Jul 03 2019
01:28 AM
- last edited on
Nov 30 2021
10:05 AM
by
TechCommunityAP
Jul 03 2019
01:28 AM
- last edited on
Nov 30 2021
10:05 AM
by
TechCommunityAP
Hi all,
ATA shows a member of "Domain Admins" who has been deleted for 40 days? I have verified that the user doesn’t exist in AD. When I look at the user in ATA, the last event is: “Account's password was set to never expire”.
The setup is 1 ATA on the same subnet as 4 domain controllers. And everything else seems to be working as expected.
Best regards
Thomas
Jul 03 2019 01:41 AM
@ThomasFriisPoulsen , see
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites#before-you-start
"Recommended: User should have read-only permissions on the Deleted Objects container. This allows ATA to detect bulk deletion of objects in the domain. For information about configuring read-only permissions on the Deleted Objects container, see the Changing permissions on a deleted object container section in the View or Set Permissions on a Directory Objectarticle."
Besides detection, this can help us know an account was deleted, try this and see if it resolves the issue.
Jul 03 2019 03:35 AM
Thanks. 🙂
We will look into it. I'll keep you updated.@EliOfek
Jul 03 2019 11:56 PM
@EliOfek
Thanks again. 🙂
OK, we done that wrong and have now change it so ATA has readonly access to Deleted Objects.
Next question is, how do we get ATA back in sync? Should we just sit back and wait? 😉
Jul 04 2019 02:05 AM
@ThomasFriisPoulsen , I think this will fix the issue only going forward, as we already "missed" the update.
Which ATA version are you running?
Jul 04 2019 10:14 AM
1.9.7412.9649@EliOfek
Jul 07 2019 02:59 AM - edited Jul 08 2019 01:46 AM
Try to upgrade to 1.9 Update 2 (1.9.7478.57683).
If the issue is still not resolved, on top of this version, you can induce a forced resync of AD to ATA.
Giving that now we have read access on deleted items, the resync should resolve the issue.
You can do this by opening an elevated command prompt on the Center machine, navigating to the mongo bin folder, and from there issuing the commands:
net stop ATACenter mongo.exe ATA --eval "db.SystemProfile.remove({_t:'DirectoryServicesSystemProfile'})" net start ATACenter
This will force a resync, which can take from a few hours to a few days, depending on your AD size... for most customers it will complete within a few hours.
There is no UI indication on completion because it is actually an ongoing process, we just tell it here to start from scratch.
Jul 08 2019 12:30 AM
Just upgraded, waiting... ... ... ... 🙂