Audit-Local-Admins

3.0

Audit-Local-Admins.ps1

                                Param(

    [Switch]$Debug = $false,

    [Switch]$Console = $False,

    [Switch]$UseExcel = $True,

    [Switch]$IncludeAdmins = $False,    

    [Switch]$ShortReport = $False    

    )

<#==============================================================================

          File Name : Audit-Local-Admins.ps1

    Original Author : Kenneth C. Mazie 

                    : 

        Description : Queries the local admins group on all domain computers and emails a report on findings.

                    : 

              Notes : Normal operation is with no command line options.  Basic log is written to C:\Scripts

                    : Optional argument: -Debug $true (defaults to false.  Changes runtime options, email recipient, sets UseExcel to false) 

                    :                    -Console $true (displays runtime info on console)

                    :                    -UseExcel $false (defaults to $true. Creates an Excel spreadsheet and stores the last 10.  Attaches to outgoing email by default.)

                    :                    -IncludeAdmins $true (defaults to $false. Will include entries on the administrators array in the final report)

                    :                    -LongReport $true (defaults to $false.  Will include ALL systems.  Short report only adds a system to the output if anomalies are found)

                    : 

           Warnings : None

                    :   

              Legal : Public Domain. Modify and redistribute freely. No rights reserved.

                    : SCRIPT PROVIDED "AS IS" WITHOUT WARRANTIES OR GUARANTEES OF 

                    : ANY KIND. USE AT YOUR OWN RISK. NO TECHNICAL SUPPORT PROVIDED.

                    :

            Credits : Code snippets and/or ideas came from many sources including but 

                    :   not limited to the following:

                    : N/A

                    : 

     Last Update by : Kenneth C. Mazie 

    Version History : v1.00 - 09-16-13 - Original 

     Change History : v1.10 - 04-19-15 - Edited to allow color coding of HTML output, only keep 10 XLSX files.

                    : v1.20 - 02-02-16 - Fixed lock up after closing Excel.

                    : v1.30 - 03-10-16 - Corrected spreadsheet attachment error. Added admin ignore option

                    : v2.00 - 02-02-18 - Major rewrite for PS 5.1.  Added external config file to genericize script.

                    :                    Altered report output formatting.

                    : v2.10 - 03-15-18 - Tweaked for upload to PS Gallery.

                    : v2.20 - 06-18-18 - Adjusted local administrator decoy detection so if a local user named "administrator"

                    :                    is found with a non-standard SID it gets flagged.

                    : v3.00 - 07-13-18 - Complete rewrite.  Changed report generation, changed arguments, added color to excel

                    :                    tweaked messages, added detection of permission issues.

                    :

#===============================================================================#>

<#PSScriptInfo

.VERSION 3.00

.GUID 77f578dc-4887-44b2-b981-783aba19755d

.AUTHOR Kenneth C. Mazie (kcmjr AT kcmjr.com)

.DESCRIPTION 

Queries the local admins group on all domain computers and emails a report on findings..

#>

#requires -version 5.1

Clear-Host 

If ($Debug){$Script:Debug = $True}

If ($Console){$Script:Console = $True}

If ($UseExcel){$Script:UseExcel = $True} 

If ($IncludeAdmins){$Script:IncludeAdmins = $True} 

If ($Debug){$Script:UseExcel = $False} 

If ($ShortReport){$Script:ShortReport = $True}

$ErrorActionPreference = "silentlycontinue"

#--[ Manual bypass options ]---------

#$Script:Console = $True

#$Script:Debug = $True

#$Script:UseExcel = $true

#$Script:IncludeAdmins = $true

#$Script:ShortReport = $true

#------------------------------------

#--[ Functions ]-------------------------------------------------------------------------

Function LoadModules {

    If (!(Get-module ActiveDirectory)){Import-Module ActiveDirectory}

}    

Function LoadConfig { #--[ Read and load configuration file ]-----------------------------------------

    If (!(Test-Path $Script:ConfigFile)){       #--[ Error out if configuration file doesn't exist ]--

        $Script:EmailBody = "---------------------------------------------`n" 

        $Script:EmailBody += "--[ MISSING CONFIG FILE.  Script aborted. ]--`n" 

