
Audit Local Administrator Accounts

Identify all local administrator accounts on Windows endpoints for compliance and security auditing

Worklet Details

What the administrator account auditor does

This Automox Worklet™ queries Windows endpoints using PowerShell and retrieves all members of the local Administrators group. The Worklet uses WMI classes to enumerate the Win32_Group and Win32_GroupUser associations, providing accurate discovery of all local administrator accounts regardless of domain membership status.

The Worklet delivers audit results in two ways. If no local admin accounts exist, it exits cleanly with confirmation. If local administrators are found, the Worklet flags the endpoint for remediation and outputs a formatted table listing each account name to the activity log for your review.

This approach provides real-time visibility into privileged account status across your endpoint inventory, eliminating the need for manual administrative audits or third-party discovery tools.

Why audit local administrator accounts

Unauthorized or forgotten admin accounts create hidden privilege escalation paths that attackers exploit for lateral movement and persistence. When endpoints have untracked local administrator accounts, attackers can compromise one endpoint and pivot across your network using these privileged credentials. This risk multiplies when former employees retain admin access, shadow IT creates unauthorized accounts, or misconfigured systems grant unnecessary privileges.

Compliance frameworks including CIS Benchmarks, PCI-DSS, and HIPAA require organizations to maintain inventories of privileged accounts and restrict administrative access to authorized users only. Auditing local administrators demonstrates compliance with these standards and helps prepare for compliance audits and regulatory examinations.

From an operational perspective, endpoints with unnecessary local admin accounts create support and troubleshooting challenges. When users have administrative privileges, they can make unauthorized system changes that compromise stability and security. Automated discovery allows you to identify which endpoints need admin account removal, enabling centralized control over your infrastructure.

How administrator account auditing works

  1. Evaluation phase: The Worklet queries the local Administrators group using WMI and retrieves all associated user accounts. It checks whether the group contains any members by examining the Win32_Group and Win32_GroupUser association classes. The evaluation result determines whether the endpoint requires remediation.

  2. Remediation phase: The Worklet formats the administrator account names into a table and writes the list to the activity log. Each local admin account is displayed with its full account name, making it easy for you to identify which accounts exist on the endpoint. The output provides the information you need to decide whether to remove specific accounts or escalate for management review.
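As an added example (not the Worklet's own code, which this page does not reproduce), the following PowerShell implements the evaluation logic described above with the cmdlets the page names (Get-CimInstance, Get-CimAssociatedInstance, Write-Output) and goes one step further than the Worklet: it compares each member against a constructed authorized list, as the verification steps later on this page recommend. Assumptions: the group is resolved by its well-known SID S-1-5-32-544 so the lookup also works on localized Windows builds where the group is not named "Administrators"; the entries in `$authorized` are placeholders; and exit code 0 means compliant while exit code 1 flags the endpoint for remediation (the usual Automox evaluation convention).

```powershell
# Added example, not the Worklet's own script. Enumerates members of the local
# Administrators group through the Win32_Group / Win32_GroupUser association
# and reports them as an audit table.
# Assumptions: runs as SYSTEM or a local admin; exit 0 = compliant,
# exit 1 = remediation needed (the usual Automox evaluation convention).

# Resolve the group by its well-known SID rather than by display name so the
# query survives localized builds where the group is not called "Administrators".
$adminGroup = Get-CimInstance -ClassName Win32_Group `
    -Filter "LocalAccount = TRUE AND SID = 'S-1-5-32-544'"
if (-not $adminGroup) {
    Write-Output "Could not resolve the local Administrators group (SID S-1-5-32-544)."
    exit 1
}

# Win32_GroupUser links the group (GroupComponent) to each member (PartComponent).
# A member can be a Win32_UserAccount, a Win32_Group (e.g. a nested domain group)
# or a Win32_SystemAccount, so ask for the generic association and inspect the
# class of each result instead of restricting to user accounts only.
$members = Get-CimAssociatedInstance -InputObject $adminGroup -Association Win32_GroupUser

# Constructed allow-list: replace with your organisation's authorized administrator list.
$authorized = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')

$report = foreach ($m in $members) {
    $fullName = "$($m.Domain)\$($m.Name)"
    [PSCustomObject]@{
        Account    = $fullName
        Type       = $m.CimClass.CimClassName     # Win32_UserAccount / Win32_Group / Win32_SystemAccount
        Local      = $m.LocalAccount
        # Only Win32_UserAccount exposes Disabled; groups and system accounts do not.
        Disabled   = if ($m.PSObject.Properties['Disabled']) { $m.Disabled } else { $null }
        Authorized = $authorized -contains $fullName
    }
}

if (-not $report) {
    Write-Output "No members found in the local Administrators group."
    exit 0
}

# Write the table to the activity log, unauthorized entries first.
$report | Sort-Object Authorized, Account | Format-Table -AutoSize | Out-String | Write-Output

$unexpected = @($report | Where-Object { -not $_.Authorized })
if ($unexpected.Count -gt 0) {
    Write-Output "$($unexpected.Count) administrator account(s) not on the authorized list; flagging endpoint for remediation."
    exit 1
}

Write-Output "All local Administrators group members match the authorized list."
exit 0
```

The Type column matters for the audit: a nested domain group such as "Domain Users" inside local Administrators grants admin rights to every member of that group, and a query restricted to Win32_UserAccount would never show it.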

Administrator audit requirements

  • Windows 8, Windows 10, Windows 11, Server 2012 R2, Server 2016, Server 2019, or Server 2022

  • PowerShell 3.0 or later (standard on supported Windows versions)

  • Worklet must run with local system privileges to query the Administrators group

  • WMI (Windows Management Instrumentation) must be functional on the endpoint

Expected administrator account audit results

After running this Worklet, you will have a complete list of all local administrator accounts on each endpoint. The activity log displays the account names in a formatted table, making it easy to identify unexpected or unauthorized admin accounts. Endpoints with no local administrator accounts show a confirmation message, indicating compliance with your security policy.

Verification and next steps: Review the Activity Log output for each endpoint and compare discovered accounts against your authorized administrator list. Flag accounts that do not match approved users for removal or investigation. Schedule this Worklet to run regularly (weekly or monthly) to detect configuration drift, unauthorized privilege escalation, or newly created admin accounts. This ongoing visibility enables you to maintain least privilege principles and respond quickly to security policy violations.

How to validate Audit Local Administrator Accounts results

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output it writes to the activity log.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state with checks that mirror the evaluation script's logic: Get-CimInstance and Get-CimAssociatedInstance against the Win32_Group and Win32_GroupUser classes, with Write-Output for the reported list.

  4. Validate the remediation output produced by those same operations (Write-Output, Get-CimInstance, Get-CimAssociatedInstance), then rerun the evaluation to confirm the endpoint's compliance result.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
