topic Re: User-ID agent collecting non-domain user-ip mappings in General Topics

User-ID agent collecting non-domain user-ip mappings

dieter_b — Thu, 03 Oct 2013 14:54:13 GMT

User-ID agent version 5.0.6-6 seems to collect non-domain user to ip mappings.

In fact this is a laptop that is a member of our domain, but I'm logging on with a local administrator. User-ID agent collects it and maps the ip to "hostname\administrator" (as opposed to normal mappings "domainname\username"). User-ID debug logs show it being collected because of the computer account ( DOMAINNAME\hostname$ ) logged on to the domain.

As expected, the user is denied access to websites (Application block page), because he doesn't belong to the allowed AD groups. The user is not even given a CP.

In version 3.1.2 this does not occur and you can actually limit it from collecting those:

under Configure you can enter a domain name
under Filter Group Members you can filter out unwanted AD groups (like domain computers)

I can't find any of these in the new agent...

Most annoying, what can I do to change this behaviour ?

Re: User-ID agent collecting non-domain user-ip mappings

dieter_b — Mon, 07 Oct 2013 08:19:37 GMT

Has anyone else seen this behaviour ?

Re: User-ID agent collecting non-domain user-ip mappings

Retired Member — Mon, 07 Oct 2013 08:28:37 GMT

Probing is enabled ?

Re: User-ID agent collecting non-domain user-ip mappings

dieter_b — Mon, 07 Oct 2013 09:28:41 GMT

Yes, WMI probing. Would that be te reason a non-domain user is mapped ?

Then how can I prevent non-domain users from being collected ?

Re: User-ID agent collecting non-domain user-ip mappings

Retired Member — Mon, 07 Oct 2013 10:44:28 GMT

Can you try if issue is resolved when probing is off

Re: User-ID agent collecting non-domain user-ip mappings

dieter_b — Mon, 07 Oct 2013 10:57:20 GMT

Just tried what you suggested: with client probing disabled, no ip mapping is done.

Is there a way I can filter out WMI probing for non-domain users, but keep it for our domain users ? We need probing because we have some turnaround...

Re: User-ID agent collecting non-domain user-ip mappings

dpalani — Mon, 07 Oct 2013 14:50:16 GMT

Are the mappings (hostname/username) done for a single subnet or just a group of ip-addresses ? Depending on the ips you can use include/exclude list or ignore list.

While using include exclude list you need mention the subnet's who mapping info you need and those you don't.

If its random but same ips you can use the ignore list, which can configured the following way.

How to Ignore Users in User-ID Agent

Re: User-ID agent collecting non-domain user-ip mappings

dieter_b — Mon, 07 Oct 2013 15:02:49 GMT

We are talking about the same subnet as our domain: as described these laptops are in fact domain members. But on some we use local users.

So there is no way I can filter out certain IP's, because then I probably would not have user id for domain users who log on.

The other suggestion is not too good as well:

If I ignore user "administrator", it would also ignore my domain administrator. Idem for local users who are equal to domain users.

Using the netbios\username notation, it would be quite a hassle to administer.

I really wonder why the implementation is so very different with the new agent version in comparison with the old.

Edit:

In 3.1.2 in the config.xml you have a value like

<domain>mydomain.local</domain>

There's no such value in 5.0.6-6 UserIDAgentConfig.xml. Or is it just not documented ??

Re: User-ID agent collecting non-domain user-ip mappings

dpalani — Mon, 07 Oct 2013 15:17:41 GMT

The hostname is unique to each device so you can use a ignore list, the administrator name may be the same but, the domain the user name is in are different.