Local Administrators Group Monitor

Support forums for the Habitat Automate plugin
mwilhelmi
Posts: 37
Joined: Thu Nov 19, 2020 7:16 am

Local Administrators Group Monitor

Post by mwilhelmi »

Hi,

This feature is not showing any users on most computers. Just some Macs and 2 Windows servers show users.
Can we somehow enforce the scan?

Cubert
Posts: 2430
Joined: Tue Dec 29, 2015 7:57 pm

Re: Local Administrators Group Monitor

Post by Cubert »

The following SQL should generate a list of enabled clients' agents that are currently showing as online.

Execute this in your SQL analyzer to see if the missing agents' IDs show up in the list.

Code:

Select DISTINCT ComputerID FROM computers WHERE LastContact > date_add(now(),interval -5 minute)
and ClientID IN (Select ClientID FROM `plugin_p4a_habitat_lagm_config` Where MasterSwitch = 1)
[Image: Capture1.PNG]


Next, if the agent ID is in the list, then look at the agent's script logs to see whether the Habitat LAGM script is being queued up or not. It should be happening on the half hour, as seen in the image below.

[Image: Capture.PNG]

If that is being queued, then it has a response in the script logs. What was that response? It will also have a set of commands that ran during the script and that will show up in the Commands log; what was the output of those commands?

If the agent is not in the above list, then either the client is disabled for LAGM or "LastContact > date_add(now(),interval -5 minute)" was negative, so the agent looks to be offline. Remove this from the SQL and see if the agent ID now shows up in the list.

Code:

Select DISTINCT ComputerID FROM computers WHERE ClientID IN (Select ClientID FROM `plugin_p4a_habitat_lagm_config` Where MasterSwitch = 1)

mwilhelmi
Posts: 37
Joined: Thu Nov 19, 2020 7:16 am

Re: Local Administrators Group Monitor

Post by mwilhelmi »

I picked one agent. It is in the list of the SQL query, but does not show local admins.
Output of the LAGM log:
The Script(319) was successful in the Then section.

Script: S319 - Starting at Server Time: Mittwoch, 19. Mai 2021 14:32:16
Script step logging has been disabled. Please set @ScriptEngineEnableLogger@ = True in your script to enable function logging.

Cubert
Posts: 2430
Joined: Tue Dec 29, 2015 7:57 pm

Re: Local Administrators Group Monitor

Post by Cubert »

Good, you are scheduling the script and it does run against the agent. Now we need to look at the actual results from those scans.

In the script logs the log should look like so:
[Image: Capture.PNG]


If you see this type of log, then next let's look at the command that ran.

To find the command, note the time that the script ran; in this case it was 9:35am. Now look at the commands log at 9:35am to find the "Invoke script" command that is getting the local admins group from the agent.

[Image: Capture1.PNG]

Highlight that command and look at the results area. What is listed there?

If the result is blank then that would explain the lack of data.

Try running the POSH script locally (manually):

Code:

# List the local Administrators group via NET LOCALGROUP, dropping blank lines and
# the trailing status line, then skipping the four header lines (Alias, Comment,
# Members, dashed separator) so only member names remain.
$myadmins = net localgroup administrators | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4 -ErrorAction SilentlyContinue
$i = 0
foreach ($admin in $myadmins){
    # Escape backslashes (DOMAIN\user) for the SQL string literal
    $admin = $admin.Replace("\","\\")
    if($i -eq 0){
        write-output "( %clientid% ,  %computerid% , NOW(), '$admin')"
    }else{
        # Later rows are comma-prefixed so the output forms one VALUES list
        write-output ",( %clientid% ,  %computerid% , NOW(), '$admin')"
    }
    $i++
}

What kind of output do you get from the agent? The POSH script uses the "NET LOCALGROUP" Windows command to retrieve the administrators group users.

If you run the "net localgroup administrators" command in the local command shell of the agent, do you get a list of admins?

[Image: Capture.PNG]
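For checking the parse step on captured output, here is an added example (not the Habitat plugin's own script) that takes the raw lines of "net localgroup administrators" as input, so it can be fed a saved copy of an agent's output offline. It locates the member names by the dashed separator line and drops the final status line by position rather than by matching the English "command completed successfully" text, and it escapes single quotes as well as backslashes; the %clientid% and %computerid% placeholders are assumed to be substituted by Automate exactly as in the original script, and the sample output below is constructed.

```powershell
# Added example, not the Habitat plugin's script. Parses "net localgroup administrators"
# output from an array of lines and emits the same "( %clientid% ,  %computerid% , NOW(), 'name')"
# rows the plugin's INSERT expects. %clientid% / %computerid% are assumed to be
# substituted by Automate, as in the original script.
function ConvertTo-LagmRows {
    param([string[]]$NetOutput)

    $inMembers = $false
    $members = @()
    foreach ($line in $NetOutput) {
        if (-not $inMembers) {
            # Member names begin right after the dashed separator line
            if ($line -match '^-{5,}\s*$') { $inMembers = $true }
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $members += $line.Trim()
    }
    # The status message ("The command completed successfully.", or its localized form)
    # is the last non-blank line, so drop it by position instead of matching its text.
    if ($members.Count -gt 0) { $members = $members[0..($members.Count - 2)] }

    $rows = @()
    foreach ($name in $members) {
        # Escape for a single-quoted SQL literal: backslashes (DOMAIN\user) and embedded quotes
        $escaped = $name.Replace('\', '\\').Replace("'", "''")
        $prefix = if ($rows.Count -eq 0) { '' } else { ',' }
        $rows += "$prefix( %clientid% ,  %computerid% , NOW(), '$escaped')"
    }
    return $rows
}

# Constructed sample of English-locale output, for an offline check of the parser
$sample = @(
    'Alias name     administrators',
    'Comment        Administrators have complete and unrestricted access to the computer/domain',
    '',
    'Members',
    '',
    '-------------------------------------------------------------------------------',
    'Administrator',
    'CONTOSO\Domain Admins',
    "CONTOSO\o'brien",
    'The command completed successfully.'
)

ConvertTo-LagmRows -NetOutput $sample
# On a live agent: ConvertTo-LagmRows -NetOutput (net localgroup administrators)
```

If the function returns rows for the saved output but the agent's command log shows an empty result, the difference lies in what the agent actually received from NET LOCALGROUP rather than in the parsing.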
