Custom probe/sensor Local Admins on a computer

doug_schulze
ServiceNow Employee

Created a new probe/sensor (available here) to fill the afternoon that pulls back the local administrators configured on a host. You will need to create a new table and, in that table, a reference field back to computer. As you can see in the sensor, I created a table (not extended from anything) called Local Administrators and a reference field to cmdb_ci_computer called Configured on. Props to Ryan Zulli for his all-star assist.

//Note that you should have custom tables that you are inserting the records into and syncing on

  this.addToRelatedList('u_local_administrators', adminList, 'u_configured_on', 'name');

Also, in the probe you'll see the command that is being run, 'net localgroup administrators'; you can easily change that to pull in 'net localgroup "remote desktop users"'.

Hope someone can get some good use from it!

And as always, remember sharing is caring..

7 REPLIES

Thank you!



I modified the script as Andrew suggested, added the probe to the classifier and it works beautifully! I also got 'Remote Desktop User' created and working. Thank you both for your help. Great learning experience for me!


Doug,



Although discovery runs and populates the local admins and remote desktop users with no errors, data was validated and we have found that regardless of what server is being discovered, the admins and remote desktop users being reported are those of the mid server being used. I verified it on several servers using different mid servers. I checked the ECC queue, and the source value and ci_sys_id are correct. I double-checked the script after making changes Andrew suggested and it appears correct. Also, the list is not being refreshed with each new discovery. Any suggestions?


doug_schulze
ServiceNow Employee

All,



Our good friend Candy's issue uncovered a problem with the probe. She showed me where the original command, net localgroup administrators, just ran the PowerShell on the MID server (derp). What it should be is: launchProcess -computer $computer -cred $cred -command 'net localgroup administrators'. Actually connect to the remote computer in context and run said command.. heh



Thank you, Candy, for showing me the errors in my ways; I'm that much smarter in PowerShell commands!



I've since updated the update set on share, including better comments in the sensor to help those implementing it the first time. If you have put this in place at your own spot you'll want to update yours as well, so download the new set and see all the changes...
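
A validation check for the problem reported in this thread (every discovered server showing the MID server's own members), as an added example that is not part of the original posts or the update set. It parses 'net localgroup' output and lists the targets whose members are identical to the MID server's; the function names, host names, accounts and output text are all constructed for illustration, and English-locale output is assumed.

```javascript
// Added example. Host names, accounts and output text are constructed sample data.
// Assumes English-locale `net localgroup` output (dashed rule, members, then footer).
function parseNetLocalgroup(output) {
  const lines = output.split(/\r?\n/).map((l) => l.trim());
  const rule = lines.findIndex((l) => /^-{5,}$/.test(l));
  if (rule === -1) return null; // error text or unexpected output: no member table
  const members = [];
  for (const line of lines.slice(rule + 1)) {
    if (/^The command completed/i.test(line)) break;
    if (line) members.push(line);
  }
  return members;
}

// Order- and case-insensitive key, so identical lists compare equal.
function fingerprint(members) {
  return members.map((m) => m.toLowerCase()).sort().join('|');
}

// Targets whose parsed list is identical to the MID server's own list.
function hostsEchoingMid(outputsByHost, midHost) {
  const midMembers = parseNetLocalgroup(outputsByHost[midHost]);
  if (midMembers === null) throw new Error('cannot parse MID server output');
  const midKey = fingerprint(midMembers);
  return Object.keys(outputsByHost).filter((host) => {
    if (host === midHost) return false;
    const members = parseNetLocalgroup(outputsByHost[host]);
    return members !== null && fingerprint(members) === midKey;
  });
}

// Build constructed sample output in the shape the command prints.
function sampleOutput(members) {
  return ['Alias name     administrators',
    'Comment        Administrators have complete and unrestricted access',
    '', 'Members', '', '-'.repeat(79), ...members,
    'The command completed successfully.', ''].join('\r\n');
}

const SAMPLE = {
  mid01: sampleOutput(['Administrator', 'CORP\\Domain Admins', 'CORP\\svc-mid']),
  'srv-app01': sampleOutput(['CORP\\svc-mid', 'administrator', 'CORP\\Domain Admins']),
  'srv-db01': sampleOutput(['Administrator', 'CORP\\Domain Admins', 'CORP\\dba-team']),
  'srv-old01': 'System error 5 has occurred.\r\n\r\nAccess is denied.\r\n',
};

console.log(hostsEchoingMid(SAMPLE, 'mid01')); // [ 'srv-app01' ]
```

A single match can be legitimate where a baseline puts the same accounts on every server; the pattern to look for is most or all targets matching the MID server, as described in the reply above.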