Local Admin rights


Is there a way to generate a report of users who have local admin rights on the machines they have logged onto?

[Screenshot attached: datp.PNG]

3 Replies

Hello @Kapila Munaweera 

 

Using Advanced hunting you can run the following query to find users who logged on with local admin rights. 

 

// find users that logged on with Local Admin rights.
LogonEvents
| where IsLocalAdmin == 1
| extend locallogon = extractjson("$.IsLocalLogon",AdditionalFields, typeof(string))
| project EventTime , ComputerName, AccountDomain, AccountName , LogonType, ActionType, locallogon

 

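The query above lists every admin logon as a separate row. As an added example that is not part of Alex's reply, the following Advanced Hunting query aggregates the same LogonEvents data per account so you get one row per principal with the number of distinct machines it logged onto as local admin. It keeps the legacy schema names used in the thread (LogonEvents, EventTime, ComputerName, AccountDomain, AccountName, IsLocalAdmin, LogonType, ActionType); the 30-day window, the "LogonSuccess" ActionType value and the "Interactive"/"RemoteInteractive" LogonType filter are assumptions to adjust for your tenant. Note the caveat from later in the thread: this shows where admins actually logged on, not where they hold membership in the local Administrators group.

```kusto
// Added example, not from the original post: one row per account that logged on
// with local admin rights, with distinct-machine count and first/last sighting.
// Schema names are the thread's legacy MDATP names; the filters marked "assumption"
// should be checked against the LogonType/ActionType values in your own data.
LogonEvents
| where EventTime > ago(30d)                                   // assumption: 30-day window
| where IsLocalAdmin == 1
| where ActionType == "LogonSuccess"                           // assumption: successful logons only
| where LogonType in ("Interactive", "RemoteInteractive")      // assumption: console and RDP sessions
| extend Account = strcat(AccountDomain, "\\", AccountName)
| summarize Logons = count(),
            Machines = dcount(ComputerName),
            MachineList = make_set(ComputerName, 50),          // capped at 50 names per row
            FirstSeen = min(EventTime),
            LastSeen = max(EventTime)
    by Account
| order by Machines desc
```

Export the result to CSV from the Advanced Hunting page to pivot it in Excel. Drop the LogonType filter if you also want network and service logons, and widen the window if admin sessions are rare in your environment.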

@Alex Verboon 

 

The script works to see who has logged in with local admin, but is there a way to see what systems have accounts with local admin? We have 5,800 PCs in ATP, of those I am trying to see where the local admins live and how many machines 1 person has access to. If I can get the raw data out, I can manipulate it in Excel. Thank you Alex.


@Steven Mclean 

 

You can't query that information with MDATP, but if you use ConfigMgr you can use CMPivot, which also provides the Kusto query language, and there you can run real-time queries against all your devices.

 

Description: List all Active Directory users that are administrators of their machine
Query: Administrators | where (ObjectClass == 'User') | where (PrincipalSource == 'ActiveDirectory')

Description: List on which machines an admin is an administrator
Query: Administrators | where (Name == 'DOMAIN\\USERNAME')

 

also take a look at this video

Query local Administrators – https://youtu.be/bnZlapKHIh8?t=649

 

Hope that helps. 

 

There are also plenty of blog posts about creating ConfigMgr reports for local administrators.

 

Hope that helps

Alex
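Building on the two CMPivot queries in the reply above, the following is an added example (not part of Alex's post) that turns the Administrators entity into the per-person view the question asked for: one row per principal with the number of distinct devices on which it is a member of the local Administrators group. It uses only the entity and columns the thread already names (Administrators, Device, Name, ObjectClass, PrincipalSource) and the summarize/dcount operators CMPivot supports; the column aliases are my own.

```kusto
// Added example, not from the original post: how many machines each AD principal
// is a local administrator on, according to live CMPivot results from online clients.
// Both user and group members are kept so that admin rights granted through an
// AD group (which CMPivot does not expand) are still visible as a row.
Administrators
| where PrincipalSource == 'ActiveDirectory'
| where ObjectClass == 'User' or ObjectClass == 'Group'
| summarize Machines = dcount(Device), Entries = count() by Name, ObjectClass
| order by Machines desc
```

Run it against the device collection that holds the 5,800 PCs and export the result to CSV from the CMPivot window for Excel. Two caveats a practitioner should keep in mind: CMPivot only returns rows from clients that are online when the query runs, so compare the device count in the result with the collection size, and a user who is an admin only through a nested AD group appears under the group's Name, not their own, so the Group rows must be resolved against AD to get a true per-person count.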