The Active Directory User Exceptions feature addresses the case where a service account logs on to perform a task while an interactive user is also using the workstation.
Many organizations use service accounts to perform scheduled tasks or automatic updates. The service account generates a logon event as a user that has a policy assigned in your Active Directory Insights (the AD Users or Computers listed under the Identities section in Step 1 of the Policy Builder). The Umbrella Insights AD Connector, which monitors who is logged in to which computer, sees that new logon event and records the automated update or scheduled task account as the current user of that computer. The net result is that the policy for the automated account is applied instead of the policy for the user who is actually logged in and using the computer.
The Active Directory User Exception can be applied to service accounts within your organization so that their logon events to your Domain Controllers are ignored by the AD Connector.
Setting up Active Directory User Exceptions
- Navigate to Deployments > Service Account Exceptions (formerly Settings > AD User Exceptions) and click the Add icon.
- Enter the AD Username or login (SAM Account Name or sAMAccountName) for the account in the format "Username" without the domain defined.
IMPORTANT: This is not necessarily the same as the one displayed in the AD Users Identities in the Dashboard. Please confirm the account username in the Active Directory Users and Computers snap-in, not the Umbrella Dashboard.
- Click Create.
When should this feature be used?
- This should be used for any service accounts that perform scheduled tasks, for example software backups.
- This should be used for any service accounts that need to log in to the network to perform updates, for example anti-virus clients.
When should this feature not be used?
Do not use this feature for any user accounts whose login events you want recorded; in other words, accounts whose activity you want to see in reporting and that should have policy applied to them.
Adding IP addresses to the Exceptions list
If you are using version 1.2.1 or higher of the Umbrella AD Connector, IP addresses can also be added as a "Username" in the Exceptions list. The Connector ignores all events generated by the configured IP, excluding it from the AD mappings. An example use case is the IP address of a Netscaler server.
Note: IP address ranges are not supported. Only individual IP addresses, such as 10.20.30.40, are supported.
Adding AD Groups to the Exceptions list
If you are using version 1.2.7 or higher of the Umbrella AD Connector, AD Groups can also be added to the Exceptions list. The Connector ignores all events generated by users and computers belonging to the specified group or any of its sub-groups and excludes them from the AD mappings. This is useful for AD groups that consist only of service accounts, so that the individual service accounts need not be listed as exceptions.
To specify an AD group as an exception, enter the AD group name on the Active Directory User Exceptions page in Distinguished Name (DN) format with the prefix "Group:". For example: Group:CN=Engineering,CN=Builtin,DC=mydomain,DC=com
IMPORTANT: This is not the same format as the one displayed in the AD Groups Identities in the Umbrella Dashboard. Please confirm the group DN in the Active Directory Users and Computers snap-in, not the Umbrella Dashboard. The group DN is case sensitive.
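As an added example (not Cisco's code or the Connector's implementation), the following Python model replays constructed logon events against an exception list holding all three entry types described above: a sAMAccountName, a single IP address, and a Group: DN. The group membership table, the workstation names and the IPs are constructed; usernames are assumed to match case-insensitively, while the group DN is matched exact-case as the page notes.

```python
import re
# Constructed exception list, as it would be entered on Deployments > Service Account Exceptions.
EXCEPTIONS = [
    "svc_backup",                                          # sAMAccountName without the domain
    "10.20.30.40",                                         # one IP address (Connector 1.2.1+)
    "Group:CN=ServiceAccounts,OU=Svc,DC=mydomain,DC=com",  # Group: prefix + DN (Connector 1.2.7+)
]
# Constructed stand-in for AD group membership; a member that is itself a DN is a sub-group.
GROUP_MEMBERS = {
    "CN=ServiceAccounts,OU=Svc,DC=mydomain,DC=com": ["svc_av", "CN=Updaters,OU=Svc,DC=mydomain,DC=com"],
    "CN=Updaters,OU=Svc,DC=mydomain,DC=com": ["svc_patch"],
}
DN_RE = re.compile(r"^CN=[^,]+(,(CN|OU|DC)=[^,]+)+$")

def members_of(dn, seen=()):
    """Flatten direct and nested members of a group (constructed lookup, not a live AD query)."""
    found = set()
    for m in GROUP_MEMBERS.get(dn, []):  # DN keys are matched exact-case, as the page notes
        if not DN_RE.match(m):
            found.add(m.lower())         # sAMAccountName; assumed case-insensitive
        elif m not in seen:              # sub-group; 'seen' guards against membership loops
            found |= members_of(m, (*seen, m))
    return found

def is_excepted(user, src_ip, exceptions):
    """True when the Connector should ignore this logon event (assumed model of its behaviour)."""
    for e in exceptions:
        if e.startswith("Group:"):
            if user.lower() in members_of(e[len("Group:"):]):
                return True
        elif e == src_ip or e.lower() == user.lower():
            return True
    return False

def current_users(events, exceptions):
    """Replay (computer, user, source_ip) logon events in order; return the surviving mapping."""
    mapping = {}
    for computer, user, src_ip in events:
        if not is_excepted(user, src_ip, exceptions):
            mapping[computer] = user     # a later non-excepted logon replaces the earlier one
    return mapping

# Constructed logon events: an interactive user, then service-account and excepted-IP logons.
EVENTS = [
    ("WS-101", "alice", "192.0.2.10"),
    ("WS-101", "svc_backup", "192.0.2.10"),  # scheduled backup; matched by username
    ("WS-101", "svc_patch", "192.0.2.10"),   # member of a sub-group; matched by group DN
    ("WS-202", "bob", "10.20.30.40"),        # event from the excepted IP; ignored
    ("WS-202", "carol", "192.0.2.20"),
]
```

Without the exceptions, the replay would leave WS-101 mapped to svc_patch and WS-202 briefly mapped to bob; with them, alice and carol keep their own policies.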