Security

search for temporary users in privileged groups

brandylee1993
Explorer

How can I create search for temporary users in privileged groups? Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Administrators, Backup Operators, Incoming Forest Trust Builders, Server Operators.  I'm struggling

Labels (1)
0 Karma

dave_null
Path Finder

Can you set up the "| ldapsearch " command in your Splunk environment, so that it can perform LDAP queries to your AD?

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.2/User/Theldapsearchcommand

https://www.splunk.com/en_us/blog/tips-and-tricks/integrating-active-directory-into-splunk-with-sa-l...

Once that is complete, you can search for users with a "accountExpires" time:

| ldapsearch domain="default" search="(&(objectclass=user))" attrs="cn,displayName,title,department,whenCreated,mail,lastLogonTimestamp,accountExpires"
| table cn mail displayName title department whenCreated lastLogonTimestamp accountExpires
0 Karma