
Local Administrators Members

***2015-05-21 - Moving to Inventory - Questions forum***

I would like to see a collection showing any computer that has members of the Administrators group that are not part of a certain set.


Computer1 has Administrators and Domain Admins under the Local Administrators group

Computer2 has Administrators, Domain Admins, and Unauthorized Local Admin under the Administrators group

Computer2 would show up as it has the Unauthorized Local Admin user in the Administrators group.



  • I was able to kind of do this with a report. Create a basic report with the columns "Computer/Name" and "Local Group Member/Name". For the Filter add a Value Filter of "Local Group/Name/Equals/Administrators" and 2 more Value Filters like "Local Group Member/Name/Does Not Equal/Administrator".


    Clear as mud, right? The screenshots probably make WAY more sense :D


    I tried doing this with a collection, but I can't figure out how to make it work. I either get every computer in the database or zero computers. I even tried to get fancy and use regex, but that didn't work either.

  • The reason we haven't added this is because many companies have different names for approved accounts.

    For Reports or Collections you have two options when it comes to the filters.

    You can use one Does Not Match Expression filter. Don't get confused by the ^ and $. They aren't strictly necessary. ^ simply means that the string begins with the following character and the $ means that is the end of the string. ^Administrator$ means the name must be Administrator while ^Administrator means the name could be Administrator HQ (basically the account name begins with Administrator). The pipe | means OR.



    Or to have different filter groups for each account name. Notice how all four sub groups are on the same level (directly under the main group).
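
The "Does Not Match Expression" filter above is a plain regular expression, so the anchoring point is easy to check outside PDQ. The following is an added example (not code from the original thread or from PDQ) that models the filter over a constructed membership list: `APPROVED` is the anchored expression from the post, `LOOSE` drops the `$` after `Administrator` to show what that lets through. The assumption that matching is case-insensitive (as Windows account names are) is mine.

```python
import re

# Constructed sample of what the "Local Group Member / Name" column would hold for
# each computer's Administrators group.  Not real inventory data.
INVENTORY = {
    "Computer1": ["Administrator", "Domain Admins"],
    "Computer2": ["Administrator", "Domain Admins", "Unauthorized Local Admin"],
    "Computer3": ["Administrator HQ", "Domain Admins"],
}

# Equivalent of one "Does Not Match Expression" filter: ^ and $ pin the name to
# the whole string, | is OR.  Assumption: PDQ compares names case-insensitively.
APPROVED = re.compile(r"^Administrator$|^Domain Admins$", re.IGNORECASE)

# Same expression without the $ after Administrator: any name that merely
# *begins* with "Administrator" (e.g. "Administrator HQ") now counts as approved.
LOOSE = re.compile(r"^Administrator|^Domain Admins$", re.IGNORECASE)


def unauthorized_members(members, approved=APPROVED):
    """Members of one computer's Administrators group that do not match
    the approved-name expression (what the filter would keep)."""
    return [m for m in members if not approved.search(m)]


def computers_with_unauthorized_admins(inventory, approved=APPROVED):
    """Computer name -> unauthorized members, omitting clean computers.
    This is the collection the original question asked for."""
    flagged = {}
    for computer, members in inventory.items():
        bad = unauthorized_members(members, approved)
        if bad:
            flagged[computer] = bad
    return flagged


if __name__ == "__main__":
    print("anchored:", computers_with_unauthorized_admins(INVENTORY))
    print("loose:   ", computers_with_unauthorized_admins(INVENTORY, LOOSE))
```

With the anchored expression Computer2 and Computer3 are flagged; with the loose one only Computer2 is, because "Administrator HQ" slips through. That is the practical reason to keep the `$` on an allow-list of admin account names.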


  • Thank you Shane, this is very helpful!

  • What I do is just set group policy to remove all user accounts from local admins group and only allow groups to be in local admins.

    This way you just manage the groups on the domain and don't worry about any computers getting users added to the local admin group.

  • Great point, Mike

    GPOs are very helpful in these situations. I'm definitely a fan of "set it and forget it".

  • Here is a simple script you can use as well. You can set it as a startup script or push it out with PDQ. This will delete all accounts and groups except for the ones specified. You can tack on as many accounts or groups to exclude by adding additional And (sAdmGrpUser <> "user_or_group_name") clauses.




    'This script will remove all unwanted user accounts from local administrators group.
    'It must run with administrative rights (e.g. as a startup script) for Remove to succeed.
    Set wshShell = WScript.CreateObject( "WScript.Shell" )
    strComputerName = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )
    sNode = strComputerName

    'Note: this suppresses all errors, including a failed Remove.
    On Error Resume Next

    ' group name to remove user from
    Set oGroupAdm = GetObject("WinNT://" & sNode & "/Administrators")

    ' loop through all members of the Administrators group
    For Each oAdmGrpUser In oGroupAdm.Members

        ' get the name and make it lowercase
        sAdmGrpUser = LCase(oAdmGrpUser.Name)

        ' Leave administrator and Domain Admins alone
        ' use lowercase letters in the names in the If statement!
        If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then
            'msgbox oAdmGrpUser.Name
            ' remove users from Administrators group
            oGroupAdm.Remove oAdmGrpUser.ADsPath
        End If
    Next

  • Check out this updated forum post for further information:

    Local Admins Report

  • Is there a way to tweak the report filter to show when the current user is in the local admins group? That isn't a system variable, but is there a way to run some PowerShell code or something in this filter field?

  • @Shapiro, Jonathan

    You can add "Computer | Current User Name" to the Columns.

  • Actually, I was looking for a filter to apply to limit the rows in the report to show those computers that the current user is in the local administrators group.


  • I think I was able to create a SQL report that does what you want.

    SELECT Computers.Name as "Computer Name",
        Computers.CurrentUser as "Current User",
        LocalGroupMembers.UserName as "Local Group Member Name"
    FROM Computers
        INNER JOIN LocalGroupMembers ON LocalGroupMembers.ComputerId = Computers.ComputerId
    WHERE <ComputerFilter>
        AND LocalGroupMembers.GroupName = 'Administrators'
        -- LIKE syntax from:
        AND Computers.CurrentUser LIKE '%'||LocalGroupMembers.UserName||'%'
        AND NOT LocalGroupMembers.UserName LIKE 'Administrator'
        AND NOT LocalGroupMembers.UserName LIKE 'Domain Admins'
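
The report above matches the current user against group members with a substring LIKE, which is loose: a member named `bob` also matches a current user of `CORP\bobby`. The following is an added example (not code from the thread or from PDQ) that runs the posted query against a constructed in-memory SQLite database using only the table and column names the report itself references, and beside it a stricter variant that compares the account part after the backslash exactly. Assumptions that are mine: the two-table schema is a constructed subset of PDQ's, PDQ's `<ComputerFilter>` placeholder is replaced by `1=1`, and `CurrentUser` holds `DOMAIN\user`.

```python
import sqlite3

# Constructed subset of the PDQ Inventory tables the report uses; only the
# columns the posted query touches are modelled.
SCHEMA = """
CREATE TABLE Computers (ComputerId INTEGER PRIMARY KEY, Name TEXT, CurrentUser TEXT);
CREATE TABLE LocalGroupMembers (ComputerId INTEGER, GroupName TEXT, UserName TEXT);
"""

# Sample rows (constructed, not real inventory data).
COMPUTERS = [
    (1, "Computer1", r"CORP\alice"),
    (2, "Computer2", r"CORP\bob"),
    (3, "Computer3", r"CORP\bobby"),
]
MEMBERS = [
    (1, "Administrators", "Administrator"),
    (1, "Administrators", "Domain Admins"),
    (2, "Administrators", "Administrator"),
    (2, "Administrators", "bob"),
    (3, "Administrators", "Administrator"),
    (3, "Administrators", "bob"),            # bob is an admin on Computer3; bobby is not
    (3, "Remote Desktop Users", "bobby"),    # wrong group, must be ignored
]

# The report as posted, with <ComputerFilter> replaced by a tautology so it
# runs outside PDQ.  '||' is SQLite string concatenation.
POSTED_REPORT = """
SELECT Computers.Name AS "Computer Name",
       Computers.CurrentUser AS "Current User",
       LocalGroupMembers.UserName AS "Local Group Member Name"
FROM Computers
    INNER JOIN LocalGroupMembers ON LocalGroupMembers.ComputerId = Computers.ComputerId
WHERE 1=1
    AND LocalGroupMembers.GroupName = 'Administrators'
    AND Computers.CurrentUser LIKE '%' || LocalGroupMembers.UserName || '%'
    AND NOT LocalGroupMembers.UserName LIKE 'Administrator'
    AND NOT LocalGroupMembers.UserName LIKE 'Domain Admins'
ORDER BY Computers.Name
"""

# Stricter variant (added here): take the part of CurrentUser after the
# backslash and compare it to the member name exactly (case-insensitively),
# so 'bob' no longer matches a current user of 'bobby'.
STRICT_REPORT = """
SELECT Computers.Name, Computers.CurrentUser, LocalGroupMembers.UserName
FROM Computers
    INNER JOIN LocalGroupMembers ON LocalGroupMembers.ComputerId = Computers.ComputerId
WHERE LocalGroupMembers.GroupName = 'Administrators'
    AND lower(substr(Computers.CurrentUser, instr(Computers.CurrentUser, '\\') + 1))
        = lower(LocalGroupMembers.UserName)
    AND lower(LocalGroupMembers.UserName) NOT IN ('administrator', 'domain admins')
ORDER BY Computers.Name
"""


def build_db():
    """Create the in-memory database and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO Computers VALUES (?, ?, ?)", COMPUTERS)
    con.executemany("INSERT INTO LocalGroupMembers VALUES (?, ?, ?)", MEMBERS)
    return con


def run_report(sql):
    """Run one of the reports and return its rows as tuples."""
    con = build_db()
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    print("posted report:", run_report(POSTED_REPORT))
    print("strict report:", run_report(STRICT_REPORT))
```

The posted report returns Computer2 and Computer3, the second one only because `bobby` contains `bob`; the strict variant returns Computer2 alone. In PDQ the `<ComputerFilter>` placeholder stays as written and the report is attached to a collection for scoping, as the later reply in this thread describes.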


  • I'm jealous of what you SQL guys can do. This really works. Thank you so much.

    I need to tweak it to add a few more columns. I need computer IP address, AD parent folder, computer O/S, and maybe O/S install date. I also would like it to run against machines that have been scanned in the last 25 days (active machines). I did that by attaching it to a collection source, but there is probably some SQL code to do the same.

    For a hack like me, is there a way to look at the SQL from a standard report?  Then I can get the names/tables of the fields I need to do this myself and maybe learn something?

  • Well, I realize the SQL editor provides all that.  It lists tables/columns.  This is a big help.

  • I was able to figure out how to add the additional columns I need.

    I am curious, though, is there a way to convert or view standard reports as SQL?  

  • Cool, I'm glad that worked for you and that you were able to add the columns you wanted.

    No, there is no way to convert a Basic Report into SQL.