Easily Find Local Administrators on all Computers

In this article, I’ll show you how to get the local administrators on all computers in your network.

Users with local administrator rights have full control over the local computer. Administrator accounts are what attackers search for: they give an attacker full control of the computer, the ability to install malicious software, and a starting point for gaining full access to the entire network. Admin rights also make it easy for the user to install unwanted software that can contain a virus.

In a Microsoft Vulnerability report, they found that 85% of critical vulnerabilities could have been mitigated by removing admin rights.

What are local administrators?

On the local computer, there is a group called Administrators. Members of this local group have administrator rights on the local computer. You can see this group by going to Computer Management -> Local Users and Groups -> Groups.

In the screenshot above you can see I have four members in the local administrator group. Two of these members are domain groups (ADPRO\Domain Admins and ADPRO\Domain Users). It’s normal for domain admins and the local administrator account to be in this group.

Domain Users should not be in this group. This means every user in the domain has full admin rights to the computer.

Let’s check out two methods for hunting down users that have local administrator rights.

Method 1: Find Local Administrator Rights with GUI Tool

The AD Pro Toolkit includes a tool that makes it very easy to get all local administrators.

Requirements:

  1. AD Pro Toolkit – You can download a free trial here.
  2. WMI needs to be open on the endpoint firewall. If you have this blocked you can use group policy to open this up on all computers.

Step 1: Open Tool

Click on Local Group Management

Step 2: Select Search Options

You can choose to search the entire domain or pick an OU or group.

Step 3: Click Run

Now just click the run button. The results will be displayed in the report section.

By default, the tool will display all local groups and group members. You can use the built-in filtering to remove unwanted groups and group members. In step 4 I’ll show you how to filter for the Administrators group.

Step 4: Filter Results

Right click the Group Name column and select “Filter Editor”

Create a filter Group Name = Administrators and click Ok.

Now the report will display only the Administrators group.

At this point, you have a report of who has local administrator rights on all computers. You can use the filter to filter out members that can be ignored, such as the Domain Admins.

If you want to add more filters, just add another condition. Here is an example of removing the Domain Admins: Member Name does not equal Domain Admins.

To export, click the export button, select a format, and select “export all rows”.

Now you will have a report of all local administrators on all computers. In the screenshot below I highlighted some accounts that should not have admin rights. I’ll need to investigate these computers.

Method 2: Find Local Administrator Rights with PowerShell

To find local administrators with PowerShell you can use the Get-LocalGroupMember command.

Here is an example of running it on a local computer:

Get-LocalGroupMember -Group "Administrators"

The above example runs the command on the local computer. To run it on a remote computer you can use Invoke-Command. For this to work you will need to have PowerShell Remoting enabled. It’s disabled by default.

You can use the command Enable-PSRemoting to enable PowerShell Remoting. You would need to use group policy or some other deployment method to enable it on all computers.

When PowerShell Remoting is enabled you can use this command to get the local administrators on remote computers.

Invoke-Command -ComputerName pc2 -ScriptBlock { Get-LocalGroupMember -Name 'Administrators' }

To run this command on multiple computers, just separate them with a comma. Here is an example of running this command on computers with the hostnames PC1 and PC2.

Invoke-Command -ComputerName pc1, pc2 -ScriptBlock { Get-LocalGroupMember -Name 'Administrators' }

The output is not ideal compared to the GUI tool but if you are into PowerShell you can modify the output.
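One way to shape that output into a reviewable report, as an added example that is not part of the original article: it collects the Administrators members from each computer, labels them by well-known SID, and exports a CSV. The hostnames pc1 and pc2 are the article's samples; the output path and the wording of the notes are assumptions.

```powershell
# Added example. pc1/pc2 are the article's sample hostnames; the CSV path is an assumption.
$computers = 'pc1', 'pc2'
$outFile   = '.\local-admins.csv'

# Query by the well-known SID of the built-in Administrators group (S-1-5-32-544)
# so the lookup does not depend on the group's localized display name.
$rows = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, @{ Name = 'SID'; Expression = { $_.SID.Value } }
}

# Flatten to one row per computer/member and classify by well-known SID or RID.
$report = foreach ($r in $rows) {
    $note = switch -Regex ($r.SID) {
        '^S-1-5-21-.+-500$' { 'Expected: built-in Administrator account' }
        '^S-1-5-21-.+-512$' { 'Expected: Domain Admins' }
        '^S-1-5-21-.+-513$' { 'REVIEW: Domain Users (every domain user is a local admin)' }
        '^S-1-5-11$'        { 'REVIEW: Authenticated Users' }
        '^S-1-1-0$'         { 'REVIEW: Everyone' }
        default             { 'REVIEW: confirm this member needs admin rights' }
    }
    [pscustomobject]@{
        Computer    = $r.PSComputerName
        Member      = $r.Name
        ObjectClass = $r.ObjectClass
        SID         = $r.SID
        Note        = $note
    }
}

$report | Sort-Object Computer, Member | Export-Csv -Path $outFile -NoTypeInformation

# Members that need a decision, and computers that returned nothing (offline or remoting blocked).
$report | Where-Object Note -like 'REVIEW*' | Format-Table Computer, Member, Note -AutoSize
$computers | Where-Object { $_ -notin $rows.PSComputerName } |
    ForEach-Object { Write-Warning "No data from $_" }
```

Computers listed in the warnings were not audited, so they need a second pass before the report is treated as complete.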

Removing Local Administrator Rights

I’ve just shown you two methods for finding administrator rights. Now you need to identify the users that do not need these rights and remove them.

The best way to remove local administrator rights is to use group policy and Restricted groups. Restricted groups allow you to centrally manage the local groups on all computers in your domain. You can also target specific computers or OUs instead of the entire domain.

I wrote a separate how-to guide on this; you can check it out here.
