I have used the wmi.conf file to monitor local groups using the stanza below:
[WMI:LocalAdmins]
interval = 3600
index = myindex
wql = SELECT * FROM Win32_GroupUser
disabled = 0
However, on the local Splunk server it works fine, but from a remote server it returns data for all domain groups, which I do not want.
I referred to another URL on this topic:
http://blogs.splunk.com/2014/07/10/monitoring-local-administrators-on-windows-hosts/
and used the script below on my Windows 2012 R2 server:
script = (Get-WMIObject Win32_Group | Where-Object { $_.Name -eq 'Administrators' }).GetRelated() | Where-Object { $_.__CLASS -eq "Win32_UserAccount" -or $_.__CLASS -eq "Win32_Group" } | Select-Object __CLASS,Caption,SID
schedule = 0 30 2 ? * *
sourcetype = PowerShell:LocalAdmins
source = PowerShell
disabled = false
but still I am not getting the intended data. It's returning me something like below:
Installed application enumerated from "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573"
(Default)=KB982573
DisplayName={F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573
How can I monitor local groups?
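The scoping problem described in the post (a domain-joined host returning domain groups) is usually avoided by restricting the WMI query to local accounts before following the group-membership association. The script below is an added example, not code from the original post or from the Splunk blog it links; the group name 'Administrators', the function name and the output field names are choices made here, and it assumes the account running it can query root\cimv2 on the host.

```powershell
# Added example (not from the original post or the Splunk blog): enumerate the
# members of a LOCAL group on a domain-joined Windows host and emit one object
# per member for Splunk to index as key=value fields.
# Assumptions (mine, not the poster's): the group of interest is 'Administrators',
# the script runs with rights to query root\cimv2, and the field names are chosen here.

function Get-LocalGroupMembership {
    param(
        [string]$GroupName = 'Administrators'
    )

    # WQL escapes a single quote with a backslash; keep the filter well-formed
    # for group names that contain one.
    $safeName = $GroupName -replace "'", "\'"

    # On a domain member, Win32_Group and Win32_GroupUser also enumerate DOMAIN
    # groups. Restricting the filter to LocalAccount = TRUE keeps only the host's
    # own group, which is the scope the poster wanted.
    $group = Get-WmiObject -Class Win32_Group -Filter "LocalAccount = TRUE AND Name = '$safeName'"
    if (-not $group) {
        Write-Error "Local group '$GroupName' not found on $env:COMPUTERNAME"
        return
    }

    # Win32_GroupUser associates the group (GroupComponent) with its members
    # (PartComponent). GetRelated() follows every association from the group
    # object, so keep only account classes and drop unrelated associators such
    # as Win32_NTDomain. A nested domain group appears as Win32_Group with
    # LocalAccount = False, which is the kind of member a local-admin review
    # most wants to surface.
    $accountClasses = @('Win32_UserAccount', 'Win32_Group', 'Win32_SystemAccount')
    $members = $group.GetRelated() | Where-Object {
        $accountClasses -contains $_.__CLASS
    }

    $collected = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    foreach ($m in $members) {
        # One flat object per member; the Splunk PowerShell modular input turns
        # each property into a key=value field of the event.
        [PSCustomObject]@{
            collected   = $collected
            host        = $env:COMPUTERNAME
            group       = $group.Name
            member_type = $m.__CLASS
            domain      = $m.Domain
            name        = $m.Name
            sid         = $m.SID
            is_local    = [bool]$m.LocalAccount
        }
    }
}

# Usage: dot-source this file from the input's "script =" key, or run it directly.
Get-LocalGroupMembership -GroupName 'Administrators'
```

Run interactively, the function prints one row per member; under the PowerShell modular input the same objects become events with `member_type`, `domain`, `name`, `sid` and `is_local` fields, so a search that groups by `host` and compares the set of `sid` values between runs, or that simply filters on `is_local=False`, shows when a domain principal has been added to the local Administrators group. Windows Server 2012 R2 does not ship the `Get-LocalGroupMember` cmdlet (it arrived with the LocalAccounts module in later releases), which is why the example stays with WMI like the poster's script.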