Let’s dig a little deeper into the capabilities of WMIC and use it to find the information needed to solve a problem.
Problem: list the active users with access to a system, and the groups they belong to…
Solution:
1. All user accounts that have access to a Windows host can be listed using wmic commands:
wmic useraccount list brief
This command will list all of the user accounts that have access to the system, starting with local accounts followed by domain accounts. That’s OK, but we don’t know which, if any, of the accounts are inactive.
wmic useraccount list status
This command shows the accounts with a Status column in the output. “Degraded” in the Status column indicates the account is inactive.
2. Account groups can also be listed using wmic commands:
wmic group list brief
This command lists all of the groups with security associations on the Windows host.
3. Now things get a little more complex. From the previous list (wmic group list brief), pick the group whose members you want to know. Next we need to find the path to that group.
wmic group list instance
Notice that the output has a column named __RELPATH. That is the relative path to the group, and it is the value the next command needs. Note where the backslashes “escape” the inner quotes so the command line parses properly.
wmic path Win32_groupuser where (groupcomponent="win32_group.name=\"Test Group\",domain=\"MyDomain\"")
This gives us a list of the users that are a part of that group!
So, the entire command that could be entered from the OS command line (non-interactive) would be:
wmic /node:<hostname> /user:<username> /password:<password> path Win32_groupuser where (groupcomponent="win32_group.name=\"Test Group\",domain=\"MyDomain\"")
Let’s break that command down…
- /node: points to the host we are going to query. If running the command on the host being queried, this is not needed
- /user: is used to specify a user account that has privileges to run the query
- /password: is the password for the account that has privileges to run the query
- path Win32_groupuser is a WMI class that relates a group and an account that is a member of that group
- where (…) indicates only to return records that match the “groupcomponent” attributes given
- win32_group.name is the property of the win32_group class that we are checking
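As an added example (not part of the original post), here is a Python script that takes the output of two of the commands above in /format:csv form, the user-account listing with its Status column and the Win32_GroupUser listing, and joins them to answer the original problem: which active users belong to which groups. The sample outputs are constructed, not captured from a real host, and the treatment of “Degraded” follows the meaning given above.

```python
import re
# Constructed sample output (not from a real host) of:
#   wmic useraccount get Domain,Name,Status /format:csv
USERACCOUNT_CSV = """
Node,Domain,Name,Status
HOST1,HOST1,Administrator,Degraded
HOST1,HOST1,alice,OK
HOST1,MYDOMAIN,bob,OK
"""
# Constructed sample output of:
#   wmic path Win32_GroupUser get GroupComponent,PartComponent /format:csv
# The WMI object paths contain unquoted commas, so this is not clean CSV.
GROUPUSER_CSV = r"""
Node,GroupComponent,PartComponent
HOST1,\\HOST1\root\cimv2:Win32_Group.Domain="HOST1",Name="Administrators",\\HOST1\root\cimv2:Win32_UserAccount.Domain="HOST1",Name="Administrator"
HOST1,\\HOST1\root\cimv2:Win32_Group.Domain="HOST1",Name="Administrators",\\HOST1\root\cimv2:Win32_UserAccount.Domain="MYDOMAIN",Name="bob"
HOST1,\\HOST1\root\cimv2:Win32_Group.Domain="MYDOMAIN",Name="Test Group",\\HOST1\root\cimv2:Win32_UserAccount.Domain="HOST1",Name="alice"
"""
# One WMI object path as wmic prints it: Win32_Class.Domain="...",Name="..."
REF = re.compile(r'Win32_(\w+)\.Domain="([^"]*)",Name="([^"]*)"')
def parse_accounts(csv_text):
    """Map (domain, name) -> Status from the useraccount listing."""
    accounts = {}
    for line in csv_text.splitlines():
        parts = line.split(",")
        if len(parts) != 4 or parts[0] == "Node":  # skip blank and header lines
            continue
        _node, domain, name, status = parts
        accounts[(domain, name)] = status
    return accounts

def parse_group_members(csv_text):
    """Map (group_domain, group_name) -> [(member_domain, member_name), ...]."""
    members = {}
    for line in csv_text.splitlines():
        refs = REF.findall(line)  # pull out the two object paths instead of comma-splitting
        if len(refs) != 2 or refs[0][0] != "Group":  # header and blank lines have none
            continue
        (_, gdom, gname), (_, mdom, mname) = refs
        members.setdefault((gdom, gname), []).append((mdom, mname))
    return members

def active_members(accounts, members):
    """Keep members whose Status is not 'Degraded' (inactive per the post); members with no useraccount row (e.g. a nested group) stay."""
    result = {}
    for group, users in members.items():
        active = sorted(u for u in users if accounts.get(u) != "Degraded")
        if active:
            result[group] = active
    return result
```

On a real host, feed the script the text produced by the two wmic commands named in the comments instead of the constructed samples.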
That’s it for now. More to come!