Hi Friends,
I need a script/query based on WMI/WQL that finds out the time when the user was added to the local Administrators group on this computer.
Regards
Tanoj
WMI does not keep security information.
Unless you have enabled auditing, this information is not retained in any way.
If auditing is enabled, you can write a PowerShell script to look for the specific event in the event log. More specifically, you should look for all security events with ID 4732 containing the group.
This one command does the trick:
get-eventlog -logname security -instanceid 4732 -message *administrators*
https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).as
Wow, the command line works great, and it looks like I have come very close to my destination.
The command line gets me all the events related to instance 4732, which is great. Can we edit this command line further to get the output for only one particular user?
Regards
Tanoj
It's PowerShell, so you can apply whatever filter/markup/... you want to the output.
Something like:
$username = "MyUser"
get-eventlog -logname security -instanceid 4732 | where-object { $_.ReplacementStrings[6] -like $username }
Hi Sennevl,
The above script is returning a blank value; could you please check it for me?
Please find the screenshot attached.
Regards
Tanoj
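As an added example (not code from any poster in this thread), here is a PowerShell function that pulls Security event 4732 records, reads the event's named fields from its XML instead of positional replacement strings, and resolves the member SID to an account name so you can filter on a user. It assumes "Audit Security Group Management" auditing is enabled on the machine and that you run it elevated; the function name, parameters and the user name MyUser are assumptions for the example.

```powershell
# Added example, not from any poster in this thread.
# Lists Security event 4732 (member added to a security-enabled local group)
# and resolves the member SID so the output can be filtered on an account name.
# Assumes auditing of Security Group Management is enabled and you run elevated.
function Get-LocalGroupAddEvent {
    param(
        [string]$GroupName = 'Administrators',
        [string]$MemberName,                       # e.g. 'MyUser'; omit to list all members
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4732 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Use the named EventData fields rather than ReplacementStrings[n] indexes
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $GroupName) { continue }
        # 4732 normally records the member only as a SID (MemberName is "-"),
        # so translate the SID back to DOMAIN\name where the account still exists.
        $member = $data['MemberName']
        if ([string]::IsNullOrEmpty($member) -or $member -eq '-') {
            try {
                $sid    = New-Object System.Security.Principal.SecurityIdentifier($data['MemberSid'])
                $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $member = $data['MemberSid']   # deleted or unresolvable account: keep the SID
            }
        }
        if ($MemberName -and ($member -notlike "*$MemberName")) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Group       = $data['TargetUserName']
            Member      = $member
            MemberSid   = $data['MemberSid']
            AddedBy     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Computer    = $e.MachineName
        }
    }
}

# Usage (constructed): most recent time MyUser was added to Administrators on this host
Get-LocalGroupAddEvent -MemberName 'MyUser' |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 1
```

Keeping MemberSid in the output lets you match an account that has since been renamed or deleted, where the name lookup alone would return nothing.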