Properties of local group administrators

(imported topic written by tharryman91)

I am trying to get certain properties (names of it, logon count of it, password ages of it, last logons of it) of all of the members of the local group Administrators. Some of the computers queried are domain members, but most are not.

I read over the posting here about how to get the properties of local users. The same Q on my domain machine does not produce the same A that he is getting, however. Noah got this:

Q: properties whose (it as string contains "local user")

A: domain user : local user

A: domain users: local user

A: local user : local user

A: local users: local user

A: name of : string

A: password age of : time interval

A: guest privilege of : boolean

A: user privilege of : boolean

A: admin privilege of : boolean

A: home directory of : string

A: comment of : string

A: script flag of : boolean

A: account disabled flag of : boolean

A: home directory required flag of : boolean

A: no password required flag of : boolean

A: password change disabled flag of : boolean

A: locked out flag of : boolean

A: password expiration disabled flag of : boolean

A: normal account flag of : boolean

A: temporary duplicate account flag of : boolean

A: workstation trust account flag of : boolean

A: server trust account flag of : boolean

A: interdomain trust account flag of : boolean

A: logon script of : string

A: print operator flag of : boolean

A: communications operator flag of : boolean

A: server operator flag of : boolean

A: accounts operator flag of : boolean

A: full name of : string

A: user comment of : string

A: application parameter string of : string

A: allowed workstations string of : string

A: last logon of : time

A: last logoff of : time

A: account expiration of : time

A: maximum storage of : integer

A: bad password count of : integer

A: logon count of : integer

A: logon server of : string

A: country code of : integer

A: code page of : integer

A: user id of : integer

A: primary group id of : integer

A: profile folder of : string

A: home directory drive of : string

A: password expired of : boolean

I get this:

Q: properties whose (it as string contains "local user")

A: local user of : active directory local user

A: logged on user of : active directory local user

A: local users of : active directory local user

A: logged on users of : active directory local user

A: name of : string

A: distinguished name of : string

A: distinguished name error message of : string

A: groups error message of : string

A: sample time of : time

A: group of : active directory group

A: groups of : active directory group

A: local user : user

A: local users: user

A: active directory user of : active directory local user

Regardless, the help from his post works great to get the properties I am looking for from the local user accounts:

Q: (names of it, logon count of it, password ages of it, last logons of it) of local users

This works great to get the members (local and domain) of the local group administrators:

Q: members of local group "Administrators"

However, when I try to concatenate the two, I get bruises from banging my head on the desk; I am unable to query any information about domain users in the local group “Administrators”.

Any assistance would be much appreciated!

Timothy

(imported comment written by SystemAdmin)

Hey Timothy,

The user inspectors have changed a lot between versions, so the properties Noah returned were probably from a 7.x relevance debugger. I have 8.1 and it matches your results.

This should do what you are looking for:

(
   name of item 0 of it, logon count of item 0 of it, password ages of item 0 of it, last logon of item 0 of it as string | "Never", account disabled flag of item 0 of it, item 1 of it
)
of
(
   it, names of items 1 of
   (
      sid of it, local groups
   )
   whose
   (
      exists
      (
         item 0 of it as string as lowercase, members of item 1 of it as string as lowercase
      )
      whose
      (
         item 0 of it = item 1 of it
      )
   )
)
whose
(
   item 1 of it = "Administrators"
)
of local users

-Zak

(imported comment written by tharryman91)

Amazing… I can mostly figure out what is happening here. The item 0 / item 1 reference has me a bit over a barrel, but I will ensure I understand all items of it before I deploy it.

However, it still returns only local users, not either of the 2 Domain users in the local Administrators group.

Thanks very much,

Timothy

(imported comment written by SystemAdmin)

Zak,

This query is very useful but as tharryman pointed out, can you explain what the item 0 / item 1 of it references? Also when I add a slightly modified version of this to an analysis, the output shows in some cases. Is there a way to get this to list all users in the analysis output as user1,user2,user3 etc… instead of the current output?

(imported comment written by SystemAdmin)

(took me a little while to figure out why I did that too)

Basically, we have two objects in relevance that aren't normally related, the object and the object. Since our objective with this statement is to get a bunch of user data based on the group they are in, we have to do a little relevance tuple trickery to match these two objects.

Here is another way of looking at what the inner part of that expression does:

Q: (name of it, sid of it) of local users, members of local groups

A: ( Guest, NINJAERBIRD\Guest ), NINJAERBIRD\zkus

A: ( Guest, NINJAERBIRD\Guest ), NINJAERBIRD\Guest

A: ( Guest, NINJAERBIRD\Guest ), NT AUTHORITY\IUSR

A: ( Guest, NINJAERBIRD\Guest ), NT AUTHORITY\INTERACTIVE

A: ( Guest, NINJAERBIRD\Guest ), NT AUTHORITY\Authenticated Users

A: ( Guest, NINJAERBIRD\Guest ), NINJAERBIRD\test

A: ( Guest, NINJAERBIRD\Guest ), NINJAERBIRD\zkus

A: ( Guest, NINJAERBIRD\Guest ), NINJAERBIRD\test

A: ( test, NINJAERBIRD\test ), NINJAERBIRD\zkus

A: ( test, NINJAERBIRD\test ), NINJAERBIRD\Guest

A: ( test, NINJAERBIRD\test ), NT AUTHORITY\IUSR

A: ( test, NINJAERBIRD\test ), NT AUTHORITY\INTERACTIVE

A: ( test, NINJAERBIRD\test ), NT AUTHORITY\Authenticated Users

A: ( test, NINJAERBIRD\test ), NINJAERBIRD\test

A: ( test, NINJAERBIRD\test ), NINJAERBIRD\zkus

A: ( test, NINJAERBIRD\test ), NINJAERBIRD\test

A: ( zkus, NINJAERBIRD\zkus ), NINJAERBIRD\zkus

A: ( zkus, NINJAERBIRD\zkus ), NINJAERBIRD\Guest

A: ( zkus, NINJAERBIRD\zkus ), NT AUTHORITY\IUSR

A: ( zkus, NINJAERBIRD\zkus ), NT AUTHORITY\INTERACTIVE

A: ( zkus, NINJAERBIRD\zkus ), NT AUTHORITY\Authenticated Users

A: ( zkus, NINJAERBIRD\zkus ), NINJAERBIRD\test

A: ( zkus, NINJAERBIRD\zkus ), NINJAERBIRD\zkus

A: ( zkus, NINJAERBIRD\zkus ), NINJAERBIRD\test

Basically, this list is just a cross product of all the members of the local groups and all the local users. That (item 0 of it = item 1 of it) piece of relevance is to filter it so that the list only contains the pairs where the sid of the user matches the name of the member of the group. From there, we can filter out the ones that aren’t in the “administrator” group, and print out some data about the users.

Zman442, are you just looking for a joined list of user names corresponding to the group? You can use “concatenations of” to do something like this:

concatenations ", " of ( name of item 0 of it ) of ( it, names of items 1 of ( sid of it, local groups ) whose ( exists ( item 0 of it as string as lowercase, members of item 1 of it as string as lowercase ) whose ( item 0 of it = item 1 of it ) ) ) whose ( item 1 of it = "Administrators" ) of local users

-Zak
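
The cross product and filter described in this post, modelled in Python as an added example (not code from the thread, and not relevance). It shows why a join that starts from local users returns only local accounts, next to a join that starts from the group's members; the group memberships, logon counts and the `EXAMPLE\dadmin` domain account are constructed sample data.

```python
# Constructed sample data modelled on the thread's output. EXAMPLE\dadmin is a
# made-up domain account; group memberships and logon counts are assumptions.
LOCAL_USERS = {  # "sid of it as string" of each local user -> properties
    r"NINJAERBIRD\Guest": {"name": "Guest", "logon_count": 0},
    r"NINJAERBIRD\test": {"name": "test", "logon_count": 3},
    r"NINJAERBIRD\zkus": {"name": "zkus", "logon_count": 42},
}
LOCAL_GROUPS = {  # group name -> "members of it as string"
    "Administrators": [r"NINJAERBIRD\zkus", r"EXAMPLE\dadmin"],
    "Guests": [r"NINJAERBIRD\Guest"],
    "Users": [r"NINJAERBIRD\test", r"NT AUTHORITY\INTERACTIVE"],
}


def join_from_local_users(group):
    """Same shape as the query in the thread: pair every local user with every
    local group, keep pairs where the user's SID string equals a member string,
    then keep only the requested group."""
    rows = []
    for sid, props in LOCAL_USERS.items():            # "... of local users"
        for gname, members in LOCAL_GROUPS.items():   # "(sid of it, local groups)"
            matched = sid.lower() in (m.lower() for m in members)
            if matched and gname == group:            # both "whose" filters
                rows.append((props["name"], props["logon_count"], gname))
    return rows


def join_from_members(group):
    """Start from the group's members instead, so a member with no matching
    local user is reported with empty properties rather than dropped."""
    by_sid = {sid.lower(): props for sid, props in LOCAL_USERS.items()}
    rows = []
    for member in LOCAL_GROUPS.get(group, []):
        props = by_sid.get(member.lower())
        if props is None:
            rows.append((member, None, "not a local account"))
        else:
            rows.append((props["name"], props["logon_count"], "local"))
    return rows


if __name__ == "__main__":
    print(join_from_local_users("Administrators"))
    print(join_from_members("Administrators"))
```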

(imported comment written by SystemAdmin)

Thanks, I often forget about the concatenation feature. I tested and it works well. I will apply it to the other properties and see how the analysis looks.

ALT-TAB, when looking through the existing properties I see the ability to check total size of system drive and free space of the system drive but how do I report on total space and total free space when more than one drive is available? I would like the ability to report as totals of all drives and each drive individually depending on the situation.

Is this another instance of the concatenation feature?

(imported comment written by SystemAdmin)

Zak,

When I use the concatenation feature on the names section of the user query it works as expected, I see a comma delimited output of all users in the Administrators group. I also split out the individual queries to get logon count, password age and last logon. When I use the concatenation feature against those queries I get for Logon Count, Password Age and Account Disabled however Last Logons works and also shows a comma delimited list of last logons.

Thoughts?

(imported comment written by SystemAdmin)

zman442

ALT-TAB, when looking through the existing properties I see the ability to check total size of system drive and free space of the system drive but how do I report on total space and total free space when more than one drive is available? I would like the ability to report as totals of all drives and each drive individually depending on the situation.

Is this another instance of the concatenation feature?

There are a few inspectors that take a list in relevance and turn it into a single result. Concatenation is one, and it will join all your strings together:

Q: concatenations of ("1";"2";"3";"4")

A: 1234

We also have a “sum of” inspector that adds together a list of integers, which is what you want here:

Q: sum of (1;2;3;4)

A: 10

There is also “maximum” and “minimum”, and probably others that I’ve forgotten.

zman442

When I use the concatenation feature against those queries I get for Logon Count, Password Age and Account Disabled however Last Logons works and also shows a comma delimited list of last logons.

Thoughts?

I am not sure… I would have to see your relevance to understand better.

-Zak