        $Script:EmailBody += "---------------------------------------------" 

        #SendEmail    #--[ No email without the settings file.  Preset the options if you like ]--

        Write-Host $EmailBody -ForegroundColor Red

        break

    }Else{

        [xml]$Script:Configuration = Get-Content $Script:ConfigFile      

        $Script:DebugTarget = $Script:Configuration.Settings.General.DebugTarget

        $Script:ExclusionList = ($Script:Configuration.Settings.General.Exclusions).Split(",")

        $Script:ValidAdmins = ($Script:Configuration.Settings.General.ValidAdmins).Split(",")

        $Script:ReportName = $Script:Configuration.Settings.General.ReportName

        $Script:Domain = $Script:Configuration.Settings.General.Domain

        $Script:DebugEmail = $Script:Configuration.Settings.Email.Debug 

        $Script:eMailTo = $Script:Configuration.Settings.Email.To

        $Script:eMailFrom = $Script:Configuration.Settings.Email.From    

        $Script:eMailHTML = $Script:Configuration.Settings.Email.HTML

        $Script:eMailSubject = $Script:Configuration.Settings.Email.Subject

        $Script:SmtpServer = $Script:Configuration.Settings.Email.SmtpServer

        $Script:UserName = $Script:Configuration.Settings.Credentials.Username

        $Script:EncryptedPW = $Script:Configuration.Settings.Credentials.Password

        $Script:Base64String = $Script:Configuration.Settings.Credentials.Key   

        $ByteArray = [System.Convert]::FromBase64String($Base64String)

        $Script:Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, ($EncryptedPW | ConvertTo-SecureString -Key $ByteArray)

        $Script:Password = $Credential.GetNetworkCredential().Password    

    }

}

Function SendEmail {

    $email = $null

    If ($Script:Debug){$ErrorActionPreference = "stop"}

    $eMailBody = "Local Administrator Report."

    If ($Script:Debug){

        $eMailRecipient = $Script:DebugEmail                                        #--[ Debug destination email address 

    }Else{    

        $eMailRecipient = $Script:eMailTo                                           #--[ Destination email address 

    }

    $emailFrom = $Script:eMailFrom                                                  #--[ Sender address.

    $email = New-Object System.Net.Mail.MailMessage

    $email.From = $Script:eMailFrom

    $email.IsBodyHtml = $Script:eMailHTML

    $email.To.Add($eMailRecipient)

    $email.Subject = $Script:eMailSubject

    If ($Script:UseExcel){

        $email.Attachments.Add($Script:FileName)

    }      

    $email.Body = $Script:ReportBody 

    $smtp = new-object Net.Mail.SmtpClient($Script:SmtpServer)

    $smtp.Send($email)

    If ($Script:Console){Write-Host "`n--[ Email sent ]--" -ForegroundColor Green}

}

Function GetTargets {

    $Script:TargetList =  ""

    If ($Script:Debug){

        $Script:TargetList = @(Get-ADComputer -Credential $Credential  -Filter "Name -Like '*$Script:DebugTarget*'" -ErrorAction 0 | Select Name | Sort Name)

        Write-Host "-- DEBUG MODE --" -ForegroundColor red 

    }Else{

        $Script:TargetList = @(Get-ADComputer -Credential $Credential -Filter * | select name | sort name)

    }    

    $Script:Count = $Script:TargetList.count

}

#==[ Main Body ]================================================================

$Script:ReportBody = ""

$HtmlData = ""

$DayOfWeek = (get-date).DayOfWeek

$StartTime = [datetime]::Now

# $Domain = (Get-ADDomain).DNSroot      #--[ Alternate ]--

$Computer = $Env:ComputerName

$Script:Message = ""

$ScriptName = ($MyInvocation.MyCommand.Name).split(".")[0] 

$Script:LogFile = "$PSScriptRoot\$ScriptName-{0:MM-dd-yyyy_HHmmss}.html" -f (Get-Date)  

$Script:ConfigFile = "$PSScriptRoot\$ScriptName.xml"  

LoadConfig 

LoadModules

GetTargets

#--[ Add header to html log file ]--

$Script:ReportBody = @() 

