search for temporary users in privileged groups


How can I create search for temporary users in privileged groups? Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Administrators, Backup Operators, Incoming Forest Trust Builders, Server Operators.  I'm struggling

Labels (1)
0 Karma

Path Finder

Can you set up the "| ldapsearch " command in your Splunk environment, so that it can perform LDAP queries to your AD?

Once that is complete, you can search for users with a "accountExpires" time:

| ldapsearch domain="default" search="(&(objectclass=user))" attrs="cn,displayName,title,department,whenCreated,mail,lastLogonTimestamp,accountExpires"
| table cn mail displayName title department whenCreated lastLogonTimestamp accountExpires
0 Karma