Enforce Admin Users Compliance - superseded
Versioning - This is an older version.
1 | Enforce Admin Users Compliance | 9/15/2018 8:37:03 PM |
2 | Enforce Admin Users Compliance | 9/17/2018 9:35:00 PM |
Description
This Fixlet removes users from the local "Administrators" group on a computer if they are not listed in a whitelist file deployed using the task:
"Deploy ComplianceWhitelist File"
Action 1:
Compares the members of the local Administrators group on a computer with a "Compliant Admins" whitelist file that exists on the client, then instructs the endpoint to remove any member that is NOT on the whitelist from the local Administrators group. The comparison is made on the bare account name: any "DOMAIN\" or "COMPUTER\" prefix is stripped from the group members and the names are lowercased before they are matched against the lines of the whitelist file.
Action 2:
Prompts for a User ID that is then removed from the local "Administrators" group of the target endpoint.
Note:
1. Before running this task you must create the file "ComplianceWhitelist.txt" on the BES Server in the following directory: "<BES Server>\wwwrootbes\CustomDownloads\ComplianceWhitelist". Put one account name per line, in lowercase and without a DOMAIN\ prefix, because Action 1 lowercases and de-prefixes the group members but compares the whitelist lines as written. An empty whitelist means every current member is treated as non-compliant, so check the file before deploying it.
2. The Task "Deploy ComplianceWhitelist File" must be run before this Fixlet will work properly.
Property Details
25544 | |
Beta - Preliminary testing ready for more | |
Enforce Admin Users Compliance | |
BESC | |
Utility-Manage Windows Admins | |
Mike Consuegra | |
9/7/2018 12:00:00 AM | |
Manage Local Windows Administrators | |
mxc0bbn on 9/15/2018 8:37:03 PM | |
mxc0bbn on 9/15/2018 8:37:03 PM | |
Relevance
Actions
Action 1 (default)
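// Action 1: bring the local Administrators group into line with the deployed whitelist.
//
// Files involved (all on the endpoint):
//   working whitelist : <BESClient dir>\ComplianceWhitelist\ComplianceWhitelist.txt
//   reference copy    : <client data>\__Global\__Download\actionsite\_listbackup.txt
//                       (placed there by the "Deploy ComplianceWhitelist File" task)
//   blacklist         : <BESClient dir>\ComplianceWhitelist\blacklist.txt, rebuilt on every run
//
// NOTE(review): the reference copy sits on the same disk as the working copy, so the hash
// comparison below only catches casual edits of the working file; an existing local admin can
// change both. sha1 is kept from the original; "sha256 of file" is available on newer clients -
// confirm the minimum client version in the deployment before switching.
parameter "wlDir" = "{parent folder of regapp "BESClient.exe" as string}\ComplianceWhitelist"
parameter "wlFile" = "{parameter "wlDir" of action}\ComplianceWhitelist.txt"
parameter "blFile" = "{parameter "wlDir" of action}\blacklist.txt"
parameter "refFile" = "{(data folder of client) as string}\__Global\__Download\actionsite\_listbackup.txt"
// Without a usable reference whitelist the set difference further down would be every member
// of Administrators, i.e. the action would strip all admins from the box. Stop instead.
if {not exists file (parameter "refFile" of action)}
exit 1
endif
if {number of lines whose (it != "") of file (parameter "refFile" of action) = 0}
exit 1
endif
// Make sure the working folder exists (first run on a client).
if {not exists folder (parameter "wlDir" of action)}
dos mkdir "{parameter "wlDir" of action}"
endif
// Always start from a fresh blacklist so a stale one from an earlier run cannot be replayed.
delete "{parameter "blFile" of action}"
// Restore the working whitelist from the reference copy when it is missing ...
if {not exists file (parameter "wlFile" of action)}
dos copy /Y "{parameter "refFile" of action}" "{parameter "wlFile" of action}"
endif
// ... or when its hash no longer matches the reference (copy /Y overwrites, so no delete first).
if {sha1 of file (parameter "refFile" of action) != sha1 of file (parameter "wlFile" of action)}
dos copy /Y "{parameter "refFile" of action}" "{parameter "wlFile" of action}"
endif
// Build the blacklist: current members of Administrators (domain prefix stripped, lowercased)
// minus the whitelisted names. The whitelist lines are lowercased as well - the original
// compared lowercase members against the whitelist verbatim, so an entry such as "JDoe"
// did not protect jdoe and that account was removed.
// NOTE(review): a member whose string form has no "\" is dropped by "following texts of firsts"
// and therefore never blacklisted; this matches the original behaviour and is not changed here.
createfile until EOF
{concatenation "%0d%0a" of (elements of (set of (following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase) - set of (unique values of ((lines of file (parameter "wlFile" of action)) as lowercase))))}
EOF
move __createfile "{parameter "blFile" of action}"
// Wait until the blacklist.txt is in place before cmd.exe reads it
pause while {not exists file (parameter "blFile" of action)}
// Remove every listed account. NOTE(review): names are passed without their domain prefix,
// exactly as the original did; whether "net localgroup" resolves an unqualified domain account,
// and how it behaves for the built-in Administrator, is not verified here.
dos for /F "usebackq tokens=*" %A in ("{parameter "blFile" of action}") do net localgroup administrators "%A" /delete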
This action will be considered successful when the applicability relevance evaluates to false.
Action 2
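// Action 2: prompt the operator for one account and remove it from the Administrators group of
// every targeted computer. This action does not use the blacklist file; that is Action 1.
action parameter query "UserID" with description "Enter the User ID to remove from the local Administrators group of targetted endpoints:"
// The value is spliced into a cmd.exe command line below, so accept only a plain account name,
// optionally DOMAIN\ qualified. Anything else (a stray & | < > or quote) would otherwise run as
// its own command on every targeted endpoint; operators are trusted, but a typo should fail
// here rather than execute.
if {not exists matches (regex "^[A-Za-z0-9._$ -]+(\\[A-Za-z0-9._$ -]+)?$") of (parameter "UserID" of action)}
exit 1
endif
// Remove the single supplied account from the local Administrators group
dos net localgroup administrators "{parameter "UserID" of action}" /delete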
This action will be considered successful when all lines of the action script have completed successfully.