I’m looking to create some relevance code that will return a list of all users that are unauthorized to be in the local administrators group. If there are no unauthorized accounts the code should return “Compliant”. I would be providing a string of the authorized users in the relevance code. Here’s what I’ve been trying to get working but it’s just not working. This code is always returning Compliant when it shouldn’t. I must have something wrong or maybe there’s a better way to get this done. Any thoughts?
if (exists local group "administrators" whose ("|" & member of it as string as lowercase & "|" is not contained by "|usera|userb|userc|")) then (concatenation "; " of names of local group "administrators" whose ("|" & members of it as lowercase & "|" is not contained by "|usera|userb|userc|")) else ("Compliant")
I think the key is that you need to have two “whose” clauses because you need to iterate over the groups and then iterate over the members of the group… As I was playing with it, I changed a few things and this seems to work:
q: if (exists members whose ("|usera|userb|userc|quetzal\administrator|" contains ("|" & (it as string as lowercase) & "|")) of local group "administrators") then (concatenation "; " of names of local group "administrators" whose (exists member whose ("|usera|userb|userc|quetzal\administrator|" contains ("|" & it as string as lowercase & "|")) of it)) else ("Compliant")
A: Administrators
Note that most users should be in the format of “domain\username” or “computername\username”.
Thanks for the quick response. I believe your code only works on BES v7.0 Clients. We currently only have BES v6.0.28.4 Clients in our environment. Any thoughts as to how I can get this to work in v6? The code you gave me always returns “Compliant” no matter what user is in the list, much like what was happening with my code.
You are correct… my mistake, the code does work on v6 clients.
Ben,
Looking back at your provided code it does not do what I was requesting; see my first post above. Your relevance is returning the name of the local group which contains the users that were listed in the string. I’m looking for code that will only show me the users that are not in the provided string; hence only show unauthorized users of the local administrators group. This relevance is going to be used to find computers that have users with admin rights that should not have.
if (exists members whose ("|usera|userb|userc|quetzal\administrator|" contains ("|" & (it as string as lowercase) & "|")) of local group "administrators") then (concatenation "; " of (it as string) of members whose ("|usera|userb|userc|quetzal\administrator|" contains ("|" & (it as string as lowercase) & "|")) of local group "administrators") else ("Compliant")
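The pipe-delimited allowlist test used throughout this thread, modelled in Python as an added example (not code from any poster, and not relevance language). It splits group members into those the containment test matches and those it does not, so the unauthorized list is the negated side of the test; the function names and the member list are assumptions constructed for illustration.

```python
# Added example: models the "|usera|userb|" containment test from the thread.
# SAMPLE_MEMBERS is constructed data, not output from a real endpoint.

def wrap(name):
    """Lowercase a name and wrap it in '|' so only whole entries can match."""
    return "|" + name.strip().lower() + "|"

def split_members(members, allowlist):
    """Return (authorized, unauthorized) lists, preserving input order."""
    allow = allowlist.lower()
    authorized, unauthorized = [], []
    for member in members:
        # Same test as the relevance: allowlist contains "|" & name & "|"
        if wrap(member) in allow:
            authorized.append(member)
        else:
            unauthorized.append(member)
    return authorized, unauthorized

def compliance_report(members, allowlist):
    """'Compliant' when every member is allowlisted, else the offenders."""
    _, unauthorized = split_members(members, allowlist)
    return "; ".join(unauthorized) if unauthorized else "Compliant"

ALLOWLIST = "|usera|userb|userc|quetzal\\administrator|"
SAMPLE_MEMBERS = [
    "QUETZAL\\Administrator",  # allowlisted, differs only in case
    "UserA",                   # allowlisted as a bare name
    "user",                    # prefix of "usera"; the delimiters stop a match
    "QUETZAL\\usera",          # qualified form is not in the allowlist string
    "CORP\\helpdesk",          # not allowlisted
]

if __name__ == "__main__":
    print(compliance_report(SAMPLE_MEMBERS, ALLOWLIST))
    print(compliance_report(["usera", "UserB"], ALLOWLIST))
```

Because matching is on the exact delimited string, an allowlist entry has to be written in the same “domain\username” or bare form that the member name takes when converted to a string.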