$Script:ReportBody += '

<style type="text/css">

    table.myTable { border:5px solid black;border-collapse:collapse; }

    table.myTable td { border:2px solid black;padding:5px;background: #E6E6E6 } 

    table.myTable th { border:2px solid black;padding:5px;background: #B4B4AB }

    table.bottomBorder { border-collapse:collapse; }

    table.bottomBorder td, table.bottomBorder th { border-bottom:1px dotted black;padding:5px; }

</style>'

$Script:ReportBody += '<table class="myTable">'

$Script:ReportBody += '<tr><td colspan=4><center><h1>-- '+$Script:ReportName+' Report --</h1></center></td></tr>'

If ($Script:ShortReport ){

    $Script:ReportBody += "<tr><td colspan=4><center>The following report displays members of the local administrators group for servers and/or PCs that don't belong.</center></td></tr>"

}Else{

    $Script:ReportBody += '<tr><td colspan=4><center>The following report displays all members of the local administrators group for every server and PC in the domain.</center></td></tr>'

}

#--[ Excel Non-Interactive Fix ]------------------------------------------------

#--[ Excel will crash when run non-interactively via a scheduled task if these folders don't exist.  Folder permissions may cause this to fail. Creation may fail due to permission issues. ]--

Try{

    If (!(Test-path -Path "C:\Windows\System32\config\systemprofile\Desktop")){New-Item -Type Directory -Name "C:\Windows\System32\config\systemprofile\Desktop" -ErrorAction "SilentlyContinue" -Force}

    If (!(Test-path -Path "C:\Windows\SysWOW64\config\systemprofile\Desktop")){New-Item -Type Directory -Name "C:\Windows\SysWOW64\config\systemprofile\Desktop" -ErrorAction "SilentlyContinue" -Force}

}Catch{}    

#--[ Detect Excel, use it and send attachment if found, otherwise only create HTML ]--

$Script:NoExcel = $False

if (!(get-itemproperty hklm:\software\microsoft\windows\currentversion\uninstall\* | select displayname | where {$_.displayname -like "*Office*"} -ne "")){

    $Script:UseExcel = $False

    $Script:NoExcel = $True

    $Script:ReportBody += '<tr><td colspan=4><center>NOTICE: Excel was not located on the system running this report.  No spreadsheet will be included.</center></td></tr>'

}

If ($Script:UseExcel){

    $Row = 0

    $Col = 1

    #--[ Create a new Excel object ]--

    $Excel = New-Object -Com Excel.Application

    If ($Script:Console -or $Script:Debug){

        $Excel.visible = $True

        $Excel.DisplayAlerts = $true

        $Excel.ScreenUpdating = $true

        $Excel.UserControl = $true

        $Excel.Interactive = $true

    }Else{

        $Excel.visible = $False

        $Excel.DisplayAlerts = $false 

        $Excel.ScreenUpdating = $false 

        $Excel.UserControl = $false

        $Excel.Interactive = $false

    }

    $Workbook = $Excel.Workbooks.Add()

    $WorkSheet = $Workbook.WorkSheets.Item(1)

    #--[ Write Worksheet title ]--

    $WorkSheet.Cells.Item($Row,1) = "Local Administrator Audit Report - $DateTime"

    $WorkSheet.Cells.Item($Row,1).font.bold = $true

    $WorkSheet.Cells.Item($Row,1).font.underline = $true

    $WorkSheet.Cells.Item($Row,1).font.size = 18

    #--[ Write worksheet column headers ]--

    $Row ++

    $WorkSheet.Cells.Item($Row,$Col) = "TARGET:"

    $WorkSheet.Cells.Item($Row,$Col).font.bold = $true

    $WorkSheet.Cells.Item($Row,$Col).HorizontalAlignment = 1

#    $WorkSheet.Cells.Item($Row,$Col).Borders.Item(10).LineStyle = 1     #--[ optional formatting ]--

#    $WorkSheet.Cells.Item($Row,$Col).Borders.Item(10).Weight = 4

    $Col++

    $WorkSheet.Cells.Item($Row,$Col) = "STATUS:"

