Proactive Remediation to Disable all Local Admins on a PC that’s not the LAPS user for Azure AD devices

See Detection here

https://pariswells.com/blog/research/powershell-script-to-get-all-active-local-administrators-on-the-pc/

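# get the list of user names that are member of the Administrators group
# we can't use Get-LocalGroupMember due to bug https://github.com/PowerShell/PowerShell/issues/2996
# remove empty and non usable lines of the output

# Name of the LAPS-managed local administrator that must keep its membership and stay enabled.
$localadminallow = "localadmin"

# Domain whose members are left alone: they are not local accounts, so Disable-LocalUser
# cannot act on them anyway.
$domain = "domain.local"

#get Local Admins
# 'net localgroup' prints a 4-line header and a 1-line trailer around the member list;
# keep only the non-blank lines in between. The layout is locale/OS dependent, so
# confirm the offsets on non-English builds before relying on this parsing.
$adminlist = (net localgroup Administrators) | Where-Object { $_ -match '\S' } | Select-Object -Skip 4 | Select-Object -SkipLast 1

#does our lap local admin exist and in Admin Group?
if ($localadminallow -in $adminlist) {

	# Membership alone is not enough: refuse to disable the other admins when the allowed
	# account is missing or itself disabled, otherwise the device is left with no usable
	# local administrator.
	$allowedAccount = Get-LocalUser -Name $localadminallow -ErrorAction SilentlyContinue
	if (-not $allowedAccount -or -not $allowedAccount.Enabled) {
		Write-Host "$localadminallow is not an enabled local account, nothing disabled"
		# non-zero exit so the remediation is reported as failed rather than successful
		exit 1
	}

	# now filter away the domain members you do not want to be listed
	# [regex]::Escape so a '.' in the domain name matches literally instead of any character.
	$Regexes = '^(?!' + [regex]::Escape($domain) + '\\).*$'
	$localAdmins = @($adminlist | Select-String -Pattern $Regexes | ForEach-Object { $_.Line })

	# now filter away the allow local admins
	$localAdmins = @($localAdmins | Where-Object { $localadminallow -ne $_ })

	#Disable local Admins
	foreach ($admin in $localAdmins) {
		# Members that are not local user accounts (groups, AzureAD\ or other domain
		# principals) have no Get-LocalUser record; report them instead of erroring.
		$user = Get-LocalUser -Name $admin -ErrorAction SilentlyContinue
		if (-not $user) {
			Write-Host "Skipping $admin (not a local user account)"
			continue
		}
		# Enabled is a boolean property; compare it directly rather than against the string 'True'.
		if ($user.Enabled) {
			$user | Disable-LocalUser
			Write-Host "Disabled $admin"
		}
	}
}
else {
	Write-Host "$localadminallow Does not exist"
	# non-zero exit so the remediation is reported as failed rather than successful
	exit 1
}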
