Registry key permission audit

(imported topic written by SystemAdmin)

We wanted to check if a domain user group which has the prefix “xy” and members of the local administrators group have full control permission over the “HKEY_LOCAL_MACHINE\Software” registry key.

If the above condition is true, then it would say pass … else it would say fail.

(This came about from this topic: http://forum.bigfix.com/viewtopic.php?id=1030 since only local users with the prefix “ron” are successfully being audited, but domain users with “ron” are not being checked.)

Thanks for the support!

(imported comment written by BenKus)

Try adding “names of domain users” to your expression too:

q: effective read permissions for (names of domain users whose (name of it as lowercase starts with "ron");names of local users whose (name of it as lowercase starts with "ron")) of dacls of security descriptors of key "HKEY_LOCAL_MACHINE\Software" of registry

Note: be careful with running any relevance expression that contains “local users” on domain controllers because if there are lots of domain users, the expression will take a very long time (and it will look like your domain controller agent has died).

Ben
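
For a cross-check outside the BigFix client, the pass/fail question from the first post can also be asked of the key's DACL in PowerShell. This is an added example, not part of the original thread: it only looks at allow ACEs that name the account or group directly (not effective access through group membership or deny ACEs), and `Test-PrefixFullControl`, `CONTOSO`, `xy-regadmins` and `ron.local` are constructed names.

```powershell
# Added example: Pass/Fail on whether any principal whose name starts with
# a given prefix holds an allow ACE granting full control on a registry key.
function Test-PrefixFullControl {
    param(
        [Parameter(Mandatory)] $Rules,           # e.g. (Get-Acl <key>).Access
        [Parameter(Mandatory)] [string] $Prefix  # account-name prefix, e.g. 'xy'
    )
    $full       = [int][System.Security.AccessControl.RegistryRights]::FullControl
    $genericAll = 0x10000000   # GENERIC_ALL; Get-Acl shows it as 268435456

    $hits = foreach ($r in $Rules) {
        # Drop the "DOMAIN\" or "COMPUTER\" part so domain and local
        # principals are matched by the same prefix test.
        $leaf = ($r.IdentityReference.Value -split '\\')[-1]
        if (-not $leaf.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        if ($r.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $mask = [int]$r.RegistryRights
        if ((($mask -band $full) -eq $full) -or (($mask -band $genericAll) -ne 0)) { $r }
    }

    [pscustomobject]@{
        Result     = if ($hits) { 'Pass' } else { 'Fail' }
        Principals = @($hits | ForEach-Object { $_.IdentityReference.Value })
    }
}

# Constructed sample ACL so the function can be tried without touching a live key.
$rights = [System.Security.AccessControl.RegistryRights]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$sample = @(
    (New-Object System.Security.AccessControl.RegistryAccessRule('CONTOSO\xy-regadmins', $rights::FullControl, $allow)),
    (New-Object System.Security.AccessControl.RegistryAccessRule('WKS01\ron.local',      $rights::ReadKey,     $allow)),
    (New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Administrators', $rights::FullControl, $allow))
)

Test-PrefixFullControl -Rules $sample -Prefix 'xy'    # Pass: CONTOSO\xy-regadmins
Test-PrefixFullControl -Rules $sample -Prefix 'ron'   # Fail: ron.local has ReadKey only

# Against the live key from the thread:
# Test-PrefixFullControl -Rules (Get-Acl -Path 'HKLM:\SOFTWARE').Access -Prefix 'xy'
```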