Forum Discussion
ianicepi
Jul 24, 2024 (Copper Contributor)
Getting local admins from all PCs
Hello, I am new to PowerShell scripting and I got a task where I need to retrieve all the users that have local admins on their devices. Any help? I managed to create a script but I got erro...
LainRobertson
Jul 24, 2024 (Silver Contributor)
Hi, Iani.
With respect to testing for if a logged-on (aka interactive) user has local administration rights, you can use .NET's [Security.Principal.WindowsIdentity] class.
This will tell you if they have local administration rights independent of whether they are currently elevated or not.
Example
# Token of the user running this session.
$Identity = [Security.Principal.WindowsIdentity]::GetCurrent();
[PSCustomObject] @{
    # GetComputerDomain() requires a domain-joined machine.
    device = [string]::Concat([System.Environment]::MachineName.ToLower(), ".", [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name);
    user = $Identity.Name;
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    isAdmin = $Identity.UserClaims.Value -contains "S-1-5-32-544";
}
Output
For a user that's not a local administrator:
For a user that's a local administrator but not currently running an elevated session:
For a user that's a local administrator and is running an elevated session:
Cheers,
Lain
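The following is an added example, not part of Lain's post: it separates the three cases listed under Output by combining the claim lookup from the reply with a `WindowsPrincipal.IsInRole` elevation check. The function name `Get-LocalAdminState` and the `state` labels are hypothetical, and it uses `$env:COMPUTERNAME` so it also runs on machines that are not domain-joined.

```powershell
# Added example (not from the original post); Get-LocalAdminState is a hypothetical name.
function Get-LocalAdminState {
    $adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # Membership: the SID appears in the token's claims whether it is enabled
    # (groupsid claim) or deny-only (denyonlysid claim, the UAC-filtered token).
    $claim = $identity.UserClaims |
        Where-Object { $_.Value -eq $adminSid } |
        Select-Object -First 1

    # Elevation: IsInRole only honours enabled group SIDs, so it is true
    # only when this process holds the full administrator token.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    $state = if (-not $claim) {
        'NotAdmin'
    } elseif ($elevated) {
        'AdminElevated'
    } else {
        'AdminNotElevated'
    }

    [PSCustomObject]@{
        device     = $env:COMPUTERNAME.ToLower()
        user       = $identity.Name
        isAdmin    = [bool]$claim
        isElevated = $elevated
        # Last URI segment of the claim type: 'groupsid' or 'denyonlysid'.
        claimType  = if ($claim) { $claim.Type.Split('/')[-1] } else { $null }
        state      = $state
    }
}

Get-LocalAdminState
```

The access token is built at logon, so a change to Administrators group membership made since then is not reflected until the user logs on again.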