Getting members of administrative accounts on computer

(imported topic written by jdaly)

I am currently trying to write a relevance expression that will check the members of the local admin group on each machine. From searching these forums I have found the following works reasonably well.

(members of local group "Administrators" as string)

Testing with Q&A I have the following

q: (members of local group "Administrators" )

A: computername\administrator

A: domain\Domain Admins

A: domain\user1

A: domain\user2

I would like to see if there is a way of limiting the results to only those that start with domain. This way I will only get the domain accounts that are administrators on the machine.

I would have thought it would be something like

(members of local group "Administrators" as string whose name of it starts with "domain")

However that doesn’t seem to work. I’m pretty new to relevance language and still learning so any help would be greatly appreciated.

Thanks

(imported comment written by MattPeterson)

A couple issues with your statement. First, your parentheses were in the wrong place. You need your object (members of local group administrators as string) to be in parentheses, then you also need your statement following whose in parentheses.

Also, since you’re casting your object as string, you cannot ask for name of it (name of it is not even a valid property for member of group)…

Here is what your statement should look like:

(members of local group "Administrators" as string) whose (it starts with "Domain")

(imported comment written by jdaly)

Thanks for your quick reply. How do you know when to just use it or when you can use “name of it” or some other “something of it”?

I guess the hardest thing I’m finding so far with the relevance language is the syntax and getting it right.

Also how do you know what properties can be retrieved by any relevance?

(imported comment written by MattPeterson)

The inspector guides (Windows link below) will show you what properties are available to query for each OS.

http://www.google.com/url?q=http://support.bigfix.com/fixlet/documents/WinInspectors-2006-08-10.pdf&sa=U&ei=NDg0U5azKKzMsQSD3IGADQ&ved=0CC4QFjAC&sig2=LLnXEKjHz0UvMps5MkXkzw&usg=AFQjCNHt9tmPg9jsGKRpa9_PGAZKgS3WyQ

I’m attaching the Relevance Language guide (I couldn’t find a working link for it online). This will explain the basics of the relevance language. It will explain things like how to do a whose clause.

(imported comment written by jdaly)

Thank you very much for these. Definitely should be helpful.

(imported comment written by jgstew)

This does not directly address your question, but is related:

Local Admin/User Audit - Windows
http://bigfix.me/analysis/details/2994547

I highly recommend looking for similar examples on bigfix.me as a way to learn to write relevance.