Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain, but customers are unable to add new posts or comment on existing ones. Please feel free to join our Community Discord for any questions and discussions.

Local Admin Group Contains Member

I need to make a report that will list computers missing a specific local user from the local admin groups. We have a variety of local users in the local admin group, which is fine, but I need to ensure that a single local user is in all local admin groups across all computers. I can't figure out how to set up the report so that it filters out computers that contain that local user.

0

2 comments
  • I have 2 similar SQL ones to offer; you can play around with them, maybe it helps...

    Show PCs where users are in Local Admin group:

    SELECT
       Computers.Name as "Computer Name",
       Computers.CurrentUser as "Current User",
       LocalGroupMembers.UserName as "Local Group Member Name",
       LocalGroupMembers.GroupName as "Local Group Member Group"
    FROM Computers
       INNER JOIN LocalGroupMembers ON LocalGroupMembers.ComputerId = Computers.ComputerId
    WHERE <ComputerFilter>
       AND LocalGroupMembers.GroupName = 'Administrators'
       -- keep only rows where the logged-on user is the group member
       AND Computers.CurrentUser LIKE '%'||LocalGroupMembers.UserName||'%'
       AND NOT LocalGroupMembers.UserName LIKE 'Administrator'
       AND NOT LocalGroupMembers.UserName LIKE 'Domain Admins'
    ORDER BY Computers.Name
    

    All AD Members in Local PC Admin Group who are NOT supposed to be there or not Computer Default

    SELECT
       Computers.Name as "Computer Name",
       Computers.CurrentUser as "Current User",
       LocalGroupMembers.UserName as "Local Group Member Name",
       Computers.ADDisplayName as "AD Full Name"
    FROM Computers
       INNER JOIN LocalGroupMembers ON LocalGroupMembers.ComputerId = Computers.ComputerId
    WHERE <ComputerFilter>
       AND LocalGroupMembers.GroupName = 'Administrators'
       AND Computers.CurrentUser LIKE '%'||LocalGroupMembers.UserName||'%'
       AND NOT LocalGroupMembers.UserName LIKE 'Administrator'
       AND NOT LocalGroupMembers.UserName LIKE 'Domain Admins'
       AND NOT LocalGroupMembers.UserName LIKE 'admin'
       AND NOT LocalGroupMembers.UserName LIKE 'MY AD GROUP'
       AND NOT LocalGroupMembers.UserName LIKE 'MY DIFFERENT AD GROUP'
    
    0
  • If you just need the report, then you can define one in PDQ Inventory as below. If you want to use Deploy to fix the missing users, then define a collection with the following lines:

    ALL Local Group Name Contains Administrator

    Local Group Member Name Does not contain single local user

    You can then run a PDQ Deploy PowerShell command against the report to add the required account to the local Admin group:

    Add-LocalGroupMember -SID S-1-5-32-544 -Member enteryouruserhere

    This will add the user to the local admin group.

    0
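The question asks for an absence check, which an INNER JOIN on LocalGroupMembers cannot express on its own. The following SQL report is an added example, not code from either commenter or from PDQ: it reuses the tables, columns and `<ComputerFilter>` placeholder from the first comment's queries, and both the account name `requiredlocaladmin` and the assumption that UserName holds the bare account name are hypothetical.

```sql
-- Added example: computers whose local Administrators group does NOT
-- contain a required local account.
-- 'requiredlocaladmin' is a placeholder; replace it with the real account.
SELECT
   Computers.Name AS "Computer Name",
   Computers.CurrentUser AS "Current User"
FROM Computers
WHERE <ComputerFilter>
   -- Only consider computers that have Administrators rows at all.
   -- A computer with no scanned group data would otherwise be reported
   -- as missing the account when its state is simply unknown.
   AND EXISTS (
      SELECT 1
      FROM LocalGroupMembers AS Scanned
      WHERE Scanned.ComputerId = Computers.ComputerId
         AND Scanned.GroupName = 'Administrators'
   )
   -- The anti-join: no Administrators row for this computer names the account.
   AND NOT EXISTS (
      SELECT 1
      FROM LocalGroupMembers AS Required
      WHERE Required.ComputerId = Computers.ComputerId
         AND Required.GroupName = 'Administrators'
         -- Assumption: UserName stores the bare account name, as the
         -- comparisons in the first comment's queries suggest. LIKE without
         -- wildcards is used there as a case-insensitive match.
         AND Required.UserName LIKE 'requiredlocaladmin'
   )
ORDER BY Computers.Name
```

Computers excluded by the EXISTS check have no recorded Administrators members and need a fresh scan before their membership can be judged either way.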