Multiple properties of local accounts

josephalves 2022-01-24 23:08:06 UTC #1

What am I doing wrong here?

I want to get information on a user. I did the statement below to get properties of users.

properties of type “user”

logged on user of : logged on user
sid of : security identifier
name of : string
active directory user of : active directory local user
password age of : time interval
guest privilege of : boolean
user privilege of : boolean
admin privilege of : boolean
home directory of : string
home directory folder of : folder
comment of : string
script flag of : boolean
account disabled flag of : boolean
home directory required flag of : boolean
no password required flag of : boolean
password change disabled flag of : boolean
locked out flag of : boolean
password expiration disabled flag of : boolean
normal account flag of : boolean
temporary duplicate account flag of : boolean
workstation trust account flag of : boolean
server trust account flag of : boolean
interdomain trust account flag of : boolean
logon script of : string
print operator flag of : boolean
communications operator flag of : boolean
server operator flag of : boolean
accounts operator flag of : boolean
full name of : string
user comment of : string
application parameter string of : string
allowed workstations string of : string
last logon of : time
last logoff of : time
account expiration of : time
maximum storage of : integer
bad password count of : integer
logon count of : integer
logon server of : string
country code of : integer
code page of : integer
id of : integer
user id of : integer
primary group id of : integer
profile folder of : string
home directory drive of : string
password expired of : boolean
domain of : string
winrt packages of : winrt package

When I do this it works.
(names of it) of users

Administrator
DefaultAccount
Guest
usrTemplate

This works as well.
(last logons of it) of users

Sat, 22 Jan 2022 12:01:00 -0700
Fri, 28 May 2021 06:31:55 -0700
Tue, 23 May 2017 12:47:30 -0700

When I try to combine them it fails. I have tried this so many different ways and I get different errors.
(names of it & " - " & last logons of it as string) of users

(name of it & " - " & last logon of it as string) of users
Error: Singular expression refers to nonexistent object.

josephalves 2022-01-24 23:14:21 UTC #2

Also, I can do full name of domain users but not properties of type “domain user”.
Error: Singular expression refers to nonexistent object.

Why?

SLB 2022-01-24 23:16:29 UTC #3

Its because you are trying to join plural strings. You would need to use singular strings to join the results, eg

Q: (name of it & " - " & (last logon of it as string | "No Login")) of users
A: DefaultAccount - No Login
A: Guest - No Login
A: Administrator - Mon, 11 Mar 2019 17:41:26 +0000
A: MyLocal - Fri, 17 Dec 2021 11:34:02 +0000
T: 4.462 ms
I: plural string

josephalves 2022-01-24 23:17:44 UTC #4

Tried that too

josephalves 2022-01-24 23:18:38 UTC #5

It works if I use the | “No Login”

What does that do and why did that fix it?

SLB 2022-01-24 23:18:43 UTC #6

You will get errors if the local user has never logged in. You can trap those using the “|” operator

josephalves 2022-01-24 23:19:25 UTC #7

Ahh. So basically it trips out over a single objects and fails?

Thank you very much for the quick reply. It’s been driving me crazy.

josephalves 2022-01-24 23:20:52 UTC #8

Also why did you have to use “,” instead of “&”

SLB 2022-01-24 23:22:34 UTC #9

That was more a case of too much haste on my side. I edited my initial response to use & to join the results

josephalves 2022-01-24 23:27:37 UTC #10

Nice. So I changed it a little.
(name of it & " - " & (last logon of it as string | “No Login”) & " - " & (last logoff of it as string | “No Logoff”)) of users

Looks good.

Now the next question, why can’t I do the same with Domain Users instead of users.
When I do properties of type “Domain User” I get the error below. I’d rather use domain users over just users to get the same type of information.

trn 2022-01-25 08:47:14 UTC #11

There is no type ‘domain user’, so there are no properties .

See https://developer.bigfix.com/relevance/reference/user.html

‘domain users’ returns all of the users that are members of the domain for which the machine is a user.

josephalves 2022-01-25 23:51:07 UTC #12

You lost me. How did you get that? I see if I keep scrolling it shows a bunch of properties of Users but is there an easier way to see if an object has properties?

trn 2022-01-26 08:14:54 UTC #13

The page has two primary sections - ‘Creation’ & ‘Properties’

Also, I can do full name of domain users but not properties of type “domain user”.
Error: Singular expression refers to nonexistent object.

Why?

Whichever creation mechanism you use, it will return objects of type ‘User’.

That said, you probably don’t want to use ‘domain users’ on a machine in a domain with a lot of users…

AlanM 2022-01-26 17:10:17 UTC #14

So there are a few things at play here.
The domain user type inherits from user so all the properties are available.

The inspectors though rely on Windows actually filling out a structure completely ( the struct is https://docs.microsoft.com/en-us/windows/win32/api/lmaccess/ns-lmaccess-user_info_3 ) and for various reasons it leaves them blank a lot especially on the domain user requests probably due to reasons that have been mentioned before (overloading the domain controller).

An additional wrinkle is that on a domain controller, all the domain users are “local” to the system so therefore are regular users.

josephalves 2022-01-26 19:16:03 UTC #15

I actually started with local users because that is what I am trying to do, pull a list of domain users from a domain controller, specifically only the PDC. I was trying to work with domain users though to see if the filtering is any better. Looks like it’s just easier to keep going with the local users though.

josephalves 2022-02-08 16:57:35 UTC #16

How do I make “Windows” not case sensitive? I’m guessing case insensitive regular expression but not sure how to write it out.

(name of it & " - " & (last logon of it as string | “No Login” & " -" & (comment of it as string) & " - " & (last logoff of it as string | “No Logoff”))) of users whose (comment of it contains “Windows” as string)

trn 2022-02-08 17:17:49 UTC #17

…whose (comment of it as lowercase contains “Windows” as lowercase)

josephalves 2022-02-08 17:23:57 UTC #18

Thank you.

Why did I have to use “as lowercase” before and after “windows”? That is what threw me off there.

JasonWalker 2022-02-08 17:42:51 UTC #19

That’s to convert both the actual ‘comment’ value and the literal ‘Windows’ string to lowercase, so they’ll both match.
You could have also changed the literal yourself, as

(comment of it as lowercase contains “windows”)

I prefer explicitly forcing both to lowercase, as someone modifying the relevance later may not know they have to enter an all lowercase string.

josephalves 2022-05-03 14:23:58 UTC #20

I found out we have some admins that are trying to set their passwords to never expire in customer domains so I need to expand this. I’m having trouble with the AND searching for the boolean “False”. It ends up finding an account that doesn’t have password set to never expire because it has OneNeck in the name and ignores the AND condition. What am I doing wrong here?

(full name of it & " - " & (last logon of it as string | "No Login" & " -" & (comment of it as string) & " - " & (last logoff of it as string | "No Logoff") & " - Disabled=" & account disabled flag of it as string & " - Password Never Expires=" & password expiration disabled flag of it as string )) of users whose ((comment of it as lowercase contains "windows" as lowercase) OR (comment of it as lowercase contains "oneneck" as lowercase) AND (password expiration disabled flag of it as string contains "False"))