Local admin users query

Hi,
I don’t have the query tool installed and couldn’t find any such option on the web report.
I would like to get a list of users per computer who are members of the local administrator groups without any action needed right now.
Just seeing a list of users per computer.
Please assist: what would be the easiest way, and what syntax should I use?
Thanks in advance,

I’d create an Analysis to retrieve this as a property. Getting to a final result is a little more complex than one might expect though.

The simplest form of the relevance query is

q: members of local group "Administrators"
A: Win11\Administrator
A: Win11\Jason
A: Win11\admin3
A: D\Domain Admins

Here I have a computer named “Win11” on the domain named “D”. One of the first issues we see is that any local user who is a member of the group is prefixed by the COMPUTERNAME. That will make it difficult to compare groups across multiple computers, if every computer has a distinct result for COMPUTERNAME\Administrator (a thousand computers would generate a thousand unique results).

The second complication we’ll see is that the ‘member’ has a default attribute reflecting the user name. If there is a Domain User who is a member of the group, but the name cannot be resolved (either because the Domain user has been deleted, or because there’s a domain trust in place and the computer can’t actually resolve the trusted user’s name), that user gets dropped out of the result. So instead of just retrieving the ‘member’, I like to retrieve ‘sid of member’. If the sid can be resolved to a user name, that name is returned; but if it can’t be resolved, the SID of the user account is presented instead of simply dropping the result.

Putting those two together (retrieving the SID, and checking/replacing the computer name), we can end up with

q: (if it as lowercase starts with computer name as lowercase & "\" then ".\" & following text of first "\" of it else it) of (it as string) of sids of members of local group "Administrators"
A: .\Administrator
A: .\Jason
A: .\admin3
A: D\Domain Admins

What’s nice about this is that a thousand computers, instead of showing COMPUTERNAME\Administrator, will all show the same result “.\Administrator”, which makes it far easier to find the outliers “.\Jason” and “.\admin3”.

A final complication is that if you have renamed the local Administrators group, or are in a different language version of Windows where the name is not “Administrators”, this might not have any results. So instead of looking up the Administrators group by name, let’s look up the group given its SID - which remains the same in every language of Windows and also remains the same if you rename the group.

The final query I’d use in the Analysis is

q: (if it as lowercase starts with computer name as lowercase & "\" then ".\" & following text of first "\" of it else it) of (it as string) of sids of members of local groups whose (component string of sid of it = "S-1-5-32-544")
A: .\Administrator
A: .\Jason
A: .\admin3
A: D\Domain Admins
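An added example, not part of the original thread: once per-computer results are exported, the outlier review described in the answer can be scripted. The sketch below applies the same COMPUTERNAME\ to .\ normalization to raw member strings and lists every member outside an expected baseline. The function names, the Win12/Win13 rows, the sample SID, and the baseline set are assumptions made for illustration.

```python
from collections import defaultdict

def normalize(member: str, computer: str) -> str:
    """Mirror the relevance expression: COMPUTERNAME\\name becomes .\\name."""
    prefix = computer.lower() + "\\"
    if member.lower().startswith(prefix):
        return ".\\" + member.split("\\", 1)[1]
    return member  # domain principals and unresolved SIDs pass through

def find_outliers(results, baseline):
    """Map each non-baseline member to the sorted list of computers reporting it."""
    expected = {b.lower() for b in baseline}
    hits = defaultdict(set)
    for computer, members in results.items():
        for raw in members:
            name = normalize(raw, computer)
            if name.lower() not in expected:
                hits[name].add(computer)
    return {name: sorted(hosts) for name, hosts in hits.items()}

# Constructed sample: Win11 is the answer's output; Win12 and Win13 are made up.
SAMPLE = {
    "Win11": [r"Win11\Administrator", r"Win11\Jason", r"Win11\admin3", r"D\Domain Admins"],
    "Win12": [r"WIN12\Administrator", r"D\Domain Admins",
              "S-1-5-21-1111111111-2222222222-3333333333-1105"],  # unresolved SID
    "Win13": [r"Win13\Administrator", r"D\Domain Admins"],
}
# Assumed baseline of memberships considered normal in this environment.
BASELINE = {r".\Administrator", r"D\Domain Admins"}

if __name__ == "__main__":
    for name, hosts in sorted(find_outliers(SAMPLE, BASELINE).items()):
        print(f"{name}: {', '.join(hosts)}")
```

An unresolved SID showing up as an outlier is worth a look in its own right, since it usually points to a deleted account or a trust the machine cannot resolve.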