Help with Select Case Construction with root\rsop\


Post by goldyfarbs »

Morning fellow scripters -

A while ago, I posted a thread and it kind of died on the vine because I didn't quite understand the whole process of passing a text file into an array

http://www.sapien.com/forums/viewtopic.php?f=19&t=2695


And now I actually want to make this script easier for Windows 2003 servers and above by using the following name space

root\rsop\computer

rsop_AuditPolicy


So, I am trying to understand the best way to create select case statements and functions to handle this.


For example, I need to pull three properties out

.success

.failure

.category


So I initially created this portion of the script


strComputer = "."
' Connect to the RSoP computer namespace on the target machine
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems
    ' Map the WMI category name to a display name
    Select Case objItem.Category
        Case "AuditAccountManage"
            sItem = "Audit Account Manage"
        Case "AuditSystemEvents"
            sItem = "Audit System Events"
        Case "AuditLogonEvents"
            sItem = "Audit Logon Events"
        Case "AuditObjectAccess"
            sItem = "Audit Object Access"
        Case "AuditPrivilegeUse"
            sItem = "Audit Privilege Use"
        Case "AuditPolicyChange"
            sItem = "Audit Policy Change"
        Case "AuditAccountLogon"
            sItem = "Audit Account Logon"
    End Select
Next



But I am not sure if I am going along the correct route.


Do I need to create 3 For / Next loops with Select statements to gather the output that I am looking for?


Eventually the output I am looking for will be


Effective Audit Settings
------------------------
Audit System Events = Success, Failure
Audit Logon Events = Success, Failure
Audit Object Access = Failure
Audit Privilege Use = Failure
Audit Policy Change = Success, Failure
Audit Account Management = Success, Failure
Audit Process Tracking = No Auditing
Audit Directory Service Access = Failure
Audit Account Logon = Success, Failure


So, any help to help me understand the best way to achieve this would be great..


Thanks so much

goldy
Last edited by J A Reif on Thu May 09, 2013 3:09 pm, edited 1 time in total.
Reason: updated url
Post by jdelatorre@hfinc.com »

If I understand you correctly, no, you do not. You can create as many "Select Case" statements inside the For Each loop as you like.
Post by jvierra »

Your case statement is fine; however, this accomplishes the outcome more easily.

Code: Select all

	
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems 
    If objItem.Success Then
        value = "Success"
    Else
        If Len(value) > 0 Then value = value & ","
        value = value & "Failure"
    End If
    WScript.Echo "Audit" & objItem.Category & " " & value
Next


It all depends on what you need to accomplish. I always prefer the simplest structure although a case statement will work just fine.

Post by jvierra »

The settings show which of the audit settings are selected. It is possible for both to be true at the same time. The code concatenates the strings to produce the output message. I use the string len to determine if the string has already been populated with the "Success" string and then add a comma in between the "Success" and "Failure" settings.
This class only returns the value of those two settings.
I have run it on my server and it works as you expected. It displays the output:
Audit System Events = Success, Failure

or whatever the settings are.

What is the output you are getting and what is it you expect? I suspect you may not understand what the class does. Of course I may not completely understand what it is you are trying to report on.

Post by goldyfarbs »


So, this is my first attempt, but it isn't working properly.

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems
    Select Case objitem.Category
        Case "AuditAccountManage"
            sItem = "Audit Account Manage"
        Case "AuditSystemEvents"
            sItem = "Audit System Events"
        Case "AuditLogonEvents"
            sItem = "Audit Logon Events"
        Case "AuditObjectAccess"
            sItem = "Audit Object Access"
        Case "AuditPrivilegeUse"
            sItem = "Audit Privilege Use"
        Case "AuditPolicyChange"
            sItem = "Audit Policy Change"
        Case "AuditAccountLogon"
            sItem = "Audit Account Logon"
    End Select
    Select Case objitem.Failure
        Case "True"
            SFailure = "Failure"
    End Select
    Select Case Objitem.Success
        Case "True"
            sSuccess = "Success"
    End Select
    WScript.Echo sItem & vbTab & sSuccess & vbTab & sFailure
Next



Jvierra,

I don't see how your script is working..

Also, what is wrong with my attempt up above? Where am I going wrong?

thx
Post by jvierra »

I changed the code to give it to you the way you need. My first cut was just a demo of how to do the steps. This is what you are looking for with an added feature.

Code: Select all

	
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")

' send out header
WScript.Echo "Effective Audit Settings"
WScript.Echo "------------------------"
WScript.Echo "Number of items is " & colItems.Count

For Each objItem in colItems 

    'The following adds either or both "Success"/"Failure" To
    '   value for output later.  If both are added then a comma is inserted between
    value = "" ' to prevent errors later
    If objItem.Success Then
        value = "Success"
    End If

    If objItem.Failure Then
        If Len(value) > 0 Then value = value & "," ' string already has one item
        value = value & "Failure"
    End If

    WScript.Echo "Audit" & objItem.Category & " " & value

Next

The issue you are having with "case" is that this is not a "case" condition. It's not select one of the following but select one, the other or both. This can't be handled well with a case statement. In fact to case it would lead to convoluted code and not be at all a "best practices" exercise.
jvierra, 2008-01-15 13:58:14
Post by goldyfarbs »

Jvierra -

Ok - I appreciate everything but I am still a little confused... :-(

This line

If objitem.success Then etc...

My question is, how come you don't have to do this

if objitem.success = True Then
etc..
end if

Also, I think that I am still going to need that case statement that gives friendlier names to the audit Policies.

I am learning everyday and I appreciate it so much.. I will run it later when I am settled from home.

Again, I appreciate everything

thx
Post by jvierra »

"This line
If objitem.success Then etc...
My question is, how come you don't have to do this
if objitem.success = True Then
etc..
end if"

Because it's a boolean already (True/False) and the "if" statement takes any expression that resolves to a boolean.

if something = True resolves to "True" when "something" is True.

if something = False resolves to True when something is False. Same as

If Not something

"Also, I think that I am still going to need that case statement that gives friendlier names to the audit Policies."

I will show you a way to add the spaces before each upper case character. You could use the case statement and it will work however ugly it is.

"I am learning everyday and I appreciate it so much.. I will run it later when I am settled from home."

Learning is fun. You should really try and do a starter book on scripting as it would get you up and running much faster although experimenting and asking questions is also important.

Good luck
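
The approach discussed in this thread, combined into one script as an added example (not code from any poster): the two Boolean flags are tested independently, and a regular expression replaces the Select Case for friendly names. The helper names FriendlyName and AuditValue are hypothetical, and the `precedence = 1` filter is an assumption added here to keep only the winning setting when several GPOs define the same category.

```vbscript
Option Explicit

' Hypothetical helper: insert a space at every lower-case/upper-case boundary,
' e.g. "AuditLogonEvents" -> "Audit Logon Events". Runs of capitals are not
' split, so a category containing an acronym still needs a manual override.
Function FriendlyName(sCategory)
    Dim re
    Set re = New RegExp
    re.Pattern = "([a-z])([A-Z])"
    re.Global = True
    FriendlyName = re.Replace(sCategory, "$1 $2")
End Function

' Hypothetical helper: Success and Failure are independent flags, so test each
' one instead of choosing a single branch. Neither flag set = "No Auditing".
Function AuditValue(bSuccess, bFailure)
    Dim s
    s = ""
    If bSuccess Then s = "Success"
    If bFailure Then
        If Len(s) > 0 Then s = s & ", "
        s = s & "Failure"
    End If
    If Len(s) = 0 Then s = "No Auditing"
    AuditValue = s
End Function

Dim strComputer, objWMIService, colItems, objItem
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")

' Assumption: precedence = 1 marks the winning (effective) instance when more
' than one GPO sets the same audit category; without the filter each category
' can be echoed once per GPO.
Set colItems = objWMIService.ExecQuery( _
    "Select * from RSOP_AuditPolicy Where precedence = 1")

WScript.Echo "Effective Audit Settings"
WScript.Echo "------------------------"
For Each objItem In colItems
    WScript.Echo FriendlyName(objItem.Category) & " = " & _
        AuditValue(objItem.Success, objItem.Failure)
Next
```

Run it with `cscript` so each WScript.Echo goes to the console rather than a message box.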
Post by jvierra »

I was sitting here working on something when it dawned on me that you can't get the information you want from W2K or from SecEdit.

Here is what you will get from SecEdit:

Mismatch - AuditSystemEvents.
Mismatch - AuditLogonEvents.
Mismatch - AuditPolicyChange.
Analyze event audit settings.

Any settings that match do not produce any output to the file. Settings that don't match only tell you that there is a mismatch but not what that mismatch is.

What you are trying to do has been an issue for years. I have had some interesting arguments with people who insist that it can be had. The only way to get the information is to decode it from the registry. Unfortunately you have to first change the security on the registry key as it is hidden from Admins by default.

Only Windows XP and later have addressed this issue by adding the RSOP subsystem which is what WMI uses to get the audit settings. Even the storage mechanism and format have been changed for XP and later.

There are some third party security analysis tools that have added an agent to the Windows system. The agent can query the running system for this information but it must be installed before it can be of use. These security scanners are not cheap. The free security scanners are not able to obtain these settings.

Go/NoGo testing via secedit is the best you will get and its log file is the best analysis you can get across systems. The only problem here is that you have to go to each individual system to run the security analyzer.

Post by goldyfarbs »

Jv -

I am referring to Windows 2000 Server so I am not sure if that is different but you most certainly can attain the data from a server by doing

secedit /export /mergepolicy /cfg c:\output.txt

That will dump local policies out without issue.

Is that what you are referring to?