Weekend Scripter: Use PowerShell to Find Local Administrators on a Computer


Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell and WMI CIM associations to find local administrators.

Microsoft Scripting Guy, Ed Wilson, is here. Well, we have been really lucky the past couple of days in Charlotte, North Carolina—at least weather wise. Yesterday, it was 60 degrees Fahrenheit and it was sunny with a clear blue sky. I am sitting on the lanai sipping a nice cup of green tea with a cinnamon stick, lemon grass, Jasmine flowers, and just a little bit of lavender. It tastes as great as it smells—certainly a nice way to relax and ease into the day.

Use WMI to find members of the local administrator group

When I can get away with it, I love simplicity. Once you know Windows Management Instrumentation (WMI), the world of Windows administration opens to you. In fact, with the introduction of the CIM cmdlets in Windows PowerShell 3.0, and the movement towards Open Management Infrastructure (OMI), knowing how to use this technology becomes much more important—it is knowledge you can leverage over and over in your daily work.

Anyway, today I was playing around with association WMI classes, and I decided to spend a bit of time using the Win32_GroupUser WMI class.

Note   I talk about WMI associations in Use PowerShell CIM Cmdlets to Discover WMI Associations.

This association class references two other classes: Win32_Group and Win32_Account. This information is shown here.

15:56 C:\> Get-CimClass win32_groupuser | select -expand cimclassproperties

Name               : GroupComponent
Value              :
CimType            : Reference
Flags              : Property, Key, ReadOnly, NullValue
Qualifiers         : {Aggregate, read, key, MappingStrings...}
ReferenceClassName : Win32_Group

Name               : PartComponent
Value              :
CimType            : Reference
Flags              : Property, Key, ReadOnly, NullValue
Qualifiers         : {read, key, MappingStrings, Override}
ReferenceClassName : Win32_Account

By using Windows PowerShell 2.0 (or Windows PowerShell 3.0), I can query this association class directly with the Get-WmiObject cmdlet. I then keep only the instances whose GroupComponent matches administrators, and for each of those I hand the PartComponent reference path to the [wmi] type accelerator, which retrieves the account the path points to. As the output above shows, the PartComponent property references the Win32_Account and the GroupComponent property references the Win32_Group. Both properties hold reference paths (strings), so -match 'administrators' is a substring match on the path: it also matches any other group whose name contains that word, and on a domain-joined computer it matches domain groups as well, because Win32_GroupUser enumerates their memberships too.

Get-WmiObject win32_groupuser |
Where-Object { $_.GroupComponent -match 'administrators' } |
ForEach-Object {[wmi]$_.PartComponent }

When I run the code, the following appears in the Windows PowerShell console.

16:03 C:\> Get-WmiObject win32_groupuser |
>> Where-Object { $_.groupcomponent -match 'administrators' } |
>> ForEach-Object {[wmi]$_.partcomponent }
>>

AccountType : 512
Caption     : edLT\Administrator
Domain      : edLT
SID         : S-1-5-21-3464415469-1849125893-2015719117-500
FullName    :
Name        : Administrator

AccountType : 512
Caption     : edLT\ed
Domain      : edLT
SID         : S-1-5-21-3464415469-1849125893-2015719117-1001
FullName    :
Name        : ed

Caption : IAMMRED\Domain Admins
Domain  : IAMMRED
Name    : Domain Admins
SID     : S-1-5-21-1457956834-3844189528-3541350385-512

The previous command is a single logical line, but it is broken at the pipe characters for ease of reading. By using the simplified Where-Object syntax of Windows PowerShell 3.0, and a few aliases, I can reduce this to a single physical line. The command is shown here.

gwmi win32_groupuser | ? groupcomponent -match 'administrators' | % {[wmi]$_.partcomponent}
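Because GroupComponent is a reference path, a -match on the word "administrators" picks up every group whose name contains it, and on a domain-joined machine it walks domain group memberships too, which is slow. The following is an added example, not code from the original post: it anchors a WQL ASSOCIATORS OF query on the one Win32_Group instance whose Domain is the computer itself and whose Name is exactly Administrators, so only that group's direct members come back. It still uses Get-WmiObject and so runs on Windows PowerShell 2.0; the function name Get-LocalAdminMember is my own.

```powershell
# Added example (not from the original post). Enumerates the direct members of the
# local Administrators group through the Win32_GroupUser association without
# substring-matching the group name. Assumes Get-WmiObject (Windows PowerShell 2.0+).
function Get-LocalAdminMember {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # The object path inside the braces names exactly one group: the local group
    # called Administrators, whose Domain is the computer name. Role = GroupComponent
    # says the source object sits on the GroupComponent end of the association, so
    # the query returns the PartComponent (member) objects only.
    $query = "ASSOCIATORS OF {Win32_Group.Domain='$ComputerName',Name='Administrators'} " +
             "WHERE AssocClass = Win32_GroupUser Role = GroupComponent"

    Get-WmiObject -ComputerName $ComputerName -Query $query |
        ForEach-Object {
            # Members come back as concrete Win32_Account subclasses:
            # Win32_UserAccount (a user), Win32_Group (a nested group) or
            # Win32_SystemAccount (a built-in such as NT AUTHORITY\SYSTEM).
            New-Object PSObject -Property @{
                ComputerName = $ComputerName
                Member       = $_.Caption                        # DOMAIN\Name
                Type         = $_.__CLASS -replace '^Win32_', '' # UserAccount, Group, ...
                IsLocal      = ($_.Domain -eq $ComputerName)     # local vs domain principal
                SID          = $_.SID
            }
        }
}

# Usage: list the members of this computer's Administrators group.
Get-LocalAdminMember | Format-Table ComputerName, Member, Type, IsLocal, SID -AutoSize
```

Because the query starts from a single group instance instead of enumerating every Win32_GroupUser association on the machine, it does not touch the domain groups WMI can see, which is the usual cause of the multi-minute run times on domain-joined computers. A nested group such as IAMMRED\Domain Admins is still returned as one Group row; WMI does not expand its members.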

Use the PowerShell 3.0 CIM cmdlets to get local admins

I can use the same WMI classes, but use the CIM cmdlets from Windows PowerShell 3.0. This simplifies the code a bit. The first thing I need to do is to obtain a CIM instance. To do this, I use the Get-CimInstance cmdlet. I specify the WMI class as Win32_Group, and I look for groups with the name of administrators. I pipe the returned CIM instance to the Get-CimAssociatedInstance cmdlet. This cmdlet queries for associated instances based upon the association class name.

So you see, it is important to know which WMI classes an association class ties together. I know, because I know how to use the CIM cmdlets to expand the class properties and see the association. Now, all I need to do is specify the association class, as shown here.

Get-CimInstance -ClassName win32_group -Filter "name = 'administrators'" |
Get-CimAssociatedInstance -Association win32_groupuser

The command and its associated output are shown here. The first two members are Win32_UserAccount instances and are formatted as a table; the Domain Admins member is a Win32_Group instance, so Windows PowerShell formats it separately as a list.

16:06 C:\> Get-CimInstance -ClassName win32_group -Filter "name = 'administrators'" |
>> Get-CimAssociatedInstance -Association win32_groupuser
>>

Name             Caption          AccountType      SID              Domain
----             -------          -----------      ---              ------
Administrator    edLT\Administ... 512              S-1-5-21-3464... edLT
ed               edLT\ed          512              S-1-5-21-3464... edLT

Caption : IAMMRED\Domain Admins
Domain  : IAMMRED
Name    : Domain Admins
SID     : S-1-5-21-1457956834-3844189528-3541350385-512
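The Win32_Group filter above matches on Name alone, so on a domain-joined computer it can also return a domain group called Administrators, and it runs against the local machine only. The following is an added example, not code from the original post: it narrows the filter with LocalAccount = TRUE, runs the same Get-CimInstance / Get-CimAssociatedInstance pair over a CIM session for each computer in a list, and flags members whose SID is not on an expected list. It assumes Windows PowerShell 3.0 or later and WinRM reachable on the targets; the function name Get-LocalAdminInventory, its parameters, and the default expected-SID suffixes (-500 for the built-in Administrator, -512 for Domain Admins) are my own choices.

```powershell
# Added example (not from the original post). Inventories the direct members of
# the local Administrators group on one or more computers with the CIM cmdlets
# and marks members that are not on an expected list. Assumes Windows
# PowerShell 3.0+ on the caller and WinRM (New-CimSession) on the targets.
function Get-LocalAdminInventory {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,

        # SIDs, or SID suffixes such as '-500', that are allowed to be members.
        [string[]]$ExpectedSid = @('-500', '-512')
    )
    process {
        foreach ($computer in $ComputerName) {
            $session = $null
            try {
                $session = New-CimSession -ComputerName $computer -ErrorAction Stop

                # LocalAccount = TRUE keeps the query on the machine's own group, so
                # WMI neither returns a same-named domain group nor enumerates the
                # domain groups it can see.
                $group = Get-CimInstance -CimSession $session -ClassName Win32_Group `
                    -Filter "Name = 'Administrators' AND LocalAccount = TRUE"
                if (-not $group) { throw 'local Administrators group not found' }

                Get-CimAssociatedInstance -CimSession $session -InputObject $group `
                    -Association Win32_GroupUser |
                    ForEach-Object {
                        $sid = $_.SID
                        [PSCustomObject]@{
                            ComputerName = $computer
                            Member       = $_.Caption
                            # Win32_UserAccount, Win32_Group (nested group) or Win32_SystemAccount
                            Type         = $_.CimClass.CimClassName -replace '^Win32_', ''
                            IsLocal      = [bool]$_.LocalAccount
                            SID          = $sid
                            # True when no entry in ExpectedSid matches the end of the SID.
                            Unexpected   = -not ($ExpectedSid | Where-Object { $sid -like "*$_" })
                        }
                    }
            }
            catch {
                Write-Warning "${computer}: $($_.Exception.Message)"
            }
            finally {
                if ($session) { Remove-CimSession -CimSession $session }
            }
        }
    }
}

# Usage: pipe computer names in and keep only the members that need a second look.
$env:COMPUTERNAME | Get-LocalAdminInventory | Where-Object Unexpected | Format-Table -AutoSize
```

Only direct members are listed: a row of Type Group, such as IAMMRED\Domain Admins, means everyone in that group is a local administrator, and that group has to be expanded in Active Directory separately. The session is created and removed per computer so a machine that is offline or has WinRM disabled produces one warning and does not stop the rest of the run.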

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

Comments
  • Thank you for including the 2.0 version as well!

  • This works like a charm, thank you.

    Do you know why it is so slow, though? It takes about 1-2 min per computer.

  • Does this script find all the local administrators on workstations on a domain?

  • Never mind... just saw that it does not. It actually picks up anyone in a group that contains the word "administrators" in the group name somewhere. Looks like AD only, not local groups. Would it be possible to mod this for local group administrators?

  • Works, though it's too slow to use on 3000 PCs.