User-ID Agent Ignore a group of users

Thank you vermy much for your replay.

I want to ignore a group of users to prevent the "normal" accounts of the administrators to be overwritten by the administrative account of that user.

For example there is a rule for Internet traffic with User-ID. Traffic is allowed for all normal users. Not for administrative accounts.

I'm working on my computer with my normal account "marco". Then I connect to a Server via RDP using my administrative account "marco-admin". Sometimes User-ID then thinks my computer is assigned to "marco-admin" and i can not access the internet.

hi @Clermont

This is very unfortunate!

Do you have a lot of admins? You can use wildcards in usernames in the ignore list, but only as the last character

so if you could change your usernames, you would be able to ignore all admin-*

wow... how odd... i can understand the "server ip" to marco-admin but was not aware that the "clent device ip" could also be associated to the username used to logon to the server...

is this because of some network level authentication?

I'll need to watch out for that.....

cheers for the info.

ok just rdp'd with my test account and client ip mapping also changed to test account.

I can now see how this could be useful...

thanks again for the info/explanation.

Thanks for your fast reply.

Unfortunatelly our admins end with "*adm" 😕

I have about 30 accounts. I think I will add them manuelly.

Just to make sure: Do I have to add them with the domain prefix "domain\marco-admin" or is the username "marco-admin" enough?

Have a nice weekend

Is this a bug or a feature? We are just getting started with user-ID, and I can see this being an issue for us working in the IT dept. We use RDP a lot.

Maybe something of both, because the RDP-Logon on a Server is linked for your local machine in User-ID.  So we decided to ignore the administrative accounts for User-ID. Which would be much easier with a group.

@TerjeLundbo, not sure if I would class this as a bug, more of a feature with some annoying aspects.

I have used user-id for some time now and have never had this issue, but only because my user logon also has server admin rights.

I have only become aware of this via this post, love this site....

if you use a different account for RDP  then it will/could be an issue.

@Clermont I'd recommend adding the domain while you're at it (not sure if mandatory but have always done it that way)

@TerjeLundbo which part are you referring to exactly? 🙂 the rdp anamoly is kinda how microsoft handles authentications (it passes along your source IP with the auth so the user-id agent gets the log and sees your admin pc's ip even though you're logging in remotely)

The ignore user list is there to help prevent this issue, and also in case there are automated scripts running on a workstation that could trigger after a user has logged on and cause a new authentication log for the workstation's ip, with a service account

If we want to have user-ID based rules also for admin accounts, to grant access to management systems etc, that won't work of course if we filter out those accounts in user-ID agents.

that's correct, depending on the scenario:

when RDPing into a remote system, the ip mapping of the source will be affected, to which the admin is already logged in

If the admin then starts performing locat tasks "as administrator" there'll be a secondary authetication that affects the remoted system

You can also enable probes (netbios or WMI) which will periodically poll workstations for their actually 'logged in' user, so if the ip is hijacked by an admin or service account, the probe will correct that mapping also

Hello,

So I ran into a similar situation and found that using exchange logs instead of a domain controllers security logs refreshed faster since outlook is constantly authenticating to exchange. Not sure if that will work in you environment.

Regards,