-
1. Re: Account for multiple entries in User Rights Policies
Monoj Padhy Aug 5, 2014 9:01 AM (in response to Don Kim) 1 of 1 people found this helpful
"NT AUTHORITY\LOCAL SERVICE,BUILTIN\Administrators": break this into two and then use the "equal" operator. What's stopping you from doing it this way? My thinking may sound naive. Currently I have no access to BSA; I will try to figure this out in a better way in a couple of days.
-
2. Re: Account for multiple entries in User Rights Policies
Don Kim Aug 5, 2014 10:23 AM (in response to Monoj Padhy)
In order for the = operator to work, one would have to define all possible values like this:
= null (a blue one) (or)
= NT AUTHORITY\LOCAL SERVICE (or)
= BUILTIN\Administrators (or)
= NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators (or)
= BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE (or)
This will work as above, but won't scale well if other users need to be added or the rule needs to be tweaked.
-
3. Re: Account for multiple entries in User Rights Policies
Joe Piotrowski Aug 5, 2014 12:49 PM (in response to Don Kim) 1 of 1 people found this helpful
I think I wrote a Rule that does a similar check against a registry key like this. Does this help?
foreach
"Registry Value:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine"
"Multi Value (Windows)" contains "Software\Microsoft\OLAP Server" AND
"Multi Value (Windows)" contains "Software\Microsoft\Windows NT\CurrentVersion\Perflib" AND
"Multi Value (Windows)" contains "Software\Microsoft\Windows NT\CurrentVersion\Print" AND
"Multi Value (Windows)" contains "Software\Microsoft\Windows NT\CurrentVersion\Windows" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Control\ContentIndex" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Control\Print\Printers" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Control\Terminal Server" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Control\Terminal Server\UserConfig" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Services\Eventlog" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Services\Sysmonlog"
end
-
4. Re: Account for multiple entries in User Rights Policies
Don Kim Aug 6, 2014 9:42 AM (in response to Joe Piotrowski)
I ended up dropping the Server Object part and creating an extended object that translates the comma to a return (like Monoj Padhy and Joe Piotrowski suggested). This way I can use equals and check for each value like this:
= null (or)
= NT AUTHORITY\LOCAL SERVICE (or)
= BUILTIN\Administrators
To extend or add users, it would be a matter of adding a line instead of rewriting the rule:
+ (or)
= newuser
Not much difference, but it does solve the issue of multiple values being seen as a single value. I was hoping this was possible using the server objects part, but time to move on.
-
5. Re: Account for multiple entries in User Rights Policies
Joe Piotrowski Aug 6, 2014 10:48 AM (in response to Don Kim)
Can you share the EXO you wrote? I'm curious how you chose to handle it.
I think this can be done with another Loop type, but I don't have my environment up to verify.
-
6. Re: Account for multiple entries in User Rights Policies
Don Kim Aug 6, 2014 1:45 PM (in response to Joe Piotrowski)
It's not pretty, but it does the job. I have to create a file on the server. Looks like this:
"nexec -e secedit /export /areas USER_RIGHTS /cfg (filename)"
gives me output like this:
Then use EO to parse output to = SID where I can match to a user/no user. It's a roundabout approach.
There might be a way to parse directly from secedit, but I haven't been able to make that happen yet.
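
An added example, not part of the thread and not any poster's or BSA's own code: one way to check secedit USER_RIGHTS output per account, so the comma-joined value is compared as a set and entry order or a missing right does not matter. The sample export text, the rights chosen, the domain SID and the function names are constructed for illustration; a real export file is usually UTF-16 and must be decoded before parsing.

```python
# Added example: order-independent check of secedit USER_RIGHTS output.
# SAMPLE_EXPORT is constructed; it mimics the INF layout secedit writes.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known SIDs for the two accounts named in the thread.
LOCAL_SERVICE = "S-1-5-19"        # NT AUTHORITY\LOCAL SERVICE
ADMINISTRATORS = "S-1-5-32-544"   # BUILTIN\Administrators


def parse_privilege_rights(text):
    """Return {right: set of accounts} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Split the comma-joined value into separate accounts, drop the '*'
        # that marks a SID, and normalise case so comparisons are stable.
        accounts = {a.strip().lstrip("*").upper()
                    for a in value.split(",") if a.strip()}
        rights[name.strip()] = accounts
    return rights


def unexpected_accounts(rights, right, allowed):
    """Accounts holding `right` that are not in `allowed`.

    A right absent from the export (the thread's '= null' case) yields an
    empty set, which counts as compliant.
    """
    allowed = {a.upper() for a in allowed}
    return rights.get(right, set()) - allowed
```

Adding another permitted account means adding one entry to the allowed list; no permutations of the combined string have to be enumerated.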