Re: search for temporary users in privileged group...

brandylee1993 · ‎03-04-2021

How can I create search for temporary users in privileged groups? Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Administrators, Backup Operators, Incoming Forest Trust Builders, Server Operators. I'm struggling

dave_null · ‎03-05-2021

Can you set up the "| ldapsearch " command in your Splunk environment, so that it can perform LDAP queries to your AD?

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.2/User/Theldapsearchcommand

https://www.splunk.com/en_us/blog/tips-and-tricks/integrating-active-directory-into-splunk-with-sa-l...

Once that is complete, you can search for users with a "accountExpires" time:

| ldapsearch domain="default" search="(&(objectclass=user))" attrs="cn,displayName,title,department,whenCreated,mail,lastLogonTimestamp,accountExpires"
| table cn mail displayName title department whenCreated lastLogonTimestamp accountExpires

search for temporary users in privileged groups

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation