Local admins powershell script

Anyone has a ps script that takes input from .csv file of computer names, and outputs another csv file with the local admins on those computers? My searches returned too many hits, some worked but they did not take input from a file.

Comments

  • 636-555-3226 Posts: 976 Member
    Good question. I could use this in my environment if anybody has one. Wonder if there's a Nessus plug-in for that? Seems like something someone has made something for before
  • DoubleNNs Posts: 2,013 Member
    The "Get-Content" cmdlet reads content from a text file, which seems like it could be abbreviated as "gc."
    $servers_list = gc file.txt
    Would probably save the contents of your file as a variable, which you could then iterate through, using a For or Foreach loop.

    I don't know any Powershell (or much about Windows in general haha) and too lazy to spin up a Windows VM at the moment. But if you show me what you have so far (the scripts you said worked), maybe I could put something together for you tomorrow.

    Edit: Or, alternatively, if you have Python available on whatever computer you're going to run the script, maybe I could write a short Python script for you?
    Goals for 2018:
    Certs: RHCSA, LFCS: Ubuntu, CNCF CKA, CNCF CKAD | AWS Certified DevOps Engineer, AWS Solutions Architect Pro, AWS Certified Security Specialist, GCP Professional Cloud Architect
    Learn: Terraform, Kubernetes, Prometheus & Golang | Improve: Docker, Python Programming
    To-do | In Progress | Completed
  • NetworkNewb They are watching you Posts: 3,117 Member
    Could try this... did some editing on a function I found online. Will just need to edit the last "import-csv" line for your csv file path and out-file path (where you want to save it). Also in your csv file that lists the computer names just make sure there is a header called "ComputerName". I ran it on my computer and it worked. Just don't know how it will work on other machines. Or how the formatting will look with multiple machines.

    function get-localadmins{
        [cmdletbinding()]
        Param(
            [string]$computerName
        )
        # Find the local Administrators group by its well-known SID (S-1-5-32-544), so a renamed group is still matched
        $group = get-wmiobject win32_group -ComputerName $computerName -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
        # Win32_GroupUser links a group to its members; filter on the group reference found above
        $query = "GroupComponent = `"Win32_Group.Domain='$($group.domain)'`,Name='$($group.name)'`""
        $list = Get-WmiObject win32_groupuser -ComputerName $computerName -Filter $query
        # PartComponent looks like ...:Win32_UserAccount.Domain="HOST",Name="user"; reduce it to HOST\user
        $list | %{$_.PartComponent} | % {$_.substring($_.lastindexof("Domain=") + 7).replace("`",Name=`"","\").Trim('"')}
    }

    import-csv -path C:\input.csv | foreach-object { get-localadmins $_.ComputerName } | out-file C:\output.csv
  • NetworkNewb They are watching you Posts: 3,117 Member
    Just tried it out here at work, it does work. But there was an extra space in the code that was messing it up. Also, it just puts everything into one line... Cleaned it up a tiny bit to make it easier to read with multiple computer names as well. Instead of explaining where the one extra space is, here is all the code again so you can just copy and paste it. Let me know if that works on your end.

    function get-localadmins{
        [cmdletbinding()]
        Param(
            [string]$computerName
        )
        # Find the local Administrators group by its well-known SID (S-1-5-32-544), so a renamed group is still matched
        $group = get-wmiobject win32_group -ComputerName $computerName -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
        # Win32_GroupUser links a group to its members; filter on the group reference found above
        $query = "GroupComponent = `"Win32_Group.Domain='$($group.domain)'`,Name='$($group.name)'`""
        $list = Get-WmiObject win32_groupuser -ComputerName $computerName -Filter $query
        # PartComponent looks like ...:Win32_UserAccount.Domain="HOST",Name="user"; reduce it to HOST\user
        $list = $list | %{$_.PartComponent} | % {$_.substring($_.lastindexof("Domain=") + 7).replace("`",Name=`"","\").Trim('"')}
        # Prefix the member list with the computer name and end it with a blank line so hosts are separated in the output
        $list = ,("Computer Name: " + $computerName) + $list
        $list += " "
        return $list
    }

    import-csv -path C:\input.csv | foreach-object { get-localadmins $_.ComputerName } | out-file C:\output.csv
  • NetworkNewb They are watching you Posts: 3,117 Member
    Alright, that's weird. Must be something with this text input screen that causes an extra space in that one spot... I can't even edit my post to remove it because when I select "edit post" the extra space isn't there. Well, the extra space is in the function, the line that starts with $query. Towards the end of the line where it says $($ group.name), it should be $($group.name)
  • TheFORCE Posts: 2,224 Member
    Cool, that's nice of you man. I played around a bit more yesterday on my lab with the other scripts I had and got one of them to work this morning. I'll give yours a try later also. Still scanning.
  • NetworkNewb They are watching you Posts: 3,117 Member
    No worries, I enjoy working on those. Will have to store it away in my script folder for a rainy day when it might come in use. Maybe Mr.Plow will find a use for it.
  • iBrokeIT Posts: 1,150 Member
    As a security professional you should definitely look into PowerShell Empire and the PowerView module for enumerating a Windows environment.

    Great blog by the co-creator of Empire: harmj0y - security at the misfortune of others

    A few of the functions of PowerView:
    • Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
    • Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain
    • Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
    • Invoke-StealthUserHunter - finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users
    • Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines
    • Invoke-UserEventHunter - hunts for user logon events in domain controller event logs

    Git: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
  • NetworkNewb They are watching you Posts: 3,117 Member
    That Powershell Empire definitely looks interesting. Might have to check that one out after the elearnsecurity PTP course
  • TheFORCE Posts: 2,224 Member
    I'll have to look into that, using my phone now so can't click on those links.
  • knownhero Posts: 450 Member
    $Computer = Get-Content "c:\temp\names.csv"
    # Note: "net localgroup" only queries the machine the script runs on; $i is never used
    foreach ($i in $Computer) { net localgroup administrators }
    I was looking at your message again and noticed you wanted to output the file again. So I went back to the drawing board; someone has actually done what I was kinda going to do.

    $Computers = Get-Content 'c:\temp\computernames.csv'
    $Result = 'c:\temp\test.csv'
    $results = @()
    foreach ($Computer in $Computers)
    {
        $admins = @()
        # Bind to the remote machine's Administrators group through the WinNT ADSI provider
        $group = [ADSI]"WinNT://$Computer/Administrators"
        # Members come back as COM objects; read each one's Name via reflection
        $members = @($group.psbase.Invoke("Members"))
        $members | foreach {
            $obj = new-object psobject -Property @{
                Server = $Computer
                Admin  = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
            }
            $admins += $obj
        }
        $results += $admins
    }
    $results | Export-Csv $Result -NoTypeInformation

    You don't need to go into the Wmi object to achieve this.
    70-410 [x] 70-411 [x] 70-462[x] 70-331[x] 70-332[x]
    MCSE - SharePoint 2013 :thumbup:

    Road map 2017: JavaScript and modern web development
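An added audit script, not written by anyone in this thread, that covers what the posts above were working toward: it reads computer names from a CSV (assumed "ComputerName" header), looks up the Administrators group by its well-known SID rather than by name, records hosts that cannot be queried instead of stopping, and writes a proper CSV. It assumes the file paths shown, WinRM enabled on the targets, and PowerShell 5.1 or later there for Get-LocalGroupMember.

```powershell
# Added audit script (not from this thread). Assumed: input CSV has a "ComputerName" header,
# WinRM is enabled on the targets, and they run PowerShell 5.1+ (Get-LocalGroupMember).
[CmdletBinding()]
param(
    [string]$InputCsv  = 'C:\input.csv',    # assumed path
    [string]$OutputCsv = 'C:\output.csv'    # assumed path
)

# Well-known SID of BUILTIN\Administrators: still matches if the group was renamed or the OS is localized
$adminSid = 'S-1-5-32-544'

$rows = foreach ($entry in (Import-Csv -Path $InputCsv)) {
    $name = $entry.ComputerName
    try {
        $members = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -SID $using:adminSid |
                Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'Sid'; e = { $_.SID.Value } }
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                ComputerName = $name
                Member       = $m.Name              # DOMAIN\user or HOST\user
                ObjectClass  = $m.ObjectClass       # User or Group; a Group means nested membership worth expanding
                Source       = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                Sid          = $m.Sid
                Status       = 'OK'
            }
        }
    }
    catch {
        # Unreachable or access-denied hosts are recorded instead of aborting the whole run
        [pscustomobject]@{
            ComputerName = $name; Member = ''; ObjectClass = ''; Source = ''; Sid = ''
            Status       = "ERROR: $($_.Exception.Message)"
        }
    }
}

$rows | Export-Csv -Path $OutputCsv -NoTypeInformation

# Quick review: which principals are admins on the most machines, and which hosts could not be queried
$rows | Where-Object Status -eq 'OK' | Group-Object Member | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$rows | Where-Object Status -ne 'OK' | Select-Object ComputerName, Status
```

Rows with ObjectClass "Group" are domain groups nested into local Administrators; their membership is not expanded here, so check them separately when reviewing who really holds admin rights.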
