Identifying local admins not on my whitelist

Embarrassed to ask that one, I'm probably going to figure it out shortly after hitting "post", but…

I'm trying to identify PCs with administrators that should not be admins.

So if I do this in QnA:
q: members of local group "administrators"
I get:
A: PCNAME\admin1
A: domain\Domain Admins
A: domain\Local Administrators

Now I've been meaning to write something that says if the answer is NOT one of the above, return false… concatenation of computer name + "\admin1" or "domain\Domain Admins" or "domain\Local Administrators"…

exists names whose (it != "domain\Domain Admins") of local groups "administrators" and (exists names whose (it != "domain\Local Administrators") of local groups "administrators") seems to work, but when I start going into the concatenation of computer name\admin1 (which works separately) all hell breaks loose…

I keep hitting syntax issues, whose/it issues or false positives. I'm sure someone already wrote that up and can hit me over the head with it, please? :wink:

Hey Greg, we did in fact have to do this recently, so you are in luck. :slight_smile:

This is what we used (using your example members that should be in your whitelist):

set of ("PCNAME\admin1"; "domain\Domain Admins"; "domain\Local Administrators") = set of (members of local group "administrators" as string)

This will evaluate to true if the admin group only contains your whitelist. It should return false if there are members that are not in your whitelist, or if the device is missing any whitelist members.

If you run into situations where some devices may have different members, you might need to adjust it to use "set contains" or something.

Let me know if you run into any issues with this.

My current working relevance was horrible:

exists (if (it does not contain (":" & computer name & "\admin1") and it as lowercase does not contain (":" & computer name as lowercase & "\admin") and it as lowercase does not contain ("\local administrators") and it as lowercase does not contain ("\domain admins")) then (it) else (nothing)) of (item 0 of it & ":" & item 1 of it as string) of (name of it, (if (number of members of it > 0) then (members of it as string) else ("No Members"))) of local group "administrators"

I will gladly try yours in a minute, thanks very much!

So this works; I made it != for my purposes… However, it seems like it'd be looking for an exact match between the two sets (criteria and result)…

If I have extra criteria on the first set that are present on some machines and not others, it's going to flag them. The goal would be to flag only the machines that have something "OTHER THAN" the criteria in the results (something extra), but "less than" the criteria listed would be OK… Really I want an easy way to whitelist some admin names, and have BigFix flag machines that have admins that are not on that list (but if they have only part of the list, it's all good). Ugh… Will play some more! Thanks Sean!

PS: the ugly relevance above from my previous post actually does the same thing if I have less criteria than the actual result; it only works OK the other way around…

Yeah, the relevance I supplied handles "exact matching" only. To your point, you want to know if a possibly rogue admin account is there, and I'm guessing you also want to know the user/group name.

You can get both of these answers from one relevance query:

elements of (set of (members of local group "administrators" as string) - set of ("PCNAME\admin1"; "domain\Domain Admins"; "domain\Local Administrators"))

Devices that contain all the whitelisted accounts will have a result of <none>. Devices that have admin accounts that are not in the whitelist will have their names displayed so you can remediate them.

I believe this will fit your needs, let me know how it goes.
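As an added example (not posted by anyone in this thread), the same set-difference approach can be extended to cover the two things the original question stumbled on: the per-machine `computer name & "\admin1"` entry, and the fact that string comparison in a set difference is case-sensitive while Windows account and group names are not. Both sides are folded to lowercase before the subtraction, so `PCNAME\Admin1` and `pcname\admin1` are treated as the same whitelisted account. The whitelist names are the ones from the thread; in practice substitute your own domain and group names.

```relevance
elements of (set of (members of local group "administrators" as string as lowercase) - set of ((computer name as lowercase & "\admin1"); "domain\domain admins"; "domain\local administrators"))
```

Used as an analysis property this returns the names of any members outside the whitelist (or `<none>` when the group holds only whitelisted members, in any subset). Wrapping it as `exists elements of (...)` turns it into a true/false expression usable as applicability relevance for a remediation fixlet. Note that this only checks direct membership of the local Administrators group; an account that is an admin through nested membership in one of the whitelisted domain groups is not listed here, which is why the domain groups themselves still need to be reviewed separately.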

Hey Greg.

Have you thought about just making an analysis that reports all of the current members of the administrators group and then using a web report to filter out the values that are whitelisted?

This would allow you to adjust the report filter in real time without having to wait for clients to come back online and without having to worry about offline clients reporting that they are all good but actually having a blacklisted administrator.

just a thought,