Using PowerShell to Check for Newly Created Local Admins

  administration, powershell, scripting, windows

So, as the title says: I am trying to write up a PowerShell script that checks to see if any user accounts have been added to the Local Administrators group or have been added as an Administrator on the local machine. I have been using Get-EventLog and Get-WinEvent in an attempt to accomplish what I am trying to do. The problem I am having is isolating or extracting the information I want out of the event logs.

This is what I have so far:

$Date = ((Get-Date).AddDays(-1)).Date

$Events = Get-WinEvent -FilterHashtable @{
    StartTime    = $Date
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    ID           = 4732
}

I figure, if I can get the Username of the account that was added; which group or permissions it was given; and the date it was created, I can selectively output that information for each log over the last 24 hours. I’m not sure if I should be trying to use Get-Item or Get-Content, or if there is another way I should be trying to tackle this.

Source: Windows Questions
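One way to pull the member, the group and the timestamp out of those 4732 events, as an added example that is not part of the original question. It assumes the script runs in an elevated PowerShell session (reading the Security log requires it) and reads the event fields by name from the event XML rather than by position.

```powershell
# Added example: extract who was added, to which group, when, and by whom
# from Security event 4732 ("A member was added to a security-enabled local group").
# Assumes an elevated session; reading the Security log requires it.
$Date = ((Get-Date).AddDays(-1)).Date

$Events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    ID           = 4732
    StartTime    = $Date
} -ErrorAction SilentlyContinue   # Get-WinEvent throws when no event matches

function ConvertFrom-GroupMembershipEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)

    # Read EventData by field name so the script does not rely on the
    # positional order of $Event.Properties[].
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # MemberName is frequently "-" for local accounts; resolve MemberSid instead.
    $member = $data['MemberName']
    if (-not $member -or $member -eq '-') {
        try {
            $sid    = [System.Security.Principal.SecurityIdentifier]$data['MemberSid']
            $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $member = $data['MemberSid'] }   # account may already be deleted
    }

    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated
        Member      = $member
        Group       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        GroupSid    = $data['TargetSid']
        AddedBy     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group, so
# matching on it works regardless of the group's display name or OS language.
$Events |
    ForEach-Object { ConvertFrom-GroupMembershipEvent $_ } |
    Where-Object { $_.GroupSid -eq 'S-1-5-32-544' } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Member, Group, AddedBy -AutoSize
```

Event 4732 is only written when success auditing for the "Security Group Management" subcategory is enabled, so an empty result can mean auditing is off rather than that nothing was added.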
