ATA showing a user as an member of Domain Admin who has been deleted for 40 days?

Iron Contributor

Hi all,

ATA shows a member of "Domain Admins" who has been deleted for 40 days? I have verified that the user doesn’t exist in AD. When I look at the user in ATA, the last event is: “Account's password was set to never expire”.

  • Is it me that don’t understand how ATA is working? So, by design. 😊
  • Could it be a communication error (drop out) between the ATA and one of the Domain Controllers? I have no reason to believe that, but anyway.
    • If that is the case, is there a way that I can get the correct information in to ATA?
    • How do I verify the communication error, and how do I correct it?

The setup is 1 ATA on the same subnet as 4 domain controllers. And everything else seems to be working as expected.
Best regards
Thomas

7 Replies

@ThomasFriisPoulsen , see

https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites#before-you-start

"Recommended: User should have read-only permissions on the Deleted Objects container. This allows ATA to detect bulk deletion of objects in the domain. For information about configuring read-only permissions on the Deleted Objects container, see the Changing permissions on a deleted object container section in the View or Set Permissions on a Directory Objectarticle."

 

Besides detection, this can help us know an account was deleted, try this and see if it resolves the issue. 

Thanks. 🙂
We will look into it. I'll keep you updated.@EliOfek 

@EliOfek 
Thanks again. 🙂

OK, we done that wrong and have now change it so ATA has readonly access to Deleted Objects.
Next question is, how do we get ATA back in sync? Should we just sit back and wait? 😉

 

@ThomasFriisPoulsen , I think this will fix the issue only going forward, as we already "missed" the update.

Which ATA version are you running? 

@ThomasFriisPoulsen 

Try to upgrade to 1.9 Update 2 (1.9.7478.57683).

If the issue is still not resolved, on top of this version, you can induce a forced resync of AD to ATA.

Giving that now we have read access on deleted items, the resync should resolve the issue.

 

You can do this by opening an  elevated command prompt on the Center machine, navigating to the mongo bin folder, and from there issuing the commands:

 

net stop ATACenter
mongo.exe ATA --eval "db.SystemProfile.remove({_t:'DirectoryServicesSystemProfile'})"
net start ATACenter

This will force a resync, which can take from a few hours to a few days, depending on your AD size... for most customers it will complete within a few hours.

There is no UI indication on completion because it is actually an ongoing process, we just tell it here to start from scratch.

Just upgraded, waiting... ... ... ... 🙂

@EliOfek