CHECK_ACCOUNT

This policy item checks for the following values defined in “Security Settings -> Local Policies -> Security Options”:

  • Accounts: Administrator account status
  • Accounts: Guest account status
  • Accounts: Rename administrator account
  • Accounts: Rename guest account

The check is performed by calling LsaQueryInformationPolicy with the PolicyAccountDomainInformation level to obtain the domain or system SID, LsaLookupSids to obtain the administrator and guest account names, and NetUserGetInfo to obtain the account information.

Usage

<custom_item>
type: CHECK_ACCOUNT
description: ["description"]
value_type: [VALUE_TYPE]
value_data: [value]
account_type: [ACCOUNT_TYPE]
(optional) check_type: [CHECK_TYPE]
</custom_item>

This item uses the account_type field to describe which account must be audited. The allowed types are:

  • ADMINISTRATOR_ACCOUNT (“Accounts: Administrator account status”)
    value_type: POLICY_SET
    value_data: "Enabled" or "Disabled"

  • GUEST_ACCOUNT (“Accounts: Guest account status”)
    value_type: POLICY_SET
    value_data: "Enabled" or "Disabled"

  • ADMINISTRATOR_ACCOUNT (“Accounts: Rename administrator account”)
    value_type: POLICY_TEXT
    value_data: "TEXT HERE" [administrator name]
    check_type: [CHECK_TYPE] (any one of the possible check_type values)

  • GUEST_ACCOUNT (“Accounts: Rename guest account”)
    value_type: POLICY_TEXT
    value_data: "TEXT HERE" [guest name]
    check_type: [CHECK_TYPE] (any one of the possible check_type values)

Note: Depending on whether the scan credentials are local or domain credentials, either the local system accounts or the domain accounts are checked.

Example

<custom_item>
type: CHECK_ACCOUNT
description: "Accounts: Guest account status"
value_type: POLICY_SET
value_data: "Disabled"
account_type: GUEST_ACCOUNT
</custom_item>

<custom_item>
type: CHECK_ACCOUNT
description: "Accounts: Rename administrator account"
value_type: POLICY_TEXT
value_data: "Dom_adm"
account_type: ADMINISTRATOR_ACCOUNT
</custom_item>

<custom_item>
type: CHECK_ACCOUNT
description: "Accounts: Rename administrator account"
value_type: POLICY_TEXT
value_data: "Administrator"
account_type: ADMINISTRATOR_ACCOUNT
check_type: CHECK_NOT_EQUAL
</custom_item>
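The following PowerShell script is an added example and is not code from the Nessus audit engine or from this documentation. It reproduces locally what the Usage section describes and evaluates the three items from the Example section, so an administrator can confirm a host's expected result before the audit runs. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser), and it resolves the built-in accounts by their well-known RIDs (500 for Administrator, 501 for Guest), which is what the SID lookup in the check yields, so a renamed account is still found. The function names Get-BuiltinAccount and Test-CheckAccount are this example's own; CHECK_EQUAL, CHECK_NOT_EQUAL and CHECK_REGEX are the check_type values it implements, with CHECK_EQUAL assumed as the default when check_type is omitted.

```powershell
# Added example (not part of the Nessus documentation): local equivalent of CHECK_ACCOUNT.
# Assumes Windows PowerShell 5.1+ with Get-LocalUser available.

$RidByAccountType = @{
    ADMINISTRATOR_ACCOUNT = 500   # well-known RID of the built-in Administrator
    GUEST_ACCOUNT         = 501   # well-known RID of the built-in Guest
}

function Get-BuiltinAccount {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ADMINISTRATOR_ACCOUNT', 'GUEST_ACCOUNT')]
        [string]$AccountType
    )
    $rid = $RidByAccountType[$AccountType]
    # Match on the SID suffix, not the name, so a renamed account is still located.
    $account = Get-LocalUser | Where-Object { $_.SID.Value -match "-$rid$" }
    if (-not $account) { throw "No local account with RID $rid found" }
    return $account
}

function Test-CheckAccount {
    # Takes the same fields as a <custom_item> of type CHECK_ACCOUNT and returns
    # PASSED or FAILED together with the observed value.
    param(
        [Parameter(Mandatory)][string]$AccountType,
        [Parameter(Mandatory)][ValidateSet('POLICY_SET', 'POLICY_TEXT')][string]$ValueType,
        [Parameter(Mandatory)][string]$ValueData,
        [ValidateSet('CHECK_EQUAL', 'CHECK_NOT_EQUAL', 'CHECK_REGEX')][string]$CheckType = 'CHECK_EQUAL'
    )
    $account = Get-BuiltinAccount -AccountType $AccountType

    $observed = switch ($ValueType) {
        # "Enabled"/"Disabled" corresponds to the account's enabled flag.
        'POLICY_SET'  { if ($account.Enabled) { 'Enabled' } else { 'Disabled' } }
        # The rename policies compare the current account name.
        'POLICY_TEXT' { $account.Name }
    }

    $ok = switch ($CheckType) {
        'CHECK_EQUAL'     { $observed -eq $ValueData }   # -eq is case-insensitive
        'CHECK_NOT_EQUAL' { $observed -ne $ValueData }
        'CHECK_REGEX'     { $observed -match $ValueData }
    }

    [pscustomobject]@{
        AccountType = $AccountType
        Expected    = "$CheckType $ValueData"
        Observed    = $observed
        Result      = if ($ok) { 'PASSED' } else { 'FAILED' }
    }
}

# The three items from the Example section, evaluated against the local SAM.
Test-CheckAccount -AccountType GUEST_ACCOUNT -ValueType POLICY_SET -ValueData 'Disabled'
Test-CheckAccount -AccountType ADMINISTRATOR_ACCOUNT -ValueType POLICY_TEXT -ValueData 'Dom_adm'
Test-CheckAccount -AccountType ADMINISTRATOR_ACCOUNT -ValueType POLICY_TEXT -ValueData 'Administrator' -CheckType CHECK_NOT_EQUAL
```

Get-LocalUser reads only the local SAM, so this script corresponds to a scan run with local credentials; for the domain-credential case described in the note above, the equivalent lookup would be against the domain account with the same RID suffix on the domain SID, which this example does not perform. The third item passes only when the built-in administrator no longer carries its default name, which is the intent of CHECK_NOT_EQUAL in the original example.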