Removing administrators etc. from recertification

Hi there,

I am just taking my first steps with ARM and right now I am kind of stuck in the recertification process (among others).

I thought blacklisting the users in the change configuration settings would help, but this changed nothing.

Then I tried editing the settings in "views and reports" which worked partially. It removed the users, but I can still see the groups in the recertification.

I do not want the data owners to be able to remove the permissions of my admins or backup task users or groups - or any other functional user for that matter.

How can I restrict the recertification process to ... well ... pretty much my normal AD users folder, or at least to a select group of hand-picked users? Or anything other than what I am seeing now.

Grateful for any thoughts or hints on how I can go about this.


  • Hey  

    Exclude accounts from ARM recertification:

    It can be very useful not to display certain, e.g. technically necessary accounts to the data owners during recertification. This is possible for the recertification of file server permissions as well as for Active Directory group memberships.

    To exclude accounts from recertification, you must make the following changes to the configuration files:

    Configuration file




    Code examples

      <suppressSidsByRexExpression type="System.String">-512$;</suppressSidsByRexExpression>
      <suppressSids type="System.String">S-1-5-32-544;S-1-5-32-551;</suppressSids>

    Possible values

    List of SIDs separated by semicolons, or a regular expression to exclude a group of SIDs. For example, the regular expression -512$; excludes domain admin accounts from the recertification.

  • For the record:

    I also checked my ARM for possible data.

    I did find an SID of an admin user, but it is much longer than the figures you mention

    i.e.: S-1-5-21-4293041663-4232857113-14780292413-7128

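To see which SIDs the two settings quoted in the thread would hide, here is an added example (not code from ARM or from any poster) that previews them against a few SIDs. It assumes ARM treats `suppressSids` as an exact-match list and searches each semicolon-separated pattern in `suppressSidsByRexExpression` within the SID string; the domain identifier and the RID 1512 account are constructed sample values.

```python
import re

# Settings as posted in the reply above.
SUPPRESS_SIDS = "S-1-5-32-544;S-1-5-32-551;"
SUPPRESS_SIDS_BY_REGEX = "-512$;"

# Well-known values documented by Microsoft, used only to label the output.
BUILTIN = {"S-1-5-32-544": "BUILTIN\\Administrators",
           "S-1-5-32-551": "BUILTIN\\Backup Operators"}
DOMAIN_RIDS = {"500": "built-in Administrator", "512": "Domain Admins"}

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_SIDS = [
    "S-1-5-32-544",
    "S-1-5-32-551",
    DOMAIN + "-512",
    DOMAIN + "-500",
    DOMAIN + "-1512",  # constructed ordinary account whose RID ends in 512
    "S-1-5-21-4293041663-4232857113-14780292413-7128",  # SID quoted in the thread
]

def split_setting(value):
    """Split a semicolon-separated setting and drop the empty trailing entry."""
    return [part.strip() for part in value.split(";") if part.strip()]

def label(sid):
    """Name a SID: built-in alias, known domain RID, or plain domain principal."""
    if sid in BUILTIN:
        return BUILTIN[sid]
    if sid.startswith("S-1-5-21-"):
        rid = sid.rsplit("-", 1)[-1]
        return DOMAIN_RIDS.get(rid, "domain principal, RID " + rid)
    return "other"

def is_suppressed(sid, sid_list=SUPPRESS_SIDS, patterns=SUPPRESS_SIDS_BY_REGEX):
    """Assumed semantics: exact hit in the list, or any pattern found in the SID."""
    if sid in split_setting(sid_list):
        return True
    return any(re.search(p, sid) for p in split_setting(patterns))

def preview(sids, **settings):
    """Map each SID to True (hidden from data owners) or False (still shown)."""
    return {sid: is_suppressed(sid, **settings) for sid in sids}

if __name__ == "__main__":
    for sid, hidden in preview(SAMPLE_SIDS).items():
        print(f"{'hidden' if hidden else 'shown ':6}  {sid}  ({label(sid)})")
```

With the posted values, only the two built-in aliases and the SID ending in `-512` are hidden; a long `S-1-5-21-...` SID such as the one quoted in the thread stays visible until its full SID is added to `suppressSids` or a pattern matches it. The leading hyphen in `-512$` matters: `512$` alone would also hide the RID 1512 account.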