WMI script to find out the time when the user was added to local administration group

Hi Friends,

I need a script/query based on WMI/WQL that finds out the time when the user was added to the local administration group on this computer.

Regards

Tanoj

February 10th, 2015 10:08am

WMI does not keep security information.

Unless you have enabled auditing, this information is not retained in any way.

If auditing is enabled, you can write a PowerShell script to look for the specific event in the event log. More specifically, you should look for all security events with ID 4732 containing the group.

This one command does the trick:

get-eventlog -logname security -instanceid 4732 -message *administrators*

https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).as

February 10th, 2015 5:10pm

Wow, the command line works great, and it looks like I have come very close to my destination.

The command line gets me all the events related to instance 4732, which is great. Can we edit this command line further to get the output for only one particular user?

Regards

Tanoj

February 11th, 2015 9:35am

It's PowerShell, so you can apply whatever filter/markup/... you want to the output.

Something like:

$username = "MyUser"
# keep only the 4732 events whose replacement string at index 6 matches the account name
get-eventlog -logname security -instanceid 4732 | where-object {$_.ReplacementStrings[6] -like $username}

February 11th, 2015 11:52am
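One way to narrow event 4732 to a single added account, as an added example rather than code from this thread: it matches on the member's SID (the MemberSid field of the event) instead of a name, because 4732 normally records the added account by SID only, and it reads the fields by name from the event XML rather than by position. The script name, parameters and the use of Get-WinEvent are my own choices; it assumes "Audit Security Group Management" is enabled and the shell is elevated.

```powershell
# Added example (not from the thread): report when a given account was added to a
# local group by reading audit event 4732 from the Security log.
# Assumes Security Group Management auditing is on and the shell is elevated.
param(
    [Parameter(Mandatory)][string]$UserName,   # e.g. 'MYPC\jdoe' or 'jdoe'
    [string]$GroupName = 'Administrators'
)

# Event 4732 identifies the added member by SID (MemberSid); MemberName is often '-',
# which is why filtering on a plain account name can come back empty.
$sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } `
                       -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    # Parse the event XML so each field can be read by its documented name.
    $xml = [xml]$evt.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # TargetUserName is the group the member was added to.
    if ($d.TargetUserName -ne $GroupName -or $d.MemberSid -ne $sid) { continue }

    [pscustomobject]@{
        TimeAdded = $evt.TimeCreated
        Member    = $UserName
        Group     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        AddedBy   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        RecordId  = $evt.RecordId
    }
}
```

If nothing is returned, confirm with auditpol that the Security Group Management subcategory is audited and that the Security log has not rolled over since the change.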

Hi Sennevl,

The above script is returning a blank value; could you please check it for me?

Please find the screenshot attached

Regards

Tanoj

February 12th, 2015 4:36am
