List Non-Compliant Accounts - Fixlet ID 117581

Regarding Fixlet ID 117581, I would like to retrieve a list of non-compliant accounts, specifically those with the SeRemoteInteractiveLogonRight privilege that do not belong to SID groups S-1-5-32-544 (Administrators) or S-1-5-32-555 (Remote Desktop Users).

I attempted to construct a relevance expression to identify such accounts but did not get the desired results. Here’s the expression I tried:

//Original
not exists 1 whose (exists (concatenation ", " of (it as string) of ((number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) of concatenation ", " of (it as string) of (exist matches (regex "S-1-5-32-(544|555)") of it) of component strings of sids of it) of accounts with privilege "SeRemoteInteractiveLogonRight") whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))

//attempted my version:
Q: accounts with privilege "SeRemoteInteractiveLogonRight" whose ((exist matches (regex "S-1-5-32-(544|555)") of it) of component strings of sids of it)
E: This expression evaluates to an unrepresentable object of type "security account"
T: 1.611 ms

Does this work for you?

Q: sids of accounts with privilege "SeRemoteInteractiveLogonRight" whose ((exist matches (regex "S-1-5-32-(544|555)") of it) of component strings of sids of it)
A: BUILTIN\Remote Desktop Users
A: BUILTIN\Administrators
T: 2.504 ms
I: plural security identifier

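Added example, not part of the thread and not BigFix code: the same compliance check done outside BigFix, over text in the `[Privilege Rights]` format written by `secedit /export /areas USER_RIGHTS`, listing every holder of SeRemoteInteractiveLogonRight that is not exactly S-1-5-32-544 or S-1-5-32-555. The sample export and the function names `holders` and `non_compliant` are constructed for illustration.

```python
# Added example, not from the thread. SAMPLE_INF is constructed to mimic the
# [Privilege Rights] section written by `secedit /export /areas USER_RIGHTS`.
ALLOWED_SIDS = {"S-1-5-32-544", "S-1-5-32-555"}  # Administrators, Remote Desktop Users

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1104,svc_backup
[Version]
signature="$CHICAGO$"
"""

def holders(inf_text, privilege):
    """Return the entries assigned to `privilege` in the [Privilege Rights] section."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            return [v.strip() for v in value.split(",") if v.strip()]
    return []

def non_compliant(inf_text, privilege="SeRemoteInteractiveLogonRight"):
    """Entries holding the privilege that are not exactly one of ALLOWED_SIDS."""
    flagged = []
    for entry in holders(inf_text, privilege):
        # SIDs are written with a leading '*'. An entry written as a plain
        # account name is flagged for review, since it is not given as one of
        # the two allowed SIDs.
        sid = entry[1:] if entry.startswith("*") else None
        if sid is None or sid.upper() not in ALLOWED_SIDS:
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for entry in non_compliant(SAMPLE_INF):
        print("non-compliant:", entry)
```

The comparison is an exact set lookup, so a SID that merely begins with one of the allowed values is still reported.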

Thanks @SLB. I was trying with names, String etc.; didn't think of sids.