Morning fellow scripters -
A while ago, I posted a thread and it kind of died on the vine because I didn't quite understand the whole process of passing a text file into an array
http://www.sapien.com/forums/viewtopic.php?f=19&t=2695
And now I actually want to make this script easier for Windows 2003 servers and above by using the following name space
root\rsop\computer
rsop_AuditPolicy
So, I am trying to understand the best way to create select case statements and functions to handle this.
For example, I need to pull three properties out
.success
.failure
.category
So I initially created this portion of the script
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems
    Select Case objitem.Category
        Case "AuditAccountManage"
            sItem = "Audit Account Manage"
        Case "AuditSystemEvents"
            sItem = "Audit System Events"
        Case "AuditLogonEvents"
            sItem = "Audit Logon Events"
        Case "AuditObjectAccess"
            sItem = "Audit Object Access"
        Case "AuditPrivilegeUse"
            sItem = "Audit Privilege Use"
        Case "AuditPolicyChange"
            sItem = "Audit Policy Change"
        Case "AuditAccountLogon"
            sItem = "Audit Account Logon"
    End Select
Next
But I am not sure if I am going along the correct route.
Do I need to create 3 For / Next loops with Select statements to gather the output that I am looking for?
Eventually the output I am looking for will be
Effective Audit Settings
------------------------
Audit System Events = Success, Failure
Audit Logon Events = Success, Failure
Audit Object Access = Failure
Audit Privilege Use = Failure
Audit Policy Change = Success, Failure
Audit Account Management = Success, Failure
Audit Process Tracking = No Auditing
Audit Directory Service Access = Failure
Audit Account Logon = Success, Failure
So, any help to help me understand the best way to achieve this would be great..
Thanks so much
goldy
Help with Select Case Construction with root\rsop\
- goldyfarbs
Help with Select Case Construction with root\rsop\
Last edited by J A Reif on Thu May 09, 2013 3:09 pm, edited 1 time in total.
Reason: updated url
- jdelatorre@hfinc.com
Help with Select Case Construction with root\rsop\
If I understand you correctly, no, you do not. You can create as many "Select Case" statements inside the For Each loop as you like.
Help with Select Case Construction with root\rsop\
Your case statement is fine; however, this accomplishes the outcome more easily.
It all depends on what you need to accomplish. I always prefer the simplest structure although a case statement will work just fine.
Code: Select all
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems
    If objItem.Success Then
        value = "Success"
    Else
        If Len(value) > 0 Then value = value & ","
        value = value & "Failure"
    End If
    WScript.Echo "Audit" & objItem.Category & " " & value
Next
Help with Select Case Construction with root\rsop\
The settings show which of the audit settings are selected. It is possible for both to be true at the same time. The code concatenates the strings to produce the output message. I use the string len to determine if the string has already been populated with the "Success" string and then add a comma in between the "Success" and "Failure" settings.
This class only returns the value of those two settings.
I have run it on my server and it works as you expected. It displays the output:
Audit System Events = Success, Failure
or whatever the settings are.
What is the output you are getting and what is it you expect? I suspect you may not understand what the class does. Of course I may not completely understand what it is you are trying to report on.
- goldyfarbs
Help with Select Case Construction with root\rsop\
So, this is my first attempt, but it isn't working properly.
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems
    Select Case objitem.Category
        Case "AuditAccountManage"
            sItem = "Audit Account Manage"
        Case "AuditSystemEvents"
            sItem = "Audit System Events"
        Case "AuditLogonEvents"
            sItem = "Audit Logon Events"
        Case "AuditObjectAccess"
            sItem = "Audit Object Access"
        Case "AuditPrivilegeUse"
            sItem = "Audit Privilege Use"
        Case "AuditPolicyChange"
            sItem = "Audit Policy Change"
        Case "AuditAccountLogon"
            sItem = "Audit Account Logon"
    End Select
    Select Case objitem.Failure
        Case "True"
            sFailure = "Failure"
    End Select
    Select Case Objitem.Success
        Case "True"
            sSuccess = "Success"
    End Select
    WScript.Echo sItem & vbTab & sSuccess & vbTab & sFailure
Next
Jvierra,
I don't see how your script is working..
