Finding user accounts with administrative privileges (Windows)

Hello,

I’m trying to get a list of user accounts with admin rights on Windows computers, but I’m running into a weird issue.

My relevance is:

(concatenation ", " of (members of local group (names of local groups whose ((it = "S-1-5-32-544") of component strings of sids of it)) as string) whose (it as lowercase is not hostname as lowercase & "\our-local-admin" and it is not hostname & "\Administrator" and it is not "AD\Domain Admins" and it is not "AD\our-network-admin-group"))

and I’m excluding a few names at the end since we know those accounts will be on every machine.

However, on some machines, we receive several results of just AD\, for example:
[image]

I can’t seem to figure out why. When I look at the administrators group, there doesn’t seem to be anything out of the ordinary. For example:

[image]
(the blurred out records are “hostname\our-local-admin” and “AD\our-network-admin-group”)

The analysis is set to run for every report, and these devices have been online and checking in, so I don’t think it’s stale records from previous relevance I may have written.

Where are these entries coming from?

Is it possible these machines are members of the Domain, but are currently disconnected from the Domain Controller or VPN and are not able to resolve the values of user names?

I don’t recall the exact details but my memory is that ‘member of group’ attempts to resolve the member to a username, and if the name is not available may not return anything (if the Domain is unreachable, or the account has been deleted from the Domain but was still referenced by a local group, etc.)

See whether these queries give different results for you -

q: members of local groups whose (component string of sid of it = "S-1-5-32-544")
A: ENDPOINT-1\Administrator
A: ENDPOINT-1\User1#
A: D\Domain Admins
T: 102.558 ms

q: sids of members of local groups whose (component string of sid of it = "S-1-5-32-544")
A: ENDPOINT-1\Administrator
A: ENDPOINT-1\User1#
A: D\Domain Admins

My memory is that by specifically asking for the sid of the group member, a name is returned if it’s resolvable but if it’s not resolvable the component string of the SID is returned instead. That may give some clue.


Thank you! It looks like that’s it. I had a device reconnect to the network, and the blank AD\s disappeared.

Indeed, I do also see different results for the queries you provided.

It seems specifically that domain groups with admin rights on the local machine fail to resolve, because individual users seem to show up fine.

I was then able to look up the SIDs with some code I found here: https://woshub.com/convert-sid-to-username-and-vice-versa/

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-####-####-####-###")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

The names returned were AD\Domain Admins and AD\our-network-admin-group, both groups with several users, and not a SID that would be signed in to the computer (I’m guessing that’s how it was able to resolve the individual users, because they were also signed in to the machine with a user profile).

Now I can grab the SIDs and filter out the known ones.

Thanks again!

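The approach the thread converges on (enumerate the local Administrators group by its well-known SID, translate each member SID to a name, and fall back to the raw SID when translation fails) as a stand-alone PowerShell script. This is an added example, not code from the original posts or from the woshub article; it assumes the ADSI WinNT provider and .NET's SecurityIdentifier.Translate, and the $KnownAdmins list holds placeholder names that you would replace with your own.

```powershell
# Added example: list local Administrators members, resolving SIDs to names where possible.
# An entry that does not resolve (domain controller unreachable, or the principal was deleted
# but is still referenced by the local group) is reported by its SID instead of a blank "AD\".

# Assumption: accounts/groups expected on every machine; replace with your own values.
$KnownAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "$env:COMPUTERNAME\our-local-admin",
    "AD\Domain Admins",
    "AD\our-network-admin-group"
)

function Get-LocalAdminMembers {
    # Locate the group by SID S-1-5-32-544 so the script also works on localized Windows installs.
    $groupSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $groupName = $groupSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://./$groupName,group"

    foreach ($member in @($group.Invoke('Members'))) {
        # The WinNT provider returns objectSid as a byte array; AdsPath tells us where it came from.
        $sidBytes  = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $memberSid = New-Object System.Security.Principal.SecurityIdentifier ($sidBytes, 0)
        $adsPath   = $member.GetType().InvokeMember('AdsPath',   'GetProperty', $null, $member, $null)

        try {
            # Resolvable: DOMAIN\name or HOST\name, the same value the relevance "as string" gives.
            $name     = $memberSid.Translate([System.Security.Principal.NTAccount]).Value
            $resolved = $true
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Unresolvable: keep the SID string, like "component string of sid" in relevance.
            $name     = $memberSid.Value
            $resolved = $false
        }

        [pscustomobject]@{
            Name     = $name
            SID      = $memberSid.Value
            Resolved = $resolved
            AdsPath  = $adsPath
        }
    }
}

# Full membership first, then only the entries that are neither expected nor resolvable.
$members = Get-LocalAdminMembers
$members | Format-Table Name, SID, Resolved -AutoSize

Write-Host "Members to review (not in the known list, or SID could not be resolved):"
$members |
    Where-Object { ($_.Name -notin $KnownAdmins) -or (-not $_.Resolved) } |
    Select-Object Name, SID, Resolved, AdsPath
```

Filtering by SID rather than by display name is more stable over time: a group can be renamed, but its SID does not change, and an unresolved member shows up as its SID anyway. Run the script while the machine is off the domain network and again when it is connected to confirm that the same member flips from Resolved = False to Resolved = True, which is the behaviour described earlier in the thread.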

Local user accounts:

(name of local user it) of ( (members of local group "Administrators" as string) whose (exist (local user it) whose ((account disabled flag of it) = False))) 

Domain user accounts:

(members of local group "Administrators" as string) whose ( (exists (domain user it) whose ( (not exist local user (name of it) AND (account disabled flag of it = False) ) )) )