Report last user on server, exclude admins

mesee2 · June 23, 2020, 4:42pm

I need some assistance in building an analysis to determine the last logged in user and last login time, where the user is not part of a specific AD group.

the bigfix webui has this statement as a starting point:

if (name of operating system as lowercase starts with “win”) then((name of parent folder of it, modification time of it) of files “NTUSER.DAT” of folders of folder “c:\users”) as string else (“No Login Info Found”)

This currently outputs all users folder names, including ‘default’ and local admins. I would like to exclude the ‘default’ and also our admins which are a member of an AD group from the report and just output the most recent username and timestamp.

After i have the most recent user and time, I would like to have a second relevance true/false if last login time is more than 90 days ago.

Any help is appreciated,
Thank you

cmcannady · June 23, 2020, 4:49pm

@mesee2, have you searched BigFix.me or BigFix GitHub or @jgstew GitHub for the desired content?

mesee2 · June 23, 2020, 4:51pm

Yes, i found a few similar but could not get them to work.
I know i didn’t paste my several attempts…

I cant figure out the whose statement - 'whose name as lowercase does not start with “default” ’

trn · June 23, 2020, 5:05pm

You need to get the syntax correct - you are missing the braces on the whose clause and you also need to specify the owning object for the name (and until things get complex, that will be ‘of it’)

whose (name of it as lowercase does not start with “default”)