Integrate AccessChk.exe with DCM Scripts


The DCM feature supports a powerful way to discover data by using scripting. By invoking AccessChk.exe from DCM scripts, the user rights assignment data that AccessChk.exe outputs can be collected by the DCM scripting data discovery provider. The following procedure shows how to use Microsoft Visual Basic Scripting Edition (VBScript) together with the DCM feature to collect data about user rights assignments. To use this procedure, you must have access to a computer running Configuration Manager 2007.


To add a setting using the DCM feature that uses VBScript to collect user rights assignment data


1.       In the left pane of the Configuration Manager Console, expand the Desired Configuration Management folder, right-click the folder to access the submenu, and then choose Configuration Item.


2.       In the Create Operating System Configuration Item Wizard, choose to create a new operating system configuration item (CI), and then on the Identification tab, name it. For example, you could name it “User Rights Assignment by AccessChk.”


3.       Type a description for the CI (optional), and then click Next.


4.       On the Microsoft Windows Version page, select or type the corresponding Windows operating system version information, click Next to access the Objects page, and then on this page click Next to access the Settings page.


5.       On the Settings page, select the Settings node, click New, and then in the drop-down menu, select Script to open the New Script Setting Properties dialog.


6.       On the General tab of the New Script Setting Properties dialog, provide a setting Display Name. For example, Remove computer from docking station.


7.       Provide a Description (optional).


8.       For Script Language, select VBScript (or your preferred language if you integrate AccessChk in another language).


9.       Copy the VBScript from the next section of this article to the Script text box.


10.   Change the second line in the script to the correct input parameters. For example, define the rule for “SeUndockPrivilege” as “Allowed” in this case. (See the table in the previous section for all available input parameters.)


11.  On the Validation tab of the New Script Setting Properties dialog, ensure that Data Type is set to String.


12.   Click New under the Details list box to create a new validation rule.


13.   In the Name and Description fields, provide information for your new validation rule.


14.   Ensure that Operator is set to Equals.


15.   Define the Value (the account list) that you want to allow or deny for the user rights assignment.


16.   Select Severity, and then choose the severity level for the new validation rule.


17.   Click OK in the New Script Setting Properties dialog to save the new setting.


18.   Click Finish on the Settings tab to go to the Summary page.


19.   Click Next after reviewing the summary.


20.   Click Finish on the Confirmation page.



 


Sample DCM Feature VBScript for User Rights Assignments


Here is a VBScript that you can use with the DCM feature to obtain user rights assignments:


Option Explicit

' Second line: set the user right, "Allowed" or "Denied", and the baseline account list here
WScript.Echo ValidateSetting("SeNetworkLogonRight", "Allowed", "Administrators,Authenticated Users")
'WScript.Echo ValidateSetting("SeDenyBatchLogonRight", "Denied", "Authenticated Users")


Function ValidateSetting(userRightProperty, SeType, baselineValue)

    On Error Resume Next

    ' Get the expected values and the actual values we are testing against
    Dim ExpectedValues, ActualValues
    ExpectedValues = baselineValue

    ' Poll LSA data through accesschk
    ActualValues = PollAccessChkForSettings(userRightProperty)
    If ActualValues = "" Then
        ' The line below assumes the DCM rule value (OperandA) is "NO ONE" when no account holds the user right
        ActualValues = "NO ONE"
    End If

    ' Do our validation
    If SeType = "Allowed" Then
        ValidateSetting = ValidateAllowedResults(ExpectedValues, ActualValues)
    Else
        ValidateSetting = ValidateDeniedResults(ExpectedValues, ActualValues)
    End If

    ' Error checking: make sure our function returns something
    If ValidateSetting = "" Then
        ValidateSetting = "ValidateSetting returned Nothing or Empty"
        If Err.Number <> 0 Then
            ValidateSetting = ValidateSetting & ", Error: " & Err.Number
            ValidateSetting = ValidateSetting & ", Error (Hex): " & Hex(Err.Number)
            ValidateSetting = ValidateSetting & ", Source: " & Err.Source
            ValidateSetting = ValidateSetting & ", Description: " & Err.Description
            Err.Clear
        End If
    End If

End Function


' Validate allowed results
Function ValidateAllowedResults(ExpectedValues, ActualValues)

    On Error Resume Next

    ' We are always compliant if no one has the privilege
    If UCase(Trim(ActualValues)) = "NO ONE" Then
        ValidateAllowedResults = ExpectedValues
        Exit Function
    End If

    ' Verify that the actual list of users is a subset of the expected list of users
    Dim ActualValueList, ExpectedValueList, ActualValue, ExpectedValue, Result
    ActualValueList = Split(UCase(ActualValues), ",")
    ExpectedValueList = Split(UCase(ExpectedValues), ",")

    ' Verify all the actual users are in the list of expected users
    For Each ActualValue In ActualValueList
        ' Find whether the actual value is in the list of expected values
        Result = False
        For Each ExpectedValue In ExpectedValueList
            If Trim(ActualValue) = Trim(ExpectedValue) Then
                Result = True
                Exit For
            End If
        Next

        ' An account holds the right that is not in the baseline: return what was found
        If Result = False Then
            ValidateAllowedResults = ActualValues
            Exit Function
        End If
    Next

    ' Passed all tests
    ValidateAllowedResults = ExpectedValues

End Function


' Validate denied results
Function ValidateDeniedResults(ExpectedValues, ActualValues)

    On Error Resume Next

    ' We are always compliant if no one is expected to be denied the privilege
    If UCase(Trim(ExpectedValues)) = "NO ONE" Then
        ValidateDeniedResults = ExpectedValues
        Exit Function
    End If

    ' We are never compliant if no one has been denied the privilege but someone was expected
    If UCase(Trim(ActualValues)) = "NO ONE" Then
        ValidateDeniedResults = ActualValues
        Exit Function
    End If

    ' Verify that the expected list of users is a subset of the actual list of users
    Dim ActualValueList, ExpectedValueList, ActualValue, ExpectedValue, Result
    ActualValueList = Split(UCase(ActualValues), ",")
    ExpectedValueList = Split(UCase(ExpectedValues), ",")

    ' Verify all the expected users are in the list of actual users
    For Each ExpectedValue In ExpectedValueList
        ' Find whether the expected value is in the list of actual values
        Result = False
        For Each ActualValue In ActualValueList
            If Trim(ActualValue) = Trim(ExpectedValue) Then
                Result = True
                Exit For
            End If
        Next

        ' A baseline account is not actually denied: return what was found
        If Result = False Then
            ValidateDeniedResults = ActualValues
            Exit Function
        End If
    Next

    ' Passed all tests
    ValidateDeniedResults = ExpectedValues

End Function


' Return a comma-delimited list of the accounts that hold the user right we are polling
Function PollAccessChkForSettings(userRightProperty)

    On Error Resume Next

    Dim Result, timeout, accountArray, objWshell, oExec

    Set objWshell = WScript.CreateObject("WScript.Shell")

    ' Initialise to Nothing so that the check below works when Exec fails
    ' (an uninitialised variant would raise "Object required" and the check would be skipped)
    Set oExec = Nothing
    Set oExec = objWshell.Exec("accesschk.exe -a " & userRightProperty)

    If oExec Is Nothing Then
        PollAccessChkForSettings = "ERROR: objWshell.Exec returned null, please check if accesschk.exe exists."
        Exit Function
    End If

    ' Wait for the program to finish (200 x 10 ms = 2 seconds)
    timeout = 200
    Do While oExec.Status = 0 And timeout > 0
        WScript.Sleep 10
        timeout = timeout - 1
    Loop

    If oExec.Status = 0 Then
        PollAccessChkForSettings = "ERROR: Timed Out"
        Exit Function
    Else
        Result = oExec.StdOut.ReadAll
        If Result = "" Then
            PollAccessChkForSettings = "ERROR: Get Data Failed"
            Exit Function
        Else
            ' No valid data found: accesschk reports this when no account holds the right
            If InStr(Result, "No more data is available") > 0 Then
                PollAccessChkForSettings = ""
                Exit Function
            End If

            ' Concatenate the accounts into a string with a comma delimiter
            Dim i, j, value
            accountArray = Split(Result, vbCrLf)
            For i = 0 To UBound(accountArray) - 1
                If PollAccessChkForSettings <> "" Then
                    PollAccessChkForSettings = PollAccessChkForSettings & ","
                End If

                value = Replace(accountArray(i), Chr(9), "")
                value = Trim(value)

                ' Strip the DOMAIN\ or BUILTIN\ prefix so only the account name is compared
                j = InStrRev(value, "\")
                If j = 0 Then
                    PollAccessChkForSettings = PollAccessChkForSettings & UCase(value)
                Else
                    PollAccessChkForSettings = PollAccessChkForSettings & UCase(Right(value, Len(value) - j))
                End If
            Next
            'WScript.Echo PollAccessChkForSettings
        End If
    End If

End Function
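The same validation logic as an added PowerShell example (not part of the original post), for DCM versions that accept PowerShell script settings: it is fed constructed accesschk-style output so it can be exercised without accesschk.exe, and the function names Get-RightHolders and Test-UserRight are my own. Omitting -RawOutput assumes accesschk.exe is on the PATH.

```powershell
# Added example, not from the original post: the VBScript validation above ported to
# PowerShell, fed with CONSTRUCTED accesschk-style output so it runs without accesschk.exe.
# Omit -RawOutput to call accesschk.exe -a <right> for real (assumed to be on PATH).

function Get-RightHolders {
    param([string]$UserRight, $RawOutput)
    if ($null -eq $RawOutput) {
        $RawOutput = (& accesschk.exe -a $UserRight 2>&1) -join "`r`n"
    }
    # accesschk prints this when no account holds the right
    if ($RawOutput -match 'No more data is available') { return @() }
    $holders = foreach ($line in ($RawOutput -split "`r?`n")) {
        $v = $line.Trim()
        if ($v -ne '') { ($v -split '\\')[-1].ToUpperInvariant() }   # drop DOMAIN\ prefix
    }
    return @($holders)
}

function Test-UserRight {
    param([string]$UserRight, [string]$SeType, [string]$Baseline, $RawOutput)
    $expected = @($Baseline -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() })
    $actual   = @(Get-RightHolders -UserRight $UserRight -RawOutput $RawOutput)
    $actualText = if ($actual.Count) { $actual -join ',' } else { 'NO ONE' }

    if ($SeType -eq 'Allowed') {
        # Compliant when nobody holds the right or every holder is in the baseline
        $extra = @($actual | Where-Object { $expected -notcontains $_ })
        $compliant = ($extra.Count -eq 0)
    } else {
        # Compliant when the baseline is NO ONE, or every baseline account is denied
        if ($expected -contains 'NO ONE') { $compliant = $true }
        elseif ($actual.Count -eq 0) { $compliant = $false }
        else {
            $missing = @($expected | Where-Object { $actual -notcontains $_ })
            $compliant = ($missing.Count -eq 0)
        }
    }
    # The DCM rule uses Operator = Equals with Value = baseline: return the baseline
    # verbatim when compliant, otherwise what accesschk reported so the rule fails
    # and the report shows the offending accounts.
    if ($compliant) { $Baseline } else { $actualText }
}

# Constructed sample: SeNetworkLogonRight where Everyone was added outside the baseline
$sample = "`tBUILTIN\Administrators`r`n`tNT AUTHORITY\Authenticated Users`r`n`tEveryone`r`n"
Test-UserRight SeNetworkLogonRight Allowed 'Administrators,Authenticated Users' $sample
Test-UserRight SeDenyBatchLogonRight Denied 'Guests' "`tBUILTIN\Guests`r`n"
```

The first call returns the list accesschk reported (Everyone is not in the baseline), so an Equals rule against the baseline fails and the report names the extra account; the second returns the baseline and passes.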


 


If you are interested in the complete script listing for DCM, you can download it from HERE 


To improve the accuracy and integrity of Security Compliance Management, collecting user rights assignment data from the right location is critical for security compliance reports. The newly updated AccessChk.exe can be integrated into the Desired Configuration Management feature of Microsoft Configuration Manager 2007 to achieve this.


 


 


 

Comments (1)

  1. Cui Mei says:

    Hi,

    I tried to access the URL that contains many DCM scripts, but failed. Could you please provide the new link or send the script to me?