Arni-3472 asked SherryKissinger-ECM commented

SCCM Query for local Admin


Hello, I need assistance in generating a report to show local admin users in our Windows 7, Windows 10, and Windows Server environment. I need to compile these to put security rules in place. The report should also show the name of the computer or the FQDN.

Any help is greatly appreciated, thanks.

We're using SCCM 2012.


I found the forum post about "SCCM Report to find domain users with local admin privilege on all domain computers", pointing to Sherry Kissinger. However, that link is broken or no longer working. I hope someone can assist, thanks.

Amandayou-MSFT answered Arni-3472 commented

Hi @Arni-3472,

We could use an SCCM CMPivot query to find local administrator accounts.

Use the below SCCM CMPivot query to find local administrator accounts. Enter the query and click Run Query:
Administrators | where Name !contains 'Administrator' and Name !contains 'Domain Admins'

For more information, please refer to Prajwal Desai's article:
Find Local Administrator Accounts with SCCM CMPivot Query
Note: Non-Microsoft link, just for reference.



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 7
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@Amandayou-MSFT

This is great to know! I will give this a try and get back to you. Thanks for the info.



@Amandayou-MSFT

Is there a way to find out if the Local Admin and Administrator account is Active or Disabled using the CM Pivot? I have sorted the report with these two accounts but wanting to know if they are active or not. Any help is appreciated, thanks.


Hi,

The idea of using CMPivot is excellent, but there is no way to achieve it at this time. It's recommended to use the following user voice link to submit our suggestion to get it:
https://configurationmanager.uservoice.com/forums/300492-ideas

Fortunately, we could use PowerShell to get the file, put it in an SCCM package, and it will return the result.

# Write the computer name, then append each local user and whether it is enabled
$env:computername >> "destination path file"
Get-LocalUser | Select-Object Name, Enabled | Out-File -FilePath "destination path file" -Append

Best regards,
Amanda


@Amandayou-MSFT

Thank you for this information. Do you have a step-by-step guide on how to apply the PowerShell script in SCCM or, if it's not too much to ask, could you walk me through how to create an SCCM package applying the PowerShell script to produce the result? It would be greatly appreciated. I am not familiar with this process of creating a package. Thanks.


@Amandayou-MSFT

Hello Amanda, I tried running the PowerShell Script on my computer and I got this result:

Name               Enabled
----               -------
Administrator      True
ABUser             True
DefaultAccount     False
Guest              False
Localadmin         True
WDAGUtilityAccount False

I noticed it doesn't display the computer name. How can I run this script in SCCM against all our computer collections (clients and servers) so that the full computer name is included in the report? Can the output be in a spreadsheet too? Thanks.

SherryKissinger-ECM answered Arni-3472 edited

In my opinion, at this point you aren't asking the question of "what can ECM do for me", you are asking the question of "I need to have a remote PowerShell script do this for me, presuming I have local Admin rights on all of the target devices, where the results will be spit out into a local xlsx or csv file, after remotely connecting across the network to a list of devices". CM would not "create a spreadsheet" like you are asking for.

If you really want ECM to "do this for you", at this point it isn't a pivot script, nor (in my opinion) a script within CM--but you could do that, I guess--that wouldn't be my first method that I would use, however.

I think what you "really want" (at the risk of guessing what you really want) is a way to inventory this information. This would be a custom inventory, where you would, most likely, deploy a Script (via a Configuration item), then import a CUSTOM inventory mof file (to create a custom table and view), and then, you can query your CM database for this information; after your devices have had a chance to run that Configuration Item, and subsequently do hardware inventory.


@SherryKissinger-ECM

Hello Sherry, the CMPivot was almost perfect, thanks to @Amandayou-MSFT for introducing this new tool to me. It was almost perfect until I received a request if it can also show whether these accounts (e.g. LocalAdmin and Administrator) are active or disabled. I understand that CMPivot (Administrators) is limited to four columns. I would like to use CM to generate what I need, which will also include the LocalAdmin/Administrator "status". I don't expect CM to produce a report or output to a spreadsheet. That question regarding the spreadsheet only came up when Amanda introduced the PowerShell Out-File. I usually just copy the result from CM and paste it into a spreadsheet, then rearrange the columns manually. In CMPivot (Administrators), the results that I have are (Device - Object Class - Name - Principal Source). Can you help with another query in CM where I can have all the results that I need? Thanks.

  • Forget pivot, Amanda already said "The idea of using the CM Pivot is excellent, there is no way to achieve it at this time. It's recommended that we could use the following user voice link to submit our suggestion to get it.
    https://configurationmanager.uservoice.com/forums/300492-ideas"... aka... right NOW it's impossible to use CMPivot--that would be an enhancement to the product.

  • Go to Software Library, Scripts.

  • Create Script, give it a name, and the script is this and only this one single line:
    get-localuser | Select Name, Enabled

  • Once created, you will have to approve the script for use before you can use it. Depending upon how your environment is setup, you might need to have someone ELSE approve the script (not you). If you are the one and only and sole user of CM in your environment, then you may want to first follow the directions here, https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-deploy-scripts for allowing script creators to self-approve their own scripts.

  • Once the script is approved, go to Assets, Device Collections, pick a collection, and right-click Run Script, pick this script.

  • Wait. You know the drill.

  • If a machine is online and able to reply, eventually you'll get responses. Remember this is only going to be for machines which happen to be online and available.

  • The results won't be pretty, but you'll have them. Likely you'll need to do a lot of parsing / fun things to make it look pretty.

If you want it logical and (imo) more useful: I spent some time updating and testing a script + mof edit / custom inventory for "all members of all local groups... including whether or not the local user account referenced is enabled True/False".

Still testing in my whopping lab of 2 devices. I may blog it later this weekend...


I just tried it and got what I wanted, and you are correct, I need to do a lot of parsing on this to make it look nice. I will wait for the script that you are testing about the "all members of all local groups..." and will try that when it's ready. Thank you!

You "could" also have TWO scripts in the Scripts node. One specifically and only and just for
Get-LocalUser | where-object {$_.Name -eq 'Administrator'} | Select enabled

and the other specifically and only and just for
Get-LocalUser | where-object {$_.Name -eq 'LocalAdmin'} | Select enabled

Presuming those are the two and only two accounts you actually care about on the targets, by those specific names. Might be a 'bit' easier to parse the results. Maybe.


@SherryKissinger-ECM

I will also try these two scripts. Thank you so much!

SherryKissinger-ECM answered SherryKissinger-ECM commented

For testing... this would be a Script + Mof edit, to inventory 'all members of all local groups' using a PowerShell script, optionally logging to a local log file on each client when the script runs. When a member of a local group is a local user account, the script also looks up whether that local user account is Enabled True/False, and is able to report on that.

https://tcsmug.org/blogs/sherry-kissinger/568-cm-all-members-of-all-local-groups-powershell

This has only been tested in a 2-device lab environment--aka... hardly tested at all. Do I think it works? probably. But more testing definitely would need to be done to confirm.


@SherryKissinger-ECM

Great information! Thank you for sharing. I have generated the report that our Security Admin wants to see, and it's an eye opener to all of us that a lot of our machines have enabled local admins. This time, I need help on a way of disabling these LocalAdmin accounts (a specific account, because there are two but we want to keep just one). Perhaps in a smaller group first, then if everything looks good, we will expand the implementation. Do you know a safer way of doing this in SCCM and making sure that it's actually disabled? This is our initial step, but eventually we will delete this account, I guess using a group policy script or SCCM, whichever is more reliable and consistent. The remaining machines with the Administrator account will be managed using LAPS. Thanks again, and looking forward to your valuable assistance.

"What to use" (GPO, CM, something else) to disable/delete the specific local accounts I'm not going to comment on. That's because people want to throw around the words "best practice says", but that to me isn't helpful. What makes the most sense for your company to use, based upon your environment and your policies and procedures, is what you should use to disable those local accounts, and then later delete them.

As for confirming <insert account names here> are locally disabled, and/or no longer exist, please feel free to test the blogged routine using CM as a script + mof edit, then reports later.

PaoloBragagni-2371 answered PaoloBragagni-2371 published

Hi, I followed all the steps here: https://tcsmug.org/blogs/sherry-kissinger/568-cm-all-members-of-all-local-groups-powershell

And it almost works. :)

The only thing that doesn't work is the 'enable'/'disable' flag, which never gets populated. What am I missing?

thanks in advance,
P.

SherryKissinger-ECM answered SherryKissinger-ECM edited

What does the log say, on a box where you KNOW there are multiple test local accounts, where one of those local accounts is enabled, and the other disabled?

Log location: if run as SYSTEM, this will most likely be %windir%\temp
$LogFilePath = $env:TEMP + "\CMLocalGroupMembers.log"

There is a section in the script where when the script is trying to figure out if an account is local and disabled, it will write notes to the log file:

under this comment in the script:
Check if a Local user account is enabled or not. Make it $null to start with; just to be sure it's clean and empty.

PaoloBragagni-2371 answered

It seems that it never goes through the part where you check for enabled or disabled:
if ( ($ReturnedValues.PrincipalSource -eq 'Local') -and ($ReturnedValues.ObjectClass -eq 'User')) {
etc. etc.

Perhaps because of language?
'User' -> 'Utente'

In CMLocalGroupMembers.log I found everything but enable/disable.

Part of the log:


<![LOG[Type: Local
]LOG]!><time="09:47:27.040704" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">
<![LOG[Group: Administrators
]LOG]!><time="09:47:27.122001" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">
<![LOG[Account or nested group Inside: myname
]LOG]!><time="09:47:27.163759" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">
<![LOG[Domain: PC-NAME
]LOG]!><time="09:47:27.185128" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">
<![LOG[Category: Utente
]LOG]!><time="09:47:27.232527" date="12-1-2021" component="ff33ae1c-b473-4ffe-8267-b73bd39c9735.ps1" context="NT AUTHORITY\SYSTEM" type="1" thread="8" file="">
PaoloBragagni-2371 answered SherryKissinger-ECM commented

Yes it was localization.

Change those lines to:
#Check if a Local user account is enabled or not. Make it $null to start with; just to be sure it's clean and empty.
$Enabled = $null
if ( ($ReturnedValues.PrincipalSource -eq 'Local') -and (($ReturnedValues.ObjectClass -eq 'User') -or ($ReturnedValues.ObjectClass -eq 'Utente'))) {


I've updated the script in the original blog to (hopefully) be language-localization agnostic.

Thanks for testing and identifying an issue!
-Sherry

SherryKissinger-ECM answered

Thanks for testing! I've added a note to the original blog entry with your findings, and your work around. Perhaps I can craft a localization-agnostic method for determining a local user account enabled/disabled... Some global companies may have dozens or more localizations to consider; the script might get really messy with multiple -or statements for different possible localizations.

But I'm glad you found the cause, and a workaround for your environment.
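One localization-agnostic way to do the enabled/disabled check discussed in this thread, as an added example that is not the blog script or any poster's code: match each local group member to a local user account by SID instead of comparing the localized ObjectClass string ('User', 'Utente', ...), and tag every row with the computer name the original question asked for. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or WMF 5.1); the file name Get-LocalAdminStatus.ps1 in the trailing comment is hypothetical.

```powershell
# Added example (not the blog script or any poster's code): list members of the
# built-in Administrators group and, for local user accounts, report whether
# the account is enabled. Local users are matched by SID rather than by the
# localized ObjectClass text, so the check works in any display language.

# Resolve the group by its well-known SID so the group name is also
# language-independent (S-1-5-32-544 is BUILTIN\Administrators everywhere).
$group = Get-LocalGroup -SID 'S-1-5-32-544'

# Best-effort FQDN; fall back to the NetBIOS name if the DNS lookup fails.
try   { $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName }
catch { $fqdn = $env:COMPUTERNAME }

$rows = foreach ($member in Get-LocalGroupMember -Group $group) {
    $enabled = $null   # stays $null for domain principals and nested local groups
    if ($member.PrincipalSource -eq 'Local') {
        # Get-LocalUser -SID only succeeds for a local *user* account; for a
        # nested local group it errors, which is silenced and leaves $null.
        $user = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
        if ($user) { $enabled = $user.Enabled }
    }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        FQDN            = $fqdn
        Group           = $group.Name
        Member          = $member.Name
        ObjectClass     = $member.ObjectClass     # localized, informational only
        PrincipalSource = $member.PrincipalSource
        Enabled         = $enabled
    }
}

# Emit the objects: Run Script in the console collects them per device, and a
# local test run can pipe them to Export-Csv for a spreadsheet, e.g.
# .\Get-LocalAdminStatus.ps1 | Export-Csv -NoTypeInformation "$env:TEMP\localadmins.csv"
$rows
```

If Get-LocalGroupMember fails with "Failed to compare two elements in the array", the group usually contains an orphaned (unresolvable) SID; remove that entry or query that device through the ADSI WinNT provider instead.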
