SCCM Query for local Admin

Arni 116

Hello, I need assistance in generating report to show Local Admin users in our Windows 7 Windows 10, and Windows Servers environment. I need to compile these to place a security rules. The report should also show the name of the computer or the FQDN.

Any help is greatly appreciated, thanks.

We're using SCCM 2012.

Arni 116 Reputation points

2021-07-29T23:49:19.867+00:00

II found the forum about : SCCM Report to find domain users with local admin privilege on all domain computers and pointing it to Sherry Kissinger. However, that link is broken or no longer working. I hope someone can assist, thanks.

Accepted answer

Amandayou-MSFT 11,046 Reputation points

2021-07-30T02:46:24.64+00:00

Hi @Arni ,

We could use SCCM CMPivot Query to find local administrator accounts.

Use the below SCCM CMPivot query to find local administrator accounts. Enter the query and click Run Query.
Administrators | where Name !contains 'Administrator' and Name !contains 'Domain Admins'

For more information, please refer to Prajwal Desai's article:
Find Local Administrator Accounts with SCCM CMPivot Query
Note: Non-Microsoft link, just for the reference.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Arni 116 Reputation points

2021-07-30T06:42:26.23+00:00

I@Amandayou-MSFT

This is great to know! I will give this a try and get back to you. Thanks for the info.

Arni 116 Reputation points

2021-08-05T18:41:21.497+00:00

@Amandayou-MSFT

Is there a way to find out if the Local Admin and Administrator account is Active or Disabled using the CM Pivot? I have sorted the report with these two accounts but wanting to know if they are active or not. Any help is appreciated, thanks.

Amandayou-MSFT 11,046 Reputation points

2021-08-06T07:24:28.207+00:00

Hi,

The idea of using the CM Pivot is excellent, there is no way to achieve it at this time. It's recommended that we could use the following user voice link to submit our suggestion to get it.
https://configurationmanager.uservoice.com/forums/300492-ideas

Fortunately, we could use powershell to get file, put it in sccm package and it will return the result.

$env:computername >> "destination path file"
get-localuser | select name, enabled | out-file -filepath "destination path file" -append

Best regards,
Amanda

Arni 116 Reputation points

2021-08-06T15:17:04.483+00:00

@Amandayou-MSFT

Thank you for this information. do you have a step by step guide on how to apply the PowerShell on SCCM or if it's not too much to ask, if you could walk me through on how to create sccm package applying the PowerShell to produce the result would be greatly appreciated? I am not familiar with this process of creating a package. Thanks.

Brandon M 1 Reputation point

2021-08-06T15:30:54.37+00:00

You can use the Scripts feature under the Software Library. I use it all the time to run PowerShell scripts on devices and collections to gather information or quickly apply a configuration.
https://learn.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-deploy-scripts

Alternatively, you can create and deploy PowerShell scripts via Task Sequences using the "Run PowerShell Script" step, but that is more for applying configuration to a device. Since you are looking to gather information, I suggest using the Scripts method. The script output is returned back to the console and you can view it later from Monitoring\Script Status.

Sherry Kissinger 3,801 Reputation points

2021-08-06T17:23:34.447+00:00

In my opinion (and it's just my opinion), a package to spit out those values into a local text file on each device won't be that useful. you might as well remotely connect to each device and go look interactively then, too. (since that is what you'll be doing).

Possibilities; you could "create a script" in the console (Scripts node), where you specifically look for the SPECIFIC usernames you said you wanted to know about (you said there were two? "with these two accounts")

Get-LocalUser | where-object {$_.Name -eq 'Administrator'} | Select enabled

that might work. But if you want to "inventory" that information, then it might get trickier; where if you want that information in tables/views in your database, about whether or not any particular locally defined username is enabled or disabled.

