Issues with Admon detecting "user" removed

Posted: Sun May 26, 2019 10:48 pm
by kami.mcleod
Hi Team

I am trying to get this plugin working for my environment but over 2000 tickets logged I'm hitting a bit of a wall.
The addon is constantly 'detecting' that accounts are being removed from the administrator group (and logging a ticket for each account... which adds up!).

It is detecting EVERY administrator - our domain admins group, local user accounts, the local Administrator account, are all being detected as being 'removed' from the local administrators setup. It so far doesn't look to have detected any as being added, but with the amount of tickets being logged I cannot confirm this fully.

I've modified the plugin to only alert us on adding new Administrators, but would like to eventually be alerted on both cases.

Re: Issues with Admon detecting "user" removed

Posted: Wed May 29, 2019 3:18 am
by kami.mcleod
Hi All

As an update to this, since changing the system to only alert on new user accounts, it appears the script is instead now just updating the SQL DB with all the 'newly scanned' accounts - I added a test admin account to one of my systems, and it has just added it to the list of "these are the local admins" instead of alerting that a new admin has been added.

Re: Issues with Admon detecting "user" removed

Posted: Thu Jun 13, 2019 1:17 pm
by Cubert
I will look into some of this next week once I get back from ITNation Explore. The monitor is a raw SQL internal monitor I believe if memory serves me well. I will need to have a peek at how it compares current to new?

Re: Issues with Admon detecting "user" removed

Posted: Tue Jul 23, 2019 11:08 pm
by kami.mcleod
Hi

Any chance of a look in at this one? We still cannot enable "remove from group" as it just spams our ticketing system!
Thanks

Re: Issues with Admon detecting "user" removed

Posted: Sat Aug 24, 2019 3:51 pm
by TClayton
Confirmed this happened to us this week.
Added the plugin, then enabled it on the clients I wanted.
Day later 1000 tickets about accounts being removed.
I unchecked monitor for any removals from admin group and also unchecked create a ticket, for now.