Intune reporting with Log Analytics: list local admin accounts on your devices and who added them
In this post I will show you how to create a report of the local admin accounts found on your devices, using Intune, PowerShell and Log Analytics.
The solution
The solution comes down to a few steps:
- Create a Proactive Remediation script
- This script runs on your devices
- It checks whether there are local admin accounts
- If so, it checks who added them and when
- It sends the information to Log Analytics
Sometimes the report won't show when a local admin account was added. For each account, the script looks for a corresponding event ID 4732 in the Security event log, and that log is often purged.
The Power BI way
See my post there for how to do the same with Power BI.
Get the files
Click on the GitHub picture below to get the required files:
- LocalAdmin_Workbook.json
- Detection_script.ps1
What does it look like?
The Log Analytics workbook displays the following information:
- A pie chart with the number of devices with and without local admin account(s)
- A grid of the devices with local admin account(s)
The grid displays:
- Device name
- User name
- Device model
- Number of local admin accounts
- Names of the local admin accounts
- When they were added
The Log Analytics workbook looks like this:
Log Analytics information
To create this report we need some information about the Log Analytics workspace.
The required information is:
- Workspace ID
- Primary key
- Name of the custom log to create or update
In this example, the custom log is named: LocalAdminReport.
To get this information, go to Log Analytics workspace > Agents management; you will find both the Workspace ID and the Primary key there.
Then proceed as follows:
1. Open the file Detection_script.ps1
2. Fill in the variables below:
- $CustomerID: Workspace ID
- $ShareKey: Primary key
Adding authorized account
The detection script checks whether there are local admin accounts on your devices.
You may have configured some local admin groups or accounts on your devices on purpose.
For instance, consider the following needs:
- A local admin group allowing your help desk to perform privileged tasks
- The local Administrator account
- Azure AD roles for
You can configure the script to skip those accounts so they are not displayed in the report.
This lets you list only the unwanted local admin accounts.
To add authorized account(s), proceed as follows:
1. Search for the variable $Authorized_Accounts
2. Add accounts, groups or SIDs there
3. Separate each one with a ";"
4. See the example below:
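As an added example, not the post's own Detection_script.ps1 (which is not reproduced here), the script below shows how the pieces described so far fit together in one detection script: the $CustomerID, $ShareKey and $Authorized_Accounts variables follow the post's naming and the custom log is LocalAdminReport, while the function names, the sample authorized entries, the placeholder workspace values and the report column names are this example's own. It resolves the Administrators group by its well-known SID, skips authorized entries matched either by name or by SID (so an Azure AD role SID listed in $Authorized_Accounts is skipped too), looks up event 4732 in the Security log to find who added each remaining member and when, and posts one row per device to the Log Analytics HTTP Data Collector API with the SharedKey HMAC-SHA256 signature.

```powershell
# Added example, not the post's Detection_script.ps1. Placeholders must be replaced before use.
$CustomerID = "<workspace-id>"       # placeholder: Log Analytics Workspace ID
$ShareKey   = "<primary-key>"        # placeholder: Log Analytics Primary key
$LogType    = "LocalAdminReport"     # custom log name; Log Analytics stores it as LocalAdminReport_CL

# Authorized members, ";"-separated as in the post. An entry may be a name ("Administrator",
# "CONTOSO\HelpDesk-Admins") or a SID, which is how Azure AD roles appear in the group. Constructed values.
$Authorized_Accounts = "Administrator;CONTOSO\HelpDesk-Admins;S-1-12-1-1111111111-2222222222-3333333333-4444444444"
$AuthorizedList = $Authorized_Accounts -split ";" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

function Test-AuthorizedMember {
    # Authorized if the full name, the short name (without domain prefix) or the SID is listed.
    param([string]$Name, [string]$Sid)
    $short = ($Name -split '\\')[-1]
    foreach ($entry in $AuthorizedList) {
        if ($entry -ieq $Name -or $entry -ieq $short -or $entry -ieq $Sid) { return $true }
    }
    return $false
}

function Get-LocalAdminMembers {
    # Resolve Administrators by its well-known SID so localized group names work, then read the
    # members through ADSI, which also returns orphaned and Azure AD SIDs that have no resolvable name.
    $adminSid  = [System.Security.Principal.SecurityIdentifier]"S-1-5-32-544"
    $groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://./$groupName,group"
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        $sidBytes = $m.GetType().InvokeMember("objectSid", "GetProperty", $null, $m, $null)
        $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        $adsPath  = $m.GetType().InvokeMember("AdsPath", "GetProperty", $null, $m, $null)
        # AdsPath is WinNT://DOMAIN/name; present it as DOMAIN\name
        [pscustomobject]@{ Name = (($adsPath -replace '^WinNT://', '') -replace '/', '\'); SID = $sid }
    }
}

function Get-AdditionEvent {
    # Latest Security event 4732 (member added to a security-enabled local group) for this member SID
    # being added to Administrators. Returns $null when the log was purged or has rolled over.
    param([string]$MemberSid)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['MemberSid'] -eq $MemberSid -and $data['TargetSid'] -eq 'S-1-5-32-544') {
            return [pscustomobject]@{
                AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                AddedOn = $e.TimeCreated.ToUniversalTime().ToString("o")
            }
        }
    }
    return $null
}

function Send-LogAnalyticsData {
    # HTTP Data Collector API: HMAC-SHA256 over "POST\n<len>\napplication/json\nx-ms-date:<date>\n/api/logs"
    param([string]$WorkspaceId, [string]$SharedKey, [string]$LogName, [string]$Json)
    $body = [Text.Encoding]::UTF8.GetBytes($Json)
    $date = [DateTime]::UtcNow.ToString("r")
    $stringToSign = "POST`n$($body.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $signature = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))
    $headers = @{ Authorization = "SharedKey ${WorkspaceId}:$signature"; 'Log-Type' = $LogName; 'x-ms-date' = $date }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return (Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' -Headers $headers -Body $body -UseBasicParsing).StatusCode
}

# Build one row per device with the columns the workbook grid shows.
$cs = Get-CimInstance Win32_ComputerSystem
$unwanted = @()
foreach ($member in Get-LocalAdminMembers) {
    if (Test-AuthorizedMember -Name $member.Name -Sid $member.SID) { continue }
    $evt = Get-AdditionEvent -MemberSid $member.SID
    $addedBy = 'Unknown (no 4732 event in Security log)'
    $addedOn = 'Unknown'
    if ($evt) { $addedBy = $evt.AddedBy; $addedOn = $evt.AddedOn }
    $unwanted += [pscustomobject]@{ Account = $member.Name; SID = $member.SID; AddedBy = $addedBy; AddedOn = $addedOn }
}
$report = [pscustomobject]@{
    DeviceName         = $env:COMPUTERNAME
    UserName           = $cs.UserName
    DeviceModel        = $cs.Model
    LocalAdminCount    = $unwanted.Count
    LocalAdminAccounts = ($unwanted.Account -join ';')
    Details            = (ConvertTo-Json -InputObject $unwanted -Compress)
}
$status = Send-LogAnalyticsData -WorkspaceId $CustomerID -SharedKey $ShareKey -LogName $LogType -Json ($report | ConvertTo-Json -Compress)
Write-Output "Sent to Log Analytics (HTTP $status): $($unwanted.Count) unauthorized local admin(s)"
# Proactive Remediation detection convention: exit 1 when an issue is detected, 0 when compliant.
if ($unwanted.Count -gt 0) { exit 1 } else { exit 0 }
```

The script needs to run as SYSTEM (the Proactive Remediation default) because reading the Security log requires elevated rights. When the Security log has been purged, AddedBy and AddedOn fall back to Unknown rather than failing, which is the limitation the post mentions; the exit code still reports the unwanted accounts, and the Details column carries the per-account list so the workbook can expand it.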
Creating the Proactive Remediation package
1. Go to the Microsoft Endpoint Manager admin center
2. Go to Reports
3. Go to Endpoint Analytics
4. Go to Proactive Remediations
5. Click on Create script package
6. Type a name
7. Click on Next
8. Click on Detection script file
9. Browse to the script Detection_script.ps1
10. Click on Next
11. Select the group
12. In the Schedule part, choose when the package should be run.
13. Click on Apply
14. Click on Next
15. Click on Create
Log Analytics workbook
In this part we will create the report.
1. Go to the Azure portal
2. Go to Log Analytics workspace
3. Go to Workbooks
4. Click on New
5. Go to Advanced editor
6. Search for the line "fallbackResourceIds": [
7. Above this line, add the content of LocalAdmin_Workbook.json
8. If you changed the name of the local admin custom log, replace it in the JSON with yours
Comments
Thanks, is it correct that even if I authorize the AAD SIDs I still see them in the report?