6 Replies Latest reply on Feb 12, 2015 3:20 PM by Bill Robinson

    Audit for Objects "Containing"

    Robert Stinnett

        One of our users wants to audit the Windows ->  Local Groups -> Administrator group to see if it contains a user and/or specific group.  As far as we can tell, this is not possible.  It's an all or nothing audit comparison.


      Is there a way to do this?

        • 1. Re: Audit for Objects "Containing"
          Bill Robinson

          Audit is always all or nothing.  Can you use compliance here ?

          • 2. Re: Audit for Objects "Containing"
            Robert Stinnett



            We're just going down this path of using BL for audit/compliance -- could you go into a bit more detail of what you mean?



            • 3. Re: Audit for Objects "Containing"
              Bill Robinson

              Audit is always a comparison – what is on server A must match exactly what is on  serverB,C,D.  Compliance is conditional – eg if Y exists then A must = 1 if Z exists then B must = 2


              there should be operators for the local users or groups so you can say something like ‘Administrators.users is one of xxx’

              • 4. Re: Audit for Objects "Containing"
                Steffen Kreis

                Hi Robert,


                maybe some high-level steps on how to go forward.


                - You need to create a Component Template first, which will contain the rules you want to check against your targets.

                   Typically you wouldn't do that as a one-off task, but try to combine all sorts of "Compliance" or "Healthcheck" Rules that apply for a specific group of targets (e.g. all Windows Servers) into one template.


                - On the General Tab you need to define what you want to do with this Template. Tick "Compliance" here.


                - The Parts Tab defines the Server Objects you want to do something with. So for your example, you would add the

                   "Local Administrators" group from one of your Windows Servers and also the local user you want to check for and again tick the Compliance option for that Part.


                - On the Discover Tab of that Template you need to define a signature, which describes for which types of Targets this Template should be valid.

                  So for the example, all Windows Servers, you could just check the targets properties:



                - Finally on the Compliance Tab create a Rule (you can also group rules in to a Rule-Group) and define your condition.

                Use the items from the green "plus" button to setup your rule, it's quite intuitive.



                - Note for each rule you can also define a Remediation action. So you could directly deploy a package that addes the user, when it is missing.


                - When you have finished the creation of the Template, as the next step you need to run a "Discover" Job using that Template as an input against your targets.

                That will create the "Components" for all servers where your Discovery signature is valid.


                - Finally, create a Compliance-Job again with the Template as the input and run that against all the components/targets.



                Hope that helps you getting started!


                Compliance is a VERY powerful feature in BSA and is what makes BSA stand-out compared with lot's of other Tools on the market from my point of view.

                In 8.6 the rule engine is even more powerful and also the HTML Export functionality of the Compliance-Results is a great enhancement there.




                • 5. Re: Audit for Objects "Containing"
                  Cody Dean

                  If I understand your question right, you should be able to use a foreach loop and check if it "contains" or "does not contain"



                  • 6. Re: Audit for Objects "Containing"
                    Bill Robinson

                    that rule is going to look at each user name on the system and look if the name contains some string.  i think you need to look at one of the other attributes on the user object right ??