We are looking to police our local administrator groups on our Windows systems. Normally we do this through GPOs and restricted groups; however, due to the complexity of SAP applications we are unable to manage the sheer number of GPOs that would be required (one for each instance).
A local SAP install typically generates two accounts per instance: SAPService<SID> & <SID>adm. Both of these accounts must belong to the administrators group. I would like to use BigFix to continually search the local administrators group on all our SAP servers to make sure only the accounts we specify are in the group plus the accounts that fit into the above nomenclature. The SAP accounts will always be:
SAPService<SID>
<SID>adm
Is there a way to do this? If it finds any accounts that don't fit, then it should allow us to remove the accounts from the admin group; they don't necessarily have to be deleted.
Thanks and please let me know if this is confusing or if you need more detail.
Hmm… I thought I had responded to this one before…
Here is some relevance for a property you can use to detect this situation… Check out my relevance using QnA on these computers to make sure that I got it right:
Detect the SAP admin accounts:
names whose ((exists matches (case insensitive regex "SAPService\w\w\w") of it) OR (exists matches (case insensitive regex "\w\w\wadm") of it)) of local users whose (admin privilege of it)
Detect admin accounts that are NOT the SAP accounts and not the admin account:
names whose ((not (exists matches (case insensitive regex "SAPService\w\w\w") of it) OR (exists matches (case insensitive regex "\w\w\wadm") of it)) AND it as lowercase != "administrator") of local users whose (admin privilege of it)
To put these in a Fixlet, you would add "exists" to the front of these relevance expressions to make them return true/false.
This should be the first step in your question… let me know how that works and then we can make the action.
Thanks for the syntax. When I run the syntax for "detect admin accounts that are NOT the SAP…" it correctly returns one account, but it also returns sidADM. Any ideas?
Whoops… I forgot to add the second "not" (also had to change OR to AND)… Try this:
Detect admin accounts that are NOT the SAP accounts and not the admin account:
names whose ((not (exists matches (case insensitive regex "SAPService\w\w\w") of it) AND (not exists matches (case insensitive regex "\w\w\wadm") of it)) AND it as lowercase != "administrator") of local users whose (admin privilege of it)
Thanks Ben, this is now working (sorry for the delay in getting back to you). The next step is removing the other accounts from the admin group; we don't need to delete them, just remove them from the admin group. Thanks again!
I found that the command-line tool "net localgroup" could add/remove users from a group. The command is:
net localgroup administrators username1 username2 /delete
And by using the "concatenation" operator, we can embed the usernames in the command-line argument (note the closing parenthesis after the "local users" clause, which balances the one opened before "concatenation"):
waithidden cmd.exe /C {"net localgroup administrators " & (concatenation " " of names whose ((not (exists matches (case insensitive regex "SAPService\w\w\w") of it) AND (not exists matches (case insensitive regex "\w\w\wadm") of it)) AND it as lowercase != "administrator") of local users whose (admin privilege of it)) & " /delete"}
I haven't tested it so make sure you do… also make sure your Fixlet uses relevance to detect if there is at least one user in the admin group that matches this criteria, because I am not sure what this command-line option will do if there are no users (and it runs "net localgroup administrators /delete").
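A PowerShell version of the same detect-then-remove procedure, added here as an illustration and not code from the thread or from BigFix. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 or later), a three-character SID as in the \w\w\w regexes above, and an allow-list that by default holds only the built-in Administrator. It goes beyond the thread in two ways: the regexes are anchored so a name that merely contains "adm" or "SAPService" does not pass, and nothing is removed when the list of unexpected members is empty.

```powershell
# Audit the local Administrators group against the SAP naming rule and an
# explicit allow-list. Report-only unless -Remove is given.
param(
    [string[]]$Allowed = @('Administrator'),   # allow-list (assumed default)
    [switch]$Remove                            # membership removal, not account deletion
)

# Anchored equivalents of the thread's regexes: whole-name matches only.
$sapPatterns = @('^SAPService\w{3}$', '^\w{3}adm$')

function Test-SapAccount {
    param([string]$Name)
    foreach ($p in $sapPatterns) {
        if ($Name -imatch $p) { return $true }   # -imatch: case-insensitive
    }
    return $false
}

function Get-UnexpectedAdmins {
    # Get-LocalGroupMember reports names as COMPUTER\user or DOMAIN\user;
    # the SAP rule and the allow-list are applied to the part after the backslash.
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        $short = ($_.Name -split '\\')[-1]
        -not (Test-SapAccount $short) -and ($Allowed -notcontains $short)
    }
}

$extra = @(Get-UnexpectedAdmins)
if ($extra.Count -eq 0) {
    # Guard from the thread: never issue a removal with an empty member list.
    Write-Output 'Administrators group contains only allowed and SAP accounts.'
    return
}

foreach ($m in $extra) {
    if ($Remove) {
        # Removes the principal from the group; the account itself is untouched.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
    } else {
        Write-Output ('Would remove from Administrators: {0} ({1})' -f $m.Name, $m.ObjectClass)
    }
}
```

Domain groups such as a domain administrators group are reported as unexpected unless added to the allow-list, so review the report-only output before running with -Remove.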
I am trying to do something similar but my grasp of regex is limited. I know I should eventually learn it but…
What I am trying to do is similar, I need to detect groups or users in the local groups such as administrators. I cannot seem to get the logic right in the QnA tool.
I list the administrators with this, very simple:
concatenations ", " of (members of local group "Administrators" as string)
What I need to do is search for a particular match in the subsequent list so I can use it as a boolean T/F using 'exists', which I can then use to execute the net localgroup /delete. I tried using some of the above logic, but I keep getting "property is undefined" when changing the property to local group "Administrators" from local users.