Issues with Admon detecting "user" removed

This plugin monitors the local admin group for changes and alerts admins when changes have been made.
kami.mcleod
Posts: 3
Joined: Mon May 20, 2019 5:47 am

Issues with Admon detecting "user" removed

Post by kami.mcleod »

Hi Team

I am trying to get this plugin working for my environment, but with over 2000 tickets logged I'm hitting a bit of a wall.
The addon is constantly 'detecting' that accounts are being removed from the administrator group (and logging a ticket for each account... which adds up!).

It is detecting EVERY administrator - our domain admins group, local user accounts, the local Administrator account, are all being detected as being 'removed' from the local administrators setup. It so far doesn't look to have detected any as being added, but with the amount of tickets being logged I cannot confirm this fully.

I've modified the plugin to only alert us on adding new Administrators, but would like to eventually be alerted on both cases.


Re: Issues with Admon detecting "user" removed

Post by kami.mcleod »

Hi All

As an update to this, since changing the system to only alert on new user accounts, it appears the script is instead now just updating the SQL DB with all the 'newly scanned' accounts - I added a test admin account to one of my systems, and it has just added it to the list of "these are the local admins" instead of alerting that a new admin has been added.

Cubert
Posts: 2430
Joined: Tue Dec 29, 2015 7:57 pm

Re: Issues with Admon detecting "user" removed

Post by Cubert »

I will look into some of this next week once I get back from ITNation Explore. The monitor is a raw SQL internal monitor I believe if memory serves me well. I will need to have a peek at how it compares current to new?


Re: Issues with Admon detecting "user" removed

Post by kami.mcleod »

Hi

Any chance of a look in at this one? We still cannot enable "remove from group" as it just spams our ticketing system!
Thanks

TClayton
Posts: 1
Joined: Fri Aug 23, 2019 4:22 pm

Re: Issues with Admon detecting "user" removed

Post by TClayton »

Confirmed this happened to us this week.
Added the plugin, then enabled it on the clients I wanted.
Day later 1000 tickets about accounts being removed.
I unchecked monitor for any removals from admin group and also unchecked create a ticket, for now.
