Try the scripts below to audit or list the local administrators on a machine.
Here is the VBScript:
' Bind to the local Administrators group through the WinNT ADSI provider
Set objGroup = GetObject("WinNT://./Administrators,group")
For Each objUser In objGroup.Members
    WScript.Echo "Member found: " & objUser.Name
Next
Set objGroup = Nothing
Here is the PowerShell syntax:
# Append one line of text to the given log file
function LogToFile ([string]$strFileName, [string]$strComputer)
{
    Add-Content $strFileName $strComputer
}
# "." means the local machine
$strComputer = "."
$computer = [ADSI]("WinNT://" + $strComputer + ",computer")
$Group = $computer.psbase.children.find("Administrators")
# Read the Name property of each member object returned by ADSI
$members = $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
ForEach($user in $members)
{
    Write-Host $user
    $a = $strComputer + "!" + $user.ToString()
    LogToFile "C:ss.txt" $a
}
Source: https://ponderingthought.com/2009/01/09/list-local-administrators-on-a-machine-using-powershell-adsi/
The script below retrieves a list of all accounts that are members of the local Administrators group on one or more computers:
function Get-LocalAdmin {
    <#
    .Synopsis
    Get Local admin list
    .Description
    Get Local admin list
    .Example
    Get-LocalAdmin -Computername myworkstation.contoso.com
    This shows the local admin list of the given computer, this will be the result:
    Retrieving Local Admin list for myworkstation.contoso.com
    MYWORKSTATION\Administrator
    CONTOSO\Domain Admins
    .Example
    get-adcomputer -searchbase 'OU=workstations,dc=contoso,dc=com' -filter * -property * | select name | Get-LocalAdmin
    Get Local admin list for all the workstation in AD.
    .Notes
    Author: Paolo Frigo - paolofrigo@gmail.com
    #>
    param (
        [Parameter(Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0)]
        [Alias('Name')]
        [string[]]$ComputerName
    )
    Process {
        Write-Warning "Retrieving Local Admin list for $ComputerName"
        try {
            If (!(Test-Connection -ComputerName $computerName -Count 1 -Quiet)) {
                Write-Output "$computerName is offline."
                #Continue # Move to next computer
            }
            else {
                # Win32_GroupUser links each group (GroupComponent) to a member (PartComponent)
                $admins = Gwmi win32_groupuser -computer $ComputerName
                $admins = $admins |? {$_.groupcomponent -like '*"Administrators"'}
                $admins | % {
                    # Extract Domain and Name from the member path; discard the boolean result
                    $_.partcomponent -match '.+Domain\=(.+)\,Name\=(.+)$' > $null
                    $matches[1].trim('"') + "\" + $matches[2].trim('"') }
            }
        }
        catch {
            Write-Output "Can't gather information from $ComputerName"
            Write-Output $Error[0].Exception;
        }
        finally {
        }
    }
}
#Example with desktop, but you can use Laptops or VMs or Servers as OU
get-adcomputer -searchbase 'OU=workstations,dc=contoso,dc=com' -filter * -property * | select name | Get-LocalAdmin
Note: if you're using PowerShell 5.1 or a later version, you can use the Get-LocalGroupMember cmdlet instead:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/Get-LocalGroupMember?view=powershell-5.1
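
An audit built on Get-LocalGroupMember, as an added example that is not from the original post or its cited sources: it looks the group up by its well-known SID rather than by the name "Administrators", which is localized on non-English Windows, and marks every member that is not on a baseline. The function name Get-LocalAdminAudit and the allow-list entries are assumptions made for illustration.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 5.1+
# with the Microsoft.PowerShell.LocalAccounts module.
function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        # Constructed baseline; replace with the accounts your policy permits.
        [string[]]$AllowedName = @(
            "$env:COMPUTERNAME\Administrator",
            'CONTOSO\Domain Admins'
        )
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup does not depend on the display language of the OS.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    foreach ($m in $members) {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $m.Name
            ObjectClass = $m.ObjectClass       # User or Group
            Source      = $m.PrincipalSource   # Local, ActiveDirectory, ...
            Sid         = $m.SID.Value
            # -contains compares strings case-insensitively
            Expected    = $AllowedName -contains $m.Name
        }
    }
}

# Show only the members that deviate from the baseline.
Get-LocalAdminAudit |
    Where-Object { -not $_.Expected } |
    Format-Table -AutoSize
```

A nested group shows up as a single entry with ObjectClass Group; its own members still hold administrator rights and need to be reviewed where the group is defined.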