Arni 116 Reputation points

2021-08-06T19:23:00.607+00:00

@Amandayou-MSFT

Hello Amanda, I tried running the PowerShell Script on my computer and I got this result:

Name Enabled
---- -------
Administrator True
ABUser True
DefaultAccount False
Guest False
Localadmin True
WDAGUtilityAccount False

II noticed, it doesn't display the Computer Name. How can I run this script on SCCM and run it against all our computer collection (Client and Servers), which will include the full computer name in the report, Can the output be on Spreadsheet too? Thanks
Sign in to comment

7 additional answers

Sherry Kissinger 3,801 Reputation points

2021-08-06T20:41:58.037+00:00

in my opinion, at this point you aren't asking the question of "what can ECM do for me", you are asking the question of "I need to have a remote powershell script do this for me, presuming I have local Admin rights on all of the target devices", where the results will be spit out into a local xlsx or csv file, after remotely connecting across the network to a list of devices". CM would not "create a spreadsheet" like you are asking for.

If you really want ECM to "do this for you", at this point it isn't a pivot script, nor (in my opinion) a script within CM--but you could do that, I guess--that wouldn't be my first method that I would use, however.

I think what you "really want" (at the risk of guessing what you really want) is a way to inventory this information. This would be a custom inventory, where you would, most likely, deploy a Script (via a Configuration item), then import a CUSTOM inventory mof file (to create a custom table and view), and then, you can query your CM database for this information; after your devices have had a chance to run that Configuration Item, and subsequently do hardware inventory.
Please sign in to rate this answer.
Arni 116 Reputation points

2021-08-06T22:11:40.49+00:00

@Sherry Kissinger

Hello Sherry, the CMPivot was almost perfect, thanks to @Amandayou-MSFT for introducing this new tool to me. It was almost perfect until I received a request if it can also show if these accounts (e.g. LocalAdmin and Administrator) are active or disabled. I understand that the CMPivot (administration) is only limited up to four columns. I would like to use the CM to generate what I need which will also include the LocalAdmin/Administrator "status." I don't expect the CM to produce a report or output to spreadsheet. That question regarding the spreadsheet only came when Amanda introduced the PowerShell out-file. I usually just copy the result from the CM and paste it to spreadsheet then rearranging the columns manually. In CMPivot (Administrators), the results that I have are (Device - Object Class - Name - Principal Source). Can you help on another query in CM where I can have all the results that I need? Thanks.

Sherry Kissinger 3,801 Reputation points

2021-08-06T23:14:09.937+00:00

forget pivot, Amanda already said "The idea of using the CM Pivot is excellent, there is no way to achieve it at this time. It's recommended that we could use the following user voice link to submit our suggestion to get it.
https://configurationmanager.uservoice.com/forums/300492-ideas"... aka... right NOW it's impossible to use CM Pivot--that would be an enhancement to the product.

Go to Software Library, Scripts.

Create Script, give it a name, and the script is this and only this one single line:
get-localuser | Select Name, Enabled

Once created, you will have to approve the script for use before you can use it. Depending upon how your environment is setup, you might need to have someone ELSE approve the script (not you). If you are the one and only and sole user of CM in your environment, then you may want to first follow the directions here, https://learn.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-deploy-scripts for allowing script creators to self-approve their own scripts.

Sherry Kissinger 3,801 Reputation points

2021-08-06T23:14:26.117+00:00

once the script is approved, go to Assets, Device Collections, pick a collection, and right-click run script, pick this script.

Wait. You know the drill.

if a machine is online and able to reply eventually you'll get responses. Remember this is only going to be for machines which happen to be online and available.

The results won't be pretty, but you'll have them. likely you'll need to do a lot of parsing / fun things to make it look pretty.

if you want it logical and (imo) more useful; I spent some time updating and testing a script + mof edit / custom inventory for "all members of all local groups... including whether or not the local user account referenced is enabled True/False"

Still testing in my whopping lab of 2 devices. I may blog it later this weekend...

Sherry Kissinger 3,801 Reputation points

2021-08-06T23:30:10.923+00:00

you "could" also have TWO scripts in the scripts node. one specifically and only and just for
Get-LocalUser | where-object {$_.Name -eq 'Administrator'} | Select enabled

and the other specifically and only and just for
Get-LocalUser | where-object {$_.Name -eq 'LocalAdmin'} | Select enabled

presuming those are the two and only two accounts you actually care about on the targets, by those specific names. might be a 'bit' easier to parse the results. Maybe.

Arni 116 Reputation points

2021-08-07T06:13:36.477+00:00

@Sherry Kissinger

I will also try these two scripts. Thank you so much!

