Relevance Help - Local Account running a Service

I need help identifying endpoints running services with a local account whose passwords are set to expire.

First, identifying an endpoint running a service with a local account has been difficult enough for some reason.

Example, this returns False when it should return True:

Q: exist local user whose (".\" & name of it = login account of services)
A: False

However, this returns True (which proves the above QnA statement should be True):

Q: exist local user whose (".\" & name of it = login account of service whose (display name of it = "SQL Server (MSSQLSERVER)"))
A: True

My goal was essentially to be this:

Q: if (exist local user whose (".\" & name of it = login account of services)) then (not password expiration disabled flag of local user whose (".\" & name of it = login account of services)) else (false)

Thoughts?

I guess I’m not sure of the relevance of having the “.” string. What does it represent?

In my experience when a service is using a local user for its login name, it reports back .\UserA for the local user named UserA.

Therefore since .\UserA != UserA, I add the “.” to the name of the local user.

Did that clarify?

The local user relevance does that for you. Asking BigFix the following question should get you a simple user name string:

q: unique values of login accounts of services
A: LocalSystem
A: NT AUTHORITY\LocalService
A: NT AUTHORITY\NetworkService
A: NT Authority\LocalService
A: NT Authority\NetworkService
A: localSystem
T: 42.407 ms

Hence, you should be able to do this:

if (exist local user whose (name of it = login account of services)) then (not password expiration disabled flag of local user whose (name of it = login account of services)) else (false)

That doesn’t work.

Here is what I get:

Q: unique values of login accounts of services
A: .\SVC_SQLAGENTUSER
A: .\SVC_SQLBROWSERUSER
A: .\SVC_SQLFTSUSER
A: .\SVC_SQLINTSVCSUSER
A: .\SVC_SQLSERVERUSER
A: LocalSystem
A: NT AUTHORITY\LocalService
A: NT AUTHORITY\NETWORKSERVICE
A: NT AUTHORITY\NetworkService
A: NT Authority\LocalService
A: NT Authority\NetworkService
A: localSystem

AND

Q: names of local users
A: Administrator
A: Guest
A: SVC_SQLAGENTUSER
A: SVC_SQLBROWSERUSER
A: SVC_SQLFTSUSER
A: SVC_SQLINTSVCSUSER
A: SVC_SQLSERVERUSER

I think the issue has to have something to do with plurals.

As expected:

Q: exist (login accounts of services) whose (it starts with ".\")
A: True

Should be True

Q: exist local users whose (".\" & name of it = login account of services)
A: False
exists local users whose (exists (name of it, unique values of login accounts of services) whose(item 1 of it ends with item 0 of it))

I get Error: Singular expression refers to non-unique object.

Q: if (exist local users whose (exists (name of it, login accounts of services) whose(item 1 of it ends with item 0 of it))) then (not password expiration disabled flag of local users whose (exists (name of it, login accounts of services) whose(item 1 of it ends with item 0 of it))) else (false)
A: False
E: Singular expression refers to non-unique object.

Does this part work by itself?

Yes.

The error is when I try to return the password expiration disabled flag property of multiple accounts that fall into the relevance you provided.

exists local users whose ((not password expiration disabled flag of it) AND exists (name of it, unique values of login accounts of services) whose(item 1 of it ends with item 0 of it) )

Or, you can get the actual names for an analysis property:

names of local users whose ((not password expiration disabled flag of it) AND exists (name of it, unique values of login accounts of services) whose(item 1 of it ends with item 0 of it) )

In general, it is not needed to use If/Then if you write the relevance this way, and it is much more clear to follow.


Awesome! That’s it.

Now I just need to develop the actionscript to set the password never expires flag on the accounts that come back true to the first statement.


I know this looks strange but I think it gets the same idea with only one whose :smile:

exists (services) whose ( not password expiration disabled flag of user of (user of process(pid of it)) )

This doesn’t return the result I would expect to see.

Q: exists local users whose ((not password expiration disabled flag of it) AND exists (name of it as lowercase, unique values of (login accounts of services as lowercase)) whose(item 1 of it ends with item 0 of it) )
A: True
T: 46.620 ms

Compared to:

Q: exists (services) whose (not password expiration disabled flag of user of (user of process(pid of it)))
A: False
T: 3.447 ms

Also by this you make the assumption the service is running and has a PID. This is not always the case when a service is set to startup type demand (Manual).
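Checking the same condition directly on an endpoint, as an added example that is not part of the thread: this PowerShell snippet uses CIM (Win32_Service and Win32_UserAccount) to list services whose logon account is a local user whose password is set to expire. It compares names case-insensitively and does not depend on the service having a PID, which covers the two pitfalls raised above (the "NT Authority"/"NT AUTHORITY" spellings and Manual-start services that are not running).

```powershell
# Added example, not from the thread: cross-check the BigFix relevance result with CIM.
# Lists services whose logon account is a local user (".\Name" or "COMPUTERNAME\Name")
# whose password expires. Case-insensitive; does not require the service to be running.

# Local accounts only; without this filter Win32_UserAccount can also query the domain.
$localUsers = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE'

# Index by lowercase name so the comparison mirrors "as lowercase" in the relevance.
$byName = @{}
foreach ($u in $localUsers) { $byName[$u.Name.ToLowerInvariant()] = $u }

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $logon = $svc.StartName
    if (-not $logon) { continue }           # some services report no logon name

    # Split "PREFIX\Name" once. LocalSystem has no prefix; NT AUTHORITY\... and
    # DOMAIN\user have a prefix that is not this machine, so they are skipped.
    $parts = $logon -split '\\', 2
    if ($parts.Count -ne 2) { continue }
    if ($parts[0] -ne '.' -and $parts[0] -ne $env:COMPUTERNAME) { continue }

    $user = $byName[$parts[1].ToLowerInvariant()]
    if ($null -eq $user) { continue }       # logon name matches no local account

    if ($user.PasswordExpires) {
        [pscustomobject]@{
            Service         = $svc.Name
            StartMode       = $svc.StartMode   # Auto / Manual / Disabled
            State           = $svc.State       # Running or Stopped; both are checked
            Account         = $user.Name
            PasswordExpires = $user.PasswordExpires
        }
    }
}

# Same outcome as the "exists local users whose (...)" relevance: True when any hit.
$relevant = @($findings).Count -gt 0
$findings | Format-Table -AutoSize
"Relevant: $relevant"
```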

For your action script, I have been using a solution for changing user account flags you could try using. It's kind of rough though because it basically grabs all accounts that don't have the flag and applies it using cmd. But you would need to set the re-apply value to whenever it's relevant again to get all the accounts you want to change. It does it in two stages. First it generates a simple text output of a list of accounts that have the password expiration flag. Next it applies the command to each user iteratively as the action re-applies.

//Remove any old results
delete __appendfile
delete "C:\Temp\users.txt"

//Determine if any users with this flag exist on the system
if {exists local user whose (not password expiration disabled flag of it)}
appendfile {concatenation "%0d%0a" of (names of local users whose (not password expiration disabled flag of it))}
endif

//Create the list of users who still need the change
if {exists folder "C:\TEMP" AND exists file "__appendfile"}
copy __appendfile "C:\TEMP\users.txt"
elseif {not exists folder "C:\TEMP" AND exists file "__appendfile"}
dos md "C:\TEMP"
copy __appendfile "C:\TEMP\users.txt"
endif

//Define the parameter of the user name to be changed by grabbing the first result of the file
if {exists file "C:\TEMP\users.txt"}
parameter "UserName"="{line 1 of file "C:\TEMP\users.txt"}"
endif

//Perform the change
if {exists local user whose (not password expiration disabled flag of it)}
dos wmic path Win32_UserAccount where Name='{parameter "UserName" of action}' set PasswordExpires=false
endif

Not sure if that would be what you’re looking for or not. You would also need to change it so it only applies to your user accounts you want changed in case you don’t want to change the built-in guest or admin accounts or any other local accounts that may be present. In your case it would be:

names whose (it starts with "SVC_") of local users whose ((not password expiration disabled flag of it))

What about this?

delete __appendfile

appendfile {concatenation "%0d%0a" of ("WMIC USERACCOUNT WHERE %22Name='" & it & "'%22 SET PasswordExpires=FALSE") of (names of local users whose ((not password expiration disabled flag of it) AND exists (name of it as lowercase, unique values of (login accounts of services as lowercase)) whose (".\" & item 0 of it = item 1 of it)))}

move __appendfile run.bat

waithidden cmd.exe /c run.bat

That looks like it should work, assuming that wmic command line will work.