Windows Compliance - REGISTRY_SETTING check type enhancement
Summary
A new tag called reg_include_hku_users was added to the Windows Compliance REGISTRY_SETTING check type. The purpose of this tag is to allow additional filtering of registry locations when checking HKEY_USERS.
For example:
<custom_item>
type: REGISTRY_SETTING
description: "HKU\Control Panel\Desktop\ScreenSaveActive"
value_type: POLICY_DWORD
value_data: 1
reg_key: "HKU\Control Panel\Desktop"
reg_item: "ScreenSaveActive"
</custom_item>
Would loop over:
HKU\S-1-5-18\Control Panel\Desktop\ScreenSaveActive
HKU\S-1-5-19\Control Panel\Desktop\ScreenSaveActive
HKU\S-1-5-20\Control Panel\Desktop\ScreenSaveActive
HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Control Panel\Desktop\ScreenSaveActive
HKU\S-1-5-21-1004336348-1177238915-682003330-1002\Control Panel\Desktop\ScreenSaveActive
HKU\S-1-5-21-1004336348-1177238915-682003330-1003\Control Panel\Desktop\ScreenSaveActive
...
To limit the scope to SIDs that start with S-1-5-21-, you can now add the following tag to the check:
reg_include_hku_users: "S-1-5-21-*"
Target Release Date
Immediate
2 Replies
- santhanakrishna (Connect Contributor)
How can I exclude some of the SIDs from the check? Some of the registry entries are service accounts that do not have interactive login, so they will not get the group policy and need to be excluded.
I do not want to exclude all of S-1-5-21 because I need this to be applied to some of the users. I only need to exclude specific users from this check.
- Anonymous
You can use the reg_ignore_hku_users tag to exclude that specific SID. For example:
reg_ignore_hku_users : "S-1-5-21-1004336348-1177238915-682003330-1001"
If you want to exclude multiple SIDs, you can comma-separate them:
reg_ignore_hku_users : "S-1-5-21-1004336348-1177238915-682003330-1001,S-1-5-21-1004336348-1177238915-682003330-1002"
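Added example (not part of the thread and not Tenable's code): a small Python model for previewing which HKU paths a check would visit once reg_include_hku_users and reg_ignore_hku_users are set. It assumes glob-style matching for the include pattern, exact comma-separated SIDs for the ignore list, and that the ignore list is applied after the include filter; the function names and the .DEFAULT entry in the sample are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample: the SIDs listed in the original post, plus .DEFAULT.
SAMPLE_HKU_SUBKEYS = [
    ".DEFAULT",
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-21-1004336348-1177238915-682003330-1001",
    "S-1-5-21-1004336348-1177238915-682003330-1002",
    "S-1-5-21-1004336348-1177238915-682003330-1003",
]


def split_list(value):
    """Split a comma-separated tag value into trimmed, non-empty entries."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def select_hku_sids(subkeys, include=None, ignore=None):
    """Return the HKU subkeys kept under the assumed tag semantics.

    include: one glob pattern (e.g. "S-1-5-21-*"); None keeps every subkey.
    ignore:  comma-separated exact SIDs, removed after the include filter.
    """
    ignored = {sid.upper() for sid in split_list(ignore)}
    selected = []
    for sid in subkeys:
        key = sid.upper()
        if include and not fnmatchcase(key, include.strip().upper()):
            continue  # outside the include scope
        if key in ignored:
            continue  # explicitly excluded, e.g. a service account
        selected.append(sid)
    return selected


def expand_paths(reg_key, reg_item, sids):
    """Expand an 'HKU\\...' reg_key into one full value path per SID."""
    prefix = "HKU\\"
    if not reg_key.upper().startswith(prefix):
        raise ValueError("reg_key must start with HKU\\")
    rest = reg_key[len(prefix):]
    return [f"HKU\\{sid}\\{rest}\\{reg_item}" for sid in sids]
```

Running the selection against the real list of loaded hives on a host shows which accounts an include pattern or ignore list actually leaves in scope before the audit file is deployed.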