I am wondering if it is possible to substitute the middle portion of a SID with wildcards. I need to add the local administrator account to this check. The local Admin SID will start with “S-1-5-” and end with “-500”.
Using relevance:
not exists 1 whose (((item 0 of it contains item 1 of it) of (it, set of (if length of it > 0 then it as lowercase else nothing) of (if it contains "*" then parenthesized part 1 of match (regex "*(.+)") of it else it) of (it as trimmed string) of substrings separated by "," of "*S-1-5-32-546,*S-1-5-7")) of set of (it as lowercase) of component strings of sids of accounts with privilege "SeDenyRemoteInteractiveLogonRight")
The issue with this is you need to specify the text string to use for the match in my query or in the one below in Bold. What I would need to do is switch out the bold section with the actual object
Q: exists it whose (it starts with "S-1-5" and it ends with "-500") of
I have this now based on the above, but when I run it I get false if the administrator account is added to or removed from SeRemoteInteractiveLogonRight
q: exists it whose (it starts with "*S-1-5" and it ends with "-500") of elements of set of (it as lowercase) of component strings of sids of accounts with privilege "SeRemoteInteractiveLogonRight"
Note that you can’t use a * in Relevance as a wildcard (unless you are using the Regex operator).
I don’t have a -500 account on my test system, but this example from my system should help:
q: component strings of sids of accounts with privilege "SeRemoteInteractiveLogonRight"
A: S-1-5-32-555
A: S-1-5-32-544
q: exists it whose (it starts with "S-1-5" and it ends with "-500") of component strings of sids of accounts with privilege "SeRemoteInteractiveLogonRight"
A: False
q: exists it whose (it starts with "S-1-5" and it ends with "-555") of component strings of sids of accounts with privilege "SeRemoteInteractiveLogonRight"
q: not exists 1 whose (((item 0 of it = item 1 of it) of (it, set of (if length of it > 0 then it as lowercase else nothing) of (if it contains "*" then parenthesized part 1 of contain (regex "*(.+)") of it else it) of (it as trimmed string) of substrings separated by "," of "*S-1-5-32-544, *S-1-5-32-555")) of set of (it as lowercase) of component strings of sids of accounts with privilege "SeRemoteInteractiveLogonRight") and exists it whose (it ends with "-500" and it starts with "s-1-5-") of elements of set of (it as lowercase) of component strings of sids of accounts with privilege "SeRemoteInteractiveLogonRight"
Now this works, but it is only checking for contains versus match; now all those groups/users should be found within SeRemoteInteractiveLogonRight if = true. However, I need to add the comma check "," and add them together and compare the total number against a predefined number. This is used to ensure no extra groups/users have been added, so 2 commas = 3 groups/users.
So if I check that there are only 2 commas, this should ensure only three groups/users are part of SeRemoteInteractiveLogonRight, which now changes the query to a match
One of my peers advised me that I could use the word “domain” which did the trick
q: not exists 1 whose (((item 0 of it = item 1 of it) of (it, set of (if length of it > 0 then it as lowercase else nothing) of (if it contains "*" then parenthesized part 1 of match (regex "*(.+)") of it else it) of (it as trimmed string) of substrings separated by "," of "*S-1-5-32-546,*S-1-5-7,*S-1-5domain-500")) of set of (if it ends with "-500" and it starts with "s-1-5" then concatenation of characters (0;1;2;3;4) of it & "domain-500" else it) of (it as lowercase) of component strings of sids of accounts with privilege "SeDenyNetworkLogonRight")
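The same audit the thread builds in relevance, written as an added Python example (not from any of the posts above and not BigFix code): each allow-list entry is a SID, with "*" standing for the machine- or domain-specific sub-authorities, so "S-1-5-*-500" matches the built-in Administrator of any machine or domain. The SID list is constructed to stand in for what a "sids of accounts with privilege" query would return; the count check is the "2 commas = 3 principals" test from the thread.

```python
import re

# Constructed sample of what the privilege query might return on one host (not real data).
SAMPLE_SIDS = ["S-1-5-32-546", "S-1-5-7", "S-1-5-21-1004336348-1177238915-682003330-500"]

# Expected assignment for the user right. "*" is a wildcard for one or more
# dash-separated sub-authority numbers; everything else must match literally.
EXPECTED = ["S-1-5-32-546", "S-1-5-7", "S-1-5-*-500"]


def sid_pattern_to_regex(pattern):
    """Compile an allow-list entry into an anchored, case-insensitive regex.

    Only "*" is special; it expands to \\d+(?:-\\d+)*, i.e. the variable
    middle part of a SID. Literal pieces are escaped so "-" and "." are safe.
    """
    body = r"\d+(?:-\d+)*".join(re.escape(chunk) for chunk in pattern.split("*"))
    return re.compile(body, re.IGNORECASE)


def audit_privilege(sids, expected):
    """Compare assigned SIDs to the allow-list.

    Returns (missing_patterns, unexpected_sids): allow-list entries that no
    assigned SID satisfies, and assigned SIDs that no entry allows.
    """
    regexes = {p: sid_pattern_to_regex(p) for p in expected}
    matched, unexpected = set(), []
    for sid in sids:
        hits = [p for p, rx in regexes.items() if rx.fullmatch(sid)]
        if hits:
            matched.update(hits)
        else:
            unexpected.append(sid)
    missing = [p for p in expected if p not in matched]
    return missing, unexpected


def is_compliant(sids, expected):
    """True only for an exact match: nothing missing, nothing extra, and the
    principal count equals the allow-list size (catches two different SIDs
    both satisfying one wildcard entry, which the pattern check alone would not)."""
    missing, unexpected = audit_privilege(sids, expected)
    return not missing and not unexpected and len(sids) == len(expected)


if __name__ == "__main__":
    print(audit_privilege(SAMPLE_SIDS, EXPECTED), is_compliant(SAMPLE_SIDS, EXPECTED))
```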