Also, what is wrong with my attempt up above? Where am I going wrong?
thx
Help with Select Case Construction with root\rsop\
I changed the code to give it to you the way you need. My first cut was just a demo of how to do the steps. This is what you are looking for with an added feature.
The issue you are having with "case" is that this is not a "case" condition. It's not select one of the following but select one, the other or both. This can't be handled well with a case statement. In fact to case it would lead to convoluted code and not be at all a "best practices" exercise.
jvierra 2008-01-15 13:58:14
Code: Select all
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")
' send out header
WScript.Echo "Effective Audit Settings"
WScript.Echo "------------------------"
WScript.Echo "Number of items is " & colItems.Count
For Each objItem in colItems
    ' The following adds either or both "Success"/"Failure" to
    ' value for output later. If both are added then a comma is inserted between
    value = "" ' to prevent errors later
    If objItem.Success Then
        value = "Success"
    End If
    If objItem.Failure Then
        If Len(value) > 0 Then value = value & "," ' string already has one item
        value = value & "Failure"
    End If
    WScript.Echo "Audit" & objItem.Category & " " & value
Next
- goldyfarbs
Help with Select Case Construction with root\rsop\
Jvierra -
Ok - I appreciate everything but I am still a little confused...
This line
If objitem.success Then
etc...
My question is, How come you don't have to do this
if objitem.success = True Then
etc..
end if
Also, I think that I am still going to need that case statement that gives friendlier names to the audit Policies. I am learning every day and I appreciate it so much.. I will run it later when I am settled from home.
Again, I appreciate everything
thx
Help with Select Case Construction with root\rsop\
This line
If objitem.success Then
etc...
My question is, How come you don't have to do this
if objitem.success = True Then
etc..
end if
Because it's a boolean already (True/False) and the "if" statement takes any expression that resolves to a boolean.
if something = True resolves to "True" when "something" is True.
if something = False resolves to True when something is False. Same as
If Not something
Also, I think that I am still going to need that case statement that gives friendlier names to the audit Policies.
I will show you a way to add the spaces before each upper case character. You could use the case statement and it will work however ugly it is.
I am learning every day and I appreciate it so much.. I will run it later when I am settled from home.
Learning is fun. You should really try and do a starter book on scripting as it would get you up and running much faster although experimenting and asking questions is also important.
Good luck
Help with Select Case Construction with root\rsop\
I was sitting here working on something when it dawned on me that you can't get the information you want from W2K or from SecEdit.
Here is what you will get from SecEdit:
Mismatch - AuditSystemEvents.
Mismatch - AuditLogonEvents.
Mismatch - AuditPolicyChange.
Analyze event audit settings.
Any settings that match do not produce any output to the file. Settings that don't match only tell you that there is a mismatch but not what that mismatch is.
What you are trying to do has been an issue for years. I have had some interesting arguments with people who insist that it can be had. The only way to get the information is to decode it from the registry. Unfortunately you have to first change the security on the registry key as it is hidden from Admins by default.
Only Windows XP and later have addressed this issue by adding the RSOP subsystem which is what WMI uses to get the audit settings. Even the storage mechanism and format have been changed for XP and later.
There are some third party security analysis tools that have added an agent to the windows system. The agent can query the running system for this information but it must be installed before it can be of use. These security scanners are not cheap. The free security scanners are not able to obtain these settings.
Go/NoGo testing via secedit is the best you will get and its log file is the best analysis you can get across systems. The only problem here is that you have to go to each individual system to run the security analyzer.
- goldyfarbs
Help with Select Case Construction with root\rsop\
Jv -
I am referring to Windows 2000 Server so I am not sure if that is different but you most certainly can attain the data from a server by doing
secedit /export /mergepolicy /cfg c:\output.txt
That will dump local policies out without issue.
Is that what you are referring to?