March 16, 2024

How to Get a List of Local Administrators on Computers

In this article, we will look at how to get a list of users and groups that have local administrator rights on Windows workstations and servers on your network.

Contents:
  • Find Local Administrators on the Local Computer
  • Get Local Administrators Group Member from Remote Computer
  • Removing Users from the Local Administrators Group

Find Local Administrators on the Local Computer

In Windows, you can use the Computer Management snap-in (compmgmt.msc) to view, add, or remove users in the local Administrators group. Expand Computer Management -> Local Users and Groups -> Groups, then select the Administrators group.

By default, when a Windows computer is joined to an Active Directory domain, administrator rights are granted to local administrator users and the Domain Admins security group.

All other users or groups are added to the Administrators group separately (manually, via Group Policy, scripts, etc.).

List the members of the local Administrators group using PowerShell:

Get-LocalGroupMember -Group "Administrators"

Please note that the PrincipalSource property shows where each user or group comes from: Local, ActiveDirectory, or AzureAD.

This is how you can list only the enabled local user accounts that have administrator privileges (Get-LocalUser returns nothing for domain principals and for groups, so they drop out of the filter):

Get-LocalGroupMember Administrators | Where-Object { (Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue).Enabled }

You can filter the list to include only Active Directory principals (users and groups):

Get-LocalGroupMember Administrators | Where-Object {$_.PrincipalSource -eq "ActiveDirectory"} | Select-Object PrincipalSource,ObjectClass,Name,SID

If the Active Directory for Windows PowerShell module from the RSAT package is installed on your computer, you can get additional information about AD users or groups by their SIDs.

In this example, the script finds the members of all Active Directory groups that are local administrators on this computer (the Get-ADGroupMember cmdlet is used to get the list of AD group users). Then the Get-ADUser is used to get the SamAccountName and the status of the account (Enabled = True/False).

# Only members that come from Active Directory (users and groups)
$admins = Get-LocalGroupMember Administrators | Where-Object {$_.PrincipalSource -eq "ActiveDirectory"}
foreach ($admin in $admins)
{
    # A directly added AD user: look it up by its SID
    if ($admin.ObjectClass -eq "User") { Get-ADUser -Identity $admin.SID.Value | Select-Object SamAccountName,Enabled }
    # An AD group: expand it (including nested groups) and report each user account
    if ($admin.ObjectClass -eq "Group") {
        Get-ADGroupMember -Identity $admin.SID.Value -Recursive | Where-Object objectClass -eq "user" |
            ForEach-Object { Get-ADUser -Identity $_ | Select-Object SamAccountName,Enabled }
    }
}

Similarly, you can get any other user attributes from Active Directory.
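The following script is an added example (not code from the original article) that turns the checks above into a small local audit. It looks the group up by its well-known SID S-1-5-32-544 instead of the localized name "Administrators", enriches local user members with their Enabled state, and flags any member that is neither the built-in Administrator (RID 500), Domain Admins (RID 512), nor on an allow-list of SIDs. The $allowListSids value is a constructed placeholder; the function name Test-ExpectedAdmin is my own.

```powershell
# Added example (not code from the original article): audit the local
# Administrators group by its well-known SID (S-1-5-32-544) rather than its
# localized display name, and flag members that are not on an expected list.
# $allowListSids is a constructed placeholder; put your managed admin group SIDs there.

$allowListSids = @(
    'S-1-5-21-0000000000-0000000000-0000000000-1234'   # placeholder: SID of your managed admin group
)

function Test-ExpectedAdmin {
    param([string]$Sid)
    # The built-in Administrator (RID 500) and Domain Admins (RID 512) are expected by default
    if ($Sid -match '-(500|512)$') { return $true }
    return ($Sid -in $allowListSids)
}

# Query by SID: this works on any OS language, where the group name may differ
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    $enabled = $null
    # Only local user accounts can be resolved with Get-LocalUser;
    # domain principals and groups keep $null here
    if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
        $enabled = (Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue).Enabled
    }
    [pscustomobject]@{
        Name            = $m.Name
        ObjectClass     = $m.ObjectClass
        PrincipalSource = $m.PrincipalSource
        SID             = $m.SID.Value
        Enabled         = $enabled
        Expected        = Test-ExpectedAdmin -Sid $m.SID.Value
    }
}

$report | Format-Table -AutoSize

# Unexpected members are the ones to investigate: who added them, when, and why
$unexpected = $report | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $unexpected | Format-Table Name, ObjectClass, PrincipalSource, SID -AutoSize
}
```

Matching on SIDs rather than names also protects the check against renamed accounts: the built-in Administrator keeps RID 500 whatever it is called.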

Get Local Administrators Group Member from Remote Computer

The above example gets the list of users with administrator rights on the local computer. Now let’s look at how to get the members of the local Administrators group from a remote Windows computer.

To run commands on remote computers, you must configure PowerShell Remoting and open the TCP 5985 firewall port. You can enable and configure WinRM (PSRemoting) using GPO, and then change your Windows Defender Firewall Group Policy settings to open an additional port.

Use the Invoke-Command PowerShell cmdlet to run a command on a remote computer. To list the administrators on the remote computer named wsk-m2211, use the following command:

Invoke-Command -ComputerName wsk-m2211 -ScriptBlock {Get-LocalGroupMember -Name 'Administrators'|select Name,ObjectClass,PrincipalSource|ft}

Now let’s see how to get a list of administrators from multiple computers. For convenience, we will exclude the Domain Admins group from the results:

$results = Invoke-Command wsk-m2211,srv-sql01,srv-rds02 -ScriptBlock {Get-LocalGroupMember -Name 'Administrators'|where {$_.name -notlike "*Domain Admins*"}|select Name,ObjectClass,PrincipalSource}
$results | Select-Object PSComputerName,Name,ObjectClass,PrincipalSource

You can exclude the built-in administrator or other accounts from the results.

Use the Export-CSV command to export the resulting list of users and groups to a CSV file:

$results | Export-CSV "C:\PS\admins.CSV" -NoTypeInformation -Encoding UTF8

You can query multiple computers or servers from a domain simultaneously. In this example, I want to get a list of admins on all Windows Server hosts in AD. Use the Get-ADComputer cmdlet to list enabled Windows Server computers in Active Directory:

$computers = (Get-ADComputer -Filter 'operatingsystem -like "*Windows server*" -and enabled -eq "true"').Name

Next, get the list of local Administrators group members on each host:

$results = Invoke-Command -ComputerName $computers -ScriptBlock {Get-LocalGroupMember -Name 'Administrators'|where {$_.name -notlike "*Domain Admins*"}|select Name,ObjectClass,PrincipalSource} -ErrorAction SilentlyContinue
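Silently continuing past errors hides the hosts that could not be queried, and an unreachable server is an audit gap rather than a clean result. The script below is an added example (not code from the original article) that combines the Get-ADComputer, Invoke-Command, and Export-CSV steps above into one inventory run: it queries the group by its well-known SID, drops the built-in Administrator and Domain Admins by RID instead of by name, records every host that failed, and writes both lists to timestamped CSV files under C:\PS. It assumes PSRemoting is enabled on the targets and the RSAT Active Directory module is installed; the file names and the -ThrottleLimit value are my choices.

```powershell
# Added example (not code from the original article): inventory local
# Administrators membership on all enabled Windows Server hosts in AD,
# keep track of hosts that could not be queried, and export both lists.
# Assumes PSRemoting is enabled on the targets and the RSAT ActiveDirectory module is installed.

Import-Module ActiveDirectory

$computers = (Get-ADComputer -Filter 'operatingsystem -like "*Windows server*" -and enabled -eq "true"').Name

$failed = @()
$results = Invoke-Command -ComputerName $computers -ThrottleLimit 32 `
    -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    # Query the group by well-known SID so the OS language does not matter
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        # Drop RID 500 (built-in Administrator, local or domain) and RID 512 (Domain Admins)
        Where-Object { $_.SID.Value -notmatch '-(500|512)$' } |
        Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } }
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# Members found, one row per computer and principal
$results | Select-Object PSComputerName, Name, ObjectClass, PrincipalSource, SID |
    Export-Csv "C:\PS\admins-$stamp.csv" -NoTypeInformation -Encoding UTF8

# Hosts that errored (offline, WinRM disabled, access denied) still need attention.
# For remoting connection failures the ErrorRecord's TargetObject is the computer name.
$failed | ForEach-Object {
    [pscustomobject]@{ Computer = $_.TargetObject; Error = $_.Exception.Message }
} | Export-Csv "C:\PS\admins-unreachable-$stamp.csv" -NoTypeInformation -Encoding UTF8

# Quick summary: hosts with the most non-default administrators first
$results | Group-Object PSComputerName | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

Write-Host ("Queried {0} hosts, {1} failed; results in C:\PS\admins-{2}.csv" -f $computers.Count, $failed.Count, $stamp)
```

Running this on a schedule and diffing consecutive CSV files is a simple way to notice a new local administrator appearing on a server between two audits.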

Removing Users from the Local Administrators Group

Enterprise administrators need to keep track of the members of the local Administrators group on domain computers. The main idea is to minimize the number of users with local admin rights.

It is recommended that you use Group Policy Preferences or Restricted Groups to manage the membership of the local Administrators group centrally. These GPOs add the required users and groups to the Administrators group and remove any other members that were added manually.

You can manually remove a user from the local admins’ group with the command:

Remove-LocalGroupMember -Group Administrators -Member username

You can remove a user from a group on a remote computer:

Invoke-Command -ComputerName wsk-m2211 -ScriptBlock {Remove-LocalGroupMember -Group Administrators -Member username}

However, there’s a more advanced method you can use. Suppose you have created a list of users with administrative privileges on computers and saved it in the $results variable.

$results = Invoke-Command wsk-m2211,wsk-m2233 -ScriptBlock {Get-LocalGroupMember -Name 'Administrators'|where {$_.name -notlike "*Domain Admins*"}|select Name,ObjectClass,PrincipalSource,SID}

Then display a list of users and computers in the form of an Out-GridView list:

$principals_to_remove=$results | Out-GridView -Title "Select principal to remove from local admins" -OutputMode Multiple

The next thing you have to do is to select the users you want to remove from the Administrators group (press and hold CTRL to select multiple rows in the table) and run the code:

foreach ($principal in $principals_to_remove)
{
Invoke-Command $principal.PSComputerName -ScriptBlock {Remove-LocalGroupMember -Group Administrators -Member $using:principal.name}
}

Note. The $using:principal.name construct allows you to pass a local variable value from your computer to a remote PSRemoting session.

This will remove the users you have selected from the local Administrators group on the remote computers.
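Because the objects selected in Out-GridView already carry the SID, the removal can match on the SID instead of the display name, which survives renamed or localized accounts. The function below is an added example (not code from the original article): it wraps the removal loop above, supports -WhatIf for a dry run, verifies on each host that the SID is really gone, and returns one record per removal that you can keep as the change log. It assumes $principals_to_remove holds objects with PSComputerName, Name, and SID properties, exactly as produced by the article's Invoke-Command and Out-GridView steps; the function name Remove-RemoteLocalAdmin and the log file path are my choices.

```powershell
# Added example (not code from the original article): remove selected principals
# from the remote local Administrators group by SID, with -WhatIf support and
# post-removal verification. Input objects are assumed to have PSComputerName,
# Name and SID properties (as returned by the article's Out-GridView step).

function Remove-RemoteLocalAdmin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Principal
    )
    process {
        foreach ($p in $Principal) {
            # Deserialized SecurityIdentifier objects stringify to the SID text
            $sid = [string]$p.SID
            $target = "$($p.PSComputerName): $($p.Name) ($sid)"
            if ($PSCmdlet.ShouldProcess($target, 'Remove from local Administrators')) {
                $removed = Invoke-Command -ComputerName $p.PSComputerName -ScriptBlock {
                    # Address the group and the member by SID so names never matter
                    Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $using:sid -ErrorAction Stop
                    # Verify: $true only if the SID is no longer a member
                    -not (Get-LocalGroupMember -SID 'S-1-5-32-544' |
                          Where-Object { $_.SID.Value -eq $using:sid })
                }
                [pscustomobject]@{
                    Computer  = $p.PSComputerName
                    Principal = $p.Name
                    SID       = $sid
                    Removed   = [bool]$removed
                    When      = Get-Date
                }
            }
        }
    }
}

# Dry run first: prints what would be removed, changes nothing
$principals_to_remove | Remove-RemoteLocalAdmin -WhatIf

# Real run; keep the returned records as the change log
$removalLog = $principals_to_remove | Remove-RemoteLocalAdmin
$removalLog | Format-Table -AutoSize
$removalLog | Export-Csv "C:\PS\admins-removed-$(Get-Date -Format 'yyyyMMdd-HHmm').csv" -NoTypeInformation -Encoding UTF8
```

A row with Removed = False means the remote command ran but the SID is still a member; the usual cause is a GPO (Restricted Groups or Group Policy Preferences) adding the account back, which is where the change then needs to be made.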

1 comment

Oliv TheFrog June 21, 2023 - 1:19 pm

Gathering the members of the "local administrators" group by its name is just... a very bad idea!

The name of this group depends on the local culture, but the SID of this group is always the same: it's a well-known SID.

One of the first rules to know when you want to script something is "think code reuse".
