4 Replies Latest reply on Sep 24, 2020 4:31 AM by Arne Kaj Winther

    Find Local Groups

    Arne Kaj Winther

      Hello Community

       

      I have a problem splitting the list I get from this command:

      discovery.runCommand(h, 'wmic.exe group where "localaccount=true" get Name > c:\\ADDM-2Gfil' );

       

      The result I get from this command is:

      Discovery Method: runCommand
      Discovery Duration: 0 seconds
      Request Time: 2020-07-30 11:35 CEST
      Command: type c:\ADDM-Gfil2
      Result:
      Access Control Assistance Operators
      Administrators
      Backup Operators
      Certificate Service DCOM Access
      Cryptographic Operators
      Distributed COM Users
      Event Log Readers
      Guests
      Hyper-V Administrators
      IIS_IUSRS
      Network Configuration Operators
      Performance Log Users
      Performance Monitor Users
      Power Users
      Print Operators
      RDS Endpoint Servers
      RDS Management Servers
      RDS Remote Access Servers
      Remote Desktop Users
      Remote Management Users
      Replicator
      Storage Replica Administrators
      System Managed Accounts Group
      Users
      Access Method: RemQuery
      Discovery Access: 10.190.82.189 @ 2020-07-30 09:12:50.746347+00:00
      Requesting Pattern: WMIREMLocalGroups.WMIREMLoclGroups

       

      I've tried to get it split into group names so I can run them for details, like this:

       

      groups_raw  := discovery.runCommand(h, 'type c:\\ADDM-Gfil2' );

      if groups_raw.result then
         log.info('WINLocalGroup returned local groups %groups_raw.result%');
         for groups in text.split(groups_raw.result, "\n" ) do
            log.info('WINLocalGroup ready push  %groups.result%');
            if size(groups.result) > 3 then
               groups_s := text.split(res.result, "\n" );
               groups_s := discovery.runCommand(h, 'wmic group where (localaccount=true and name like "%groups.result%") get Caption,Description,Localaccount,Name,SID,SIDType,Status' );
               log.info('WINLocalGroup returned local group %groups_s.result% after groups_s');
               if size(groups_s) > 4 then

      Fill the details into variables and register them via

       

       

      Best regards,

      Arne

        • 1. Re: Find Local Groups
          Bob Anderson

          I hope this makes sense, commenting on your code like this. Next time, share the entire tpl file; it is easier to help test, debug, and provide additional feedback.

          .

          .

          .

          groups_raw  := discovery.runCommand(h, 'type c:\\ADDM-Gfil2' );

           

          if groups_raw.result then

             log.info('WINLocalGroup returned local groups %groups_raw.result%');

             for groups in text.split(groups_raw.result, "\n" ) do

                log.info('WINLocalGroup ready push  %groups.result%'); <-----------------------------------------------------groups is just a string so groups.result is undefined and probably causes ECA Error

                                                                                                  <-----------------------------------------------------just use -->%groups%<-- (NOTE: I like to use the pinchers --> and <-- around the

                                                                                                  <-----------------------------------------------------variables when logging, as it shows any 'white space' that is not normally visible

                if size(groups.result) > 3 then <--------------------------------------------------------------------------------------------groups is just a string so groups.result is undefined

                                                            <-------------------------------------------------------------------------------------------use: size(groups) which will return the size of the string (if that's what's needed)

                   groups_s := text.split(res.result, "\n" ); <----------------------------------------------------------------------------res is undefined so res.result is undefined, and not sure what you are trying to do

                                                                            <---------------------------------------------------------------------------group_s is undefined at this point

                   groups_s := discovery.runCommand(h, 'wmic group where (localaccount=true and name like "%groups.result%") get Caption,Description,Localaccount,Name,SID,SIDType,Status' );<--------------------------------------------------now, you are re-using the groups_s variable - is this a typo?

                                                                                                      <-------------------------------------------------groups.result is undefined and will cause an ECA Error

                                                                                                      <-------------------------------------------------use: name like "%groups%"

                   log.info('WINLocalGroup returned local group %groups_s.result% after groups_s'); <-------------need to check if groups_s.result exists before using it

                   if size(groups_s) > 4 then  <---------------------------------------------------------------------------------------------groups_s at this point is a single DiscoveredCommandResult node

                                                          <---------------------------------------------------------------------------------------------so will size never be larger than 1

          .

          .

          .

          hth,

           

          Bob

          • 2. Re: Find Local Groups
            Arne Kaj Winther

            Hi Bob

            Thanks, but now I have another issue. There is a space behind the group names when I have selected them and try to get detail info about the groups, and Windows does not like that.

            C:\Users\GENROOTADMINFAPPPRO>wmic group where (localaccount=true and name like "Power Users ") get Domain,Description,Localaccount,Name,SID,SIDType,Status

            No Instance(s) Available.

             

            When I test the command, I remove the space at the end of the command, and it works:

            C:\Users\GENROOTADMINFAPPPRO>wmic group where (localaccount=true and name like "Power Users") get Domain,Description,Localaccount,Name,SID,SIDType,Status

            Description        Domain               LocalAccount     Name                   SID                        SIDType               Status

            BE-S2686-MS4  TRUE Power Users      S-1-5-32-547      4                            OK

             

            In /usr/tideway/log I grep for "WINLocalGroup returned first" and find the username; after that, in the second one, there is the error:

            tw_svc_eca_patterns.log:E01-140579238672128: 2020-08-06 09:43:30,394: engine.pattern.WMIREMLocalGroups.WMIREMLoclGroups: INFO: WINLocalGroup returned first Replicator            

            tw_svc_eca_patterns.log:E01-140579238672128: 2020-08-06 09:43:30,591: engine.pattern.WMIREMLocalGroups.WMIREMLoclGroups: INFO: WINLocalGroup returned second businesslogic.base.NodeValue(store_id='\xb4\xe05Y\x82\x1aTq) \xd4i', node_id='~\x8b*_zh+\xd5N\x0e8\x10nDiscoveredCommandResult')

             

            Then I inserted "groups10 := text.rightStrip(groups1, " ");" to strip the space at the end of the group name, but it does not help, the space is still there, and I think I need help with this.

             

            if groups_raw.result then
               for groups1 in text.split(groups_raw.result, "\n" ) do
                  groups10   := text.rightStrip(groups1, " " );
                  log.info('WINLocalGroup returned first %groups10% ');
                  group_d := discovery.runCommand(h, 'wmic group where (localaccount=true and name like "%groups10%") get Domain,Description,Localaccount,Name,SID,SIDType,Status' );

            • 3. Re: Find Local Groups
              Bob Anderson

              Ok,

               

              help me here...

               

              in your code..

               

              *where setting groups10, remove the second parameter [ it is optional ]

                - removing the optional parameter means all 'white space' will be removed, not just the 'space' characters.  I think you have an additional '\r' in the text as windows always uses \r\n for new lines.

               

              *where you are logging, add pincers(--> and <--) to your logging

                - by adding these pincers, you will be able to see any additional white space, like tabs, or new-line characters, on either side of your data

               

               

                       if groups_raw.result then

                          for groups1 in text.split(groups_raw.result, "\n" ) do

                             groups10   := text.rightStrip(groups1 );

                             log.info('WINLocalGroup returned first -->%groups10%<--');

               

              If you are still having troubles, please include your entire pattern

               

              'grep'ing for the WINLocalGroup may not get all your logged output.

              • 4. Re: Find Local Groups
                Arne Kaj Winther

                Thanks

                This was very helpful.

                regards