    $WorkSheet.Cells.Item($Row,$Col).font.bold = $true

    $WorkSheet.Cells.Item($Row,$Col).HorizontalAlignment = 1

#    $WorkSheet.Cells.Item($Row,$Col).Borders.Item(10).LineStyle = 1

#    $WorkSheet.Cells.Item($Row,$Col).Borders.Item(10).Weight = 4

    $Col++

    $WorkSheet.Cells.Item($Row,$Col) = "USER:"

    $WorkSheet.Cells.Item($Row,$Col).font.bold = $true

    $WorkSheet.Cells.Item($Row,$Col).HorizontalAlignment = 1

#    $WorkSheet.Cells.Item($Row,$Col).Borders.Item(10).LineStyle = 1

#    $WorkSheet.Cells.Item($Row,$Col).Borders.Item(10).Weight = 4

    $WorkSheet.application.activewindow.splitcolumn = 0

    $WorkSheet.Cells.Item(2,1).Select

#    $WorkSheet.application.activewindow.splitrow = 1

    $WorkSheet.application.activewindow.freezepanes = $true

    $Resize = $WorkSheet.UsedRange

    [void]$Resize.EntireColumn.AutoFit()

}

#--[ HTML Report Header ]--

$Script:ReportBody += '<tr><th>Target System</th><th>Account Name</th><th>Account Location</th><th>Account Type</th></tr>'

$Row ++

If ($Script:Console){

    Write-Host "`n--- BEGIN ---" -ForegroundColor Green

    Write-Host "`nTotal Target Systems = $Count" -ForegroundColor Cyan 

}

$Remaining = 0 #$Count

ForEach ($Target in $TargetList){

    $Target = $Target.name

    $IncludeTarget = $true                 #--[ The default is to add all targets to Excel, HTML, and ALWAYS to console ]--

    $AddSystem = $false                    #--[ By default we do NOT add the system to Excel or HTML, only on display ]--

    $AddRow = $False                       #--[ This determines if the individual row is included in output ]--

    $HtmlRowData = ""

    $HtmlSystemData = ""  

    $Anomaly = $False                      #--[ Flag for filtering "brief" report ]--  

    $Col = 1

    If ($Script:Console){Write-Host "`nTarget System = $Target     ("($Remaining+1)"of $Count )" -ForegroundColor Cyan }

    $Script:ExclusionList | ForEach-Object {                      #--[ Create a flag to denote when a system should be bypassed ]--

        if ($Target -match $_){$IncludeTarget = $False} 

    }       

    $WorkSheet.Cells.Item($row,$col) = $Target

    $Col ++

    If($IncludeTarget){                     #--[ Include these systems ]--

        if (Test-Connection -ComputerName $Target -count 1 -BufferSize 16 -ErrorAction SilentlyContinue){ 

            $WorkSheet.Cells.Item($row,$col).font.colorindex = 10

            $WorkSheet.Cells.Item($row,$col) = "OK";$Col ++

            If ($Script:Debug){

                $HtmlSystemData += '<tr><td><font color=darkcyan><strong>' + $Target.ToUpper() + '</strong></td><td colspan=3>Connection: <font color=darkgreen>OK</font>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<font color=#a0a0a0>( Target '+($Remaining+1)+' of '+$Count+' Targets Total, '+($Count-($Remaining+1))+' Remaining.  )</font></td></tr>'

            }Else{

                $HtmlSystemData += '<tr><td><font color=darkcyan><strong>' + $Target.ToUpper() + '</strong></td><td colspan=3>Connection: <font color=darkgreen>OK</font></td></tr>'

            }

            #--[ Get list of users in local admin group with WMI ]--

            #$AdminList = Get-WmiObject -computername $Target -Class win32_groupuser -ErrorAction "SilentlyContinue" -Credential $Script:Credential  | WHERE {$_.groupcomponent -match 'administrators' } | foreach {[WMI]$_.partcomponent } 

            $AdminList = Invoke-Command -ScriptBlock {Get-LocalGroupMember -Group "Administrators"} -ComputerName $Target -Credential $Credential

            #--[ Get list of local users with WMI to check for decoy account. ]--

            [Array]$LocalAccounts = Get-WmiObject -Class Win32_UserAccount -Namespace "root\cimv2" -Filter "LocalAccount='$True'" -ComputerName $Script:Target -Credential $Script:Credential -ErrorAction silentlycontinue 

