How to Get Local Group Members Report with or without PowerShell

{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Windows Server
Native Auditing
Netwrix Auditor for Windows Server
Steps
  1. Open the PowerShell ISE → Create a new script with the following code and run it, specifying the computer name and the path for export:

$strComputer = get-content env:computername #Enter the name of the target computer, localhost is used by default
Write-Host "Computer: $strComputer"
$computer = [ADSI]"WinNT://$strComputer"
$objCount = ($computer.psbase.children | measure-object).count
Write-Host "Q-ty objects for computer '$strComputer' = $objCount"
$Counter = 1
$result = @()
foreach($adsiObj in $computer.psbase.children)
{
  switch -regex($adsiObj.psbase.SchemaClassName)
    {
      "group"
      {
        $group = $adsiObj.name
        $LocalGroup = [ADSI]"WinNT://$strComputer/$group,group"
        $Members = @($LocalGroup.psbase.Invoke("Members"))
        $objCount = ($Members | measure-object).count
        Write-Host "Q-ty objects for group '$group' = $objCount"
        $GName = $group.tostring()

        ForEach ($Member In $Members) {
          $Name = $Member.GetType().InvokeMember("Name", "GetProperty", $Null, $Member, $Null)
          $Path = $Member.GetType().InvokeMember("ADsPath", "GetProperty", $Null, $Member, $Null)
          Write-Host " Object = $Path"

                   $isGroup = ($Member.GetType().InvokeMember("Class", "GetProperty", $Null, $Member, $Null) -eq "group")
          If (($Path -like "*/$strComputer/*") -Or ($Path -like "WinNT://NT*")) { $Type = "Local"
          } Else {$Type = "Domain"}
          $result += New-Object PSObject -Property @{
            Computername = $strComputer
            NameMember = $Name
            PathMember = $Path
            TypeMemeber = $Type
            ParentGroup = $GName
            isGroupMemeber = $isGroup
            Depth = $Counter
          }
        }
      }
    } #end switch
} #end foreach
Write-Host "Total objects = " ($result | measure-object).count
$result = $result | select-object Computername, ParentGroup, NameMember, TypeMemeber, PathMember, isGroupMemeber, Depth
$result | Export-Csv -path ("C:\LocalGroups({0})-{1:yyyyMMddHHmm}.csv" -f
$env:COMPUTERNAME,(Get-Date)) -Delimiter ";" -Encoding "UTF8" -force -NoTypeInformation

  1. Open the file produced by the script in MS Excel.
How to Get Local Group Membership Report: file produced by powershell script in MS Excel
  1. Run Netwrix Auditor → Navigate to "Reports" → Expand the "Windows Server" section → Go to "Windows Server – State-in-Time" → Select "Local Users and Groups" → Click "View".
  2. To save the report, click the "Export" button → Choose a format from the dropdown menu → Click "Save".
  3. To receive the report regularly by email, click the "Subscribe" button and choose the schedule you prefer.


Sample report:

How to Get Local Group Membership Report: Local Users and Groups Netwrix Auditor report

Get Local Group Members without PowerShell Scripting

Staying on top of local group membership is essential to Microsoft Windows Server security and good IT hygiene. In particular, you need to pay attention to the privileged groups on local machines, such as the local Administrators group. Sometimes Active Directory user accounts are added to these groups so users can install the programs they need to do their jobs without asking for help, and once local access rights are granted, they are rarely revoked. While this approach reduces helpdesk workload, it can significantly increase security risks on your systems by increasing the attack surface area and the risk of privilege abuse.

If you have enough PowerShell knowledge and experience, you can create a script that lists the membership of all local groups, including the local Administrators group. However, exporting all user objects into .CSV format might not be the most effective way to establish a baseline of the members of local groups and spot inappropriate changes to those groups.

Netwrix Auditor for Windows Server keeps you informed about which users are members of what groups. Reviewing the report on a regular basis will help you determine your baseline and spot any deviations that violate your security policy. With the actionable information provided, you can quickly restrict access and thereby minimize security risks. Subscribe to the report to stay on top of local group membership and facilitate good IT housekeeping.

Related How-tos