Hi Konstantinos
I finally got this working with SCV by using the option below. Please note that when we log in to our machines, based on the GPO we are placed under the Users group, which contains an AD group for domain users called "ABC\Domain Users", where ABC is your company domain. Unfortunately there was not a lot of documentation or examples for groupmonitor in either the admin guides or the endpoint guides, but it is working fine with the option below. This is a pretty strong SCV check and hard to fake compared to reg keys or process monitor checks (my 2 cents...)
    : (groupmonitor
        :type (plugin)
        :parameters (
            :"builtin\Administrators" (false)
            :"builtin\Users=YOURCOMPANY\Domain Users" (true)
            :begin_admin (admin)
            :send_log (alert)
            :mismatchmessage ("Make sure you are logged on as an authorized user.")
            :securely_configured_no_active_user (false)
            :end (admin)
        )
    )
Make sure to add this at the end for it to be effective:
    :SCVPolicy (
        : (groupmonitor)
    )
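As an added example (not part of the post above and not Check Point's code), the script below checks the same two expectations the groupmonitor entries express, so an admin can confirm a test machine would pass before rolling the SCV policy out. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, that "ABC" is a placeholder for your domain NetBIOS name, and that the entry without an "=" refers to the logged-on user; the plugin's exact matching rules are not documented here, so this mirrors the intent only.

```powershell
# Placeholder domain name; replace with your own NetBIOS domain.
$Domain = 'ABC'

# Expectations mirroring the groupmonitor entries: local group, member to look
# for (null = the current logged-on user) and whether membership is expected.
$Expectations = @(
    @{ Group = 'Administrators'; Member = $null;                   Expected = $false }
    @{ Group = 'Users';          Member = "$Domain\Domain Users";  Expected = $true  }
)

function Test-GroupExpectation {
    param([string]$Group, [string]$Member, [bool]$Expected)

    if ([string]::IsNullOrEmpty($Member)) {
        # No explicit member: use the current user, as for "builtin\Administrators (false)".
        $Member = "$env:USERDOMAIN\$env:USERNAME"
    }

    # Direct membership only; nesting through other domain groups is not resolved here.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    $actual  = [bool]($members | Where-Object { $_.Name -ieq $Member })

    [pscustomobject]@{
        Group    = $Group
        Member   = $Member
        Expected = $Expected
        Actual   = $actual
        Pass     = ($actual -eq $Expected)
    }
}

$results = foreach ($e in $Expectations) { Test-GroupExpectation @e }
$results | Format-Table -AutoSize

if ($results.Pass -contains $false) {
    Write-Warning 'This machine would not satisfy the groupmonitor expectations above.'
}
```

Run it in the user's own (non-elevated) session, since that is the context in which the endpoint client evaluates the logged-on user.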