Arni 116 Reputation points

2021-08-07T18:39:54.703+00:00

I just tried it and got what I wanted and you are correct, I need to do a lot of parsing on this to make it look nice. I will wait for the script that you are testing about the "all members of all local groups..." and will try that when its ready. Thank you!

Scaccabarozzi, Thomas 0 Reputation points

2023-09-01T10:49:36.3566667+00:00

Please delete this message; I prefer use Class Extension.
Sign in to comment
Sherry Kissinger 3,801 Reputation points

2021-08-08T23:34:06.387+00:00

For testing... this would be a Script + Mof edit; to inventory using a powershell script the 'all members of all local groups", optionally log to a local log file on each client when the script runs. The script does also lookup when the member of a local group is a local user account, is that local user account Enabled True/False, and able to report on that.

https://tcsmug.org/blogs/sherry-kissinger/568-cm-all-members-of-all-local-groups-powershell

This has only been tested in a 2-device lab environment--aka... hardly tested at all. Do I think it works? probably. But more testing definitely would need to be done to confirm.
Please sign in to rate this answer.
A_Lop 41 Reputation points

2021-08-13T16:30:15.87+00:00

@Sherry Kissinger

Great information! Thank you for sharing. I have generated the report that our Security Admin wants to see and it's an eye opener to all of us that a lot of our machines have enabled Local Admins. This time, I need help on a way of disabling these LocalAdmin accounts (specific account because there are two but we want to keep just one). Perhaps, in a smaller group first, then if everything looks good, we will expand the implementation. Do you know a safer way of doing this in SCCM and making sure that it's actually disabled? This is our initial step, but eventually, we will delete this account, I guess using a group policy script or SCCM, whichever is more reliable and consistent. The remaining machines with Administrator account will be managed using LAPS. Thanks again and looking forward to your valuable assistance.

Sherry Kissinger 3,801 Reputation points

2021-08-13T18:51:45.37+00:00

"what to use' (GPO, CM, something else) to disable/delete the specific local accounts I'm not going to comment on. That's because people want to throw around the words "best practice says"; but that to me isn't helpful. What makes the most sense for your company to use, based upon your environment, and your policies and procedures, is what you should use to disable those local accounts, and then later delete them.

As for confirming <insert account names here> are locally disabled, and/or no longer exist, please feel free to test the blogged routine using CM as a script + mof edit, then reports later.

Scaccabarozzi, Thomas 0 Reputation points

2023-09-01T09:33:12.4233333+00:00

Dear @Sherry Kissinger I follow your guide (2023 version files) at https://tcsmug.org/blogs/sherry-kissinger/568-cm-all-members-of-all-local-groups-powershell.

I'm having a problem: the information is correctly collected on the user's workstation (the log file is created and using a WMI Explorer the information is locally populated correctly), but they DO NOT arrive in the database table and they are not even viewable by punctually accessing from SCCM to the user workstation.

Do you have anything to check that explains why the data doesn't get to SCCM?

Example, I cannot see LoadAdmin inside Hardware Inventory:

Even running the query on the database, the table remains empty.

Sherry Kissinger 3,801 Reputation points

2023-09-01T16:21:32.94+00:00

Did you import the mof into "Default Client Settings", Hardware Inventory? (steps 16/17/18 in that blog)
Sign in to comment
Paolo Bragagni 1 Reputation point

2021-12-01T14:35:13.977+00:00

Hi, I follow all the steps here https://tcsmug.org/blogs/sherry-kissinger/568-cm-all-members-of-all-local-groups-powershell

And it almost works. :)

tha only thing that doesnt work is the 'enable' 'disable' flag that never been populate. what I miss?

thanks in advance,
P.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Sherry Kissinger 3,801 Reputation points

2021-12-01T14:47:51.09+00:00

What does the log say, on a box where you KNOW there are test multiple local accounts, where one of those local accounts is enabled, and the other disabled?

Log Location, if run as SYSTEM, this will most likely be %windir%\temp
$LogFilePath = $env:TEMP + "\CMLocalGroupMembers.log"

There is a section in the script where when the script is trying to figure out if an account is local and disabled, it will write notes to the log file:

under this comment in the script:
Check if a Local user account is enabled or not. Make it $null to start with; just to be sure it's clean and empty.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment