Audit Membership of the Local Admins Group with PowerShell

Recently, I needed to make sure that specific accounts were members of the local administrators group on several servers along with making sure that no other users were members of it.

PowerShell version 5.1 introduced a module named Microsoft.PowerShell.LocalAccounts that contains the following commands for managing local users and groups.

Checking the group membership is as easy as running Get-LocalGroupMember within the script block of Invoke-Command and targeting remote systems.

Adding a user to the group is also simple. The commands seem very basic, although they get the job done. I was expecting an Identity parameter and maybe a PassThru parameter, but no such luck.

You could also group your output to make it easier to determine who’s on first and what’s on second.

And of course, removing a user is also easy and very similar to adding a user.
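An added example, not the author's original code: one way to run the audit described at the top of this post, comparing each server's Administrators group against an expected list and flagging missing and unexpected members. The server names and the `CONTOSO` principals are constructed placeholders, and targets where `Get-LocalGroupMember` is unavailable are reported instead of failing.

```powershell
# Constructed placeholders: replace with your own servers and approved members.
# '.\' stands for "local account on whichever server is being checked".
$servers  = 'SERVER01', 'SERVER02'
$expected = '.\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\svc-backup'

$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    # The LocalAccounts module ships with PowerShell 5.1; older targets lack the cmdlet.
    if (-not (Get-Command -Name Get-LocalGroupMember -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Name = $null; ModuleMissing = $true }
    }
    # Local accounts come back as COMPUTERNAME\User; normalize the prefix to '.\'
    # so one expected list can be compared against every server.
    $localPrefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
    Get-LocalGroupMember -Group Administrators | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name -replace $localPrefix, '.\'; ModuleMissing = $false }
    }
}

# Unreachable servers and remote errors must not be mistaken for a clean result.
foreach ($e in $failed) { Write-Warning "Audit incomplete: $e" }

$report = foreach ($server in ($results | Group-Object -Property PSComputerName)) {
    if ($server.Group[0].ModuleMissing) {
        [pscustomobject]@{ ComputerName = $server.Name; Member = $null; Status = 'NotAudited' }
        continue
    }
    $actual = @($server.Group.Name)
    # Compare-Object is case-insensitive by default, which suits account names.
    foreach ($diff in (Compare-Object -ReferenceObject $expected -DifferenceObject $actual -IncludeEqual)) {
        [pscustomobject]@{
            ComputerName = $server.Name
            Member       = $diff.InputObject
            Status       = switch ($diff.SideIndicator) {
                '==' { 'OK' }
                '<=' { 'Missing' }      # expected, but not in the group
                '=>' { 'Unexpected' }   # in the group, but not approved
            }
        }
    }
}

$report | Sort-Object -Property ComputerName, Status | Format-Table -AutoSize
```

Any row with a status other than `OK` needs follow-up, and `NotAudited` rows mean the membership of that server is still unknown.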

Another thought is that you could use the Write-SqlTableData and Read-SqlTableData commands that are part of the SqlServer PowerShell module to store this information in a database and compare it later to determine if any group membership changes have been made.

Please post any comments, questions, and/or suggestions as a comment to this blog article.

µ

2 Comments

  1. Joseph Fenly

    Hi Mike, thanks for this article. I guess this won’t work if the target endpoint isn’t running 5.1?

  2. vikram nanda

    Hello Mike,

    I have used the below command to get the members of the remote server's administrators, but I am getting the below error. Can you please assist me with this issue?

    command:

    PS C:\Windows\system32> Invoke-Command -ComputerName AVMP001 {
    Get-LocalGroupMember -Group Administrators
    }

    ERROR:
    The term ‘Get-LocalGroupMember’ is not recognized as the name of a cmdlet,
    function, script file, or operable program. Check the spelling of the name, or
    if a path was included, verify that the path is correct and try again.
    + CategoryInfo : ObjectNotFound: (Get-LocalGroupMember:String) []
    , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
    + PSComputerName : ADHPCWFMEP001
