Local administrator group audit across Windows endpoints
A read-only local administrator audit that records privileged group membership across Windows endpoints for review.
Good For
- privileged access review
- workstation audits
- server hardening
- incident scoping
- identity cleanup
How to Use It
- Start with a scoped server or workstation list so the audit does not become an unfocused domain crawl.
- Capture current local Administrators membership and preserve computer name, principal name, object type, and source.
- Compare results against approved break-glass, support, endpoint-management, and server-owner groups.
- If unexpected users or groups appear, validate through change history before requesting removal.
- Export results to CSV for identity owner review and exception tracking.
- Use the findings to create a remediation plan, not to automatically remove access during discovery.
Execution Modes
- local
- remote-single-host
- remote-host-list
- ad-filtered
Inputs and Outputs
Inputs
- computer name
- CSV or TXT endpoint list
- Active Directory computer scope
- approved admin group list
Outputs
- verbose-console
- csv
Command Starter
Safe to run: read-only
# ---------------------------------------------------------------------
# Operator inputs
# ---------------------------------------------------------------------
$ComputerNames = @('server01')
$OutputPath = '.\local-administrators-audit.csv'

# ---------------------------------------------------------------------
# Collect local Administrators membership from each scoped endpoint
# ---------------------------------------------------------------------
$Results = foreach ($ComputerName in $ComputerNames) {
    try {
        Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                ForEach-Object {
                    [pscustomobject]@{
                        ComputerName    = $env:COMPUTERNAME
                        PrincipalName   = $_.Name
                        ObjectClass     = $_.ObjectClass
                        PrincipalSource = $_.PrincipalSource
                        # Kept on success rows too, so every row has the same
                        # columns and Export-Csv does not drop the Error field.
                        Error           = $null
                    }
                }
        }
    }
    catch {
        # Unreachable or access-denied endpoint: record the failure instead of
        # silently leaving the host out of the audit.
        [pscustomobject]@{
            ComputerName    = $ComputerName
            PrincipalName   = $null
            ObjectClass     = $null
            PrincipalSource = $null
            Error           = $_.Exception.Message
        }
    }
}

$Results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
$Results | Format-Table -AutoSize
Validation
- Every audited endpoint has a recorded local Administrators membership result or an access/error note.
- Unexpected principals are classified as approved, exception, unknown, or removal candidate.
- Any later removal work has separate approval and a rollback path through a known admin account or management tool.
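The comparison step in How to Use It and the classification item above can be scripted over the starter's CSV rows. The following is an added example, not part of the page's starter script; the approved list, the exception table, its note format, and the sample rows are constructed.

```powershell
# Added example: classify collected local Administrators rows against an
# approved list. Approved names, exceptions and sample rows are constructed.

# Entries without a domain prefix are matched against the endpoint's own
# local accounts (for example the built-in Administrator on every host).
$ApprovedPrincipals = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Support', 'Administrator')
# Documented, time-boxed exceptions from the audit worksheet (assumed format).
$Exceptions = @{ 'CONTOSO\svc-backup' = 'CHG0001234, expires 2025-12-31' }

# Constructed sample rows in the shape the starter script exports.
$Results = @(
    [pscustomobject]@{ ComputerName='SERVER01'; PrincipalName='SERVER01\Administrator'; ObjectClass='User';  PrincipalSource='Local';           Error=$null }
    [pscustomobject]@{ ComputerName='SERVER01'; PrincipalName='CONTOSO\Domain Admins';  ObjectClass='Group'; PrincipalSource='ActiveDirectory'; Error=$null }
    [pscustomobject]@{ ComputerName='SERVER01'; PrincipalName='CONTOSO\svc-backup';     ObjectClass='User';  PrincipalSource='ActiveDirectory'; Error=$null }
    [pscustomobject]@{ ComputerName='SERVER01'; PrincipalName='CONTOSO\jdoe';           ObjectClass='User';  PrincipalSource='ActiveDirectory'; Error=$null }
    [pscustomobject]@{ ComputerName='SERVER01'; PrincipalName='S-1-5-21-1111-2222-3333-1105'; ObjectClass='User'; PrincipalSource='Unknown'; Error=$null }
    [pscustomobject]@{ ComputerName='SERVER02'; PrincipalName=$null; ObjectClass=$null; PrincipalSource=$null; Error='WinRM cannot complete the operation' }
)

function Get-PrincipalClassification {
    param([pscustomobject]$Row)
    if ($Row.Error) { return 'collection-error' }      # host kept in the report per the validation list
    # Deleted accounts may surface as a raw SID with source Unknown: flag for follow-up, not removal.
    if ($Row.PrincipalSource -eq 'Unknown' -or $Row.PrincipalName -match '^S-1-\d+(-\d+)+$') { return 'unknown' }
    if ($ApprovedPrincipals -contains $Row.PrincipalName) { return 'approved' }
    if ($Row.PrincipalSource -eq 'Local') {
        # Local members are reported as COMPUTER\Name; compare the bare name.
        $bare = $Row.PrincipalName -replace "^$([regex]::Escape($Row.ComputerName))\\", ''
        if ($ApprovedPrincipals -contains $bare) { return 'approved' }
    }
    if ($Exceptions.ContainsKey($Row.PrincipalName)) { return 'exception' }
    return 'removal-candidate'                          # still needs change-history validation and owner approval
}

$Classified = $Results | Select-Object *,
    @{ n = 'Classification'; e = { Get-PrincipalClassification $_ } },
    @{ n = 'ExceptionNote';  e = { if ($_.PrincipalName) { $Exceptions[$_.PrincipalName] } } }

$Classified | Export-Csv -Path '.\local-administrators-classified.csv' -NoTypeInformation -Encoding UTF8
$Classified | Format-Table ComputerName, PrincipalName, PrincipalSource, Classification, ExceptionNote -AutoSize
```

With the sample rows, the output marks the built-in Administrator and Domain Admins as approved, svc-backup as an exception, jdoe as a removal candidate, the orphaned SID as unknown, and SERVER02 as a collection error.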
Reporting
- export local administrator membership to CSV for identity review
- track unknown principals and exceptions in the ticket or audit worksheet
- promote repeated use into a privileged-access drift report
Safety Notes
- This audit is read-only and should not remove users or groups.
- Do not remediate privileged access without break-glass validation, owner approval, and rollback planning.