Getting Data In
Provide Splunk Cloud feedback in this confidential UX survey by June 17
for a chance to win a $200 Amazon gift card!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring Windows local administrator group

cyrus494
Engager
‎10-29-2013 05:25 PM

Hi,

I want to monitor membership of the Local Administrators group on several of my systems. When I run the WMI query described Here, the group membership recursively expands. This ends up reporting A LOT of entries. I would like to get only the members that are directly in the group.

I'm using the WMI monitor with a locally installed Universal Forwarder.

This WMI works: 

SELECT * FROM Win32_GroupUser where GroupComponent="Domain='MACHINE_NAME',Name='Administrators'"

BUT it requires me to include the MACHINE_NAME. Is there a different way to write the query? Can I use environment variables? I've tried $HOSTNAME & $COMPUTERNAME to no avail. Is there a better way to do this?

Tags (2)
0 Karma
Reply

ShaneNewman
Motivator
‎10-29-2013 06:47 PM

User powershell for this...

Get-WmiObject win32_groupuser | Where-Object { $_.GroupComponent -match 'administrators' } | ForEach-Object {[wmi]$_.PartComponent }
0 Karma
Reply
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Get Updates on the Splunk Community!