Yesterday I posted a quick article on getting the age of the local administrator account password. It seemed appropriate to follow up with a quick and dirty way to list all members of the local Administrators group. Normally I would turn to WMI, and I have written about this in the past. It is very easy to see the members.
To query a remote computer all I need to do is wrap this in Invoke-Command and use PowerShell remoting. Yes, there is some overhead for remoting but overall performance is pretty decent. And if you already have an established PSSession, even better. Well, maybe it can. I have no problem using legacy tools when they still get the job done and this certainly qualifies.
Now I only get the member names. I came up with a scriptblock like this. It creates a simple object with properties for the computer name, the group name and the members.
This function lets me specify a group of computers or PSSessions as well as the local group name.

If you are managing the devices with Configuration Manager, you can leverage a ConfigMgr tool to get this task done very easily.
I tried this solution a long time ago for some of my customers and it worked fantastically, but I did not blog about it because there were already posts available online. During my online search I found a few other blogs that talk about this solution.
I tried importing the cab file from Sherry's blog into a configuration baseline, but for some unknown reason importing the cab file did not succeed on either ConfigMgr or ConfigMgr Current Branch. Both environments produced the same error. I am not the only one facing this issue while importing the cab file; many other people have posted about it on TechNet looking for a solution. So I started creating the configuration items and the configuration baseline myself, made the changes to the client agent settings MOF file, and generated the report.
I am attaching the configuration baseline cab file here for you to download, extract and import into your ConfigMgr or ConfigMgr Current Branch environment; simply deploy it to the required collection and import the MOF file into the client agent settings for hardware inventory. If you see any issues while importing the cab file into a configuration baseline, follow the steps illustrated below to implement this solution step by step.
I have attached both scripts in the download section for your reference in case you do not want information on all groups. Import the MOF file into the default client agent settings, but do not select the changes in the default client agent settings.
You can select these changes on custom client agent settings to deploy to collection.
Note: Should I go with a configuration item or a package? I would strongly suggest you go with a configuration item and make it recurring instead of scheduling it to run once. Why should I make it recurring? So that the inventory keeps reflecting changes to the local group membership rather than a one-time snapshot. Before we start the steps, download the files that are required to create the baseline, MOF file, reports and so on from here. Go to your custom client agent settings and select localgroupmembers so that you get local member information. If you do not have any custom client agent settings in your environment, you can enable this setting in the default client agent settings.
Step 2: From the Configuration Manager console, go to Assets and Compliance, then Compliance Settings, right-click Configuration Items, choose Create New, and type a name and description. This is script 2 that I referred to above. If you want only the members of the local Administrators group, select localadmins.
If you try it and find that it works on another platform, please add a note to the script discussion to let others know. To provide feedback or report bugs in sample scripts, please start a new discussion on the Discussions tab for this script.

Disclaimer: The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

There are so many time-saving things PowerShell can do with AD objects.
How to Add User to Local Administrator Group in Windows
Using PowerShell get AD group members and groups saves a ton of time. Active Directory groups are a great way to segment out user accounts.
Groups allow admins to define resource access across many systems. You can then use this information to generate lots of interesting reports. If you'd like to follow along in this article, please be sure you have the following requirements ready to go.
Get-ADGroupMember looks inside each group and returns all user accounts, groups, contacts and other objects that exist in that group. The Filter parameter is required. It exists to limit the groups returned based on various criteria. You can see an example below. Scrolling through all of these groups may take a while if you have hundreds or even thousands in your domain.
The Identity parameter allows you to limit your query down to a single AD object. For example, if you needed to check whether a group called HR existed, you could find out by running the command below. This cmdlet gets user, group and computer objects in a particular group.
Perhaps you need to find all members of the Administrators group. In its simplest form, you'd simply use the Identity parameter again, specifying the name of the group as below. As you may know, AD groups can contain not only user accounts but also other groups, which is called nesting.
When a group is nested inside another group, the members of that group inherit the same permissions assigned to the parent group, so a plain membership listing understates who actually holds those rights. To account for that, you can use the Recursive parameter.
For example, you could find members of groups nested inside of the HR group using the Recursive parameter as shown below. If you need to query AD for many different groups or group members at once, you can also do that using a PowerShell foreach loop. A foreach loop runs a command or code for each item in a collection. In this case, that collection will be a list of group names.
To do that, you'd first create a collection or array of these group names. Then, for each name in that collection, run Get-ADGroupMember providing the name of each group to the Identity parameter. By default, whenever you run an AD group cmdlet, it uses your logged-in credentials to query Active Directory. This behavior dictates you need to be on a domain-joined computer logged in as an Active Directory user that has permission.
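The foreach loop described above, combined with the Recursive parameter from the previous section, as an added example that is not part of the original article. It assumes the ActiveDirectory module is installed; the group names are constructed placeholders, the optional credential is a hypothetical alternate account, and the ViaNesting flag is a property this example computes, not something the cmdlet returns.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed; the group names below are constructed placeholders.
Import-Module ActiveDirectory

function Get-GroupMembershipReport {
    param(
        [Parameter(Mandatory)] [string[]] $GroupName,
        [pscredential] $Credential        # optional alternate account for the query
    )
    $common = @{ ErrorAction = 'Stop' }
    if ($Credential) { $common['Credential'] = $Credential }

    foreach ($group in $GroupName) {
        try {
            # Direct members only (this list may itself contain groups) ...
            $direct = Get-ADGroupMember -Identity $group @common
            # ... versus every leaf object reachable through nesting.
            $all    = Get-ADGroupMember -Identity $group -Recursive @common
        } catch {
            # A missing group or insufficient rights should not abort the whole report.
            Write-Warning "Could not read '$group': $($_.Exception.Message)"
            continue
        }
        $directDns = @($direct | ForEach-Object DistinguishedName)
        foreach ($m in $all) {
            [pscustomobject]@{
                Group       = $group
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                # True when the account holds the group's rights only via a nested group
                ViaNesting  = ($directDns -notcontains $m.DistinguishedName)
            }
        }
    }
}

# Constructed sample run: report on three groups and surface nested members first.
Get-GroupMembershipReport -GroupName 'Domain Admins', 'Administrators', 'HR' |
    Sort-Object Group, @{ Expression = 'ViaNesting'; Descending = $true }, Member |
    Format-Table -AutoSize
```

Rows with ViaNesting set to True are the accounts a non-recursive listing would have missed, which is usually where an access review finds surprises.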
Script to enumerate members of local administrators group
But what if you're on a workgroup computer or need to authenticate to AD as a different user? In that case, you can use the Credential parameter. This parameter allows you to specify a username and password to use for authentication. For example, perhaps your user account doesn't have the right to perform an AD task, but you have a service account with additional rights.

This event generates when a process enumerates a user's security-enabled local groups on a computer or device.
Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user.
The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. Once a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group. For more information about SIDs, see Security identifiers. Formats vary, and include the following. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
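As an added example, not from the original documentation, the following pulls the event described above from the Security log and resolves the SIDs the way Event Viewer does, falling back to the raw SID when resolution fails. It assumes the event ID is 4798 (the page does not state the number) and that the auditing subcategory that produces it is enabled; field names are the event's standard data fields.

```powershell
# Added example (not from the original documentation). Assumes event ID 4798,
# the "user's local group membership was enumerated" event described above.
$filter = @{ LogName = 'Security'; Id = 4798; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

function Resolve-SidOrRaw([string] $Sid) {
    # Mirror Event Viewer: show the account name when the SID resolves, else the SID itself.
    try {
        ([System.Security.Principal.SecurityIdentifier] $Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$rows = foreach ($e in $events) {
    $x = [xml] $e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Subject   = Resolve-SidOrRaw $d['SubjectUserSid']   # who ran the enumeration
        Target    = Resolve-SidOrRaw $d['TargetSid']        # whose group list was read
        Process   = $d['CallerProcessName']
        # The caller PID is logged in hex; convert to decimal to match Task Manager.
        ProcessId = [Convert]::ToInt32($d['CallerProcessId'], 16)
    }
}

# Baseline view for triage: which processes enumerate local group membership, and how often.
$rows | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run on a known-good host first to learn which management tools legitimately generate this event, so that an unfamiliar caller process stands out.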
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. Event Versions: 0.

Returns a collection of the principal objects that is contained in the group.
When the recursive flag is set to true, this method searches the current group recursively and returns all nested group members. This method does not search the current group recursively. Therefore, group objects may be returned in the principal object collection. Members are returned without respect to the context.
The returned principal collection may also contain members that are located in a different store than the group. The following code connects to the LDAP domain "fabrikam.
The returned principal collection does not contain group objects when the recursive flag is set to true ; only leaf nodes are returned. For example, when a group that contains a computer object and a group object with only user principals is searched recursively, the returned collection contains the computer object and the user principal objects in the nested group. Since the group object is not a leaf, even when it is empty, it is not returned in the recursive search.
When the recursive flag is set to false, the returned collection may contain group objects.

GroupPrincipal.GetMembers(Boolean), AccountManagement namespace, assembly System.
This functionality has been indispensable on both our pentests and longer-term red-team engagements. I wanted to do a more detailed writeup on Get-NetLocalGroup, its recent changes, and how you can use it effectively on assessments.
After additional testing the dev branch will be merged into master in the next week or so. This returns more limited information, but is significantly faster. By enumerating the local administrators on a remote machine, we can pull any domain accounts that can install agents or otherwise triage a target. These make excellent targets for later user hunting.
This will perform local admin access enumeration on all computers listed in Active Directory and output everything to a nicely sortable. But be warned: this can be very slow for large environments, and it is definitely not stealthy, as you are touching every machine as quickly as your system will allow.
We started using this function more and more to target specific servers beyond just domain controllers. This gives us nice new results like the screenshot at the top of the post. With the full canonical domain name, we can also now easily recursively resolve any domain group results down to their user members.
This has greatly sped up user hunting engagements with complex, nested group relationships. This approach has the advantage of no communication with a target system, as it only queries your primary or specified domain controller for the relevant information. The -Recurse flag will resolve the membership of any results that are a group themselves. Hopefully you guys find this new functionality as useful as we have on complex engagements.
Read more posts about redteaming.

Here is a brief description of my test environment: I have a Windows domain controller, a Win7 box and a Win10 box.
I tried to enumerate the Admins of the Win10 box from the Win7 box logged in as local admin on Win7, but it failed. However, if I do the reverse (enumerate the Admins of the Win7 box from the Win10 box logged in as local admin on Win10), it was successful.
SCCM ConfigMgr report for local admins and local group members
Local Group Enumeration. Published March 9, by harmj0y.

Get-NetLocalGroup — New Developments. Use this to build a list of target SIDs of all groups the target is a member of.

How to Enumerate and Audit the Membership of the Privileged Domain Admins Group in Active Directory

Query for any computers in the resulting OUs and return any resulting sites. Read more posts about redteaming and powerview.

Rajiv, October 5.