02/13/2019 104 views

Would like to use a smart group to audit my Win10 device where a local admin account pw is greater than 90 days. 

I was thinking of creating a CIR using the: net user <username> | find /I "password last set" command with output:

Password last set            2/6/2019 2:59:22 PM

but not sure how I can leverage a smart group to specifically read the actual date.  

I was thinking I can maybe output part of it to a file on the device and somehow read it that way, or is there a registry entry where the date is stored?

Any advice?




Community Chosen Answer

1

That will bring in a text string, not a date string, so it is not of much use for what you want.  I would look at PowerShell for extracting that information.


Do all your local administrator accounts have the same password that you control?

Answered 02/14/2019 by: SMal.tmcc
Red Belt

  • They do have the same password that we control. I have a script to change it, but also want a smart group for security / auditing purposes.

    I'm not very good at PowerShell so I was hoping to see if there were other options.
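
The PowerShell route suggested in this answer, as an added example that is not part of the original thread: it reads the account's last password change as a real date and prints the password age in whole days, a number that can be compared against 90 without parsing locale-formatted `net user` text. `adminuser` is the placeholder account name used in this thread; the function name and the `-1` sentinel are choices made for this example.

```powershell
# Added example: print the age, in whole days, of a local account's password.
# 'adminuser' is the placeholder account name used in this thread.
param(
    [string]$UserName = 'adminuser'
)

function Get-LocalPasswordAgeDays {
    param([Parameter(Mandatory)][string]$Name)

    # Get-LocalUser ships with Windows PowerShell 5.1 (Windows 10).
    # A missing account raises a non-terminating error, suppressed here.
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) { return $null }

    # PasswordLastSet is a [datetime]; it is empty if no password was ever set.
    if (-not $user.PasswordLastSet) { return $null }

    # Date arithmetic on the object, so regional date formats do not matter.
    $age = (Get-Date) - $user.PasswordLastSet
    return [int][math]::Floor($age.TotalDays)
}

$days = Get-LocalPasswordAgeDays -Name $UserName

if ($null -eq $days) {
    # Sentinel chosen for this example: account missing or password never set.
    # It will not match a "greater than 90" filter, so audit it separately.
    Write-Output -1
}
else {
    # Single integer on stdout, e.g. 9 for a password set nine days ago.
    Write-Output $days
}
```

Run as a script file, the only output is one integer, so a numeric inventory field can be filtered on "greater than 90".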

All Answers

0

Try this:

ShellCommandDateReturn(for /f "usebackq tokens=*" %a in (`net user adminuser ^| find /I "Password last set"`) do echo off & set DT=%a & echo %DT:~28%)


References:

https://ss64.com/nt/syntax-substring.html

https://stackoverflow.com/questions/2768608/batch-equivalent-of-bash-backticks


Answered 02/15/2019 by: chucksteel
Red Belt

  • Thanks! You got me on the right track. I changed it up a little and it's working this way in command line:

    (for /f "usebackq tokens=*" %a in ('net user adminuser ^| find /I "Password last set"') do @echo off & set DT=%a & @echo on & @echo %DT:~28%)
    • Maybe I am a little crazy but I am getting mixed results on output. Sometimes I get the date as the output and sometimes I get %DT:~28% instead.
      • Hmm. I would probably connect to a machine remotely with psexec and run the command and see what you get. Could be OS differences?
0

You could also do it this way and check if this is working on all clients:

(for /f "tokens=4,5" %a in ('net user administrator ^| find /I "Password last set"') do echo %a %b )

Answered 02/19/2019 by: MGruber
White Belt