IBM Endpoint Manager Inspectors Reference

Terminology

Win: Windows
Lin: Red Hat and SUSE Linux
Sol: SUN Solaris
HPUX: Hewlett-Packard UNIX version
AIX: IBM AIX
Mac: Apple Macintosh
Ubu: Ubuntu/Debian
WM: Windows Mobile

The version (e.g. Lin:8.1) corresponds to the version of the IEM product (8.1) in which the inspector was introduced in the client on that platform.
The version number is not shown if it is less than 8.0.


Authorization Objects

These inspectors retrieve security and access settings.

access control list

An Access Control List, or ACL, is a list of security protections that applies to an object. An object can be a file, process, event, or anything else having a security descriptor. An entry in an access control list (ACL) is an access control entry (ACE). These Inspectors work by exposing the GetEffectiveRightsFromAcl method, as explained at the MSDN site. Note: Requires Windows XP, Windows 2000 Professional, or Windows NT Workstation 3.1 and later.

Creation Methods

| Declaration | Description | Platforms |
|---|---|---|

Properties

| Declaration | Return type | Description | Platforms |
|---|---|---|---|
| effective access mode for <security account> of <access control list> (Plural: effective access modes for) | <integer> | Returns an integer corresponding to the access mode for the trustee specified by the security account of the given access control list. | Win:8.0 |
| effective access mode for <string> of <access control list> (Plural: effective access modes for) | <integer> | Returns an integer corresponding to the access mode for the trustee specified by <string> of the given access control list. | Win |
| effective access system security permission for <security account> of <access control list> (Plural: effective access system security permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has access system security permissions on the given access control list. | Win:8.0 |
| effective access system security permission for <string> of <access control list> (Plural: effective access system security permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has access system security permissions on the given access control list. | Win |
| effective append permission for <security account> of <access control list> (Plural: effective append permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has append permissions on the given access control list. | Win:8.0 |
| effective append permission for <string> of <access control list> (Plural: effective append permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has append permissions on the given access control list. | Win |
| effective change notification permission for <security account> of <access control list> (Plural: effective change notification permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has change notification permissions on the given access control list. | Win:8.0 |
| effective change notification permission for <string> of <access control list> (Plural: effective change notification permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has change notification permissions on the given access control list. | Win |
| effective create file permission for <security account> of <access control list> (Plural: effective create file permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has file creation permissions on the given access control list. | Win:8.0 |
| effective create file permission for <string> of <access control list> (Plural: effective create file permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has file creation permissions on the given access control list. | Win |
| effective create folder permission for <security account> of <access control list> (Plural: effective create folder permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has folder creation permissions on the given access control list. | Win:8.0 |
| effective create folder permission for <string> of <access control list> (Plural: effective create folder permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has folder creation permissions on the given access control list. | Win |
| effective create link permission for <security account> of <access control list> (Plural: effective create link permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has link creation permissions on the given access control list. | Win:8.0 |
| effective create link permission for <string> of <access control list> (Plural: effective create link permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has link creation permissions on the given access control list. | Win |
| effective create subkey permission for <security account> of <access control list> (Plural: effective create subkey permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has subkey creation permissions on the given access control list. | Win:8.0 |
| effective create subkey permission for <string> of <access control list> (Plural: effective create subkey permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has subkey creation permissions on the given access control list. | Win |
| effective delete child permission for <security account> of <access control list> (Plural: effective delete child permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has child deletion permissions on the given access control list. | Win:8.0 |
| effective delete child permission for <string> of <access control list> (Plural: effective delete child permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has child deletion permissions on the given access control list. | Win |
| effective delete permission for <security account> of <access control list> (Plural: effective delete permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has delete permissions on the given access control list. | Win:8.0 |
| effective delete permission for <string> of <access control list> (Plural: effective delete permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has delete permissions on the given access control list. | Win |
| effective enumerate subkeys permission for <security account> of <access control list> (Plural: effective enumerate subkeys permissions for) | <boolean> | Returns TRUE if the specified security account provides the right to list the subkeys of a registry key. | Win:8.0 |
| effective enumerate subkeys permission for <string> of <access control list> (Plural: effective enumerate subkeys permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has subkey enumeration permissions on the given access control list. | Win |
| effective execute permission for <security account> of <access control list> (Plural: effective execute permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has execution permissions on the given access control list. | Win:8.0 |
| effective execute permission for <string> of <access control list> (Plural: effective execute permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has execution permissions on the given access control list. | Win |
| effective generic all permission for <security account> of <access control list> (Plural: effective generic all permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has all generic permissions on the given access control list. | Win:8.0 |
| effective generic all permission for <string> of <access control list> (Plural: effective generic all permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has all generic permissions on the given access control list. | Win |
| effective generic execute permission for <security account> of <access control list> (Plural: effective generic execute permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has generic execution permissions on the given access control list. | Win:8.0 |
| effective generic execute permission for <string> of <access control list> (Plural: effective generic execute permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has generic execution permissions on the given access control list. | Win |
| effective generic read permission for <security account> of <access control list> (Plural: effective generic read permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has generic read permissions on the given access control list. | Win:8.0 |
| effective generic read permission for <string> of <access control list> (Plural: effective generic read permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has generic read permissions on the given access control list. | Win |
| effective generic write permission for <security account> of <access control list> (Plural: effective generic write permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has generic write permissions on the given access control list. | Win:8.0 |
| effective generic write permission for <string> of <access control list> (Plural: effective generic write permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has generic write permissions on the given access control list. | Win |
| effective list permission for <security account> of <access control list> (Plural: effective list permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has list permissions on the given access control list. | Win:8.0 |
| effective list permission for <string> of <access control list> (Plural: effective list permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has list permissions on the given access control list. | Win |
| effective maximum allowed permission for <security account> of <access control list> (Plural: effective maximum allowed permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has maximum allowed permissions on the given access control list. | Win:8.0 |
| effective maximum allowed permission for <string> of <access control list> (Plural: effective maximum allowed permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has maximum allowed permissions on the given access control list. | Win |
| effective query value permission for <security account> of <access control list> (Plural: effective query value permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has query value permissions on the given access control list. | Win:8.0 |
| effective query value permission for <string> of <access control list> (Plural: effective query value permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has query value permissions on the given access control list. | Win |
| effective read attributes permission for <security account> of <access control list> (Plural: effective read attributes permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has read attribute permissions on the given access control list. | Win:8.0 |
| effective read attributes permission for <string> of <access control list> (Plural: effective read attributes permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has read attribute permissions on the given access control list. | Win |
| effective read control permission for <security account> of <access control list> (Plural: effective read control permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has read control permissions on the given access control list. | Win:8.0 |
| effective read control permission for <string> of <access control list> (Plural: effective read control permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has read control permissions on the given access control list. | Win |
| effective read extended attributes permission for <security account> of <access control list> (Plural: effective read extended attributes permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has extended read attribute permissions on the given access control list. | Win:8.0 |
| effective read extended attributes permission for <string> of <access control list> (Plural: effective read extended attributes permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has extended read attribute permissions on the given access control list. | Win |
| effective read permission for <security account> of <access control list> (Plural: effective read permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has read permissions on the given access control list. | Win:8.0 |
| effective read permission for <string> of <access control list> (Plural: effective read permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has read permissions on the given access control list. | Win |
| effective set value permission for <security account> of <access control list> (Plural: effective set value permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has value setting permissions on the given access control list. | Win:8.0 |
| effective set value permission for <string> of <access control list> (Plural: effective set value permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has value setting permissions on the given access control list. | Win |
| effective synchronize permission for <security account> of <access control list> (Plural: effective synchronize permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has synchronization permissions on the given access control list. | Win:8.0 |
| effective synchronize permission for <string> of <access control list> (Plural: effective synchronize permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has synchronization permissions on the given access control list. | Win |
| effective traverse permission for <security account> of <access control list> (Plural: effective traverse permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has traverse permissions on the given access control list. | Win:8.0 |
| effective traverse permission for <string> of <access control list> (Plural: effective traverse permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has traverse permissions on the given access control list. | Win |
| effective write attributes permission for <security account> of <access control list> (Plural: effective write attributes permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has attribute writing permissions on the given access control list. | Win:8.0 |
| effective write attributes permission for <string> of <access control list> (Plural: effective write attributes permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has attribute writing permissions on the given access control list. | Win |
| effective write dac permission for <security account> of <access control list> (Plural: effective write dac permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has DAC writing permissions on the given access control list. | Win:8.0 |
| effective write dac permission for <string> of <access control list> (Plural: effective write dac permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has DAC writing permissions on the given access control list. | Win |
| effective write extended attributes permission for <security account> of <access control list> (Plural: effective write extended attributes permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has extended attribute writing permissions on the given access control list. | Win:8.0 |
| effective write extended attributes permission for <string> of <access control list> (Plural: effective write extended attributes permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has extended attribute writing permissions on the given access control list. | Win |
| effective write owner permission for <security account> of <access control list> (Plural: effective write owner permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has write owner permissions on the given access control list. | Win:8.0 |
| effective write owner permission for <string> of <access control list> (Plural: effective write owner permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has write owner permissions on the given access control list. | Win |
| effective write permission for <security account> of <access control list> (Plural: effective write permissions for) | <boolean> | Returns TRUE if the trustee specified by the security account has write permissions on the given access control list. | Win:8.0 |
| effective write permission for <string> of <access control list> (Plural: effective write permissions for) | <boolean> | Returns TRUE if the trustee specified by <string> has write permissions on the given access control list. | Win |
| entry of <access control list> (Plural: entries) | <access control entry> | Iterates the ACEs of an ACL. | Win |

access control entry

An Access Control Entry, or ACE, is an entry in an access control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.

Creation Methods

| Declaration | Description | Platforms |
|---|---|---|
| entry of <access control list> | Iterates the ACEs of an ACL. | Win |

Properties

| Declaration | Return type | Description | Platforms |
|---|---|---|---|
| access mode of <access control entry> (Plural: access modes) | <integer> | For a discretionary ACL (DACL), this flag indicates whether the ACL allows (1) or denies (3) the specified access rights. | Win |
| ace flag of <access control entry> (Plural: ace flags) | <integer> | Returns the Access Control Entry (ACE) flag, an unsigned 8-bit integer containing a set of one-bit control flags related to inheritance and auditing. The values include: 0x01 - OBJECT_INHERIT_ACE; 0x02 - CONTAINER_INHERIT_ACE; 0x04 - NO_PROPAGATE_INHERIT_ACE; 0x08 - INHERIT_ONLY_ACE; 0x10 - INHERITED_ACE; 0x40 - SUCCESSFUL_ACCESS_ACE_FLAG; 0x80 - FAILED_ACCESS_ACE_FLAG. | Win:8.2 |
| ace type of <access control entry> (Plural: ace types) | <integer> | Returns the Access Control Entry (ACE) type, an unsigned 8-bit integer containing a set of types related to granting and denying access. For more information, see the MSDN article on ACE_HEADER. | Win:8.2 |
| append permission of <access control entry> (Plural: append permissions) | <boolean> | For a file ACE, returns TRUE if the ACE grants or denies append permissions. | Win |
| audit failure of <access control entry> (Plural: audit failures) | <boolean> | Returns TRUE if the ACE header flag has the value 0x80, indicating a failed access attempt. | Win:8.2 |
| audit success of <access control entry> (Plural: audit successes) | <boolean> | Returns TRUE if the ACE header flag has the value 0x40, indicating a successful access attempt. | Win:8.2 |
| change notification permission of <access control entry> (Plural: change notification permissions) | <boolean> | For a registry key ACE, returns TRUE if the ACE grants or denies change notification permissions. | Win |
| container inherit of <access control entry> (Plural: container inherits) | <boolean> | Returns TRUE if the ACE header flag has the value 0x02, indicating that the CONTAINER INHERIT flag is set. | Win:8.2 |
| create file permission of <access control entry> (Plural: create file permissions) | <boolean> | For a folder ACE, returns TRUE if the ACE grants or denies create file permissions. | Win |
| create folder permission of <access control entry> (Plural: create folder permissions) | <boolean> | For a folder ACE, returns TRUE if the ACE grants or denies create folder permissions. | Win |
| create link permission of <access control entry> (Plural: create link permissions) | <boolean> | For a registry key ACE, returns TRUE if the ACE grants or denies create key link permissions. | Win |
| create subkey permission of <access control entry> (Plural: create subkey permissions) | <boolean> | For a registry key ACE, returns TRUE if the ACE grants or denies creation of subkey permissions. | Win |
| delete child permission of <access control entry> (Plural: delete child permissions) | <boolean> | For a folder ACE, returns TRUE if the ACE grants or denies child deletion permissions. | Win |
| delete permission of <access control entry> (Plural: delete permissions) | <boolean> | For any ACE, returns TRUE if the ACE grants or denies generic delete permissions. | Win |
| deny type of <access control entry> (Plural: deny types) | <boolean> | Returns TRUE if the ACE header type is ACCESS DENIED. | Win:8.2 |
| enumerate subkeys permission of <access control entry> (Plural: enumerate subkeys permissions) | <boolean> | For a registry key ACE, returns TRUE if the ACE grants or denies enumerate subkey permissions. | Win |
| execute permission of <access control entry> (Plural: execute permissions) | <boolean> | For a file ACE, returns TRUE if the ACE grants or denies execute permissions. | Win |
| generic all permission of <access control entry> (Plural: generic all permissions) | <boolean> | For any ACE, returns TRUE if the ACE grants or denies all generic permissions. | Win |
| generic execute permission of <access control entry> (Plural: generic execute permissions) | <boolean> | For any ACE, returns TRUE if the ACE grants or denies generic execute permissions. | Win |
| generic read permission of <access control entry> (Plural: generic read permissions) | <boolean> | For any ACE, returns TRUE if the ACE grants or denies generic read permissions. | Win |
| generic write permission of <access control entry> (Plural: generic write permissions) | <boolean> | For any ACE, returns TRUE if the ACE grants or denies generic write permissions. | Win |
| grant type of <access control entry> (Plural: grant types) | <boolean> | Returns TRUE if the ACE header type is ACCESS ALLOWED. | Win:8.2 |
| inherit only of <access control entry> (Plural: inherit onlys) | <boolean> | Returns TRUE if the ACE header flag has the value 0x08, indicating that the INHERIT ONLY flag is set. | Win:8.2 |
| inheritance of <access control entry> (Plural: inheritances) | <integer> | A set of bit flags that determines whether other containers or objects can inherit the ACE from the primary object to which the ACL is attached. The actual values of the constants are: NO_INHERITANCE = 0; SUB_OBJECTS_ONLY_INHERIT = 1; SUB_CONTAINERS_ONLY_INHERIT = 2; SUB_CONTAINERS_AND_OBJECTS_INHERIT = 3; OBJECT_INHERIT_ACE = 1; CONTAINER_INHERIT_ACE = 2; NO_PROPAGATE_INHERIT_ACE = 4; INHERIT_ONLY_ACE = 8. | Win |
| inherited of <access control entry> (Plural: inheriteds) | <boolean> | Returns TRUE if the ACE header flag has the value 0x10, indicating that the INHERITED flag is set. | Win:8.2 |
| list permission of <access control entry> (Plural: list permissions) | <boolean> | For a folder ACE, returns TRUE if the ACE grants or denies list permissions. | Win |
| maximum allowed permission of <access control entry> (Plural: maximum allowed permissions) | <boolean> | For any ACE, returns TRUE if the ACE grants or denies maximum allowed permissions. | Win |
| no propagate inherit of <access control entry> (Plural: no propagate inherits) | <boolean> | Returns TRUE if the ACE header flag has the value 0x04, indicating that the NO PROPAGATE INHERIT flag is set. | Win:8.2 |
| object inherit of <access control entry> (Plural: object inherits) | <boolean> | Returns TRUE if the ACE header flag has the value 0x01, indicating that the OBJECT INHERIT flag is set. | Win:8.2 |
| query value permission of <access control entry> (Plural: query value permissions) | <boolean> | For a registry key ACE, returns TRUE if the ACE grants or denies query value permissions. | Win |
| read attributes permission of <access control entry> (Plural: read attributes permissions) | <boolean> | For a file or folder ACE, returns TRUE if the ACE grants or denies read attributes permissions. | Win |
| read control permission of <access control entry> (Plural: read control permissions) | <boolean> | For any ACE, returns TRUE if the ACE grants or denies reading access control permissions. | Win |
| read extended attributes permission of <access control entry> (Plural: read extended attributes permissions) | <boolean> | For a file or folder ACE, returns TRUE if the ACE grants or denies read extended attributes permissions. | Win |
| read permission of <access control entry> (Plural: read permissions) | <boolean> | For a file ACE, returns TRUE if the ACE grants or denies read permissions. | Win |
| set value permission of <access control entry> (Plural: set value permissions) | <boolean> | For a registry key ACE, returns TRUE if the ACE grants or denies set value permissions. | Win |
| synchronize permission of <access control entry> (Plural: synchronize permissions) | <boolean> | For any ACE, returns TRUE if the ACE grants or denies synchronize permissions. | Win |
| traverse permission of <access control entry> (Plural: traverse permissions) | <boolean> | For the specified folder ACE, returns TRUE if it grants or denies traverse folder permission. | Win |
| trustee of <access control entry> (Plural: trustees) | <security identifier> | Returns the trustee to whom the specified ACE applies. | Win |
| trustee type of <access control entry> (Plural: trustee types) | <integer> | Returns the type of trustee to whom the specified ACE applies. | Win |
| write attributes permission of <access control entry> (Plural: write attributes permissions) | <boolean> | For a file or folder ACE, returns TRUE if the ACE grants or denies write attribute permissions. | Win |
| write dac permission of <access control entry> (Plural: write dac permissions) | <boolean> | For any ACE, returns TRUE if the ACE grants or denies write DAC permissions. | Win |
| write extended attributes permission of <access control entry> (Plural: write extended attributes permissions) | <boolean> | For a file or folder ACE, returns TRUE if the ACE grants or denies write extended attribute permissions. | Win |
| write owner permission of <access control entry> (Plural: write owner permissions) | <boolean> | For any ACE, returns TRUE if the ACE grants or denies write owner permissions. | Win |
| write permission of <access control entry> (Plural: write permissions) | <boolean> | For a file ACE, returns TRUE if the ACE grants or denies write permissions. | Win |

system access control list

The <system access control list> Inspectors retrieve information from the access control list that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.

Creation Methods

| Declaration | Description | Platforms |
|---|---|---|
| sacl of <security descriptor> | Returns the system access control list (SACL), an ACL that controls the generation of audit messages for attempts to access a securable object. | Win |

Properties

| Declaration | Return type | Description | Platforms |
|---|---|---|---|
| <system access control list> as string | <string> | Converts the specified system access control list (SACL) into a string value in the Microsoft Security Descriptor String Format. | Win |

discretionary access control list

The <discretionary access control list> Inspectors retrieve information from the access control list that is monitored by the owner of the object and specifies what kinds of access particular users or groups can have to the specified object.

Creation Methods

| Declaration | Description | Platforms |
|---|---|---|
| dacl of <security descriptor> | Returns the discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access to the specified security descriptor. | Win |

Properties

| Declaration | Return type | Description | Platforms |
|---|---|---|---|
| <discretionary access control list> as string | <string> | Converts the discretionary access control list (DACL) into a string value in the Microsoft Security Descriptor String Format. | Win |

security account

The <security account> type serves as a base type for the "user" and "local group" types and for properties common to users and groups.

Creation Methods

| Declaration | Description | Platforms |
|---|---|---|
| account with privilege <string> | Returns a security account constant corresponding to an account with the privilege specified in the string. | Win:8.0 |
| account with privileges | Returns a security account constant corresponding to an 'account with privileges'. | Win:8.0 |
| anonymous logon group | This refers to users who have logged in anonymously. | Win:8.0 |
| authenticated users group | This refers to a group including users whose identities were authenticated when they logged on. Membership is controlled by the operating system. | Win:8.0 |
| batch group | This refers to a group including all users who have logged on through a batch queue facility such as the task scheduler. Membership is controlled by the operating system. | Win:8.0 |
| builtin administrators group | This refers to a built-in group. After the initial installation of the OS, the first member of the group is the Administrator account. When a computer then joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group is also added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by any other member of the group. | Win:8.0 |
| builtin backup operators group | This refers to a built-in group which, by default, has no members. Backup Operators can back up and restore all files on a computer, regardless of file permissions. Backup Operators can log on to a computer and shut it down. | Win:8.0 |
| builtin guests group | This refers to a built-in group which, by default, only contains the Guest account. This group allows otherwise unauthorized users to log on with limited privileges to a computer's built-in Guest account. | Win:8.0 |
| builtin network configuration operators group | This refers to XP machines, where some admin privileges include managing the configuration of networking features. | Win:8.0 |
| builtin power users group | This refers to a built-in group which, by default, has no members. This group does not exist for domain controllers. Power Users can create other local users and groups as well as modify and delete accounts. They can also remove users from the other groups. Power Users can also install, manage and delete applications, local printers and file shares. | Win:8.0 |
| builtin remote desktop users group | This refers to XP only. Members of this group are granted the right to log in remotely. | Win:8.0 |
| builtin replicator group | This refers to Windows NT domains. This group is called Replicators and is used by the directory replication service. In 2K/XP the group is present but is not used. | Win:8.0 |
| builtin users group | This refers to a built-in group. After the initial installation of the OS, the first member is the Authenticated Users group. When a computer subsequently joins a domain, the Domain Users group is added to the Users group. These users can perform tasks such as running applications, using printers, shutting down or locking the computer. Users can install applications for their use only, provided the installation program supports per-user installation. | Win:8.0 |
| creator group group | This refers to a placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces the SID with the one from the primary group of the object's current owner. The primary group is used only by the POSIX subsystem. | Win:8.0 |
| creator owner group | This refers to a placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the one from the object's current owner. | Win:8.0 |
| dialup group | This refers to a group implicitly including all users who logged in to the system through a dial-up connection. Membership is controlled by the operating system. | Win:8.0 |
| everyone group | This refers to a group including all users, even anonymous users and guests. Membership is controlled by the operating system. | Win:8.0 |
| interactive group | This refers to a group including all users who have logged on interactively. Membership is controlled by the operating system. | Win:8.0 |
| local service group | Returns a security account constant corresponding to a 'local service group'. | Win:8.0 |
| network group | This refers to a group implicitly including all users who are logged on through a network connection. Membership is controlled by the operating system. | Win:8.0 |
| network service group | Returns a security account constant corresponding to a 'network service group'. | Win:8.0 |
| remote interactive logon group | Refers to the group of users who log on using an RDP connection. | Win:8.0 |
| security account <string> | This is a named Inspector that uses the LookupAccountName API function to return an object representing a user or group. Example: privileges of security account "Network Service" - Returns a list of privileges for the specified security account, such as SeAuditPrivilege, SeChangeNotifyPrivilege, etcetera. | Win |
| service group | This refers to a group including all security principals that have logged on as a service. Membership is controlled by the operating system. | Win:8.0 |
| system group | Returns a security account constant corresponding to a 'system group'. | Win:8.0 |
| terminal server user group | Refers to a group including all users who have logged on to a Terminal Services server. Membership is controlled by the operating system. | Win:8.0 |
| well known account <integer> | Returns a security account constant corresponding to a numbered 'well known account'. | Win:8.0 |

Properties

Declaration | Return type | Description | Platforms
privilege of <security account> (Plural: privileges) | <string> | Returns a string describing the privileges assigned to the specified security account. For more information, see the MSDN article on LsaEnumerateAccountRights. For a description of the possible constants that can be returned, see the articles on Account Rights Constants and Privilege Constants. | Win
sid of <security account> (Plural: sids) | <security identifier> | Returns the Security ID (SID) associated with the specified security account. | Win

security descriptor

The <security descriptor> objects are structures and associated data that contain the security information for a securable object. A security descriptor identifies the object's owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.

Creation Methods

Declaration | Description | Platforms
security descriptor of <registry key> | Specifies the security descriptor associated with the specified registry key. | Win
security descriptor of <file> | Specifies the security descriptor associated with the specified file. | Win
security descriptor of <folder> | Specifies the security descriptor associated with the specified folder. | Win
security descriptor of <service> | This Windows-specific Inspector returns a security descriptor for the specified service. Example: (DISPLAY name of it, security descriptor of it ) of service "TapiSrv" - Returns the name of the service and its associated security descriptor. | Win
security descriptor of <network share> | Specifies the security descriptor associated with the specified network share. | Win
security descriptor of <scheduled task> | Returns the security descriptor for the specified scheduled task. 2.0 interface only. | Win:8.0
security descriptor of <task folder> | Returns the security descriptor for the specified task folder. | Win:8.0
security descriptor of <task registration info> | Returns the security descriptor of the scheduled task referred to by the specified task registration information object. | Win:8.0

Properties

Declaration | Return type | Description | Platforms
<security descriptor> as string | <string> | Returns the security descriptor in string format. | Win
control of <security descriptor> (Plural: controls) | <integer> | Returns the integer property obtained by using the Microsoft Windows GetSecurityDescriptorControl API. This integer contains bits that indicate DACL behaviors as well as default behaviors. See the MSDN documentation of SECURITY_DESCRIPTOR_CONTROL for more information. | Win
dacl of <security descriptor> (Plural: dacls) | <discretionary access control list> | Returns the discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access to the specified security descriptor. | Win
group of <security descriptor> (Plural: groups) | <security identifier> | Returns the security identifier of the group of the specified security descriptor. | Win
null dacl of <security descriptor> (Plural: null dacls) | <boolean> | | Win:8.2
null sacl of <security descriptor> (Plural: null sacls) | <boolean> | | Win:8.2
owner of <security descriptor> (Plural: owners) | <security identifier> | Returns the security identifier of the owner of the specified security descriptor. | Win
sacl of <security descriptor> (Plural: sacls) | <system access control list> | Returns the system access control list (SACL), an ACL that controls the generation of audit messages for attempts to access a securable object. | Win
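The integer returned by 'control of <security descriptor>' is a bitmask. The following Python sketch is an added example, not part of the IBM reference: it decodes the mask with the SECURITY_DESCRIPTOR_CONTROL flag values from the Windows headers and turns it into review findings. The `null_dacl` argument stands for the result of 'null dacl of <security descriptor>', assumed here to be True when the DACL is NULL; the object names in the sample are constructed.

```python
# SECURITY_DESCRIPTOR_CONTROL flag values as defined in the Windows headers.
CONTROL_BITS = {
    0x0001: "SE_OWNER_DEFAULTED",
    0x0002: "SE_GROUP_DEFAULTED",
    0x0004: "SE_DACL_PRESENT",
    0x0008: "SE_DACL_DEFAULTED",
    0x0010: "SE_SACL_PRESENT",
    0x0020: "SE_SACL_DEFAULTED",
    0x0040: "SE_DACL_UNTRUSTED",
    0x0080: "SE_SERVER_SECURITY",
    0x0100: "SE_DACL_AUTO_INHERIT_REQ",
    0x0200: "SE_SACL_AUTO_INHERIT_REQ",
    0x0400: "SE_DACL_AUTO_INHERITED",
    0x0800: "SE_SACL_AUTO_INHERITED",
    0x1000: "SE_DACL_PROTECTED",
    0x2000: "SE_SACL_PROTECTED",
    0x4000: "SE_RM_CONTROL_VALID",
    0x8000: "SE_SELF_RELATIVE",
}


def decode_control(control):
    """Return the names of the flags set in a 16-bit control value, low bit first."""
    if not isinstance(control, int) or not 0 <= control <= 0xFFFF:
        raise ValueError(f"control must be a 16-bit integer, got {control!r}")
    return [name for bit, name in sorted(CONTROL_BITS.items()) if control & bit]


def assess(control, null_dacl=False):
    """Turn a control value plus the null-DACL boolean into review findings.

    null_dacl is an assumption of this example: the value reported by the
    'null dacl of <security descriptor>' inspector for the same object.
    """
    flags = set(decode_control(control))
    findings = []
    if "SE_DACL_PRESENT" not in flags:
        # Without a DACL the descriptor allows full access to everyone.
        findings.append("no DACL present: full access for everyone")
    elif null_dacl:
        # A present but NULL DACL has the same effect as no DACL at all.
        findings.append("NULL DACL: full access for everyone")
    elif "SE_DACL_DEFAULTED" in flags:
        findings.append("DACL came from a default mechanism, not set explicitly")
    if "SE_DACL_PROTECTED" in flags:
        findings.append("DACL is protected: inheritable ACEs from the parent are not applied")
    return findings


def report(results):
    """Map object name -> findings, keeping only objects with at least one finding."""
    out = {}
    for name, (control, null_dacl) in results.items():
        found = assess(control, null_dacl)
        if found:
            out[name] = found
    return out


# Constructed sample: (control value, null dacl) per object, as an analyst
# might collect them from the two inspectors above.
SAMPLE = {
    "service-A": (0x8404, False),   # DACL present, auto-inherited
    "share-B": (0x9004, True),      # DACL flag set but DACL is NULL, protected
    "regkey-C": (0x8000, False),    # no DACL at all
}

if __name__ == "__main__":
    for name, found in report(SAMPLE).items():
        print(name, "->", "; ".join(found))
```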

security identifier

A Security Identifier, or SID, is a data structure that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name.

Creation Methods

Declaration | Description | Platforms
sid <string> | | Win:8.2
sid of <active directory group> | Returns the security identifier object corresponding to the specified Active Directory groups for the local machine. | Win:8.1, Mac:8.1
user of <process> | Returns a security identifier associated with the user of specified process. This Inspector requires Terminal Services or Win2000+, and may not be available if the inspector application does not have sufficient permissions. This object corresponds to the 'User Name' column in Task Manager. | Win:8.0
user sid of <event log record> | Returns the user security ID for the specified record in the event log. Example: user sid of record (oldest record number of it) of application event log - Returns the user security ID for the oldest record in the application event log, for instance NT AUTHORITY\SYSTEM. | Win
trustee of <access control entry> | Returns the trustee to whom the specified ACE applies. | Win
sid of <security account> | Returns the Security ID (SID) associated with the specified security account. | Win
group of <security descriptor> | Returns the security identifier of the group of the specified security descriptor. | Win
owner of <security descriptor> | Returns the security identifier of the owner of the specified security descriptor. | Win
sid of <user> | | Win:8.2
sid of <logged on user> | Returns the Security ID (SID) of the user associated with the session's primary access token. With Windows 2003/XP/Vista, this is determined by WTSQueryUserToken. With NT4/2000 it is determined by the apparent shell process running in the given session. This Inspector may fail if run in a non-privileged context. The SID does not exist under Windows 9x. | Win

Operators

Declaration | Return type | Description | Platforms
<security identifier> = <security identifier> | <boolean> | Tests two <security identifier> (SID) values for equality using EqualSid. | Win, Mac:8.1

Properties

Declaration | Return type | Description | Platforms
<security identifier> as string | <string> | Returns the security identifier in string format. | Win, Mac:8.1
account name of <security identifier> (Plural: account names) | <string> | Retrieves the name of the account for this SID and the name of the first domain on which this SID is found. | Win
component string of <security identifier> (Plural: component strings) | <string> | This Windows-specific inspector returns a string formatted using the ConvertSidToStringSid Windows API, discussed at: http://msdn2.microsoft.com/en-us/library/aa376399(VS.85).aspx. | Win, Mac:8.1
domain name of <security identifier> (Plural: domain names) | <string> | Returns the domain name of the first domain on which the specified SID is found. | Win
user of <security identifier> (Plural: users) | <user> | | Win:8.2

security database

The <security database> Inspectors retrieve information from the security accounts manager (SAM) database or, in the case of domain controllers, the Active Directory. The Security database and its properties expose the NetUserModalsGet API, levels 0 and 3. For more information, see the NetUserModalsGet Function at the MSDN site: http://msdn.microsoft.com.

Creation Methods

Declaration | Description | Platforms
security database | Returns the security accounts manager (SAM) database or, in the case of domain controllers, the Active Directory. | Win

Properties

Declaration | Return type | Description | Platforms
account lockout duration of <security database> (Plural: account lockout durations) | <time interval> | Returns the time interval corresponding to how long a locked account remains locked before it is automatically unlocked. This may not exist for locked accounts that remain locked until an administrator unlocks them. For more information, see the MSDN article on NetUserModalsGet. | Win
account lockout observation window of <security database> (Plural: account lockout observation windows) | <time interval> | Returns a time interval corresponding to the maximum time that can elapse between any two failed logon attempts before lockout occurs. For more information, see the MSDN article on NetUserModalsGet. | Win
account lockout threshold of <security database> (Plural: account lockout thresholds) | <integer> | Returns an integer corresponding to the number of invalid password authentications that can occur before an account is marked 'locked out.' For more information, see the MSDN article on NetUserModalsGet. | Win
force logoff interval of <security database> (Plural: force logoff intervals) | <time interval> | Returns the time interval between the end of the valid logon time and the time when the user must log off the network. A value of zero indicates that the user must log off immediately as soon as the valid logon time expires. This will not exist if the user is never forced to log off. For more information, see the MSDN article on NetUserModalsGet. | Win
maximum password age of <security database> (Plural: maximum password ages) | <time interval> | Returns a time interval corresponding to the maximum password age found in the specified security database. This will not exist if the password never expires. | Win
minimum password age of <security database> (Plural: minimum password ages) | <time interval> | Returns a time interval corresponding to the minimum password age found in the specified security database. | Win
minimum password length of <security database> (Plural: minimum password lengths) | <integer> | Returns an integer corresponding to the minimum password length found in the specified security database. | Win
password history length of <security database> (Plural: password history lengths) | <integer> | Returns the integer length of the password history maintained by the security database. A new password cannot match any of the previous passwords in the specified history. For more information, see the MSDN article on NetUserModalsGet. | Win

audit policy

The <audit policy> Inspectors return the policies put in place for recording information about security-related operations on the client computer. For example, you can set a policy to monitor the modification of files. This will trigger an audit entry showing whenever a file is modified, the associated user account, and the date and time of the action. You can audit both successful and failed attempts at actions. Often, the failed attempts are more interesting, as they may indicate unsuccessful attempts to subvert a policy. For instance, a successful login is not as interesting as a repeated failure might be.

Creation Methods

Declaration | Description | Platforms
audit policy | Windows Vista (and later versions of Windows) allows a finer granularity with audit policies by using subcategories. Setting audit policy at the category level overrides the new subcategory feature. A new registry key introduced in Vista is used to manage subcategories without requiring a change to Group Policy. This registry key can be set to prevent the application of category-level audit policy from both Group Policy and the Local Security Policy admin tool. Example: (name of it, (audit success of it, audit failure of it) of system policy of it) of subcategories of categories of audit policy - This example lists the names along with the success and failure status of all the subcategories of the audit policy. | Win

Properties

Declaration | Return type | Description | Platforms
account logon category of <audit policy> (Plural: account logon categories) | <audit policy category> | Returns an object corresponding to the Account Logon category of the audit policy. | Win
account management category of <audit policy> (Plural: account management categories) | <audit policy category> | Returns an object corresponding to the Account Management category of the audit policy. | Win
category of <audit policy> (Plural: categories) | <audit policy category> | Returns the categories of the specified audit policy. | Win
detailed tracking category of <audit policy> (Plural: detailed tracking categories) | <audit policy category> | Returns an object corresponding to the Detailed Tracking category of the specified audit policy. | Win
ds access category of <audit policy> (Plural: ds access categories) | <audit policy category> | Returns an object corresponding to the DS Access category of the audit policy. | Win
logon logoff category of <audit policy> (Plural: logon logoff categories) | <audit policy category> | Returns an object corresponding to the Logon/Logoff category of the audit policy. | Win
object access category of <audit policy> (Plural: object access categories) | <audit policy category> | Returns an object corresponding to the Object Access category of the audit policy. | Win
policy change category of <audit policy> (Plural: policy change categories) | <audit policy category> | Returns an object corresponding to the Policy Change category of the audit policy. | Win
privilege use category of <audit policy> (Plural: privilege use categories) | <audit policy category> | Returns an object corresponding to the Privilege Use category of the audit policy. | Win
system category of <audit policy> (Plural: system categories) | <audit policy category> | Returns an object corresponding to the System category of the audit policy. | Win

audit policy category

Windows audit policies, as of Vista and later, are divided into categories. Currently there are 9 categories, including System, Logon/Logoff, Object Access, Privilege Use, Detailed Tracking, Policy Change, Account Management, DS Access and Account Logon.

Creation Methods

Declaration | Description | Platforms
account logon category of <audit policy> | Returns an object corresponding to the Account Logon category of the audit policy. Example: (name of it, audit success of system policies of it) of subcategories of account logon category of audit policy - Returns the names and the system policy audit success status of the account logon subcategories. | Win
account management category of <audit policy> | Returns an object corresponding to the Account Management category of the audit policy. Example: names of subcategories of account management category of audit policy - Returns a list of the subcategory names of the account management category. | Win
category of <audit policy> | Returns the categories of the specified audit policy. Example: names of categories of audit policy - Returns the names of the audit policy categories, including System, Logon/Logoff, Object Access, Privilege Use, Detailed Tracking, Policy Change, Account Management, DS Access and Account Logon. | Win
detailed tracking category of <audit policy> | Returns an object corresponding to the Detailed Tracking category of the specified audit policy. | Win
ds access category of <audit policy> | Returns an object corresponding to the DS Access category of the audit policy. Example: names of subcategories of ds access category of audit policy - Returns the names of the specified subcategories. Produces the same result as 'names of subcategories of category whose (name of it is "DS Access") of audit policy'. | Win
logon logoff category of <audit policy> | Returns an object corresponding to the Logon/Logoff category of the audit policy. | Win
object access category of <audit policy> | Returns an object corresponding to the Object Access category of the audit policy. | Win
policy change category of <audit policy> | Returns an object corresponding to the Policy Change category of the audit policy. | Win
privilege use category of <audit policy> | Returns an object corresponding to the Privilege Use category of the audit policy. | Win
system category of <audit policy> | Returns an object corresponding to the System category of the audit policy. | Win

Properties

Declaration | Return type | Description | Platforms
name of <audit policy category> (Plural: names) | <string> | Returns the name of the specified audit policy category. | Win
subcategory of <audit policy category> (Plural: subcategories) | <audit policy subcategory> | Returns the subcategory for the specified audit policy category. | Win

audit policy subcategory

Windows audit policy categories, as of Vista and later, are divided into about 50 subcategories. This level of granularity is designed to narrow in on specific security-related operations on the client computer, helping to filter out the normal noise of an active environment.

Creation Methods

Declaration | Description | Platforms
subcategory of <audit policy category> | Returns the subcategory for the specified audit policy category. | Win

Properties

Declaration | Return type | Description | Platforms
effective policy <security account> of <audit policy subcategory> (Plural: effective policies) | <audit policy information> | Returns the effective audit policy information for the specified subcategory for the given security account. The effective audit policy is determined by combining the system audit policy with per-user policy. | Win
guid of <audit policy subcategory> (Plural: guids) | <string> | | Win:8.2
name of <audit policy subcategory> (Plural: names) | <string> | Returns the name of the specified audit policy subcategory. | Win
per user policy <security account> of <audit policy subcategory> (Plural: per user policies) | <audit policy information> | Returns the per-user audit policy information for the given audit-policy subcategory and the specified security account. | Win
system policy of <audit policy subcategory> (Plural: system policies) | <audit policy information> | Returns the audit policy information (audit success or audit failure) corresponding to the specified audit policy subcategory. | Win

audit policy information

The <audit policy information> Inspectors return the two attributes of the audit policy for a given subcategory: whether or not successful operations will be audited ("audit success"), and whether or not unsuccessful operations will be audited ("audit failure").

Creation Methods

Declaration | Description | Platforms
effective policy <security account> of <audit policy subcategory> | Returns the effective audit policy information for the specified subcategory for the given security account. The effective audit policy is determined by combining the system audit policy with per-user policy. Example: (name of it, audit failure of effective policy (security account "Network Service") of it) of subcategories of categories of audit policy - Returns a list of the names and audit failure states of all the audit policy subcategories for the specified security account. | Win
per user policy <security account> of <audit policy subcategory> | Returns the per-user audit policy information for the given audit-policy subcategory and the specified security account. | Win
system policy of <audit policy subcategory> | Returns the audit policy information (audit success or audit failure) corresponding to the specified audit policy subcategory. Example: audit success of system policy of subcategory whose (name of it is "Security Group Management") of account management category of audit policy - Returns the boolean audit success status of the specified system policy. | Win

Properties

Declaration | Return type | Description | Platforms
audit failure of <audit policy information> (Plural: audit failures) | <boolean> | Returns the boolean audit failure status of the specified audit policy information. | Win
audit success of <audit policy information> (Plural: audit successes) | <boolean> | Returns the boolean audit success status of the specified audit policy information. | Win
guid of <audit policy information> (Plural: guids) | <string> | | Win:8.2

cryptography

This is a global object that has several properties that expose the state of the cryptography controls. BigFix uses cryptographic functions throughout the BigFix Platform. Every time an operator logs in to BigFix, creates a new user, starts an action or subscribes to new content, authentication and signature routines are executed using cryptographic libraries based on the FIPS 140-2 standard.

Creation Methods

Declaration | Description | Platforms
cryptography | A global object that implements the FIPS 140-2 standard for secure signing and authentication throughout the BigFix application. | Win, Lin, Sol, HPUX, AIX, Mac, Ubu:8.1

Properties

Declaration | Return type | Description | Platforms
desired fips mode of <cryptography> (Plural: desired fips modes) | <boolean> | Returns TRUE if the application (the client, console, or web reports, depending on the context) tried to enter FIPS 140-2 compliant mode. | Win, Lin, Sol, HPUX, AIX, Mac, Ubu:8.1
fips mode failure message of <cryptography> (Plural: fips mode failure messages) | <string> | Returns the error message returned by the cryptographic library if the application (the client, console, or web reports, depending on the context) tried to enter FIPS 140-2 compliant mode and failed. | Win, Lin, Sol, HPUX, AIX, Mac, Ubu:8.1
fips mode of <cryptography> (Plural: fips modes) | <boolean> | Returns TRUE if the application (the client, console, or web reports, depending on the context) is operating in FIPS 140-2 mode (the mode provided by openssl). FIPS mode limits the set of ciphers and SSL protocols that can be used in the cryptographic library. | Win, Lin, Sol, HPUX, AIX, Mac, Ubu:8.1

client_cryptography

The <client_cryptography> Inspectors expose cryptographic properties exclusive to the client.

Creation Methods

Declaration | Description | Platforms
client cryptography | This Inspector is similar to the core cryptography object except that it returns properties exclusive to the client (whereas <cryptography> is also available in the Console/Web Reports contexts). | Win, Lin, Sol, HPUX, AIX, Mac, WM, Ubu:8.1

Properties

Declaration | Return type | Description | Platforms
desired encrypt report of <client_cryptography> (Plural: desired encrypt reports) | <boolean> | Returns TRUE if the client is configured to attempt to encrypt reports. | Win, Lin, Sol, HPUX, AIX, Mac, WM, Ubu:8.1
encrypt report failure message of <client_cryptography> (Plural: encrypt report failure messages) | <string> | If the client is not successfully encrypting reports, this Inspector returns the failure message. | Win, Lin, Sol, HPUX, AIX, Mac, WM, Ubu:8.1
encrypt report of <client_cryptography> (Plural: encrypt reports) | <boolean> | Returns TRUE if the client is successfully encrypting reports. | Win, Lin, Sol, HPUX, AIX, Mac, WM, Ubu:8.1

x509 certificate

X.509 is a public key infrastructure standard, specifying formats for public key certificates and revocations. These Inspectors interpret the certificate from a file in the PEM format. They can be used to analyze encryption credentials on decrypting relays or root servers.

Creation Methods

Declaration | Description | Platforms
pem encoded certificate of <file> | Reads and returns the certificate from a file in the PEM format. This can be used to analyze encryption credentials on decrypting relays or root servers. | Win, WM
encryption certificate of <license> | Provides the encryption certificate that is currently active and which will be used by clients to encrypt reports. | Win, Lin, Sol, HPUX, AIX, Mac, WM, Ubu:8.1

Properties

Declaration | Return type | Description | Platforms
invalid before of <x509 certificate> (Plural: invalid befores) | <time> | Returns the date on which the certificate first becomes valid. This is useful for examining encryption certificates, where the 'invalid before date' is the time when the encryption credentials were generated. | Win, Lin, Sol, HPUX, AIX, Mac, WM, Ubu:8.1
sha1 of <x509 certificate> (Plural: sha1s) | <string> | Returns the SHA1 hash of the given certificate, which uniquely identifies it. | Win, Lin, Sol, HPUX, AIX, Mac, WM, Ubu:8.1

local group

The <local group> Inspectors return information on local groups as defined on the local BES Client computer using the Windows NetLocalGroupEnum API, one of the Windows Network Management functions. Local groups have names, comments, members and security IDs.

Creation Methods

Declaration | Description | Platforms
local group | Returns local groups defined on the local computer using the Windows NetLocalGroupEnum API. Several local groups are defined simply by a default operating system install, and have names such as Administrators, Backup Operators, Guests, Network Configuration Operators, Power users, Users, etcetera. Some software applications also define local groups in order to help manage protections. | Win
local group <string> | Returns a local group corresponding to the given name, such as Administrator, Guests, and others. For backward compatibility, the 'as string' cast of this Inspector only returns the user name, not the other components of the sid. For all parts, use 'component string' instead. Example: component strings of sids of members of local group "Administrators" - Returns a list of the member security IDs of the local administrators group. | Win
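The query 'component strings of sids of members of local group "Administrators"' returns SIDs in the S-R-I-S... form described under security identifier. The following Python sketch is an added example, not part of the IBM reference: it parses those strings and flags members of local Administrators that deserve review. The well-known SID values are Microsoft's published ones; the machine SID and the sample list are constructed, and `machine_sid` is a hypothetical input the analyst supplies.

```python
import re
from typing import NamedTuple

# Well-known SIDs for accounts named on this page (Microsoft's published values).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "Creator Owner",
    "S-1-3-1": "Creator Group",
    "S-1-5-1": "Dialup",
    "S-1-5-2": "Network",
    "S-1-5-4": "Interactive",
    "S-1-5-6": "Service",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-13": "Terminal Server User",
    "S-1-5-14": "Remote Interactive Logon",
    "S-1-5-18": "System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-552": "BUILTIN\\Replicator",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
    "S-1-5-32-556": "BUILTIN\\Network Configuration Operators",
}
# Catch-all groups whose membership the OS assigns at logon: nesting one in
# Administrators makes every matching user a local administrator.
BROAD = {"S-1-1-0", "S-1-5-2", "S-1-5-4", "S-1-5-11", "S-1-5-32-545", "S-1-5-32-546"}
# (scope, RID) pairs found in Administrators after a default install or domain join.
EXPECTED = {("local", 500): "local built-in Administrator",
            ("domain", 512): "Domain Admins"}

SID_RE = re.compile(r"^S-([0-9]+)-(0x[0-9a-f]+|[0-9]+)((?:-[0-9]+)*)$", re.I)


class Sid(NamedTuple):
    revision: int
    authority: int
    subauthorities: tuple


def parse_sid(text):
    """Parse the S-R-I-S1-S2... form produced by ConvertSidToStringSid."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID component string: {text!r}")
    auth = m.group(2)
    # Authorities of 2**32 and above are written in hex with a 0x prefix.
    authority = int(auth, 16) if auth.lower().startswith("0x") else int(auth)
    subs = tuple(int(p) for p in m.group(3).split("-")[1:])
    if int(m.group(1)) != 1 or authority >= 2**48:
        raise ValueError(f"unsupported revision or authority: {text!r}")
    if len(subs) > 15 or any(s >= 2**32 for s in subs):
        raise ValueError(f"subauthority out of range: {text!r}")
    return Sid(1, authority, subs)


def classify(text, machine_sid):
    """Return (severity, description) for one member of local Administrators."""
    try:
        sid = parse_sid(text)
    except ValueError as exc:
        return ("malformed", str(exc))
    canonical = "-".join(["S", "1", str(sid.authority), *map(str, sid.subauthorities)])
    if canonical in WELL_KNOWN:
        return ("high" if canonical in BROAD else "review", WELL_KNOWN[canonical])
    # S-1-5-21-<three machine or domain subauthorities>-<RID>
    if sid.authority == 5 and len(sid.subauthorities) == 5 and sid.subauthorities[0] == 21:
        rid = sid.subauthorities[-1]
        scope = "local" if canonical.rsplit("-", 1)[0] == machine_sid else "domain"
        if (scope, rid) in EXPECTED:
            return ("expected", EXPECTED[(scope, rid)])
        return ("review", f"{scope} account or group, RID {rid}")
    return ("review", "unrecognized SID")


def audit_admin_members(component_strings, machine_sid):
    """Classify every SID and return the entries that need attention."""
    rows = [(s, *classify(s, machine_sid)) for s in component_strings]
    return [r for r in rows if r[1] != "expected"]


# Constructed sample: what the query might return on one endpoint.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # hypothetical machine SID
SAMPLE = [
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-3000000001-3000000002-3000000003-512",
    "S-1-5-21-3000000001-3000000002-3000000003-1104",
    "S-1-5-11",
    "S-1-5-21-bad",
]

if __name__ == "__main__":
    for sid, severity, detail in audit_admin_members(SAMPLE, MACHINE_SID):
        print(f"{severity:9} {sid}  {detail}")
```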

Properties

Declaration | Return type | Description | Platforms
comment of <local group> (Plural: comments) | <string> | Returns a string containing a comment associated with the specified local group (Administrator, Guest, Users). | Win
member of <local group> (Plural: members) | <local group member> | Returns a list of the members of the specified local group. | Win
name of <local group> (Plural: names) | <string> | Returns the name of the local group. | Win

local group member

The <local group member> Inspectors return information (such as security IDs) on members of local groups as defined on the local BES Client computer using the Windows NetLocalGroupEnum API, one of the Windows Network Management functions.

Creation Methods

Declaration | Description | Platforms
member of <local group> | Returns a list of the members of the specified local group. Example: members of local group "Administrators" - Returns a list of the members of the local administration group. | Win

Properties

Declaration | Return type | Description | Platforms
<local group member> as string | <string> | Casts a local group member as a string. | Win