This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

SW Admin bailed - Attempting to unscramble an egg

DonkeyBrains over 3 years ago

Hi Guys

I am hoping somebody out there in the world might be able to help me. Our SW admin has left for a better gig and I am trying to work out what he has actually done. His user is still showing up as logging into SW at particular times of day. No activity is being recorded just the user logging in. I have searched services and tasks and can't see anything with his user details. His AD account is disabled so I figure it must be somewhere in a script. Any ideas on where I should be looking to see what is going on?

Any help would be much appreciated.

I have no idea where I should be posting this.

Top Replies

0 Malakai over 3 years ago

You'll want to start looking for his creds in places like this:
https://thwack.solarwinds.com/t5/THWACK-Community-Discussions/Solarwinds-locking-out-AD-account/m-p/267880
Cancel
Vote Up +1 Vote Down

Cancel
0 rschroeder over 3 years ago

A likely spot that will generate that sort of activity is Network Configuration Manager. NCM has a spot with pre-made and customized Jobs that can operate on schedules.
Open up NCM and look for the Jobs. See which ones are enabled, check out their schedules for running. You can edit any job to change its targets, its login user name/password, its actions, and even disable (or delete) the Job.
It can be helpful to have all Jobs using one or more Active Directory service accounts instead of an employee's user name. AD should be configured to give a service account only the rights it requires, and employees must agree to never log in with that account name & password.
Once you've found the Jobs running with the credentials of your former coworker, analyze what they're doing and determine if those tasks are necessary and correctly configured. Edit them (with the approval of your boss or your I.T. Security Director) to change/reschedule/modify/disable/delete them.
Swift Packets!
Rick Schroededer
Cancel
Vote Up +1 Vote Down

Cancel
0 danielleh over 3 years ago

Moving to The Orion Platform until we know which product(s) you're working with.
Cancel
Vote Up 0 Vote Down

Cancel
0 KMSigma.SWI over 3 years ago
I would recommend opening a support case, but if you want try and look at a few things yourself, you can try to get some data directly.

If you can RDP to the Orion server, you might get "some" clue from running a SQL statement directly against the database.

This is not an exhaustive list, but it may be helpful.

On the server, open the Database Manager. Click "Add Orion Server"

Expand the server to list the databases. One will be bolded. Right-click on that and select "New query..."

Copy the below into the window replacing 'searchTerm' with the previous admin's username (leave in the percent signs).

SELECT [CredProp].[CredentialID] ,[CredProp].[Name] ,[CredProp].[Value] ,[CredProp].[Encrypted] ,[Cred].[Description] ,[Cred].[CredentialOwner] FROM [CredentialProperty] AS [CredProp] INNER JOIN [Credential] AS [Cred] ON [CredProp].CredentialID = [Cred].ID WHERE [CredProp].Name = 'Username' AND [CredProp].Value LIKE '%searchTerm%'

Run the script. This will not return credentials from Network Configuration Manager or Server & Application Monitor - it's mostly for the platform level things (device discovery credentials, email authentication, and a few other things.)

Note: DO NOT DELETE ANYTHING FROM THE DATABASE DIRECTLY

All credential management should be done from the Web Console directly.

There also may be reports you can Import into your Orion platform that might help. Like the Windows Credential Report (assuming you are running Server & Application Monitor).
Cancel
Vote Up 0 Vote Down

Cancel