Forum Discussion
ATA showing a user as an member of Domain Admin who has been deleted for 40 days?
Hi all,
ATA shows a member of "Domain Admins" who has been deleted for 40 days? I have verified that the user doesn’t exist in AD. When I look at the user in ATA, the last event is: “Account's password was set to never expire”.
- Is it me that don’t understand how ATA is working? So, by design. 😊
- Could it be a communication error (drop out) between the ATA and one of the Domain Controllers? I have no reason to believe that, but anyway.
- If that is the case, is there a way that I can get the correct information in to ATA?
- How do I verify the communication error, and how do I correct it?
The setup is 1 ATA on the same subnet as 4 domain controllers. And everything else seems to be working as expected.
Best regards
Thomas
- EliOfek
Microsoft
ThomasFriisPoulsen , see
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites#before-you-start
"Recommended: User should have read-only permissions on the Deleted Objects container. This allows ATA to detect bulk deletion of objects in the domain. For information about configuring read-only permissions on the Deleted Objects container, see the Changing permissions on a deleted object container section in the View or Set Permissions on a Directory Objectarticle."
Besides detection, this can help us know an account was deleted, try this and see if it resolves the issue.
Thanks. :)
We will look into it. I'll keep you updated.EliOfekEliOfek
Thanks again. :)OK, we done that wrong and have now change it so ATA has readonly access to Deleted Objects.
Next question is, how do we get ATA back in sync? Should we just sit back and wait? ;)- EliOfek
ThomasFriisPoulsen , I think this will fix the issue only going forward, as we already "missed" the update.
Which ATA version are you running?
