1 Reply Latest reply on Oct 29, 2015 8:05 AM by Gary White

    Restricted Administrator Group Members V-1127 Help w/ Compliance Rule

    Gary White

      I been thrown into the fire here so please trust that I have been working on compliance rules for 3 weeks straight and we have until end of week to complete all the "Manual Checks". I don't think all the manual checks can have actual rules written and some have to be manual.


      This rule we need to document who is in the administrators group, mainly just groups since users are not allowed. I cannot for the life of me figure out how to edit this rule.


      I posted a similar rule V-1148 which I resolved on my own by just hammering away tying diff things. see rule for 1148 just below regarding local users accounts on the system:

      foreach "Windows User:*"

         @Name@ is one of ??TARGET.DISA Properties.PNC_Allowed Local User Accounts??



      While rule 1148 works great and is similar to 1127 regarding the administrator group VS local accounts, I cannot get the "is one of" declaration to be available when I want it. you see the TARGET.DISA Properties.PNC_Allowed_Local_User_accounts above? I created that with a "complex string" which allowed me to add the user accounts that are allowed on a local system. works great.


      So I created another object called PNC_Allowed_Local_Administrators see rule below.. I cannot get the "is one of" to show only if using @Name@  which then of course makes the object invisible.


      foreach "Windows Group:Administrators"

         @"Group Members (Windows)"@ = ??TARGET.DISA Properties.PNC_Allowed_Local_Administrators??



      with the above rule written, the results are Left Value "Administrators" Right Value the groups I have in my Allowed Local Administrators object I created. What I need is to see not Administrators group but who is inside the group and show a list of red for each that is not in my object I created.


      I have searched and also worked with a BL consultant we have working here however he says it is not possible and we would have to use a script and then turn the script into an object. Any help on this would be awesome. We are currently testing utilization and running compliance rules so I have limited time to research like I did last week. :/

        • 1. Re: Restricted Administrator Group Members V-1127 Help w/ Compliance Rule
          Gary White

          I found this:

          REGEX Help

          and I have tested the script locally on my laptop which does generate the list of accounts that are currently in the local administrators group on my laptop. So this is a start now I just need to figure if I can use that script with the local object I created containing the complex string of accounts that are allowed to actually be in the local administrators group.


          I will be working on this in between meetings and putting out other fires so I am def attempting to figure this out any help is appreciated and I will add any fix to this at the end of the discussion like I did for rule V-1148 posting I placed a few weeks ago. Thanks guys.