Signs of possible Logon or GPO issues - Windows

Property Details

ID: 2994789
Status: Alpha - Code that was just developed
Title: Signs of possible Logon or GPO issues - Windows
Domain: BESC
Added by on 5/6/2015 10:43:17 AM
Last Modified by on 5/6/2015 10:43:17 AM
Counters: 3126 Views / 22 Downloads

Properties

Time of latest user logon
Period 6 hours
Relevance:
/* System log event 7001 (Winlogon user logon notification); returns the time of the most recent one */
maximum of times generated of records whose (event id of it = 7001) of system event log

Diff of userLO & GPO update
Period 6 hours
Relevance:
/* Time between the latest user logon (7001) and the latest SceCli "security policy applied" event.
   1073743528 is the full 32-bit event id as BigFix reports it: the low 16 bits are 1704 (SceCli 1704,
   security policy in the Group Policy objects applied successfully), the high bits are the informational severity flag. */
(maximum of times generated of records whose (event id of it = 1073743528 AND source of it = "SceCli") of application event log) - (maximum of times generated of records whose (event id of it = 7001) of system event log)

Diff of userLO & first GPO update after LO
Period 6 hours
Relevance:
/* Time from the latest user logon to the first SceCli 1704 (id 1073743528) logged after it */
(minimum of times generated of records whose (event id of it = 1073743528 AND time generated of it > (maximum of times generated of records whose (event id of it = 7001) of system event log)) of application event log) - (maximum of times generated of records whose (event id of it = 7001) of system event log)

Time of first GPO update after latest userLO
Period 6 hours
Relevance:
/* Timestamp of the first SceCli 1704 (id 1073743528) logged after the latest user logon */
(minimum of times generated of records whose (event id of it = 1073743528 AND time generated of it > (maximum of times generated of records whose (event id of it = 7001) of system event log)) of application event log)

number of NTP problems
Period 6 hours
Relevance:
/* Microsoft-Windows-Time-Service event 129: NtpClient could not locate a domain peer to use as a time source */
number of records whose (event id of it = 129 AND source of it = "Microsoft-Windows-Time-Service") of system event log

number of DNS problems
Period 6 hours
Relevance:
/* Microsoft-Windows-DNS-Client event 1014: name resolution timed out because none of the configured DNS servers responded */
number of records whose (event id of it = 1014 AND source of it = "Microsoft-Windows-DNS-Client") of system event log

number of GPO problems
Period 6 hours
Relevance:
/* Microsoft-Windows-GroupPolicy event 1129: Group Policy processing failed for lack of network connectivity to a domain controller */
number of records whose (event id of it = 1129 AND source of it = "Microsoft-Windows-GroupPolicy") of system event log

number of DC errors
Period 6 hours
Relevance:
/* NETLOGON event 5719: the computer could not set up a secure session with a domain controller (no logon servers available) */
number of records whose (event id of it = 5719 AND source of it = "NETLOGON") of system event log

number of GPO successes
Period 6 hours
Relevance:
/* SceCli 1704 (reported as 1073743528 with its informational severity bits): security policy in the GPOs applied successfully */
number of records whose (event id of it = 1073743528 AND source of it = "SceCli") of application event log

NTP 129 error
Period 6 hours
Relevance:
/* Time of the first Time-Service 129 logged after the latest resume from a low-power state
   (Microsoft-Windows-Power-Troubleshooter event 1), so errors logged during sleep are ignored */
(minimum of times generated of records whose (event id of it = 129 AND source of it = "Microsoft-Windows-Time-Service" AND time generated of it > (maximum of times generated of records whose (event id of it = 1 AND source of it = "Microsoft-Windows-Power-Troubleshooter") of system event log)) of system event log)

DNS 1014 error
Period 6 hours
Relevance:
/* Time of the first DNS-Client 1014 logged after the latest resume from a low-power state (Power-Troubleshooter event 1) */
(minimum of times generated of records whose (event id of it = 1014 AND source of it = "Microsoft-Windows-DNS-Client" AND time generated of it > (maximum of times generated of records whose (event id of it = 1 AND source of it = "Microsoft-Windows-Power-Troubleshooter") of system event log)) of system event log)

GPO 1129 error
Period 6 hours
Relevance:
/* Time of the first GroupPolicy 1129 logged after the latest resume from a low-power state (Power-Troubleshooter event 1) */
(minimum of times generated of records whose (event id of it = 1129 AND source of it = "Microsoft-Windows-GroupPolicy" AND time generated of it > (maximum of times generated of records whose (event id of it = 1 AND source of it = "Microsoft-Windows-Power-Troubleshooter") of system event log)) of system event log)

DC 5719 error
Period 6 hours
Relevance:
/* Time of the first NETLOGON 5719 logged after the latest resume from a low-power state (Power-Troubleshooter event 1) */
(minimum of times generated of records whose (event id of it = 5719 AND source of it = "NETLOGON" AND time generated of it > (maximum of times generated of records whose (event id of it = 1 AND source of it = "Microsoft-Windows-Power-Troubleshooter") of system event log)) of system event log)

Relevance

isWindows (Relevance 1172)
Used in 1107 fixlets and 524 analyses
windows of operating system

Used in 1 fixlet and 1 analysis
/* Windows 7 or later */ version of operating system >= "6.1"

Used in 1 analysis (Session Relevance)
"Physical" = (if (mac of operating system) then /* the Mac BES client does not currently support the smbios inspector. This needs refinement, but for now just assuming Apple devices are physical since virtualization of OS X is relatively rare */ "Physical" else (if ((it contains "VMware" or (it contains "Microsoft" AND /* This check is needed to exclude Microsoft Surface devices */ ((value "product_name" of structure "system_information" of smbios) as string contains "Virtual Machine")) or it contains "Xen" or /* This check is needed to properly identify Parallels VMs as virtual instead of physical */ it contains "Parallels Software") of (value "manufacturer" of structure "system_information" of smbios as string)) then "Virtual" else "Physical"))

Used in 1 analysis
/* True when the machine is domain-joined: the WMI Win32_ComputerSystem Domain value is anything other than "workgroup" */
"workgroup" != (it as string as lowercase) of (if (exists wmi) then (string value of selects "Domain from Win32_ComputerSystem" of wmi) else ("workgroup"))
