Jump to content
markwiater

Local Administrator Group Audit

Recommended Posts

The attached script was intended to solve the problem of knowing when members of a workstations local administrators group changed. I schedule this against groups to run first thing each morning.

There are actually two scripts, the second inserts records into a custom table in the database, one record for each member of the local administrators group. My thought here was that I could more easily determine the new group member, but perhaps it's overkill to add a record for each member.

Script logic is rather simple, just get the group membership via powershell and massage the data so we can work with it and insert records in a table to so we can report on it if needed. I also wanted to know if the group member was a local user or domain user, so there's logic in the script to detect that and record it in the table.

If the group membership changed on this invocation of the script from the previous execution, I've chosen to create a ticket. But that can be changed in favor of a monitor that does what you want instead.

I haven't written Report Center reports for this, but they shouldn't be difficult to create if necessary.

I've found this useful in detecting instances when techs have modified the group membership, obviously, but also when a trust relationship between computer and domain has been broken.

Audit Localadmin groupmem - master.xml

Share this post


Link to post
Share on other sites

Folks,

If you were interested in this, might want to hold off on this version. There's a bug or three in this version relating to the table creation and verification. I'll get these fixed early in the week, and there's also some collaboration that might turn it into a more useful tool.

thanks

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...