Enforce Admin Users Compliance
Versioning - This is the latest version.
Version | Title | Date
1 | Enforce Admin Users Compliance | 9/15/2018 8:37:03 PM
2 | Enforce Admin Users Compliance | 9/17/2018 9:35:00 PM
Description
This Fixlet removes members from the local "Administrators" group of a computer if they are not listed in a whitelist file deployed with the task "Deploy ComplianceWhitelist File".
Action 1:
Compares the members of the local Administrators group with the compliance whitelist file that exists on the client, then removes from the group every member that is NOT in the whitelist. The comparison lowercases each member name and drops any "DOMAIN\" prefix, so the whitelist must contain one account or group name per line, in lowercase and without a domain prefix. Any member whose name does not match a line exactly (different case, trailing space, domain-qualified entry) is removed; this includes the built-in Administrator account if it is not listed. Because the prefix is dropped, two accounts with the same name in different domains cannot be told apart. Before the comparison the action checks the SHA-1 hash of the whitelist on the client against the backup copy left by the deploy task and restores the backup if they differ, so editing the whitelist on the endpoint has no lasting effect: change the file on the BES Server and run the deploy task again.
Action 2:
Prompts for a User ID that is then removed from the local "Administrators" group of the targeted endpoints.
Note:
1. Before running this task you must create the file "ComplianceWhitelist.txt" on the BES Server in the directory "<BES Server>\wwwrootbes\CustomDownloads\ComplianceWhitelist".
2. The task "Deploy ComplianceWhitelist File" must be run before this Fixlet will work properly. Action 1 reads the backup copy that task leaves under the client's actionsite download folder and cannot run if that copy is missing.
Property Details
25547
Beta - Preliminary testing ready for more
Enforce Admin Users Compliance
BESC
Utility-Manage Windows Admins
Mike Consuegra
9/7/2018 12:00:00 AM
Manage Local Windows Administrators
mxc0bbn on 9/17/2018 9:35:00 PM
mxc0bbn on 9/17/2018 9:35:00 PM
3664 Views / 28 Downloads
Relevance
Actions
Action 1 (default)
///////////////////////////////////
// TO SET DIFFERENT FILE NAMES AND
// LOCATIONS CHANGE THE FOLLOWING
// PARAMETER VALUES
///////////////////////////////////
parameter "primarywhitelist" = "{(parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist\ComplianceWhitelist.txt"}"
parameter "backupwhitelist" = "{(((data folder of client) as string) & "\__Global\__Download\actionsite\_listbackup.txt")}"
parameter "blacklist" = "{(parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist\blacklist.txt"}"
// -END- PARAMETER DECLARATIONS
// Verify that the whitelist file folder exists in the client directory
// (relevance goes in bare braces, as in the other if statements below)
if {exists folder ((parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist")}
// Delete any old version of the blacklist file
delete "{parameter "blacklist"}"
// Verify that the whitelist file in the ComplianceWhitelist folder exists
if {exists file (parameter "primarywhitelist")}
// Verify that the whitelist file has not been modified by the user
// If the hash of the file in the Client folder is the same as the backup file then remove the out-of-compliance admins.
// If the file hashes are different (the ELSE condition), copy the backup file to the client folder and remove the out-of-compliance admins.
if {sha1 of file (parameter "backupwhitelist") = sha1 of file (parameter "primarywhitelist")}
// Create the list of users that should NOT be in the Administrators Local Group (blacklist.txt)
createfile until EOF
{concatenation "%0d%0a" of (elements of (set of ((following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase)) - set of (unique values of (lines of file (parameter "primarywhitelist")))))}
EOF
move __createfile "{(parameter "blacklist")}"
// Wait until the blacklist.txt is created
pause while {not exists file (parameter "blacklist")}
// Delete any users that are not supposed to be in the admin group
dos for /F "usebackq tokens=*" %A in ("{(parameter "blacklist")}") do net localgroup administrators "%A" /delete
else
delete "{parameter "primarywhitelist"}"
dos copy /Y "{parameter "backupwhitelist"}" "{parameter "primarywhitelist"}"
// Create the list of users that should NOT be in the Administrators Local Group (blacklist.txt)
createfile until EOF
{concatenation "%0d%0a" of (elements of (set of ((following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase)) - set of (unique values of (lines of file (parameter "primarywhitelist")))))}
EOF
move __createfile "{(parameter "blacklist")}"
// Wait until the blacklist.txt is created
pause while {not exists file (parameter "blacklist")}
// Remove unauthorized users from Admin group
dos for /F "usebackq tokens=*" %A in ("{(parameter "blacklist")}") do net localgroup administrators "%A" /delete
endif
else
dos copy /Y "{parameter "backupwhitelist"}" "{parameter "primarywhitelist"}"
// Create the list of users that should NOT be in the Administrators Local Group (blacklist.txt)
createfile until EOF
{concatenation "%0d%0a" of (elements of (set of ((following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase)) - set of (unique values of (lines of file (parameter "primarywhitelist")))))}
EOF
move __createfile "{(parameter "blacklist")}"
// Wait until the blacklist.txt is created
pause while {not exists file (parameter "blacklist")}
// Remove unauthorized users from Admin group
dos for /F "usebackq tokens=*" %A in ("{(parameter "blacklist")}") do net localgroup administrators "%A" /delete
endif
else
// Create the ComplianceWhitelist folder in the client directory and copy the ComplianceWhitelist file from the backup file created by the "Deploy ComplianceWhitelist" task
dos mkdir "{(parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist"}"
dos copy /Y "{parameter "backupwhitelist"}" "{parameter "primarywhitelist"}"
// Delete any old version of the blacklist file
delete "{parameter "blacklist"}"
// Create the list of users that should NOT be in the Administrators Local Group (blacklist.txt)
createfile until EOF
{concatenation "%0d%0a" of (elements of (set of ((following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase)) - set of (unique values of (lines of file (parameter "primarywhitelist")))))}
EOF
move __createfile "{(parameter "blacklist")}"
// Wait until the blacklist.txt is created
pause while {not exists file (parameter "blacklist")}
// Remove unauthorized users from Admin group
dos for /F "usebackq tokens=*" %A in ("{(parameter "blacklist")}") do net localgroup administrators "%A" /delete
endif
This action will be considered successful when the applicability relevance evaluates to false.
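Action 1 above expresses the whole decision in relevance plus a `for /F` loop, which is hard to dry-run before it starts deleting group members. The Python below is an added example, not part of this Fixlet or of BigFix: it models the same steps on in-memory data (SHA-1 check of the whitelist against its backup, the same name normalisation the relevance applies, the set difference that becomes blacklist.txt, and the `net localgroup` commands the loop would issue) so a whitelist can be checked before the deploy task is run. The `net localgroup administrators` output and the whitelist contents are constructed samples, the function names are illustrative, and keeping a member name that has no backslash prefix as-is is an assumption about what the relevance sees. Nothing here touches a real group.

```python
"""Added example: dry-run model of Action 1 of 'Enforce Admin Users Compliance'.

Mirrors the relevance step by step on constructed data; no command is executed.
"""
from __future__ import annotations

import hashlib
import re

# Constructed sample of `net localgroup administrators` output on a domain-joined
# host (not captured from a real machine). Local accounts appear unqualified,
# domain accounts and groups carry a "DOMAIN\" prefix.
NET_LOCALGROUP_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
CORP\\svc-backup
localhelpdesk
The command completed successfully.

"""

# Constructed whitelist contents. The backup is the copy the deploy task left
# under the client's actionsite download folder; the "primary" copy is the one
# in the ComplianceWhitelist folder after someone on the endpoint appended
# their own account to it.
WHITELIST_BACKUP = b"administrator\r\ndomain admins\r\nsvc-backup\r\n"
WHITELIST_TAMPERED = WHITELIST_BACKUP + b"jdoe\r\n"


def parse_net_localgroup(output: str) -> list[str]:
    """Return the member names listed by `net localgroup <group>`."""
    members: list[str] = []
    in_list = False
    for line in output.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            in_list = True          # member list starts after the dashed rule
            continue
        if line.startswith("The command completed"):
            break
        if in_list and line.strip():
            members.append(line.strip())
    return members


def normalise(member: str) -> str:
    """Mirror `following texts of firsts "\\" of ... as lowercase`: keep the
    text after the first backslash and lowercase it. Assumption (not from the
    Fixlet): a name with no backslash is kept as-is instead of being dropped."""
    _, sep, name = member.partition("\\")
    return (name if sep else member).lower()


def whitelist_entries(content: bytes) -> set[str]:
    """`lines of file` yields each line verbatim (line ending removed), so the
    entries are NOT lowercased or trimmed here: a line written as
    "Domain Admins" or with a trailing space never matches a normalised name."""
    return {line for line in content.decode("utf-8").splitlines() if line}


def verify_whitelist(primary: bytes, backup: bytes) -> tuple[bytes, bool]:
    """SHA-1 check from Action 1: if the endpoint copy differs from the backup
    the backup wins and is copied over it. Returns (effective content, restored)."""
    if hashlib.sha1(primary).hexdigest() == hashlib.sha1(backup).hexdigest():
        return primary, False
    return backup, True


def build_blacklist(members: list[str], whitelist: set[str]) -> list[str]:
    """The set difference the relevance writes to blacklist.txt, one name per line."""
    return sorted({normalise(m) for m in members} - whitelist)


def removal_commands(blacklist: list[str]) -> list[str]:
    """What the `dos for /F ...` loop runs once per blacklist line."""
    return [f'net localgroup administrators "{name}" /delete' for name in blacklist]


def enforce(net_output: str, primary: bytes, backup: bytes) -> dict:
    """Run the whole Action 1 decision on in-memory data and report the outcome."""
    effective, restored = verify_whitelist(primary, backup)
    blacklist = build_blacklist(parse_net_localgroup(net_output), whitelist_entries(effective))
    return {"restored": restored, "blacklist": blacklist, "commands": removal_commands(blacklist)}


if __name__ == "__main__":
    result = enforce(NET_LOCALGROUP_OUTPUT, WHITELIST_TAMPERED, WHITELIST_BACKUP)
    print("whitelist restored from backup:", result["restored"])
    for cmd in result["commands"]:
        print(cmd)
```

With the tampered copy in place the model reports that the backup is restored, and only jdoe and localhelpdesk end up in blacklist.txt. Feed it a whitelist written in mixed case ("Administrator", "Domain Admins") and every member, the built-in Administrator included, is scheduled for removal, which is the mistake worth catching before the deploy task runs.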
Action 2
// Prompt the operator for a user ID to remove from the Administrators group of every targeted computer
action parameter query "UserID" with description "Enter the User ID to remove from the local Administrators group of targeted endpoints:"
// Remove the supplied user from the local Administrators group (no whitelist or blacklist is consulted in this action)
dos net localgroup administrators "{parameter "UserID" of action}" /delete
This action will be considered successful when all lines of the action script have completed successfully.