Apparently blquery won't help, as it only returns the following fields:
NAME GROUP UID GID FULLNAME COMMENT HOME SHELL
Administrator group 0 513 Built-in account for administering the computer/domain <null>
ASPNET group 0 513 ASP.NET Machine Account Account used for running the ASP.NET worker process (aspnet_wp.exe) <null>
BladeLogicRSCD group 0 513 BladeLogicRSCD Internal user for BladeLogic RSCD Agent <null>
Guest group 0 513 Built-in account for guest access to the computer/domain <null>
HelpDesk group 0 513 HelpDesk <null>
IUSR_WIN03-WWW group 0 513 Internet Guest Account Built-in account for anonymous access to Internet Information Services <null>
IWAM_WIN03-WWW group 0 513 Launch IIS Process Account Built-in account for Internet Information Services to start out of process applications <null>
SUPPORT_388945a0 group 0 513 CN=Microsoft Corporation,L=Redmond,S=Washington,C=US This is a vendor's account for the Help and Support Service <null>
test group 0 513 test <null>
Add the local users as a part. The compliance rule should be like '* local users any may exist and flags = number'
It's a flag: shouldn't the user flag be anded against 65536 to see if it is true?
Another way of doing this is to use blquery to enumerate all the local users on the machine, and use "net user" to find the flag. Something like:
nexec $windowsmachine cmd /c net user $user | grep '^Password expires'
This will be much slower since you have to run blquery once to pull the users, and then nexec for every user. This will be much more explicit, though.
That's a kind of helpful answer
Added Local User as a part.
Created rule such as:
Windows User * Must Not Exist OR (Control Flags (Windows) < 65,536)
I may have an issue should I need to check for "internal" values, such as 512, 1024, etc., but as I am checking 65536 so far, it works fine.
mmm.. if it works, then it works... Just keep in mind there are other flags larger than 0x10000.
"control flag" < 65536: don't-expire-password not set
"control flag" = 65546: only don't-expire-password is set
"control flag" > 65536: don't-expire-password may or may not be set.
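The difference between the "< 65536" rule and a bitwise test, as an added shell example (not from this thread or from BladeLogic). The account names and flag values are constructed; 0x10000 is the don't-expire-password bit, 0x200 (512) marks a normal account, and 0x40000 stands in for any flag above 0x10000.

```shell
# Added example: compare the "< 65536" comparison against a bitwise AND
# on constructed Control Flags values. Values are made up for illustration.
DONT_EXPIRE=65536   # 0x10000, the don't-expire-password bit

# Prints 1 if the don't-expire bit is set, 0 otherwise (bitwise test).
dont_expire_by_and() {
    if [ $(( $1 & DONT_EXPIRE )) -ne 0 ]; then echo 1; else echo 0; fi
}

# Prints 1 if the "< 65536" rule would treat the account as never expiring.
dont_expire_by_lt() {
    if [ "$1" -lt "$DONT_EXPIRE" ]; then echo 0; else echo 1; fi
}

# Constructed sample accounts as name:flags.
#   512    = 0x200           normal account, password expires
#   66048  = 0x10000|0x200   don't-expire set
#   262656 = 0x40000|0x200   a higher flag set, don't-expire clear
for entry in "test:512" "HelpDesk:66048" "svc_hypothetical:262656"; do
    name=${entry%%:*}
    flags=${entry##*:}
    printf '%-17s flags=%-7s and=%s lt=%s\n' "$name" "$flags" \
        "$(dont_expire_by_and "$flags")" "$(dont_expire_by_lt "$flags")"
done
```

The last row is where the two methods disagree: the "< 65536" rule reports the account as never expiring although the 0x10000 bit is clear.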
Here's a way that should be fast, accurate, and explicit:
wmic useraccount get Name,PasswordExpires /format:csv
Run as a remote EO with the csv grammar to get the data for all local users. The output will look like
This looks very good.
Unfortunately it's not possible to assume that WMI is installed.
On the first server I attempted, I got the following message:
Please wait while WMIC compiles updated MOF files.
Yes, but that only happens the first time wmic is run. You should still see output pop through. I only have problems on Windows 2000 machines (barring misconfigured machines, etc).