PowerShell | Local Admin Group & Default Administrator
Built in Guest & Administrator by SID
Understanding and managing the built-in Guest and Administrator accounts on local systems is crucial for maintaining a secure computing environment. The Administrator account has elevated privileges that allow full control over the system, making it a prime target for malicious attacks. Identifying and securing this account is essential to prevent unauthorized access and potential system compromise.
The Guest account, while intended for temporary and limited access, can pose significant security risks if enabled, as it provides an easy entry point for unauthorized users. Disabling the Guest account is a best practice to minimize security vulnerabilities and ensure that only authorized users can access the system. By effectively managing these accounts, administrators can enhance the overall security posture, protecting sensitive data and system integrity from potential threats.
PowerShell Solution | Pull Default Account by SID
$MyCommand = {
    $Array = @()
    # Local accounts only (domain accounts are excluded by the WQL filter)
    $AccountFinder = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
    # Match on the well-known RID at the end of the SID, not on the name, so a renamed account is still found
    # RID 501 = built-in Guest
    $Array += $AccountFinder | Where-Object { $_.SID -like "S-1-5-21-*-501" } | Select-Object Name, Disabled
    # RID 500 = built-in Administrator
    $Array += $AccountFinder | Where-Object { $_.SID -like "S-1-5-21-*-500" } | Select-Object Name, Disabled
    Return $Array
}
CLS
$ServerName = Read-Host "Enter ServerName"
Invoke-Command -ComputerName $ServerName -ScriptBlock $MyCommand
Remotely Manage Local Accounts Using PowerShell and WinRM
Remote management of local accounts is a critical task for system administrators, enabling them to manage user access, enforce policies, and maintain security across multiple systems. PowerShell, combined with Windows Remote Management (WinRM), is a powerful tool for this purpose, providing a range of cmdlets to perform these tasks efficiently. Here’s a comprehensive guide on how to remotely manage local accounts using PowerShell and WinRM.
Prerequisites
Before you begin, ensure that:
- You have administrative privileges on the target systems.
- WinRM is enabled and configured on the remote systems.
- The systems are configured to allow remote management (firewall rules, network settings, etc.).
List Local Administrator Group Membership
#Prompt User for ComputerName
$ComputerName = Read-Host "Enter Server Name:"
#Query Computer for list of Local Admins Group
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
#List of Local Admins
Get-LocalGroupMember -Group "Administrators"
}
Remove User from Local Administrator Group
<#
Designed to simply remove 1 user from the local admin group
on a remote computer. You could modify this to loop through
a list of computers to remove an account on a list of
specific computers.
#>
#Prompt User for Computer Name:
$ComputerName = Read-Host "Enter Server Name"
#Prompt User for Username:
$Username = Read-Host "Enter Username"
#Strings Computer Name and User Name Together (local account on the remote machine; use DOMAIN\User for a domain account)
$Login = "$ComputerName\$Username"
#Remove Account from Local Admins Group; $args[0] is the $Login value passed through -ArgumentList
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    Remove-LocalGroupMember -Group "Administrators" -Member $args[0]
} -ArgumentList $Login
Add User to Local Administrator Group
<#
Designed to simply add 1 user to the local admin group
on a remote computer. You could modify this to loop through
a list of computers to add an account on a list of
specific computers.
#>
#Prompt User for Computer Name:
$ComputerName = Read-Host "Enter Server Name"
#Prompt User for Username:
$Username = Read-Host "Enter Username"
#Strings Computer Name and User Name Together (local account on the remote machine; use DOMAIN\User for a domain account)
$Login = "$ComputerName\$Username"
#Add User to Local Admin Group on Machine; $args[0] is the $Login value passed through -ArgumentList
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    Add-LocalGroupMember -Group "Administrators" -Member $args[0]
} -ArgumentList $Login
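Putting the two ideas on this page together (locating the built-in accounts by RID, and reviewing Administrators group membership), here is an added audit script that is not from the original post. It runs against a list of servers in one pass and reports any machine where Guest is enabled or the Administrators group contains a member outside an allow-list; the server names and the allow-list entries are placeholders you replace with your own.

```powershell
# Added example, not part of the original post. Assumes WinRM is enabled and you have
# admin rights on each target. $Servers and $Approved below are placeholders.
$Servers  = @('SERVER01', 'SERVER02')
$Approved = @('Administrator', 'Domain Admins', 'CONTOSO\ServerAdmins')

$Audit = {
    param($ApprovedMembers)
    # Find the built-in accounts by well-known RID (500 = Administrator, 501 = Guest),
    # because the Administrator account may have been renamed.
    $Users = Get-LocalUser
    $Admin = $Users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $Guest = $Users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

    # Current Administrators group membership; Name is returned as MACHINE\User or DOMAIN\User
    $Members    = Get-LocalGroupMember -Group 'Administrators'
    $Unexpected = $Members | Where-Object {
        # Accept either the full DOMAIN\Name form or the bare name from the allow-list
        $_.Name -notin $ApprovedMembers -and
        ($_.Name -replace '^[^\\]+\\', '') -notin $ApprovedMembers
    }

    [PSCustomObject]@{
        Computer             = $env:COMPUTERNAME
        AdministratorName    = $Admin.Name
        AdministratorEnabled = $Admin.Enabled
        GuestEnabled         = $Guest.Enabled        # $true is a finding
        AdminGroupMembers    = ($Members.Name -join '; ')
        UnexpectedMembers    = ($Unexpected.Name -join '; ')
    }
}

# (,$Approved) passes the whole array as a single argument to param($ApprovedMembers).
# -ErrorAction Continue lets one unreachable server fail without stopping the run.
$Results = Invoke-Command -ComputerName $Servers -ScriptBlock $Audit `
    -ArgumentList (,$Approved) -ErrorAction Continue

# Only show machines with something to fix
$Results | Where-Object { $_.GuestEnabled -or $_.UnexpectedMembers } |
    Select-Object Computer, AdministratorName, AdministratorEnabled, GuestEnabled, UnexpectedMembers |
    Format-Table -AutoSize
```

Drop the final Where-Object filter to see the full membership list for every server, which is useful as a baseline before you decide what belongs in $Approved.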