Check Local Administrators Group

(imported topic written by lunchboxfl91)

I would like to create an Analysis that checks the local administrators group on each of our machines. We have a list of users and groups that are supposed to be in that group. What we want is to only see machines that have users or groups that are not in the approved list and display them for us to remove when found. Any help on this would be great. Thanks.

(imported comment written by SystemAdmin)

I have a property lying around that returns some information about each user:

(
  name of it,
  (
    concatenation "|" of names of items 1 of
    (
      sid of it, local groups
    )
    whose
    (
      exists
      (
        item 0 of it as string as lowercase, members of item 1 of it as string as lowercase
      )
      whose
      (
        item 0 of it = item 1 of it
      )
    )
  ),
  last logon of it as string | "Never", logon count of it, account disabled flag of it
)
of local users

If you want to filter the results to just those that are not in some hardcoded approved list, you can do something like this:

(
  name of it,
  (
    concatenation "|" of names
    whose
    (
      "|approvedGroup1|approvedGroup2|approvedGroup3|" does not contain
      (
        "|" & it & "|"
      )
    )
    of items 1 of
    (
      sid of it, local groups
    )
    whose
    (
      exists
      (
        item 0 of it as string as lowercase, members of item 1 of it as string as lowercase
      )
      whose
      (
        item 0 of it = item 1 of it
      )
    )
  ),
  last logon of it as string | "Never", logon count of it, account disabled flag of it
)
of local users
whose
(
  "|approvedUser1|approvedUser2|approvedUser3|" does not contain
  (
    "|" & name of it & "|"
  )
)

-Zak

(imported comment written by lunchboxfl91)

Does not seem to be working right. I just want to check the Administrators group on a machine and if a user or group is in the Administrators group that is not approved tell me what machine and what user.

(imported comment written by SystemAdmin)

You probably want something more like this:

account names whose ("|approvedAccount1|approvedAccount2|approvedAccount3|" does not contain "|"& it &"|") of sids of members of local groups whose (name of it = "Administrators")

It’ll print out the users or groups that are applied to the administrators group, that are not part of your approved list.

(imported comment written by MattBoyd)

Here’s the way that I like to do it with sets of elements:

elements of (set of (account names of sids of members of local groups whose (name of it = "Administrators")) - set of ("Administrator"; "ApprovedGroup1"; "ApprovedGroup2"))

(imported comment written by lunchboxfl91)

This just checks for each of the names and displays on PCs that have other than those approved names… it does not change them, does it?

(imported comment written by MattBoyd)

Correct. Relevance cannot be used to modify a system. It is read-only.

(imported comment written by lunchboxfl91)

I get syntax errors. The relevance expression contains unbalanced parentheses or unterminated strings.

(imported comment written by MattBoyd)

Hmm… can you double check that you didn’t miss a parenthesis when you copied and pasted it?

(imported comment written by lunchboxfl91)

Missed a " thanks.
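
For cross-checking the analysis results on a single test machine outside BigFix, the same read-only allow-list comparison can be done in PowerShell. This is an added example, not part of the original thread; the approved names are the placeholders used above, and it assumes Windows PowerShell 5.1 or later, where `Get-LocalGroupMember` is available.

```powershell
# Added example: read-only audit of the local Administrators group.
# The approved names are placeholders from the thread, not real accounts.
$Approved = @('Administrator', 'ApprovedGroup1', 'ApprovedGroup2')

# Look the group up by its well-known SID so the check also works on
# non-English Windows, where the group is not named "Administrators".
$AdminGroupSid = 'S-1-5-32-544'

try {
    $members = Get-LocalGroupMember -SID $AdminGroupSid -ErrorAction Stop
}
catch {
    # Fail loudly instead of silently reporting the machine as clean.
    Write-Error "Could not enumerate group ${AdminGroupSid}: $_"
    return
}

$unapproved = foreach ($m in $members) {
    # Name is reported as "SCOPE\account"; keep the part after the last backslash.
    # Comparing on the short name treats DOMAIN\x and COMPUTER\x as the same entry;
    # list full names or SIDs in $Approved for a stricter check.
    $account = ($m.Name -split '\\')[-1]

    # -notcontains compares strings case-insensitively.
    if ($Approved -notcontains $account) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Type     = $m.ObjectClass
            Source   = $m.PrincipalSource
            SID      = $m.SID.Value
        }
    }
}

# An empty result means every member is on the approved list.
$unapproved | Format-Table -AutoSize
```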