Reputation: 241
I'd like to get a list of all people with admin privileges with PowerShell. What is the most optimal way to accomplish that? Which user property should I look at?
Upvotes: 3
Views: 54812
Reputation: 126
I realize this question is old, and Noah's answer helped get me in the ballpark. I just want to expand on it a little bit more. If you have multiple domains in your environment you can do something like this:
Get-ADGroupMember -Server "domain-name-here" -Identity "Domain Admins" -Recursive | Select Name
If you also want to see which accounts are enabled or disabled:
Get-ADGroupMember -Server "domain-name-here" -Identity "Domain Admins" -Recursive | Get-ADUser | Select Name, Enabled
Or if you only want to see enabled accounts:
Get-ADGroupMember -Server "domain-name-here" -Identity "Domain Admins" -Recursive | get-aduser -Properties Description | Where {$_.Enabled -eq $true} | Select Name
Upvotes: 1
Reputation: 895
The other examples show how to get the easiest display of who has "admin" access to a domain but don't overlook the fact that "admin" access can be directly assigned to any user or group object on the domain object itself. Simply checking for members of "domain admins" and "enterprise admins" is not going to show you the whole picture.
As a starting point you could start with this and then investigate further:
(Get-ACL 'AD:\DC=MYDOMAIN,DC=local').Access | Format-Table IdentityReference,ActiveDirectoryRights,AccessControlType -AutoSize
Upvotes: 0
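One way to narrow the ACL listing from the answer above to the entries that grant admin-equivalent control, as an added example that is not part of the original answer. It assumes the ActiveDirectory module (RSAT) and a domain-joined session; the function name Get-PrivilegedAce and the choice of rights to flag are this example's own.

```powershell
Import-Module ActiveDirectory                     # provides the AD: drive and Get-ADDomain
Add-Type -AssemblyName System.DirectoryServices   # ActiveDirectoryRights enum

# Control-access rights that permit replicating directory secrets (password hashes).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
# Rights that let the trustee take over the object or rewrite its ACL.
$DangerousRights = 'GenericWrite', 'WriteDacl', 'WriteOwner'

function Get-PrivilegedAce {   # hypothetical helper, not a module cmdlet
    param([Parameter(Mandatory, ValueFromPipeline)] $Ace)
    process {
        if ($Ace.AccessControlType -ne 'Allow') { return }
        $held = $Ace.ActiveDirectoryRights
        if ($held -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
            $hits = @('GenericAll')               # full control implies everything below
        } else {
            $hits = @(foreach ($name in $DangerousRights) {
                $flag = [System.DirectoryServices.ActiveDirectoryRights]$name
                if (($held -band $flag) -eq $flag) { $name }
            })
            $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
            if (($held -band $ext) -eq $ext) {
                $guid = $Ace.ObjectType.ToString()
                if ($Ace.ObjectType -eq [guid]::Empty) { $hits += 'AllExtendedRights' }
                elseif ($ReplicationRights.ContainsKey($guid)) { $hits += $ReplicationRights[$guid] }
            }
        }
        if ($hits.Count) {
            [pscustomobject]@{
                Identity  = $Ace.IdentityReference.Value
                Rights    = $hits -join ', '
                Inherited = $Ace.IsInherited
            }
        }
    }
}

# Read the domain root's ACL and keep only the high-impact Allow entries.
$domainDN = (Get-ADDomain).DistinguishedName
(Get-Acl "AD:\$domainDN").Access |
    Get-PrivilegedAce |
    Sort-Object Identity, Rights -Unique |
    Format-Table -AutoSize
```

Compare the identities it lists against the groups you expect to hold these rights; anything else is a delegation worth reviewing.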
Reputation: 203
dsquery * -filter "(sAMAccountName=Domain Admins)" | dsget group -members -expand >> RESULT.txt
Upvotes: 0
Reputation: 1762
get-adgroupmember 'domain admins' | select name,samaccountname
get-adgroupmember 'enterprise admins' | select name,samaccountname
Upvotes: 4