Configure Windows User Rights Controls

Windows user rights controls are the controls we provide for checking particular Windows user rights on groups and user accounts. For control evaluation to succeed, you'll need to set the values for Windows user rights controls in your compliance policies.  

How do I find these controls?How do I find these controls?

Go to Policies > Controls, select Search above the list and 1) enter the text “right”, 2) select category “Access Control Requirements”, and 3) select Windows technologies.


Make these selections in your policy using the Policy Editor:

1) Add one or more asset groups that have already been scanned for compliance. Remember, when you run a compliance scan, all controls in the Controls Library are included in the scan, so you already have compliance data for your scanned hosts.

2) Keep the default control value as is for now. We recommend that you first create a policy report to see how the value is returned before you change the control value in the policy.

Want to create a new policy? Go to PC > Policies > New > Policy.

Go to PC > Reports > New > Compliance Report > Policy Report.

We recommend that you create the policy report in PDF format because all fields are expanded by default. This makes it easier to see all the values returned and copy/paste the actual value.

Scroll down to the Detailed Results section of the policy report and:

1) Copy the three required accounts from the Actual section for the control. (Do not copy any additional accounts that might have been found.)

2) Paste the Actual value text into your text editor (such as Notepad or TextPad). This ensures that any unseen artifacts from the UI are stripped out.

Update your policy using the Policy Editor.

1) Paste the Actual value text from your text editor (copied from the PDF report) into the Expected value field. If the value has a backslash in it (such as BUILTIN\Administrators) you must add another backslash before it to escape the special character (such as BUILTIN\\Administrators).

2) Change the cardinality from “contains” to “is contained in”. Using the cardinality “is contained in” ensures that the control will pass only if the three required accounts are the only ones detected. If any other account is found, the control will fail.

Check the “Passed” and “Failed” hosts to confirm that the control passes only if one of the three required accounts are found and fails if any additional accounts are found.


Quick Links

Start a compliance scan

Compliance reports