I am hoping somebody out there in the world might be able to help me. Our SW admin has left for a better gig and I am trying to work out what he has actually done. His user is still showing up as logging into SW at particular times of day. No activity is being recorded just the user logging in. I have searched services and tasks and can't see anything with his user details. His AD account is disabled so I figure it must be somewhere in a script. Any ideas on where I should be looking to see what is going on?
Any help would be much appreciated.
I have no idea where I should be posting this.
I would recommend opening a support case, but if you want try and look at a few things yourself, you can try to get some data directly.
If you can RDP to the Orion server, you might get "some" clue from running a SQL statement directly against the database.
This is not an exhaustive list, but it may be helpful.
On the server, open the Database Manager. Click "Add Orion Server"
Expand the server to list the databases. One will be bolded. Right-click on that and select "New query..."
Copy the below into the window replacing 'searchTerm' with the previous admin's username (leave in the percent signs).
SELECT [CredProp].[CredentialID] ,[CredProp].[Name] ,[CredProp].[Value] ,[CredProp].[Encrypted] ,[Cred].[Description] ,[Cred].[CredentialOwner] FROM [CredentialProperty] AS [CredProp] INNER JOIN [Credential] AS [Cred] ON [CredProp].CredentialID = [Cred].ID WHERE [CredProp].Name = 'Username' AND [CredProp].Value LIKE '%searchTerm%'
Run the script. This will not return credentials from Network Configuration Manager or Server & Application Monitor - it's mostly for the platform level things (device discovery credentials, email authentication, and a few other things.)
Note: DO NOT DELETE ANYTHING FROM THE DATABASE DIRECTLY
All credential management should be done from the Web Console directly.
There also may be reports you can Import into your Orion platform that might help. Like the Windows Credential Report (assuming you are running Server & Application Monitor).
A likely spot that will generate that sort of activity is Network Configuration Manager. NCM has a spot with pre-made and customized Jobs that can operate on schedules.
Open up NCM and look for the Jobs. See which ones are enabled, check out their schedules for running. You can edit any job to change its targets, its login user name/password, its actions, and even disable (or delete) the Job.
It can be helpful to have all Jobs using one or more Active Directory service accounts instead of an employee's user name. AD should be configured to give a service account only the rights it requires, and employees must agree to never log in with that account name & password.
Once you've found the Jobs running with the credentials of your former coworker, analyze what they're doing and determine if those tasks are necessary and correctly configured. Edit them (with the approval of your boss or your I.T. Security Director) to change/reschedule/modify/disable/delete them.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.