PowerShell – Detect User in Local Admin Group


This script returns the primary user of a computer (the last logged-on account, read from the LogonUI session data in the registry) and detects whether that user is in the local Administrators group, which is very useful for InfoSec reporting. I’m using it with Intune, and it works perfectly.

This is a slightly modified version, as I’ve removed site-specific data, but you’ll get the idea.


Some Interesting Parts

  • The script writes registry keys under HKLM:\SOFTWARE\IsAdmin so the result can be queried from an SCCM CMPivot.
  • Has a secondary method for returning group members (net localgroup), because the Get-LocalGroupMember cmdlet has a known issue with orphaned SIDs.
  • Can be used with Intune to return a 1 or 0: 1 means ADMIN (the script throws, which is what Intune records), 0 means USER.
  • Was tested under the SYSTEM account, the way I test all scripts, programs, and configs. Why is that important? Because security context is king, and it changes how a script runs.

Simple, but highly useful. This technique could be adapted to other boolean-based reporting.


Lab Test

To verify accuracy, I audited a few hundred test devices against the script’s results. They were 100% accurate. I didn’t need third-party tools, MSGraph, APIs, or anything beyond the script.


Code

# MrNetTek 
# eddiejackson.net 
# 7/24/2024
# free for public use 
# free to claim as your own

$ErrorActionPreference = 'SilentlyContinue'

# Import necessary modules
Import-Module -Name Microsoft.PowerShell.Management
Import-Module -Name Microsoft.PowerShell.Security
Import-Module -Name Microsoft.PowerShell.Utility
Import-Module -Name Microsoft.PowerShell.Host

# Initialize variables
$USER = $null
$UN = $null
$inAdminGroup = 0
$elevationStatus = $null
$members = $null
$PC = "$env:COMPUTERNAME".ToLower()

# Ensure the log directory exists and clear previous logs
$logPath = "C:\setup\isAdmin.log"
if (-not (Test-Path "C:\setup")) { New-Item -Path "C:\setup" -ItemType Directory }
if (Test-Path $logPath) { Clear-Content $logPath }
Start-Sleep 1

# Define the registry path for session data
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData"

# Get the last logged-on user session
$sessions = Get-ChildItem -Path $regPath | Where-Object { $_.PSChildName -match '^\d+$' }
$lastSession = if ($sessions) { ($sessions | Sort-Object { [int]$_.PSChildName } | Select-Object -Last 1).PSChildName } else { 0 }
$keyPath = "$regPath\$lastSession"
$USER = (Get-ItemProperty -Path $keyPath -Name LoggedOnSAMUser -ErrorAction SilentlyContinue).LoggedOnSAMUser

# Parse the username (strip any DOMAIN\ prefix). Guard against an empty value so the
# later match cannot succeed on an empty pattern and report a false ADMIN.
$UN = if ($USER -match '\\') { $USER.Split('\\')[1] } else { $USER }
$UN = if ($UN) { $UN.ToLower().Trim() -replace 'YourDomain1|YourDomain2', '' } else { '' }

# Check if the user is in the local administrators group
$members = Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
if (-not $members) { $members = net localgroup administrators | Out-String }
# Strip the net localgroup banner/separator lines and built-in accounts. The separator
# pattern is anchored to whole lines so hyphens inside a username (john-doe) survive.
$members = $members.ToLower() -replace '(?m)the command completed successfully\.|^-+$|nt authority|everyone|system|administrator|guest', ''

# Determine if the parsed username is in the administrators group. The pattern is
# escaped and anchored to a whole account name (optionally prefixed by DOMAIN\ or PC\),
# so "bob" does not match "bobby" and regex metacharacters in the name are harmless.
$inAdminGroup = if ($UN -and ($members -match ('(?m)(^|\\)' + [regex]::Escape($UN) + '\s*$'))) { 1 } else { 0 }
$elevationStatus = if ($inAdminGroup) { "ADMIN" } else { "USER" }

# Create or update registry keys
$registryPath = "HKLM:\SOFTWARE\IsAdmin"
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force | Out-Null
}

# Add registry keys for SCCM CMPivot. I use this for reporting from SCCM.
Set-ItemProperty -Path $registryPath -Name "Username" -Value $USER -Type String
Set-ItemProperty -Path $registryPath -Name "IsAdmin" -Value $elevationStatus -Type String
Set-ItemProperty -Path $registryPath -Name "CMPivot" -Value "$USER $elevationStatus" -Type String
Set-ItemProperty -Path $registryPath -Name "Parsed" -Value $UN -Type String
Set-ItemProperty -Path $registryPath -Name "PC" -Value $PC -Type String

# Write results to the log file. This is more just for me while I test.
"FULL USER: $USER" | Add-Content $logPath
"PARSED: $UN" | Add-Content $logPath
"ELEVATION: $elevationStatus" | Add-Content $logPath
"PC: $PC" | Add-Content $logPath

# Set error handling preference and exit status. For Intune, the throw produces the
# non-zero (ADMIN) result; exit 0 reports USER.
$ErrorActionPreference = 'Stop'
if ($inAdminGroup) { throw "User is an administrator"; exit 1 } else { exit 0 }
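As an added example (not part of the original script above), here is a membership check that avoids the orphaned-SID problem mentioned in the bullets by enumerating the group through the ADSI WinNT provider, resolves the group by its well-known SID instead of the English name, and compares account names exactly rather than by substring. The function names, the `$Members` parameter and the constructed sample member list are my own assumptions for illustration.

```powershell
# Added example, not the original script: SID-tolerant enumeration of the local
# Administrators group plus an exact-match membership test.

function Get-LocalAdminMembers {
    # Resolve the group by its well-known SID (S-1-5-32-544) so this also works on
    # non-English Windows where the group is not literally named "Administrators".
    $groupName = (Get-LocalGroup -SID 'S-1-5-32-544').Name
    $group = [ADSI]"WinNT://./$groupName,group"

    foreach ($member in @($group.Invoke('Members'))) {
        # ADsPath is WinNT://DOMAIN/name or WinNT://PC/name. An orphaned member is
        # returned as its raw S-1-5-... SID string instead of failing the whole call.
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalAdminMember {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,     # 'jsmith' or 'CONTOSO\jsmith'
        [string[]] $Members = (Get-LocalAdminMembers)         # assumed parameter, defaults to live data
    )
    # Compare only the account portion, case-insensitively, so 'jsmith' never matches
    # 'jsmithson' and a domain-qualified input still matches 'CONTOSO\jsmith'.
    $wanted = ($SamAccountName -split '\\')[-1]
    foreach ($m in $Members) {
        if (($m -split '\\')[-1] -ieq $wanted) { return $true }
    }
    return $false
}

# Constructed sample data (not from a real machine) showing an orphaned SID entry
# sitting alongside normal members without breaking the check.
$sample = @('PC01\Administrator', 'CONTOSO\jsmith', 'S-1-5-21-1-2-3-1001')
Test-LocalAdminMember -SamAccountName 'jsmith'     -Members $sample   # True
Test-LocalAdminMember -SamAccountName 'jsmithson'  -Members $sample   # False

# Intune-style usage against the live group, mirroring the script's exit convention.
# $UN is assumed to hold the parsed username from the main script.
# if (Test-LocalAdminMember -SamAccountName $UN) { throw "User is an administrator" } else { exit 0 }
```

Run it in the same SYSTEM context you deploy with: the WinNT provider honours the caller's security context just as Get-LocalGroupMember does, so a result obtained interactively as an administrator is not proof it will work from Intune or SCCM.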