Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I exclude disabled Active Directory user accounts from Splunk?

Chubbybunny
Splunk Employee
Splunk Employee
‎04-09-2015 10:53 AM

When a user leaves the company, our IT department has a strict policy in place to deactivate the UserAccount instead of deleting it from the AD. This actually leaves a hole for us because Splunk will continue to sync the account as it does not understand the account has been deactivated within our AD.

While this Answer post seems to fit my situation, I'd prefer to NOT hide the account, and just ignore it.

Anyone know of a workaround to have Splunk ignore disabled accounts??

Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎04-09-2015 11:50 AM

I'll readily admit that I haven't done such in Splunk, but I've used LDAP queries to find disabled accounts. In Splunk you would modify the user base filter, to include a match that the appropriate bit(s) in the userAccountControl attribute are set or not set.

This site seems to have an excellent guide to all of the bits that are encoded in the userAccountControl attribute. They also have a guide to the bitwise ldap filters

Edit: Maybe a filter like:

(&
    (objectClass=user)
    (userAccountControl:1.2.840.113556.1.4.803:=512)
    (!
        (userAccountControl:1.2.840.113556.1.4.803:=2)
    )
)

A user, who is a normal user and not a computer or something, where the account disable bit is not set. One line for easy copying:

(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

View solution in original post

Reply
Solved! Jump to solution

rbal_splunk
Splunk Employee
Splunk Employee
‎04-17-2015 10:44 AM

I have used it. Say I have two users in AD with attributes like

AD User/account 'Rbal' has accountExpires=08/9/2015
and user 'Bill Paul' with accountExpires=never

In Splunk Configured "User base filter" as

User base filter” as (accountExpires=9223372036854775807) ( where 9223372036854775807 is for never)

Now if I check under Access controls » Users found user 'Bill Paul' is filtered.

0 Karma
Reply
Solved! Jump to solution

yungro
Explorer
‎04-09-2015 01:23 PM

To configure Splunk to ignore inactive account, simply add the userAccountControl as follow in the "User base filter" field:

(&(objectCategory=Person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎04-09-2015 11:50 AM

I'll readily admit that I haven't done such in Splunk, but I've used LDAP queries to find disabled accounts. In Splunk you would modify the user base filter, to include a match that the appropriate bit(s) in the userAccountControl attribute are set or not set.

This site seems to have an excellent guide to all of the bits that are encoded in the userAccountControl attribute. They also have a guide to the bitwise ldap filters

Edit: Maybe a filter like:

(&
    (objectClass=user)
    (userAccountControl:1.2.840.113556.1.4.803:=512)
    (!
        (userAccountControl:1.2.840.113556.1.4.803:=2)
    )
)

A user, who is a normal user and not a computer or something, where the account disable bit is not set. One line for easy copying:

(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...