Local Administrators Report

Post Reply
Posts: 5
Joined: 26. Jun 2023, 17:59

Local Administrators Report

Post by MBone » 10. May 2024, 18:34

I wanted to post here to see if anyone has had any luck monitoring who is a local administrator on computers through the Inventory data that is captured? I have been fiddling with a WQL query but can't seem to get it to function as I want it to as I believe it is a limitation of the query function. Essentially, I'd like to be able to run a report on every account that is a member of the Administrators group on each of our computers enrolled in Empirum.

As a base, I know I can SELECT * FROM Win32_GroupUser to see a massive amount of data, but I am struggling to refine the query in a working fashion. The last iteration of my testing was using:
SELECT * FROM Win_32_GroupUser WHERE GroupComponent = "Win32_Group.Domain='*',Name='Administrators'"
This isn't returning anything in Empirum and I suspect it is because the query is invalid, either because of single and double quotes not being used correctly or because of a limitation in WQL. When I feed the above query into powershell using "getwmiobject -query" it fails with an invalid query error. I've tried adjusting things but am coming up empty handed.

Is there an efficient way for me to go about doing this in Empirum Inventory?

I appreciate any input you might have!

Post Reply

Return to “Inventory”

Who is online

Users browsing this forum: No registered users and 0 guests