1 } else { Return 0 }
}

# Run the check in 64-bit PowerShell (sysnative resolves to the 64-bit host when called from a 32-bit process)
$exitCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock

Exit $exitCode



Remediation:

$scriptBlock = {
    # Names of every member of the local Administrators group (COMPUTER\user or DOMAIN\user)
    $adminNames = (Get-LocalGroupMember -Group Administrators).Name
    Return $adminNames
}

# Run in 64-bit PowerShell and write the member list to the Automox activity log
$adminNames = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock

Write-Output $adminNames

Thank you for this worklet. It works great with computers that are on the domain or have connection to the domain (i.e. via VPN), or where any account in the group still exists (not been deleted from AD).



If the account has been deleted, or if only the SID is showing because the machine has not recently been connected to the network (domain), then the command doesn’t work. Any ideas how to overcome this?


Very useful worklet.

We have it working and managed to interrogate a number of our devices.

However, I would like to run this applet once a month, put all the data returned into a single document, say a CSV file, and then email it to me.

I can’t see how to achieve that; can anyone help?
Cheers


I have been attempting to get this working. I am targeting my own machine for testing. However, it returns a blank log summary.
Verified I copied directly from above.
Checked the PowerShell version is 5.1, and if I run the below locally, I get results.
Get-LocalGroupMember -Group Administrators

Any ideas?

Thanks


Hi SCrawford,

We have a revamped version of this in the Worklet Catalog which would function out of the box. Give it a try and let me know if it works for you!

Hi,
When the worklet runs, is there a way to export the actual results to a csv file in a central location or create a custom report?


Worklet that I use will remove users from the lcl admin group if they are not in a specifically defined list. May be helpful to people here.

Evaluation:

<#
.SYNOPSIS
This test script evaluates if any local administrators accounts are
unauthorized.
.DESCRIPTION
This test script gets the local administrators group, takes the names
of each account, and puts it into an array. It then checks each name
in the array against a list of authorized admin account names.
.Notes
File Name :Remove_Unauth_Admins_Eval.ps1
Author :TJ Coppola
Prerequisite :PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module (Windows 10 v1607 / Server 2016 or later)
#>

$scriptblock = {

    ########CHANGE THIS#########
    #define authorized admins (names without the COMPUTERNAME\ prefix; domain accounts keep their DOMAIN\ prefix)
    $allowed = @()
    ############################

    #Get local administrators
    $lcladmins = (Get-LocalGroupMember Administrators).Name

    #Check authorization
    $count = 0
    $hostname = $env:COMPUTERNAME + "\\"   # used as a regex, so "\\" matches one literal backslash
    foreach ($admin in $lcladmins){
        $admin = $admin -replace $hostname,""
        $eval = $allowed -contains $admin     # case-insensitive, matching how Windows treats account names
        if($eval){
            write-host $admin "is allowed to be an administrator."
        }
        else{
            $count++
            write-host $admin "is not allowed to be an administrator."
        }
    }

    #Evaluate ('>' would be output redirection in PowerShell, not a comparison)
    if($count -gt 0){
        Write-Host "Unauthorized administrator accounts detected. Please remediate."
        exit 1
    }
    else{
        exit 0
    }
}

#Run as 64-bit Powershell
$64bit = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
$64bit
#Pass the child process exit code back to Automox; without this the evaluation always returns 0
Exit $LASTEXITCODE



Remediation:

<#
.SYNOPSIS
This script evaluates if any local administrators accounts are
unauthorized and removes them.
.DESCRIPTION
This test script gets the local administrators group, takes the names
of each account, and puts it into an array. It then checks each name
in the array against a list of authorized admin account names. If an
account is unauthorized it is removed from the local administrators
group.
.Notes
File Name :Remove_Unauth_Admins.ps1
Author :TJ Coppola
Prerequisite :PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module (Windows 10 v1607 / Server 2016 or later)
#>

$scriptblock = {

    ########CHANGE THIS#########
    #define authorized admins (names without the COMPUTERNAME\ prefix; domain accounts keep their DOMAIN\ prefix)
    #anything not listed here, including the built-in Administrator and Domain Admins, will be removed
    $allowed = @()
    ############################

    #Get local administrators
    $lcladmins = (Get-LocalGroupMember Administrators).Name

    #Check for and remove unauthorized administrators
    $hostname = $env:COMPUTERNAME + "\\"   # used as a regex, so "\\" matches one literal backslash
    foreach ($admin in $lcladmins){
        $admin = $admin -replace $hostname,""
        $eval = $allowed -contains $admin     # case-insensitive, matching how Windows treats account names
        if($eval){
            write-host $admin "is allowed to be an administrator."
        }
        else{
            Remove-LocalGroupMember -Group Administrators -Member $admin
            write-host $admin "removed from administrators group."
        }
    }
}

#Run as 64-bit Powershell
$64bit = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
$64bit
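An added example, not TJ Coppola's script: the same allow-list idea keyed on SIDs instead of display names (names are case-insensitive, can be renamed, and carry a COMPUTER\ or DOMAIN\ prefix), with the built-in Administrator and Domain Admins protected from removal and report-only behaviour by default. It assumes Get-LocalGroupMember is available (PowerShell 5.1), so it inherits that cmdlet's failure on orphaned SIDs discussed earlier in the thread; the SIDs in $AllowedSids are constructed placeholders.

```powershell
# Added example (not the thread's original code). Allow-list check keyed on SIDs,
# with RID 500 (built-in Administrator) and RID 512 (Domain Admins) never removed.
# Assumes Get-LocalGroupMember from PowerShell 5.1's LocalAccounts module.

# CHANGE THIS: SIDs allowed in the local Administrators group.
# The values below are constructed placeholders, not real SIDs.
$AllowedSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder: helpdesk group
    'S-1-5-21-1111111111-2222222222-3333333333-1201'   # placeholder: break-glass account
)
$ProtectedRids = @('500', '512')   # built-in Administrator, Domain Admins

function Test-LocalAdmins {
    param([string[]]$Allowed = $AllowedSids, [switch]$Remove)

    foreach ($m in (Get-LocalGroupMember -Group Administrators -ErrorAction Stop)) {
        $sid = $m.SID.Value
        $rid = $sid.Split('-')[-1]
        $status = if ($ProtectedRids -contains $rid) { 'protected' }
                  elseif ($Allowed -contains $sid) { 'allowed' }
                  else { 'unauthorized' }

        if ($status -eq 'unauthorized' -and $Remove) {
            # Pass the principal object itself, so no name parsing is involved.
            Remove-LocalGroupMember -Group Administrators -Member $m -ErrorAction Continue
            $status = 'removed'
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $m.Name
            SID      = $sid
            Source   = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Status   = $status
        }
    }
}

# Evaluation: report every member to the activity log, then exit 1 if anything
# is unauthorized. Remediation is the same call with -Remove.
$report = @(Test-LocalAdmins)
$report | Format-Table -AutoSize | Out-String | Write-Output
$bad = @($report | Where-Object { $_.Status -eq 'unauthorized' }).Count
exit ([int]($bad -gt 0))
```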

It looks like you may be looking for the export-csv command. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-csv?view=powershell-7.4
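An added example, not part of the original worklet, that addresses two questions raised in this thread: the members that Get-LocalGroupMember chokes on (deleted domain accounts, or a SID that cannot be resolved while off the domain) and getting the results out as CSV. It enumerates the group through the WinNT ADSI provider, which lists unresolved SIDs as members instead of failing, then emits CSV for the activity log and optionally appends to a central share; it assumes elevated Windows PowerShell 5.1, and the $CentralCsv path is a placeholder.

```powershell
# Added example (not the thread's original code). Enumerates the local
# Administrators group via ADSI so orphaned SIDs are reported, not fatal.
# Assumes elevated Windows PowerShell 5.1; $CentralCsv is a placeholder.

function Get-LocalAdminMembers {
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($member in @($group.Invoke('Members'))) {
        # Members come back as COM objects, so read properties via reflection.
        $path  = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class', 'GetProperty', $null, $member, $null)
        # AdsPath is WinNT://DOMAIN/user, WinNT://DOMAIN/COMPUTER/user for local
        # accounts, or WinNT://S-1-5-21-... when the SID no longer resolves.
        $parts = ($path -replace '^WinNT://', '').Split('/')
        $name = if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[-1] }
        $orphaned = $parts[-1] -match '^S-1-\d+(-\d+)+$'
        $source = if ($orphaned) { 'Unresolved' }
                  elseif ($name -like "$env:COMPUTERNAME\*") { 'Local' }
                  else { 'Domain' }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $name
            Class    = $class        # User or Group
            Source   = $source
            Orphaned = $orphaned
        }
    }
}

$members = @(Get-LocalAdminMembers)

# Activity log: one CSV line per member is easy to collect from many endpoints.
$members | ConvertTo-Csv -NoTypeInformation | Write-Output

# Optional central copy. Placeholder path; the share ACL must let the endpoint's
# machine account append, and -Append lets every endpoint share one file.
$CentralCsv = '\\FILESERVER\share\local-admins.csv'
if (Test-Path -Path (Split-Path -Path $CentralCsv -Parent)) {
    $members | Export-Csv -Path $CentralCsv -NoTypeInformation -Append
}

# Same evaluation semantics as the original worklet: 1 when any member exists.
exit ([int]($members.Count -gt 0))
```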


The Policy Results Report may be a useful tool for you here. You can find it under the reports tab visible on the Automox Dashboard.

