PowerShell Audit Script: Local Administrators Enumeration

Auditing local administrator memberships is a common security requirement. This script is read-only, idempotent, and suitable for production use across servers and workstations.


Use Cases

  • Privileged access reviews

  • Incident response triage

  • Compliance audits

  • Baseline comparisons


Environment

  • Windows 10 / 11

  • Windows Server 2019 / 2022

  • PowerShell 5.1 or newer


Script (SAFE – Read-Only)

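$Timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$OutDir    = "C:\Temp"
$Output    = Join-Path $OutDir "LocalAdmins_$Timestamp.csv"

# Export-Csv does not create missing folders; stop early rather than create one
if (-not (Test-Path $OutDir)) { throw "Output folder $OutDir does not exist." }

# Read-only query. The group name is localized on non-English Windows;
# -SID "S-1-5-32-544" selects the same built-in group on any language.
$Admins = Get-LocalGroupMember -Group "Administrators" |
    Select-Object Name, ObjectClass, PrincipalSource

$Admins | Export-Csv -Path $Output -NoTypeInformation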


Enhancements (Optional, Still Safe)

Add basic logging:

Start-Transcript -Path "C:\Temp\LocalAdmins.log"
# script content
Stop-Transcript

Verification

Import-Csv C:\Temp\LocalAdmins_*.csv

Validate that:

  • Output contains expected users

  • No system state was modified
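For the "expected users" check and the baseline-comparison use case, the export can be diffed against an approved list. The following is an added example, not part of the original script; the function name Compare-AdminBaseline and all account names are hypothetical, and both CSV data sets are constructed inline so the block runs without any files.

```powershell
# Constructed sample data: an approved baseline and a later export.
# In real use, load both with Import-Csv from two LocalAdmins_*.csv files.
$baselineCsv = @'
"Name","ObjectClass","PrincipalSource"
"HOST01\Administrator","User","Local"
"CONTOSO\Domain Admins","Group","ActiveDirectory"
'@

$currentCsv = @'
"Name","ObjectClass","PrincipalSource"
"HOST01\Administrator","User","Local"
"CONTOSO\Domain Admins","Group","ActiveDirectory"
"HOST01\svc_backup","User","Local"
'@

function Compare-AdminBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current
    )
    # Compare on Name only. Compare-Object is case-insensitive by default,
    # which matches how Windows treats account names.
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property Name -PassThru |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                ObjectClass     = $_.ObjectClass
                PrincipalSource = $_.PrincipalSource
                # '=>' means present only in the current export
                Change          = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            }
        }
}

$baseline = $baselineCsv | ConvertFrom-Csv
$current  = $currentCsv  | ConvertFrom-Csv
$drift    = @(Compare-AdminBaseline -Baseline $baseline -Current $current)

if ($drift.Count -eq 0) { 'No drift from baseline.' }
else { $drift | Format-Table -AutoSize }
```

With the sample data, the only row reported is HOST01\svc_backup with Change set to Added.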


Rollback

No rollback required.
Script performs no write operations beyond CSV and log creation.

