
K1000 - Create Smart Group for devices with local account password older than 90 days

Would like to use a smart group to audit my Win10 device where a local admin account pw is greater than 90 days.

I was thinking of creating a CIR using the: net user <username> | find /I "password last set" command with output:

Password last set            2/6/2019 2:59:22 PM

but not sure how I can leverage a smart group to specifically read the actual date.  

I was thinking I can maybe output part of it to a file on the device and somehow read it that way, or is there a registry entry where the date is stored?

Any advice?



Answers (3)

Posted by: SMal.tmcc 5 years ago
Red Belt
1

That will bring in a text string, not a date string, so it is not of much use for what you want.  I would look at PowerShell for extracting that information.


Do all your local administrator accounts have the same password that you control?


Comments:
  • They do have the same password that we control. I have a script to change it, but also want a smart group for security / auditing purposes.

    I'm not very good at PowerShell so I was hoping to see if there were other options. - KaceBuddy 5 years ago
Posted by: chucksteel 5 years ago
Red Belt
0

Try this:

ShellCommandDateReturn(for /f "usebackq tokens=*" %a in (`net user adminuser ^| find /I "Password last set"`) do echo off & set DT=%a & echo %DT:~28%)


References:

https://ss64.com/nt/syntax-substring.html

https://stackoverflow.com/questions/2768608/batch-equivalent-of-bash-backticks



Comments:
  • Thanks! You got me on the right track. I changed it up a little and it's working this way in command line:

    (for /f "usebackq tokens=*" %a in ('net user adminuser ^| find /I "Password last set"') do @echo off & set DT=%a & @echo on & @echo %DT:~28%) - KaceBuddy 5 years ago
    • Maybe I am a little crazy but I am getting mixed results on output. Sometimes I get the date as the output and sometimes I get %DT:~28% instead. - KaceBuddy 5 years ago
      • Hmm. I would probably connect to a machine remotely with psexec and run the command and see what you get. Could be OS differences? - chucksteel 5 years ago
Posted by: MGruber 5 years ago
Senior White Belt
0

You could also do it this way and check if this is working on all clients:

(for /f "tokens=4,5" %a in ('net user administrator ^| find /I "Password last set"') do echo %a %b )


Comments:
  • That works really well. I can get the output to be 03/01/2019

    Is there a way to create a smart group based off the output date to find passwords not reset before 10/01/2018 for example? - KaceBuddy 5 years ago
    • You can make a custom inventory (new software) with ShellCommandDateReturn. Then you are able to filter in Device Inventory. - MGruber 5 years ago
      • Sorry, I am not following what you mean by "Filter In Device Inventory".

        So if I do, ShellCommandDateReturn(for /f "tokens=4,5" %a in ('net user administrator ^| find /I "Password last set"') do @echo %a)

        How do I filter by the result specifically? - KaceBuddy 5 years ago
  • If the computer makes an inventory you will see the result of the command / software in the device inventory under Software --> Custom Inventory Fields. If you then go to the list of all your computers you can make an advanced search. Go to the bottom to see the custom inventory fields. - MGruber 5 years ago
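
The PowerShell route suggested in the first answer, as an added example that is not part of any post in this thread: it reads `PasswordLastSet` from `Get-LocalUser` instead of parsing the localized text that `net user` prints, and emits one line with a status, an ISO date and the age in days. The default account name, the 90-day threshold and the output layout are assumptions; how a custom inventory rule on the appliance consumes that line is not covered here.

```powershell
# Added example (not from the thread). Reports the age of a local account's
# password without parsing the locale-dependent output of `net user`.
param(
    [string]$AccountName = 'administrator',  # assumed account name, as used in the thread
    [int]$MaxAgeDays = 90                    # threshold taken from the question
)

function Get-PasswordAgeStatus {
    param(
        [Nullable[datetime]]$PasswordLastSet,
        [int]$MaxAgeDays,
        [datetime]$Now = (Get-Date)
    )
    if ($null -eq $PasswordLastSet) {
        # A password that was never set cannot be within policy.
        return [pscustomobject]@{ LastSet = 'never'; AgeDays = -1; Status = 'STALE' }
    }
    $ageDays = [int][math]::Floor(($Now - $PasswordLastSet).TotalDays)
    $status = if ($ageDays -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
    [pscustomobject]@{
        LastSet = $PasswordLastSet.ToString('yyyy-MM-dd')  # same format on every locale
        AgeDays = $ageDays
        Status  = $status
    }
}

try {
    # Get-LocalUser ships with Windows PowerShell 5.1 on Windows 10.
    $user = Get-LocalUser -Name $AccountName -ErrorAction Stop
    $r = Get-PasswordAgeStatus -PasswordLastSet $user.PasswordLastSet -MaxAgeDays $MaxAgeDays
    # One line of output so an inventory rule can capture it as a single value.
    '{0} {1} {2}' -f $r.Status, $r.LastSet, $r.AgeDays
}
catch {
    # Account missing or cmdlet unavailable: report it rather than print nothing.
    "UNKNOWN $AccountName $($_.Exception.Message)"
}
```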
