{"id":7276,"date":"2023-09-01T03:25:02","date_gmt":"2023-09-01T03:25:02","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=7276"},"modified":"2024-01-24T23:12:43","modified_gmt":"2024-01-24T23:12:43","slug":"powershell-script-to-get-all-active-local-administrators-on-the-pc","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/powershell-script-to-get-all-active-local-administrators-on-the-pc","title":{"rendered":"Powershell Script or Advanced Hunting to Get All Active Local Administrators on the PC"},"content":{"rendered":"\n<p>Get Local Admins<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">\n#Check if Machine is in Azure AD as LAPS Azure AD only works in Domain Joined Machines\n\n$subKey = Get-Item \"HKLM:\/SYSTEM\/CurrentControlSet\/Control\/CloudDomainJoin\/JoinInfo\"\n\n$guids = $subKey.GetSubKeyNames()\nforeach($guid in $guids) {\n$guidSubKey = $subKey.OpenSubKey($guid);\n$tenantId = $guidSubKey.GetValue(\"TenantId\");\n}\n\nif ($tenantId -ne $null) {\n\n\t# get the list of user names that are members of the Administrators group\n\t# we can't use Get-LocalGroupMember due to bug https:\/\/github.com\/PowerShell\/PowerShell\/issues\/2996\n\t# remove empty and non-usable lines of the output\n\n\n\n\t$adminlist = (net localgroup Administrators) | Where-Object { $_ -match '\\S' } | Select-Object -Skip 4 | Select-Object -SkipLast 1\n\n\t# now filter away the domain members you do not want to be listed by finding items without \\\n\n\t$Regexes = '^[^\\\\]+$'\n\t$localAdmins = ($adminlist | Select-String -Pattern $Regexes).Line\n\n\t# now filter away the allowed local admins \n\n\t$localadminallow = \"palocaladmin\" \n\t$localAdmins = $localAdmins | Where-Object { $localadminallow -ne $_ }\n\n\n\t#Get just the Active local Admins \n\t$ActiveLocalAdmins = foreach ($admin in $localAdmins)\n\t{\n\t (Get-LocalUser -Name $admin | ? 
{$_.enabled -eq 'True'}).name\n\t}\n\n\n\n\tif ($ActiveLocalAdmins) {\n\tWrite-host $ActiveLocalAdmins\n\tExit 1\n\t}\n\n}\n\nelse {\n\t\n\tExit 0\n\tWrite-host \"Not In Azure AD\"\n}<\/code><\/pre>\n\n\n\n<p>Get Local and Domains Users in Admins<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">\n#Check if Machine is in Azure AD as LAPS Azure AD only works in Domain Joined Machines\n\n$subKey = Get-Item \"HKLM:\/SYSTEM\/CurrentControlSet\/Control\/CloudDomainJoin\/JoinInfo\"\n\n$guids = $subKey.GetSubKeyNames()\nforeach($guid in $guids) {\n$guidSubKey = $subKey.OpenSubKey($guid);\n$tenantId = $guidSubKey.GetValue(\"TenantId\");\n}\n\nif ($tenantId -ne $null) {\n\n\t# get the list of user names that are members of the Administrators group\n\t# we can't use Get-LocalGroupMember due to bug https:\/\/github.com\/PowerShell\/PowerShell\/issues\/2996\n\t# remove empty and non-usable lines of the output\n\n\t$adminlist = (net localgroup Administrators) | Where-Object { $_ -match '\\S' } | Select-Object -Skip 4 | Select-Object -SkipLast 1\n\t\n\t# now filter away accounts that have \\ for anything on the domain \n\n\t$Regexes = '^.*(\\\\).*$'\n\t$LocalDomainlAdmins = ($adminlist | Select-String -Pattern $Regexes).Line\n\t\n\t# now filter away Domain Admins \n\t$Regexes = '^((?!Domain Admins).)*$'\n\t$LocalDomainlAdmins = ($LocalDomainlAdmins | Select-String -Pattern $Regexes).Line\n\n\t# now filter away allowed Admins from the list \n\t$Regexes = '(?i)^((?!mpandey|jcooper|chorton).)*$'\n\t$LocalDomainlAdmins = ($LocalDomainlAdmins | Select-String -Pattern $Regexes).Line\n\n\n\t# now filter only members without \\ for local admins\n\n\t$Regexes = '^[^\\\\]+$'\n\t$localAdmins = ($adminlist | Select-String -Pattern $Regexes).Line\n\n\t# now filter away the allowed local admins \n\n\t$Regexes = '(?i)^((?!property).)*$'\n\t$localAdmins = ($localAdmins | Select-String -Pattern $Regexes).Line\n\n\t#Get just the Active local Admins 
\n\t$ActiveLocalAdmins = foreach ($admin in $localAdmins)\n\t{\n\t (Get-LocalUser -Name $admin | ? {$_.enabled -eq 'True'}).name\n\t}\n\n\tif ($ActiveLocalAdmins -or $LocalDomainlAdmins ){\n\tWrite-host \"Local $ActiveLocalAdmins\" \"Domain $LocalDomainlAdmins\"\n\tExit 1\n\t}\n\n\n\n}\n\nelse {\n\t\n\tExit 0\n\tWrite-host \"Not In Azure AD\"\n}<\/code><\/pre>\n\n\n\n<p>Find Local Admin Logins with Defender Advanced Hunting<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">DeviceLogonEvents\r\n| where IsLocalAdmin == 1\r\n| project DeviceName, AccountDomain, AccountName, LogonType, ActionType\r\n| summarize count() by DeviceName, AccountName<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Get Local Admins Get Local and Domains Users in Admins Find Local Admin Logins with Defender Advanced Hunting<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7276","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=7276"}],"version-history":[{"count":8,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7276\/revisions"}],"predecessor-version":[{"id":7610,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7276\/revisions\/7610"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=7276"}],"wp:term":[{
"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=7276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=7276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}