Hi,
I want to monitor membership of the Local Administrators group on several of my systems. When I run the WMI query described here, the group membership recursively expands. This ends up reporting A LOT of entries. I would like to get only the members that are directly in the group.
I'm using the WMI monitor with a locally installed Universal Forwarder.
This WMI works:
SELECT * FROM Win32_GroupUser where GroupComponent="Domain='MACHINE_NAME',Name='Administrators'"
BUT it requires me to include the MACHINE_NAME. Is there a different way to write the query? Can I use environment variables? I've tried $HOSTNAME & $COMPUTERNAME to no avail. Is there a better way to do this?
Use PowerShell for this...
Get-WmiObject win32_groupuser | Where-Object { $_.GroupComponent -match 'administrators' } | ForEach-Object {[wmi]$_.PartComponent }
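An added example, not part of the original question or answer: one way to run the question's filtered Win32_GroupUser query without typing the machine name, by taking Domain and Name from the local group's own WMI object. It assumes Windows PowerShell 5.1 (where Get-WmiObject is available); the key=value output layout and its field names are constructed for illustration.

```powershell
# Added example: list only the direct members of the local Administrators
# group, without hard-coding MACHINE_NAME into the WQL query.
$ErrorActionPreference = 'Stop'

# Resolve the group by its well-known SID (S-1-5-32-544) so that a renamed
# or localized "Administrators" group is still found. LocalAccount=True
# keeps the lookup on this machine instead of enumerating domain groups.
$group = Get-WmiObject -Class Win32_Group `
    -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
if (-not $group) {
    throw 'Local Administrators group (S-1-5-32-544) not found.'
}

# Same association query as in the question, with Domain and Name filled in
# from the group object. '' is an escaped single quote inside a
# single-quoted PowerShell string.
$query = 'SELECT * FROM Win32_GroupUser WHERE ' +
    'GroupComponent="Win32_Group.Domain=''{0}'',Name=''{1}''"' -f
    $group.Domain, $group.Name

# With Get-WmiObject, PartComponent is a WMI path string such as
#   \\HOST\root\cimv2:Win32_UserAccount.Domain="HOST",Name="Administrator"
# Parsing the string avoids binding every member with [wmi], which costs
# one extra WMI (and possibly domain controller) round trip per member.
$pattern = ':(?<class>Win32_\w+)\.Domain="(?<domain>[^"]*)",Name="(?<name>[^"]*)"$'

Get-WmiObject -Query $query | ForEach-Object {
    if ($_.PartComponent -match $pattern) {
        # One key=value line per direct member. member_class tells users
        # (Win32_UserAccount) apart from nested groups (Win32_Group).
        'host={0} group="{1}" member_domain="{2}" member_name="{3}" member_class={4}' -f
            $env:COMPUTERNAME, $group.Name,
            $Matches.domain, $Matches.name, $Matches.class
    }
    else {
        # Keep unparsed entries visible rather than silently dropping them.
        'host={0} group="{1}" member_raw="{2}"' -f
            $env:COMPUTERNAME, $group.Name, $_.PartComponent
    }
}
```

A nested domain group shows up as a single line with member_class=Win32_Group, so a change in the output between two runs means a direct change to the group on that host.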