Recertification of AD Groups Blacklisting problem

Hi All,

I've set up recertification for some folders on servers and had added some groups (Domain Admins / Enterprise Admins and some manually created admin groups etc) to the blacklist so that the names of members of those groups weren't resolved when recertifying folder access (as its too confusing for non-technical users).

With the great new feature of being able to recertify AD Groups I've now been asked to set up recertification for the the Domain Admins and Enterprise Admins groups, however because the groups are Blacklisted none of the members show on the recertification.

Is there any way separate out the black list for groups from the blacklist for folder recertification?

Thanks

Kip

Parents
  • Hi Kip,

    the AD recertifiaction has different settings.

    I found the entries for it, they must be placed in the pnServer.config.xml (these here are the defaults):

    <activeDirectory>
        <recertification>
          <suppressSidsDefault type="System.String"></suppressSidsDefault>
          <suppressSidsByRexExpression type="System.String">-512$;-513$;-515$;-516$;-521$</suppressSidsByRexExpression>
        </recertification>
      </activeDirectory>

    I haven't tested it myself yet, but I think it's very self explanatory.

    Cheers

    Björn

  • Wait, an addition: since you blacklisted them from being resolved it won't help.

    You need this as well:

    <fileSystem>
        <recertification>
          <suppressSidsDefault type="System.String">S-1-3-0;S-1-3-1;S-1-3-2;S-1-3-3;S-1-5-80-0;S-1-5-1;S-1-5-2;S-1-5-3;S-1-5-4;S-1-5-9;S-1-5-18;S-1-5-19;S-1-5-20</suppressSidsDefault>
        </recertification>
      </fileSystem>

    With this you can define SIDs to be not shown in recertification.

    Then you could remove the blacklist entries and it should work.

  • Hi Bjorn,

    Thanks for the info. I'll have a look at that and see if it does the trick.

    Kip

  • Hi Björn,

    nice to see that it is possible to hide accounts in recertification.

    Unfortunately I was not able to get this working.

    I tried to hide multiple SIDS, however without any success.

    I modified the C:\ProgramData\protected-networks.com\8MAN\cfg\pnServerconfig.xml like this (before the closing config block:

    <activeDirectory>

    <recertification>

    <suppressSidsDefault type="System.String">S-1-5-32-544; S-1-5-21-155080423-2660856778-1500682938-512; S-1-5-21-155080423-2660856778-1500682938-1105</suppressSidsDefault>
    <suppressSidsByRexExpression type="System.String">-512$;-513$;-515$;-516$;-521$;-544$;-500$</suppressSidsByRexExpression>

    </recertification>

    </activeDirectory>

    </config>

    Any idea what could be wrong?

    I have restarted ARM Services and I also started a new certification.

    Regards

    Adrian

Reply
  • Hi Björn,

    nice to see that it is possible to hide accounts in recertification.

    Unfortunately I was not able to get this working.

    I tried to hide multiple SIDS, however without any success.

    I modified the C:\ProgramData\protected-networks.com\8MAN\cfg\pnServerconfig.xml like this (before the closing config block:

    <activeDirectory>

    <recertification>

    <suppressSidsDefault type="System.String">S-1-5-32-544; S-1-5-21-155080423-2660856778-1500682938-512; S-1-5-21-155080423-2660856778-1500682938-1105</suppressSidsDefault>
    <suppressSidsByRexExpression type="System.String">-512$;-513$;-515$;-516$;-521$;-544$;-500$</suppressSidsByRexExpression>

    </recertification>

    </activeDirectory>

    </config>

    Any idea what could be wrong?

    I have restarted ARM Services and I also started a new certification.

    Regards

    Adrian

Children
No Data