6 Replies Latest reply on Aug 6, 2014 1:45 PM by Don Kim

    Account for multiple entries in User Rights Policies

    Don Kim

      I would like to create a compliance rule for a user rights policy such as "Change time zone". The policy defines that there are only a few permitted entries, for example BUILTIN\Administrators and NT AUTHORITY\LOCAL SERVICE.

      I have brought in the "Change time zone" user rights policy as a part and used both the effective and local setting, and tried both "list of string values" and "string value". In my case these are the same. When testing this rule, the output on the left looks like this:

      "NT AUTHORITY\LOCAL SERVICE,BUILTIN\Administrators"

       

      If I use the "equals" operator, it will return non-compliant because sometimes the order is different from above, or a server may have one and not the other. "Is one of" also produces similar results.

      The "Contains" operator will return a compliant result when I create a rule for each entry; however, it will still return compliant if another invalid entry is present. I would like to see if there is an operator, or perhaps different logic, I can use that will give me the desired result before scripting this out.

        • 1. Re: Account for multiple entries in User Rights Policies
          Monoj Padhy

          "NT AUTHORITY\LOCAL SERVICE,BUILTIN\Administrators": break this into two and then use the "equal" operator. What's stopping you from doing it this way? My thinking may sound naive. Currently I have no access to BSA; I will try to figure this out in a better way in a couple of days.
          • 2. Re: Account for multiple entries in User Rights Policies
            Don Kim

            In order for the = operator to work, one would have to define all possible values like this:

            = null (a blue one) (or)

            = NT AUTHORITY\LOCAL SERVICE (or)

            = BUILTIN\Administrators (or)

            = NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators (or)

            = BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE (or)

             

            This will work as above, but won't scale well if other users need to be added or the rule needs to be tweaked.

            • 3. Re: Account for multiple entries in User Rights Policies
              Joe Piotrowski

              I think I wrote a Rule that does a similar check against a registry key like this. Does this help?

               

              foreach
                "Registry Value:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine"
                  "Multi Value (Windows)" contains "Software\Microsoft\OLAP Server" AND
                  "Multi Value (Windows)" contains "Software\Microsoft\Windows NT\CurrentVersion\Perflib" AND
                  "Multi Value (Windows)" contains "Software\Microsoft\Windows NT\CurrentVersion\Print" AND
                  "Multi Value (Windows)" contains "Software\Microsoft\Windows NT\CurrentVersion\Windows" AND
                  "Multi Value (Windows)" contains "System\CurrentControlSet\Control\ContentIndex" AND
                  "Multi Value (Windows)" contains "System\CurrentControlSet\Control\Print\Printers" AND
                  "Multi Value (Windows)" contains "System\CurrentControlSet\Control\Terminal Server" AND
                  "Multi Value (Windows)" contains "System\CurrentControlSet\Control\Terminal Server\UserConfig" AND
                  "Multi Value (Windows)" contains "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" AND
                  "Multi Value (Windows)" contains "System\CurrentControlSet\Services\Eventlog" AND
                  "Multi Value (Windows)" contains "System\CurrentControlSet\Services\Sysmonlog"
              end

              • 4. Re: Account for multiple entries in User Rights Policies
                Don Kim

                I ended up dropping the Server Object part and creating an extended object that translates the comma to a return (like Monoj Padhy and Joe Piotrowski suggested). This way I can use equals and check for each value like this:

                = null (or)

                = NT AUTHORITY\LOCAL SERVICE (or)

                = BUILTIN\Administrators

                 

                To extend it or add users, it would be a matter of adding a line instead of rewriting the rule:

                + (or)

                = newuser

                 

                Not much difference, but it does solve the issue of multiple values being seen as a single value. I was hoping this was possible using the server object parts, but it is time to move on.

                • 5. Re: Account for multiple entries in User Rights Policies
                  Joe Piotrowski

                  Can you share the EXO you wrote? I'm curious how you chose to handle it.

                   

                  I think this can be done with another Loop type, but I don't have my environment up to verify.

                  • 6. Re: Account for multiple entries in User Rights Policies
                    Don Kim

                    It's not pretty, but it does the job. I have to create a file on the server. It looks like this:

                    "nexec -e secedit /export /areas USER_RIGHTS /cfg (filename)"

                     

                    gives me output like this:

                    (screenshot attached: settings.png)

                     

                    Then I use the EO to parse the output to = SID, where I can match to a user/no user. It's a roundabout approach.

                     

                    There might be a way to parse directly from secedit, but I haven't been able to make that happen yet.
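The two problems raised in this thread, an order-sensitive "equals" and a "contains" that ignores extra principals in the original question, and the secedit export parsing Don Kim describes in reply 6, come down to one check: compare the principals holding a right with the allow-list as a set. The PowerShell below is an added example, not code from the thread or from BSA. It runs the same secedit export, parses the [Privilege Rights] section, translates the *SID tokens to account names and then reports any principal that is not on the allow-list as an extra (non-compliant) and any allowed principal that is absent as merely missing, matching the thread's intent that null, LOCAL SERVICE alone or Administrators alone are all acceptable. The $AllowedByPrivilege table, the INF path and the function names are assumptions for this example.

```powershell
# Added example (not from the thread): set-based check of Windows user rights
# exported by secedit. Assumptions: allow-list, INF path, and the rule that an
# extra principal is non-compliant while a missing one is only reported.

$AllowedByPrivilege = @{
    # "Change the time zone" maps to SeTimeZonePrivilege
    'SeTimeZonePrivilege' = @('NT AUTHORITY\LOCAL SERVICE', 'BUILTIN\Administrators')
}

function Export-UserRights {
    param([string]$Path = (Join-Path $env:TEMP 'user_rights.inf'))
    # Same export the thread runs through nexec: secedit /export /areas USER_RIGHTS /cfg <file>
    & secedit.exe /export /areas USER_RIGHTS /cfg $Path /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
    return $Path
}

function Resolve-Principal {
    param([string]$Token)
    # secedit writes SIDs with a leading '*'; plain names appear as-is.
    if ($Token.StartsWith('*')) {
        try {
            $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ($Token.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Unresolvable SID (e.g. a deleted account): keep the raw token so it
            # surfaces as an "extra" instead of silently disappearing.
            return $Token
        }
    }
    return $Token
}

function ConvertFrom-UserRightsInf {
    param([string]$Path)
    # Returns a hashtable: privilege name -> array of account names (order as exported).
    $rights = @{}
    $inSection = $false
    # Get-Content honours the UTF-16 BOM that secedit writes.
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(?<name>[^\]]+)\]\s*$') {
            $inSection = ($Matches['name'] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(?<priv>Se\w+)\s*=\s*(?<val>.*)$') {
            $priv = $Matches['priv']
            $val  = $Matches['val']
            # Split the comma list the compliance operators treated as one value.
            $principals = @($val -split ',' |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ -ne '' } |
                ForEach-Object { Resolve-Principal $_ })
            $rights[$priv] = $principals
        }
    }
    return $rights
}

function Test-UserRight {
    param([hashtable]$Rights, [string]$Privilege, [string[]]$Allowed)
    # A privilege absent from the export is treated as having no holders.
    $actual = if ($Rights.ContainsKey($Privilege)) { @($Rights[$Privilege]) } else { @() }
    # Set comparison: order does not matter, -contains is case-insensitive.
    $extra   = @($actual  | Where-Object { $Allowed -notcontains $_ })
    $missing = @($Allowed | Where-Object { $actual  -notcontains $_ })
    [pscustomobject]@{
        Privilege = $Privilege
        Actual    = $actual
        Compliant = ($extra.Count -eq 0)   # any principal outside the allow-list fails
        Extra     = $extra
        Missing   = $missing               # informational, per the thread's semantics
    }
}

# Usage: run elevated on the target server.
$rights = ConvertFrom-UserRightsInf -Path (Export-UserRights)
foreach ($priv in $AllowedByPrivilege.Keys) {
    Test-UserRight -Rights $rights -Privilege $priv -Allowed $AllowedByPrivilege[$priv]
}
```

ConvertFrom-UserRightsInf can be pointed at any saved secedit export, so the parsing and the set comparison can be exercised on a workstation without re-running the export, and the Extra and Missing fields give the rule author the same information the per-entry "equals" list in reply 4 does, without having to enumerate every permutation of the allowed principals.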