PowerShell: Find builtin local Administrator account


Managing accounts on local computers (clients or servers) is not that common in a domain environment, but there is one account that often gets discussed: the local administrator.

Some companies disable this account on their machines, some set its password to a standard value (which means one compromised machine gives an attacker that password everywhere it is reused), and some randomize the password at deployment and keep track of it in a database or similar. The thing is that sometimes, often in troubleshooting scenarios, it is really convenient to have the password for the local administrator account on a server at hand, but it can be tricky to keep track of which password to use on which server.

Some companies use localized versions of the operating system, meaning that the local administrator account is not always named Administrator: it could be Järjestelmänvalvoja, Administrateur, Rendszergazda, Administrador, Администратор or Administratör, and some companies rename the local administrator account to something completely different.

So how do we get the name of the local administrator account on a machine?

Each account has a unique identifier called a Security Identifier (SID). I’m not going to go deeper into how a SID is generated, but a few accounts have SIDs that always match a certain pattern. These SIDs are called well-known security identifiers.

The built-in Administrator account is the only local account whose SID ends with the relative identifier (RID) 500, i.e. “-500”, and it keeps that SID when it is renamed, localized or disabled. (The domain Administrator account also has RID 500 under the domain SID, so the search has to be restricted to the machine’s own accounts.) Using this knowledge I wrote a simple function in PowerShell that will list all local users on a machine and return the account with a SID that ends with “-500”. Enumerating the SAM of a remote machine requires administrative rights on that machine.

function Get-SWLocalAdmin {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string[]]$ComputerName
    )
    Begin {
        # Load the assembly once instead of on every iteration.
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    }
    Process {
        Foreach ($Computer in $ComputerName) {
            $PrincipalContext = $null
            $Searcher = $null
            Try {
                # ContextType Machine queries the local SAM of $Computer, so the domain
                # Administrator (also RID 500, but under the domain SID) is never returned.
                $PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine, $Computer)
                $UserPrincipal = New-Object System.DirectoryServices.AccountManagement.UserPrincipal($PrincipalContext)
                $Searcher = New-Object System.DirectoryServices.AccountManagement.PrincipalSearcher
                $Searcher.QueryFilter = $UserPrincipal
                # The built-in Administrator is the account whose SID ends with RID 500,
                # regardless of what the account is currently named.
                $Searcher.FindAll() | Where-Object { $_.Sid.Value -match '-500$' }
            }
            Catch {
                Write-Warning -Message "$($Computer): $($_.Exception.Message)"
            }
            Finally {
                if ($Searcher) { $Searcher.Dispose() }
                if ($PrincipalContext) { $PrincipalContext.Dispose() }
            }
        }
    }
}
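The same RID 500 lookup can be done without the AccountManagement assembly. The block below is an added example, not code from the original post: it shows three further ways to find the built-in Administrator (Get-LocalUser, constructing the SID from the machine SID and letting Windows translate it, and Win32_UserAccount over CIM for a remote machine) and checks that they agree. It assumes Windows PowerShell 5.1 or later for Get-LocalUser, and the function names are my own.

```powershell
# Added example (not part of the original post). Three ways to locate the
# built-in Administrator by RID 500 rather than by name.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser); function names are arbitrary.

# 1. Get-LocalUser: filter on the RID, never on the (localizable, renamable) name.
function Get-BuiltinAdminLocalUser {
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
}

# 2. Build the SID from the machine SID and let Windows translate it to a name.
#    Every local account SID is <machine SID>-<RID>; AccountDomainSid strips the RID.
function Get-BuiltinAdminBySidTranslate {
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid
    $adminSid   = New-Object System.Security.Principal.SecurityIdentifier("$($machineSid.Value)-500")
    # Returns "<COMPUTERNAME>\<current name>", e.g. SRV01\Administrateur on a French install.
    $adminSid.Translate([System.Security.Principal.NTAccount]).Value
}

# 3. Remote machine via CIM and Win32_UserAccount. The LocalAccount filter keeps the
#    query from walking the whole domain; it needs WinRM and admin rights on the target.
function Get-BuiltinAdminRemote {
    param([Parameter(Mandatory)][string]$ComputerName)
    Get-CimInstance -ClassName Win32_UserAccount -ComputerName $ComputerName -Filter "LocalAccount = TRUE" |
        Where-Object { $_.SID -match '-500$' } |
        Select-Object PSComputerName, Name, SID, Disabled, PasswordRequired
}

# Self-check against the local machine: all three methods must report the same name,
# and the Disabled column tells you whether the account is actually usable.
$byLocalUser = Get-BuiltinAdminLocalUser
$byTranslate = Get-BuiltinAdminBySidTranslate
$byCim       = Get-BuiltinAdminRemote -ComputerName $env:COMPUTERNAME
"{0} / {1} / {2} (disabled: {3})" -f $byLocalUser.Name, ($byTranslate -split '\\')[-1], $byCim.Name, $byCim.Disabled
```

Method 2 is the cheapest when you only need the name: it issues a single LSA lookup instead of enumerating every local account. Method 3 is the one to reach for across a fleet, since Get-LocalUser does not take a computer name; on Windows 10 / Server 2016 and later, remote SAM access (which both the PrincipalContext approach and the CIM call rely on) is restricted to administrators by default, so run it with an account that is local admin on the targets.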

In future posts I will go through how to determine when the password was last set, how to change it and how to verify that the password was correctly set.