Removing administrators etc. from recertification

Hi there,

I am just doing my first steps with ARM and right now I am kind of stuck in the recertification process. (among others)

I thought blacklisting the users in the change configuration settings would remove them, but this changed nothing.

Then I tried editing the settings in "views and reports" which worked partially. It removed the users, but I can still see the groups in the recertification.

I do not want the data owners to be able to remove the permissions of my admins or backup task users or groups - or any other functional user for that matter.

How can I restrict the recertification process to ... well ... pretty much my normal AD users folder, or at least to a select group of hand-picked users, or anything other than what I am seeing now?

Grateful for any thoughts or hints on how I can go about this.

-Chris

  • Hey,

    Exclude accounts from ARM recertification:
    It can be very useful not to display certain, e.g. technically necessary accounts to the data owners during recertification. This is possible for the recertification of file server permissions as well as for Active Directory group memberships.

    To exclude accounts from recertification, you must make the following changes to the configuration files:

    Configuration file: pnServer.config.xml
    Computer: ARM-Server
    Path: %ProgramData%\protected-networks.com\8MAN\cfg

    Code examples

    <fileSystem>
     <recertification>
      <suppressSidsByRexExpression type="System.String">-512$;</suppressSidsByRexExpression>
     </recertification>
    </fileSystem>

    <activeDirectory>
     <recertification>
      <suppressSids type="System.String">S-1-5-32-544;S-1-5-32-551;</suppressSids>
     </recertification>
    </activeDirectory>

    Possible values

    A list of SIDs separated by semicolons, or a regular expression to exclude a group of SIDs. For example, the regular expression -512$; excludes domain admin accounts from the recertification.

  • Hi Parthchandarana07,

    Thank you for your response. OK, I found a similar solution on the web. What I can't work out, though, is where I find the respective strings (or regular expressions, or SIDs). What I mean are these values:

    S-1-5-32-544;S-1-5-32-551
    512$

    I have looked basically everywhere in my Active Directory, but I can't seem to find them anywhere. Any chance you can provide a hint as to where to look for these?

    Thank you in advance,

    Chris

  • For the record:

    I also checked my ARM for possible data.

    I did find the SID of an admin user, but it is much longer than the values you mention,

    i.e.: S-1-5-21-4293041663-4232857113-14780292413-7128
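
As an added example (not ARM's code and not posted by anyone in this thread), the Python below emulates what the two settings quoted in the reply above mean, using the admin SID from the last post plus a few constructed SIDs. How ARM itself evaluates the settings is an assumption; the facts the example relies on are that S-1-5-32-544 and S-1-5-32-551 are the fixed, domain-independent SIDs of the built-in Administrators and Backup Operators groups, and that 512 is the relative identifier (RID) that every domain's Domain Admins group carries after the domain's own S-1-5-21-... prefix, which is why a SID such as S-1-5-21-...-7128 is a normal account and will not be suppressed. It also shows why the leading hyphen in -512$ matters: the unanchored 512$ quoted in the follow-up would also suppress any account whose RID merely ends in 512.

```python
"""Emulation of the ARM recertification suppression settings (assumption:
ARM's real matching logic is not public here; this shows what the values
in the reply select, not how the product implements it)."""
import re

# Values quoted from the reply above.
SUPPRESS_SIDS = "S-1-5-32-544;S-1-5-32-551;"   # built-in Administrators, Backup Operators
SUPPRESS_SIDS_BY_REGEX = "-512$;"               # RID 512 = Domain Admins in every domain

# Built-in SIDs are constants of Windows, not stored per domain (fact).
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-551": r"BUILTIN\Backup Operators",
}
# Well-known RIDs appended to the domain SID S-1-5-21-<a>-<b>-<c> (fact).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 519: "Enterprise Admins"}

# SID from the last post (domain part reused to construct further sample SIDs).
ADMIN_USER_SID = "S-1-5-21-4293041663-4232857113-14780292413-7128"


def split_setting(value):
    """Split a semicolon-separated setting; the trailing ';' yields an empty entry to drop."""
    return [item.strip() for item in value.split(";") if item.strip()]


def domain_and_rid(sid):
    """'S-1-5-21-a-b-c-7128' -> ('S-1-5-21-a-b-c', 7128): the RID is the last component."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def describe(sid):
    """Human-readable name for a well-known SID/RID, else None (constructed helper)."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    prefix, rid = domain_and_rid(sid)
    if prefix.startswith("S-1-5-21-") and rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return None


def is_suppressed(sid, sid_setting=SUPPRESS_SIDS, regex_setting=SUPPRESS_SIDS_BY_REGEX):
    """True if the SID is in the explicit list or matched by any of the regexes."""
    explicit = set(split_setting(sid_setting))
    patterns = [re.compile(p) for p in split_setting(regex_setting)]
    return sid in explicit or any(p.search(sid) for p in patterns)


def recertification_view(sids, **settings):
    """SIDs a data owner would still see after suppression (same order as input)."""
    return [s for s in sids if not is_suppressed(s, **settings)]


if __name__ == "__main__":
    domain, _ = domain_and_rid(ADMIN_USER_SID)
    samples = [
        "S-1-5-32-544",        # built-in Administrators
        "S-1-5-32-551",        # built-in Backup Operators
        domain + "-512",       # Domain Admins of this domain (constructed)
        ADMIN_USER_SID,        # normal account from the last post, RID 7128
        domain + "-1512",      # constructed account whose RID ends in 512
    ]
    for sid in samples:
        print(f"{sid:55} {describe(sid) or '-':28} suppressed={is_suppressed(sid)}")
    print("unanchored 512$ also hides RID 1512:",
          is_suppressed(domain + "-1512", regex_setting="512$;"))
```

Run it as a script to print a table of the sample SIDs with their well-known names and whether the quoted settings would hide them from the data owner; the last line demonstrates the anchoring pitfall with the unanchored pattern.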