In our security audits we’ve identified a vulnerability in the use of privileged accounts for desktop support. While it’s necessary to use privileged accounts to deliver support, profiles with cached credentials left on windows computers can be extracted and used to gain control of the domain. Here is a script to remove the cached profiles of your admin accounts.

Evaluation:

<#
.SYNOPSIS
    This script evaluates if certain profiles are present on a windows device.
.DESCRIPTION
    This test script sets a list of unwanted accounts and checks if they are present on a device. It returns a failure if any account in the list is present. 
.Notes
    File Name       :Remove_Cached_Admins_Eval.ps1
    Author          :TJ Coppola
    Prerequisite    :PowerShell V2 over win7 and upper
#>

#ADD UNWANTED PROFILES THIS ARRAY
$AccountList = @()

$eval = 0

Foreach ($Account in $AccountList){
  $instance = Get-CimInstance -ClassName Win32_UserProfile | ?{$_.LocalPath -like ('*'+$Account)}
  if ($instance){
    Write-Host $Account 'found.'
    $eval = 1
  }else{
    Write-Host $Account 'not found'
}

Exit $eval

Remediation:

<#
.SYNOPSIS
    This script checks if certain profiles are present on a windows device and removes them.
.DESCRIPTION
    This test script sets a list of unwanted account profiles and checks if they are present on a device. It deletes any profile included in that list. 
.Notes
    File Name       :Remove_Cached_Admins.ps1
    Author          :TJ Coppola
    Prerequisite    :PowerShell V2 over win7 and upper
#>

#ADD UNWANTED ACCOUNTS TO THIS ARRAY
$AccountList = @()

Foreach ($Account in $AccountList){
  $instance = Get-CimInstance -ClassName Win32_UserProfile | ?{$_.LocalPath -like ('*'+$Account)}
  if ($instance){
    Write-Host $Account 'found. Deleting.'
    $instance | Remove-CimInstance -Confirm:$false
  }else{
    Write-Host $Account 'not found'
  }
}