Overview
Active Directory User Exceptions address a use case in which a service account logs on to a workstation to perform a task while an interactive user is also using that workstation.
Many organizations use service accounts to perform scheduled tasks or automatic updates. Each time such an account logs on, it generates a logon event as a user that has a policy assigned in your Active Directory Insights (the AD Users or Computers listed under the Identities section in Step 1 of the Policy Builder). The Umbrella Insights AD Connector, which monitors who is logged on to which computer, sees that new logon event and records the service account (the account the scheduled task or automatic update runs as) as the current user of that computer. The net result is that the policy for the service account is applied instead of the policy for the user who is actually logged on and using the computer.
The Active Directory User Exception can be applied to service accounts within your organization so their logon events to your Domain Controllers are ignored by the AD Connector.
Setting up Active Directory User Exceptions
- Navigate to Deployments > Service Account Exceptions and click the Add icon.
- Enter the Account Type as User, and enter the AD Username or login (sAMAccountName) for the account in the format "Username" and not "Username@domain".
IMPORTANT: This is not necessarily the same as the name displayed in the AD Users Identities in the Dashboard. Please confirm the account username in the Active Directory Users and Computers snap-in, not the Umbrella Dashboard.
- Click Create.
Note: In multi-AD domain environments, a user exception is matched by sAMAccountName across all AD domains: logon events from any account with that sAMAccountName, in any of the domains, are ignored by the AD Connector.
Setting up Active Directory Group Exceptions
You can add Active Directory Groups to the exception list. The Connector will ignore login events generated by all users and computers belonging to the specified group and any sub-groups and exclude them from the AD mappings. This can be used for AD groups that comprise only service accounts, so that the individual service accounts need not be specified as exceptions.
Note: Adding Active Directory Organization Units (OUs) is not supported.
- Navigate to Deployments > Service Account Exceptions and click the Add icon.
- Enter the Account Type as Group, and enter the Distinguished Name (DN) for the AD group that you want to add as an exception. For example, enter the AD group name as CN=Engineering,CN=Builtin,DC=mydomain,DC=com
IMPORTANT: This is not the same format as the one displayed in the AD Groups Identities in the Umbrella Dashboard. Please confirm the group DN in the Active Directory Users and Computers snap-in, not the Umbrella Dashboard. The group DN is case sensitive.
- Click Create.
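Because both procedures above depend on entering the value exactly as Active Directory holds it (the sAMAccountName without a domain suffix for a user, the case-exact DN for a group), it is safer to pull those values from AD than to retype them from the Dashboard. The following PowerShell is an added example, not code from this article or from Cisco. It assumes the RSAT ActiveDirectory module is installed and uses the hypothetical names svc_backup and Engineering. It prints the value to enter for a user exception and for a group exception, lists the users and computers (direct and nested) that a group exception would actually cover, and, for multi-domain forests, warns when the same sAMAccountName exists in another domain, since a user exception applies across all domains.

```powershell
# Added example, not code from the Umbrella article or from Cisco.
# Assumes the RSAT ActiveDirectory module is installed; 'svc_backup' and
# 'Engineering' are hypothetical names, replace them with your own.
Import-Module ActiveDirectory

# User exception: the dashboard wants the sAMAccountName ("Username"),
# not the UPN ("Username@domain") and not the name it shows under Identities.
$svc = Get-ADUser -Identity 'svc_backup' -Properties UserPrincipalName
Write-Host ("User exception value  : {0}" -f $svc.SamAccountName)
Write-Host ("Not this (UPN)        : {0}" -f $svc.UserPrincipalName)

# Group exception: the dashboard wants the full distinguished name, case-exact.
$grp = Get-ADGroup -Identity 'Engineering'
Write-Host ("Group exception value : {0}" -f $grp.DistinguishedName)

# What a group exception will actually suppress: every user and computer that is a
# direct or nested member, since the Connector also honours sub-groups.
Write-Host "Members whose logon events the group exception would ignore:"
Get-ADGroupMember -Identity $grp -Recursive |
    Where-Object { $_.objectClass -in 'user', 'computer' } |
    Select-Object objectClass, SamAccountName, DistinguishedName |
    Sort-Object objectClass, SamAccountName |
    Format-Table -AutoSize | Out-Host

# Multi-domain check: a user exception is matched by sAMAccountName in every domain
# of the forest, so a same-named account in another domain would be excluded too.
$name = $svc.SamAccountName
foreach ($domain in (Get-ADForest).Domains) {
    $hits = Get-ADUser -Server $domain -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
    foreach ($hit in $hits) {
        if ($hit.DistinguishedName -ne $svc.DistinguishedName) {
            Write-Warning ("'{0}' also exists in {1}: {2}" -f $name, $domain, $hit.DistinguishedName)
        }
    }
}
```

Copy the printed values into the Dashboard unchanged; the DN in particular must keep the exact case that Get-ADGroup returns.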
When should this feature be used?
- Service accounts that run scheduled tasks, for example software backups.
- Service accounts that log on to the network to perform updates, for example anti-virus clients.
- The IP addresses of RODCs that mirror events (see Adding IP addresses to the Exceptions list below).
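To shortlist the accounts that are behaving like service accounts in the first place, the following PowerShell, an added example that is not part of this article and not Cisco's code, counts how many distinct client IP addresses each account requested Kerberos TGTs from (Security event ID 4768) on the domain controller it runs on. It goes slightly beyond the page: the article does not state which events the AD Connector consumes, so this is only a way to find candidates. An account that authenticates from many machines but belongs to no person is a reasonable candidate for an exception; a user who moves between a few workstations is not. The look-back window and threshold are arbitrary, and the script assumes the DC's Security log records 4768.

```powershell
# Added example, not code from the Umbrella article or from Cisco.
# Lists accounts that requested Kerberos TGTs (Security event 4768) on this DC
# from many distinct client IPs. Assumptions: run on a DC, the audit policy logs
# 4768, and the window/threshold defaults below are arbitrary.
param(
    [int]$Hours = 24,
    [int]$MinDistinctIPs = 5
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction Stop

$rows = foreach ($ev in $events) {
    # Read EventData fields by name from the event XML rather than by position.
    $field = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
        $field[$d.Name] = $d.'#text'
    }
    # Computer accounts (name$) and failed requests (Status other than 0x0)
    # are not candidates for a user exception.
    if ($field.TargetUserName -like '*$' -or $field.Status -ne '0x0') { continue }
    [pscustomobject]@{
        Account = $field.TargetUserName   # sAMAccountName, the form the exception wants
        Domain  = $field.TargetDomainName
        # IPv4 clients are logged as ::ffff:10.20.30.40; strip the IPv6-mapped prefix.
        Client  = ($field.IpAddress -replace '^::ffff:', '')
    }
}

$rows |
    Group-Object Account |
    ForEach-Object {
        $ips = @($_.Group.Client | Sort-Object -Unique)
        [pscustomobject]@{
            Account     = $_.Name
            TGTRequests = $_.Count
            DistinctIPs = $ips.Count
            SampleIPs   = ($ips | Select-Object -First 5) -join ', '
        }
    } |
    Where-Object { $_.DistinctIPs -ge $MinDistinctIPs } |
    Sort-Object DistinctIPs -Descending |
    Format-Table -AutoSize
```

Review the list by hand before adding anything: the output is a hint about which accounts are automated, not a decision, and an account in it that should still have policy applied and appear in reporting must not be excepted.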
When should this feature not be used?
Do not use this feature for accounts whose logon events you want recorded, in other words accounts whose activity you want to see in reporting and that should have policy applied to them.
Adding IP addresses to the Exceptions list
IP addresses can also be added to the Exceptions list. The Connector will ignore all the events generated by the configured IP to exclude it from the AD mappings. An example use case would be the IP address of a Netscaler server or a RODC that mirrors events.
Note: IP address ranges are not supported. Only individual IP addresses, such as 10.20.30.40, are supported.