When adding an account to a blocking policy and selecting the account in the AD tree by its CN, does NTP bind the SID to that CN? Meaning, if the CN changes but the SID stays the same, does it follow the SID, or does one need to re-add the account if the CN is changed? Appreciate any feedback.
Hello Jay,
It depends on the event type and on the selected filter.
For example, for the AD Lockdown event type we have a "GUIDs" section in the "AD Objects and Containers" filter which allows you to point to the needed object by GUID.
Can you please clarify what event type and filter you mean?
Great to hear from you Alexei! We are using the Active Directory Lockdown event type, and are selecting the accounts in the AD Perpetrator tab. We have been selecting the accounts by their CN and adding them to the allowed perpetrators tab. There isn't an option for a GUID selection on that tab. There is one on the AD Objects and Containers tab, but we have the GUIDs of the groups that we want to have blocked in there. So, we can't have an allow selection on that tab because we are already utilizing the block for that tab. Any further suggestions?
Hi Jay,
The AD Lockdown policy is evaluated directly inside the AdMonitor library loaded into the LSASS process. So, we can't spend much time there to get any additional information (like CN, DN, and others); therefore in this case we use what we have to make a blocking decision as fast as possible. We get the SID from the access token of the processing thread in the LSASS process and compare it with the SID in the filter.
Also, for the AD Lockdown policy in particular, you can see a nice "Rule Preview" tab which shows exactly what we will do. Here is an example:
- BlkUsers=S-1-5-21-1102125718-4133486684-1617187724-501
- BlkGroups=S-1-5-21-1102125718-4133486684-1617187724-512
- Operations=Add|Remove|Modify|Rename
So, as you can see from this, if you selected a group or account in AD Perpetrators for the AD Lockdown policy, then we will use SID values.
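As an added illustration of the decision Alexei describes (this is not the product's code, just a stand-in written for this thread), the snippet below parses the Rule Preview lines shown above and matches the perpetrator's token SIDs against them, so a CN rename has no effect on the outcome. It assumes multiple SIDs in BlkUsers/BlkGroups would be separated by "|" like Operations, and the access token structure is a simplified stand-in.

```python
from dataclasses import dataclass

# Rule Preview text copied from the thread above; the "- " bullets are tolerated.
RULE_PREVIEW = """
- BlkUsers=S-1-5-21-1102125718-4133486684-1617187724-501
- BlkGroups=S-1-5-21-1102125718-4133486684-1617187724-512
- Operations=Add|Remove|Modify|Rename
"""


def parse_rule_preview(text):
    """Parse Key=Value|Value lines into sets. '|' as the list separator for
    BlkUsers/BlkGroups is an assumption; only Operations shows it on the page."""
    rule = {"BlkUsers": set(), "BlkGroups": set(), "Operations": set()}
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key in rule:
            rule[key] = {v.strip() for v in value.split("|") if v.strip()}
    return rule


@dataclass(frozen=True)
class AccessToken:
    """Simplified stand-in for what the thread says is consulted in LSASS:
    the caller's SID and group SIDs. The CN is carried only to show it is
    never looked at by the matching logic."""
    user_sid: str
    group_sids: frozenset
    cn: str = ""


def is_blocked(rule, token, operation):
    """Block if the operation is in scope and either the user SID or any
    token group SID appears in the filter. No name lookups are performed."""
    if operation not in rule["Operations"]:
        return False
    if token.user_sid in rule["BlkUsers"]:
        return True
    return bool(rule["BlkGroups"] & token.group_sids)
```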