How to Get Local Group Membership Reports


Native Auditing vs. Netwrix Auditor for Windows Server

Native Auditing
Steps
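  1. Open the PowerShell ISE → Create a new script with the following code and run it, specifying the computer list and the path for export:

    # Collect the local Administrators group members from each listed computer
    Invoke-Command -ScriptBlock {
        # Drop blank lines and the trailing status line, then skip the 4 header lines
        $members = net localgroup administrators |
            Where-Object { $_ -and $_ -notmatch "command completed successfully" } |
            Select-Object -Skip 4
        New-Object PSObject -Property @{
            Computername = $env:COMPUTERNAME
            Group        = "Administrators"
            # Join into one string: Export-Csv writes only a type name for a collection
            Members      = $members -join '; '
        }
    } -ComputerName fs1,sp01,ncnad -HideComputerName |
        Select-Object * -ExcludeProperty RunspaceId |
        Export-Csv C:\data\local_admins.csv -NoTypeInformation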

  2. Open the file produced by the script in MS Excel.

Netwrix Auditor for Windows Server

  1. Run Netwrix Auditor → Navigate to Reports → Open “Windows Server” → Go to “Windows Server - State-in-Time” → Select “Members of Local Administrators Group” → Click “View”.

  2. To save the report, click the “Export” button and choose PDF, Word or Excel format. To receive the report regularly by email, click the “Subscribe” button and choose the schedule you prefer.

Audit Local Group Membership to Enforce Good Access Hygiene and Spot Deviations from Your Baseline

Active Directory user accounts are sometimes granted local group membership so that those users can install the programs they need to do their jobs without asking for help. While this approach to system and application maintenance reduces helpdesk workload, it can significantly increase security risks. In particular, once local access rights are granted, they are rarely revoked, which increases the attack surface area and the risk of privilege abuse. You need to stay on top of local group membership in order to harden Windows Server security and maintain good IT hygiene.

Using PowerShell, you can get a report listing local administrator group membership. However, be prepared to revamp your PowerShell scripting skills to get these local administrative user group membership reports. On top of that, exporting user objects into .CSV format might not be the most comprehensive way to determine whether certain users should be members of a local admin group, according to your baseline.
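One way to check an exported report against a baseline, shown as an added example that is not part of the original page or of Netwrix's tooling. The account names, the baseline table and the function name `Compare-LocalAdminBaseline` are hypothetical, and the Members column is assumed to hold a `; `-separated list of account names.

```powershell
# Approved local Administrators per server (constructed baseline; names are hypothetical).
$baseline = @{
    'FS1'  = @('Administrator', 'CORP\Domain Admins')
    'SP01' = @('Administrator', 'CORP\Domain Admins', 'CORP\svc-sharepoint')
}

# Constructed sample rows in the shape of the exported report:
# Computername, Group, Members (assumed to be a '; '-separated string).
$report = @'
"Computername","Group","Members"
"FS1","Administrators","Administrator; CORP\Domain Admins; CORP\jsmith"
"SP01","Administrators","Administrator; CORP\Domain Admins"
"NCNAD","Administrators","Administrator; CORP\Domain Admins"
'@ | ConvertFrom-Csv
# For a real export: $report = Import-Csv C:\data\local_admins.csv

function Compare-LocalAdminBaseline {
    param(
        [Parameter(Mandatory)] [object[]]  $Report,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($row in $Report) {
        # Split the Members cell into trimmed, non-empty account names.
        $actual = @($row.Members -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if (-not $Baseline.ContainsKey($row.Computername)) {
            # A server with no baseline entry is itself a finding.
            [pscustomobject]@{ Computername = $row.Computername; Account = '*'; Finding = 'NoBaseline' }
            continue
        }
        $approved = @($Baseline[$row.Computername])
        # -notcontains compares strings case-insensitively, like Windows account names.
        foreach ($a in $actual) {
            if ($approved -notcontains $a) {
                [pscustomobject]@{ Computername = $row.Computername; Account = $a; Finding = 'Unexpected' }
            }
        }
        foreach ($a in $approved) {
            if ($actual -notcontains $a) {
                [pscustomobject]@{ Computername = $row.Computername; Account = $a; Finding = 'Missing' }
            }
        }
    }
}

Compare-LocalAdminBaseline -Report $report -Baseline $baseline | Format-Table -AutoSize
```

Each output row names one deviation: an account present but not approved, an approved account that is absent, or a server that has no baseline entry at all.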

Netwrix Auditor for Windows Server keeps you informed about which users have local administrator privileges. Reviewing the report on a regular basis will help you determine your baseline. If there is any deviation from that baseline or your security policy, you can quickly restrict access and thereby minimize security risks. Subscribe to the report to stay on top of local group membership and facilitate good IT housekeeping.
