Level Verified

Windows Get Local Admins Script

Created by: Level
Type: Script
Category: Security
Platforms: Windows, Apple iOS, Linux

Problem Overview

This script addresses the challenge of managing local administrator privileges in Windows environments, where it can be difficult to discern which accounts hold elevated rights and whether those accounts remain enabled. By providing a clear overview of current local admins, it empowers IT professionals and MSPs to comply with security best practices and avert potential unauthorized access.

Description

The script examines the local Administrators group on a Windows system and keeps only the local user accounts that are enabled. Members that are groups, and accounts that have no local user object (such as domain accounts), are not included in the output. It then consolidates the remaining account names into a comma-separated list, giving you a concise snapshot of all active local admins. By returning an easy-to-read output, it streamlines privilege oversight and helps administrators rapidly identify any unexpected or unnecessary elevated privileges.

Because Level runs scripts with system-level permissions, no additional elevation is required. Once executed, you’ll have a swift and reliable means of auditing local administrative rights without complicated workarounds or manual checks.

Script

<#
This resource is provided as a convenience for Level users. We cannot 
guarantee it will work in all environments. Please test before deploying 
to your production environment. We welcome contributions to our community 
library

Level Library
https://level.io/library/script-windows-get-local-admins
#>

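# Get all local admins that are enabled.
# Only local user accounts are checked: groups and accounts without a local
# user object (for example domain accounts) are skipped, and the failed lookup
# is silenced instead of writing an error for each of them.
$admins = Get-LocalGroupMember -Group "Administrators" |
          Where-Object { $_.ObjectClass -eq 'User' -and (Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue).Enabled -eq $true } |
          Select-Object -ExpandProperty Name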

# Extract just the username by splitting on '\' and taking the last part
$admins = $admins | ForEach-Object { ($_ -split '\\')[-1] }

# Join the usernames into a single string separated by commas
$detectedAdmins = $admins -join ","

# Output for verification
Write-Output $detectedAdmins

Use Cases

  • Quickly auditing local admin privileges for compliance
  • Identifying dormant but enabled admin accounts
  • Spot-checking user elevations after onboarding or offboarding
  • Monitoring unauthorized privilege assignments on critical systems

Recommendations

  • Configure a script-based monitor in Level to run on demand whenever you suspect unauthorized changes in local admin privileges.
  • For regular checks, create a Level automation with a schedule trigger to run this script automatically at set intervals.
  • Always test the script in a non-production environment to confirm output accuracy.
  • Review detected admins against known policies to ensure only appropriate users have elevated access.
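
One way to automate the last recommendation, as an added example that is not part of Level's script: it compares every member of the local Administrators group, including groups and non-local accounts that the script above skips, against an approved list. The names in `$approved`, the `ALERT`/`OK` output strings and the use of a non-zero exit code to signal a finding are assumptions to adapt to your own policy and monitor.

```powershell
# Added example (not from the Level library).
# ASSUMPTION: constructed placeholder names; replace with your approved admins.
# Local users are listed by short name, everything else by full name.
$approved = @('Administrator', 'CONTOSO\Domain Admins', 'svc-helpdesk')

# Well-known SID of the built-in Administrators group (name-independent,
# so it also works on localized Windows installations).
$members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

$report = foreach ($m in $members) {
    # Only local user accounts have a local user object with an Enabled flag.
    $local = $null
    if ($m.ObjectClass -eq 'User') {
        $local = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
    }

    # Match local users on the short name; keep the full name for groups and
    # non-local accounts so 'CONTOSO\jsmith' is never confused with local 'jsmith'.
    $key = if ($local) { ($m.Name -split '\\')[-1] } else { $m.Name }

    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass
        Enabled     = if ($local) { $local.Enabled } else { $null }  # $null = unknown
        Approved    = $approved -contains $key
    }
}

# A disabled local account cannot log on, so report members that are
# unapproved and either enabled or of unknown state (groups, non-local accounts).
$unexpected = @($report | Where-Object { -not $_.Approved -and $_.Enabled -ne $false })

if ($unexpected.Count -gt 0) {
    Write-Output ("ALERT: unapproved admins: " + ($unexpected.Name -join ','))
    exit 1
}

Write-Output 'OK: all active members of Administrators are approved'
exit 0
```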

FAQ

  • How does the script authenticate to retrieve the list of administrators?
    Level runs scripts with System-level permissions, so additional credentials are not required.
  • Can I modify the target group to something other than “Administrators”?
    Yes, simply change the group name in the script if you have a different local group for admin-level privileges.
  • What if the script returns no results?
    It’s possible your Administrators group has no enabled local users, or it might be managed by a domain. Verify your Windows configuration and group memberships.
  • How do I troubleshoot errors or unexpected output?
    Check the Level logs for script execution details, confirm the targeted group name is correct, and ensure the local user objects can be accessed under current policies and configurations.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name: Windows - Get Local Admins

Description: This PowerShell script retrieves a list of all enabled local administrator accounts on a Windows system, processes them to extract just the usernames (removing domain prefixes if present), and outputs them as a comma-separated string. The script is part of the Level.io community library and includes built-in filtering to only show active administrator accounts, making it useful for auditing and monitoring administrative access on Windows machines.

Language: PowerShell

Timeout (In Seconds): 100

Run As: Local system
