Solved: Splunk 6.1 how to find a listing of local admins o...

tbalouch · ‎05-19-2014

Hey guys,

I was wondering if there is a search that would list all local admin accounts on a workstation or server in my windows domain?

brooklynotss · ‎09-04-2015

http://blogs.splunk.com/2014/07/10/monitoring-local-administrators-on-windows-hosts/

View solution in original post

brooklynotss · ‎09-04-2015

http://blogs.splunk.com/2014/07/10/monitoring-local-administrators-on-windows-hosts/

tbalouch · ‎05-19-2014

Thanks that looks like it works. But how would I output this to a file? Can i create a new file in the Splunk forwarder directory on the remote server?

lukejadamec · ‎05-19-2014

You would need to monitor an output that contains the list of local admins, and that does not happen automatically on Windows systems.

You could create a script to run on a schedule that generates a list of local admins, and read that data into Splunk. The command to run in the script would be this I think:
net localgroup administrators

Splunk 6.1 how to find a listing of local admins on all workstations and servers

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Splunk 6.1 how to find a listing of local admins on all workstations and servers

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem