Getting Data In

Splunk Docs Locked me out of my DC

mnarkiewicz
Explorer

While I was trying to install the Splunk forwarder for Windows I was following this guide to give the proper permissions to the Splunk user. http://docs.splunk.com/Documentation/Splunk/5.0.4/Installation/PrepareyourWindowsnetworkforaSplunkin...
The problem with this guide is that it creates a restricted group for Administrators which only contains the Splunk accounts. This has overwritten the default Administrators group and removed the default "Domain Admins" and "Enterprise Admins" from having administrator privileges. This caused all admin accounts to be locked out from logging into the domain controller. This caused a bit of panic amongst the admins; however, we were able to log in as the Administrator account and fix the issue.

This isn't so much a question but more of a suggestion to explain this GPO change a little better and explain its impact on the domain.

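The failure described above, a Restricted Groups "Members of this group" entry replacing the membership of Builtin\Administrators on a domain controller, is easy to catch before it bites if the membership is snapshotted before the GPO is linked and compared after the refresh. The following PowerShell is an added example for this thread, not code from the original post or from the Splunk documentation; it assumes the ActiveDirectory module is available on the DC, and the snapshot path is a constructed placeholder.

```powershell
# Added example (not from the thread or the Splunk docs): snapshot Builtin\Administrators
# on a domain controller, then report anything that dropped out after a policy refresh.
Import-Module ActiveDirectory

$SnapshotPath = "C:\Temp\admins-before.xml"   # constructed placeholder path
# Principals that should never fall out of Builtin\Administrators on a DC.
$RequiredMembers = @("Administrator", "Domain Admins", "Enterprise Admins")

function Get-AdminMembers {
    # Direct members only (no -Recursive), so a change to the group itself is visible.
    Get-ADGroupMember -Identity "Administrators" |
        Select-Object -ExpandProperty SamAccountName |
        Sort-Object
}

function Save-AdminSnapshot {
    # Run this BEFORE linking the GPO.
    Get-AdminMembers | Export-Clixml -Path $SnapshotPath
}

function Test-AdminMembership {
    # Run this AFTER "gpupdate /force" (or the next refresh cycle).
    $before  = @(Import-Clixml -Path $SnapshotPath)
    $after   = @(Get-AdminMembers)
    $removed = @(Compare-Object -ReferenceObject $before -DifferenceObject $after |
                 Where-Object SideIndicator -eq "<=" |
                 Select-Object -ExpandProperty InputObject)
    $missingRequired = @($RequiredMembers | Where-Object { $_ -notin $after })
    [pscustomobject]@{
        Removed         = $removed           # every principal that was removed
        MissingRequired = $missingRequired   # the ones whose absence means a lockout
        Safe            = ($missingRequired.Count -eq 0)
    }
}

# Usage:
# Save-AdminSnapshot                     # before linking the GPO
# $result = Test-AdminMembership         # after the refresh
# if (-not $result.Safe) {
#     Write-Warning "Administrators lost: $($result.MissingRequired -join ', ')"
# }
```

Because a domain controller has no local SAM, the check reads the domain's Builtin\Administrators group through Get-ADGroupMember rather than Get-LocalGroupMember; keep a logged-in session open while running it so that a bad result can still be reverted from that session.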

malmoore
Splunk Employee

Hi,

Is it possible that you missed a step?

This page does not say to remove Enterprise Admins or Domain Admins from any group policy object security filtering. It says to remove the Authenticated Users group to prevent the GPO from applying except for the Splunk user and Splunk computer accounts.

Also, the GPO that the page asks you to build for the purposes of running Splunk as a domain user does not reduce rights, it increases them. This is another reason why we limit its application to only the Splunk user and computer accounts, and not any authenticated user.

We have tested these user rights assignments with success and even run networks here with the GPO we ask customers to build.

It seems as though we do not have the full story here. Can you please provide additional information about your setup?

malmoore
Splunk Employee

Not sure, sorry. I can't think of any way a GPO would remove users from a group without an intermediate script doing the actual group changes. We don't provide or ask you to install any scripts in these instructions.

What appears to be the case here is a misstep in removing users from a group versus removing users from a GPO's security filter.
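The distinction drawn here, security filtering (who the GPO applies to) versus the group membership the GPO enforces, can be audited from the GPO itself before it is linked. The PowerShell below is an added example for this thread, not code from the original posts or from Splunk; it assumes the GroupPolicy module, uses a constructed placeholder for the GPO name, and assumes the usual layout of the XML report, in which Restricted Groups entries appear as RestrictedGroups elements with GroupName, Member and Memberof children.

```powershell
# Added example (not from the thread or the Splunk docs): show who a GPO applies to and
# which Restricted Groups entries it carries, flagging the two mistakes this thread is about.
Import-Module GroupPolicy

$GpoName = "Splunk Forwarder Rights"   # constructed placeholder GPO name

function Get-GpoApplyTrustees {
    # Security filtering is the set of trustees holding the GpoApply permission.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq "GpoApply" -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name }
}

function Get-GpoRestrictedGroups {
    # Assumption: RestrictedGroups elements with GroupName / Member / Memberof children;
    # local-name() sidesteps the namespace prefix the report uses.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    foreach ($rg in $report.SelectNodes("//*[local-name()='RestrictedGroups']")) {
        $group    = $rg.SelectSingleNode("*[local-name()='GroupName']/*[local-name()='Name']").InnerText
        $members  = @($rg.SelectNodes("*[local-name()='Member']/*[local-name()='Name']")   | ForEach-Object InnerText)
        $memberOf = @($rg.SelectNodes("*[local-name()='Memberof']/*[local-name()='Name']") | ForEach-Object InnerText)
        [pscustomobject]@{
            Group    = $group
            Members  = $members     # "Members of this group": REPLACES the group's membership
            MemberOf = $memberOf    # "This group is a member of": only ADDS to the listed groups
        }
    }
}

$apply = @(Get-GpoApplyTrustees)
Write-Host "'$GpoName' applies to: $($apply -join ', ')"
if ($apply -contains "Authenticated Users") {
    Write-Warning "'$GpoName' still applies to Authenticated Users; remove that entry so only the Splunk accounts receive it."
}

foreach ($rg in Get-GpoRestrictedGroups) {
    if ($rg.Members.Count -gt 0) {
        Write-Warning ("'{0}' sets the members of {1} to [{2}]; that list replaces the existing membership, including Domain Admins and Enterprise Admins if they are not in it." -f $GpoName, $rg.Group, ($rg.Members -join ", "))
    }
    if ($rg.MemberOf.Count -gt 0) {
        Write-Host ("'{0}' adds {1} to [{2}] (additive, existing members are kept)." -f $GpoName, $rg.Group, ($rg.MemberOf -join ", "))
    }
}
```

The two warnings correspond to the two ways this thread's outcome can happen: leaving Authenticated Users in the filter lets the rights assignments reach every principal, and a "Members of this group" entry for Administrators, even a correct one, removes every account not listed; the additive "This group is a member of" form is the one that never evicts existing administrators.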

mnarkiewicz
Explorer

Hey, I went through and verified that the GPO settings have been applied correctly. I spun up a new test environment in which the policies are identical to our production system. I reapplied the settings in this document and as you had said, nobody was locked out.

When this problem was originally discovered, the built-in Administrators group only had the "Splunk Accounts" group as a member; all other default groups had been removed, and nobody manually modified this group. Do you know what type of change or misconfiguration could do something like this?
