How to Get Local Group Members Report with or without PowerShell


Native Auditing vs. Netwrix Auditor for Windows Server

Steps
  1. Open the PowerShell ISE → Create a new script with the following code and run it, specifying the computer name and the path for export:

    $strComputer = get-content env:computername #Enter the name of the target computer, localhost is used by default
    Write-Host "Computer: $strComputer"
    $computer = [ADSI]"WinNT://$strComputer"
    $objCount = ($computer.psbase.children | measure-object).count
    Write-Host "Q-ty objects for computer '$strComputer' = $objCount"
    $Counter = 1
    $result = @()
    foreach($adsiObj in $computer.psbase.children)
    {
      switch -regex($adsiObj.psbase.SchemaClassName)
        {
          "group"
          {
            $group = $adsiObj.name
            $LocalGroup = [ADSI]"WinNT://$strComputer/$group,group"
            $Members = @($LocalGroup.psbase.Invoke("Members"))
            $objCount = ($Members | measure-object).count
            Write-Host "Q-ty objects for group '$group' = $objCount"
            $GName = $group.tostring()

            ForEach ($Member In $Members) {
              $Name = $Member.GetType().InvokeMember("Name", "GetProperty", $Null, $Member, $Null)
              $Path = $Member.GetType().InvokeMember("ADsPath", "GetProperty", $Null, $Member, $Null)
              Write-Host " Object = $Path"

              $isGroup = ($Member.GetType().InvokeMember("Class", "GetProperty", $Null, $Member, $Null) -eq "group")
              If (($Path -like "*/$strComputer/*") -Or ($Path -like "WinNT://NT*")) { $Type = "Local"
              } Else {$Type = "Domain"}
              $result += New-Object PSObject -Property @{
                Computername = $strComputer
                NameMember = $Name
                PathMember = $Path
                TypeMemeber = $Type
                ParentGroup = $GName
                isGroupMemeber = $isGroup
                Depth = $Counter
              }
            }
          }
        } #end switch
    } #end foreach
    Write-Host "Total objects = " ($result | measure-object).count
    $result = $result | select-object Computername, ParentGroup, NameMember, TypeMemeber, PathMember, isGroupMemeber, Depth
    # Name the file after the audited computer ($strComputer), not the machine running the script
    $result | Export-Csv -Path ("C:\LocalGroups({0})-{1:yyyyMMddHHmm}.csv" -f $strComputer, (Get-Date)) -Delimiter ";" -Encoding "UTF8" -Force -NoTypeInformation

  2. Open the file produced by the script in MS Excel.


[Screenshot: file produced by the PowerShell script, opened in MS Excel]

  1. Run Netwrix Auditor → Navigate to "Reports" → Expand the "Windows Server" section → Go to "Windows Server – State-in-Time" → Select "Local Users and Groups" → Click "View".
  2. To save the report, click the "Export" button → Choose a format from the dropdown menu → Click "Save".
  3. To receive the report regularly by email, click the "Subscribe" button and choose the schedule you prefer.


Sample report:

[Screenshot: Local Users and Groups report in Netwrix Auditor]

Get Local Group Members without PowerShell Scripting

Staying on top of local group membership is essential to Microsoft Windows Server security and good IT hygiene. In particular, you need to pay attention to the privileged groups on local machines, such as the local Administrators group. Sometimes Active Directory user accounts are added to these groups so users can install the programs they need to do their jobs without asking for help, and once local access rights are granted, they are rarely revoked. While this approach reduces helpdesk workload, it can significantly increase security risks on your systems by expanding the attack surface and raising the risk of privilege abuse.

If you have enough PowerShell knowledge and experience, you can create a script that lists the membership of all local groups, including the local Administrators group. However, exporting all user objects into .CSV format might not be the most effective way to establish a baseline of the members of local groups and spot inappropriate changes to those groups.
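To use the script's CSV exports as a baseline, two of them have to be compared. The following is an added example, not part of the original script or of Netwrix's tooling: it diffs a baseline export against a current one and flags changes in privileged groups. The function name `Compare-LocalGroupExport`, the sample rows, and the list of groups treated as privileged are assumptions made for illustration.

```powershell
# Added example: diff two CSV exports produced by the script above.
# The rows below are constructed sample data; for real files use
#   Import-Csv -Path <export.csv> -Delimiter ';'
$baselineCsv = @'
Computername;ParentGroup;NameMember;TypeMemeber;PathMember;isGroupMemeber;Depth
SRV01;Administrators;Administrator;Local;WinNT://CONTOSO/SRV01/Administrator;False;1
SRV01;Administrators;Domain Admins;Domain;WinNT://CONTOSO/Domain Admins;True;1
SRV01;Remote Desktop Users;j.smith;Domain;WinNT://CONTOSO/j.smith;False;1
'@
$currentCsv = @'
Computername;ParentGroup;NameMember;TypeMemeber;PathMember;isGroupMemeber;Depth
SRV01;Administrators;Administrator;Local;WinNT://CONTOSO/SRV01/Administrator;False;1
SRV01;Administrators;Domain Admins;Domain;WinNT://CONTOSO/Domain Admins;True;1
SRV01;Administrators;helpdesk.temp;Domain;WinNT://CONTOSO/helpdesk.temp;False;1
'@

function Compare-LocalGroupExport {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current,
        # Assumption: English built-in group names; adjust for your environment.
        [string[]] $PrivilegedGroups = @('Administrators', 'Backup Operators', 'Remote Desktop Users')
    )
    # A membership is identified by computer + group + member path
    # (NameMember alone is ambiguous between local and domain accounts).
    $key = 'Computername', 'ParentGroup', 'PathMember'
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property $key |
        ForEach-Object {
            [pscustomobject]@{
                Change       = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Computername = $_.Computername
                ParentGroup  = $_.ParentGroup
                PathMember   = $_.PathMember
                Privileged   = $PrivilegedGroups -contains $_.ParentGroup
            }
        } |
        Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, 'ParentGroup', 'PathMember'
}

$baseline = $baselineCsv | ConvertFrom-Csv -Delimiter ';'
$current  = $currentCsv  | ConvertFrom-Csv -Delimiter ';'
Compare-LocalGroupExport -Baseline $baseline -Current $current | Format-Table -AutoSize
```

Rows marked `Added` with `Privileged` set to `True` are the ones to review first against your security policy.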

Netwrix Auditor for Windows Server keeps you informed about which users are members of what groups. Reviewing the report on a regular basis will help you determine your baseline and spot any deviations that violate your security policy. With the actionable information provided, you can quickly restrict access and thereby minimize security risks. Subscribe to the report to stay on top of local group membership and facilitate good IT housekeeping.