Getting Data In
Provide Splunk Cloud feedback in this confidential UX survey by June 17
for a chance to win a $200 Amazon gift card!

Monitoring Windows local administrator group

cyrus494
Engager

Hi,

I want to monitor membership of the Local Administrators group on several of my systems. When I run the WMI query described Here, the group membership recursively expands. This ends up reporting A LOT of entries. I would like to get only the members that are directly in the group.

I'm using the WMI monitor with a locally installed Universal Forwarder.

This WMI works:

SELECT * FROM Win32_GroupUser where GroupComponent="Domain='MACHINE_NAME',Name='Administrators'"

BUT it requires me to include the MACHINE_NAME. Is there a different way to write the query? Can I use environment variables? I've tried $HOSTNAME & $COMPUTERNAME to no avail. Is there a better way to do this?

Tags (2)
0 Karma

ShaneNewman
Motivator

User powershell for this...

Get-WmiObject win32_groupuser | Where-Object { $_.GroupComponent -match 'administrators' } | ForEach-Object {[wmi]$_.PartComponent }
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!