The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Local Administrator Permissions (w/ Domain Users)


The Least Privileged Model reduces risk by limiting the users who have admin permissions. Recommended best practice is to audit and limit access to administrative privileges. Learn more:


Lists all users in the local administrative group on a target system, as well as user ID and group ID.

SELECT, u.uid, u.uuid, g.gid, g.groupname, g.group_sid

FROM registry as r
JOIN groups AS g ON data = group_sid
JOIN users AS u ON regex_match(key,'S\-[\-0-9]+', 0) = u.uuid
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership'
  AND groupname = 'Administrators';
Carbon Black Employee
Status changed to: Approved
New Contributor

Any possibility to get this Information without querying registry?

because what happens if someone added a User to the local Admin group and That User Never logged in. Than you wont get a proper Result.

i am searching for a query which lists me all members of the local admin group, also groups either local or domain.

Any idea?

Carbon Black Employee

@Kuchi not sure how I missed you comment, but I am really sorry that I did. Do you still need help with this question?