We are getting some alerts that an SPN has been added to a privileged user. We checked and the user is not privileged (admincount -ne 1). What causes NTM to flag a user as privileged, and how do we correct this behavior? I know I can remove the tag easily enough, but I need to understand why IDs are flagged this way.
Hey Art,
We’re doing this analysis based on group membership. Is the user a member of any privileged groups? Understanding that admincount should get set in AD if they are part of one, is it possible they’re a member of something like DNSAdmins?
No, at this time they are not members or nested members of any elevated groups. We actually run a weekly job that clears admincount, resets inheritance, and lets SDProp run, so the admincount is actually valid.
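The check the two posts above describe (privilege derived from direct or nested membership in protected groups, with adminCount maintained by SDProp) is shown here as an added example; it is not part of this thread and not the product's code. It is a read-only PowerShell audit that resolves nested membership on the domain controller and reports accounts whose adminCount disagrees with their actual protected-group membership, which is the comparison you want before trusting or clearing a "privileged" tag. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access, and that the protected-group list below matches the environment (the SIDs are the well-known ones; the DnsAdmins name match and the SPN column are additions for this thread's scenario).

```powershell
# Added example, not from the thread or the product: compare adminCount with real
# (nested) membership in protected groups, so a "privileged" tag can be checked
# against AD itself rather than against a tool's own view of membership.
# Assumes: RSAT ActiveDirectory module, domain-joined session with read rights.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Protected groups by well-known SID, so renamed groups are still caught.
# DnsAdmins has no fixed RID and is matched by name; extend the lists to taste.
$protectedSids = @(
    "$domainSid-512",  # Domain Admins
    "$domainSid-518",  # Schema Admins (forest root only)
    "$domainSid-519",  # Enterprise Admins (forest root only)
    "$domainSid-516",  # Domain Controllers
    "$domainSid-521",  # Read-only Domain Controllers
    "$domainSid-526",  # Key Admins
    "$domainSid-527",  # Enterprise Key Admins
    'S-1-5-32-544',    # Administrators
    'S-1-5-32-548',    # Account Operators
    'S-1-5-32-549',    # Server Operators
    'S-1-5-32-550',    # Print Operators
    'S-1-5-32-551',    # Backup Operators
    'S-1-5-32-552'     # Replicator
)
$protectedNames = @('DnsAdmins')

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special inside an LDAP filter value (RFC 4515).
    # Backslash is handled first so the escapes themselves are not re-escaped.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-ProtectedGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, servicePrincipalName
    $dn   = ConvertTo-LdapFilterValue $user.DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN expands nested membership on the DC in one query,
    # which is what "member or nested member" means in practice.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")
    $hits = @($groups | Where-Object {
        $protectedSids -contains $_.SID.Value -or $protectedNames -contains $_.Name
    })
    [pscustomobject]@{
        User            = $user.SamAccountName
        AdminCount      = if ($user.adminCount) { [int]$user.adminCount } else { 0 }
        HasSpn          = [bool]$user.servicePrincipalName
        ProtectedGroups = @($hits.Name)
        IsPrivileged    = $hits.Count -gt 0
    }
}

function Get-AdminCountMismatch {
    # Two kinds of disagreement worth reporting:
    #  Stale   - adminCount=1 but no protected membership. SDProp sets adminCount but
    #            never clears it, so anything keying on adminCount keeps calling the
    #            account privileged until a cleanup job (like the weekly one above) runs.
    #  Pending - protected membership but adminCount is not 1. SDProp has not run yet
    #            (default interval is one hour), so adminCount under-reports privilege.
    $stale = @(Get-ADUser -LDAPFilter '(adminCount=1)' |
        ForEach-Object { Get-ProtectedGroupMembership -SamAccountName $_.SamAccountName } |
        Where-Object { -not $_.IsPrivileged })

    $protectedGroups = @($protectedSids + $protectedNames |
        ForEach-Object { Get-ADGroup -Identity $_ -ErrorAction SilentlyContinue })
    $pending = @($protectedGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property DistinguishedName -Unique |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties adminCount } |
        Where-Object { [int]$_.adminCount -ne 1 } |
        ForEach-Object { Get-ProtectedGroupMembership -SamAccountName $_.SamAccountName })

    [pscustomobject]@{ Stale = $stale; Pending = $pending }
}

# Usage: one account from an alert, then the domain-wide mismatch report.
Get-ProtectedGroupMembership -SamAccountName 'svc-example'   # constructed sample name
$report = Get-AdminCountMismatch
$report.Stale   | Format-Table User, AdminCount, HasSpn, ProtectedGroups -AutoSize
$report.Pending | Format-Table User, AdminCount, HasSpn, ProtectedGroups -AutoSize
```

Running this right after the weekly cleanup and again just before it gives a clean way to tell whether a tool's "privileged" tag follows adminCount (it will track the Stale list) or follows live group membership (it will not). Accounts that appear in neither list yet are still tagged are the ones worth raising in the support ticket, since neither adminCount nor membership explains the tag.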
So the account is getting tagged as privileged, but you do not believe they are a member of any privileged groups. Is that based on checking against AD or checking against what NTM has identified them as a member of?
So when we got the alert, we checked the ID and found it is not privileged in AD. We just started looking at random IDs that are marked as privileged and found that many are not. We actually have a few whose only membership is Domain Users. Many are service accounts that have “Password never expires” set, so not sure if that is a trigger, but that would in no way make them privileged.
I’m just concerned that if we start alerting on these IDs we will be alerting on false positives.
Got another one today. I can open this as a ticket to see if there’s any way to reset these users to non-privileged, or possibly to remove all privilege tags and see if the system would reset them? Just not sure what the system uses to determine if they are privileged or not.
Hi Art,
Please submit this as a ticket with support and we’ll work with support and R&D directly to get to the bottom of it.