Verify if users were added to local Administrators

Version: 1.7.8
Creator Name: Marcel Calef
Date Created: 2020-06-10
Date Modified: 2020-06-10
Scripting language: PS
Download Count: 8

This script scans the Security log for evidence of recent additions to the local Administrators group (event ID 4732) and reports whether the audit policy required to record that event is configured on the machine.
Tags: administrators,security,auditing

The Script

<#
 .NAME:     Addition_to_Local_Admins.ps1

 .NOTES:    Which GPO corresponds with which Event ID:
            need to verify the computer has 'Audit Security Group Management'
            (Account Management category) enabled, otherwise 4732 is never written.
#>

# "Ignore" is only valid for the -ErrorAction parameter, not for the preference variable
$ErrorActionPreference = "SilentlyContinue"

# Check if the audit policy for recording event 4732 is enabled for Success
$checkPol = (auditpol /get /subcategory:"Security Group Management" | findstr "Success")

if (-not $checkPol) {
    Write-Output 'Audit policy not properly configured. To enable it, run:
       auditpol /set /subcategory:"Security Group Management" /success:enable'
}

### Create a filter query to search for additions to BUILTIN\Administrators
### Security log event ID 4732 (a member was added to a security-enabled local group)
### Adding specifically to the Administrators SID
$xmlFilter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4732)] and EventData[Data[@Name='TargetSid']='S-1-5-32-544']]
    </Select>
  </Query>
</QueryList>
"@

# Query and get the events (-ErrorAction Stop so the "no events" error reaches the catch block)
try   { $adm_inclusion = Get-WinEvent -FilterXml $xmlFilter -ErrorAction Stop }
catch { Write-Output "No events found (and auditpol was properly configured)"; exit }

# Print only the lines of the rendered message that identify who added whom to which group
$adm_inclusion | Format-List -Property TimeCreated,Id,Message | findstr /C:"TimeCreated" /C:"Subject:" /C:"Security ID" /C:"Account" /C:"Member" /C:"Group"

#$adm_inclusion.Message | findstr /C:"Subject:" /C:"Security ID" /C:"Account" /C:"Member" /C:"Group"
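The script above greps the rendered Message text, which breaks when the message template or locale changes. As an added example that is not part of the listed script, the function below reads the event's XML instead and turns a 4732 event (and, going one step beyond the script, a 4733 removal) into a structured object; the event XML, host name, account names and SIDs are constructed sample values, and `$xmlFilter` in the trailing comment refers to the filter defined in the script above.

```powershell
# Added example (not the listed script): parse a 4732/4733 event's XML into
# structured fields instead of grepping the rendered Message text.
function ConvertFrom-LocalGroupChangeEvent {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    # Map <Data Name="...">value</Data> elements to a name -> value table
    $d = @{}
    foreach ($node in $x.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.InnerText }
    $action = switch ([int]$x.Event.System.EventID) {
        4732    { 'Added' }    # member added to a security-enabled local group
        4733    { 'Removed' }  # member removed from a security-enabled local group
        default { 'Unknown' }
    }
    # 4732 often logs MemberName as "-"; resolve the SID locally where possible
    $member = $d['MemberName']
    if ($member -eq '-' -and $d['MemberSid']) {
        try   { $member = ([System.Security.Principal.SecurityIdentifier]$d['MemberSid']).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $member = $d['MemberSid'] }   # unresolvable on this host (e.g. the constructed SID below)
    }
    [pscustomobject]@{
        TimeCreated = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer    = $x.Event.System.Computer
        Action      = $action
        Group       = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        GroupSid    = $d['TargetSid']
        Member      = $member
        ChangedBy   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId     = $d['SubjectLogonId']
    }
}

# Constructed sample 4732 event (all names and SIDs are made up)
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><TimeCreated SystemTime="2020-06-10T14:02:17.000Z"/><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectDomainName">WS01</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
ConvertFrom-LocalGroupChangeEvent -EventXml $sample | Format-List
# Live use: Get-WinEvent -FilterXml $xmlFilter | ForEach-Object { ConvertFrom-LocalGroupChangeEvent $_.ToXml() }
```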