Want to see which users/groups have local admin rights on your machines? Create these Custom Inventory Rules to list that in the inventory record!

PC Rule

For PCs, create a custom inventory rule (Inventory -> Software -> Create New) and fill the CIR box with the following command:


ShellCommandTextReturn(net localgroup Administrators)



I would suggest naming the rule "Local Administrators" for simplicity.

Make sure to select all Windows versions and your machines should start checking in with results like this:

1) Local Administrators:Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
AD\jsmith
AD\Domain Admins
AD\DEPT-ADM
Administrator
LOCAL-ADMIN
The command completed successfully.

[string]


OS X Rule

For Macs, create another custom inventory rule (Inventory -> Software -> Create New) and fill the CIR box with the following command:


Update: Based on a tip from serkowski, I have changed the use of awk to sed, as seen below.


ShellCommandTextReturn(dscl . -read /Groups/admin GroupMembership | sed 's/GroupMembership: root //' | sed 's/ / | /g')


Piping the output of the dscl query through two consecutive sed (stream editor) commands removes the "GroupMembership:" prefix along with the root account, then inserts a pipe (|) between the remaining accounts.

I named this rule OS X Local Administrators, again for simplicity.

Make sure all versions of OS X are selected, and your Macs should start checking in with results like this:

1) OS X Local Administrators:    local-admin | jsmith [string]


Reporting

From this point, you can create reports to detect common accounts, or even to detect whether the currently logged-in user is an admin. Here is an example of the latter. Replace the ##### placeholders with the software IDs of the Custom Inventory Rules you created above:


SELECT * FROM MACHINE
JOIN MACHINE_CUSTOM_INVENTORY ON MACHINE_CUSTOM_INVENTORY.ID=MACHINE.ID AND (SOFTWARE_ID=##### OR SOFTWARE_ID=#####)
WHERE MACHINE_CUSTOM_INVENTORY.STR_FIELD_VALUE LIKE CONCAT('%', MACHINE.USER, '%') AND MACHINE.USER !=''
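
For auditing the collected values outside the appliance, the following is an added example (not part of the original post) that parses both result formats shown above, flags members missing from an approved list, and checks the logged-in user by exact name rather than by substring as the LIKE clause does. The sample strings, the approved list, and the assumption that the user value may or may not carry a domain prefix are constructed for illustration.

```python
import re

# Constructed sample values, shaped like the inventory results shown above.
WINDOWS_SAMPLE = """Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
AD\\jsmith
AD\\Domain Admins
AD\\DEPT-ADM
Administrator
LOCAL-ADMIN
The command completed successfully.
"""
MAC_SAMPLE = "local-admin | jsmith"

def parse_windows_admins(text):
    """Return the members listed between the dashed rule and the completion line."""
    members, in_list = [], False
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def parse_mac_admins(text):
    """Split the pipe-delimited value produced by the sed pipeline."""
    return [m.strip() for m in text.split("|") if m.strip()]

def short_name(account):
    """Drop a DOMAIN\\ prefix and lowercase (assumption: names compare case-insensitively)."""
    return account.rsplit("\\", 1)[-1].lower()

def unexpected_admins(members, approved):
    """Members whose full name is not in the approved set (hypothetical allowlist)."""
    allowed = {a.lower() for a in approved}
    return [m for m in members if m.lower() not in allowed]

def user_is_admin(user, members):
    """Exact-name check: 'smith' does not match 'jsmith' the way a substring LIKE would."""
    return short_name(user) in {short_name(m) for m in members}
```

Only direct membership is visible here: a user who is an admin through a listed group such as AD\Domain Admins will not be reported by `user_is_admin`, and the same holds for the SQL report.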