            If($AdminList.count -eq 0){  #--[ There has been an error accessing the target ]--

                $Anomaly = $true

                If ($Script:Console){

                    Write-Host "       ERROR:  Cannot read the Administrators group!!!" -ForegroundColor Red

                }    

                $HtmlRowData += '<tr><td><font color=darkcyan><strong>&nbsp;</td><td colspan=3><font color=darkmagenta>There was an error accessing the target Administrators group...</font></td></tr>'   

                $WorkSheet.Cells.Item($row,$col).font.colorindex = 13

                $WorkSheet.Cells.Item($row,$col) = "Error accessing Administrators group"

                $Script:HtmlSystemData += $HtmlRowData 

            }Else{

                #--[ Process each user in Administrators group ]-------------------------------------------------------------------

                ForEach ($UserObject in $AdminList){ 

                    $HtmlRowData = '<tr><td>&nbsp;</td>'

                    $AddRow = $False

                    If ($Script:Console){

                        Write-Host "       Found: "$UserObject.Name.Split("\")[1]  -ForegroundColor Yellow -NoNewline

                        Write-Host "   ("$UserObject.SID")" -ForegroundColor Gray -NoNewline

                    }

                    If ($Script:ValidAdmins -Contains $UserObject.Name.Split("\")[1] ){   #--[ Inspect valid admins array to see if this user is on it ]--

                        If($Script:IncludeAdmins){$AddRow = $true}                        #--[ Add the user only if we want valid admins ]--

                        Write-Host "   (Valid Admin)" -ForegroundColor Green

                        $HtmlRowData += '<td><font color=darkgreen>' + $UserObject.Name.Split("\")[1]

                        $HtmlRowData += '<td><font color=darkgreen>' + ($UserObject.Name.Split("\")[0]).ToLower()

                        $WorkSheet.Cells.Item($row,$col).font.colorindex = 10

                        $WorkSheet.Cells.Item($row,$col) = $UserObject.Name.Split("\")[1]+"  (Valid)"

                    }ElseIf ($UserObject.Name.Split("\")[1] -eq "Administrator"){         #--[ Validate the administrator account is a decoy ]--

                        $AddRow = $True

                        $Anomaly = $true

                        If (($UserObject.SID.SubString(0,6) -eq "S-1-5-") -and ($UserObject.SID.SubString($UserObject.SID.Length - 4) -eq "-500")){   #--[ Valid SID for admin ]--

                            Write-Host "" 

                            $HtmlRowData += '<td><font color=darkred>' + $UserObject.Name.Split("\")[1]

                            $HtmlRowData += '<td><font color=darkred>' + ($UserObject.Name.Split("\")[0]).ToLower()

                            $WorkSheet.Cells.Item($row,$col).font.colorindex = 3

                            $WorkSheet.Cells.Item($row,$col) = $UserObject.Name.Split("\")[1]+"  (Default)"

                        }Else{

                            Write-host " -- DECOY ADMIN ACCOUNT IDENTIFIED --" -ForegroundColor Magenta 

                            $HtmlRowData += '<td><font color=darkgreen>' + $UserObject.Name.Split("\")[1] + ' (Decoy)'

                            $HtmlRowData += '<td><font color=darkgreen>' + ($UserObject.Name.Split("\")[0]).ToLower()

                            $WorkSheet.Cells.Item($row,$col).font.colorindex = 10

                            $WorkSheet.Cells.Item($row,$col) = $UserObject.Name.Split("\")[1]+"  (Decoy)"

                        }                     

                    }Else{                                                                #--[ If we get here it's a bad user ]--

                        $Anomaly = $true

                        $AddRow = $True

                        Write-Host ""

                        $HtmlRowData += '<td><font color=darkred>' + $UserObject.Name.Split("\")[1]

                        $HtmlRowData += '<td><font color=darkred>' + ($UserObject.Name.Split("\")[0]).ToLower()

                        $WorkSheet.Cells.Item($row,$col).font.colorindex = 3

                        $WorkSheet.Cells.Item($row,$col) = $UserObject.Name.Split("\")[1]

