Trying to list only local administrator accounts that are enabled on Windows workstations.
Have this code so far, but I am running into issues beyond this point trying to compare if the active user is an administrator.
$enabledUsers = (Get-LocalUser | Select * | sort Name, FullName, Enabled) | where-object enabled -eq $true
$enabledUsers | Select Name, Fullname
CodePudding user response:
You can use Get-LocalGroupMember to get all members of the Administrators group, however this cmdlet doesn't tell us if the returned users are Enabled, we can pass the SID of each user to Get-LocalUser and filter for those Enabled ones:
Get-LocalGroupMember Administrators | Where-Object { (Get-LocalUser $_.SID -EA 0).Enabled }
-EA 0 (-ErrorAction SilentlyContinue) is used in this example because the members of the group may not be of the class User, in which case, the cmdlet would throw an error (which we want to avoid).
If you need LocalUser objects instead of LocalPrincipal objects, you can use this instead:
Get-LocalGroupMember Administrators | ForEach-Object {
    if(($usr = Get-LocalUser $_.SID -EA 0) -and $usr.Enabled) {
        $usr | Select-Object Name, FullName
    }
}
CodePudding user response:
If you need to filter out AD admins as well
Get-LocalGroupMember Administrators | Where-Object { $_.PrincipalSource -ne "ActiveDirectory" } | select sid | ForEach-Object {
    # -ErrorAction SilentlyContinue: nested groups have a SID but are not local users,
    # so Get-LocalUser would otherwise throw for them
    Get-LocalUser $_.sid -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -eq $True } | select name, enabled
}
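Pulling both answers together as an added example (my code, not from either answer): a reusable function that resolves the Administrators group by its well-known SID so it also works on non-English Windows, skips nested groups and domain principals without erroring, and reports enabled local admin accounts with the fields an audit usually wants. It uses only the built-in Microsoft.PowerShell.LocalAccounts cmdlets; the function name is my own.

```powershell
# Added example: audit enabled local administrator accounts on a workstation.
function Get-EnabledLocalAdmin {
    [CmdletBinding()]
    param()

    # S-1-5-32-544 is the well-known SID of the built-in Administrators group;
    # resolving by SID avoids depending on the localized group name.
    $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

    foreach ($member in Get-LocalGroupMember -Group $adminGroup) {
        # Get-LocalUser only resolves local user accounts. Nested groups and
        # domain (ActiveDirectory) principals return nothing here, so they are
        # reported verbosely and skipped instead of throwing.
        $user = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Verbose ('Skipping {0} ({1}, {2})' -f $member.Name,
                $member.ObjectClass, $member.PrincipalSource)
            continue
        }
        if (-not $user.Enabled) { continue }

        [PSCustomObject]@{
            Name            = $user.Name
            FullName        = $user.FullName
            SID             = $user.SID.Value
            PrincipalSource = $user.PrincipalSource
            LastLogon       = $user.LastLogon
            PasswordLastSet = $user.PasswordLastSet
            # RID 500 is the built-in Administrator account; worth flagging
            # separately in an audit since it is a common hardening item.
            IsBuiltInAdmin  = ($user.SID.Value -like '*-500')
        }
    }
}

# Usage: run elevated; -Verbose shows which members were skipped and why.
Get-EnabledLocalAdmin -Verbose | Format-Table -AutoSize
```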