
How to list only enabled local administrators

Trying to list only local administrator accounts that are enabled on Windows workstations.

Have this code so far, but I am running into issues beyond this point trying to compare whether the active user is an administrator.

    $enabledUsers = (Get-LocalUser | Select * | sort Name, FullName, Enabled) | where-object enabled -eq $true

    $enabledUsers | Select Name, Fullname

Solution

  • You can use Get-LocalGroupMember to get all members of the Administrators group; however, this cmdlet doesn't tell us whether the returned users are Enabled. We can pass the SID of each user to Get-LocalUser and filter for the Enabled ones:

    Get-LocalGroupMember Administrators | Where-Object { (Get-LocalUser $_.SID -EA 0).Enabled }

    -EA 0 (-ErrorAction SilentlyContinue) is used in this example because the members of the group may not be of the class User, in which case the cmdlet would throw an error (which we want to avoid).

    If you need LocalUser objects instead of LocalPrincipal objects, you can use this instead:

    Get-LocalGroupMember Administrators | ForEach-Object {
        if(($usr = Get-LocalUser $_.SID -EA 0) -and $usr.Enabled) {
            $usr | Select-Object Name, FullName
        }
    }
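For auditing purposes it helps to keep the members that the answer's filter silently drops (domain users, domain groups, orphaned SIDs) visible, since those also grant administrative rights. The following is an added example, not the answer's code; it assumes the Microsoft.PowerShell.LocalAccounts module is available, and the function name Get-EnabledLocalAdminReport is this example's own.

```powershell
# Added example (not from the answer): inventory the Administrators group,
# resolve local user members to their Enabled state, and keep non-local or
# non-user members in the output so they can be reviewed separately.
function Get-EnabledLocalAdminReport {
    [CmdletBinding()]
    param([string]$GroupName = 'Administrators')

    foreach ($member in Get-LocalGroupMember -Group $GroupName) {
        $entry = [ordered]@{
            Name            = $member.Name
            ObjectClass     = $member.ObjectClass      # 'User' or 'Group'
            PrincipalSource = $member.PrincipalSource  # Local, ActiveDirectory, ...
            SID             = $member.SID.Value
            IsBuiltInAdmin  = $member.SID.Value.EndsWith('-500')  # RID 500 = built-in Administrator
            Enabled         = $null                    # stays $null when not resolvable locally
            LastLogon       = $null
        }
        # Only local user accounts can be looked up with Get-LocalUser.
        if ($member.PrincipalSource -eq 'Local' -and $member.ObjectClass -eq 'User') {
            $usr = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
            if ($usr) {
                $entry.Enabled   = $usr.Enabled
                $entry.LastLogon = $usr.LastLogon
            }
        }
        [pscustomobject]$entry
    }
}

$report = Get-EnabledLocalAdminReport

# The question's target: enabled local administrator accounts.
$report | Where-Object { $_.Enabled -eq $true } |
    Format-Table Name, IsBuiltInAdmin, LastLogon

# Members whose state could not be resolved locally (domain accounts, groups,
# unresolved SIDs) still hold admin rights and deserve a separate review.
$report | Where-Object { $null -eq $_.Enabled } |
    Format-Table Name, ObjectClass, PrincipalSource, SID
```

On domain-joined hosts, Get-LocalGroupMember itself may throw for members whose SID no longer resolves; if that happens, rerun with -ErrorAction Continue so the remaining members are still reported.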