Verify if users were added to local Administrators

This script will scan the Security log for evidence of recent changes to the local Administrators group and report whether the required audit policy is configured on the machine.

Version: 1.7.8
Created: 2020-06-10
Modified: 2020-06-10
Creator: Marcel Calef
Downloads: 17
Tags:
The Script Copy Script Copied to clipboard

<# .NAME: Addition_to_Local_Admins.ps1 .CREDIT: https://security.stackexchange.com/questions/149519/how-to-find-who-granted-local-admin-privileges-to-a-user https://girl-germs.com/?p=363 which GPO corresponds with which Event ID Need to verify the computer has 'Audit Security Group Management' in Accoutn MAnagement enabled #>

$ErrorActionPreference = “ignore”

# Check if the Audit policy for recording the event 4732 is enabled for Success
$checkPol = (auditpol /get /subcategory:”Security Group Management” | findstr “Success”)

if([string]::IsNullOrEmpty($checkPol))
{ Write-Output ‘Audit policy not properly configued
run:
auditpol /set /subcategory:”Security Group Management” /success:enable’;
exit
}

### Create a filter query to search for additions to BUILTINAdministrators
### Security log event ID 4732
### Adding specifically to the Administrators SID
$xmlFilter = @”





“@

# Query and get the events
try {$adm_inclusion = Get-WinEvent -FilterXml $xmlFilter}
Catch {Write-Output “No events found (and auditpol was properly configured)”; exit }

$adm_inclusion | Format-List -Property TimeCreated,Id,Message | findstr /C:”TimeCreated” /C:”Subject:” /C:”Security ID” /C:”Account” /C:”Member” /C:”Group”

#$adm_inclusion.Message | findstr /C:”Subject:” /C:”Security ID” /C:”Account” /C:”Member” /C:”Group”

START YOUR TRIAL

Get Your Download Link

Gain access to ControlUp from your PC. Register and get a link to start your Free Trial.