Use this Goverlan Scope Action to find out who is in the local administrator group on your Windows workstations.
**Disclaimer: These tutorials are for demonstration purposes. Please test all Scope Actions before deploying them into production.**
This is a useful report for auditing the local admins group on your machines. Take the scope action a step further and automatically remove the non-compliant admins as well.
Step 1 – Starting a new Scope Action
If you have never created a Scope Action before, please refer to the below video and the Scope Action Creation Basics article for more information.
Step 2 – Creating a Non-compliant Local Admins Audit Report
The action module should consist of the following Report Item:
Add \ Remove –> Report Computer Property –> Local Account Database –> Local Groups –> Members –> AD Account Name
TIP: Instead of choosing “Members”, try choosing “Members (Effective)” to recurse the groups and get more information on who exactly has local administrative rights. See this () for more information on Recursive Group reporting.
Step 3 – Filtering out known accounts
You will need a filter to select the local admins group and filter out accounts that should be in the group.
Use the “Only if the following is true” section to create the filter:
Add \ Remove –> Set Computer Condition –> Local Account Database –> Local Groups –> NT Account Name
The condition should be set to “=”
The Desired Value should be Administrators
Next, filter out accounts and groups that should not appear in the report. These are accounts that should be present in the local admins group.
Add \ Remove –> Set Computer Condition –> Local Account Database –> Local Groups –> Members –> NT Account Name
The condition should be set to “NOT =”
The Desired Value should be “Administrator” or the name of your local admin account.
Add a new condition for each “Members –> NT Account Name” value that should not appear in the report.
Optional Step – Removing Non-Compliant Admins
Create a new action module and add the following action.
Add \ Remove –> Execute Computer Action –> Local Account Database –> Local Groups –> Members –> Delete Object
Create the same filter as in Step 3. Goverlan will remove all users or groups EXCEPT the ones specified in the list.
NOTE: YOU MUST NOW CREATE THE SAME FILTER AS IN STEP 3! NOT DOING THIS WILL TELL GOVERLAN TO REMOVE ALL MEMBERS!
Re-run the report from Step 2 to verify your results.
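The allow-list logic from Step 3 and the optional removal step, written in PowerShell as an added example that is not part of the original tutorial or Goverlan's own code. The function name, the allow-list entries and the sample members are assumptions, and allow-list entries are compared against the account name without its computer or domain prefix.

```powershell
# Added example: allow-list audit of the local Administrators group.
# Get-NonCompliantAdmin, the allow-list and the sample members are constructed for illustration.
function Get-NonCompliantAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Member,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $AllowList
    )
    # Mirrors the NOTE above: with no exclusions, every member would be flagged for removal.
    if ($AllowList.Count -eq 0) {
        throw 'Allow-list is empty; refusing to treat every member as non-compliant.'
    }
    foreach ($m in $Member) {
        # Members are named "COMPUTER\name" or "DOMAIN\name"; compare only the account part.
        $account = ($m.Name -split '\\')[-1]
        if ($AllowList -notcontains $account) { $m }   # -notcontains ignores case
    }
}

# Accounts and groups that are expected to be local admins (constructed values).
$allowList = @('Administrator', 'Domain Admins')

# Constructed sample shaped like Get-LocalGroupMember output, so the script runs anywhere.
$members = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    ObjectClass = 'User'  }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins'; ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'CONTOSO\jdoe';          ObjectClass = 'User'  }
)
# On a live workstation, replace the sample with:
# $members = Get-LocalGroupMember -Group 'Administrators'

$report = Get-NonCompliantAdmin -Member $members -AllowList $allowList
$report | Format-Table Name, ObjectClass

# Optional removal. -WhatIf only lists what would be removed; drop it after reviewing the report.
# $report | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf }
```

The empty allow-list check is the scripted counterpart of the missing-filter case in the optional removal step: the function stops instead of returning every member.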