Hi,
this feature is not showing any users on most computers. Just some Macs and 2 Windows servers show users.
Can we somehow enforce the scan?
Local Administrators Group Monitor
Re: Local Administrators Group Monitor
The following SQL should generate a list of enabled clients' agents that are currently showing as online.
Execute this in your SQL analyzer to see if the missing agents' IDs show up in the list.
Code: Select all
Select DISTINCT ComputerID FROM computers WHERE LastContact > date_add(now(),interval -5 minute)
and ClientID IN (Select ClientID FROM `plugin_p4a_habitat_lagm_config` Where MasterSwitch = 1)
Next, if the agent ID is in the list, then look at the agent's script logs to see if the Habitat LAGM script is being queued up or not. It should be happening on the half hour, as seen in the image below.
If that is being queued, then it has a response in the script logs. What was that response? It will also have a set of commands that ran during the script that will show up in the Commands log. What was the output of those commands?
If the agent is not in the above list, then either the Client is disabled for LAGM or "LastContact > date_add(now(),interval -5 minute)" was negative, so the agent looks to be offline. Remove this from the SQL and see if the agent ID now shows up in the list.
Code: Select all
Select DISTINCT ComputerID FROM computers WHERE ClientID IN (Select ClientID FROM `plugin_p4a_habitat_lagm_config` Where MasterSwitch = 1)
Re: Local Administrators Group Monitor
I picked one agent. It is in the list of the SQL query, but does not show local admins.
Output of the LAGM log:
The Script(319) was successful in the Then section.
Script: S319 - Starting at Server Time: Mittwoch, 19. Mai 2021 14:32:16
Script step logging has been disabled. Please set @ScriptEngineEnableLogger@ = True in your script to enable function logging.
Re: Local Administrators Group Monitor
Good, you are scheduling the script and it does run against agent. Now we need to look at the actual results from those scans.
In the script logs the log should look like so:
If you see this type of log, then next let's look at the command that ran.
To find the command, note the time that the script ran; in this case it was 9:35am. Now look at the commands log during 9:35am to find the "Invoke script" command that is getting the local admins group from the agent.
Highlight that command and look at the results area. What is listed there?
If the result is blank, then that would explain the lack of data.
Try running the POSH script locally (manually):
Code: Select all
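# Read the local Administrators group, drop blank lines and the trailing status
# line, then skip the 4 header lines that precede the member list.
$myadmins = net localgroup administrators | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4 -ErrorAction SilentlyContinue
$i = 0
foreach ($admin in $myadmins){
    # Double each backslash so DOMAIN\user survives inside the SQL string literal.
    $admin = $admin.Replace("\","\\")
    # Emit one VALUES tuple per member; every tuple after the first gets a leading comma.
    # %clientid% and %computerid% are the script's placeholders for the agent's IDs.
    if($i -eq 0){
        write-output "( %clientid% , %computerid% , NOW(), '$admin')"
    }else{
        write-output ",( %clientid% , %computerid% , NOW(), '$admin')"
    }
    $i++
}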
What kind of output do you get from the agent? The POSH script uses the "NET LOCALGROUP" Windows commands to retrieve administrators group users.
If you run the "net localgroup administrators" command in the local command shell of the agent, do you get a list of admins?
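
An added example, not part of the thread and not the Habitat plugin's own script: `net localgroup` looks the group up by its display name and prints localized text, so the literal `administrators` and the "command completed successfully" filter only match on English-language Windows. This version resolves the group by its well-known SID `S-1-5-32-544` instead and emits the same `VALUES` tuples; the `$ClientId`/`$ComputerId` parameters are hypothetical stand-ins for `%clientid%`/`%computerid%`, and the single-quote escaping is an addition.

```powershell
# Added example (not the plugin's script): list local Administrators members
# by well-known SID so the result does not depend on the OS display language.
param(
    [int]$ClientId   = 1,   # hypothetical stand-in for %clientid%
    [int]$ComputerId = 1    # hypothetical stand-in for %computerid%
)

$AdminSid = 'S-1-5-32-544'  # built-in Administrators group on every Windows host

function Get-LocalAdminNames {
    # Preferred: LocalAccounts module (Windows PowerShell 5.1 and later).
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        try {
            return @(Get-LocalGroupMember -SID $AdminSid -ErrorAction Stop |
                ForEach-Object { $_.Name })
        } catch {
            # The cmdlet can fail (for example on unresolvable members); fall back.
        }
    }
    # Fallback: translate the SID to the localized group name and query via ADSI.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($AdminSid)
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    return @($group.Invoke('Members') | ForEach-Object {
        # Member account name only; the WinNT provider gives no DOMAIN\ prefix here.
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

$rows = foreach ($admin in Get-LocalAdminNames) {
    # Escape backslash first, then single quote, for a MySQL string literal.
    $escaped = $admin.Replace('\', '\\').Replace("'", "\'")
    "($ClientId, $ComputerId, NOW(), '$escaped')"
}

if ($rows) {
    Write-Output ($rows -join ',')
} else {
    Write-Warning "No members returned for SID $AdminSid"
}
```

Run on an agent that shows no users, an empty result here points at the group itself, while a populated result points at the name or text matching in the `net localgroup` pipeline.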