Removing NPS users from local admin on computers that were offline when session ended in NPS

I’m trying to determine the best way to clean up computers that were offline when a session ended in NPS and left NPS users as local admins on those computers. Is this outside the scope of NPS or could it be leveraged to clean these up?

3 Likes

Hello Ashley,

Thank you for posting to the Netwrix community! Since the computer was offline when the session ended, that will cause the session to report an error.

You can use Protection Policies to enforce group membership on a schedule. This can be a bit tricky to set up, since you want to make sure that any Groups / Users that MUST remain in the group are present. The best way to test is to set up a machine that has the “MUST HAVE” local administrators, enroll that in a protection policy and then make sure your policy does not remove those users.

https://helpcenter.netwrix.com/bundle/PrivilegeSecure_4.2/page/Content/PrivilegeSecure/AccessManagement/Admin/Policy/Page/ProtectionPolicies.htm

Protection policies are scheduled using the Platform policies; you can also run those policies on demand by creating an Activity that then invokes the protection policies for the resource.

I recommend creating the Activity to test first with your test box; when you are satisfied, then add the resource you are concerned about to the protection policy.

Next, add this resource to your Activity Policy, and test it manually. Once you are satisfied with your results, you can create the protection schedule in the platform that the resource belongs to.

That will ensure NPS applies the protection policy on a schedule.

7 Likes

Hey Ashley. There is a feature in NPS called protection policies that can assist you in this scenario. The policies can be defined and run on a scheduled basis as well as run as a post session step in an activity. Here are the docs to help you get started.

https://helpcenter.netwrix.com/bundle/PrivilegeSecure_4.2/page/Content/PrivilegeSecure/AccessManagement/Admin/Policy/Page/ProtectionPolicies.htm

Let us know how you get along and if you need additional help please reach out!

Cheers!
Jerome.

5 Likes

And another approach to this would be to add an AD Group to the local Administrators, and manage the membership of the AD Group with NPS. The downside to this approach is making sure you manage the number of Endpoints that you have that group on.

The upside is the state of the endpoint doesn’t impact the ability of NPS to manage the membership of the group, since it is using AD instead of directly connecting to the endpoint.

A good strategy for this would be to create targeted AD Groups for different security needs or departments if needed.

4 Likes

Thanks guys. I’ll definitely take a look at Protection Policies. I believe I saw something about it a while back but couldn’t quite wrap my head around it. Does this take the place of or work with Restricted Groups in Group Policy?

Ashley

3 Likes

It doesn’t appear you can add Resource Groups when adding Resources to a Protection Policy. Am I missing something?

2 Likes

Hi Ashley,

It can augment Restricted Groups. It is a separate process within NPS so it doesn’t interact with GPOs.

Protection Policies are currently defined at the Resource level and we don’t have a way to apply that Policy to a Resource Group. That is a really good idea, @ben.warren we should add this as a feature request in our backlog!

Thanks again for the questions!

4 Likes

I’m not sure it’s a huge benefit if it cannot be applied to Resource Groups. We are adding many computers daily so we would have to add them as resources in the protection policy manually.

3 Likes

Ok - so that would really help you to have that feature. I might be able to create a script that can help you automate adding a policy to endpoints. I will do some thinking on this. I will post to Privilege Secure > Privilege Secure Show & Tell when it is complete.

3 Likes

@kevin.horvatin Is it possible that in the future we may have a “Disallowed Members” tab in the protection policy?

If wildcards or regex are supported, we could add the prefix or suffix of the Activity Tokens or Managed accounts of Activities in the “Disallowed Members” tab.

This way, the protection policy could remove the accounts when it runs.

4 Likes

I just did a little test with a protection policy. Added one computer as a resource, a computer I am connected to via NPS as an admin with my NPS user account. I added my regular domain user as a local admin to the computer. For allowed members in the Administrators group I only added the local administrator account. I let the policy run after an hour and it successfully removed my regular domain account but not my NPS account I was logged in with. Is this expected because I am logged in with the NPS account? If I was not logged in but it had the NPS account left on there (Such as if it was offline when session ended) would it remove the NPS account?

I did notice it left the 2 domain groups that were in local admin so that is good.

1 Like

After further testing I realized the two domain groups I had in Administrators were removed as well. They were added back by group policy though. I’m testing if I can add the two groups to Allowed Members now.

1 Like

If by NPS account you’re referring to an account you’ve targeted as part of an access policy activity then yes it will keep that account in the group(s) specified through the access policy, if the session is still alive. If for some reason that user is still a member of the group(s) after the activity has expired then the next scheduled Protection Policy run will enforce the protection policy. You can also incorporate the protection policy “Invoke Protection Policy” as a post session activity.


3 Likes

For the domain groups you will need to use DOMAIN\Name as the name of the group. Otherwise NPS will assume it is referring to a local group.

2 Likes
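The same allow-list model the protection policy applies (every member not on the list is removed, and a name without a domain prefix is treated as local) can be checked or enforced on a single endpoint from PowerShell. This is an added example, not Netwrix code; it assumes the built-in `Microsoft.PowerShell.LocalAccounts` cmdlets (Windows 10 / Server 2016 and later), and the `CONTOSO\...` entries are constructed sample values.

```powershell
# Added example (not part of the original thread or of NPS): audit the local
# Administrators group against an allow-list written in the same convention the
# thread describes: "DOMAIN\Name" for domain principals, a bare name for local ones.
# Run without -Remove first to see the drift; add -Remove to enforce the list.
param(
    # Constructed sample allow-list: the built-in local admin plus two domain groups.
    [string[]]$AllowedMembers = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins'),
    [switch]$Remove
)

function Resolve-MemberName {
    # A name with no backslash is assumed to be local, which is how the thread says NPS reads it.
    param([string]$Name)
    if ($Name -notmatch '\\') { return "$env:COMPUTERNAME\$Name" }
    return $Name
}

# Normalise the allow-list once so the comparison below is case-insensitive and prefix-aware.
$allowed = @($AllowedMembers | ForEach-Object { (Resolve-MemberName $_).ToLowerInvariant() })

# Everything currently in Administrators that is not on the list is "drift":
# leftover activity accounts, ad-hoc additions, or groups nobody documented.
$drift = @(Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $allowed -notcontains $_.Name.ToLowerInvariant() })

if ($drift.Count -eq 0) {
    Write-Output 'Administrators matches the allow-list; nothing to do.'
    return
}

Write-Output "Members of Administrators not on the allow-list ($($drift.Count)):"
$drift | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

if ($Remove) {
    foreach ($m in $drift) {
        # -Confirm:$false keeps a scheduled run non-interactive; drop it to approve each removal by hand.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -Confirm:$false
        Write-Output "Removed $($m.Name) from Administrators"
    }
}
```

Domain groups that Group Policy (Restricted Groups) re-adds should be on the allow-list, as the thread concludes, otherwise the two mechanisms will keep undoing each other.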

We do not support a “Disallowed” list; the protection policy is always the full list of allowed members.

1 Like

@nirajl Sorry, I just saw the “In the future” part. This is something we could add to our feature request list. It is not currently in our backlog as a to-do item. Adding an “always remove this user” seems like a less secure approach than an “always allow this user”.

But we can certainly add it to the feature request list so we can discuss it further with Product Management.

4 Likes

Hi Ashley,
Were you able to add the two groups to Allowed Members?

@derek.putnam Yes, I was able to add the groups. This works great.

4 Likes