option explicit WScript.Echo ValidateSetting("SeNetworkLogonRight", "Everyone,Administrators,Authenticated Users,ENTERPRISE DOMAIN CONTROLLERS,Pre-Windows 2000 Compatible Access") Function ValidateSetting(userRightProperty, baselineValue) on error resume next ' Get expected values and actual valuse we are testing against Dim ExpectedValues, ActualValues ExpectedValues = baselineValue ' Poll LSA data through accesschk ActualValues = PollAccessChkForSettings (userRightProperty) if ActualValues = "" then ' below line assumes DCM rule value (OperandA) is "NO ONE" if no one is allowed for the user right privilege ActualValues = "NO ONE" end if ' do our validation ValidateSetting = ValidateResults(ExpectedValues, ActualValues) ' do error checking, make sure our function return something. If ValidateSetting = "" Then ValidateSetting = "ValidateSetting return Nothing or Empty" If Err.Number <> 0 Then ValidateSetting = ValidateSetting & ", Error: " & Err.Number ValidateSetting = ValidateSetting & ", Error (Hex): " & Hex(Err.Number) ValidateSetting = ValidateSetting & ", Source: " & Err.Source ValidateSetting = ValidateSetting & ", Description: " & Err.Description Err.Clear End If End If End Function ' Validate results Function ValidateResults(ExpectedValues, ActualValues) on error resume next ' We are always in compliant if no one has the privilege If UCase(Trim(ActualValues)) = "NO ONE" Then ValidateResults = ExpectedValues Exit Function End If ' Everify that the actual list of users is a sub-set of the expected list of users. Dim ActualValueList, ExpectedValueList, ActualValue, ExpectedValue, Result ActualValueList = Split(UCase(ActualValues), ",") ExpectedValueList = Split(UCase(ExpectedValues), ",") ' Verify all the actual users are in the list of expected users For Each ActualValue in ActualValueList ' Find if actual value is in list of expected values Result = false For Each ExpectedValue in ExpectedValueList If Trim(ActualValue) = Trim(ExpectedValue) Then Result = true Exit For End If Next If Result = false Then ValidateResults = ActualValues Exit Function End If Next ' Passsed all tests ValidateResults = ExpectedValues End Function ' Set ActualValues to a comma deliminated list of values defined by what settings we are polling. Function PollAccessChkForSettings(userRightProperty) on error resume next Dim Result, timeout, accountArray, objWshell, oExec Set objWshell = WScript.CreateObject("WScript.Shell") Set oExec = objWshell.Exec("accesschk.exe -a " & userRightProperty) If oExec is Nothing Then PollAccessChkForSettings = "ERROR: objWshell.Exec return null, please check if accesschk.exe exists." Exit Function End if ' Wait for program to finish timeout = 200 Do While oExec.Status = 0 And timeout > 0 WScript.Sleep 10 timeout = timeout - 1 Loop If oExec.Status = 0 Then PollAccessChkForSettings = "ERROR: Timed Out" Exit Function Else Result = oExec.StdOut.ReadAll If Result = "" Then PollAccessChkForSettings = "ERROR: Get Data Failed" Exit Function Else ' not found any valid data If InStr(Result, "No more data is available") > 0 Then PollAccessChkForSettings = "" Exit Function End If ' concat the account to a string with comma delimiter Dim i, value accountArray = Split(Result, vbCrlf) For i = 0 To UBound(accountArray) - 1 If PollAccessChkForSettings <> "" Then PollAccessChkForSettings = PollAccessChkForSettings + "," End If value = Replace(accountArray(i), Chr(9), "") value = Trim(value) Dim j j = InStrRev(value, "\") If j = 0 Then PollAccessChkForSettings = PollAccessChkForSettings + UCase(value) Else PollAccessChkForSettings = PollAccessChkForSettings + UCase(Right(value, Len(value) - j)) End if Next 'WScript.Echo PollAccessChkForSettings End If End If End Function option explicit WScript.Echo