WMI: Win32_Account class

Hello!

One of our VBS scripts monitors any changes in the Win32_Account class:

"
strComputer = "."

Set objWMIService = GetObject("winmgmts:{(Security)}\\" & strComputer & "\root\cimv2")
Set objEventSource = objWMIService.ExecNotificationQuery ("Select * From __InstanceOperationEvent WITHIN 10 Where TargetInstance isa 'Win32_Account' and TargetInstance.LocalAccount=TRUE")

...

"

The problem is that, in spite of adding TargetInstance.LocalAccount=TRUE, this code still captures the Win32_Account class's changes in ANY domain of our enterprise domain tree, even when connected to "." (locally).

This page https://msdn.microsoft.com/ru-ru/library/windows/desktop/aa394061%28v=vs.85%29.aspx says:

"The Win32_Account abstract WMI class contains information about user accounts and group accounts known to the computer system running Windows. User or group names recognized by a Windows domain are descendants (or members) of this class."

Q1: Does this definition mean that a connection to the LOCAL Win32_Account class (".") will capture not only local but domain account modifications as well (if a computer is a member of a domain), because user or group names recognized by a Windows domain are descendants (or members) of this class? That's what I see in my network.

Q2: What should I do to narrow down the scope of the command to the single domain - city2.enterprise.local?

Thank you in advance,

Michael

February 3rd, 2015 4:32am
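
One way to scope the subscription from Q2, as an added example that is not part of the original post: Win32_Account exposes a Domain property, so the WQL filter can compare it against a single domain name. CITY2 is an assumed placeholder for the NetBIOS name of city2.enterprise.local; the loop and its output format are illustrative.

```vbscript
' Added example, not the poster's script.
' Assumption: CITY2 is the NetBIOS name of city2.enterprise.local (placeholder).
Option Explicit

Const TARGET_DOMAIN = "CITY2"   ' assumed placeholder, substitute the real name
Const POLL_SECONDS = 10         ' same polling interval as the original query

Dim strComputer, strQuery
Dim objWMIService, objEventSource, objEvent, objAccount

strComputer = "."

' (Security) enables the security privilege, as in the original moniker.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")

' Win32_Account.Domain holds the name of the domain (or computer) that owns
' the account, so the filter keeps only events for that one domain.
strQuery = "Select * From __InstanceOperationEvent WITHIN " & POLL_SECONDS & _
    " Where TargetInstance isa 'Win32_Account'" & _
    " and TargetInstance.Domain = '" & TARGET_DOMAIN & "'"

Set objEventSource = objWMIService.ExecNotificationQuery(strQuery)

Do While True
    Set objEvent = objEventSource.NextEvent()   ' blocks until an event arrives
    Set objAccount = objEvent.TargetInstance

    ' Path_.Class is __InstanceCreationEvent, __InstanceModificationEvent
    ' or __InstanceDeletionEvent, which tells creation, change and removal apart.
    WScript.Echo Now & " " & objEvent.Path_.Class & _
        " domain=" & objAccount.Domain & _
        " name=" & objAccount.Name & _
        " sid=" & objAccount.SID & _
        " sidtype=" & objAccount.SIDType & _
        " local=" & objAccount.LocalAccount
Loop
```

Run it with cscript.exe so each event is written to the console; logging the Domain and LocalAccount values per event also shows which accounts the original LocalAccount filter was letting through.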

This topic is archived. No further replies will be accepted.
