Recently I’ve been working on some fixlets that need to access some values from the local group policies. I’ve been having a little trouble getting to:
Now I’ve looked through the Windows inspector reference and found that this key is missing from the security database that’s supported directly through BigFix. In addition, according to Microsoft there is no corresponding registry key for this setting. My final avenue is to utilize the RSOP through the WMI interface that BigFix provides. I’ve found this related forum post ( http://forum.bigfix.com/viewtopic.php?id=1851 ), however the script sample no longer works. I’ve tried a few variations of it but I never get anything back (nonexistent object error). Any ideas on how to pull this particular setting?
I’ve been trying something like this:
Q: (select ("setting from RSOP_SecuritySettingBoolean WHERE keyname='PasswordComplexity' and precedence=1") of rsop computer wmis)
E: Singular expression refers to nonexistent object.
Or:
Q: names of (selects ("setting from RSOP_SecuritySettingBoolean WHERE keyname='PasswordComplexity' and precedence=1") of rsop computer wmis)
As you can see the singular select doesn’t return anything but the plural seems to return something yet I can’t get to any information about what was returned. Any ideas?
So after a lot of digging it seems that WMI will not report the local policy settings, only the ones set by a group policy. This means, as far as I know, the only way to retrieve these settings is to use SecEdit and parse the results. Now I can figure out a way to do this in a two-part fixlet: one to dump the SecEdit data to a file, and then later parse that file with another scriptlet, with a check for the age of that file to make sure it’s current.
Yes, I do, and while you do have fixlets for “Password must meet complexity requirements”, they do not have valid/working relevance, nor do they have any actions.
The other settings in this group use your native relevance functionality (security database) to inspect things like password length etc. requirements. However, in the case of password complexity, you do not provide such built-in relevance. Instead the provided fixlet uses WMI to verify this setting alone.
As I discussed in my follow-up post, this is not logically sound, as this method will only return group policies, not local policies. In the instances where this setting is being pushed by GPO, then this setting would have to be updated on the domain controller, not the local machine.
Here is the fixlet and corresponding action we are using for Password Complexity. It checks GPO via RSOP, then checks the setting in registry. Hope this helps.
Fixlet:
if (exists (select object "* from RSOP_SecuritySettingBoolean where KeyName = 'PasswordComplexity' and precedence = 1" of rsop computer wmi)) then (not (boolean value of properties "Setting" of (select object "* from RSOP_SecuritySettingBoolean where KeyName = 'PasswordComplexity' and precedence = 1" of rsop computer wmi))) else (if (exists lasts 1 of firsts 154 of (values "F" of keys "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account" of registry as string)) then (hexadecimal integer (last 1 of first 154 of (value "F" of key "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account" of registry as string)) != 1) else (true))
Action:
delete __appendfile
appendfile [Unicode]
appendfile Unicode=yes
appendfile [Version]
appendfile signature="$CHICAGO$"
appendfile Revision=1
appendfile [System Access]
appendfile PasswordComplexity = 1
delete "{name of drive of system folder}\temp.inf"
copy __appendfile "{name of drive of system folder}\temp.inf"
waithidden "{pathname of system folder}\secedit.exe" /configure /db {name of drive of system folder}\temp.sdb /cfg {name of drive of system folder}\temp.inf /quiet
delete "{name of drive of system folder}\temp.inf"
delete "{name of drive of system folder}\temp.sdb"
I believe the current state is the same. The only way I can find to get the local policy setting for password complexity status (Security Settings -> Account Policies -> Password Policy -> Password Must Meet Complexity Requirements) is using secedit.exe /export /cfg
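Two posts above converge on the same approach: dump the local policy with secedit.exe /export /cfg, then parse the dump for PasswordComplexity (the earlier two-part fixlet idea), and remediate by feeding a small [System Access] template back to secedit /configure (the action script posted with the fixlet). The following is an added example of that parse-and-check logic, written here for this thread; it is not code from any of the posters or from BigFix. It assumes the INF layout secedit actually produces (UTF-16 LE with a byte-order mark, CRLF line endings, [Unicode], [Version] and [System Access] sections), and the export text it parses is a constructed sample, not a capture from a real machine.

```python
"""Parse a secedit.exe /export dump and evaluate PasswordComplexity.

Added example for this thread (not the posters' code, not BigFix code).
Assumes the INF layout secedit writes: UTF-16 LE with BOM, CRLF lines,
'[Section]' headers and 'key = value' entries. The sample export below
is constructed for the example.
"""
import codecs
import re
from typing import Dict, Optional

# Constructed sample of what `secedit /export /cfg <file>` writes (trimmed).
SAMPLE_EXPORT = (
    "[Unicode]\r\n"
    "Unicode=yes\r\n"
    "[System Access]\r\n"
    "MinimumPasswordAge = 1\r\n"
    "MaximumPasswordAge = 42\r\n"
    "MinimumPasswordLength = 7\r\n"
    "PasswordComplexity = 0\r\n"
    "PasswordHistorySize = 24\r\n"
    "LockoutBadCount = 0\r\n"
    "[Version]\r\n"
    "signature=\"$CHICAGO$\"\r\n"
    "Revision=1\r\n"
)
SAMPLE_EXPORT_BYTES = codecs.BOM_UTF16_LE + SAMPLE_EXPORT.encode("utf-16-le")


def parse_secedit_inf(data: bytes) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} from a secedit INF export.

    The 'utf-16' codec consumes the BOM and picks the byte order, so the
    same function reads both the export and the template built below.
    """
    text = data.decode("utf-16")
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # stray line outside any section
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def password_complexity_enabled(sections: Dict[str, Dict[str, str]]) -> Optional[bool]:
    """True/False from [System Access] PasswordComplexity, None if absent.

    An absent key means secedit did not export the setting; a fixlet should
    treat that as 'unknown' rather than as compliant.
    """
    value = sections.get("System Access", {}).get("PasswordComplexity")
    if value is None:
        return None
    return value == "1"


def remediation_template() -> bytes:
    """Build the minimal template the posted action feeds to secedit /configure.

    Same three sections as the appendfile lines above, encoded as UTF-16 LE
    with BOM because the [Unicode] header declares the file as Unicode.
    """
    body = (
        "[Unicode]\r\nUnicode=yes\r\n"
        "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
        "[System Access]\r\nPasswordComplexity = 1\r\n"
    )
    return codecs.BOM_UTF16_LE + body.encode("utf-16-le")


if __name__ == "__main__":
    parsed = parse_secedit_inf(SAMPLE_EXPORT_BYTES)
    state = password_complexity_enabled(parsed)
    label = {True: "enabled", False: "disabled", None: "not exported"}[state]
    print("PasswordComplexity:", label)
    if state is not True:
        print("would apply template:")
        print(remediation_template().decode("utf-16"))
```

On a real endpoint, `SAMPLE_EXPORT_BYTES` would be replaced by the bytes of the file secedit exported, and the age check the earlier post mentions is simply a comparison of that file's modification time against the current time before trusting its contents. Returning None for a missing key keeps the "setting not found" case distinct from "setting disabled", which is the same distinction the posted fixlet draws with its `exists` guards.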