ValidateSetting("SeDenyBatchLogonRight", "Everyone") Function ValidateSetting(userRightProperty, baselineValue) on error resume next ' Get expected values and actual valuse we are testing against Dim ExpectedValues, ActualValues ExpectedValues = baselineValue ' Poll LSA data through accesschk ActualValues = PollAccessChkForSettings (userRightProperty) if ActualValues = "" then ' below line assumes DCM rule value (OperandA) is "NO ONE" if no one is allowed for the user right privilege ActualValues = "NO ONE" end if ' do our validation ValidateSetting = ValidateResults(ExpectedValues, ActualValues) ' do error checking, make sure our function return something. If ValidateSetting = "" Then ValidateSetting = "ValidateSetting return Nothing or Empty" If Err.Number <> 0 Then ValidateSetting = ValidateSetting & ", Error: " & Err.Number ValidateSetting = ValidateSetting & ", Error (Hex): " & Hex(Err.Number) ValidateSetting = ValidateSetting & ", Source: " & Err.Source ValidateSetting = ValidateSetting & ", Description: " & Err.Description Err.Clear End If End If End Function ' Validate results Function ValidateResults(ExpectedValues, ActualValues) on error resume next ' We are always in compliant if expected no one has been denied the privilege If UCase(Trim(ExpectedValues)) = "NO ONE" Then ValidateResults = ExpectedValues Exit Function End If ' We are always not in compliant if no one has been denied the privilege but expected someones. If UCase(Trim(ActualValues)) = "NO ONE" Then ValidateResults = ActualValues Exit Function End If ' Everify that the expected list of users is a sub-set of the actual list of users. Dim ActualValueList, ExpectedValueList, ActualValue, ExpectedValue, Result ActualValueList = Split(UCase(ActualValues), ",") ExpectedValueList = Split(UCase(ExpectedValues), ",") ' Verify all the expected users are in the list of actual users For Each ExpectedValue in ExpectedValueList ' Find if expected value is in list of actual values Result = false For Each ActualValue in ActualValueList If Trim(ActualValue) = Trim(ExpectedValue) Then Result = true Exit For End If Next If Result = false Then ValidateResults = ActualValues Exit Function End If Next ' Passsed all tests ValidateResults = ExpectedValues End Function ' Set ActualValues to a comma deliminated list of values defined by what settings we are polling. Function PollAccessChkForSettings(userRightProperty) on error resume next Dim Result, timeout, accountArray, objWshell, oExec Set objWshell = WScript.CreateObject("WScript.Shell") Set oExec = objWshell.Exec("accesschk.exe -a " & userRightProperty) If oExec is Nothing Then PollAccessChkForSettings = "ERROR: objWshell.Exec return null, please check if accesschk.exe exists." Exit Function End if ' Wait for program to finish timeout = 200 Do While oExec.Status = 0 And timeout > 0 WScript.Sleep 10 timeout = timeout - 1 Loop If oExec.Status = 0 Then PollAccessChkForSettings = "ERROR: Timed Out" Exit Function Else Result = oExec.StdOut.ReadAll If Result = "" Then PollAccessChkForSettings = "ERROR: Get Data Failed" Exit Function Else ' not found any valid data If InStr(Result, "No more data is available") > 0 Then PollAccessChkForSettings = "" Exit Function End If ' concat the account to a string with comma delimiter Dim i, value accountArray = Split(Result, vbCrlf) For i = 0 To UBound(accountArray) - 1 If PollAccessChkForSettings <> "" Then PollAccessChkForSettings = PollAccessChkForSettings + "," End If value = Replace(accountArray(i), Chr(9), "") value = Trim(value) Dim j j = InStrRev(value, "\") If j = 0 Then PollAccessChkForSettings = PollAccessChkForSettings + UCase(value) Else PollAccessChkForSettings = PollAccessChkForSettings + UCase(Right(value, Len(value) - j)) End if Next 'WScript.Echo PollAccessChkForSettings End If End If End Function