_groovyNerd

Get-LocalAdministrators

by

_groovyNerd
in

When managing users in a Windows environment, having a clear understanding of who has local administrator rights is crucial. This becomes even more important when working with devices that are joined to Azure Active Directory (Azure AD) or EntraID, as some accounts may have local admin rights automatically granted.

In this post, I’ll show you a simple PowerShell script that allows you to quickly identify which members of the local administrators group are Azure AD (Cloud) users. This helps you stay in control of your devices and ensures compliance with your organization’s security policies.

PowerShell
# Retrieve the members of the local administrators group
$members = net localgroup administrators

# Skip the header and footer to isolate the actual members
$localMembers = $members[6..($members.Length-3)]

# Loop through each local admin member
ForEach ($LocalMember in $LocalMembers) {
    
    # Check if the member is an Azure AD user and exclude the default "AzureAD\Administrator" account
    If ($LocalMember -Like "AzureAD*" -and $LocalMember -notlike "AzureAD\Administrator") {
        
        # Output the Azure AD user
        $LocalMember
    }
    Else {
        # You can add any additional actions for non-Azure AD users here if needed
    }
}

Let’s walk through how the script works:

  1. Retrieve Local Administrators:
    • The net localgroup administrators command is used to get a list of all the members in the local administrators group.
  2. Isolate the Actual Members:
    • The $localMembers = $members[6..($members.Length-3)] line skips the first 6 lines (which are typically headers and group names) and excludes the last 3 lines, which usually contain command summaries.
  3. Loop Through Members:
    • The ForEach loop iterates through each local admin member to process it.
  4. Identify Azure AD Users:
    • The script checks if the admin member name starts with "AzureAD*" to identify cloud-based users.
    • It also ensures that the default "AzureAD\Administrator" account (which is often present) is excluded, as this account may not need to be listed.
  5. Output the Azure AD Users:
    • The script prints the names of the Azure AD users who are members of the local administrators group.

Why This Is Useful

This script is particularly helpful for IT administrators who need to:

  • Ensure that only authorized users have local administrator privileges.
  • Maintain compliance with security policies by auditing admin accounts on devices.
  • Identify which admin users are Azure AD or EntraID users, so they can take appropriate actions if necessary.

Running the Script

To run the script:

  1. Open PowerShell with administrator rights on the device you want to audit.
  2. Copy and paste the script into the PowerShell window.
  3. Press Enter to execute the script.
  4. You will see a list of Azure AD users who have local admin rights on the device.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *