SCCM Query for local Admin

Arni 116

Hello, I need assistance in generating report to show Local Admin users in our Windows 7 Windows 10, and Windows Servers environment. I need to compile these to place a security rules. The report should also show the name of the computer or the FQDN.

Any help is greatly appreciated, thanks.

We're using SCCM 2012.

Arni 116 Reputation points

2021-07-29T23:49:19.867+00:00

II found the forum about : SCCM Report to find domain users with local admin privilege on all domain computers and pointing it to Sherry Kissinger. However, that link is broken or no longer working. I hope someone can assist, thanks.

Accepted answer

Amandayou-MSFT 11,046 Reputation points

2021-07-30T02:46:24.64+00:00

Hi @Arni ,

We could use SCCM CMPivot Query to find local administrator accounts.

Use the below SCCM CMPivot query to find local administrator accounts. Enter the query and click Run Query.
Administrators | where Name !contains 'Administrator' and Name !contains 'Domain Admins'

For more information, please refer to Prajwal Desai's article:
Find Local Administrator Accounts with SCCM CMPivot Query
Note: Non-Microsoft link, just for the reference.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Arni 116 Reputation points

2021-07-30T06:42:26.23+00:00

I@Amandayou-MSFT

This is great to know! I will give this a try and get back to you. Thanks for the info.

Arni 116 Reputation points

2021-08-05T18:41:21.497+00:00

@Amandayou-MSFT

Is there a way to find out if the Local Admin and Administrator account is Active or Disabled using the CM Pivot? I have sorted the report with these two accounts but wanting to know if they are active or not. Any help is appreciated, thanks.

Amandayou-MSFT 11,046 Reputation points

2021-08-06T07:24:28.207+00:00

Hi,

The idea of using the CM Pivot is excellent, there is no way to achieve it at this time. It's recommended that we could use the following user voice link to submit our suggestion to get it.
https://configurationmanager.uservoice.com/forums/300492-ideas

Fortunately, we could use powershell to get file, put it in sccm package and it will return the result.

$env:computername >> "destination path file"
get-localuser | select name, enabled | out-file -filepath "destination path file" -append

Best regards,
Amanda

Arni 116 Reputation points

2021-08-06T15:17:04.483+00:00

@Amandayou-MSFT

Thank you for this information. do you have a step by step guide on how to apply the PowerShell on SCCM or if it's not too much to ask, if you could walk me through on how to create sccm package applying the PowerShell to produce the result would be greatly appreciated? I am not familiar with this process of creating a package. Thanks.

Brandon M 1 Reputation point

2021-08-06T15:30:54.37+00:00

You can use the Scripts feature under the Software Library. I use it all the time to run PowerShell scripts on devices and collections to gather information or quickly apply a configuration.
https://learn.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-deploy-scripts

Alternatively, you can create and deploy PowerShell scripts via Task Sequences using the "Run PowerShell Script" step, but that is more for applying configuration to a device. Since you are looking to gather information, I suggest using the Scripts method. The script output is returned back to the console and you can view it later from Monitoring\Script Status.

Sherry Kissinger 3,806 Reputation points

2021-08-06T17:23:34.447+00:00

In my opinion (and it's just my opinion), a package to spit out those values into a local text file on each device won't be that useful. you might as well remotely connect to each device and go look interactively then, too. (since that is what you'll be doing).

Possibilities; you could "create a script" in the console (Scripts node), where you specifically look for the SPECIFIC usernames you said you wanted to know about (you said there were two? "with these two accounts")

Get-LocalUser | where-object {$_.Name -eq 'Administrator'} | Select enabled

that might work. But if you want to "inventory" that information, then it might get trickier; where if you want that information in tables/views in your database, about whether or not any particular locally defined username is enabled or disabled.

Arni 116 Reputation points

2021-08-06T19:23:00.607+00:00

@Amandayou-MSFT

Hello Amanda, I tried running the PowerShell Script on my computer and I got this result:

Name Enabled
---- -------
Administrator True
ABUser True
DefaultAccount False
Guest False
Localadmin True
WDAGUtilityAccount False

II noticed, it doesn't display the Computer Name. How can I run this script on SCCM and run it against all our computer collection (Client and Servers), which will include the full computer name in the report, Can the output be on Spreadsheet too? Thanks
Sign in to comment

7 additional answers

Sherry Kissinger 3,806 Reputation points

2021-12-02T14:04:51.483+00:00

Thanks for testing! I've added a note to the original blog entry with your findings, and your work around. Perhaps I can craft a localization-agnostic method for determining a local user account enabled/disabled... Some global companies may have dozens or more localizations to consider; the script might get really messy with multiple -or statements for different possible localizations.

But I'm glad you found the cause, and a workaround for your environment.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Paolo Bragagni 1 Reputation point

2021-12-02T08:33:17.547+00:00

Yes it was localization.

Change that lines in:
#Check if a Local user account is enabled or not. Make it $null to start with; just to be sure it's clean and empty.
$Enabled = $null
if ( ($ReturnedValues.PrincipalSource -eq 'Local') -and (($ReturnedValues.ObjectClass -eq 'User') -or ($ReturnedValues.ObjectClass -eq 'Utente'))) {
Please sign in to rate this answer.
Sherry Kissinger 3,806 Reputation points

2021-12-07T16:25:05.367+00:00

I've updated the script in the original blog to (hopefully) be language-localization agnostic.

Thanks for testing and identifying an issue!
-Sherry
Sign in to comment
Paolo Bragagni 1 Reputation point

2021-12-01T15:22:40.877+00:00

It seems that it never goes though the part where you check for Enable or disable
if ( ($ReturnedValues.PrincipalSource -eq 'Local') -and ($ReturnedValues.ObjectClass -eq 'User')) {
ecc ecc

perhaps because of language?
'User'->'Utente'

in CMLocalGroupMembers.log
I found everything but enable/disable

part of log:

<![LOG[Type: Local
]LOG]!><time="09:47:27.040704" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">
<![LOG[Group: Administrators
]LOG]!><time="09:47:27.122001" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">
<![LOG[Account or nested group Inside: myname
]LOG]!><time="09:47:27.163759" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">
<![LOG[Domain: PC-NAME
]LOG]!><time="09:47:27.185128" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">
<![LOG[Category: Utente

]LOG]!><time="09:47:27.232527" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Sherry Kissinger 3,806 Reputation points

2021-12-01T14:47:51.09+00:00

What does the log say, on a box where you KNOW there are test multiple local accounts, where one of those local accounts is enabled, and the other disabled?

Log Location, if run as SYSTEM, this will most likely be %windir%\temp
$LogFilePath = $env:TEMP + "\CMLocalGroupMembers.log"

There is a section in the script where when the script is trying to figure out if an account is local and disabled, it will write notes to the log file:

under this comment in the script:
Check if a Local user account is enabled or not. Make it $null to start with; just to be sure it's clean and empty.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

SCCM Query for local Admin

7 additional answers

part of log:

]LOG]!><time="09:47:27.232527" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">