Delete list of local user accounts on multiple remote servers?

Howdy,

I have a list of user accounts that I have to delete on many remote Windows 2003, 2008 (x86 and x64), 2008R2, and 2012 servers.

I am brand new to trying to create fixlets and I could use some help.

There are many accounts to delete and I don’t expect that they will exist on all servers.

IE: User1, User2, and User3 may exist on 3 out of the 300 servers, but User 4 might exist on all 300 servers, but the others won’t exist. Some of the servers may not have any of the accounts that I deploy the fixlet against.

The other part of this is using IEM to provide a report of “all local accounts” on all the servers. Right now I use a PowerShell script across multiple domains which is a bit of a pain and gather the “local admins” only.

Can someone help?

To start we can get the names of all of the local user accounts on an endpoint with the following relevance:

"names of local users"

To get that for all of your endpoints you would make a new analysis in your BigFix console with a property called something like, “Local Users” and that relevance statement as the value of the property of the analysis.

On my test endpoint this returns:

Q: names of local users
A: Administrator
A: DefaultAccount
A: Guest

To search for specific users you can use:

exists (names of local users) whose (it = "Testname" or it = "testname2")

On my test endpoint this happens:

Q: exists (names of local users) whose (it = "Testname" or it = "testname2")
A: False

… because I don’t have a testname or testname2 user. Though, if I tweak the relevance to check for an Administrator account:

Q: exists (names of local users) whose (it = "Administrator" or it = "testname2")
A: True

So now we have the relevance part – we know how to check if the account exists.

So make a new fixlet with this as its relevance:

Q: exists (names of local users) whose (it = "Insert Admin Account 1 name here" or it = "Insert Admin Account 2 name here")
A: True

For the Action Script of the fixlet we will call the net user command to remove the user accounts.

Normally we’d use a “Waithidden” command to make sure the commands finish, but in this case we don’t really need to and can use the following action script:

Runhidden net user "Insert Admin Account 1 name here" /delete
Runhidden net user "Insert Admin Account 2 name here" /delete

And if you aren’t already I’d highly recommend using the Fixlet Debugger for testing these relevance and action script statements.

You can find out more about that here: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Fixlet%20Debugger%20(QnA)%20Tool


Thank you for the quick and helpful reply!

How do I actually create the “task/fixlet/action - I am not sure of the proper term” to do a search for “all local accounts”?

Your queries are great, so I can search for the specific user names, that will be helpful when I have to do this as people leave the business.

Is there a report I can run before to see what accounts exist on the servers and then I can run it afterwards to see what is deleted?

If I want to run the fixlet, then I have to put in the commands below? Is there anything else I have to add and is there a way to find out how many accounts are deleted on each server and which accounts, or anything like that in a report I can run?

exists names whose (it = "TESTNAME" or it = "testname2") of local users
Run net user Testname /delete
Run net user testname2 /delete

So the first thing you’ll want to do is make an Analysis. Analyses are the way in which you can pull information from an endpoint. Go into your console and click on the Analyses section on the left and then right click on the right hand side and hit Create New Analysis…

  1. Give the Analysis a name like: Local Account Check
  2. Under Properties hit Add Property
  3. Give it a name like “Local Accounts”
  4. Give it a Relevance of names of local users
  5. Press Ok

Wait a couple minutes and you should start to see results coming in. You can use these results to generate a report of what local accounts are on each server.

Now we want to actually make a change to the endpoints (remove the local accounts). To do this we want to use a Fixlet. To make a Fixlet click on Fixlets and Tasks on the left hand side of the console and right click on the right hand side and press Create New Fixlet…

  1. Give the Fixlet a name like: Local Account Cleanup

  2. Under Actions add a line of, “Runhidden net user Testname /delete” for each account you want to remove and replace testname with the name of the account

  3. Under Relevance change it from “All Computers” to, “Computers which match all of the relevance clauses below”

  4. Replace “true” with your relevance statement (make sure to replace testname with the names of the accounts and add additional or statements for additional accounts):

    exists names whose (it = "TESTNAME" or it = "testname2") of local users

  5. Press Ok

Now you need to make an action. Click on the fixlet you just made and press Take Action and action it against a test computer and see what happens!

The fixlet is going to be specific to a specific account, which’d be good if this is a once off process.

Depending on the situation a Task might be more flexible.

The Task can take a parameter with the names or a list of usernames.
This can then be reused.


Thanks! I did what you stated, but what’s the best option to select the Applicable Computers? I want it to run against “All Windows” computers.

I see the local accounts coming back.

On the New Analysis window, I put in:

  1. Name - Get Local Accounts
  2. Properties Tab - Local Accounts and below that in the relevance field I entered “names of local users”
  3. On the Relevance Tab I put in “OS contains Windows”

Is that the best option?

Jakes,

For the analysis you could select, “Computers which match all of the relevance clauses below” and put

Windows of Operating System

As for the fixlet what I would do is use this in the relevance of the fixlet:

Windows of Operating System

exists names whose (it = "TESTNAME" or it = "testname2") of local users

Then, because of how Fixlets work you can just dynamically target by property and select the group of computers you want to action against. Fixlets will only apply to computers they are relevant to so if you select extra computers the fixlet won’t even run on those computers.

I am trying to do a disable of the accounts, but I don’t see the command line to do that?

I did apply it to the group “All Windows Computers”, so that’s working.

Here’s what you’re looking for:

runhidden net user "testuser" /active:no

Thank you! How do I make this a task compared to a fixlet?

It does make sense to make it a task as I have 80 accounts right now to search for and disable.

The analysis is working well, but how do I get it into a report format? When there are multiple accounts it states “multiple accounts”, so they aren’t easily viewed.

It would be best to just put the accounts into a list as you mentioned and then I can re-use the task.

One more quick item, I just set up an analysis to search for specific accounts.

I put the name in the general field, then for the property I put:
local accounts

Under the property for relevance I put in
"exists names whose (it = “TESTNAME” or it = “testname2”) of local users"

I then chose the relevance tab and put apply to group - all windows servers

I am not getting any results and I did update the account names.

Do I need the quotes around the names and/or the statement? I’ve tried with and without and I’m not getting the results or perhaps it’s taking longer than expected?

You can make a report using Web Reports. Now that you’ve made your analysis you can add it as a column in web reports and when you export it you can open it in excel to get all of the data.

It may take a couple of minutes for results to appear depending on if UDP pings are enabled and what your command polling interval is.

Also make sure:

  1. The site you made the analysis in (or your operator site) has computers subscribed.
  2. The computer group you put in the relevance has computers in it
  3. The analysis is activated
  4. Computers are appearing in the, “Applicable Computers” tab of the analysis

Yes, I have a large list of computers coming back.

What I am seeing is that if I put in a “test” account that doesn’t exist, the computers still show up in the analysis anyway.

I don’t see the “false” result you mentioned if the account doesn’t exist or the “true” result if the account exists.

The query to find “all local accounts” works great! It’s just filtering out the specific accounts that I am stuck on.

I have a list of 80 accounts I want to search for specifically.

I am going to disable them for 2 weeks and then delete them. Is a task going to be the easiest method and can I run an analysis on this first to find the servers that have the accounts?

The computers show up in the Applicable Computers tab or the Results tab?

Also keep in mind that when you adjust a property of an analysis your computers have to report back in before the results will change. This means that if you do something like:

true

and then change it to

false

You have to wait for the endpoints to get the update and report back in before their results will change.

Hello,
I am able to get the Analysis working now. I just am not sure how to do this as a reusable task?

I do want to do this as the task so I can list account names ad-hoc and then have the query run whether it’s the analysis or the task to disable or delete the list of accounts.

Can anyone help me with this?

You won’t be able to do it ad-hoc with an analysis, the analysis will have to be modified each time you want to get results from an endpoint.

That being said you can do it ad-hoc with a task:

action parameter query "LocalUser" with description "Please enter the username of the local user you would like to have removed."

runhidden net user "{parameter "LocalUser"}" /active:no
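For the 80-account case discussed in this thread, the following added example (not code from any of the posters or from BigFix) generates the fixlet relevance and the net user action lines from a list of names, in the forms shown above. It is written in Python so it can be run offline; the function names, the sample account names and the conservative allow-list for account names are assumptions of this example, and the relevance compares lower-cased names so the match does not depend on capitalisation.

```python
import re

# Conservative allow-list (an assumption of this example, stricter than Windows):
# letters, digits, space, dot, underscore, hyphen, dollar; 1 to 20 characters,
# no leading or trailing space. It keeps quotes, braces and command
# metacharacters out of the generated relevance and action script.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._$-](?:[A-Za-z0-9 ._$-]{0,18}[A-Za-z0-9._$-])?")

def clean_names(raw_names):
    """Validate and de-duplicate account names case-insensitively, keeping order."""
    seen, out = set(), []
    for raw in raw_names:
        name = raw.strip()
        if not name:
            continue  # skip blank lines in the input list
        if not _SAFE_NAME.fullmatch(name):
            raise ValueError(f"unsafe account name: {name!r}")
        if name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out

def build_relevance(names):
    """Fixlet relevance: true when at least one listed account exists locally."""
    tests = " or ".join(f'it as lowercase = "{n.lower()}"' for n in names)
    return f"exists (names of local users) whose ({tests})"

def build_action(names, mode="disable"):
    """One net user line per account; mode is 'disable' or 'delete'."""
    switch = {"disable": "/active:no", "delete": "/delete"}[mode]
    return "\n".join(f'runhidden net user "{n}" {switch}' for n in names)

if __name__ == "__main__":
    # Constructed sample input, not real account names.
    sample = ["Testname", "testname2", "TESTNAME", " svc_backup "]
    names = clean_names(sample)
    print(build_relevance(names))
    print(build_action(names, "disable"))
```

Paste the first printed line into the fixlet's relevance and the remaining lines into its action script; rerun with mode "delete" once the two-week disable period is over.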

The Local User Management dashboard in BigFix Labs is worth a look.
It has analysis that returns local users as well as functions to manage them (create, update, delete).

Maybe this is all you need :)
