Audit Your Windows Endpoints for Local Administrator Accounts

This simple worklet will audit your Windows endpoints and report any local administrator accounts to the Automox activity log.

This only reports on endpoints running at least Windows 10 v1607 or Server 2016, or that otherwise have PowerShell 5.1 or later installed, because the Get-LocalGroupMember cmdlet it relies on ships with PowerShell 5.1.

Evaluation:

# Get-LocalGroupMember requires PowerShell 5.1 (built into Windows 10 v1607 and Server 2016); exit cleanly on older hosts
if ($PSVersionTable.PSVersion -lt [version]'5.1') { Exit 0 }

$scriptBlock = {

    # Return 1 (non-compliant, so remediation runs) when the Administrators group has any members, otherwise 0
    $adminNames = Get-LocalGroupMember -Group Administrators
    If ($adminNames) { Return 1 } else { Return 0 }

}

# Run the block in 64-bit PowerShell through the sysnative alias (the agent is a 32-bit process and the LocalAccounts cmdlets are not available from 32-bit PowerShell on 64-bit Windows); the block's output becomes this script's exit code
$exitCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock
Exit $exitCode

Remediation:

$scriptBlock = {

    # Collect the member names of the local Administrators group
    $adminNames = (Get-LocalGroupMember -Group Administrators).Name
    Return $adminNames

}

# Same 64-bit launch as in the evaluation; the names come back on stdout and are written to the Automox activity log
$adminList = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock
Write-Output $adminList

Thank you for this worklet. It works great with computers that are on the domain or have a connection to the domain (i.e. via VPN), or where every account in the group still exists (has not been deleted from AD).

If an account has been deleted, or if only the SID is showing because the computer has not recently been connected to the network (domain), then the command doesn't work. Any ideas how to overcome this?
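An added example, not part of the worklet or of either post above, showing one way to keep the audit working when Get-LocalGroupMember aborts on a member whose SID no longer resolves (a deleted AD account, or the domain unreachable): it tries the cmdlet first and falls back to the WinNT ADSI provider, which still returns every member together with its raw SID. The function name Get-LocalAdminMembers and the Unresolved flag are my own.

```powershell
function Get-LocalAdminMembers {
    # Enumerate members of the local Administrators group, tolerating members whose SID
    # can no longer be resolved to a name (deleted AD accounts, or the domain is unreachable).
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Locate the group by its well-known SID so localized group names are handled.
    $adminSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

    try {
        # Preferred path: the LocalAccounts cmdlet the worklet already uses (PowerShell 5.1+).
        Get-LocalGroupMember -SID $adminSid -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; SID = $_.SID.Value; Unresolved = $false }
        }
    }
    catch {
        # Get-LocalGroupMember fails the whole listing on a single unresolvable SID.
        # The WinNT ADSI provider still returns every member, so fall back to it.
        $group = [ADSI]"WinNT://$ComputerName/$groupName,group"
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            $path     = $member.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
            $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
            $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
            try {
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $unresolved = $false
            }
            catch {
                # No name for this SID right now: keep the raw WinNT path so the entry is still reported.
                $name = $path -replace '^WinNT://', ''
                $unresolved = $true
            }
            [pscustomobject]@{ Name = $name; SID = $sid.Value; Unresolved = $unresolved }
        }
    }
}

# Report as the worklet does; entries flagged Unresolved are candidates for cleanup review.
Get-LocalAdminMembers | Sort-Object Unresolved, Name | Format-Table -AutoSize
```

Placed inside the remediation script block in place of the single Get-LocalGroupMember line, it runs in the same 64-bit PowerShell the worklet already launches.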