/build/static/layout/Breadcrumb_cap_w.png

Scripting Question


K1000 - Create Smart Group for devices with local account password older than 90 days

02/13/2019 547 views

Would like use a smart group to audit my Win10 device where a local admin account pw is greater than 90 days. 

I was thinking of creating a CIR using the: net user <username> | fiind /I "password last set" command wiith output:

Password last set            2/6/2019 2:59:22 PM

but not sure how I can leverage a smart group to specifically read the actual date.  

I was thinking I can maybe output part of it to a file on the device and somehow read it that way, or is there a registry entry where the date is stored?

Any advice?

0 Comments   [ + ] Show comments

Comments



Community Chosen Answer

1

That will bring in a text string not a date string so it is not of much use for what you want.  I would look at powershell for extracting that information.


Do all your local administrators accounts have the same password that you control?

Answered 02/14/2019 by: SMal.tmcc
Red Belt

  • They do have the same password that we control. I have a script to change it, but also want a smart group for security / auditing purposes.

    Im not very good at powershell so I was hoping to see if there were other options.

All Answers

0

Try this:

ShellCommandDateReturn(for /f "usebackq tokens=*" %a in (`net user adminuser ^| find /I "Password last set"`) do echo off & set DT=%a & echo %DT:~28%)


References:

https://ss64.com/nt/syntax-substring.html

https://stackoverflow.com/questions/2768608/batch-equivalent-of-bash-backticks


Answered 02/15/2019 by: chucksteel
Red Belt

  • Thanks! You got me on the right track. I changed it up a little and it's working this way in command line:

    (for /f "usebackq tokens=*" %a in ('net user adminuser ^| find /I "Password last set"') do @echo off & set DT=%a & @echo on & @echo %DT:~28%)
    • Maybe I am a little crazy but I am getting mixed results on output. Sometimes I get the date as the output and sometimes I get %DT:~28% instead.
      • Hmm. I would probably connect to a machine remotely with psexec and run the command and see what you get. Could be OS differences?
0

You could also do it this way and check if this is working on all clients:

(for /f "tokens=4,5" %a in ('net user administrator ^| find /I "Password last set"') do echo %a %b )

Answered 02/19/2019 by: MGruber
Senior White Belt

  • That works really well. I can get the output to be 03/01/2019

    Is there a way to create a smart group based off the output date to find passwords not reset before 10/01/2018 for example?
    • You can make a custom inventory (new software) with ShellCommandDateReturn. Then you are able to filter in Device Inventory.
      • Sorry, I am not following what you mean "Filter In Device Inventory"

        So if I do, ShellCommandDateReturn(for /f "tokens=4,5" %a in ('net user administrator ^| find /I "Password last set"') do @echo %a)

        How do I filter by the result specifically?
  • If the computer makes an inventory you will see the result of the command / software in the device inventory under Software --> Custom Inventory Fields. If you then go to the list of all your computers you can make an advanced search. Go to the bottom to see the custom inventory fields.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