                    }    

                    If ($UserObject.PrincipalSource -ne "local"){                         #--[ Is the account local of domain? ]--

                        $HtmlRowData += '<td><font color=darkblue>Domain '+$UserObject.Class+'</td>'

                    }Else{

                        $HtmlRowData += '<td><font color=#ff8000>Local '+$UserObject.Class+'</td>'

                    }

                    $HtmlRowData += '</tr>'     #--[ End the HTML row ]--

                    $Col++

                    If ($AddRow){ # -or $Script:LongReport)  { 

                        $Script:HtmlSystemData += $HtmlRowData

                    }

                }          

                #--[ End of User Processing ]------------------------------------------------------------------------------------------   

            }  

        }Else{

            if ($Script:Console){Write-Host "       System is not reachable online..." -ForegroundColor Red }

            $Anomaly = $True

            $WorkSheet.Cells.Item($row,$col).font.colorindex = 3

            $WorkSheet.Cells.Item($row,$col) = "OFFLINE"

            $HtmlRowData += '<tr><td><font color=darkcyan><strong>' + $Target + '</td><td colspan=3>Connection:<font color=darkred> FAILED</font>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<font color=#909090>( Target '+($Count-($Remaining-1)) +' of '+$Count+' Targets Total, '+($Remaining-1)+' Remaining.  )</font></td></tr>'

            $Script:HtmlSystemData += $HtmlRowData

            $AddSystem = $True

        } 

    }Else{  #--[ Bypass these systems ]--

        if ($Script:Console){Write-Host "       System is on the exclusion list..." -ForegroundColor Magenta }

        $Anomaly = $True

        $WorkSheet.Cells.Item($row,$col).font.colorindex = 13

        $WorkSheet.Cells.Item($row,$col) = "EXCLUDED"

        If ($Script:Debug){

            $HtmlRowData += '<tr><td><font color=darkcyan><strong>' + $Target.ToUpper() + '</td><td colspan=3><font color=darkmagenta>Target is on the exclusion list.</font>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<font color=#909090>( Target '+($Remaining+1) +' of '+$Count+' Targets Total, '+$Remaining+' Remaining.  )</font></td></tr>'

         }Else{    

            $HtmlRowData += '<tr><td><font color=darkcyan><strong>' + $Target.ToUpper() + '</td><td colspan=3><font color=darkmagenta>Target is on the exclusion list.</font></td></tr>'   

        }             

        $Script:HtmlSystemData += $HtmlRowData   #--[ Add the HTML row data to HTML system data ]--

    }  #--[ End of system inclusion loop ]--   

    If ((!$Script:ShortReport) -or $Anomaly){

       $Script:ReportBody += $Script:HtmlSystemData    #--[ Add HTML system data to HTML report only if anomaly found or short report not selected ]--

    }

    $Remaining ++

    $Row ++

    $Resize = $WorkSheet.UsedRange

    [void]$Resize.EntireColumn.AutoFit()

}

$Script:ReportBody += '</table>'

$Script:ReportBody += '<br><font color=#909090>Script "'+$MyInvocation.MyCommand.Name+'" executed from "'+$env:computername+'".<br>'

$Resize = $WorkSheet.UsedRange

[Void]$Resize.EntireColumn.AutoFit()

[string]$DateTime = Get-Date -Format MM-dd-yyyy_HHmmss 

[string]$Script:FileName = "$PSScriptRoot\LocalAdminUserAudit_$DateTime.xlsx"

If ($UseExcel){    

    Try{

        $Workbook.SaveAs($Script:FileName)

        $Workbook.Saved = $true 

        $Workbook.Close() 

        $Excel.Quit()

        $Excel = $Null

        if ($Script:Debug){Write-host "`nExcel Closed and Saved...`n" -ForegroundColor Cyan}

    }Catch{    

        if ($Script:Debug){Write-host "`nThere was a problem closing and/or Saving the Excel spreadsheet...`n" -ForegroundColor Red}

