Determining users and groups with senetworklogonright

(imported topic written by dmoore21)

So, I’ve got a chunk of relevance that stipulates that only Administrators and Power Users should have the senetworklogonright… But I would like to modify it to take a different approach. Instead of positively identifying which groups and users should have the right, I would rather have the relevance stipulate which groups and users should NOT have the right…

Here’s my existing relevance statement:

not exists 1 whose ((((0 < size of it) of item 0 of it and ((item 0 of it * item 1 of it) = item 1 of it)) of (set of component strings of sids of accounts with privilege "senetworklogonright", set of component strings of sids of security accounts "Administrators")) and (((0 < size of it) of item 0 of it and ((item 0 of it * item 1 of it) = item 1 of it)) of (set of component strings of sids of accounts with privilege "senetworklogonright", set of component strings of sids of security accounts "Power Users")) and (((0 < size of it) of item 0 of it and ((item 0 of it * item 1 of it) = item 1 of it)) of (set of component strings of sids of accounts with privilege "senetworklogonright", set of component strings of sids of security accounts "")) and (((0 < size of it) of item 0 of it and ((item 0 of it * item 1 of it) = item 1 of it)) of ((set of (component strings of sids of (local users; local groups); names of keys of keys "HKLM\Security\Policy\Accounts" of x32 registry) - set of component strings of sids of accounts with privilege "senetworklogonright"), (((set of (component strings of sids of (local users; local groups); names of keys of keys "HKLM\Security\Policy\Accounts" of x32 registry) - set of component strings of sids of security accounts "Administrators") * (set of (component strings of sids of (local users; local groups); names of keys of keys "HKLM\Security\Policy\Accounts" of x32 registry) - set of component strings of sids of security accounts "Power Users")) * (set of (component strings of sids of (local users; local groups); names of keys of keys "HKLM\Security\Policy\Accounts" of x32 registry) - set of component strings of sids of security accounts "")))))

Thoughts and suggestions appreciated!

(imported comment written by dmoore21)

So, I’ve tried this in the Fixlet Debugger:

Q: (it contains "SeNetworkLogonRight") of (privileges of security accounts ("Users";"Authenticated Users";"Domain Users";"Everyone"))

A: False

A: False

A: False

A: False

A: False

A: False

A: False

T: 1.418 ms

And it seems to work ok. But when I create a fixlet with that exact relevance, I don’t get the results I expect… Thoughts?

(imported comment written by dmoore21)

This seems to work out well:

(it contains "SeNetworkLogonRight") of concatenation of (privileges of security accounts ("Users";"Authenticated Users";"Domain Users";"Everyone"))

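Added example, not part of the original thread and not BigFix relevance: the deny-list approach asked about above, applied offline in Python to the text of a `secedit /export /cfg <file> /areas USER_RIGHTS` policy export. The function names and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Well-known SIDs of the groups named in the thread; fixed on every Windows host.
DENIED_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "Users",
}
# Domain Users has a per-domain SID ending in RID 513.
DOMAIN_USERS = re.compile(r"S-1-5-21-\d+-\d+-\d+-513")

def holders(inf_text, right="SeNetworkLogonRight"):
    """Return the accounts granted `right` in the [Privilege Rights] section."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == right.lower():
                # SIDs carry a leading '*'; resolvable accounts may appear by name.
                return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []

def denied_holders(inf_text):
    """Return (account, group) pairs for deny-listed groups that hold the right."""
    by_name = {g.lower(): g for g in list(DENIED_SIDS.values()) + ["Domain Users"]}
    found = []
    for acct in holders(inf_text):
        short = acct.rsplit("\\", 1)[-1].lower()  # drop a DOMAIN\ or BUILTIN\ prefix
        if acct.upper() in DENIED_SIDS:
            found.append((acct, DENIED_SIDS[acct.upper()]))
        elif DOMAIN_USERS.fullmatch(acct.upper()):
            found.append((acct, "Domain Users"))
        elif short in by_name:
            found.append((acct, by_name[short]))
    return found

# Constructed sample export (not taken from a real host).
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-513
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
Revision=1
"""
```

An empty list from `denied_holders` means none of the four groups from the thread holds the right; Administrators (`S-1-5-32-544`) and Power Users (`S-1-5-32-547`) are never flagged.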