I am trying to enforce Windows local group membership. I believe I might be able to do it out of the box, but I wanted more flexibility, so I went a different route, which I believe may have been a waste of time.
1. I copied the groups.blq to groups_oneline.blq and modified it so the output was
2. I created an NSH script that takes as arguments the target host, the group, and the user to be removed, and runs net localgroup "groupname" user /delete. This works fine, and I created a general NSH script job for it so it can be reused.
3. I wrote a very small Perl wrapper called clearNTGroup.pl that takes two arguments (target and group), executes the blquery .. -E groups_oneline.blq, parses the output, finds the group, and then cycles through the users and removes them from the group.
4. Created an nsh script for that as well that passes the two args and it works fine.
Now, I want to define a remediation package that executes clearNTGroup.pl, passing it the arguments required, and clears the group. Remediation requires a BLPackage, and a BLPackage requires something to actually distribute. As I am not actually distributing anything, is it possible to run a "Remediation Job"?
The whole purpose of this is to create one package that can be used to clear any group as opposed to hard coding and adding packages every time group compliance changes.
Thanks in advance.
Never mind, I cannot find any way to do it out of the box. Distributing a BLPackage with the Group object in it but no members does not clear it.
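
As an added example (not part of the original post, and not BladeLogic or NSH code), the query-and-remove logic of steps 3 and 4 can be written as one reusable PowerShell function that uses the built-in LocalAccounts cmdlets in place of blquery and net localgroup. The function name, the -Keep parameter and the sample account are hypothetical.

```powershell
#Requires -Version 5.1
# Added example; Clear-LocalGroupMembership and -Keep are hypothetical names.
function Clear-LocalGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Local group to clear, passed in so one script serves any group.
        [Parameter(Mandatory = $true)]
        [string]$Group,

        # Accounts that must stay in the group, as full names (COMPUTER\user or DOMAIN\user).
        # Full names only: matching on the short name would also keep a same-named
        # account from a different domain.
        [string[]]$Keep = @()
    )

    # Stop with an error if the group does not exist, instead of reporting a clean run.
    $null = Get-LocalGroup -Name $Group -ErrorAction Stop

    foreach ($member in Get-LocalGroupMember -Group $Group -ErrorAction Stop) {
        if ($Keep -contains $member.Name) {   # -contains is case-insensitive
            Write-Verbose "Keeping $($member.Name) in '$Group'"
            continue
        }

        # ShouldProcess makes -WhatIf and -Confirm work for every removal.
        if ($PSCmdlet.ShouldProcess("$Group on $env:COMPUTERNAME", "Remove $($member.Name)")) {
            # Pass the principal object returned by the query, not a re-typed name.
            Remove-LocalGroupMember -Group $Group -Member $member -ErrorAction Stop

            # Emit one record per removal so the job log shows what changed.
            [pscustomobject]@{
                Group   = $Group
                Removed = $member.Name
                Sid     = $member.SID.Value
                Source  = $member.PrincipalSource
            }
        }
    }
}

# Dry run with a constructed account name: shows what would be removed, changes nothing.
Clear-LocalGroupMembership -Group 'Remote Desktop Users' -Keep 'CORP\HelpDesk' -WhatIf
```

Run it with -WhatIf first and compare the list against the compliance rule; dropping -WhatIf applies the removals.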