The local user Administrator is logged in on the desktop and is not allowed to access the internet. But he can access it.
When checking in Monitor on PA220, I noticed that another user appears in the Source User column and not the Administrator user.
Has anyone ever experienced this?
Software version 8.0.10
Correct; which is why WMI probing isn't going to help you here, as the firewall sees the old user-mapping and has no reason to immediately trigger a probe. You could potentially get around this by decreasing your timeout value, which still wouldn't alleviate the issue but would probably fit what you are aiming to do better than what you have already.
Just because a new user logs in doesn't mean the user-id information on the firewall will automatically clear; the firewall has zero knowledge of this event if you're just reading AD logs. Depending on a number of different configuration options (WMI Probing Interval, User Identification Timeout Value), the mapping will stay present until it is removed or updated.
So if I'm logged into a machine with 'DOMAIN\bpry' as my user-id and then log in with a local admin account, the firewall doesn't have any idea that this local account was ever used. To account for this, either the probe interval can be increased if using WMI, or the identification timeout value can be decreased. Each option has downsides:
WMI Probing:
- Some find it difficult to set up.
- Setting a short WMI Probe interval will cause a large amount of network traffic to all devices.
User Identification Timeout:
- Depending on the source of the user-id logs, a short timeout value isn't possible if you wish to maintain user-id mappings.
- Setting an artificially high value can also cause issues.
When you're using local accounts there isn't a good way to solve the issue that you are running into. You simply aren't providing the firewall with the required information to update the user-id mapping. This means that regardless of what you do, there is the possibility that for a certain period of time the old user-id mapping will stay active when you log in with a local account.
To properly fix this you need to get rid of local accounts; there isn't another way to get around this issue.
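Added example, not code from the thread or from Palo Alto: a small Python model of the IP-to-user table the replies describe. A domain logon event updates the table, a local-account logon produces no event at all, so the old domain user stays mapped until the identification timeout expires; the IP address, user names and timeout values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Mapping:
    user: str
    learned_at: float  # simulated clock, seconds


class UserIdCache:
    """Toy model of the firewall's IP-to-user table (assumption: not PAN-OS code)."""

    def __init__(self, timeout_s: float):
        self.timeout_s = timeout_s  # User Identification Timeout
        self.table: Dict[str, Mapping] = {}

    def on_ad_logon(self, ip: str, user: str, now: float) -> None:
        # Only domain logons appear in the AD security logs the agent reads.
        self.table[ip] = Mapping(user, now)

    def on_local_logon(self, ip: str, user: str, now: float) -> None:
        # A local-account logon never reaches AD, so the firewall learns nothing.
        return

    def lookup(self, ip: str, now: float) -> Optional[str]:
        # Return the mapped user, or None once the mapping has aged out.
        m = self.table.get(ip)
        if m is None or now - m.learned_at >= self.timeout_s:
            self.table.pop(ip, None)
            return None
        return m.user


def stale_window(timeout_s: float, local_logon_at: float) -> float:
    """Seconds after a local logon during which the previous domain user still matches policy."""
    ip = "10.0.0.5"  # constructed
    cache = UserIdCache(timeout_s)
    cache.on_ad_logon(ip, "DOMAIN\\bpry", 0.0)
    cache.on_local_logon(ip, "Administrator", local_logon_at)
    t = local_logon_at
    # Probe the table second by second until the stale mapping expires.
    while cache.lookup(ip, t) == "DOMAIN\\bpry":
        t += 1
    return t - local_logon_at


if __name__ == "__main__":
    for timeout in (2700, 900):  # constructed: 45 minutes vs 15 minutes
        print(f"timeout={timeout}s stale window={stale_window(timeout, 600):.0f}s")
```

Shortening the timeout only shrinks the window in which the domain user's allow rule still matches the local account's traffic; it never closes it.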
Could you not run a script on local group policy that mapped a network drive to an AD share with a username?
This would then update User-ID to a user that would be denied internet access...
A bit Heath Robinson but workable...
I favour the banning of local user accounts...
Yeah, that's not really required at all if your environment is set up to current enterprise standards. For example, each of our machines has a local admin account, but the password is controlled by LAPS and nobody logs into the account for anything. Administration of the machine is done through an AD account granted admin rights to all domain-joined computers. There really isn't any need to do this with a local account, and it definitely doesn't follow best practice for Windows administration.