Get Local Admins<\/p>\n\n\n\n
\n#Check is Machine in Azure AD as LAPs Azure AD only works in Domain Joined Mchines\n\n$subKey = Get-Item \"HKLM:\/SYSTEM\/CurrentControlSet\/Control\/CloudDomainJoin\/JoinInfo\"\n\n$guids = $subKey.GetSubKeyNames()\nforeach($guid in $guids) {\n$guidSubKey = $subKey.OpenSubKey($guid);\n$tenantId = $guidSubKey.GetValue(\"TenantId\");\n}\n\nif ($tenantId -ne $null) {\n\n\t# get the list of user names that are member of the Administrators group\n\t# we can't use Get-LocalGroupMember due to bug https:\/\/github.com\/PowerShell\/PowerShell\/issues\/2996\n\t# remove empty and non usable lines of the output\n\n\n\n\t$adminlist = (net localgroup Administrators) | Where-Object { $_ -match '\\S' } | Select-Object -Skip 4 | Select-Object -SkipLast 1\n\n\t# now filter away the domain members you do not want to be listed by finding items without \\\n\n\t$Regexes = '^[^\\\\]+$'\n\t$localAdmins = ($adminlist | Select-String -Pattern $Regexes).Line\n\n\t# now filter away the allow local admins \n\n\t$localadminallow = \"palocaladmin\" \n\t$localAdmins = $localAdmins | Where-Object { $localadminallow -ne $_ }\n\n\n\t#Get just the Active local Admins \n\t$ActiveLocalAdmins = foreach ($admin in $localAdmins)\n\t{\n\t (Get-LocalUser -Name $admin | ? {$_.enabled -eq 'True'}).name\n\t}\n\n\n\n\tif ($ActiveLocalAdmins) {\n\tWrite-host $ActiveLocalAdmins\n\tExit 1\n\t}\n\n}\n\nelse {\n\t\n\tExit 0\n\tWrite-host \"Not In Azure AD\"\n}<\/code><\/pre>\n\n\n\nGet Local and Domains Users in Admins<\/p>\n\n\n\n
\n#Check is Machine in Azure AD as LAPs Azure AD only works in Domain Joined Mchines\n\n$subKey = Get-Item \"HKLM:\/SYSTEM\/CurrentControlSet\/Control\/CloudDomainJoin\/JoinInfo\"\n\n$guids = $subKey.GetSubKeyNames()\nforeach($guid in $guids) {\n$guidSubKey = $subKey.OpenSubKey($guid);\n$tenantId = $guidSubKey.GetValue(\"TenantId\");\n}\n\nif ($tenantId -ne $null) {\n\n\t# get the list of user names that are member of the Administrators group\n\t# we can't use Get-LocalGroupMember due to bug https:\/\/github.com\/PowerShell\/PowerShell\/issues\/2996\n\t# remove empty and non usable lines of the output\n\n\t$adminlist = (net localgroup Administrators) | Where-Object { $_ -match '\\S' } | Select-Object -Skip 4 | Select-Object -SkipLast 1\n\t\n\t# now filter away accounts that have \\ for anything on the domain \n\n\t$Regexes = '^.*(\\\\).*$'\n\t$LocalDomainlAdmins = ($adminlist | Select-String -Pattern $Regexes).Line\n\t\n\t# now filter away Domain Admins \n\t$Regexes = '^((?!Domain Admins).)*$'\n\t$LocalDomainlAdmins = ($LocalDomainlAdmins | Select-String -Pattern $Regexes).Line\n\n\t# now filter away allowed Admins from list \n\t$Regexes = '(?i)^((?!mpandey|jcooper|chorton).)*$'\n\t$LocalDomainlAdmins = ($LocalDomainlAdmins | Select-String -Pattern $Regexes).Line\n\n\n\t# now filter only members without \\ for local admins\n\n\t$Regexes = '^[^\\\\]+$'\n\t$localAdmins = ($adminlist | Select-String -Pattern $Regexes).Line\n\n\t# now filter away the allowed local admins \n\n\t$Regexes = '(?i)^((?!property).)*$'\n\t$localAdmins = ($localAdmins | Select-String -Pattern $Regexes).Line\n\n\t#Get just the Active local Admins \n\t$ActiveLocalAdmins = foreach ($admin in $localAdmins)\n\t{\n\t (Get-LocalUser -Name $admin | ? {$_.enabled -eq 'True'}).name\n\t}\n\n\tif ($ActiveLocalAdmins -or $LocalDomainlAdmins ){\n\tWrite-host \"Local $ActiveLocalAdmins\" \"Domain $LocalDomainlAdmins\"\n\tExit 1\n\t}\n\n\n\n}\n\nelse {\n\t\n\tExit 0\n\tWrite-host \"Not In Azure AD\"\n}<\/code><\/pre>\n\n\n\nFind Local Admin Logins with Defender Advanced Hunting<\/p>\n\n\n\n
DeviceLogonEvents\r\n| where IsLocalAdmin == 1\r\n| project DeviceName, AccountDomain, AccountName, LogonType, ActionType\r\n| summarize count() by DeviceName, AccountName<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"Get Local Admins Get Local and Domains Users in Admins Find Local Admin Logins with Defender Advanced Hunting<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7276","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t