I'm working with the relevance in “Track Primary User” (https://bigfix.me/fixlet/details/2533), specifically for “LastLoggedInUser”. This relevance is working as intended, but we have a couple of applications that register as a local login. I would like to EXCLUDE these application logins in the relevance.
LastLoggedInUser relevance:
tuple string item 0 of concatenation ", " of items 0 of ((item 0 of item 1 of it, item 1 of item 0 of it) of ((it,((preceding texts of firsts "%22" of following texts of firsts "Name=%22" of it, preceding texts of firsts "%22" of following texts of firsts ".LogonId=%22" of it) of ((following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 is 0) of substrings "|" of it) of ("|" & (concatenation "|" of (string values of selects "* from Win32_LoggedOnUser" of wmi)) & "|")))) of ((preceding texts of firsts "|" of it, following texts of firsts "|" of it) of ((following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 is 0) of substrings "|" of it) of ("|" & (concatenation "|" of ((if (it as string contains "LogonId") then (string values of it) else if (it as string contains "StartTime") then (time values of it as string) else "") of (selects "StartTime, LogonId from Win32_LogonSession where (LogonType=2 OR LogonType=10)" of wmi))) & "|")))) whose (item 0 of item 0 of it = item 1 of item 1 of it)) whose (item 1 of it = (maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi as string))
I’ve managed to get the name excluded from just win32_LoggedOnUser but I can’t find how (where?) to add this in the original relevance.
Exclude specific account like “dwm” or “umf” from win32_LoggedOnUser:
((preceding text of first "%22" of following text of last "Name=%22" of string value of properties "Antecedent" of it) of select objects "* from Win32_LoggedOnUser" of wmis) whose ((it as string as lowercase does not contain "dwm") and (it as string as lowercase does not contain "umf"))
I think the key is to exclude the accounts via the actual wmi query but I keep getting “Windows Error 0x80041017” when testing via the Fixlet Debugger.
Another option would be to specify specific domain account logons vs local user account logons.
Any help or breadcrumb would be much appreciated!
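For cross-checking what the relevance should return on a test endpoint, the same join (Win32_LoggedOnUser to Win32_LogonSession on LogonId, LogonType 2 or 10, newest StartTime) can be reproduced in PowerShell with the exclusion applied after the join rather than inside the WQL query. This is an added example, not part of the original post and not BigFix relevance; the variable names and the `$domainOnly` switch are assumptions made for illustration.

```powershell
# Added example: reproduce the LastLoggedInUser logic locally for comparison.
# Assumption: names containing these substrings (case-insensitive) are the
# application logins to drop, as in the post ("dwm", "umf").
$excludedSubstrings = @('dwm', 'umf')

# Assumption: set to $true to keep only accounts whose domain is not the
# local computer name (the "domain logons vs local logons" idea in the post).
$domainOnly = $false

# Interactive (2) and RemoteInteractive (10) sessions, same filter as the relevance.
$sessions = Get-CimInstance -ClassName Win32_LogonSession `
    -Filter 'LogonType = 2 OR LogonType = 10'

# Win32_LoggedOnUser is an association class:
#   Antecedent -> the account (Domain, Name)
#   Dependent  -> the logon session (LogonId)
# Index the accounts by LogonId so each session can be resolved to a user.
$accountByLogonId = @{}
foreach ($link in Get-CimInstance -ClassName Win32_LoggedOnUser) {
    $accountByLogonId[[string]$link.Dependent.LogonId] = $link.Antecedent
}

$candidates = foreach ($session in $sessions) {
    $account = $accountByLogonId[[string]$session.LogonId]
    if ($null -eq $account) { continue }          # session with no mapped account

    # Drop the application logins by name, after the join.
    $name = ([string]$account.Name).ToLowerInvariant()
    $isExcluded = $false
    foreach ($s in $excludedSubstrings) {
        if ($name.Contains($s)) { $isExcluded = $true; break }
    }
    if ($isExcluded) { continue }

    # Optional: drop accounts that belong to the local machine.
    if ($domainOnly -and $account.Domain -eq $env:COMPUTERNAME) { continue }

    [pscustomobject]@{
        User      = '{0}\{1}' -f $account.Domain, $account.Name
        LogonId   = $session.LogonId
        StartTime = $session.StartTime
    }
}

# Most recent remaining session = last logged-in user.
$candidates | Sort-Object -Property StartTime -Descending | Select-Object -First 1
```

Because the name filter runs before the newest session is picked, an excluded account that logged on most recently does not mask the real user, which is the ordering the relevance would also need.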