We've been running into an issue with our User-ID Agent where it seems to not have enough discovered users, but it's also losing them randomly as well. Running User ID Agent version 4.1.4-3, we have it pointed at 5 DCs and it is picking up around 1500 users, but we are expecting there to be over 3000 users at any given time.

After doing some investigation, it appears that this may be a problem with the ignore_user_list functionality that is in place. We have 34 service accounts that are ignored, but the one that seems to be causing the issue is the service account for McAfee. This account connects to each machine periodically and gets updated information about the AV status, and this is picked up in the DC authentication logs. When this account does one of its checks, though, it seems to wipe out the existing user-to-IP mapping that it has previously discovered. If I disable the ignore_user_list, then we get 3500 entries in the mapping table, but most of these then point to the McAfee service account, not the currently logged-in user.

I've also noticed that even though I have the mapping timeout set to 24 hours, the count goes down as well as up, reinforcing the idea that something else is removing the mappings from the table. This is even after restarting the service to reset the timeout timer.

I thought if you entered a user into the ignore_user_list file, then it would just ignore logons from that user, not remove any existing mapping that is already in place? Can anyone confirm if this is expected behaviour or if it's something wrong in our setup that's causing the issue? Any help anyone can provide would be most appreciated.