I have a working search that we use to give a list of the members of admin groups in Active Directory:
| inputlookup AD_Groups_LDAP_list
| where group_name="Domain Admin" OR group_name="Local Admin"
| mvexpand group_members
| table cn, group_members
Some of the group_members are groups themselves so I would like to do a further search to find the members of the groups that are members of the admin groups (hope this makes sense)
I can identify which group_members are another group by the naming conventions we use (the groups will always begin with "Role_") but I'm not sure how I can do the next query to return the members of the "Role_" groups within the same search.
Not a best one but I guess it will do the job
| inputlookup AD_Groups_LDAP_list
| where group_name="Domain Admin" OR group_name="Local Admin"
| mvexpand group_members
| table cn, group_members
| lookup AD_Groups_LDAP_list group_name as group_members OUTPUT group_members as group_members1
| mvexpand group_members1
| eval group_members = coalesce(group_members1, group_members)
Not a best one but I guess it will do the job
| inputlookup AD_Groups_LDAP_list
| where group_name="Domain Admin" OR group_name="Local Admin"
| mvexpand group_members
| table cn, group_members
| lookup AD_Groups_LDAP_list group_name as group_members OUTPUT group_members as group_members1
| mvexpand group_members1
| eval group_members = coalesce(group_members1, group_members)