Level Verified

Windows Unauthorized Admins Script

Created by

Level

Type

Script

Category

Security

Platforms
Windows, Apple iOS, Linux

Problem Overview

This script tackles the often-overlooked issue of unauthorized local administrators on Windows endpoints by automatically detecting any admin accounts that are not officially approved, preventing security gaps that can arise from unnoticed privileged users.

Description

It leverages Level script variables (such as “DetectedAdmins”) alongside custom fields (for example, “AuthorizedAdmins”) to cross-check active Windows admin accounts against your organization’s sanctioned admin list. If any unapproved user is found, the script flags and reports them, then exits with an error code to trigger alerts or additional actions through Level. By integrating with a script-based monitor, you can seamlessly generate notifications whenever an unauthorized admin appears.

Script

<#
This resource is provided as a convenience for Level users. We cannot 
guarantee it will work in all environments. Please test before deploying 
to your production environment. We welcome contributions to our community 
library

Level Library
https://level.io/library/script-windows-unauthorized-admins
#>

$AuthorizedAdmins = "{{cf_authorized_admins}}"

# Convert both lists to arrays: split on commas, trim spaces and lowercase for a
# case-insensitive comparison. Empty entries are dropped, because an empty input
# string would otherwise yield one "" element that is flagged as unauthorized.
$detectedAdmins = "{{DetectedAdmins}}"
$detectedArray = @($detectedAdmins -split ',' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
$authorizedArray = @($AuthorizedAdmins -split ',' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })

# Find admins in the detected list but not in the authorized list.
# @() forces an array even when zero or one account matches, so .Count is reliable.
$unauthorizedAdmins = @($detectedArray | Where-Object { $authorizedArray -notcontains $_ })

# Output unauthorized admins separated by commas
$unauthorizedString = $unauthorizedAdmins -join ','

if ($unauthorizedAdmins.Count -gt 0) {
    Write-Output "$unauthorizedString"
    exit 1
} else {
    Write-Output "No unauthorized admins detected."
    exit 0
}
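The script above consumes a "DetectedAdmins" variable that Level populates in an earlier step; the page does not show how that list is gathered. The following is an added example, not Level's code, showing one way to enumerate the local Administrators group on a Windows endpoint, normalize the names into the comma-separated form the script expects, and run the same authorized-list comparison. The function names (Get-LocalAdminNames, ConvertTo-NameArray, Compare-AdminLists) and the sample account names are this example's own assumptions; it assumes Windows PowerShell 5.1 or later on a Windows host.

```powershell
# Added example (not part of the Level library script): gather local admins in
# the shape {{DetectedAdmins}} would carry, then compare against an authorized list.

function Get-LocalAdminNames {
    # Prefer the LocalAccounts module (Windows PowerShell 5.1 / Windows 10+).
    # It is known to throw when the group contains an orphaned SID (a deleted
    # domain account still listed as a member), so fall back to the ADSI WinNT
    # provider, which reports such members as bare SID strings instead of failing.
    $names = @()
    try {
        $names = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                   ForEach-Object { $_.Name })
    } catch {
        $group = [ADSI]'WinNT://./Administrators,group'
        $names = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
    }
    # Normalize: drop a "MACHINE\" prefix on local accounts so the authorized
    # list can use bare names; keep "DOMAIN\user" entries intact so a domain
    # account cannot masquerade as an approved local one.
    $machine = $env:COMPUTERNAME.ToLower()
    foreach ($raw in $names) {
        $n = $raw.Trim()
        if ($n -match '^(?<dom>[^\\]+)\\(?<user>.+)$' -and $Matches.dom.ToLower() -eq $machine) {
            $Matches.user
        } else {
            $n
        }
    }
}

function ConvertTo-NameArray {
    # Same normalization the library script applies: split, trim, lowercase,
    # and discard empty entries so "" is never reported as an admin.
    param([string]$CommaSeparated)
    @($CommaSeparated -split ',' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
}

function Compare-AdminLists {
    param(
        [string]$Detected,    # comma-separated, as the {{DetectedAdmins}} variable
        [string]$Authorized   # comma-separated, as the {{cf_authorized_admins}} field
    )
    $detectedArray   = ConvertTo-NameArray $Detected
    $authorizedArray = ConvertTo-NameArray $Authorized
    # Anything detected that is not on the approved list, including orphaned SIDs,
    # which by construction never appear in an authorized-names list.
    @($detectedArray | Where-Object { $authorizedArray -notcontains $_ })
}

# Constructed sample input (not from a real endpoint): the built-in Administrator
# and a domain group are approved; a contractor account and an orphaned SID are not.
$sampleDetected   = 'Administrator, CORP\it-admins, contractor, S-1-5-21-1111-2222-3333-1105'
$sampleAuthorized = 'administrator,corp\it-admins'
$sampleResult = Compare-AdminLists -Detected $sampleDetected -Authorized $sampleAuthorized
Write-Output "Sample run flagged: $($sampleResult -join ',')"

# On a real endpoint, feed the live enumeration through the same comparison and
# honour the library script's convention: exit 1 when unauthorized admins exist,
# so a Level script-based monitor can alert on it.
$liveDetected = (Get-LocalAdminNames) -join ','
$found = Compare-AdminLists -Detected $liveDetected -Authorized $sampleAuthorized
if ($found.Count -gt 0) {
    Write-Output ($found -join ',')
    exit 1
}
Write-Output 'No unauthorized admins detected.'
exit 0
```

In the constructed sample, the contractor account and the orphaned SID are the two entries reported, while the two approved names pass regardless of letter case. When adapting this to Level, the live section would be split across two steps: the enumeration writes its joined output into the "DetectedAdmins" script variable, and the comparison reads that variable together with the custom field, exactly as the library script does.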

Use Cases

  • Monitoring newly added admin accounts without proper authorization
  • Enforcing least privilege policies and compliance requirements
  • Automating security checks to reduce manual oversight
  • Integrating into broader admin compliance automation workflows

Recommendations

  • Pair this script with a script-based monitor in Level to automatically flag suspicious admin additions in real time
  • Configure an automated schedule in Level to run ongoing compliance checks, ensuring no unauthorized accounts linger
  • Always test in a non-production environment to confirm correct output and error codes
  • Maintain an up-to-date authorized admin list in Level’s custom fields to ensure accurate comparisons

FAQ

  • How does the script know which admins are authorized?
    It pulls a comma-separated list from the “AuthorizedAdmins” custom field, then compares it to the detected admins.
  • What if the script output is empty?
    That means there are no unauthorized admins. The script will simply report “No unauthorized admins detected.”
  • Can I integrate this with other resources for a bigger compliance picture?
    Yes, you can combine it with an admin users monitor or an admin compliance automation for a comprehensive approach to privileged access management.
  • Why does the script exit with ‘1’ when unauthorized admins are found?
    The non-zero exit code allows Level to recognize an exception or error state, so it can trigger alerts or subsequent remediations.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Windows - Unauthorized Admins

Description

This PowerShell script compares detected administrator accounts against a predefined list of authorized administrators using Level's script variables and custom fields. It processes both lists to create standardized, case-insensitive arrays, then identifies any administrators who are present in the detected list but not in the authorized list. The script outputs either a comma-separated list of unauthorized administrators and exits with an error code, or confirms no unauthorized admins were found and exits successfully.

Language

PowerShell

Timeout (In Seconds)

100

Run As

Local system
