The problem that you are having with the "AND" option is that the evidence has multiple values and you can't use the AND unless everything matches. The %~ (Contains match) is a better option for looking at this because you can use a regular expression to detail all of your options. There was a similar issue posted earlier by Nancy, and here is what I replied to her with:
This check can be accomplished, but you have to turn it upside down a bit. Your logic is correct, but since you are dealing with multiple values you will need to do the following:
E0: User rights (Names): Impersonate a Client after authentication <LIST> =~ /Administrators|Local\s*Service|Network\s*Service/i
E1: User rights (Names): Impersonate a Client after authentication <LIST> !~ /Administrators|Local\s*Service|Network\s*Service/i
E0 and Not E1 will be your formula.
You were close, but the first expression looks to make sure that any of the items in the regex will be found in the list [you needed to drop the parentheses because they don't exist in the data collected]. Then you need to do a double negative to make sure that there are not any other accounts assigned to this user right. So expression E1 reads: User rights (names): Impersonate a client after authentication <List> no match /Administrators|Local\s*Service|Network\s*Service/i. Then you have to use the "Not" in the formula expression to make sure no other accounts exist for this user right. This is the only way I have been able to accomplish this. I haven't tried it in a while, but you may need to create a separate expression for each account that you want to verify is in the list as well.
Hope this helps,
Please refer to this posting to get the full context of this response. I think it will help in building your check.
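The "E0 and Not E1" logic from the reply above, modelled in Python as an added example (not code from the post or from the product). It assumes a list operator is true when at least one list entry satisfies it, as the reply describes; the function names and the sample account lists are constructed for illustration.

```python
import re

# Pattern copied from the reply above.
ALLOWED = re.compile(r"Administrators|Local\s*Service|Network\s*Service", re.I)
# One pattern per account, for the "separate expression for each account" variant.
REQUIRED = [r"Administrators", r"Local\s*Service", r"Network\s*Service"]

def e0(accounts):
    """E0 (=~): at least one list entry matches the pattern (assumed semantics)."""
    return any(ALLOWED.search(a) for a in accounts)

def e1(accounts):
    """E1 (!~): at least one list entry does NOT match the pattern (assumed semantics)."""
    return any(not ALLOWED.search(a) for a in accounts)

def check_passes(accounts):
    """Formula from the reply: E0 and Not E1."""
    return e0(accounts) and not e1(accounts)

def check_passes_strict(accounts):
    """Variant: every expected account must be present, and no others."""
    each_present = all(
        any(re.search(p, a, re.I) for a in accounts) for p in REQUIRED
    )
    return each_present and not e1(accounts)

# Constructed sample evidence for the user right (not collected data).
SAMPLES = {
    "expected accounts only": ["Administrators", "LOCAL SERVICE", "NETWORK SERVICE"],
    "extra account assigned": ["Administrators", "LOCAL SERVICE", "IIS_IUSRS"],
    "subset of expected": ["Administrators"],
    "empty list": [],
    "unexpected account only": ["Everyone"],
}

def evaluate_all(check=check_passes):
    """Return {sample name: True/False} for the chosen formula."""
    return {name: check(accts) for name, accts in SAMPLES.items()}

if __name__ == "__main__":
    basic, strict = evaluate_all(), evaluate_all(check_passes_strict)
    for name in SAMPLES:
        print(f"{name:26} basic={basic[name]!s:5} strict={strict[name]}")
```

The "subset of expected" row passes the two-expression formula but fails the strict variant, which is the case the reply's last sentence is pointing at.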