PRIVILEGE AUDIT

Local Privilege Auditing. Instantly.

Verify local administrator rights across remote endpoints in seconds. Detect unauthorized privilege escalation and validate LAPS functionality without interrupting the user.

WinRM Dispatcher ● CONNECTED

[UHDC] Connecting to LAPTOP-US-4829 via WinRM...

--- Administrators Group Members ---
> LAPTOP-US-4829\Administrator   Type: User  | Source: Local
> ACME\Domain Admins             Type: Group | Source: ActiveDirectory
> ACME\jsmith                    Type: User  | Source: ActiveDirectory

Trust, But Verify.

Active Directory only shows what domain groups a user belongs to. It cannot tell you if a local IT technician manually added a user's domain account directly to the local SAM database of a specific laptop. The UHDC bridges this visibility gap.

Direct SAM Query

Queries the endpoint's own Security Account Manager (SAM) database instead of relying on Active Directory group membership, giving a definitive view of who actually holds local privileges on that machine.

Source Identification

Clearly distinguishes between local machine accounts (like the built-in Administrator) and Active Directory domain accounts, making it easy to spot unauthorized domain users.

Silent Execution

Runs entirely in the background via WinRM. You can audit a machine for suspicious activity or verify LAPS functionality without the user ever knowing you are connected.

INTERACTIVE TRAINING ENGINE

How Junior Techs Learn This Tool:

While the UHDC uses PowerShell in the background to parse and format the data, a junior technician should know how to audit local groups manually with classic command-line tools. The training engine teaches them how to use Sysinternals PsExec to remotely run the native net localgroup command, which lists all members of the local Administrators group:

psexec \\$Target net localgroup administrators

The In-Person Equivalent

Open Computer Management (compmgmt.msc), navigate to Local Users and Groups -> Groups, and double-click 'Administrators'. Alternatively, open a local command prompt and run: net localgroup administrators

Technical Q&A

Q: Why do we need to query the PC directly? Can't we just look at the user's Active Directory groups?
No. Active Directory only shows what domain groups a user belongs to. It does not know if a local IT technician manually added a user's domain account directly to the local SAM database of a specific laptop. The only way to definitively know who has admin rights on a specific piece of hardware is to query the hardware itself.
Q: What does the "PrincipalSource" property mean?
PrincipalSource tells you where the account originates. If it says Local, the account exists only on that specific computer's hard drive (like the built-in 'Administrator' account). If it says ActiveDirectory, it is a domain account (like 'ACME\jsmith') that has been granted local privileges.
Q: Can this script remove unauthorized administrators?
This specific script is strictly for auditing (read-only). If you identify an unauthorized user, you would typically use a Group Policy update, Intune Endpoint Security policy, or a custom remote command to strip the access, ensuring the remediation aligns with your organization's broader security framework.
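The WinRM query and PrincipalSource check described above, as an added PowerShell example that is not the UHDC's own code: it reads the remote Administrators group with Get-LocalGroupMember and flags any member that is neither the built-in local Administrator nor on an approved list. $Target and $ApprovedMembers are placeholders; the target must have WinRM enabled and the caller must hold admin rights on it.

```powershell
# Added example (not the UHDC's code): read-only audit of the local Administrators
# group on one remote endpoint over WinRM, flagging members that are not expected.
# Assumptions: WinRM is reachable, the caller is a local admin on the target, and
# $Target / $ApprovedMembers are placeholders for your own environment.
param(
    [string]$Target = 'LAPTOP-US-4829',
    [string[]]$ApprovedMembers = @('ACME\Domain Admins')
)

# Run the query on the endpoint itself; this reads the machine's SAM, not AD.
# Get-LocalGroupMember exposes Name, ObjectClass (User/Group) and PrincipalSource
# (Local, ActiveDirectory, AzureAD, MicrosoftAccount, Unknown).
# Caveat: orphaned SIDs left by deleted domain accounts can make this cmdlet throw,
# in which case 'net localgroup administrators' still lists the raw entries.
$members = Invoke-Command -ComputerName $Target -ErrorAction Stop -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$report = foreach ($m in $members) {
    # The built-in local Administrator (the account LAPS normally manages) is expected.
    $isBuiltIn  = ($m.PrincipalSource -eq 'Local') -and ($m.Name -like '*\Administrator')
    $isApproved = $isBuiltIn -or ($ApprovedMembers -contains $m.Name)

    [pscustomobject]@{
        Computer = $Target
        Member   = $m.Name
        Type     = $m.ObjectClass
        Source   = $m.PrincipalSource
        # A domain account granted local admin outside the approved list is the
        # "technician added jsmith by hand" case the page describes.
        Status   = if ($isApproved) { 'OK' } else { 'REVIEW' }
    }
}

$report | Format-Table -AutoSize

# Non-zero count of REVIEW rows is the signal to follow up via GPO/Intune, as the
# Q&A above notes; this script itself changes nothing on the endpoint.
($report | Where-Object Status -eq 'REVIEW').Count
```

Run against several endpoints by looping over a computer list and collecting $report into one array; the Status column then gives a single list of unexpected local admins across the fleet.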