(imported topic written by tj12)
Hi All,
I’m attempting to write a query that will find a specific user in the local Administrators group. I currently have the following query:
members of local group “Administrators”
This gives me all the users listed in the Administrators group.
Could somebody help me expand this query so the results would identify if a specific user, let’s call him “userA”, exists in the Administrators group?
Thank You
Tim
(imported comment written by jessewk)
tj,
Here are some example to get you started:
exists member whose (it as string as lowercase contains “bigfix\jesse”) of local group “Administrators”
exists member whose (account name of sid of it as lowercase contains “jesse”) of local group “Administrators”
exists member whose (domain name of sid of it as lowercase contains “bigfix” AND account name of sid of it as lowercase contains “jesse”) of local group “Administrators”
(imported comment written by tj12)
jessewk,
Thank you! I used the following query:
exists member whose (it as string as lowercase contains “domain\user”) of local group “Administrators”
In the relevance debugger and qna, I received the results I was expecting: True or False based on the user. When I copied the query from the debugger and executed this through the console, I received an as my result. The undefined result is:
The operator “local group” is not defined.
By chance, do you have any ideas?
Thanks in advance
Tim
(imported comment written by jessewk)
The inspectors you are using are new in 6.0.
You can try using the ‘local user’ inspector, but you will miss domain accounts that have administrative rights.
exist local user whose (admin privilege of it AND name of it as lowercase = “jesse”)
(imported comment written by SystemAdmin)
For v5, you can use this:
exists ( string values of selects ( “PartComponent from Win32_GroupUser where GroupComponent = 'Win32_Group.Domain=%22” & computer name & "%22,Name=%22Administrators%22’ " ) of wmi ) whose ( it contains “Win32_Group.Domain=%22DOMAINHERE%22,Name=%22LOOKINGFOR%22” )
Not pretty (and it uses WMI) but it’s what we’ve been using in v5 to find out