Learning WMIC: part 2 – Finding Group Members

Let’s dig a little deeper into the capabilities of WMIC and use it to find the information needed to solve a problem.

Problem: list the active users with access to a system, and the groups they belong to…

Solution:

1. All user accounts that have access to a Windows host can be listed using WMIC commands:

wmic useraccount list brief

This command lists all of the user accounts that have access to the system, starting with local accounts followed by domain accounts. That’s OK, but we don’t know which, if any, of the accounts are inactive.

wmic useraccount list status

This command shows the accounts with a Status column in the output. “Degraded” in the Status column indicates the account is inactive.

2. Account groups can also be listed using WMIC commands:

wmic group list brief

This command lists all of the groups with security associations on the Windows host.

3. Now things get a little more complex. From the previous list (wmic group list brief), pick the group whose members you want to know. Next we need to find the path to that group.

wmic group list instance

Notice that the output has a column named __RELPATH. That relative path is the piece of information the next command needs, and the next command is the important one. Note where the backslashes “escape” the inner quotation marks so the command parses properly.

wmic path Win32_groupuser where (groupcomponent="win32_group.name=\"Test Group\",domain=\"MyDomain\"")

This gives us a list of the users that are a part of that group!

So, the entire command that could be entered from the OS command line (non-interactive) would be:

wmic /node:<hostname> /user:<username> /password:<password> path Win32_groupuser where (groupcomponent="win32_group.name=\"Test Group\",domain=\"MyDomain\"")

Let’s break that command down…

  • /node: specifies the host we are going to query. If the command is run on the host being queried, this is not needed.
  • /user: specifies a user account that has privileges to run the query.
  • /password: is the password for that account.
  • path Win32_groupuser names the WMI class that relates a group to an account that is a member of that group.
  • where (…) returns only the records that match the “groupcomponent” attributes given.
  • win32_group.name is the property of the win32_group class that we are checking.
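As an added example (not from the original post), here is the same Win32_GroupUser lookup done in PowerShell with the CIM cmdlets, joined with the Status check from step 1 so that inactive members of the group are flagged. The group name, domain, host and credential are placeholder parameters (the defaults query the local Administrators group), and the object path uses single quotes inside the WQL string, so the backslash escaping needed at the cmd prompt is not required.

```powershell
# Added example, not from the original post: the post's
#   wmic path Win32_groupuser where (groupcomponent="win32_group.name=\"Test Group\",domain=\"MyDomain\"")
# expressed with Get-CimInstance, plus the Status/Disabled check from step 1 for each member.
# Assumed placeholders: $GroupName, $Domain, $ComputerName and $Credential are yours to set.
param(
    [string]$GroupName        = 'Administrators',
    [string]$Domain           = $env:COMPUTERNAME,  # local group; use the domain name for a domain group
    [string]$ComputerName     = '',                 # equivalent of /node:<hostname>; empty = this host
    [pscredential]$Credential = $null               # equivalent of /user: and /password:
)

# Same association query as the wmic command. Single quotes inside the object path
# avoid the \" escaping the post needs at the cmd prompt.
$query = "SELECT * FROM Win32_GroupUser WHERE GroupComponent=`"Win32_Group.Domain='$Domain',Name='$GroupName'`""

# Open a remote session only when a host is given (like omitting /node: for the local host).
$cim = @{}
if ($ComputerName) {
    $sessionArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    $cim.CimSession = New-CimSession @sessionArgs
}

Get-CimInstance @cim -Query $query | ForEach-Object {
    # PartComponent is the member: a Win32_UserAccount, or a nested Win32_Group.
    $member   = $_.PartComponent
    $kind     = $member.CimClass.CimClassName
    $disabled = $null
    $status   = $null
    if ($kind -eq 'Win32_UserAccount') {
        # Step 1 of the post: a "Degraded" Status (Disabled = True) marks an inactive account.
        $acct = Get-CimInstance @cim -ClassName Win32_UserAccount `
                    -Filter "Domain='$($member.Domain)' AND Name='$($member.Name)'"
        $disabled = $acct.Disabled
        $status   = $acct.Status
    }
    [pscustomobject]@{
        Group    = "$Domain\$GroupName"
        Member   = "$($member.Domain)\$($member.Name)"
        Type     = $kind
        Disabled = $disabled
        Status   = $status
    }
} | Format-Table -AutoSize

if ($cim.CimSession) { Remove-CimSession $cim.CimSession }
```

Nested groups show up with Type Win32_Group and no Status; run the script again with that group's name and domain to expand them.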

That’s it for now. More to come!
