The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

macOS - Local Administrator Accounts

Description: The query allows you to check macOS systems for local administrator accounts. The administrator on a Mac has full privileges to install programs, uninstall them, modify files, or compromise the system. The query helps to identify local administrator accounts to ensure IT hygiene and compliance in the enterprise.

What The Data Shows: User ID, Username, User description


SELECT u.uuid, u.username, u.description
FROM users AS u
INNER JOIN user_groups AS g ON g.gid=u.gid
WHERE g.gid = 20
GROUP BY username;


1 Comment
Carbon Black Employee
Status changed to: Approved

@lschulze thanks for contributing to the Query Exchange!