    }    

}    

#--[ Removing any older Excel files.  Retaining ten most recent. ]--

###Get-ChildItem -Path "$PSScriptRoot\*.xlsx" | Where-Object { -not $_.PsIsContainer } | Sort-Object -Descending -Property LastTimeWrite | Select-Object -Skip 10 | Remove-Item         

If (!$Script:Debug){Get-ChildItem -Path "$PSScriptRoot\" | Where-Object { -not $_.PsIsContainer -and $_.name -like "*.xlsx" } | Sort-Object -Descending -Property LastTimeWrite | Select-Object -Skip 10 | Remove-Item }

$Script:ReportBody += '</table><br>'

$x = 0

If ($Script:NoExcel){

    $Script:ReportBody += '<br>NOTICE: Spreadsheet not included because Excel was not found on the system running this script.  Install Excel to include the spreadsheet.<br>'

}    

$Script:ReportBody += 'The following list contains all users/groups that are ignored by this report unless the "includeadmins" option is expressly selected.'

$Script:ReportBody += '<br>If "Administrator" is noted as (DECOY) it means an admin account was detected but has a non-default SID.  These are usually decoy'

$Script:ReportBody += '<br>accounts but should NOT be in the local admin group.'

$Script:ReportBody += '<br><br>These are considered "known" accounts and are expected to be found.  All others are anomalous:<br>'

if ($Script:Debug){Write-host "`nIgnored Admin Accounts:" }

While ($x -lt $Script:ValidAdmins.Count ){

    if ($Script:Debug){Write-host "-- "$Script:ValidAdmins[$x] }

    $Script:ReportBody += " - "+$Script:ValidAdmins[$x]+"<br>"

    $x++

}

$Script:ReportBody += '<br>Color scheme:<br> - Green User = Expected<br> - Red User = Investigate'

$Script:ReportBody += '<br> - Gray User = Ignored<br> - Orange Type = Local Resource<br> - Blue Type = Domain Resource'

If ($Debug){

    $Script:ReportBody += '<br><br>Script runtime options:'

    If ($Debug){$Script:ReportBody += '<br> - Debug option ENABLED'}

    If ($Console){$Script:ReportBody += '<br> - Console option ENABLED'}

    If (!$Script:UseExcel){$Script:ReportBody += '<br> - Excel option DISABLED'}

    If ($IncludeAdmins){$Script:ReportBody += '<br> - IncludeAdmins option ENABLED'}

    If ($Script:ShortReport){$Script:ReportBody += '<br> - ShortReport option ENABLED'}

    $Script:ReportBody += '<br>'

}

SendEmail 

[gc]::Collect()

[gc]::WaitForPendingFinalizers()

if ($Script:Debug){Write-host "`nCompleted..." }

<#--[ XML Config File Example ]-------------------------------------------------------------------------

<!-- Settings & Configuration File -->

<Settings>

    <General>

        <ReportName>Local Administrator Audit</ReportName>

        <DebugTarget>testpc</DebugTarget>                      <!-- Partial names OK to include a group -->

        <ValidAdmins>Local_Admin_Grp-1,Local_Admin_Grp-2,localadmin,administrator</ValidAdmins>

        <Exclusions>pc27,pc01</Exclusions>

        <Domain>mydomain.com</Domain>

    </General>

    <Email>

        <From>MonthlyReports@mydomain.com</From>

        <To>admin@mydomain.com</To>

        <Debug>me@mydomain.com</Debug>

        <Subject>Local Administrator Audit</Subject>

        <HTML>$true</HTML>

        <SmtpServer>10.10.5.5</SmtpServer>

    </Email>

    <Credentials>

        <UserName>domain\serviceaccount</UserName>

        <Password>766743f0423413AegMAYQBhAGEAYQBhAGQANQBkADQAZQAzAGYANAAyADUGIATgiAwADYAZAA3AGUAZgGADQAYwBkADYAZQBmAGQAOAA0ADEANgBiAAYQA2AGQAZAA2B2AHYAZQAxAGIATgBaADAEcAaAB1AFEAPQA9AHwAYwAzADQANgADAANwAGQAZgA3ADIAYQABkAGYAZAA=</Password>

        <Key>kdhICvLO+eJ76/AWnHbXN0IObEyjuTie8mE=</Key>

    </Credentials>

</Settings>    

#>