Remove unwanted admin rights from computers

Intune and SCCM have remediation scripts available. The basic idea is that a detection script decides whether a fix should be run on the client, and a remediation script then applies it. Here the idea is to gather all the local admin accounts and groups and whitelist the groups you want to keep.

In my case I run the script with Intune; it detects local admin accounts and outputs the admin accounts it finds.

<#
Script written by Tommi Voutilainen 

Set the whitelist so the admins you want are allowed to stay on the computer. The whitelisted accounts in the base script are the Domain Admins group and the local admin account WindowsLAPS. Note that there is no example of Intune admin groups. 

#>
# SID pattern of the built-in local Administrator account (RID 500), whatever it has been renamed to.
# The pattern is matched exactly: a trailing "*" would also match RIDs such as 5001.
$AdminSIDPattern = "S-1-5-21-*-500"
# Only local accounts: without the filter a domain-joined machine would enumerate the whole domain
$adminAccounts = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like $AdminSIDPattern }
# Whitelisted users who are allowed to remain in the local Administrators group
$whitelist = @("Domain Admins", "WindowsLAPS")
# Add the built-in Administrator under its current name, so a renamed account is still kept
$adminAccounts | ForEach-Object {
    if ($_.Name -notin $whitelist) {
        $whitelist += $_.Name
    }
}

$remediate = $false
# Resolve the Administrators group by its well-known SID, so the script also works on localized Windows
$AdminGroupSid = "S-1-5-32-544"
$AdminGroup = New-Object System.Security.Principal.SecurityIdentifier($AdminGroupSid)
$AdminGroupName = $AdminGroup.Translate([System.Security.Principal.NTAccount]).Value -replace '.+\\'

# Enumerate members through ADSI; unlike Get-LocalGroupMember this does not fail on unresolvable (orphaned) SIDs
$localAdmins = ([ADSI]"WinNT://./$AdminGroupName").psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) } |
    Where-Object { $_ -match '^WinNT' } |
    ForEach-Object { $_.Replace("WinNT://", "") }

foreach ($adminUser in $localAdmins) {
    $adminUser = $adminUser.Replace('/', '\')
    # Compare on the bare account name, without the domain or computer prefix
    $whitelistUsername = ($adminUser -split '\\')[-1]
    if ($whitelist -notcontains $whitelistUsername) {
        Write-Output "Found $adminUser from local admin group. Going to Remediation."
        $remediate = $true
    }
    else {
        #Log -Message "Whitelisted user: $adminUser was found." -Type "Warning"
    }
}

# Exit 1 tells Intune/SCCM to run the remediation script; exit 0 means the client is compliant
if ($remediate) {
    exit 1
}
else {
    exit 0
}

The above is the detection script for local admin accounts, with the whitelisted group Domain Admins and the local user WindowsLAPS.

<#
Script written by Tommi Voutilainen 

Set the log file according to SCCM or something else, for example:
C:\Windows\CCM\Logs\AdminUsers.log
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AdminUsers.log

#>
# SID pattern of the built-in local Administrator account (RID 500), whatever it has been renamed to
$AdminSIDPattern = "S-1-5-21-*-500"
# Only local accounts: without the filter a domain-joined machine would enumerate the whole domain
$adminAccounts = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like $AdminSIDPattern }
# Whitelisted users who are allowed to remain in the local Administrators group
$whitelist = @("Domain Admins", "WindowsLAPS")
# Add the built-in Administrator under its current name, so a renamed account is still kept
$adminAccounts | ForEach-Object {
    if ($_.Name -notin $whitelist) {
        $whitelist += $_.Name
    }
}

# Writes one line in CMTrace format, so the log opens cleanly in CMTrace / OneTrace
function Log {
    Param (
        [Parameter(Mandatory=$false)]
        $Message,
 
        [Parameter(Mandatory=$false)]
        $ErrorMessage,
 
        [Parameter(Mandatory=$false)]
        $Component,
 
        [Parameter(Mandatory=$false)]
        $Type,
        
        [Parameter(Mandatory=$false)]
        $LogFile = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AdminUsers.log"   # Remember to set this one
    )
    # Mapping string type values to CMTrace severity numbers
    $typeMap = @{
        "Normal"  = 1
        "Warning" = 2
        "Error"   = 3
    }
    $Time = Get-Date -Format "HH:mm:ss.ffffff"
    $Date = Get-Date -Format "MM-dd-yyyy"
    if ($null -ne $ErrorMessage) {
        $Type = "Error"
    }
    if ($null -eq $Component) {
        $Component = "Temporary Admin Rights"
    }
    if ($null -eq $Type) {
        $Type = "Normal"
    }
    $LogMessage = "<![LOG[$Message $ErrorMessage" + "]LOG]!><time=`"$Time`" date=`"$Date`" component=`"$Component`" context=`"`" type=`"$($typeMap[$Type])`" thread=`"`" file=`"`">"
    $LogMessage | Out-File -Append -Encoding UTF8 -FilePath $LogFile
}

Log -Message "----------------------"
Log -Message "Whitelisted accounts are: $whitelist"
# Resolve the Administrators group by its well-known SID, so the script also works on localized Windows
$AdminGroupSid = "S-1-5-32-544"
$AdminGroup = New-Object System.Security.Principal.SecurityIdentifier($AdminGroupSid)
$AdminGroupName = $AdminGroup.Translate([System.Security.Principal.NTAccount]).Value -replace '.+\\'

# Enumerate members through ADSI as "DOMAIN\name" or "COMPUTER\name";
# unlike Get-LocalGroupMember this does not fail on unresolvable (orphaned) SIDs
function Get-AdminGroupMembers {
    ([ADSI]"WinNT://./$AdminGroupName").psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) } |
        Where-Object { $_ -match '^WinNT' } |
        ForEach-Object { $_.Replace("WinNT://", "").Replace('/', '\') }
}

$localAdmins = Get-AdminGroupMembers

foreach ($adminUser in $localAdmins) {
    # Compare on the bare account name, without the domain or computer prefix
    $whitelistUsername = ($adminUser -split '\\')[-1]
    if ($whitelist -notcontains $whitelistUsername) {
        Write-Output "Removing $adminUser from local admin group."
        Log -Message "Removing $adminUser from local admin group."
        try {
            Remove-LocalGroupMember -Group $AdminGroupName -Member $adminUser -ErrorAction Stop
        }
        catch {
            # Log the failure instead of silently ignoring it; the check below reports it as well
            Log -Message "Failed to remove $adminUser from local admin group." -ErrorMessage $_.Exception.Message
        }
    }
    else {
        Log -Message "Whitelisted user: $adminUser was found." -Type "Warning"
    }
}

# Verify: any non-whitelisted member that is still in the group is a failed removal
$remainingAdmins = Get-AdminGroupMembers

foreach ($adminUser in $remainingAdmins) {
    $whitelistUsername = ($adminUser -split '\\')[-1]
    if ($whitelist -notcontains $whitelistUsername) {
        Log -Message "$adminUser should not be local administrator anymore, but still is." -Type "Error"
    }
}
# The timestamp belongs inside -Message: a second positional argument would land in -ErrorMessage
# and the line would be logged as an Error
Log -Message "Script was run $(Get-Date -Format 'HH:mm d.M.yyyy')"
Log -Message "----------------------"
exit 0

This way you gain visibility into which local admin accounts you have, and whether there are problems in your environment that you didn't know about.

Remember – there were no Intune admin rights whitelisted here; to whitelist Intune admin rights you need to use Graph.
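As an added example, not part of the original post or the author's scripts: a SID-based variant of the whitelist check that either the detection or the remediation script above could use. It keeps the built-in local Administrator (machine SID plus RID 500) and the Domain Admins group (domain SID plus RID 512) by SID rather than by name, so a local account that merely shares a whitelisted name is not kept, and it reports members whose SID cannot be resolved. The function names (Get-LocalAdminReport, Test-LocalAdminCompliance) and the -AllowedSids parameter are my own; the SIDs you would pass in for a LAPS-managed account or an Entra ID role are placeholders for your environment.

```powershell
# Added example, not from the original post. Function and parameter names are the editor's own.
function Get-LocalAdminReport {
    [CmdletBinding()]
    param(
        # Extra SIDs that may stay (e.g. a LAPS-managed account or an Entra ID role SID
        # looked up separately). Placeholder: empty by default.
        [string[]] $AllowedSids = @()
    )
    # Resolve the Administrators group by well-known SID, so localized group names do not matter
    $adminGroup = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $groupName  = $adminGroup.Translate([System.Security.Principal.NTAccount]).Value -replace '.+\\'

    # Machine SID = SID of the built-in local Administrator (RID 500) with the RID removed
    $builtinAdmin = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } | Select-Object -First 1
    $machineSid = $builtinAdmin.SID -replace '-500$'

    ([ADSI]"WinNT://./$groupName").psbase.Invoke('Members') | ForEach-Object {
        $member  = $_
        $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        $name    = ($adsPath -replace '^WinNT://', '') -replace '/', '\'
        try {
            # objectSid comes back as a byte array; build a SecurityIdentifier from it
            $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
            $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
        catch {
            # Orphaned members show up with the bare SID as their name; otherwise the SID is unknown
            $sid = if ($name -match '^S-1-') { $name } else { $null }
        }

        $reason = $null
        if ($sid -eq "$machineSid-500") {
            $reason = 'built-in local Administrator'
        }
        elseif ($sid -match '^S-1-5-21(-\d+){3}-512$' -and $sid -notlike "$machineSid-*") {
            $reason = 'Domain Admins (domain SID + RID 512)'
        }
        elseif ($AllowedSids -contains $sid) {
            $reason = 'allow-listed SID'
        }

        [pscustomobject]@{
            Name    = $name
            Sid     = $sid
            Allowed = [bool]$reason
            Reason  = $reason
        }
    }
}

# Detection-style entry point: print the unexpected members (Intune records this output)
# and return 1 when remediation is needed, 0 when the group is clean
function Test-LocalAdminCompliance {
    param([string[]] $AllowedSids = @())
    $offenders = @(Get-LocalAdminReport -AllowedSids $AllowedSids | Where-Object { -not $_.Allowed })
    foreach ($o in $offenders) {
        Write-Output "Unexpected local admin: $($o.Name) (SID: $($o.Sid))"
    }
    if ($offenders.Count -gt 0) { return 1 }
    return 0
}

# When used as a detection script, exit with the code Intune/SCCM evaluates
$exitCode = Test-LocalAdminCompliance -AllowedSids @()   # placeholder: add your LAPS / Entra ID SIDs here
exit $exitCode
```

In a remediation script the same report can drive the cleanup: filter on `-not $_.Allowed` and pass `$_.Sid` (or `$_.Name` for a member with no resolvable SID) to Remove-LocalGroupMember -Member, which accepts SID strings as well as names. Logging the Reason column alongside each kept member makes the CMTrace log explain why an account survived, which is the first thing an auditor asks.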
