PowerShell · Security
Audit local Administrators group members
Run via your RMM across all endpoints to detect unauthorised local admin access. Flags domain accounts, local accounts, and nested groups so you can enforce least-privilege. Pipe the output to a CSV for bulk review across a client site.
Script
Code
$computer = $env:COMPUTERNAME
$groupName = "Administrators"

try {
    # Bind to the local group through the WinNT provider and list its members
    $group = [ADSI]"WinNT://$computer/$groupName,group"
    $members = @($group.Invoke("Members"))
} catch {
    Write-Error "Could not enumerate local Administrators: $($_.Exception.Message)"
    exit 1
}

$results = foreach ($member in $members) {
    $obj = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $member
    $adspath = $obj.Path  # e.g. WinNT://DOMAIN/username, or WinNT://DOMAIN/COMPUTER/username for a local account
    [pscustomobject]@{
        Computer = $computer
        Account  = $obj.Name[0]
        # Local accounts carry the computer name as a path segment
        Type     = if ($adspath -match "/$([regex]::Escape($computer))/") { "Local" } else { "Domain" }
        Path     = $adspath
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path ".\LocalAdmins_$computer.csv" -NoTypeInformation
Write-Output "Exported to LocalAdmins_$computer.csv"
Usage
How to use this script
Review the script and test in a non-production environment before running at scale.
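For the bulk review across a client site, one way to triage the exported CSVs against an approved list. This is an added example, not part of the original script: the column names come from the script's output, while the approved list (including the hypothetical Workstation-Admins group) and the sample rows are constructed.

```powershell
# Added example: bulk review of the per-endpoint CSVs (columns: Computer, Account, Type, Path).
# The approved list and the sample rows below are constructed for illustration.

# Accounts you expect in local Administrators on every endpoint (assumption: adjust per client).
$approved = @(
    'Administrator'       # built-in local account
    'Domain Admins'       # default domain group
    'Workstation-Admins'  # hypothetical delegated admin group
)

# In production, load the real exports instead:
#   $rows = Get-ChildItem -Path .\LocalAdmins_*.csv | ForEach-Object { Import-Csv -Path $_.FullName }
$rows = @'
"Computer","Account","Type","Path"
"PC-001","Administrator","Local","WinNT://CONTOSO/PC-001/Administrator"
"PC-001","Domain Admins","Domain","WinNT://CONTOSO/Domain Admins"
"PC-001","jsmith","Domain","WinNT://CONTOSO/jsmith"
"PC-002","Administrator","Local","WinNT://CONTOSO/PC-002/Administrator"
"PC-002","Workstation-Admins","Domain","WinNT://CONTOSO/Workstation-Admins"
"PC-002","svc-backup","Local","WinNT://CONTOSO/PC-002/svc-backup"
'@ | ConvertFrom-Csv

# Anything not on the approved list needs a reviewer to justify or remove it.
# Matching is by account name only (case-insensitive); check Type and Path when names collide.
$unexpected = $rows | Where-Object { $approved -notcontains $_.Account }

# Per-endpoint view: which machines carry extra admins, and who they are.
$unexpected |
    Group-Object -Property Computer |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $_.Name
            Extra    = $_.Count
            Accounts = ($_.Group.Account -join ', ')
        }
    } | Format-Table -AutoSize

# Per-account view: an account that is admin on many endpoints is the higher-impact finding.
$unexpected |
    Group-Object -Property Account |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count |
    Format-Table -AutoSize
```

With the constructed rows, the review list contains jsmith on PC-001 and svc-backup on PC-002.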
Tags
security, least-privilege, local-admins, audit