Class: Inspec::Resources::WindowsUser
Overview
This optimization was inspired by Alternative solutions are WMI Win32_UserAccount
Instance Attribute Summary
Attributes inherited from UserInfo
#inspec
Instance Method Summary
collapse
Methods inherited from UserInfo
#credentials, #initialize, #meta_info, #user_details
Methods included from Converter
#convert_to_i
Instance Method Details
#collect_user_details ⇒ Object
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
|
# File 'lib/resources/users.rb', line 572
def collect_user_details return @users_cache if defined?(@users_cache)
script = <<~EOH
Function ConvertTo-SID { Param([byte[]]$BinarySID)
(New-Object System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
}
Function Convert-UserFlag { Param ($UserFlag)
$List = @()
Switch ($UserFlag) {
($UserFlag -BOR 0x0001) { $List += 'SCRIPT' }
($UserFlag -BOR 0x0002) { $List += 'ACCOUNTDISABLE' }
($UserFlag -BOR 0x0008) { $List += 'HOMEDIR_REQUIRED' }
($UserFlag -BOR 0x0010) { $List += 'LOCKOUT' }
($UserFlag -BOR 0x0020) { $List += 'PASSWD_NOTREQD' }
($UserFlag -BOR 0x0040) { $List += 'PASSWD_CANT_CHANGE' }
($UserFlag -BOR 0x0080) { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
($UserFlag -BOR 0x0100) { $List += 'TEMP_DUPLICATE_ACCOUNT' }
($UserFlag -BOR 0x0200) { $List += 'NORMAL_ACCOUNT' }
($UserFlag -BOR 0x0800) { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
($UserFlag -BOR 0x1000) { $List += 'WORKSTATION_TRUST_ACCOUNT' }
($UserFlag -BOR 0x2000) { $List += 'SERVER_TRUST_ACCOUNT' }
($UserFlag -BOR 0x10000) { $List += 'DONT_EXPIRE_PASSWORD' }
($UserFlag -BOR 0x20000) { $List += 'MNS_LOGON_ACCOUNT' }
($UserFlag -BOR 0x40000) { $List += 'SMARTCARD_REQUIRED' }
($UserFlag -BOR 0x80000) { $List += 'TRUSTED_FOR_DELEGATION' }
($UserFlag -BOR 0x100000) { $List += 'NOT_DELEGATED' }
($UserFlag -BOR 0x200000) { $List += 'USE_DES_KEY_ONLY' }
($UserFlag -BOR 0x400000) { $List += 'DONT_REQ_PREAUTH' }
($UserFlag -BOR 0x800000) { $List += 'PASSWORD_EXPIRED' }
($UserFlag -BOR 0x1000000) { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
($UserFlag -BOR 0x04000000) { $List += 'PARTIAL_SECRETS_ACCOUNT' }
}
$List
}
$Computername = $Env:Computername
$adsi = [ADSI]"WinNT://$Computername"
$adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
New-Object PSObject -property @{
uid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
username = $_.Name[0]
description = $_.Description[0]
disabled = $_.AccountDisabled[0]
userflags = Convert-UserFlag -UserFlag $_.UserFlags[0]
passwordage = [math]::Round($_.PasswordAge[0]/86400)
minpasswordlength = $_.MinPasswordLength[0]
mindays = [math]::Round($_.MinPasswordAge[0]/86400)
maxdays = [math]::Round($_.MaxPasswordAge[0]/86400)
warndays = $null
badpasswordattempts = $_.BadPasswordAttempts[0]
maxbadpasswords = $_.MaxBadPasswordsAllowed[0]
gid = $null
group = $null
groups = @($_.Groups() | Foreach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
home = $_.HomeDirectory[0]
shell = $null
domain = $Computername
}
} | ConvertTo-Json
EOH
cmd = inspec.powershell(script)
begin
users = JSON.parse(cmd.stdout)
rescue JSON::ParserError => _e
return nil
end
users = [users] if !users.is_a?(Array)
@users_cache = users.map { |user| user.each_with_object({}) { |(k, v), h| h[k.to_sym] = v } }
end
|
#identity(username) ⇒ Object
559
560
561
562
563
564
565
|
# File 'lib/resources/users.rb', line 559
def identity(username)
name, _domain = parse_windows_account(username)
return if collect_user_details.nil?
res = collect_user_details.select { |user| user[:username] == name }
res[0] if !res.empty?
end
|
#list_users ⇒ Object
567
568
569
|
# File 'lib/resources/users.rb', line 567
def list_users
collect_user_details.map { |user| user[:username] }
end
|
#parse_windows_account(username) ⇒ Object
552
553
554
555
556
557
|
# File 'lib/resources/users.rb', line 552
def parse_windows_account(username)
account = username.split('\\')
name = account.pop
domain = account.pop if !account.empty?
[name, domain]
end
|