An Action Module can be configured with one or more conditions. Conditions are a powerful way to:
Detect machines, users or groups with a particular configuration.
For instance, you want to generate a report of all user accounts with a password age older than 120 days, or, a report of all machines which are Windows XP SP2 and the firewall is turned off.
Target specific child object instances.
For instance, you want to delete all members of the local Administrators group of your machines except for 'Domain Admins', 'Administrator' and 'John Doe' (see Tutorial: Example: Controlling the Local Administrators group's memberships).
Click on the Add/Remove button of the Condition section.
Browse through the attribute selection menu and select the root object attribute or child object attribute to set a condition on.
A new attribute is added to the Users Conditions list.
Click on the Condition cell of the attribute row and select the condition operator.
Note: The available condition operators depend on the attribute type (number, string, date, ...).
Click on the Desired Value cell of the attribute row and enter the value for this condition in the Argument window.
Note: The desired value can be static or dynamic. For more information about dynamic values, see: Using_Dynamic_Values.
If the condition you configured points to a child object (for instance Local Drives, Processes or Software Products), you may need to change the Condition Scope.
The condition scope controls whether the conditions should be applied to one or more instance of the child object or to all instances of the child object.
Example 1 - Reporting machines which have Microsoft Office installed
> Add the condition: Computer Condition.Software Products.Product Name :: Contains :: Office
> Select the condition, click on the Set Scope button, and select: Only one or more instances of Program must pass the condition for the computer object to be accepted.
Example 2 - Reporting machines which DO NOT have Microsoft Office installed
> Add the condition: Computer Condition.Software Products.Product Name :: NOT= :: Office
> Select the condition, click on the Set Scope button, and select: All instances of Program must pass the condition for the computer object to be accepted.
Repeat Steps 1 thru 4 to configure additional conditions.
Note: Most attributes can be selected multiple times for conditions. For instance, you can configure the two conditions: User.Password Age > 30 and User.Password Age < 60.
If you have two or more conditions, they must all be true for the object to pass. This means that you cannot set conditions like: User.Password Age = 0 OR User.Password Age > 120.
To remove a condition, select it from the list and click on the 
button or press the [DEL] key.
One primary purpose of a Condition is to detect objects with a particular configuration.
Add the report action: Computer Property > Software Products > All Product Information to view detailed information about the Office products installed.
Note: You do not need to explicitly report on the computer name. Since the scope target object type is Computer, the computer name is always included in the reports.
Configure the following conditions:
Run the Scope Action and open the HTML - Data Sheet Model format.
Add the report action: Computer Property > Local Drives > All Local Drive Information
Configure the following conditions:
Run the Scope Action and open the HTML - Report Model format.
Another purpose for a Condition is to target a specific child object. By definition, a root object (a computer, user or group) will have one or more instances of a child object (i.e., computer drives, services, processes, etc.).
If you configure a Set or Execute action on a child object, the action is applied to all instances of that child object. If you want to only execute the action on a particular instance of the child object, you need to configure a condition to isolate this instance from the set. Since most Execute actions allow you to specify a child object instance name, this is rarely needed. However, in some advanced cases, it can be useful.
Disabling computer local accounts is one action which can only be done using a condition. This is because the Scope Action > Computer > Local Account Database > Local User category doesn't include a method which allows you to disable a specific account name. However, it allows you to set the value of the Account Disabled attribute of a local user object.
If you were to simply add the set action: Set Computer Property > Local Account Database > Local Users > Account Disable :: = :: TRUE with no condition, all local users in the account database would be disabled. To target only the guest account, add the following condition:
For a more advanced example which uses these types of conditions, see: Example: Controlling the Local Administrators group's memberships