Weekend Scripter: Use PowerShell to Find Local Administrators on a Computer

Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell and WMI CIM associations to find local administrators.

Microsoft Scripting Guy, Ed Wilson, is here. Well, we have been really lucky the past couple of days in Charlotte, North Carolina—at least weather wise. Yesterday, it was 60 degrees Fahrenheit and it was sunny with a clear blue sky. I am sitting on the lanai sipping a nice cup of green tea with a cinnamon stick, lemon grass, Jasmine flowers, and just a little bit of lavender. It tastes as great as it smells—certainly a nice way to relax and ease into the day.

Use WMI to find members of the local administrator group

When I can get away with it, I love simplicity. Once you know Windows Management Instrumentation (WMI), the world of Windows administration opens to you. In fact, with the introduction of the CIM cmdlets in Windows PowerShell 3.0, and the movement towards Open Management Infrastructure (OMI), knowing how to use this technology becomes much more important—it is knowledge you can leverage over and over in your daily work.

Anyway, today I was playing around with association WMI classes, and I decided to spend a bit of time using the Win32_GroupUser WMI class.

Note   I talk about WMI associations in Use PowerShell CIM Cmdlets to Discover WMI Associations.

This association class references two other classes: Win32_Group and Win32_Account. This information is shown here.

15:56 C:\> Get-CimClass win32_groupuser | select -expand cimclassproperties


Name               : GroupComponent

Value              :

CimType            : Reference

Flags              : Property, Key, ReadOnly, NullValue

Qualifiers         : {Aggregate, read, key, MappingStrings...}

ReferenceClassName : Win32_Group


Name               : PartComponent

Value              :

CimType            : Reference

Flags              : Property, Key, ReadOnly, NullValue

Qualifiers         : {read, key, MappingStrings, Override}

ReferenceClassName : Win32_Account

In Windows PowerShell 2.0 (or Windows PowerShell 3.0), I can query the association class directly with the Get-WmiObject cmdlet, filter for the GroupComponent that matches administrators, and for each result use the [wmi] type accelerator to resolve the PartComponent reference into the account object. As the output above shows, PartComponent references the Win32_Account and GroupComponent references the Win32_Group. The command is shown here.

Get-WmiObject win32_groupuser |

Where-Object { $_.GroupComponent -match 'administrators' } |

ForEach-Object {[wmi]$_.PartComponent }

When I run the code, the following appears in the Windows PowerShell console.

16:03 C:\> Get-WmiObject win32_groupuser |

>> Where-Object { $_.groupcomponent -match 'administrators' } |

>> ForEach-Object {[wmi]$_.partcomponent }


AccountType : 512

Caption     : edLT\Administrator

Domain      : edLT

SID         : S-1-5-21-3464415469-1849125893-2015719117-500

FullName    :

Name        : Administrator


AccountType : 512

Caption     : edLT\ed

Domain      : edLT

SID         : S-1-5-21-3464415469-1849125893-2015719117-1001

FullName    :

Name        : ed


Caption : IAMMRED\Domain Admins

Domain  : IAMMRED

Name    : Domain Admins

SID     : S-1-5-21-1457956834-3844189528-3541350385-512

The previous command is a single logical line, but it is broken at the pipe character for ease of reading. By using the Windows PowerShell 3.0 simplified Where-Object syntax and a few aliases, I can reduce it to a single physical line, as shown here. One caveat: -match 'administrators' is a substring match against the whole GroupComponent reference string, so it also returns the members of any other group whose name contains that word (for example Hyper-V Administrators, or a domain group with a similar name). The CIM version in the next section filters on the exact group name instead.

gwmi win32_groupuser | ? groupcomponent -match 'administrators' | % {[wmi]$_.partcomponent}
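Because the substring match can pull in groups other than the one you are auditing, here is an added example (not from the original post) that matches the local computer's own Administrators group exactly. It parses the Domain and Name back out of the GroupComponent reference and compares them, and then shows the equivalent ASSOCIATORS OF WQL query that lets WMI walk the Win32_GroupUser association from that one Win32_Group instance. It assumes it is run on the computer being audited, so $env:COMPUTERNAME is the group's domain.

```powershell
# Added example: match the machine's own Administrators group exactly,
# instead of any GroupComponent reference that happens to contain 'administrators'.

# A GroupComponent value looks like this (reference string, not an object):
#   \\EDLT\root\cimv2:Win32_Group.Domain="edLT",Name="Administrators"
# This regex pulls the Domain and Name back out of it.
$refPattern = 'Win32_Group\.Domain="(?<Domain>[^"]+)",Name="(?<Name>[^"]+)"'

Get-WmiObject Win32_GroupUser |
    Where-Object {
        # -match fills $Matches in this scope; -and short-circuits, so the
        # two comparisons below only run when the reference parsed.
        $_.GroupComponent -match $refPattern -and
        $Matches.Name   -eq 'Administrators' -and      # exact group name, not a substring
        $Matches.Domain -eq $env:COMPUTERNAME           # the local group, not a domain one
    } |
    ForEach-Object { [wmi]$_.PartComponent } |
    Select-Object Domain, Name, SID, AccountType

# Same result with WMI doing the filtering: ASSOCIATORS OF starts from one
# specific Win32_Group instance and follows the Win32_GroupUser association.
$query = "ASSOCIATORS OF {Win32_Group.Domain='$env:COMPUTERNAME',Name='Administrators'} " +
         "WHERE AssocClass=Win32_GroupUser Role=GroupComponent"
Get-WmiObject -Query $query | Select-Object Domain, Name, SID
```

Both forms return the same mix of Win32_UserAccount and Win32_Group instances as the original command; a Win32_Group result (such as a domain group) is not expanded, so its own members are not listed.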

Use the PowerShell 3.0 CIM cmdlets to get local admins

I can use the same WMI classes, but use the CIM cmdlets from Windows PowerShell 3.0. This simplifies the code a bit. The first thing I need to do is obtain a CIM instance. To do this, I use the Get-CimInstance cmdlet. I specify the WMI class as Win32_Group, and I filter for the group named administrators. I pipe the returned CIM instance to the Get-CimAssociatedInstance cmdlet, which queries for the associated instances based on the association class name.

So you see, it is important to know which WMI classes an association class ties together. I know, because I used the CIM cmdlets to expand the class properties and see the references. Now, all I need to do is specify the association class, as shown here.

Get-CimInstance -ClassName win32_group -Filter "name = 'administrators'" |

Get-CimAssociatedInstance -Association win32_groupuser

The command and its associated output are shown here.

16:06 C:\> Get-CimInstance -ClassName win32_group -Filter "name = 'administrators'" |

>> Get-CimAssociatedInstance -Association win32_groupuser



Name             Caption          AccountType      SID              Domain

----             -------          -----------      ---              ------

Administrator    edLT\Administ... 512              S-1-5-21-3464... edLT

ed               edLT\ed          512              S-1-5-21-3464... edLT


Caption : IAMMRED\Domain Admins

Domain  : IAMMRED

Name    : Domain Admins

SID     : S-1-5-21-1457956834-3844189528-3541350385-512
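The CIM version is the one to build an audit on, because it starts from a single group instance rather than enumerating every Win32_GroupUser on the box. The following is an added example, not part of the original post, that runs the same Get-CimInstance | Get-CimAssociatedInstance pair over CIM sessions against several computers and turns the result into a report a reviewer can act on. It adds LocalAccount=TRUE to the filter so that only the machine's own Administrators group is matched, flags the built-in Administrator account by its RID (500), and labels domain groups explicitly, since the association does not expand nested membership. The computer names are placeholders; it assumes WinRM is reachable and the caller has administrative rights on the targets. On a domain-joined machine the Win32_Group provider also enumerates domain groups when it answers, which is where most of the per-host time goes.

```powershell
# Added example: audit the local Administrators group on several computers
# over CIM sessions and report what a security reviewer wants to see.
# 'WKS01' and 'WKS02' are placeholder names.

function Get-LocalAdminReport {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            # One session per host, reused for both queries.
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop

            # LocalAccount=TRUE keeps this to the machine's own Administrators group,
            # so a domain group that happens to be called Administrators is not matched.
            $group = Get-CimInstance -CimSession $session -ClassName Win32_Group `
                -Filter "Name='Administrators' AND LocalAccount=TRUE"

            $members = $group | Get-CimAssociatedInstance -Association Win32_GroupUser

            foreach ($m in $members) {
                # Members come back as Win32_UserAccount or Win32_Group instances.
                $isGroup = $m.CimClass.CimClassName -eq 'Win32_Group'

                [pscustomobject]@{
                    Computer     = $computer
                    Member       = '{0}\{1}' -f $m.Domain, $m.Name
                    SID          = $m.SID
                    Type         = if ($isGroup) { 'Group' } else { 'User' }
                    Local        = [bool]$m.LocalAccount
                    # Win32_Group has no Disabled property; only report it for accounts.
                    Disabled     = if ($isGroup) { $null } else { [bool]$m.Disabled }
                    # RID 500 is the built-in Administrator account on every machine.
                    BuiltInAdmin = $m.SID -like 'S-1-5-21-*-500'
                    # The association lists a group as one member; its own members
                    # are not expanded, so a domain group here needs a separate check.
                    Note         = if ($isGroup -and -not $m.LocalAccount) {
                                       'domain group; members not expanded'
                                   } else { '' }
                }
            }
        }
        catch {
            Write-Warning "$computer : $($_.Exception.Message)"
        }
        finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

# Run against the placeholder names; pipe to Export-Csv for a report.
Get-LocalAdminReport -ComputerName 'WKS01', 'WKS02' | Format-Table -AutoSize
```

Hosts that cannot be reached produce a warning rather than stopping the loop, so a sweep of many machines still finishes; the gaps are visible in the output as missing computers.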

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

Comments (9)

  1. Anonymous says:

    Never mind… just saw that it does not. It actually picks up anyone in a group that contains the word "administrators" in the group name somewhere. Looks like AD only, not local groups. Would it be possible to mod this for local group administrators?

  2. Anonymous says:

    does this script find all the local administrators on workstations on a domain?

  3. Vern_Anderson says:

    Thank you for including the 2.0 version as well!

  4. Maikel Kachouh says:

    this works like a charm, thank you

    Do you know why it is so slow though, takes about 1-2 min per computer

  5. anony says:

    Works, though it's too slow to use on 3000 PCs

  6. yaro137 says:

    This is far too slow to be of use in an enterprise environment

  7. Dean says:

    Very helpful. Thanks

  8. FJ says:

    The best I have found so far. Allows you to use the .Name on the users…
    The get-CimInstance is THE way to go.

  9. Anonymous says:

    I maintain a list of links I call "security stuff every Microsoft customer should know" that
