Enforce Admin Users Compliance
Log In or Register to download the BES file, and more.

0 Votes

Versioning - This is the latest version.

1Enforce Admin Users Compliance9/15/2018 8:37:03 PM
2Enforce Admin Users Compliance9/17/2018 9:35:00 PM

Description

This Fixlet removes users from the local "Administrators" group on a computer if they are not listed in a whitelist file deployed using the task:
"Deploy ComplianceWhitelist File"

 

Action 1:
Compares users who are Members of the local Administrators group on a computer with a "Compliant Admins" Whitelist file that exists on the client.  It then instructs the endpoint to remove any users that are NOT on the Compliance White List from the Local Administrators group.

Action 2:
Prompts for a User ID that is then removed from the local "Administrators" group of the target endpoint.

 

Note:
1.  Before running this task you must create the file "ComplianceWhitelist.txt" on the BES Server in the following directory:
"<BES Server>\wwwrootbes\CustomDownloads\ComplianceWhitelist"
2.  The Task "Deploy ComplianceWhitelist File" must be run before this Fixlet will work properly.


Property Details

ID25547
StatusBeta - Preliminary testing ready for more
TitleEnforce Admin Users Compliance
DomainBESC
CategoryUtility-Manage Windows Admins
SourceMike Consuegra
Source Release Date9/7/2018 12:00:00 AM
KeywordsManage Local Windows Administrators
Added by on 9/17/2018 9:35:00 PM
Last Modified by on 9/17/2018 9:35:00 PM
Counters 164 Views / 3 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.

Relevance


Actions

Action 1 (default)

Action Link Remove  Users based on a pre-defined whitelist
Script Type BigFix Action Script
///////////////////////////////////
// TO SET DIFFERENT FILE NAMES AND
// LOCATIONS CHANGE THE FOLLOWING
// PARAMETER VALUES
///////////////////////////////////

parameter "primarywhitelist" = "{(parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist\ComplianceWhitelist.txt"}"
parameter "backupwhitelist" = "{(((data folder of client) as string) & "\__Global\__Download\actionsite\_listbackup.txt")}"
parameter "blacklist" = "{(parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist\blacklist.txt"}"

// -END- PARAMETER DECLARATIONS



// Verify that the whitelist file folder exists in the client directory
if "{exists folder (parent folder of regapp "BESClient.exe" as string & "\ComplianceWhitelist")}"

// Delete any old version of the blacklist file
    delete "{parameter "blacklist"}"
    
// Verify that the whitelist file in the ComplianceWhitelist folder exists
    if {exists file (parameter "primarywhitelist")}
    
// Verify that the whitelist file has not been modified by the user
// If the hash of the file in the Client folder is the same as the backup file then remove the out-of-compliance admins.
// If the file hashes are different (the ELSE condition), copy the backup file to the client folder and remove the out-of-compliance admins.
        
        if {sha1 of file (parameter "backupwhitelist") = sha1 of file (parameter "primarywhitelist")}
            
// Create the list of users that should NOT be in the Administrators Local Group (blacklist.txt)
            createfile until EOF
            {concatenation "%0d%0a" of (elements of (set of ((following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase)) - set of (unique values of (lines of file (parameter "primarywhitelist")))))}
            EOF

            move __createfile "{(parameter "blacklist")}"
    
// Wait until the blacklist.txt is created
            pause while {not exists file (parameter "blacklist")}
            
// Delete any users that are not supposed to be in the admin group
            dos for /F "usebackq tokens=*" %A in ("{(parameter "blacklist")}") do net localgroup administrators "%A" /delete
            
        else
            delete "{parameter "primarywhitelist"}"
                
            dos copy /Y "{parameter "backupwhitelist"}" "{parameter "primarywhitelist"}"
    
// Create the list of users that should NOT be in the Administrators Local Group (blacklist.txt)
            createfile until EOF
            {concatenation "%0d%0a" of (elements of (set of ((following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase)) - set of (unique values of (lines of file (parameter "primarywhitelist")))))}
            EOF
            
            move __createfile "{(parameter "blacklist")}"
    
// Wait until the blacklist.txt is created
            pause while {not exists file (parameter "blacklist")}
    
// Remove unauthorized users from Admin group
            dos for /F "usebackq tokens=*" %A in ("{(parameter "blacklist")}") do net localgroup administrators "%A" /delete
        
        endif

    else
        
        dos copy /Y "{parameter "backupwhitelist"}" "{parameter "primarywhitelist"}"
    
// Create the list of users that should NOT be in the Administrators Local Group (blacklist.txt)
        createfile until EOF
        {concatenation "%0d%0a" of (elements of (set of ((following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase)) - set of (unique values of (lines of file (parameter "primarywhitelist")))))}
        EOF
        
        move __createfile "{(parameter "blacklist")}"
    

// Wait until the blacklist.txt is created
        pause while {not exists file (parameter "blacklist")}
            
// Remove unauthorized users from Admin group
        dos for /F "usebackq tokens=*" %A in ("{(parameter "blacklist")}") do net localgroup administrators "%A" /delete
    
    endif


else

// Create the ComplianceWhitelist folder in the client directory and copy the ComplianceWhitelist file from the backup file created by the "Deploy ComplianceWhitelist" task
    dos mkdir "{(parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist"}"
    
    dos copy /Y "{parameter "backupwhitelist"}" "{parameter "primarywhitelist"}"
        
// Delete any old version of the blacklist file
    delete "{parameter "blacklist"}"
        
// Create the list of users that should NOT be in the Administrators Local Group (blacklist.txt)
    createfile until EOF
    {concatenation "%0d%0a" of (elements of (set of ((following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase)) - set of (unique values of (lines of file (parameter "primarywhitelist")))))}
    EOF

    move __createfile "{(parameter "blacklist")}"
    
// Wait until the blacklist.txt is created
    pause while {not exists file (parameter "blacklist")}
    
// Remove unauthorized users from Admin group
    dos for /F "usebackq tokens=*" %A in ("{(parameter "blacklist")}") do net localgroup administrators "%A" /delete
    
endif
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 2

Action Link Remove  the specified User
Script Type BigFix Action Script
// Prompt the user for an ID to delete from the Administrators group of every targetted computer
action parameter query "UserID" with description "Enter the User ID to remove from the local Administrators group of targetted endpoints:"


// Remove each user in the 'blacklist.txt' file from the Local Admin Group
dos net localgroup administrators "{parameter "UserID" of action}" /delete
Success Criteria

This action will be considered successful when all lines of the action script have completed successfully.


Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!