🚀 Automating Local Administrator Group Cleanup with PowerShell
- Avijit Dutta
- Aug 19
- 3 min read
✨ Introduction - Local Administrator Group Cleanup with PowerShell
In modern enterprise environments, security hardening is a top priority 🔐. One of the biggest risks is unmanaged Local Administrator accounts. Over time, users and groups may be added to the Local Administrators group, creating potential backdoors for attackers.
Manually auditing and cleaning these accounts across multiple machines is time-consuming ⏳ and error-prone.
💡 That’s where PowerShell automation comes in! This blog walks you through a script that will do the Local Administrator Group Cleanup with PowerShell. Steps are:
Fetches computer names from a text file 📂
Validates if they exist in the domain 🖥️
Removes all unwanted accounts from Local Administrators 🚫
Keeps only Local Administrator (built-in) and Domain Admins 👑
Logs results into an Excel file 📊
Sends the report via email automatically 📧
🛠️ Prerequisites
Before running the script, make sure you have:
1) PowerShell 5.1+ or PowerShell 7.x
👉 Confirm using:
2) Active Directory Module
Installed via RSAT on Windows 10/11
Or use Install-WindowsFeature RSAT-AD-PowerShell on servers
3) ImportExcel PowerShell Module
4) SMTP Relay Configured 📧
Required for sending the Excel report by email
5) Computer List File
A text file at C:\AD_Scripts\Computers.txt with one computer name per line
📖 Helpful Scenarios
This automation is useful in several real-world situations:
🔹 Post-Audit Compliance – After an IT security audit, you may need to clean local admin groups across hundreds of machines.
🔹 New Security Baseline Rollout – When rolling out a new policy restricting local admin access, this script ensures all systems comply.
🔹 User Exit Process – If a privileged user leaves the organisation, you can quickly remove their access from all workstations/servers.
🔹 Regular Maintenance – Run this script periodically (monthly/quarterly) to ensure your systems remain clean and compliant.
⚡ How the Script Works
Reads Computer Names from Computers.txt 📂
Checks Active Directory to verify computer accounts 🔎
Connects Remotely to each valid computer 🖥️
Lists Local Admin Group Members 👥
Removes Unwanted Accounts while keeping:
Local Administrator (default, local admin user)
Domain Admins group (Active Directory Domain Admins Group)
Writes Results to Excel with columns:
Computer Name
Status (Cleaned, Error, Not Found)
Users/Groups Removed
Emails the Report to IT admins for tracking and evidence 📧
⏬Complete Script
Please find the complete PowerShell Script below.
📥 Download the Script
The full script named "Remove-LocalAdmins.ps1" is included in the zip file "Remove-LocalAdmins.zip". You can download it, unzip it, and use it.
📊 Sample Excel Output
Computer Name | Status | Users & Groups Removed |
PC-101 | ✅ Cleaned - Users/Groups removed | John.Doe, HelpdeskGroup |
PC-205 | ℹ️ Nothing to remove | |
PC-350 | ❌ Computer account not found in the Domain |
✅ Conclusion
Managing local administrator privileges is critical for ensuring security in enterprise environments. 🚨
By automating this task with PowerShell, you:
Reduce manual effort ⏳
Improve security posture 🔐
Ensure compliance 📜
Get centralised reporting 📊
👉 With a single script, you can audit, clean, and document the entire process.
Stay Proactive, Stay Secure! 🔥
#PowerShell, #SysAdmin, #ActiveDirectory, #WindowsServer, #ITInfrastructure, #ServerAdministration, #Automation, #CyberSecurity, #InfoSec, #CloudAndSecurity, #SecOps, #ITCompliance, #WindowsAdmin, #TechAutomation, #EnterpriseIT, #DataSecurity, #PowerShellScripts, #ITSecurity, #SysAdminLife, #MicrosoftTech
☕ Found this helpful? Share it & show some love!
Tip me a coffee at 👉 paypal.me/duttaavijit #ThankYou #SupportCreators
Your small support helps fuel more free, volunteer-driven content like this. Thank you! 🙏