User-ID agent collecting non-domain user-ip mappings


L4 Transporter

User-ID agent version 5.0.6-6 seems to collect non-domain user to ip mappings.

In fact this is a laptop that is a member of our domain, but I'm logging on with a local administrator. User-ID agent collects it and maps the ip to "hostname\administrator" (as opposed to normal mappings "domainname\username"). User-ID debug logs show it being collected because of the computer account ( DOMAINNAME\hostname$ ) logged on to the domain.

As expected, the user is denied access to websites (Application block page), because he doesn't belong to the allowed AD groups. The user is not even given a CP.

In version 3.1.2 this does not occur and you can actually limit it from collecting those:

  • under Configure you can enter a domain name
  • under Filter Group Members you can filter out unwanted AD groups (like domain computers)

I can't find any of these in the new agent...

Most annoying, what can I do to change this behaviour?

8 REPLIES 8

L4 Transporter

Has anyone else seen this behaviour?

Probing is enabled?

Yes, WMI probing. Would that be the reason a non-domain user is mapped?

Then how can I prevent non-domain users from being collected?

Can you try if the issue is resolved when probing is off?

Just tried what you suggested: with client probing disabled, no ip mapping is done.

Is there a way I can filter out WMI probing for non-domain users, but keep it for our domain users? We need probing because we have some turnaround...

L3 Networker

Are the mappings (hostname/username) done for a single subnet or just a group of IP addresses? Depending on the IPs you can use the include/exclude list or the ignore list.

While using the include/exclude list you need to mention the subnets whose mapping info you need and those you don't.

If it's random but the same IPs, you can use the ignore list, which can be configured the following way.

How to Ignore Users in User-ID Agent

We are talking about the same subnet as our domain: as described these laptops are in fact domain members. But on some we use local users.

So there is no way I can filter out certain IPs, because then I probably would not have user ID for domain users who log on.

The other suggestion is not too good as well:

If I ignore user "administrator", it would also ignore my domain administrator. Idem for local users who are equal to domain users.

Using the netbios\username notation, it would be quite a hassle to administer.

I really wonder why the implementation is so very different with the new agent version in comparison with the old.

Edit:

In 3.1.2 in the config.xml you have a value like

     <domain>mydomain.local</domain>

There's no such value in 5.0.6-6 UserIDAgentConfig.xml. Or is it just not documented?

The hostname is unique to each device, so you can use an ignore list; the administrator name may be the same, but the domain the user name is in is different.
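
The distinction the thread turns on (same user name, different prefix) can be checked mechanically. The following is an added example, not code from any poster or from the vendor: it separates domain mappings from local-account mappings by their prefix and builds ignore-list candidates in the `netbios\username` notation mentioned above. The input format, the domain name `MYDOMAIN` and the sample mappings are constructed assumptions.

```python
# Added example. Assumption: mappings are available as (ip, "PREFIX\\user")
# pairs; this input format and the sample data below are constructed.
SAMPLE_MAPPINGS = [
    ("10.1.20.15", "MYDOMAIN\\jsmith"),
    ("10.1.20.31", "LAPTOP-017\\administrator"),  # local admin on a domain member
    ("10.1.20.44", "mydomain\\administrator"),    # domain admin, must be kept
    ("10.1.20.52", "LAPTOP-022\\jsmith"),         # local user named like a domain user
    ("10.1.20.53", "laptop-022\\JSmith"),         # same account, different case
    ("10.1.20.60", "MYDOMAIN\\LAPTOP-017$"),      # computer account
    ("10.1.20.77", "orphan-entry"),               # no prefix at all
]


def classify(user, domain):
    """Return 'domain', 'machine', 'local' or 'malformed' for one mapped user."""
    prefix, sep, name = user.partition("\\")
    if not sep or not prefix or not name:
        return "malformed"
    if name.endswith("$"):
        return "machine"
    # NetBIOS names compare case-insensitively.
    return "domain" if prefix.lower() == domain.lower() else "local"


def audit(mappings, domain):
    """Group (ip, user) pairs by classification."""
    report = {}
    for ip, user in mappings:
        report.setdefault(classify(user, domain), []).append((ip, user))
    return report


def ignore_candidates(mappings, domain):
    """Unique local accounts in prefix\\username form, first spelling seen wins."""
    seen = {}
    for _, user in mappings:
        if classify(user, domain) == "local":
            seen.setdefault(user.lower(), user)
    return [seen[key] for key in sorted(seen)]


if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_MAPPINGS, "MYDOMAIN").items():
        print(kind, rows)
    print("\n".join(ignore_candidates(SAMPLE_MAPPINGS, "MYDOMAIN")))
```
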
