Regarding Fixlet ID 117581, I would like to retrieve a list of non-compliant accounts, specifically those with the SeRemoteInteractiveLogonRight privilege that do not belong to SID groups S-1-5-32-544 (Administrators) or S-1-5-32-555 (Remote Desktop Users).
I attempted to construct a relevance expression to identify such accounts but did not get the desired results. Here’s the expression I tried:
//Original
not exists 1 whose (exists (concatenation ", " of (it as string) of ((number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) of concatenation ", " of (it as string) of (exist matches (regex "S-1-5-32-(544|555)") of it) of component strings of sids of it) of accounts with privilege "SeRemoteInteractiveLogonRight") whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))
//attempted my version:
Q: accounts with privilege "SeRemoteInteractiveLogonRight" whose ((exist matches (regex "S-1-5-32-(544|555)") of it) of component strings of sids of it)
E: This expression evaluates to an unrepresentable object of type "security account"
T: 1.611 ms
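
An independent cross-check for the same condition, added here as an example and not part of the original post or of the Fixlet: it lists every holder of SeRemoteInteractiveLogonRight that is not exactly S-1-5-32-544 or S-1-5-32-555. It assumes the rights were exported in the INF layout written by `secedit /export /areas USER_RIGHTS`; the sample text, the domain SID, the account name and the function names are constructed for illustration.

```python
ALLOWED_SIDS = {"S-1-5-32-544", "S-1-5-32-555"}  # Administrators, Remote Desktop Users
PRIVILEGE = "SeRemoteInteractiveLogonRight"

# Constructed sample in the INF layout of a secedit USER_RIGHTS export.
# The S-1-5-21-... SID and the name "svc_backup" are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1104,svc_backup
[Version]
signature="$CHICAGO$"
"""

def privilege_holders(inf_text, privilege=PRIVILEGE):
    """Return the raw entries granted `privilege`, in file order."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only read assignments inside [Privilege Rights].
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == privilege.lower():
            return [v.strip() for v in value.split(",") if v.strip()]
    return []

def non_compliant(holders, allowed=ALLOWED_SIDS):
    """Return holders that are not exactly one of the allowed SIDs.

    SIDs are written with a leading '*'. The comparison is exact, so a
    longer SID that merely contains an allowed one is still reported.
    Entries without '*' are plain account names and are reported as-is.
    """
    bad = []
    for entry in holders:
        sid = entry[1:] if entry.startswith("*") else None
        if sid is None or sid not in allowed:
            bad.append(sid or entry)
    return bad

if __name__ == "__main__":
    for item in non_compliant(privilege_holders(SAMPLE_INF)):
        print(item)
```

On a real endpoint the export is normally UTF-16, so the file has to be decoded accordingly before it is passed to `privilege_holders`.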