
Get users on the Local admin groups



I had this issue: most of the users are working with admin privileges on their computers, but I had no idea which users.

I did this following a Reddit user's post:

Step 1: Create two new EDFs (Extra Data Fields):

Local Admin Accounts

Local Admin Accounts last date checked

Step 2: Create a script to populate those fields

POWERSHELL: Get-LocalGroupMember -Group "Administrators" | Select Name

SET: [EXTRAFIELD Local Admin Accounts] = %powershellresult%

SET: [EXTRAFIELD Local Admin Accounts last date checked] = %when%

Step 3: Create a report or use Advanced Search

I haven't built a report for this; we audit the EDFs using an advanced search. You'd want to pull something like this:

[Computer.Extra Data Field.Local Admin Accounts] Contains ""

[Computer.Extra Data Field.Local Admin Accounts last date checked] Contains ""

[Computer.Client.General.Name] Contains NULL

 

I also created a script to remove all the users and leave only a few users that have access.

# Removes every member of Administrators that is NOT on the keep list; edit the domain\... placeholders first.
$delete1 = Get-LocalGroupMember -Group "Administrators" | Where-Object {
    $_.Name -notlike '*domain\administrator*' -and $_.Name -notlike '*domain\domainuser*' -and
    $_.Name -notlike '*localuser*' -and $_.Name -notlike '*domain\DOMAIN ADMINS*'
}
if ($delete1) {
    Remove-LocalGroupMember -Group "Administrators" -Member $delete1   # add -WhatIf to preview first
}

 

Sometimes we explain the scripts for power users and not for beginners. If you're starting on this and you have any question that you think could be a stupid question (there are no stupid questions), don't be afraid to ask; everyone starts by asking questions. I'm here to help.

 

 


This is awesome, I've been looking for a way to do exactly this.

I've followed your steps, creating the two new extra data fields, and I'm working on step two, creating the script. I'm running into issues here:

The Script(6466) failed in the Then section at step 2. The reason: SQL Execute failed processing query

This is what I have in the script:

(screenshot of the script, not reproduced)

Any idea what may be going wrong?


Did you create the Extra Data Fields?

Because it looks like the script can't find the field in the database. Also, for Windows 7 I made a few adjustments, because that PowerShell command only works on Windows 10.

 


Yep, I created the extra data fields before creating the script. "Extra Field" in the ExtraData Set Value function is a drop-down list, so the EDF has to exist to select it from the list; it throws an error if you try to just type in an EDF that doesn't exist.


Make sure that you can write something into the EDF field. Check my script; I made a few adjustments for Windows 7.

(screenshot of the adjusted script, not reproduced)

1 minute ago, ernesto said:

I tried, but I don't know if it's a misconfiguration on my end; it didn't work.

It's working great on my server, but it's not working for the French local admin group (Administrateurs). I edited the script to include both the French and English local group names.

Admon Maintenance Service Script / Line 3

Original Code:

# Parse `net localgroup administrators`: drop blank lines and the completion message, then skip the
# 4 header lines (Alias name, Comment, Members, dashes); what is left are the member names.
$myadmins = net localgroup administrators | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4 -ErrorAction SilentlyContinue
$i = 0
foreach ($admin in $myadmins) {
    # Double backslashes so DOMAIN\user survives inside the SQL string literal below.
    $admin = $admin.Replace("\", "\\")
    if ($i -eq 0) {
        write-output "( %clientid% ,  %computerid% , NOW(), '$admin')"
    } else {
        write-output ",( %clientid% ,  %computerid% , NOW(), '$admin')"
    }
    $i++
}

Edited for English and French

# Get-LocalGroup needs the LocalAccounts module (Windows 10 / Server 2016+); it is only used here to
# detect the French group name, after which `net localgroup` does the actual listing.
$Groups = Get-LocalGroup | foreach {$_.Name}
if ($Groups -contains "Administrateurs") {
    $groupName = "Administrateurs"   # French: the completion line ends with "correctement."
    $doneMsg   = "correctement."
} else {
    $groupName = "administrators"    # English
    $doneMsg   = "command completed successfully"
}
# Drop blank lines and the completion message, then skip the 4 header lines; the rest are member names.
$myadmins = net localgroup $groupName | where {$_ -AND $_ -notmatch $doneMsg} | select -skip 4 -ErrorAction SilentlyContinue
$i = 0
foreach ($admin in $myadmins) {
    # Escape for the MySQL INSERT built from this output: backslashes (as in the original) and also
    # single quotes, which Windows allows in account names and which would otherwise break the query.
    $admin = $admin.Replace("\", "\\").Replace("'", "''")
    if ($i -eq 0) {
        write-output "( %clientid% ,  %computerid% , NOW(), '$admin')"
    } else {
        write-output ",( %clientid% ,  %computerid% , NOW(), '$admin')"
    }
    $i++
}

 


Only if you want to detect the local Admin group in another language:

Copy Line 3 and disable it, then edit the copy with my custom script.

One more thing: if the script does not populate users in the database, you can try changing Line 3's Script Credentials from "Run as admin" to "Run as local agent".

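Pulling the thread's two procedures together (ernesto's audit-then-prune script in the first post, and nicecube's French/English group handling above), here is an added example. It is my code, not ernesto's or nicecube's script and not ConnectWise Automate code. It avoids the localized group name entirely by resolving the built-in Administrators group from its well-known SID S-1-5-32-544, falls back to the ADSI WinNT provider on hosts such as Windows 7 that lack the LocalAccounts module (the "only works on Windows 10" problem), produces a single-line value for the EDF plus a properly escaped MySQL literal for the INSERT variant of the script, and prunes the group against an allow-list with -WhatIf support. The CONTOSO\... allow-list entries are placeholders I assumed; replace them with your own.

```powershell
# Added example, not from the original posts. Assumed placeholders: the CONTOSO\... allow-list entries.
# Run in an elevated PowerShell session on the endpoint (the same context an Automate script runs in).

function Get-LocalAdminGroupName {
    # Resolve BUILTIN\Administrators from its well-known SID so the name matches the OS language
    # ("Administrators", "Administrateurs", "Administratoren", ...).
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    ($sid.Translate([System.Security.Principal.NTAccount])).Value.Split('\')[-1]
}

function Get-LocalAdminMembers {
    # Returns objects with Name (DOMAIN\name or COMPUTER\name), Sid and Class for every direct member.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        # Windows 10 / Server 2016+: LocalAccounts module; -SID sidesteps the localized name entirely.
        return Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Sid = $_.SID.Value; Class = $_.ObjectClass }
        }
    }
    # Windows 7 / PowerShell 2.0 fallback: ADSI WinNT provider, present on every Windows version.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$(Get-LocalAdminGroupName),group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path  = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',     'GetProperty', $null, $m, $null)
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '').Split('/')   # e.g. CONTOSO/jdoe or PC01/localuser
        [pscustomobject]@{
            Name  = $parts[-2] + '\' + $parts[-1]
            Sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
            Class = $class
        }
    }
}

function ConvertTo-EdfValue {
    # One line for the "Local Admin Accounts" EDF; a multi-line %powershellresult% is awkward to search on.
    param([object[]] $Members)
    ($Members | ForEach-Object { $_.Name }) -join '; '
}

function ConvertTo-MySqlLiteral {
    # For the INSERT variant of the script: escape backslashes AND single quotes. Windows allows a
    # single quote in an account name, and an unescaped one breaks or alters the generated SQL.
    param([string] $Value)
    "'" + $Value.Replace('\', '\\').Replace("'", "''") + "'"
}

function Remove-UnapprovedLocalAdmins {
    # Removes every direct member not on the allow-list. Supports -WhatIf / -Confirm; run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]] $AllowedNames = @('CONTOSO\Domain Admins', 'CONTOSO\helpdesk'),   # placeholders
        [int[]]    $AllowedRids  = @(500, 512)   # 500 = built-in Administrator, 512 = Domain Admins
    )
    foreach ($m in Get-LocalAdminMembers) {
        $rid = if ($m.Sid) { [int]($m.Sid.Split('-')[-1]) } else { -1 }
        if ($AllowedNames -contains $m.Name -or $AllowedRids -contains $rid) { continue }
        if (-not $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) { continue }
        if (Get-Command Remove-LocalGroupMember -ErrorAction SilentlyContinue) {
            Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $m.Name
        } else {
            $group = [ADSI]"WinNT://$env:COMPUTERNAME/$(Get-LocalAdminGroupName),group"
            $group.Remove("WinNT://$($m.Name.Replace('\', '/'))")
        }
    }
}

# Usage: audit first, then a dry run of the cleanup.
$members = Get-LocalAdminMembers
Write-Output (ConvertTo-EdfValue $members)                    # value for the "Local Admin Accounts" EDF
$members | ForEach-Object { ConvertTo-MySqlLiteral $_.Name }  # escaped literals for the INSERT variant
Remove-UnapprovedLocalAdmins -WhatIf
```

Two notes on the design. Matching on SIDs and RIDs rather than on names means a renamed built-in Administrator or a differently localized "Domain Admins" is still protected, which the wildcard -notlike list in the first post does not guarantee. And Get-LocalGroupMember is known to fail when the group still holds orphaned SIDs of deleted domain accounts; if you hit that, run the ADSI branch instead, which lists them as raw SIDs so you can clean them up.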
