Windows Administrator Group Review
Review the Windows Administrator group membership for the following properties:
1. No local or domain individual user accounts are present except those required for GICOE or Citrix team operations.
2. No local or domain Raw SID entries are present.
3. Empower global groups are present.
4. No Empower local user or local IT groups are present.
5. Platform support team group(s) are present.
6. Modify the Administrator group membership as necessary to conform to the bullets above.
7. Attach before/after screen shots.
NOTE: Any Local accounts that start with "CTX_" are for Citrix team operations. The "LocAdm" account is for GICOE. These accounts MUST NOT be deleted.
You could certainly write a script to "audit" Citrix servers with Powershell, but if you know that you only want GroupX, GroupY and GroupZ to be local administrators on your servers, why not create a GPO to force those settings on a OU designated for Citrix servers? This would overwrite anything already in local administrators and ensure compliance as the GPO will be authoratative.