4 Replies Latest reply on Nov 16, 2016 9:45 AM by beckerj99

    Accounts in admin groups without "admin" or "administrator" in the account name


      I may be overthinking this, it seems like it should be easier. We have several accounts that are in Admin groups on several servers, however, their names do not contain admin or administrator or root. After some investigation, we realized that those users are not being treated as administrators. Looking thru windows logs and LEM logs, we see that their group "Administrators", "DNSAdmins", etc are not being inserted into the logs and therefore not being sent to LEM resulting in LEM not recognizing them as admins. I tried adding the User Defined Admin Groups to the rule, however, it still doesn't work since Windows is not sending the group a user belongs to with its logs.


      Is there a way to either:


      Make LEM harvest admins to populate the User Defined admin group


      Add the group a user belongs to in the Windows Logs sent to LEM


      Have LEM call back to a server to see if a user who has failed logon is in an admin group?



        • Re: Accounts in admin groups without "admin" or "administrator" in the account name

          The way I'd handle this would be to:


          1. Setup the Directory Services Query Active Response connector in the LEM web console
            • This is basically the only reason to have this connector configured in LEM 6.3.1 and above
          2. Go to Build → Groups, hit the "+" and pick "Directory Service Group"
          3. Select the Security Group that contains your administrators
            • Has to be a Security Group, can't be an OU or a Distribution Group!
          4. Repeat 1 to 3 for other critical groups
          5. In your rules, you should now be able to do something like "UserLogonFailure.DestinationAccount is contained in {Directory Service Group}"
            • You can add "OR" boxes to have LEM check multiple groups and/or the User Defined Group
            • The "is contained in" will be inserted automatically in the rule when you compare a condition to a group


          There will be a "Directory Service Groups" drawer in the Rules Editor that populates with these groups.  Then LEM can check and see if an account is in the group of admins when evaluating rule criteria, and use those groups in place of the User Defined Group.