Analysis - local admins with last login date

Howdy,
I have an analysis which seems to be working to get the local admins on the Windows servers. But I need to add the last login date to the query.

If possible I would like to get this to export as a CSV file, but I have not seen any way to do this so far. I’m running 1 build behind the latest version. I also want to get this in a web report, but I have not found a way to get any of the custom analysis into a web report yet.

The local admin analysis doesn’t give groups, only users. I may need to add in groups, of course not with a last login date, but is that possible?

For last login, one option might be to look at the modification date of a file that gets touched on login in the user folder.

For the CSV file, you can look into the Excel Connector. There you can have your analysis, actions, etc. in an Excel sheet.

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Excel%20Connector

Try this…

Q: (names of it, last logon of it) of users whose (admin privilege of it=true)
A: Administrator, ( Tue, 14 Jul 2009 00:08:59 -0500 )
A: jgo, ( Fri, 15 Jan 2016 11:13:44 -0500 )

You can then consume this property in a web report where you will be able to export to CSV.

Thank you! Can I get the status of the account - true or false, as well as the age of the password, and ideally I would like to get the full name, description, and possibly other fields, but at least the disabled status, last login, and password age are the key items now, and this will only run against local accounts, correct?

I did find this query on a very old post and it looks like it works in BigFix now, but the results show either 1 account or “multiple results”.

How can I get that to view correctly and/or export to a csv file, although a web would be fine.

I did look at the Excel Connector, but I can’t get it working.

(
   name of item 0 of it, logon count of item 0 of it, password ages of item 0 of it, last logon of item 0 of it as string | "Never", account disabled flag of item 0 of it, item 1 of it
 )
 of 
 (
   it, names of items 1 of 
   (
     sid of it, local groups
   )
   whose
   (
     exists 
     (
       item 0 of it as string as lowercase, members of item 1 of it as string as lowercase
     )
     whose
     (
       item 0 of it = item 1 of it
     )
   )
 )
 whose
 (
   item 1 of it = "Administrators"
 )
 of local users

You could also use this:

q: (names of it, last logon of it, password age of it, (if (exists  full name of it) then full name of it else "n\a"), (if (exists  comment of it) then comment of it else "n\a")) of users whose (admin privilege of it=true)
A: Administrator, ( Tue, 14 Jul 2009 00:08:59 -0500 ), ( 482 days, 20:02:52 ), n\a, Built-in account for administering the computer/domain
A: user1, ( Mon, 18 Jan 2016 13:44:04 -0500 ), ( 56 days, 03:13:22 ), n\a, test123
// also use this relevance to see what else you could ask...
q: properties of type "user"

Once this is a property then you could digest it in web reports, i.e. Explore Data --> Computers --> Edit Columns --> Property Name --> click on “Expand-O Image” next to property name.
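
For anyone who wants a CSV straight from the debugger answers above, here is an added example (not part of the original posts and not BigFix code) that parses the `A:` tuple lines, keeps the parenthesised date and age values intact, and flags local admin accounts for review. The `svc_old` row, the `Never` value (as substituted by the longer query in the thread), the function names and the 90/365-day thresholds are assumptions.

```python
import csv, io, re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample in the answer format shown in the thread; "svc_old" is made up.
SAMPLE = r"""A: Administrator, ( Tue, 14 Jul 2009 00:08:59 -0500 ), ( 482 days, 20:02:52 ), n\a, Built-in account for administering the computer/domain
A: user1, ( Mon, 18 Jan 2016 13:44:04 -0500 ), ( 56 days, 03:13:22 ), n\a, test123
A: svc_old, Never, ( 900 days, 01:00:00 ), n\a, legacy, do not use"""
FIELDS = ["name", "last_logon", "password_age_days", "full_name", "comment", "flags"]

def split_tuple(line, nfields=5):
    """Split on top-level ', ' only; '( ... )' values carry commas of their own."""
    body, parts, depth, start = line[2:].strip(), [], 0, 0
    for i, ch in enumerate(body):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and body.startswith(", ", i) and len(parts) < nfields - 1:
            parts.append(body[start:i])
            start = i + 2
    return parts + [body[start:]]  # last field (comment) keeps any commas

def review(text, now, max_idle_days=90, max_pw_days=365):
    """Parse 'A:' lines and flag admin accounts; thresholds are illustrative assumptions."""
    rows = []
    for line in (l for l in text.splitlines() if l.startswith("A:")):
        name, logon, age, full, comment = split_tuple(line)
        logon = logon.strip("() ")
        last = None if logon == "Never" else parsedate_to_datetime(logon)
        m = re.search(r"(\d+) days", age)
        pw_days = int(m.group(1)) if m else 0  # assumes ages under a day omit "days"
        flags = []
        if last is None:
            flags.append("never_logged_on")
        elif now - last > timedelta(days=max_idle_days):
            flags.append("idle")
        if pw_days > max_pw_days:
            flags.append("old_password")
        rows.append(dict(zip(FIELDS, [name, last, pw_days, full, comment, ";".join(flags)])))
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    from datetime import datetime, timezone
    print(to_csv(review(SAMPLE, datetime.now(timezone.utc))))
```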

Is there a good article or reference that lists what details you can get on a property such as the “user”?

I merged into this post @Maverick's replies to this post: Local accounts analysis with details