Script to report if user has admin rights?

Does anyone know of a script or a simple method to determine en masse which of my users in Syncro have admin rights on their machines? It has recently come to my attention that we may have left some end users with admin rights during onboarding and I want to see how many there are.

I used ChatGPT to create a script that will check and I can manually look for the script results, but I would rather have it write to a custom asset field and I can never figure that part out, even using the little guide at the bottom of the scripts.

Before I pour hours down this rabbit hole is there a more obvious option I am missing?

1 Like

This is what I use, and it writes to a custom field.

Import-Module $env:SyncroModule

# Enumerate the members of the local Administrators group via the ADSI WinNT provider
$obj_group = [ADSI]"WinNT://localhost/Administrators,group"
$members = @($obj_group.psbase.Invoke("Members")) | ForEach-Object { ([ADSI]$_).InvokeGet("Name") }

# Join with commas so a script that later splits the field on ',' gets one name per entry
# (writing the raw array would join the names with spaces instead)
Set-Asset-Field -Name "Local Admin" -Value ($members -join ', ')
3 Likes

Excellent thanks for the help .That worked perfectly!

Looks super interesting! Can someone tell me where and how I put this in SyncroMSP to automate it? Thanks.

Create a new script and copy and paste in the code. The next step is to create a Syncro Asset Custom Field by going to Admin Settings; under the Customer section in the left nav there is an Asset Custom Field option. Create a Text Field under Syncro Devices.

Dear Jimmie, Thank you so much for the script.

Anyone who needs help implementing Jimmie's script in Syncro and storing the names of all local admin users in a custom field can do the following. Once you have something in the custom field, you can then generate an alert or ticket.

Jimmie’s Script

Import-Module $env:SyncroModule

# Enumerate the members of the local Administrators group via the ADSI WinNT provider
$obj_group = [ADSI]"WinNT://localhost/Administrators,group"
$members = @($obj_group.psbase.Invoke("Members")) | ForEach-Object { ([ADSI]$_).InvokeGet("Name") }

# Join with commas so a script that later splits the field on ',' gets one name per entry
Set-Asset-Field -Name "Local Admin" -Value ($members -join ', ')

NOTE: This is a 100% working script and is configured in our Syncro RMM instance. Follow the steps below to implement the solution.

NOTE: We will have to create a custom field named “Local Admin” in Syncro. This script will publish in this field all usernames that belong to the local Administrators group on the system.

NOTE: It's essential that the field name be exactly “Local Admin”, with a space, as any deviation will prevent the script from functioning correctly because the custom field name is specified in Jimmie's script.

To implement, please follow these steps:

  1. Create a new script in Syncro by copying and pasting the code provided above.

  2. In the Syncro Admin Settings, navigate to the Customer section in the left-hand sidebar and click on “Asset Custom Field”.

  3. Now click on “Syncro Devices” and create a new custom field, type “Text Field”, and name it “Local Admin”, ensuring the exact name of the custom field including the space.

  4. That's all; run the script. After the script has completed, it will publish to the custom field all users that belong to the system's local Administrators group.

  5. You can run this script on all customers and all computers using a policy. I am sure you can also generate the alert / email from the custom field.

Enjoy !

Prabhpal Singh Mavi

Script To Delete Users From Local Admin Group With Exception

Remove all users (domain users / local users) from the local Administrators group, with exceptions. Just check your PowerShell version etc. if there is any issue. This is a working script in our environment.

Here I am deleting all users from the local Administrators group (domain users / non-domain users (local system users)) using the script, except the local Administrator, and also maintaining (not deleting) the MSP administrator (NAdmin). You can also keep another admin if you want by modifying the script.

# Accounts to keep: the domain's Domain Admins group, the built-in Administrator
# and the MSP admin account (NAdmin). Every other member is removed.
# Caveat: $env:USERDOMAIN is the domain of the account running the script; under a
# service account such as SYSTEM it may not be the AD domain name, so verify it in
# the RMM context before enforcing.
$LocalDomain = $env:USERDOMAIN
$DomainAdmins = "$LocalDomain\Domain Admins"
$ComputerName = $env:COMPUTERNAME
$OEMAdministrator = "$ComputerName\Administrator"
$MSPAdministrator = "$ComputerName\NAdmin"

# Get-LocalGroupMember returns names as DOMAIN\Name or COMPUTER\Name, matching the strings above
Get-LocalGroupMember Administrators | ForEach-Object {
    $UserName = $_.Name
    "Found: $UserName"
    If (($UserName -ne $DomainAdmins) -and ($UserName -ne $OEMAdministrator) -and ($UserName -ne $MSPAdministrator)) {
        "Removing $UserName from local Administrators group."
        Remove-LocalGroupMember -Group Administrators -Member $UserName
    }
    ""
}

Enjoy !
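An added variant of the removal above (example code, not the script posted in this thread): it identifies the accounts to keep by SID rather than by name, so a renamed built-in Administrator (always RID 500 on the machine) or the domain's Domain Admins group (RID 512) is preserved even when names differ, and it only reports unless `-Enforce` is passed. `NAdmin` is the MSP account named in the thread; the function name and parameters are this example's own.

```powershell
# Added example: allow-list based cleanup of the local Administrators group.
# Default is report-only; add -Enforce (and optionally -WhatIf) to act.
function Remove-UnapprovedLocalAdmin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$KeepNames = @('NAdmin'),   # extra accounts to keep, matched by short name
        [switch]$Enforce                      # without it, nothing is changed
    )

    # Every local account carries the machine's domain SID; use it to recognise
    # THIS machine's built-in Administrator (RID 500) and not a domain account
    # that also happens to end in -500.
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value

    # Administrators is addressed by its well-known SID so a renamed group still resolves.
    # Note: on Windows PowerShell 5.1 this call can fail when the group contains an
    # orphaned SID; clean that entry up first if it does.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    foreach ($m in $members) {
        $sid  = $m.SID.Value
        $name = ($m.Name -split '\\')[-1]    # strip COMPUTER\ or DOMAIN\ prefix
        $keep = ($sid -eq "$machineSid-500") -or      # built-in Administrator of this machine
                ($sid -like 'S-1-5-21-*-512') -or      # Domain Admins of the joined domain
                ($KeepNames -contains $name)           # MSP account(s), case-insensitive

        if ($keep) {
            Write-Output "Keeping      : $($m.Name) [$sid]"
            continue
        }

        if ($Enforce -and $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            # Pass the principal object itself so removal works by SID, not by display name
            Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $m
            Write-Output "Removed      : $($m.Name) [$sid]"
        } else {
            Write-Output "Would remove : $($m.Name) [$sid]"
        }
    }
}

# Report only (safe to run anywhere); review the output, then run with -Enforce.
Remove-UnapprovedLocalAdmin
# Remove-UnapprovedLocalAdmin -Enforce -KeepNames 'NAdmin', 'BreakGlass'   # hypothetical second account
```

Comparing by SID also sidesteps the `$env:USERDOMAIN` dependency in the posted script, which may not hold the AD domain name when the RMM agent runs the script as SYSTEM.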

Hey, just a tip @Prabhpal_Singh: you will want to use the “” tag around your code. Otherwise it's not formatted correctly and might lead to some issues later.

1 Like

Thank you for the correction.

Here I am disabling all users except Administrator and re-enabling the “NAdmin” local user. I did not know the command to preserve the NAdmin user in one command, so this is kind of a workaround, but it works just fine. If anyone knows how to preserve Administrator and NAdmin in the same command, please update here.

# Disable every local user except Administrator, then turn NAdmin back on
Get-LocalUser | Where-Object { $_.Name -ne 'Administrator' } | Disable-LocalUser
Start-Sleep -Seconds 2
Enable-LocalUser -Name "NAdmin"

why not just

Get-LocalUser | Where-Object {$_.Name -notin @('Administrator', 'NAdmin')} | Disable-LocalUser

Dear Travis,

I want to extend my appreciation for the important role that you and your team play in creating and maintaining our SyncroMSP community. Your efforts have been instrumental in making this community thrive.

Best regards,

Hello Guys,

#Special thanks to Daniel Hedges and Travis for giving us these scripts.

As we move forward with the development:

  1. As explained above, Jimmie's script retrieves all users who are part of the local Administrators group.

  2. As explained above, create a custom field titled “Local Admin” in Syncro to store the names of the users who are part of the local Administrators group, using Jimmie's script.

  3. If you run the script at this point, it will publish the names of the users who are part of the local Administrators group to the “Local Admin” custom field created earlier.

  4. Then Travis took the initiative and assisted us in creating a command (script) to disable all users who belong to the local Administrators group, except for the accounts we want to preserve: “Administrator” and “NAdmin”.

  5. Once this is completed, the process could be considered finished. However, if there is interest in further development, we can proceed to generate alerts in Syncro and create tickets accordingly.

We need to define the requirements to support this development (generating alerts in Syncro). Key requirements include:

  1. We will have to create a platform variable in Syncro named “localadmins”.
  2. Developing a script to implement the alert functionality.

To create the platform variable in Syncro, follow these steps:

  1. Log in to your Syncro instance.
  2. Navigate to the Admin section and click on Scripts.
  3. Click on New Script.
  4. Provide a name and description for your script.
  5. Click the “Add Script Variable” button.
  6. In the Variable Name field, type localadmins (WITHOUT QUOTES) and ensure the spelling of the variable name is accurate.
  7. Select Platform as the Variable Type.
  8. In the Value field, enter or select {{asset_custom_field_local_admin}}
  9. Copy and paste the script provided below into the corresponding field.

Import-Module $env:SyncroModule

# $localadmins is the platform variable created in step 6 above; it holds the
# comma-separated contents of the "Local Admin" custom field for this asset
$admins = $localadmins -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
$acceptableValues = @('Administrator', 'NAdmin')
foreach ($user in $admins) {
    Write-Host "Checking $user"
    if ($user -notin $acceptableValues) {
        Rmm-Alert -Category 'Invalid Local Admin' -Body "Local Admin User $user found"
    }
}

Schedule both scripts

Schedule the script that sets the Local Admin asset field BEFORE the script that checks the field and creates an alert, so that the field is up to date. Schedule the first script to run once a week on Monday at 8am and the second script at 10am.

In this single community post, we have successfully implemented a solution to identify unauthorized local administrators, automate the process of disabling or deleting them, and generate alerts within Syncro.

Thank you

1 Like
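Pulling Jimmie's collection script and the alert script above together, here is an added example (not code from this thread or from Syncro) that does both steps in one run: it enumerates the local Administrators group, writes the "Local Admin" custom field as a comma-separated list, and raises a single alert if anyone outside the approved list is present. Doing it in one pass removes the need to schedule the two scripts two hours apart, since the field can never be stale when the check runs. It assumes only the Syncro module's `Set-Asset-Field` and `Rmm-Alert` as used in the thread; the function names and the approved list are this example's own choices.

```powershell
# Added example: audit local admins, store the field and alert in a single script.
$Approved = @('Administrator', 'NAdmin')   # the two accounts the thread keeps

function Get-LocalAdminMembers {
    # One object per member of the local Administrators group. Get-LocalGroupMember
    # (PowerShell 5.1+) is tried first; on Windows PowerShell 5.1 it can fail outright
    # when the group holds an orphaned SID (a deleted domain account), so fall back
    # to the ADSI WinNT provider Jimmie's script uses. The group is addressed by its
    # well-known SID S-1-5-32-544 so a renamed Administrators group still resolves.
    try {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Name   = ($_.Name -split '\\')[-1]   # strip COMPUTER\ or DOMAIN\ prefix
                Source = "$($_.PrincipalSource)"     # Local, ActiveDirectory, MicrosoftAccount
                Orphan = ($_.Name -match '^S-1-5-')  # an unresolved SID is reported as the SID string
            }
        }
    } catch {
        $group = [ADSI]'WinNT://localhost/Administrators,group'
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            try { $name = ([ADSI]$m).InvokeGet('Name') } catch { $name = 'UNRESOLVED-SID' }
            [pscustomobject]@{
                Name   = $name
                Source = 'Unknown'
                Orphan = ($name -match '^S-1-5-|^UNRESOLVED')
            }
        }
    }
}

function Get-LocalAdminAudit {
    param([object[]]$Members, [string[]]$Approved)
    # Orphaned entries are kept and marked: a stale SID in Administrators is still a
    # privilege grant that should be cleaned up, and it must never match the allow-list.
    $names = $Members | ForEach-Object {
        if ($_.Orphan) { "ORPHANED:$($_.Name)" } else { $_.Name }
    } | Sort-Object -Unique
    [pscustomobject]@{
        # Comma-separated on purpose: writing the raw array to the field joins the
        # names with spaces, which a later -split ',' cannot undo and which also
        # breaks names that contain spaces such as "Domain Admins".
        FieldValue = ($names -join ', ')
        Unexpected = @($names | Where-Object { $Approved -notcontains $_ })
    }
}

$audit = Get-LocalAdminAudit -Members (Get-LocalAdminMembers) -Approved $Approved
Write-Output "Local Admin field value: $($audit.FieldValue)"

if ($env:SyncroModule) {
    Import-Module $env:SyncroModule
    Set-Asset-Field -Name 'Local Admin' -Value $audit.FieldValue
    if ($audit.Unexpected.Count -gt 0) {
        # One alert per asset per run rather than one per user, so a machine with
        # ten stray admins does not create ten alerts to triage.
        Rmm-Alert -Category 'Invalid Local Admin' `
            -Body "Unapproved local admins on $($env:COMPUTERNAME): $($audit.Unexpected -join ', ')"
    }
} elseif ($audit.Unexpected.Count -gt 0) {
    # Outside Syncro (e.g. testing on a workstation) just print the findings
    Write-Output "Unapproved local admins: $($audit.Unexpected -join ', ')"
}
```

Because the allow-list check runs against the live group membership, the "Local Admin" field becomes a record for reporting rather than the input to the alert, so a missed or delayed run of a collection script can no longer suppress an alert.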