How to find local administrators (users with administrator rights) on all PCs and generate a report, then how to automate removing local administrators from PCs?

Jacek S 6 Reputation points
2022-07-11T13:32:43.027+00:00

I wasn't able to find it, so I need your help.

I need to know how to find all local administrators (users with administrator rights) on all PCs in my domain (PowerShell script, GPO, ...), even on the machines that are down during the scanning process (if that is possible).

Then I need to generate a report with all those admins and the PC names next to them.

After that I have to automate removing all those local administrators from the PCs.

I need a simple but complete step-by-step info/manual.

Can someone help me?

Thank you in advance

1 answer

  1. Michael Taylor 57,316 Reputation points
    2022-07-11T14:05:18.887+00:00

    Local accounts are stored on the machine that owns them. You cannot get this information without accessing the machine itself. Assuming you are dealing with a large network, this could take a while as each machine has to be scanned. However, doing it is trivial depending upon the technology you want to use. For example, given an arbitrary machine (for which you have the necessary rights), the Get-LocalGroupMember PowerShell cmdlet (PS 5.1+) gives you the local users.

       Get-LocalGroupMember Administrators  
    

    As for getting all the AD servers, you'll need to query AD for that. Then enumerate each server to get the members.

       Get-ADComputer -Filter * -SearchBase "DC=mycompany,DC=com"  
    

    Putting it all together for a report.

       $servers = Get-ADComputer -Filter * -SearchBase "DC=mycompany,DC=com" | Select-Object -ExpandProperty Name  
       foreach ($server in $servers) {  
           # -ComputerName opens the remote session; the remote cmdlet's output comes back as objects  
           Invoke-Command -ComputerName $server -Credential $adminCredentials -ScriptBlock {  
               Get-LocalGroupMember -Group Administrators  
           } | ForEach-Object { Write-Host "[$($_.PSComputerName)] $($_.Name)" }  
       }  
    

    Personally, if you want to manage the local admins then you should be using group policy for that. Have the group policy wipe out everyone in the local admins group and put in only the users you want. This is a per-machine list. By default you would likely only want your domain admins (maybe) and whoever runs your infrastructure but you can add additional people per machine.

    Refer to the following article on how to set up GP to do this automatically. If you really want to do it by script, then be aware that after your script runs any admin can add users back into the group. That is why GP is a better option.
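As an added example (not code from the original answer), the collection step above reworked into a report script: it returns objects instead of Write-Host text, writes unreachable hosts to a file so the scan can be rerun when they are back online, flags members outside an allow-list, and can optionally remove them. The domain DN follows the answer; the group names, file paths, and WinRM access to the targets are assumptions.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module, WinRM enabled on targets, and a
# caller with local admin rights on them. $ApprovedAdmins is an assumed allow-list; adjust.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'DC=mycompany,DC=com',
    [string[]]$ApprovedAdmins = @('MYCOMPANY\Domain Admins', 'MYCOMPANY\Workstation Admins'),
    [string]$ReportPath = '.\LocalAdmins.csv',
    [string]$UnreachablePath = '.\Unreachable.txt',
    [switch]$Remediate
)
Import-Module ActiveDirectory
# Enabled computers only; Name is what WinRM resolves.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name
# Runs on each host; returns objects (not Write-Host text) so they can be exported.
$collect = {
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object @{n='ComputerName';e={$env:COMPUTERNAME}}, Name, ObjectClass, PrincipalSource
    } catch {
        # Orphaned SIDs in the group make the cmdlet fail on some builds; keep the host in the report.
        [pscustomobject]@{ComputerName=$env:COMPUTERNAME; Name="ERROR: $($_.Exception.Message)"; ObjectClass=$null; PrincipalSource=$null}
    }
}
# Single fan-out; hosts that are down land in $remoteErrors instead of being dropped silently.
$results = Invoke-Command -ComputerName $computers -ScriptBlock $collect -ThrottleLimit 32 `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors
# TargetObject on a remoting connection error is the computer name; rerun against this file later.
$remoteErrors | ForEach-Object { $_.TargetObject } | Sort-Object -Unique | Set-Content $UnreachablePath
# Allow-list check. The built-in Administrator account is expected in the group, so it is treated as approved.
$report = $results | Select-Object ComputerName, Name, ObjectClass, PrincipalSource,
    @{n='Approved'; e={ $_.Name -in $ApprovedAdmins -or $_.Name -like '*\Administrator' }}
$report | Sort-Object ComputerName, Name | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Where-Object { -not $_.Approved } | Format-Table -AutoSize
# Optional cleanup of unapproved members. As the answer notes, without GPO they can be re-added,
# so this is a one-off; -WhatIf previews the removals.
if ($Remediate) {
    $report | Where-Object { -not $_.Approved -and $_.Name -notlike 'ERROR:*' } |
        Group-Object ComputerName | ForEach-Object {
            $names = @($_.Group.Name)
            if ($PSCmdlet.ShouldProcess($_.Name, "Remove from Administrators: $($names -join ', ')")) {
                Invoke-Command -ComputerName $_.Name -ArgumentList @(,$names) -ScriptBlock {
                    param($members) Remove-LocalGroupMember -Group 'Administrators' -Member $members
                }
            }
        }
}
```

Run it once without -Remediate to review the CSV, then with -Remediate -WhatIf to preview removals; the GPO approach the answer recommends is what keeps the group from drifting afterwards.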

