04 March 2019

Local Administrator Baseline Compliance

One of the issues we have had is users ending up in the local Administrators group. There are circumstances in which we have to put a user in that group temporarily to install an application that is both user- and computer-based, and it can be easy to forget to take the user back out of that group. We don't allow end users here to have local administrator privileges, for security reasons.

I have finally gotten around to using PowerShell along with the compliance settings in SCCM to manage this issue. To implement a compliance setting that monitors systems where users have local admin privileges, I first set up the configuration item. As shown below, I set up the configuration item to look for an integer value, 0 or 1, returned from the PowerShell script. It returns 0 if nothing shows up in the query and 1 if there are users in the query.

The first step is to create the Configuration Item as shown in the following instructions:

In SCCM under Assets and Compliance-->Compliance Settings-->Configuration Items, click Create Configuration Item from the toolbar above.


In my environment, we are now only Windows 10, so I selected that as the platform.


The next screen is where you create the conditions associated with the configuration item. Under this, click New.


The next screen is for creating the setting. I used the name Local Administrators; the setting is defined by a PowerShell script that returns an integer value of 0 or 1.


The next screen is where you enter the PowerShell script that queries for users that may exist in the group. If there are users in your environment that need to be there by default, you will need to add them to the Where-Object filter to exclude them from the query. You could also put them in a text file on a UNC share that the script reads and compares against.


Here is the script for easy copy and paste.

If ((Get-LocalGroupMember -Group Administrators | Where-Object { ($_.ObjectClass -eq 'User') -and ($_.Name -notlike '*Administrator*') }).Count -gt 0) { Write-Output 1 } else { Write-Output 0 }
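As an added example (not the post's script), here is the same 0/1 check extended with the allow-list-on-a-UNC-share approach mentioned above; the share path and the 'Domain Admins' entry are placeholders, and unlike the one-liner it also flags unexpected nested groups and matches the built-in Administrator by SID rather than by name.

```powershell
# Added example, not the script from the post: the same 0/1 compliance check,
# extended with an allow-list read from a UNC share (placeholder path) and a
# SID-based test for the built-in Administrator account.
$AllowListPath = '\\FILESERVER\Share\LocalAdminAllowList.txt'   # placeholder, adjust

# Principals expected in the local Administrators group by default.
# (Constructed example entry; replace with what your environment uses.)
$DefaultAllowed = @('Domain Admins')

function Get-AllowedPrincipals {
    param([string]$Path, [string[]]$Defaults)
    $allowed = @($Defaults)
    # The script runs as SYSTEM under the SCCM client, so the computer account
    # needs read access to the share. If the file cannot be read we keep the
    # defaults: the worst case is a false non-compliance, never a missed admin.
    if (Test-Path -Path $Path) {
        $allowed += Get-Content -Path $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    return $allowed
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed, [string]$GroupName = 'Administrators')
    # @() keeps .Count meaningful when the group has zero or one member.
    $members = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop)
    $members | Where-Object {
        # The built-in Administrator has RID 500; matching the SID means a
        # renamed account is still excluded and a user named "Administrator2" is not.
        $isBuiltInAdmin = $_.SID.Value -like 'S-1-5-21-*-500'
        # Names come back as MACHINE\user or DOMAIN\group; accept either form.
        $shortName = ($_.Name -split '\\')[-1]
        (-not $isBuiltInAdmin) -and
        ($Allowed -notcontains $shortName) -and
        ($Allowed -notcontains $_.Name)
    }
}

# Unlike the post's one-liner this keeps ObjectClass 'Group' members too,
# because every member of a nested group is a local admin as well.
$allowed    = Get-AllowedPrincipals -Path $AllowListPath -Defaults $DefaultAllowed
$unexpected = @(Get-UnexpectedLocalAdmins -Allowed $allowed)

# SCCM reads the integer from the script output: 1 = unexpected members found.
if ($unexpected.Count -gt 0) { Write-Output 1 } else { Write-Output 0 }
```

The Configuration Item still expects a single integer, so keep the final Write-Output as the script's only output.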

Next come the Compliance Rules. This is where you specify which value returned from the query is considered compliant.


This is the specification defined for the rule.



Now that the Configuration Item is created, we must create a Baseline that will use the Configuration Item when deployed out to collections.

In SCCM under Assets and Compliance-->Compliance Settings-->Configuration Baselines, click Create Configuration Baseline from the toolbar above.


I used the Name Local Admin. Next, click on Add-->Configuration Items. The following screen will appear:


Select the Local Administrator item and click Add. Mine in the picture is named slightly differently because I had already created it before writing this blog.

Now click OK and the Configuration Baseline will be created. The Baseline is now ready to be deployed out. Select the Local Admin Baseline from the Configuration Baselines and click Deploy. The following screen will appear:


These are the specifications I decided to use. I set the alert to generate if 100% compliance is not met, so I know by the next day if someone has local admin. As you can see in the results below, the system I deployed it to is compliant.


I also went into that system and added a user to the Administrators group; it returned a result of non-compliant when I reran the compliance scan. Another thing that can be done here is to create collections based on the compliance and non-compliance of the baseline. This can be done by clicking on the configuration baseline and then right-clicking on the deployment at the bottom. Click Create New Collection and the options to create the collections from the results will come up as shown below.


If you want to expedite the evaluation time while testing this out, you can go to a system you have deployed this to and open Configuration Manager from the Control Panel. Under that, click the Configurations tab. If the baseline is not appearing there yet, click Refresh and the new baseline should appear. Once it is displayed there, you can click Evaluate at the bottom to run the baseline.

