{"id":7375,"date":"2023-10-15T21:27:52","date_gmt":"2023-10-15T21:27:52","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=7375"},"modified":"2023-11-09T23:18:45","modified_gmt":"2023-11-09T23:18:45","slug":"proactive-remediation-to-disable-all-local-admins-on-a-pc-thats-not-the-laps-user-for-azure-ad-devices","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/proactive-remediation-to-disable-all-local-admins-on-a-pc-thats-not-the-laps-user-for-azure-ad-devices","title":{"rendered":"Proactive Remediation to Disable all Local Admins on a PC that&#8217;s not the LAPS user for Azure AD devices"},"content":{"rendered":"\n<p>See the detection script here<\/p>\n\n\n\n<p><a href=\"https:\/\/pariswells.com\/blog\/research\/powershell-script-to-get-all-active-local-administrators-on-the-pc\/\">https:\/\/pariswells.com\/blog\/research\/powershell-script-to-get-all-active-local-administrators-on-the-pc\/<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\"># get the list of user names that are member of the Administrators group\n# we can't use Get-LocalGroupMember due to bug https:\/\/github.com\/PowerShell\/PowerShell\/issues\/2996\n# remove empty and non usable lines of the output\n\n$localadminallow = \"localadmin\"\n\n#get Local Admins\n\n$adminlist = (net localgroup Administrators) | Where-Object { $_ -match '\\S' } | Select-Object -Skip 4 | Select-Object -SkipLast 1\n\n#does our lap local admin exist and in Admin Group?\n\nif ($localadminallow -in $adminlist){ \n\n\t# now filter away the domain members you do not want to be listed \n\n\t$domain = \"domain.local\"\n\t$Regexes = '^(?!'+$domain+'\\\\).*$'\n\t$localAdmins = ($adminlist | Select-String -Pattern $Regexes).Line\n\n\t# now filter away the allow local admins \n\t \n\t$localAdmins = $localAdmins | Where-Object { $localadminallow -ne $_ }\n\n\n\t#Disable local Admins \n\t$ActiveLocalAdmins = foreach ($admin in $localAdmins)\n\t{\n\t (Get-LocalUser -Name $admin | ? {$_.enabled -eq 'True'}) | Disable-LocalUser\n\t}\n\n}\nelse \n{\n\tWrite-Host \"$localadminallow Does not exist\"\n}\n\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>See the detection script here https:\/\/pariswells.com\/blog\/research\/powershell-script-to-get-all-active-local-administrators-on-the-pc\/<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7375","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7375","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=7375"}],"version-history":[{"count":3,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7375\/revisions"}],"predecessor-version":[{"id":7426,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7375\/revisions\/7426"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=7375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=7375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=7375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}