IDex Agent exclude specific usernames
Some desktop software uses its own domain user account to authenticate and communicate with servers. This can cause that user to be logged in on that workstation rather than the real user.
Option to configure a list of usernames that IDex should ignore if seen by the Agent.
Workaround: Change service usernames to include a $ symbol at the end and they will be ignored by IDex Agent.
We’re planning a small bug-fix update to IDex Agent soon.
If there’s time I’d like to include this feature request too. For now this would likely be an additional configuration field where a list of usernames to exclude can be specified.
Would this fulfil your requirements? Please add your comments to the discussion on uservoice.
Josh Froelich commented
Any news on this? It feels like development of IDex has stalled.
Nothing immediate - will let you know as soon as we can fit it in
Ian North commented
Any news on this yet?
Chris Histead commented
Any news on when this option will be added, as I really want to start using IDex but can't as we have a service account that is stopping us using it?
Hi Marcel, Thanks for the feedback, I can see how that would make managing the excluded users easier within AD. I think this would require extra routines within the IDex Agent in order to check the group membership too since we only see the usernames from the audit log.
Maybe an "Exclude AD Group" option. You can use a default group name in the Active Directory to Exclude on the Smoothwall e.g. "SW IDex agent Excluded"
I think we should be able to get the option added to the graphical installer. Centralised configuration of agent isn't planned yet but something we're thinking about.
Regards including whole OUs, do you find that there are a lot of accounts that need to be excluded from IDex Agent?
I'd like to add that Smoothwall UI would be a good place to exclude usernames. I guess it would also be quite useful if an "Exclude OU" option was there too. Either as part of IDex client install or in the Smoothy UI. Then all the accounts dropped in that OU that are software app / server resource access servicing are ignored at a stroke.
Hi Ian, James,
Thanks for the feedback.
To keep it simple and reduce traffic / load into IDex directory we were planning to put it into an IDex Agent additional registry option for now. That way IDex Agent doesn't even need to forward on data for those excluded users.
I believe for multiple servers you should be able to update the registry settings using group policy. Would that make things easier for you Ian?
Hi Chris. I think if we could do this by adding in the excluded usernames manually or from auth cache into the Smoothwall UI, it would fulfill the requirement.
Ian North commented
Where would this field live? In the Smoothwall interface or an option that's configured at the agent level?
An option in the Smoothwall interface would be preferred (I have 11 DCs so setting that option on all of them would be a pain!) but I'd take either option.
A good workaround, but it would be nice to actually exclude the user account or even an entire OU (where all service accounts "could" live).