K1000 - Create Smart Group for devices with local account password older than 90 days
Would like use a smart group to audit my Win10 device where a local admin account pw is greater than 90 days.
I was thinking of creating a CIR using the: net user <username> | fiind /I "password last set" command wiith output:
Password last set 2/6/2019 2:59:22 PM
but not sure how I can leverage a smart group to specifically read the actual date.
I was thinking I can maybe output part of it to a file on the device and somehow read it that way, or is there a registry entry where the date is stored?
Any advice?
Answers (3)
That will bring in a text string not a date string so it is not of much use for what you want. I would look at powershell for extracting that information.
Do all your local administrators accounts have the same password that you control?
Comments:
-
They do have the same password that we control. I have a script to change it, but also want a smart group for security / auditing purposes.
Im not very good at powershell so I was hoping to see if there were other options. - KaceBuddy 5 years ago
Try this:
ShellCommandDateReturn(for /f "usebackq tokens=*" %a in (`net user adminuser ^| find /I "Password last set"`) do echo off & set DT=%a & echo %DT:~28%)
References:
https://ss64.com/nt/syntax-substring.html
https://stackoverflow.com/questions/2768608/batch-equivalent-of-bash-backticks
Comments:
-
Thanks! You got me on the right track. I changed it up a little and it's working this way in command line:
(for /f "usebackq tokens=*" %a in ('net user adminuser ^| find /I "Password last set"') do @echo off & set DT=%a & @echo on & @echo %DT:~28%) - KaceBuddy 5 years ago-
Maybe I am a little crazy but I am getting mixed results on output. Sometimes I get the date as the output and sometimes I get %DT:~28% instead. - KaceBuddy 5 years ago
-
Hmm. I would probably connect to a machine remotely with psexec and run the command and see what you get. Could be OS differences? - chucksteel 5 years ago
You could also do it this way and check if this is working on all clients:
(for /f "tokens=4,5" %a in ('net user administrator ^| find /I "Password last set"') do echo %a %b )
Comments:
-
That works really well. I can get the output to be 03/01/2019
Is there a way to create a smart group based off the output date to find passwords not reset before 10/01/2018 for example? - KaceBuddy 5 years ago-
You can make a custom inventory (new software) with ShellCommandDateReturn. Then you are able to filter in Device Inventory. - MGruber 5 years ago
-
Sorry, I am not following what you mean "Filter In Device Inventory"
So if I do, ShellCommandDateReturn(for /f "tokens=4,5" %a in ('net user administrator ^| find /I "Password last set"') do @echo %a)
How do I filter by the result specifically? - KaceBuddy 5 years ago
-
If the computer makes an inventory you will see the result of the command / software in the device inventory under Software --> Custom Inventory Fields. If you then go to the list of all your computers you can make an advanced search. Go to the bottom to see the custom inventory fields. - MGruber 5 years ago