<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Monitoring Windows local administrator group in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Monitoring-Windows-local-administrator-group/m-p/121381#M25174</link>
    <description>&lt;P&gt;Hi,  &lt;/P&gt;

&lt;P&gt;I want to monitor membership of the Local Administrators group on several of my systems. When I run the WMI query described &lt;A href="http://blogs.splunk.com/2013/08/05/monitoring-local-administrators-on-remote-windows-systems/"&gt;Here&lt;/A&gt;, the group membership recursively expands.  This ends up reporting A LOT of entries.  I would like to get only the members that are directly in the group.&lt;/P&gt;

&lt;P&gt;I'm using the WMI monitor with a locally installed Universal Forwarder.  &lt;/P&gt;

&lt;P&gt;This WMI works: &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;SELECT * FROM Win32_GroupUser where GroupComponent="Domain='MACHINE_NAME',Name='Administrators'"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;BUT it requires me to include the MACHINE_NAME.  Is there a different way to write the query?  Can I use environment variables?  I've tried $HOSTNAME &amp;amp; $COMPUTERNAME to no avail. Is there a better way to do this?&lt;/P&gt;</description>
    <pubDate>Wed, 30 Oct 2013 00:25:50 GMT</pubDate>
    <dc:creator>cyrus494</dc:creator>
    <dc:date>2013-10-30T00:25:50Z</dc:date>
    <item>
      <title>Monitoring Windows local administrator group</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Monitoring-Windows-local-administrator-group/m-p/121381#M25174</link>
      <description>&lt;P&gt;Hi,  &lt;/P&gt;

&lt;P&gt;I want to monitor membership of the Local Administrators group on several of my systems. When I run the WMI query described &lt;A href="http://blogs.splunk.com/2013/08/05/monitoring-local-administrators-on-remote-windows-systems/"&gt;Here&lt;/A&gt;, the group membership recursively expands.  This ends up reporting A LOT of entries.  I would like to get only the members that are directly in the group.&lt;/P&gt;

&lt;P&gt;I'm using the WMI monitor with a locally installed Universal Forwarder.  &lt;/P&gt;

&lt;P&gt;This WMI works: &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;SELECT * FROM Win32_GroupUser where GroupComponent="Domain='MACHINE_NAME',Name='Administrators'"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;BUT it requires me to include the MACHINE_NAME.  Is there a different way to write the query?  Can I use environment variables?  I've tried $HOSTNAME &amp;amp; $COMPUTERNAME to no avail. Is there a better way to do this?&lt;/P&gt;</description>
      <pubDate>Wed, 30 Oct 2013 00:25:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Monitoring-Windows-local-administrator-group/m-p/121381#M25174</guid>
      <dc:creator>cyrus494</dc:creator>
      <dc:date>2013-10-30T00:25:50Z</dc:date>
    </item>
    <item>
      <title>Re: Monitoring Windows local administrator group</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Monitoring-Windows-local-administrator-group/m-p/121382#M25175</link>
      <description>&lt;P&gt;Use PowerShell for this...&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# Enumerate the Win32_GroupUser association instances, keep the edges whose
# group path matches 'administrators', then dereference each member path into a WMI object
Get-WmiObject win32_groupuser | Where-Object { $_.GroupComponent -match 'administrators' } | ForEach-Object {[wmi]$_.PartComponent }
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 30 Oct 2013 01:47:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Monitoring-Windows-local-administrator-group/m-p/121382#M25175</guid>
      <dc:creator>ShaneNewman</dc:creator>
      <dc:date>2013-10-30T01:47:11Z</dc:date>
    </item>
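The following PowerShell is an added example, not code posted by either participant in this thread. It serves both posts: it answers the original question (WQL cannot expand environment variables, but PowerShell can build the WQL path from $env:COMPUTERNAME before the query reaches WMI, so no machine name is hard-coded) and tightens the reply's approach (the reply's -match 'administrators' is a case-insensitive substring match on the whole object path, so any group whose path contains that word, such as 'Hyper-V Administrators', would also be selected; matching the group by its exact Domain and Name keys avoids that). The function names, the key=value output shape and the constructed sample path in the comments are this example's own choices. It assumes Windows PowerShell with Get-WmiObject, run locally on the host being inspected with rights to query root\cimv2.

```powershell
# Added example, not code from the thread. Lists only the DIRECT members of a
# local group (nested groups appear as one entry and are not expanded) and
# builds the WQL path from $env:COMPUTERNAME, since WQL itself has no
# environment-variable expansion.
# Assumes Windows PowerShell (Get-WmiObject) on the host being inspected.

function Get-LocalGroupDirectMember {
    [CmdletBinding()]
    param(
        [string]$GroupName    = 'Administrators',
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Both values are interpolated into WQL, which has no parameter binding;
    # refuse quote characters so a crafted value cannot alter the query.
    foreach ($v in $GroupName, $ComputerName) {
        if ($v -match '[''"]') { throw "Quote characters are not allowed: $v" }
    }

    # Win32_GroupUser is an association class: one instance per direct
    # membership edge. Match the group by its exact keys, not a regex.
    $query = 'SELECT * FROM Win32_GroupUser WHERE GroupComponent="Win32_Group.Domain=''{0}'',Name=''{1}''"' -f $ComputerName, $GroupName

    # PartComponent is returned as an object path string, for example
    # (constructed sample):
    #   \\HOST\root\cimv2:Win32_UserAccount.Domain="HOST",Name="Administrator"
    # Parsing it avoids the [wmi] cast, which contacts a domain controller for
    # every domain member and is slow or fails when the host is offline.
    $pattern = '(?<Class>Win32_\w+)\.Domain="(?<Domain>[^"]*)",Name="(?<Name>[^"]*)"'

    foreach ($edge in (Get-WmiObject -Namespace 'root\cimv2' -Query $query)) {
        $m = [regex]::Match([string]$edge.PartComponent, $pattern)
        if (-not $m.Success) {
            Write-Warning "Unparsed member reference: $($edge.PartComponent)"
            continue
        }
        $domain = $m.Groups['Domain'].Value
        [pscustomobject]@{
            ComputerName   = $ComputerName
            Group          = $GroupName
            MemberClass    = $m.Groups['Class'].Value   # Win32_UserAccount, Win32_Group, ...
            Domain         = $domain
            Name           = $m.Groups['Name'].Value
            # A member whose Domain is not this host comes from the directory
            # (a domain user or a domain group added to the local group).
            IsDomainMember = ($domain -ne $ComputerName)
        }
    }
}

# Emit one key=value line per member, a shape Splunk extracts fields from
# automatically when this script is run from a scripted input.
function ConvertTo-SplunkEvent {
    param([Parameter(ValueFromPipeline)]$Member)
    process {
        $ts = Get-Date -Format 'yyyy-MM-ddTHH:mm:sszzz'
        '{0} host="{1}" group="{2}" member_class="{3}" member="{4}\{5}" domain_member={6}' -f `
            $ts, $Member.ComputerName, $Member.Group, $Member.MemberClass,
            $Member.Domain, $Member.Name, $Member.IsDomainMember
    }
}

Get-LocalGroupDirectMember | ConvertTo-SplunkEvent
```

Because every run emits the full current membership, a scheduled run makes unexpected additions visible as a diff between consecutive snapshots, and a nested domain group shows up as a single Win32_Group entry whose Domain is the AD domain rather than being expanded into its members.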
  </channel>
</rss>

