Audit Local Admin Group Membership PowerShell

Auditing system access can be made much easier with PowerShell.  This function returns the members of the local Administrators group on a Windows system by using WMI.  If domain groups are nested in the local Administrators group, the -EnumerateDomainGroups parameter makes the script attempt to pull the membership of those groups from AD.  That part relies on PowerShell's AD module, which is required if you want to enumerate the groups.  The result is a list of all user accounts, local and domain, that have administrative access to the system.

Here I’m just asking for the members of Administrators with no domain enumeration.


And here I’m asking the function to go out to AD and find out which user accounts are members of the domain groups. Even though I had to blank out most of the results, you can see that it pulled user objects from the “domain admins” group.


Function Code:

Get-LocalAdminGroupMembers

function Get-LocalAdminGroupMembers {
<#
.SYNOPSIS
Get a list of accounts in the local admin group of a system
.DESCRIPTION
Get-LocalAdminGroupMembers uses WMI (Win32_GroupUser) to gather a list of the members of the local Administrators group
.EXAMPLE
Get-LocalAdminGroupMembers

DESCRIPTION
-----------
This command will return the members of the administrators group for the local system
.EXAMPLE
Get-LocalAdminGroupMembers -ComputerName "SERVER1"

DESCRIPTION
-----------
This command will return the members of the administrators group for the system named SERVER1
.EXAMPLE
Get-LocalAdminGroupMembers -ComputerName "SERVER1" -EnumerateDomainGroups

DESCRIPTION
-----------
This is the same as the previous example with one difference: it will attempt to identify/enumerate
the members nested into any identified domain groups.  This requires the AD PowerShell module.
#>
    [CmdletBinding()] param (
        [parameter(Mandatory=$false)] [string]$ComputerName=$env:COMPUTERNAME,
        [parameter(Mandatory=$false)] [switch]$EnumerateDomainGroups,
        [parameter(Mandatory=$false)] [Management.Automation.PSCredential] $Credential
    )
    PROCESS {

        $resultArray = @()

        # If an FQDN was supplied, keep only the host name so it can be compared with the
        # Domain field of local accounts (WMI reports that as the bare computer name).
        # Done once before the loop; the original did this per member and cut off one character too many.
        $hostName = $ComputerName
        if ($hostName.IndexOf('.') -ne -1) {
            $hostName = $hostName.Substring(0, $hostName.IndexOf('.'))
        }

        try {

            # get wmi group member info for local admin group
            $wmiParams = @{ Class = 'Win32_GroupUser'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
            if ($Credential) { $wmiParams.Credential = $Credential }
            $adminObjects = Get-WmiObject @wmiParams | Where-Object { $_.GroupComponent -like '*Name="Administrators"' }

            foreach ($adminObject in $adminObjects) {
                $partComponent = $adminObject.PartComponent

                # PartComponent is a WMI reference such as
                #   \\HOST\root\cimv2:Win32_UserAccount.Domain="CONTOSO",Name="jdoe"
                # pull the class, domain and account name out of it
                if ($partComponent -notmatch '(?<class>Win32_\w+)\.Domain="(?<domain>[^"]*)",Name="(?<name>[^"]*)"$') {
                    Write-Warning "Unrecognised member reference: $partComponent"
                    continue
                }
                $itemClass  = $Matches['class']
                $domainName = $Matches['domain']
                $itemName   = $Matches['name']

                # determine account type
                $acctType = switch ($itemClass) {
                    'Win32_UserAccount'   { if ($domainName -eq $hostName) { 'Local User' } else { 'Domain User' } }
                    'Win32_Group'         { 'Domain Group' }
                    'Win32_SystemAccount' { 'System' }
                    default               { 'UNKNOWN' }
                }

                # try to get domain group members
                $enumerated = $false
                if ($EnumerateDomainGroups -and $acctType -eq "Domain Group") {
                    try {
                        $nested = @(Get-ADGroupMember -Recursive -Identity $itemName -ErrorAction Stop)
                        foreach ($member in $nested) {
                            # create custom member object for each nested user
                            $resultArray += New-Object PSObject -Property @{
                                COMPUTER_NAME = $ComputerName
                                ACCOUNT_TYPE  = "Domain Nested User"
                                ACCOUNT_NAME  = $member.Name
                                DOMAIN_NAME   = $domainName
                                PARENT_GROUP  = $itemName
                            }
                        }
                        $enumerated = $true
                    }
                    catch {
                        Write-Warning "Enumerating Domain Group $itemName failed: $_"
                    }
                }

                # record the member itself unless it was a domain group that was expanded above
                # (the original re-added the last nested user here, producing a duplicate row)
                if (-not $enumerated) {
                    $resultArray += New-Object PSObject -Property @{
                        COMPUTER_NAME = $ComputerName
                        ACCOUNT_TYPE  = $acctType
                        ACCOUNT_NAME  = $itemName
                        DOMAIN_NAME   = $domainName
                        PARENT_GROUP  = ""
                    }
                }
            }
        }
        catch {
            Write-Warning "Querying $ComputerName failed: $_"
            return
        }

        return ($resultArray | Sort-Object ACCOUNT_TYPE)
    }
}
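Once the function is loaded, the audit question is usually "who is an admin that should not be?". The following is an added example, not code from the original post: it runs Get-LocalAdminGroupMembers over a set of hosts and reports every direct member that is not in an approved baseline. The baseline hashtable, host names and account names are constructed for illustration.

```powershell
# Assumes Get-LocalAdminGroupMembers from this post is already loaded in the session.
# Constructed baseline: host (NetBIOS name) -> "DOMAIN\Account" entries allowed to be admins.
$ApprovedAdmins = @{
    'SERVER1' = @('CONTOSO\Domain Admins', 'SERVER1\Administrator', 'CONTOSO\srv1-admins')
    'SERVER2' = @('CONTOSO\Domain Admins', 'SERVER2\Administrator')
}

function Test-LocalAdminBaseline {
    param (
        [Parameter(Mandatory=$true)] [hashtable]$Baseline,
        [Management.Automation.PSCredential] $Credential
    )

    foreach ($hostName in $Baseline.Keys) {
        $params = @{ ComputerName = $hostName }
        if ($Credential) { $params.Credential = $Credential }

        # Direct members only (no -EnumerateDomainGroups): nested users inherit approval
        # from their parent group, so the group itself is what gets compared to the baseline.
        $members = Get-LocalAdminGroupMembers @params
        if (-not $members) {
            Write-Warning "$hostName returned no members (query failed or host unreachable)"
            continue
        }

        $allowed = $Baseline[$hostName]
        foreach ($m in $members) {
            $account = "$($m.DOMAIN_NAME)\$($m.ACCOUNT_NAME)"
            if ($allowed -notcontains $account) {
                # one finding object per unexpected admin, so output can be exported or alerted on
                [PSCustomObject]@{
                    COMPUTER_NAME = $hostName
                    ACCOUNT       = $account
                    ACCOUNT_TYPE  = $m.ACCOUNT_TYPE
                    FINDING       = 'Not in approved baseline'
                }
            }
        }
    }
}

# Usage: write the findings to CSV for review
Test-LocalAdminBaseline -Baseline $ApprovedAdmins | Export-Csv -NoTypeInformation -Path .\unexpected-admins.csv
```

Hosts that are in the baseline but cannot be queried are reported as warnings rather than silently passing, since an unreachable host is itself something the audit should surface.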
