What do you do when you need to know the list of local administrators on every Windows Server in a hurry? It can be a tricky task if approached in a poor manner.
Generating an output of Active Directory-based group membership is easy with many command-line tools such as CSVDE and LDIFDE. Local accounts, however, are a different beast. Further, determining the membership of a local security group is important, as Group Policy configurations may not be applied as expected for a number of reasons.
To help with this challenge, we'll lean on an old tool: the net command. The net command is sacred stuff to me, and I have trouble parting with the quick one-liners that have made me look good over the years.
For the example to enumerate what usernames are a local administrator on a Windows Server, run the following command:
Net localgroup "Administrators"The output will enumerate each username or group that composes the local administrators group; this will include members that are pushed down from Active Directory Group Policy.
Another way to do this is with Windows PowerShell. Like many other commands that are converted from DOS-based commands to PowerShell, there are more keystrokes. The equivalent commands to run as a PowerShell script could be run as in the following example:
$LocalGroup =[ADSI]"WinNT://Localhost/Administrators"
$UserNames = @($LocalGroup.psbase.Invoke("Members"))
$UserNames | foreach {$_.GetType().InvokeMember("Name", 'GetProperty',
$null, $_, $null)}Note: These scripts were adopted from examples at the PowerShell Code Repository.The next time you need this information quickly for local groups, it will be a quick and easy script that you can easily export to a text file for archival and audit purposes.