Knowing who has local admin rights on your computers is critical for security. In this guide, I’ll show you how to get members of the local administrators group using PowerShell, and the AD Pro Toolkit. I’ll cover checking a single computer, scanning all computers, and exporting the results.
Table of contents
- Get Local Administrators using PowerShell
- Get Local Administrators using PowerShell (Multiple Computers)
- Get Local Administrators group members with AD Pro Toolkit
- Get Group Members of All Local Groups
Get Local Administrators using PowerShell
Use the Get-LocalGroupMember cmdlet to get members of the local administrator group.
Get-LocalGroupMember -Group "Administrators"
In the above screenshot, you can see I have several groups and users that are a member of the local administrators group. It even shows members that are part of another domain.
To export the list of administrators, use this command.
Get-LocalGroupMember -Group "Administrators" | Export-Csv -path c:\temp\localadmins.csvGet Local Administrators using PowerShell (Multiple Computers)
To get the local administrators on multiple computers you need to have PowerShell Remoting enabled.
When PowerShell Remoting is enabled you can then use the Invoke-Command to get the local administrator on multiple computers. To run this command on multiple computers just separate them with a comma. Here is an example of running this command on computers with the hostname of PC1 and PC2.
Invoke-Command -ComputerName pc2, pc1 -ScriptBlock {Get-LocalGroupMember -Name 'Administrators'}
You can see in the above screenshot the output is not ideal and would require some additional work. This is why I created the AD Pro Toolkit, it makes scanning multiple computers for local admins very easy and the output is simple to read.
Need to audit local admins across all computers? AD Pro Toolkit scans your entire domain and exports the results in one click. Try it free for 14 days.
Get Local Administrators group members with AD Pro Toolkit
The AD Pro Toolkit includes a Local Admins Report tool that lets you scan one or all computers and get a list of every member in the local administrators group. No PowerShell needed, just select the computers, click run, and export the results.
Requirements:
WMI needs to be allowed on the Windows Firewall Settings. If you have this blocked you can use group policy to open this up on all computers.
Step 1: Click on “Security Tools” and then “Local Admins Report”
Step 2. Click “Browse OU” to select an OU or the entire domain
Step 3. Click “Scan” to start scanning computers.
Note: The expand group members option will show the members of a group.
Step 4: To export the report to csv click the export csv button.
Now you will have a report of all local administrators on all computers. In the screenshot below I highlighted some accounts that should not have admin rights. I’ll need to investigate these computers.
CSV Sample export
Get Group Members of All Local Groups
The toolkit also lets you get members of all local groups. For example, maybe you need to audit who has RDP access, who is a backup operator and so on.
- Go to Computers > Local Group Check
- Select an OU and click scan.
Download AD Pro Toolkit and try this tool for free.
I’ve just shown you two methods for finding administrator rights. Now you need to identify the users that do not need these rights and remove them.
The best way to remove local administrator rights is to use group policy and Restricted groups. Restricted groups allow you to centrally manage the local groups on all computers in your domain. You can also target specific computers or OUs instead of the entire domain.