Under Review

NOTE: There are multiple recommendations covered within this post's comment section to help identify local admins. Please be sure you are using the right query shared for your goal.

EDR Query to find all local admins (Windows)

I am searching for a way to query the local Administrators security group on every device in our environment. This seems like something Live Discover is capable of doing, but I haven't been able to figure out the OSQuery syntax to get it done. Right now I'm left with doing it via SCCM and PowerShell, but this is a little unreliable for us. Any chance of seeing a prebuilt query within Live Discover for this? Or can anyone lend me a hand figuring out the query?

EDIT:

I accidentally omitted an important piece. I've been researching on this for the past few days and forgot what the real hangup is.

We want to query both local users and domain users. Basically, we want to see any and all accounts that are added to the local admin group on any machine. So if MYDOMAIN\Jensenj is in the group on one of our computers, we want to know. We'd like to run this periodically to ensure that we don't have any accounts that we don't know about out there in the wild, as sometimes we have staff with admin creds that may add an account to that group (We're working on the root cause there:)

Parents Comment
  • Yes! Thank you for that.

    I accidentally omitted an important piece. I've been researching on this for the past few days and forgot what the real hangup is.

    We want to query both local users and domain users. Basically, we want to see any and all accounts that are added to the local admin group on any machine. So if MYDOMAIN\Jensenj is in the group on one of our computers, we want to know. We'd like to run this periodically to ensure that we don't have any accounts that we don't know about out there in the wild, as sometimes we have staff with admin creds that may add an account to that group (We're working on the root cause there:)
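The post and the comment above both ask for an osquery statement that lists every member of the local Administrators group, local and domain accounts alike. The following query is an added example written for this page; it is not from the original poster or from Sophos Live Discover's prebuilt queries. It uses osquery's standard `users`, `user_groups` and `groups` tables and identifies the group by its well-known SID `S-1-5-32-544` rather than by the name "Administrators", so a renamed or localized group still matches. The `type` column distinguishes `local` accounts from `roaming` (domain) accounts, which answers the "MYDOMAIN\Jensenj" case in the edit.

```sql
-- Added example (not the original poster's query): enumerate members of the
-- local Administrators group on Windows with osquery.
-- Assumption: the group is matched on its well-known SID S-1-5-32-544
-- (RID 544) instead of its display name.
SELECT
  u.username,
  u.type       AS account_type,  -- 'local', 'roaming' (domain) or 'special'
  u.uuid       AS account_sid,   -- on Windows the users.uuid column holds the SID
  g.groupname,
  g.group_sid
FROM user_groups AS ug
JOIN groups AS g ON g.gid = ug.gid
JOIN users  AS u ON u.uid = ug.uid
WHERE g.group_sid = 'S-1-5-32-544'
ORDER BY u.type, u.username;
```

One caveat to verify in your own environment before relying on this for the periodic audit the post describes: to my understanding, osquery's `user_groups` table is built from the accounts that the `users` table enumerates, so a domain principal that has never logged on to the machine, and a domain group nested inside Administrators, may not show up in the result. If that matters for your goal, compare the output on a few known hosts against the SCCM/PowerShell result the post already uses, and treat any member visible to one method but not the other as the signal to investigate.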
