ATP sensors...download report shows far more domain controllers than expected
StuartH, it's a known issue that occurs when the read-only AD user account supplied to AATP does not have access to the AD Deleted Objects folder.
We are working on discovering this info in another way that won't need special permissions.
This feature is now being tested with select customers, and when it is mature enough it will be released to everyone, after which the mentioned report should look fine.
- StuartH, Nov 19, 2019 (Brass Contributor)
EliOfek, appreciated.
Having enabled the directory account's read rights to our multiple \Deleted Objects containers (we have a single forest, multiple domains)... we are still seeing the "retired" sensors in the list. Does something else need to be done to kick this into life and prune things away?
How close are you to the new "feature", where this wouldn't be needed?
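The permission the thread is talking about, as an added example that is not code from this thread, from Microsoft, or from the sensor itself: the Deleted Objects container of each domain is owned by SYSTEM and carries no inherited ACEs, so the usual way to give the Azure ATP / Defender for Identity directory-service account read access is to take ownership and then grant List Contents plus Read Property (LCRP) with dsacls, per domain in a multi-domain forest. The script below does that for every domain in the forest and then shows what the account can see: tombstoned computer objects that used to live in the Domain Controllers OU, and the forest's tombstone lifetime, after which those tombstones are garbage-collected and no permission can recover them. The account name, the use of the PDC emulator as the target DC, and the lastKnownParent heuristic for "retired DC" are assumptions of the example. Per EliOfek's reply, granting the right after the fact does not necessarily clean up sensors already listed.

```powershell
# Added example (not from the thread, Microsoft, or the ATP sensor code).
# Grants the ATP / Defender for Identity directory-service account LCRP on the
# "Deleted Objects" container of every domain in the forest, then checks what
# that account can see.
#
# Assumptions (hypothetical values, adjust to your forest):
#   - Run on a domain-joined host with RSAT (ActiveDirectory module, dsacls.exe)
#     as a Domain Admin in each domain (/takeownership needs it).
#   - $SvcAccount is the account configured in the ATP portal, as DOMAIN\name
#     (for a gMSA use DOMAIN\gmsaname$).
Import-Module ActiveDirectory

$SvcAccount = 'CONTOSO\svc-aatp'   # hypothetical account name

function Grant-DeletedObjectsRead {
    param([Parameter(Mandatory)][string]$Account)

    foreach ($domainName in (Get-ADForest).Domains) {
        $domain    = Get-ADDomain -Identity $domainName
        $dc        = $domain.PDCEmulator                      # assumption: target the PDCe of each domain
        $deletedDn = "CN=Deleted Objects,$($domain.DistinguishedName)"

        # Deleted Objects is owned by SYSTEM with no inherited ACEs, so even a
        # Domain Admin must take ownership before adding an ACE. LCRP = List
        # Contents + Read Property: enough to read tombstones, nothing more.
        Write-Host "[$domainName] granting LCRP on $deletedDn to $Account"
        & dsacls.exe "\\$dc\$deletedDn" /takeownership | Out-Null
        & dsacls.exe "\\$dc\$deletedDn" /G "${Account}:LCRP" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "[$domainName] dsacls failed with exit code $LASTEXITCODE"
        }
    }
}

function Get-DeletedDomainControllers {
    # Lists tombstoned computer objects whose last known parent was the Domain
    # Controllers OU (assumed heuristic for "retired DC"). Pass -Credential for
    # the service account to see exactly what ATP can read; omit it to run as
    # the current (admin) user.
    param([pscredential]$Credential)

    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $query  = @{
            Server                = $domain.PDCEmulator
            SearchBase            = "CN=Deleted Objects,$($domain.DistinguishedName)"
            Filter                = 'isDeleted -eq $true -and objectClass -eq "computer"'
            IncludeDeletedObjects = $true
            Properties            = 'lastKnownParent', 'whenChanged'
        }
        if ($Credential) { $query.Credential = $Credential }

        Get-ADObject @query |
            Where-Object { $_.lastKnownParent -like 'OU=Domain Controllers,*' } |
            Select-Object @{ n = 'Domain'; e = { $domainName } },
                          # a tombstone's name is "<oldname>\0ADEL:<guid>"; keep the old name
                          @{ n = 'Name';   e = { ($_.Name -split "`n")[0] } },
                          whenChanged
    }
}

function Get-TombstoneLifetimeDays {
    # Once a tombstone is older than this, garbage collection removes it and
    # no permission on Deleted Objects can show that the DC ever existed.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                       -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }  # unset = legacy default of 60 days
}

# Usage
Grant-DeletedObjectsRead -Account $SvcAccount
"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
$cred = Get-Credential -UserName $SvcAccount -Message 'Password of the ATP directory-service account'
Get-DeletedDomainControllers -Credential $cred | Format-Table -AutoSize
```

Running the last query as the service account (rather than as yourself) is the useful check: if it returns the retired DCs in every domain, the permission is in place everywhere and what remains is on the ATP side; if a domain returns nothing although DCs were demoted there recently, either the ACE is missing in that domain or the tombstones have already aged past the tombstone lifetime.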
- EliOfek, Nov 19, 2019 (Microsoft)
StuartH, giving access after the fact will not always solve the issue.
We are still perfecting the new solution, and although we do have progress, I don't have a release date yet.
I hope it will be a few weeks before we can deploy it globally.
- StuartH, Nov 20, 2019 (Brass Contributor)
EliOfek, well, I wondered how that would work after the fact... as I assumed that the service account would compare what was deleted to what exists... but after the tombstone lifetime, how would it ever know the retired DC existed?
Is there no way to clean up those retired DCs some other way?