ovaldi currently reports the hidden Windows “None” group in certain situations. If an equals operation is used to collect a local account (any account should work) without using a machine qualifier, the None group will appear as an SC user_item\group. However, if the same evaluation is performed with the machine name qualified in the user_object\user, the None group will not appear as an SC user_item\group. The None group does exist, but documentation on it is sparse (for a third-party explanation, see http://marc.info/?l=focus-ms&m=98107787021772&w=2). I recall previous discussion that the user_test should only provide the accounts that appear in the Computer Management UI. If this is the intent, we should filter the “None” group since it does not appear there.

This issue also affects group_test in a slightly different way: ovaldi obtains all local users when “None” is defined in a group_object\group.
Should we report the “None” group as an SC user_item\group for a user? (We should query the community on this.)
Yes: update ovaldi to output group in all cases.
No: update ovaldi to filter the None group.
Examples (current ovaldi behavior):
E1. Input:
<user_object> <user>System1\Guest</user> </user_object>
SC Output:
<user_item> <user>System1\Guest</user> <group>Guests</group> </user_item>
E2. Input:
<user_object> <user>Guest</user> </user_object>
SC Output:
<user_item> <user>Guest</user> <group>Guests</group> <group>None</group> </user_item>
E3. Input:
<group_object> <group>none</group> </group_object>
SC Output:
<group_item> <group>none</group> <user>System1\User1</user> <user>System1\User2</user> <subgroup status="does not exist"/> </group_item>
This is partially addressed in r1785. The "None" group is returned (with proper qualification), whether the user entity value is qualified or not (which is still not technically correct, but is backward-compatible).
As of this writing, in svn trunk, what is still not fixed is that group_test will claim that the group does not exist, even though it does. The reason for this has to do with strange Windows API behavior. As far as I've been able to tell, the "None" group is local (it has SID <computer sid>-513), yet only the Windows API variants for global groups will return any info about it. Because of the way the Windows APIs work, you must first decide whether a given trustee is local or global, and then use that to decide whether to invoke the Windows APIs for local or global groups. ovaldi correctly determines that "None" is a local trustee, so it invokes the APIs for local trustees, which indicate that the group doesn't exist. So the "None" group is an annoying special case, which ovaldi doesn't yet handle.
Fyi
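As an added example (not ovaldi code, and not posted by anyone in this thread), the following PowerShell script reproduces the local-vs-global API split described in the comment above: it probes a group name through NetLocalGroupGetInfo (the local-group API) and NetGroupGetInfo (the global-group API), and checks whether the name resolves to <machine SID>-513, the well-known Domain Users RID. It assumes a non-domain-joined Windows host and at least one local user (used to derive the machine SID); the function name Test-GroupViaNetApi is made up for this example.

```powershell
# Added example, not ovaldi code. Probes one group name through both Net* API
# families that ovaldi has to choose between, and checks whether its SID is
# <machine SID>-513 (the well-known Domain Users RID). Assumes a
# non-domain-joined host and at least one local user (used to derive the
# machine SID). Test-GroupViaNetApi is a made-up name for this example.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    // Local (alias) groups: 0 on success, 1376 (ERROR_NO_SUCH_ALIAS) if absent.
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetLocalGroupGetInfo(string server, string group, int level, out IntPtr buf);
    // Global groups in the local SAM: 0 on success, 2220 (NERR_GroupNotFound) if absent.
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetGroupGetInfo(string server, string group, int level, out IntPtr buf);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buf);
}
'@

# Machine SID: take the account-domain part of any local user's SID, then
# build <machine SID>-513 from the well-known Domain Users RID.
$machineSid     = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid
$domainUsersSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid, $machineSid)

function Test-GroupViaNetApi {
    param([Parameter(Mandatory)][string]$Name)

    # 1. The call ovaldi makes once it has classified the trustee as local.
    $buf = [IntPtr]::Zero
    $localRc = [NetApi]::NetLocalGroupGetInfo($null, $Name, 0, [ref]$buf)
    if ($localRc -eq 0) { [void][NetApi]::NetApiBufferFree($buf) }

    # 2. The global-group variant, which the comment above says is the only
    #    one that returns anything for "None".
    $buf = [IntPtr]::Zero
    $globalRc = [NetApi]::NetGroupGetInfo($null, $Name, 0, [ref]$buf)
    if ($globalRc -eq 0) { [void][NetApi]::NetApiBufferFree($buf) }

    # 3. Resolve the name to a SID (LookupAccountName underneath) and compare
    #    it with <machine SID>-513.
    $sid = $null
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch { }

    [pscustomobject]@{
        Group           = $Name
        LocalApiStatus  = $localRc     # 0 = found as a local group
        GlobalApiStatus = $globalRc    # 0 = found as a global group
        Sid             = $(if ($null -ne $sid) { $sid.Value } else { '(unresolvable)' })
        IsMachineRid513 = ($null -ne $sid -and $sid.Equals($domainUsersSid))
    }
}

'Guests', 'None', 'NoSuchGroup' | ForEach-Object { Test-GroupViaNetApi $_ } | Format-Table -AutoSize
```

If the behavior described in the comment above holds, "Guests" should return 0 from the local call and 2220 from the global one, "None" should return 1376 from the local call and 0 from the global one while also reporting IsMachineRid513 as True, and "NoSuchGroup" should fail both. That last row is the case a fix has to distinguish from "None": both look like non-existent local groups to the local-group API, and only the RID-513 check or the global-group call tells them apart.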