How to get the full list of local admins with cmd

  • Question

  • When I use a simple command like:

    >net localgroup Administrators

    It gives me:

    Administrator

    mycorp\Domain Admins

    But when I use the tool "get local admins gui" (http://www.cjwdev.com/Software/GetLocalAdminsGUI/Info.html?LMCL=UpSkkc), it shows me way more local administrators (like 50+). Moreover, I can see that these administrators come from different groups. Some come from mycorp\Domain Admins, but some others come from other groups. Why is that?

    I want to know how the tool retrieves the full list, and how to do this with the command line (or PowerShell).

    Tuesday, November 19, 2019 11:08 AM

Answers

  • net localgroup Administrators gives out the details about the members in the local admin groups, but does not tell about their type.

    I am not sure, but the tool that you are using might be checking the object type, and if it finds that the output contains some group it goes on to expand it further. For example, the command "Get-LocalGroupMember -Name Administrators" gives me the below output:

    In the above output you can see that for one of the members the ObjectClass is "Group", so I will dig in further to expand its members (what we call recursion in programming terms).

    As you do not have admin privileges, I am assuming that you are working on a client OS and might not be able to import the Active Directory module to expand such a group. In this case net group might come in handy for you. Try the script below; it might work for you, and you can later format the output to fit your use:

    $AdminMembers = @()
    # Fetch all the members of the local Administrators group
    $LocalAdminGroupMembers = Get-LocalGroupMember -Name Administrators

    # Add all the user types to our final result
    $AdminMembers += $LocalAdminGroupMembers | Where-Object {$_.ObjectClass -eq "User"} | Select-Object -ExpandProperty Name

    # Iterate through the groups, fetch their users with the net group command and add them to the final result
    $LocalAdminGroupMembers |
    Where-Object {$_.ObjectClass -eq "Group"} | ForEach-Object {

        # Strip the DOMAIN\ prefix: net group is given the bare group name
        $netGroupResult = net group $(($_.Name -split "\\")[-1]) /domain
        # Keep the lines from index 8 up to the third-from-last line of the output, then split them into names
        $AdminMembers   += $netGroupResult[8..($netGroupResult.length -3)] -split "\s+" | Where-Object {$_}
    }

    # Display out the final result
    Write-Output "***********************************************************"
    Write-Output "Following are the members of the local administrators group"
    $LocalAdminGroupMembers
    
    Write-Output "***********************************************************"
    Write-Output "You have a total of $($AdminMembers.Count) admin user account present in the group, following are the details:"
    $AdminMembers



    • Edited by DumbleD0re Tuesday, November 19, 2019 1:59 PM
    • Proposed as answer by Imran_Khan Tuesday, November 19, 2019 2:15 PM
    • Marked as answer by Jean Blonblon Tuesday, November 19, 2019 2:54 PM
    Tuesday, November 19, 2019 1:58 PM
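
The recursion described in the answer above, as an added example that is not part of the original post. It swaps `net group` text parsing for the ADSI WinNT provider and records the group each account is inherited through; the function name `Get-NestedAdminMember` and the `Via` column are hypothetical, and it assumes it is run on the machine being audited with a domain controller reachable.

```powershell
# Added example: expand the local Administrators group recursively through the
# ADSI WinNT provider and record the nesting path of every member.
function Get-NestedAdminMember {
    param(
        [string] $AdsPath = "WinNT://$env:COMPUTERNAME/Administrators,group",
        [string] $Via     = 'Administrators',
        [System.Collections.Generic.HashSet[string]] $Seen
    )
    if ($null -eq $Seen) { $Seen = [System.Collections.Generic.HashSet[string]]::new() }
    # Cycle guard: a group that was already expanded is not expanded again
    if (-not $Seen.Add($AdsPath.ToLowerInvariant())) { return }

    try {
        $members = @(([ADSI]$AdsPath).psbase.Invoke('Members'))
    } catch {
        # Unreachable domain, orphaned SID or built-in principal: report and continue
        Write-Warning "Cannot expand $AdsPath : $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        # Members are raw COM objects, so properties are read through reflection
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $name  = $path -replace '^WinNT://', '' -replace '/', '\'

        [pscustomobject]@{ Account = $name; Class = $class; Via = $Via }

        if ($class -eq 'Group') {
            # Nested group: recurse and extend the path so the source stays visible
            Get-NestedAdminMember -AdsPath "$path,group" -Via "$Via > $name" -Seen $Seen
        }
    }
}

$all = Get-NestedAdminMember
$all | Sort-Object Via, Account | Format-Table -AutoSize

# An account reachable through several groups is listed once per path; count it once
$users = $all | Where-Object { $_.Class -eq 'User' } |
    Select-Object -ExpandProperty Account -Unique
"Distinct accounts with local admin rights: $(@($users).Count)"
```

The `Via` column answers the "why is that?" part of the question: every account beyond the two lines printed by `net localgroup` appears with the chain of nested groups that grants it membership.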
  • Well then you need to ask the tool author about how it works. In any case you need some sort of authorization on the remote computer.

    I'm not sure what your point is when you say you want to understand how the groups are tied. From what you posted so far, you have the Domain Admins group, which has members inside (either users or groups). So why don't you simply check who the members of the Domain Admins group are, using either the ADUC console or a PowerShell command?

    Get-Adgroup "Domain Admins" | get-Adgroupmember

    PS: Domain Admins accounts should only have access to domain controllers, not to all servers/workstations in the environment. It is not secure to use such a privileged account to access such devices.


    Mark as answer if it solves your issue. Leos

    • Marked as answer by Jean Blonblon Tuesday, November 19, 2019 2:27 PM
    Tuesday, November 19, 2019 1:19 PM

All replies

  • I guess you would need to ask the author of the tool mentioned. Though I would assume that your Domain Admins group includes named users as well as other nested groups and the tool queries all of them.

    If you want to do this remotely with PowerShell, you need to use PS-Remoting and the cmdlet Get-Localgroupmember, which will return a list of users and groups, and you can query them further from your AD.

    Why do you ask for a PowerShell script if this is what the tool you mentioned does for you?


    Mark as answer if it solves your issue. Leos

    Tuesday, November 19, 2019 11:43 AM
  • Actually I won't be able to use PowerShell remotely, because I don't have any admin privileges. That is why it is surprising to me that the tool can get that much information.

    I want to understand how all these domain/local admin groups and users are tied together. The tool is great but it doesn't give me a clue about how all of this is working; it is like a black box tool.

    Tuesday, November 19, 2019 1:05 PM