Verify if users were added to local Administrators

Version: 1.7.8
Creator Name: Marcel Calef
Date Created: 2020-06-10
Date Modified: 2020-06-10
Scripting language: PS
Download Count: 17

This script will scan the Security log for evidence of recent changes to the local Administrators group and report whether the required audit policy is configured on the machine.
Tags: administrators,security,auditing

The Script

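<#
 .NAME:     Addition_to_Local_Admins.ps1

 .SYNOPSIS: Reports additions to the local BUILTIN\Administrators group recorded in
            the Security log (event ID 4732 with TargetSid S-1-5-32-544) and first
            verifies that the audit subcategory needed to produce those events is
            enabled for Success.

 .CREDIT:   https://security.stackexchange.com/questions/149519/how-to-find-who-granted-local-admin-privileges-to-a-user
            https://girl-germs.com/?p=363     which GPO corresponds with which Event ID
                Need to verify the computer has 'Audit Security Group Management' in Account Management enabled

 .NOTES:    auditpol /get and reading the Security log both need an elevated session,
            so that is checked before anything else. Only events still present in the
            Security log can be reported: additions made before auditing was enabled,
            or since the log was cleared or rolled over, are not visible here.

 .EXIT CODES: 0 - ran to completion (events listed, or none found)
              1 - not elevated, audit policy not configured, or the log could not be read
#>

# 'Ignore' is only valid as a per-command -ErrorAction value; assigning it to
# $ErrorActionPreference raises an error and leaves the preference unchanged.
# SilentlyContinue is the preference-variable equivalent. Commands whose failure
# must be detected use -ErrorAction Stop or $LASTEXITCODE explicitly below.
$ErrorActionPreference = "SilentlyContinue"

# Without elevation auditpol returns nothing and Get-WinEvent is denied access to the
# Security log, which would be misreported as "audit policy not configured".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Output 'This script must be run from an elevated (Run as Administrator) session.'
    exit 1
}

# Event 4732 is only written when 'Audit Security Group Management' (Account
# Management category) is enabled for Success. auditpol's text output is localized,
# so matching the word "Success" only works on English-language systems.
$auditOut = auditpol /get /subcategory:"Security Group Management" 2>&1
if ($LASTEXITCODE -ne 0 -or -not $auditOut) {
    Write-Output "auditpol failed (exit code $LASTEXITCODE); cannot verify the audit policy."
    exit 1
}
$checkPol = $auditOut | Where-Object { $_ -match 'Success' }

if (-not $checkPol) {
    Write-Output 'Audit policy not properly configured
       run:
       auditpol /set /subcategory:"Security Group Management" /success:enable'
    exit 1
}

### Filter: Security event 4732 ("A member was added to a security-enabled local
### group") whose TargetSid is the well-known SID of BUILTIN\Administrators.
### Removals (4733) and other groups are deliberately not included.
$xmlFilter = @"
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=4732)]]
and
*[EventData[Data[@Name='TargetSid'] and Data='S-1-5-32-544']]
</Select>
</Query>
</QueryList>
"@

# Get-WinEvent reports "No events were found ..." as a NON-terminating error, so the
# original try/catch never ran its catch block; -ErrorAction Stop makes it catchable.
# The message text is used to keep "nothing to report" apart from a real failure
# (for example the Security log being unreadable), which gets a non-zero exit code.
try {
    $adm_inclusion = Get-WinEvent -FilterXml $xmlFilter -ErrorAction Stop
}
catch {
    if ($_.Exception.Message -match 'No events were found') {
        Write-Output "No events found (and auditpol was properly configured)"
        exit 0
    }
    Write-Output "Could not read the Security log: $($_.Exception.Message)"
    exit 1
}

# Pull the fields of interest straight from each event's EventData instead of
# grepping the rendered Message text with findstr, which depends on the display
# language and on Format-List's wrapping. For 4732 MemberName is frequently "-",
# so MemberSid is the reliable identifier of the account that was added.
$adm_inclusion | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        TimeCreated = $_.TimeCreated
        Id          = $_.Id
        Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        MemberSid   = $data['MemberSid']
        MemberName  = $data['MemberName']
        Group       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
    }
} | Format-List -Property TimeCreated,Id,Subject,MemberSid,MemberName,Group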