This will return the primary user of a computer and detect whether that user is in the local Administrators group (very useful for InfoSec reporting). I’m using it with Intune. Works perfectly.
This is a slightly modified version, as I’ve removed site-specific data, but you’ll get the idea.
Some Interesting Parts
- The script adds registry keys under HKLM so the result can be reported from an SCCM CMPivot query.
- It has a secondary method for returning group members (the `net localgroup` output), due to a known SID issue with the Get-LocalGroupMember cmdlet.
- It can be used with Intune to return 1 or 0: 1 means ADMIN (the script throws, so the exit code is non-zero), 0 means USER.
- It was tested in the SYSTEM account, the way I test all scripts, programs, and configs. Why is that important? Because security context is king, and it affects how a script runs.
So easy, but highly useful. This technique could be adapted to other boolean-based reporting.
Lab Test
For my test machines, I audited a few hundred devices to verify the results were accurate. They were 100% accurate. I didn’t need third-party tools, MSGraph, APIs, or anything beyond the script.
Code
```powershell
# MrNetTek
# eddiejackson.net
# 7/24/2024
# free for public use
# free to claim as your own

$ErrorActionPreference = 'SilentlyContinue'

# Import necessary modules
Import-Module -Name Microsoft.PowerShell.Management
Import-Module -Name Microsoft.PowerShell.Security
Import-Module -Name Microsoft.PowerShell.Utility
Import-Module -Name Microsoft.PowerShell.Host

# Initialize variables
$USER = $null
$UN = $null
$inAdminGroup = 0
$elevationStatus = $null
$members = $null
$PC = "$env:COMPUTERNAME".ToLower()

# Ensure the log directory exists and clear previous logs
$logPath = "C:\setup\isAdmin.log"
if (-not (Test-Path "C:\setup")) { New-Item -Path "C:\setup" -ItemType Directory | Out-Null }
if (Test-Path $logPath) { Clear-Content $logPath }
Start-Sleep 1

# Define the registry path for session data
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData"

# Get the last logged-on user session (subkeys are numeric session ids; take the highest one)
$sessions = Get-ChildItem -Path $regPath | Where-Object { $_.PSChildName -match '^\d+$' }
$lastSession = if ($sessions) {
    ($sessions | Sort-Object { [int]$_.PSChildName } | Select-Object -Last 1).PSChildName
} else { 0 }
$keyPath = "$regPath\$lastSession"
$USER = (Get-ItemProperty -Path $keyPath -Name LoggedOnSAMUser -ErrorAction SilentlyContinue).LoggedOnSAMUser

# Parse the username: strip the DOMAIN\ prefix, lower-case it, and drop site-specific domain names.
# "$USER" (not $USER) keeps this an empty string rather than $null when no session was found.
$UN = if ($USER -match '\\') { $USER.Split('\')[1] } else { "$USER" }
$UN = $UN.ToLower().Trim() -replace 'YourDomain1|YourDomain2', ''

# Check if the user is in the local administrators group.
# Get-LocalGroupMember can fail when the group holds an orphaned SID, so fall back to 'net localgroup'.
$members = Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
if (-not $members) { $members = net localgroup administrators | Out-String }
# Flatten to a single lower-case string and strip the built-in entries and command noise
$members = ($members -join "`n").ToLower() -replace 'the command completed successfully.|-+|nt authority|everyone|system|administrator|guest', ''

# Determine if the parsed username is in the administrators group.
# Escape the name so regex metacharacters in it are taken literally, match it as a whole word,
# and never treat an empty name as a match (an empty -match pattern would match anything).
$inAdminGroup = if ($UN -and $members -match ('\b' + [regex]::Escape($UN) + '\b')) { 1 } else { 0 }
$elevationStatus = if ($inAdminGroup) { "ADMIN" } else { "USER" }

# Create or update registry keys
$registryPath = "HKLM:\SOFTWARE\IsAdmin"
if (-not (Test-Path $registryPath)) { New-Item -Path $registryPath -Force | Out-Null }

# Add registry keys for SCCM CMPivot. I use this for reporting from SCCM.
Set-ItemProperty -Path $registryPath -Name "Username" -Value "$USER" -Type String
Set-ItemProperty -Path $registryPath -Name "IsAdmin" -Value $elevationStatus -Type String
Set-ItemProperty -Path $registryPath -Name "CMPivot" -Value "$USER $elevationStatus" -Type String
Set-ItemProperty -Path $registryPath -Name "Parsed" -Value $UN -Type String
Set-ItemProperty -Path $registryPath -Name "PC" -Value $PC -Type String

# Write results to the log file. This is more just for me while I test.
"FULL USER: $USER" | Add-Content $logPath
"PARSED: $UN" | Add-Content $logPath
"ELEVATION: $elevationStatus" | Add-Content $logPath
"PC: $PC" | Add-Content $logPath

# Set error handling preference and exit status.
# Intune sees the throw as a non-zero exit: 1 = ADMIN, 0 = USER.
$ErrorActionPreference = 'Stop'
if ($inAdminGroup) { throw "User is an administrator"; exit 1 } else { exit 0 }
```
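The name-based match above works, but a reporting check is more trustworthy when it compares SIDs, which survive renames and cannot collide on substrings. The following is an added example, not code from the post or from eddiejackson.net: it reads the same LogonUI SessionData key, enumerates BUILTIN\Administrators through the ADSI WinNT provider (which tolerates the orphaned SIDs that trip Get-LocalGroupMember), and decides membership by SID, falling back to an exact name comparison only when the account cannot be resolved. The function names and the fallback behaviour are this example's own choices.

```powershell
# Added example: SID-based local-admin check for the last logged-on user.
# Assumes the same LogonUI SessionData layout the post relies on; function names are
# this example's own and not part of any library.

function Get-LastLoggedOnSamUser {
    # Returns the LoggedOnSAMUser of the highest-numbered session (e.g. DOMAIN\jdoe), or $null.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData'
    $session = Get-ChildItem -Path $regPath -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+$' } |
        Sort-Object { [int]$_.PSChildName } | Select-Object -Last 1
    if (-not $session) { return $null }
    (Get-ItemProperty -Path $session.PSPath -Name LoggedOnSAMUser -ErrorAction SilentlyContinue).LoggedOnSAMUser
}

function Get-LocalAdminMembers {
    # Direct members of the local Administrators group, each with its SID string and name.
    # The WinNT provider returns orphaned members as raw SIDs instead of failing, unlike
    # Get-LocalGroupMember, so the whole list is still produced.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
            Sid  = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        }
    }
}

function Test-UserIsLocalAdmin {
    param([Parameter(Mandatory)][string]$SamUser)
    $members = @(Get-LocalAdminMembers)
    try {
        # Preferred path: resolve the account to its SID and compare SIDs exactly.
        $sid = (New-Object System.Security.Principal.NTAccount($SamUser)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        return [bool]($members.Sid -contains $sid)
    } catch {
        # Fallback when the account cannot be resolved (e.g. domain unreachable):
        # exact, case-insensitive comparison of the user part of the name, never a substring match.
        $name = ($SamUser -split '\\')[-1]
        return [bool]($members.Name | Where-Object { $_ -ieq $name })
    }
}

# Usage as an Intune detection script, keeping the post's convention: exit 1 = ADMIN, 0 = USER.
$samUser = Get-LastLoggedOnSamUser
$isAdmin = if ($samUser) { Test-UserIsLocalAdmin -SamUser $samUser } else { $false }
Write-Output ('{0} {1}' -f $samUser, $(if ($isAdmin) { 'ADMIN' } else { 'USER' }))
if ($isAdmin) { exit 1 } else { exit 0 }
```

Like the original script, this checks direct membership only: a user who is an administrator through a nested domain group shows up as USER, so treat the result as "explicitly granted local admin" rather than "effectively admin". Run it as SYSTEM, the same context the post tests in, since the LogonUI key and the group enumeration both need elevated read access.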