How can I create a search for temporary users in privileged groups? Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Administrators, Backup Operators, Incoming Forest Trust Builders, Server Operators. I'm struggling.
Can you set up the "| ldapsearch " command in your Splunk environment, so that it can perform LDAP queries to your AD?
https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.2/User/Theldapsearchcommand
Once that is complete, you can search for users with an "accountExpires" time:
| ldapsearch domain="default" search="(&(objectclass=user))" attrs="cn,displayName,title,department,whenCreated,mail,lastLogonTimestamp,accountExpires"
| table cn mail displayName title department whenCreated lastLogonTimestamp accountExpires
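An added example (not part of the original answer) that shows the decoding step the search above relies on: AD stores accountExpires as a Windows FILETIME where both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires", so those sentinels must be ignored before an account counts as temporary. The records below are constructed, and memberOf is assumed to have been added to the ldapsearch attrs list so that group membership is available alongside the expiry.

```python
from datetime import datetime, timedelta, timezone

# The built-in privileged groups listed in the question (CN values as they appear in memberOf DNs).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Account Operators",
    "Administrators", "Backup Operators", "Incoming Forest Trust Builders",
    "Server Operators",
}

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# AD uses both 0 and 0x7FFFFFFFFFFFFFFF to mean "never expires", so both must be ignored.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

def filetime_to_datetime(value):
    """Convert a raw accountExpires value (int or decimal string) to UTC, or None if it never expires."""
    ticks = int(value)
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def group_cn(dn):
    """Extract the CN from a group DN such as 'CN=Domain Admins,CN=Users,DC=corp,DC=example'."""
    rdn = dn.split(",", 1)[0]
    return rdn[3:] if rdn[:3].upper() == "CN=" else rdn

def temporary_privileged_users(records):
    """Return (cn, privileged groups, expiry) for every account that is in a
    privileged group and has an expiry set; accounts that never expire are skipped."""
    hits = []
    for rec in records:
        expiry = filetime_to_datetime(rec.get("accountExpires", 0))
        if expiry is None:
            continue
        groups = sorted({group_cn(g) for g in rec.get("memberOf", [])} & PRIVILEGED_GROUPS)
        if groups:
            hits.append((rec["cn"], groups, expiry))
    return hits

# Constructed sample records in the shape an LDAP query returns (not real directory data).
SAMPLE_RECORDS = [
    {"cn": "contractor1", "accountExpires": "133537248000000000",  # 2024-03-01T00:00:00Z
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"cn": "admin1", "accountExpires": "9223372036854775807",      # never expires
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"cn": "temp2", "accountExpires": "133537248000000000",        # expires, but not privileged
     "memberOf": ["CN=Sales,OU=Groups,DC=corp,DC=example"]},
]

if __name__ == "__main__":
    for cn, groups, expiry in temporary_privileged_users(SAMPLE_RECORDS):
        print(f"{cn}: {', '.join(groups)} (expires {expiry:%Y-%m-%d %H:%M}Z)")
```

Only contractor1 is reported: admin1 never expires and temp2 is not in a privileged group.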