Forum Discussion

ThomasFriisPoulsen's avatar
ThomasFriisPoulsen
Iron Contributor
Jul 03, 2019

ATA showing a user as an member of Domain Admin who has been deleted for 40 days?

Hi all, ATA shows a member of "Domain Admins" who has been deleted for 40 days? I have verified that the user doesn’t exist in AD. When I look at the user in ATA, the last event is: “Account's passw...
EliOfek's avatar
EliOfek
Icon for Microsoft rankMicrosoft
Jul 03, 2019

ThomasFriisPoulsen , see

https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites#before-you-start

"Recommended: User should have read-only permissions on the Deleted Objects container. This allows ATA to detect bulk deletion of objects in the domain. For information about configuring read-only permissions on the Deleted Objects container, see the Changing permissions on a deleted object container section in the View or Set Permissions on a Directory Objectarticle."

 

Besides detection, this can help us know an account was deleted, try this and see if it resolves the issue. 

  • ThomasFriisPoulsen's avatar
    ThomasFriisPoulsen
    Iron Contributor
    Jul 03, 2019

    Thanks. :)
    We will look into it. I'll keep you updated.EliOfek 

  • ThomasFriisPoulsen's avatar
    ThomasFriisPoulsen
    Iron Contributor
    Jul 04, 2019

    EliOfek 
    Thanks again. :)

    OK, we done that wrong and have now change it so ATA has readonly access to Deleted Objects.
    Next question is, how do we get ATA back in sync? Should we just sit back and wait? ;)

     

    • EliOfek's avatar
      EliOfek
      Icon for Microsoft rankMicrosoft
      Jul 04, 2019

      ThomasFriisPoulsen , I think this will fix the issue only going forward, as we already "missed" the update.

      Which ATA version are you running? 

Resources