Get-LocalAdmins.ps1
# This script was originally written by, I assume?, NinjaRMM as there was no author listed and their repo is where I took this from initially.
# I've placed it here so I can modify it to my requirements.
#
#
#PARAMETER: -CustomField "ReplaceWithAnyTextCustomField"
# Updates the custom field you specified (defaults to "LocalAdmins"). The Custom Field needs to be writable by scripts (otherwise the script will report it as not found).
#
#PARAMETER: -Delimiter "ReplaceWithYourDesiredDelimiter"
# Places whatever is entered, enclosed in quotes, between each user name. See the example below.
#
# Rewritten by Jonathan Bullock
# Rerewritten by ChatGPT to help me get rid of it inaccurately showing disabled accounts. I feel immense shame.
#
# 2025-03-07
# Script parameters. Both are optional; the begin block may override them
# from the customFieldName / delimiter environment variables.
[CmdletBinding()]
param (
    # Name of the custom field that receives the joined administrator list.
    [Parameter()]
    [String]$CustomField = "LocalAdmins",

    # Text placed between the names when the list is joined into one string.
    [Parameter()]
    [String]$Delimiter = ', '
)
begin {
    # Name of the cmdlet the process block looks for before writing the custom field.
    $CheckNinjaCommand = "Ninja-Property-Set"

    # Environment variables, when set to something other than the literal
    # text "null", take precedence over the -CustomField / -Delimiter parameters.
    $envFieldName = $env:customFieldName
    if ($envFieldName -and -not ($envFieldName -like "null")) {
        $CustomField = $envFieldName
    }

    $envDelimiter = $env:delimiter
    if ($envDelimiter -and -not ($envDelimiter -like "null")) {
        $Delimiter = $envDelimiter
    }

    # Case-insensitive pattern that matches "COMPUTERNAME\" at the start of a line.
    # The computer name is regex-escaped so that any metacharacters in it are
    # matched literally. Example: for 'MYPC' this matches 'mypc\' and 'MYPC\'.
    $LocalComputerName = $env:COMPUTERNAME
    $LocalPrefixRegex = '^(?i){0}\\' -f [Regex]::Escape($LocalComputerName)
}
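process {
    # Purpose: list the members of the local Administrators group, drop local
    # user accounts that are disabled, print the result and (when the
    # Ninja-Property-Set cmdlet is present) store it in the custom field.
    #
    # Audit caveat: a disabled local account that is omitted here is still a
    # member of the group and regains administrative rights as soon as it is
    # re-enabled. This report shows currently usable admins, not full membership.
    #
    # NOTE(review): the parsing below depends on English net.exe output (the
    # group name "Administrators" and the "command completed successfully"
    # trailer). On a localized system the lookup may fail or the trailer may be
    # reported as a member; resolving the group through its well-known SID
    # (S-1-5-32-544) would avoid that -- confirm whether non-English hosts are in scope.

    # Blank lines and the success trailer are removed first, which leaves four
    # header lines (alias, comment, "Members", separator) to skip.
    $RawUsers = net.exe localgroup "Administrators" |
        Where-Object { $_ -and $_ -notmatch "command completed successfully" } |
        Select-Object -Skip 4

    if (-not $RawUsers) {
        Write-Error "[Error] No users found in local Administrators group!"
        exit 1
    }

    # Take one snapshot of local users and groups instead of re-enumerating
    # them for every member line.
    $LocalUsers = @()
    $LocalGroups = @()
    if (Get-Command -Name Get-LocalUser -ErrorAction SilentlyContinue) {
        $LocalUsers = @(Get-LocalUser -ErrorAction SilentlyContinue)
    }
    if (Get-Command -Name Get-LocalGroup -ErrorAction SilentlyContinue) {
        $LocalGroups = @(Get-LocalGroup -ErrorAction SilentlyContinue)
    }

    # An empty snapshot means the lookup failed rather than that the machine
    # has no local accounts. Say so instead of silently producing a list that
    # looks filtered but is not.
    $LookupFailed = ($LocalUsers.Count -eq 0) -or ($LocalGroups.Count -eq 0)
    if ($LookupFailed) {
        Write-Warning "Could not enumerate local users/groups; disabled accounts cannot be filtered out and all listed members are reported as-is."
    }

    $ProcessedUsers = New-Object 'System.Collections.Generic.List[string]'

    foreach ($item in $RawUsers) {
        $line = $item.Trim()

        # Strip a leading "COMPUTERNAME\" (case-insensitive). When nothing is
        # stripped, $localName is identical to $line.
        $localName = ($line -replace $LocalPrefixRegex, '').Trim()
        $hadLocalPrefix = $localName -ne $line

        $localUser = $LocalUsers |
            Where-Object { $_.Name -ieq $localName } |
            Select-Object -First 1

        if ($localUser) {
            # Local user: report it only while the account is enabled.
            if ($localUser.Enabled) {
                $ProcessedUsers.Add($localName)
            }
            continue
        }

        if (-not $hadLocalPrefix) {
            # No local prefix and no matching local user: treated as a domain
            # or built-in principal and kept exactly as net.exe printed it.
            $ProcessedUsers.Add($line)
            continue
        }

        # Prefixed with this computer's name but not a local user: keep it if
        # it is a local group. Unknown names are skipped, except when the
        # lookup itself failed -- then the entry is kept so that an
        # administrator is never dropped from the report because of a tooling error.
        $localGroup = $LocalGroups | Where-Object { $_.Name -ieq $localName }
        if ($localGroup -or $LookupFailed) {
            $ProcessedUsers.Add($localName)
        }
    }

    # Join once; the same text is printed and written to the custom field.
    $JoinedAdmins = $ProcessedUsers.ToArray() -join $Delimiter

    Write-Host "Local Admins (excluding disabled local users, keeping domain accounts/groups):"
    Write-Host " $JoinedAdmins"

    # Write the custom field only when the Ninja cmdlet exists and a field name
    # was supplied (IsNullOrWhiteSpace also covers null and empty).
    $ninjaCommand = Get-Command $CheckNinjaCommand -ErrorAction SilentlyContinue
    if ($ninjaCommand.Name -eq $CheckNinjaCommand -and -not [string]::IsNullOrWhiteSpace($CustomField)) {
        Write-Host "Attempting to set Custom Field: $CustomField"
        Ninja-Property-Set -Name $CustomField -Value $JoinedAdmins
    }
    else {
        Write-Warning "Unable to set custom field (lack of elevation or Ninja not found?)."
    }
}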