diff --git a/docs/kb/1secure/_category_.json b/docs/kb/1secure/_category_.json new file mode 100644 index 0000000000..bd0adf85a3 --- /dev/null +++ b/docs/kb/1secure/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Knowledge Base Articles", + "position": 999, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/1secure/configure_proxy_for_rdp_connections_(installupdate_certificate_to_prevent_rdp_certificate_warnings).md b/docs/kb/1secure/configure_proxy_for_rdp_connections_(installupdate_certificate_to_prevent_rdp_certificate_warnings).md new file mode 100644 index 0000000000..13c3e97e1f --- /dev/null +++ b/docs/kb/1secure/configure_proxy_for_rdp_connections_(installupdate_certificate_to_prevent_rdp_certificate_warnings).md 
@@ -0,0 +1,153 @@ +--- +description: >- + This article outlines the process for installing or updating a certificate to prevent Remote Desktop Protocol (RDP) certificate warnings during SbPAM workflows. +keywords: + - RDP + - certificate installation + - SbPAM +sidebar_label: Configure Proxy for RDP Connections +tags: [] +title: "Configure Proxy for RDP Connections (Install/Update Certificate to Prevent RDP Certificate Warnings)" +knowledge_article_id: kA04u0000000HRRCA2 +products: + - onesecure +--- + +# Configure Proxy for RDP Connections (Install/Update Certificate to Prevent RDP Certificate Warnings) + +## Overview + +This article outlines the process for installing or updating a certificate to prevent Remote Desktop Protocol (RDP) certificate warnings during SbPAM workflows. + +## Prerequisites + +- Windows Server must have the **Certification Authority** and **Certification Authority Web Enrollment** roles installed and configured. This ensures that the **Certification Authority** utility can be successfully launched and accessed via a web browser (`https:///certsrv`). + + > **IMPORTANT:** The Certification Authority's post-deployment configuration must be completed after installing both prerequisite roles. + + ![Certification Authority post-deployment configuration dialog with required options visible](./images/servlet_image_22726c8e5cb9.png) + +- The domain must have the **Enrollment Policy** set to enable automatic enrollment and renewal. The **Certificate Enrollment Policy** for user and computer certificates is configured in the **Group Policy** snap-in under **Default Domain Policy** (or another group policy applied to all systems that will access an NPS server on a group-by-group basis). To configure this: + + 1. On the Domain Controller, open the **Group Policy** snap-in. + 2. 
Navigate to **Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies** and enable the **Certificate Services - Certificate Enrollment Policy**. + +## Instructions + +### Generate Certificate + +> **NOTE:** If you already have a certificate to install, you can skip to the **Adding the Certificate to Each SbPAM Proxy Server** section below. + +1. Open **Certification Authority**, open your CA, right-click **Certificate Templates**, and click **Manage**. + ![Certification Authority console with Certificate Templates context menu open](./images/servlet_image_ebb3b2e4c66a.png) + +2. In the **Certificate Templates Console**, right-click **Workstation Authentication**, and click **Duplicate Template**. + ![Certificate Templates Console with Duplicate Template option highlighted](./images/servlet_image_e3eecaa55357.png) + +3. On the **General** tab, change the name to **Client-Server Authentication** and enable the **Publish certificate in Active Directory** checkbox. + ![General tab of template properties with name and publish option highlighted](./images/servlet_image_35245db9daa9.png) + +4. On the **Subject Name** tab, enable the **Supply in the request** radio button. + ![Subject Name tab with Supply in the request option selected](./images/servlet_image_2b1a501d40fd.png) + +5. On the **Extensions** tab, select **Application Policies** and click **Edit**. Click **Add**, then select **Server Authentication**. Click **OK** until you return to the **Properties of New Template** dialog. + ![Extensions tab with Application Policies and Server Authentication highlighted](./images/servlet_image_9ccee298858e.png) + +6. On the **Security** tab, select **Domain Computers** and enable the checkbox to allow **Autoenroll**. Click **OK** and then close the Certificate Templates Console. + ![Security tab with Domain Computers and Autoenroll option checked](./images/servlet_image_d2bd2889a956.png) + +7. 
Back in **Certification Authority**, right-click **Certificate Templates**, hover over **New**, and click **Certificate Template to Issue**. + ![Certification Authority with Certificate Template to Issue option highlighted](./images/servlet_image_4e7a38bb30d6.png) + +8. Select **Client-Server Authentication** and click **OK**. + ![Certificate Template selection dialog with Client-Server Authentication selected](./images/servlet_image_d8afec47d2b9.png) + +9. On the desktop, create a text file named **request.inf** with the following content (replace the **red** text with your server certificate name): + + ```plaintext + [Version] + Signature="$Windows NT$" + [NewRequest] + Subject = "CN=**sbpam-3.sblab.local**" + KeySpec = 1 + KeyLength = 2048 + Exportable = TRUE + MachineKeySet = FALSE + SMIME = False + PrivateKeyArchive = FALSE + UserProtected = FALSE + UseExistingKeySet = FALSE + ProviderName = "Microsoft RSA SChannel Cryptographic Provider" + ProviderType = 12 + RequestType = PKCS10 + KeyUsage = 0xa0 + HashAlgorithm = SHA256 + [Extensions] + 2.5.29.17 = "{text}" + _continue_ = "dns=**sbpam-3.sblab.local**&" + [EnhancedKeyUsageExtension] + OID=1.3.6.1.5.5.7.3.1 + ``` + +10. Open Command Prompt as Administrator, change directory to the Desktop (or the location of your **request.inf** file), and run: + + ```plaintext + certreq -new request.inf rdp.csr + ``` + + ![Command Prompt showing certreq command execution](./images/servlet_image_117381e3f99f.png) + +11. To sign the certificate request, use your preferred signing mechanism. The following example uses Active Directory Certificate Services (`https:///certsrv`). + ![Certificate Services web enrollment home page](./images/servlet_image_c706e5610294.png) ![Certificate Services advanced certificate request page](./images/servlet_image_0f3e849ec385.png) + + Click **Request a certificate**, then click **advanced certificate request**. + +12. 
Open the saved certificate signing request (**rdp.csr**) from the previous step in Notepad. Copy the certificate request into the **Saved Request** field. Select **Client-Server Authentication** from the **Certificate Template** dropdown. Click **Submit**. + ![Certificate request submission form with fields filled](./images/servlet_image_21d63c042bef.png) + + Leave other settings at default values, and click **Submit**. + +13. Select **DER encoded** and click **Download certificate**. + ![Certificate download page with DER encoded option selected](./images/servlet_image_ff7ee6960cb2.png) + +14. Open the downloaded certificate and select **Install Certificate**. Proceed with all default values and complete the wizard. + ![Certificate installation wizard with default options](./images/servlet_image_9751657fe7cd.png) + +15. To export the certificate, view certificates for the current user by launching **certmgr.msc** using the Windows **Run** menu. + ![Windows Run dialog with certmgr.msc entered](./images/servlet_image_f5c0eb62aa44.png) + + Right-click the installed certificate (the certificate using the **Client-Server Authentication** template) and click **Export...**. + ![Certificate export context menu](./images/servlet_image_4f237c8e6acb.png) + +16. In the **Certificate Export Wizard**, change the **Export Private Key** option to **Yes, export the private key**. + ![Certificate Export Wizard with Export Private Key option selected](./images/servlet_image_9a7649f21943.png) + +17. For **Export File Format**, select **Personal Information Exchange - PKCS #12 (.PFX)**. Select the following checkboxes: + + - Include all certificates in the certification path if possible + - Enable certificate privacy + + ![Export File Format options with PKCS #12 and checkboxes selected](./images/servlet_image_491abdc2366b.png) + +18. For **Security**, enter a password of your choosing and select the AES256-SHA256 encryption option (3DES is no longer recommended by NIST). 
+ + > **IMPORTANT:** For **File to Export**, the file name **must** be **rdp.pfx**. If it is named anything else, importing the .pfx file on each proxy server will not work. + ![Export dialog with rdp.pfx file name entered](./images/servlet_image_808a1a23eec9.png) + +19. This certificate can now be imported to each SbPAM Proxy Server. + +### Adding the Certificate to Each SbPAM Proxy Server + +1. Copy **rdp.pfx** (from the previous steps) to each SbPAM Proxy Server. + +2. On each SbPAM Proxy Server, run the following command via an elevated **Command Prompt**, and enter the certificate's password when prompted. + + > **IMPORTANT:** The path to **sbpam-proxy.exe** may be different depending on the install path you selected when installing SbPAM and/or distributed proxy services. + + ```plaintext + "C:\Program Files\Stealthbits\PAM\ProxyService\sbpam-proxy.exe" ca import -p [PATH]\rdp.pfx + ``` + + ![Command Prompt showing sbpam-proxy.exe ca import command](./images/servlet_image_07c7409683d2.png) + +3. The new certificate has now been imported to an SbPAM Proxy Server. Repeat this process for all SbPAM Proxy Servers if using more than one. (The default installation of SbPAM uses one proxy service on the SbPAM server itself; however, additional proxy services can be distributed.) \ No newline at end of file diff --git a/docs/kb/1secure/how_to_confirm_permissions_for_active_directory_5._domains_0.collection_ad_domaincontrollers.md b/docs/kb/1secure/how_to_confirm_permissions_for_active_directory_5._domains_0.collection_ad_domaincontrollers.md new file mode 100644 index 0000000000..39fd3dca33 --- /dev/null +++ b/docs/kb/1secure/how_to_confirm_permissions_for_active_directory_5._domains_0.collection_ad_domaincontrollers.md 
@@ -0,0 +1,100 @@ +--- +description: >- + This article provides step-by-step instructions to verify the permissions of the account used in Netwrix Enterprise Auditor for the AD_DomainControllers job. +keywords: + - Active Directory + - Netwrix Enterprise Auditor + - permissions +sidebar_label: Confirm Permissions for AD Domain Controllers +tags: [] +title: "How to Confirm Permissions for Active Directory > 5. Domains > 0.Collection > AD_DomainControllers" +knowledge_article_id: kA0Qk0000001hNtKAI +products: + - onesecure +--- + +# How to Confirm Permissions for Active Directory > 5. Domains > 0.Collection > AD_DomainControllers + +## Question + +How can you verify if the account used in Netwrix Enterprise Auditor (NEA) for this job has the correct access? + +## Answer + +The AD_DomainControllers job for the NEA Active Directory module uses the following permissions for a least privilege model: + +- [Read access to CN=Servers, %SITEDN% and its children](#testcnsiteandchild) +- [Read access to %PARTITIONDNS% and its children](#testpartandchild) +- [Read access to %SCHEMADN%](#testschem) +- [Read access to %SITESDN% and its children](#testsiteandchild) + +### General Steps to Start with `ldp.exe` + +1. Launch **`ldp.exe`**. + - Press **`Win + R`**, type **`ldp.exe`**, and hit **`Enter`**. +2. Connect to a **Domain Controller**. + - Navigate to **Connection > Connect**. + - Enter the Domain Controller name used by the **AD_DomainControllers job** and port (default is `389` or `636` for LDAPS). + - Click **OK**. +3. Bind Using the **User Account**. + - Go to **Connection > Bind**. + - Enter the **credentials** for the **user account** whose access you want to test. + - Click **OK**. + +### Testing Read Access to CN=Servers, %SITEDN% and Its Children + +1. Navigate to **`CN=Servers,%SITEDN%`**. + - Click **View > Tree**. 
+ - Enter the Base DN: + ``` + CN=Servers,CN=,CN=Sites,CN=Configuration,DC=,DC= + ``` + - Replace **``** with the site name (e.g., `Default-First-Site-Name`). + - If unsure, run **`nltest /dsgetsite`** from AdminPS on the DC to get the SiteName. + - Replace **``** with your domain components (e.g., `example,DC=com`). + - Click **OK**. +2. Verify **Access**. + - Expand **`CN=Servers`** and check if you can browse and view its children. + - If successful, then the user has **Read access**. + +### Testing Read Access to %PARTITIONDNS% and Its Children + +1. Navigate to the **Partition DN**. + - Click **View > Tree**. + - Enter the Base DN: + ``` + DC=,DC= + ``` + - Use your domain's **distinguished name** (e.g., `DC=example,DC=com`). + - Click **OK**. +2. Verify **Access**. + - Expand the **domain node** and check if you can view objects and attributes within it. + - If you can browse the structure, then the user has **Read access**. + +### Testing Read Access to %SCHEMADN% + +1. Navigate to the **Schema DN**. + - Click **View > Tree**. + - Enter the Base DN: + ``` + CN=Schema,CN=Configuration,DC=,DC= + ``` + - Replace **``** with your domain components. + - Click **OK**. +2. Verify **Access**. + - Expand **`CN=Schema`** and check if you can view its objects and attributes. + - If successful, then the user has **Read access** to the schema. + +### Testing Read Access to %SITESDN% and Its Children + +1. Navigate to the **Sites DN**. + - Click **View > Tree**. + - Enter the Base DN: + ``` + CN=Sites,CN=Configuration,DC=,DC= + ``` + - Replace **``** with your **domain components**. + - Click **OK**. +2. Verify **Access**. + - Expand **`CN=Sites`** and check if you can browse through the sites and view their child objects. + - If successful, then the user has **Read access** to the sites. \ No newline at end of file 
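Review bot: The Base DN examples in all four "Testing Read Access" sections have lost their placeholders. `CN=Servers,CN=,CN=Sites,CN=Configuration,DC=,DC=` and `DC=,DC=` cannot be pasted into ldp.exe as written, and each "Replace **``** with ..." bullet names an empty token. Suggest restoring the placeholders in a form the renderer will not strip, for example `CN=Servers,CN=<SiteName>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>` (placeholder names are only a suggestion), and rewording the example `example,DC=com` to match whatever token is chosen. The four links in the Answer list (`#testcnsiteandchild`, `#testpartandchild`, `#testschem`, `#testsiteandchild`) also have no matching anchors on the headings added in this file.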
diff --git a/docs/kb/1secure/images/servlet_image_07c7409683d2.png b/docs/kb/1secure/images/servlet_image_07c7409683d2.png new file mode 100644 index 0000000000..ec4c1c0a75 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_07c7409683d2.png differ diff --git a/docs/kb/1secure/images/servlet_image_0f3e849ec385.png b/docs/kb/1secure/images/servlet_image_0f3e849ec385.png new file mode 100644 index 0000000000..6314042be6 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_0f3e849ec385.png differ diff --git a/docs/kb/1secure/images/servlet_image_117381e3f99f.png b/docs/kb/1secure/images/servlet_image_117381e3f99f.png new file mode 100644 index 0000000000..cf9c2f4ed7 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_117381e3f99f.png differ diff --git a/docs/kb/1secure/images/servlet_image_16fc9e2e2432.png b/docs/kb/1secure/images/servlet_image_16fc9e2e2432.png new file mode 100644 index 0000000000..7cff2ec2f2 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_16fc9e2e2432.png differ diff --git a/docs/kb/1secure/images/servlet_image_21d63c042bef.png b/docs/kb/1secure/images/servlet_image_21d63c042bef.png new file mode 100644 index 0000000000..caaf7e1825 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_21d63c042bef.png differ diff --git a/docs/kb/1secure/images/servlet_image_22726c8e5cb9.png b/docs/kb/1secure/images/servlet_image_22726c8e5cb9.png new file mode 100644 index 0000000000..4ceb4abf5b Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_22726c8e5cb9.png differ diff --git a/docs/kb/1secure/images/servlet_image_2b1a501d40fd.png b/docs/kb/1secure/images/servlet_image_2b1a501d40fd.png new file mode 100644 index 0000000000..24aea70253 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_2b1a501d40fd.png differ 
diff --git a/docs/kb/1secure/images/servlet_image_35245db9daa9.png b/docs/kb/1secure/images/servlet_image_35245db9daa9.png new file mode 100644 index 0000000000..b3ddc65b45 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_35245db9daa9.png differ diff --git a/docs/kb/1secure/images/servlet_image_491abdc2366b.png b/docs/kb/1secure/images/servlet_image_491abdc2366b.png new file mode 100644 index 0000000000..9f08679437 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_491abdc2366b.png differ diff --git a/docs/kb/1secure/images/servlet_image_4e7a38bb30d6.png b/docs/kb/1secure/images/servlet_image_4e7a38bb30d6.png new file mode 100644 index 0000000000..12ffde6a4d Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_4e7a38bb30d6.png differ diff --git a/docs/kb/1secure/images/servlet_image_4f237c8e6acb.png b/docs/kb/1secure/images/servlet_image_4f237c8e6acb.png new file mode 100644 index 0000000000..49e833d91b Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_4f237c8e6acb.png differ diff --git a/docs/kb/1secure/images/servlet_image_808a1a23eec9.png b/docs/kb/1secure/images/servlet_image_808a1a23eec9.png new file mode 100644 index 0000000000..4367d07754 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_808a1a23eec9.png differ diff --git a/docs/kb/1secure/images/servlet_image_9751657fe7cd.png b/docs/kb/1secure/images/servlet_image_9751657fe7cd.png new file mode 100644 index 0000000000..5e629f43cb Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_9751657fe7cd.png differ diff --git a/docs/kb/1secure/images/servlet_image_9a7649f21943.png b/docs/kb/1secure/images/servlet_image_9a7649f21943.png new file mode 100644 index 0000000000..b94070c01e Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_9a7649f21943.png differ 
diff --git a/docs/kb/1secure/images/servlet_image_9ccee298858e.png b/docs/kb/1secure/images/servlet_image_9ccee298858e.png new file mode 100644 index 0000000000..1149f9c85f Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_9ccee298858e.png differ diff --git a/docs/kb/1secure/images/servlet_image_c706e5610294.png b/docs/kb/1secure/images/servlet_image_c706e5610294.png new file mode 100644 index 0000000000..48554b7058 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_c706e5610294.png differ diff --git a/docs/kb/1secure/images/servlet_image_d2bd2889a956.png b/docs/kb/1secure/images/servlet_image_d2bd2889a956.png new file mode 100644 index 0000000000..1d293ab073 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_d2bd2889a956.png differ diff --git a/docs/kb/1secure/images/servlet_image_d8afec47d2b9.png b/docs/kb/1secure/images/servlet_image_d8afec47d2b9.png new file mode 100644 index 0000000000..55b566df5d Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_d8afec47d2b9.png differ diff --git a/docs/kb/1secure/images/servlet_image_e3eecaa55357.png b/docs/kb/1secure/images/servlet_image_e3eecaa55357.png new file mode 100644 index 0000000000..ca4f18dec2 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_e3eecaa55357.png differ diff --git a/docs/kb/1secure/images/servlet_image_ebb3b2e4c66a.png b/docs/kb/1secure/images/servlet_image_ebb3b2e4c66a.png new file mode 100644 index 0000000000..e650b91b03 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_ebb3b2e4c66a.png differ diff --git a/docs/kb/1secure/images/servlet_image_f5c0eb62aa44.png b/docs/kb/1secure/images/servlet_image_f5c0eb62aa44.png new file mode 100644 index 0000000000..35f212ee7b Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_f5c0eb62aa44.png differ 
diff --git a/docs/kb/1secure/images/servlet_image_ff7ee6960cb2.png b/docs/kb/1secure/images/servlet_image_ff7ee6960cb2.png new file mode 100644 index 0000000000..4eb35caaf1 Binary files /dev/null and b/docs/kb/1secure/images/servlet_image_ff7ee6960cb2.png differ diff --git a/docs/kb/1secure/index.md b/docs/kb/1secure/index.md new file mode 100644 index 0000000000..170684998f --- /dev/null +++ b/docs/kb/1secure/index.md @@ -0,0 +1,51 @@ +--- +title: "Knowledge Base" +description: Browse our knowledge base articles by category" +--- + +# Knowledge Base + +Welcome to the knowledge base. Browse articles by category below. + +## Categories + +### [Installation & Setup](./installation/) +Articles about installing, uninstalling, and setting up the product + +### [Configuration](./configuration/) +Articles about configuring various product features + +### [Group Management](./group-management/) +Managing groups, smart groups, and dynasties + +### [User Management](./user-management/) +Managing users and user profiles + +### [Reports & Analytics](./reporting/) +Generate reports and export data + +### [Troubleshooting](./troubleshooting/) +Resolve common issues and errors + +### [Integration](./integration/) +Integrate with external services and APIs + +### [Administration](./administration/) +System administration and maintenance + +### [Best Practices](./best-practices/) +Recommended practices and how-to guides + +## Quick Links + +- [Installation & Setup](./installation/) +- [Troubleshooting Guide](./troubleshooting/) +- [Best Practices](./best-practices/) +- [Integration Guide](./integration/) + +## Need Help? + +If you can't find what you're looking for, please: +1. Use the search function above +2. Check the main documentation +3. Contact [support](https://www.netwrix.com/support.html) 
diff --git a/docs/kb/1secure/password-never-expires-report-shows-incorrect-data.md b/docs/kb/1secure/password-never-expires-report-shows-incorrect-data.md new file mode 100644 index 0000000000..1f3c2b41e3 --- /dev/null +++ b/docs/kb/1secure/password-never-expires-report-shows-incorrect-data.md @@ -0,0 +1,35 @@ +--- +description: >- + Netwrix OneSecutre may report the Password never expires setting as enabled + for accounts even though Active Directory shows it as disabled. This article + explains the cause (a GPO with maxPasswordAge=0) and how to resolve it. +keywords: + - password never expires + - maxPasswordAge + - GPO + - Group Policy + - Active Directory + - Netwrix OneSecutre + - password policy + - report +products: + - onesecure +sidebar_label: Password Never Expires Report Shows Incorrect Data +tags: [] +title: "Password Never Expires Report Shows Incorrect Data" +knowledge_article_id: kA0Qk0000000YkrKAE +--- + +# Password Never Expires Report Shows Incorrect Data + +## Symptom + +In Netwrix 1Secure, the **Password never expires** setting is incorrectly reported as enabled for particular accounts. When you review **Active Directory Users and Computers** settings, the setting is disabled for affected accounts. + +## Cause + +A GPO with the `maxPasswordAge=0` parameter is applied to the affected accounts. The parameter causes Netwrix OneSecutre to report the **Password never expires** setting as enabled. + +## Resolution + +In the corresponding GPO, set the `maxPasswordAge` parameter to any non-zero value. This will allow Netwrix OneSecutre to correctly report the affected accounts. diff --git a/docs/kb/1secure/troubleshoot_failed_action_service_connections_to_windows_resources_(psremotingwinrm).md b/docs/kb/1secure/troubleshoot_failed_action_service_connections_to_windows_resources_(psremotingwinrm).md new file mode 100644 index 0000000000..37ff85939a --- /dev/null 
+++ b/docs/kb/1secure/troubleshoot_failed_action_service_connections_to_windows_resources_(psremotingwinrm).md 
@@ -0,0 +1,134 @@ +--- +description: >- + This article provides troubleshooting steps for resolving issues with the NPS Action Service connections to Windows resources using PowerShell Remoting (PSRemoting) and WinRM. +keywords: + - NPS Action Service + - PowerShell Remoting + - WinRM +sidebar_label: Troubleshoot Failed Action Service Connections +tags: [] +title: "Troubleshoot Failed Action Service Connections to Windows Resources (PSRemoting/WinRM)" +knowledge_article_id: kA04u0000000HiICAU +products: + - onesecure +--- + +# Troubleshoot Failed Action Service Connections to Windows Resources (PSRemoting/WinRM) + +## Overview + +The NPS Action Service is used for various workflows, including host scans and performing pre- and post-session actions. The Action Service must establish a connection via PowerShell Remoting (PSRemoting) for Windows target resources. PSRemoting is a PowerShell implementation of WinRM (Windows Remote Management). + +Several variables could affect the successful connection of the NPS Action Service to the target Windows resource via PSRemoting. This article outlines some of those variables and provides ways to troubleshoot and resolve them to establish a connection. + +## Instructions + +Before running tests, complete the following steps on the target resource: + +### Verify PSRemoting and WinRM are enabled + +In PowerShell, run the following command: + +```powershell +Test-WSMan +``` + +The following output will appear if both PSRemoting and WinRM are enabled: + +``` +wsmid: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd +ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd +ProductVendor : Microsoft Corporation +ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0 +``` + +If PSRemoting and/or WinRM are not enabled on the target resource, the following output will appear: + +``` +Test-WSMan : The client cannot connect to the destination specified in the request. 
Verify that +the service on the destination is running and is accepting requests. Consult the logs and documentation for the +WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, +run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". + +At line:1 char:1 ++ Test-WSMan ++ ~~~~~~~~~~ ++ CategoryInfo : InvalidOperation: (:) [Test-WSMan], InvalidOperationException ++ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand +``` + +**Resolution:** Run the following command in elevated PowerShell to enable PSRemoting/WinRM: + +```powershell +Enable-PSRemoting +``` + +The following output will appear: + +``` +WinRM has been updated to receive requests. +WinRM service type changed successfully. +WinRM service started. + +WinRM has been updated for remote management. +Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine. +WinRM firewall exception enabled. +``` + +### Verify ports + +Verify that ports 5985 (HTTP) and/or 5986 (HTTPS) are open in the Windows firewall and any network firewalls. These ports are used for WinRM communications for HTTP and HTTPS, respectively. + +### Review Group Policy settings + +There are Group Policy settings used to filter the origin of WinRM requests via both IPv4 and IPv6 filters. If issues with PSRemoting/WinRM communications persist even after enabling PSRemoting/WinRM and verifying firewall settings, it is possible that the IP filter in Group Policy is affecting the communication. + +Learn more about the **Allow remote server management through WinRM** Group Policy setting in [Configure Remote Management in Server Manager − Enabling or Disabling Remote Management ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager#enabling-or-disabling-remote-management). 
+ +![Windows Group Policy: Allow remote server management through WinRM](./images/servlet_image_16fc9e2e2432.png) + +### Allow full control to Remote Management Users + +Review the access permissions set up for Remote Management Users by running the following command in elevated PowerShell: + +```powershell +Get-PSSessionConfiguration -Name Microsoft.PowerShell +``` + +Review the permissions of the **BUILTIN\Remote Management Users** group under the **Permission** section. If set to **AccessDenied**, then authenticated network users (i.e., remote PSRemoting requests) will be denied access even if credentials and other variables are correct. + +**Solution:** Run the following command in elevated PowerShell to review and change permissions for Remote Management Users: + +```powershell +Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force +``` + +Select **Remote Management Users** and change **Full Control** from **Deny** to **Allow**, then click **Apply** and **OK**. + +## Testing + +Test the ability of the NPS Action Service to connect to a target resource via PowerShell Remoting by running the following PowerShell command on the server running Action Service: + +```powershell +Invoke-Command -ComputerName %target_resource% -Credential (Get-Credential) -ScriptBlock { whoami } +``` + +> **IMPORTANT:** Replace `%target_resource%` with the target FQDN. + +When prompted for credentials, use the credentials of the service account assigned to the target resource in NPS. If the remote request succeeds, it will return the username used for authentication. 
+ +``` +PS C:\Users\admin> Invoke-Command -ComputerName TEST-DC -Credential (Get-Credential) -ScriptBlock { whoami } + +cmdlet Get-Credential at command pipeline position 1 +Supply values for the following parameters: +Credential +test\admin +``` + +The output indicates that the credentials used can run remote PowerShell commands on the target resource from the Action Service server via WinRM. + +## Related articles + +[Configure Remote Management in Server Manager − Enabling or Disabling Remote Management ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager#enabling-or-disabling-remote-management) \ No newline at end of file diff --git a/docs/kb/accessanalyzer/_category_.json b/docs/kb/accessanalyzer/_category_.json new file mode 100644 index 0000000000..31ba0aed9c --- /dev/null +++ b/docs/kb/accessanalyzer/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Troubleshooting Articles", + "position": 999, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/accessanalyzer/access-analyzer-event-log-ids.md b/docs/kb/accessanalyzer/access-analyzer-event-log-ids.md new file mode 100644 index 0000000000..859727b941 --- /dev/null +++ b/docs/kb/accessanalyzer/access-analyzer-event-log-ids.md 
@@ -0,0 +1,98 @@ +--- +description: >- + This article lists the event IDs that Netwrix Access Analyzer logs, and shows + which actions generate each event and their task categories. +keywords: + - Access Analyzer + - event ID + - event log + - Netwrix Access Analyzer + - audit + - job + - group + - global settings + - task category +products: + - access-analyzer +sidebar_label: Access Analyzer Event Log IDs +tags: [] +title: "Access Analyzer Event Log IDs" +knowledge_article_id: kA04u0000000ItqCAE +--- + +# Access Analyzer Event Log IDs + +## Summary +**Summary:** This is a listing of events within Netwrix Access Analyzer. + +## Instructions + +| Category | Case | Logged? | Comments | EventID | Task Category | +|---|---|---:|---|---:|---| +| Launching Console | Opening Access Analyzer | Yes | | 1000 | Role Based Access | +| | failure of scheduled task to launch | Yes | | 1001 | Role Based Access | +| Role Modifications | Add Role | Yes | | 1002 | Role Based Access | +| | Delete Role | Yes | | 1002 | Role Based Access | +| | Modify Role | Yes | | 1002 | Role Based Access | +| | Closing Access Analyzer | Yes | | 1003 | Role Based Access | +| | Job Locked | Yes | | 1100 | Job | +| Job Scheduling Modifications | Job Scheduled | Yes | | 1102 | Job | +| | schedule deleted | Yes | | 1103 | Job | +| | Job Schedule Modification | Yes | | 1104 | Job | +| Job/Group Executions | Job Execution | Yes | | 1105 | Job | +| Job Deletes | Job Delete | Yes | | 1106 | Job | +| Job and Group Properties/settings Modifications | Job Renamed | Yes | | 1107 | Job | +| | Move | Yes | | 1108 | Job | +| Job Adds | Create Job | Yes | | 1110 | Job | +| | Add Table | Yes | | 1111 | Job | +| Job Query Modifications | Create Query | Yes | | 1111 | Job | +| | Modify Job Query | Yes | | 1111 | Job | +| | Delete Query | Yes | | 1111 | Job | +| | Add Host | Yes | | 1112 | Job | +| | Modify Job>Properties (all tabs) | Yes | | 1112 | Job | +| | Add Report | Yes | | 1112 | Job | +| | Delete Report | Yes | 
| 1112 | Job | +| | Paste | Yes | | 1112 | Job | +| | Add Analysis | Yes | | 1113 | Job | +| | Modify Analysis | Yes | | 1113 | Job | +| | Delete Analysis | Yes | | 1113 | Job | +| | Job Completion | Yes | | 1114 | Job | +| Jobs Cut/Copy/Paste | Cut | Yes | | 1116 | Job | +| | Copy | Yes | | 1117 | Job | +| Global Settings Modifications | Modify History Settings | Yes | | 1200 | Global Settings | +| | Modify Notification Settings | Yes | | 1200 | Global Settings | +| | Modify Reporting Settings | Yes | | 1200 | Global Settings | +| | Modify Exchange Settings | Yes | | 1200 | Global Settings | +| | Modify Host Discovery Settings | Yes | | 1200 | Global Settings | +| | Modify Host Inventory Settings | Yes | | 1200 | Global Settings | +| | Modify Other Settings | Yes | | 1200 | Global Settings | +| | Set as Default (SP) | Yes | | 1200 | Global Settings | +| | Add SP | Yes | | 1201 | Global Settings | +| | Delete SP | Yes | | 1201 | Global Settings | +| | Modify SP | Yes | | 1201 | Global Settings | +| Connection/Storage Profile Modifications | Add CP | Yes | | 1202 | Global Settings | +| | Delete CP | Yes | | 1202 | Global Settings | +| | Set as Default (CP) | Yes | | 1202 | Global Settings | +| | Add Credential | Yes | | 1202 | Global Settings | +| | Delete Credential | Yes | | 1202 | Global Settings | +| | Use 'Trusted' credentials checkbox | Yes | | 1202 | Global Settings | +| Host List Operations | Add Hosts | Yes | | 1203 | Global Settings | +| | Save Selected to List | Yes | | 1203 | Global Settings | +| | Schedule | Yes | | 1205 | Global Settings | +| Host Discovery/Inventory Queries | Create Query | Yes | | 1206 | Global Settings | +| | Edit Query | Yes | | 1207 | Global Settings | +| | Delete Query | Yes | | 1208 | Global Settings | +| | Run Query | Yes | | 1209 | Global Settings | +| | Modify Report | Yes | | 1215 | Job | +| | Modify Group Settings | Yes | | 1300 | Group | +| | Group Execution | Yes | | 1301 | Group | +| | Group Delete | Yes | | 1302 | Group 
| +| | Group Creation | Yes | | 1303 | Group | +| | Group Renamed | Yes | | 1304 | | +| | Group Locked | Yes | | 1305 | Group | +| | group scheduled | Yes | | 1307 | Group | + +## Module and Version +**Module:** Netwrix Access Analyzer - Core +**Versions:** `6.3+` +**Legacy Article ID:** `1111` diff --git a/docs/kb/accessanalyzer/access-analyzer-migrating-low-priority-scheduled-tasks-to-normal-priority-to-improve-job-performance.md b/docs/kb/accessanalyzer/access-analyzer-migrating-low-priority-scheduled-tasks-to-normal-priority-to-improve-job-performance.md new file mode 100644 index 0000000000..98497bb9ff --- /dev/null +++ b/docs/kb/accessanalyzer/access-analyzer-migrating-low-priority-scheduled-tasks-to-normal-priority-to-improve-job-performance.md 
@@ -0,0 +1,87 @@ +--- +description: >- + Use a PowerShell script to change Netwrix Access Analyzer scheduled task + priorities from Below Normal (7) or undefined to Normal (5) so + StealthAUDIT.exe I/O runs at normal priority and job performance improves. +keywords: + - Netwrix Access Analyzer + - scheduled tasks + - priority + - PowerShell + - StealthAUDIT.exe + - I/O priority + - Set-ScheduledTask + - 'C:\Windows\System32\Tasks' +products: + - access-analyzer +sidebar_label: 'Access Analyzer: Migrating Low Priority Scheduled Tasks' +tags: [] +title: "Access Analyzer: Migrating Low Priority Scheduled Tasks to Normal Priority to Improve Job Performance" +knowledge_article_id: kA04u0000000K1CCAU +--- + +# Netwrix Access Analyzer: Migrating Low Priority Scheduled Tasks to Normal Priority to Improve Job Performance + +## Summary + +In some cases, Scheduled Tasks in Netwrix Access Analyzer are created with priority 7 (Below Normal) instead of 5 (Normal), or with no priority set at all. This results in StealthAUDIT.exe I/O to/from Tier 2 databases being Low Priority which could lead to reduced performance. This article outlines how to migrate Scheduled Tasks to be Priority 5 rather than Priority 7 via PowerShell. + +## Instructions + +**Important:** + +- **The credential in the script below is not for permission purposes. Rather, it is the Service Account that will be assigned to each modified Scheduled Task.** +- **This script should be run again any time a new Netwrix Access Analyzer Scheduled Task is created.** + +1. 
Run the script below in an elevated PowerShell on the Netwrix Access Analyzer server (or download the script here: https://netwrix.com/download/products/KnowledgeBase/SA-ScheduledTaskPriority.ps1): + +```powershell +param ( + +[Parameter(Mandatory=$true)][PSCredential]$TaskServiceAccount + +) + +$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()) +if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { + Write-Error "Script must be Run As Admin. Exiting..." + exit +} + +$directories = @("C:\Windows\System32\Tasks", "C:\Windows\Tasks") + +$directories | ForEach-Object { + + $list = Get-ChildItem $_ | ` + Where-Object { $_.name -like "SAJOB*" } | ` + Select-Object Name + + $list | ForEach-Object { + + $taskName = $_.Name + $task = Get-ScheduledTask -TaskName $taskName + $task.Settings.Priority = 5 + + Set-ScheduledTask ` + -TaskName $taskName ` + -Action $task.Actions ` + -Settings $task.Settings ` + -User $TaskServiceAccount.Username ` + -Password $TaskServiceAccount.GetNetworkCredential().Password + } +} +``` + +2. Confirm the script ran successfully by observing output. It should look similar to the example below: + +``` +TaskPath TaskName State +-------- -------- ----- +\ SAJOB~.Active Directory Invent... Ready +\ SAJOB~FSAA~{A5142820-4190-4244... Ready +\ SAJOB~SEEK~{3ABDD931-37EB-4734... Ready +``` + +3. Observe XMLs for scheduled tasks in `C:\Windows\Tasks` or `C:\Windows\System32\Tasks` and confirm priority is now set to `5` (Normal). + +After successfully running the script all Netwrix Access Analyzer Scheduled Tasks will now run with Normal I/O priority. diff --git a/docs/kb/accessanalyzer/access-analyzer-process-running-scheduled-tasks-did-not-end.md b/docs/kb/accessanalyzer/access-analyzer-process-running-scheduled-tasks-did-not-end.md new file mode 100644 index 0000000000..f47dd7feb1 --- /dev/null 
+++ b/docs/kb/accessanalyzer/access-analyzer-process-running-scheduled-tasks-did-not-end.md @@ -0,0 +1,41 @@ +--- +description: >- + How to verify and resolve when a Netwrix Access Analyzer scheduled task + appears to be stuck in the operating system Task Scheduler. +keywords: + - Netwrix Access Analyzer + - scheduled task + - Task Scheduler + - running.lck + - stuck job + - end task + - processes tab + - command line +products: + - access-analyzer +sidebar_label: Access Analyzer process running scheduled tasks di +tags: [] +title: "Netwrix Access Analyzer process running scheduled tasks did not end" +knowledge_article_id: kA04u0000000INfCAM +--- + +# Netwrix Access Analyzer process running scheduled tasks did not end + +## Summary +Scheduled task appears to be stuck; how to verify and resolve. + +## Issue +While in the operating system's **Task Scheduler**, you notice a scheduled task is running longer than it usually does. The job may be stuck. To verify and/or resolve, follow the steps below. + +## Instructions + +To verify that the job is actually stuck, check the job statistics. If the job's last run is the same time as the scheduled task's start time, and if it has a finish time, it is possible that the process is stuck. + +To remediate the issue: + +1. Right-click on the scheduled task in **Task Scheduler** and select **End**. +2. Check Task Manager for the corresponding Netwrix Access Analyzer process. If you add the **Command line** column to the **Processes** tab, it will show you the job that is running. End the process that is causing the issue. +3. Inspect the folder of the job and remove any `running.lck` files that may be present. Right-click on the job and select **Explore folder**. If a `running.lck` file is present, delete it. + +**Module:** Netwrix Access Analyzer - Core +**Salesforce Article ID:** 000001109 
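Review bot: In the Access Analyzer Event Log IDs table, the `Group Renamed` row (EventID 1304) has an empty Task Category while every other 13xx row says `Group`; fill it in or state that the event is logged without a category. Because the Category column is left blank on most rows, several cases appear under a heading they do not obviously belong to: `Closing Access Analyzer` and `Job Locked` follow `Role Modifications`, and `Modify Report` (1215, Job) and the 1300-1307 group events follow `Host Discovery/Inventory Queries`. Readers will use this table to build event-log filters, so give each row an explicit Category and add a sentence noting that IDs such as 1002, 1111, 1112, 1200 and 1202 each cover several different actions and cannot separate them by ID alone. The Case capitalisation is inconsistent (`failure of scheduled task to launch`, `schedule deleted`, `group scheduled`), the Comments column is empty on every row, and `## Summary` followed by `**Summary:**` repeats the label.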
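Review bot: In the scheduled-task priority article, the script's inner loop uses the result of `Get-ScheduledTask -TaskName $taskName` without checking it, and `$taskName` is a file name read from `C:\Windows\System32\Tasks` and `C:\Windows\Tasks` rather than a task returned by the scheduler. Skip the entry when no task comes back, for example by calling `Get-ScheduledTask` with `-ErrorAction Stop` inside a `try`/`catch`, so that a name with no matching task never reaches `Set-ScheduledTask`. The administrator check ends with a bare `exit` after `Write-Error`, which gives a calling process no failure code; use `exit 1`. Every `SAJOB*` task is re-registered with `-User` and `-Password` from `$TaskServiceAccount`, so step 1 should say outright that tasks currently running under a different account will be switched to this one. The front-matter `title` ("Access Analyzer: ...") and the H1 ("Netwrix Access Analyzer: ...") also differ.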
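Review bot: In access-analyzer-process-running-scheduled-tasks-did-not-end.md, `sidebar_label: Access Analyzer process running scheduled tasks di` is cut off mid-word; restore the full label or shorten it deliberately. In the Instructions, the verification sentence treats "if it has a finish time" as a sign that the process is stuck while the task is still running; add a sentence saying why a recorded finish time points to a stuck process, because as written the condition reads as contradictory. Step 2 should tell the reader to confirm from the **Command line** column that the process belongs to the job behind the task ended in step 1 before ending it. Step 3 gives the delete instruction twice with **Explore folder** in between; reorder it as open the job folder, then delete `running.lck` if present.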
diff --git a/docs/kb/accessanalyzer/access-analyzer-published-reports-with-the-option-to-download-to-csv-opens-directly-in-default-brows.md b/docs/kb/accessanalyzer/access-analyzer-published-reports-with-the-option-to-download-to-csv-opens-directly-in-default-brows.md new file mode 100644 index 0000000000..a84e0398ea --- /dev/null +++ b/docs/kb/accessanalyzer/access-analyzer-published-reports-with-the-option-to-download-to-csv-opens-directly-in-default-brows.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Netwrix Access Analyzer published reports with the option to download to CSV + may open directly in the default browser if Windows has no application + associated with the .csv extension. Associate .csv files with Notepad or + another application to force a download prompt. +keywords: + - access analyzer + - csv + - download + - Notepad + - default apps + - Windows Server + - Netwrix Access Analyzer + - Netwrix Auditor + - AllData + - file association +products: + - access-analyzer +sidebar_label: "Access Analyzer published reports with the option to download to CSV opens directly in default browser" +tags: [] +title: >- + Access Analyzer published reports with the option to download to CSV opens + directly in default browser instead of as a download +knowledge_article_id: kA04u0000000IxjCAE +--- + +# Access Analyzer published reports with the option to download to CSV opens directly in default browser instead of as a download + +## Summary +**Netwrix Access Analyzer** published reports with the option to download to CSV open directly in the default browser instead of prompting to save. + +## Issue +**Netwrix Access Analyzer** published reports can be configured with the option to download to csv (`AllData`). When you click this, the CSV file opens directly in the default browser rather than prompting you to save. This happens when Windows has no application associated with the file extension `.csv`. + +## Instructions +To resolve the issue, associate the `.csv` file extension with Notepad (or another application of your choice). The steps are Windows OS specific. + +### Server 2016 / 2019 +1. Open **`Windows Settings\Apps`**, then choose **default apps by file type**. +2. Scroll down to file extension `.csv`, select **Choose default app**, and select **Notepad**. + +### Server 2012 / R2 +1. Open **`Control Panel\Programs\Default Programs`**. +2. Select **Associate a file type or protocol with a specific application**. +3. 
Scroll down to `.csv`, select **Change program**, and select **Notepad**. + +### Server 2008 +1. Open **Control Panel > Default Programs**. +2. Select the `.csv` file type and choose **Change program**, then select **Notepad**. + +### Windows Desktop OS +- If Microsoft Office is installed, CSV files are likely already associated with Excel and you will not need to change this. +- Files may be associated with your choice of program, not just Notepad. + +## Product +- Product: AIC/Netwrix Auditor +- Module: Netwrix Access Analyzer - Reporting +- Versions: All +- Legacy Article ID: 2394 diff --git a/docs/kb/accessanalyzer/access-analyzer-upgrade-faq.md b/docs/kb/accessanalyzer/access-analyzer-upgrade-faq.md new file mode 100644 index 0000000000..f0b68d317d --- /dev/null +++ b/docs/kb/accessanalyzer/access-analyzer-upgrade-faq.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Answers common questions about upgrading and migrating Netwrix Access + Analyzer, including in-place OS upgrades, migration order, and SQL Server + recovery mode recommendations. +keywords: + - access analyzer + - upgrade + - migration + - SQL Server + - recovery mode + - in-place upgrade + - server migration + - database recovery mode + - Netwrix +products: + - access-analyzer +sidebar_label: Access Analyzer Upgrade FAQ +tags: [] +title: "Access Analyzer Upgrade FAQ" +knowledge_article_id: kA0Qk0000001hHRKAY +--- + +# Access Analyzer Upgrade FAQ + +## Questions + +1. Can I perform an in-place operating system upgrade on the Netwrix Access Analyzer host server? +2. When migrating Access Analyzer to a new server, should I upgrade Access Analyzer before or after migrating? +3. Should the Access Analyzer database be in Simple Recovery Mode or Full Recovery Mode? + +## Answers + +1. We do not recommend performing an in-place upgrade for the Netwrix Application server's Operation System. It has been known to cause issues. We suggest spinning up a new server with the new OS and migrating Netwrix to the new server. +2. We recommend migrating Access Analyzer to the new server first. Then, after confirming everything is working as expected on the new server, upgrade to the latest version. +3. You should keep all of Netwrix's databases on simple recovery mode. For mor information, please see the following article: SQL Server Requirements. + +## Related Articles + +- SQL Server Requirements diff --git a/docs/kb/accessanalyzer/access-analyzer-version-numbers.md b/docs/kb/accessanalyzer/access-analyzer-version-numbers.md new file mode 100644 index 0000000000..f6f9d3366d --- /dev/null +++ b/docs/kb/accessanalyzer/access-analyzer-version-numbers.md 
@@ -0,0 +1,57 @@ +--- +description: >- + How to find Netwrix Access Analyzer core and installer package version + numbers, and where to locate the `StealthAUDIT.exe` core version and + Add/Remove Programs installer version. +keywords: + - access analyzer + - Netwrix Access Analyzer + - version numbers + - core version + - installer package + - StealthAUDIT.exe + - Add/Remove Programs +products: + - access-analyzer +sidebar_label: Netwrix Access Analyzer Version Numbers +tags: [] +title: "Netwrix Access Analyzer Version Numbers" +knowledge_article_id: kA04u0000000ItwCAE +--- + +# Netwrix Access Analyzer Version Numbers + +## Summary +How to find Netwrix Access Analyzer version numbers. + +## Issue +When you talk about the version of Netwrix Access Analyzer, you're referring to the core version number. +This is what you'll find in **Help** > **About**, and it indicates the version of the `StealthAUDIT.exe` file. + +The Netwrix Access Analyzer build number refers to the installer package version you'll find in **Add/Remove Programs**. + +If you are scanning sensitive data, please also supply the installer package version, which you can find in **Add/Remove Programs**. + +## Instructions + +### Core vs. Installer +- The core version is shown in **Help** > **About** and reflects the `StealthAUDIT.exe` file version. +- The installer package (build) is shown in **Add/Remove Programs**. + +### Versions + +#### 10 +| Version | Core Version (Help > About) | Installer Package (Add/Remove Programs) | +|---|---:|---:| +| `10` | `10.0.1132.702` | `10.0.0.150` | +| `10 SDD` | | `10.0.058` | + +#### 8.1 +| Version | Core Version (Help > About) | Installer Package (Add/Remove Programs) | +|---|---:|---:| +| `8.1 GA` | `8.1.799` | `8.1.0.122` | + +## Product +**Product:** Netwrix Access Analyzer +**Module:** Netwrix Access Analyzer - Core +**Legacy Article ID:** 1310 
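Review bot: In the published-reports CSV article, the Instructions never say on which machine the `.csv` association has to be changed. The Issue attributes the behaviour to Windows having no application associated with `.csv`, and the steps are grouped under server versions, so a reader cannot tell whether to change the Access Analyzer server or the machine whose browser opens the report; state this at the top of the section. The Product block lists `AIC/Netwrix Auditor` while the front matter has `products: access-analyzer`; align the two. In the Server 2016 / 2019 step, the UI path `Windows Settings\Apps` is wrapped in both bold and code, unlike the **Control Panel > Default Programs** style used for Server 2008.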
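Review bot: In access-analyzer-upgrade-faq.md, answer 3 and the Related Articles list both name "SQL Server Requirements" as plain text with no link target, so the reference cannot be followed; add the link. Answer 1 has "Operation System" for "Operating System" and answer 3 has "For mor information". Answers 1 and 3 also say "Netwrix Application server", "migrating Netwrix" and "all of Netwrix's databases" where the questions ask specifically about Access Analyzer; use the product name so the scope of each recommendation is clear.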
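Review bot: In access-analyzer-version-numbers.md, the `10 SDD` row gives the installer package as `10.0.058`, three components, where the other installer values (`10.0.0.150`, `8.1.0.122`) have four; confirm the number, and confirm that the empty Core Version cell in that row is intentional. The Issue section asks the reader to "also supply the installer package version" when scanning sensitive data without saying to whom or in what situation; name the recipient. The Core vs. Installer subsection repeats the Issue text almost word for word; keep one of the two.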
diff --git a/docs/kb/accessanalyzer/access-information-center-not-reporting-attribute-changes.md b/docs/kb/accessanalyzer/access-information-center-not-reporting-attribute-changes.md new file mode 100644 index 0000000000..0047ece626 --- /dev/null +++ b/docs/kb/accessanalyzer/access-information-center-not-reporting-attribute-changes.md 
@@ -0,0 +1,48 @@ +--- +description: >- + When the Access Information Center (AIC) shows no attribute updates, + differential scans for Active Directory Inventory may be disabled. Enable + differential scanning to collect and report attribute changes. +keywords: + - access information center + - attribute changes + - active directory + - differential scan + - AD Inventory + - AIC + - 1-AD_Scan + - Collect only updates since the last scan +products: + - access-analyzer +visibility: public +sidebar_label: 'Access Information Center Not Reporting Attribute ' +tags: [] +title: "Access Information Center Not Reporting Attribute Changes" +knowledge_article_id: kA0Qk0000001oQzKAI +--- + +# Access Information Center Not Reporting Attribute Changes + +## Symptom + +When viewing the **Attribute Changes** in the **Reports** section of the Access Information Center (AIC), no updates appear for users, even though changes have been made since the last Active Directory (AD) Inventory scan. + +## Cause + +When differential scans for AD Inventory are not running, attribute changes are not collected. + +## Resolution + +Ensure that differential scans for AD Inventory are enabled and running. This will allow the AIC to capture and report any changes made to AD user attributes. + +- To enable differential scanning of AD Inventory, enable the **Collect only updates since the last scan** option in the query configuration as shown below: + + ![Collect only updates since the last scan](images/servlet_image_bd5be116677a.png) + +- For further information on customizing the `AD > 1-AD_Scan` job, please visit: /docs/auditor/11.6/enterpriseauditor/solutions/activedirectoryinventory + +> Note: This article refers to the Access Information Center within Netwrix Access Analyzer product functionality. + +## Related Article + +- /docs/auditor/11.6/enterpriseauditor/solutions/activedirectoryinventory 
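Review bot: In access-information-center-not-reporting-attribute-changes.md, the reference to the `AD > 1-AD_Scan` documentation is a bare path, `/docs/auditor/11.6/enterpriseauditor/solutions/activedirectoryinventory`, both in the Resolution bullet and under Related Article; make it a titled Markdown link and check that a path under `/docs/auditor/` is the intended target for an article filed under `products: access-analyzer`. The Resolution says to ensure differential scans are "enabled and running" but only shows how to enable the option; add how to confirm that a differential scan has actually run. The `sidebar_label` value is truncated to 'Access Information Center Not Reporting Attribute ' with a trailing space.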
diff --git a/docs/kb/accessanalyzer/access-information-center-requiring-domain-prefix-to-log-in-to-web-page.md b/docs/kb/accessanalyzer/access-information-center-requiring-domain-prefix-to-log-in-to-web-page.md new file mode 100644 index 0000000000..e0adb904bb --- /dev/null +++ b/docs/kb/accessanalyzer/access-information-center-requiring-domain-prefix-to-log-in-to-web-page.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Users who belong to subdomains must include their domain prefix before their + username when logging in to the Access Information Center (AIC) due to a + change in the web server. This article explains the symptom, cause, and how to + configure the Default Domain to restore the expected behavior. +keywords: + - Access Information Center + - domain prefix + - AIC + - login + - Default Domain + - Active Directory + - Netwrix Access Analyzer + - multiple domains +products: + - access-analyzer +sidebar_label: 'Access Information Center Requiring Domain Prefix ' +tags: [] +title: "Access Information Center Requiring Domain Prefix to Log In to Web Page" +knowledge_article_id: kA0Qk0000001jO5KAI +--- + +# Access Information Center Requiring Domain Prefix to Log In to Web Page + +## Symptom +You receive the following error when Domain Prefix is required for log-in: + +![image (14).png](images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk00000AGwf1.png) + +## Cause +Due to the change from IIS to a new web server, subdomain users will now need to include their domain prefix before their username when logging in. + +![Login prompt showing username field with domain prefix required.](images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk000009d2RO.png) + +> **NOTE:** You can create a more uniform and consistent log-in experience across all domains connected to the AIC by leaving it as is and requiring the domain prefix. + +## Resolution +Ensure that the **Default Domain** is based on the AIC **Use the following Active Directory account** setting, which must be the desired domain. + +> **NOTE:** All domains enabled to access the AIC must also have data collected by the Netwrix Access Analyzer Active Directory Inventory solution as per the following article: Active Directory—Multiple Domains. diff --git a/docs/kb/accessanalyzer/access-violations.md b/docs/kb/accessanalyzer/access-violations.md new file mode 100644 index 0000000000..23e913e1ff --- /dev/null 
+++ b/docs/kb/accessanalyzer/access-violations.md @@ -0,0 +1,59 @@ +--- +description: >- + Access violations can occur when running Data Collectors that use associated + .exe files. This article lists affected collectors and provides a workaround + to run those executables with elevated privileges. +keywords: + - access violation + - data collector + - UAC + - run as administrator + - Private Assemblies + - Netwrix Access Analyzer + - StealthAUDIT.exe + - ExchangePS + - PowerShell +products: + - access-analyzer +sidebar_label: Access Violations +tags: [] +title: "Access Violations" +knowledge_article_id: kA04u0000000II7CAM +--- + +# Access Violations + +## Summary: +**Summary:** Access Violation when running Data Collectors that have an `.exe` associated to them + +## Issue: +**Issue:** Experiencing access violations + +## Instructions: +**Instructions:** There are a few data collectors that have associated `.exe` files with them: + +- Blackberry Data Collector +- Powershell Data Collector +- ExchangePS DC +- Exchange2k DC +- Smartlog DC + +This issue can be caused by having UAC turned on, or the account running Netwrix Access Analyzer not having sufficient local administrator privileges. + +A workaround for this is to set all `.exe` files in the Private Assemblies folder to always Run as Administrator. + +1. Go to ` %sainstalldir%\Private Assemblies` +2. Search for `.exe` +3. For each `.exe` file: + 1. Right click > **Properties** + 2. **Compatibility** tab + 3. **Change settings for all users** button + 4. Check the **Run this program as an administrator** box + 5. **OK** > **OK** + +You can do this for the `StealthAUDIT.exe`, as well. + +## Module: +**Module:** Netwrix Access Analyzer - DC - Blackberry; Netwrix Access Analyzer - DC - Exchange2k; Netwrix Access Analyzer - DC - ExchangePS; Netwrix Access Analyzer - DC - PowerShell; Netwrix Access Analyzer - DC - Smartlog EventLog; Netwrix Access Analyzer - DC - Smartlog IIS + +**Salesforce Article ID:** 000001060 
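Review bot: In access-information-center-requiring-domain-prefix-to-log-in-to-web-page.md, the Symptom section says "You receive the following error" but the error exists only as an image whose alt text is `image (14).png`; quote the message as text so it can be searched and read without the image. The Resolution sentence names the **Default Domain** and the **Use the following Active Directory account** setting without saying where either one is configured or what to change; turn it into steps. The note under Cause recommends leaving the prefix requirement in place, which reads as advice against the Resolution, so say which outcome is recommended. The multiple-domains article named in the last note has no link, and `sidebar_label` ends in a trailing space.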
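Review bot: In access-violations.md, the workaround does not cover one of the two stated causes. The text says the violation can come from UAC or from the account running Netwrix Access Analyzer "not having sufficient local administrator privileges", but ticking **Run this program as an administrator** only forces an elevation request; say what to do when the account is not a local administrator. The setting is applied through **Change settings for all users** to every `.exe` in Private Assemblies, and optionally to `StealthAUDIT.exe`, so the article should state that the change is machine-wide and recommend confirming that only administrators can write to that folder. The path in step 1 has a leading space inside the code span, "Powershell Data Collector" is missing the capital S used elsewhere, and each heading duplicates its label (`## Summary:` followed by `**Summary:**`).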
diff --git a/docs/kb/accessanalyzer/access_analyzer_11.6_error_data_at_the_root_level_is_invalid_line_3_position_5.md b/docs/kb/accessanalyzer/access_analyzer_11.6_error_data_at_the_root_level_is_invalid_line_3_position_5.md new file mode 100644 index 0000000000..7af4301129 --- /dev/null +++ b/docs/kb/accessanalyzer/access_analyzer_11.6_error_data_at_the_root_level_is_invalid_line_3_position_5.md @@ -0,0 +1,35 @@ +--- +description: >- + This article addresses the error message "Data at the root level is invalid" encountered in Netwrix Access Analyzer version 11.6, detailing its causes and resolutions. +keywords: + - Access Analyzer + - error resolution + - Reports.xml +sidebar_label: Access Analyzer 11.6 Error +tags: [] +title: "Access Analyzer 11.6 Error: Data at the Root Level Is Invalid Line 3 Position 5" +knowledge_article_id: kA0Qk0000001kX3KAI +products: + - access-analyzer +--- + +# Access Analyzer 11.6 Error: Data at the Root Level Is Invalid Line 3 Position 5 + +## Symptom + +When navigating through the **Access Analyzer** console by selecting jobs or job groups to display the job information on the right side of the console in Netwrix Access Analyzer version 11.6, the system generates the following error message: + +``` +Data at the root level is invalid. Line 3, position 5 +``` + +## Cause + +These errors may be caused by any one of the following: + +- The Reports folder at this location: `\%SAInstallDIR%\StealthAudit\Reports>` is missing the **Reports.xml** file. +- The **Reports.xml** file is corrupt. + +## Resolution + +To address these causes, remove the corrupt **Reports.xml** file and reopen the **Access Analyzer application** to generate a new **Reports.xml** file. \ No newline at end of file diff --git a/docs/kb/accessanalyzer/active-directory-permissions-analyzer-reports-are-outdated.md b/docs/kb/accessanalyzer/active-directory-permissions-analyzer-reports-are-outdated.md new file mode 100644 index 0000000000..5eaaca3148 --- /dev/null 
+++ b/docs/kb/accessanalyzer/active-directory-permissions-analyzer-reports-are-outdated.md 
@@ -0,0 +1,76 @@ +--- +description: >- + Active Directory Permissions Analyzer (ADPA) reports show old data from + deprecated domains. Create and run a job to remove outdated ADPA tables and + repopulate them for active domains. +keywords: + - ADPA + - Active Directory + - permissions + - Netwrix Auditor + - ADInventory + - ADPERMISSIONS + - SQL + - Drop Domain + - Job +products: + - access-analyzer +sidebar_label: 'Active Directory Permissions Analyzer reports are ' +tags: [] +title: "Active Directory Permissions Analyzer reports are outdated" +knowledge_article_id: kA04u000000HDhRCAW +--- + +# Active Directory Permissions Analyzer reports are outdated + +## Symptoms + +Old data in the Active Directory Permissions Analyzer **(ADPA)** reports from deprecated Domains. +Example of the incorrect data: +![Chart Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aiy.png) + +## Cause + +ADPA Data is not cleared when running only the ADInventory (ADI): Category >> Drop Domain – Remove host domain related data from SQL server option seen under the following: +/docs/auditor/11.5/stealthaudit/data-collectors/adinventory-data-collector/adinventory-query-configurationuration + +## Resolution + +We will need to create a new Job to work with the APDA data in question. +To do so you can follow the steps below. + +1. Create a new Job in the Netwrix Auditor console: right click the **Jobs Node** in the left-hand window and select **Create Job**: + + ![Graphical user interface, application Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aiz.png) + + Select the **Local host** in the jobs host list: + + ![Graphical user interface, application Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aj0.png) + +2. Click on the **Create Query**: + + ![Graphical user interface, application, Word Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aj1.png) + +3. Configure the jobs query Properties. 
+ Under the **Data Sources** tab, select the **ADPERMISSIONS** option from the dropdown menu then click on **Configure**. + + ![Graphical user interface, application, Word Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aj2.png) + + Select **Remove Tables** and click **Next**: + + ![Graphical user interface, text, application, email Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aj3.png) + + Check the Results option: Click **Next** → **Finish** → **Ok**. + + ![Graphical user interface, text, application Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aj4.png) + +4. Now run the new Job. + +5. Once the job completes run the ADPA report; it should complete with an error. + Examples: + `Invalid object name 'dbo.SA_ADPerms_PermissionsView'.` + `Invalid object name 'dbo.SA_ADPerms_Permissions*View'.` + +Now you can run the Active Directory Permissions Analyzer Job Group to repopulate for the active Domains. + +This will recreate the needed ADPA Tables and Views needed for the Reports. diff --git a/docs/kb/accessanalyzer/ad-securityassessment-explained.md b/docs/kb/accessanalyzer/ad-securityassessment-explained.md new file mode 100644 index 0000000000..9bfa523850 --- /dev/null +++ b/docs/kb/accessanalyzer/ad-securityassessment-explained.md 
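Review bot: In access_analyzer_11.6_error_data_at_the_root_level_is_invalid_line_3_position_5.md, the Resolution covers only the second of the two causes. Cause lists a missing **Reports.xml** and a corrupt **Reports.xml**, but the Resolution only says to "remove the corrupt **Reports.xml** file"; state what to do in the missing-file case, and advise keeping a copy of the removed file. The folder path `\%SAInstallDIR%\StealthAudit\Reports>` has a leading backslash and a trailing `>` that look like leftovers, the bold in "**Access Analyzer application**" takes in the word "application", and the file ends without a trailing newline.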
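Review bot: In active-directory-permissions-analyzer-reports-are-outdated.md, step 3 has the reader select **Remove Tables** for the **ADPERMISSIONS** data source with no warning that this removes the ADPA tables and views the reports depend on (step 5 expects `Invalid object name` errors) and no advice to back up the database first; add both before the step. Step 5 says the report "should complete with an error" without explaining that the error is the expected confirmation that the tables are gone; say so, or readers will stop there. The Resolution opens with "APDA" for ADPA, step 1 refers to the "Netwrix Auditor console" although the article is filed under `products: access-analyzer`, the Cause link path ends in `adinventory-query-configurationuration`, which looks like a mangled slug, and the image alt texts are auto-generated ("Description automatically generated").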
@@ -0,0 +1,115 @@ +--- +description: >- + Lists where the AD_SecurityAssessment report retrieves data for each category, + including the tables/views and jobs you can use to investigate and mitigate + vulnerabilities. +keywords: + - AD_SecurityAssessment + - Active Directory + - SA_ADInventory + - permissions + - AD report + - AD assessment +products: + - access-analyzer +sidebar_label: AD_SecurityAssessment Explained +tags: [] +title: "AD_SecurityAssessment Explained" +knowledge_article_id: kA0Qk0000001gV3KAI +--- + +# AD_SecurityAssessment Explained + +## Question + +Where does the AD_SecurityAssessment report get the data for it's categories and results so the information can be used to investigate and mitigate vulnerabilities? + +## Answer + +| Category | Check | Tables/Views | Job | +|---|---|---:|---| +| AD Objects | Objects created (Past 7 Days) | `SA_ADInventory_PrincipalsView` | `.Active Directory Inventory\1-AD_Scan` | +| AD Objects | Principals with non-default Primary Group IDs | `SA_ADInventory_Users, SA_ADInventory_Computers` | `.Active Directory Inventory\1-AD_Scan` | +| AD Objects | Guest account enabled | `SA_ADInventory_UsersView` | `.Active Directory Inventory\1-AD_Scan` | +| AD Objects | Unprivileged users who can add computer accounts | `SA_ADPerms_PermissionsExtView` | `Active Directory Permissions Analyzer\0. Collection` | +| AD Objects | Computers with SERVER_TRUST_ACCOUNT enabled | `SA_ADInventory_ComputersView` | `.Active Directory Inventory\1-AD_Scan` | +| AD Objects | User accounts with SPN configured | `SA_ADInventory_UsersView` | `.Active Directory Inventory\1-AD_Scan` | +| AD Permissions | Stale users with group membership permissions | `SA_AD_GroupMembershipPermissions_Details` | `Active Directory Permissions Analyzer\2. 
Groups\AD_GroupPermissions` | +| AD Permissions | Domain users with direct permissions | `SA_AD_GroupPermissions_Details, SA_AD_UserPermissions_Details, SA_AD_ComputerPermissions_Details, SA_AD_ContainerPermissions_Details, SA_AD_OUPermissions_Details` | `Active Directory Permissions Analyzer\2. Groups\AD_GroupPermissions`
`Active Directory Permissions Analyzer\1. Users\AD_UserPermissions`
`Active Directory Permissions Analyzer\4. Computers\AD_ComputerPermissions`
`Active Directory Permissions Analyzer\7. Containers\AD_ContainerPermissions`
`Active Directory Permissions Analyzer\3. OUs\AD_OUPermissions` | +| AD Permissions | Users with Replication Permissions | `SA_AD_DomainReplication_UserSummary` | `Active Directory Permissions Analyzer\8. Domains\AD_DomainReplication` | +| AD Permissions | Non-Default AdminSDHolder | `SA_AD_AdminSDHolder_UserSummary` | `Active Directory Permissions Analyzer\7. Containers\AD_AdminSDHolder` | +| AD Permissions | Users that can reset passwords | `SA_AD_ResetPasswordPermissions_Details` | `Active Directory Permissions Analyzer\1. Users\AD_ResetPasswordPermissions` | +| Administrator Accounts | Unprivileged users with adminCount=1 | `SA_ADInventory_ExtendedAttributes` | `.Active Directory Inventory\1-AD_Scan` | +| Administrator Accounts | Admin accounts with SPN configured | `SA_ADInventory_UsersView` | `.Active Directory Inventory\1-AD_Scan` | +| Administrator Accounts | Admin accounts with unprivileged owners | `SA_ADPerms_Objects` | `Active Directory Permissions Analyzer\0. Collection` | +| Administrator Accounts | Admin accounts without adminCount=1 | `SA_ADInventory_ExtendedAttributes` | `.Active Directory Inventory\1-AD_Scan` | +| Administrator Accounts | Stale admin accounts that are enabled | `SA_AD_SensitiveSecurityGroups_UserList` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Administrator Accounts | # of privileged accounts | `SA_AD_SensitiveSecurityGroups_UserList` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Administrator Accounts | Disabled admin accounts | `SA_AD_SensitiveSecurityGroups_UserList` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Administrator Accounts | Admin accounts not in protected users group | `SA_ADInventory_EffectiveGroupMembersView` | `.Active Directory Inventory\1-AD_Scan` | +| Administrator Accounts | Recently created admins | `SA_AD_SensitiveSecurityGroups_UserList` | `Active Directory\1. 
Groups\AD_SensitiveSecurityGroups` | +| Administrator Accounts | Recent logon by BUILTIN\Administrator | `SA_ADInventory_UsersView` | `.Active Directory Inventory\1-AD_Scan` | +| Delegation | Resource-Based Constrained Delegation on a computer | `SA_ADInventory_ComputersView` | `.Active Directory Inventory\1-AD_Scan` | +| Delegation | Domain controllers with Resource-Based Constrained Delegation | `SA_AD_ComputerDelegation_Details` | `Active Directory\3. Computers\AD_ComputerDelegation` | +| Delegation | Non Domain Controllers trusted for delegation | `SA_ADInventory_ComputersView` | `.Active Directory Inventory\1-AD_Scan` | +| Delegation | Non Domain Controllers with Unconstrained Delegation | `SA_ADInventory_ComputersView` | `.Active Directory Inventory\1-AD_Scan` | +| Delegation | Service Acccounts trusted for delegation | `SA_AD_SensitiveSecurityGroups_UserList` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Delegation | Users with Unconstrained Delegation | `SA_ADInventory_UsersView` | `.Active Directory Inventory\1-AD_Scan` | +| Delegation | Write access to Resource-Based Constrained Delegation on Domain Controller | `SA_ADPerms_PermissionsExtView` | `Active Directory Permissions Analyzer\0. Collection` | +| Delegation | Objects with Constrained Delegation | `SA_ADInventory_ExtendedAttributes` | `.Active Directory Inventory\1-AD_Scan` | +| Group Policy | Delegated access to GPO linked on Domain Controller OU | `SA_ADPerms_PermissionsView` | `Active Directory Permissions Analyzer\0. Collection` | +| Group Policy | Delegated access to GPO linked on domain | `SA_ADPerms_PermissionsView` | `Active Directory Permissions Analyzer\0. Collection` | +| Group Policy | Delegated access to GPO linked on AD site | `SA_ADPerms_PermissionsView` | `Active Directory Permissions Analyzer\0. 
Collection` | +| Infrastructure Security | Domain Controllers with old passwords | `SA_ADInventory_ComputersView` | `.Active Directory Inventory\1-AD_Scan` | +| Infrastructure Security | Print spooler service enabled on Domain Controller | `SA_SG_ServiceAccounts_ServiceAccounts` | `Windows\Priviledged Accounts\Service Accounts\SG_ServiceAccounts` | +| Infrastructure Security | Domain Controllers that have not logged on in 60 days | `SA_ADInventory_ComputersView` | `.Active Directory Inventory\1-AD_Scan` | +| Infrastructure Security | Users with rights to exploit DCShadow | `SA_AD_DCShadowPermissions_Details` | `Active Directory Permissions Analyzer\9. Sites\AD_DCShadowPermissions` | +| Infrastructure Security | Domains with functional level < 2012 R2 | `SA_AD_DomainInfo_Domains` | `Active Directory\5. Domains\AD_DomainInfo` | +| Infrastructure Security | Anonymous bind to AD enabled | `SA_AD_DomainInfo_dSHeuristics_Details` | `Active Directory\5. Domains\AD_DomainInfo` | +| Infrastructure Security | Anonymous NSPI access enabled | `SA_AD_DomainInfo_dSHeuristics_Details` | `Active Directory\5. Domains\AD_DomainInfo` | +| Infrastructure Security | DC computer accounts with unprivileged owner | `SA_ADPerms_Objects` | `Active Directory Permissions Analyzer\0. Collection` | +| Krbtgt Security | Kerberos krbtgt account with old password | `SA_ADInventory_UsersView` | `.Active Directory Inventory\1-AD_Scan` | +| Krbtgt Security | Krbtgt account with Resource-Based Constrained Delegation | `SA_ADPerms_PermissionsExtView` | `Active Directory Permissions Analyzer\0. Collection` | +| Krbtgt Security | Write access to Resource-Based Constrained Delegation on krbtgt account | `SA_ADPerms_PermissionsExtView` | `Active Directory Permissions Analyzer\0. Collection` | +| Password Security | Highest Password Reuse | `SA_AD_WeakPasswords_Count` | `Active Directory\2. 
Users\AD_WeakPasswords` | +| Password Security | Reversible passwords found in GPOs | `SA_AD_CPassword_Sysvol` | `Active Directory\4. Group Policy\AD_CPassword` | +| Password Security | Passwords older than a year | `SA_AD_PasswordStatus_Details` | `Active Directory\2. Users\AD_PasswordStatus` | +| Password Security | Password never expires | `SA_AD_PasswordStatus_Details, SA_AD_SensitiveSecurityGroups_Summary` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Password Security | Password not required | `SA_AD_PasswordStatus_Details` | `Active Directory\2. Users\AD_PasswordStatus` | +| Password Security | Password expired | `SA_AD_PasswordStatus_Details` | `Active Directory\2. Users\AD_PasswordStatus` | +| Password Security | AES Key Missing | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | Clear Text Password | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | Default Computer Password | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | Delegable Admins | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | DES Encryption Only | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | Empty Password | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | LM Hash | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | Password Never Expires | `SA_AD_WeakPasswords_Results, SA_AD_SensitiveSecurityGroups_Summary` | `Active Directory\2. Users\AD_WeakPasswords`
`Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Password Security | Password Not required | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | Shares Common Password | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | Weak Historical Password | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | Weak Password | `SA_AD_WeakPasswords_Results` | `Active Directory\2. Users\AD_WeakPasswords` | +| Password Security | Passwords stored with reversible encryption | `SA_ADInventory_UsersView` | `.Active Directory Inventory\1-AD_Scan` | +| Password Security | Users with LAPS read permissions | `SA_AD_LAPSPermissions_Results` | `Active Directory Permission Analyzer\4. Computers\AD_LAPSPermissions` | +| Password Security | gMSA not in use | `SA_AD_SensitiveSecurityGroups_UserList` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Password Security | gMSA with old passwords | `SA_ADPerms_Objects` | `Active Directory Permissions Analyzer\0. Collection` | +| Sensitive Security | # of accounts in Pre-Windows 2000 Compatible Access Group | `SA_ADInventory_GroupMembersView` | `.Active Directory Inventory\1-AD_Scan` | +| Sensitive Security Groups | Non standard membership | `SA_ADInventory_GroupsView` | `.Active Directory Inventory\1-AD_Scan` | +| Sensitive Security Groups | Computer accounts | `SA_AD_SensitiveSecurityGroups_Membership` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Sensitive Security Groups | Old password (over 180 days) | `SA_AD_SensitiveSecurityGroups_UserList` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Sensitive Security Groups | Non-admins in DNS admins group | `SA_AD_SensitiveSecurityGroups_Membership` | `Active Directory\1. 
Groups\AD_SensitiveSecurityGroups` | +| Sensitive Security Groups | Groups not protected by SDProp | `SA_AD_DomainInfo_dSHeuristics_Details` | `Active Directory\5. Domains\AD_DomainInfo` | +| Sensitive Security Groups | Highest user count | `SA_AD_SensitiveSecurityGroups_Summary` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Sensitive Security Groups | Oldest password | `SA_AD_SensitiveSecurityGroups_Summary` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Sensitive Security Groups | Password not required | `SA_AD_SensitiveSecurityGroups_Summary` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Sensitive Security Groups | Password never expires | `SA_AD_SensitiveSecurityGroups_Summary` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| Sensitive Security Groups | Disabled members | `SA_AD_SensitiveSecurityGroups_Summary` | `Active Directory\1. Groups\AD_SensitiveSecurityGroups` | +| SID History | Historical admin SIDs on non admins | `SA_AD_SIDHistory_Summary` | `Active Directory\2. Users\AD_SIDHistory` | +| SID History | Historical SID from same domain | `SA_AD_SIDHistory_Summary` | `Active Directory\2. Users\AD_SIDHistory` | +| Stale Objects | Stale users count | `SA_ADInventory_UsersView` | `.Active Directory Inventory\1-AD_Scan` | +| Stale Objects | Computers with unsupported Microsoft OS | `SA_ADInventory_ComputersView` | `.Active Directory Inventory\1-AD_Scan` | +| Stale Objects | Computers with old password last set date | `SA_ADInventory_ComputersView` | `.Active Directory Inventory\1-AD_Scan` | +| Trusts | Foreign Security Principals in admin groups | `SA_ADInventory_DistinguishedNames` | `.Active Directory Inventory\1-AD_Scan` | +| Trusts | Insecure trust configuration | `SA_AD_DomainInfo_TrustDetails` | `Active Directory\5. Domains\AD_DomainInfo` | +| Trusts | Outbound trust with SID History enabled | `SA_AD_DomainInfo_Filtering` | `Active Directory\5. Domains\AD_DomainInfo` | + 
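Review bot: The job-path column is not spelled consistently: the "Users with LAPS read permissions" row uses `Active Directory Permission Analyzer\4. Computers\AD_LAPSPermissions` while every other row spells the group `Active Directory Permissions Analyzer`, and the "Print spooler service enabled on Domain Controller" row has `Windows\Priviledged Accounts\...`, which should be checked against the real job tree name. In the same table, "Service Acccounts trusted for delegation" has a typo, the category "Sensitive Security" on the Pre-Windows 2000 Compatible Access row should probably read "Sensitive Security Groups" like the rows after it, and the "Password Never Expires" row puts two job paths in one cell with no separator between them. Readers will copy these paths to find the job behind a finding, so they need to match the console exactly.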
diff --git a/docs/kb/accessanalyzer/audit-mysql-databases-in-netwrix-access-analyzer.md b/docs/kb/accessanalyzer/audit-mysql-databases-in-netwrix-access-analyzer.md new file mode 100644 index 0000000000..1ee8df6165 --- /dev/null +++ b/docs/kb/accessanalyzer/audit-mysql-databases-in-netwrix-access-analyzer.md 
@@ -0,0 +1,73 @@ +--- +description: >- + Step-by-step instructions to configure MySQL database auditing in Netwrix + Access Analyzer, including prerequisites, creating SQL logins, connection + profiles, host lists, and collection job configuration. +keywords: + - MySQL + - audit + - Netwrix Access Analyzer + - host list + - connection profile + - AWS RDS + - Aurora + - WinRM + - SQL Authentication + - collection job +products: + - access-analyzer +sidebar_label: Audit MySQL Databases in Netwrix Access Analyzer +tags: [] +title: "Audit MySQL Databases in Netwrix Access Analyzer" +knowledge_article_id: kA04u00000111GvCAI +--- + +# Audit MySQL Databases in Netwrix Access Analyzer + +## Question + +How to configure the MySQL databases audit in Netwrix Access Analyzer? + +## Answer + +### Requirements + +- Requirements for Windows (Netwrix Access Analyzer host): + - Windows Management Framework 3+ installed on the Netwrix Access Analyzer Console server (applicable to Windows 2012 and older). +- Requirements for Windows (MySQL host): + - WinRM enabled. +- Requirements for MySQL: + - Read access to all databases contained within each MySQL instance. + - Domain Admin or Local Admin privilege (Windows only). + +### Create the SQL logins + +Create a login on each instance of MySQL to be audited. + +### Configure the connection profile + +While this guide describes the configuration steps to audit MySQL standard edition with MySQL logins, Netwrix Access Analyzer supports Active Directory. If available, Active Directory authentication to MySQL is recommended and supported by Netwrix Access Analyzer. + +1. Open the Netwrix Access Analyzer console. Click **Settings** -> **Connection**. +2. Click **Add Connection Profile**. +3. Replace the default name with **MySQL**. +4. Click **Add User Credential**. +5. Set **Select Account Type** to **SQL Authentication**. +6. Enter the username and password of the MySQL login. +7. 
If different logins were created on different instances, add them all to the connection profile. + +### Create the host list + +1. Under **Host Management**, click **Add hosts** and enter the domain name or IP address into the **Host name** input box. Repeat this for each instance. + +> **NOTE:** For AWS RDS instances, enter the endpoint. This value may change after saving the list if the instance is part of a cluster. + +2. Click **Next** and name the host list **MySQL Instances**. +3. Select the **MySQL** connection profile as the credentials to use when querying hosts in this list. +4. Click **Finish**. + +### Configure and run the MySQL Collection job set + +1. Go to **Jobs** -> **Databases** -> **MySQL** -> **Settings** -> **Connection**. Select the MySQL connection profile. Click to set all child objects to inherit the setting. Click **Save** and **OK**. +2. Go to **Jobs** -> **Databases** -> **MySQL** -> **Settings** -> **Host List Assignment**. Untick **Use Default Setting**, select the **MySQL Instances** host list and click **Save**. +3. For AWS RDS and Aurora instances, right-click each job in the **MySQL** -> **0.Collection folder** and open the properties window. Ensure the checkbox **Skip Hosts that do not respond to PING** is unchecked in the **Performance** tab. diff --git a/docs/kb/accessanalyzer/audit-postgresql-databases-in-netwrix-access-analyzer.md b/docs/kb/accessanalyzer/audit-postgresql-databases-in-netwrix-access-analyzer.md new file mode 100644 index 0000000000..8cfdda9a61 --- /dev/null +++ b/docs/kb/accessanalyzer/audit-postgresql-databases-in-netwrix-access-analyzer.md 
@@ -0,0 +1,69 @@ +--- +description: >- + Shows how to set up auditing of PostgreSQL databases in Netwrix Access + Analyzer, including creating SQL logins, connection profiles, host lists, and + configuring the PostgreSQL collection job set. +keywords: + - PostgreSQL + - audit + - Netwrix Access Analyzer + - connection profile + - host list + - AWS RDS + - Aurora + - SQL Authentication + - collection job +products: + - access-analyzer +sidebar_label: Audit PostgreSQL Databases in Netwrix Access Analy +tags: [] +title: "Audit PostgreSQL Databases in Netwrix Access Analyzer" +knowledge_article_id: kA04u00000111H0CAI +--- + +# Audit PostgreSQL Databases in Netwrix Access Analyzer + +## Question + +How to set up the PostgreSQL databases audit in Netwrix Access Analyzer? + +## Answer + +### Requirements + +Requirements for PostgreSQL: + +- Read access to all databases contained within each PostgreSQL instance. +- Domain Admin or Local Admin privilege (Windows only). + +### Create the SQL logins + +Create a login on each instance of PostgreSQL to be audited. + +### Configure the connection profile + +While this guide describes the configuration steps to audit PostgreSQL standard edition with PostgreSQL logins, the GSSAPI protocol support in PostgreSQL allows for the use of Active Directory. If available, Active Directory authentication to PostgreSQL is recommended and supported by Netwrix Access Analyzer. + +1. Open the Netwrix Access Analyzer console. Click **Settings** -> **Connection**. +2. Click **Add Connection Profile**. +3. Replace the default name with **PostgreSQL**. +4. Click **Add User Credential**. +5. Set **Select Account Type** to **SQL Authentication**. +6. Enter the username and password of the PostgreSQL login. +7. If different logins were created on different instances, add them all to the connection profile. + +### Create the host list + +1. 
Under **Host Management**, click **Add hosts** and enter the domain name or IP address into the **Host name** input box. Repeat this for each instance. + +> **NOTE:** For AWS RDS instances, enter the endpoint. This value may change after saving the list if the instance is part of a cluster. + +2. Click **Next** and name the host list **PostgreSQL Instances**. +3. Select the **PostgreSQL** connection profile as the credentials to use when querying hosts in this list. +4. Click **Finish**. + +### Configure and run the PostgreSQL Collection job set + +1. Go to **Jobs** -> **Databases** -> **PostgreSQL** -> **Settings** -> **Connection**. Select the **PostgreSQL** connection profile. Click to set all child objects to inherit the setting. Click **Save** and **OK**. +2. Go to **Jobs** -> **Databases** -> **PostgreSQL** -> **Settings** -> **Host List Assignment**. Uncheck the **Use Default Setting** checkbox and select the **PostgreSQL Instances** host list and click **Save**. +3. For AWS RDS and Aurora instances, right click each job in the PostgreSQL -> **0.Collection folder** and open the properties window. Ensure the checkbox **Skip Hosts that do not respond to PING** is unchecked in the **Performance** tab. diff --git a/docs/kb/accessanalyzer/blank-reports-in-access-analyzer-web-console.md b/docs/kb/accessanalyzer/blank-reports-in-access-analyzer-web-console.md new file mode 100644 index 0000000000..ad53cd3a71 --- /dev/null +++ b/docs/kb/accessanalyzer/blank-reports-in-access-analyzer-web-console.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Published reports in the Netwrix Access Analyzer Web Console show blank pages; + you can still run a report by searching for its name. This article explains + causes and two resolutions to restore report display. +keywords: + - blank reports + - web console + - Netwrix Access Analyzer + - Solution.xml + - Reports folder + - StealthAUDIT + - SQL timeout + - reporting + - reports path +products: + - access-analyzer +sidebar_label: Blank Reports in Access Analyzer Web Console +tags: [] +title: "Blank Reports in Access Analyzer Web Console" +knowledge_article_id: kA04u000001119aCAA +--- + +# Blank Reports in Access Analyzer Web Console + +## Symptom + +The published reports in the Web Console of Netwrix Access Analyzer show blank pages. Searching by a report name allows you to run a report. + +## Causes + +- The SQL Server instance times out due to the preexisting query. This issue might arise in larger environments with higher loads. +- The **Reports** folder is corrupted. + +## Resolutions + +### Remove the Solution.xml file + +The `Solution.xml` file queries SQL for a summary of audited systems, and it might be timing out depending on the loads in your environment. Removing it allows the reports to populate in a timely manner. + +1. In the Netwrix Access Analyzer host, navigate to `Installation_Folder\STEALTHbits\StealthAUDIT\Jobs\GROUP_NAME`. +2. Remove the `Solution.xml` file. + +### Recreate the Reports folder + +If the prior resolution did not help, follow these steps: + +1. In Netwrix Access Analyzer, navigate to the **Reporting** node. +2. Review the path to the **Reports** folder in the **Publish Reports:** field. The default path is `C:\Program Files (x86)\STEALTHbits\StealthAUDIT\Reports`. +3. In the Netwrix Access Analyzer host, recreate the **Reports** folder. 
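Review bot: Under "Remove the Solution.xml file", step 2 tells the reader to delete `Solution.xml` without saying whether the file is regenerated or what is lost with it; suggest renaming or backing it up instead, so the change can be reverted if the blank pages persist. Step 3 of "Recreate the Reports folder" says to recreate the folder but not how (delete and republish, or restore from elsewhere), nor which permissions the new folder needs for the Web Console to read it. The first cause, "times out due to the preexisting query", would be clearer if it named the query, which the Resolutions section identifies as the `Solution.xml` summary query.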
diff --git a/docs/kb/accessanalyzer/built-in-users-group-permissions.md b/docs/kb/accessanalyzer/built-in-users-group-permissions.md new file mode 100644 index 0000000000..2c22a6574f --- /dev/null +++ b/docs/kb/accessanalyzer/built-in-users-group-permissions.md @@ -0,0 +1,42 @@ +--- +description: >- + Explains whether the built-in Windows Users group (S-1-5-32-545) is required + for Netwrix Access Analyzer and where to find the default installation folder + and role-based access documentation. +keywords: + - Users group + - S-1-5-32-545 + - built-in users + - permissions + - Netwrix Access Analyzer + - installation folder + - STEALTHbits + - StealthAUDIT + - role based access +products: + - access-analyzer +sidebar_label: Built-in Users Group Permissions +tags: [] +title: "Built-in Users Group Permissions" +knowledge_article_id: kA0Qk0000001JDVKA2 +--- + +# Built-in Users Group Permissions + +## Question + +During the security assessment in the Netwrix Access Analyzer environment, the use of the **Users** group (`S-1-5-32-545`) was noted for Access Analyzer services and folders. Does Netwrix Access Analyzer require the use of the **Users** group? + +## Answer + +The use of the **Users** group is not required—Netwrix Access Analyzer implements the **Users** group by default. You can modify the permissions for the installation folder to exclude the group. Refer to the following path for the default installation folder for Access Analyzer: + +```text +C:\Program Files (x86)\STEALTHbits\StealthAUDIT\ +``` + +Refer to the following article for additional information on Role Based Access to the Netwrix Access Analyzer console: /docs/auditor/11.6/enterpriseauditor/admin-guide/settings/access/rolebased (Access — Role Based Access · v11.6). + +## Related Articles + +- /docs/auditor/11.6/enterpriseauditor/admin-guide/settings/access/rolebased (Access — Role Based Access · v11.6) 
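Review bot: The first sentence of the Answer is ambiguous and the hardening step is incomplete: "The use of the Users group is not required" is followed by "implements the Users group by default", which does not say what access `S-1-5-32-545` actually receives, and "You can modify the permissions for the installation folder to exclude the group" does not say which accounts must keep access afterwards. Since the question comes from a security assessment, list the default ACL entries and the principals that have to be retained, and address the services mentioned in the question as well as the folder. The role-based access link points to `/docs/auditor/11.6/enterpriseauditor/...` although the front matter lists `access-analyzer` as the product; confirm that is the intended target.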
diff --git a/docs/kb/accessanalyzer/bulk-import-error-sql-logic-error-unknown-database-strucmap.md b/docs/kb/accessanalyzer/bulk-import-error-sql-logic-error-unknown-database-strucmap.md new file mode 100644 index 0000000000..7dcb50b9b8 --- /dev/null +++ b/docs/kb/accessanalyzer/bulk-import-error-sql-logic-error-unknown-database-strucmap.md 
@@ -0,0 +1,74 @@ +--- +description: >- + When the 2-FSAA Bulk Import job returns "SQL logic error unknown database + strucmap.", the database structure map is likely corrupted. This article + describes causes and provides two resolutions: resetting the hosts and + repairing the SQL database. +keywords: + - bulk import + - SQL logic error + - strucmap + - 2-FSAA + - FileSystem + - reset hosts + - repair database + - Netwrix Access Analyzer + - NEA +products: + - access-analyzer +sidebar_label: 'Bulk Import Error: SQL Logic Error Unknown Databas' +tags: [] +title: 'Bulk Import Error: SQL Logic Error Unknown Database Strucmap' +knowledge_article_id: kA0Qk0000001msDKAQ +--- + +# Bulk Import Error: SQL Logic Error Unknown Database Strucmap + +## Symptom + +The 2-FSAA Bulk Import job is returning the following error message: + +```text +SQL logic error unknown database strucmap. +``` + +## Cause + +This error message is the result of a discrepancy or corruption in the database's structure map. It can be caused by configuration changes or other interruptions during a scan or database import. + +## Resolutions + +Please try both of the following resolutions. Start with resetting the hosts, and if the error persists, try [repairing the database](#repair). For both approaches, run the **Bulk Import Maintenance**, targeting the host(s) having the problem. + +### Reset the Host(s) + +1. Navigate to and select the **2-FSAA Bulk Import** job in the Netwrix Access Analyzer (NEA) Job tree. + - The exact location in the Job tree can vary based on your deployment. + - The default location is **Netwrix Access Analyzer (NEA) > Jobs > FileSystem > 0.Collection > 2-FSAA Bulk Import**. +2. Click **Configure > Query > Query properties > Configure**. + - This opens the File System Access Audit Data Collector Wizard. +3. At the bottom of the wizard, click **Maintenance**. +4. Select the Maintenance type: **_Reset Hosts_**, then click **Next**. +5. 
Select the hosts that are throwing the error. +6. Click **_Reset Hosts_**. + - The maintenance should run immediately. +7. After the maintenance run completes, click through the following dialogs: **Continue > Finish > Next**. +8. Ensure that **Import incomplete scan data** is enabled, then click **Finish**. +9. Try running the **FileSystem** collection again. + + +### Repair the SQL Database + +1. Navigate to and select the **2-FSAA Bulk Import** job in the Netwrix Access Analyzer (NEA) Job tree. + - The exact location in the Job tree can vary based on your deployment. + - The default location is **Netwrix Access Analyzer (NEA) > Jobs > FileSystem > 0.Collection > 2-FSAA Bulk Import**. +2. Click **Configure > Query > Query properties > Configure**. + - This opens the **File System Access Audit Data Collector Wizard**. +3. At the bottom of the wizard, click **Maintenance**. +4. Select the Maintenance type: **_Repair_**, then click **Next**. +5. Select the hosts that are throwing the error. +6. Click **_Run_**. + - The maintenance should run immediately. +7. After the maintenance finishes, click through the following dialogs: **Continue > Finish > Next**. +8. Ensure that **Import incomplete scan data** is enabled, then click **Finish**. +9. Try running the **FileSystem** collection again. diff --git a/docs/kb/accessanalyzer/cannot-connect-to-sql-database.md b/docs/kb/accessanalyzer/cannot-connect-to-sql-database.md new file mode 100644 index 0000000000..2791a53da0 --- /dev/null +++ b/docs/kb/accessanalyzer/cannot-connect-to-sql-database.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Users other than the `admin` account cannot access Netwrix Access Analyzer + (AIC) when the SQL database password is expired or incorrect; this article + explains how to update the database password in the Configure Console. +keywords: + - SQL + - database + - password + - AIC + - Netwrix Access Analyzer + - Configure Console + - admin + - login + - cannot connect +products: + - access-analyzer +sidebar_label: Cannot Connect to SQL Database +tags: [] +title: "Cannot Connect to SQL Database" +knowledge_article_id: kA0Qk0000001ybdKAA +--- + +# Cannot Connect to SQL Database + +## Symptom +AIC users other than the `admin` user cannot access Netwrix Access Analyzer (AIC) even with the correct password. + +## Cause +The database password in **Home** > **Configure Console** > **Database** has expired or is incorrect. + +## Resolution +1. Ensure that the password for the Netwrix Access Analyzer database has been updated. +2. Log in to AIC using the default `admin` user and password. + +> **NOTE:** If you need to reset the AIC Administrator password, see: /docs/kb/access-analyzer/resetting_the_aic_administrator_password + +3. Navigate to **Home** > **Configure Console** > **Database**, enter the new database password for your SQL account, and click **Save**. +4. Verify that AIC is now functioning correctly. + +> **NOTE:** Other users, apart from the `admin` user, cannot access AIC if the database password is expired or incorrect. It is recommended to log in as the `admin` user to update the database password. + +## Related Link +- Resetting the AIC Administrator Password: /docs/kb/access-analyzer/resetting_the_aic_administrator_password diff --git a/docs/kb/accessanalyzer/cannot-view-published-reports-in-web-console.md b/docs/kb/accessanalyzer/cannot-view-published-reports-in-web-console.md new file mode 100644 index 0000000000..2dd3c0c3fa --- /dev/null +++ b/docs/kb/accessanalyzer/cannot-view-published-reports-in-web-console.md 
@@ -0,0 +1,48 @@ +--- +description: >- + If you cannot access the Published Reports page in the Web Console, ensure the + account running the Netwrix Access Analyzer Web Server service has permissions + to the Access Analyzer database. This article explains how to verify and + update the service logon account. +keywords: + - published reports + - web console + - Netwrix Access Analyzer + - service account + - database access + - Storage settings + - Scheduled Task Profile + - Access Information Center +products: + - access-analyzer +sidebar_label: Cannot View Published Reports in Web Console +tags: [] +title: "Cannot View Published Reports in Web Console" +knowledge_article_id: kA0Qk0000000Qs9KAE +--- + +# Cannot View Published Reports in Web Console + +## Symptom + +You cannot connect to the **Published Reports** page in the Web Console of Netwrix Access Analyzer. + +## Cause + +The account used to run the `Netwrix Access Analyzer Web Server` service does not have access to the Access Analyzer database. + +## Resolution + +> **NOTE:** If the SQL authentication method is implemented in your Access Analyzer instance to connect to the database, the **Local System** account can be used to run the `Netwrix Access Analyzer Web Server` service. To verify the authentication method, review the **Storage** settings node in Access Analyzer. Refer to the following article for additional information: /docs/access-analyzer/12.0/enterpriseauditor/admin-guide/settings/storage (Administration − Storage). + +1. In the Access Analyzer server, open **Services**. +2. Locate the `Netwrix Access Analyzer Web Server` service, right-click it, and select **Properties**. +3. In the **Log On** tab, specify the account with permissions to access the Access Analyzer database. Save the changes, then restart the service. + +> **TIP:** You can specify any account with permissions to access the Access Analyzer database. 
It is recommended to use either the Scheduled Task Profile account or the database service account used in Netwrix Access Information Center. Refer to the following articles for additional information: /docs/access-analyzer/12.0/enterpriseauditor/admin-guide/settings (Global Settings − Schedule) and /docs/access-analyzer/12.0/access/informationcenter/admin-guide/configurationuration (Access Information Center − Database Page). + +## Related Articles + +- /docs/access-analyzer/12.0/enterpriseauditor/admin-guide/settings/storage (Administration − Storage) +- /docs/access-analyzer/12.0/enterpriseauditor/admin-guide/settings (Global Settings − Schedule) +- /docs/access-analyzer/12.0/access/informationcenter/admin-guide/configurationuration (Access Information Center − Database Page) diff --git a/docs/kb/accessanalyzer/checkpointing_messages_in_log_during_spaaspseek_scanning.md b/docs/kb/accessanalyzer/checkpointing_messages_in_log_during_spaaspseek_scanning.md new file mode 100644 index 0000000000..fc44681180 --- /dev/null +++ b/docs/kb/accessanalyzer/checkpointing_messages_in_log_during_spaaspseek_scanning.md 
@@ -0,0 +1,32 @@ +--- +description: >- + This article explains the meaning of the "Checkpointing" entry message found in the DEBUG log during SPAA/SPSEEK System Scanning. +keywords: + - checkpointing + - SPAA + - SPSEEK + - DEBUG log + - system scan +sidebar_label: Checkpointing Messages in Log +tags: [] +title: "Checkpointing Messages in Log During SPAA/SPSEEK Scanning" +knowledge_article_id: kA0Qk0000002lxJKAQ +products: + - access-analyzer +--- + +# Checkpointing Messages in Log During SPAA/SPSEEK Scanning + +## Question + +What does this `Checkpointing` entry message, in the DEBUG log for my SPAA/SPSEEK System Scan, mean? + +```plaintext +DEBUG  SHAREPOINTACCESS  Stealthbits.StealthAUDIT.DataCollectors.SPAA.Tasks.ScanSharePointAccessTask.InternalProcessRecord  "[C:1894] Checkpointing..."  REDACTED.SHAREPOINT.COM +``` + +## Answer + +Checkpointing refers to the process of writing any pending data to the Tier 2 database. This happens throughout the scan and is handled by the main thread, while other types of processing may still be ongoing. Seeing a checkpoint does not necessarily indicate a specific event—the system is just flushing data. + +> **NOTE:** In general, checkpoint messages in the logs are positive. They indicate that the scan is active and not stalled, even if there is no other visible progress at that moment. \ No newline at end of file diff --git a/docs/kb/accessanalyzer/collecting-ad-summary.md b/docs/kb/accessanalyzer/collecting-ad-summary.md new file mode 100644 index 0000000000..bf924c7e07 --- /dev/null +++ b/docs/kb/accessanalyzer/collecting-ad-summary.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Learn how to collect the Active Directory Summary report values (Total Users + and Disabled Users) for licensing compliance in Netwrix Access Analyzer. +keywords: + - netwrix access analyzer + - active directory + - ad summary + - licensing + - total users + - disabled users + - ad inventory + - jobs + - user count +products: + - access-analyzer +sidebar_label: Collecting AD Summary +tags: [] +title: "Collecting AD Summary" +knowledge_article_id: kA04u000000LLkXCAW +--- + +# Collecting AD Summary + +## Overview + +Licensing of Netwrix Access Analyzer is based on the quantity of enabled AD users in the audited environments. Periodically, you are asked to submit the results of the AD Summary report, specifically the difference between the **Total Users** and **Disabled Users**, to ensure compliance with your licensing agreement. + +## Instructions + +To find this data: + +1. Ensure **.Active Directory Inventory** has recently run or run now. Navigate to **Jobs** > **.Active Directory Inventory** > **1-AD_Scan** and click **Run Now** + ![Group_001.png](images/ka0Qk000000Dl4L_0EM4u000008M8wx.png) + +2. Navigate to **Jobs** > **.Active Directory Inventory** > **1-AD_Scan** > **Results** > **Active Directory Summary** + +3. Take a screenshot or otherwise capture the values displayed in **Total Users** and **Disabled Users** + ![Group_002.png](images/ka0Qk000000Dl4L_0EM4u000008M8x2.png) diff --git a/docs/kb/accessanalyzer/common-applet-related-errors-in-access-analyzer.md b/docs/kb/accessanalyzer/common-applet-related-errors-in-access-analyzer.md new file mode 100644 index 0000000000..3a7bc865d6 --- /dev/null +++ b/docs/kb/accessanalyzer/common-applet-related-errors-in-access-analyzer.md 
@@ -0,0 +1,62 @@ +--- +description: >- + Common applet errors encountered when running Exchange Metrics, SMARTLog, and + FSAA queries in Access Analyzer, with causes and recommended resolutions. + Includes guidance for WMI memory settings, firewall and port conflicts, and + process termination. +keywords: + - access analyzer + - applet errors + - Exchange Metrics + - SMARTLog + - FSAA + - RPC server unavailable + - out of memory + - WMI + - Windows Firewall +products: + - access-analyzer +sidebar_label: Common Applet-Related Errors in Access Analyzer +tags: [] +title: "Common Applet-Related Errors in Access Analyzer" +knowledge_article_id: kA04u0000000INRCA2 +--- + +# Common Applet-Related Errors in Access Analyzer + +## Summary +Common applet errors in Exchange Metrics, SMARTLog, and FSAA. + +## Issue +1. The applet is already started on host. Process ID = +2. Out of memory +3. "CreateLogProcessorRemote failed - Structured exception -> 0x000006D9 +4. Error in TRemoteHelper.GetStageCode: (0x000006BA) The RPC server is unav + +## Instructions + +1. **The applet is already started on host. Process ID =** + + In most cases, only one instance of an applet can be running on a host at any one time. This error is commonly received if a job running an applet based task is in the process of executing when another job using a similar query routine attempts to execute. In this case, the second task will fail as it will not be able to launch the applet. This error can also be received if the applet is 'hung' open for whatever reason. In hung scenarios, the applet process will need to be killed prior to a successful execution of the applet-based query. This can be done manually or through a job designed specifically to terminate the process. + +2. 
**Out of memory** + + Host side out of memory errors, where the applet process does not have sufficient memory to perform the processing task, was most common when running Exchange Metrics queries against Exchange servers on Windows Server 2003 operating systems. This is due to a small amount of memory allowed for WMI-based processes. By default, WMI processes are configured to use up to 128 Mb; however, a setting of 512 Mb is recommended. In these scenarios, it is necessary to modify WMI to allow more memory to be used. Warning: this operation requires a server reboot + http://blogs.technet.com/b/askperf/archive/2008/09/16/memory-and-handle-quotas-in-the-wmi-provider-service.aspx + +3. **"CreateLogProcessorRemote failed - Structured exception -> 0x000006D9** + + This error was commonly viewed when attempting to run Exchange Metrics and SmartLog queries against hosts where the Windows Firewall was enabled. To overcome, it would be necessary to disable the firewall or whitelist the applet executable as to not get caught by the firewall rule. + +4. **Error in TRemoteHelper.GetStageCode: (0x000006BA) The RPC server is unavailable** + + This error has been observed when run with Exchange Metrics, SmartLog, and FSAA applet query routines and represents a condition where the port attempting to be used is already in use by another application. The resolve would be to either free up the port or select another port for query purposes. For versions of SmartLOG and Exchange Metrics from later versions of 6.1 forward, port specifications cannot be modified. 
For FSAA queries, a secondary port could be selected within the configuration of each FSAA applet-based query + +## Module +Access Analyzer - DC - ExchangeMetrics;Access Analyzer - DC - FSAA - Activity;Access Analyzer - DC - FSAA - DFS;Access Analyzer - DC - FSAA - Permissions;Access Analyzer - DC - FSAA - Sensitive Data;Access Analyzer - DC - Smartlog EventLog;Access Analyzer - DC - Smartlog IIS;Access Analyzer - DC - SPAA - Activity;Access Analyzer - DC - SPAA - Permissions + +## Versions +6.3+ + +## Salesforce Article ID +000001046 diff --git a/docs/kb/accessanalyzer/common-sharepoint-on-prem-scanning-permission-errors.md b/docs/kb/accessanalyzer/common-sharepoint-on-prem-scanning-permission-errors.md new file mode 100644 index 0000000000..873d7321aa --- /dev/null +++ b/docs/kb/accessanalyzer/common-sharepoint-on-prem-scanning-permission-errors.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Lists expected permission-related errors when scanning SharePoint on-premises + and the permissions you should verify for each error. +keywords: + - SharePoint + - on-prem + - permissions + - SPAA + - SP_DataAccess + - Backup Operators + - WSS_WPG + - Central Administration + - database +products: + - access-analyzer +sidebar_label: Common SharePoint On-Prem Scanning Permission Erro +tags: [] +title: "Common SharePoint On-Prem Scanning Permission Errors" +knowledge_article_id: kA04u0000000IfHCAU +--- + +# Common SharePoint On-Prem Scanning Permission Errors + +## Overview + +Getting the permissions right in SharePoint on-premise can be tricky, so here are the expected permission-related errors and what you should check when you see them. + +## Instructions + +Based on the error, check to make sure that the user has the permission(s) associated with it. + +### SPAA against SharePoint 2013/2016 + +| Missing Permission | Expected Error | +| --- | --- | +| Local Group Membership: Backup Operators | `Unable to determine administrative site for (host URL) error accessing remote registry. Requested registry access is not allowed` | +| Local Group Membership: WSS_WPG Group | `Unable to negotiate connection to SharePoint database server (host URL): Error: Access is denied` | +| Full Read Web Application Policy | `Unable to negotiate connection to farm: Unable to negotiate connection to SharePoint server sbpmlab-sp10` | +| Site Collection Admin on Central Administration Site Collection | `Unable to retrieve site collection "URL" Error: Access denied. You do not have permission to perform this action or access this resource.` | +| No DB permissions at all | `Unable to negotiate connection to SharePoint database server (host URL): Error Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. 
This could be because the handshake failed or the server was unable to respond back in time. The duration spent while attempting to connect to this server was - [Pre-Login] initialization=4943; handshake=1768;` | +| SP_DataAccess Role membership on SharePoint Content Databases | `Unable to negotiate connection to SharePoint database server (host URL): Error Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. This could be because the handshake failed or the server was unable to respond back in time. The duration spent while attempting to connect to this server was - [Pre-Login] initialization=4943; handshake=1768;` | +| SP_DataAccess Role membership on SharePoint Config Database | `Error enumerating ISharePointSiteCollection children of ISharePointWebApplication. The EXECUTE permission was denied on the object 'proc_getSiteNames', database 'SharePoint_Config'` | +| Public membership to SharePoint_Config, Owner on the content DB | `Unable to negotiate connection to SharePoint database server sbnjqasp01: Error: The EXECUTE permission was denied on the object 'proc_getObject', database 'SharePoint_Config', schema 'dbo'` | + +### SPAA against SharePoint 2010 + +| Missing Permission | Expected Error | +| --- | --- | +| Local Group Membership: Backup Operators | `Unable to determine administrative site for (host URL) error accessing remote registry. Requested registry access is not allowed` | +| Local Group Membership: WSS_WPG Group | `Unable to negotiate connection to SharePoint database server (host URL): Error: Access is denied` | +| Full Read Web Application Policy | `Unable to negotiate connection to farm: Unable to negotiate connection to SharePoint server sbpmlab-sp10` | +| Site Collection Admin on Central Administration Site Collection | `Unable to retrieve site collection "URL" Error: Access denied. 
You do not have permission to perform this action or access this resource.` | +| No DB permissions at all | `Unable to negotiate connection to SharePoint database server (host URL): Error Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. This could be because the handshake failed or the server was unable to respond back in time. The duration spent while attempting to connect to this server was - [Pre-Login] initialization=4943; handshake=1768;` | +| SP_DataAccess Role membership on SharePoint Content Databases | `Unable to negotiate connection to SharePoint database server (host URL): Error Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. This could be because the handshake failed or the server was unable to respond back in time. The duration spent while attempting to connect to this server was - [Pre-Login] initialization=4943; handshake=1768;` | +| SP_DataAccess Role membership on SharePoint Config Database | `Error enumerating ISharePointSiteCollection children of ISharePointWebApplication. The EXECUTE permission was denied on the object 'proc_getSiteNames', database 'SharePoint_Config'` | +| Public membership to SharePoint_Config, Owner on the content DB | `Unable to negotiate connection to SharePoint database server sbnjqasp01: Error: The EXECUTE permission was denied on the object 'proc_getObject', database 'SharePoint_Config', schema 'dbo'` | diff --git a/docs/kb/accessanalyzer/connection-profile-credential-selection.md b/docs/kb/accessanalyzer/connection-profile-credential-selection.md new file mode 100644 index 0000000000..4a3a5458c5 --- /dev/null +++ b/docs/kb/accessanalyzer/connection-profile-credential-selection.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Explains how Netwrix Access Analyzer selects which credentials from a + Connection Profile to use for a target host, including domain matching rules + and fallback order. +keywords: + - connection profile + - credentials + - domain matching + - WindowsDomain + - DNSDomain + - Netwrix Access Analyzer + - target host +products: + - access-analyzer +sidebar_label: Connection Profile Credential Selection +tags: [] +title: "Connection Profile Credential Selection" +knowledge_article_id: kA04u0000000IwpCAE +--- + +# Connection Profile Credential Selection + +## Summary +This article explains how Netwrix Access Analyzer selects credentials from Connection Profiles. + +Netwrix Access Analyzer tries to match the domain in the **Account** column in the **Connection Profile** to: + +1. The Target Host's `WindowsDomain`, as visible in **Host Management**. +2. The Target Host's `DNSDomain`, as visible in **Host Management** (only if the Target Host's `WindowsDomain` value is blank). + +If neither match, Netwrix Access Analyzer will attempt each credential in the Connection Profile in the order listed within the Connection Profile. + +## Product / Module / Legacy ID +- **Product:** Netwrix Access Analyzer +- **Module:** Netwrix Access Analyzer - Core +- **Legacy Article ID:** 1793 diff --git a/docs/kb/accessanalyzer/console-migration-workflow-step-1-staging-the-backup.md b/docs/kb/accessanalyzer/console-migration-workflow-step-1-staging-the-backup.md new file mode 100644 index 0000000000..21db7c8383 --- /dev/null +++ b/docs/kb/accessanalyzer/console-migration-workflow-step-1-staging-the-backup.md 
@@ -0,0 +1,102 @@ +--- +description: >- + Lists the steps to stage the backup for a Netwrix Access Analyzer console + migration by creating the NAA_Migration folder and collecting the required + files and folders for the Access Analyzer Console and Access Information + Center. +keywords: + - console migration + - NAA_Migration + - Netwrix Access Analyzer + - Access Information Center + - backup directory + - scheduled tasks + - SSL certificates + - Vault Service +products: + - access-analyzer + - access_info_center +sidebar_label: 'Console Migration Workflow: Step 1—Staging the Bac' +tags: [] +title: 'Console Migration Workflow: Step 1—Staging the Backup' +knowledge_article_id: kA0Qk0000002OnpKAE +--- + +# Console Migration Workflow: Step 1—Staging the Backup + +> **NOTE:** Return to the main workflow page via this link: [Console Migration Workflow](/docs/kb/accessanalyzer/console-migration-workflow.md). +> +> Proceed to the next section via this link: [Console Migration Workflow: Step 2—Prepare the Database](/docs/kb/accessanalyzer/console-migration-workflow-step-2-prepare-the-database). + +## Overview + +This article lists the steps to prepare for the Netwrix Access Analyzer console migration. + +## Create the Backup Directory + +1. On the current Access Analyzer Console Server, create a folder called `NAA_Migration`. +2. Follow the steps below to prepare the key components necessary for data recovery of the Access Analyzer Console Server. + +## Backup Folders and Files + +> **IMPORTANT:** Store the following in the `NAA_Migration` directory. + +### Netwrix Access Analyzer Console + +Within the `NAA_Migration` folder, create a folder named **NAA**, and add the following files and folders: + +> **NOTE:** Stop all currently running jobs and disable all scheduled jobs prior to backing up and migrating the Access Analyzer Console. + +| File/Folder | Purpose | +|---|---| +| `...\STEALTHbits\StealthAUDIT\Jobs` | Contains the jobs from the SA jobs tree. 
| +| `...\STEALTHbits\StealthAUDIT\StealthAUDIT.lic` | The license key for the Netwrix Auditor product | +| `…\STEALTHbits\StealthAUDIT\Reports` | This will ensure that you do not have to go and republish all reports | +| `…\STEALTHbits\StealthAUDIT\CLU` | Contains any Command Line Utility parameters. | +| `…\STEALTHbits\StealthAUDIT\ODBCProfiles\Custom` | Contains any custom ODBC connect strings for SQL. | +| `…\STEALTHbits\StealthAUDIT\SADatabase\Views` | Contains the host list definitions. | +| `...\STEALTHbits\StealthAUDIT\SecurityMap` | Contains all of the connection profiles. | +| `...\STEALTHbits\StealthAUDIT\GlobalOptions.XML` | Contains the Global Options. | +| `...\STEALTHbits\StealthAUDIT\SPProfiles.XML` | Contains the Storage Profiles. | +| `...\STEALTHbits\StealthAUDIT\rba.conf` | Contains the Role Based Access Configuration. | +| `…\STEALTHbits\StealthAUDIT\rba-reporting.conf` | Published Reports role-based access. | +| `…\STEALTHbits\StealthAUDIT\Web\webserver.exe.config` | Published Reports web server configuration. | +| `…\STEALTHbits\StealthAUDIT\DC\patternsdef.xml` | Configured SDD Criteria | +| `…\STEALTHbits\StealthAUDIT\DC\mypatternsdef.xml` | Custom SDD Criteria | +| `…\STEALTHbits\StealthAUDIT\FSAA` | Contains short term data related to file server collections | +| `C:\Windows\System32\Tasks` | Specifically tasks names beginning with “SA*.job” | + +### Netwrix Access Information Center + +Within the `NAA_Migration` folder, create a folder named **AIC**, and add the following files and folders: + +> **NOTE:** These can be found in the AIC install directory. By default, this is located in `C:\Program Files\STEALTHbits\Access Information Center`. 
If you are unsure where the install directory is located, use the following registry key to locate it: `HKLM:\SYSTEM\CurrentControlSet\Services\AccessInformationCenter` + +| File/Folder | Purpose | +|---|---| +| `…\Access Information Center\AccessInformationCenter.Service.exe.Config` | Contains the AIC Configuration. | +| `…\Access Information Center\Templates.zip` | Custom email templates used by the AIC. | + +## Important Things to Note Before Migrating + +- What accounts are Netwrix Services currently running as? +- Are the AIC and Published Reports secured with SSL Certificates? + - If **yes**, these will need recreated with the new machine. +- Is the Netwrix Vault Service used? + - If **yes**, disable before migrating, then re-enable post-migration. +- Are you currently scanning SharePoint Online or Exchange Online? + - If **yes**, new certificates will need created after the migration. +- It is recommended to take screenshots of the following: + - NAA Scheduled Tasks + - **Settings** > **Access** + - **Settings** > **Storage** + - Expanded **Settings** > **Host Management** node + - Expanded job tree in NAA Console + - Netwrix Services running in `services.msc` + +> **IMPORTANT:** Once the `NAA_Migration` backup is complete, move it to the new Access Analyzer console server. + +## Related Links + +- [Console Migration Workflow](/docs/kb/accessanalyzer/console-migration-workflow.md) +- [Console Migration Workflow: Step 2—Prepare the Database](/docs/kb/accessanalyzer/console-migration-workflow-step-2-prepare-the-database) diff --git a/docs/kb/accessanalyzer/console-migration-workflow-step-2-prepare-the-database.md b/docs/kb/accessanalyzer/console-migration-workflow-step-2-prepare-the-database.md new file mode 100644 index 0000000000..bcdf01bb1c --- /dev/null +++ b/docs/kb/accessanalyzer/console-migration-workflow-step-2-prepare-the-database.md 
@@ -0,0 +1,75 @@ +--- +description: >- + Lists the steps to prepare the Netwrix Access Analyzer database for console + migration, including an SQL script to update host names when restoring the + console to a new server. +keywords: + - Netwrix Access Analyzer + - console migration + - database preparation + - host management + - SQL script + - HostMaster_SANodeFilter + - HostListsTbl + - QueryTbl + - Access Analyzer migration +products: + - access-analyzer + - access_info_center +sidebar_label: 'Console Migration Workflow: Step 2—Prepare the Dat' +tags: [] +title: 'Console Migration Workflow: Step 2—Prepare the Database' +knowledge_article_id: kA0Qk0000002OpRKAU +--- + +# Console Migration Workflow: Step 2—Prepare the Database + +> **NOTE:** Return to the main workflow page via this link: [Console Migration Workflow](/docs/kb/accessanalyzer/console-migration-workflow.md). +> +> Return to the previous section via this link: [Console Migration Workflow: Step 1—Staging the Backup](/docs/kb/accessanalyzer/console-migration-workflow-step-1-staging-the-backup). +> +> Proceed to the next section via this link: [Console Migration Workflow: Step 3—Rebuild the Console](/docs/kb/accessanalyzer/console-migration-workflow-step-3-rebuild-the-console). + +## Overview + +This article lists the steps to prepare the Netwrix Access Analyzer database for the Access Analyzer Migration. + +## New Access Analyzer Console Server Host Name + +For Host Management and Host List Replication, follow these steps to restore the backup of the Access Analyzer console to a new server. + +> **IMPORTANT:** This only applies if the new server name differs from the old server name; otherwise, skip to [Access Analyzer Console Migration Workflow: Step 3 - Rebuild the Console](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA0Qk0000001T1ZKAU.html). 
+ +On the Access Analyzer Database, copy the script below and configure the `OldServer` and `NewServer` values (lines 5 & 6, below), then run: + +1. Copy the SQL script shown below. +2. Edit the `Set @OHost = 'OldServer'` and `Set @NHost = 'NewServer'` lines to match your old and new server host names. Leave the apostrophes. +3. Run the script against the Access Analyzer database. + +```sql +Declare @OHost varchar (128) +Declare @NHost varchar (128) + +-- Configure the correct server names below. Leave the apostrophes! +Set @OHost = 'OldServer' +Set @NHost = 'NewServer' + +Update [HostMaster_SANodeFilter] +SET SA_Node = @NHost +Where SA_Node = @OHost; + +Update [HostListsTbl] +SET SA_Node = @NHost +Where SA_Node = @OHost +and ListID not in (Select ListID from [HostListsTbl] where SA_Node = @NHost); + +Update [QueryTbl] +SET SA_Node = @NHost +Where SA_Node = @OHost; +``` + +## Related Links + +- [Console Migration Workflow](/docs/kb/accessanalyzer/console-migration-workflow.md) +- [Console Migration Workflow: Step 1—Staging the Backup](/docs/kb/accessanalyzer/console-migration-workflow-step-1-staging-the-backup) +- [Console Migration Workflow: Step 3—Rebuild the Console](/docs/kb/accessanalyzer/console-migration-workflow-step-3-rebuild-the-console) diff --git a/docs/kb/accessanalyzer/console-migration-workflow-step-3-rebuild-the-console.md b/docs/kb/accessanalyzer/console-migration-workflow-step-3-rebuild-the-console.md new file mode 100644 index 0000000000..5a302f9b8c --- /dev/null +++ b/docs/kb/accessanalyzer/console-migration-workflow-step-3-rebuild-the-console.md 
@@ -0,0 +1,150 @@ +--- +description: >- + Lists the steps to rebuild the Netwrix Access Analyzer console on a new server + during console migration, including restoring backup files, registering + scheduled tasks, and updating configuration files and settings. +keywords: + - Access Analyzer + - console migration + - rebuild console + - scheduled tasks + - webserver.exe.config + - NAA_Migration + - Netwrix Auditor +products: + - access-analyzer + - access_info_center +sidebar_label: 'Console Migration Workflow: Step 3—Rebuild the Con' +tags: [] +title: 'Console Migration Workflow: Step 3—Rebuild the Console' +knowledge_article_id: kA0Qk0000002Or3KAE +--- + +# Console Migration Workflow: Step 3—Rebuild the Console + +> **NOTE:** Return to the main workflow page via this link: [Console Migration Workflow](/docs/kb/accessanalyzer/console-migration-workflow.md). +> +> Return to the previous section via this link: [Console Migration Workflow: Step 2—Prepare the Database](/docs/kb/accessanalyzer/console-migration-workflow-step-2-prepare-the-database). +> +> Proceed to the next section via this link: [Console Migration Workflow: Step 4—Validating the Migration](/docs/kb/accessanalyzer/console-migration-workflow-step-4-validate-the-migration) + +## Overview + +This article lists the steps for rebuilding the Netwrix Access Analyzer console during the Access Analyzer Migration. + +## Installing the Access Analyzer Console + +Follow the steps below to rebuild the Access Analyzer Console on the new server. Before installation, ensure that the `NAA_Migration` folder with the `StealthAUDIT.lic` license file is stored locally on the new Access Analyzer Console so it can be referenced during the installation process. + +1. Confirm that the prerequisites have been met on the Access Analyzer Console Server. + - Netwrix Help Center | Netwrix Access Analyzer 12.0 System Requirements: /docs/access-analyzer/12.0/enterpriseauditor/requirements +2. 
Install the Access Analyzer application, as well as the Access Information Center (AIC) application if the server will host both. + + > IMPORTANT: Do **NOT** start the Access Analyzer or AIC applications at this time. + +## Restoring the Backup Files + +1. After the initial installation of Access Analyzer and AIC, restore the following contents of the `NAA_Migration` folder: + + | File/Folder | Purpose | + |-------------|---------| + | `%SAInstallDir%\Jobs` | Contains the jobs from the SA jobs tree | + | `%SAInstallDir%\StealthAUDIT.lic` | The license key for the Netwrix Auditor product | + | `%SAInstallDir%\Reports` | Ensures that you do not need to republish all reports | + | `%SAInstallDir%\CLU` | Contains any Command Line Utility parameters | + | `%SAInstallDir%\ODBCProfiles\Custom` | Contains any custom ODBC connect strings for SQL | + | `%SAInstallDir%\SADatabase\Views` | Contains the host list definitions | + | `%SAInstallDir%\SecurityMap` | Contains all of the connection profiles | + | `%SAInstallDir%\GlobalOptions.xml` | Contains the Global Options | + | `%SAInstallDir%\SPProfiles.XML` | Contains the Storage Profiles | + | `%SAInstallDir%\rba.conf` | Contains the Role-Based Access Configuration | + | `%SAInstallDir%\rba-reporting.conf` | Published Reports role-based access | + | `%SAInstallDir%\DC\patternsdef.xml` | Configured SDD Criteria | + | `%SAInstallDir%\DC\mypatternsdef.xml` | Custom SDD Criteria | + | `%SAInstallDir%\FSAA` | Contains short-term data related to file server collections | + | `C:\Windows\System32\Tasks` | Specifically task names beginning with `SA*.job` | + +2. After you have copied the Reports folder from the old server to the new one, change the report hostname path to show it in the web server: + ` %SAInstallDir%Reports\v3\` + +3. 
After you have copied the Scheduled Tasks to `C:\Windows\System32\Tasks`, run the script below from an Admin PowerShell to register them: + +```powershell +$InstallPath=Get-ItemPropertyValue -Path HKLM:\SOFTWARE\WOW6432Node\STEALTHbits\StealthAUDIT -Name 'InstallPath' +$NewServerInstallerPath =$InstallPath+'StealthAuditStart.exe' +$ScheduledTaskFilePath="C:\Windows\System32\Tasks" + +Get-ChildItem -Path $ScheduledTaskFilePath -Filter SA*.job | Foreach-Object { + +$content = [xml] (Get-Content $_.FullName) +$oldServerInstallerPath= $content.Task.Actions.Exec.Command + +If($oldServerInstallerPath -ne $NewServerInstallerPath) +{ + $Content.Task.Actions.Exec.Command = $NewServerInstallerPath + $Content.Save($_.FullName) +} + +$taskName = ([System.IO.Path]::GetFileNameWithoutExtension($_.FullName)) +$TaskExist=Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue + +if (!$TaskExist) +{ +$UserID=$Content.Task.Principals.Principal.UserId +Register-ScheduledTask -Xml (get-content $_.FullName | out-string) -TaskName $taskName -User $UserID -Force +} + } +``` + +4. Open `\NAA_Migration\NAA\Web\webserver.exe.config` and copy the content between `` and paste it in place of the `` block in `%SAInstallDir%Web\webserver.exe.config`. + + ![webserver config image](images/ka0Qk000000FDY1_0EMQk00000CFkgO.png) + + NOTE: Open the destination `webserver.exe.config` as an administrator by following these steps: + + 1. Search **Notepad** in Start menu. + 2. Right-click > **Run as administrator**. + 3. In Notepad, click **File** > **Open %SAInstallDir%Web\webserver.exe.config**. + +5. Open `\NAA_Migration\AIC\AccessInformationCenter.Service.exe.config` and copy the content between `` and paste it in place of the `` block in `\Program Files\STEALTHbits\Access Information Center\AccessInformationCenter.Service.exe.Config`. + + NOTE: Open the destination `AccessInformationCenter.Service.exe.config` as an administrator by following the steps below: + + 1. 
Search **Notepad** in Start menu. + 2. Right-click > **Run as administrator**. + 3. In Notepad, click **File** > **Open** … `\Program Files\STEALTHbits\Access Information Center\AccessInformationCenter.Service.exe.Config`. + +6. Open the Netwrix Access Analyzer application and follow through the Access Analyzer Configuration Wizard, selecting **Choose a StealthAUDIT root folder path to copy from** if prompted. + + ![Configuration Wizard image](images/ka0Qk000000FDY1_0EMQk00000CFxaL.png) + + 1. See the following for more information on the Netwrix Access Analyzer Configuration Wizard: Access Analyzer Initial Configuration — /docs/access-analyzer/12.0/enterpriseauditor/installation/application + +7. After completing the Configuration Wizard, the Access Analyzer Application should open automatically. + +8. In the Access Analyzer Console, navigate to **Settings** > **Reporting**, and set the **Website URL** to contain the new console server's name. + + ![Reporting settings image](images/ka0Qk000000FDY1_0EMQk00000CFqfK.png) + +9. If using Windows Authentication to connect Access Analyzer to its database (click **Settings** > **Storage**), open `services.msc` and set the **Netwrix Access Analyzer Web Server** service to log on as a **Windows** service account with appropriate permissions on the Access Analyzer database. 
+ +## Additional Considerations + +If using any of the below, please recreate the certificate for the new NAA Console Server: + +- Netwrix Access Analyzer for SharePoint Online: /docs/access-analyzer/12.0/configuration/sharepointonline +- Netwrix Access Analyzer for Exchange Online: /docs/access-analyzer/12.0/configuration/exchangeonline +- Secured Published Reports Site (HTTPS): /docs/access-analyzer/12.0/enterpriseauditor/installation/application/reports +- Secured AIC Site (HTTPS): /docs/access-analyzer/12.0/access/informationcenter/installationation + +## Related Links + +- Console Migration Workflow: /docs/kb/access-analyzer/console_migration_workflow +- Console Migration Workflow: Step 2—Prepare the Database: /docs/kb/access-analyzer/console_migration_workflow_step_2—prepare_the_database +- Console Migration Workflow: Step 4—Validating the Migration: /docs/kb/access-analyzer/console_migration_workflow_step_4—validate_the_migration +- Netwrix Help Center | Netwrix Access Analyzer 12.0 System Requirements: /docs/access-analyzer/12.0/enterpriseauditor/requirements +- Access Analyzer Initial Configuration: /docs/access-analyzer/12.0/enterpriseauditor/installation/application +- Netwrix Access Analyzer for SharePoint Online: /docs/access-analyzer/12.0/configuration/sharepointonline +- Netwrix Access Analyzer for Exchange Online: /docs/access-analyzer/12.0/configuration/exchangeonline +- Secured Published Reports Site (HTTPS): /docs/access-analyzer/12.0/enterpriseauditor/installation/application/reports +- Secured AIC Site (HTTPS): /docs/access-analyzer/12.0/access/informationcenter/installationation diff --git a/docs/kb/accessanalyzer/console-migration-workflow-step-4-validate-the-migration.md b/docs/kb/accessanalyzer/console-migration-workflow-step-4-validate-the-migration.md new file mode 100644 index 0000000000..3f857f2f62 --- /dev/null +++ b/docs/kb/accessanalyzer/console-migration-workflow-step-4-validate-the-migration.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Instructions to validate a console migration for Netwrix Access Analyzer. + Verify jobs, schedules, role-based access, published reports, and JobStats + entries after migration. +keywords: + - console migration + - validation + - Netwrix Access Analyzer + - Job Tree + - Published Reports + - Schedules + - Access Information Center + - SA_HOST +products: + - access-analyzer + - access_info_center +sidebar_label: 'Console Migration Workflow: Step 4—Validate the Mi' +tags: [] +title: 'Console Migration Workflow: Step 4—Validate the Migration' +knowledge_article_id: kA0Qk0000002OsfKAE +--- + +# Console Migration Workflow: Step 4—Validate the Migration + +> **NOTE:** Return to the main workflow page via this link: [Console Migration Workflow](/docs/kb/accessanalyzer/console-migration-workflow.md). +> +> Return to the previous section via this link: [Console Migration Workflow: Step 3—Rebuild the Console](/docs/kb/accessanalyzer/console-migration-workflow-step-3-rebuild-the-console). + +## Overview + +After completing Steps 1-3, please verify the following: + +## Validating the Netwrix Access Analyzer Console Migration + +- The Job Tree contains all expected jobs. +- Verify the **Tasks** under **Schedules** have been carried over. +- If using Role-Based Access, verify that the **Access** tab under **Settings** contains users. +- Confirm that the Access Information Center launches. +- Confirm that the Published Reports web server launches. +- Validate that the reports are published and available in the **Published Reports** site. +- Open ` .Active Directory Inventory\1-AD_Scan\Status\JobStats` in Netwrix Access Analyzer and verify that the `SA_HOST` column contains the new Netwrix Access Analyzer Console server name. 
+ +## Related Links + +- [Console Migration Workflow](/docs/kb/accessanalyzer/console-migration-workflow.md) +- [Console Migration Workflow: Step 3—Rebuild the Console](/docs/kb/accessanalyzer/console-migration-workflow-step-3-rebuild-the-console) diff --git a/docs/kb/accessanalyzer/console-migration-workflow.md b/docs/kb/accessanalyzer/console-migration-workflow.md new file mode 100644 index 0000000000..b5d2247cd1 --- /dev/null +++ b/docs/kb/accessanalyzer/console-migration-workflow.md @@ -0,0 +1,33 @@ +--- +description: >- + Outlines the upgrade workflow for Netwrix Access Analyzer and links to + step-by-step articles for staging the backup, preparing the database, + rebuilding the console, and validating the migration. +keywords: + - console migration + - Netwrix Access Analyzer + - migration workflow + - staging backup + - database preparation + - rebuild console + - migration validation + - upgrade +products: + - access-analyzer + - access_info_center +sidebar_label: Console Migration Workflow +tags: [] +title: "Console Migration Workflow" +knowledge_article_id: kA0Qk0000002OmDKAU +--- + +# Console Migration Workflow + +## Overview + +This article outlines the upgrade workflow for Netwrix Access Analyzer. Refer to the following list of articles: + +1. [Access Analyzer Console Migration Workflow: Step 1 - Staging the Backup](/docs/kb/accessanalyzer/console-migration-workflow-step-1-staging-the-backup) +2. [Access Analyzer Console Migration Workflow: Step 2 - Prepare the Database](/docs/kb/accessanalyzer/console-migration-workflow-step-2-prepare-the-database) +3. [Access Analyzer Console Migration Workflow: Step 3 - Rebuild the Console](/docs/kb/accessanalyzer/console-migration-workflow-step-3-rebuild-the-console) +4. [Access Analyzer Console Migration Workflow: Step 4 - Validate the Migration](/docs/kb/accessanalyzer/console-migration-workflow-step-4-validate-the-migration) 
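Review bot: in console-migration-workflow.md, the description and the Overview both call this "the upgrade workflow", while the title, the keywords and all four linked articles describe a console migration to a new server; use "migration" throughout so the index matches the steps it links to. The link texts also read "Access Analyzer Console Migration Workflow: Step N - ..." with a hyphen, which differs from the titles of the target articles; align them so search and sidebar labels agree.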
diff --git a/docs/kb/accessanalyzer/could-not-drop-object-referenced-by-foreign-key-constraint.md b/docs/kb/accessanalyzer/could-not-drop-object-referenced-by-foreign-key-constraint.md new file mode 100644 index 0000000000..685104b243 --- /dev/null +++ b/docs/kb/accessanalyzer/could-not-drop-object-referenced-by-foreign-key-constraint.md 
@@ -0,0 +1,54 @@ +--- +description: >- + Explains how to resolve the "Could not drop object ... because it is + referenced by a foreign key constraint" error when running the SP_DropTables + job by identifying and removing the blocking foreign key constraints. +keywords: + - foreign key + - SP_DropTables + - DROP TABLE + - SQL Server + - FKTABLE_NAME + - constraint + - SQL Server Management Studio + - drop object + - database cleanup +products: + - access-analyzer +sidebar_label: Could Not Drop Object Referenced by Foreign Key Co +tags: [] +title: "Could Not Drop Object Referenced by Foreign Key Constraint" +knowledge_article_id: kA0Qk0000000IUnKAM +--- + +# Could Not Drop Object Referenced by Foreign Key Constraint + +## Symptom + +When you run the **SP_DropTables** job, the job fails and prompts the following error: + +``` +Could not drop object %table_name% because it is referenced by a foreign key constraint. +``` + +## Cause + +The affected tables reference the foreign key constraint preventing the **SP_DropTables** job from running correctly. + +## Resolution + +Manually release the constraints for the affected tables. + +1. In SQL Server Management Studio, run the following line to output associated foreign key constraints. The example shows the `SA_SPAC_ActivityEvents` table—replace it with the table mentioned in the error message. + +```sql +EXEC sp_fkeys 'SA_SPAC_ActivityEvents' +``` + +2. The results will contain the `FKTABLE_NAME` column—run the following line to release the corresponding constraint. The example shows the `SA_SPAC_ActivityEvents` foreign key. Run the line with each `FKTABLE_NAME` specified in the results. + +```sql +DROP TABLE SA_SPAC_GroupMembershipChanges +``` + +3. After releasing the constraints, rerun the **SP_DropTables** job. diff --git a/docs/kb/accessanalyzer/creating-a-daily-report-on-job-errors.md b/docs/kb/accessanalyzer/creating-a-daily-report-on-job-errors.md new file mode 100644 index 0000000000..bf3d2461cd --- /dev/null 
+++ b/docs/kb/accessanalyzer/creating-a-daily-report-on-job-errors.md @@ -0,0 +1,37 @@ +--- +description: >- + Shows how to create a scheduled daily report of failed jobs and job errors in + Netwrix Access Analyzer by using the SAS_ExecutionStatistics instant job and + configuring the Job Execution Statistics report. +keywords: + - job errors + - SAS_ExecutionStatistics + - Job Execution Statistics + - schedule + - daily report + - Netwrix Access Analyzer +products: + - access-analyzer +sidebar_label: Creating a Daily Report on Job Errors +tags: [] +title: "Creating a Daily Report on Job Errors" +knowledge_article_id: kA0Qk0000001KXlKAM +--- + +# Creating a Daily Report on Job Errors + +## Question + +Does Netwrix Access Analyzer allow the creation of a daily report on failed jobs and errors in jobs? + +## Answer + +> **NOTE:** To keep track of custom jobs, you can create a separate job group. This article references a custom group as **Sandbox**. + +Refer to the following steps to create a custom report on job errors: + +1. In the Netwrix Access Analyzer console, right-click the **Sandbox** job group and select **Add Instant Job**. +2. Proceed to the **Instant Job** page. Expand the **Netwrix Auditor Utilities** node, select the **SAS_ExecutionStatistics** job and click **Next**. +3. The host assignment does not affect the job—select the **Use default settings** option. Proceed with the wizard steps to save the job and exit the wizard. +4. Right-click the **SAS_ExecutionStatistics** job in the job tree and select **Schedule** to create a scheduled task. In the **Schedule** window, click **New** to define a schedule. Complete the wizard steps to save the schedule. +5. Under the **SAS_ExecutionStatistics** job, navigate to **Configure > Reports**, and configure the **Job Execution Statistics** report. In the **E-mail** page of the wizard, specify the target e-mail. Complete the wizard steps to save the changes. 
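Review bot: In the "Could Not Drop Object Referenced by Foreign Key Constraint" article earlier in this patch, step 2 says the command will "release the corresponding constraint", but the command shown is `DROP TABLE SA_SPAC_GroupMembershipChanges`, which removes the referencing table and its data rather than only the constraint. Say so explicitly and add a backup or confirmation step before it, or show a constraint-only command if that is what is intended. The sentence "The example shows the `SA_SPAC_ActivityEvents` foreign key" does not match the table named in the command, and the Cause sentence reads as if the affected tables hold the reference, while the error text says they are the ones being referenced.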
diff --git a/docs/kb/accessanalyzer/deleted-ad-user-s-still-show-in-netwrix-access-analyzer-reports.md b/docs/kb/accessanalyzer/deleted-ad-user-s-still-show-in-netwrix-access-analyzer-reports.md new file mode 100644 index 0000000000..e4f98234f7 --- /dev/null +++ b/docs/kb/accessanalyzer/deleted-ad-user-s-still-show-in-netwrix-access-analyzer-reports.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Deleted Active Directory user accounts still appear in Netwrix Access Analyzer + reports because the AD Inventory (ADI) scan did not detect deletions; this + article explains how to run a full AD Inventory Scan to resolve the issue. +keywords: + - Active Directory + - AD Inventory + - ADI + - deleted user + - SA_ADInventory_UsersView + - IsDeleted + - Access Analyzer + - 1-AD_Scan +products: + - access-analyzer +sidebar_label: Deleted AD User(s) Still Show In Netwrix Access An +tags: [] +title: "Deleted AD User(s) Still Show In Netwrix Access Analyzer Reports" +knowledge_article_id: kA0Qk0000001i73KAA +--- + +# Deleted AD User(s) Still Show In Netwrix Access Analyzer Reports + +## Symptom + +A deleted user account(s) from AD still shows in Netwrix Access Analyzer Reports and is not flagged as deleted. + +## Cause + +A failure on the ADI scan that could be caused by a myriad of reasons. + +## Resolution + +Run a full **AD Inventory Scan** by disabling differential scanning for the **1-AD_Scan** job using the steps below: + +1. Navigate to **Access Analyzer > Jobs > .Active Directory Inventory > 1-AD_Scan > Configure > Queries > Query Properties > Configure > Options**. + ![Image_2024-11-19_15-36-30.png](images/ka0Qk000000DYa9_0EMQk00000AdoIX.png) +2. Uncheck the box for **Collect only updates since the last scan**. + ![Image_2024-11-19_15-37-33.png](images/ka0Qk000000DYa9_0EMQk00000AdoSD.png) +3. Click **Next** through the end of the Active Directory Inventory DC Wizard. +4. Re-run the **1-AD_Scan** job. +5. Select the previously-unchecked box for **Collect only updates since the last scan**. +6. Re-run the **1-AD_Scan** job. +7. To determine whether the job was successful, verify the results in the `SA_ADInventory_UsersView`. Search for the deleted user to confirm whether it exists or is marked `IsDeleted`. +8. If the deleted user does not exist or is not marked `IsDeleted`, then verify the permissions on the scan account. 
The permissions must have **List contents & read Property** on the **Deleted Objects** container. +9. For more information, please see the following article: ADInventory Data Collector. diff --git a/docs/kb/accessanalyzer/deleted-objects-in-adinventory.md b/docs/kb/accessanalyzer/deleted-objects-in-adinventory.md new file mode 100644 index 0000000000..407e2f1411 --- /dev/null +++ b/docs/kb/accessanalyzer/deleted-objects-in-adinventory.md 
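Review bot: In deleted-ad-user-s-still-show-in-netwrix-access-analyzer-reports.md, step 9 names "ADInventory Data Collector" without a link, and steps 8 and 9 are troubleshooting guidance rather than actions in the procedure. Give step 9 a real target (this patch also adds deleted-objects-in-adinventory.md, which covers the Deleted Objects permission) and move both items out of the numbered list. The Cause line ("could be caused by a myriad of reasons") gives the reader nothing to check; name the causes the Resolution actually addresses, differential scanning and the scan account's rights on the **Deleted Objects** container.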
@@ -0,0 +1,84 @@ +--- +description: >- + ADInventory may not flag deleted objects unless it can access the Deleted + Objects container or you run a full scan. This article explains why the + IsDeleted column is not populated and how to grant or verify access to the + Deleted Objects container. +keywords: + - ADInventory + - Deleted Objects + - IsDeleted + - Deleted Objects container + - dsacls + - ADAC + - Active Directory + - tombstone + - USNChanged +products: + - access-analyzer +sidebar_label: Deleted Objects in ADInventory +tags: [] +title: "Deleted Objects in ADInventory" +knowledge_article_id: kA04u0000000IpGCAU +--- + +# Deleted Objects in ADInventory + +## Summary +IsDeleted column is not being populated in AD Inventory Users view + +## Issue +Objects are not being flagged as deleted by ADInventory. + +## Instructions +ADInventory uses LDAP queries to enumerate objects from Active Directory. +A full scan will query all objects, updating the full data set each time. + +The option to **Collect only updates since the last scan** only returns user, group and computer objects that have changed since the last scan. +This works by scoping the scan to objects having a `USNChanged` value greater than the highest value recorded for that domain controller at the start of the previous scan. + +In order for the IsDeleted column to be updated properly, you must either have: + +- Access to all Containers with `Users/Computers/Groups/tombstone objects` + +OR + +- You must deselect the option to **Collect only updates since the last scan**. + +If you go the route of granting the service account increased access, the Domain Admins group is not necessarily sufficient to gain proper access in all environments. +The ACL on the all containers including the "delete objects" container should be checked to ensure that the service account has been granted the proper access. 
+ +To verify your account has access to the **Deleted Objects** Container, you are required to log on to a computer with **Active Directory Administrative Center (ADAC)**: + +1. Log on with the account used in the connection profile. +2. Open **ADAC**. +3. Select your domain for the environment you are running Active Directory Inventory. +4. On the right hand pane double click to open **Deleted Objects**. + +This will list the deleted objects. If you are unable to view this with the connection profile account, you will need to ensure that the correct permissions have been assigned. +By default the Builtin Administrators group has access to this container (`BUILTIN\Administrators`). + +One method to grant a credential the necessary rights on the **Deleted Objects** container is using the `dsacls` command with an account that does have access to the container. + +Schema admins may be required to execute this. See Dsacls Technet Article here: https://technet.microsoft.com/en-us/library/cc771151%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396 + +``` +dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /G \:LCRP +``` + +This article shows how to modify the permissions on the deleted items container: +https://technet.microsoft.com/en-us/library/cc816824(v=ws.10).aspx + +So, if it helps at all, here's an article with some other information: https://technet.microsoft.com/en-us/library/dd379509(v=WS.10).aspx#BKMK_1 + +By default, builtin\administrator has access to this container. So, by default, domain admins should have access to it. + +## Displaying the Deleted Objects container +When Active Directory objects are deleted, they are placed in the Deleted Objects container. By default, the `CN=Deleted Objects` container is not displayed. You can use the `Ldp.exe` administration tool in Active Directory Domain Services (AD DS) to display the Deleted Objects container. 
+ +--- + +**Product:** Netwrix Auditor +**Module:** SA - DC - ADInventory +**Versions:** all +**Legacy Article ID:** 1193 diff --git a/docs/kb/accessanalyzer/disabling-the-server-header.md b/docs/kb/accessanalyzer/disabling-the-server-header.md new file mode 100644 index 0000000000..4ed9c5f754 --- /dev/null +++ b/docs/kb/accessanalyzer/disabling-the-server-header.md 
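Review bot: The `dsacls` example in deleted-objects-in-adinventory.md ends in `/G \:LCRP`, so the trustee before the colon has been lost and the command cannot run as written. Restore a visible placeholder for the account and state that `LCRP` is List Contents plus Read Property, which matches the **List contents & read Property** wording in the companion article. The closing line "So, by default, domain admins should have access to it" contradicts the earlier statement that Domain Admins "is not necessarily sufficient"; keep one of the two. "delete objects" should read "Deleted Objects", and the front matter files the article under access-analyzer while the footer says **Product:** Netwrix Auditor.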
@@ -0,0 +1,59 @@ +--- +description: >- + Shows how to disable the Server HTTP header in Netwrix Access Analyzer by + setting the Windows registry DisableServerHeader value to prevent banner + grabbing. +keywords: + - banner grabbing + - DisableServerHeader + - registry + - server header + - Netwrix Access Analyzer + - HTTP header + - security + - reboot +products: + - access-analyzer + - access_info_center +sidebar_label: Disabling the Server Header +tags: [] +title: "Disabling the Server Header" +knowledge_article_id: kA0Qk0000001yerKAA +--- + +# Disabling the Server Header + +## Overview + +This article explains how to disable the server header in Netwrix Access Analyzer to prevent banner grabbing, which can expose server information. Banner grabbing can occur if the Windows registry `DisableServerHeader` setting is not configured correctly on the host. + +> **NOTE:** Banner grabbing is the process of capturing banner information, such as application type and version, that is transmitted by a remote port when a connection is initiated. For more information, see Banner Grabbing ⸱ NIST 🔗 +> https://csrc.nist.gov/glossary/term/banner_grabbing +> +> ![Screenshot showing server information revealed through banner grabbing](images/ka0Qk000000E74r_0EMQk00000Brg4P.png) + +## Instructions + +Follow these steps to disable the server header in Netwrix Access Analyzer: + +1. Navigate to the **Windows Registry Editor**. +2. Add or update the following registry key: + `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader` +3. Set the value to: + `DWORD: 000002` + + ![Registry editor showing disabled server header](images/ka0Qk000000E74r_0EMQk00000CHuq5.png) +4. Reboot the server to apply the changes. +5. After the reboot, the result should resemble the Edge example below, in which the Server node is no longer listed. 
+ +![Screenshot showing browser developer tools with no server header information displayed](images/ka0Qk000000E74r_0EMQk00000BrSj0.png) + +> **IMPORTANT:** Modifications to this registry setting may occur due to the following reasons: +> - Netwrix Access Analyzer and Netwrix Access Information Center do not modify this setting during patching. +> - Microsoft may release a patch that changes its behavior, or internal configurations may enforce changes to the operating system, altering this setting. +> - Operating system configurations, such as group policy settings, may impact this setting or product functionality. Configuring the operating system is the customer's responsibility. + +## Related Article + +- Banner Grabbing ⸱ NIST 🔗 + https://csrc.nist.gov/glossary/term/banner_grabbing diff --git a/docs/kb/accessanalyzer/display-new-names-of-renamed-files-in-access-information-center.md b/docs/kb/accessanalyzer/display-new-names-of-renamed-files-in-access-information-center.md new file mode 100644 index 0000000000..7c56853f28 --- /dev/null +++ b/docs/kb/accessanalyzer/display-new-names-of-renamed-files-in-access-information-center.md 
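Review bot: Steps 2 and 3 of disabling-the-server-header.md fold the value name into the key path and give the data as `DWORD: 000002`, which leaves it unclear what to create. Spell it out as key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters`, value name `DisableServerHeader`, type DWORD, data `2`. The IMPORTANT callout opens with "Modifications to this registry setting may occur due to the following reasons" but its first bullet says the products do not modify the setting; reword the lead-in so the list reads consistently. Since the callout says patches and group policy can alter the value, a closing line telling the reader to re-check it after OS updates would make the hardening step durable.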
@@ -0,0 +1,34 @@ +--- +description: >- + Shows how to find the new name of a file after it was renamed by enabling the + Target Path column in Activity Details within Netwrix Access Analyzer. +keywords: + - Target Path + - Activity Details + - renamed file + - Access Information Center + - Netwrix Access Analyzer + - file rename + - audit + - rename detection +products: + - access-analyzer +sidebar_label: Display New Names of Renamed Files in Access Infor +tags: [] +title: "Display New Names of Renamed Files in Access Information Center" +knowledge_article_id: kA04u000000wnqlCAA +--- + +# Display New Names of Renamed Files in Access Information Center + +## Question + +How to establish the new name a file was renamed to in Netwrix Access Analyzer? + +## Answer + +1. Open **Activity Details** in Netwrix Access Analyzer. +2. Right-click the header bar and select **Target Path**. +3. The **Target Path** will show the new name of the renamed file. + +![Activity Details showing Target Path](images/ka04u000000wwHf_0EM4u000008pesA.png) diff --git a/docs/kb/accessanalyzer/email_attachments_missing_in_v11.6.0.45_and_older_builds.md b/docs/kb/accessanalyzer/email_attachments_missing_in_v11.6.0.45_and_older_builds.md new file mode 100644 index 0000000000..ddc3ff4537 --- /dev/null +++ b/docs/kb/accessanalyzer/email_attachments_missing_in_v11.6.0.45_and_older_builds.md 
@@ -0,0 +1,35 @@ +--- +description: >- + This article addresses the issue of missing CSV attachments in email reports for Netwrix Access Analyzer v11.6.0.45 and older builds, providing a resolution through an upgrade. +keywords: + - Netwrix Access Analyzer + - email reports + - CSV attachments + - upgrade + - bug fix +sidebar_label: Missing Email Attachments +tags: [] +title: "Email Attachments Missing in v11.6.0.45 and Older Builds" +knowledge_article_id: kA0Qk0000000LR3KAM +products: + - access-analyzer +--- + +# Email Attachments Missing in v11.6.0.45 and Older Builds + +## Symptom + +CSV attachments are missing in email reports in **Netwrix Access Analyzer** v11.6.0.45 and older builds. + +## Cause + +This is a known issue that has been fixed in **Netwrix Access Analyzer** v11.6.0.46. + +## Resolution + +Upgrade your Access Analyzer instance to version v11.6.0.46 or later. You can download the latest version at [My Products · Netwrix](https://www.netwrix.com/my_products.html). + +## Related Links + +- [My Products · Netwrix](https://www.netwrix.com/my_products.html) +- [Netwrix Access Analyzer v11.6 Bug Fix List](/docs/accessanalyzer/) \ No newline at end of file diff --git a/docs/kb/accessanalyzer/error-cannot-create-a-file-when-that-file-already-exists-ssl-certificate.md b/docs/kb/accessanalyzer/error-cannot-create-a-file-when-that-file-already-exists-ssl-certificate.md new file mode 100644 index 0000000000..c265c02bea --- /dev/null +++ b/docs/kb/accessanalyzer/error-cannot-create-a-file-when-that-file-already-exists-ssl-certificate.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Explains how to resolve the "Cannot create a file when that file already + exists" (Error 183) when creating an SSL binding for Netwrix Access Analyzer + Access Reports or Access Info Center by unbinding the prior certificate and + binding a new one. +keywords: + - SSL + - certificate + - netsh + - sslcert + - Error 183 + - Cannot create a file when that file already exists + - Netwrix Access Analyzer + - Access Info Center +products: + - access-analyzer + - access_info_center +visibility: public +sidebar_label: 'Error: Cannot Create a File When That File Already' +tags: [] +title: 'Error: Cannot Create a File When That File Already Exists (SSL Certificate)' +knowledge_article_id: kA0Qk0000001JBtKAM +--- + +# Error: Cannot Create a File When That File Already Exists (SSL Certificate) + +## Symptom + +When you attempt to create an SSL binding for Netwrix Access Analyzer Access Reports or Access Info Center, your PowerShell instance prompts the following error: + +``` +SSL Certificate add failed, Error: 183 +Cannot create a file when that file already exists. +``` + +## Cause + +The target port has a bound SSL certificate. If you would like to bind a different certificate, unbind the prior certificate from the target port. + +## Resolution + +Refer to the following steps to verify that the target port has a bound SSL certificate and unbind the certificate: + +1. Run the following line in an elevated Command Prompt instance to generate a `result.txt` file containing certificates bound to ports in your server: + + ```text + netsh http show sslcert > c:\result.txt + ``` + +2. Open the created `result.txt` file and search for the target port. If you confirm the bound certificate, run the following line in the elevated PowerShell instance to unbind the certificate: + + ```text + netsh http delete sslcert ipport=0.0.0.0:481 + ``` + + Replace `481` with the target port. + +3. 
Bind a new certificate—refer to the following article for additional information: Secure Console Access—Create an SSL Binding · v10.7 (/docs/auditor/10.7/access/reviews/installationation). + +## Related Articles + +- Secure Console Access—Create an SSL Binding · v10.7 (/docs/auditor/10.7/access/reviews/installationation) diff --git a/docs/kb/accessanalyzer/error-code-5-access-is-denied-when-opening-the-console.md b/docs/kb/accessanalyzer/error-code-5-access-is-denied-when-opening-the-console.md new file mode 100644 index 0000000000..a3acd00a87 --- /dev/null +++ b/docs/kb/accessanalyzer/error-code-5-access-is-denied-when-opening-the-console.md 
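Review bot: Step 1 of error-cannot-create-a-file-when-that-file-already-exists-ssl-certificate.md says elevated Command Prompt while step 2 says "the elevated PowerShell instance"; pick one shell and use it in both steps. Step 2 deletes the binding without telling the reader to keep the existing entry, so add a line to record the current binding for the target port from `result.txt` before running `netsh http delete sslcert`, so it can be restored if the new bind fails. The link target `/docs/auditor/10.7/access/reviews/installationation` looks mistyped and appears in both step 3 and Related Articles.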
@@ -0,0 +1,43 @@ +--- +description: >- + When opening the Netwrix Access Analyzer console, you may see "System Error. + Code: 5. Access is denied." This article explains the cause and provides steps + to resolve the issue by granting the required permissions to the + %SAInstallDir% folder. +keywords: + - code 5 + - access denied + - Netwrix Access Analyzer + - permissions + - Modify + - '%SAInstallDir%' + - schema check + - console error +products: + - access-analyzer +sidebar_label: 'Error: Code: 5 Access is Denied When Opening the C' +tags: [] +title: 'Error: Code: 5 Access is Denied When Opening the C' +knowledge_article_id: kA0Qk0000001rK1KAI +--- + +# Error: Code: 5 Access is Denied When Opening the C + +## Symptom + +When opening the Netwrix Access Analyzer console, you receive the following error message while checking schemas: + +```text +System Error. Code: 5. Access is denied. +``` + +![Error dialog image](images/ka0Qk000000EMFB_0EMQk00000CzhkH.png) + +## Cause + +The current user does not have sufficient permissions to the ` %SAInstallDir%` folder. The user must have at least **Modify** permission access to the folder and all child objects. + +## Resolution + +1. Add the user or group to the security permissions on the ` %SAInstallDir%` folder. +2. Ensure that they have at least **Modify** permission access to the folder and all child objects. diff --git a/docs/kb/accessanalyzer/error-connection-attempt-failed-because-connected-party-did-not-properly-respond.md b/docs/kb/accessanalyzer/error-connection-attempt-failed-because-connected-party-did-not-properly-respond.md new file mode 100644 index 0000000000..92c16ab7a6 --- /dev/null +++ b/docs/kb/accessanalyzer/error-connection-attempt-failed-because-connected-party-did-not-properly-respond.md 
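Review bot: The `title` and the H1 in error-code-5-access-is-denied-when-opening-the-console.md are cut off at "When Opening the C", not only the `sidebar_label`; restore the full wording that the file name and description imply. The code spans written as ` %SAInstallDir%` carry a leading space in both Cause and Resolution. Because the fix grants **Modify** on the installation folder and all child objects, which is a broad right, the Resolution should say which users or group are expected to receive it instead of leaving "the user or group" open.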
@@ -0,0 +1,69 @@ +--- +description: >- + File System Scan can fail with a "connection attempt failed" error when the + audited host is unreachable due to blocked ports. This article explains the + cause and shows how to test and resolve connectivity on ports 8767 and 8766. +keywords: + - File System Scan + - connection attempt failed + - 8767 + - 8766 + - proxy + - Test-NetConnection + - firewall + - Netwrix Access Analyzer + - File System Proxy +products: + - access-analyzer +sidebar_label: "Error: Connection Attempt Failed Because Connected Party Did Not Properly Respond" +tags: [] +title: >- + Error: Connection Attempt Failed Because Connected Party Did Not Properly + Respond +knowledge_article_id: kA0Qk0000001hULKAY +--- + +# Error: Connection Attempt Failed Because Connected Party Did Not Properly Respond + +## Symptom + +The File System Scan completes with the following error message: + +``` +Error: A connection attempt failed because the connected party did not properly respond after a period of time, or the established connection failed because connected host +has failed to respond IP:87xx +``` + +## Cause + +A third-party security tool or firewall rule is blocking the needed ports (`8767` and `8766`) for the File System Scan to function correctly. + +## Resolution + +Netwrix Access Analyzer server needs to communicate with the audited host via ports `8767` and `8766` as shown below. You may refer to the following PowerShell commands, but ensure to replace `2019dc` with your needed host name: + +1. Run these PowerShell commands to test connectivity: + +```powershell +$RPC_host= 'REPLACE-WITH-YOUR-PROXY-HOST' +Test-NetConnection -ComputerName $RPC_host -Port 8766 -InformationLevel Detailed +Test-NetConnection -ComputerName $RPC_host -Port 8767 -InformationLevel Detailed +``` + +![Test-NetConnection output image](images/ka0Qk000000E4gT_0EMQk000009AG1X.png) + +2. If the test connections are successful on both ports, then the error should not appear. + +3. 
If the test connections fail, verify that the proxy is installed and running at that location. + - If the proxy is not installed, then ensure it is installed and running following these steps: Netwrix Access Analyzer v12.0 > **File System Proxy Service Installation**. + - If the proxy is installed and running, then the environment must either have a firewall or other security software preventing communication on ports `8767` and `8766`. + +## Related Articles + +For more information on port requirements, please see the various guides for each scan mode below: + +- Netwrix Access Analyzer v12.0 > **File System Proxy Service Installation** +- Netwrix Access Analyzer v12.0 > **Applet Mode Port Requirements** +- Netwrix Access Analyzer v12.0 > **Proxy Mode with Applet Port Requirements** +- Netwrix Access Analyzer v12.0 > **Proxy Mode as a Service Port Requirements** +- Netwrix Access Analyzer v12.0 > **Local Mode Port Requirements** diff --git a/docs/kb/accessanalyzer/error-getting-scan-database-from-execution-host-one-or-more-errors-occurred.md b/docs/kb/accessanalyzer/error-getting-scan-database-from-execution-host-one-or-more-errors-occurred.md new file mode 100644 index 0000000000..831b3722f7 --- /dev/null +++ b/docs/kb/accessanalyzer/error-getting-scan-database-from-execution-host-one-or-more-errors-occurred.md 
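Review bot: The Resolution paragraph in error-connection-attempt-failed-because-connected-party-did-not-properly-respond.md tells the reader to replace `2019dc`, but the snippet uses `'REPLACE-WITH-YOUR-PROXY-HOST'`, and "as shown below" is not followed by any diagram. Align the prose with the placeholder that is actually in the code. Steps 2 and 3 describe outcomes rather than actions, and the final bullet should state the direction of the traffic on ports `8767` and `8766` (Access Analyzer server to the audited or proxy host, per the first sentence) so the firewall exception can be scoped to those two hosts and ports only.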
@@ -0,0 +1,67 @@ +--- +description: >- + Describes how to resolve the "Error getting scan database from execution host: + One or more errors occurred" message when a file system scan using a proxy + fails due to insufficient disk space by migrating the File System Proxy + service to another drive. +keywords: + - file system proxy + - scan database + - execution host + - disk space + - Netwrix Auditor + - FSAA + - proxy service + - StealthAUDIT +products: + - access-analyzer +sidebar_label: 'Error Getting Scan Database from Execution Host — ' +tags: [] +title: "Error Getting Scan Database from Execution Host — One or More Errors Occurred" +knowledge_article_id: kA0Qk0000000awLKAQ +--- + +# Error Getting Scan Database from Execution Host — One or More Errors Occurred + +## Symptom + +A file system scan using a proxy server prompts the following error in Netwrix Auditor: + +```text +Error getting scan database from execution host: One or more errors occurred +``` + +## Causes + +The installation drive for the File System Proxy service is running out of space. + +## Resolution + +Review the installation of the File System Proxy service and verify that there is enough space in the installation drive. Proceed with the following steps to migrate the File System Proxy service to another drive: + +1. Back up the files located in the following folder or a custom install location to the new target installation drive: + + ```text + C:\Program Files (x86)\STEALTHbits\StealthAUDIT\FSAA\ + ``` + +2. Uninstall the File System Proxy service. Refer to the following article for additional information: /docs/auditor/11.6/enterpriseauditor/installation/filesystemproxy (File System Proxy as a Service Overview — Uninstall Proxy Service Process · v11.6). + +3. Install the File System Proxy service to a different drive to allow operation without disk space errors. 
Refer to the following article for additional information: /docs/auditor/11.6/enterpriseauditor/installation/filesystemproxy (File System Proxy as a Service Overview — File System Proxy Service Installation · v11.6). + +4. Navigate to **Services** and stop the proxy service named **Netwrix Enterprise Auditor FSAA Proxy Scanner**. + +5. Move the backed-up files to the following folder or a custom install location: + + ```text + %x%:\Program Files (x86)\STEALTHbits\StealthAUDIT\FSAA\ + ``` + + > **IMPORTANT:** Replace the `%x%` placeholder with the target drive letter. + +6. In **Services**, start the proxy service. + +## Related Articles + +- /docs/auditor/11.6/enterpriseauditor/installation/filesystemproxy (File System Proxy as a Service Overview — Uninstall Proxy Service Process · v11.6) +- /docs/auditor/11.6/enterpriseauditor/installation/filesystemproxy (File System Proxy as a Service Overview — File System Proxy Service Installation · v11.6) diff --git a/docs/kb/accessanalyzer/error-http-400-bad-request-request-header-too-long.md b/docs/kb/accessanalyzer/error-http-400-bad-request-request-header-too-long.md new file mode 100644 index 0000000000..f7f8581570 --- /dev/null +++ b/docs/kb/accessanalyzer/error-http-400-bad-request-request-header-too-long.md 
@@ -0,0 +1,68 @@ +--- +description: >- + When using SSO for the Published Reports web console (port 8082), you may + receive an HTTP 400 Bad Request (Request Header too long). This article + explains the cause and how to adjust the IIS HTTP registry limits + (`MaxFieldLength`, `MaxRequestBytes`) to resolve the issue. +keywords: + - HTTP 400 + - Request Header Too Long + - MaxFieldLength + - MaxRequestBytes + - IIS + - SSO + - Kerberos + - WWW-Authenticate + - registry + - Published Reports +products: + - access-analyzer +sidebar_label: 'Error: HTTP 400 Bad Request: Request Header Too Lo' +tags: [] +title: 'Error: HTTP 400 Bad Request: Request Header Too Long' +knowledge_article_id: kA0Qk00000020ITKAY +--- + +# Error: HTTP 400 Bad Request: Request Header Too Long + +## Symptom + +When attempting to use SSO for the **Published Reports** web console (port 8082), you encounter the following error: + +``` +HTTP 400 Bad Request (Request Header too long) responses to HTTP requests +``` + +## Cause + +This issue may occur if the user is a member of many Active Directory user groups. + +The HTTP request to the server contains the Kerberos token in the `WWW-Authenticate` header. The header size increases together with the number of user groups. If the HTTP header or packet size increases past the limits configured on the server, the server may reject the request and send an error message as the response. + +## Resolution + +To resolve this error, follow the steps below: + +1. For IIS 6.0 and later, the `MaxFieldLength` and `MaxRequestBytes` registry keys are located at the following subkey: + + - `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters` + +2. Set the key values as shown in the following table: + + | Name | Value Type | Value Data | + | -------------- | ---------- | ----------------------------- | + | `MaxFieldLength` | DWORD | `(4/3 * T bytes) + 200` | + | `MaxRequestBytes` | DWORD | `(4/3 * T bytes) + 200` | + +3. 
You can also set the registry keys to their maximum values, as shown in the table below. Consider all potential security ramifications before making any changes to the registry settings: + + | Name | Value Type | Value Data | + | -------------- | ---------- | --------------------------------------------- | + | `MaxFieldLength` | DWORD | `65536 (Decimal) or 10000 (Hexadecimal)` | + | `MaxRequestBytes` | DWORD | `16777216 (Decimal) or 1000000 (Hexadecimal)` | + +For detailed information on this error message, refer to the full Microsoft documentation: [Troubleshooting HTTP 400 Bad Request Responses — Microsoft 🤥](https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/http-bad-request-response-kerberos#workaround-1-decrease-the-number-of-active-directory-groups). + +## Related Article + +- [Troubleshooting HTTP 400 Bad Request Responses — Microsoft 🤥](https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/http-bad-request-response-kerberos#workaround-1-decrease-the-number-of-active-directory-groups) diff --git a/docs/kb/accessanalyzer/error-invalid-local-storage-version.md b/docs/kb/accessanalyzer/error-invalid-local-storage-version.md new file mode 100644 index 0000000000..efbdc6f672 --- /dev/null +++ b/docs/kb/accessanalyzer/error-invalid-local-storage-version.md 
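Review bot: The first table in error-http-400-bad-request-request-header-too-long.md uses `T` in `(4/3 * T bytes) + 200` without defining it; say what T stands for and how to obtain it, otherwise the only usable values are the maximums in step 3. The Cause says the request carries the Kerberos token in the `WWW-Authenticate` header, but that is the server's challenge header; the client sends the token in `Authorization`. Step 3 refers to "potential security ramifications" without naming any, and neither step says whether a service restart or reboot is needed for the new limits to apply. The link text ends in a lying-face emoji in both places, which looks unintended.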
@@ -0,0 +1,54 @@ +--- +description: >- + An Activity Auditing (SPAC) scan fails after upgrading Netwrix Access Analyzer + with an Invalid local SPAA storage version error; follow the steps to update + the SPAA database schema. +keywords: + - SPAA + - SPAC + - Invalid local storage version + - SPSEEK + - SPAA_BulkImport + - Netwrix Access Analyzer + - database schema + - SystemScans +products: + - access-analyzer +sidebar_label: "Error: Invalid Local Storage Version" +tags: [] +title: 'Error: Invalid Local Storage Version' +knowledge_article_id: kA0Qk0000001RUPKA2 +--- + +# Error: Invalid Local Storage Version + +## Symptom + +After the recent Netwrix Access Analyzer upgrade (`11.6.0.69`), an Activity Auditing (SPAC) scan populates the following error: + +```text +Stealthbits.StealthAUDIT.DataCollectors.SPAA.Storage.InvalidStorageVersionException: +Invalid local SPAA storage version. Expected %x& but found %y%. +``` + +## Cause + +The SPAA database schema is outdated and requires an update. + +## Resolution + +Perform the following steps to update the database schema: + +1. Run either the **1-SPSEEK_SystemScans** or **2-SPAA_SystemScans** job at `level 0`. Refer to the following articles for additional information: + - /docs/auditor/11.6/enterpriseauditor/solutions/sharepoint/collection + - /docs/auditor/11.6/enterpriseauditor/solutions/sharepoint/collection +2. Depending on the previously selected job, run either the **4-SPSEEK_BulkImport** or **5-SPAA_BulkImport** job to update the schema. +3. Run the **3-SPAC_SystemScans** job to verify that the issue is resolved. + +## Related Articles + +- 0.Collection Job Group — 1-SPSEEK_SystemScans Job · v11.6 + /docs/auditor/11.6/enterpriseauditor/solutions/sharepoint/collection + +- 0.Collection Job Group — 2-SPAA_SystemScans Job · v11.6 + /docs/auditor/11.6/enterpriseauditor/solutions/sharepoint/collection 
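Review bot: The quoted error in error-invalid-local-storage-version.md has a mismatched placeholder, `Expected %x& but found %y%`; it should read `%x%`. Step 1 lists the same URL twice for two different jobs and Related Articles repeats it under two titles, so the reader cannot tell the targets apart; use distinct anchors or a single link. "at `level 0`" needs a clause saying where that level is selected.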
diff --git a/docs/kb/accessanalyzer/error-job-connection-profile-is-not-available.md b/docs/kb/accessanalyzer/error-job-connection-profile-is-not-available.md new file mode 100644 index 0000000000..9f840ecde4 --- /dev/null +++ b/docs/kb/accessanalyzer/error-job-connection-profile-is-not-available.md @@ -0,0 +1,44 @@ +--- +description: >- + Explains why a Netwrix Access Analyzer job fails with "Job connection profile + is not available" and how to resolve it by selecting the default connection + profile in job and job group settings. +keywords: + - Job connection profile + - Job connection profile is not available + - connection profile + - Netwrix Access Analyzer + - Use Default Profile + - job properties + - connection settings +products: + - access-analyzer +sidebar_label: 'Error: Job Connection Profile Is Not Available' +tags: [] +title: 'Error: Job Connection Profile Is Not Available' +knowledge_article_id: kA04u00000110lxCAA +--- + +# Error: Job Connection Profile Is Not Available + +## Symptom + +A Netwrix Access Analyzer job fails with the following error: + +``` +Job connection profile is not available +``` + +## Cause + +The connection profile has either never been set up, selected, or has been deleted. + +## Resolution + +Select the **Use(r) default...** option in both **Connection** and **Job Properties**: + +1. In job group, go to **Settings** > **Connection**. +2. Select **Use Default Profile (Inherit from the parent group, if any, or the global Default setting)**. +3. In the job groups tree, right-click the required job and select **Properties**. +4. Select the **Connection** tab > select **User default (Inherit from the patent group, if any, or use the global default setting)**. +5. Click **OK** to save changes. diff --git a/docs/kb/accessanalyzer/error-length-of-access-control-list-exceed-allowed-maximum.md b/docs/kb/accessanalyzer/error-length-of-access-control-list-exceed-allowed-maximum.md new file mode 100644 index 0000000000..e77c2e274c 
--- /dev/null +++ b/docs/kb/accessanalyzer/error-length-of-access-control-list-exceed-allowed-maximum.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Describes an error encountered when an Active Directory Inventory scan detects + an access control list (ACL) that exceeds the allowed maximum size, and + provides steps to prevent the scan from terminating. +keywords: + - ACL + - access control list + - Active Directory + - scan error + - Netwrix Access Analyzer + - 1-AD_Scan + - ACL limit + - maximum size +products: + - access-analyzer +sidebar_label: 'Error: Length of Access Control List Exceed Allowe' +tags: [] +title: 'Error: Length of Access Control List Exceed Allowed Maximum' +knowledge_article_id: kA0Qk0000001gjZKAQ +--- + +# Error: Length of Access Control List Exceed Allowed Maximum + +## Symptoms + +Both of the following symptoms are present in your environment: + +- There is a user that exceeds the access control list (ACL) maximum threshold when running an Active Directory Inventory `\1-AD_Scan` job in the Netwrix Access Analyzer application. +- The system generates the following error message: + +``` +Error on the Active Directory Inventory\1-AD_Scan: REDACTED USER DN 'Length of the access control list exceed the allowed maximum. +``` + +## Cause + +This error is caused when the ACL reaches its maximum size. The size of an ACL varies with the number and size of its access control entries (ACEs). The maximum size of an ACL is 64 kilobytes (KB), or approximately 1,820 ACEs. However, reaching the maximum size can sometimes degrade performance. + +**NOTE:** For more information on ACL Limitations, refer to the official Microsoft documentation: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/error-add-user-to-security-permissions (Maximum number of access control entries in the access control list). + +## Resolution + +To prevent the error from immediately terminating the scan when the ACL maximum size is reached, follow these steps: + +1. Perform a cumulative update to Netwrix Access Analyzer version `11.6.0.114` or later. +2. 
Follow the steps in this document to perform the upgrade process: Netwrix Access Analyzer Console Upgrade — /docs/auditor/11.6/enterpriseauditor/installation/application/upgrade + +> **IMPORTANT:** This hotfix changes the exception handling so that instead of terminating the scan, a warning is logged about the user not being scanned. diff --git a/docs/kb/accessanalyzer/error-refused-to-connect-in-web-console.md b/docs/kb/accessanalyzer/error-refused-to-connect-in-web-console.md new file mode 100644 index 0000000000..a7d2a2e5a2 --- /dev/null +++ b/docs/kb/accessanalyzer/error-refused-to-connect-in-web-console.md 
@@ -0,0 +1,90 @@ +--- +description: >- + Describes how to resolve "Refused to connect" errors when accessing Web + Reports by unbinding a conflicting reserved URL on the Netwrix Access Analyzer + host. +keywords: + - refused to connect + - web console + - web reports + - netsh + - urlacl + - sslcert + - BindingURL + - port conflict + - Netwrix Access Analyzer +products: + - access-analyzer +sidebar_label: 'Error: Refused to Connect in Web Console' +tags: [] +title: 'Error: Refused to Connect in Web Console' +knowledge_article_id: kA0Qk0000001LDhKAM +--- + +# Error: Refused to Connect in Web Console + +## Symptoms + +Refer to the following symptoms present in your Netwrix Access Analyzer environment: + +- When you attempt to access reports via Web Reports, the following error appears: + +``` +Refused to connect +``` + +- The ` %sainstalldir%SADatabase\Logs\Web\Service.log` file in Netwrix Access Analyzer contains the following entry: + +```text +%time_stamp% ERROR - Inner Exception +%time_stamp% ERROR - System.Net.HttpListenerException (0x80004005): Failed to listen on prefix 'https://+:8082/' +because it conflicts with an existing registration on the machine. +``` + +> **NOTE:** The prefix may differ in your environment. Alter the prefix as necessary in the following instruction steps. + +## Cause + +An existing application on the Netwrix Access Analyzer host is actively listening on the affected port. Web Reports cannot be bound to the same port. + +## Resolution + +> **NOTE:** If the `BindingURL` node does not contain a port, refer to the default values of `80` and `443` for HTTP and HTTPS correspondingly. + +Unbind the port from the application. Refer to the following steps: + +1. Verify the Web Reports port—review the `BindingURL` node contents in the following document: + + ```text + %sainstalldir%Web\WebServer.exe.config + ``` + + The `BindingURL` includes the port number and the protocol (HTTP or HTTPS). 
+ + ![Config file](images/ka0Qk0000005DxV_0EMQk0000075k4b.png) + +2. On your Netwrix Access Analyzer host, run the following line in an elevated Command Prompt instance to retrieve all reserved URLs: + + ```text + netsh http show urlacl + ``` + +3. Review the list to find the affected port. Run the following line to unbind the reserved URL: + + ```text + netsh http delete urlacl url="%Reserved_URL_value%" + ``` + + The output should read `URL reservation successfully deleted`. + +4. Run the following line to verify that the affected port has a bound SSL certificate: + + ```text + netsh http show sslcert + ``` + + If the output does not include the affected port, refer to the following article to learn more about the SSL binding: /docs/auditor/11.6/enterpriseauditor/installation/application/reports + +## Related Articles + +- /docs/auditor/11.6/enterpriseauditor/installation/application/reports (Reports via the Web Console — Securing the Web Console · v11.6) diff --git a/docs/kb/accessanalyzer/error-removed-host-name-in-aic-andor-fsaa-host-table.md b/docs/kb/accessanalyzer/error-removed-host-name-in-aic-andor-fsaa-host-table.md new file mode 100644 index 0000000000..21cbb064ff --- /dev/null +++ b/docs/kb/accessanalyzer/error-removed-host-name-in-aic-andor-fsaa-host-table.md 
@@ -0,0 +1,40 @@ +--- +description: >- + This article addresses the issue of seeing !REMOVED- in the Access Information Center (AIC) and/or SA_FSAA_Hosts table after dropping data for a File Server, along with its causes and resolutions. +keywords: + - Access Information Center + - File Server + - host data removal +sidebar_label: Host Name Issue in AIC and FSAA +tags: [] +title: "Error: !REMOVED- Host Name in AIC and/or FSAA Host Table" +knowledge_article_id: kA0Qk0000001qxRKAQ +products: + - access-analyzer +--- + +# Error: !REMOVED- Host Name in AIC and/or FSAA Host Table + +## Symptom + +In the Access Information Center (AIC) and/or SA_FSAA_Hosts table in the SQL database, you see **!REMOVED-** after dropping data for a File Server. + +## Cause + +You have used the **Remove host data** option in the **FILESYSTEMACCESS** Data Collector to try and remove host data, but the job timed out or errored. + +## Resolution + +Re-run the job used to remove the host data against the full **!Removed-…** name. + +- This is typically a custom job that was created. If you are unsure what job was run, please see the following article for how to create a custom job to drop File Server host data: [How to Drop Data for Decommissioned File Servers](/docs/kb/activitymonitor/dropping_file_system_data). + +- If you have already rerun the job and it throws a timeout error, then change the job timeout to a longer value. + + 1. Right-click the job, then select **Properties** and adjust the **Timeout minutes setting** in the General tab. + 2. Setting this value to **1440 minutes (24 hours)** for safety should suffice, although the job is unlikely to take this long. + 3. This is to allow the job to run without timing out if there is much data to be dropped. + +## Related Article + +- [How to Drop Data for Decommissioned File Servers](/docs/kb/activitymonitor/dropping_file_system_data) \ No newline at end of file 
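Review bot: The host-name marker is written two ways in this article, `!REMOVED-` in the title and Symptom and `!Removed-…` in the Resolution, which matters because the reader is told to run the job against the full name as it appears. Use the exact casing stored in `SA_FSAA_Hosts` throughout. In the nested timeout list, items 2 and 3 are explanation rather than steps and would read better as sentences under item 1. If the UI label is "Timeout minutes", the word "setting" should sit outside the bold.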
diff --git a/docs/kb/accessanalyzer/error-request-for-downloading-published-reports-failed.md b/docs/kb/accessanalyzer/error-request-for-downloading-published-reports-failed.md new file mode 100644 index 0000000000..2d82214c3c --- /dev/null +++ b/docs/kb/accessanalyzer/error-request-for-downloading-published-reports-failed.md 
@@ -0,0 +1,79 @@ +--- +description: >- + You receive "Request for downloading published reports failed: Internal Server + Error" when opening the Reporting web page or encounter a corrupted published + report file in Netwrix Access Analyzer. This article explains the cause and + provides step-by-step instructions to rebuild the Reports folder and republish + reports. +keywords: + - published reports failed + - Internal Server Error + - Reports.xml + - Netwrix Access Analyzer + - rebuild Reports folder + - publish reports + - SADebug +products: + - access-analyzer +sidebar_label: 'Error: Request for Downloading Published Reports F' +tags: [] +title: 'Error: Request for Downloading Published Reports Failed' +knowledge_article_id: kA0Qk000000297FKAQ +--- + +# Error: Request for Downloading Published Reports Failed + +## Symptoms + +Either of the following symptoms is present in your environment: + +- Upon opening the Reporting web page, you receive the following error: + +``` +! Request for downloading published reports failed: Internal Server Error +``` + +![Error message indicating 'Request for downloading published reports failed: Internal Server Error'](images/ka0Qk000000EHKL_0EMQk00000C2keA.png) + +- If the file is corrupted, the following error could appear when opening the Netwrix Access Analyzer console. + +![Console pop-up showing the error message 'Hexadecimal value 0x00, is an invalid character.'](images/ka0Qk000000EHKL_0EMQk00000C2hzg.png) + + - Log entry example: + +```text +DEBUG Netwrix Enterprise Auditor IsGroupPublished "Data at the root level is invalid. Line 1, position 1." +%sainstalldir%\SADatabase\Logs\Application\SADebug-20250306124900-10776.TSV +``` + +## Cause + +The issue is caused by a corrupted `Reports.xml`. + +## Resolution + +To resolve these errors, follow the steps below. + +1. Rebuild the Reports folder under the install path. If you want to back up the folder, archive it prior to deleting the original. 
+ + > **NOTE:** To find the install path, enter the following environmental variable into the application server's Windows File Explorer: ` %sainstalldir%`. Then, right-click the **Reports** folder to archive and/or delete it. + +2. Close and reopen the **Access Analyzer** Console to rebuild the folder. + +3. To publish the report(s) again, right-click a needed Job Group (for example, **Jobs**), and select **Publish** to publish the reports from the selected job group or job without regenerating the report. + +![Publishing from a job group in Access Analyzer](images/ka0Qk000000EHKL_0EMQk00000BzUfZ.png) + +4. Select **Publish Reports** and click **Next**. + +![Navigation and publishing actions in Access Analyzer](images/ka0Qk000000EHKL_0EMQk00000BzScA.png) + +5. Select objects as needed. Then, click **Next** to run the report. + +![Selecting objects to publish](images/ka0Qk000000EHKL_0EMQk00000BzbFd.png) + +6. Once the report has run successfully, click **Finish** to close out of the Reporting web page. + +![Finish publishing reports](images/ka0Qk000000EHKL_0EMQk00000BzVN9.png) + +> **NOTE:** Additionally, reports will be rebuilt when the related job completes its next run. diff --git a/docs/kb/accessanalyzer/error-sequence-contains-more-than-one-matching-element.md b/docs/kb/accessanalyzer/error-sequence-contains-more-than-one-matching-element.md new file mode 100644 index 0000000000..1d3a12a85a --- /dev/null +++ b/docs/kb/accessanalyzer/error-sequence-contains-more-than-one-matching-element.md 
@@ -0,0 +1,88 @@ +--- +description: >- + Explains how to resolve the "Sequence contains more than one matching + element." error in Netwrix Access Analyzer by removing duplicate entries from + the report.xml file. +keywords: + - Sequence contains more than one matching element + - report.xml + - Netwrix Access Analyzer + - report generation + - duplicate entries + - Reports\report.xml + - report error + - remove duplicate report +products: + - access-analyzer +sidebar_label: 'Error: Sequence Contains More Than One Matching El' +tags: [] +title: 'Error: Sequence Contains More Than One Matching Element' +knowledge_article_id: kA0Qk0000001o7dKAA +--- + +# Error: Sequence Contains More Than One Matching Element + +## Symptom + +When running a job in Netwrix Access Analyzer that generates a report, the report generation fails with the error: + +`Sequence contains more than one matching element.` + +## Cause + +Duplicate entries in the ` %sainstalldir%\Reports\report.xml` file lead to the report failing to populate, as it cannot be determined which field is correct. + +### Report Configuration Example + +```xml + + + {F5BE87EC-11E4-4779-93C9-462DB92F68E4} + Attribute Changes + 3 + Netwrix Corporation + true + Monday, January 27, 2025 5:00 PM + This report tracks attribute changes within Active Directory. + + + + {F5BE87EC-11E4-4779-93C9-462DB92F68E4} + Attribute Changes + 3 + Netwrix Corporation + true + Monday, January 27, 2025 5:00 PM + This report tracks attribute changes within Active Directory. + + + +``` + +## Resolution + +To resolve this issue, follow these steps: + +1. Open the ` %sainstalldir%\Reports\report.xml` file in a text editor. +2. Locate and remove all duplicate entries for the job causing the error. + I. Copy the line that begins and ends with ` ` and ``. Search the file for this line. + II. Remove any duplicates of the corresponding ` ` section. +3. Save the file. +4. Run the job again to generate the report. 
+ +### Report Configuration Example + +```xml + + + {F5BE87EC-11E4-4779-93C9-462DB92F68E4} + Attribute Changes + 3 + Netwrix Corporation + true + Monday, January 27, 2025 5:00 PM + This report tracks attribute changes within Active Directory. + + + +``` diff --git a/docs/kb/accessanalyzer/error-task-name-has-an-incorrect-format-incorrect-number-of-components.md b/docs/kb/accessanalyzer/error-task-name-has-an-incorrect-format-incorrect-number-of-components.md new file mode 100644 index 0000000000..8e3f7ec12d --- /dev/null +++ b/docs/kb/accessanalyzer/error-task-name-has-an-incorrect-format-incorrect-number-of-components.md 
@@ -0,0 +1,42 @@ +--- +description: >- + When selecting Schedules or any Job you may see an "Error: Failed to + initialize task" pop-up because a Windows Task Scheduler job references the + Netwrix Auditor executable `StealthAUDIT.exe` but lacks required fields. + Delete the failed task from Task Scheduler to resolve the error. +keywords: + - task scheduler + - failed to initialize task + - task format error + - StealthAUDIT.exe + - Netwrix Auditor + - Schedules + - Job error +products: + - access-analyzer +visibility: public +sidebar_label: 'Error: Task Name Has an Incorrect Format: Incorrec' +tags: [] +title: 'Error: Task Name Has an Incorrect Format: Incorrect Number of Components' +knowledge_article_id: kA0Qk0000002gRNKAY +--- + +# Error: Task Name Has an Incorrect Format: Incorrect Number of Components + +## Symptom + +When selecting **Schedules** or any **Job**, the following pop-up task format error message appears: + +![Pop-up error message](images/ka0Qk000000Ea0P_0EMQk00000DDGST.png) + +## Cause + +A job exists in the Windows Task Scheduler that references the Netwrix Auditor executable `StealthAUDIT.exe` but does not have all the required fields. + +## Resolution + +1. Delete the failed task from the Windows Task Scheduler. + +> **NOTE:** The faulting task can be identified from the following part of the pop-up error message: +> +> `Error: Failed to initialize task ` diff --git a/docs/kb/accessanalyzer/error-the-default-schema-name-is-incorrect.md b/docs/kb/accessanalyzer/error-the-default-schema-name-is-incorrect.md new file mode 100644 index 0000000000..8e0cb9be84 --- /dev/null +++ b/docs/kb/accessanalyzer/error-the-default-schema-name-is-incorrect.md 
@@ -0,0 +1,51 @@ +--- +description: >- + This article describes the "FAILED: the default schema name is incorrect" + error that appears when you open or close Netwrix Access Analyzer and provides + possible causes and resolutions to restore database access. +keywords: + - default schema name + - SQL permissions + - SSMS + - Netwrix Access Analyzer + - '{''FAILED'': ''the default schema name is incorrect''}' + - database access + - Run as different user +products: + - access-analyzer +sidebar_label: 'Error: The Default Schema Name Is Incorrect' +tags: [] +title: 'Error: The Default Schema Name Is Incorrect' +knowledge_article_id: kA04u0000000IILCA2 +--- + +# Error: The Default Schema Name Is Incorrect + +## Symptom + +You see the following error when you open or close Netwrix Access Analyzer (NEA): + +``` +FAILED: the default schema name is incorrect +``` + +## Causes + +Refer to the following possible causes: + +1. You (the user working in NEA) do not have sufficient permissions to access the NEA database. +2. When using the Windows authentication method for the database service account, the account has insufficient permissions to access the database. + +## Resolutions + +Refer to the corresponding resolution: + +1. Log in to Netwrix Access Analyzer (NEA) with a user account that has properly provisioned permissions to the SQL database. Hold **Shift** and right-click the **Netwrix Access Analyzer** icon. Select **Run as different user**. + + ![Netwrix Access Analyzer Run as different user](images/ka0Qk0000006PDR_0EMQk000007SBir.png) + +2. Grant the correct SQL DB permissions to the current user via the SQL Server Management Studio (SSMS) application. Refer to the following article for additional information on required permissions: Netwrix Access Analyzer Database — Database Creation & First Level of Security · v11.6. + +## Related Articles + +- Netwrix Access Analyzer Database — Database Creation & First Level of Security · v11.6 
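Review bot: Resolution 2 tells the reader to grant "the correct SQL DB permissions" but never names them, and the article it defers to, "Database Creation & First Level of Security · v11.6", is plain text with no link here or under Related Articles. Add the link and name the required database role in the step itself, so the error is not resolved by granting more access than the product needs. The article also abbreviates Netwrix Access Analyzer as "NEA" throughout; use the full name or an abbreviation that matches it.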
diff --git a/docs/kb/accessanalyzer/error-unable-to-find-domain-for-member-errors-for-expiring-access-to-shares.md b/docs/kb/accessanalyzer/error-unable-to-find-domain-for-member-errors-for-expiring-access-to-shares.md new file mode 100644 index 0000000000..9d4f20365c --- /dev/null +++ b/docs/kb/accessanalyzer/error-unable-to-find-domain-for-member-errors-for-expiring-access-to-shares.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Describes how to resolve "Unable to find domain for member" errors in the + Access Information Center (AIC) debug log when temporary access to shares + fails to expire. +keywords: + - Access Information Center + - AIC + - Unable to find domain for member + - ExpirationState + - SA_AIC_ResourceAccessRequests + - UserSID + - membership expiration + - debug log +products: + - access-analyzer +visibility: public +sidebar_label: 'Error: Unable to Find Domain for Member Errors for' +tags: [] +title: 'Error: Unable to Find Domain for Member Errors for Expiring Access to Shares' +knowledge_article_id: kA0Qk0000001h7lKAA +--- + +# Error: Unable to Find Domain for Member Errors for Expiring Access to Shares + +## Symptom + +When a membership is failing to expire, you can find the following error message in the Access Information Center (AIC) debug log file, where [User SID] is the user's SID, yyyy-mm-dd is the date, and hh:mm:ss is the time: + +```text +Unable to find domain for member: [User SID] yyyy-mm-dd hh:mm:ss -- Error -- Type: System.InvalidOperationException yyyy-mm-dd hh:mm:ss +-- Error -- StackTrace: at AccessInformationCenter.Model.Membership.ActiveDirectoryMembership.Execute(StorageDataContext dc, String domainName, +MembershipRequest request) at AccessInformationCenter.Model.Membership.MembershipAction.Execute(StorageDataContext dc, String feature, +String invokerName, String invokerSid, IEnumerable`1 changes, Nullable`1 changeId) +``` + +## Cause + +This error occurs when you grant a user temporary permissions to a resource, but the user is deleted prior to the permissions expiring. When the permissions expire, the AIC console continues trying to remove the user but cannot locate the user record. + +## Resolution + +Set the `ExpirationState` to `2` in the `SA_AIC_ResourceAccessRequests` table for each SID encountering the problem using the command below. This will set the permission state to complete. 
+ +```sql +Update dbo.SA_AIC_ResourceAccessRequests SET ExpirationState = 2 where UserSID = '{usersid}' +``` diff --git a/docs/kb/accessanalyzer/error-user-credential-prompts-in-single-sign-on-environment.md b/docs/kb/accessanalyzer/error-user-credential-prompts-in-single-sign-on-environment.md new file mode 100644 index 0000000000..c21eda2a2c --- /dev/null +++ b/docs/kb/accessanalyzer/error-user-credential-prompts-in-single-sign-on-environment.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Explains why users are prompted for credentials in a Single Sign-On + environment after upgrading to v11.6 and how to resolve it by registering + Service Principal Names (SPNs) for the web server service account. +keywords: + - SSO + - SPN + - Service Principal Name + - Netwrix Access Analyzer + - authentication + - web server + - domain credentials + - Access Information Center +products: + - access-analyzer +sidebar_label: 'Error: User Credential Prompts in Single Sign-On E' +tags: [] +title: 'Error: User Credential Prompts in Single Sign-On E' +knowledge_article_id: kA0Qk00000029IXKAY +--- + +# Error: User Credential Prompts in Single Sign-On E + +## Related Query + +- "SSO is not working after upgrading to 11.6 and also unable to login with domain credentials from other machines." + +## Symptom + +The following symptoms are present in your Netwrix Access Analyzer environment: + +- After the recent upgrade to Netwrix Access Analyzer v11.6, the single sign-on feature in your environment does not work. +- Any attempt to access web-based reports or Access Information Center prompts for user credentials. + +## Cause + +The `Netwrix Enterprise Auditor Web Server` service account misses required the Service Principal Names (SPN). + +## Resolution + +Register SPNs for the `Netwrix Enterprise Auditor Web Server` service account. Refer to the following article for detailed steps on the SPN registration for the service account: File System Proxy Service Installation Guide Appendix · v11.5. + +## Related Article + +- File System Proxy Service Installation Guide Appendix · v11.5 diff --git a/docs/kb/accessanalyzer/error-when-adding-scheduled-task.md b/docs/kb/accessanalyzer/error-when-adding-scheduled-task.md new file mode 100644 index 0000000000..e294a2dd0f --- /dev/null +++ b/docs/kb/accessanalyzer/error-when-adding-scheduled-task.md 
@@ -0,0 +1,42 @@ +--- +description: >- + When saving a scheduled task, Netwrix Access Analyzer may report a logon + session error caused by a Local Security Policy that prevents storing + passwords and credentials. This article explains the symptom, cause, and + resolution. +keywords: + - scheduled task + - scheduled job + - SECPOL.MSC + - Network access + - Do not allow storage of passwords + - logon session + - credentials + - Local Security Policy +products: + - access-analyzer +sidebar_label: Error When Adding Scheduled Task +tags: [] +title: "Error When Adding Scheduled Task" +knowledge_article_id: kA04u0000000IT9CAM +--- + +# Error When Adding Scheduled Task + +## Symptom + +When you attempt to save a scheduled task, Netwrix Access Analyzer prompts the following error: + +``` +Failed to add scheduled job. Error while saving the task. A specified logon session does not exist. It may already have been terminated. +``` + +## Cause + +This error occurs because in Local Security Policy settings, the tasks are created with this security option enabled: **Run whether user is logged on or not.** + +Within local security policy (`SECPOL.MSC`) | Security Settings | Local Policies | Security Options, this option is enabled: **Network access: Do not allow storage of passwords and credentials for network authentication.** + +## Resolution + +Disable this setting: **Network access: Do not allow storage of passwords and credentials for network authentication.** If this setting is not configurable, it must be changed at the Group Policy level. diff --git a/docs/kb/accessanalyzer/error_cannot_initialize_scan_with_proxy_host_in_access_analyzer_11.6.md b/docs/kb/accessanalyzer/error_cannot_initialize_scan_with_proxy_host_in_access_analyzer_11.6.md new file mode 100644 index 0000000000..0b20b8dc5b --- /dev/null +++ b/docs/kb/accessanalyzer/error_cannot_initialize_scan_with_proxy_host_in_access_analyzer_11.6.md 
@@ -0,0 +1,71 @@ +--- +description: >- + This article addresses the error encountered when initializing a scan with a proxy host in Netwrix Access Analyzer, detailing symptoms, causes, and resolutions. +keywords: + - Access Analyzer + - FSAAException + - proxy host + - scan initialization + - certificate issues +products: + - access-analyzer +sidebar_label: "Error: Cannot Initialize Scan with Proxy Host" +tags: [] +title: "Error: Cannot Initialize Scan with Proxy Host in Access Analyzer 11.6" +knowledge_article_id: kA0Qk0000000WSvKAM +--- + +# Error: Cannot Initialize Scan with Proxy Host in Access Analyzer 11.6 + +## Symptom + +When running a file system scan using proxies—such as permissions, activity, or sensitive data—you receive the following error message: + +``` +FSAAException: Unable to start scan: Could not initialize scan session with any proxy host supplied +``` + +## Causes + +1. The creation of multiple redundant certificates when targeting a single proxy with multiple hosts for the first time prevents the scan from starting (a certificate creation race condition). +2. Certificates are not stored under the proper user account’s certificate store in multi-user scenarios (e.g., running interactively using one account and as a scheduled task with a different account). +3. The certificate was not properly created by the proxy scan. + +## Resolution + +Upgrade your Netwrix Access Analyzer instance to v11.6.0.65 or above and your File System Proxy Service instance to v11.6.0.19 or above—refer to the following articles for additional information: Access Analyzer Console Upgrade · v11.6 and Upgrade Proxy Service Procedure · v11.6. Download the latest Access Analyzer version from the [My Products](https://www.netwrix.com/my_products.html) page. If you still run into issues with certificate generation on FSAA proxy scans, follow the steps provided below. 
+ +> **IMPORTANT:** If the service account for the `FSAA Proxy Scanner` service in your FSAA proxy server is `LocalSystem`, perform the following steps before deleting the certificates: + +1. On the target proxy server, download **PsExec**. Extract the contents of the downloaded compressed folder to a local folder. Download **PsExec** in [PsExec · Microsoft 🡥](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec). +2. In an elevated Command Prompt instance, navigate to the target folder and run the following line: + + ```plaintext + .\psexec.exe -i -s cmd.exe + ``` + +3. In the new Command Prompt instance, start the Certificate Manager Tool for the SYSTEM account by running the following line: + + ```plaintext + certmgr.msc + ``` + +4. Delete all certificates in the FSAA Certificate Authority Store, FSAA Client Certificate Store, and FSAA Server Certificate Store: + - User certificates on the proxy server under the proxy service user account + - User certificates on the console under the scheduled task account + - User certificates on the console under the FS connection profile account + - User certificates on the console under the interactive user account(s) + +5. Run a single scan with proxy on a single host using a scheduled task to establish new certificates (this should be done once per proxy to properly establish the certificate on the proxy). +6. Verify user certificates on the console and the proxy server (you should have a single FSAA Client Certificate on the console, a single FSAA Server Certificate on the proxy, and a single FSAA Certificate Authority on both). +7. Run all subsequent scans as scheduled tasks (not interactively through the console) until a fix is issued. + +Additionally, the scans run in local mode should not run into this issue. To learn more about local mode, see the following article: Requirements — File System Solution — File System Scan Options — v11.6. 
+ +## Related Articles + +- Installation & Configuration Overview — Access Analyzer Console Upgrade · v11.6 +- File System Proxy as a Service Overview — Upgrade Proxy Service Procedure · v11.6 +- [My Products · Netwrix](https://www.netwrix.com/my_products.html) +- [PsExec · Microsoft 🡥](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec) +- Requirements — File System Solution — File System Scan Options — v11.6 \ No newline at end of file diff --git a/docs/kb/accessanalyzer/error_executescalar_requires_an_open_and_available_connection_during_entra_id_collection.md b/docs/kb/accessanalyzer/error_executescalar_requires_an_open_and_available_connection_during_entra_id_collection.md new file mode 100644 index 0000000000..4d388c2cfa --- /dev/null +++ b/docs/kb/accessanalyzer/error_executescalar_requires_an_open_and_available_connection_during_entra_id_collection.md 
@@ -0,0 +1,41 @@ +--- +description: >- + This article provides troubleshooting steps for resolving the error "ExecuteScalar requires an open and available Connection" during Entra ID collection. +keywords: + - Entra ID + - SQL Server + - ExecuteScalar +products: + - access-analyzer +sidebar_label: "Error: ExecuteScalar Requires an Open and Available Connection" +tags: [] +title: "Error: ExecuteScalar Requires an Open and Available Connection During Entra ID Collection" +knowledge_article_id: kA0Qk0000002AZZKA2 +--- + +# Error: ExecuteScalar Requires an Open and Available Connection During Entra ID Collection + +## Symptom + +Entra ID collection fails after scanning. The process appears to reach the `Adding domain` stage before hanging, and then the following error appears: + +``` +ExecuteScalar requires an open and available Connection. The connection's current state is closed. +``` + +## Cause + +This issue is typically caused by a conflict in the SQL data, most likely due to a failed scan. + +## Resolution + +1. Open the database in **SQL Server Management Studio**. +2. Click **View** and open **Object Explorer Details**. + + > **NOTE:** This allows you to run the delete operation multiple times in the following steps until all tables are removed. This is necessary due to constraints within the tables. + +3. Filter tables by the **`Name`** value of **AAD**. +4. Review all tables listed. You can select and delete all of them. +5. Update the filter to the **`Name`** value of **AzureADInventory**. +6. Repeat step 4. You should see the tables and be able to delete them. +7. Return to the Netwrix Access Analyzer console and rerun the **.Entra ID Inventory** job group. \ No newline at end of file diff --git a/docs/kb/accessanalyzer/error_object_doesn't_support_property_or_method.md b/docs/kb/accessanalyzer/error_object_doesn't_support_property_or_method.md new file mode 100644 index 0000000000..c1619f05d1 --- /dev/null 
+++ b/docs/kb/accessanalyzer/error_object_doesn't_support_property_or_method.md 
@@ -0,0 +1,49 @@ +--- +description: >- + This article addresses the error message "Object doesn't support property or method" encountered in the Netwrix Access Analyzer and provides steps to resolve it. +keywords: + - Netwrix Access Analyzer + - error resolution + - interactive grid +products: + - access-analyzer +sidebar_label: "Error: Object Doesn't Support Property or Method" +tags: [] +title: "Error: Object Doesn't Support Property or Method" +knowledge_article_id: kA0Qk0000001nl3KAA +--- + +# Error: Object Doesn't Support Property or Method + +## Symptom + +When you attempt to access the Netwrix Access Analyzer report configuration, you receive the following error: + +``` +Unable to log error to Access Analyzer: Object doesn't support property or method 'LogJSMessage'. +``` + +## Cause + +The exact cause of this error is currently unknown, but it typically occurs after an upgrade. + +## Resolution + +Set the report grid to interactive to resolve the issue. Follow these steps to enable an interactive grid: + +1. In the affected Access Analyzer job **Reports** node, configure the affected report by clicking **Configure**. + ![Configure report in Access Analyzer Reports node](./images/servlet_image_73e60a4574bb.png) + +2. Click **Widgets** and select any Grid-type widget. Check it, then click **Configure**. + ![Select and configure Grid-type widget in Access Analyzer](./images/servlet_image_bd5be116677a.png) + +3. Ensure that the **Table Properties** setting is set to **Interactive grid**. + ![Set Table Properties to Interactive grid in Access Analyzer](./images/servlet_image_a02a8fc4212e.png) + +4. Click **OK** and then **Finish** on the Widget screen to save your changes. + +5. Regenerate the report to verify that the error is resolved: + - Click the **three dots** next to Configure and click **Generate**. + ![Generate report in Access Analyzer](./images/servlet_image_b962017fe9d6.png) + +6. Review the report to confirm that the generation did not error. 
\ No newline at end of file diff --git a/docs/kb/accessanalyzer/expired-certificate-prevents-sharepoint-online-auditing.md b/docs/kb/accessanalyzer/expired-certificate-prevents-sharepoint-online-auditing.md new file mode 100644 index 0000000000..d643ceb422 --- /dev/null +++ b/docs/kb/accessanalyzer/expired-certificate-prevents-sharepoint-online-auditing.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Instructions to replace an expired certificate used by Netwrix Access Analyzer + to restore SharePoint Online auditing, including creating/uploading + certificates and updating the connection profile. +keywords: + - SharePoint Online + - expired certificate + - Netwrix Access Analyzer + - certificate upload + - .pfx + - App Registration + - Azure + - connection profile +products: + - access-analyzer +sidebar_label: Expired Certificate Prevents SharePoint Online Aud +tags: [] +title: "Expired Certificate Prevents SharePoint Online Auditing" +knowledge_article_id: kA0Qk00000023UrKAI +--- + +# Expired Certificate Prevents SharePoint Online Auditing + +## Symptom + +The certificate used by Netwrix Access Analyzer (formerly Enterprise Auditor) to audit SharePoint Online has expired. Until the certificate is updated, auditing operations may fail or be interrupted. + +## Cause + +The certificate required for secure communication between Netwrix Access Analyzer and SharePoint Online has reached its expiration date and is no longer valid. + +## Resolution + +1. Create a new certificate for Netwrix Access Analyzer and SharePoint Online. You can obtain this certificate from your organization's Certificate Authority or generate a self-signed certificate. + + > **NOTE:** The following article provides instructions for creating a self-signed certificate: How to Create a Self-Signed Certificate for SharePoint Online Access. + +2. Verify that both the `.cert` and `.pfx` files are located in the `%SAInstallDir%\PrivateAssemblies` folder. + - If you are using a custom certificate from a Certificate Authority, move both the `.cert` and `.pfx` files to this location. + +3. In the Azure Admin Portal, navigate to the App Registration used by Netwrix Access Analyzer for auditing SharePoint Online. + +4. On the **Certificates & secrets** tab, select **Upload certificate** and upload the new `.cert` file. + +5. 
In the Netwrix Access Analyzer Console, navigate to **Settings > Connection** and edit the key in the Connection Profile used by the SharePoint Online jobs using the following format: `CertLocation,CertPassword,NumericDesignator`. + + - **Numeric Designator:** 0 is the default; use 1 for pre-production environments, 2 for China, 3 for Germany, and 4 for US Government. + - **Example:** `C:\Program Files (x86)\STEALTHbits\StealthAUDIT\PrivateAssemblies\spaa_cert_tenant.pfx,YourPasswordHere,0` + + > **NOTE:** It may be helpful to create this string in a text file and then copy it into the key field of the connection profile. + +6. Save the updated connection profile. The certificate is now updated for SharePoint Online auditing with Netwrix Access Analyzer. + +## Related Link + +- How to Create a Self-Signed Certificate for SharePoint Online Access diff --git a/docs/kb/accessanalyzer/failed-to-create-fsadapter-error-in-netwrix-access-analyzer.md b/docs/kb/accessanalyzer/failed-to-create-fsadapter-error-in-netwrix-access-analyzer.md new file mode 100644 index 0000000000..db80be2b6a --- /dev/null +++ b/docs/kb/accessanalyzer/failed-to-create-fsadapter-error-in-netwrix-access-analyzer.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Explains the "Failed to create FSAdapter (80070002)" error in Netwrix Access + Analyzer caused by an incompatibility with the Sensitive Data Discovery Add-On + and how to resolve it by updating both components. +keywords: + - Netwrix Access Analyzer + - Sensitive Data Discovery Add-On + - FSAdapter + - 80070002 + - compatibility + - upgrade + - v11.6 + - error +products: + - access-analyzer +sidebar_label: Failed to Create FSAdapter Error in Netwrix Access +tags: [] +title: "Failed to Create FSAdapter Error in Netwrix Access Analyzer" +knowledge_article_id: kA0Qk0000000XTpKAM +--- + +# Failed to Create FSAdapter Error in Netwrix Access Analyzer + +## Symptom + +Netwrix Access Analyzer prompts the following errors: + +```text +Failed to create FSAdapter (80070002): The system cannot find the file specified +``` + +```text +Error during processing: Failed to create FSAdapter +``` + +## Cause + +Your installed versions of Netwrix Access Analyzer and the Sensitive Data Discovery Add-On are incompatible. + +- Netwrix Access Analyzer v11.6.0.59 and higher require Sensitive Data Discovery Add-On v11.6.0.10 and higher. +- The Sensitive Data Discovery Add-On v11.6.0.10 and higher require Netwrix Access Analyzer v11.6.0.59 and higher. + +The incompatibility is caused by an outdated component. + +## Resolution + +Update both Netwrix Access Analyzer and the Sensitive Data Discovery Add-On to their latest versions. Refer to the following articles for additional information: + +- Sensitive Data Discovery Add-On Installation — Upgrade Sensitive Data Discovery Add-on · v11.6 +- Installation & Configuration Overview − Netwrix Access Analyzer Console Upgrade · v11.6 + +## Related articles + +1. Sensitive Data Discovery Add-On Installation — Upgrade Sensitive Data Discovery Add-on · v11.6 +2. Installation & Configuration Overview − Netwrix Access Analyzer Console Upgrade · v11.6 
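Review bot: The two Cause bullets state the same version constraint from both directions, and the closing line "The incompatibility is caused by an outdated component" never says which component is outdated. Suggest collapsing the bullets into one statement that Access Analyzer v11.6.0.59 or higher and the Sensitive Data Discovery Add-On v11.6.0.10 or higher must be installed together, and adding where the reader can check each installed version before upgrading. The "Related articles" list repeats the two Resolution links verbatim and the two entries use different dash characters; keep one copy. `sidebar_label` is cut off at "Netwrix Access".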
diff --git a/docs/kb/accessanalyzer/file-not-found-reports-error-unable-to-log-error-to-access-analyzer.md b/docs/kb/accessanalyzer/file-not-found-reports-error-unable-to-log-error-to-access-analyzer.md new file mode 100644 index 0000000000..5ec4178042 --- /dev/null +++ b/docs/kb/accessanalyzer/file-not-found-reports-error-unable-to-log-error-to-access-analyzer.md 
@@ -0,0 +1,64 @@ +--- +description: >- + When exporting the AD Group Members View report as CSV, you may encounter a + '(File not found error)' with 'Unable to log error to Access Analyzer: Object + doesn't support property or method 'LogJSMessage'.' This article explains the + cause and provides step-by-step resolution by enabling the interactive grid + and CSV export option. +keywords: + - file not found + - CSV export + - interactive grid + - Access Analyzer + - AD Group Members + - report grid + - export table data + - Generate + - Run Job +products: + - access-analyzer +sidebar_label: 'File Not Found Reports Error: Unable to Log Error ' +tags: [] +title: 'File Not Found Reports Error: Unable to Log Error to Access Analyzer' +knowledge_article_id: kA0Qk00000022s9KAA +--- + +# File Not Found Reports Error: Unable to Log Error to Access Analyzer + +## Symptom + +When the report grid settings are configured for a non-interactive grid on the AD Group Members View table of the report, and you are attempting to download an exported report as a CSV file, the system generates the following error message: + +```text +(File not found error) + +Unable to log error to Access Analyzer: Object doesn't support property or method 'LogJSMessage'. +``` + +![Error image](images/ka0Qk000000CgOT_0EMQk00000B05RB.png) + +## Cause + +This error message is caused by setting the report grid configuration to Non Interactive grid. + +## Resolution + +To resolve this error, refer to the following steps: + +1. Click **Configure** to access the report settings. + ![Configure button image](images/ka0Qk000000CgOT_0EMQk00000Aq6Zr.png) + +2. Navigate to the **Widgets** node and select **Configure** on the layout location of the report. + ![Widgets configure image](images/ka0Qk000000CgOT_0EMQk00000AqZFF.png) + +3. After clicking **Configure**, select the **Interactive grid** option in the top-right corner under Table Properties. 
+ ![Interactive grid option image](images/ka0Qk000000CgOT_0EMQk00000AqJtg.png) + +4. Ensure that you have the **Export table data as CSV** box checked. + ![Export table data as CSV image](images/ka0Qk000000CgOT_0EMQk00000BF2eH.png) + +5. Confirm that the error has been resolved using either of the following methods: + - Right-click the **Job** itself and select **Run Job**. + ![Run Job image](images/ka0Qk000000CgOT_0EMQk00000Aqj6X.png) + - In the Reports pane, click the **Kebab menu** (three vertical dots) next to **Configure** and select **Generate**. + ![Generate image](images/ka0Qk000000CgOT_0EMQk00000Aqj6Y.png) diff --git a/docs/kb/accessanalyzer/fsaa-failed-to-copy-tier-2.md b/docs/kb/accessanalyzer/fsaa-failed-to-copy-tier-2.md new file mode 100644 index 0000000000..647a2226fd --- /dev/null +++ b/docs/kb/accessanalyzer/fsaa-failed-to-copy-tier-2.md 
@@ -0,0 +1,41 @@ +--- +description: >- + FSAA Tier 2 copy operations fail when the target or proxy server disk is full; + free or add disk space to resolve the error. +keywords: + - FSAA + - Tier 2 + - disk full + - remote procedure call + - TAppletRPCHelper.GetScanDatabase + - failed to copy + - proxy server + - applet server + - disk space +products: + - access-analyzer +sidebar_label: FSAA Failed to Copy Tier 2 +tags: [] +title: "FSAA Failed to Copy Tier 2" +knowledge_article_id: kA04u0000000IsECAU +--- + +# FSAA Failed to Copy Tier 2 + +## Summary +Tier 2s fail to copy when disk is full. + +## Issue +`Failed to copy database from : Error in TAppletRPCHelper.GetScanDatabase...The remote procedure call failed.` + +## Instructions +The disk drive is likely filling up on the proxy or applet (target) server. + +1. Check the disk usage on the proxy server and on the applet (target) server. +2. Add disk space or free space on the affected drive. + +## Module and Metadata +- Module: SA - DC - FSAA - Activity; SA - DC - FSAA - DFS; SA - DC - FSAA - Permissions; SA - DC - FSAA - Sensitive Data +- Versions: * +- Dev Ticket: 20963, SAFS-2808 +- Legacy Article ID: 1830 diff --git a/docs/kb/accessanalyzer/fsaa-registry-key-error.md b/docs/kb/accessanalyzer/fsaa-registry-key-error.md new file mode 100644 index 0000000000..9f102346c1 --- /dev/null +++ b/docs/kb/accessanalyzer/fsaa-registry-key-error.md 
@@ -0,0 +1,61 @@ +--- +description: >- + This article explains how to troubleshoot the FSAA registry key error that + occurs when an FSAA scan cannot open a registry key on Windows or NAS hosts. +keywords: + - FSAA + - registry key + - NAS + - access denied + - FSAA scan + - Netwrix Auditor + - SBTLogging + - Host Management +products: + - access-analyzer +sidebar_label: FSAA Registry Key Error +tags: [] +title: "FSAA Registry Key Error" +knowledge_article_id: kA04u0000000IvhCAE +--- + +# FSAA Registry Key Error + +## Summary +**FSAA Registry Key Error on NAS devices** + +## Issue +`Error during processing: Could not open registry key SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters for reading: Access is denied (5); local: False` + +If you get this error after running an FSAA scan, the scan was unable to open a registry key. + +## Instructions + +### Windows +If you get this after scanning a Windows host, either the registry key doesn't exist or access is denied. To investigate: + +1. Open **Regedit**. +2. From **Start**, open **CMD** and run **Regedit** (run it using the same credential as the scan). +3. Navigate to the location in the error message and verify whether the key exists or if you get access denied. + +### NAS +If you get this after scanning a NAS host, check the details in Host Management: + +1. Open the Netwrix Auditor console. +2. Find **Host Management** on the left-hand side. +3. Select **All Hosts**. +4. Find the host that has the issue. +5. Select **View\Edit Host** (top right). +6. Select **Edit Host** (bottom of the right). +7. Locate the **OSName**, **OSType**, **Model**, and **Manufacturer** fields. +8. Change **OSName** and **OSType** to `NAS`. +9. Change **Model** and **Manufacturer** to `N/A`. + +## Product +Netwrix Auditor + +## Module +SA - DC - FSAA - Activity;SA - DC - FSAA - Permissions + +## Legacy Article ID +1200 
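Review bot: In the Windows steps, step 1 ("Open **Regedit**") and step 2 both launch Regedit, and only step 2 runs it under the scan credential, so a reader following them in order first tests the key with their own account. Merge them into one step that starts Regedit as the scan account. The error text reports `local: False`, but the steps do not say on which machine the key should be checked; state that explicitly. Summary reads "on NAS devices" although the article also covers Windows, and the Product section and NAS step 1 name Netwrix Auditor while the front matter lists `access-analyzer`. The NAS steps change **OSName** and **OSType** without saying why that clears the error; one sentence of explanation would help.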
diff --git a/docs/kb/accessanalyzer/fsaa_error_system_error._code_1009..md b/docs/kb/accessanalyzer/fsaa_error_system_error._code_1009..md new file mode 100644 index 0000000000..44ef4cd402 --- /dev/null +++ b/docs/kb/accessanalyzer/fsaa_error_system_error._code_1009..md @@ -0,0 +1,36 @@ +--- +description: >- + This article addresses the FSAA error 'System Error. Code: 1009' encountered during FSAA scans, detailing its causes and resolutions. +keywords: + - FSAA + - System Error + - Access Analyzer +sidebar_label: FSAA Error 1009 +tags: [] +title: "FSAA Error: System Error. Code: 1009" +knowledge_article_id: kA04u0000000Ix9CAE +products: + - access-analyzer +--- + +# FSAA Error: System Error. Code: 1009 + +## Summary + +FSAA Scan shows error 'System Error. Code: 1009'. + +## Issue + +FSAA Scan shows *Error 'System Error. Code: 1009'.* +*The configuration registry database is corrupt and trying to process object of type FSAA. Skipping object.* + +## Cause + +This error may be caused when **Access Analyzer** is not running as an Administrator. + +## Product Information + +**Product:** Access Analyzer +**Module:** Access Analyzer - DC - FSAA - Activity; Access Analyzer - DC - FSAA - DFS; Access Analyzer - DC - FSAA - Permissions; Access Analyzer - DC - FSAA - Sensitive Data +**Versions:** 8+ +**Legacy Article ID:** 1727 \ No newline at end of file diff --git a/docs/kb/accessanalyzer/host-is-offline-error.md b/docs/kb/accessanalyzer/host-is-offline-error.md new file mode 100644 index 0000000000..9e19bc1b16 --- /dev/null +++ b/docs/kb/accessanalyzer/host-is-offline-error.md 
@@ -0,0 +1,45 @@ +--- +description: >- + This article explains the "Host is offline" error during a job run in Netwrix + Access Analyzer and how to resolve it by disabling the Skip Hosts that do not + respond to PING option. +keywords: + - host offline + - ping + - job error + - Netwrix Access Analyzer + - Skip Hosts + - job properties + - performance tab + - troubleshooting +products: + - access-analyzer +sidebar_label: Host Is Offline Error +tags: [] +title: "Host Is Offline Error" +knowledge_article_id: kA0Qk0000000L2rKAE +--- + +# Host Is Offline Error + +## Symptom + +- The following error is prompted upon a job run in Netwrix Access Analyzer: + +``` +Host is offline +``` + +- The remote server is up and functional. + +## Cause + +The **Skip Hosts that do not respond to PING** option is enabled in the affected job. This might directly affect the job in case the target host has been configured to not respond to ping requests. + +## Resolution + +Disable the **Skip Hosts that do not respond to PING** option in the affected job. Refer to the following article for additional information: /docs/auditor/11.6/enterpriseauditor/admin-guide/jobs/job/properties (Job Properties − Performance Tab · v11.6). + +## Related articles + +- /docs/auditor/11.6/enterpriseauditor/admin-guide/jobs/job/properties (Job Properties − Performance Tab · v11.6) diff --git a/docs/kb/accessanalyzer/how-to-add-site-collection-administrators-for-sharepoint-online.md b/docs/kb/accessanalyzer/how-to-add-site-collection-administrators-for-sharepoint-online.md new file mode 100644 index 0000000000..f4f183937f --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-add-site-collection-administrators-for-sharepoint-online.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Use this article to add a scanning account as a Site Collection Administrator + in SharePoint Online so SharePoint (SPAA) scans can run. Without the proper + site collection permission, scans fail with the `401: Unauthorized` error. +keywords: + - SharePoint + - site collection administrator + - SharePoint Online + - SPAA + - scan + - 401 Unauthorized + - Microsoft 365 admin center + - site permissions +products: + - access-analyzer +sidebar_label: How to Add Site Collection Administrators for Shar +tags: [] +title: "How to Add Site Collection Administrators for SharePoint Online" +knowledge_article_id: kA04u0000000IsxCAE +--- + +# How to Add Site Collection Administrators for SharePoint Online + +## Overview + +This article describes how to configure site collection permissions so you can run SharePoint (SPAA) scans. Without the proper site collection permission, the scan will fail with the `401: Unauthorized` error. + +## Instructions + +1. Establish the account used to scan SharePoint sites. Alternatively, establish the account to be used for scans. +2. Sign in to Microsoft 365 with an account that can access the Microsoft 365 admin center. +3. In the left navigation pane, under **Admin Centers**, select **SharePoint**. +4. Select the checkboxes for the sites you'd like to grant access. + + > **NOTE:** You can only add the account to one site at a time. + +5. Click **Owners** > **Manage Administrators**. +6. Add the account configured in the SPAA scan job to access sites to the **Site Collection Administrators** field. + + ![Site Collection Administrators dialog](images/ka0Qk0000006P8b_0EMQk000007UAdp.png) + +7. Click **OK** to save changes. 
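Review bot: Step 1 says the same thing twice ("Establish the account used to scan SharePoint sites. Alternatively, establish the account to be used for scans."); keep one sentence. Step 4 tells the reader to "Select the checkboxes for the sites" while the NOTE directly below says the account can only be added to one site at a time; reword step 4 to select a single site and repeat steps 4 to 7 per site. Site Collection Administrator gives the account full control of each site, so the article should say to use a dedicated scan account rather than a named user, and how to remove the assignment when scanning stops. `sidebar_label` is truncated at "Shar".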
diff --git a/docs/kb/accessanalyzer/how-to-add-the-jobs-for-a-newly-licensed-solution-to-an-existing-application-installation.md b/docs/kb/accessanalyzer/how-to-add-the-jobs-for-a-newly-licensed-solution-to-an-existing-application-installation.md new file mode 100644 index 0000000000..d43b09d5d0 --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-add-the-jobs-for-a-newly-licensed-solution-to-an-existing-application-installation.md 
@@ -0,0 +1,69 @@ +--- +description: >- + Shows how to add jobs for a newly licensed solution to an existing Netwrix + Access Analyzer installation using either the Instant Solutions wizard or File + Explorer. +keywords: + - Netwrix Access Analyzer + - license + - Instant Solutions + - jobs + - '%SAInstallDir%' + - GROUP_Windows + - installation + - Jobs folder +products: + - access-analyzer +sidebar_label: "How To Add the Jobs for a Newly Licensed Solution to an Existing Application Installation" +tags: [] +title: >- + How To Add the Jobs for a Newly Licensed Solution to an Existing Application + Installation +knowledge_article_id: kA0Qk0000001lOHKAY +--- + +# How To Add the Jobs for a Newly Licensed Solution to an Existing Application Installation + +## Overview + +This article explains how to add jobs for a newly licensed solution to an existing Netwrix Access Analyzer installation. You can use one of the two methods described below after applying the new license file. + +> **NOTE:** For instructions on how to apply a new license key to Netwrix Access Analyzer, please visit: How to Update the License Key in Access Analyzer. + +## Instructions + +### Add Solution via Instant Solutions + +1. Open the Netwrix Access Analyzer console, right-click the **Jobs** folder, and select **Add Instant Job**. + ![image](images/ka0Qk000000DDCL_0EMQk00000Bv4AE.png) + +2. In the Instant Job Wizard, expand **Library Name: Instant Solutions** by clicking the **+** icon. + ![Instant Solutions library with newly licensed module selected](images/ka0Qk000000DDCL_0EMQk00000BvBy5.png) + +3. Select the newly licensed module (e.g., `.Active Directory Inventory`), then click **Next**. + ![image](images/ka0Qk000000DDCL_0EMQk00000BvEJF.png) + +4. On the Summary page of the Instant Job Wizard, select **Save & Exit**. + ![Summary page of Instant Job Wizard with Save & Exit button highlighted](images/ka0Qk000000DDCL_0EMQk00000Bv76U.png) + +5. 
Your newly licensed module should now appear in the Netwrix Access Analyzer Job Tree. + +### Add Solution via File Explorer + +1. With the Netwrix Access Analyzer console closed, navigate to the **Instant Solutions** folder in Netwrix Access Analyzer's installation directory (`%SAInstallDir%InstantSolutions`). + ![Instant Solutions folder in installation directory](images/ka0Qk000000DDCL_0EMQk00000ArqFd.png) + +2. Locate the **GROUP_** folder for the new solution and copy it to the Jobs folder (`%SAInstallDir%Jobs`). + + - Example: Adding the Windows Solution + - From: `%SAInstallDir%InstantSolutions\GROUP_Windows` + - To: `%SAInstallDir%Jobs\GROUP_Windows` + +3. Launch Netwrix Access Analyzer, and your newly licensed module should now appear in the Netwrix Access Analyzer Job Tree. + +> **NOTE:** For further details on job configuration, see Netwrix Access Analyzer Solutions Overview. + +## Related Articles + +- How to Update the License Key in Access Analyzer +- Netwrix Access Analyzer Solutions Overview diff --git a/docs/kb/accessanalyzer/how-to-adjust-the-log-level-of-the-fsaa-applet-server-logs.md b/docs/kb/accessanalyzer/how-to-adjust-the-log-level-of-the-fsaa-applet-server-logs.md new file mode 100644 index 0000000000..3c3d86c1a2 --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-adjust-the-log-level-of-the-fsaa-applet-server-logs.md 
@@ -0,0 +1,68 @@ +--- +description: >- + Learn how to reduce excessive FSAA_Applet_Server log growth by changing the + logging level in the NLog.config file and restarting the service. +keywords: + - FSAA + - FSAA_Applet_Server + - NLog.config + - logs + - log level + - Debug + - Error + - StealthAUDIT + - STEALTHbits +products: + - access-analyzer +sidebar_label: How to Adjust the Log Level of the FSAA_Applet_Ser +tags: [] +title: "How to Adjust the Log Level of the FSAA_Applet_Server Logs" +knowledge_article_id: kA0Qk00000022KHKAY +--- + +# How to Adjust the Log Level of the FSAA_Applet_Server Logs + +## Symptoms + +- The `FSAA_Applet_Server` logs are growing excessively. +- The log that it is written to is located at the following path: + - `\%SAINSTALLDIR%\FSAA\FSAA_Applet_Server__9492_YYMMDDHHMISSMSX.log` + + Example: + - `E:\Program Files (x86)\STEALTHbits\StealthAUDIT\FSAA\FSAA_Applet_Server__9492_250227095535674.log` + +## Cause + +The FSAA Applet server log level settings default to `Debug`, which can lead to rapid log growth in certain environments. + +## Resolution + +1. Locate the `NLog.config` file to adjust the logging level: + - For proxy servers installed as a service, the file is located in: + - `C:\Program Files (x86)\STEALTHbits\StealthAUDIT\FSAA\NLog.config` + - For automatic deployments, the file is located on the application server in: + - `StealthAUDIT\PrivateAssemblies\FILESYSTEMACCESS\Applet` + +2. Open the `NLog.config` file using Notepad++ or a similar text/code editor. + +3. Edit the logging level configuration to reduce log growth: + - Locate the logger settings in the `NLog.config` file. + - Set the `minlevel` attribute to one of the following levels based on your needs: + - `Error` – Recommended for minimal logging. + - `Info` – Provides informational logs. + - `Warn` – Captures warnings and errors. + - **IMPORTANT:** A level lower than `Error` is *not* recommended. + + Example logger configuration: + ```xml + + + + + + + ``` + +4. 
Save the changes to the `NLog.config` file. + +5. Restart the FSAA Applet Server or Proxy Host to apply the changes. diff --git a/docs/kb/accessanalyzer/how-to-configure-file-system-scans-to-look-for-sensitive-data-discovery.md b/docs/kb/accessanalyzer/how-to-configure-file-system-scans-to-look-for-sensitive-data-discovery.md new file mode 100644 index 0000000000..cbd23f82b8 --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-configure-file-system-scans-to-look-for-sensitive-data-discovery.md 
@@ -0,0 +1,62 @@ +--- +description: >- + Shows how to configure Netwrix Access Analyzer to scan file systems for + sensitive data using the Sensitive Data Discovery (SDD) module and the SEEK + jobs. +keywords: + - sensitive data discovery + - file system scan + - SDD + - SEEK + - Netwrix Access Analyzer + - Licensed Features + - bulk import +products: + - access-analyzer +sidebar_label: How to Configure File System Scans to Look for Sen +tags: [] +title: "How to Configure File System Scans to Look for Sensitive Data Discovery" +knowledge_article_id: kA0Qk0000001Ym1KAE +--- + +# How to Configure File System Scans to Look for Sensitive Data Discovery + +## Question + +How do you configure Netwrix Access Analyzer (NEA) to scan File Systems for Sensitive Data? + +## Answer + +Scanning file systems for sensitive data has the following prerequisites: + +1. You have a valid license for the Sensitive Data Discovery (SDD) module. + - The SDD module is licensed separately, and an active license is required for all Sensitive Data auditing. You can confirm which modules are actively licensed in NEA via **NEA > Help > About**. The SDD module will appear as **Sensitive Data** on the **Licensed Features** list. + +2. The SDD Add-On is installed on the NEA Console server (see Sensitive Data Discovery Add-On Installation). + - If you are using either of the File System Proxy scan modes, the SDD Add-on must also be installed on the server where the proxy service is installed. + +Once the prerequisites are in place, SDD scans are found in the NEA Job tree under the FileSystem group. The scan for sensitive data consists of two jobs, which are both found under **Jobs > FileSystem > 0.Collection**: + +- **1-SEEK System Scans** – scans files for the sensitive data. +- **2-SEEK Bulk Import** – uploads the results to the database. 
+ +A guide to configure the **SEEK System Scans** job can be found here: /docs/auditor/11.6/enterpriseauditor/solutions/filesystem/collection + +## Additional Information + +An overview of the SDD Add-On can be found here: /docs/auditor/11.6/enterpriseauditor/sensitivedatadiscovery + +You can modify what classifies as Sensitive Data by configuring criteria in the **Global Sensitive Data Settings**. Please refer to the following configuration guides in our Help Center: + +- /docs/auditor/11.6/enterpriseauditor/admin-guide/settings/sensitivedata +- /docs/auditor/11.6/enterpriseauditor/sensitivedatadiscovery/criteriaeditor + +> IMPORTANT: If running SDD scans, it will be necessary to increase the minimum amount of RAM. Each thread requires a minimum of 2 additional GB of RAM per host. For example, if the job is configured to scan 8 hosts at a time, then an extra 16 GB of RAM are required (8x2=16). + +## Related Articles + +- Sensitive Data Discovery Add-On Installation: /docs/auditor/11.6/enterpriseauditor/installation/sensitivedatadiscovery +- 1-SEEK System Scans Job: /docs/auditor/11.6/enterpriseauditor/solutions/filesystem/collection +- Sensitive Data Discovery Add-On: /docs/auditor/11.6/enterpriseauditor/sensitivedatadiscovery +- Sensitive Data: /docs/auditor/11.6/enterpriseauditor/admin-guide/settings/sensitivedata +- Sensitive Data Criteria Editor: /docs/auditor/11.6/enterpriseauditor/sensitivedatadiscovery/criteriaeditor diff --git a/docs/kb/accessanalyzer/how-to-correctly-apply-the-preserve-last-access-time-lat-option-to-fsaa-scans.md b/docs/kb/accessanalyzer/how-to-correctly-apply-the-preserve-last-access-time-lat-option-to-fsaa-scans.md new file mode 100644 index 0000000000..9710287ab5 --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-correctly-apply-the-preserve-last-access-time-lat-option-to-fsaa-scans.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Explains how to apply the Preserve Last Access Time (LAT) option in FSAA scans + in Netwrix Access Analyzer and which settings to configure to avoid modifying + last access times, with cautions for NAS devices. +keywords: + - FSAA + - LAT + - Last Access Time + - NAS + - Windows File Server + - FSAA Data Collector Wizard + - Scan Settings + - Netwrix Access Analyzer + - file access preservation +products: + - access-analyzer +sidebar_label: "How to Correctly Apply the Preserve Last Access Time (LAT) Option to FSAA Scans" +tags: [] +title: >- + How to Correctly Apply the Preserve Last Access Time (LAT) Option to FSAA + Scans +knowledge_article_id: kA04u00000111GWCAY +--- + +# How to Correctly Apply the Preserve Last Access Time (LAT) Option to FSAA Scans + +## Questions + +- Why are scans of my NAS failing to open files or skipping them? +- If we select the **Last Access Time (LAT) Preservation** option, can we avoid a situation in which our FSAA job has changed the time of the last access? +- What other options must be configured in the FSAA Data Collector Wizard when choosing the LAT Preservation? + +## Answer + +Follow the recommendations below: + +- The **Only return file types with these comma-separated values (without leading dots)** option changes the LAT. Therefore, if you want to preserve it, unselect this option. To find this option, go to the **FSAA Data Collector Wizard** > **Default Scoping Options** step > **File Properties (Folder Summary)** tab. +- It is impossible to preserve LAT on a directory. It can be enabled for files only. +- *LAT Preservation is only applicable to Windows File Servers.* Enabling **Preserve LAT** on NAS and other file servers may cause unexpected results. + +For more information, please see the following article: /docs/auditor/11.6/enterpriseauditor/admin-guide/datacollector/fsaa/defaultscopingoptions (Scan Settings Tab). 
+ +## Related Articles + +- /docs/auditor/11.6/enterpriseauditor/admin-guide/datacollector/fsaa/defaultscopingoptions (Scan Settings Tab) diff --git a/docs/kb/accessanalyzer/how-to-drop-data-collected-from-sql-servers-using-the-databases-module.md b/docs/kb/accessanalyzer/how-to-drop-data-collected-from-sql-servers-using-the-databases-module.md new file mode 100644 index 0000000000..a1b2d61ad9 --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-drop-data-collected-from-sql-servers-using-the-databases-module.md 
@@ -0,0 +1,71 @@ +--- +description: >- + Explains how to drop data collected from SQL Servers using the Databases + Module. Includes steps to drop all collected SQL Server data or to drop data + for specific hosts or instances. +keywords: + - SQL Servers + - Databases Module + - Remove Storage Tables + - Remove Storage Data + - drop data + - queries + - job + - filters + - permissions + - sensitive data +products: + - access-analyzer + - access_info_center +sidebar_label: 'How to Drop Data Collected from SQL Servers Using ' +tags: [] +title: "How to Drop Data Collected from SQL Servers Using the Databases Module" +knowledge_article_id: kA0Qk0000001lGDKAY +--- + +# How to Drop Data Collected from SQL Servers Using the Databases Module + +## Overview + +This article explains how to drop data collected from SQL Servers using the Databases Module. Follow the instructions below to drop data for all SQL Servers or for specific hosts/instances. + +## Instructions + +### Drop All Data for SQL Servers + +> **NOTE:** You can create a separate folder (e.g., Sandbox) for custom jobs. + +1. Right-click the **custom** or **Jobs** folder and select **Create Job** `Ctrl+Alt+A`. + ![ ](images/ka0Qk000000DG6z_0EMQk00000BvYY7.png) +2. Navigate to the **Configure** node of the NewJob and select the **Queries** node. + ![ ](images/ka0Qk000000DG6z_0EMQk00000BvhTJ.png) +3. Click the **Create Query** button. + ![ ](images/ka0Qk000000DG6z_0EMQk00000BvhZl.png) +4. In the General tab, designate a clear **Name** and **Description** (e.g., `DropSQLHostData`). +5. In the Data Source tab, select **SQL** from the **Data Collector** dropdown menu. + ![ ](images/ka0Qk000000DG6z_0EMQk00000Bvheb.png) +6. Click **Configure** to launch the SQL Data Collector Configuration Wizard. + ![ ](images/ka0Qk000000DG6z_0EMQk00000BvhgD.png) +7. 
On the Wizard Category page, select the **Utilities > Remove Storage Tables** option under the appropriate database type and click **Next** to drop all collected SQL data for SQL Servers. + ![Category page with Utilities > Remove Storage Tables option highlighted](images/ka0Qk000000DG6z_0EMQk00000BvdWA.png) +8. To complete the query, ensure you have selected the desired Available Properties, click **Next**, and then **Finish**. Last, click **OK**. +9. To run the job, you can either select **Run now** from the job windowpane or right-click the job and select **Run Job**. + ![ ](images/ka0Qk000000DG6z_0EMQk00000Bvjzl.png) + +### Drop Data for Specific Hosts/Instances for SQL Servers or Drop Specific Data for SQL Hosts/Instances + +1. Follow steps 1–6 detailed above. +2. On the SQL Data Collector Configuration Wizard Category page, select the **Utilities > Remove Storage Data** option and click **Next**. + ![Category page with Utilities > Remove Storage Data option highlighted](images/ka0Qk000000DG6z_0EMQk00000Bvk6D.png) +3. On the Filters page, select the databases/instances via the **Filter Options** drop-down menu: + - All database objects + - Only select database objects + - When using this option, select the database objects you want to delete in the **Available database objects** pane, then click **Add**. + ![Available database objects pane with Add highlighted](images/ka0Qk000000DG6z_0EMQk00000Bvbfg.png) +4. On the Settings page, select the type of data you would like to remove for your specified hosts: + - Permissions + - Audits + - Sensitive Data + - Orphaned Rows +5. On the Results page, enable all of the available properties. +6. Run the job. diff --git a/docs/kb/accessanalyzer/how-to-enable-debug-logging-manually.md b/docs/kb/accessanalyzer/how-to-enable-debug-logging-manually.md new file mode 100644 index 0000000000..491f741c78 --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-enable-debug-logging-manually.md 
@@ -0,0 +1,45 @@ +--- +description: >- + This article explains how to manually enable debug logging in Netwrix Access + Analyzer by editing the GlobalOptionsconfig.xml file and setting the LOGLEVEL + value to 0 so you can access detailed application logs. +keywords: + - debug logging + - GlobalOptionsconfig.xml + - LOGLEVEL + - Netwrix Access Analyzer + - application logs + - '%sainstalldir%' + - debug mode + - troubleshooting +products: + - access-analyzer +sidebar_label: How to Enable Debug Logging Manually +tags: [] +title: "How to Enable Debug Logging Manually" +knowledge_article_id: kA0Qk0000001HrdKAE +--- + +# How to Enable Debug Logging Manually + +## Question + +How can you manually enable the debug logging mode in Netwrix Access Analyzer? + +## Answer + +Refer to the following steps to manually enable the debug mode in Netwrix Access Analyzer: + +1. Locate the `GlobalOptionsconfig.xml` file in the Netwrix Access Analyzer installation folder. Use the following variable to locate the folder: + + ```text + %sainstalldir% + ``` + +2. In the `GlobalOptionsconfig.xml` file, change the `` value to `0` to enable debug logging. Save the changes. + +3. Open the **Netwrix Access Analyzer console** to access the application logs. + +Refer to the example of the value in the configuration file that must be changed to `0`: + +![Configuration example](images/ka0Qk00000056mL_0EMQk000006Clm6.png) diff --git a/docs/kb/accessanalyzer/how-to-identify-active-transactions-filling-the-tempdb.md b/docs/kb/accessanalyzer/how-to-identify-active-transactions-filling-the-tempdb.md new file mode 100644 index 0000000000..e7e6326ff6 --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-identify-active-transactions-filling-the-tempdb.md 
@@ -0,0 +1,66 @@ +--- +description: >- + Provides T-SQL queries to identify active transactions that are consuming + TempDB and guidance about a temporary restart as a workaround. +keywords: + - TempDB + - SQL Server + - transactions + - DBCC OPENTRAN + - DBCC SQLPERF + - sys.databases + - sys.dm_tran_active_transactions +products: + - access-analyzer +sidebar_label: How to Identify Active Transactions Filling the Te +tags: [] +title: "How to Identify Active Transactions Filling the TempDB" +knowledge_article_id: kA0Qk0000001sETKAY +--- + +# How to Identify Active Transactions Filling the TempDB + +## Related Query + +- "Our application is not functioning, and we are receiving reports that the TempDB is full. What is filling up the TempDB?" + +## Question + +How can you identify which transactions are active and clogging the TempDB? + +## Answer + +The following statements will help to identify which transactions are active and filling the TempDB. Analysis of these results will help to isolate which transactions are at fault. + +> **NOTE:** The data in TempDB is retained until the restart of the server. If you are in critical need of space after running the below queries, please restart your SQL Server as a temporary fix. + +- Determines Size and Usage of Transaction Log: +```sql +DBCC SQLPERF(LOGSPACE); +``` + +- Checks for Active Transactions: +```sql +SELECT + database_id, + DB_NAME(database_id) AS DatabaseName, + log_reuse_wait_desc +FROM + sys.databases; +``` + +- Finds Open Transactions: +```sql +DBCC OPENTRAN; +``` + +- Checks for Uncommitted Transactions +```sql +SELECT + transaction_id, + transaction_state, + name AS TransactionName, + transaction_begin_time +FROM + sys.dm_tran_active_transactions; +``` diff --git a/docs/kb/accessanalyzer/how-to-locate-database-files-and-applet-logs-for-all-fsaa-scan-types.md b/docs/kb/accessanalyzer/how-to-locate-database-files-and-applet-logs-for-all-fsaa-scan-types.md new file mode 100644 index 0000000000..2f3bf74f92 
--- /dev/null +++ b/docs/kb/accessanalyzer/how-to-locate-database-files-and-applet-logs-for-all-fsaa-scan-types.md 
@@ -0,0 +1,156 @@ +--- +description: >- + Describes Tier 2 database and log locations for FSAA scan modes in Netwrix + Access Analyzer, plus conditions for sending Tier 2 databases, scan run logic, + GUID mismatches, and moving FSAA folders. +keywords: + - FSAA + - Tier 2 + - database files + - applet logs + - Netwrix Access Analyzer + - proxy mode + - local mode + - sensitive data logs + - RPC logs +products: + - access-analyzer +sidebar_label: How to Locate Database Files and Applet Logs for A +tags: [] +title: "How to Locate Database Files and Applet Logs for All FSAA Scan Types" +knowledge_article_id: kA04u0000000IvJCAU +--- + +# How to Locate Database Files and Applet Logs for All FSAA Scan Types + +## Overview + +This article describes Tier 2 database and log locations for the various FSAA scans (Netwrix Access Analyzer 9.0+). Additionally, this document covers the following related topics: + +- Conditions for Sending Tier 2 Databases from Netwrix Access Analyzer Console to Proxy Server or Applet Host in 9.0+ FSAA +- How FSAA Determines if a Scan Should Run +- Tier 1 vs. Tier 2 GUID Mismatch +- Moving the Location of the FSAA Folder on Proxy Servers or Applet Hosts + +## Instructions + +There are several different scan modes that the FS Data Collector can leverage. The location of the Tier 2 databases and logs will vary, depending on that mode. + +This article assumes that Netwrix Access Analyzer is installed with a path ending in ...\Netwrix Enterprise Auditor\. Otherwise, the FSAA folder will be located in ...\Netwrix Enterprise Auditor\FSAA in the parent folder of the installation directory. + +The registry key containing the `SAINSTALLDIR` value is: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment` + +That registry key’s existence is checked when the Netwrix Access Analyzer applet is deployed. 
If it doesn’t exist, then the default path for `SAINSTALLDIR` is used: `C:\Program Files (x86)\STEALTHbits\Netwrix Enterprise Auditor` + +### Log Types + +Below are various logs associated with FSAA scans and jobs. The locations of these logs are included with the scan mode information to follow. In addition to these logs, Tier 2s should be included for relevant hosts when troubleshooting scan or bulk import issues. + +- **Applet Logs** – Often contains the most important troubleshooting information. Host scanning is performed by the applet, and these logs contain information, warnings, and errors experienced during FSAA scans. Applet logs should be included when troubleshooting scan and bulk import issues. +- **RPC Logs** – Contains information, warnings, and errors related to communication (e.g., network, I/O) during scans. RPC logs should be included when troubleshooting scan and communication issues. +- **Job Logs** – Contains information, warnings, and errors related to Netwrix Access Analyzer Console setup before the FSAA applet is launched. Job logs may also contain certain scan messages, although applet logs typically have more information in that regard. All bulk import messages are also included in the job logs. Job logs should be included when troubleshooting scan and bulk import issues. +- **Sensitive Data Logs** – There are two new logs in v10.0+ that include information about sensitive data scans. These are ScannerLib and Extractor. Both logs will be in a host’s specific FSAA directory and should be included when troubleshooting issues regarding sensitive data. When running sensitive data scans with multiple threads, there will be one ScannerLib and one Extractor log per thread. By default, FSAA sensitive data scans run with four threads, so there will be four ScannerLib logs and four Extractor logs. + +### Common Scenarios & What to Include + +In all troubleshooting scenarios, various database and log files will be requested. 
Please provide all requested materials, as each piece provides important troubleshooting information. If unsure of what to provide, at a minimum please provide each affected host’s `FSAA\` folder. + +In various specific troubleshooting scenarios, the following database and log files must be provided: + +- **Scan & Network Issues** – Applet logs, job logs, RPC logs +- **Data Validity Concerns** – Tier 2 database files, screenshot showing data validity concern +- **Bulk Import Issues** – Tier 2 database files, job logs +- **Sensitive Data Issues** – Applet logs, job logs, and sensitive data logs (ScannerLib/Extractor) + +### Local Mode + +A persistent network connection is used to collect data from the target and send it to the Netwrix Access Analyzer Console server. + +Tier 2 databases are created locally on the Netwrix Access Analyzer Console while the scan is running, in per-host folders in the `FSAA` directory. + +Applet logs are stored on the Netwrix Access Analyzer Console in: `FSAA\` + +RPC logs are stored on the Netwrix Access Analyzer Console in: `FSAA` for the parent RPC logs, `FSAA\` for each child RPC log + +Job logs are stored on the Netwrix Access Analyzer Console in: `%SAINSTALLDIR%\Jobs\Output` + +### Applet Mode + +An applet is deployed to the Windows scan target, and the scan runs on the target instead of collecting data over the network. For non-Windows hosts, an active network connection is used to collect data from the target and send it to the Netwrix Access Analyzer Console server. + +Tier 2 databases are sent to the applet host if they exist on the Netwrix Access Analyzer Console server. Otherwise, they are created on the applet host. In either case, Tier 2s are then zipped and copied to the Netwrix Access Analyzer Console’s per-host `FSAA` folders when the target scan is finished. + +Applet logs are stored in `FSAA\` folders on each applet host. The logs are copied to the Netwrix Access Analyzer Console when the target scan is finished. 
+ +RPC logs are stored in the `FSAA` folder and in `FSAA\` folders on each applet host. The logs are copied to the Netwrix Access Analyzer Console when the target scan is finished. + +Job logs are stored on the Netwrix Access Analyzer Console in: `%SAINSTALLDIR%\Jobs\Output` + +### Proxy Mode + +Scans are performed from a remote proxy server to help distribute resources and localize scans geographically to improve performance for large deployments and slow links. Proxy servers act like a Netwrix Access Analyzer Console scanning in local mode. + +Tier 2 databases are sent to the proxy server if they exist on the Netwrix Access Analyzer Console server. Otherwise, they are created on the proxy server. Tier 2s are then zipped and copied to the Netwrix Access Analyzer Console’s per-host `FSAA` folders when the target scans are finished. + +Proxy Mode has two workflow options: + +- **Standard Proxy** – An applet is sent from the Netwrix Access Analyzer Console to the proxy server and started through a remote scheduled task. +- **FSAA as a Service** – FSAA is installed on the proxy server as a service, rather than sending a proxy applet during each scan. + +In both modes, FSAA uses a persistent network connection between the proxy server and the target hosts for collecting data. + +Applet logs are stored in `FSAA\` folders on the proxy server. The logs are copied to the Netwrix Access Analyzer Console when the target scan is finished. + +RPC logs are stored in the `FSAA` folder and in `FSAA\` folders on the proxy server. The logs are copied to the Netwrix Access Analyzer Console when the target scan is finished. 
+ +Job logs are stored on the Netwrix Access Analyzer Console in: `%SAINSTALLDIR%\Jobs\Output` + +## Related Topics + +### Conditions for Sending Tier 2 Databases from Netwrix Access Analyzer Console to Proxy Server or Applet Host in 9.0+ FSAA + +FSAA collects the GUID, USN, and ScanCompleted values from the `TBL_FSAA_Sequence` table on the proxy server or applet host (e.g., `RemoteGUID`, `RemoteUSN`, and `RemoteScanCompleted`). FSAA also collects the GUID, USN, and ScanCompleted values from `TBL_FSAA_Sequence` table from the local Netwrix Access Analyzer Console (e.g., `LocalGUID`, `LocalUSN`, and `LocalScanCompleted`). + +If one of the following conditions is true, then FSAA sends the Tier 2s from the Netwrix Access Analyzer Console to the proxy server or applet host: + +- RemoteGUID is blank +- RemoteGUID is not equal to LocalGUID +- RemoteUSN is not equal to LocalUSN +- RemoteScan is not complete and local Tier 2 is newer than remote Tier 2 (based on `TBL_FSAA_StatusScanTime`) +- Remote Tier 2s have an older schema version + +If sent, FSAA automatically unzips the Tier 2s on the proxy server or applet host. The Tier 2s on the proxy server or applet host are only replaced with Tier 2s from the zip if a Tier 2 from the zip is newer than proxy/applet Tier 2. + +### How FSAA Determines if a Scan Should Run + +FSAA first checks for the following conditions: + +- No Tier 2s exist +- Previous scan was not completed, and Tier 2 databases are older than the value for Restart Incomplete Scan After... (or if it is set to 0) +- Tier 2 databases are older than the value for Rescan Unimported Hosts After... (or if it is set to 0) + +If any of the above conditions are met, then FSAA will start a new scan, unless one of the following conditions is met: + +- Tier 1's GUID no longer matches Tier 2's GUID, indicating Tier 1 and Tier 2 databases do not match +- Tier 2's USN is greater than Tier 1's USN, indicating there is data for bulk import + +### Tier 1 vs. 
Tier 2 GUID Mismatch + +Tier 1 and Tier 2 databases need to match, as FSAA uses numbers to identify objects such as folders or users. If Tier 1 and Tier 2 GUIDs do not match, FSAA cannot confirm that those numbers represent the same object(s) in Tier 1 and Tier 2 (making the scan data invalid). + +If FSAA detects a GUID mismatch upon import, FSAA will throw an error indicating that and provide instructions on how to reset Tier 1. For assistance, contact Netwrix Support and halt all further actions (support@stealthbits.com, https://www.stealthbits.com/support). + +### Moving the Location of the FSAA Folder on Proxy Servers or Applet Hosts + +1. Move the `FSAA` folder on the target host to the new location. The location must be within a folder named `Netwrix Enterprise Auditor`. +2. Update the `SAINSTALLDIR` Environment Variable on the target host to point to the new `Netwrix Enterprise Auditor` folder from the previous step. + +- To open Environment Variables in Windows, search the Start Menu for Environment Variables and open **Edit the System Environment Variables**. +- Click **Environment Variables** near the bottom of the System Properties > **Advanced** tab. +- Highlight `SAINSTALLDIR` under System Variables and click **Edit**. + +The default path for `SAINSTALLDIR` is: `C:\Program Files (x86)\STEALTHbits\Netwrix Enterprise Auditor\` + +The FSAA Data Collector references: `%SAINSTALLDIR%\..\Netwrix Enterprise Auditor\FSAA` + +That means it will remove the last folder from the `SAINSTALLDIR` path and will add `Netwrix Enterprise Auditor\FSAA` (e.g., if `SAINSTALLDIR` is set to `D:\Temp`, then FSAA Tier 2s will be stored in `D:\Netwrix Enterprise Auditor\FSAA` in per-host folders). diff --git a/docs/kb/accessanalyzer/how-to-optimize-seek-system-scans-with-system-resources.md b/docs/kb/accessanalyzer/how-to-optimize-seek-system-scans-with-system-resources.md new file mode 100644 index 0000000000..c70cbbe7c4 --- /dev/null 
+++ b/docs/kb/accessanalyzer/how-to-optimize-seek-system-scans-with-system-resources.md 
@@ -0,0 +1,73 @@ +--- +description: >- + Learn how to improve SEEK scan performance by verifying system resources and + adjusting FSAA Data Collector job query settings, including an example + resource configuration and tuning recommendations. +keywords: + - SEEK + - SDD + - FSAA + - scan performance + - Netwrix Access Analyzer + - RAM + - CPU + - SDD scan processes + - data collector + - job query +products: + - access-analyzer +sidebar_label: How to Optimize SEEK System Scans with System Reso +tags: [] +title: "How to Optimize SEEK System Scans with System Resources" +knowledge_article_id: kA0Qk000000227NKAQ +--- + +# How to Optimize SEEK System Scans with System Resources + +## Related Query + +- "SEEK scans are taking a long time. Some scans are taking 70-80-90 hours. Looking for improvements and recommendations." + +## Question + +How can you improve SEEK scan performance? + +## Answer + +If running SDD scans, you must increase the minimum amount of RAM. Each thread requires a minimum of `2GB` of RAM per host (example configuration below). To improve SEEK scan performance, verify the resources and job query configuration, and tweak the job query. + +### Example + +To comfortably scan 4 file systems using a dedicated proxy server, the optimized resource configuration should reflect: + +- **Proxy Server System Resources** + `CPU: 4 Core | 8 Threads` + `RAM: 32GB` (`4 Target Hosts x 4 SDD Scan Processes x 2GB RAM per Target Host`) + +- **FSAA Data Collector Query Settings** + `Number of SDD Scan Processes: 4` + +### Verify Resources and Job Query Configuration + +1. Verify that the Netwrix Access Analyzer (NEA) database has the appropriate resource allotment according to our product requirements. + - If running multiple solutions simultaneously, compile the required resources. + - Additional requirements for File Activity, SDD, and File Tag collection can be found below the requirements table. + +2. 
Verify the number of SDD scan processes: + - On the **Sensitive Data Settings** page of the FSAA Data Collector query settings, set the **Number of SDD Scan Processes** to reflect the available CPU threads on the scanning server. This number should not exceed `1-2x` the number of available CPU threads. By default, this is set to `2`. + + ![Sensitive Data Settings page example](images/ka0Qk000000D59x_0EMQk00000BK3Rd.png) + + > **NOTE:** If the scan server has other responsibilities (e.g., NEA Console server, busy file server, SQL server), take those into account when configuring how many CPU threads should be allocated for SDD scan processes. + +3. Verify the total amount of RAM on the Scan Server: + - For SEEK scanning, each SDD scan process requires `2GB` per Target Host being concurrently scanned. Ensure that the minimum RAM requirements are met for optimal performance. + +### Tweaking Job Query + +1. Review the FSAA Data Collector query settings and adjust the following parameters: + - Set the **Number of SDD Scan Processes** to reflect the available CPU threads on the server, ensuring it does not exceed `1-2x` the available threads. + - Reduce the scope of the scan to focus on specific directories or file types if possible. This can help reduce the overall resource load. + - Schedule scans during off-peak hours to avoid conflicts with other server processes. + +2. Enable logging and review the logs to identify bottlenecks or errors during the scan process. Adjust the query settings based on the findings. diff --git a/docs/kb/accessanalyzer/how-to-remove-servers-from-host-lists.md b/docs/kb/accessanalyzer/how-to-remove-servers-from-host-lists.md new file mode 100644 index 0000000000..f38f04af66 --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-remove-servers-from-host-lists.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Describes how to remove servers from host lists and explains why removed + machines may reappear if still present in Active Directory. +keywords: + - remove servers + - host lists + - Host Management + - Active Directory + - AD discovery + - delete hosts + - HostStatus + - ADInventory +products: + - access-analyzer +sidebar_label: How to Remove Servers from Host Lists +tags: [] +title: "How to Remove Servers from Host Lists" +knowledge_article_id: kA04u0000000IPDCA2 +--- + +# How to Remove Servers from Host Lists + +## Overview + +Delete servers no longer in the environment from host lists, as these lists contain machines that have been removed from the network. + +## Instructions + +### Remove a machine from the Host Management + +1. Select the **Host Management** node in the top-left corner. +2. Search for the required machine. + +> **TIP:** The name column can be sorted alphabetically by clicking the Name column header (once for ascending, a second time for descending), or filtered for a specific host by clicking on the drop-down option on the right hand side of the column header. Additionally you may search for hosts with an offline status in the same manner using the **HostStatus** column. + +3. Right click the machine, and select **Delete Host(s)**. Multiple sequential hosts can be selected by holding down the 'shift' key while selecting hosts or multiple non-sequential hosts can be selected by holding down the 'ctrl' key while selecting hosts. + +### Removed machine is still in the list + +If you have removed the machine from the host management, and the next day you see it in the list again, it is possible that the machine is still in AD. During an AD host discovery query, all computers in AD will be added to the host list. Once the machine is removed from AD, and then removed from the host list, it should no longer show on the host lists. + +**Module:** SA - DC - Active Directory; SA - DC - ADInventory 
diff --git a/docs/kb/accessanalyzer/how-to-troubleshoot-a-failed-job-execution.md b/docs/kb/accessanalyzer/how-to-troubleshoot-a-failed-job-execution.md new file mode 100644 index 0000000000..b7d1b5f45b --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-troubleshoot-a-failed-job-execution.md 
@@ -0,0 +1,77 @@ +--- +description: >- + Describes how to troubleshoot a failed job execution in Netwrix Auditor, + including checks of job stats, task stats, runstats files, logs, uptime, and + applet/agent log locations. +keywords: + - job execution + - troubleshooting + - logs + - runstats.ini + - Task Scheduler + - SQL Server + - Netwrix Auditor + - SADebug + - applet logs +products: + - access-analyzer +sidebar_label: How to Troubleshoot a Failed Job Execution +tags: [] +title: "How to Troubleshoot a Failed Job Execution" +knowledge_article_id: kA04u0000000ISGCA2 +--- + +# How to Troubleshoot a Failed Job Execution + +## Overview + +This article describes how to troubleshoot a failed job execution in Netwrix Auditor. + +## Instructions + +- Check Job Stats. + - In the console expand the **Job > Status Node** and Select the **Job Stats Table**. This will allow you to verify if a failure is a one-time occurrence or a recurring issue. + +- Check Job TaskStats. + - In the console, expand **Job > Status Node** and select the **Task Stats Table**. Tthis will allow you to verify if all job components are failing or just specific tasks. + +- Check `Runstats.ini`. + - Right-click the job and select the **Explore folder** option. + - Open the runstats_prev.ini in a plain-text editor. + - Check the run statistics for the previous saved runs (five is the default in the application settings node). + +- Check Server Uptime. + - Open Task Manager. + - Select the **Performance** tab. + - Check server uptime. If server uptime is greater than 30 days, make sure that there are no MSFT patches with pending reboots. + +- Check Job Log. + - Right-click on the job and select the **Explore folder** option. + - Enter the output folder and locate a file named in the following fashion: + - JobName_log.tsv (Example: the first job in the tree should be 1-AD_Scan for the .Active Directory Inventory group. 
The log for this job will be named 1-AD_Scan_log.tsv) + - Review any messages leading up to end of file or leading up to end of processing for a given host: + - Search for the failed host name. + - Search for the words ERROR or WARNING and select the match case option. + - Get the timestamp of the last line in file. + +- Check SQL Server uptime and service uptime. + +- Check Windows Event Logs around that time. Look for errors and warnings that could indicate failure. + - Application (e.g., crash) + - Security (e.g., logoff) + +- Check Task Scheduler history (Task Scheduler Event Log). + +- Check Netwrix Auditor Event Log (`%sainstalldir%logs`). + +- Check SADebug Logs: + - Application + - JobEngine + - These logs are found in both the SADatabase Folder and in the root of the installation directory (`%sainstalldir%sadatabase`). + +- Check Applet/Agent logs (e.g., FSAA, SPAA On-Prem, Exchange Metrics, PowerShell). These logs are found in various places: + - ExchangePS engine - `%sainstalldir%Private Assemblies\Folders identified by query GUID and job runtime` + - PowerShell Applet - `%sainstalldir%jobs\SA_CommonData\PowerShell` + - SQL DC - `%sainstalldir%jobs\SA_CommonData\SQLDC` + - Smartlog Applet - `%sainstalldir%jobs\SA_CommonData\SmartLog` + - FSAA Applet - `C:\Program Files(x86)\STEALTHbits\StealthAUDIT\FSAA\HOST` diff --git a/docs/kb/accessanalyzer/how-to-view-stored-sensitive-data-discovery-sdd-matches.md b/docs/kb/accessanalyzer/how-to-view-stored-sensitive-data-discovery-sdd-matches.md new file mode 100644 index 0000000000..12f9d04575 --- /dev/null +++ b/docs/kb/accessanalyzer/how-to-view-stored-sensitive-data-discovery-sdd-matches.md 
@@ -0,0 +1,88 @@ +--- +description: >- + Explains how to view stored Sensitive Data Discovery (SDD) matches in + FileSystem Sensitive Data (SEEK) using the Access Information Center reports, + resource reviews, and a custom report in Netwrix Access Analyzer. +keywords: + - Sensitive Data Discovery + - SDD + - SEEK + - Sensitive Content Details + - Access Information Center + - Netwrix Access Analyzer + - FS_DLPResults + - SA_FSDLP_MatchHitsView +products: + - access-analyzer + - access_info_center +visibility: public +sidebar_label: 'How to View Stored Sensitive Data Discovery (SDD) ' +tags: [] +title: "How to View Stored Sensitive Data Discovery (SDD) Matches" +knowledge_article_id: kA0Qk0000000QLtKAM +--- + +# How to View Stored Sensitive Data Discovery (SDD) Matches + +## Question + +How can you view stored Sensitive Data Discovery (SDD) matches in FileSystem Sensitive Data (SEEK)? + +> **NOTE:** To be able to view populated **Sensitive Content Details** reports, enable the **Store discovered sensitive data** option for the corresponding collector in **Sensitive Data Settings**. For additional information on the initial SDD setup in specific collectors, refer to the following documentation section: Administration − Data Collectors · v11.6. + +## Answer + +> **NOTE:** The Sensitive Data Discovery criteria searches in Access Information Center can be run exclusively by users with either the **Security Team** or **Console Administrator** role. Users with the **Reader** role will receive blank reports. + +You can view stored SDD matches using one of the following methods. + +### Access Information Center − Sensitive Content Reports + +1. Select the server. +2. In the right **Reports** pane, select **Sensitive Content Details**. 
+ +![rtaImage.png](images/ka0Qk0000009j17_00N0g000004CA0p_0EMQk000002m1YX.png) + +For additional information, refer to: Resource Audit Overview − Sensitive Content Reports · v11.6 +(/docs/access-analyzer/11.6/access/resource-audit-guide) + +### Access Information Center − Resource Review + +1. Assign Resource Owners. Refer to: Resource Owners Overview · v11.6 + (/docs/access-analyzer/11.6/access/informationcenter/resourceowners) +2. Create a Sensitive Data Resource review. Refer to: Resource Ownership with the Access Information Center − Perform a Sensitive Data Review · v11.6 + (/docs/access-analyzer/11.6/access/informationcenter/resourcereviews/review) + +> **IMPORTANT:** Check the **Reviewers are able to see the sensitive data match if available** checkbox for the review to contain sensitive data matches. + +![rtaImage1.png](images/ka0Qk0000009j17_00N0g000004CA0p_0EMQk000002m1a9.png) + +### Netwrix Access Analyzer − Custom report + +1. Create a new report under the **FileSystem** > **7.Sensitive Data** > **FS_DLPResults** Job. + > **NOTE:** For additional information on custom reports, refer to: Reporting − Report Configuration Wizard · v11.6 + > (/docs/auditor/11.6/enterpriseauditor/admin-guide/report/wizard) +2. In the **Authoring** page of the Report Configuration Wizard, specify the report name and title. +3. In **E-mail** and **Publish Security** pages, specify the recipients and intended audience for the report − refer to: + - Report Configuration Wizard − E-mail Page · v11.6 + (/docs/auditor/11.6/enterpriseauditor/admin-guide/report/wizard) + - Report Configuration Wizard − Publish Security Page · v11.6 + (/docs/auditor/11.6/enterpriseauditor/admin-guide/report/wizard) +4. In the **Layout** page, select the single block option and set the **Select the number of rows** counter to **1 row**. +5. 
In the **Widgets** page, configure the report layout − refer to: Report Configuration Wizard − Widgets Page · v11.6 + (/docs/auditor/11.6/enterpriseauditor/admin-guide/report/wizard) +6. In the **DataSource Options** window, uncheck the **Current Job Only** checkbox and select the `SA_FSDLP_MatchHitsView` table. + > **NOTE:** You can omit the data columns included in the report via **Column Chooser**. +7. After saving the report, generate it either by clicking the three-dot icon (the **More** button) > **Generate**, or by running the `FS_DLPResults` Job. + +## Related articles + +- Administration − Data Collectors · v11.6 +- Resource Audit Overview − Sensitive Content Reports · v11.6 +- Resource Owners Overview · v11.6 +- Resource Ownership with the Access Information Center − Perform a Sensitive Data Review · v11.6 +- File System Solution − 7.Sensitive Data > FS_DLPResults Job · v11.6 +- Reporting − Report Configuration Wizard · v11.6 +- Report Configuration Wizard − E-mail Page · v11.6 +- Report Configuration Wizard − Publish Security Page · v11.6 +- Report Configuration Wizard − Widgets Page · v11.6 diff --git a/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aiy.png b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aiy.png new file mode 100644 index 0000000000..d696cceed4 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aiy.png differ diff --git a/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aiz.png b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aiz.png new file mode 100644 index 0000000000..0e84493ed1 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aiz.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj0.png b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj0.png new file mode 100644 index 0000000000..dc2304f540 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj0.png differ diff --git a/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj1.png b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj1.png new file mode 100644 index 0000000000..650f33fdc7 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj1.png differ diff --git a/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj2.png b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj2.png new file mode 100644 index 0000000000..a2b08d0f5c Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj2.png differ diff --git a/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj3.png b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj3.png new file mode 100644 index 0000000000..e9c1b8ccdd Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj3.png differ diff --git a/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj4.png b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj4.png new file mode 100644 index 0000000000..56a60b6468 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka04u000000HdDV_0EM4u0000084aj4.png differ diff --git a/docs/kb/accessanalyzer/images/ka04u000000wwHf_0EM4u000008pesA.png b/docs/kb/accessanalyzer/images/ka04u000000wwHf_0EM4u000008pesA.png new file mode 100644 index 0000000000..3bea9866df Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka04u000000wwHf_0EM4u000008pesA.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk00000056mL_0EMQk000006Clm6.png b/docs/kb/accessanalyzer/images/ka0Qk00000056mL_0EMQk000006Clm6.png new file mode 100644 index 0000000000..b7f08ad6b9 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk00000056mL_0EMQk000006Clm6.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk0000005DxV_0EMQk0000075k4b.png b/docs/kb/accessanalyzer/images/ka0Qk0000005DxV_0EMQk0000075k4b.png new file mode 100644 index 0000000000..9b3a5a9b0b Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk0000005DxV_0EMQk0000075k4b.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk0000006P8b_0EMQk000007UAdp.png b/docs/kb/accessanalyzer/images/ka0Qk0000006P8b_0EMQk000007UAdp.png new file mode 100644 index 0000000000..67c4feeb09 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk0000006P8b_0EMQk000007UAdp.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk0000006PDR_0EMQk000007SBir.png b/docs/kb/accessanalyzer/images/ka0Qk0000006PDR_0EMQk000007SBir.png new file mode 100644 index 0000000000..2ba7a1e819 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk0000006PDR_0EMQk000007SBir.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk0000009j17_00N0g000004CA0p_0EMQk000002m1YX.png b/docs/kb/accessanalyzer/images/ka0Qk0000009j17_00N0g000004CA0p_0EMQk000002m1YX.png new file mode 100644 index 0000000000..2b4bafe531 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk0000009j17_00N0g000004CA0p_0EMQk000002m1YX.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk0000009j17_00N0g000004CA0p_0EMQk000002m1a9.png b/docs/kb/accessanalyzer/images/ka0Qk0000009j17_00N0g000004CA0p_0EMQk000002m1a9.png new file mode 100644 index 0000000000..f57a767beb Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk0000009j17_00N0g000004CA0p_0EMQk000002m1a9.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk0000009j17_0EMQk000002m1YX.png b/docs/kb/accessanalyzer/images/ka0Qk0000009j17_0EMQk000002m1YX.png new file mode 100644 index 0000000000..2b4bafe531 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk0000009j17_0EMQk000002m1YX.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk0000009j17_0EMQk000002m1a9.png b/docs/kb/accessanalyzer/images/ka0Qk0000009j17_0EMQk000002m1a9.png new file mode 100644 index 0000000000..f57a767beb Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk0000009j17_0EMQk000002m1a9.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000C8rR_0EMQk000007oXpZ.png b/docs/kb/accessanalyzer/images/ka0Qk000000C8rR_0EMQk000007oXpZ.png new file mode 100644 index 0000000000..89fb7adcdc Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000C8rR_0EMQk000007oXpZ.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000C8rR_0EMQk000007oXrB.png b/docs/kb/accessanalyzer/images/ka0Qk000000C8rR_0EMQk000007oXrB.png new file mode 100644 index 0000000000..cb2c3794e9 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000C8rR_0EMQk000007oXrB.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CDO5_0EMQk000008vjWt.png b/docs/kb/accessanalyzer/images/ka0Qk000000CDO5_0EMQk000008vjWt.png new file mode 100644 index 0000000000..15f2c22891 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CDO5_0EMQk000008vjWt.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CDO5_0EMQk000008w1gf.png b/docs/kb/accessanalyzer/images/ka0Qk000000CDO5_0EMQk000008w1gf.png new file mode 100644 index 0000000000..749a728450 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CDO5_0EMQk000008w1gf.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CDO5_0EMQk000008w3KH.png b/docs/kb/accessanalyzer/images/ka0Qk000000CDO5_0EMQk000008w3KH.png new file mode 100644 index 0000000000..552fd696ca Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CDO5_0EMQk000008w3KH.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CW0v_0EMQk00000AxazR.png b/docs/kb/accessanalyzer/images/ka0Qk000000CW0v_0EMQk00000AxazR.png new file mode 100644 index 0000000000..1124bfaff3 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CW0v_0EMQk00000AxazR.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CW0v_0EMQk00000Axnrl.png b/docs/kb/accessanalyzer/images/ka0Qk000000CW0v_0EMQk00000Axnrl.png new file mode 100644 index 0000000000..849323c2ab Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CW0v_0EMQk00000Axnrl.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000Aq6Zr.png b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000Aq6Zr.png new file mode 100644 index 0000000000..9848cbe3bb Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000Aq6Zr.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000AqJtg.png b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000AqJtg.png new file mode 100644 index 0000000000..22626b1575 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000AqJtg.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000AqZFF.png b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000AqZFF.png new file mode 100644 index 0000000000..4f61e8199b Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000AqZFF.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000Aqj6X.png b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000Aqj6X.png new file mode 100644 index 0000000000..0c1d8925f2 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000Aqj6X.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000Aqj6Y.png b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000Aqj6Y.png new file mode 100644 index 0000000000..f3e72e9941 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000Aqj6Y.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000B05RB.png b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000B05RB.png new file mode 100644 index 0000000000..787f82b06f Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000B05RB.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000BF2eH.png b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000BF2eH.png new file mode 100644 index 0000000000..751c0c003b Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000CgOT_0EMQk00000BF2eH.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000Co13_0EMQk00000AJwk5.png b/docs/kb/accessanalyzer/images/ka0Qk000000Co13_0EMQk00000AJwk5.png new file mode 100644 index 0000000000..5f0c2dacff Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000Co13_0EMQk00000AJwk5.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000D59x_0EMQk00000BK3Rd.png b/docs/kb/accessanalyzer/images/ka0Qk000000D59x_0EMQk00000BK3Rd.png new file mode 100644 index 0000000000..a925581bc6 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000D59x_0EMQk00000BK3Rd.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000ArqFd.png b/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000ArqFd.png new file mode 100644 index 0000000000..9e7f90bbed Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000ArqFd.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000Bv4AE.png b/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000Bv4AE.png new file mode 100644 index 0000000000..921de03fcc Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000Bv4AE.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000Bv76U.png b/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000Bv76U.png new file mode 100644 index 0000000000..c7546122e0 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000Bv76U.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000BvBy5.png b/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000BvBy5.png new file mode 100644 index 0000000000..e8a46e34d2 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000BvBy5.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000BvEJF.png b/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000BvEJF.png new file mode 100644 index 0000000000..d105917505 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DDCL_0EMQk00000BvEJF.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvYY7.png b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvYY7.png new file mode 100644 index 0000000000..60f41b95d0 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvYY7.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvbfg.png b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvbfg.png new file mode 100644 index 0000000000..7e4c58a6c4 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvbfg.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvdWA.png b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvdWA.png new file mode 100644 index 0000000000..4a1c966b98 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvdWA.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvhTJ.png b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvhTJ.png new file mode 100644 index 0000000000..d9d869e85c Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvhTJ.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvhZl.png b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvhZl.png new file mode 100644 index 0000000000..c0fff3af1b Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvhZl.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvheb.png b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvheb.png new file mode 100644 index 0000000000..63ad29f582 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvheb.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvhgD.png b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvhgD.png new file mode 100644 index 0000000000..1c89f9c5f7 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000BvhgD.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvjzl.png b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvjzl.png new file mode 100644 index 0000000000..3d4b0d6af1 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvjzl.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvk6D.png b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvk6D.png new file mode 100644 index 0000000000..2d5068c42b Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DG6z_0EMQk00000Bvk6D.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk000009d2RO.png b/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk000009d2RO.png new file mode 100644 index 0000000000..f3441e114d Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk000009d2RO.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk00000AGwf1.png b/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk00000AGwf1.png new file mode 100644 index 0000000000..b65b008cd4 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk00000AGwf1.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_0EMQk000009d2RO.png b/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_0EMQk000009d2RO.png new file mode 100644 index 0000000000..f3441e114d Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_0EMQk000009d2RO.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_0EMQk00000AGwf1.png b/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_0EMQk00000AGwf1.png new file mode 100644 index 0000000000..b65b008cd4 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DXNx_0EMQk00000AGwf1.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6d20.png b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6d20.png new file mode 100644 index 0000000000..853fdd0707 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6d20.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6f5O.png b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6f5O.png new file mode 100644 index 0000000000..34c8035801 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6f5O.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6fbf.png b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6fbf.png new file mode 100644 index 0000000000..a6bdfb5e5d Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6fbf.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6i4s.png b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6i4s.png new file mode 100644 index 0000000000..b42c87d4f9 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6i4s.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6kbK.png b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6kbK.png new file mode 100644 index 0000000000..1d37c06fa7 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6kbK.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6qwr.png b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6qwr.png new file mode 100644 index 0000000000..2708e97696 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6qwr.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6ziP.png b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6ziP.png new file mode 100644 index 0000000000..d79be75f5f Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DYVJ_0EMQk00000B6ziP.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DYa9_0EMQk00000AdoIX.png b/docs/kb/accessanalyzer/images/ka0Qk000000DYa9_0EMQk00000AdoIX.png new file mode 100644 index 0000000000..efbf50ef5d Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DYa9_0EMQk00000AdoIX.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DYa9_0EMQk00000AdoSD.png b/docs/kb/accessanalyzer/images/ka0Qk000000DYa9_0EMQk00000AdoSD.png new file mode 100644 index 0000000000..389d0f259d Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DYa9_0EMQk00000AdoSD.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DYzx_0EMQk000002q3VJ.png b/docs/kb/accessanalyzer/images/ka0Qk000000DYzx_0EMQk000002q3VJ.png new file mode 100644 index 0000000000..27b2b3e70c Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DYzx_0EMQk000002q3VJ.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000DZ6P_0EM4u000008Ma1V.png b/docs/kb/accessanalyzer/images/ka0Qk000000DZ6P_0EM4u000008Ma1V.png new file mode 100644 index 0000000000..74cac9ac37 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000DZ6P_0EM4u000008Ma1V.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000Dl4L_0EM4u000008M8wx.png b/docs/kb/accessanalyzer/images/ka0Qk000000Dl4L_0EM4u000008M8wx.png new file mode 100644 index 0000000000..f74755cd75 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000Dl4L_0EM4u000008M8wx.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000Dl4L_0EM4u000008M8x2.png b/docs/kb/accessanalyzer/images/ka0Qk000000Dl4L_0EM4u000008M8x2.png new file mode 100644 index 0000000000..b9bba2194b Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000Dl4L_0EM4u000008M8x2.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000E4gT_0EMQk000009AG1X.png b/docs/kb/accessanalyzer/images/ka0Qk000000E4gT_0EMQk000009AG1X.png new file mode 100644 index 0000000000..2df8c58498 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000E4gT_0EMQk000009AG1X.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000E74r_0EMQk00000BrSj0.png b/docs/kb/accessanalyzer/images/ka0Qk000000E74r_0EMQk00000BrSj0.png new file mode 100644 index 0000000000..e6094e9310 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000E74r_0EMQk00000BrSj0.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000E74r_0EMQk00000Brg4P.png b/docs/kb/accessanalyzer/images/ka0Qk000000E74r_0EMQk00000Brg4P.png new file mode 100644 index 0000000000..1720b59cd6 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000E74r_0EMQk00000Brg4P.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000E74r_0EMQk00000CHuq5.png b/docs/kb/accessanalyzer/images/ka0Qk000000E74r_0EMQk00000CHuq5.png new file mode 100644 index 0000000000..2841e8d86d Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000E74r_0EMQk00000CHuq5.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000E7EX_0EMQk00000CHoHe.png b/docs/kb/accessanalyzer/images/ka0Qk000000E7EX_0EMQk00000CHoHe.png new file mode 100644 index 0000000000..5ef88ebad3 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000E7EX_0EMQk00000CHoHe.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000E7G9_0EMQk000008ueUQ.png b/docs/kb/accessanalyzer/images/ka0Qk000000E7G9_0EMQk000008ueUQ.png new file mode 100644 index 0000000000..5feea4c71f Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000E7G9_0EMQk000008ueUQ.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLClf.png b/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLClf.png new file mode 100644 index 0000000000..c772b66fc5 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLClf.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLFoN.png b/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLFoN.png new file mode 100644 index 0000000000..6ae6d4943a Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLFoN.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLJX0.png b/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLJX0.png new file mode 100644 index 0000000000..bf98c37dc3 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLJX0.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLJtZ.png b/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLJtZ.png new file mode 100644 index 0000000000..3c97c2e880 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EFs1_0EMQk00000CLJtZ.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzScA.png b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzScA.png new file mode 100644 index 0000000000..19c9ab0219 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzScA.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzUfZ.png b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzUfZ.png new file mode 100644 index 0000000000..9c627612c9 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzUfZ.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzVN9.png b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzVN9.png new file mode 100644 index 0000000000..639163c49d Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzVN9.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzbFd.png b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzbFd.png new file mode 100644 index 0000000000..a4acefe1c8 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000BzbFd.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000C2hzg.png b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000C2hzg.png new file mode 100644 index 0000000000..47634f0344 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000C2hzg.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000C2keA.png b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000C2keA.png new file mode 100644 index 0000000000..69c498e685 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EHKL_0EMQk00000C2keA.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EMFB_0EMQk00000CzhkH.png b/docs/kb/accessanalyzer/images/ka0Qk000000EMFB_0EMQk00000CzhkH.png new file mode 100644 index 0000000000..71ab053dbd Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EMFB_0EMQk00000CzhkH.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000Ea0P_0EMQk00000DDGST.png b/docs/kb/accessanalyzer/images/ka0Qk000000Ea0P_0EMQk00000DDGST.png new file mode 100644 index 0000000000..d8a7fc2bc4 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000Ea0P_0EMQk00000DDGST.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EatF_0EMQk000009FkN9.png b/docs/kb/accessanalyzer/images/ka0Qk000000EatF_0EMQk000009FkN9.png new file mode 100644 index 0000000000..18dda21e88 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EatF_0EMQk000009FkN9.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000EatF_0EMQk000009FrLO.png b/docs/kb/accessanalyzer/images/ka0Qk000000EatF_0EMQk000009FrLO.png new file mode 100644 index 0000000000..02667fab03 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000EatF_0EMQk000009FrLO.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000F1VF_0EMQk000009tXe6.png b/docs/kb/accessanalyzer/images/ka0Qk000000F1VF_0EMQk000009tXe6.png new file mode 100644 index 0000000000..f0a6eae31e Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000F1VF_0EMQk000009tXe6.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000F1VF_0EMQk000009taX7.png b/docs/kb/accessanalyzer/images/ka0Qk000000F1VF_0EMQk000009taX7.png new file mode 100644 index 0000000000..d0bb022db1 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000F1VF_0EMQk000009taX7.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000F1VF_0EMQk00000AqHwf.png b/docs/kb/accessanalyzer/images/ka0Qk000000F1VF_0EMQk00000AqHwf.png new file mode 100644 index 0000000000..9e7b1c32c1 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000F1VF_0EMQk00000AqHwf.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzRON.png b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzRON.png new file mode 100644 index 0000000000..805c4ed1be Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzRON.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzToN.png b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzToN.png new file mode 100644 index 0000000000..47f9d19cee Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzToN.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzUfa.png b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzUfa.png new file mode 100644 index 0000000000..f61147ec70 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzUfa.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzVYQ.png b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzVYQ.png new file mode 100644 index 0000000000..a20b991e78 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzVYQ.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzWUU.png b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzWUU.png new file mode 100644 index 0000000000..87eb38bcb4 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzWUU.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzWiz.png b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzWiz.png new file mode 100644 index 0000000000..ad4da13e70 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000F4L3_0EMQk00000BzWiz.png differ 
diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000FDY1_0EMQk00000CFkgO.png b/docs/kb/accessanalyzer/images/ka0Qk000000FDY1_0EMQk00000CFkgO.png new file mode 100644 index 0000000000..a0b37501b8 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000FDY1_0EMQk00000CFkgO.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000FDY1_0EMQk00000CFqfK.png b/docs/kb/accessanalyzer/images/ka0Qk000000FDY1_0EMQk00000CFqfK.png new file mode 100644 index 0000000000..e472747aa0 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000FDY1_0EMQk00000CFqfK.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000FDY1_0EMQk00000CFxaL.png b/docs/kb/accessanalyzer/images/ka0Qk000000FDY1_0EMQk00000CFxaL.png new file mode 100644 index 0000000000..3f5cc46ce4 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000FDY1_0EMQk00000CFxaL.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000FbYj_0EMQk00000ESYRi.png b/docs/kb/accessanalyzer/images/ka0Qk000000FbYj_0EMQk00000ESYRi.png new file mode 100644 index 0000000000..60e33057e5 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000FbYj_0EMQk00000ESYRi.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000FbYj_0EMQk00000ESbW1.png b/docs/kb/accessanalyzer/images/ka0Qk000000FbYj_0EMQk00000ESbW1.png new file mode 100644 index 0000000000..6a70dc8833 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000FbYj_0EMQk00000ESbW1.png differ diff --git a/docs/kb/accessanalyzer/images/ka0Qk000000FbYj_0EMQk00000ESeX7.png b/docs/kb/accessanalyzer/images/ka0Qk000000FbYj_0EMQk00000ESeX7.png new file mode 100644 index 0000000000..7e247ac4f0 Binary files /dev/null and b/docs/kb/accessanalyzer/images/ka0Qk000000FbYj_0EMQk00000ESeX7.png differ 
diff --git a/docs/kb/accessanalyzer/images/servlet_image_73e60a4574bb.png b/docs/kb/accessanalyzer/images/servlet_image_73e60a4574bb.png new file mode 100644 index 0000000000..3c97c2e880 Binary files /dev/null and b/docs/kb/accessanalyzer/images/servlet_image_73e60a4574bb.png differ diff --git a/docs/kb/accessanalyzer/images/servlet_image_a02a8fc4212e.png b/docs/kb/accessanalyzer/images/servlet_image_a02a8fc4212e.png new file mode 100644 index 0000000000..c772b66fc5 Binary files /dev/null and b/docs/kb/accessanalyzer/images/servlet_image_a02a8fc4212e.png differ diff --git a/docs/kb/accessanalyzer/images/servlet_image_b962017fe9d6.png b/docs/kb/accessanalyzer/images/servlet_image_b962017fe9d6.png new file mode 100644 index 0000000000..6ae6d4943a Binary files /dev/null and b/docs/kb/accessanalyzer/images/servlet_image_b962017fe9d6.png differ diff --git a/docs/kb/accessanalyzer/images/servlet_image_bd5be116677a.png b/docs/kb/accessanalyzer/images/servlet_image_bd5be116677a.png new file mode 100644 index 0000000000..bf98c37dc3 Binary files /dev/null and b/docs/kb/accessanalyzer/images/servlet_image_bd5be116677a.png differ diff --git a/docs/kb/accessanalyzer/isdeleted-not-being-checked-in-adi-scans.md b/docs/kb/accessanalyzer/isdeleted-not-being-checked-in-adi-scans.md new file mode 100644 index 0000000000..d840babad5 --- /dev/null +++ b/docs/kb/accessanalyzer/isdeleted-not-being-checked-in-adi-scans.md 
@@ -0,0 +1,43 @@ +--- +description: >- + The isDeleted attribute is not being evaluated during ADI scans. Grant List + Contents and Read Properties permissions on the Deleted Objects container so + deleted objects are included in scans. +keywords: + - isDeleted + - ADI + - Deleted Objects + - dsacls + - permissions + - ADInventory + - Netwrix Auditor + - LCRP +products: + - access-analyzer +sidebar_label: isDeleted not being checked in ADI scans +tags: [] +title: "isDeleted not being checked in ADI scans" +knowledge_article_id: kA04u0000000IPgCAM +--- + +# isDeleted not being checked in ADI scans + +## Summary +isDeleted not being checked in ADI scans + +## Issue +isDeleted not being checked in ADI scans + +## Instructions +To correct this behavior, you must grant permissions for List Contents and Read Properties to the Deleted Objects OU, like this: + +1. Run the following command: +```powershell +dsacls "CN=Deleted Objects,DC=domain,DC=com" /g domain\\username:LCRP +``` + +## Product Information +- **Product:** Netwrix Auditor +- **Module:** SA - DC - ADInventory +- **Versions:** All +- **Salesforce Article ID:** 000001543 diff --git a/docs/kb/accessanalyzer/manually-setting-up-entra-id-auditing-for-netwrix-access-analyzer.md b/docs/kb/accessanalyzer/manually-setting-up-entra-id-auditing-for-netwrix-access-analyzer.md new file mode 100644 index 0000000000..b862549ff6 --- /dev/null +++ b/docs/kb/accessanalyzer/manually-setting-up-entra-id-auditing-for-netwrix-access-analyzer.md 
@@ -0,0 +1,89 @@ +--- +description: >- + Shows how to manually configure Entra ID auditing when you cannot use the + AZ_RegisterAzureAppAuth instant job, and how to create the Netwrix Access + Analyzer connection profile including required permissions and client secret + steps. +keywords: + - Entra ID + - Azure AD + - Netwrix Access Analyzer + - app registration + - client secret + - AuditLog.Read.All + - Directory.Read.All + - AZ_RegisterAzureAppAuth +products: + - access-analyzer +sidebar_label: 'Manually Setting Up Entra ID Auditing for Netwrix ' +tags: [] +title: "Manually Setting Up Entra ID Auditing for Netwrix Access Analyzer" +knowledge_article_id: kA0Qk00000022IfKAI +--- + +# Manually Setting Up Entra ID Auditing for Netwrix Access Analyzer + +## Question + +How do I set up Entra ID Auditing without using the `AZ_RegisterAzureAppAuth` instant job? + +## Answer + +While it is always recommended to use the `AZ_RegisterAzureAppAuth` instant job to set up the Entra app for auditing, it can be done manually if necessary (e.g., when MFA cannot be temporarily disabled for a Global Admin account). + +## Entra ID Inventory Scans & Entra ID Reports + +1. Open the Microsoft Entra admin center: https://entra.microsoft.com/#home. + +2. Navigate to **Identity > Applications > App registrations** and select **+ New registration**. + ![Entra App Registration](images/ka0Qk000000DYVJ_0EMQk00000B6ziP.png) + +3. On the **Register an application** page, set the following: + - **Name:** Something meaningful, e.g., `NEA_EntraID`. + - **Support account types:** Accounts in this org. directory only. + +4. From the **Application Overview** page, navigate to **Manage > API Permissions** and select **Add a permission**. + ![API Permissions](images/ka0Qk000000DYVJ_0EMQk00000B6i4s.png) + +5. From the **Request API permissions** page, select **Microsoft Graph**. 
+ ![Request API permissions](images/ka0Qk000000DYVJ_0EMQk00000B6qwr.png) + + - Add the following **Delegated Permissions**: + - `Group.Read.All` – Read all groups + - `User.Read.All` – Read all users' full profiles + - Add the following **Application Permissions**: + - `AuditLog.Read.All` – Read all audit log data + - `Directory.Read.All` – Read directory data + +6. After adding the aforementioned permissions, grant them admin consent by selecting **Grant admin consent for `\{TENANT NAME\}`**. + ![Grant admin consent](images/ka0Qk000000DYVJ_0EMQk00000B6f5O.png) + +7. Navigate to the Entra app registration and on the **Certificates & secrets** page, select **+ New client secret**. + ![Certificates & secrets](images/ka0Qk000000DYVJ_0EMQk00000B6fbf.png) + +8. On the **Add a client secret** page, add the following: + - **Description:** Something meaningful, e.g., `Access Analyzer Entra ID`. + - **Expires:** Usually recommended to set this to the longest option OR per the organization’s internal certificate expiration timeframe. + +9. After creating the client secret, copy the secret **Value** to a notepad. + ![Client secret value](images/ka0Qk000000DYVJ_0EMQk00000B6d20.png) + +10. Next, navigate to the **Overview** tab and copy the **Application (client) ID** which is needed for the Netwrix Access Analyzer Connection Profile. + ![Application client ID](images/ka0Qk000000DYVJ_0EMQk00000B6kbK.png) + +## Netwrix Access Analyzer Connection Profile + +1. In Netwrix Access Analyzer, navigate to **Global Options > Connection** and create a connection profile with the same name as the Entra app registration, using the following: + - **Account Type:** Azure Active Directory + - **Client ID:** Application (client) ID from Entra App Registration + - **Key:** Secret Value + +2. Create a host list with the Entra site, e.g., https://nwxsupport.sharepoint.com/. + +3. Set the Entra ID Inventory job group to run against the Entra host list. + +4. 
Set the Entra ID Inventory job group to use the Entra Connection Profile. + +5. Schedule the Entra ID Inventory job group to run every day, or at least before the Entra ID job group. + +> **NOTE:** This job is also required in order to run Exchange Online & SharePoint Online modules. diff --git a/docs/kb/accessanalyzer/merge-statement-conflicted-with-foreign-key-constraint-error-in-spseek-bulk-import-job.md b/docs/kb/accessanalyzer/merge-statement-conflicted-with-foreign-key-constraint-error-in-spseek-bulk-import-job.md new file mode 100644 index 0000000000..2b6b15f1dd --- /dev/null +++ b/docs/kb/accessanalyzer/merge-statement-conflicted-with-foreign-key-constraint-error-in-spseek-bulk-import-job.md 
@@ -0,0 +1,54 @@ +--- +description: >- + Explains the cause and resolution for the "MERGE statement conflicted with the + FOREIGN KEY SAME TABLE constraint" error when running the SPSEEK Bulk Import + job, and links to related documentation. +keywords: + - spseek + - bulk import + - merge statement + - foreign key + - SP_DropTables + - SharePoint + - SPAA + - Netwrix Access Analyzer +products: + - access-analyzer +sidebar_label: "Merge Statement Conflicted with Foreign Key Constraint Error in SPSEEK Bulk Import Job" +tags: [] +title: >- + Merge Statement Conflicted with the FOREIGN KEY Constraint Error in SPSEEK + Bulk Import Job +knowledge_article_id: kA0Qk0000000IRZKA2 +--- + +# Merge Statement Conflicted with the FOREIGN KEY Constraint Error in SPSEEK Bulk Import Job + +## Symptom + +When you attempt to run the **SPSEEK Bulk Import** job, you see the following error: + +```sql +[C:102] Unable to perform bulk import +Error: The MERGE statement conflicted with the FOREIGN KEY SAME TABLE constraint %FK_constraint%. +The conflict occurred in database %database_name%, table %table_name%. +The statement has been terminated. +``` + +## Cause + +The foreign key constraint conflict was caused during the latest scan. + +## Resolution + +Drop the SharePoint tables and run the scan again. To drop the tables, run the **SP_DropTables** job. For additional information, refer to the following Netwrix Access Analyzer article: + +1. SharePointAccess Data Collector − SPAA Drop Tables & Views Workflow ⸱ v11.6 + /docs/auditor/11.6/enterpriseauditor/admin-guide/datacollector/spaa + +## Related articles + +- SharePointAccess Data Collector − SPAA Drop Tables & Views Workflow ⸱ v11.6 + /docs/auditor/11.6/enterpriseauditor/admin-guide/datacollector/spaa +- Could Not Drop Object Referenced by Foreign Key Constraint + /docs/kb/access-analyzer/could_not_drop_object_referenced_by_foreign_key_constraint 
diff --git a/docs/kb/accessanalyzer/methods-for-properly-ending-access-analyzer-running-jobs.md b/docs/kb/accessanalyzer/methods-for-properly-ending-access-analyzer-running-jobs.md new file mode 100644 index 0000000000..6d43c49ab7 --- /dev/null +++ b/docs/kb/accessanalyzer/methods-for-properly-ending-access-analyzer-running-jobs.md 
@@ -0,0 +1,65 @@ +--- +description: >- + This article describes several methods to stop running Netwrix Access Analyzer + jobs safely and outlines emergency procedures to avoid console issues. +keywords: + - Netwrix Access Analyzer + - stop job + - scheduled task + - Task Manager + - graceful abort + - emergency terminate + - scheduled jobs + - console issues +products: + - access-analyzer +sidebar_label: Methods for Properly Ending Netwrix Access Analyzer Running Jobs +tags: [] +title: "Methods for Properly Ending Netwrix Access Analyzer Running Jobs" +knowledge_article_id: kA04u0000000IR8CAM +--- + +# Methods for Properly Ending Netwrix Access Analyzer Running Jobs + +## Summary: +There are many ways to stop a running job in Netwrix Access Analyzer but there are some ways that can cause issues. This article outlines several methods for safely ending a running task. + +## Issue: +Many times while running Netwrix Access Analyzer jobs there are situations that require a job execution to be ended prematurely. Doing so incorrectly can adversely impact the console. For instance, rebooting the machine because a running job is being a resource hog and slowing down the console can result in the job tree being incomplete when the console is next launched. The methods below can be used to gracefully (or not so gracefully) stop job executions without adversely impacting the Netwrix Access Analyzer Console + +## Instructions: + +### Method One for Ending an Interactive Job Execution +1. Select the currently running job in the tree +2. In the action bar click on the **stop button** +3. Wait for Netwrix Access Analyzer to gracefully abort job execution + +### Method Two for Ending an Interactive Job Execution +1. Use the **pick list in the lower right hand corner of the application** to select the option to stop either the currently running job or stop all jobs in the execution queue +2. 
Wait for Netwrix Access Analyzer to gracefully abort job execution + +### Method Three for Ending an Interactive Job Execution +1. Close the Netwrix Access Analyzer Console and select the option to **forcefully close the console** +2. Wait for Netwrix Access Analyzer to gracefully for the console to close + +### Method One for Ending a Scheduled Job Execution +1. Check Netwrix Access Analyzer Scheduled Task list to see if your task is listed + + 1. (a) From time to time a running task will not be shown because the currently running instance extended past the next scheduled execution time + +2. If your task is listed right click on the task and select the **Stop Option** + +### Method Two for Ending a Scheduled Job Execution +1. If you are running a job via the scheduler and it is not shown in the Netwrix Access Analyzer Scheduled Task List because of condition (a) mentioned above, your next option is to Open **Windows Task Scheduler** +2. Locate your job or the parent group under which the job is being run and right click the running scheduled task and select the **End or Stop Option** + +### Final Acceptable Method for Emergency Situations where the task needs to be ended and there is no time to wait for graceful application closure +1. Open **Task Manager** +2. Identify all Netwrix Access Analyzer Processes +3. Right Click each process and select **End Process Tree** so that all associated peripherals are closed along with the parent process. + +## Product: +- Product: Netwrix Access Analyzer +- Module: Netwrix Access Analyzer - Core; Netwrix Access Analyzer - Job Configuration +- Versions: All +- Salesforce Article ID: 000002625 diff --git a/docs/kb/accessanalyzer/missing-groups-in-aic-access-groups.md b/docs/kb/accessanalyzer/missing-groups-in-aic-access-groups.md new file mode 100644 index 0000000000..fb563f040d --- /dev/null +++ b/docs/kb/accessanalyzer/missing-groups-in-aic-access-groups.md 
@@ -0,0 +1,59 @@ +--- +description: >- + When you add a new share in Netwrix Access Analyzer (AIC) and see ObjectSID + values instead of group names, the ADInventory scan is likely misconfigured or + unable to target the correct domain controllers. This article describes + symptoms, causes, troubleshooting steps, and resolution to restore group + resolution in AIC. +keywords: + - AIC + - ADInventory + - ObjectSID + - SA_ADInventory_GroupsView + - Resource Audit + - host list + - domain controllers + - access groups + - rescan +products: + - access-analyzer + - access_info_center +sidebar_label: Missing Groups in AIC Access Groups +tags: [] +title: "Missing Groups in AIC Access Groups" +knowledge_article_id: kA0Qk0000000aOTKAY +--- + +# Missing Groups in AIC Access Groups + +## Symptoms + +- When you add a new share in Netwrix Access Analyzer (AIC), access groups show no groups listed. +- When you review the new share path in the **Resource Audit** interface, the group shows the ObjectSID value instead of the group name. + +## Cause + +The ADInventory scan is misconfigured. The scan is unable to target host lists. + +## Troubleshooting + +- Verify the group membership of the affected share via **Resource Audit**. The ObjectSID value instead of the group name indicates that the ADInventory scan is unable to resolve the group name. Refer to the following article for additional information: Resource Audit Interface · v11.6. +- Review the `SA_ADInventory_GroupsView` in `1-AD_Scan` results. If the affected group is missing from the view, the ADInventory scan is unable to resolve the group name. + +## Resolution + +Refer to the following steps to resolve the issue: + +1. Verify the ADInventory scan is correctly set up to target appropriate domain controllers (DCs). Refer to the following article for additional information: Recommended Configurations for the .ADInvetory Solution · v11.6. +2. Verify the connection profile used has appropriate permissions. 
Refer to the following article for additional information: Active Directory Domain Target Requirements · v11.6. + +> **IMPORTANT:** If the host list or connection profile is not correctly configured, it may result in the ADInventory scan failing to retrieve group information. + +3. Update the ADInventory host list to target valid DCs. Ensure that the host list includes all relevant DCs where group information is stored. After updating the host list, trigger an ADInventory rescan to synchronize the group information. The rescan process will retrieve group information from the updated DCs and ensure that the group memberships are accurately reflected in AIC. Refer to the following article for additional information on updating the ADInventory host list: Recommended Configurations for the .AD Inventory Solution · v11.6. + +## Related Articles + +- Resource Audit Interface · v11.6 +- Recommended Configurations for the .ADInvetory Solution · v11.6 +- Active Directory Domain Target Requirements · v11.6 +- Recommended Configurations for the .AD Inventory Solution · v11.6 diff --git a/docs/kb/accessanalyzer/missing-icons-and-graphical-elements-in-access-analyzer-web-console.md b/docs/kb/accessanalyzer/missing-icons-and-graphical-elements-in-access-analyzer-web-console.md new file mode 100644 index 0000000000..099711a399 --- /dev/null +++ b/docs/kb/accessanalyzer/missing-icons-and-graphical-elements-in-access-analyzer-web-console.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Icons and graphical elements may not appear in the Netwrix Access Analyzer Web + Console. This article explains possible causes and shows how to restore icons + by checking browser extensions and excluding the console executable from + policies that block untrusted fonts. +keywords: + - icons + - web console + - untrusted fonts + - GPO + - registry + - StealthAUDIT.EXE + - MitigationOptions + - Netwrix Access Analyzer +products: + - access-analyzer +sidebar_label: Missing Icons and Graphical Elements in Access Ana +tags: [] +title: "Missing Icons and Graphical Elements in Netwrix Access Analyzer Web Console" +knowledge_article_id: kA04u00000111JzCAI +--- + +# Missing Icons and Graphical Elements in Netwrix Access Analyzer Web Console + +## Symptom + +You may see icons missing in the Netwrix Access Analyzer Web Console. + +## Causes + +- Local browser extensions are conflicting with the Netwrix Access Analyzer Web Console and are blocking the console elements. +- A GPO to block untrusted fonts is enforced. + +## Resolutions + +- Review the browser extensions blocking web fonts or JavaScript and disable them. +- Exclude Access Analyzer from the GPO blocking untrusted fonts: + + 1. In the Netwrix Access Analyzer server, open Registry Editor, and follow the key provided below: + + ```Registry + Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options + ``` + + 2. Right-click the **Image File Execution Options** node and select **New** > **Key**. Name the new key `StealthAUDIT.EXE`. + + 3. Right-click the `StealthAUDIT.EXE` key and select **New** > **QWORD (64-bit)**. Name the new value `MitigationOptions`. + + 4. Right-click the `MitigationOptions` value and select **Modify**. Verify the **Value data** field states Hexadecimal `2000000000000`. Click **OK** to save changes. 
+ + ![Registry screenshot](images/ka0Qk000000DZ6P_0EM4u000008Ma1V.png) + +### Related articles + +- [Block untrusted fonts in an enterprise ⸱ Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/block-untrusted-fonts-in-enterprise#fix-apps-having-problems-because-of-blocked-fonts) diff --git a/docs/kb/accessanalyzer/netwrix-threat-prevention-agent-not-processing-events.md b/docs/kb/accessanalyzer/netwrix-threat-prevention-agent-not-processing-events.md new file mode 100644 index 0000000000..6db9348c1f --- /dev/null +++ b/docs/kb/accessanalyzer/netwrix-threat-prevention-agent-not-processing-events.md 
@@ -0,0 +1,70 @@ +--- +description: >- + Explains symptoms, causes, and step-by-step resolutions for Netwrix Threat + Prevention agents that stop processing or lose events during high event + traffic, including log and policy tuning guidance. +keywords: + - threat prevention + - agent + - events + - LdapTrace + - logging.ini + - event queue overflow + - Agent Heartbeat + - EM performance +products: + - access-analyzer + - threat-prevention +sidebar_label: Netwrix Threat Prevention Agent Not Processing Eve +tags: [] +title: "Netwrix Threat Prevention Agent Not Processing Events" +knowledge_article_id: kA0Qk0000001vYvKAI +--- + +# Netwrix Threat Prevention Agent Not Processing Events + +## Related Query + +- At 6:13 am Monday, around 10,000 computers got deleted. SI is not showing these events, but Netwrix Access Analyzer (NEA) is showing them. + Then, on Jan 2nd, they deleted another 5,300 computers at around 10:37 am, and a lot of those are not showing up either, but NEA is able to see them. + +## Symptoms + +The following symptoms are present in your environment: + +- An influx of events occurs during high event traffic hours on any given Netwrix Threat Prevention (NTP) agent causing adverse performance issues. +- This results in the NTP agent not responding, leading to the agent either processing some events and losing others, or completely failing to process events altogether. +- You may also discover **Agent Heartbeat** alerts generating on the affected agent under the Alerts node in the NTP admin console. 
+ +## Cause + +This issue may be caused by any one of the following: + +- Large LDAP Trace logs +- Agents/Admin console left in Debug Mode +- A large quantity of events and types of events being captured by the NTP agent +- Machine performance and other operational loads occurring on the target machine +- Unfiltered LDAP Policies or other high event count generating policies, such as unfiltered Logon policies +- EM/SQL server performance that can hinder the events from being processed and cause events to pile up on the agent, leading to an agent queue overflow + +> NOTE: If the agent is generating large LDAP Trace Logs, verify that the `LdapTrace` is set to **False**. This can be found in the `logging.ini` file at this file path: +> +> `C:\Program Files\Netwrix\Netwrix Threat Prevention\SIWindowsAgent` +> +> ![Screenshot of logging ini file](images/ka0Qk000000Co13_0EMQk00000AJwk5.png) + +## Resolution + +To resolve this issue, refer to the following steps: + +1. Tune the NTP policies to collect and monitor only data that is considered important, while excluding anything that is not. Begin by following the Best Practices documentation: + - /docs/threat-prevention/7.4/threatprevention/troubleshooting +2. Perform mass deletion of AD objects in batches to mitigate the probability of an agent not responding or entering into an event queue overflow. +3. Schedule tasks that result in an abnormal amount of event traffic to be performed during off hours or low traffic periods. +4. Verify that the EM and agent log settings are set to **WARN**. +5. Verify that the `LdapTrace` is set to **False**. + +## Related Article + +- Best Practices and Troubleshooting + /docs/threat-prevention/7.4/threatprevention/troubleshooting diff --git a/docs/kb/accessanalyzer/opening-a-ticket.md b/docs/kb/accessanalyzer/opening-a-ticket.md new file mode 100644 index 0000000000..7d0bc9bd1f --- /dev/null +++ b/docs/kb/accessanalyzer/opening-a-ticket.md 
@@ -0,0 +1,101 @@ +--- +description: >- + Instructions for collecting logs and environment details when opening a + support ticket for Netwrix Auditor. Includes paths to console, published + reports, and job logs, plus how to find the product build number. +keywords: + - netwrix + - netwrix auditor + - logs + - support ticket + - job logs + - build number + - AIC + - messages table + - troubleshooting +products: + - access-analyzer +sidebar_label: Opening a Ticket +tags: [] +title: "Opening a Ticket" +knowledge_article_id: kA0Qk0000001TMXKA2 +--- + +# Opening a Ticket + +## Overview + +This article provides guidance on collecting logs and other relevant information when submitting a support ticket for Netwrix Auditor (NEA). + +## Instructions + +Follow the steps below to gather the necessary logs and details required for troubleshooting your NEA instance. + +### Logs + +Follow these steps to gather logs: + +- Depending on your current **AIC** version, refer to one of the following default paths: + + - AIC v11.5: + + ```text + C:\inetpub\wwwroot\StealthAUDIT Compliance\ + ``` + + - AIC v11.6: + + ```text + C:\Program Files\STEALTHbits\Access Information Center + ``` + +- Navigate to the following path to collect the **NEA Console logs**: + + ```text + %SAInstallDir%SADatabase\Logs\Application + ``` + +- Gather the **Published Reports logs** from the following path: + + ```text + %SAInstallDir%SADatabase\Logs\Web + ``` + +- Collect the **job logs** using one of the following methods: + + - On the home page of the job, click **View Log**, and save the log file. + + ![Job View Log screenshot](images/ka0Qk000000C8rR_0EMQk000007oXpZ.png) + + - Locate the **job logs** using the following path: + + ```text + %SAInstallDir%Jobs\%GROUP%\%JOB%\OUTPUT + ``` + + > **NOTE:** Replace `%GROUP%` and `%JOB%` with the appropriate values. 
For example, to locate logs for the `1-AD_Scan` job, use the following path: + > + > ```text + > %SAInstallDir%\Jobs\GROUP_.Active Directory Inventory\JOB_1-AD_Scan\OUTPUT + > ``` + + - In the **Navigation Pane**, right-click the job and select **Export**. In the new window, specify the components to export and proceed with the export. + + ![Export Job screenshot](images/ka0Qk000000C8rR_0EMQk000007oXrB.png) + +## Messages Table + +To export job errors and warnings from the **Messages table**, proceed to the **Navigation Pane**, right-click **%JOB%**\**Status**\**Messages** and select **Export** > **Export to XML**. + +## Product Build Number + +> **IMPORTANT:** Identifying your current NEA build helps determine whether the issue has already been addressed in a newer version. Follow the steps below to establish the build number in your NEA instance. + +- In NEA v11.5: + + - In **Control Panel**, open the **Programs and Features** menu. Locate the NEA line and review the **Version** column value. + - In the **Apps & Features** menu, highlight the NEA entry and review the version. + +- In NEA v11.6: + + - Navigate to **Help** > **About** in the top toolbar. diff --git a/docs/kb/accessanalyzer/out-of-scope_resources_still_appear_in_the_aic_or_reporting_console_after_scoping_changes.md b/docs/kb/accessanalyzer/out-of-scope_resources_still_appear_in_the_aic_or_reporting_console_after_scoping_changes.md new file mode 100644 index 0000000000..b87b1ad35c --- /dev/null +++ b/docs/kb/accessanalyzer/out-of-scope_resources_still_appear_in_the_aic_or_reporting_console_after_scoping_changes.md 
@@ -0,0 +1,40 @@ +--- +description: >- + This article explains how out-of-scope File System resources continue to appear in the Access Information Center (AIC) and reporting console after scoping changes, along with the steps to resolve this issue. +keywords: + - File System resources + - Access Information Center + - scoping changes +sidebar_label: Out-of-Scope Resources in AIC +tags: [] +title: "Out-of-Scope Resources Still Appear in the AIC or Reporting Console After Scoping Changes" +knowledge_article_id: kA0Qk0000002mDRKAY +products: + - access-analyzer +--- + +# Out-of-Scope Resources Still Appear in the AIC or Reporting Console After Scoping Changes + +## Symptom + +File System resources that were previously scanned and imported continue to appear in the database, even after scoping options have been updated to exclude them. These resources do not show up in new FSAA/SEEK scans but still exist in the backend database, causing them to still show in the Access Information Center (AIC) and reports. + +## Cause + +Scoping options are applied at the time of a scan and are used to determine which resources are included/excluded in that specific FSAA/SEEK scan. If a resource was imported before the scoping rules were put in place, it remains in the database, regardless of whether it is currently in scope. + +## Resolution + +If you no longer want to retain or see data for out-of-scope resources: + +1. **Delete all File System data** for the specific host from the database. + - See the following article for instructions to drop data for a specific file server: [Dropping File System Data](/docs/kb/activitymonitor/dropping_file_system_data). + +2. **Rescan the host** with the updated scoping rules in place. + - This will ensure that only resources matching the current scoping criteria are imported and retained going forward. 
+ +> **NOTE:** While out-of-scope resources remain in the database, they will not be included in future scans or updated during bulk imports unless brought back into scope. + +## Related Link + +- [Dropping File System Data](/docs/kb/activitymonitor/dropping_file_system_data) \ No newline at end of file diff --git a/docs/kb/accessanalyzer/overlapping-words-in-reporting.md b/docs/kb/accessanalyzer/overlapping-words-in-reporting.md new file mode 100644 index 0000000000..175f120b46 --- /dev/null +++ b/docs/kb/accessanalyzer/overlapping-words-in-reporting.md @@ -0,0 +1,45 @@ +--- +description: >- + Netwrix Access Analyzer reports can display overlapping words when Internet + Explorer scripting is disabled. This article explains how to enable Active + Scripting in Internet Explorer to resolve the issue. +keywords: + - overlapping words + - reporting + - Internet Explorer + - Active Scripting + - Netwrix Access Analyzer + - IE scripting + - report display +products: + - access-analyzer +sidebar_label: Overlapping Words in Reporting +tags: [] +title: "Overlapping Words in Reporting" +knowledge_article_id: kA04u0000000IOxCAM +--- + +# Overlapping Words in Reporting + +## Summary +**Overlapping Words in Reporting** + +## Issue +Reporting is hard to read because words are overlapping. + +## Instructions +The problem is the Scripting for IE is disabled. + +### Enable IE Scripting +1. Run IE and go to **Internet Options** +2. Click on the **Security** tab +3. Highlight **Internet** and click **Custom Level** +4. Scroll down and look for **Active Scripting** +5. Put the bubble on **Enabled** +6. Click **OK** to get out and re-run the report + +## Module and Versions +- Module: Netwrix Access Analyzer - Reporting +- Versions: 6.3 and Older +- Resolved In: 7.0 +- Salesforce Article ID: 000001028 
diff --git a/docs/kb/accessanalyzer/powershell_modules_required_for_o365_configuration.md b/docs/kb/accessanalyzer/powershell_modules_required_for_o365_configuration.md new file mode 100644 index 0000000000..d47834178e --- /dev/null +++ b/docs/kb/accessanalyzer/powershell_modules_required_for_o365_configuration.md @@ -0,0 +1,57 @@ +--- +description: >- + This article outlines the required PowerShell modules and PackageProviders for configuring Entra, Exchange Online, and SharePoint Online auditing with Access Analyzer. +keywords: + - PowerShell + - Exchange Online + - SharePoint Online + - Entra + - Access Analyzer +sidebar_label: PowerShell Modules for O365 Configuration +tags: [] +title: "PowerShell Modules Required for O365 Configuration" +knowledge_article_id: kA0Qk0000001i3pKAA +products: + - access-analyzer +--- + +# PowerShell Modules Required for O365 Configuration + +## Question + +What PowerShell Modules and PackageProviders are required to use the below instant jobs for setting up Entra, Exchange Online, and SharePoint Online auditing with Access Analyzer? + +- AADI_RegisterAzureAppAuth +- SP_RegisterAzureAppAuth +- EX_RegisterAzureAppAuth + +## Answer + +The following PowerShell Modules and PackageProviders are required for their respective Instant Job: + +### AADI_RegisterAzureAppAuth + +- PowerShellGet +- NuGet +- Az.Accounts +- Microsoft.Graph + +### EX_RegisterAzureAppAuth + +- AzureAD +- ExchangeOnlineManagement + +### SP_RegisterAzureAppAuth + +- AzureAD + +**To install these modules and package providers, the following commands can be run in an Admin PowerShell:** + +```powershell +Install-Module -Name PowerShellGet -Force +Install-PackageProvider -Name NuGet -Force +Install-Module -Name Az.Accounts -Force +Install-Module -Name Microsoft.Graph -Force +Install-Module -Name AzureAD -Force +Install-Module -Name ExchangeOnlineManagement -Force +``` \ No newline at end of file 
diff --git a/docs/kb/accessanalyzer/remove-domain-audit-data-from-reports-drop-domains.md b/docs/kb/accessanalyzer/remove-domain-audit-data-from-reports-drop-domains.md new file mode 100644 index 0000000000..8a72acdfd8 --- /dev/null +++ b/docs/kb/accessanalyzer/remove-domain-audit-data-from-reports-drop-domains.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Explains how to remove audit data for a decommissioned or excluded domain by + using the Drop Domain task in Netwrix Auditor to delete the related data from + your SQL Server. +keywords: + - drop domain + - domain audit + - AD inventory + - ADINVENTORY + - Netwrix Auditor + - SQL Server + - remove domain data + - create job +products: + - access-analyzer +sidebar_label: Remove Domain Audit Data from Reports − Drop Domai +tags: [] +title: "Remove Domain Audit Data from Reports − Drop Domains" +knowledge_article_id: kA0Qk0000000R3RKAU +--- + +# Remove Domain Audit Data from Reports − Drop Domains + +## Related Query + +- “Why is data from an old, removed domain still appearing in tables and reports?” + +## Overview + +In case a domain was decommissioned or excluded from the monitoring scope, the Netwrix Auditor reports may still contain audit data for the domain. This article lists the steps to implement the **Drop Domain** task to remove the related domain data from your SQL Server. + +## Instructions + +> **TIP:** You can create a separate folder (e.g., called **Sandbox**) for custom Jobs. + +1. Right-click the custom or **Jobs** folder and select **Create Job**. +2. Navigate to the **Configure** node and select the **Queries** node. +3. Click the **Create Query** button. +4. In the **General** tab, specify the **AD Domain Drop** name in the **Name** field. +5. In the **Data Source** tab, specify `ADINVENTORY` in the **Data Collector** drop-down menu. +6. Click **Configure** to launch Active Directory Inventory DC Wizard. +7. In the **Category** page, select the **Drop Domain** task and click **Next**. +8. In the **Domains** page, select the domains you would like to drop the AD data from. +9. Proceed with the wizard steps and save the configuration. +10. In the **Hosts** node, select the **Local host** checkbox to save the changes. +11. Run the job to drop the target domains. 
+ +> **NOTE:** To update the AD reports results, re-run the reports. diff --git a/docs/kb/accessanalyzer/remove-stale-hosts-from-access-analyzer-console.md b/docs/kb/accessanalyzer/remove-stale-hosts-from-access-analyzer-console.md new file mode 100644 index 0000000000..8b183516bd --- /dev/null +++ b/docs/kb/accessanalyzer/remove-stale-hosts-from-access-analyzer-console.md 
@@ -0,0 +1,124 @@ +--- +description: >- + Scripts to automatically remove stale hosts from Netwrix Access Analyzer host + lists and console to reduce reporting clutter and remove the "Licensed host + count exceeded" banner. +keywords: + - stale hosts + - purge hosts + - Netwrix Access Analyzer + - HostListsContentTbl + - SA_HostMasterTbl + - LastLogonTimestamp + - LastOnline + - SQL script + - licensed host count +products: + - access-analyzer +sidebar_label: Remove Stale Hosts from Access Analyzer Console +tags: [] +title: "Remove Stale Hosts from Access Analyzer Console" +knowledge_article_id: kA04u0000000IzUCAU +--- + +# Remove Stale Hosts from Access Analyzer Console + +## Summary +Stale hosts clutter reporting and show the "Licensed host count exceeded" banner. + +## Issue +This article describes how to automatically remove (purge) stale hosts from target host lists and the Netwrix Access Analyzer console based on staleness. The stale hosts are defined by their existence in the `#tmp` temp table. + +Two versions are shown below. The first is more complex because it supports multiple consoles and will only purge hosts from the Access Analyzer console specified in the `@SA_Host` variable. The second will purge from all consoles. + +Standard criteria that define a stale host in these scripts are either that the AD Object has a `LastLogonTimestamp` older than 90 days, or that the `LastOnline` value for the host in Host Management is older than 90 days. + +NOTE: This is designed to work for short names, and will not work for FQDNs without further modifications. 
+ +## SQL: Multi-console (only purge from the specified console) +```sql +--define Access Analyzer host so we don't delete from other consoles +declare @SA_Host varchar(64) +set @SA_Host='YourSAHostName' + +--find stale computer objects based on AD or LastOnline in Host Inventory +select name, hostid +into #tmp +from SA_HostMasterTbl +where Name in ( + select substring(SamAccountName, 1, len(samaccountname)-1) + from SA_ADInventory_ComputersView + where LastLogonTimestamp (getdate()-90) +) +or LastOnline (getdate()-90) + +--make hosts no longer visible in the console +delete from HostMaster_SANodeFilter +where HostID in (select hostID from #tmp) and SA_Node=@SA_Host + +--delete from all host lists in the console +delete HLC +from HostListsContentTbl HLC +inner join HostListsTbl HLT + on HLT.listID=HLC.listID and HLT.SA_Node=@SA_Host +where HLC.hostid in (select hostID from #tmp) + +--delete host from host master table if it's not referenced anywhere else +delete from SA_HostMasterTbl +where HostID in ( + select hostid + from SA_HostMasterTbl HMT + where hostid in (select hostid from #tmp) + --it's been identified as stale + and not exists ( + select null from HostMaster_SANodeFilter SANF + where SANF.hostID=HMT.hostID and SANF.SA_Node=@SA_Host + ) --it's not visible in any other consoles + and not exists ( + select null from HostListsContentTbl HLC -- it's not in any host lists on any other consoles + inner join HostListsTbl HLT + on HLT.listID=HLC.listID AND HLT.SA_Node=@SA_Host + where HLC.hostID=HMT.hostID + ) +) + +drop table #tmp +``` + +## Instructions (Single-console scenario) +Assuming you only have one console, this gets considerably easier. The script below assumes a single console and will purge stale hosts accordingly. Just edit the criteria as you wish in the population of `#tmp`. 
+ +```sql +--find stale computer objects based on AD or LastOnline in Host Inventory +select name, hostid +into #tmp +from SA_HostMasterTbl +where Name in ( + select substring(SamAccountName, 1, len(samaccountname)-1) + from SA_ADInventory_ComputersView + where LastLogonTimestamp (getdate()-90) +) +or LastOnline (getdate()-90) + +--make hosts no longer visible in the console +delete from HostMaster_SANodeFilter +where HostID in (select hostID from #tmp) and SA_Node=@SA_Host + +--delete from all host lists in the console +delete from HostListsContentTbl +where hostid in (select hostID from #tmp) + +--delete host from host master table if it's not referenced anywhere else +delete from SA_HostMasterTbl +where HostID in (select hostid from #tmp) --it's been identified as stale + +drop table #tmp +``` + +Just edit the population criteria of `#tmp` as needed. + +## Product +Product: Netwrix Access Analyzer +Module: Netwrix Access Analyzer - Core +Versions: 6.3+ +Legacy Article ID: 2291 diff --git a/docs/kb/accessanalyzer/reports-not-visible-or-name-truncated-after-publishing-in-custom-job-or-group.md b/docs/kb/accessanalyzer/reports-not-visible-or-name-truncated-after-publishing-in-custom-job-or-group.md new file mode 100644 index 0000000000..2f1ef8b0fc --- /dev/null +++ b/docs/kb/accessanalyzer/reports-not-visible-or-name-truncated-after-publishing-in-custom-job-or-group.md 
@@ -0,0 +1,45 @@ +--- +description: >- + When you publish reports for a custom job or group in Netwrix Access Analyzer, + the report may not appear in the reporting web interface or its name may be + truncated if the job or group name ends with the word Jobs or _Jobs. +keywords: + - Netwrix Access Analyzer + - reports + - publishing + - custom job + - group + - truncation + - Jobs + - reporting web interface +products: + - access-analyzer +sidebar_label: Reports Not Visible or Name Truncated After Publis +tags: [] +title: "Reports Not Visible or Name Truncated After Publishing in Custom Job or Group" +knowledge_article_id: kA0Qk00000023ufKAA +--- + +# Reports Not Visible or Name Truncated After Publishing in Custom Job or Group + +## Symptoms + +When creating a report for a custom job or group, the following issues are present in your environment: + +- The custom job or group name appears normally in the **Netwrix Access Analyzer** console. + ![](images/ka0Qk000000CW0v_0EMQk00000AxazR.png) +- After publishing the report, it does not appear in the reporting web interface. +- The custom job or group name is truncated in the reporting web interface. + ![](images/ka0Qk000000CW0v_0EMQk00000Axnrl.png) + +## Cause + +Netwrix Access Analyzer truncates `Jobs` or `_Jobs` from the end of all job and/or group names. The truncated name then gets displayed in the Reporting console, and settings for published reports in this group may be unpredictably affected. + +## Resolution + +To correct the issue, rename any custom job or group currently using the word `Jobs` to something that does not include the word `Jobs` to prevent truncation. + +1. In the **Netwrix Access Analyzer** console, locate the custom job or group whose name ends with `Jobs` or `_Jobs`. +2. Rename the job or group so the name does not include `Jobs` (for example, change `Accounting Jobs` to `Accounting Tasks`). +3. 
Republish the report and verify the report appears and the name displays correctly in the reporting web interface. diff --git a/docs/kb/accessanalyzer/resetting-the-aic-administrator-password.md b/docs/kb/accessanalyzer/resetting-the-aic-administrator-password.md new file mode 100644 index 0000000000..6f0dc59b47 --- /dev/null +++ b/docs/kb/accessanalyzer/resetting-the-aic-administrator-password.md 
@@ -0,0 +1,61 @@ +--- +description: >- + This article describes how to reset the Access Information Center (AIC) + Built-In Administrator password, with steps for when you have access to + another AIC administrator and when you do not. +keywords: + - AIC + - Built-In Administrator + - password reset + - Access Information Center + - Services.msc + - AuthBuiltinAdminPassword3 + - AccessInformationCenter.Service.exe.Config + - Admin + - sb +products: + - access-analyzer + - access_info_center +sidebar_label: Resetting the AIC Administrator Password +tags: [] +title: "Resetting the AIC Administrator Password" +knowledge_article_id: kA0Qk0000001lCzKAI +--- + +# Resetting the AIC Administrator Password + +## Question + +How can you reset the password for the Access Information Center (AIC) Built-In Administrator account? + +## Answer + +### With Access to Another Administrator in AIC + +If you have access to another Administrator within the AIC, follow the steps below to reset the Built-In Administrator password: + +1. Log in to the AIC. +2. Navigate to **Configure Console**. +3. Modify the Built-In Administrator, as shown below: + +![Modify Built-In Administrator](images/ka0Qk000000EatF_0EMQk000009FrLO.png) + +### Without Access to Another Administrator in AIC + +If you do not have access to another AIC Administrator account, perform the following steps to reset the password using the AIC configuration file: + +> **NOTE:** The default AIC Configuration file path is `\Program Files\STEALTHbits\Access Information Center\AccessInformationCenter.Service.exe.Config`. + +1. Open the file as an administrator and remove the hash between " " for the **AuthBuiltinAdminPassword3 key**: + + ![Remove hash for AuthBuiltinAdminPassword3](images/ka0Qk000000EatF_0EMQk000009FkN9.png) + +2. Restart the Netwrix AIC service in `Services.msc`. + +3. Open the AIC and log in using the default AIC Built-in Administrator credentials: + - **Username**: `Admin` + - **Password**: `sb` + +4. 
You will then be prompted to enter a new password for the AIC Built-in Administrator. + +> **NOTE:** Prior to v11.6, a password reset will not be prompted. It is recommended that you change the password or disable this account. diff --git a/docs/kb/accessanalyzer/resolving-insecure-permissions-for-service-executables.md b/docs/kb/accessanalyzer/resolving-insecure-permissions-for-service-executables.md new file mode 100644 index 0000000000..7bf0829969 --- /dev/null +++ b/docs/kb/accessanalyzer/resolving-insecure-permissions-for-service-executables.md 
@@ -0,0 +1,54 @@ +--- +description: >- + Explains how to resolve insecure permissions on Windows service executables + used by Netwrix Access Analyzer to prevent privilege escalation. Includes + steps to review and remove excessive file permissions for service executables. +keywords: + - insecure permissions + - service executables + - privilege escalation + - Netwrix Access Analyzer + - VaultService.exe + - WebServer.exe + - '%stealthaudit%' + - Users group +products: + - access-analyzer +sidebar_label: Resolving Insecure Permissions for Service Executa +tags: [] +title: "Resolving Insecure Permissions for Service Executables" +knowledge_article_id: kA0Qk0000001oArKAI +--- + +# Resolving Insecure Permissions for Service Executables + +## Overview + +This article explains how to resolve insecure permissions for Windows service executables in Netwrix Access Analyzer. Services using executables with weak permissions are at risk of privilege escalation attacks. An unprivileged user could modify or overwrite the executable with arbitrary code, which would then execute the next time the service starts. + +This issue occurs when groups such as `Users` have modify or write access to service executables, and the **Access** node in the Global Settings controls these permissions. You should check permissions both before and after installation to ensure no changes have been made and proper permissions are in place. + +In Netwrix Access Analyzer, the `Users` group does not have **Full Control** over these files (`WebServer.exe` or `VaultService.exe`) by default. Permissions are only assigned if configured manually under **Settings** > **Access**. 
+ +Examples of insecure permissions include: + +- Path: `%stealthaudit%\vaultservice.exe` + Used by services: Netwrix Access Analyzer Vault + File write allowed for groups: `Users` (S-1-5-32-545) + +- Path: `%stealthaudit%\web\webserver.exe` + Used by services: Netwrix Access Analyzer Web + File write allowed for groups: `Users` (S-1-5-32-545) + +## Instructions + +Follow the steps below to resolve this issue: + +1. To review the permissions for the service executables identified by the security scanner, navigate to the affected file path. For example, `WebServer.exe` or `VaultService.exe`. +2. Right-click the file, select **Properties** and review the **Security** tab. +3. Remove permissions for groups such as `Users` (S-1-5-32-545) to ensure they cannot modify or write to these files. +4. Ensure groups like `Users` do not have **Full Control** over directories containing these service executables. + +> **NOTE:** This approach ensures secure operation and mitigates the risk of privilege escalation. + +![Screenshot showing the Member Type configuration in Netwrix Access Analyzer settings](images/ka0Qk000000E7EX_0EMQk00000CHoHe.png) diff --git a/docs/kb/accessanalyzer/restoring-a-host-list-in-fsaa.md b/docs/kb/accessanalyzer/restoring-a-host-list-in-fsaa.md new file mode 100644 index 0000000000..e478289d8c --- /dev/null +++ b/docs/kb/accessanalyzer/restoring-a-host-list-in-fsaa.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Shows how to restore a File System host list after accidental deletion in + Netwrix Auditor by using the FSAA job output file or Task Stats, and how to + reapply the host list to job settings. +keywords: + - host list + - FSAA + - ConnectStatus.csv + - Add Hosts + - Task Stats + - restore hosts + - Netwrix Auditor + - File System + - host import +products: + - access-analyzer +sidebar_label: Restoring a Host List in FSAA +tags: [] +title: "Restoring a Host List in FSAA" +knowledge_article_id: kA0Qk0000001ODBKA2 +--- + +# Restoring a Host List in FSAA + +## Question + +Is it possible to restore a File System host list upon an accidental deletion in Netwrix Auditor? + +## Answer + +Refer to the following options to restore a host list in your environment: + +- The `1-FSAA System Scans` job creates a `ConnectStatus.csv` file upon completion to log the audited hosts. Navigate to the following path to locate the file: + +```text +%SAINSTALLDIR%Jobs\GROUP_FileSystem\GROUP_0.Collection\JOB_1-FSAA System Scans\OUTPUT +``` + +Import a list of audited hosts via **Add Hosts**. Refer to the following articles for additional information: /docs/auditor/11.6/enterpriseauditor/admin-guide/hostmanagement/actions (Host Management Activities — Add Hosts · v11.6); /docs/auditor/11.6/enterpriseauditor/admin-guide/hostmanagement/actions (Import Hosts Option). + +- Review the **Task Stats** of the affected job to collect the list of servers and import the list via **Add Hosts**. + +> **IMPORTANT:** Once you recreate the host list, reapply it in the job settings. + +## Related Articles + +- /docs/auditor/11.6/enterpriseauditor/admin-guide/hostmanagement/actions (Host Management Activities — Add Hosts · v11.6) +- /docs/auditor/11.6/enterpriseauditor/admin-guide/hostmanagement/actions (Import Hosts Option) 
diff --git a/docs/kb/accessanalyzer/retirement-of-rbac-application-impersonation-in-exchange-online.md b/docs/kb/accessanalyzer/retirement-of-rbac-application-impersonation-in-exchange-online.md new file mode 100644 index 0000000000..1e7c0cb3d3 --- /dev/null +++ b/docs/kb/accessanalyzer/retirement-of-rbac-application-impersonation-in-exchange-online.md @@ -0,0 +1,34 @@ +--- +description: >- + Explains that the retirement of RBAC application impersonation in Exchange + Online does not affect Netwrix Access Analyzer, which uses a service principal + to access Exchange Online. +keywords: + - RBAC + - application impersonation + - Exchange Online + - service principal + - Netwrix Access Analyzer + - Enterprise Auditor + - retirement +products: + - access-analyzer +sidebar_label: Retirement of RBAC Application Impersonation in Ex +tags: [] +title: "Retirement of RBAC Application Impersonation in Exchange Online" +knowledge_article_id: kA0Qk0000001q4bKAA +--- + +# Retirement of RBAC Application Impersonation in Exchange Online + +## Question + +Will the retirement of role-based access control (RBAC) application impersonation in Exchange Online affect Netwrix Access Analyzer? + +## Answer + +No, this change does not impact Netwrix Access Analyzer. It continues to access Exchange Online via a service principal, which does not rely on RBAC application impersonation. + +## Related Article + +- [**Retirement of RBAC Application Impersonation in Exchange Online – Microsoft**](https://techcommunity.microsoft.com/t5/exchange-team-blog/retirement-of-rbac-application-impersonation-in-exchange-online/ba-p/4062671) diff --git a/docs/kb/accessanalyzer/scanning-multiple-microsoft-entra-tenants.md b/docs/kb/accessanalyzer/scanning-multiple-microsoft-entra-tenants.md new file mode 100644 index 0000000000..a46e85de67 --- /dev/null +++ b/docs/kb/accessanalyzer/scanning-multiple-microsoft-entra-tenants.md 
@@ -0,0 +1,61 @@ +--- +description: >- + How to set up Netwrix Access Analyzer to target multiple Microsoft Entra + tenants for the AADInventory job, by creating separate connection profiles and + duplicated scan jobs. +keywords: + - Microsoft Entra + - Azure AD + - AADInventory + - Netwrix Access Analyzer + - multi-tenant + - connection profile + - AAD Scan + - Azure AD Inventory +products: + - access-analyzer +sidebar_label: Scanning Multiple Microsoft Entra Tenants +tags: [] +title: "Scanning Multiple Microsoft Entra Tenants" +knowledge_article_id: kA04u0000000IhiCAE +--- + +# Scanning Multiple Microsoft Entra Tenants + +## Summary +How to set up Netwrix Access Analyzer to target multiple Microsoft Entra tenants for the AADInventory job. + +## Issue +In order for Netwrix Access Analyzer to be able to inventory Azure AD you require an APP ID and Key pair for the Connection Profile. This key pair is generated when adding a webapp in the Microsoft Entra ID portal (please see the Netwrix Access Analyzer user guide for more information). The limitation here is that Netwrix Access Analyzer has no way of knowing which Tenant to apply the key to; as a result you cannot add multiple accounts to a single Connection Profile. The instructions below describe how to split the collection to enable multi-tenant scanning. + +## Instructions +Azure AD Inventory job consists of the following: + +- 2 Jobs + - 1-AAD Scan + - Single query which uses the AADI data collector + - 6 SQL analysis which import SQL functions and create the underlining views/tables + - 1 Report which is a summary report. + - 2-AAD Exceptions + - 9 SQL analysis which create exception views for toxic conditions in AAD. + +The only part of the solution that we are interested in is job `1-AAD Scan`. To allow you to collect data on multiple tenants you need to create a connection profile for each Tenant. Once this has been completed, take a copy of the `1-AAD Scan` job and append the tenant name at the end. 
Uncheck all the analysis from the copied jobs, leaving the analysis enabled for the last job in the tree. + +Example: +- `1-AAD Scan_a` (has analysis unchecked) +- `1-AAD Scan_z` (has analysis checked) + +1. Create a connection profile for each Microsoft Entra tenant you want to scan. +2. Copy the `1-AAD Scan` job for each tenant and rename each copy to append the tenant name (for example, `1-AAD Scan_a`, `1-AAD Scan_z`). +3. In each copied job except the final one, uncheck all analysis so they do not run. Leave the analysis checked only on the final job in the sequence. +4. Assign the correct connection profile to the matching `1-AAD Scan` job: + - Right-click the job -> **Job Properties** -> **Connection**, and select the appropriate connection profile. +5. Schedule the solution to run as normal. + +Because the AAD Scan appends the data to the core tables you are able to separate the jobs in this fashion. The subsequent analysis reviews the tables and combines all info. The summary reports will show all domains scanned as normal. + +## Product +- Product: Netwrix Access Analyzer +- Module: Access Analyzer - DC - AzureADInventory +- Versions: 7.0+ +- Legacy Article ID: 2164 diff --git a/docs/kb/accessanalyzer/scheduled-tasks-not-running-in-windows.md b/docs/kb/accessanalyzer/scheduled-tasks-not-running-in-windows.md new file mode 100644 index 0000000000..60ce457cfc --- /dev/null +++ b/docs/kb/accessanalyzer/scheduled-tasks-not-running-in-windows.md 
@@ -0,0 +1,68 @@ +--- +description: >- + This article describes how to troubleshoot Netwrix Access Analyzer scheduled + tasks that do not run at their scheduled times on Windows. It covers + reproducing the issue, checking Event Viewer, and verifying permissions, + console access, database access, and filesystem access. +keywords: + - scheduled tasks + - Task Scheduler + - Windows Event Viewer + - Netwrix Access Analyzer + - Log On As Batch Job + - permissions + - '%SAINSTALLDIR%SADatabase\Logs\Application' + - 'C:\windows\tasks' + - 'C:\windows\system32\tasks' +products: + - access-analyzer +sidebar_label: Scheduled Tasks Not Running in Windows +tags: [] +title: "Scheduled Tasks Not Running in Windows" +knowledge_article_id: kA04u0000000I7rCAE +--- + +# Scheduled Tasks Not Running in Windows + +## Overview + +This article describes how to troubleshoot Netwrix Access Analyzer tasks not initiating at scheduled times. + +## Instructions + +To troubleshoot Netwrix Access Analyzer/Windows Task Scheduler issues, follow the steps below: + +### Re-create the issue: + +1. Open the **Netwrix Access Analyzer Console**. +2. Click **Schedules**. +3. Right-click on a job (preferably one that runs quickly) and select **Run**. +4. Right-click the **job** and select **Open Task Scheduler**. +5. Locate the job within Windows Task Scheduler and check to see if the job is running. +6. If the task is not running, start the task in the Task Scheduler. +7. Click **History** and check for errors or warnings. + +### Determine the issue with Windows Event Viewer: + +Open **Windows Event Viewer** > Click **Applications and Services Logs** > **Netwrix Access Analyzer** > look in the timeframe of the above job. If errors/warnings are seen, here is what to check: + +### 1. 
Permissions Check + +Navigate to **Netwrix Access Analyzer** > **Settings** > **Schedule** and ensure the user in this job has the following permissions: + +- Is in the Local Administrators group for the Netwrix Access Analyzer Server. +- Has the appropriate security rights: + - Go to **Administrative Tools** > **Local Security Policy** > **Local Policies** > **User Rights Assignment** > **Log On As Batch Job** + - GPO: `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log On As Batch Job` + +### 2. Console Administrators Group + +If the error in the Netwrix Access Analyzer logs located in ` %SAINSTALLDIR%SADatabase\Logs\Application` states that `User is not a member of the console administrators group`, add the user to the Administrator role by navigating to **Netwrix Access Analyzer** > **Settings** > **Access** and add the user to the Administrator role of the console access. + +### 3. Database Access + +If there are database access errors, ensure that the user is in the **Settings** > **Storage** group to access the database, add them as in step 1. + +### 4. Filesystem Access + +If there are file system access errors, ensure that the schedule user has at least Read/Write/Create access to the `C:\windows\tasks` and `C:\windows\system32\tasks` folders. diff --git a/docs/kb/accessanalyzer/several-sql-database-servers-experience-failed-scans.md b/docs/kb/accessanalyzer/several-sql-database-servers-experience-failed-scans.md new file mode 100644 index 0000000000..8ae8f4f240 --- /dev/null +++ b/docs/kb/accessanalyzer/several-sql-database-servers-experience-failed-scans.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Several SQL database servers report failed scans with an INSERT NULL error in + collection jobs due to insufficient service account privileges or dynamic host + list additions; this article explains the symptom, possible causes, and + resolution steps. +keywords: + - SQL + - failed scans + - VIEW ANY DEFINITION + - service account + - permissions + - collection jobs + - Netwrix Auditor + - database servers +products: + - access-analyzer +sidebar_label: Several SQL Database Servers Experience Failed Sca +tags: [] +title: "Several SQL Database Servers Experience Failed Scans" +knowledge_article_id: kA0Qk0000000aMrKAI +--- + +# Several SQL Database Servers Experience Failed Scans + +## Symptom + +Several SQL database servers are experiencing failed scans, with collection jobs showing the following error: + +```text +(0x80131904): Cannot insert the value NULL into column 'member_principal', table column does not allow nulls. INSERT fails. The statement has been terminated. +``` + +## Cause + +Refer to the possible causes: + +1. Insufficient privileges of the service account (e.g., the service account lacks **VIEW ANY DEFINITION** permission on the master database), particularly when SQL servers are added dynamically to host lists. +2. Some SQL servers being dynamically added to host lists, leading to errors possibly caused by service account privileges not being properly configured. These errors occur intermittently, which is expected given the dynamic nature of the environment. + +## Resolution + +Ensure that the service account has the necessary privileges, including **VIEW ANY DEFINITION** on the master database. This permission allows the account to view the definition of any object in the SQL server instance. 
+ +While permissions requirements are outlined in existing documentation, for further guidance and troubleshooting, please refer to the following article: /docs/auditor/11.5/access Analyzer/Solutions/SQL_Solution.htm#permissions + +(Reference: Netwrix Auditor documentation linked above.) + +## Related articles + +- /docs/auditor/11.5/access Analyzer/Solutions/SQL_Solution.htm#permissions diff --git a/docs/kb/accessanalyzer/support-for-historical-data-retention-in-access-analyzer-jobs.md b/docs/kb/accessanalyzer/support-for-historical-data-retention-in-access-analyzer-jobs.md new file mode 100644 index 0000000000..0e65fb38f5 --- /dev/null +++ b/docs/kb/accessanalyzer/support-for-historical-data-retention-in-access-analyzer-jobs.md 
@@ -0,0 +1,112 @@ +--- +description: >- + Describes which Netwrix Access Analyzer solutions and Jobs support historical + data retention and how to adjust retention settings for supported Jobs. +keywords: + - historical data retention + - Netwrix Access Analyzer + - retention settings + - EX_MetricsCollection + - FSAC + - SPAC + - ActivityScan + - Job Group + - EX_Mailflow +products: + - access-analyzer +sidebar_label: Support for Historical Data Retention in Access An +tags: [] +title: "Support for Historical Data Retention in Access Analyzer Jobs" +knowledge_article_id: kA0Qk0000000QlhKAE +--- + +# Support for Historical Data Retention in Access Analyzer Jobs + +## Overview + +Depending on the needs, the historical data retention option can be set up in Netwrix Access Analyzer to allow an in-depth analysis of historical data in your environment. This article lists solutions and Jobs that do and do not support data retention. + +## Supported solutions + +> **IMPORTANT:** Enabling the data retention option in unsupported solutions may cause issues related to data analysis and reporting. + +- Exchange Solution + + 1. **HUB Metrics Job Group** − **0.Collection Job Group** + + The default History Retention setting is set to 6 months for both `EX_MetricsCollection` and `EX_MetricsDetail` Jobs. To adjust it, modify the **SET HISTORY RETENTION** analysis task for the corresponding job. This can be configured for months or days. + + ![histRetention](images/ka0Qk000000DYzx_0EMQk000002q3VJ.png) + + 2. **CAS Metrics Job Group** − **ActiveSync Job Group** − **EX_ActiveSync Job** + + The default History Retention setting is set to 6 months. To adjust it, modify the **SET HISTORY RETENTION** analysis task for the job. + + 3. **CAS Metrics Job Group** − **Outlook Web Access Job Group** − **EX_OWATraffic Job** + + The default History Retention setting is set to 6 months. To adjust it, modify the **SET HISTORY RETENTION** analysis task for the job. + + 4. 
**Databases Job Group** − **EX_DBSizing Job** + + The default History Retention setting is set to 6 months. To adjust it, modify the **SET HISTORY RETENTION** analysis task for the job. + + 5. **Mailboxes Job Group** − **Logons Job Group** − **EX_MailboxLogons Job** + + The default History Retention setting is set to 6 months. To adjust it, modify the **SET HISTORY RETENTION** analysis task for the job. + + 6. **Mailboxes Job Group** − **Sizing Job Group** − **EX_MailboxSizes Job** + + The default History Retention setting is set to 6 months. To adjust it, modify the **SET HISTORY RETENTION** analysis task for the job. + + 7. **Public Folders Job Group** − **Growth and Size Job Group** − **PF_FolderSize Job** + + The default History Retention setting is set to 6 months. To adjust it, modify the **SET HISTORY RETENTION** analysis task for the job. + + 8. **Exchange Online Job Group** > **Mailflow Job Group** > **EX_Mailflow Job** + + The default History Retention setting is set to 6 months. To adjust it, modify the **SET HISTORY RETENTION** analysis task for the job. + +- File System Solution + + > **IMPORTANT:** To adjust the retention period for the File System Activity (FSAC) historical data, use the **Activity Settings** page of the 1-FSAC System Scan Job. Refer to the following article for additional information: /docs/auditor/11.6/enterpriseauditor/solutions/filesystem/collection + + - **4.Content Job Group** + + The historical data retention is optional for Jobs in the group. Turning the **History** option on or off will not affect analysis tasks or reporting. To adjust the retention settings, right-click Job > select **Properties** > select the **History** tab. + + - **6.Probable Owner Job Group** + + The historical data retention is optional for Jobs in the group. Turning the **History** option on or off will not affect analysis tasks or reporting. To adjust the retention settings, right-click Job > select **Properties** > select the **History** tab. 
+ +- SharePoint Solution + + To adjust the retention period for the SharePoint Activity historical data, use the **Activity Date Scope** page of the SPAC System Scan. Refer to the following article for additional information: /docs/auditor/11.6/enterpriseauditor/admin-guide/datacollector/spaa + +- Databases Solutions + + To adjust the retention period for the Database Activity historical data, use the **Options** page of the corresponding ActivityScan Job. This option is currently available only in SQL and AzureSQL instances. Refer to the following articles for additional information: + - /docs/auditor/11.6/enterpriseauditor/solutions/databases/sql/collection + - /docs/auditor/11.6/enterpriseauditor/solutions/databases/azuresql/collection + +## Solutions not yet supported + +> **IMPORTANT:** Enabling the data retention option in unsupported solutions may cause issues related to data analysis and reporting. + +The following solutions do not yet support any historical data retention: + +- Inventories (Active Directory, Entra ID, NIS). +- Active Directory. +- Active Directory Permissions Analyzer. +- AnyID Connectors. +- AWS. +- Box. +- Dropbox. +- Entra ID. +- Unix. + +## Related articles + +- /docs/auditor/11.6/enterpriseauditor/solutions/filesystem/collection — 0.Collection Job Group − 1-FSAC System Scans Job · v11.6 +- /docs/auditor/11.6/enterpriseauditor/admin-guide/datacollector/spaa — SharePointAccess Data Collector − Activity Date Scope · v11.6 +- /docs/auditor/11.6/enterpriseauditor/solutions/databases/sql/collection — 0.Collection > SQL Job Group − 3-SQL_ActivityScan Job · v11.6 +- /docs/auditor/11.6/enterpriseauditor/solutions/databases/azuresql/collection — 0.Collection > Azure SQL Job Group − 3-AzureSQL_ActivityScan Job · v11.6 
diff --git "a/docs/kb/accessanalyzer/system.exception_\342\210\222_new-exopssession_powershell_error_in_netwrix_access_analyzer.md" "b/docs/kb/accessanalyzer/system.exception_\342\210\222_new-exopssession_powershell_error_in_netwrix_access_analyzer.md" new file mode 100644 index 0000000000..10e86af7de --- /dev/null +++ "b/docs/kb/accessanalyzer/system.exception_\342\210\222_new-exopssession_powershell_error_in_netwrix_access_analyzer.md" 
@@ -0,0 +1,66 @@ +--- +description: >- + This article addresses the PowerShell error encountered when running an Exchange Online job in Netwrix Access Analyzer and provides resolutions for updating necessary modules. +keywords: + - PowerShell + - Exchange Online + - Netwrix Access Analyzer +sidebar_label: PowerShell Error in Netwrix Access Analyzer +tags: [] +title: "System.Exception − New-ExoPSSession PowerShell Error in Netwrix Access Analyzer" +knowledge_article_id: kA04u00000111IrCAI +products: + - access-analyzer +--- + +# System.Exception − New-ExoPSSession PowerShell Error in Netwrix Access Analyzer + +## Symptom + +The following error is prompted when running an Exchange Online job in Netwrix Access Analyzer: + +``` +PowerShell error: System.Exception: New-ExoPSSession: +Connection to the remote server %server% failed with the following error message: +For more information, see the about_Remote_Troubleshooting Help topic. +``` + +## Causes + +1. The **ExchangeOnlineManagement** PowerShell module is outdated. +2. The **PowerShellGet** PowerShell module is outdated. + +## Resolutions + +1. Run the following command in elevated PowerShell to update the **ExchangeOnlineManagement** module: + + ```powershell + Update-Module -Name "ExchangeOnlineManagement" + ``` + + If the error `Update-Module : Module 'ExchangeOnlineManagement' was not installed by using Install-Module` is prompted, refer to the following command to install the module: + + ```powershell + Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.3.0 -Force + ``` + + Follow the instructions to complete the update. + +2. 
Run the following command in elevated PowerShell to update the **PowerShellGet** module: + + ```powershell + Update-Module -Name "PowerShellGet" + ``` + + If the error `Update-Module : Module 'PowerShellGet' was not installed by using Install-Module` is prompted, refer to the following command to install the module: + + ```powershell + Install-Module -Name PowerShellGet -RequiredVersion 2.2.5 -Force + ``` + + Follow the instructions to complete the update. + +## Related Links + +- [ExchangeOnlineManagement 3.3.0 ⸱ PowerShell Gallery 🡥](https://www.powershellgallery.com/packages/ExchangeOnlineManagement/3.3.0) +- [PowerShellGet 2.2.5 ⸱ PowerShell Gallery 🡥](https://www.powershellgallery.com/packages/PowerShellGet/2.2.5) \ No newline at end of file diff --git a/docs/kb/accessanalyzer/the-autodiscover-service-couldn-t-be-located.md b/docs/kb/accessanalyzer/the-autodiscover-service-couldn-t-be-located.md new file mode 100644 index 0000000000..7bae39cf71 --- /dev/null +++ b/docs/kb/accessanalyzer/the-autodiscover-service-couldn-t-be-located.md 
@@ -0,0 +1,92 @@ +--- +description: >- + Use this article to resolve the "The Autodiscover service couldn't be located" + error when running a job that uses the EWSMailbox Data Collector by updating + the job XML and scan options. +keywords: + - Autodiscover + - EWS + - EWSMailbox + - Exchange + - Office 365 + - Autodiscover service + - EWS_PROPERTIES + - autodiscover-s + - Match job host +products: + - access-analyzer +sidebar_label: The Autodiscover Service Couldn't Be Located +tags: [] +title: The Autodiscover Service Couldn't Be Located +knowledge_article_id: kA0Qk0000001hVxKAI +--- + +# The Autodiscover Service Couldn't Be Located + +## Symptom + +When running a job that uses **EWSMailbox Data Collector**, the following error appears: + +``` +The Autodiscover service couldn't be located +``` + +## Cause + +This error populates due to missing or incorrect Autodiscover settings in the job XML. + +## Resolution + +To resolve this error, follow the steps below: + +1. Open the **Query Properties** for the EWSMailbox task. +2. Select **View XML**. + +![View XML screenshot](images/ka0Qk000000CDO5_0EMQk000008w1gf.png) + +3. Insert the following code that best matches your environment within the ` ` tags. This is located near the bottom of the XML. + +> **NOTE:** The XML will automatically reformat itself upon saving. + +- SCP Disable Variable +```xml + + + +False + +``` + +- Office Online Only +```xml + + +https://outlook.office365.com/EWS/Exchange.asmx + + +https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc + +``` + +- Hybrid Environment (On-Prem & Online) +```xml + + +https://outlook.office365.com/EWS/Exchange.asmx + + +False +https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc + +``` + +4. On the **Query Properties** window, select **Configure**. + +![Configure button screenshot](images/ka0Qk000000CDO5_0EMQk000008vjWt.png) + +5. On the **Scan options** window, uncheck the option for **Match job host against autodiscovered host**. 
+ +![Scan options screenshot](images/ka0Qk000000CDO5_0EMQk000008w3KH.png) + +6. Proceed through the wizard by selecting **Next** and complete the process by clicking **Finish** to close out the **EWSMailbox DC Wizard**. +7. Select **OK** to close the **Query Properties** window. diff --git a/docs/kb/accessanalyzer/time-zone-mismatch-in-access-time-values.md b/docs/kb/accessanalyzer/time-zone-mismatch-in-access-time-values.md new file mode 100644 index 0000000000..ce1fcca902 --- /dev/null +++ b/docs/kb/accessanalyzer/time-zone-mismatch-in-access-time-values.md @@ -0,0 +1,37 @@ +--- +description: >- + Explains why access time values displayed in the Activity Details report in + Netwrix Access Information Center (AIC) differ from those in exported reports + due to server and local time zone handling. +keywords: + - time zone + - access time + - AIC + - Activity Details + - Access Analyzer + - export + - time zone mismatch + - local time + - UTC +products: + - access-analyzer + - access_info_center +sidebar_label: Time Zone Mismatch in Access Time Values +tags: [] +title: "Time Zone Mismatch in Access Time Values" +knowledge_article_id: kA0Qk0000001JF7KAM +--- + +# Time Zone Mismatch in Access Time Values + +## Related Query + +- "In AIC, under **Activity Details**, I see the access time, which looks like it is in EST format. If I export that, it is 6 hours ahead. Why does this happen?" + +## Question + +In the **Activity Details** report in Netwrix Access Information Center (AIC), the access time values mismatch the access time values in the exported AIC reports. Why do the values mismatch? + +## Answer + +Netwrix Access Analyzer collects access time data from the target server. To order the collected data, Netwrix Access Analyzer assigns access time values to events in the time zone of the target server. When you export the collected data via AIC, the access time gets converted to your local time zone. 
diff --git a/docs/kb/accessanalyzer/too-long-file-names-when-sending-reports-by-email.md b/docs/kb/accessanalyzer/too-long-file-names-when-sending-reports-by-email.md new file mode 100644 index 0000000000..2d12a68662 --- /dev/null +++ b/docs/kb/accessanalyzer/too-long-file-names-when-sending-reports-by-email.md 
@@ -0,0 +1,50 @@ +--- +description: >- + This article explains how to resolve the "path too long" error when emailed + reports fail to compile by enabling long paths or shortening/moving job files + for Netwrix Access Analyzer. +keywords: + - long paths + - LongPathsEnabled + - registry + - file path length + - email report + - scheduled task + - 260 characters + - 248 characters +products: + - access-analyzer +sidebar_label: Too Long File Names when Sending Reports by Email +tags: [] +title: "Too Long File Names when Sending Reports by Email" +knowledge_article_id: kA04u000000HDiKCAW +--- + +# Too Long File Names when Sending Reports by Email + +## Symptom + +The emailed report fails to compile on successful job completion. +The following error message appears: + +``` +"Error in sending an email: The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters." +``` + +## Cause + +Long paths are not enabled on host. This error is relevant only for file paths to job files exceeding 248 characters as stated in the error message. + +## Solution + +The error can be resolved by performing one of the following steps: + +- Enable longer paths by editing the registry key `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled`. For additional information, refer to the following Microsoft article: https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=registry. Group Policy Objects and other security functions might prevent the modification of the key. + +- Shorten the name of the job file path or the job file itself to under 248 characters; this will also enable the report compilation. + +- Move the job file to a higher-level folder; this will resolve the error depending on the length of the name of each folder. 
+ +When moving the job file or renaming the folder, make sure to verify and edit the scheduled task to match the current job file location. + +Once you introduce the changes, you should be able to rerun the job or regenerate the report to test. diff --git a/docs/kb/accessanalyzer/tracking-access-analyzer-console-logons.md b/docs/kb/accessanalyzer/tracking-access-analyzer-console-logons.md new file mode 100644 index 0000000000..5530e66894 --- /dev/null +++ b/docs/kb/accessanalyzer/tracking-access-analyzer-console-logons.md @@ -0,0 +1,37 @@ +--- +description: >- + Explains where Netwrix Access Analyzer records console logon and logoff events + and which Event IDs indicate console access. +keywords: + - Netwrix Access Analyzer + - console logon + - console logoff + - StealthAUDIT.evtx + - Event ID 1000 + - Event ID 1003 + - event log + - Windows Event Viewer +products: + - access-analyzer +visibility: public +sidebar_label: Tracking Access Analyzer Console Logons +tags: [] +title: "Tracking Access Analyzer Console Logons" +knowledge_article_id: kA0Qk0000001JAHKA2 +--- + +# Tracking Access Analyzer Console Logons + +## Question + +Does Netwrix Access Analyzer track console logons and logoffs? + +## Answer + +You can find console logon and logoff events in the Netwrix Access Analyzer event log. The event log file is located at: + +```text +%SystemRoot%\System32\Winevt\Logs\StealthAUDIT.evtx +``` + +Review `Event ID 1000` and `Event ID 1003` to learn more about accounts accessing the Netwrix Access Analyzer console. diff --git a/docs/kb/accessanalyzer/troubleshoot-http-aic-errors.md b/docs/kb/accessanalyzer/troubleshoot-http-aic-errors.md new file mode 100644 index 0000000000..c0bc285f73 --- /dev/null +++ b/docs/kb/accessanalyzer/troubleshoot-http-aic-errors.md 
@@ -0,0 +1,75 @@ +--- +description: >- + Learn how to enable and configure Failed Request Tracing in IIS to + troubleshoot HTTP errors for Netwrix Access Information Center (AIC) versions + 11.5 and earlier. +keywords: + - AIC + - IIS + - Failed Request Tracing + - HTTP error + - 500.19 + - 403.14 + - tracing + - logs + - Netwrix +products: + - access-analyzer + - access_info_center +sidebar_label: Troubleshoot HTTP AIC Errors +tags: [] +title: "Troubleshoot HTTP AIC Errors" +knowledge_article_id: kA0Qk0000000Ky1KAE +--- + +# Troubleshoot HTTP AIC Errors + +## Question + +What are the recommended steps to troubleshoot IIS-related errors in Netwrix Access Information Center? + +## Answer + +**IMPORTANT:** The steps provided are applicable only to Access Information Center v11.5 and older. Starting v11.6, the steps no longer apply as IIS is no longer used to host the AIC web site. + +It is recommended to enable Failed Request Tracing for the AIC web site: + +1. **Optional:** If the Failed Request Tracing feature is not installed on your IIS server, you can either download it from the Microsoft Download Center, or run the following line in elevated PowerShell: + + ``` + Install-WindowsFeature -Name Web-Http-Tracing + ``` + + You can download Failed Request Tracing in Microsoft Application Request Routing 3.0 (x64): https://www.microsoft.com/en-us/download/details.aspx?id=47333 + +2. Open Internet Information Services Manager. In the left pane, open **%IIS_server%** > **Sites** > **AIC web site**. + +3. In the right pane, click **Failed Request Tracing...** under the **Configure** section. + +4. Check the **Enable** checkbox, and click **OK** to save changes. + + **NOTE:** Take note of the path specified to access the logs later. + +5. In the **IIS** section of the **Home** page, open **Failed Request Tracing Rules**. + +6. In the right pane, select **Add...** under **Actions**. + +7. 
In the **Specify Content to Trace** window, select **All content (*)** and click **Next**. + +8. In the **Define Trace Conditions** window, check the **Status code(s)** field checkbox and specify the relevant error code. Click **Next**. + +9. Click **Finish** to configure the tracing rule. + +To review trace logs, you can either refer to the path previously specified in the **Failed Request Tracing** settings, or click **View Trace Logs** in the right pane of the **Failed Request Tracing Rules** menu. Learn more about IIS errors and error codes in official Microsoft Documentation at: + +- HTTP Error 500.19 · Microsoft: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/health-diagnostic-performance/http-error-500-19-webpage +- HTTP Error 403.14 · Microsoft: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/health-diagnostic-performance/http-403-14-forbidden-webpage + +The Microsoft articles describe IIS errors (e.g., `500.19`, `501`, `405.0`, `403.16`, etc.). + +## Related articles + +- Microsoft Application Request Routing 3.0 (x64) · Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=47333 +- HTTP Error 500.19 · Microsoft: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/health-diagnostic-performance/http-error-500-19-webpage +- HTTP Error 403.14 · Microsoft: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/health-diagnostic-performance/http-403-14-forbidden-webpage +- Using Failed Request Tracing Rules to Troubleshoot Application Request Routing · Microsoft: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/health-diagnostic-performance/troubleshoot-arr-using-frt-rules diff --git a/docs/kb/accessanalyzer/unable-to-write-to-specified-folder-error.md b/docs/kb/accessanalyzer/unable-to-write-to-specified-folder-error.md new file mode 100644 index 0000000000..304ac20d8c --- /dev/null 
+++ b/docs/kb/accessanalyzer/unable-to-write-to-specified-folder-error.md @@ -0,0 +1,45 @@ +--- +description: >- + You see an "Unable to write to the specified folder" error when installing or + uninstalling the FSAA Proxy Scanner or the Sensitive Data Discovery Add-on in + Netwrix Access Analyzer. This article explains the cause and shows how to + resolve the issue by verifying write permissions and disk space. +keywords: + - FSAA + - Unable to write to the specified folder + - write permissions + - '%SAINSTALLDIR%/FSAA' + - Sensitive Data Discovery + - FSAA Proxy Scanner + - install error + - disk space +products: + - access-analyzer +sidebar_label: Unable to Write to Specified Folder Error +tags: [] +title: "Unable to Write to Specified Folder Error" +knowledge_article_id: kA04u0000000I9OCAU +--- + +# Unable to Write to Specified Folder Error + +## Symptom + +You see the following error when you install or uninstall the FSAA Proxy Scanner or the Sensitive Data Discovery Add-on in Netwrix Access Analyzer: + +```text +Unable to write to the specified folder: %Folder_path% +``` + +## Cause + +The FSAA permissions module must have write permissions for its installation folder. The write permissions are required to update the Tier 2 data after it is received from the target file server. Once updated, the Tier 2 data is transferred to the SQL backend for reporting. + +## Resolutions + +1. Confirm that the account running the installer/uninstaller has permissions to write to the ` %SAINSTALLDIR%/FSAA` folder. + + 1. Right-click the FSAA folder, navigate to **Properties** > **Security**, and ensure the account has "write" permissions for the folder. + 2. To verify the new write permissions, create a new `.txt` file in the FSAA folder and save it. + +2. Confirm the drive containing the FSAA folder is not full. 
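Review bot: Resolutions step 1.2 verifies write access by creating a `.txt` file, but that only proves the logged-on user can write, while step 1 is about "the account running the installer/uninstaller"; say that the test must be done as that account, and that the test file should be deleted afterwards. The code span in step 1 is also written as ` %SAINSTALLDIR%/FSAA` with a leading space inside the backticks.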
diff --git a/docs/kb/accessanalyzer/using-sql-style-credentials-in-access-analyzer.md b/docs/kb/accessanalyzer/using-sql-style-credentials-in-access-analyzer.md new file mode 100644 index 0000000000..58d643450f --- /dev/null +++ b/docs/kb/accessanalyzer/using-sql-style-credentials-in-access-analyzer.md @@ -0,0 +1,43 @@ +--- +description: >- + Shows how to use SQL style credentials for the ODBC or SQL data collector in + Netwrix Access Analyzer and how to set the connection profile directly on the + job. +keywords: + - SQL credentials + - ODBC + - SQL data collector + - connection profile + - job properties + - Netwrix Access Analyzer + - credentials +products: + - access-analyzer +sidebar_label: Using SQL Style Credentials in Access Analyzer +tags: [] +title: "Using SQL Style Credentials in Access Analyzer" +knowledge_article_id: kA04u0000000INaCAM +--- + +# Using SQL Style Credentials in Access Analyzer + +## Summary +**Summary:** How to use SQL Style Credentials in Netwrix Access Analyzer + +## Issue +**Issue:** Instructions for using SQL style credentials + +## Instructions +**Instructions:** If SQL style credentials for the ODBC or SQL data collector are needed then + +1. Use the domain type of in the connection profile +2. Enter the rest of the credentials as normal. + +Be sure to set the connection profile directly on the job. + +- (Right click job > **Properties** > **Connection** tab > bottom radio option) + +## Module +**Module:** Credentials/Access; Netwrix Access Analyzer - Connection Profile/Credentials + +**Salesforce Article ID:** 000001102 diff --git a/docs/kb/accessanalyzer/using-the-aadi-registerazureappauth-job-to-create-the-modern-auth-connection-profile-for-entra-id.md b/docs/kb/accessanalyzer/using-the-aadi-registerazureappauth-job-to-create-the-modern-auth-connection-profile-for-entra-id.md new file mode 100644 index 0000000000..0f4edcb5cf --- /dev/null 
+++ b/docs/kb/accessanalyzer/using-the-aadi-registerazureappauth-job-to-create-the-modern-auth-connection-profile-for-entra-id.md 
@@ -0,0 +1,82 @@ +--- +description: >- + Explains how to use the AADI_RegisterAzureAppAuth instant job to register a + Microsoft Entra ID application and create the Modern Auth connection profile + for Entra ID in Netwrix Access Analyzer. Includes prerequisites, configuration + steps, and post-run tasks. +keywords: + - AADI_RegisterAzureAppAuth + - Entra ID + - Microsoft Entra ID + - Modern Auth + - Connection Profile + - Netwrix Access Analyzer + - instant job + - app registration + - ClientID + - secret +products: + - access-analyzer +sidebar_label: 'Using the AADI_RegisterAzureAppAuth Job to Create ' +tags: [] +title: >- + Using the AADI_RegisterAzureAppAuth Job to Create the Modern Auth Connection + Profile for Entra ID +knowledge_article_id: kA0Qk0000001j4jKAA +--- + +# Using the AADI_RegisterAzureAppAuth Job to Create the Modern Auth Connection Profile for Entra ID + +## Question +How can you use the AADI_RegisterAzureAppAuth job to create the Modern Auth Connection Profile for Entra ID? + +## Answer +The **AADI_RegisterAzureAppAuth** job registers a Microsoft Entra ID (formerly Azure AD) application for authentication and provisions the necessary permissions for Azure Active Directory Online scans. + +### Prerequisites +- A Connection Profile containing a Microsoft Entra ID Global Admin credential with an Account Type of **Task (Local)**. +- An Azure AD PowerShell module installed on targeted hosts. +- Microsoft Edge must be set as your default browser. +- If the module is not already installed, the job will attempt to install it. + +Follow the steps below to configure and run the AADI_RegisterAzureAppAuth job. + +- Creating the AADI_RegisterAzureAppAuth Job +- Configuring the AADI_RegisterAzureAppAuth Job +- Finishing Set Up and Applying the New Connection Profile to the Entra ID Inventory Job + +### Creating the AADI_RegisterAzureAppAuth Job +1. 
In Netwrix Access Analyzer, create a **Z_RegisterAzureAppAuth Job Group** or use any other Job Group in which you will place the **AADI_RegisterAzureAppAuth** job. +2. Click **Add Instant Job** to open the Instant Job Wizard. +3. To install the **AADI_RegisterAzureAppAuth** job from the Instant Job Library (under **Library Name: Azure**), follow these steps: + 1. Right-click the **Z_RegisterAzureAppAuth** Job Group that you just created and select **Add Instant Job**. + 2. Expand **Library Name: Azure** to select the **AADI_RegisterAzureAppAuth** instant job. + 3. After installation, the job tree automatically refreshes with the new job available within the selected Job Group. For additional information, see the Instant Job Wizard topic: /docs/auditor/11.6/enterpriseauditor/admin-guide/jobs/instantjobs + +### Configuring the AADI_RegisterAzureAppAuth Job +1. Navigate to the Configuration section of the job overview and description page then select the **Edit** button for **Name of the app as it will appear in the Azure applications list**. +2. Enter the name that you want to apply to the registered Microsoft Entra ID application and click **Save**. +3. On the **Configure > Hosts** node, select the target hosts. + +> **NOTE:** The targeted host should be the **Microsoft Entra tenant name** (for example, myorg.onmicrosoft.com). + +4. Click **Save**. The job should now be ready to run. +5. Run the **AADI_RegisterAzureAppAuth** job. +6. After the job successfully runs, a browser window opens to Microsoft Entra ID. Log in as a **Global Administrator** and grant administrator consent to the **Application's configured API Permissions**. + +> **IMPORTANT:** If this log-in attempt fails or you close the browser, you will need to manually log in to Microsoft Entra ID as a Global Administrator. Next, navigate to the Application's API Permissions to grant Admin Consent before the application can be used for Azure Active Directory scans in Netwrix Access Analyzer. + +7. 
The Microsoft Entra ID application is now provisioned with the necessary permissions for Azure Active Directory Inventory Online scans. A new Connection Profile for this application will be available. + +### Finishing Set Up and Applying the New Connection Profile to the Entra ID Inventory Job +1. Restart the **Netwrix Access Analyzer Console** and review the results of the AADI_RegisterAzureAppAuth job. +2. Review the `ClientID_(AppId)` and `Key_(Secret_Value)` values, record them to a password vault or equivalent then return to the new connection profile previously created. +3. Confirm that the `ClientID_(AppId)` value matches the **Client ID:** value. +4. Enter the `Key_(Secret_Value)` in the **Key** value and click **OK** to save. +5. Once you have created and verified your `` connection and `` EntraID host list under the global settings as a result of the process defined in this article, you can configure each of these parameters to run both the **Entra ID Inventory** and **Entra ID** jobs. + +> **IMPORTANT:** The required rights, roles, and configuration for Microsoft Entra ID Auditing must still be configured. For additional information, see the Microsoft Entra ID Auditing Configuration topic: /docs/auditor/11.6/configuration/entraid + +## Related Articles +- Instant Job Wizard: /docs/auditor/11.6/enterpriseauditor/admin-guide/jobs/instantjobs +- Microsoft Entra ID Auditing Configuration: /docs/auditor/11.6/configuration/entraid diff --git a/docs/kb/accessanalyzer/what-does-licensed-host-count-exceeded-mean-in-the-access-analyzer-banner.md b/docs/kb/accessanalyzer/what-does-licensed-host-count-exceeded-mean-in-the-access-analyzer-banner.md new file mode 100644 index 0000000000..6f90881790 --- /dev/null +++ b/docs/kb/accessanalyzer/what-does-licensed-host-count-exceeded-mean-in-the-access-analyzer-banner.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Explains the meaning and impact of the "Licensed Host Count Exceeded" banner + in Netwrix Access Analyzer and how to determine and resolve host licensing + issues. +keywords: + - licensed host count + - license file + - Netwrix Access Analyzer + - licensed hosts + - watermark + - ADInventory + - host discovery + - support + - sales +products: + - access-analyzer +sidebar_label: What Does "Licensed Host Count Exceeded" Mean in t +tags: [] +title: What Does "Licensed Host Count Exceeded" Mean in the Access Analyzer Banner? +knowledge_article_id: kA04u0000000IvdCAE +--- + +# What Does "Licensed Host Count Exceeded" Mean in the Access Analyzer Banner? + +## Summary +The Netwrix Access Analyzer license mechanism is based on the number of rows in host inventory for legacy reasons. Because the product is now typically licensed based on count of Active Directory users, the banner indicating a problem with licensing can cause concern. + +## Issue +User opens the Netwrix Access Analyzer Console and the application banner contains the message `Licensed Host Count Exceeded`. + +## Instructions +This message is generated when someone has added more hosts to their database than they have been licensed for. To find out how many hosts an environment is licensed for, follow these steps: + +1. On the menu bar, select **Help** > **About** in the Netwrix Access Analyzer console. +2. In the About window, view the licensed modules and the licensed hosts section. This number is controlled by the license file. + +To increase the host count, contact your account manager or email sales@stealthbits.com. In most cases, there is no associated cost because the product is licensed on a per-user basis rather than on a per-host basis. Netwrix Access Analyzer for Windows and Netwrix Access Analyzer for Systems Governance are notable rare exceptions where licensing may be server-based instead of user-based. 
The error has no impact on functionality of the product, and reports will still be generated for all hosts scanned. The only other noticeable result of exceeding a host count is that there is a watermark on the published report. + +Most often, the reason that there are too many hosts is that there is a host discovery task that is looking at too broad of a scope such as an IP sweep or an Active Directory query that looks at every OU instead of a single OU. If this is what happened in your environment, you can reach out to support@stealthbits.com and an engineer can assist you in removing the excess hosts and properly scoping the discovery query. + +**Internal Note:** Even though they may just need a new license file with a higher host limit, the number of hosts can be considered a proxy for the size of an organization. As such, the `Licensed host count exceeded` message may be an indication that a true-up is in order. Perform a health check on the `ADInventory` job group and verify the number of AD Users in production. + +## Product +**Product:** Netwrix Access Analyzer +**Module:** Netwrix Access Analyzer - Core +**Versions:** All +**Legacy Article ID:** 2423 diff --git a/docs/kb/accessinformationcenter/_category_.json b/docs/kb/accessinformationcenter/_category_.json new file mode 100644 index 0000000000..31ba0aed9c --- /dev/null +++ b/docs/kb/accessinformationcenter/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Troubleshooting Articles", + "position": 999, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/accessinformationcenter/administration/_category_.json b/docs/kb/accessinformationcenter/administration/_category_.json new file mode 100644 index 0000000000..5a15299434 --- /dev/null +++ b/docs/kb/accessinformationcenter/administration/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Administration", + "position": 8, + "collapsed": true, + "collapsible": true +} 
diff --git a/docs/kb/accessinformationcenter/administration/index.md b/docs/kb/accessinformationcenter/administration/index.md new file mode 100644 index 0000000000..5c7b3b49d7 --- /dev/null +++ b/docs/kb/accessinformationcenter/administration/index.md @@ -0,0 +1,16 @@ +--- +title: "Administration" +description: System administration and maintenance" +--- + +# Administration + +System administration and maintenance + +## Categories + +### [Elasticsearch](./elasticsearch/) +Manage Elasticsearch and replication + +### [Database](./database/) +Database management and queries diff --git a/docs/kb/accessinformationcenter/configuration/_category_.json b/docs/kb/accessinformationcenter/configuration/_category_.json new file mode 100644 index 0000000000..231704b45b --- /dev/null +++ b/docs/kb/accessinformationcenter/configuration/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Configuration", + "position": 2, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/accessinformationcenter/configuration/authentication/_category_.json b/docs/kb/accessinformationcenter/configuration/authentication/_category_.json new file mode 100644 index 0000000000..3094926863 --- /dev/null +++ b/docs/kb/accessinformationcenter/configuration/authentication/_category_.json @@ -0,0 +1,5 @@ +{ + "label": "Authentication & Security", + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/accessinformationcenter/configuration/authentication/index.md b/docs/kb/accessinformationcenter/configuration/authentication/index.md new file mode 100644 index 0000000000..5b41537840 --- /dev/null +++ b/docs/kb/accessinformationcenter/configuration/authentication/index.md 
@@ -0,0 +1,12 @@ +--- +title: "Authentication & Security" +description: Configure authentication and security settings" +--- + +# Authentication & Security + +Configure authentication and security settings + +## Articles in This Section + +- [Full Ssl And Sso Procedure To Secure And Integrate Access Analyzer Web Reports With Aic](./full-ssl-and-sso-procedure-to-secure-and-integrate-access-analyzer-web-reports-with-aic) diff --git a/docs/kb/accessinformationcenter/configuration/index.md b/docs/kb/accessinformationcenter/configuration/index.md new file mode 100644 index 0000000000..bcf1137adb --- /dev/null +++ b/docs/kb/accessinformationcenter/configuration/index.md @@ -0,0 +1,29 @@ +--- +title: "Configuration" +description: Articles about configuring various product features" +--- + +# Configuration + +Articles about configuring various product features + +## Articles in This Section + +- [Full Ssl And Sso Procedure To Secure And Integrate Access Analyzer Web Reports With Aic](./full-ssl-and-sso-procedure-to-secure-and-integrate-access-analyzer-web-reports-with-aic) +- [Enable Aic Emails To All Resource Owners](./enable-aic-emails-to-all-resource-owners) + +## Categories + +### [Authentication & Security](./authentication/) +Configure authentication and security settings + +### [Portal Configuration](./portal/) +Customize portal appearance and behavior + +### [Email & Notifications](./notifications/) +Set up email notifications and templates + +## Related Documentation + +Configuration Guide +Admin Center diff --git a/docs/kb/accessinformationcenter/configuration/notifications/_category_.json b/docs/kb/accessinformationcenter/configuration/notifications/_category_.json new file mode 100644 index 0000000000..66198c3df0 --- /dev/null +++ b/docs/kb/accessinformationcenter/configuration/notifications/_category_.json @@ -0,0 +1,5 @@ +{ + "label": "Email & Notifications", + "collapsed": true, + "collapsible": true +} 
diff --git a/docs/kb/accessinformationcenter/configuration/notifications/enable-aic-emails-to-all-resource-owners.md b/docs/kb/accessinformationcenter/configuration/notifications/enable-aic-emails-to-all-resource-owners.md new file mode 100644 index 0000000000..cbf16c8577 --- /dev/null +++ b/docs/kb/accessinformationcenter/configuration/notifications/enable-aic-emails-to-all-resource-owners.md @@ -0,0 +1,46 @@ +--- +description: >- + Enable the AIC to send email notifications to all resource owners by changing + the NotifyAllOwners setting in the common.config file. No IIS reset is + required. +keywords: + - AIC + - NotifyAllOwners + - common.config + - email notifications + - resource owners + - Netwrix Access Analyzer + - StealthAudit Compliance + - IIS +products: + - access_info_center +sidebar_label: Enable AIC emails to all Resource Owners +tags: [] +title: "Enable AIC emails to all Resource Owners" +knowledge_article_id: kA04u0000000Is9CAE +--- + +# Enable AIC emails to all Resource Owners + +## Summary +By default, the AIC in Netwrix Access Analyzer only sends emails to the primary owner of resources. This article shows you how to enable email notifications for all users. + +## Issue +The AIC by default will only send email notifications to the assigned primary owner of resources. This can be changed by editing a config file. + +No IIS reset is required. + +## Instructions +1. Open the `C:\inetpub\wwwroot\StealthAudit Compliance\Bin\common.config` file with **Notepad**. +2. Set the `NotifyAllOwners` parameter to `'True'`. +3. Navigate to **File > Save**. + +## Result +All owners assigned to resources should now receive email notifications concerning their resources. + +## Product +- **Product:** Netwrix Access Analyzer +- **Module:** AIC - Manage Resource Ownership +- **Versions:** 8.0 +- **Resolved In:** Netwrix Access Analyzer 8.0 HF 001 +- **Legacy Article ID:** 2274 
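Review bot: The Summary says the change enables email notifications "for all users", but the Issue, the Result and the `NotifyAllOwners` setting all refer to owners assigned to a resource; suggest "all resource owners" so the article does not imply that every user is mailed. In Instructions step 2, `'True'` is shown with quotes inside the code span, so it is unclear whether the quotes belong in `common.config`; show the line exactly as it should appear, and consider adding a step to back up the file before editing, as the AIC branding article in this patch does for its files.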
diff --git a/docs/kb/accessinformationcenter/configuration/notifications/index.md b/docs/kb/accessinformationcenter/configuration/notifications/index.md new file mode 100644 index 0000000000..a9fe021066 --- /dev/null +++ b/docs/kb/accessinformationcenter/configuration/notifications/index.md @@ -0,0 +1,12 @@ +--- +title: "Email & Notifications" +description: Set up email notifications and templates" +--- + +# Email & Notifications + +Set up email notifications and templates + +## Articles in This Section + +- [Enable Aic Emails To All Resource Owners](./enable-aic-emails-to-all-resource-owners) diff --git a/docs/kb/accessinformationcenter/general/_category_.json b/docs/kb/accessinformationcenter/general/_category_.json new file mode 100644 index 0000000000..6b83ab4714 --- /dev/null +++ b/docs/kb/accessinformationcenter/general/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "General", + "position": 99, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/accessinformationcenter/general/aic-branding-customization.md b/docs/kb/accessinformationcenter/general/aic-branding-customization.md new file mode 100644 index 0000000000..f70d9d06fc --- /dev/null +++ b/docs/kb/accessinformationcenter/general/aic-branding-customization.md 
@@ -0,0 +1,75 @@ +--- +description: >- + Instructions to apply a custom logo and change the banner background color for + the AIC. Includes exact file paths and filenames to update for AIC in Netwrix + Auditor 9.0. +keywords: + - AIC + - branding + - logo + - banner color + - branding.css + - product-logo.png + - Netwrix Auditor + - Sb-branding.css + - SMPC-5582 + - 270x60 +products: + - access_info_center +sidebar_label: AIC Branding Customization +tags: [] +title: "AIC Branding Customization" +knowledge_article_id: kA04u0000000ITECA2 +--- + +# AIC Branding Customization + +## Summary +*Instructions on how to apply a custom logo and banner color for the AIC.* + +## Issue +Customers sometimes request to provide their own logo for the AIC since it is available to their end users who may not be familiar with Netwrix. Branding customizations are done on an as-needed basis and are not generally provided to customers currently. In our 9.0 release we support the ability to change the background color of the banner as well as the supplied logo. + +## Instructions + +### Logo +1. Navigate to the following location: `C:\inetpub\wwwroot\StealthAUDIT Compliance\Content\extras\images` +2. Backup the `product-logo.png` file by renaming it to: `Sb-product-logo.png` +3. Place customer's logo in the directory with the name `product-logo.png` +4. Refresh the AIC + +The `product-logo.png` is `270x60` pixels. + +### Banner Color +1. Navigate to the following location: `C:\inetpub\wwwroot\StealthAUDIT Compliance\Content` +2. Copy the `branding.css` file and rename it to `Sb-branding.css` to backup the existing banner color +3. Open and update the `background` value to correspond to the color of choice. +4. 
Refresh the AIC + +## Submitted by +Farrah Gamboa + +## Affected Module +- AIC - Entitlement Review +- AIC - Installer +- AIC - Manage Resource Ownership +- AIC - Remediate Open Shares +- AIC - Reporter + +## Dev Ticket +SMPC-5582 + +## Resolved in Version +9.0 + +## KB Type +How To + +--- + +Product: AIC +Module: AIC - Entitlement Review;AIC - Installer;AIC - Manage Resource Ownership;AIC - Remediate Open Shares;AIC - Reporter +Versions: 9.0 +Dev Ticket: SMPC-5582 +Resolved In: 9.0 +Salesforce Article ID: 000002531 diff --git a/docs/kb/accessinformationcenter/general/index.md b/docs/kb/accessinformationcenter/general/index.md new file mode 100644 index 0000000000..e34b30b1ab --- /dev/null +++ b/docs/kb/accessinformationcenter/general/index.md @@ -0,0 +1,13 @@ +--- +title: "General Articles" +description: Miscellaneous knowledge base articles" +--- + +# General Articles + +Articles that don't fit into other categories. + +## Articles + +- [Specify Domains For Aic To Enumerate](./specify-domains-for-aic-to-enumerate) +- [Aic Branding Customization](./aic-branding-customization) diff --git a/docs/kb/accessinformationcenter/general/specify-domains-for-aic-to-enumerate.md b/docs/kb/accessinformationcenter/general/specify-domains-for-aic-to-enumerate.md new file mode 100644 index 0000000000..6f505aa44a --- /dev/null +++ b/docs/kb/accessinformationcenter/general/specify-domains-for-aic-to-enumerate.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Speed up domain enumeration in the Access Information Center (AIC) by + specifying which domains the AIC enumerates on startup to improve application + startup performance. +keywords: + - Access Information Center + - AIC + - domain enumeration + - web.config + - DNS + - startup performance + - StealthAudit + - domains +products: + - access_info_center +sidebar_label: Specify Domains for AIC to Enumerate +tags: [] +title: "Specify Domains for AIC to Enumerate" +knowledge_article_id: kA04u0000000IT4CAM +--- + +# Specify Domains for AIC to Enumerate + +## Summary: +**Summary:** Speed up domain enumeration in the Access Information Center (AIC) + +## Issue: +**Issue:** You can specify which domains the AIC enumerates, rather than allowing the AIC to try all of them every time. + +It does this every time a user logs into the AIC. + +A comma-separated list of domains that AIC is allowed to enumerate on startup. + +This list is useful because customers often have domains with trust relationships that are unavailable due to being taken down, etc. This makes application startup take significantly longer. + +## Instructions: +**Instructions:** + +In the web.config file (by default `C:\inetpub\wwwroot\StealthAudit Compliance`), enter the DNS names of the domains you'd like in this tag: + +for example: + +## Product / Module / Article +**Product:** AIC +**Module:** AIC - Entitlement Review;AIC - Installer;AIC - Manage Resource Ownership;AIC - Remediate Open Shares;AIC - Reporter +**Salesforce Article ID:** 000001223 + +https://stealthbits.my.salesforce.com/kA0j0000000bng5?srPos=0&srKp=ka0&lang=en_US diff --git a/docs/kb/accessinformationcenter/group-management/_category_.json b/docs/kb/accessinformationcenter/group-management/_category_.json new file mode 100644 index 0000000000..17dae6c71a --- /dev/null +++ b/docs/kb/accessinformationcenter/group-management/_category_.json 
@@ -0,0 +1,6 @@ +{ + "label": "Group Management", + "position": 3, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/accessinformationcenter/group-management/index.md b/docs/kb/accessinformationcenter/group-management/index.md new file mode 100644 index 0000000000..b969222824 --- /dev/null +++ b/docs/kb/accessinformationcenter/group-management/index.md @@ -0,0 +1,24 @@ +--- +title: "Group Management" +description: Managing groups, smart groups, and dynasties" +--- + +# Group Management + +Managing groups, smart groups, and dynasties + +## Categories + +### [Smart Groups](./smart-groups/) +Configure and manage smart groups + +### [Dynasties](./dynasties/) +Set up and maintain group dynasties + +### [Group Policies](./policies/) +Group governance and compliance policies + +## Related Documentation + +Group Management Guide +Group APIs diff --git a/docs/kb/accessinformationcenter/index.md b/docs/kb/accessinformationcenter/index.md new file mode 100644 index 0000000000..21336d10c5 --- /dev/null +++ b/docs/kb/accessinformationcenter/index.md 
@@ -0,0 +1,52 @@ +--- +title: "Troubleshooting Articles" +description: Browse our troubleshooting articles by category" +--- + +# Knowledge Base + +Welcome to the knowledge base. Browse articles by category below. + +## Categories + +### [Installation & Setup](./installation/) +Articles about installing, uninstalling, and setting up the product + +### [Configuration](./configuration/) +Articles about configuring various product features + +### [Group Management](./group-management/) +Managing groups, smart groups, and dynasties + +### [User Management](./user-management/) +Managing users and user profiles + +### [Reports & Analytics](./reporting/) +Generate reports and export data + +### [Troubleshooting](./troubleshooting/) +Resolve common issues and errors + +### [Integration](./integration/) +Integrate with external services and APIs + +### [Administration](./administration/) +System administration and maintenance + +### [Best Practices](./best-practices/) +Recommended practices and how-to guides + +## Quick Links + +- [Installation & Setup](./installation/) +- [Troubleshooting Guide](./troubleshooting/) +- [Best Practices](./best-practices/) +- [Integration Guide](./integration/) + +## Need Help? + +If you can't find what you're looking for, please: +1. Use the search function above +2. Check the main documentation +3. Contact [support](https://www.netwrix.com/support.html) +slug: kb/accessinformationcenter diff --git a/docs/kb/accessinformationcenter/integration/_category_.json b/docs/kb/accessinformationcenter/integration/_category_.json new file mode 100644 index 0000000000..0808fc705a --- /dev/null +++ b/docs/kb/accessinformationcenter/integration/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Integration", + "position": 7, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/accessinformationcenter/integration/index.md b/docs/kb/accessinformationcenter/integration/index.md new file mode 100644 index 0000000000..79cb68325b --- /dev/null 
+++ b/docs/kb/accessinformationcenter/integration/index.md @@ -0,0 +1,21 @@ +--- +title: "Integration" +description: Integrate with external services and APIs" +--- + +# Integration + +Integrate with external services and APIs + +## Categories + +### [Microsoft Services](./microsoft/) +Microsoft Entra ID, Graph API, and Office 365 + +### [Workflows & Automation](./workflows/) +Workflow automation and triggers + +## Related Documentation + +APIs Reference +Microsoft Entra ID Configuration diff --git a/docs/kb/accessinformationcenter/reporting/_category_.json b/docs/kb/accessinformationcenter/reporting/_category_.json new file mode 100644 index 0000000000..37fc04a2e3 --- /dev/null +++ b/docs/kb/accessinformationcenter/reporting/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Reports & Analytics", + "position": 5, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/accessinformationcenter/reporting/exclude-trustees-from-entitlement-reviews.md b/docs/kb/accessinformationcenter/reporting/exclude-trustees-from-entitlement-reviews.md new file mode 100644 index 0000000000..b85ecfd04b --- /dev/null +++ b/docs/kb/accessinformationcenter/reporting/exclude-trustees-from-entitlement-reviews.md 
@@ -0,0 +1,129 @@ +--- +description: >- + Explains how to exclude trustees (users or groups) from Access Information + Center entitlement reviews by adding their SID and trustee type to the + SA_AIC_ResourceReviewIgnoredTrustees table. Includes a Netwrix Access Analyzer + job and SQL examples to automate or manually perform the exclusion. +keywords: + - Access Information Center + - entitlement review + - exclude trustees + - SA_AIC_ResourceReviewIgnoredTrustees + - Netwrix Access Analyzer + - SID + - trustee type + - SQL + - exclusions +products: + - access_info_center +sidebar_label: Exclude Trustees from Entitlement Reviews +tags: [] +title: "Exclude Trustees from Entitlement Reviews" +knowledge_article_id: kA04u0000000IueCAE +--- + +# Exclude Trustees from Entitlement Reviews + +## Symptom + +Customers may want to exclude admins, other user accounts or groups, from appearing in Access Information Center (AIC) Entitlement Reviews. + +## Cause + +In certain cases, customers may want to exclude certain admins, other users, or groups from appearing in Access Information Center (AIC) Entitlement Reviews. This may be useful, so that end users don’t see what access admins and other users have over various resources. + +## Instructions + +To exclude a user or group from Entitlement Reviews, the object's SID and Trustee Type need to be added to the following database table: + +`[SA_AIC_ResourceReviewIgnoredTrustees]` + +A Netwrix Access Analyzer job has been created that automates this process, which can be downloaded here: + +https://downloads.stealthbits.com/access/files/Utilities/Jobs/AICExclusions.zip + +1. Unzip `GROUP_Exclusions` from `AICExclusions.zip` to: ` %sainstallerdir%Jobs` +2. Refresh the Netwrix Access Analyzer job tree, or restart Netwrix Access Analyzer, to see the new **Exclusions** job group. 
+ +Before running the job, edit the following CSV with trustees (including the trustee type) that should be excluded from appearing in AIC Entitlement Reviews: + +`%sainstalldir%Jobs\GROUP_Exclusions\JOB_0.Import\Exclusions.csv` + +Each trustee should go on their own line, in the following format including the trustee type (a full list of trustee type values can be found below): + +`MYDOMAIN\MyUser,4` + +> NOTE: This Netwrix Access Analyzer job will only work for trustee types 4 and 5 (AD user and AD group, respectively). Other trustee types can be manually added with SQL scripts (examples below). + +> NOTE: There cannot be a space after the comma, otherwise the user/group will not be properly added to the exclusions table. + +Specifying a trustee type supports the ability to specify any account type (e.g. not just groups and their members). + +### Trustee Type Values + +| Trustee Type | Description | +|--------------|-------------------------------------------| +| 0 | Unknown / Unresolved SID | +| 1 | Security Principle | +| 2 | Local User | +| 3 | Local Group | +| 4 | Global User | +| 5 | Global Group | +| 6 | SharePoint User | +| 7 | SharePoint Group | +| 8 | Unsupported / Possible Collection Issue | +| 9 | Service Account | +| 10 | Computer | +| 11 | Unresolved Domain Principal | +| 20 | Unix User | +| 21 | Unix Group | + +Trustees can also be excluded via manual SQL scripts, rather than using the provided Netwrix Access Analyzer job. + +> NOTE: To be added to the exclusion list, users must already exist in [SA_ADInventory_UsersView], and groups must already in exist in [SA_ADInventory_GroupsView] (from Netwrix Access Analyzer scans). 
+ +### Example SQL to add multiple Domain Users (trustee type 4) to the exclusion list: + +```sql +INSERT INTO [SA_AIC_ResourceReviewIgnoredTrustees] + +SELECT ObjectSid,4 FROM SA_ADInventory_UsersView WHERE SamAccountName IN ('DomainUserA','DomainUserB') +``` + +### Example SQL to add a Domain Group (trustee type 5) to the exclusion list: + +```sql +INSERT INTO [SA_AIC_ResourceReviewIgnoredTrustees] + +SELECT ObjectSid,5 FROM SA_ADInventory_GroupsView WHERE SamAccountName IN ('Administrators') AND domainname = 'MYDOMAIN' +``` + +### Example SQL to display excluded trustees: + +```sql +SELECT * FROM [SA_AIC_ResourceReviewIgnoredTrustees] +``` + +> NOTE: In older versions of the AIC this table (`[SA_AIC_ResourceReviewIgnoredTrustees]`) will need to be manually created. In all newer versions the table is created automatically. + +### SQL table creation (`[SA_AIC_ResourceReviewIgnoredTrustees]`), if needed: + +```sql +IF object_id('[SA_AIC_ResourceReviewIgnoredTrustees]','table') IS NOT NULL + +DROP TABLE [SA_AIC_ResourceReviewIgnoredTrustees] + +CREATE TABLE [dbo].[SA_AIC_ResourceReviewIgnoredTrustees]( + + [ObjectSid] [varchar](184) NOT NULL, + + [TrusteeType] [smallint] NOT NULL, + +CONSTRAINT [PK_SA_AIC_ResourceReviewIgnoredTrustees] PRIMARY KEY CLUSTERED( + + [ObjectSid] ASC) + +WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) + +ON [PRIMARY]) ON [PRIMARY] +``` diff --git a/docs/kb/accessinformationcenter/reporting/index.md b/docs/kb/accessinformationcenter/reporting/index.md new file mode 100644 index 0000000000..686e50c6ed --- /dev/null +++ b/docs/kb/accessinformationcenter/reporting/index.md @@ -0,0 +1,12 @@ +--- +title: "Reports & Analytics" +description: Generate reports and export data" +--- + +# Reports & Analytics + +Generate reports and export data + +## Articles in This Section + +- [Exclude Trustees From Entitlement Reviews](./exclude-trustees-from-entitlement-reviews) 
diff --git a/docs/kb/accessinformationcenter/troubleshooting/_category_.json b/docs/kb/accessinformationcenter/troubleshooting/_category_.json new file mode 100644 index 0000000000..229fa3fd02 --- /dev/null +++ b/docs/kb/accessinformationcenter/troubleshooting/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Troubleshooting", + "position": 6, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/accessinformationcenter/troubleshooting/common-issues/_category_.json b/docs/kb/accessinformationcenter/troubleshooting/common-issues/_category_.json new file mode 100644 index 0000000000..8ead283fdb --- /dev/null +++ b/docs/kb/accessinformationcenter/troubleshooting/common-issues/_category_.json @@ -0,0 +1,5 @@ +{ + "label": "Common Issues", + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/accessinformationcenter/troubleshooting/common-issues/index.md b/docs/kb/accessinformationcenter/troubleshooting/common-issues/index.md new file mode 100644 index 0000000000..f8ebe545e9 --- /dev/null +++ b/docs/kb/accessinformationcenter/troubleshooting/common-issues/index.md @@ -0,0 +1,13 @@ +--- +title: "Common Issues" +description: Solutions for common problems" +--- + +# Common Issues + +Solutions for common problems + +## Articles in This Section + +- [Fix For Aic 500 19 Error](./fix-for-aic-500-19-error) +- [Aic 500 21 Error](./aic-500-21-error) diff --git a/docs/kb/accessinformationcenter/troubleshooting/index.md b/docs/kb/accessinformationcenter/troubleshooting/index.md new file mode 100644 index 0000000000..a2f0cd2f38 --- /dev/null +++ b/docs/kb/accessinformationcenter/troubleshooting/index.md 
@@ -0,0 +1,26 @@ +--- +title: "Troubleshooting" +description: Resolve common issues and errors" +--- + +# Troubleshooting + +Resolve common issues and errors + +## Articles in This Section + +- [Fix For Aic 500 19 Error](./fix-for-aic-500-19-error) +- [Aic 500 21 Error](./aic-500-21-error) + +## Categories + +### [Logs & Debugging](./logs/) +Working with logs and debugging + +### [Common Issues](./common-issues/) +Solutions for common problems + +## Related Documentation + +Installation Guide +Requirements diff --git a/docs/kb/activitymonitor/.net_dependencies_for_netwrix_access_analyzer.md b/docs/kb/activitymonitor/.net_dependencies_for_netwrix_access_analyzer.md new file mode 100644 index 0000000000..a80322102a --- /dev/null +++ b/docs/kb/activitymonitor/.net_dependencies_for_netwrix_access_analyzer.md 
@@ -0,0 +1,65 @@ +--- +description: >- + This article outlines the .NET dependencies required for Netwrix Access Analyzer and related products. +keywords: + - .NET Framework + - Netwrix Access Analyzer + - system requirements +products: + - activity-monitor +sidebar_label: .NET Dependencies for Access Analyzer +tags: [] +title: ".NET Dependencies for Netwrix Access Analyzer" +knowledge_article_id: kA0Qk0000001hxNKAQ +--- + +# .NET Dependencies for Netwrix Access Analyzer + +## Related Query + +- ".NET on the Netwrix application server is End-Of-Life (EOL). Is it safe to remove it?" + +## Question + +Which version of .NET is required for Netwrix Access Analyzer and Netwrix Activity Monitor? + +## Answer + +Here is a list of products and their .NET requirements: + +### Netwrix Access Analyzer + +- .NET Framework 4.7.2 or newer + +This includes: + +- Netwrix Enterprise Auditor 11.6 +- Netwrix Access Information Center version 11.6 +- Netwrix Sensitive Data Discovery Add-on version 11.6 +- Netwrix Enterprise Auditor File System Scanning Proxy (FSAA Proxy) 11.6 +- StealthAUDIT 11.5 +- StealthAUDIT Access Information Center version 11.5 +- StealthAUDIT Sensitive Data Discovery Add-on version 11.5 +- StealthAUDIT File System Scanning Proxy (FSAA Proxy) 11.5 + +You can also navigate to the Netwrix Access Analyzer landing page for the product **Requirements** located under **Getting Started**. + +> **NOTE:** .NET Framework is not the same as ASP.NET Core, and having one does not mean you have the other. ASP.NET Core and .NET Desktop Runtime should appear on the list of installed Apps & Features; however, .NET Framework does not appear on that list. 
You can check which versions of .NET Framework you have installed by running the following command in PowerShell: + +```powershell +Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | +Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | +Select PSChildName, version +``` + +Example: + +![PowerShell Example Output](https://nwxcorp.file.force.com/servlet/rtaImage?eid=ka0Qk000000DG8b&feoid=00N0g000004CA0p&refid=0EMQk00000BprDf) + +## Related Articles + +- Netwrix Access Analyzer +- [.NET Dependencies for Netwrix Threat Prevention](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_prevention) +- [.NET Dependencies for Netwrix Recovery for Active Directory](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_recovery_for_active_directory) +- [.NET Dependencies for Netwrix Threat Manager](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_manager) +- [.NET Dependencies for Netwrix Activity Monitor](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_activity_monitor) \ No newline at end of file diff --git a/docs/kb/activitymonitor/.net_dependencies_for_netwrix_activity_monitor.md b/docs/kb/activitymonitor/.net_dependencies_for_netwrix_activity_monitor.md new file mode 100644 index 0000000000..479db9db75 --- /dev/null +++ b/docs/kb/activitymonitor/.net_dependencies_for_netwrix_activity_monitor.md 
@@ -0,0 +1,48 @@ +--- +description: >- + This article outlines the .NET Framework requirements for the Netwrix Activity Monitor and provides guidance on checking installed versions. +keywords: + - .NET Framework + - Netwrix Activity Monitor + - PowerShell +sidebar_label: .NET Dependencies for Activity Monitor +tags: [] +title: ".NET Dependencies for Netwrix Activity Monitor" +knowledge_article_id: kA0Qk0000002LBdKAM +products: + - activity-monitor +--- + +# .NET Dependencies for Netwrix Activity Monitor + +## Related Query + +- ".NET on the Netwrix application server is End-Of-Life (EOL). Is it safe to remove it?" + +## Question + +Which version of .NET is required for Netwrix Activity Monitor? + +## Answer + +.NET Framework 4.7.2 or newer is required. You can also navigate to the [Netwrix Activity Monitor](/docs/activitymonitor/) landing page for the product **Requirements** located under **Getting Started**. + +> **NOTE:** .NET Framework is not the same as ASP.NET Core, and having one does not mean you have the other. ASP.NET Core and .NET Desktop Runtime should appear on the list of installed Apps & Features. However, .NET Framework does not appear on that list. 
+ +You can check which versions of .NET Framework you have installed by running the following command in PowerShell: + +```powershell +Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | +Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | +Select PSChildName, version +``` + +![PowerShell Example Output](https://nwxcorp.file.force.com/servlet/rtaImage?eid=ka0Qk000000E7Hl&feoid=00N0g000004CA0p&refid=0EMQk00000BprDf) + +## Related Articles + +- [Netwrix Activity Monitor](/docs/activitymonitor/) +- Netwrix Access Analyzer +- [.NET Dependencies for Netwrix Threat Prevention](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_prevention) +- [.NET Dependencies for Netwrix Recovery for Active Directory](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_recovery_for_active_directory) +- [.NET Dependencies for Netwrix Threat Manager](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_manager) \ No newline at end of file diff --git a/docs/kb/activitymonitor/.net_dependencies_for_netwrix_recovery_for_active_directory.md b/docs/kb/activitymonitor/.net_dependencies_for_netwrix_recovery_for_active_directory.md new file mode 100644 index 0000000000..a78e73f982 --- /dev/null +++ b/docs/kb/activitymonitor/.net_dependencies_for_netwrix_recovery_for_active_directory.md 
@@ -0,0 +1,48 @@ +--- +description: >- + This article outlines the required .NET version for Netwrix Recovery for Active Directory and provides guidance on checking installed .NET Framework versions. +keywords: + - .NET + - Netwrix Recovery for Active Directory + - ASP.NET Core +products: + - activity-monitor +sidebar_label: .NET Dependencies for Recovery +tags: [] +title: ".NET Dependencies for Netwrix Recovery for Active Directory" +knowledge_article_id: kA0Qk0000002DyrKAE +--- + +# .NET Dependencies for Netwrix Recovery for Active Directory + +## Related Query + +- ".NET on the Netwrix application server is End-Of-Life (EOL). Is it safe to remove it?" + +## Question + +Which version of .NET is required for Netwrix Recovery for Active Directory? + +## Answer + +ASP.NET Core 8.06 or newer is required. You can also navigate to the [Recovery for Active Directory](/docs/recoveryforactivedirectory/) landing page for the product **Requirements** located under **Getting Started**. + +> **NOTE:** .NET Framework is not the same as ASP.NET Core, and having one does not mean you have the other. ASP.NET Core and .NET Desktop Runtime should show on the list of installed Apps & features; however, .NET Framework does not appear on that list. 
You can check which versions of .NET Framework you have installed by running the following command in PowerShell: + +```powershell +Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | + Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | + Select PSChildName, version +``` + +Example: + +![Dialog box for selecting monitoring plan settings with the Schedule tab active](https://nwxcorp.file.force.com/servlet/rtaImage?eid=ka0Qk000000DMqk&feoid=00N0g000004CA0p&refid=0EMQk00000Bs0kh) + +## Related Articles + +- [Recovery for Active Directory](/docs/recoveryforactivedirectory/) +- [.NET Dependencies for Netwrix Access Analyzer](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_access_analyzer) +- [.NET Dependencies for Netwrix Threat Prevention](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_prevention) +- [.NET Dependencies for Netwrix Threat Manager](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_manager) +- [.NET Dependencies for Netwrix Activity Monitor](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_activity_monitor) \ No newline at end of file diff --git a/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_manager.md b/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_manager.md new file mode 100644 index 0000000000..5cff162b03 --- /dev/null +++ b/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_manager.md 
@@ -0,0 +1,48 @@ +--- +description: >- + This article outlines the .NET dependencies required for Netwrix Threat Manager, including installation instructions and verification steps. +keywords: + - .NET dependencies + - Netwrix Threat Manager + - ASP.NET Core +products: + - activity-monitor +sidebar_label: .NET Dependencies for Threat Manager +tags: [] +title: ".NET Dependencies for Netwrix Threat Manager" +knowledge_article_id: kA0Qk0000002E25KAE +--- + +# .NET Dependencies for Netwrix Threat Manager + +## Related Query + +- ".NET on the Netwrix application server is End-Of-Life (EOL). Is it safe to remove it?" + +## Question + +Which version of .NET is required for Netwrix Threat Manager? + +## Answer + +ASP.NET Core 8.0.11 (or newer) and .NET Desktop Runtime 8.0.11 (or newer) are required. You can also navigate to the [Netwrix Threat Manager](/docs/threatmanager/) landing page for the product **Requirements** located under **Getting Started**. + +> **NOTE:** .NET Framework is not the same as ASP.NET Core, and having one does not mean you have the other. ASP.NET Core and .NET Desktop Runtime should show on the list of installed Apps & features; however, .NET Framework does not appear on that list. 
You can check which versions of .NET Framework you have installed by running the following command in PowerShell: + +```powershell +Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | + Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | + Select PSChildName, version +``` + +Example: + +![Dialog box for selecting monitoring plan settings with the Schedule tab active](https://nwxcorp.file.force.com/servlet/rtaImage?eid=ka0Qk000000DNd7&feoid=00N0g000004CA0p&refid=0EMQk00000BsCU5) + +## Related Articles + +- [Netwrix Threat Manager](/docs/threatmanager/) +- [.NET Dependencies for Netwrix Access Analyzer](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_access_analyzer) +- [.NET Dependencies for Netwrix Recovery for Active Directory](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_recovery_for_active_directory) +- [.NET Dependencies for Netwrix Threat Prevention](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_prevention) +- [.NET Dependencies for Netwrix Activity Monitor](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_activity_monitor) \ No newline at end of file diff --git a/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_prevention.md b/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_prevention.md new file mode 100644 index 0000000000..04045d0353 --- /dev/null +++ b/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_prevention.md 
@@ -0,0 +1,48 @@ +--- +description: >- + This article outlines the required .NET version for Netwrix Threat Prevention and provides guidance on checking installed .NET Framework versions. +keywords: + - .NET Framework + - Netwrix Threat Prevention + - system requirements +sidebar_label: .NET Dependencies for Threat Prevention +tags: [] +title: ".NET Dependencies for Netwrix Threat Prevention" +knowledge_article_id: kA0Qk0000002DxFKAU +products: + - activity-monitor +--- + +# .NET Dependencies for Netwrix Threat Prevention + +## Related Query + +- ".NET on the Netwrix application server is End-Of-Life (EOL). Is it safe to remove it?" + +## Question + +Which version of .NET is required for Netwrix Threat Prevention? + +## Answer + +.NET Framework 4.7.2 or newer is required. You can also navigate to the [Netwrix Threat Prevention](/docs/threatprevention/) landing page for the product **Requirements** located under **Getting Started**. + +> **NOTE:** .NET Framework is not the same as ASP .NET Core, and having one does not mean you have the other. ASP.NET Core and .NET Desktop Runtime should show on the list of installed Apps & features; however, .NET Framework does not appear on that list. 
You can check which versions of .NET Framework you have installed by running the following command in PowerShell: + +```powershell +Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | + Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | + Select PSChildName, version +``` + +Example: + +![Dialog box for selecting monitoring plan settings with the Schedule tab active](https://nwxcorp.file.force.com/servlet/rtaImage?eid=ka0Qk000000DMp7&feoid=00N0g000004CA0p&refid=0EMQk00000Bq4h7) + +## Related Articles + +- [Netwrix Threat Prevention](/docs/threatprevention/) +- [.NET Dependencies for Netwrix Access Analyzer](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_access_analyzer) +- [.NET Dependencies for Netwrix Recovery for Active Directory](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_recovery_for_active_directory) +- [.NET Dependencies for Netwrix Threat Manager](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_threat_manager) +- [.NET Dependencies for Netwrix Activity Monitor](/docs/kb/activitymonitor/.net_dependencies_for_netwrix_activity_monitor) \ No newline at end of file diff --git a/docs/kb/activitymonitor/_category_.json b/docs/kb/activitymonitor/_category_.json new file mode 100644 index 0000000000..31ba0aed9c --- /dev/null +++ b/docs/kb/activitymonitor/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Troubleshooting Articles", + "position": 999, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/activitymonitor/add_an_external_url_to_the_portal_navigation_bar.md b/docs/kb/activitymonitor/add_an_external_url_to_the_portal_navigation_bar.md new file mode 100644 index 0000000000..5651906b2a --- /dev/null +++ b/docs/kb/activitymonitor/add_an_external_url_to_the_portal_navigation_bar.md 
@@ -0,0 +1,43 @@ +--- +description: >- + This article explains how to add an external or internal URL, such as an intranet link, to the navigation bar of your portal using the Admin Center. +keywords: + - portal navigation + - external URL + - Admin Center +sidebar_label: Add External URL to Navigation Bar +tags: [] +title: "Add an External URL to the Portal Navigation Bar" +knowledge_article_id: kA0Qk0000002QT3KAM +products: + - activity-monitor +--- + +# Add an External URL to the Portal Navigation Bar + +## Related Queries + +- "For adding the external URL (to your intranet), I gave you the following solution:" +- "How to add an external or internal link to the portal navigation bar" + +## Overview + +This article explains how to add an external or internal URL, such as an intranet link, to the navigation bar of your portal using the **Admin Center**. The process involves creating a new navigation bar category and then adding the desired link under that category. + +## Instructions + +1. Log on to the **Admin Center**. +2. Navigate to **Applications** and select the required portal. + ![Applications section in Admin Center with portal selection visible](https://nwxcorp.file.force.com/sfc/servlet.shepherd/version/download/068Qk00000O6hIz?asPdf=false&operationContext=CHATTER) +3. In the portal settings, go to the **Design** node, then select **Navigation Bars**. +4. Switch to the **Navigation Bar Categories** tab. +5. Add a new category for your link. + ![Navigation Bar Categories tab with Add Category option highlighted](https://nwxcorp.file.force.com/sfc/servlet.shepherd/version/download/068Qk00000O6Rvq?asPdf=false&operationContext=CHATTER) +6. Return to the **Navigation Bar** tab. +7. From the drop-down menu, select the newly created category. + ![Drop-down menu for selecting navigation bar category](./images/servlet_image_8261932e8e81.png) +8. Add the new external or internal link as needed. 
+ ![Form for adding a new link to the navigation bar](./images/servlet_image_19807e63605b.png) +9. Scroll down and click **Save** to apply your changes. + +> **NOTE:** You can add multiple links under the same category if required. Be sure to review your navigation bar after saving to confirm the new link appears as expected. \ No newline at end of file diff --git a/docs/kb/activitymonitor/agent-returns-no-results-for-active-directory.md b/docs/kb/activitymonitor/agent-returns-no-results-for-active-directory.md new file mode 100644 index 0000000000..239d139071 --- /dev/null +++ b/docs/kb/activitymonitor/agent-returns-no-results-for-active-directory.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Describes how to resolve a CannotFindProcess error when SIWindowsAgent cannot + access LSASS.exe on a domain controller due to endpoint protection blocking + the process. +keywords: + - LSASS + - SIWindowsAgent + - CannotFindProcess + - Active Directory + - endpoint protection + - antivirus exclusions + - Task Manager + - SI.ActiveDirectoryMonitor +products: + - activity-monitor + - threat-prevention +sidebar_label: Agent Returns No Results for Active Directory +tags: [] +title: "Agent Returns No Results for Active Directory" +knowledge_article_id: kA04u000000LLO2CAO +--- + +# Agent Returns No Results for Active Directory + +## Symptom + +You have encountered the following `Cannot Find Process` error in the Netwrix Threat Prevention logs: + +```text +Failed loading monitor dll: +C:\Program Files\STEALTHbits\StealthINTERCEPT\SIWindowsAgent\SI.ActiveDirectoryMonitor.dll, status: CannotFindProcess +``` + +When attempting to create a dump of `LSASS.exe` via Task Manager on the affected domain controller, it fails or creates a 0-kb file. If the dump creation succeeds, it does not indicate that `SIWindowsAgent.exe` is not blocked, only that `Taskmgr.exe` is allowed to access `LSASS.exe`. + +## Cause + +Endpoint protection is hiding the `LSASS.exe` process from `SIWindowsagent.exe` or otherwise blocking the hook into the LSASS API. Common EPP solutions include CarbonBlack, Cylance, and CrowdStrike. + +## Resolution + +In the endpoint protection configuration, allow `SIWindowsAgent.exe` and the contents of the SIAgent install directory access to `LSASS.exe`. 
Refer to the following default folder: + +```text +C:\Program Files\STEALTHBits\StealthINTERCEPT\SIWindowsAgent +``` + +Refer to the following article for additional information on recommended exclusions for your antivirus and endpoint protection solutions: Installation — Antivirus Software Considerations · v7.3 +/docs/threat-prevention/7.3/stealthintercept/installation + +## Related Article + +- Installation — Antivirus Software Considerations · v7.3 + /docs/threat-prevention/7.3/stealthintercept/installation diff --git a/docs/kb/activitymonitor/agents-have-become-unresponsive-error.md b/docs/kb/activitymonitor/agents-have-become-unresponsive-error.md new file mode 100644 index 0000000000..2c8b3def9e --- /dev/null +++ b/docs/kb/activitymonitor/agents-have-become-unresponsive-error.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Describes why the `Agents have become unresponsive` error appears in Netwrix + Threat Manager when events are processed via Netwrix Activity Monitor and how + to resolve it. +keywords: + - Agents have become unresponsive + - Netwrix Threat Manager + - Netwrix Activity Monitor + - Periodic AD Status Check + - Monitored Domains + - event outputs + - unresponsive agents +products: + - activity-monitor + - threat-manager +sidebar_label: Agents Have Become Unresponsive Error +tags: [] +title: "Agents Have Become Unresponsive Error" +knowledge_article_id: kA0Qk0000000LinKAE +--- + +# Agents Have Become Unresponsive Error + +## Symptoms + +- The `Agents have become unresponsive` error is prompted in Netwrix Threat Manager. +- The environment is set up to process events via **Netwrix Activity Monitor**. + +## Causes + +1. Periodic AD Status Check event reporting is disabled for the monitored domain. +2. The output for the affected domain was disabled in **Netwrix Activity Monitor**. + +## Resolutions + +### Cause #1 + +Enable the **Periodic AD Status Check event reporting** option in **Netwrix Activity Monitor** for the affected domain − refer to the **Netwrix Threat Prevention Output** section of the following article for additional information: Monitored Domains − Domain Event Outputs · v7.0. + +### Cause #2 + +Verify the monitoring for the affected domain is enabled − review the state of the domain in the **Monitored Domains** tab of **Netwrix Activity Monitor**. + +## Related articles + +- Monitored Domains − Domain Event Outputs · v7.0 diff --git a/docs/kb/activitymonitor/agents/_category_.json b/docs/kb/activitymonitor/agents/_category_.json new file mode 100644 index 0000000000..8a4773134f --- /dev/null +++ b/docs/kb/activitymonitor/agents/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Agents & Services", + "position": 1, + "collapsed": true, + "collapsible": true +} \ No newline at end of file 
diff --git a/docs/kb/activitymonitor/agents/index.md b/docs/kb/activitymonitor/agents/index.md new file mode 100644 index 0000000000..6a640d2ae0 --- /dev/null +++ b/docs/kb/activitymonitor/agents/index.md @@ -0,0 +1,36 @@ +--- +title: "Agents & Services" +description: Configure and troubleshoot Activity Monitor agents +--- + +# Agents & Services + +Articles about configuring, managing, and troubleshooting Activity Monitor agents and services. + +## Articles in This Section + +- [Agent Returns No Results for Active Directory](./agent-returns-no-results-for-active-directory) +- [Agents Have Become Unresponsive Error](./agents-have-become-unresponsive-error) +- [How to Remove NTP Management of NAM Agents](./how-to-remove-ntp-management-of-nam-agents) +- [NAM Linux Agent: How to Handle Locked Auditd Config](./nam-linux-agent-how-to-handle-locked-auditd-config)" +- [Update Service Account Password Upon Password Change in AD](./update-service-account-password-upon-password-change-in-active-directory-ad) + +## Common Topics + +### NAM Agent Issues +- Configuration problems with NAM Linux agents +- Handling locked auditd configurations +- NTP management removal + +### Service Account Management +- Updating service account passwords +- Active Directory authentication issues + +### Agent Connectivity +- Troubleshooting unresponsive agents +- Resolving "no results" errors + +## Related Documentation + +- Activity Monitor Installation Guide +- Agent Configuration Reference \ No newline at end of file diff --git a/docs/kb/activitymonitor/block_applications_using_content_aware_protection.md b/docs/kb/activitymonitor/block_applications_using_content_aware_protection.md new file mode 100644 index 0000000000..0033acca08 --- /dev/null +++ b/docs/kb/activitymonitor/block_applications_using_content_aware_protection.md 
@@ -0,0 +1,36 @@ +--- +description: >- + This article provides step-by-step instructions on how to block applications using Content Aware Protection in Endpoint Protector. +keywords: + - Content Aware Protection + - block applications + - deny lists +sidebar_label: Block Applications +tags: [] +title: "Block Applications Using Content Aware Protection" +knowledge_article_id: kA0Qk0000002B2xKAE +products: + - activity-monitor +--- + +# Block Applications Using Content Aware Protection + +## Overview + +In Endpoint Protector, you are able to block or deny applications from running on endpoints by configuring Content Aware Protection policies. Use deny lists to specify which applications you want to prevent from executing and assign these lists to the appropriate policies for your environment. + +## Instructions + +Follow these steps to configure the settings: + +1. Identify the process name of the application you want to block: + - On Windows, find the process name under the **Details** tab in Task Manager. + - On macOS, find the process name under the **Process Name** column in Activity Monitor. +2. Navigate to **Denylists and Allowlists > Denylists > Applications** and click **Add**. +3. Enter the name and description for the deny list. +4. In the **Application & CLI Command** box, enter the process name exactly as it appears on the endpoint operating system. Click **Add to Content**. +5. In the **List of Application & CLI Command** box, check the newly added process name and click **Generate**. +6. The application list is now available to select within a Content Aware Policy. +7. Create a new Content Aware Policy or use an existing one. Navigate to **Policy Denylists > Applications** and select the newly created application list. +8. Select the endpoints to which the policy should apply under **Policy Entities**. Save the Content Aware Policy and wait for the policies to update on the endpoints. +9. 
Content Aware Protection now prevents the application from running when a user attempts to start it. \ No newline at end of file diff --git a/docs/kb/activitymonitor/bulk_create_groups_with_multiple_additional_owners_from_a_csv_file.md b/docs/kb/activitymonitor/bulk_create_groups_with_multiple_additional_owners_from_a_csv_file.md new file mode 100644 index 0000000000..ba03277b74 --- /dev/null +++ b/docs/kb/activitymonitor/bulk_create_groups_with_multiple_additional_owners_from_a_csv_file.md 
@@ -0,0 +1,49 @@ +--- +description: >- + This article explains how to bulk create groups in Netwrix Directory Manager using a CSV file and assign multiple additional owners to each group. +keywords: + - bulk create groups + - additional owners + - CSV file +products: + - activity-monitor +sidebar_label: Bulk Create Groups +tags: [] +title: "Bulk Create Groups With Multiple Additional Owners From a CSV File" +knowledge_article_id: kA0Qk0000002mbdKAA +--- + +# Bulk Create Groups With Multiple Additional Owners From a CSV File + +## Related Queries + +- "bulk create groups with additional owners" + +## Overview + +This article explains how to use the Netwrix Directory Manager (formerly GroupID) shell and a properly formatted CSV file to bulk create groups in Directory Manager and assign multiple additional owners to each group. It also covers common pitfalls with CSV formatting and provides a sample script for automation. + +> **IMPORTANT:** Before running the script in production, test with a small sample CSV to confirm that groups and all additional owners are created as expected. Always verify your CSV formatting in a plain text editor (such as Notepad++) to ensure additional owners are properly quoted and separated. Incorrect formatting may result in only the first owner being added. + +## Instructions + +1. Ensure your CSV file includes columns for the group name, primary owner (`managedby`), and a column for additional owners. +2. If you have multiple additional owners, enclose the list in double quotes and separate each owner with a comma. + Example CSV: + ```plaintext + name,managedby,addowner + Group1,Primaryowner1,"AdditionalOwner1,AdditionalOwner2" + Group2,PrimaryOwner2,"AdditionalOwner1,AdditionalOwner3,AdditionalOwner4" + ``` + > **NOTE:** Enclosing the additional owners in double quotes is required if there are multiple owners, so the CSV parser treats them as a single field. + +3. 
Import the CSV and create groups with owners using the commands below: + ```powershell + $groups = Import-csv "C:\Temp\Groups.csv" + # Create the group with primary owner and mail-enabled + $groups | ForEach-Object {New-Group -OrganizationalUnit "OU=abc,DC=xyz,DC=site" -Name $_.Name -SamAccountName $_.Name -GroupScope "Universal Group" -Type "Security" -SecurityType "Semi_Private" -Managedby $_.Managedby} + # Add additional owners + $groups | ForEach-Object {@{e=foreach($s in $_.AddOwner -split ","){ Set-Group -Identity $_.Name -AdditionalOwners $s}}} + ``` + + > **NOTE:** Run the two commands for group creation and addition one after the other—first to create groups with primary owners, then to add additional owners. Replace `OU=abc,DC=xyz,DC=site` with your actual organizational unit and domain details, and ensure the column names in your CSV match the property names in the script (`name`, `managedby`, `addowner`). \ No newline at end of file diff --git a/docs/kb/activitymonitor/capture_client_logs_using_the_support_tool-v2_on_a_windows_machine.md b/docs/kb/activitymonitor/capture_client_logs_using_the_support_tool-v2_on_a_windows_machine.md new file mode 100644 index 0000000000..da2b655685 --- /dev/null +++ b/docs/kb/activitymonitor/capture_client_logs_using_the_support_tool-v2_on_a_windows_machine.md 
@@ -0,0 +1,38 @@ +--- +description: >- + This article provides step-by-step instructions on how to capture client logs using the Support Tool-v2 on a Windows machine. +keywords: + - client logs + - Support Tool-v2 + - Windows +sidebar_label: Capture Client Logs +tags: [] +title: "Capture Client Logs Using the Support Tool-v2 on a Windows Machine" +knowledge_article_id: kA0Qk0000002B72KAE +products: + - activity-monitor +--- + +# Capture Client Logs Using the Support Tool-v2 on a Windows Machine + +## Question + +How do you capture client logs using the Support Tool-v2 on a Windows machine? + +## Answer + +To capture client logs using the Support Tool-v2, follow the steps below: + +1. Download the Support Tool from [https://download.endpointprotector.com/Support_files/Support_Tool_V2.zip](https://download.endpointprotector.com/Support_files/Support_Tool_V2.zip). +2. Extract the contents of the ZIP archive to a new folder. +3. Run **SupportTool_x64.exe** with administrator privileges. +4. From the drop-down menu, select **Create Log File** and click **Execute**. +5. From the drop-down menu, select **Create DPI Log File** and click **Execute**. +6. Leave the Support Tool open and running in the background. Reproduce the issue or retest the scenario several times. +7. After reproducing or retesting the issue, return to the Support Tool and click **Export Files**. +8. From the drop-down menu, select **Create Archive** and click **Execute**. +9. An archive containing all the log files will be created in the same folder where the Support Tool files were extracted. +10. Once done, send the ZIP archive to the Netwrix Support team. +11. After the logs have been collected and sent to Netwrix Support, you must stop the log collection. +12. From the drop-down menu, select **Delete Log File** and click **Execute**. +13. From the drop-down menu, select **Delete DPI Log File** and click **Execute**. \ No newline at end of file 
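Review bot: Steps 1 to 3 have the reader download Support_Tool_V2.zip and run SupportTool_x64.exe with administrator privileges with no integrity check in between. Publish a SHA-256 hash for the archive, or document the expected code-signing publisher of the executable, and add a verification step before step 3. Step 10 says to send the ZIP archive to Support but not by which channel. Step 11 is a statement rather than an action; fold steps 11 to 13 into one "stop log collection" step with two sub-items. The front matter tags the article `products: activity-monitor` although the download host is endpointprotector.com; confirm the product tag and folder.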
diff --git a/docs/kb/activitymonitor/configure_security_questions_for_an_identity_store.md b/docs/kb/activitymonitor/configure_security_questions_for_an_identity_store.md new file mode 100644 index 0000000000..17d9478624 --- /dev/null +++ b/docs/kb/activitymonitor/configure_security_questions_for_an_identity_store.md 
@@ -0,0 +1,37 @@ +--- +description: >- + This article describes how to configure security questions for an identity store in Netwrix Directory Manager. +keywords: + - security questions + - identity store + - multifactor authentication +sidebar_label: Configure Security Questions +tags: [] +title: "Configure Security Questions for an Identity Store" +knowledge_article_id: kA0Qk0000002LpxKAE +products: + - activity-monitor +--- + +# Configure Security Questions for an Identity Store + +## Overview + +This article describes how to configure security questions for an identity store in **Netwrix Directory Manager** (formerly GroupID). + +Each identity store maintains a local pool of security questions, which administrators can modify by adding or removing questions from the global question bank. By default, four questions are added to the local pool when an identity store is created. + +Security questions are supported as an authentication method for multifactor and two-factor authentication. During enrollment, users select a specified number of questions from the local pool and provide answers. For authentication, users must supply the same answers provided at enrollment. + +## Instructions + +1. Log in to the Admin Portal of the identity store with an account that has permissions to manage the identity store. +2. In the Admin Portal, click **Settings**. + + ![Settings option in the Admin Portal](./images/servlet_image_b4cc511f5745.png) + +3. In **Settings**, click **Question Pool**. + + ![Question Pool section in Settings](./images/servlet_image_eb6ac1dac410.png) + +4. From the **Question Pool** section, you can modify existing questions, add new questions, or remove questions as needed. \ No newline at end of file diff --git a/docs/kb/activitymonitor/configuring_the_entra_id_sync_integration.md b/docs/kb/activitymonitor/configuring_the_entra_id_sync_integration.md new file mode 100644 index 0000000000..78c1765f23 --- /dev/null 
+++ b/docs/kb/activitymonitor/configuring_the_entra_id_sync_integration.md 
@@ -0,0 +1,65 @@ +--- +description: >- + This article explains how to configure a Microsoft Entra ID integration with Netwrix Threat Manager, including app registration and setting up the integration. +keywords: + - Microsoft Entra ID + - Netwrix Threat Manager + - app registration + - integration setup + - API permissions +sidebar_label: Configuring Entra ID Sync +tags: [] +title: "Configuring the Entra ID Sync Integration" +knowledge_article_id: kA0Qk0000001kVRKAY +products: + - activity-monitor +--- + +# Configuring the Entra ID Sync Integration + +## Overview + +This article explains how to configure a Microsoft Entra ID integration with Netwrix Threat Manager. The process involves registering an application in the Microsoft Entra admin center, configuring permissions, and setting up the Entra ID Sync Integration within Threat Manager. + +## Instructions + +### Create the App Registration in Microsoft Entra Admin Center + +1. Open the **Microsoft Entra admin center** and navigate to **Identity > Applications > App registrations**. +2. Select **+ New registration**. + - ![Entra admin center showing New Registration button](./images/servlet_image_a9d4a36aab05.png) +3. Give the application a name such as "Entra for Netwrix Threat Manager" and select **Register**. + - For the Supported account types option, select **Accounts in this organizational directory only**, then click **Register**. + - ![App registration options in Entra admin center](./images/servlet_image_0e5a156b562c.png) +4. Navigate to **API permissions** within your new app registration and select **+ Add a permission**. +5. Select **Microsoft Graph**. + - ![Selecting Microsoft Graph API permissions](./images/servlet_image_2c936cc3af52.png) +6. Select **Application** and add the permissions outlined in [Threat Manager Server Requirements](/docs/threatmanager/3.0/requirements/server). +7. After adding all the permissions, select **Grant admin consent for [tenant]**. 
+ - > **NOTE:** The status will change to a green checkmark when complete. + - ![Granting admin consent in Entra admin center](./images/servlet_image_590daa2ead13.png) +8. Navigate to the **Certificates & secrets** page and select **+ New client secret**. +9. Give the client secret a description, set the desired expiration time (according to your organization's internal policies; 24 months is recommended), and select **Add**. + - ![Creating a new client secret in Entra admin center](./images/servlet_image_761d2f787fb4.png) +10. Copy the **Secret Value** to a notepad. + - > **NOTE:** The value will be obscured after leaving the page. + - ![Copying client secret value in Entra admin center](./images/servlet_image_5516dc91a692.png) +11. In the same notepad, also add the Application ID (Client ID) from the Overview page and the tenant name. + - ![Copying Application ID from Entra admin center](./images/servlet_image_a04e32646a9b.png) + - ![Copying tenant name from Entra admin center](./images/servlet_image_a55f51b6c382.png) + +### Set Up Entra ID Sync Integration in Netwrix Threat Manager + +1. Log in to the Threat Manager Dashboard as an administrator and navigate to the **Integrations** menu. + - ![Threat Manager dashboard Integrations menu](./images/servlet_image_6a3341c6a97a.png) +2. Select the **Add new integration** button, and set the **Credential Profile Integration** as shown below and click **Add** once enabled. + - ![Credential Profile Integration settings in Threat Manager](./images/servlet_image_68f21544913c.png) +3. Select **Add New Integration** again. +4. Set the Entra ID Sync Integration as shown below, then select **Test Connection** and **Add** (once enabled). + - ![Entra ID Sync Integration settings in Threat Manager](./images/servlet_image_b184f052a03b.png) +5. Allow a few minutes for the initial sync to begin. You can then navigate to the new Entra ID Sync Integration. 
+ - ![Viewing Entra ID Sync Integration in Threat Manager](./images/servlet_image_ca88af5d8db8.png) + +## Related Link + +- [Threat Manager Server Requirements](/docs/threatmanager/3.0/requirements/server) \ No newline at end of file diff --git a/docs/kb/activitymonitor/disable_ad_authentication_on_the_portal.md b/docs/kb/activitymonitor/disable_ad_authentication_on_the_portal.md new file mode 100644 index 0000000000..f4c17ebdb6 --- /dev/null +++ b/docs/kb/activitymonitor/disable_ad_authentication_on_the_portal.md 
@@ -0,0 +1,36 @@ +--- +description: >- + This article explains how to disable Active Directory authentication on the Netwrix Directory Manager Portal, allowing users to authenticate solely via Single Sign-On (SSO). +keywords: + - Active Directory + - authentication + - Single Sign-On +products: + - activity-monitor +sidebar_label: Disable AD Authentication +tags: [] +title: "How to Disable AD Authentication on the Portal" +knowledge_article_id: kA0Qk0000002bebKAA +--- + +# How to Disable AD Authentication on the Portal + +## Overview + +By default, users can authenticate to the Netwrix Directory Manager (formerly GroupID) Portal using either Active Directory (AD) credentials or Single Sign-On (SSO). This article explains how to disable AD authentication so that users can only authenticate via SSO. + +## Instructions + +1. Log in to the Directory Manager Admin Center with an account that has administrative credentials. +2. Click the **Monitor** icon in the top right corner of the screen to navigate to the **Authenticate** portal. A new browser window will appear. + ![Monitor icon to access Authenticate portal](./images/servlet_image_586cee925a98.png) + +3. Click **Edit** for the **SAML Identity Provider** for which you want to disable AD authentication. + ![Edit SAML Identity Provider](./images/servlet_image_c063b0ef4b7f.png) + +4. Click **Advanced**. +5. Navigate to **Disable GroupID Authentication** and select **Yes** to disable AD authentication. By default, this option is set to **No**. + ![Disable GroupID Authentication option](./images/servlet_image_c547e60a2228.png) + +6. Click **Update** to apply the changes to the SSO settings for the selected SAML Provider. +7. Launch the Directory Manager Portal. Only SSO-based authentication will be available. \ No newline at end of file 
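Review bot: Step 5 removes Active Directory credentials as a sign-in path, and the article gives no fallback if the SAML provider turns out to be misconfigured or unavailable after step 6. Add a note before step 5 telling the administrator to confirm that SSO sign-in already works for an administrative account, and describe how to revert the setting. Step 3 edits a single SAML Identity Provider while step 7 says "Only SSO-based authentication will be available"; state whether the option applies per provider or to the whole portal. The option is labelled **Disable GroupID Authentication** but the text calls it AD authentication throughout; one sentence tying the two names together would help.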
diff --git a/docs/kb/activitymonitor/displays_data_for_resources_that_are_out_of_scope.md b/docs/kb/activitymonitor/displays_data_for_resources_that_are_out_of_scope.md new file mode 100644 index 0000000000..c741979e8c --- /dev/null +++ b/docs/kb/activitymonitor/displays_data_for_resources_that_are_out_of_scope.md 
@@ -0,0 +1,58 @@ +--- +description: >- + This article explains how Netwrix Access Analyzer displays data for file system resources that are out of scope and provides options for removing such data. +keywords: + - Netwrix Access Analyzer + - out of scope resources + - data removal +sidebar_label: Out of Scope Data in Access Analyzer +tags: [] +title: "Displays Data for Resources That Are Out of Scope" +knowledge_article_id: kA0Qk0000002tEvKAI +products: + - activity-monitor +--- + +# Displays Data for Resources That Are Out of Scope + +## Symptom + +Netwrix Access Analyzer (formerly Enterprise Auditor) displays data for file system resources that are no longer within the defined scan scope. + +## Cause + +The resources in question were previously within the scan scope and were collected by Access Analyzer. Once removed from scope, Access Analyzer no longer updates or scans them—by design—but does not automatically purge them from the database. + +Scoping in Access Analyzer controls what is collected or updated going forward, not retroactively removing previously scanned data. Therefore, out-of-scope resources can still appear in reports and interfaces, although they are no longer maintained. + +## Resolution + +There are two options for removing out-of-scope data: + +### Option 1: Full Host Data Removal + +Netwrix Support can assist with dropping all file system data for the specified host. This removes all collected data for that host, not just the out-of-scope folders. + +Refer to [Dropping File System Data](/docs/kb/activitymonitor/dropping_file_system_data) for detailed instructions. + +**Considerations:** + +- This action is irreversible and deletes historical activity not preserved in the Netwrix Activity Monitor. +- There is no impact on sensitive data or permissions. +- A new scan must be performed afterward using updated scoping rules. 
+ +### Option 2: Custom Cleanup via Professional Services + +For more granular removal (e.g., specific folders or paths), a one-time cleanup can be arranged through a paid Professional Services engagement. + +**Details:** + +- Tailored script-based cleanup of only the out-of-scope items. +- Maintains in-scope data and avoids a full purge. +- Requires coordination with the Professional Services team. + +> **Best Practice:** When setting the scan scope, define exclusions first. Then, add inclusions to target only the desired resources. + +## Related Link + +- [Dropping File System Data](/docs/kb/activitymonitor/dropping_file_system_data) \ No newline at end of file diff --git a/docs/kb/activitymonitor/dropping_file_system_data.md b/docs/kb/activitymonitor/dropping_file_system_data.md new file mode 100644 index 0000000000..527195a466 --- /dev/null +++ b/docs/kb/activitymonitor/dropping_file_system_data.md 
@@ -0,0 +1,83 @@ +--- +description: >- + This article provides step-by-step instructions for removing decommissioned file server data from the Netwrix Access Analyzer database. +keywords: + - Netwrix Access Analyzer + - file server data removal + - database management +sidebar_label: Dropping File System Data +tags: [] +title: "How to Drop File System Data from Netwrix Access Analyzer" +knowledge_article_id: kA0Qk0000001qvpKAA +products: + - activity-monitor +--- + +# How to Drop File System Data from Netwrix Access Analyzer + +## Overview + +A file server has been decommissioned, and/or its data is no longer needed in the Netwrix Access Analyzer (formerly Enterprise Auditor) database. Follow the steps below to remove decommissioned file server data from both the Access Analyzer Console and the database. + +## Instructions + +> **IMPORTANT:** Applying this query will permanently delete collected data. Before running the job, ensure all configurations are correct. To prevent rescanning the same hosts, remove the host from the host list first, as described in [How to Remove Servers from Host Lists](/docs/kb/accessanalyzer/how-to-remove-servers-from-host-lists). + +1. Create a new job in Access Analyzer by selecting **Job > Create a New Job** from the top taskbar. You can also right-click **any job folder in the job tree** and select **Create New Job**. + > **NOTE:** It is recommended to add the job to a **Sandbox folder**, if available. + +2. Name the job **DropFSHostData**. + +3. If the server cannot be pinged, clear the **Skip Hosts that do not respond to the PING** box by following the steps below: + 1. Right-click the newly created **DropFSHostData** job. + 2. Select **Properties**. + 3. Click the **Performance** tab. + 4. Clear the **Skip Hosts that do not respond to the PING** box. + ![Performance tab with Skip Hosts that do not respond to the PING option](./images/servlet_image_5085710697d8.png) + +4. Navigate to **Configure > Queries** under the new job. 
+ +5. Select **Create Query**. + +6. On the Data Source tab, use the dropdown to set the Data Collector to **`FILESYSTEMACCESS`** then click **Configure**. + +7. On the Query Selection page of the File System Access Auditor Data Collector Wizard, select the option for **Remove host data** under the **Maintenance** section, and then click **Finish**. + ![Query Selection page with Remove host data option](./images/servlet_image_22428c95d7b3.png) + +8. Navigate to **Configure > Analysis** under the new job. + +9. Select **Create Analysis**. + +10. Set the Analysis Module to **SQL scripting** then click **Configure Analysis**. + 1. Set the Table Name to **SA_FSAA_Hosts**. + 2. Use the SQL script: + ```sql + SELECT * from [SA_FSAA_Hosts] + ``` + ![SQL scripting with SA_FSAA_Hosts table](./images/servlet_image_1773855cdc8d.png) + +11. After saving and closing the analysis, right-click **the analysis** and select **Execute Analyses**. This will list all the file system hosts in the Access Analyzer database under the Results node of the job. + +12. Navigate to **Configure > Hosts** under the new job and under the Individual Hosts panel then add **the file server(s) to be removed**. + +13. Enter **the name as it appears in the Host column** in the FSAA Hosts table. + +14. After setting the hosts, right-click **the job** and select **Schedule**. + +15. In the Schedule wizard, select **Options** from the steps menu then click **Finish**. There is no need to add a trigger or schedule this job to run repeatedly, but it is recommended to run it from **the Schedules node**. + +16. After the job is scheduled, navigate to the Schedules node then right-click **DropFSHostData** and select **Run**. + +17. Once the job is complete, check the **FSAA Hosts table** under **DropFSHostData > Results** to confirm it was removed. + +18. After confirming the host has been properly removed from the database, remove **the server from the Host Lists**. + +19. 
Navigate to the **`%SAInstallDir%FSAA`** folder on the Access Analyzer console and remove the folder for the dropped host. + > **NOTE:** If using an applet or proxy for file system scanning, the host folder should also be removed from the same location on the applet/proxy server. + +> **IMPORTANT:** If this job returns a time-out error, refer to the following article to resolve it: [!REMOVED-...Host Name in AIC and/or FSAA Host Table](/docs/kb/accessanalyzer/error-removed-host-name-in-aic-andor-fsaa-host-table). + +## Related Links + +- [How to Remove Servers from Host Lists](/docs/kb/accessanalyzer/how-to-remove-servers-from-host-lists) +- [!REMOVED-...Host Name in AIC and/or FSAA Host Table](/docs/kb/accessanalyzer/error-removed-host-name-in-aic-andor-fsaa-host-table) \ No newline at end of file diff --git a/docs/kb/activitymonitor/error_'dbo.sa_fsaa_resources.id'_is_not_the_same_data_type_as_referencing_column.md b/docs/kb/activitymonitor/error_'dbo.sa_fsaa_resources.id'_is_not_the_same_data_type_as_referencing_column.md new file mode 100644 index 0000000000..c112b72e31 --- /dev/null +++ b/docs/kb/activitymonitor/error_'dbo.sa_fsaa_resources.id'_is_not_the_same_data_type_as_referencing_column.md 
@@ -0,0 +1,86 @@ +--- +description: >- + This article provides troubleshooting steps for resolving the error related to data type mismatches in the Netwrix Access Analyzer. +keywords: + - Netwrix Access Analyzer + - data type mismatch + - SQL script + - foreign key error + - FS_MigrateSchema +products: + - activity-monitor +sidebar_label: "Error: 'dbo.SA_FSAA_Resources.ID' Is Not the Same Data Type as Referencing Column" +tags: [] +title: "Error: 'dbo.SA_FSAA_Resources.ID' Is Not the Same Data Type as Referencing Column" +knowledge_article_id: kA0Qk0000002RLtKAM +--- + +# Error: ‘dbo.SA_FSAA_Resources.ID’ Is Not the Same Data Type as Referencing Column + +## Symptom + +When running the File System `0-Create Schema` job in Netwrix Access Analyzer, the job fails with the following errors: + +- `Column 'dbo.SA_FSAA_Resources.ID' is not the same data type as referencing column 'SA_FSAA_AzureFilesShares_ResourceID'. Could not create constraint or index.` +- `Foreign key 'FK_SA_FSAA_AzureFilesShareProperties_AzureShareID' references invalid table 'dbo.SA_FSAA_AzureFileShares'. Could not create constraint or index.` +- `Column 'dbo.SA_FSAA_Resources.ID' is not the same data type as referencing column 'SA_FSAA_ResourceMap_ID' in foreign key 'FK_SA_FSAA_ResourceMap_ID'. Could not create constraint or index.` +- `Column 'dbo.SA_FSAA_Resources.ID' is not the same data type as referencing column 'SA_FSAA_ResourcesScanTypeDetails.ID' in foreign key 'FK_SA_FSAA_ResourcesScanTypeDetails_ID'. Could not create constraint or index.` +- `Invalid object name 'dbo.SA_FSAA_ResourceMap'.` + +## Cause + +These errors may be caused by one of the following: + +- The Access Analyzer database was originally created **before** StealthAUDIT v10.0. +- The ID column of the SA_FSAA_Resources table has a data type of **`int`** instead of **`bigint`**. + +## Resolution + +1. 
In the Access Analyzer database, run the following SQL script: + + ```sql + SELECT + t.name AS TableName, + c.name AS ColumnName, + tp.name AS DataType, + CASE + WHEN tp.name = 'bigint' THEN 'FS_MigrateSchema job not needed.' + WHEN tp.name = 'int' THEN 'Run FS_MigrateSchema job from InstantJobs before running 0.CreateSchema job.' + ELSE 'Unknown data type.' + END AS ActionMessage + FROM + sys.tables AS t + INNER JOIN + sys.columns AS c ON t.object_id = c.object_id + INNER JOIN + sys.types AS tp ON c.user_type_id = tp.user_type_id + WHERE + t.name = 'SA_FSAA_Resources' AND + c.name = 'ID' AND + tp.name IN ('int', 'bigint') + ORDER BY + t.name, c.name; + ``` + +2. If the script result says: **`Run FS_MigrateSchema job from InstantJobs before running 0-Create Schema job`**, then open the Access Analyzer console and add the **`FS_MigrateSchema`** job from the **InstantJob** Library. + + > **NOTE:** For more information on pulling jobs from the **InstantJob** Library, see [InstantJobs Overview in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview). + +3. Configure the job with the following runtime details: + + > **NOTE:** For more information on the **`FS_MigrateSchema`** job, see [FS_MigrateSchema Job in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_migrateschema). + + - **Hosts:** localhost + - **Connection Profile:** Account with DBO permissions on the Access Analyzer database + +4. Create a scheduled task for the **`FS_MigrateSchema`** job with the following criteria: + + - Do not include a schedule or trigger. + - Ensure that the **Stop the task if it runs for** option is unchecked. + +5. From the **Schedules** menu, right-click the **`FS_MigrateSchema`** scheduled task and select **Run**. 
+ +## Related Links + +- [InstantJobs Overview in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview) +- [FS_MigrateSchema Job in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_migrateschema) \ No newline at end of file diff --git a/docs/kb/activitymonitor/error_dbo_backup.md b/docs/kb/activitymonitor/error_dbo_backup.md new file mode 100644 index 0000000000..c112b72e31 --- /dev/null +++ b/docs/kb/activitymonitor/error_dbo_backup.md 
@@ -0,0 +1,86 @@ +--- +description: >- + This article provides troubleshooting steps for resolving the error related to data type mismatches in the Netwrix Access Analyzer. +keywords: + - Netwrix Access Analyzer + - data type mismatch + - SQL script + - foreign key error + - FS_MigrateSchema +products: + - activity-monitor +sidebar_label: "Error: 'dbo.SA_FSAA_Resources.ID' Is Not the Same Data Type as Referencing Column" +tags: [] +title: "Error: 'dbo.SA_FSAA_Resources.ID' Is Not the Same Data Type as Referencing Column" +knowledge_article_id: kA0Qk0000002RLtKAM +--- + +# Error: ‘dbo.SA_FSAA_Resources.ID’ Is Not the Same Data Type as Referencing Column + +## Symptom + +When running the File System `0-Create Schema` job in Netwrix Access Analyzer, the job fails with the following errors: + +- `Column 'dbo.SA_FSAA_Resources.ID' is not the same data type as referencing column 'SA_FSAA_AzureFilesShares_ResourceID'. Could not create constraint or index.` +- `Foreign key 'FK_SA_FSAA_AzureFilesShareProperties_AzureShareID' references invalid table 'dbo.SA_FSAA_AzureFileShares'. Could not create constraint or index.` +- `Column 'dbo.SA_FSAA_Resources.ID' is not the same data type as referencing column 'SA_FSAA_ResourceMap_ID' in foreign key 'FK_SA_FSAA_ResourceMap_ID'. Could not create constraint or index.` +- `Column 'dbo.SA_FSAA_Resources.ID' is not the same data type as referencing column 'SA_FSAA_ResourcesScanTypeDetails.ID' in foreign key 'FK_SA_FSAA_ResourcesScanTypeDetails_ID'. Could not create constraint or index.` +- `Invalid object name 'dbo.SA_FSAA_ResourceMap'.` + +## Cause + +These errors may be caused by one of the following: + +- The Access Analyzer database was originally created **before** StealthAUDIT v10.0. +- The ID column of the SA_FSAA_Resources table has a data type of **`int`** instead of **`bigint`**. + +## Resolution + +1. 
In the Access Analyzer database, run the following SQL script: + + ```sql + SELECT + t.name AS TableName, + c.name AS ColumnName, + tp.name AS DataType, + CASE + WHEN tp.name = 'bigint' THEN 'FS_MigrateSchema job not needed.' + WHEN tp.name = 'int' THEN 'Run FS_MigrateSchema job from InstantJobs before running 0.CreateSchema job.' + ELSE 'Unknown data type.' + END AS ActionMessage + FROM + sys.tables AS t + INNER JOIN + sys.columns AS c ON t.object_id = c.object_id + INNER JOIN + sys.types AS tp ON c.user_type_id = tp.user_type_id + WHERE + t.name = 'SA_FSAA_Resources' AND + c.name = 'ID' AND + tp.name IN ('int', 'bigint') + ORDER BY + t.name, c.name; + ``` + +2. If the script result says: **`Run FS_MigrateSchema job from InstantJobs before running 0-Create Schema job`**, then open the Access Analyzer console and add the **`FS_MigrateSchema`** job from the **InstantJob** Library. + + > **NOTE:** For more information on pulling jobs from the **InstantJob** Library, see [InstantJobs Overview in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview). + +3. Configure the job with the following runtime details: + + > **NOTE:** For more information on the **`FS_MigrateSchema`** job, see [FS_MigrateSchema Job in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_migrateschema). + + - **Hosts:** localhost + - **Connection Profile:** Account with DBO permissions on the Access Analyzer database + +4. Create a scheduled task for the **`FS_MigrateSchema`** job with the following criteria: + + - Do not include a schedule or trigger. + - Ensure that the **Stop the task if it runs for** option is unchecked. + +5. From the **Schedules** menu, right-click the **`FS_MigrateSchema`** scheduled task and select **Run**. 
+ +## Related Links + +- [InstantJobs Overview in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview) +- [FS_MigrateSchema Job in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_migrateschema) \ No newline at end of file diff --git a/docs/kb/activitymonitor/error_ini_section_does_not_exist_in_sbtfilemon.ini.md b/docs/kb/activitymonitor/error_ini_section_does_not_exist_in_sbtfilemon.ini.md new file mode 100644 index 0000000000..b15ba8a82c --- /dev/null +++ b/docs/kb/activitymonitor/error_ini_section_does_not_exist_in_sbtfilemon.ini.md 
@@ -0,0 +1,53 @@ +--- +description: >- + This article addresses the warning message encountered during the File Server Activity auditing scan in Netwrix Access Analyzer, detailing its causes and resolutions. +keywords: + - Netwrix Access Analyzer + - File Server Activity auditing + - Ini section error +sidebar_label: Ini Section Error Resolution +tags: [] +title: "Error: Ini Section Does Not Exist in SBTFileMon.ini" +knowledge_article_id: kA0Qk0000001M05KAE +products: + - activity-monitor +--- + +# Error: Ini Section Does Not Exist in SBTFileMon.ini + +## Symptom + +Netwrix Access Analyzer (formerly Enterprise Auditor) prompts the following warning message during the File Server Activity auditing (FSAC) scan: + +``` +Error during processing: GetFSACIniAttributeValue: +Error: Ini section for %hostname% does not exist in ini file C:\Program Files\STEALTHbits\StealthAUDIT\FSAC\SBTFileMon.ini. +``` + +> **NOTE:** This article references the `%hostname%` variable as the expected name. + +## Causes + +- The name of the monitored host in **Netwrix Activity Monitor** mismatches the expected name. +- The echo ping is disabled in your environment. +- The affected server is missing the `OSType` value in the **Host Management** settings. + +## Resolutions + +Refer to the appropriate resolution steps to resolve the issue in your environment: + +1. Set up the **Report Hostname As** parameter of the affected output to match the expected host name. Follow these steps: + 1. In **Netwrix Activity Monitor**, select the target output and click **Edit**. + 2. In the **Additional Properties** tab, specify the expected host name in the **Report Hostname As** field. Click **OK** to save changes. + + > **NOTE:** Alternatively, in **Netwrix Activity Monitor**, select the target host, click **Edit**, and alter the **Report the Host Name As** value to reflect the expected name. + +2. Disable the **Stop on Failed Ping** rule via **Host Inventory**. 
Refer to the following article for additional information: Global Settings — Host Inventory · v11.6. + +3. Manually specify the `OSType` value for the affected server. Use the following values for the corresponding systems: + - Specify `Windows` for any Windows File System. + - Specify `NAS` for any NetApp, Isilon, Nasuni, Qumolo, and other systems. + +## Related Article + +- Global Settings — Host Inventory · v11.6 \ No newline at end of file diff --git "a/docs/kb/activitymonitor/error_invalid_credentials\342\200\224client_idsecret_combo_may_be_incorrect_or_expired.md" "b/docs/kb/activitymonitor/error_invalid_credentials\342\200\224client_idsecret_combo_may_be_incorrect_or_expired.md" new file mode 100644 index 0000000000..5f62bff040 --- /dev/null +++ "b/docs/kb/activitymonitor/error_invalid_credentials\342\200\224client_idsecret_combo_may_be_incorrect_or_expired.md" 
@@ -0,0 +1,45 @@ +--- +description: >- + This article addresses the error encountered when the Client ID/Secret combination is incorrect or expired while configuring the API in Netwrix Activity Monitor and Netwrix Access Analyzer. +keywords: + - invalid credentials + - client ID + - secret combo + - API configuration + - Netwrix Access Analyzer +sidebar_label: Invalid Credentials Error +tags: [] +title: "Error: Invalid Credentials—Client ID/Secret Combo May Be Incorrect or Expired" +knowledge_article_id: kA0Qk00000027rpKAA +products: + - activity-monitor +--- + +# Error: Invalid Credentials—Client ID/Secret Combo May Be Incorrect or Expired + +## Symptom + +After configuring the API in **Netwrix Activity Monitor** and adding the client ID/secret as a connection profile in **Netwrix Access Analyzer** (formerly **Enterprise Auditor**), the following error appears when trying to get the refresh token from the AD Activity Data Collector: + +``` +Could not connect: +One of more errors occurred. +- Invalid credentials. The Client ID/Secret combo may be incorrect or expired. +``` + +![Error message indicating invalid credentials](./images/servlet_image_4ca84d0f3bd4.png) + +## Cause + +These errors may be caused by any one of the following: + +- An expired Client ID/Secret combo +- An open API Configuration window in **Netwrix Activity Monitor** + + > **NOTE:** This results in the Client ID/Secret combo being inactive. + +## Resolution + +If the Client ID/Secret combo is new and not expired, make sure the API Configuration window and **Agent Properties** windows are closed. + +![API Configuration window](./images/servlet_image_a445105a92a3.png) \ No newline at end of file diff --git a/docs/kb/activitymonitor/error_the_applet_is_not_running_or_port_8767_is_blocked.md b/docs/kb/activitymonitor/error_the_applet_is_not_running_or_port_8767_is_blocked.md new file mode 100644 index 0000000000..ce8042ada1 --- /dev/null 
+++ b/docs/kb/activitymonitor/error_the_applet_is_not_running_or_port_8767_is_blocked.md 
@@ -0,0 +1,50 @@ +--- +description: >- + This article addresses the error encountered when connecting to the FSAA applet, detailing symptoms, causes, and resolutions. +keywords: + - FSAA applet + - RPC error + - port configuration +sidebar_label: FSAA Applet Connection Error +tags: [] +title: "Error: The Applet Is Not Running or Port 8767 Is Blocked" +knowledge_article_id: kA0Qk0000001o9FKAQ +products: + - activity-monitor +--- + +# Error: The Applet Is Not Running or Port 8767 Is Blocked + +## Symptom + +When attempting to connect to the FSAA applet, the following errors appear: + +``` +RPC: Checking the connection to host . +Debug: RPC: **Failed** to bind. Protocol: ncacn_ip_tcp, Host: , Endpoint: 8767, Secure: False. **Error**: The remote procedure call was **cancelled**. +Debug: **Cannot connect to the applet** RPC on ''. **The applet is not running or port 8767 is blocked**. The remote procedure call was **cancelled**. +``` + +## Cause + +The Proxy and File Action Module are using the same port. + +## Resolution + +You must adjust the ports for the FSAA scan. Set the **port of the Applet** plus 1 as the **port for the certificate exchange**. + +![FSAA scan configuration showing Applet port and certificate exchange port settings](./images/servlet_image_d0e555d9fde1.png) + +1. Stop the **Netwrix Access Analyzer FSAA Proxy scanner** service. +2. Update the **Applet port** on the proxy. Run the following command to change the port based on the updated Applet port (the path may vary depending on your installation): + + ```plaintext + sc config StealthAUDITFSAA binPath=""C:\Program Files (x86)\STEALTHbits\StealthAUDIT\FSAA\FSAAAppletServer.EXE" -e 8769" + ``` + +3. Start the service in **Services**. +4. Verify in **Task Manager** that the service is running on the new port (e.g., `8769`). +5. In the FSAA scan configuration, set the **Applet port** to the new port. +6. In the FSAA scan configuration, set the port for the certificate exchange to the new port plus 1. 
+ +Once the scan is run, the proxy service will free up the port for the File Action Service. \ No newline at end of file diff --git a/docs/kb/activitymonitor/error_the_process_cannot_access_sadictionary_hashed_sorted.dat_because_it_is_being_used_by_another_p.md b/docs/kb/activitymonitor/error_the_process_cannot_access_sadictionary_hashed_sorted.dat_because_it_is_being_used_by_another_p.md new file mode 100644 index 0000000000..3d462505a3 --- /dev/null +++ b/docs/kb/activitymonitor/error_the_process_cannot_access_sadictionary_hashed_sorted.dat_because_it_is_being_used_by_another_p.md 
@@ -0,0 +1,73 @@ +--- +description: >- + This article addresses the error where the process cannot access the file `sadictionary_hashed_sorted.dat` due to it being used by another process, detailing symptoms, causes, and resolutions. +keywords: + - Active Directory + - file access error + - password dictionary +sidebar_label: Process Access Error +tags: [] +title: "Error: The Process Cannot Access sadictionary_hashed_sorted.dat Because It Is Being Used By Another Process" +knowledge_article_id: kA0Qk000000336DKAQ +products: + - activity-monitor +--- + +# Error: The Process Cannot Access sadictionary_hashed_sorted.dat Because It Is Being Used By Another Process + +## Related Queries + +- "Reports are not running, some time out." +- "The process cannot access the file `D:\Program Files (x86)\STEALTHbits\StealthAUDIT\Jobs\SA_CommonData\PasswordSecurity\Dictionaries\sadictionary_hashed_sorted.dat` because it is being used by another process." +- "Could not update dictionary: Dictionary signature failure: invalid match" + +## Symptom + +Several Active Directory–related jobs and reports (ccAD Scan, AD Changes, and AD Weak Passwords) fail to complete or time out. The job log contains a `System.IO.IOException` similar to the following: + +``` +The process cannot access the file 'D:\Program Files (x86)\STEALTHbits\StealthAUDIT\Jobs\SA_CommonData\PasswordSecurity\Dictionaries\sadictionary_hashed_sorted.dat' because it is being used by another process. +``` + +Attempts to update the password dictionary from the user interface also fail, and job runs show the dictionary file update activity in the logs without a successful update. + +## Causes + +- Concurrent worker threads are causing resource contention. The default value of 10 concurrent worker threads can allow multiple workers to attempt to access or update the same dictionary file simultaneously, resulting in a file lock and I/O exceptions. 
+- The dictionary file was locked by another process or a concurrent job, preventing the PasswordSecurity module from replacing or updating the file. +- In some cases, a corrupted or partially downloaded dictionary or a signature mismatch can also cause update failures. + +## Resolution + +Follow these steps to resolve the issue. After each change, re-run the failing job to confirm the problem is resolved. + +> **IMPORTANT:** Before deleting or replacing system files, stop the job engine and take a backup copy of the file. Deleting system files while jobs or services are running can cause additional errors. + +1. **Reduce Concurrent Worker Threads.** + 1. Open the **Netwrix Access Analyzer** (formerly Enterprise Auditor) administration console. + 2. Navigate to **Administration** > **Jobs Tree** > **Jobs**. + 3. Open the affected job, select the **Performance** tab, and set **Concurrent Worker Threads** to **1** (the default is 10). See the documentation: Job Properties: Performance ⸱ Netwrix Help Center 🡥. + +2. **Stop Relevant Services or Jobs.** + - Before modifying or deleting the dictionary file, stop the job engine or ensure the PasswordSecurity job is not running so the file is not in use. + +3. **Delete and Replace the Locked Dictionary File.** + 1. Back up the existing dictionary file copy if needed. + 2. Delete the file at `D:\Program Files (x86)\STEALTHbits\StealthAUDIT\Jobs\SA_CommonData\PasswordSecurity\Dictionaries\sadictionary_hashed_sorted.dat`. + 3. In the Administration console, navigate to **Administration** > **Data Collectors** > **PasswordSecurity Data Collector** > **PasswordSecurity: Dictionaries** and click the **Query** button to update the dictionary from the console. See: PasswordSecurity: Dictionaries ⸱ Netwrix Help Center 🡥. + 4. If the console update fails, manually download and extract the dictionary file: [dictionary.zip ⸱ Stealthbits 🡥](https://downloads.stealthbits.com/access/files/Passwords/dictionary.zip). 
Replace the deleted file with the correct file from the archive. + +4. **Verify Antivirus and Proxy Interference.** + - Ensure antivirus or endpoint protection software is not scanning or locking the dictionaries folder. Follow the recommended exclusions: Antivirus Exclusions ⸱ Netwrix Help Center 🡥. + - If dictionary downloads occur from the internet, confirm that proxy and SSL inspection appliances are not altering the files during download. + +5. **Restart Services and Test.** + 1. Start the job engine or scheduled jobs you stopped earlier. + 2. Run the failing job (e.g., **AD_WeakPasswords**) and verify it completes successfully and that the dictionary file is updated in the logs. + +## Related Links + +- Job Properties: Performance ⸱ Netwrix Help Center 🡥 +- PasswordSecurity: Dictionaries ⸱ Netwrix Help Center 🡥 +- Antivirus Exclusions ⸱ Netwrix Help Center 🡥 +- [dictionary.zip ⸱ Stealthbits 🡥](https://downloads.stealthbits.com/access/files/Passwords/dictionary.zip) \ No newline at end of file diff --git "a/docs/kb/activitymonitor/error_\342\200\230dbo.sa_fsaa_resources.id\342\200\231_is_not_the_same_data_type_as_referencing_column.md" "b/docs/kb/activitymonitor/error_\342\200\230dbo.sa_fsaa_resources.id\342\200\231_is_not_the_same_data_type_as_referencing_column.md" new file mode 100644 index 0000000000..5bf7c9bc82 --- /dev/null +++ "b/docs/kb/activitymonitor/error_\342\200\230dbo.sa_fsaa_resources.id\342\200\231_is_not_the_same_data_type_as_referencing_column.md" 
@@ -0,0 +1,86 @@ +--- +description: >- + This article provides troubleshooting steps for resolving the error related to data type mismatches in the Netwrix Access Analyzer. +keywords: + - Netwrix Access Analyzer + - data type mismatch + - SQL script + - foreign key error + - FS_MigrateSchema +sidebar_label: "Error: 'dbo.SA_FSAA_Resources.ID' Is Not the Same Data Type as Referencing Column" +tags: [] +title: "Error: ‘dbo.SA_FSAA_Resources.ID’ Is Not the Same Data Type as Referencing Column" +knowledge_article_id: kA0Qk0000002RLtKAM +products: + - activity-monitor +--- + +# Error: ‘dbo.SA_FSAA_Resources.ID’ Is Not the Same Data Type as Referencing Column + +## Symptom + +When running the File System `0-Create Schema` job in Netwrix Access Analyzer, the job fails with the following errors: + +- `Column 'dbo.SA_FSAA_Resources.ID' is not the same data type as referencing column 'SA_FSAA_AzureFilesShares_ResourceID'. Could not create constraint or index.` +- `Foreign key 'FK_SA_FSAA_AzureFilesShareProperties_AzureShareID' references invalid table 'dbo.SA_FSAA_AzureFileShares'. Could not create constraint or index.` +- `Column 'dbo.SA_FSAA_Resources.ID' is not the same data type as referencing column 'SA_FSAA_ResourceMap_ID' in foreign key 'FK_SA_FSAA_ResourceMap_ID'. Could not create constraint or index.` +- `Column 'dbo.SA_FSAA_Resources.ID' is not the same data type as referencing column 'SA_FSAA_ResourcesScanTypeDetails.ID' in foreign key 'FK_SA_FSAA_ResourcesScanTypeDetails_ID'. Could not create constraint or index.` +- `Invalid object name 'dbo.SA_FSAA_ResourceMap'.` + +## Cause + +These errors may be caused by one of the following: + +- The Access Analyzer database was originally created **before** StealthAUDIT v10.0. +- The ID column of the SA_FSAA_Resources table has a data type of **`int`** instead of **`bigint`**. + +## Resolution + +1. 
In the Access Analyzer database, run the following SQL script: + + ```sql + SELECT + t.name AS TableName, + c.name AS ColumnName, + tp.name AS DataType, + CASE + WHEN tp.name = 'bigint' THEN 'FS_MigrateSchema job not needed.' + WHEN tp.name = 'int' THEN 'Run FS_MigrateSchema job from InstantJobs before running 0.CreateSchema job.' + ELSE 'Unknown data type.' + END AS ActionMessage + FROM + sys.tables AS t + INNER JOIN + sys.columns AS c ON t.object_id = c.object_id + INNER JOIN + sys.types AS tp ON c.user_type_id = tp.user_type_id + WHERE + t.name = 'SA_FSAA_Resources' AND + c.name = 'ID' AND + tp.name IN ('int', 'bigint') + ORDER BY + t.name, c.name; + ``` + +2. If the script result says: **`Run FS_MigrateSchema job from InstantJobs before running 0-Create Schema job`**, then open the Access Analyzer console and add the **`FS_MigrateSchema`** job from the **InstantJob** Library. + + > **NOTE:** For more information on pulling jobs from the **InstantJob** Library, see [InstantJobs Overview in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview). + +3. Configure the job with the following runtime details: + + > **NOTE:** For more information on the **`FS_MigrateSchema`** job, see [FS_MigrateSchema Job in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_migrateschema). + + - **Hosts:** localhost + - **Connection Profile:** Account with DBO permissions on the Access Analyzer database + +4. Create a scheduled task for the **`FS_MigrateSchema`** job with the following criteria: + + - Do not include a schedule or trigger. + - Ensure that the **Stop the task if it runs for** option is unchecked. + +5. From the **Schedules** menu, right-click the **`FS_MigrateSchema`** scheduled task and select **Run**. 
+ +## Related Links + +- [InstantJobs Overview in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview) +- [FS_MigrateSchema Job in Netwrix Access Analyzer 12.0](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_migrateschema) \ No newline at end of file diff --git "a/docs/kb/activitymonitor/high_availability_\342\210\222_enter_or_exit_a_failover_state_using_nps.hamgr.exe.md" "b/docs/kb/activitymonitor/high_availability_\342\210\222_enter_or_exit_a_failover_state_using_nps.hamgr.exe.md" new file mode 100644 index 0000000000..a48f376b91 --- /dev/null +++ "b/docs/kb/activitymonitor/high_availability_\342\210\222_enter_or_exit_a_failover_state_using_nps.hamgr.exe.md" 
@@ -0,0 +1,51 @@ +--- +description: >- + This article provides step-by-step instructions on how to enter or exit a failover state using NPS.HaMgr.exe in a high availability (HA) setup. +keywords: + - high availability + - failover + - NPS.HaMgr.exe +sidebar_label: High Availability Failover +tags: [] +title: "High Availability − Enter or Exit a Failover State Using NPS.HaMgr.exe" +knowledge_article_id: kA04u000000HDhCCAW +products: + - activity-monitor +--- + +# High Availability − Enter or Exit a Failover State Using NPS.HaMgr.exe + +## Overview + +Failover is required in upgrade scenarios, as well as disaster recovery scenarios. This article discusses how to fail over a secondary node in a high availability (HA) pair, and how to re-establish high availability after failing over. + +## Instructions + +### Step 1 − Fail Over a Secondary Node + +1. In the secondary server, locate `NPS.HaMgr.exe`. As per the recommendations, it should be located in the `%ProgramFiles%\Stealthbits\PAM\HA Tools` directory on the drive where Netwrix Privilege Secure is installed. Otherwise, it will be in the **Extras** folder where the Netwrix Privilege Secure archive file was extracted. Refer to the following article for additional information: [How to Configure High Availability (HA) Using SbPAM.HaMgr.exe](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA04u0000000HfOCAU.html). + +2. Start the HA Manager Tool `NPS.HaMgr.exe`. + +3. Click the **Failover** button − this button appears only when the HA Tool is running on the secondary server, and the secondary node is actively replicating the primary node. + +4. Shortly, PostgreSQL replication will stop. The secondary node should no longer indicate **Running Replica** in the HaMgr interface, and the **Failover** button should be replaced with the **Configure HA** button. 
+ +> **NOTE:** Clicking **Failover** swaps the IP Address of the Primary and the Secondary hosts, moving the secondary IP address to the primary IP address field. After failing over, the HA Tool confirms replication is inactive. + +### Step 2 − Re-establish the HA Connection Between the Primary and Secondary Nodes + +1. Launch the HA Tool on the secondary node. + +2. Enter the primary IP address into the **Primary IP** text box. + +3. Enter the secondary IP address into the **Secondary IP** text box. + +4. Click the **Configure HA** button. + +> **IMPORTANT:** When re-establishing a High Availability pair, confirm the correct IP addresses for both the primary and secondary nodes. These should correspond to the same IP addresses as before the failover was performed. Contact Technical Support for assistance in case the nodes are swapped, and HA is improperly re-established: [Netwrix Support · Netwrix](https://www.netwrix.com/support.html). + +## Related Links + +- [How to Configure High Availability (HA) Using SbPAM.HaMgr.exe](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA04u0000000HfOCAU.html) +- [Netwrix Support · Netwrix](https://www.netwrix.com/support.html) \ No newline at end of file diff --git a/docs/kb/activitymonitor/how-to-remove-ntp-management-of-nam-agents.md b/docs/kb/activitymonitor/how-to-remove-ntp-management-of-nam-agents.md new file mode 100644 index 0000000000..abe76269aa --- /dev/null +++ b/docs/kb/activitymonitor/how-to-remove-ntp-management-of-nam-agents.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Shows how to remove Netwrix Threat Prevention (NTP) management from Netwrix + Activity Monitor (NAM) agents by updating the agent configuration to use a + local SAMConfig.xml and restarting the agent service. +keywords: + - NTP + - NAM + - SIWindowsAgent.exe.Config + - managerAddress + - SAMConfig.xml + - agent management + - restart service + - Netwrix Threat Prevention + - Netwrix Activity Monitor + - remove management +products: + - activity-monitor + - threat-prevention +sidebar_label: How To Remove NTP Management of NAM Agents +tags: [] +title: "How To Remove NTP Management of NAM Agents" +knowledge_article_id: kA0Qk0000001quDKAQ +--- + +# How To Remove NTP Management of NAM Agents + +## Question + +How can you remove the Netwrix Threat Prevention (NTP) management of Netwrix Activity Monitor (NAM) agents? + +## Answer + +To adjust the management of the NAM agents, follow the steps below: + +1. Edit the `SIWindowsAgent.exe.Config` file in the agent install directory with an Admin notepad. +2. Change the original `managerAddress` to: +```xml + +``` +3. Restart the agent service. diff --git a/docs/kb/activitymonitor/how_to_change_the_samaccountname,_alias,_and_user_logon_name_format_to_first.last_in_the_portal.md b/docs/kb/activitymonitor/how_to_change_the_samaccountname,_alias,_and_user_logon_name_format_to_first.last_in_the_portal.md new file mode 100644 index 0000000000..ce6977accc --- /dev/null +++ b/docs/kb/activitymonitor/how_to_change_the_samaccountname,_alias,_and_user_logon_name_format_to_first.last_in_the_portal.md 
@@ -0,0 +1,82 @@ +--- +description: >- + This article explains how to change the format of user identifiers such as samAccountName, alias, and user logon name to First.Last in the Netwrix Directory Manager portal. +keywords: + - samAccountName + - alias + - user logon name + - Directory Manager + - First.Last format +sidebar_label: Change User Identifier Format +tags: [] +title: "How to Change the samAccountName, Alias, and User Logon Name Format to First.Last in the Portal" +knowledge_article_id: kA0Qk0000002QMbKAM +products: + - activity-monitor +--- + +# How to Change the samAccountName, Alias, and User Logon Name Format to First.Last in the Portal + +## Applies To + +Directory Manager 11 + +## Overview + +By default, Netwrix Directory Manager (formerly GroupID) generates user identifiers such as **samAccountName**, **alias**, and **user logon name** in the **LastF** format (for example, DoeJ for John Doe). Some organizations require a more standardized and readable format, such as **FirstName.LastName** (for example, John.Doe), to align with corporate policies and improve consistency. You can change this by modifying the portal’s script file. This article explains how to apply this change. + +## Instructions + +> **NOTE:** Test this change in a non-production environment before implementation. Always back up original files before making modifications. + +### Modify the Naming Format for User Identifiers + +1. Navigate to the following directory on your Directory Manager server: + `C:\Program Files\Imanami\GroupID 11.0\GroupIDPortal\Inetpub\\Web\wwwroot\Scripts` + +2. Locate the following files: + - `CreateWizard.js` + - `CreateWizard.min.js` + +3. Rename `CreateWizard.min.js` to `CreateWizard.min.backup.js`. + +4. Open `CreateWizard.js` in **Notepad++** or another text editor. + +5. Search for the function named `addNamingRules()`. + +6. 
Replace the existing block: + ```javascript + var lastNameText = lastName.val(); + var logonNameText = ""; + if (lastNameText.length > 0) { + logonNameText = lastNameText; + } + var firstNameText = firstName.val(); + if (firstNameText.length > 0) { + logonNameText += firstNameText[0]; + } + ``` + with the following: + ```javascript + var firstNameText = firstName.val().trim(); + var lastNameText = lastName.val().trim(); + var logonNameText = ""; + if (firstNameText.length > 0 && lastNameText.length > 0) { + logonNameText = firstNameText + "." + lastNameText; + } + ``` + + ![Editing addNamingRules function in CreateWizard.js](./images/servlet_image_996040ecbfe0.png) + +7. Save the file. + +8. Rename `CreateWizard.js` to `CreateWizard.min.js`. + +9. Open **Command Prompt** as Administrator and run the following command: + ```plaintext + iisreset + ``` + +10. After IIS is restarted, log in to the portal and create a new user. The **samAccountName**, **alias**, and **user logon name** will now be generated in the **First.Last** format. + +![User logon name in First.Last format in Directory Manager portal](./images/servlet_image_62cb2d77bb75.png) \ No newline at end of file diff --git a/docs/kb/activitymonitor/how_to_handle_duplicate_first_and_last_names_when_creating_users_with_synchronize_jobs.md b/docs/kb/activitymonitor/how_to_handle_duplicate_first_and_last_names_when_creating_users_with_synchronize_jobs.md new file mode 100644 index 0000000000..0428421463 --- /dev/null +++ b/docs/kb/activitymonitor/how_to_handle_duplicate_first_and_last_names_when_creating_users_with_synchronize_jobs.md 
@@ -0,0 +1,95 @@ +--- +description: >- + This article explains how to handle duplicate first and last names when creating user accounts with Netwrix Directory Manager Synchronize jobs, ensuring unique Common Names (CN) in Active Directory. +keywords: + - Netwrix Directory Manager + - Active Directory + - Synchronize jobs +sidebar_label: Handle Duplicate Names +tags: [] +title: "How to Handle Duplicate First and Last Names When Creating Users with Synchronize Jobs" +knowledge_article_id: kA0Qk0000002Z1hKAE +products: + - activity-monitor +--- + +# How to Handle Duplicate First and Last Names When Creating Users with Synchronize Jobs + +## Overview + +When using **Netwrix Directory Manager** (formerly GroupID) Synchronize jobs to create user accounts in **Active Directory**, you may encounter a situation where the job fails if the new user's first and last name match those of an existing user. This occurs because Active Directory does not allow duplicate Common Names (CN) within the same Organizational Unit (OU). This article explains how to configure a Synchronize job to automatically append a number to the CN, ensuring each new account has a unique CN. + +## Instructions + +1. In the **Directory Manager Management Console**, expand the **Synchronize** node. +2. Right-click **All Jobs** and select to create a new job or edit the existing job where you are facing the issue. +3. Provide the required information for the **Source** and **Destination** directories on the respective wizard pages. +4. On the **Sync Object** page, select the appropriate user type (for example, User, Mail-enabled User). +5. On the **Select Fields** page, choose the necessary attributes. +6. On the **Field Map(s)** page, click **Edit Global Script**. + + ![Edit Global Script in Field Map page](./images/servlet_image_d62b956ff5b7.png) + +7. In the **Global Script Editor**, click **Tools > Add/Remove Reference**. + + ![Add/Remove Reference dialog](./images/servlet_image_730b8cce535b.png) + +8. 
Select **Imanami.Synchronize.ActiveDirectoryTool.dll** and click **Apply**. + + ![Build and Compile Script](./images/servlet_image_da0c28343998.png) + +9. Click **Build > Compile Script** to ensure the reference is added successfully. + + ![Global Script Editor in Directory Manager](./images/servlet_image_11b4f3368d5c.png) + +10. On the **Field Map(s)** page, click the **Transform** button next to **cn**. + + ![Transform button for CN field](./images/servlet_image_a42fc80dbf09.png) + +11. In the **Transform** dialog, select **Script** from the drop-down. + + ![Script option in Transform dialog](./images/servlet_image_2b47dbe887ad.png) + +12. Paste the following script, adjusting `DTM.Source("First")` and `DTM.Source("Last")` if your source attribute names differ: + + ```plaintext + ActiveDirectoryTool.ConfigureFromDestination() + + Dim cn As String + Dim baseName As String + Dim num As Integer + Dim isVerified As Boolean + + num = 2 + isVerified = False + + ' Base name: First.Last + baseName = DTM.Source("First") & "." & DTM.Source("Last") + cn = baseName + + ' Try base name first + If ActiveDirectoryTool.VerifyUniqueInDomain("cn=" & cn) Then + isVerified = True + Else + ' Try First.Last2, First.Last3, etc. + Do While Not isVerified + cn = baseName & num + If ActiveDirectoryTool.VerifyUniqueInDomain("cn=" & cn) Then + isVerified = True + Else + num = num + 1 + End If + Loop + End If + + DTM.Result = cn + ``` + + ![Script editor with CN transformation script](./images/servlet_image_ed256235324f.png) + +13. Click the **Build** button and **Test Script**. Use test data with a duplicate first and last name to confirm the CN is generated with a number appended. If it shows ``, you can ignore it as the job will run correctly. +14. Click **OK** to save and close the editor. +15. Finish the remaining wizard steps and run the job. +16. The job will now create accounts with unique CNs, appending a number if a duplicate is detected (for example, `John.Smith2`, `John.Smith3`). 
+ +> **IMPORTANT:** Test this process with non-production data before applying it to your production environment to avoid unintended changes. \ No newline at end of file diff --git a/docs/kb/activitymonitor/how_to_reapply_smartgroup_queries_and_identify_groups_with_disabled_users_in_bulk.md b/docs/kb/activitymonitor/how_to_reapply_smartgroup_queries_and_identify_groups_with_disabled_users_in_bulk.md new file mode 100644 index 0000000000..3600f5f4f2 --- /dev/null +++ b/docs/kb/activitymonitor/how_to_reapply_smartgroup_queries_and_identify_groups_with_disabled_users_in_bulk.md 
@@ -0,0 +1,255 @@ +--- +description: >- + This article explains how to reapply SmartGroup LDAP queries in bulk, back up SmartGroup criteria, and identify groups with disabled users in large Active Directory environments. +keywords: + - SmartGroup + - LDAP + - PowerShell + - Active Directory + - bulk update +sidebar_label: Reapply SmartGroup Queries +tags: [] +title: "How to Reapply SmartGroup Queries and Identify Groups With Disabled Users in Bulk" +knowledge_article_id: kA0Qk0000002o7BKAQ +products: + - activity-monitor +--- + +# How to Reapply SmartGroup Queries and Identify Groups With Disabled Users in Bulk + +## Related Queries + +- "How to reapply SmartGroup queries in bulk" +- "How to back up and bulk update SmartGroup LDAP criteria" +- "Find all SmartGroups with disabled users in a specific OU" + +## Overview + +This article describes how to reapply SmartGroup LDAP queries in bulk, back up SmartGroup criteria, and identify groups with disabled users in large Active Directory environments. The steps include exporting SmartGroup criteria, filtering groups by organizational unit (OU), and safely reapplying LDAP filters using PowerShell. These procedures are intended for support and consulting teams performing SmartGroup maintenance or troubleshooting at scale. + +## Instructions + +1. Use PowerShell to reapply SmartGroup criteria to a single group: + + ```powershell + Add-PSSnapin 'Imanami.Groups.Management.PowerShell.Admin10' + . 'C:\Program Files\Imanami\GroupID 10.0\GroupID.ps1' + + # Get a specific SmartGroup + $smartGroups = Get-SmartGroup -Identity "All-Marketing Team SR1" + + foreach ($sg in $smartGroups) { + # Reapply the same Criteria using Set-SmartGroup + Set-SmartGroup -Identity $sg.DistinguishedName -LdapFilter $sg.Criteria + Write-Host "Reapplied LDAP filter for SmartGroup: $($sg.Name)" + } + ``` + +2. Back up all SmartGroup LDAP criteria: + + ```powershell + Add-PSSnapin 'Imanami.Groups.Management.PowerShell.Admin10' + . 
'C:\Program Files\Imanami\GroupID 10.0\GroupID.ps1' + + # Get all SmartGroups + $smartGroups = Get-SmartGroup + + # Export Name, CN, and Criteria to CSV + $smartGroups | Select-Object Name, Cn, Criteria | + Export-Csv -Path "C:\Temp\SmartGroup_LdapBackup.csv" -NoTypeInformation -Encoding UTF8 + + Write-Host "`nSmartGroup LDAP criteria backup saved to C:\Temp\SmartGroup_LdapBackup.csv" + ``` + +3. Identify groups with disabled users using Directory Manager PowerShell: + + ```powershell + Add-PSSnapin 'Imanami.Groups.Management.PowerShell.Admin10' -ErrorAction SilentlyContinue + . 'C:\Program Files\Imanami\GroupID 10.0\GroupID.ps1' + + $groupsWithDisabledUsers = @() + $log = @() + + Write-Host "Fetching SmartGroups..." + $smartGroups = Get-SmartGroup -AttributesToLoad "Name", "Member" + $total = $smartGroups.Count + $counter = 0 + + foreach ($sg in $smartGroups) { + $counter++ + $groupName = $sg.Name + Write-Host "[$counter of $total] Processing group: $groupName" -ForegroundColor Cyan + + $startTime = Get-Date + $disabledUsers = @() + + foreach ($memberName in $sg.Member) { + $user = Get-ADUser -Filter { SamAccountName -eq $memberName } -Properties Enabled -ErrorAction SilentlyContinue + if ($user -and !$user.Enabled) { + $disabledUsers += $user + } + } + + if ($disabledUsers.Count -gt 0) { + $groupsWithDisabledUsers += [PSCustomObject]@{ + GroupName = $groupName + DisabledUsers = $disabledUsers.SamAccountName -join ", " + } + $log += "Group '$groupName' has $($disabledUsers.Count) disabled user(s)." + } + + $elapsed = (Get-Date) - $startTime + $log += "Processed group '$groupName' in $([math]::Round($elapsed.TotalSeconds, 2)) seconds." + } + + # Output results to table and log file + if ($groupsWithDisabledUsers.Count -gt 0) { + Write-Host "`nGroups with disabled users found:" -ForegroundColor Green + $groupsWithDisabledUsers | Format-Table -AutoSize + } else { + Write-Host "No groups with disabled users found." 
-ForegroundColor Yellow + } + + $logFile = "C:\Temp\GroupsWithDisabledUsers_Log.txt" + $log | Out-File -FilePath $logFile -Encoding UTF8 + Write-Host "`nProcessing log saved to $logFile" + ``` + +4. Identify groups with disabled users using AD PowerShell (faster for large environments): + + ```powershell + # Get all disabled users from Active Directory + $disabledUsers = Get-ADUser -Filter 'Enabled -eq $false' -Properties MemberOf + + if ($disabledUsers.Count -eq 0) { + Write-Host "No disabled users found." -ForegroundColor Yellow + return + } + + Write-Host "Found $($disabledUsers.Count) disabled users. Gathering groups..." + + $uniqueGroupDNs = New-Object System.Collections.Generic.HashSet[string] + + foreach ($user in $disabledUsers) { + if ($user.MemberOf) { + foreach ($groupDN in $user.MemberOf) { + $uniqueGroupDNs.Add($groupDN) | Out-Null + } + } + } + + Write-Host "Found $($uniqueGroupDNs.Count) unique groups with disabled members." + + # Extract group CN from DN for readability + $groupNames = $uniqueGroupDNs | ForEach-Object { + if ($_ -match '^CN=([^,]+),') { $matches[1] } else { $_ } + } + + # Filter group names to include only those with "GroupID" + $filteredGroupNames = $groupNames | Where-Object { $_ -match 'GroupID' } + + if ($filteredGroupNames.Count -eq 0) { + Write-Host "No groups with 'GroupID' found among disabled users' groups." -ForegroundColor Yellow + } else { + $filteredGroupNames = $filteredGroupNames | Sort-Object + + Write-Host "`nGroups with disabled members containing 'GroupID':" + $filteredGroupNames | ForEach-Object { Write-Host $_ } + + $groupsOutputFile = "C:\Temp\GroupsWithDisabledMembers_Filtered.txt" + $filteredGroupNames | Out-File -FilePath $groupsOutputFile -Encoding UTF8 + + Write-Host "`nFiltered groups list saved to $groupsOutputFile" + } + ``` + +5. 
(Optional) Filter groups by OU: + + ```powershell + $targetOU = "OU=GROUP-SYNC,OU=ai.com,DC=ai,DC=com".ToLower() + $disabledUsers = Get-ADUser -Filter 'Enabled -eq $false' -Properties MemberOf + + $uniqueGroupDNs = New-Object System.Collections.Generic.HashSet[string] + + foreach ($user in $disabledUsers) { + if ($user.MemberOf) { + foreach ($groupDN in $user.MemberOf) { + if ($groupDN.ToLower().EndsWith($targetOU)) { + $uniqueGroupDNs.Add($groupDN) | Out-Null + } + } + } + } + + $groupNames = $uniqueGroupDNs | ForEach-Object { + if ($_ -match '^CN=([^,]+),') { $matches[1] } else { $_ } + } | Sort-Object + + $outputFile = "C:\Temp\GroupsWithDisabledMembers_InTargetOU.txt" + $groupNames | Out-File -FilePath $outputFile -Encoding UTF8 + + Write-Host "`nGroups list saved to $outputFile" + ``` + +6. Review and reapply LDAP criteria for filtered groups: + + ```powershell + Add-PSSnapin 'Imanami.Groups.Management.PowerShell.Admin10' + . 'C:\Program Files\Imanami\GroupID 10.0\GroupID.ps1' + + # Import CSV with column named "groupname" + $groupEntries = Import-Csv -Path "C:\Temp\GroupsWithDisabledMembers_InTargetOU.txt" + + foreach ($entry in $groupEntries) { + $groupName = $entry.groupname + + # Get the SmartGroup object by name + $sg = Get-SmartGroup -Identity $groupName -ErrorAction SilentlyContinue + + if ($sg) { + Write-Host "Group Name: $($sg.Name)" + Write-Host "LDAP Criteria: $($sg.Criteria)" + Write-Host "--------------------------------------" + } + else { + Write-Host "SmartGroup not found: $groupName" -ForegroundColor Red + } + } + ``` + +7. Bulk reapply LDAP criteria to filtered groups: + + ```powershell + Add-PSSnapin 'Imanami.Groups.Management.PowerShell.Admin10' + . 
'C:\Program Files\Imanami\GroupID 10.0\GroupID.ps1' + + # Import CSV with column named "groupname" + $groupEntries = Import-Csv -Path "C:\Temp\GroupsWithDisabledMembers_InTargetOU.txt" + + foreach ($entry in $groupEntries) { + $groupName = $entry.groupname + + # Get the SmartGroup object by name + $sg = Get-SmartGroup -Identity $groupName -ErrorAction SilentlyContinue + + if ($sg) { + Set-SmartGroup -Identity $groupName -LdapFilter $sg.Criteria | Out-Null + Write-Host "Reapplied LDAP filter for SmartGroup: $groupName" + } + else { + Write-Host "SmartGroup not found: $groupName" -ForegroundColor Red + } + } + ``` + +> **IMPORTANT:** Always back up SmartGroup criteria before performing bulk updates. Test scripts on a small set of groups before running them in production. + +## Additional Information + +- For large environments, use native AD PowerShell for initial filtering, then use Directory Manager PowerShell for SmartGroup-specific actions. +- Review and edit exported files before committing changes. +- Scripts can be adapted for other filtering criteria as needed. + +## Related Articles + +- [Get-ADUser ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-aduser) \ No newline at end of file diff --git a/docs/kb/activitymonitor/how_to_set_up_an_offline_temporary_password.md b/docs/kb/activitymonitor/how_to_set_up_an_offline_temporary_password.md new file mode 100644 index 0000000000..171d084dba --- /dev/null +++ b/docs/kb/activitymonitor/how_to_set_up_an_offline_temporary_password.md 
@@ -0,0 +1,49 @@ +--- +description: >- + This article provides step-by-step instructions for setting up an Offline Temporary Password in environments where the User Remediation feature cannot be used. +keywords: + - Offline Temporary Password + - Endpoint Protector + - temporary access +sidebar_label: Set Up Offline Temporary Password +tags: [] +title: "How to Set Up an Offline Temporary Password" +knowledge_article_id: kA0Qk0000002BAvKAM +products: + - activity-monitor +--- + +# How to Set Up an Offline Temporary Password + +## Overview + +In environments where the **User Remediation** feature cannot be used, the **Offline Temporary Passwords** feature provides an alternative way to bypass a policy. + +Within the Endpoint Protector (EPP) Management Console, administrators can generate Offline Temporary Passwords (OTPs) to grant users temporary access rights. This feature is useful when only temporary access is required or when there is no network connection between protected computers and the Endpoint Protector Server (for example, when User Remediation is unavailable). + +## Instructions + +1. Log in to the EPP Management Console with an account that has permission to generate Offline Temporary Passwords. +2. Navigate to the **Device Control** module. +3. Choose one of the following options, depending on the entity for which you want to generate an OTP: + - For a specific device: + 1. Navigate to the **Computers** section. + 2. Locate the computer and select **Actions > Offline Temporary Password**. + 3. Enter the **Device Code** provided by the user or search for the device in the Endpoint Protector database. You can also enter the **Device Name**; the other field will auto-populate. + - For all devices or all file transfers for a computer and user: + 1. Go to the **Offline Temporary Passwords** section. + 2. Enter the **Computer Name** and/or **Username**. 
You can provide either field, but to restrict the OTP to a specific computer and user, fill in both fields. + 3. Select whether the OTP applies to all devices or all file transfers. +4. Select the desired **Time Interval** for the OTP. Choose from predefined durations (15 minutes, 30 minutes, 1 hour, 2 hours, 4 hours, 8 hours, 1 day, 2 days, 5 days, 14 days, 30 days) or set a custom start and end date/time. +5. Optional: Enter a justification for creating the OTP. This information is useful for auditing purposes. +6. Click **Generate** to create the Offline Temporary Password. +7. Provide the generated OTP to the user. You can send it by email or print it directly from the console. +8. Optional: To enable or restrict the **Universal Offline Temporary Password** feature: + - Navigate to **System Configuration > System Settings > Custom Settings**. + - Enable the Universal Offline Temporary Password option as needed. You can restrict visibility to Super Administrators only. +9. Optional: To edit the administrator contact information displayed to users: + - Go to **System Configuration > System Settings** and update the **Main Administrator Contact Details**. + +> **NOTE:** The OTP is unique to the specified device and computer and cannot be reused for other devices or computers. The OTP must be redeemed on the same day it is generated, unless you use the Universal Offline Temporary Password feature. For multinational environments, adjust the time interval for the OTP based on the time zone difference between the EPP Server and the endpoint. + +For more information, review the documentation: [Offline Temporary Password](/docs/endpointprotector/5.9.4.2/admin/offlinetemporarypassword/overview). \ No newline at end of file 
diff --git a/docs/kb/activitymonitor/images/ka04u000000HdDY_0EM4u0000084fAY.png b/docs/kb/activitymonitor/images/ka04u000000HdDY_0EM4u0000084fAY.png new file mode 100644 index 0000000000..bf28fdb074 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka04u000000HdDY_0EM4u0000084fAY.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaX4.png b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaX4.png new file mode 100644 index 0000000000..46575ce7f9 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaX4.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaX9.png b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaX9.png new file mode 100644 index 0000000000..9f5e04a6fc Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaX9.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXE.png b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXE.png new file mode 100644 index 0000000000..4d8ea14a17 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXE.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXJ.png b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXJ.png new file mode 100644 index 0000000000..65595fa85d Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXJ.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXO.png b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXO.png new file mode 100644 index 0000000000..c80fc430ee Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXO.png differ 
diff --git a/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXT.png b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXT.png new file mode 100644 index 0000000000..703b05c42c Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXT.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXY.png b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXY.png new file mode 100644 index 0000000000..9afcc50210 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EM4u000008LaXY.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EMQk000008pAWz.png b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EMQk000008pAWz.png new file mode 100644 index 0000000000..3a144e404c Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EMQk000008pAWz.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EMQk000008pAbp.png b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EMQk000008pAbp.png new file mode 100644 index 0000000000..27e3ba8bd7 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000B8wj_0EMQk000008pAbp.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000CnwD_0EMQk00000BF8bi.png b/docs/kb/activitymonitor/images/ka0Qk000000CnwD_0EMQk00000BF8bi.png new file mode 100644 index 0000000000..a97be38ce5 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000CnwD_0EMQk00000BF8bi.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl54M.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl54M.png new file mode 100644 index 0000000000..852e3efca2 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl54M.png differ 
diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl5Fe.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl5Fe.png new file mode 100644 index 0000000000..873f880814 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl5Fe.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl5HG.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl5HG.png new file mode 100644 index 0000000000..42e2c53e9c Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl5HG.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl5XQ.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl5XQ.png new file mode 100644 index 0000000000..2708e97696 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl5XQ.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl72w.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl72w.png new file mode 100644 index 0000000000..8bd32405db Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl72w.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl7UO.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl7UO.png new file mode 100644 index 0000000000..cb2d9dccca Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl7UO.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl7e3.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl7e3.png new file mode 100644 index 0000000000..c9522e4c2a Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl7e3.png differ 
diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl8rp.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl8rp.png new file mode 100644 index 0000000000..aa7aaea535 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl8rp.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl91V.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl91V.png new file mode 100644 index 0000000000..cb50d4c73b Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl91V.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl9MT.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl9MT.png new file mode 100644 index 0000000000..cb2d9dccca Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl9MT.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl9hR.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl9hR.png new file mode 100644 index 0000000000..5bf3273981 Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bl9hR.png differ diff --git a/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bm95v.png b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bm95v.png new file mode 100644 index 0000000000..cb50d4c73b Binary files /dev/null and b/docs/kb/activitymonitor/images/ka0Qk000000D6nZ_0EMQk00000Bm95v.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_07420143fdc8.png b/docs/kb/activitymonitor/images/servlet_image_07420143fdc8.png new file mode 100644 index 0000000000..6513c97890 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_07420143fdc8.png differ 
diff --git a/docs/kb/activitymonitor/images/servlet_image_0e5a156b562c.png b/docs/kb/activitymonitor/images/servlet_image_0e5a156b562c.png new file mode 100644 index 0000000000..0760b97523 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_0e5a156b562c.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_11b4f3368d5c.png b/docs/kb/activitymonitor/images/servlet_image_11b4f3368d5c.png new file mode 100644 index 0000000000..342e266cb4 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_11b4f3368d5c.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_1773855cdc8d.png b/docs/kb/activitymonitor/images/servlet_image_1773855cdc8d.png new file mode 100644 index 0000000000..d0bb022db1 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_1773855cdc8d.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_19807e63605b.png b/docs/kb/activitymonitor/images/servlet_image_19807e63605b.png new file mode 100644 index 0000000000..68af3f0a46 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_19807e63605b.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_22428c95d7b3.png b/docs/kb/activitymonitor/images/servlet_image_22428c95d7b3.png new file mode 100644 index 0000000000..f0a6eae31e Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_22428c95d7b3.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_2b47dbe887ad.png b/docs/kb/activitymonitor/images/servlet_image_2b47dbe887ad.png new file mode 100644 index 0000000000..c83a25cfc2 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_2b47dbe887ad.png differ 
diff --git a/docs/kb/activitymonitor/images/servlet_image_2c936cc3af52.png b/docs/kb/activitymonitor/images/servlet_image_2c936cc3af52.png new file mode 100644 index 0000000000..0f857e4852 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_2c936cc3af52.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_4096a3e75194.png b/docs/kb/activitymonitor/images/servlet_image_4096a3e75194.png new file mode 100644 index 0000000000..e193d287c2 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_4096a3e75194.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_4ca84d0f3bd4.png b/docs/kb/activitymonitor/images/servlet_image_4ca84d0f3bd4.png new file mode 100644 index 0000000000..48d7d02f63 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_4ca84d0f3bd4.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_5085710697d8.png b/docs/kb/activitymonitor/images/servlet_image_5085710697d8.png new file mode 100644 index 0000000000..9e7b1c32c1 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_5085710697d8.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_51407d87971c.png b/docs/kb/activitymonitor/images/servlet_image_51407d87971c.png new file mode 100644 index 0000000000..4279d26e8d Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_51407d87971c.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_5516dc91a692.png b/docs/kb/activitymonitor/images/servlet_image_5516dc91a692.png new file mode 100644 index 0000000000..d2d1b59199 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_5516dc91a692.png differ 
diff --git a/docs/kb/activitymonitor/images/servlet_image_586cee925a98.png b/docs/kb/activitymonitor/images/servlet_image_586cee925a98.png new file mode 100644 index 0000000000..fedb7fd6fa Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_586cee925a98.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_590daa2ead13.png b/docs/kb/activitymonitor/images/servlet_image_590daa2ead13.png new file mode 100644 index 0000000000..70cc7ad309 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_590daa2ead13.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_61debddfaf87.png b/docs/kb/activitymonitor/images/servlet_image_61debddfaf87.png new file mode 100644 index 0000000000..6544961ce3 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_61debddfaf87.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_62cb2d77bb75.png b/docs/kb/activitymonitor/images/servlet_image_62cb2d77bb75.png new file mode 100644 index 0000000000..90a8275d30 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_62cb2d77bb75.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_6774db6198b6.png b/docs/kb/activitymonitor/images/servlet_image_6774db6198b6.png new file mode 100644 index 0000000000..bbaa27a646 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_6774db6198b6.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_68f21544913c.png b/docs/kb/activitymonitor/images/servlet_image_68f21544913c.png new file mode 100644 index 0000000000..0c36359e6b Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_68f21544913c.png differ 
diff --git a/docs/kb/activitymonitor/images/servlet_image_6a3341c6a97a.png b/docs/kb/activitymonitor/images/servlet_image_6a3341c6a97a.png new file mode 100644 index 0000000000..450d6c3450 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_6a3341c6a97a.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_730b8cce535b.png b/docs/kb/activitymonitor/images/servlet_image_730b8cce535b.png new file mode 100644 index 0000000000..8d6213da51 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_730b8cce535b.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_761d2f787fb4.png b/docs/kb/activitymonitor/images/servlet_image_761d2f787fb4.png new file mode 100644 index 0000000000..f88f52060a Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_761d2f787fb4.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_8261932e8e81.png b/docs/kb/activitymonitor/images/servlet_image_8261932e8e81.png new file mode 100644 index 0000000000..45386f922c Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_8261932e8e81.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_996040ecbfe0.png b/docs/kb/activitymonitor/images/servlet_image_996040ecbfe0.png new file mode 100644 index 0000000000..c14e72d574 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_996040ecbfe0.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_99952a342a08.png b/docs/kb/activitymonitor/images/servlet_image_99952a342a08.png new file mode 100644 index 0000000000..b054e3351e Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_99952a342a08.png differ 
diff --git a/docs/kb/activitymonitor/images/servlet_image_a04e32646a9b.png b/docs/kb/activitymonitor/images/servlet_image_a04e32646a9b.png new file mode 100644 index 0000000000..064757c52a Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_a04e32646a9b.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_a42fc80dbf09.png b/docs/kb/activitymonitor/images/servlet_image_a42fc80dbf09.png new file mode 100644 index 0000000000..0881537977 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_a42fc80dbf09.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_a445105a92a3.png b/docs/kb/activitymonitor/images/servlet_image_a445105a92a3.png new file mode 100644 index 0000000000..a612684caf Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_a445105a92a3.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_a55f51b6c382.png b/docs/kb/activitymonitor/images/servlet_image_a55f51b6c382.png new file mode 100644 index 0000000000..751d5c2f7e Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_a55f51b6c382.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_a9d4a36aab05.png b/docs/kb/activitymonitor/images/servlet_image_a9d4a36aab05.png new file mode 100644 index 0000000000..976db0382a Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_a9d4a36aab05.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_b184f052a03b.png b/docs/kb/activitymonitor/images/servlet_image_b184f052a03b.png new file mode 100644 index 0000000000..6500c9f782 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_b184f052a03b.png differ 
diff --git a/docs/kb/activitymonitor/images/servlet_image_b4cc511f5745.png b/docs/kb/activitymonitor/images/servlet_image_b4cc511f5745.png new file mode 100644 index 0000000000..cf77a18dc6 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_b4cc511f5745.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_b62fd3354d8a.png b/docs/kb/activitymonitor/images/servlet_image_b62fd3354d8a.png new file mode 100644 index 0000000000..2154b72125 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_b62fd3354d8a.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_b8e8af049732.png b/docs/kb/activitymonitor/images/servlet_image_b8e8af049732.png new file mode 100644 index 0000000000..01dd3b51d5 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_b8e8af049732.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_c063b0ef4b7f.png b/docs/kb/activitymonitor/images/servlet_image_c063b0ef4b7f.png new file mode 100644 index 0000000000..82660a2115 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_c063b0ef4b7f.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_c18781dc37ee.png b/docs/kb/activitymonitor/images/servlet_image_c18781dc37ee.png new file mode 100644 index 0000000000..a3ba4b7ca3 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_c18781dc37ee.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_c547e60a2228.png b/docs/kb/activitymonitor/images/servlet_image_c547e60a2228.png new file mode 100644 index 0000000000..ae4bf04542 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_c547e60a2228.png differ 
diff --git a/docs/kb/activitymonitor/images/servlet_image_ca88af5d8db8.png b/docs/kb/activitymonitor/images/servlet_image_ca88af5d8db8.png new file mode 100644 index 0000000000..a1cb481e0c Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_ca88af5d8db8.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_d0e555d9fde1.png b/docs/kb/activitymonitor/images/servlet_image_d0e555d9fde1.png new file mode 100644 index 0000000000..fdf5ef7f47 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_d0e555d9fde1.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_d62b956ff5b7.png b/docs/kb/activitymonitor/images/servlet_image_d62b956ff5b7.png new file mode 100644 index 0000000000..5c1f9c415f Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_d62b956ff5b7.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_da0c28343998.png b/docs/kb/activitymonitor/images/servlet_image_da0c28343998.png new file mode 100644 index 0000000000..c870b6570e Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_da0c28343998.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_e566e333ee45.png b/docs/kb/activitymonitor/images/servlet_image_e566e333ee45.png new file mode 100644 index 0000000000..bdc2979cc4 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_e566e333ee45.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_e7fbcc9e2490.png b/docs/kb/activitymonitor/images/servlet_image_e7fbcc9e2490.png new file mode 100644 index 0000000000..c8653b0bad Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_e7fbcc9e2490.png differ 
diff --git a/docs/kb/activitymonitor/images/servlet_image_eb6ac1dac410.png b/docs/kb/activitymonitor/images/servlet_image_eb6ac1dac410.png new file mode 100644 index 0000000000..3f9e965bbf Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_eb6ac1dac410.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_ecf758bc861e.png b/docs/kb/activitymonitor/images/servlet_image_ecf758bc861e.png new file mode 100644 index 0000000000..78e157750c Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_ecf758bc861e.png differ diff --git a/docs/kb/activitymonitor/images/servlet_image_ed256235324f.png b/docs/kb/activitymonitor/images/servlet_image_ed256235324f.png new file mode 100644 index 0000000000..bab0bb9012 Binary files /dev/null and b/docs/kb/activitymonitor/images/servlet_image_ed256235324f.png differ diff --git a/docs/kb/activitymonitor/increase_communication_security_option.md b/docs/kb/activitymonitor/increase_communication_security_option.md new file mode 100644 index 0000000000..45d834a2c9 --- /dev/null +++ b/docs/kb/activitymonitor/increase_communication_security_option.md 
@@ -0,0 +1,40 @@ +--- +description: >- + This article explains how to use the Increase Communication Security option in Endpoint Protector, enabling certificate-based authentication for enhanced security. +keywords: + - Endpoint Protector + - communication security + - certificate authentication +sidebar_label: Increase Communication Security +tags: [] +title: "Increase Communication Security Option" +knowledge_article_id: kA0Qk0000002B4KKAU +products: + - activity-monitor +--- + +# Increase Communication Security Option + +## Overview + +This article explains how to use the **Increase Communication Security** option in **Endpoint Protector**. This feature allows you to register and verify the **Endpoint Protector Client** certificate signature, enabling certificate-based authentication for enhanced security. + +> **IMPORTANT:** The Client Registration Certificate feature is not available for Linux. + +## Details + +- When the custom certificate is **enabled**, **Endpoint Protector Server** validates the client certificate at registration. The client does not validate the server certificate. +- When the custom certificate is **disabled**, neither the server nor the client performs certificate validation at registration. +- For this feature to work, cryptographic identities signed by the root CA must be deployed on the endpoints. +- On **macOS**, add these identities to the **System Keychain** in the **My Certificates** section. +- On **Windows**, place them in the **Certificate Manager** under **Local Computer\Certificates\Personal**. + +## Instructions + +1. In the **Endpoint Protector** console, navigate to **Appliance > Server Maintenance**. +2. Turn on the **Enable custom certificate** setting then click **Browse...** to upload the certificate chain, Root CA, and Intermediate CA certificates. + ![Increase Communication Security option in Endpoint Protector](./images/servlet_image_51407d87971c.png) +3. 
Once uploaded, enable the **Test Certificate** setting and upload a certificate signed by the root CA for testing the signature. +4. Click **Save**. Allow two minutes for the certificate to be validated. A success message will appear when the custom certificate has been added and the test certificate is valid. + +> **IMPORTANT:** The client registration authentication certificate and the **Endpoint Protector** server certificate must be issued by the same Certificate Authority (CA). \ No newline at end of file diff --git a/docs/kb/activitymonitor/index.md b/docs/kb/activitymonitor/index.md new file mode 100644 index 0000000000..0aca334b2a --- /dev/null +++ b/docs/kb/activitymonitor/index.md 
@@ -0,0 +1,42 @@ +--- +title: "Troubleshooting Articles" +description: Browse Activity Monitor knowledge base articles by category" +--- + +# Activity Monitor Knowledge Base + +Welcome to the Activity Monitor knowledge base. Find solutions, troubleshooting guides, and configuration instructions organized by category. + +## Categories + +### [Agents & Services](./agents/) +Configure and troubleshoot Activity Monitor agents, including NAM agents, Active Directory agents, and service account management. + +### [Installation & Configuration](./installation/) +Setup guides, dependencies, system requirements, and initial configuration instructions. + +### [Platform Monitoring](./monitoring/) +Platform-specific monitoring guides for NetApp, Dell Isilon PowerScale, and other storage systems. + +### [Troubleshooting](./troubleshooting/) +Solutions for common errors, connectivity issues, and data collection problems. + +### [Hotfixes & Updates](./hotfixes/) +Latest hotfixes and updates for Activity Monitor version 6.0 and later. + +### [Integrations](./integrations/) +Integrate Activity Monitor with other Netwrix products and third-party systems. + +## Quick Links + +- [NAM Agent Configuration](./agents/nam-linux-agent-how-to-handle-locked-auditd-config) +- [SharePoint Online Setup](./installation/manually-setting-up-sharepoint-online-auditing) +- [NetApp Best Practices](./monitoring/netapp-fpolicy-deployments-best-practices-for-netwrix-activity-monitor) +- [Threat Manager Integration](./integrations/configuring-netwrix-activity-monitor-to-send-to-threat-manager) + +## Need Help? + +If you can't find what you're looking for: +1. Use the search function above +2. Check the main Activity Monitor documentation +3. Contact [Netwrix support](https://www.netwrix.com/support.html)slug: kb/activitymonitor diff --git a/docs/kb/activitymonitor/installation/_category_.json b/docs/kb/activitymonitor/installation/_category_.json new file mode 100644 index 0000000000..c962fec5ee 
--- /dev/null +++ b/docs/kb/activitymonitor/installation/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Installation & Configuration", + "position": 2, + "collapsed": true, + "collapsible": true +} \ No newline at end of file diff --git a/docs/kb/activitymonitor/installation/index.md b/docs/kb/activitymonitor/installation/index.md new file mode 100644 index 0000000000..b6e8d32874 --- /dev/null +++ b/docs/kb/activitymonitor/installation/index.md @@ -0,0 +1,36 @@ +--- +title: "Installation & Configuration" +description: Setup guides and configuration instructions for Activity Monitor" +--- + +# Installation & Configuration + +Essential setup guides, system requirements, and configuration instructions for Activity Monitor. + +## Articles in This Section + +- [.NET Dependencies for Netwrix Activity Monitor](./net-dependencies-for-netwrix-activity-monitor) +- [Manually Setting Up SharePoint Online Auditing](./manually-setting-up-sharepoint-online-auditing) +- [Netwrix Activity Monitor NAM 7.0 Paths](./netwrix-activity-monitor-nam-7-0-paths) +- [Recommended Performance Counters for SAM](./recommended-performance-counters-for-sam) +- [SFAM Log Locations](./sfam-log-locations) + +## Key Topics + +### System Requirements +- .NET Framework dependencies +- Performance counter recommendations + +### SharePoint Configuration +- Manual setup for SharePoint Online auditing +- Configuration best practices + +### File Paths & Logs +- NAM 7.0 installation paths +- SFAM log file locations + +## Related Documentation + +- Activity Monitor System Requirements +- Installation Guide +- Post-Installation Configuration \ No newline at end of file diff --git a/docs/kb/activitymonitor/installation/manually-setting-up-sharepoint-online-auditing.md b/docs/kb/activitymonitor/installation/manually-setting-up-sharepoint-online-auditing.md new file mode 100644 index 0000000000..506133142d --- /dev/null +++ b/docs/kb/activitymonitor/installation/manually-setting-up-sharepoint-online-auditing.md 
@@ -0,0 +1,165 @@ +--- +description: >- + Instructions to manually configure SharePoint Online auditing by creating an + Entra app and granting permissions, importing certificates, and configuring + Netwrix Access Analyzer and Netwrix Activity Monitor. +keywords: + - sharepoint + - sharepoint online + - auditing + - Entra + - Netwrix Access Analyzer + - Netwrix Activity Monitor + - app registration + - certificate + - SPAA + - SPAC +products: + - activity-monitor + - access-analyzer +sidebar_label: Manually Setting Up SharePoint Online Auditing +tags: [] +title: "Manually Setting Up SharePoint Online Auditing" +knowledge_article_id: kA0Qk0000001s6PKAQ +--- + +# Manually Setting Up SharePoint Online Auditing + +## Question + +How do I set up SharePoint Online auditing without using the `SP_RegisterAzureAppAuth` instant job? + +## Answer + +It is always recommended to use the `SP_RegisterAzureAppAuth` instant job to set up the Entra app for auditing. +However, the process can be completed manually if necessary, such as if MFA cannot be temporarily disabled for a Global Admin account. + +### SPAA/SPSEEK Scans + +1. Open the Microsoft Entra admin center: https://entra.microsoft.com/#home. +2. Navigate to **Identity > Applications > App registrations**. +3. Select **+ New registration**. + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl72w.png) +4. On the Register an application page, set the following: + - **Name:** Enter a meaningful name, such as `NetwrixAccessAnalyzer_SharePoint`. + - **Supported account types:** Choose **Accounts in this organizational directory only**. +5. From the Application Overview page, navigate to **Manage > API Permissions** and select **Add a permission**. + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bm95v.png) +6. 
From the Request API permissions page, select **Microsoft Graph** and add the following permissions: + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl5XQ.png) + + - Delegated Permissions: + - `Group.Read.All` – Read all groups + - `User.Read.All` – Read all users' full profiles + - Application Permissions: + - `Application.Read.All` – Read all applications + - `AuditLog.Read.All` – Read all audit log data + - `Directory.Read.All` – Read directory data + - `Files.Read.All` – Read files in all site collections +7. From the Request API permissions page, select **Office 365 Management APIs** and add the following permissions: + - `ActivityFeed.Read` – Read activity data for your organization + - `ActivityFeed.ReadDlp` – Read DLP policy events, including detected sensitive data + - `ServiceHealth.Read` – Read service health information for your organization +8. From the Request API permissions page, select **SharePoint** and add the following permissions: + - `Sites.FullControl.All` – Have full control of all site collections + - `Sites.Read.All` – Read items in all site collections + - `TermStore.Read.All` – Read managed metadata + - `User.Read.All` – Read user profiles +9. After adding the permissions, grant admin consent by selecting **Grant admin consent for \{TENANT NAME\}**. + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl7UO.png) +10. On the Netwrix Access Analyzer server, import a certificate and PFX file to the ` %SAInstallDir%PrivateAssemblies` location: + + - If necessary, create a self-signed certificate with the following PowerShell commands: + + ```powershell + $cert=New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName stealthbits.com -Subject "CN=StealthAUDIT SharePoint Auditor" -FriendlyName "StealthAUDIT SharePoint Auditor" -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddYears(11) + ``` + + - Change the DNS Name to match your domain. 
+ - Change the Subject and FriendlyName to match the App Registration name in Entra (formerly Azure). + + ```powershell + Export-Certificate -Cert $cert -FilePath "$($env:SAINSTALLDIR)PrivateAssemblies\spaa_cert_domain.cer" -Type CERT + ``` + + - Ensure the certificate name includes the domain (e.g., `spaa_cert_NWXSUPPORT.cer`). + + ```powershell + Export-PfxCertificate -Cert $cert -FilePath "$($env:SAINSTALLDIR)PrivateAssemblies\spaa_cert_domain.pfx" -Password (ConvertTo-SecureString -String "PasswordGoesHere" -Force -AsPlainText) + ``` + + - Ensure the PFX file name includes the domain (e.g., `spaa_cert_NWXSUPPORT.pfx`). + - Replace `PasswordGoesHere` with a secure password. + +11. Navigate back to the SharePoint App registrations page, and on the **Certificates & Secrets** page, click **↑ Upload certificate** to upload the `spaa_cert_domain.cert` file. + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl8rp.png) +12. Navigate to the **Overview** tab and copy the **Application (client) ID**. This will be used for the Access Analyzer connection profile. +13. In Netwrix Access Analyzer, navigate to **Global Options > Connection** and create a connection profile with the same name as the SharePoint app registration, using the following: + - **Account Type:** Azure Active Directory + - **Client ID:** Application (client) ID from SharePoint App Registration + - **Key:** CertLocation, CertPassword, NumericDesignator + - **Numeric Designator:** `0` is the default. Other options are: + - `1` for pre-production environments + - `2` for China + - `3` for Germany + - `4` for USGovernment + - Example: `C:\Program Files (x86)\STEALTHbits\StealthAUDIT\PrivateAssemblies\spaa_cert_domain.pfx,YourPasswordHere,0` +14. Create a host list with the SharePoint site, for example: `YourOrganization.SharePoint.com`. +15. Set the SharePoint job group to run against the SharePoint host list. +16. 
Set the SharePoint job group to use the new SharePoint Connection Profile, and SPAA/SPSEEK is now configured for auditing. + +### SPAC Scans + +The SPAC scan can utilize the same app registration as SPAA/SPSEEK. Follow steps 1–4 from the instructions above if an app has not already been created. + +1. From the Application Overview page, navigate to **Manage > API Permissions** and select **Add a permission**. + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl91V.png) +2. From the Request API permissions page, select **Microsoft Graph**. + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl5XQ.png) + Add the following Application Permissions: + - `Directory.Read.All` – Read directory data + - `Sites.Read.All` – Read items in all site collections + - `User.Read.All` – Read all users' full profiles +3. From the Request API permissions page, select **Office 365 Management APIs**. + Add the following Application Permissions: + - `ActivityFeed.Read` – Read activity data for your organization + - `ActivityFeed.ReadDlp` – Read DLP policy events, including detected sensitive data +4. After adding these permissions, grant admin consent by selecting **Grant admin consent for \{TENANT NAME\}**. + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl9MT.png) +5. Navigate to **Manage > Certificates & Secrets** and select **+ New client secret**. + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl5HG.png) +6. On the Add a client secret page, set the following: + - **Description:** Enter something meaningful, for example: `NAM SharePoint.` + - **Expires:** Set this to the longest option or per your organization's internal policy. +7. After creating the client secret, copy the **Secret Value** to a secure location. + + > **NOTE:** This value will obfuscate. Make sure you copy it immediately or you will need to create a new client secret. + > ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl5Fe.png) + +8. In Netwrix Activity Monitor, navigate to the **Monitored Hosts** tab and select **Add Host**. 
+ - **Choose Agent:** Specify the agent you would like to use for collecting SharePoint activity logs. + - **Add Host:** Select SharePoint Online and add the SharePoint site as the Domain Name, for example: `YourOrganization.SharePoint.com`. + - **Entra AD / Azure ID Connection:** + - **Domain:** Use the same domain name as before (if it does not auto-populate). + - **Azure Cloud:** Leave set to **Azure** unless it is a government organization. + - **Client ID:** Entra Application (client) ID from the manually created app. + - **Client Secret:** This is the **Secret Value** copied earlier. + - **Region:** Optional – leave blank if not applicable. + - **SharePoint Online Operations:** Select what SharePoint activity is to be collected (all options are selected by default). + - **Users to Exclude:** Add any users you do not want to collect SharePoint activity for. + - **Where to log the activity:** Select **Log File**. + - **File Output:** Select a log file path, set the retention period for activity logs, and ensure the box for **This log file is for Netwrix Access Analyzer** is checked. +9. After completing the above steps, you should see the SharePoint Online host added to the Monitored Hosts tab with green checkmarks, indicating successful connection and setup. +10. In Netwrix Access Analyzer, navigate to **SharePoint > 0.Collection > 3-SPAC_SystemScans > Configure > Queries > Query Properties > Configure**. + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl7e3.png) +11. On the **Activity Date Scope**, set how long to retain the SharePoint activity in the Access Analyzer database. +12. On the **Activity Log Locations**, select **Add** and configure the following: + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl9hR.png) + + - **Host name:** This should match the monitored host name in Activity Monitor, e.g., `YourOrganization.SharePoint.com`. 
+ - **Activity log UNC path:** This is the file output path in UNC format, e.g., `\AgentHost\C$\ProgramData\Netwrix\Activity Monitor\Agent\ActivityLogs`. + + - This value can be found by converting the file output path from the SharePoint monitored host in Activity Monitor to UNC format. + ![](../images/ka0Qk000000D6nZ_0EMQk00000Bl54M.png) + + - **Activity archive UNC path:** UNC Path of agent's archive (on the Agents tab), if applicable. diff --git a/docs/kb/activitymonitor/installation/recommended-performance-counters-for-sam.md b/docs/kb/activitymonitor/installation/recommended-performance-counters-for-sam.md new file mode 100644 index 0000000000..7424d50538 --- /dev/null +++ b/docs/kb/activitymonitor/installation/recommended-performance-counters-for-sam.md 
@@ -0,0 +1,320 @@ +--- +description: >- + Lists the recommended SAM Agent performance counters, shows system counters to + collect, and provides step-by-step instructions to register, collect, and + unregister SAM performance counters. +keywords: + - SAM + - performance counters + - Performance Monitor + - Get-Counter + - perfcounters + - SAM Agent + - performance monitoring +products: + - activity-monitor +sidebar_label: Recommended Performance Counters for SAM +tags: [] +title: "Recommended Performance Counters for SAM" +knowledge_article_id: kA04u0000000JymCAE +--- + +# Recommended Performance Counters for SAM + +SAM Agent comes with performance counters for some internal runtime data. These counters, along with several standard system-wide counters (memory and CPU usage, TCP disconnections, etc.), can help you diagnose performance issues. + +The following counters are provided by SAM. + +## SAM counters + +| Category | Recommended | Counter | Description | +| --- | ---: | --- | --- | +| Qumulo | | `Activity Monitor - Qumulo\Queue Size` | Number of events waiting in queue to be processed | +| NetApp | ✔ | `Activity Monitor - NetApp\Events Received` | Number of events received from NetApp | +| NetApp | ✔ | `Activity Monitor - NetApp\Events Received/sec` | Rate at which events are received from NetApp | +| NetApp | ✔ | `Activity Monitor - NetApp\Events Reported` | Number of events passed the filters and being reported to outputs | +| NetApp | ✔ | `Activity Monitor - NetApp\Events Reported/sec` | Rate at which events are reported to outputs | +| NetApp | ✔ | `Activity Monitor - NetApp\Session Negotiated` | Number of connections established with ONTAP cluster nodes | +| NetApp | ✔ | `Activity Monitor - NetApp\Active Connections` | Number of active connections with ONTAP cluster nodes | +| NetApp | | `Activity Monitor - NetApp\Outage Files` | Number of outage (resilience) files processed | +| VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Events Received` | Number 
of events received from CEE | +| VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Events Received/sec` | Rate at which events are received from CEE | +| VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Events Reported` | Number of events passed the filters and being reported to outputs | +| VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Events Reported/sec` | Rate at which events are reported to outputs | +| VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Queue Size` | Number of events received from CEE and waiting in queue to be processed | +| VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Receive Throttling` | Delay, in milliseconds, introduced to manage the queue | +| Outputs | ✔ | `Activity Monitor - Outputs\Events Reported` | Total number of events reported | +| Outputs | ✔ | `Activity Monitor - Outputs\Events Reported/sec` | Rate at which events are reported | +| Outputs | | `Activity Monitor - Outputs\Events Reported to Files` | Total number of events reported to log files | +| Outputs | | `Activity Monitor - Outputs\Events Reported to Syslog` | Total number of events reported to syslog servers | +| Outputs | | `Activity Monitor - Outputs\Events Reported to AMQP` | Total number of events reported to AMQP servers (not used currently) | +| Outputs | ✔ | `Activity Monitor - Outputs\Resolved SIDs` | Number of attempts, both successful and failed, to resolve SIDs to names | +| Outputs | ✔ | `Activity Monitor - Outputs\Resolved SIDs/sec` | Rate at which SIDs are resolved to names | +| Outputs | ✔ | `Activity Monitor - Outputs\Resolved SIDs Failures` | Number of failed attempts to resolve SIDs to names | +| Outputs | ✔ | `Activity Monitor - Outputs\Resolved SIDs Avg Time` | The moving average length of time, in microseconds, per a SID to name translation | +| Outputs | ✔ | `Activity Monitor - Outputs\Resolved SIDs Max Time` | The moving maximum length of time, in microseconds, per a SID to name translation | +| Outputs | | `Activity Monitor - 
Outputs\Translated UIDs` | Number of attempts, both successful and failed, to translate UIDs to SIDs | +| Outputs | | `Activity Monitor - Outputs\Translated UIDs/sec` | Rate at which UIDs are translated to SIDs | +| Outputs | | `Activity Monitor - Outputs\Translated UIDs Failures` | Number of failed attempts to translate UIDs to SIDs | +| Outputs | | `Activity Monitor - Outputs\Translated UIDs Avg Time` | The moving average length of time, in microseconds, per a UID to SID translation | +| Outputs | | `Activity Monitor - Outputs\Translated UIDs Max Time` | The moving maximum length of time, in microseconds, per a UID to SID translation | +| Outputs | ✔ | `Activity Monitor - Outputs\DNS Queries` | Number of DNS queries, both successful and failed | +| Outputs | ✔ | `Activity Monitor - Outputs\DNS Queries/sec` | Rate at which DNS queries are executed | +| Outputs | ✔ | `Activity Monitor - Outputs\DNS Queries Failures` | Number of failed DNS queries | +| Outputs | ✔ | `Activity Monitor - Outputs\DNS Queries Avg Time` | The moving average length of time, in microseconds, per a DNS query | +| Outputs | ✔ | `Activity Monitor - Outputs\DNS Queries Max Time` | The moving maximum length of time, in microseconds, per a DNS query | + +It makes sense to monitor DNS and Active Directory queries (`DNS Queries...` and `Resolved SIDs...` counters) as they typically contribute the most to the processing time. 
+ +In addition to the SAM counters, we recommend collecting the following system counters: + +## System counters to collect + +| Counter | Notes | +| --- | --- | +| `\Processor(_Total)\% Processor Time` | | +| `\Memory\Available MBytes` | | +| `\Paging File(_Total)\% Usage` | | +| `\TCPv4\Connections Reset` | | +| `\TCPv4\Segments Received/sec` | | +| `\TCPv4\Segments Retransmitted/Sec` | | +| `\TCPv6\Segments Received/sec` | | +| `\TCPv6\Segments Retransmitted/Sec` | | +| `\Network Interface(*)\Bytes Received/sec` | | +| `\Network Interface(*)\Bytes Sent/sec` | | +| `\Network Interface(*)\Output Queue Length` | | +| `\Network Interface(*)\Packets Received Discarded` | | +| `\Network Interface(*)\Packets Received Errors` | | +| `\Process(FPolicyServerSvc)\% Processor Time` | For NetApp monitoring | +| `\Process(FPolicyServerSvc)\Elapsed Time` | For NetApp monitoring | +| `\Process(FPolicyServerSvc)\Handle Count` | For NetApp monitoring | +| `\Process(FPolicyServerSvc)\Thread Count` | For NetApp monitoring | +| `\Process(FPolicyServerSvc)\Private Bytes` | For NetApp monitoring | +| `\Process(FPolicyServerSvc)\Working Set` | For NetApp monitoring | +| `\Process(CelerraServerSvc)\% Processor Time` | For VNX/Isilon/Unity monitoring | +| `\Process(CelerraServerSvc)\Elapsed Time` | For VNX/Isilon/Unity monitoring | +| `\Process(CelerraServerSvc)\Handle Count` | For VNX/Isilon/Unity monitoring | +| `\Process(CelerraServerSvc)\Thread Count` | For VNX/Isilon/Unity monitoring | +| `\Process(CelerraServerSvc)\Private Bytes` | For VNX/Isilon/Unity monitoring | +| `\Process(CelerraServerSvc)\Working Set` | For VNX/Isilon/Unity monitoring | +| `\Process(FSACLoggingSvc)\% Processor Time` | | +| `\Process(FSACLoggingSvc)\Elapsed Time` | | +| `\Process(FSACLoggingSvc)\Handle Count` | | +| `\Process(FSACLoggingSvc)\Thread Count` | | +| `\Process(FSACLoggingSvc)\Private Bytes` | | +| `\Process(FSACLoggingSvc)\Working Set` | | +| `\Process(HitachiService)\% Processor Time` | | +| 
`\Process(HitachiService)\Elapsed Time` | | +| `\Process(HitachiService)\Handle Count` | | +| `\Process(HitachiService)\Thread Count` | | +| `\Process(HitachiService)\Private Bytes` | | +| `\Process(HitachiService)\Working Set` | | +| `\Process(SBTService)\% Processor Time` | | +| `\Process(SBTService)\Elapsed Time` | | +| `\Process(SBTService)\Handle Count` | | +| `\Process(SBTService)\Thread Count` | | +| `\Process(SBTService)\Private Bytes` | | +| `\Process(SBTService)\Working Set` | | +| `\Process(MonitorService.exe)\% Processor Time` | | +| `\Process(MonitorService.exe)\Elapsed Time` | | +| `\Process(MonitorService.exe)\Handle Count` | | +| `\Process(MonitorService.exe)\Thread Count` | | +| `\Process(MonitorService.exe)\Private Bytes` | | +| `\Process(MonitorService.exe)\Working Set` | | + +## Prepare for performance monitoring + +The SAM performance counters are not registered by default. You need to register them manually. + +On each SAM Agent server: + +1. Run `cmd.exe` as Administrator. +2. Change the current directory to the agent installation folder (the default path shown here is a file path and must be preserved exactly): + + `cd C:\Program Files\Stealthbits\StealthAUDIT\FSAC` + +3. Register the performance counters manifest file: + + `lodctr /M:PerfCounters.man` + + Expected output: + + `Info: Successfully installed performance counters in C:\Program Files\Stealthbits\StealthAUDIT\FSAC\PerfCounters.man` + +4. Restart the services: + + ``` + sc stop SBFileMonAgentSvc + sc stop FPolicyServerSvc + sc stop CelerraServerSvc + sc stop SBTLoggingSvc + + sc start SBFileMonAgentSvc + sc start SBTLoggingSvc + ``` + +## Collect performance data + +The performance data can be observed or saved using any tool capable of collecting performance counters, for example, Performance Monitor. + +Below is a PowerShell script that collects the counters every second and stores them in `perfcounters_SERVERNAME_TIMESTAMP.csv` files. 
The expected file size per day is about 50MB. + +Run the script on each agent server using the following command: + +`powershell -file SAM.PerfCollect.ps1` + +To stop the script press Ctrl+C. + +Script (save it to `SAM.PerfCollect.ps1`): + +```powershell +$sampleInterval = 1 +$maxSamples = 0 +$outputFile = "perfcounters_$($env:COMPUTERNAME)_$(Get-Date -Format "yyyy_MM_dd_HH_mm_ss").csv" + +$counters = + @( + "\Processor(_Total)\% Processor Time" + ,"\Memory\Available MBytes" + ,"\Paging File(_Total)\% Usage" + ,"\TCPv4\Connections Reset" + ,"\TCPv4\Segments Received/sec" + ,"\TCPv4\Segments Retransmitted/Sec" + ,"\TCPv6\Connections Reset" + ,"\TCPv6\Segments Received/sec" + ,"\TCPv6\Segments Retransmitted/Sec" + ,"\Network Interface(*)\Bytes Received/sec" + ,"\Network Interface(*)\Bytes Sent/sec" + ,"\Network Interface(*)\Output Queue Length" + ,"\Network Interface(*)\Packets Received Discarded" + ,"\Network Interface(*)\Packets Received Errors" + + ,"\Activity Monitor - Qumulo\Queue Size" + + ,"\Activity Monitor - NetApp\Active Connections" + ,"\Activity Monitor - NetApp\Events Received" + ,"\Activity Monitor - NetApp\Events Received/sec" + ,"\Activity Monitor - NetApp\Events Reported" + ,"\Activity Monitor - NetApp\Events Reported/sec" + ,"\Activity Monitor - NetApp\Outage Files" + ,"\Activity Monitor - NetApp\Overloaded" + ,"\Activity Monitor - NetApp\Queue Size" + ,"\Activity Monitor - NetApp\Session Negotiated" + + ,"\Activity Monitor - EMC\Events Received" + ,"\Activity Monitor - EMC\Events Received/sec" + ,"\Activity Monitor - EMC\Events Reported" + ,"\Activity Monitor - EMC\Events Reported/sec" + ,"\Activity Monitor - EMC\HTTP Active Connections" + ,"\Activity Monitor - EMC\Queue Size" + ,"\Activity Monitor - EMC\Receive Throttling" + + ,"\Activity Monitor - Outputs\DNS Queries" + ,"\Activity Monitor - Outputs\DNS Queries Avg Time" + ,"\Activity Monitor - Outputs\DNS Queries Failures" + ,"\Activity Monitor - Outputs\DNS Queries Max Time" + ,"\Activity 
Monitor - Outputs\DNS Queries/sec" + ,"\Activity Monitor - Outputs\Events Reported" + ,"\Activity Monitor - Outputs\Events Reported to AMQP" + ,"\Activity Monitor - Outputs\Events Reported to Files" + ,"\Activity Monitor - Outputs\Events Reported to Syslog" + ,"\Activity Monitor - Outputs\Events Reported/sec" + ,"\Activity Monitor - Outputs\Resolved SIDs" + ,"\Activity Monitor - Outputs\Resolved SIDs Avg Time" + ,"\Activity Monitor - Outputs\Resolved SIDs Failures" + ,"\Activity Monitor - Outputs\Resolved SIDs Max Time" + ,"\Activity Monitor - Outputs\Resolved SIDs/sec" + ,"\Activity Monitor - Outputs\Translated UIDs" + ,"\Activity Monitor - Outputs\Translated UIDs Avg Time" + ,"\Activity Monitor - Outputs\Translated UIDs Failures" + ,"\Activity Monitor - Outputs\Translated UIDs Max Time" + ,"\Activity Monitor - Outputs\Translated UIDs/sec" + + ,"\Process(HitachiService)\% Processor Time" + ,"\Process(HitachiService)\Elapsed Time" + ,"\Process(HitachiService)\Handle Count" + ,"\Process(HitachiService)\Thread Count" + ,"\Process(HitachiService)\Private Bytes" + ,"\Process(HitachiService)\Working Set" + ,"\Process(FPolicyServerSvc)\% Processor Time" + ,"\Process(FPolicyServerSvc)\Elapsed Time" + ,"\Process(FPolicyServerSvc)\Handle Count" + ,"\Process(FPolicyServerSvc)\Thread Count" + ,"\Process(FPolicyServerSvc)\Private Bytes" + ,"\Process(FPolicyServerSvc)\Working Set" + ,"\Process(FSACLoggingSvc)\% Processor Time" + ,"\Process(FSACLoggingSvc)\Elapsed Time" + ,"\Process(FSACLoggingSvc)\Handle Count" + ,"\Process(FSACLoggingSvc)\Thread Count" + ,"\Process(FSACLoggingSvc)\Private Bytes" + ,"\Process(FSACLoggingSvc)\Working Set" + ,"\Process(CelerraServerSvc)\% Processor Time" + ,"\Process(CelerraServerSvc)\Elapsed Time" + ,"\Process(CelerraServerSvc)\Handle Count" + ,"\Process(CelerraServerSvc)\Thread Count" + ,"\Process(CelerraServerSvc)\Private Bytes" + ,"\Process(CelerraServerSvc)\Working Set" + ,"\Process(SBTService)\% Processor Time" + 
,"\Process(SBTService)\Elapsed Time" + ,"\Process(SBTService)\Handle Count" + ,"\Process(SBTService)\Thread Count" + ,"\Process(SBTService)\Private Bytes" + ,"\Process(SBTService)\Working Set" + ,"\Process(MonitorService.exe)\% Processor Time" + ,"\Process(MonitorService.exe)\Elapsed Time" + ,"\Process(MonitorService.exe)\Handle Count" + ,"\Process(MonitorService.exe)\Thread Count" + ,"\Process(MonitorService.exe)\Private Bytes" + ,"\Process(MonitorService.exe)\Working Set" + + ) + +$variables = @{ + SampleInterval = $sampleInterval + Counter = $counters +} + +if ($maxSamples -eq 0) { + $variables.Add("Continuous", 1)} +else { + $variables.Add("MaxSamples", "$maxSamples")} + +Write-Host "Collecting performance counters to $outputFile... Press Ctrl+C to stop." + +Get-Counter @variables | Export-Counter -FileFormat csv -Path $outputFile -Force +``` + +## Unregister performance counters + +When performance monitoring is not needed anymore, unregister the SAM performance counters. + +On each SAM Agent server: + +1. Run `cmd.exe` as Administrator. +2. Change the current directory to the agent installation folder: + + `cd C:\Program Files\Stealthbits\StealthAUDIT\FSAC` + +3. Unregister the performance counters manifest file: + + `unlodctr /M:PerfCounters.man` + + Expected output: + + `Info: Successfully uninstalled the performance counters from the counter definition XML file PerfCounters.man.` + +4. Restart the services: + + ``` + sc stop SBFileMonAgentSvc + sc stop FPolicyServerSvc + sc stop CelerraServerSvc + sc stop SBTLoggingSvc + + sc start SBFileMonAgentSvc + sc start SBTLoggingSvc + ``` + +Download the sample script: + +https://downloads.stealthbits.com/access/files/KB_Attachments/SAM.PerfCollect.ps1 diff --git a/docs/kb/activitymonitor/installation/sfam-log-locations.md b/docs/kb/activitymonitor/installation/sfam-log-locations.md new file mode 100644 index 0000000000..2d1005d237 --- /dev/null +++ b/docs/kb/activitymonitor/installation/sfam-log-locations.md 
@@ -0,0 +1,42 @@ +--- +description: >- + Lists the debug log file locations for Netwrix File Activity Monitor on the + console and agents, and explains how to collect logs and manage logging level. +keywords: + - SFAM + - log locations + - debug logs + - Netwrix File Activity Monitor + - agents + - console + - '%ALLUSERSPROFILE%' +products: + - activity-monitor +sidebar_label: SFAM Log Locations +tags: [] +title: "SFAM Log Locations" +knowledge_article_id: kA04u0000000IxYCAU +--- + +# SFAM Log Locations + +## Summary: +Netwrix File Activity Monitor Log Locations + +## Issue: + +## Instructions: +The debug log files are located in the following folders: +On the console: +`%ALLUSERSPROFILE%\STEALTHbits\File Monitoring\Logs` + +On the agents: +`%ProgramFiles%\STEALTHbits\StealthAUDIT\FSAC\*.log` + +SFAM 2.4+ has a function to copy logs from the agents to the console machine, on demand. After you use this function all logs from all SFAM components are in ` %ALLUSERSPROFILE%\STEALTHbits\File Monitoring\Logs` . + +There is a single switch to change the logging level. Whenever the level is changed in the UI, the change is propagated and applied immediately to all the agents. + +**Product:** Netwrix File Activity Monitor +**Module:** File Activity Monitor - EMC/Celerra;File Activity Monitor - NetApp;File Activity Monitor - Windows +**Legacy Article ID:** 1652 diff --git a/docs/kb/activitymonitor/integrations/_category_.json b/docs/kb/activitymonitor/integrations/_category_.json new file mode 100644 index 0000000000..e17157f376 --- /dev/null +++ b/docs/kb/activitymonitor/integrations/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Integrations", + "position": 6, + "collapsed": true, + "collapsible": true +} \ No newline at end of file 
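Review bot: In the performance counter article that ends just before `sfam-log-locations.md`, the last six counter paths use `\Process(MonitorService.exe)\...` while every other entry uses the bare process name (for example `\Process(SBTService)\...`). Process counter instances are named without the `.exe` extension, so these six paths will probably not resolve; drop the extension. In the "Unregister performance counters" steps, four services are stopped (`SBFileMonAgentSvc`, `FPolicyServerSvc`, `CelerraServerSvc`, `SBTLoggingSvc`) but only two are started again; either add the missing `sc start` lines or state that the agent service brings the other two back up.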
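Review bot: In `sfam-log-locations.md` the `## Issue:` heading has no body; fill it in or drop the heading. The headings carry trailing colons (`## Summary:`, `## Instructions:`) that the other articles in this patch do not use, the last `%ALLUSERSPROFILE%` code span has padding spaces inside its backticks, and the closing Product / Module / Legacy Article ID lines have no list markup or blank lines between them, so they will render as one paragraph. The description promises guidance on how to "manage logging level", but the body only says a single switch exists; name where that switch is in the UI.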
diff --git a/docs/kb/activitymonitor/integrations/configuring-netwrix-activity-monitor-to-send-to-threat-manager.md b/docs/kb/activitymonitor/integrations/configuring-netwrix-activity-monitor-to-send-to-threat-manager.md new file mode 100644 index 0000000000..1a3233372f --- /dev/null +++ b/docs/kb/activitymonitor/integrations/configuring-netwrix-activity-monitor-to-send-to-threat-manager.md 
@@ -0,0 +1,47 @@ +--- +description: >- + This article explains how to configure Netwrix Activity Monitor (SAM) to send + events to Netwrix Threat Manager using an App Token integration. +keywords: + - Netwrix Activity Monitor + - Netwrix Threat Manager + - App Token + - Integrations + - SAM + - Threat Prevention + - send events +products: + - activity-monitor + - threat-manager +sidebar_label: Configuring Netwrix Activity Monitor to Send to Th +tags: [] +title: "Configuring Netwrix Activity Monitor to Send to Threat Manager" +knowledge_article_id: kA04u0000000I5DCAU +--- + +# Configuring Netwrix Activity Monitor to Send to Threat Manager + +The Netwrix Activity Monitor (SAM) can be configured to send events to Netwrix Threat Manager (SD). If Netwrix Threat Prevention (SI) is configured to send events to Netwrix Activity Monitor (SAM), those events will be passed on to whatever applications SAM is configured to send events to. + +## To send events to Netwrix Threat Manager + +1. In Netwrix Threat Manager: + - Navigate to the **Integrations** page. + - Click the **Add New Integration** button. + - Set the **Type** field to **App Token**, enter a **Name**, and (optionally) a **Description**. + - Click the **Add** button. + - Expand the **App Tokens** node on the Integrations tree and select the App Token you just generated. + - Click the **Copy Token** button. + +2. In the Netwrix Activity Monitor: + - Go to the **Monitored Domains** tab, click **Add Output** and select the **Threat Manager** option. + - Set the value of the **Server** in `SERVER[:PORT]` format field to `[DEFENDHOST]:10001`, where `[DEFENDHOST]` is the hostname or IP address of the Netwrix Threat Manager host. + - Paste the **App Token** generated in Netwrix Threat Manager into the **App Token** field. + - Click the **OK** button. 
+ +## Article details + +- **Channel:** Customer-Facing / Public +- **Submitted by:** Michael Olig +- **Product:** Netwrix Activity Monitor, Netwrix Threat Manager +- **KB Type:** How To diff --git a/docs/kb/activitymonitor/integrations/index.md b/docs/kb/activitymonitor/integrations/index.md new file mode 100644 index 0000000000..3299540537 --- /dev/null +++ b/docs/kb/activitymonitor/integrations/index.md @@ -0,0 +1,39 @@ +--- +title: "Integrations" +description: Integrate Activity Monitor with other systems +--- + +# Integrations + +Connect Activity Monitor with other Netwrix products and third-party systems for enhanced monitoring and threat detection. + +## Articles in This Section + +- [Configuring Netwrix Activity Monitor to Send to Threat Manager](./configuring-netwrix-activity-monitor-to-send-to-threat-manager) + +## Integration Guides + +### Netwrix Threat Manager +- Configure Activity Monitor to send events to Threat Manager +- Enable real-time threat detection and response +- Correlate activity data with security incidents + +## Benefits of Integration + +- **Enhanced Security**: Combine activity monitoring with threat detection +- **Centralized Management**: View all security data in one place +- **Automated Response**: Trigger actions based on activity patterns +- **Compliance Reporting**: Unified reports across multiple systems + +## Coming Soon + +Additional integration guides for:" +- SIEM platforms +- Ticketing systems +- Cloud security services + +## Related Documentation + +- [Threat Manager Documentation](/docs/threatmanager/) +- API Reference +- Integration Best Practices \ No newline at end of file diff --git a/docs/kb/activitymonitor/join_or_leave_a_group_on_behalf_of_another_user.md b/docs/kb/activitymonitor/join_or_leave_a_group_on_behalf_of_another_user.md new file mode 100644 index 0000000000..34abb03d07 --- /dev/null +++ b/docs/kb/activitymonitor/join_or_leave_a_group_on_behalf_of_another_user.md 
@@ -0,0 +1,80 @@ +--- +description: >- + This article explains how to join or leave a group on behalf of another user in Netwrix Directory Manager, detailing the required permissions and step-by-step instructions for different scenarios. +keywords: + - Directory Manager + - group membership + - user permissions +sidebar_label: Join or Leave a Group +tags: [] +title: "Join or Leave a Group on Behalf of Another User" +knowledge_article_id: kA0Qk0000002OkbKAE +products: + - activity-monitor +--- + +# Join or Leave a Group on Behalf of Another User + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows managers and users to request to join or leave groups on behalf of other users. This feature streamlines group membership management, making it easier for managers to add their direct reports to relevant groups or for users to assist peers. Permissions for these actions are controlled by security roles in Directory Manager. + +## Instructions + +### Permissions Required for Join/Leave Requests + +| Feature | Description | Identity Store Permission | +|-------------------------------------|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------| +| Join/Leave on Behalf of Direct Reports | A manager can place a request to join or leave a group on behalf of users who report directly to them. | **Manage My Direct Reports** permission must be set to **Allow** for the security role of the requesting manager. | +| Join/Leave on Behalf of Peers | Users can place a request to join or leave a group on behalf of their peers (users who report to the same manager). | **Join/Leave on Behalf of Peer** permission must be set to **Allow** for the security role of the requesting user. 
| +| Join/Leave on Behalf of Any User | Any user can place a request to join or leave a group on behalf of any other user. | **Join/Leave on Behalf of Any User** permission must be set to **Allow** for the security role of the requesting user. | + +### Set Permissions for Join/Leave Requests + +1. In the Directory Manager Admin Center, click the identity store node. +2. Go to the properties of the required identity store. +3. On the **Security Roles** tab, select the relevant security role and click **Edit**. +4. On the **Permissions** tab, set the appropriate permission to **Allow**: + - **Manage My Direct Reports** for managers. + - **Join/Leave on Behalf of Peer** for peers. + - **Join/Leave on Behalf of Any User** for any user. + +![Permissions tab in Security Roles for Directory Manager](./images/servlet_image_b62fd3354d8a.png) + +![Join/Leave on Behalf of Peer permission in Directory Manager](./images/servlet_image_61debddfaf87.png) + +![Join/Leave on Behalf of Any User permission in Directory Manager](./images/servlet_image_b8e8af049732.png) + +### Request to Join or Leave a Group on Behalf of Direct Reports + +1. In the Directory Manager portal, search for the group (e.g., Fintech) and open its properties. +2. Click **Join**. A dialog box appears. +3. Click **Other** to place the request on behalf of a direct report. +4. Search for and select the desired direct report, then click **Join**. +5. An email notification is sent to both the group owner and the user. Once the request is approved, all parties are notified of the decision. + +![Join group on behalf of direct report in Directory Manager portal](./images/servlet_image_4096a3e75194.png) + +### Request to Join or Leave a Group on Behalf of Peers + +1. In the Directory Manager portal, search for the group and open its properties. +2. Click **Join**. A dialog box appears. +3. Click **Other**. +4. Search for and select the desired peer, then click **Join**. +5. 
An email notification is sent to both the group owner and the peer. Once the request is approved, all parties are notified of the decision. + +![Join group on behalf of peer in Directory Manager portal](./images/servlet_image_e7fbcc9e2490.png) + +### Request to Join or Leave a Group on Behalf of Any User + +1. In the Directory Manager portal, search for the group and open its properties. +2. Click **Join**. A dialog box appears. +3. Click **Other**. +4. Search for and select the desired user, then click **Join**. +5. An email notification is sent to both the group owner and the user. Once the request is approved, all parties are notified of the decision. + +![Join group on behalf of any user in Directory Manager portal](./images/servlet_image_ecf758bc861e.png) \ No newline at end of file diff --git a/docs/kb/activitymonitor/latency_with_netapp.md b/docs/kb/activitymonitor/latency_with_netapp.md new file mode 100644 index 0000000000..f82e590c7e --- /dev/null +++ b/docs/kb/activitymonitor/latency_with_netapp.md 
@@ -0,0 +1,49 @@ +--- +description: >- + This article addresses severe latency issues experienced with Netwrix Activity Monitor when auditing activity logs from a NetApp filer, providing troubleshooting steps and resolutions. +keywords: + - Netwrix Activity Monitor + - NetApp latency + - FPolicy configuration +products: + - activity-monitor +sidebar_label: Latency with NetApp +tags: [] +title: "Latency Issues with Netwrix Activity Monitor and NetApp" +knowledge_article_id: kA0Qk0000002ZsvKAE +--- + +# Latency Issues with Netwrix Activity Monitor and NetApp + +## Related Queries + +- "Netwrix Activity Monitor is causing severe latency with NetApp." +- "The collection is currently disabled with NetApp; the latency is impacting our end users." + +## Symptom + +When using **Netwrix Activity Monitor** to audit activity logs from a **NetApp** filer, severe latency was observed, impacting end users. The collection had to be disabled due to performance issues. + +## Cause + +The latency is linked to a performance bottleneck caused by the **FPolicy** configuration and excessive event volume. This can happen especially when using the **FPolicy Automatic Configuration** option, as the FPolicy automatically generated by **Activity Monitor** is not recommended for large production environments due to its broad scope. + +## Resolution + +1. Verify that the **Persistent Store** is properly configured by referring to [Configuring Persistent Store for ONTAP 9.15.1](/docs/activitymonitor/8.0/netappcmode/configurefpolicy). +2. Increase the **FPolicy Send-Buffer** size to the recommended value of `8388608` using the command: + + ```plaintext + vserver fpolicy policy external-engine modify -vserver -engine-name -send-buffer-size 8388608 + ``` + + If necessary, elevate privileges using the `set -privilege advanced` command. +3. Migrate significant workloads away from the **NetApp** appliance to test latency with the collector enabled. If latency persists, disable the collection. +4. 
Scope the **FPolicy** to target specific volumes and event types (e.g., disabling Read events) to reduce the load. +5. **Optional:** Use multiple **Activity Monitor** agents to distribute the workload and improve performance. + +> **IMPORTANT:** Automatic **FPolicy** configuration is not recommended for large production environments. Customize the **FPolicy** to target only the volumes and event types of interest. + +## Related Link + +- [Configuring Persistent Store for ONTAP 9.15.1](/docs/activitymonitor/8.0/netappcmode/configurefpolicy) \ No newline at end of file diff --git a/docs/kb/activitymonitor/monitoring/_category_.json b/docs/kb/activitymonitor/monitoring/_category_.json new file mode 100644 index 0000000000..56abd1811a --- /dev/null +++ b/docs/kb/activitymonitor/monitoring/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Platform Monitoring", + "position": 3, + "collapsed": true, + "collapsible": true +} \ No newline at end of file diff --git a/docs/kb/activitymonitor/monitoring/index.md b/docs/kb/activitymonitor/monitoring/index.md new file mode 100644 index 0000000000..ac2d17d5a9 --- /dev/null +++ b/docs/kb/activitymonitor/monitoring/index.md 
@@ -0,0 +1,38 @@ +--- +title: "Platform Monitoring" +description: Platform-specific monitoring guides for storage systems" +--- + +# Platform Monitoring + +Configuration and best practices for monitoring specific platforms including NetApp, Dell Isilon PowerScale, and other storage systems. + +## Articles in This Section + +- [Multiple FPolicy Agents for Single NetApp SVM](./multiple-fpolicy-agents-for-single-netapp-svm) +- [NetApp 7-Mode Activity Monitoring Not Working on Windows 2019](./netapp-7-mode-activity-monitoring-is-not-working-when-the-sam-agent-is-installed-on-windows-2019-mac) +- [NetApp FPolicy Deployments Best Practices](./netapp-fpolicy-deployments-best-practices-for-netwrix-activity-monitor) +- [Useful Dell Isilon PowerScale Activity Commands](./useful-dell-isilon-powerscale-activity-commands) + +## Platform Guides + +### NetApp Monitoring +- FPolicy configuration and best practices +- Multiple agent deployments for SVMs +- 7-Mode compatibility issues with Windows Server 2019 + +### Dell Isilon/PowerScale +- Useful commands for activity monitoring +- Configuration tips and tricks + +## Best Practices + +- Optimize FPolicy deployments for performance +- Configure multiple agents for high availability +- Platform-specific troubleshooting steps + +## Related Documentation + +- Supported Platforms +- NetApp Configuration Guide +- Storage System Monitoring \ No newline at end of file diff --git a/docs/kb/activitymonitor/monitoring/multiple-fpolicy-agents-for-single-netapp-svm.md b/docs/kb/activitymonitor/monitoring/multiple-fpolicy-agents-for-single-netapp-svm.md new file mode 100644 index 0000000000..f407e79e7f --- /dev/null +++ b/docs/kb/activitymonitor/monitoring/multiple-fpolicy-agents-for-single-netapp-svm.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Explains support and caveats for configuring multiple FPolicy servers with a + single NetApp SVM when monitored by Netwrix Activity Monitor (SAM). +keywords: + - NetApp + - FPolicy + - SVM + - SAM + - Netwrix Activity Monitor + - Smart Office Filtering + - FPolicy servers + - failover +products: + - activity-monitor +sidebar_label: Multiple FPolicy Agents for Single NetApp SVM +tags: [] +title: "Multiple FPolicy Agents for Single NetApp SVM" +knowledge_article_id: kA04u0000000ILZCA2 +--- + +# Multiple FPolicy Agents for Single NetApp SVM + +## Summary +Support for Multiple FPolicy Servers in SAM + +## Issue +NetApp supports multiple FPolicy servers, but there are some caveats. + +## Instructions +- Netwrix Activity Monitor (SAM) supports multiple primary servers out of the box (i.e., a single SVM can be monitored by several SAM Agents). +- If **Configure FPolicy** is enabled, each SAM Agent will add itself to the primary servers on start, and remove itself on shutdown. +- However, this configuration does not work well with our "Smart Office Filtering". Because events are distributed in round-robin fashion, an agent may not be able to detect a sequence of 15-25 expected events and replace them with a single user action, since it's not guaranteed that all events will go to the same FPolicy server. +- Secondary servers are supported, but not out of the box. Manual setup is required. Because secondary FPolicy Servers are only leveraged when something goes wrong with the primary, there are no expected issues for Smart Office Filtering, unless the failover to the secondary FPolicy server occurs while an Office change is happening. + +### Important Note +Netwrix Auditor does not support this configuration yet, but it's on the roadmap for 2021 as of the writing of this article (August 2020). + +## Product +Netwrix Activity Monitor (SAM) + +## Module +File Activity Monitor + +## Versions +3.0+ 
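Review bot: In `configuring-netwrix-activity-monitor-to-send-to-threat-manager.md`, step 2 reads "Set the value of the **Server** in `SERVER[:PORT]` format field to `[DEFENDHOST]:10001`", with the words out of order; suggest "Set the **Server** field (`SERVER[:PORT]` format) to ...". `sidebar_label` is cut off at "Send to Th". The abbreviations (SD) and (SI) and the `[DEFENDHOST]` placeholder are not explained anywhere on the page. The procedure has the reader copy an App Token out of one console and paste it into another, so a sentence on handling the token as a credential would fit after the **Copy Token** step.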
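Review bot: In `integrations/index.md` the line `Additional integration guides for:"` ends with a stray double quote. "API Reference" and "Integration Best Practices" under Related Documentation are plain text rather than links, and the Benefits list ("Automated Response", "Compliance Reporting") describes capabilities that the single linked article does not cover; link these to real pages or remove them.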
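Review bot: `join_or_leave_a_group_on_behalf_of_another_user.md` is added under `docs/kb/activitymonitor/` with `products: - activity-monitor`, but its "Applies To" section says Netwrix Directory Manager 11 and the text never mentions Activity Monitor; move it to the Directory Manager KB and correct the product tag. The three request procedures only walk through **Join**, so the Leave path promised in the title is undocumented. The permissions table would also benefit from a line on which security roles **Join/Leave on Behalf of Any User** is intended for, since it is the broadest of the three.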
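Review bot: In `latency_with_netapp.md`, the command in Resolution step 2 passes `-vserver` and `-engine-name` with no values (`... modify -vserver -engine-name -send-buffer-size 8388608`), so it cannot be run as written; add explicit placeholders for the SVM and engine names. The recommended value here is `8388608`, while `netapp-fpolicy-deployments-best-practices-for-netwrix-activity-monitor.md` in this same patch calls `7895160` the maximum; the two articles need to agree. The hint about `set -privilege advanced` appears after the command that may need it and should come first.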
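Review bot: In `monitoring/index.md` the front matter line `description: Platform-specific monitoring guides for storage systems"` ends with an unmatched double quote, which will appear literally in the rendered description. The three Related Documentation entries are plain text without links.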
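Review bot: The "Important Note" in `multiple-fpolicy-agents-for-single-netapp-svm.md` says the configuration is "on the roadmap for 2021 as of the writing of this article (August 2020)"; that is stale for a page being added now, so confirm the current support status and update or drop the sentence. The `## Summary` body ("Support for Multiple FPolicy Servers in SAM") is a title rather than a summary, and the secondary-server bullet says "Manual setup is required" without pointing to where that setup is described.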
diff --git a/docs/kb/activitymonitor/monitoring/netapp-7-mode-activity-monitoring-is-not-working-when-the-sam-agent-is-installed-on-windows-2019-mac.md b/docs/kb/activitymonitor/monitoring/netapp-7-mode-activity-monitoring-is-not-working-when-the-sam-agent-is-installed-on-windows-2019-mac.md new file mode 100644 index 0000000000..eed6c7291a --- /dev/null +++ b/docs/kb/activitymonitor/monitoring/netapp-7-mode-activity-monitoring-is-not-working-when-the-sam-agent-is-installed-on-windows-2019-mac.md 
@@ -0,0 +1,53 @@ +--- +description: >- + NetApp 7-mode activity monitoring can fail when the SAM agent runs on Windows + Server 2019 because SMB1 is disabled by default. Enable SMB2 on the NetApp or + (less recommended) re-enable SMB1 on the Windows 2019 host to restore + communication. +keywords: + - NetApp + - NetApp 7-mode + - SMB1 + - SMB2 + - Windows Server 2019 + - SAM agent + - Netwrix Activity Monitor + - certificate error + - TCP session +products: + - activity-monitor +sidebar_label: "NetApp 7-mode activity monitoring_is not working w" +tags: [] +title: "NetApp 7-mode activity monitoring_is not working w on Windows 2019 machine" +knowledge_article_id: kA04u0000000IK7CAM +--- + +# NetApp 7-mode activity monitoring is not working when the SAM agent is installed on Windows 2019 machine + +## Summary +**Summary:** NetApp 7-mode activity monitoring is not working when the SAM agent is installed on Windows 2019 machine + +## Issue +**Issue:** You are attempting to monitor NetApp in 7-mode via a Netwrix Activity Monitor agent running on a Windows 2019 machine. When trying to use the **Connect** button during configuration setup, you see messages about a being unable to open a TCP session or certificate error. Note that other issues can also cause the certificate error. Try with the **HTTP ignore certificate errors** option. Communication from the agent to the NetApp cannot be established, so scanning is not possible. + +## Instructions +NetApp 7-mode by default requires the SMB1 protocol. Windows 2019 by default disables SMB1 protocol. The preferred method to resolve this issue is to enable SMB2 communication on the NetApp device by using the following setting in the NetApp configuration: + +`options cifs.smb2.client.enable on` + +This method is the most secure. + +Alternative (less secure): +1. Enable SMB1 on the Windows 2019 machine. +2. Restart the SAM agent. + +> Note: Enabling SMB1 on Windows 2019 is less secure and is not the preferred option. 
+ +## Metadata +- **Submitted by:** Robert Parsons +- **Product:** SAM & NetApp +- **Affected Versions:** SAM v4.1 & NetApp in 7-mode [possibly other combinations too] +- **Affected Module:** Communication between SAM and NetApp +- **Dev Ticket:** 38299 +- **Resolved In Version:** N/A for Netwrix, requires settings change on Win2019 box or NetApp device +- **KB Type:** Known Issue diff --git a/docs/kb/activitymonitor/monitoring/netapp-fpolicy-deployments-best-practices-for-netwrix-activity-monitor.md b/docs/kb/activitymonitor/monitoring/netapp-fpolicy-deployments-best-practices-for-netwrix-activity-monitor.md new file mode 100644 index 0000000000..c1095d2c6b --- /dev/null +++ b/docs/kb/activitymonitor/monitoring/netapp-fpolicy-deployments-best-practices-for-netwrix-activity-monitor.md 
@@ -0,0 +1,101 @@ +--- +description: >- + Best practices for deploying NetApp FPolicy with Netwrix Activity Monitor, + including Netwrix and NetApp recommendations, configuration tips, and relevant + ONTAP commands for send-buffer-size and request abort timeout. +keywords: + - Netwrix Activity Monitor + - NetApp FPolicy + - ONTAP + - send-buffer-size + - reqs-abort-timeout + - LIF + - SVM + - FlexCache +products: + - activity-monitor +sidebar_label: Netapp Fpolicy Deployments Best Practices for Netw +tags: [] +title: "Netapp Fpolicy Deployments Best Practices for Netwrix Activity Monitor" +knowledge_article_id: kA04u000000LLQXCA4 +--- + +# Netapp Fpolicy Deployments Best Practices for Netwrix Activity Monitor + +## Netwrix Specific Recommendations + +- **Netwrix Specific Recommendations** + + - Per Netwrix guidelines, ensure Netwrix version is up to date including the enhancements for this hotifx SAM_6.0_029. + https://files.mtstatic.com/site_13085/102679/0?Expires=1669664946&Signature=laWSub3qi2IDdz7MRLdrypEzNqzhyuiriw6yFnRZgDfzd-2-Qo6BJkPGdxDHQ7OaJll2SW45nvIRg~bBizGLguhZlMFrPQshSClty2JUosV3dM0RMLwteWtx5AXJnKprSN8xEIbCyHjeUjCzcwxOv0mfMkBV0oV23mWuF5IR5ZI_&Key-Pair-Id=APKAJ5Y6AV4GI7A555NA + + - The new version will handle burst of activity events better, optimized for improved processing of events and other enhancements. + +## Other Netwrix specific Best Practices + +- Consider using multiple primary servers for scale out and fault tolerance purposes. +- Use low-latency links between ONTAP and Activity Monitor Agent. For example, Activity Monitor Agents should be located in the same datacenter as the monitored NetApp appliances. +- Reduce the monitoring scope (what operations, shares, volumes are being monitored). It is not recommended to monitor Directory Read operations on loaded servers. +- Ensure that each ONTAP cluster node has a LIF per SVM to connect to Agents. 
+ +## NetApp Specific Recommendations + +- Upgrade to the appropriate versions of ONTAP that have fixes for known Fpolicy related issues (1438207 - FPolicy might stop sending screen requests to the external engine if it enters a throttling state) + https://mysupport.netapp.com/site/bugs-online/product/ONTAP/BURT/1438207 + +- For Netwrix External Engines, set `send-buffer-size` to `7895160` (Netwrix best practice is to set to maximum value: "The FPolicy Send-Buffer size is set to 7895160")" + + Use the following command: + + ```bash + vserver fpolicy policy external-engine modify -vserver -engine-name send-buffer-size 7895160 + ``` + +- For more information on how to set send-buffer size: + + - How to calculate send buffer for ONTAP 9 FPolicy + https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_calculate_send_buffer_for_ONTAP_9_FPolicy + + - Write EAGAIN errors found in EMS and Fpolicy.log + https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Write_EAGAIN_errors_found_in_EMS_and_Fpolicy.log + +- To lessen the potential impact of latency, with Netwrix guidance, set abort timeout lower, for example: `10s`. + + If there is a large amount of latency between the Agent and the SVM, it can cause a delay in the TCP acknowledgements, and potential impact to latency in very rare occasions. To decrease end-user latency in cases where there are connection issues or CPU starvation on the Agent, it is recommended to lower the "Timeout for Aborting a Request" from 40 to 10 seconds. 
+ + Use the following command: + + ```bash + vserver fpolicy policy external-engine modify -vserver -reqs-abort-timeout 10s + ``` + + Please refer to the following documentation: Vserver fpolicy policy external-engine commands - vserver fpolicy policy external-engine show + https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-910%2Fvserver__fpolicy__policy__external-engine__show.html + +## General Recommendations + +Review the following sections of the Technical Report. FPolicy Solution Guide for ONTAP: +https://www.netapp.com/pdf.html?item=/media/17001-tr4696pdf.pdf + +- Managing FPolicy Workflow and Dependency on Other Technologies (7.5) + +NetApp recommends disabling an FPolicy policy before making any configuration changes. For example, if you want to add or modify an IP address in the external engine configured for the enabled policy, then first disable the policy. + +If you configure FPolicy to monitor NetApp FlexCache® volumes, NetApp recommends that you do not configure FPolicy to monitor read and getattr file operations. Monitoring these operations in ONTAP requires the retrieval of inode-to-path (I2P) data. Because I2P data cannot be retrieved from FlexCache volumes, it must be retrieved from the origin volume. Therefore, monitoring these operations eliminates the performance benefits that FlexCache can provide. + +When both FPolicy and an off-box antivirus (AV) solution are deployed, the AV solution receives notifications first. FPolicy processing starts only after AV scanning is complete. A slow AV scanner could affect overall performance, so AV solutions must be sized properly. + +When defining the scope, add all the shares you want to monitor or audit into the share/include list. Turn off monitoring on the file server if you do not want to monitor the shares. 
Disabling FPolicy on the SVM is not helpful because the Netwrix Activity Monitor activity agent periodically checks on the file server and automatically disables or enables FPolicy if it notices a disconnection (if the Enable and connect FPolicy option was selected). + +- Sizing Considerations (7.6) + +FPolicy performs inline monitoring of CIFS operations, sends notifications to the external server, and waits for a response, depending on the mode of external engine communication (synchronous or asynchronous). This process affects the performance of CIFS access and CPU resources. To mitigate any issues, NetApp recommends assessing and sizing the environment before enabling FPolicy. + +Performance is affected by the number of users, workload characteristics such as operations per user, data size, and network latency. + +- Netwrix File Activity Monitor Best Practices (8) + +The following best practices are recommended when using the Netwrix File Activity Monitor with a NetApp file server: +- Restrain the FPolicy configuration to specific volumes, shares, and operations to decrease the impact on the SVM. +- Consider deploying multiple Netwrix Activity Monitor activity agents for load balancing and fault tolerance. +- Use the Enable and Connect FPolicy option to keep the SVM connected and consistently sending events to the Netwrix Activity Monitor activity agents. diff --git a/docs/kb/activitymonitor/monitoring/useful-dell-isilon-powerscale-activity-commands.md b/docs/kb/activitymonitor/monitoring/useful-dell-isilon-powerscale-activity-commands.md new file mode 100644 index 0000000000..b7c5610f94 --- /dev/null +++ b/docs/kb/activitymonitor/monitoring/useful-dell-isilon-powerscale-activity-commands.md 
@@ -0,0 +1,96 @@ +--- +description: >- + Reference of useful Dell Isilon / PowerScale OneFS audit commands to + troubleshoot activity sync issues and inspect audit-forwarding state when + using Netwrix Activity Monitor. +keywords: + - Dell Isilon + - PowerScale + - OneFS + - audit + - activity + - CEE + - syslog + - Netwrix Activity Monitor + - audit logs +products: + - activity-monitor +sidebar_label: Useful Dell Isilon / PowerScale Activity commands +tags: [] +title: "Useful Dell Isilon / PowerScale Activity commands" +knowledge_article_id: kA04u0000000IgTCAU +--- + +# Useful Dell Isilon / PowerScale Activity commands + +## Summary +Useful Dell Isilon / PowerScale Activity commands when troubleshooting activity sync issues. + +## Issue +When investigating why events are not up to date in the Netwrix Activity Monitor console/Logs, it is beneficial to view from an SSH session to the Isilon / PowerScale what the current state of audit logs is. Starting with OneFS 8.0.1, Dell introduced several commands that assist in viewing the audit log process. A few of these commands are listed below with explanations on usage. + +## Instructions + +### AUDIT LOG PROGRESS +To check the last captured audit event and the event time of the last event to be sent to the CEE server, run the `isi audit progress view` command to view the forwarder log position of the CEE server. The command shows the times for the node the command is run on. + +A sample output of the `isi audit progress view` is shown: + +``` +Protocol Audit Log Time: Tue Mar 29 13:32:38 2016 +Protocol Audit Cee Time: Tue Mar 29 13:32:38 2016 +Protocol Audit Syslog Time: Fri Mar 25 17:00:28 2016 +``` + +The output for Audit Log Time and Audit Cee Time are the ones we are interested in and should match or at least be close to matching. + +You can use `isi_for_array` to gather the time for all nodes in the cluster. 
+Example command: +``` +isi_for_array isi audit progress view +``` + +Additionally you can target particular nodes by using `--Inn`. Example command: +``` +isi audit progress view --Inn=2 +``` +this will display the stats for logical node 2. + +In 8.0.1 a new command was introduced to get a global view of the oldest **Unsent** protocol audit event for the cluster. Command: +``` +isi audit progress global view +``` +If the Oldest Audit Cee time is months behind the Audit Log this shows the oldest log STILL to be sent to the CEE. + +Sample output: + +``` +Protocol Audit Latest Log Time: Fri Sep 2 10:06:36 2016 +Protocol Audit Oldest Cee Time: Fri Sep 2 10:02:28 2016 +Protocol Audit Oldest Syslog Time: Fri Sep 2 10:02:28 2016 +``` + +### AUDIT LOG TIME ADJUSTMENT +In a scenario where auditing on the cluster has been configured and enabled prior to setting up CEE and/or Syslog, the cluster will attempt to forward all events from the time auditing was configured. + +OneFS provides a configuration setting to manually update the time to begin forwarding events from. By setting the `--cee-log-time`, you can advance the point of time from where to start to forward. + +Example: The following will update the pointer to forward events after Nov 19, 2023 at 2pm + +``` +isi audit settings global modify --cee-log-time "Protocol@2023-11-19 14:00:00" +``` + +The ability to "check point or book mark" a date in time is especially useful when seeing a very large backlog of events. + +Note: doubled hyphens (`--`) used in the commands above are required. + +## Further reading +https://www.dellemc.com/resources/en-us/asset/white-papers/products/storage/h12428-wp-best-practice-guide-isilon-file-system-auditing.pdf + +## Product +**Netwrix Activity Monitor** + +**Module:** Activity Monitor - Isilon/PowerScale +**Versions:** OneFS 8.0.1+ +**Legacy Article ID:** 2432 
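Review bot: The front matter of the NetApp 7-mode article has a garbled `title` ("NetApp 7-mode activity monitoring_is not working w on Windows 2019 machine") and `sidebar_label` ("... monitoring_is not working w"); use the H1 text instead. The Summary and Issue bodies repeat their own labels (`**Summary:**`, `**Issue:**`), and "messages about a being unable to open a TCP session" has a stray "a". The Issue paragraph suggests trying the **HTTP ignore certificate errors** option but does not say to switch it off again once the test is done; add that next to the existing note that enabling SMB1 is the less secure route.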
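Review bot: Both ONTAP commands in `netapp-fpolicy-deployments-best-practices-for-netwrix-activity-monitor.md` are incomplete: the first writes `send-buffer-size` without its leading hyphen and gives no values for `-vserver` and `-engine-name`, and the second passes `-vserver` with no value and omits `-engine-name` altogether. The hotfix link is a signed URL (`?Expires=1669664946&Signature=...&Key-Pair-Id=...`) that is time-limited by design and should not be committed to docs; replace it with a permanent download location. Smaller items: "hotifx" is a typo, there is a stray `"` after `7895160")`, and the first bullet repeats the heading "Netwrix Specific Recommendations".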
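Review bot: In `useful-dell-isilon-powerscale-activity-commands.md` the node option is written `--Inn` (capital I) in both the prose and the example `isi audit progress view --Inn=2`, yet the next sentence says it selects "logical node 2", so this looks like `--lnn` (lower-case L) mistyped; please check against the OneFS CLI and fix both places. In the "AUDIT LOG TIME ADJUSTMENT" section, advancing `--cee-log-time` means events older than that timestamp are never forwarded to CEE; for an auditing product that gap deserves an explicit sentence so operators record what was skipped. The line "this will display the stats for logical node 2." starts lower-case directly after a code fence.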
diff --git a/docs/kb/activitymonitor/monitoring_microsoft_sql_-_log_tracker_vs._change_tracker.md b/docs/kb/activitymonitor/monitoring_microsoft_sql_-_log_tracker_vs._change_tracker.md new file mode 100644 index 0000000000..42f2978089 --- /dev/null +++ b/docs/kb/activitymonitor/monitoring_microsoft_sql_-_log_tracker_vs._change_tracker.md 
@@ -0,0 +1,69 @@ +--- +description: >- + This article explains how to monitor Microsoft SQL Servers using Netwrix Log Tracker and Change Tracker, detailing their functionalities and compliance checks. +keywords: + - Microsoft SQL Server + - Netwrix Log Tracker + - Netwrix Change Tracker +sidebar_label: Monitoring SQL Servers +tags: [] +title: "Monitoring Microsoft SQL - Log Tracker vs. Change Tracker" +knowledge_article_id: kA04u0000000JWACA2 +products: + - activity-monitor +--- + +# Monitoring Microsoft SQL - Log Tracker vs. Change Tracker + +## Overview + +Do you want to monitor Microsoft SQL Servers? Are you not quite sure how Netwrix can help you achieve that? - GREAT! All the information you need is displayed below. + +Using **Netwrix Log Tracker** will enable you to keep track of and report on SQL database audit events such as successful or failed logins, user account changes, or schemas being created, just to name a few. All of these SQL audit events can either be written to the normal Windows event logs, which a Netwrix Log Tracker agent monitors and forwards through events to the Log Tracker server as they are seen. If the SQL audit events were written to a custom log file stored elsewhere, we can configure the Netwrix Log Tracker agent to tail the log file and forward through syslog events whenever new entries are seen within the file. + +Once the events are on the Log Tracker server, we can configure correlation threads to group together different types of events depending on their contents. Once grouped together, you can configure alerts and ticketing for when different scenarios occur – one example may be that a ticket is created and emailed to a member of staff when a certain number of failed SQL login attempts are made within a short period, which may signify a brute force attack. 
+ +Once the SQL audit events are on the Netwrix Log Tracker server, you can also run queries looking for specific events, from specific dates or users, and then create reports using the results, which can be saved in .PDF/.CSV/.TXT/.HTML formats. + +Just so you are aware, different versions of SQL offer different levels of auditing. Below is a table that shows what auditing is available in each version and how the server and database auditing differs. + +| **Edition** | **SQL Server 2008 and 2008 R2** | **SQL Server 2012 and 2014** | +|-----------------------------------|----------------------------------|-------------------------------| +| **Enterprise** | Server- and database-level | Server- and database-level | +| **Evaluation** | Server- and database-level | Server- and database-level | +| **Developer** | Server- and database-level | Server- and database-level | +| **Datacentre** | Server- and database-level | N/A | +| **Business Intelligence** | None | Server-level | +| **Standard** | None | Server-level | +| **Web** | None | Server-level | +| **Express** | None | Server-level | + +- **Server-level auditing** consists of server-level audit action groups, which include server operations, such as security operations involving logins, roles and permissions, logon and logoff operations, database backup and restore, manipulation of certain database, server, and schema objects. + +- **Database-level auditing** is auditing at the database scope, and it is set on each database individually. This feature is not available in all editions of SQL Server, only in Enterprise editions. Database-level auditing utilizes database-level audit action groups and database-level audit actions. + - The *database-level audit action groups* cover some similar areas as the server-level audit groups, if applicable, but at the database level. 
+ - Additionally, database-level auditing also enables auditing certain individual actions, such as `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `EXECUTE`, `RECEIVE`, and `REFERENCES`. These database-level audit actions can be restricted to a specific database, an object (such as table, view, stored procedure), or a schema. + +Using **Netwrix Change Tracker** will enable you to check the integrity of a database stored on an SQL server in line with the CIS standard. This is achieved using our SQL compliance reports, which enable us to run specific queries against the database to see if it is configured in a way that the CIS deems ‘secure’. Below is a list of different rules/checks that we make against the database to check its integrity: + +--- + +**Rule 1** - Revoke Execute on `xp_regwrite` to PUBLIC +**Description:** Writes key values to the server's registry. +**Rationale:** Ensuring this procedure is disabled will prevent a SQL Server user from writing to the Windows registry via SQL Server. + +--- + +**Rule 2** - Set the `CHECK_POLICY` Option to ON for All SQL Authenticated Logins +**Description:** Applies the same password complexity policy used in Windows to passwords used inside SQL Server. +**Rationale:** Ensuring SQL logins comply with the secure password policy applied by the Windows Server Benchmark will ensure SQL logins are not blank and cannot be easily compromised via brute force attack. + +--- + +**Rule 3** - Revoke CONNECT permissions on the `guest user` within all SQL Server databases excluding the master, msdb, and tempdb +**Description:** Removes the right of guest users to connect to SQL Server user databases. +**Rationale:** A login assumes the identity of the guest user when a login has access to SQL Server but does not have access to a database through its own account and the database has a guest user account. 
Revoking the connect permission for the guest user will ensure that a login is not able to access database information without explicit access to do so. + +--- + +As you can see from above, the use of a compliance report within Change Tracker will not enable you to keep track of audit logs and report when changes are made to a database. We are simply making checks on the database and configuring it in a way that is secure. Using CIS standards will ensure that inside/outside attackers will not be able to exploit well-known vulnerabilities within SQL, which they could use to access a database and from there either create, edit, or delete data. \ No newline at end of file diff --git a/docs/kb/activitymonitor/multiple_licenses_assigned_to_the_same_computer.md b/docs/kb/activitymonitor/multiple_licenses_assigned_to_the_same_computer.md new file mode 100644 index 0000000000..01e0f031ce --- /dev/null +++ b/docs/kb/activitymonitor/multiple_licenses_assigned_to_the_same_computer.md 
@@ -0,0 +1,35 @@ +--- +description: >- + This article provides guidance on resolving issues when multiple licenses are assigned to the same computer by reviewing license assignments and enabling the appropriate system settings. +keywords: + - license management + - virtual desktop clones + - Endpoint Protector +sidebar_label: Multiple Licenses on Computer +tags: [] +title: "Multiple Licenses Assigned to the Same Computer" +knowledge_article_id: kA0Qk0000002B2fKAE +products: + - activity-monitor +--- + +# Multiple Licenses Assigned to the Same Computer + +## Question + +What should you do if multiple licenses are assigned to the same computer? + +## Answer + +To resolve issues with multiple licenses assigned to the same computer, you will review license assignments and enable the appropriate system setting to prevent duplicates. Follow the steps below to complete this process: + +> **NOTE:** The Endpoint Protector Server needs to properly identify virtual desktop clones. + +1. To view the license IDs associated with each machine, navigate to the **Endpoint Protector Console** > **System Configuration** > **System Licensing** > **View Licenses**. + ![View Licenses screen in System Licensing](./images/servlet_image_c18781dc37ee.png) + ![List of licenses assigned to computers](./images/servlet_image_e566e333ee45.png) + +2. If duplicates exist (more than one license associated with the same machine name), then navigate to **System Configuration** > **System Settings** and enable the option **Virtual Desktop Clones Support**. + ![Virtual Desktop Clones Support option in System Settings](./images/servlet_image_6774db6198b6.png) + +The **Virtual Desktop Clones Support** setting allows the server to identify virtual desktop clones and interact accordingly with the client. \ No newline at end of file 
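Review bot: Step 2 of multiple_licenses_assigned_to_the_same_computer.md stops at enabling **Virtual Desktop Clones Support** and does not say whether the duplicate licenses already listed under **View Licenses** are released automatically or have to be removed by hand; add the expected outcome so the reader can confirm the fix worked. The article is also added under docs/kb/activitymonitor with `products: - activity-monitor`, while every step refers to the Endpoint Protector Console and the keywords list Endpoint Protector; file it under that product instead.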
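Review bot: In monitoring_microsoft_sql_-_log_tracker_vs._change_tracker.md, the **Database-level auditing** bullet says the feature is available "only in Enterprise editions", but the table directly above it also lists Evaluation, Developer and Datacentre as "Server- and database-level"; make the bullet and the table agree. In the overview, "All of these SQL audit events can either be written to the normal Windows event logs, which ..." has an "either" with no matching "or" and should be merged with the following sentence about custom log files. The closing paragraph says the compliance report is "configuring it in a way that is secure", whereas the text before the rules describes the report as running queries to see how the database is configured; if Change Tracker only reports, drop "configuring".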
diff --git a/docs/kb/activitymonitor/nam-linux-agent-how-to-handle-locked-auditd-config.md b/docs/kb/activitymonitor/nam-linux-agent-how-to-handle-locked-auditd-config.md new file mode 100644 index 0000000000..fcb596f703 --- /dev/null +++ b/docs/kb/activitymonitor/nam-linux-agent-how-to-handle-locked-auditd-config.md 
@@ -0,0 +1,87 @@ +--- +description: >- + Explains why auditd configuration lock prevents Netwrix Activity Monitor from + modifying audit rules and how to remove the lock so activity monitoring can be + configured. +keywords: + - auditd + - auditctl + - audit.rules + - locked + - Netwrix Activity Monitor + - Linux + - rules.d + - '-e 2' + - audit +products: + - activity-monitor +sidebar_label: NAM Linux Agent - How to handle locked auditd conf +tags: [] +title: "NAM Linux Agent - How to handle locked auditd config" +knowledge_article_id: kA04u000000HDi0CAG +--- + +# NAM Linux Agent - How to handle locked auditd config + +### Your auditd configuration is locked. Netwrix Activity Monitor needs to modify audit rules. Please, unlock auditd configuration. + + +*Figure 1: Auditd configuration lock error message* + +This KB article explains why the user can receive such error message and how to handle it. + +Activity monitoring for Linux is based on auditd, a part of the built-in Linux Auditing System. Netwrix Activity Monitor uses auditd and needs to be able to control it. Therefore Netwrix Activity Monitor requires write access to auditd configuration (`auditctl`) and specifically to auditing rules (`audit.rules`). + +There is an `enabled` flag in `auditctl` that can lock the rules. When locked, it prevents the rules from being changed until the system is rebooted. +When auditd configuration is locked Netwrix Activity Monitor is not able to control auditing and set up audit rules and therefore activity monitoring cannot be correctly configured. Netwrix Activity Monitor is able to detect the lock and show an appropriate error message to the user (Figure 1). + +The current version of Netwrix Activity Monitor (7.0) does not automatically handle the locked auditd configuration. +When you receive such an error you need to manually remove the lock in order to have activity monitoring enabled. 
Automatic handling of auditd lock is planned in the next version of Netwrix Activity Monitor. + +The following commands may be helpful to identify the rule that locks the configuration and disable it: + +1. Show current status + ``` + auditctl -s + ``` + Example output: + ``` + enabled 2 + failure 1 + pid 1006 + rate_limit 0 + backlog_limit 8192 + lost 0 + backlog 0 + backlog_wait_time 60000 + backlog_wait_time_actual 0 + loginuid_immutable 0 unlocked + ``` + + Note: `enabled 2` indicates the locked flag. + +2. List currently loaded rules + ``` + cat /etc/audit/audit.rules + ``` + Example output: + ``` + -a always,exit -F dir=/home/maxim/3 -F perm=w -F filetype=dir -k xsfam_000_003_d_w + -a always,exit -F dir=/home/maxim/3 -F perm=a -F filetype=dir -k xxfam_000_003_d_a + --backlog_wait_time 60000 + -e 2 + ``` + + Note: `-e 2` is the line that sets the locked flag. + +3. Find the rule that enables the lock + ``` + grep -R "\-e 2" /etc/audit/rules.d + ``` + Example output: + ``` + /etc/audit/rules.d/x002.rules:-e 2 + ``` + `/etc/audit/rules.d/x002.rules` is the path to the file containing the locking rule. + +4. Edit the file and remove the locking rule (for example replace `-e 2` with `-e 1`), then reboot the system in order to have the changes applied. diff --git a/docs/kb/activitymonitor/netwrix_activity_monitor_(nam)_7.0_paths.md b/docs/kb/activitymonitor/netwrix_activity_monitor_(nam)_7.0_paths.md new file mode 100644 index 0000000000..b4c1403c86 --- /dev/null +++ b/docs/kb/activitymonitor/netwrix_activity_monitor_(nam)_7.0_paths.md 
@@ -0,0 +1,205 @@ +--- +description: >- + This article outlines the installation and configuration paths for Netwrix Activity Monitor (NAM) 7.0, detailing the various locations and files used for the NAM agent and console. +keywords: + - Netwrix Activity Monitor + - installation paths + - configuration files + - NAM agent + - NAM console +sidebar_label: NAM 7.0 Paths +tags: [] +title: "Netwrix Activity Monitor (NAM) 7.0 Paths" +knowledge_article_id: kA04u00000111AOCAY +products: + - activity-monitor +--- + +# Netwrix Activity Monitor (NAM) 7.0 Paths + +## Overview + +NAM 7.0 has changed its installation and configuration paths from 6.0. This article explains all the different locations and files that are used for the NAM agent and console. + +## Installation Binaries (Default Location) + +*Only includes installation binaries; doesn't include config files or logs.* + +### Console + +**NAM Console** + +``` +%PROGRAMFILES%\Netwrix\Activity Monitor\Console +``` + +**NAM Agent install packages** (that the console uses for deployments, includes Windows Agent, Linux Agent, and SI Agent): + +``` +%PROGRAMFILES%\Netwrix\Activity Monitor\Console\Agents +``` + +### Windows Agent + +**NAM Agent** + +``` +%PROGRAMFILES%\Netwrix\Activity Monitor\Agent +``` + +**SBTService** (Only for SBTService / Windows Monitoring) + +``` +%PROGRAMFILES%\Stealthbits\StealthAUDIT\FSAC +``` + +**Windows Activity driver sys file** + +``` +%WINDIR%\System32\drivers\SBTFSF.sys +``` + +**SI Agent** (only used for AD Activity) + +``` +%PROGRAMFILES%\Stealthbits\StealthINTERCEPT\SIWindowsAgent +``` + +### Linux Agent + +**NAM Agent** + +``` +/usr/bin/activity-monitor-agentd +``` + +## Program Data + +*Includes config files, logs, and additional data.* + +### Console + +**Console’s list of agents and encrypted credentials** (access given to SYSTEM and BUILTIN\Administrators only) + +``` +%PROGRAMDATA%\Netwrix\Activity Monitor\Console\Agents.ini +``` + +**NAM Console’s license file** + +``` 
+%PROGRAMDATA%\Netwrix\Activity Monitor\Console\FileMonitor.lic +``` + +**NAM Console’s Debug Logs** + +``` +%PROGRAMDATA%\Netwrix\Activity Monitor\Console\DebugLogs +``` + +### Windows Agent + +**NAM Agent’s config file** + +``` +%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\SBTFileMon.ini +``` + +**NAM Agent’s SI config File** (only used for AD Activity) + +``` +%PROGRAMFILES%\Stealthbits\StealthINTERCEPT\SIWindowsAgent\SAMConfig.xml +``` + +**Main SI Agent’s Config File** (only used for AD Activity) + +``` +%PROGRAMFILES%\Stealthbits\StealthINTERCEPT\SIWindowsAgent\SIWindowsAgent.exe.Config +``` + +**NAM Agent’s debug logs** + +``` +%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\DebugLogs +``` + +**NAM Windows Driver ETW Logs** + +``` +%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\DebugLogs +``` + +**Saved Crash Dumps of NAM Services** + +``` +%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\Dumps +``` + +**NAM Audit Logs** - History of all config changes; this is also included in the Windows Event Log (Application) + +``` +%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\Audit +``` + +**NAM Journal Logs** - History of hosts and output statuses + +``` +%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\Journal +``` + +**NAM Activity Logs** (Default location, can be customized) + +``` +%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\ActivityLogs +``` + +### Linux Agent + +**NAM Agent’s config file** + +``` +/usr/bin/activity-monitor-agentd/config/SBTFileMon.ini +``` + +**NAM Agent’s debug logs** + +``` +/usr/bin/activity-monitor-agentd/DebugLogs +``` + +**NAM Audit Logs** - History of all config changes; this is also included in the Windows Event Log (Application) + +``` +/usr/bin/activity-monitor-agentd/Audit +``` + +**NAM Journal Logs** - History of hosts and output statuses + +``` +/usr/bin/activity-monitor-agentd/Journal +``` + +**NAM Activity Logs** (Default location, can be customized) + +``` +/usr/bin/activity-monitor-agentd/ActivityLogs +``` + +## Windows Registry Key 
Location + +``` +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters +``` + +### Values: + +- **ConfigPath** – String (REG_SZ) + - Full path of config `SBTFileMon.ini` file that the agent is currently using + +- **TraceLevel** – DWORD 32-bit (REG_DWORD) + - The integer value of the trace level that the product is currently using (for console and agents) + - 0 – Trace + - 1 – Debug + - 2 – Information + - 3 – Warning + - 4 – Fatal \ No newline at end of file diff --git a/docs/kb/activitymonitor/not_receiving_threat_events.md b/docs/kb/activitymonitor/not_receiving_threat_events.md new file mode 100644 index 0000000000..a386842bb1 --- /dev/null +++ b/docs/kb/activitymonitor/not_receiving_threat_events.md 
@@ -0,0 +1,62 @@ +--- +description: >- + This article provides troubleshooting steps for resolving issues related to not receiving threat events in Netwrix Threat Manager. +keywords: + - Netwrix Threat Manager + - App Token + - threat events +sidebar_label: Not Receiving Threat Events +tags: [] +title: "Not Receiving Threat Events" +knowledge_article_id: kA0Qk0000001ZYPKA2 +products: + - activity-monitor +--- + +# Not Receiving Threat Events + +## Symptom + +Netwrix Threat Manager (formerly StealthDEFEND) does not appear to be gathering threat events. + +## Cause + +The App Token within Threat Manager is no longer valid or is not working between the required application servers. + +## Resolution + +To resolve this issue, you must generate a new App Token in Threat Manager and update it in the sending application servers. + +1. Generate a new **App Token** in Netwrix Threat Manager: + 1. In Threat Manager v2.8, go to **Administration** > **Configuration Menu** > **Integrations Interface** > **App Tokens** page. + 2. Follow the steps in the [Generate an App Token](/docs/threatmanager/2.8/administration/configuration/integrations/apptoken) guide to create a new token. + ![App Tokens page in Netwrix Threat Manager showing token details](https://helpcenter-be.netwrix.com/bundle/ThreatManager_2.8/page/Content/Resources/Images/ThreatManager/Admin/Configuration/Integrations/AppTokens/Details.png?_LANG=enus) + +2. Update the new **App Token** in the sending application servers: + - **Netwrix Activity Monitor** (formerly Stealthbits Activity Monitor) v7.1: + 1. Go to the **Administration** > **Output Types** > **Threat Manager** tab. + 2. Enter the new **App Token** as described in the [Threat Manager Tab](/docs/activitymonitor/7.1/admin/outputs/threatmanager) documentation. + ![Threat Manager tab in Netwrix Activity Monitor Output Types](./images/servlet_image_07420143fdc8.png) + + - **Netwrix Activity Monitor File System (UDP)**: + - No App Token is needed for UDP output. 
For configuration, see [Syslog output](/docs/activitymonitor/7.1/admin/outputs/syslog). + + ![Syslog output configuration in Netwrix Activity Monitor](./images/servlet_image_07420143fdc8.png) + + - **Netwrix Threat Prevention** (formerly StealthINTERCEPT) v7.4: + 1. Go to the **Administration** > **Netwrix Threat Manager Configuration Window** > **Event Sink** tab. + 2. Enter the new **App Token** as described in the [Event Sink Tab](/docs/threatprevention/7.4/admin/configuration/threatmanagerconfiguration) documentation. + + +> **IMPORTANT:** Because Threat Manager receives data from the following applications, verify that each is functioning properly after updating the App Token: +> - Netwrix Activity Monitor: For more information, see [Output for Monitored Hosts](/docs/activitymonitor/7.1/admin/monitoredhosts/output). +> - Netwrix Threat Prevention Server (SI): For more information, see [Agents](/docs/threatprevention/7.4/admin/agents/overview). + +## Related Links + +- [Generate an App Token in Netwrix Threat Manager 2.8](/docs/threatmanager/2.8/administration/configuration/integrations/apptoken) +- [Threat Manager Tab in Netwrix Activity Monitor 7.1](/docs/activitymonitor/7.1/admin/outputs/threatmanager) +- [Syslog Output in Netwrix Activity Monitor 7.1](/docs/activitymonitor/7.1/admin/outputs/syslog) +- [Event Sink Tab in Netwrix Threat Prevention 7.4](/docs/threatprevention/7.4/admin/configuration/threatmanagerconfiguration) +- [Output for Monitored Hosts in Netwrix Activity Monitor 7.1](/docs/activitymonitor/7.1/admin/monitoredhosts/output) +- [Agents in Netwrix Threat Prevention 7.4](/docs/threatprevention/7.4/admin/agents/overview) \ No newline at end of file diff --git a/docs/kb/activitymonitor/set_the_do_not_notify_feature_for_additional_owners_in_the_portal.md b/docs/kb/activitymonitor/set_the_do_not_notify_feature_for_additional_owners_in_the_portal.md new file mode 100644 index 0000000000..35f3fdc71b --- /dev/null 
+++ b/docs/kb/activitymonitor/set_the_do_not_notify_feature_for_additional_owners_in_the_portal.md 
@@ -0,0 +1,62 @@ +--- +description: >- + This article explains how to set the Do Not Notify feature for additional owners in Netwrix Directory Manager, allowing you to restrict email notifications for group changes. +keywords: + - Directory Manager + - Do Not Notify + - Additional Owners +sidebar_label: Set Do Not Notify for Additional Owners +tags: [] +title: "Set the Do Not Notify Feature for Additional Owners in the Portal" +knowledge_article_id: kA0Qk0000002R2XKAU +products: + - activity-monitor +--- + +# Set the Do Not Notify Feature for Additional Owners in the Portal + +## Applies To + +Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows you to restrict individual additional owners from receiving email notifications for group changes. The **Do Not Notify** feature can be set for additional owners, so they do not receive notification emails, including those triggered by workflow actions. You can configure this feature using the Directory Manager Portal or the Management Shell. + +## Instructions + +### Set Do Not Notify for Additional Owners Using the Portal + +1. Log in to the Directory Manager Portal. +2. Go to the **Properties** of the group for which you want to set **Do Not Notify**. +3. Click the **Owner** tab. You will see a check box next to each **Additional Owner** in the grid. +4. Select the check box to set **Do Not Notify** for the required additional owners and click **Save**. + +![Do Not Notify option for additional owners in Directory Manager Portal](./images/servlet_image_99952a342a08.png) + +### Set Do Not Notify for Additional Owners Using the Management Shell + +> **NOTE:** Before running these cmdlets in your production environment, it is recommended to test them on sample groups to verify the results. + +The **Do Not Notify** feature can also be set using the Management Shell with the **NotifyOptOutAdditionalOwners** parameter. 
This parameter is part of the **Additional Owner** attribute and cannot be set independently. You can set **Do Not Notify** while adding new additional owners or by modifying existing ones. + +### Set Do Not Notify for New Additional Owners + +```powershell +Set-Group -Identity "Group Name" -Add @{"AdditionalOwners" = "Name of the Additional Owner"} -NotifyOptOutAdditionalOwners "Name of the Additional Owner" +``` + +### Set Do Not Notify for Existing Additional Owners + +```powershell +Set-Group -Identity "Group Name" -Replace @{"AdditionalOwners" = "Name of the Additional Owner","Name of the Additional Owner"} -NotifyOptOutAdditionalOwners "Name of the Additional Owner" +``` + +### Bulk Set Do Not Notify for All Additional Owners + +```powershell +$i=Get-Group -Identity "Group Name"| Select -ExpandProperty AdditionalOwner +foreach($j in $i.split(",")){ + Set-Group -Identity "Group Name" -Replace @{"AdditionalOwners" = $j,$j} -NotifyOptOutAdditionalOwners $j +} +``` \ No newline at end of file diff --git a/docs/kb/activitymonitor/troubleshooting/_category_.json b/docs/kb/activitymonitor/troubleshooting/_category_.json new file mode 100644 index 0000000000..528546d241 --- /dev/null +++ b/docs/kb/activitymonitor/troubleshooting/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Troubleshooting", + "position": 4, + "collapsed": true, + "collapsible": true +} \ No newline at end of file diff --git a/docs/kb/activitymonitor/troubleshooting/error-fsac-system-scan-job-targets-incorrect-host.md b/docs/kb/activitymonitor/troubleshooting/error-fsac-system-scan-job-targets-incorrect-host.md new file mode 100644 index 0000000000..c4b7d24501 --- /dev/null +++ b/docs/kb/activitymonitor/troubleshooting/error-fsac-system-scan-job-targets-incorrect-host.md 
@@ -0,0 +1,45 @@ +--- +description: >- + The FSAC System Scan job in Netwrix Access Analyzer targets the agent server + instead of the NAS device, preventing the NAS from being scanned. This article + explains how to update the job's host list so the scan targets the correct NAS + device. +keywords: + - FSAC + - FSAC System Scan + - NAS + - host list + - Netwrix Access Analyzer + - agent + - job configuration + - data collection + - NAS device + - scan +products: + - activity-monitor + - access-analyzer +sidebar_label: 'Error: FSAC System Scan Job Targets Incorrect Host' +tags: [] +title: 'Error: FSAC System Scan Job Targets Incorrect Host' +knowledge_article_id: kA0Qk00000020DdKAI +--- + +# Error: FSAC System Scan Job Targets Incorrect Host + +## Symptom +The FSAC System Scan job in Netwrix Access Analyzer fails to collect data from the intended NAS device. Instead, the job attempts to target the agent server, resulting in incomplete or missing data collection from the NAS device. + +## Cause +The host list for the FSAC System Scan job was configured to target the agent server rather than the NAS device. As a result, Netwrix Access Analyzer did not collect the required FSAC data from the NAS device. + +## Resolution +1. Open Netwrix Access Analyzer. +2. Navigate to the **Jobs** section. +3. Locate and select the **FSAC System Scan** job. +4. Navigate to **Configure > Hosts** and find the **Host List**. +5. Deselect any host list that is pointing to an agent. +6. Add the NAS device to the host list using either of the following methods: + - Enter its hostname or IP address. + - Select a host list that contains the NAS. +7. Save the changes to the job configuration. +8. Run the **FSAC System Scan** job again to verify that data is now collected from the NAS device. diff --git a/docs/kb/activitymonitor/troubleshooting/index.md b/docs/kb/activitymonitor/troubleshooting/index.md new file mode 100644 index 0000000000..ee93e8ff01 --- /dev/null 
+++ b/docs/kb/activitymonitor/troubleshooting/index.md @@ -0,0 +1,47 @@ +--- +title: "Troubleshooting" +description: Solutions for common Activity Monitor issues and errors +--- + +# Troubleshooting + +Find solutions to common errors, connectivity issues, and data collection problems in Activity Monitor. + +## Articles in This Section + +- [Error: Cannot Initialize Scan with Proxy Host in Access Analyzer 11.6](./error-cannot-initialize-scan-with-proxy-host-in-access-analyzer-11-6) +- [Error: FSAC System Scan Job Targets Incorrect Host](./error-fsac-system-scan-job-targets-incorrect-host) +- [Error: Invalid Credentials - Client ID/Secret May Be Incorrect or Expired](./error-invalid-credentials-client-id-secret-combo-may-be-incorrect-or-expired) +- [Activity Monitor Report Shows Successful But Is Not Updating Data](./netwrix-activity-monitor-report-shows-successful-but-is-not-updating-data) +- [SharePoint Online Activity Scan Warning: Unknown Item Type](./sharepoint-online-activity-scan-warning-unknown-item-type) + +## Common Issues + +### Authentication Errors +- Invalid credentials or expired client secrets +- Service account authentication failures + +### Data Collection Problems +- Reports showing successful but no data updates +- Scan jobs targeting incorrect hosts + +### SharePoint Issues +- Unknown item type warnings +- Activity scan failures + +### Proxy Configuration +- Cannot initialize scan with proxy host +- Network connectivity issues + +## Troubleshooting Steps + +1. Check agent connectivity and status +2. Verify credentials and permissions +3. Review error logs in SFAM locations +4. Confirm network connectivity and proxy settings + +## Related Documentation + +- Troubleshooting Guide +- Error Code Reference +- [Support Resources](https://www.netwrix.com/support.html)" \ No newline at end of file 
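Review bot: The last added line of troubleshooting/index.md ends with a stray double quote after the Support Resources link (`support.html)"`), which will render literally; remove it. Under Related Documentation, "Troubleshooting Guide" and "Error Code Reference" are plain text with no link target, and step 3 of Troubleshooting Steps refers to "SFAM locations" without expanding the abbreviation or pointing to the paths article. The proxy host and invalid credentials articles linked under "Articles in This Section" are not among the files visible in this part of the patch, so confirm they are added and the relative links resolve.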
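Review bot: In nam-linux-agent-how-to-handle-locked-auditd-config.md, step 2 is titled "List currently loaded rules" but runs `cat /etc/audit/audit.rules`, which prints the rules file on disk rather than the rules the kernel has loaded; retitle the step or use `auditctl -l`. Step 4 tells the reader to replace `-e 2` with `-e 1` and reboot without noting the trade-off the article itself describes: the lock is what prevents audit rules from being changed until reboot, so removing it lets a privileged user alter or clear them at runtime. Add a sentence asking the reader to check whether the lock is mandated by their hardening baseline before changing it. The text also refers to "Figure 1" twice while the hunk adds only the caption and no image, and `sidebar_label` is cut off at "auditd conf".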
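Review bot: In netwrix_activity_monitor_(nam)_7.0_paths.md, the Linux Agent entry for **NAM Audit Logs** (`/usr/bin/activity-monitor-agentd/Audit`) carries the text "this is also included in the Windows Event Log (Application)", which looks copied from the Windows Agent section; remove it or name the Linux equivalent. Under Program Data, "NAM Agent's debug logs" and "NAM Windows Driver ETW Logs" give the identical path `%PROGRAMDATA%\Netwrix\Activity Monitor\Agent\DebugLogs`; confirm that is intended or merge the two entries. The two SI config files are listed under Program Data although their paths are under `%PROGRAMFILES%`, and the TraceLevel list goes from 3 Warning to 4 Fatal with no Error level, so check that no value is missing.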
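Review bot: In not_receiving_threat_events.md, the Threat Manager tab screenshot and the Syslog output screenshot both reference `./images/servlet_image_07420143fdc8.png`, so one of the two captions is attached to the wrong image. The App Tokens screenshot is hot-linked from helpcenter-be.netwrix.com while the other images are local files; copy it into `./images` so the page does not depend on an external host. The Resolution generates a new App Token but never says what to do with the old one; add a step stating whether the previous token should be deleted once the senders have been updated.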
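Review bot: In set_the_do_not_notify_feature_for_additional_owners_in_the_portal.md, the bulk script reads the owners with `Select -ExpandProperty AdditionalOwner` (singular) while every `Set-Group` call uses `AdditionalOwners`; confirm which property name is correct. Inside the loop each iteration calls `-Replace @{"AdditionalOwners" = $j,$j}` with a single owner, so if `-Replace` overwrites the attribute the group ends up with only the last owner in the list; document what `-Replace` does here, or build the full list once and pass it in a single call. The repeated value in the "existing owners" example (`"Name of the Additional Owner","Name of the Additional Owner"`) also needs a sentence explaining why the name appears twice. The page sits under docs/kb/activitymonitor with `products: - activity-monitor` although it applies to Directory Manager 11.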
diff --git a/docs/kb/activitymonitor/troubleshooting/netwrix-activity-monitor-report-shows-successful-but-is-not-updating-data.md b/docs/kb/activitymonitor/troubleshooting/netwrix-activity-monitor-report-shows-successful-but-is-not-updating-data.md new file mode 100644 index 0000000000..3f7a203ce6 --- /dev/null +++ b/docs/kb/activitymonitor/troubleshooting/netwrix-activity-monitor-report-shows-successful-but-is-not-updating-data.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Explains why Netwrix Activity Monitor FSAC system scans report successful but + do not update data, shows the observed error messages, identifies missing + licenses as the cause, and gives steps to verify licensing in Netwrix Access + Analyzer. +keywords: + - FSAC + - File System + - licensing + - Netwrix Activity Monitor + - Netwrix Access Analyzer + - File Activity + - FILESYSTEMACCESS + - 1-FSAC System Scans_Log.tsv +products: + - activity-monitor + - access-analyzer +sidebar_label: Netwrix Activity Monitor Report Shows Successful B +tags: [] +title: "Netwrix Activity Monitor Report Shows Successful But is Not Updating Data" +knowledge_article_id: kA0Qk0000001y8bKAA +--- + +# Netwrix Activity Monitor Report Shows Successful But is Not Updating Data + +## Symptoms + +In the FSAC System scan log (`1-FSAC System Scans_Log.tsv`), the following errors are observed: + +``` +ERROR TDCThread TDCThread.LoadSourceItf "No DC installed to handle source: FILESYSTEMACCESS" +``` + +``` +ERROR TDCThread TDCThread.PrepareForTask "The 'FILESYSTEMACCESS' data collector has not been installed" +``` + +## Cause + +There is no license for one or more of the following features in **Netwrix Activity Monitor** (NAM): + +- File System +- File System Actions +- File System Reports + +> **NOTE:** There may only be a license for **File Activity** in NAM and not for **File System Reports**, **File System Actions**, or **File System** in **Netwrix Access Analyzer (NEA)**. Sometimes, leftover reports from a sales or professional services demo may still be present in NEA. + +## Resolution + +To verify a feature's licensing in NEA, refer to the following steps: + +1. Navigate to **Help > About**. +2. Scroll down to the **File System Licensed Features** section to confirm the licensed features. 
+ +If needed, contact the Netwrix Account Owner, Enterprise Account Manager (EAM), or Customer Success Manager (CSM) to negotiate the proper functionality and licensing required for the customer. diff --git a/docs/kb/activitymonitor/troubleshooting/sharepoint-online-activity-scan-warning-unknown-item-type.md b/docs/kb/activitymonitor/troubleshooting/sharepoint-online-activity-scan-warning-unknown-item-type.md new file mode 100644 index 0000000000..1f6286b1a3 --- /dev/null +++ b/docs/kb/activitymonitor/troubleshooting/sharepoint-online-activity-scan-warning-unknown-item-type.md 
@@ -0,0 +1,54 @@ +--- +description: >- + When you run SPAC System Scans for SharePoint Online, an "Unknown item type" + warning can appear in Netwrix Access Analyzer. This article explains the cause + and provides three resolutions: ignore the warning, upgrade, or disable + collection of Other events in Netwrix Activity Monitor. +keywords: + - SharePoint Online + - SPAC + - Unknown item type + - Netwrix Access Analyzer + - Netwrix Activity Monitor + - System Scan + - Other events + - data collection + - warning +products: + - activity-monitor + - access-analyzer +sidebar_label: 'Sharepoint Online Activity Scan Warning: Unknown I' +tags: [] +title: 'Sharepoint Online Activity Scan Warning: Unknown Item Type' +knowledge_article_id: kA0Qk00000020K5KAI +--- + +# Sharepoint Online Activity Scan Warning: Unknown Item Type + +## Symptom + +When you run SPAC System Scans for SharePoint Online in **Netwrix Access Analyzer** (NEA), the system generates the following error message: + +``` +[8] Unknown item type +``` + +## Cause + +This issue occurs because these are newer event types being collected by **Netwrix Activity Monitor** for which NEA does not have mappings. + +## Resolutions + +To address this issue, you can do one of the following: + +- Ignore the warnings, as they do not inhibit data collection. + +- Upgrade to the latest version of **Netwrix Access Analyzer (NEA)**, which should include all SharePoint Online activity types known up until the most recent release date. + + > **NOTE:** If you are on the latest released version of NEA and are still encountering this issue, please submit an escalation to have new event types added to a future release. + +- Disable the collection of **Other event types** in **Netwrix Activity Monitor**: + + 1. Open **Netwrix Activity Monitor** and navigate to the SharePoint Online file output in the **Monitored Hosts** tab. + 2. 
On the **Other** tab, uncheck the **Other events** option: + ![SharePoint Online Other events option screenshot](../images/ka0Qk000000CnwD_0EMQk00000BF8bi.png) diff --git a/docs/kb/activitymonitor/uninstall_endpoint_protector_linux_clients_older_than_version_2.0.0.0.md b/docs/kb/activitymonitor/uninstall_endpoint_protector_linux_clients_older_than_version_2.0.0.0.md new file mode 100644 index 0000000000..9b18d679d4 --- /dev/null +++ b/docs/kb/activitymonitor/uninstall_endpoint_protector_linux_clients_older_than_version_2.0.0.0.md @@ -0,0 +1,28 @@ +--- +description: >- + This article provides instructions on how to uninstall Endpoint Protector Linux clients that are older than version 2.0.0.0. +keywords: + - Endpoint Protector + - Linux client + - uninstall +sidebar_label: Uninstall Endpoint Protector Linux Clients +tags: [] +title: "Uninstall Endpoint Protector Linux Clients Older Than Version 2.0.0.0" +knowledge_article_id: kA0Qk0000002B6pKAE +products: + - activity-monitor +--- + +# Uninstall Endpoint Protector Linux Clients Older Than Version 2.0.0.0 + +## Question + +How can you uninstall Endpoint Protector Linux clients older than version 2.0.0.0? + +## Answer + +To uninstall an Endpoint Protector (EPP) Linux client older than version 2.0.0.0, use the `uninstall.sh` script that was provided with the same version of the client. + +If you no longer have the installer or the uninstall script for that version, submit a support ticket through the [Netwrix Support Portal](https://www.netwrix.com/support.html) and request the kit corresponding to your EPP client version. The support team will provide you with a download link. + +After uninstalling the old version, it is recommended to restart the computer. \ No newline at end of file 
diff --git a/docs/kb/activitymonitor/update-service-account-password-upon-password-change-in-active-directory-ad.md b/docs/kb/activitymonitor/update-service-account-password-upon-password-change-in-active-directory-ad.md new file mode 100644 index 0000000000..3bd732511b --- /dev/null +++ b/docs/kb/activitymonitor/update-service-account-password-upon-password-change-in-active-directory-ad.md 
@@ -0,0 +1,88 @@ +--- +description: >- + Explains how to update service account passwords after they change in Active + Directory (AD) for Netwrix products and related components, including Netwrix + Access Analyzer, Netwrix Activity Monitor, Access Information Center, and FSAA + Proxy. +keywords: + - service account + - password + - Active Directory + - Netwrix Access Analyzer + - Netwrix Activity Monitor + - Access Information Center + - FSAA Proxy + - NetApp +products: + - activity-monitor + - access-analyzer + - access_info_center +visibility: public +sidebar_label: Update Service Account Password Upon Password Chan +tags: [] +title: "Update Service Account Password Upon Password Change in Active Directory (AD)" +knowledge_article_id: kA04u0000000IKbCAM +--- + +# Update Service Account Password Upon Password Change in Active Directory (AD) + +## Overview + +When passwords for service accounts get reset in Active Directory (AD), the passwords do not update and propagate automatically − they should be updated manually. + +## Instructions + +> **NOTE:** In case Windows auth is used for the SQL database connection, no changes to the Netwrix Access Analyzer connection settings are required. The Windows auth method allows you to connect to your SQL Server using the currently logged-in Windows user credentials when the Netwrix Access Analyzer console is opened. If the credentials are valid, the SQL database connection will be established. + +### Netwrix Access Analyzer + +- Change the service account password in **Netwrix Access Analyzer** > **Settings** > **Connection**. + + *Screenshot: Netwrix Access Analyzer Settings > Connection* + +- Change the service account password in **Netwrix Access Analyzer** > **Settings** > **Schedule**. + + *Screenshot: Netwrix Access Analyzer Settings > Schedule* + +### Netwrix Activity Monitor + +- If a Netwrix Activity Monitor (NAM) agent runs the agent service with the service account, the password in NAM should also be updated. 
While the service may run using the Local System account, make sure to confirm it is. If you need to change the password, right-click the NAM agent service (in Windows Services), and navigate to **Properties** > **Logon** tab. + + *Screenshot: Windows Service Properties > Logon tab* + +Agent settings + +- Select the agent and click **Edit**. Under the **Connection** tab, update the password if a specific account was used. + + *Screenshot: Agent settings Connection tab* + +Monitored Host (NAS devices) + +- Select the Host and click **Edit**. Under the **Auditing** tab, update the user's password to connect to the OneFS Platform API. + + *Screenshot: Host settings Auditing tab* + +### Access Information Center + +- Reinstall Access Information Center (AIC) in case the service account is used to establish the connection to the SQL database for Windows authentication. The repair option will not reset the database connection. + + + *Screenshots: AIC reinstallation process* + +> **NOTE:** If any customizations have been made to the AIC (enabling SSL, SSO, ownership workflow, etc.), then it is advised to make a backup of the Netwrix Access Analyzer compliance folder so the customizations can be restored after the AIC reinstall. Refer to the default location: + +```text +C:\inetpub\wwwroot\StealthAUDIT Compliance +``` + +### FSAA Proxy + +- If using the FSAA Proxy stand-alone application, you will need to change the password in the **Properties** > **Log On** tab in Windows Services for the service (`StealthAUDIT FSAA Proxy Scanner`). + + *Screenshot: FSAA Proxy service Properties > Log On tab* + +### Netwrix Activity Monitor (NetApp NAS monitoring) + +- If using a NAM agent to monitor a NetApp NAS with this service account, it may also be necessary to update the credentials for the `Stealthbits NetApp File Monitoring Service` (in Windows Services): + + *Screenshot: NetApp File Monitoring Service properties* 
diff --git a/docs/kb/auditor/0x80040605-error-connection-failed.md b/docs/kb/auditor/0x80040605-error-connection-failed.md new file mode 100644 index 0000000000..f5d6a50735 --- /dev/null +++ b/docs/kb/auditor/0x80040605-error-connection-failed.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Explains how to resolve 0x80040605 "Connection failed" errors in Netwrix + Auditor when the target server is unreachable, including likely causes and + remediation steps. Provides guidance about required services and disk space + considerations for the Long-Term Archive. +keywords: + - 2147747333 + - Connection failed + - Health Log + - Netwrix Auditor + - services + - Long-Term Archive + - disk space + - audit data collection +products: + - auditor +sidebar_label: 0x80040605 Error − Connection Failed +tags: [] +title: "0x80040605 Error − Connection Failed" +knowledge_article_id: kA00g000000H9YWCA0 +--- + +# 0x80040605 Error − Connection Failed + +## Symptoms + +Either of the following error messages is prompted in your Health Log or upon the Netwrix Auditor launch: + +```text +Connection failed +0x80040605 Failed to process a request because the target server is unreachable +``` + +```text +An error occurred while sending email: +0x80040605 Failed to process a request because the target server is unreachable +``` + +## Causes + +One (or more) of the following services has stopped in the Netwrix Auditor server: + +- Netwrix Auditor Archive Service +- Netwrix Auditor Configuration Server Service +- Netwrix Auditor Core Service +- Netwrix Auditor Data Collection Service + +## Resolution + +Review the services running in the Netwrix Auditor server − make sure the services are running with their startup type set to **Automatic**. + +> **IMPORTANT:** If the disk storing Long-Term Archive is running out of space, you'll corresponding events in Health Log. When the free disk space is below 3GB, the Netwrix services responsible for audit data collection will be stopped, preventing the data collection. For additional information on reducing disk space consumption, refer to the following article: [Netwrix Auditor Consumes Disk Space — Recommendations](/docs/kb/auditor/netwrix-auditor-consumes-disk-space-recommendations). 
+ +## Related articles + +- [Netwrix Auditor Consumes Disk Space — Recommendations](/docs/kb/auditor/netwrix-auditor-consumes-disk-space-recommendations) diff --git a/docs/kb/auditor/0x800706d3-error-authentication-service-is-unknown.md b/docs/kb/auditor/0x800706d3-error-authentication-service-is-unknown.md new file mode 100644 index 0000000000..a81faacaa0 --- /dev/null +++ b/docs/kb/auditor/0x800706d3-error-authentication-service-is-unknown.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Health Log shows error 0x800706D3 (The authentication service is unknown) for + file server monitoring plans in Netwrix Auditor after installing Microsoft + updates KB5003646/KB5003638; upgrade to v10.5.11059 or later to resolve the + issue. +keywords: + - 2147944147 + - authentication service is unknown + - file server monitoring + - KB5003646 + - KB5003638 + - Netwrix Auditor + - Windows Server 2019 + - event log + - 8007060000 +products: + - auditor +sidebar_label: 0x800706D3 Error − Authentication Service Is Unkno +tags: [] +title: "0x800706D3 Error − Authentication Service Is Unknown" +knowledge_article_id: kA04u000000PdInCAK +--- + +# 0x800706D3 Error − Authentication Service Is Unknown + +## Symptom + +Either of the following errors is prompted in Health Log for file server monitoring plans in Netwrix Auditor: + +``` +Source: File Storage Audit Service +Event ID:6104 +Description:Monitoring plan: %File_Servers_Monitoring_Plan% +Item: %item_name% +Unable to process item: Cannot connect to file server (0x800706D3 The authentication service is unknown). +``` + +``` +Backup event log seek failed. Error details: Access is denied +``` + +``` +Failed to open the event log. Error details: The requested operation is not supported. Error code: 800706e4 +``` + +## Cause + +Microsoft released security updates KB5003646/KB5003638 to fix security vulnerabilities. These updates installed in Windows Server 2019 servers would affect the Netwrix Auditor data collection. Learn more about the updates in [KB5003646 · Microsoft Support](https://support.microsoft.com/en-us/topic/june-8-2021-kb5003646-os-build-17763-1999-81e2ff5a-0769-4e56-8762-059dd6e0d6bb). + +## Resolution + +Upgrade your Netwrix Auditor instance to `v10.5.11059` or the latest version available. Refer to the following article for additional information on the upgrade process: Installation − Upgrade to the Latest Version · v10.6. 
+ +## Related articles + +- [KB5003646 · Microsoft Support](https://support.microsoft.com/en-us/topic/june-8-2021-kb5003646-os-build-17763-1999-81e2ff5a-0769-4e56-8762-059dd6e0d6bb) +- Installation − Upgrade to the Latest Version · v10.6 +- [Netwrix Auditor v10.5 Bug Fix List](https://helpcenter-be.netwrix.com/bundle/Auditor_10.5_ReleaseNotes/raw/resource/enus/Netwrix_Auditor_10.5_BugFixList.pdf) diff --git a/docs/kb/auditor/_category_.json b/docs/kb/auditor/_category_.json new file mode 100644 index 0000000000..31ba0aed9c --- /dev/null +++ b/docs/kb/auditor/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Troubleshooting Articles", + "position": 999, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/auditor/aal-test.md b/docs/kb/auditor/aal-test.md new file mode 100644 index 0000000000..8fb269dadc --- /dev/null +++ b/docs/kb/auditor/aal-test.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Shows PowerShell test steps to validate Administrator Audit Logging + connectivity from the Netwrix host to Exchange and how to troubleshoot the + "Administrator Audit Logging is not configured" error. +keywords: + - Administrator Audit Logging + - Exchange + - Netwrix Auditor + - PowerShell + - AdminAuditLogConfig + - Invoke-Command + - New-PSSession +products: + - auditor +sidebar_label: AAL test +tags: [] +title: "AAL test" +knowledge_article_id: kA00g000000H9SECA0 +--- + +# AAL test + +You have already configured **Administrator Audit Logging** on your Exchange Server but still receive the following error in the Netwrix Auditor change reports: "Administrator Audit Logging is not configured for the %Organization name% Exchange organization..." Please perform the following test steps on the Netwrix host server using **PowerShell**:" + +## Test steps + +1. Validate your user principal name (UPN): + - ` $UserCredential = Get-Credential` +2. Create remote session: + - ``` + $ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http:// mailbox01.domain.local/PowerShell/ -Authentication Kerberos -Credential $UserCredential + ``` + - **Note:** Replace `mailbox01.domain.local` with the fully qualified domain name of your Exchange server +3. Check the session status: + - `$ExSession` +4. Try to read AdminAuditLog: + - ``` + Invoke-Command -Session $Exsession -scriptBlock {Get-AdminAuditLogConfig } + ``` +5. 
As a last step, execute: + - ``` + Invoke-Command -Session $Exsession -scriptBlock {Search-AdminAuditLog } + ``` + +If the session has been successfully created (steps 1 and 2 were successful), but step 3 returns an error, please try to check the **AdminAuditLog** content manually using the following cmdlet: `Get-AdminAuditLogConfig.` + +## Example error + +If you get the following error: + +``` +"PS C:Users%username%> Invoke-Command -Session $Exsession -scriptBlock {$AALC onfig = Get-AdminAuditLogConfig } The term 'Get-AdminAuditLogConfig' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. + CategoryInfo : ObjectNotFound: (Get-AdminAuditLogConfig:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException" +``` + +This error means that there is not enough rights to run this cmdlet: please check the service account rights assignment. + +## More information + +This guide from Microsoft will help you remotely connecting to Exchange Server using Powershell: https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-servers-using-remote-powershell?view=exchange-ps diff --git a/docs/kb/auditor/access-errors-for-user-activity-monitoring-plan.md b/docs/kb/auditor/access-errors-for-user-activity-monitoring-plan.md new file mode 100644 index 0000000000..78d03c922f --- /dev/null +++ b/docs/kb/auditor/access-errors-for-user-activity-monitoring-plan.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Shows how to resolve "Requested registry access is not allowed" and related + access errors for a User Activity monitoring plan by checking Remote Registry + service configuration and winreg registry permissions. +keywords: + - user activity + - UAVR + - access denied + - winreg + - Remote Registry + - HKEY_LOCAL_MACHINE + - registry permissions + - monitoring plan + - Netwrix Auditor +products: + - auditor +sidebar_label: Access Errors for User Activity Monitoring Plan +tags: [] +title: "Access Errors for User Activity Monitoring Plan" +knowledge_article_id: kA04u00000110zkCAA +--- + +# Access Errors for User Activity Monitoring Plan + +## Symptom + +A User Activity (UAVR) monitoring plan generates errors on missing access permissions: + +```text +Requested registry access is not allowed +``` + +```text +Cannot open HKEY_Local_Machine: error while opening key +``` + +```text +Access is denied +``` + +## Causes + +- Misconfigured Remote Registry service. +- Misconfigured permissions for the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg` registry subkey on the affected client. + +## Resolution + +- Review the Remote Registry service configuration. Refer to the following article for additional information on configuration steps: Configure IT Infrastructure — Windows Event Logs. + +- Review the permissions to the `SYSTEM\CurrentControlSet\Control\winreg` registry subkey. Refer to the following steps to configure the permissions for the affected client: + + 1. Run Registry Editor on the affected client. + 2. Either expand the registry nodes in the left pane to reach the subkey, or enter the following path in the corresponding path window: + + ```text + Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg + ``` + + 3. Right-click **winreg**, and click **Permissions**. + 4. Click **Add**, and enter **local service** in the **Enter the object names to select**. 
Click **OK** to save the changes. + 5. Select the **LOCAL SERVICE** user and check the **Read — Allow** checkbox under the **Permissions** section. Click **Apply** to save the changes. + 6. Restart the client. diff --git a/docs/kb/auditor/access-is-denied-error-in-event-log-manager-health-log.md b/docs/kb/auditor/access-is-denied-error-in-event-log-manager-health-log.md new file mode 100644 index 0000000000..233f798a3e --- /dev/null +++ b/docs/kb/auditor/access-is-denied-error-in-event-log-manager-health-log.md 
@@ -0,0 +1,52 @@ +--- +description: >- + Explains why the 'Access is denied' error appears in the Netwrix Auditor Event + Log Manager health log and how to resolve it by ensuring the data collection + account has correct permissions and password. +keywords: + - Event Log Manager + - Access is denied + - Event Log Compression Service + - data collection account + - permissions + - service account password + - Netwrix Auditor + - health log +products: + - auditor +sidebar_label: Access Is Denied Error in Event Log Manager Health +tags: [] +title: "Access Is Denied Error in Event Log Manager Health Log" +knowledge_article_id: kA04u000001118mCAA +--- + +# Access Is Denied Error in Event Log Manager Health Log + +## Symptom + +The following error is prompted in Netwrix Auditor Health Log for your Event Log Manager monitoring plan: + +```text +Event ID:2002 +Computer: %computer_name% +User:N/A +Description:Monitoring plan: %Event_Log_Manager_monitoring_plan_name% +The following error has occurred while processing '%computer_name%': +Unable to open the Event Log Compression Service. +Error details: Access is denied. +``` + +## Causes + +- The data collection account used does not have sufficient permissions to collect data. +- The data collection account password is incorrect. + +## Resolution + +- Configure the permissions for the data collection account used in the Event Log Manager. For additional information, refer to the following article: Windows Server — Permissions for Windows Server Auditing. +- Configure the password for your data collection account in Event Log Manager. Refer to the following article for additional information: [Failed Logon Attempts after Recent Service Account Password Change](/docs/kb/auditor/failed-logon-attempts-after-recent-service-account-password-change.md). 
+ +## Related articles + +- Windows Server — Permissions for Windows Server Auditing — 10.6 +- [Failed Logon Attempts after Recent Service Account Password Change](/docs/kb/auditor/failed-logon-attempts-after-recent-service-account-password-change.md) diff --git a/docs/kb/auditor/account-and-password-expiration-mismatch-in-netwrix-auditor-password-expiration-notifier.md b/docs/kb/auditor/account-and-password-expiration-mismatch-in-netwrix-auditor-password-expiration-notifier.md new file mode 100644 index 0000000000..ec0637055a --- /dev/null +++ b/docs/kb/auditor/account-and-password-expiration-mismatch-in-netwrix-auditor-password-expiration-notifier.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Explains why Netwrix Password Reset reports can show accounts expiring sooner + than Active Directory and how to include or exclude expiring accounts from + reports. +keywords: + - password expiration + - account expiration + - Active Directory + - Netwrix Password Reset + - accountExpires + - expiring accounts + - report settings + - PEN +products: + - auditor +sidebar_label: Account and Password Expiration Mismatch in Netwri +tags: [] +title: "Account and Password Expiration Mismatch in Netwrix Password Reset" +knowledge_article_id: kA04u00000111FiCAI +--- + +# Account and Password Expiration Mismatch in Netwrix Password Reset + +## Question + +Reports in Netwrix Password Reset (PEN) state users are to expire sooner than what is stated in Active Directory. What could be causing this? + +## Answer + +Password Expiration Notifier may include data on expiring accounts, if enabled. If the account is to expire sooner than the password, the account expiration date will be stated in the report instead of the password expiration date. Refer to the following steps to either track both expiring passwords and accounts or disable the option to track expiring accounts: + +1. In your **Start** menu, select **Netwrix Password Reset**. +2. Select the monitoring plan, and click **Edit**. +3. Select the **Advanced** tab, and either check or uncheck the **Include data on expiring accounts**. +4. The next report will be affected. + +![Include data on expiring accounts](images/ka04u00000117wO_0EM4u000008MQhR.png) + +To verify the account expiration date, refer to the following steps: + +1. Open **Active Directory Users and Computers** either via **Server Manager** > **Tools**, or the Search bar. +2. Right-click the user, and select **Properties**. +3. The account expiration date is provided in the **Account** tab > **Account expires**, and the **Attribute Editor** tab > `accountExpires` attribute. 
+ +![Account expires and accountExpires attribute](images/ka04u00000117wO_0EM4u000008MQmb.png) + +### Related articles + +- [How Long Until My Password Expires? ⸱ Microsoft 🙅](https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/scripting-articles/ms974598(v=msdn.10)?redirectedfrom=MSDN) diff --git a/docs/kb/auditor/account-is-not-shown-in-a-report-after-netwrix-inactive-users-tracker-resets-its-password.md b/docs/kb/auditor/account-is-not-shown-in-a-report-after-netwrix-inactive-users-tracker-resets-its-password.md new file mode 100644 index 0000000000..0349cb3410 --- /dev/null +++ b/docs/kb/auditor/account-is-not-shown-in-a-report-after-netwrix-inactive-users-tracker-resets-its-password.md 
@@ -0,0 +1,26 @@ +--- +description: Explains why an account that had its password reset by Netwrix Inactive + Users Tracker does not appear in the next report and where the product stores a + list of reset accounts. +keywords: +- inactive users +- password reset +- Inactive users.txt +- Netwrix Inactive Users Tracker +- report +- C:ProgramDataNetWrixInactive Users Tracker +products: +- auditor +sidebar_label: Account is not shown in a report after Netwrix... +tags: [] +title: "Account is not shown in a report after Netwrix Inactive Users Tracker resets its password" +knowledge_article_id: kA00g000000H9TuCAK +--- + +# Account is not shown in a report after Netwrix Inactive Users Tracker resets its password + +I have received a report from Netwrix Inactive Users Tracker, and it says that the password of the inactive user had been reset. But why cannot I find this user in the next report? + +--- + +After a password has been reset, the account is added to the `Inactive users.txt` file stored at `C:ProgramDataNetWrixInactive Users Tracker`. This happens to prevent automatic changing of the inactive user password every time the product runs. This user account will be shown in a report next time when any new action is performed on it (such as move to OU, disable and so on). diff --git a/docs/kb/auditor/account-lockout-events-for-domain-administrator-account.md b/docs/kb/auditor/account-lockout-events-for-domain-administrator-account.md new file mode 100644 index 0000000000..97dc4415be --- /dev/null +++ b/docs/kb/auditor/account-lockout-events-for-domain-administrator-account.md 
@@ -0,0 +1,30 @@ +--- +description: >- + Explains why Netwrix Auditor may report "User Account Locked Out" for a domain + administrator account that cannot actually be locked out, and why such events + are included in reports and alerts. +keywords: + - account lockout + - domain administrator + - false lockout + - Netwrix Auditor + - lockout events + - Windows + - account policies + - reports + - alerts +products: + - auditor +sidebar_label: Account lockout events for domain administrator ac +tags: [] +title: "Account lockout events for domain administrator account" +knowledge_article_id: kA00g000000H9UlCAK +--- + +# Account lockout events for domain administrator account + +I get a report showing a change with details: “User Account Locked Out” for the domain administrator account that cannot be locked out. What does this change mean? + +--- + +The domain administrator account cannot be locked out. Windows may generate "false" lockout events triggered by changes that could potentially cause this account lockout based on your account policies. The event is generated as a result of the actions that were performed on the domain administrator account, for example when someone entered the domain administrator’s password incorrectly several times in a row. Netwrix Auditor includes "false" lockout events in reports and alerts since they cannot be differentiated from "real" lockouts. diff --git a/docs/kb/auditor/account-lockout-examiner-generates-excessive-traffic-in-the-network.md b/docs/kb/auditor/account-lockout-examiner-generates-excessive-traffic-in-the-network.md new file mode 100644 index 0000000000..887e7880e6 --- /dev/null +++ b/docs/kb/auditor/account-lockout-examiner-generates-excessive-traffic-in-the-network.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Explains how to reduce network bandwidth usage by changing how Netwrix Account + Lockout Examiner collects events and how to disable workstation examination. +keywords: + - account lockout + - lockout examiner + - bandwidth + - registry + - HKLM + - Netwrix + - workstations + - WMI + - UseWatcher + - readlog +products: + - auditor +sidebar_label: Account Lockout Examiner generates excessive traff +tags: [] +title: "Account Lockout Examiner generates excessive traffic in the network" +knowledge_article_id: kA00g000000H9cACAS +--- + +# Account Lockout Examiner generates excessive traffic in the network + +Netwrix Account Lockout Examiner gets information from Windows security logs. The product connects to domain controllers (DCs) to find lockout events. Then it connects to workstations to find detailed information about the invalid logon attempts, which caused the lockouts. When the product is configured to monitor all DCs in your domain, it establishes connections with all DCs as well as their subject workstations. + +## To reduce the bandwidth usage + +1. Run Registry Editor: navigate to **Start** > **Run**, type in `regedit` and click **OK**. +2. Navigate to `HKLMSoftware[Wow6432Node]NetWrixAccount Lockout Examiner (Wow6432Node only for x64 OS).` +3. Set `readlog` to `0`. +4. Create a new DWORD value `UseWatcher` and set its value to `1`. +5. Set `UseWMI_Workstations` to `1` +6. Restart Netwrix Account Lockout Examiner Service via the **Services** snap-in. + +This will change method of event collection and should reduce bandwidth utilization. + +There is also an option to disable examination of workstations. In this case name of the process that cause invalid logon will never be shown.. + +## To disable examination of workstations + +1. Run Registry Editor: navigate to **Start** > **Run**, type in `regedit` and click **OK**. +2. 
Navigate to `HKLMSoftware[Wow6432Node]NetWrixAccount Lockout Examiner (Wow6432Node only for x64 OS).` +3. Create a new DWORD value `PF_Enabled` and set its value to `0`. +4. Restart Netwrix Account Lockout Examiner Service via the **Services** snap-in. + +![User-added image](images/ka04u000000HcUv_0EM700000004wr4.png) diff --git a/docs/kb/auditor/account-lockout-examiner-works-very-slowly.md b/docs/kb/auditor/account-lockout-examiner-works-very-slowly.md new file mode 100644 index 0000000000..495b60159d --- /dev/null +++ b/docs/kb/auditor/account-lockout-examiner-works-very-slowly.md @@ -0,0 +1,38 @@ +--- +description: >- + Resolve slow performance in Netwrix Account Lockout Examiner by stopping the + service, removing stale XML files, and restarting the service. +keywords: + - account lockout + - performance + - ALEService.exe + - allinfo.xml + - inv_logon.xml + - readEvents.xml + - sessions.xml + - Netwrix + - troubleshooting +products: + - auditor +sidebar_label: Account Lockout Examiner works very slowly +tags: [] +title: "Account Lockout Examiner works very slowly" +knowledge_article_id: kA00g000000H9dZCAS +--- + +# Account Lockout Examiner works very slowly + +To address the slow performance issue, perform the following steps: + +1. Stop the Netwrix Account Lockout Examiner service via the **Services snap-in**. If the service fails to stop, kill the `ALEService.exe` process via **Task Manager**. +2. Go to the **Account Lockout Examiner installation directory**. +3. Delete or rename the following files: + - `allinfo.xml` + - `inv_logon.xml` + - `readEvents.xml` + - `sessions.xml` + + **NOTE**: This will remove info about all old lockouts from Account Lockout Examiner. Backup this files if you need them for the further access. +4. Start Netwrix Account Lockout Examiner Service + +[![User-added image](images/ka04u000000HcWK_0EM700000004wmE.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAbJ&feoid=00N700000032Pj2&refid=0EM700000004wmE) 
diff --git a/docs/kb/auditor/account-lockouts-are-displayed-with-delay.md b/docs/kb/auditor/account-lockouts-are-displayed-with-delay.md new file mode 100644 index 0000000000..e74c22e571 --- /dev/null +++ b/docs/kb/auditor/account-lockouts-are-displayed-with-delay.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Explains why account lockouts may appear with a delay in NetWrix Account + Lockout Examiner and how to resolve the issue by monitoring all domain + controllers and changing event processing settings. +keywords: + - account lockout + - ALE + - Account Lockout Examiner + - delay + - domain controller + - PDC + - replication + - event processing + - registry + - UseWatcher +products: + - auditor +sidebar_label: Account lockouts are displayed with delay +tags: [] +title: "Account lockouts are displayed with delay" +knowledge_article_id: kA00g000000H9cBCAS +--- + +# Account lockouts are displayed with delay + +It takes a long time for account lockouts to be reflected in NetWrix Account Lockout Examiner (ALE). + +--- + +This might happen if ALE is set to monitor the Primary Domain Controller (PDC) only. If an account gets locked on a different domain controller, it takes time for the lockout event to replicate to the PDC, and this causes the delay. + +Another possible reason is very high activity in your domain that generates more events per second than the product can handle. As a result an event queue and a delay occurs. + +--- + +## Resolution + +To fix the issue, set the product to monitor all DCs in the monitored domain and change event processing method. + +### Monitor all domain controllers + +To change to all DCs mode, perform the following steps: + +1. In NetWrix Account Lockout Examiner navigate to **File > Settings > Managed Objects**. +2. Select your domain and click **Edit**. +3. Select **All DCs** radio button and click **OK** to save the changes. + +![User-added image](images/ka04u000000HcUw_0EM700000004wlz.png) + +### Change event processing method + +1. Open the Registry Editor (navigate to **Start > Run** and type `regedit`). +2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\NetWrix\Account Lockout Examiner` (use `Wow6432Node` only for x64 OS). +3. Locate the `readlog` key and set its value to `0`. +4. 
Create a new value called `UseWatcher`, set its type to `DWORD` and value to `1`. +5. Restart NetWrix Account Lockout Examiner Service via `services.msc`. + +![User-added image](images/ka04u000000HcUw_0EM700000004wm4.png) diff --git a/docs/kb/auditor/active-directory-compression-service-continuously-starting-and-stopping.md b/docs/kb/auditor/active-directory-compression-service-continuously-starting-and-stopping.md new file mode 100644 index 0000000000..993dc8e02a --- /dev/null +++ b/docs/kb/auditor/active-directory-compression-service-continuously-starting-and-stopping.md @@ -0,0 +1,34 @@ +--- +description: >- + Explains why the Active Directory Compression Service starts and stops every + 60 seconds and why Event ID 7036 entries appear; confirms this is expected + Windows behavior that cannot be suppressed. +keywords: + - Active Directory + - Compression Service + - Event ID 7036 + - Windows System + - service start stop + - event logs + - expected behavior +products: + - auditor +sidebar_label: 'Active Directory Compression Service Continuously ' +tags: [] +title: "Active Directory Compression Service Continuously Starting and Stopping" +knowledge_article_id: kA04u0000000HjzCAE +--- + +# Active Directory Compression Service Continuously Starting and Stopping + +## Symptoms +You may see the following symptoms in your environment: + +- The **Active Directory Compression Service** starts and stops every 60 seconds. +- There are many events with `Event ID 7036` stating that the **Active Directory Compression Service** entered the Started or Stopped state. + +## Cause +Windows generates these events as they are hard coded into the Windows System. + +## Resolution +This notification is expected behavior. If you see these information messages, it means that the Active Directory collection works correctly. Unfortunately, these notifications cannot be stopped as they are hard coded into the Windows System, and it is Windows that generates these events. 
diff --git a/docs/kb/auditor/active-directory-exchange-and-group-policy-changes-reported-as-made-by-system.md b/docs/kb/auditor/active-directory-exchange-and-group-policy-changes-reported-as-made-by-system.md new file mode 100644 index 0000000000..8109a11ac2 --- /dev/null +++ b/docs/kb/auditor/active-directory-exchange-and-group-policy-changes-reported-as-made-by-system.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Lists common Active Directory, Exchange, and Group Policy changes that Netwrix + Auditor may report as performed by System, with links to related KB articles. +keywords: + - Active Directory + - Exchange + - Group Policy + - System + - Netwrix Auditor + - alerts + - duplicate changes + - workstation + - service principal +products: + - auditor +sidebar_label: 'Active Directory, Exchange and Group Policy Change' +tags: [] +title: 'Active Directory, Exchange and Group Policy Changes Reported as Made by System' +knowledge_article_id: kA00g000000H9SmCAK +--- + +# Active Directory, Exchange and Group Policy Changes Reported as Made by System + +This article contains references to the most popular Active Directory, Exchange, and Group Policy changes which may be reported as made by **System** by Netwrix Auditor: + +- [Who Changed Shows System for Real Time Alerts](/docs/kb/auditor/alert-reported-change-made-by-system.md). +- [System Changed Object Path after Account Name Change](/docs/kb/auditor/system-changed-object-path-after-account-name-change.md). +- [System Changed Client Operating System](/docs/kb/auditor/system-changed-client-operating-system.md). +- [Active Directory Changes Duplicated in Reports with System and Unknown](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA00g000000H9RyCAK.html). +- [System Changed Directory Objects for Foreign Security Principals](/docs/kb/auditor/system-changed-directory-objects-for-foreign-security-principals.md). +- Workstation Field Reported as Unknown. +- [Duplicate Configuration and Schema Changes for All Monitored Domains in Forest Made by System](/docs/kb/auditor/duplicate-configuration-and-schema-changes-for-all-monitored-domains-in-forest-made-by-system.md). +- [System Changed Service Principle Name Attribute](/docs/kb/auditor/system-changed-service-principle-name-attribute.md). 
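Review bot: In the bullet list of active-directory-exchange-and-group-policy-changes-reported-as-made-by-system.md, "Workstation Field Reported as Unknown." is the only entry with no link, and the "Active Directory Changes Duplicated in Reports with System and Unknown" entry points at helpcenter.netwrix.com while every other entry uses an in-repo /docs/kb/auditor/ path. Link both to their migrated articles, or drop the unlinked item until its target exists. The last entry's link text should read "Service Principal Name", and `sidebar_label` is cut off at "Change".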
diff --git a/docs/kb/auditor/active-directory-object-restore.md b/docs/kb/auditor/active-directory-object-restore.md new file mode 100644 index 0000000000..511b2506c0 --- /dev/null +++ b/docs/kb/auditor/active-directory-object-restore.md @@ -0,0 +1,47 @@ +--- +description: >- + Explains what the Netwrix Active Directory Object Restore tool can and cannot + recover, the account requirements for recovery, and related documentation + links. +keywords: + - Active Directory + - object restore + - Netwrix Auditor + - AD Tombstone + - GPO + - OU + - forest + - domain +products: + - auditor +sidebar_label: Active Directory Object Restore +tags: [] +title: "Active Directory Object Restore" +knowledge_article_id: kA00g000000H9UxCAK +--- + +# Active Directory Object Restore + +## Question + +Can Netwrix Active Directory Object Restore restore and recover the following? + +- AD Group Policy Objects +- OU hierarchy +- Complete AD Forest +- Complete AD Domain +- Changed AD Object attributes + +## Answer + +The Netwrix Active Directory Object Restore tool recovers removed Active Directory objects from the Netwrix Auditor snapshots or AD Tombstones and does not depend on the functional level of the Active Directory. The tool does not recover DNS zones into Active Directory. If you change some attribute values in the Configuration or Schema, the tool can restore them using the data collected by Netwrix Auditor earlier. + +The account used for recovery and restore is the same account used for data collection in your Netwrix Auditor Active Directory monitoring plan. + +
![Active](images/servlet_image_3823966b1661.png)
+ +> **NOTE:** This tool should **NOT** be used to revert the changes caused by raising the forest functional level. For additional information, refer to the following article: Object Restore for Active Directory. + +## Related Link + +- Object Restore for Active Directory diff --git a/docs/kb/auditor/active_directory_collection_jobs_do_not_run_with_gmsa.md b/docs/kb/auditor/active_directory_collection_jobs_do_not_run_with_gmsa.md new file mode 100644 index 0000000000..4bab94915e --- /dev/null +++ b/docs/kb/auditor/active_directory_collection_jobs_do_not_run_with_gmsa.md 
@@ -0,0 +1,46 @@ +--- +description: >- + This article explains the symptoms, causes, and resolutions for issues related to running Active Directory collection jobs with group Managed Service Accounts (gMSA) in Netwrix Access Analyzer. +keywords: + - Active Directory + - gMSA + - Netwrix Access Analyzer + - collection jobs + - authentication +sidebar_label: Active Directory Collection Jobs with gMSA +tags: [] +title: "Active Directory Collection Jobs Do Not Run with gMSA" +knowledge_article_id: kA0Qk0000002vi9KAA +products: + - auditor +--- + +# Active Directory Collection Jobs Do Not Run with gMSA + +## Symptom + +When you attempt to run the **Active Directory\4. Group Policy** or **Active Directory\5. Domains** collection jobs in Netwrix Access Analyzer (formerly Enterprise Auditor) using a group Managed Service Account (gMSA), the jobs fail to start and report one of the following error messages: + +- `Access Denied` +- `Cannot Connect` +- `Unspecified Error` + +## Cause + +gMSAs do not expose a usable password for network logon or LDAP binds, nor do they support credential delegation for impersonation. As a result, some data collectors cannot authenticate or establish the required sessions when configured with a gMSA. + +## Resolution + +gMSAs are not supported for the **Active Directory\4. Group Policy** or **Active Directory\5. Domains** collection jobs. The following data collectors will fail when configured with direct gMSA credentials: + +- **Group Policy DC** +- **LDAP DC** +- **Registry DC** +- **ActiveDirectory DC** +- **SmartLog DC** + +To run these collections successfully, configure and use a standard domain user account that has the necessary permissions for each target system. For details on the least-privilege permissions model, see: [Active Directory Auditing Least Privilege Model Permissions](/docs/accessanalyzer/12.0/activedirectory/access). 
+ +## Related Link + +- [Active Directory Auditing Least Privilege Model Permissions](/docs/accessanalyzer/12.0/activedirectory/access) \ No newline at end of file diff --git a/docs/kb/auditor/activity_summary_emails_contain_.zip_files.md b/docs/kb/auditor/activity_summary_emails_contain_.zip_files.md new file mode 100644 index 0000000000..976db0238b --- /dev/null +++ b/docs/kb/auditor/activity_summary_emails_contain_.zip_files.md @@ -0,0 +1,29 @@ +--- +description: >- + This article explains the behavior of Activity Summary emails containing compressed attachments and the conditions under which they are sent. +keywords: + - Activity Summary + - compressed attachments + - monitoring plan +sidebar_label: Activity Summary Emails +tags: [] +title: "Activity Summary Emails Contain .zip Files" +knowledge_article_id: kA0Qk0000000KwPKAU +products: + - auditor +--- + +# Activity Summary Emails Contain .zip Files + +## Question + +Activity Summary emails include compressed attachments while attachments are disabled in the monitoring plan settings. Should this behavior be expected? + +## Answer + +The amount of activity records in an Activity Summary email may vary depending on your environment and the monitoring scope of the affected monitoring plan. Compressed attachments are used to optimize daily emails containing Activity Records for the corresponding monitoring plan—this behavior is expected with the following limitations enforced: + +- The email will include an attachment in case the amount of Activity Records in the Summary exceeds 3000. +- The email will include an attachment in case the email size exceeds 10 MB. + +You can select the **Attach Activity Summary as a CSV file** option in the affected monitoring plan settings to receive an uncompressed `.csv` file instead. \ No newline at end of file 
diff --git a/docs/kb/auditor/ad-hoc-and-email-reports-shows-different-results-in-one-way-trust-forests-environment.md b/docs/kb/auditor/ad-hoc-and-email-reports-shows-different-results-in-one-way-trust-forests-environment.md new file mode 100644 index 0000000000..76c8fa1ebd --- /dev/null +++ b/docs/kb/auditor/ad-hoc-and-email-reports-shows-different-results-in-one-way-trust-forests-environment.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Explains why Password Expiration email reports and Ad-hoc reports can show + different user counts in one-way-trust forest environments and how to grant + the Data Processing Account read access to the Password Settings Container. +keywords: + - password expiration + - ad-hoc report + - one-way trust + - Password Settings Container + - ADSI Edit + - Data Processing Account + - Fine Grained Password Policy + - PSO + - Netwrix Auditor +products: + - auditor +sidebar_label: Ad-Hoc and Email reports shows different results i +tags: [] +title: "Ad-Hoc and Email reports shows different results in one-way-trust forests environment" +knowledge_article_id: kA00g000000H9Z0CAK +--- + +# Ad-Hoc and Email reports shows different results in one-way-trust forests environment + +Password Expiration email report (being delivered automatically) and Ad-hoc report (generated manually) provide a different number of user accounts in the following operating environment: + +## Environment +- Netwrix Auditor is configured to monitor password expirations in a domain which belongs to the forest with one-way trusts established. +- The password policy in the target domain is set granularly by using the Fine Grained Password Policy (FGP). +- Netwrix Auditor is set to report on users with Fine Grained Policy Settings (the **Only report on users with Fine Grained Policy Settings** checkbox is checked). + +--- + +This could happen because the Data Processing Account that is being used to collect data does not have enough permissions to read the Password Settings Container from the target domain. While the Ad-Hoc is being run under a different account which can read the Password Settings Container + +--- + +## To check Data Processing Account permissions +To check if the Data Processing Account has enough permissions please perform the following steps: + +1. 
Run ADSI Edit as the Data Processing Account (refer to the KB if you need to install ADSI Edit utility): https://kb.netwrix.com/743 +2. Connect to the target domain Default Naming Context. +3. Navigate to the `CN=System`. +4. Try to open `CN=Password Settings Container` and read the PSO. + +If you do not see the `CN=Password Settings Container` under the `CN=System` node or cannot read the properties this indicates Data Processing Account does have read rights (see the screenshot below: the account does not have rights to access the Password Settings Container). + +![User-added image](images/ka04u000000HcS1_0EM700000007Jf8.png) + +## To provide read permissions to the Data Processing Account +1. Run ADSI Edit as a domain Administrator. +2. Connect to the target domain Default Naming Context. +3. Navigate to the `CN=System`. +4. Right-click `CN=Password Settings Container`, select **Properties**, go to the **Security** tab and add the Data Processing Account and specify Read permissions. + +Once the read permission for the Data Processing Account is set, verify the access by opening the `CN=Password Settings Container` properties with the Data Processing Account. This time you should be able to see `CN=Password Settings Container` under the `CN=System` node and read its properties (see the screenshot below). + +![User-added image](images/ka04u000000HcS1_0EM700000007JfD.png) diff --git a/docs/kb/auditor/additional-audit-details-how-it-works.md b/docs/kb/auditor/additional-audit-details-how-it-works.md new file mode 100644 index 0000000000..38e07fc57f --- /dev/null +++ b/docs/kb/auditor/additional-audit-details-how-it-works.md 
@@ -0,0 +1,74 @@ +--- +description: >- + Explains the additional audit details that Netwrix Auditor can + collect—originating workstation and group membership—and lists the reports + that include these details, plus configuration considerations for Security + event log and Audit logon events. +keywords: + - Active Directory + - Exchange + - Group Policy + - originating workstation + - Security event log + - group membership + - reports + - Netwrix Auditor + - Audit logon events +products: + - auditor +sidebar_label: 'Additional Audit Details: How it Works' +tags: [] +title: 'Additional Audit Details: How it Works' +knowledge_article_id: kA00g000000H9SBCA0 +--- + +# Additional Audit Details: How it Works + +Netwrix Auditor provides reports on Active Directory, Exchange Server and Group Policy changes with extended audit data. When a new Managed Object is created, you are prompted to select whether you want to collect the following additional audit details from the monitored domain: + +- Originating workstation +- Group membership + +If these options are enabled, additional events are written to the Security event log. Note that this may lead to data overwrites. To prevent data loss it is recommended to configure the maximum size and retention settings of the Security event log as described in the Netwrix Auditor Installation and Configuration Guide: https://www.netwrix.com/download/documents/Netwrix_Auditor_Installation_Configuration_Guide.pdf + +## 1. Reports With Originating Workstation + +Netwrix Auditor contains a number of reports on Active Directory, Exchange Servers and Group Policy changes that, in addition to the standard WHO, WHAT, WHERE and WHEN fields, provide the information on the originating workstation, that is the name of the computer where the user was logged on when they made the change. 
+ +The following reports with the **Workstation** field are available for each audited system: + +### Active Directory +- All Active Directory Changes by Groups With Originating Workstation +- All Active Directory Changes by Object Type With Originating Workstation +- All Active Directory Changes by User With Originating Workstation + +### Exchange Servers +- All MS Exchange Changes by Groups With Originating Workstation +- All MS Exchange Changes by Object Type With Originating Workstation +- All MS Exchange Changes by Server With Originating Workstation +- All MS Exchange Changes by User With Originating Workstation + +### Group Policy +- All Group Policy Changes by Groups With Originating Workstation +- All Group Policy Changes With Originating Workstation + +If the **Originating workstation** option is enabled, the **Workstation** field under each change in these reports contains the name/IP address and the MAC address of the computer from which the change was made. + +**NOTE:** For the product to be able to collect the information on the originating workstation, you must configure the Audit logon events policy. If automatic audit configuration is enabled, this setting is adjusted automatically. For instructions on how to configure it manually, refer to the Netwrix Auditor Installation and Configuration Guide: https://www.netwrix.com/download/documents/Netwrix_Auditor_Installation_Configuration_Guide.pdf + +## 2. Reports With Data Filtering by Groups + +If the **Group membership** option is enabled, the product will collect the information on the group membership of the users who make the changes. This information can be used to apply filters to the collected audit data and get the information on changes performed by members of specific groups only. 
+ +This functionality is available in the following reports for each audited system: + +### Active Directory +- All Active Changes by Groups With Originating Workstation + +### Exchange Servers +- All MS Exchange Changes by Group With Originating Workstation + +### Group Policy +- All Group Policy Changes by Groups With Originating Workstation + +By default, these reports show all changes to the monitored environment grouped by the groups to which users who made the changes belong. If you want to get the information on the changes performed by members of a specific group, select this group (or several groups) in the corresponding filter, and the report will return data on the changes performed only by members of the selected. diff --git a/docs/kb/auditor/administrator-audit-logging-aal-configuration-details.md b/docs/kb/auditor/administrator-audit-logging-aal-configuration-details.md new file mode 100644 index 0000000000..94aa43831e --- /dev/null +++ b/docs/kb/auditor/administrator-audit-logging-aal-configuration-details.md 
@@ -0,0 +1,105 @@ +--- +description: >- + Explains why and how to enable Administrator Audit Logging (AAL) on Exchange + servers for Netwrix Auditor, including the required commands and details about + excluded cmdlets. +keywords: + - AAL + - Administrator audit logging + - Exchange + - Netwrix Auditor + - Set-AdminAuditLogConfig + - SetAALExcludedCmdlets + - AdminAuditLogs + - arbitration mailbox +products: + - auditor +sidebar_label: Administrator Audit Logging (AAL) configuration de +tags: [] +title: "Administrator Audit Logging (AAL) configuration details" +knowledge_article_id: kA00g000000H9SDCA0 +--- + +# Administrator Audit Logging (AAL) configuration details + +**Q:** Why do you need to enable AAL (Administrator audit logging) on your Exchange servers? +**A:** AAL is one of the necessary components which must be enabled for successful auditing by Netwrix Auditor for Exchange. Netwrix Auditor uses AAL data to identify an account which made a change in Exchange 2010+ server configuration. When AAL is not configured, Netwrix Auditor detects changes (which were made on Exchange servers) but includes “System” as WHO CHANGED instead of the real account name. + +**Q:** How does administrator audit logging work? +**A:** Please refer to the following Microsoft KB article: https://learn.microsoft.com/en-us/exchange/policy-and-compliance/admin-audit-logging/admin-audit-logging + +**Q:** How does Netwrix Auditor for Exchange deal with Exchange servers after the AAL is configured? +**A:** Netwrix Auditor reads the AAL mailbox on specified Exchange servers. Considering the fact AAL data is being replicated within its exchange organization, Netwrix Auditor needs to connect to just one Exchange server. The server which will be used to read AAL data can be specified manually. + +**Q:** What is the command we need to run to enable and configure AAL consist of? What does it do? +**A:** To enable and configure AAL you need to run 2 commands: + +1. 
Exchange 2010: + ```powershell + Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit 30 -AdminAuditLogCmdlets * + ``` + + Exchange 2013+: + ```powershell + Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit 30 -AdminAuditLogCmdlets * -LogLevel Verbose + ``` + + - `Set-AdminAuditLogConfig` cmdlet is being used to configure the administrator audit logging configuration settings + - `AdminAuditLogEnabled` cmdlet with ` $true` parameter enables the administrator audit logging + - `AdminAuditLogAgeLimit ` cmdlet with `30` parameter specifies how long audit log entries will be retained (30 days in our case) + - `AdminAuditLogCmdlets ` cmdlet determines which cmdlets will be audited. Running this cmdlet with `* ` parameter we configuring administrator audit logging to audit all cmdlets + - **LogLevel** cmdled determines the level of detalization for generated logs. With **Verbose** Exchange also logs previous values of any changed attributes. + + For more details regarding these cmdlets please refer to the same article: https://learn.microsoft.com/en-us/exchange/policy-and-compliance/admin-audit-logging/admin-audit-logging + +2. `SetAALExcludedCmdlets.ps1` + + This command runs `SetAALExcludedCmdlets.ps1` cmdlet which is located in the Active Directory Auditing subfolder of the Netwrix Auditor installation directory. 
`SetAALExcludedCmdlets.ps1` cmdlet excludes the following cmdlets from being audited (these cmdlets are being used very often and are not important for auditing): + + - `*-InboxRule` + http://technet.microsoft.com/en-us/library/dd335170%28v=exchg.150%29.aspx + http://technet.microsoft.com/en-us/library/dd351272%28v=exchg.141%29.aspx + http://technet.microsoft.com/en-us/library/dd351062%28v=exchg.150%29.aspx + http://technet.microsoft.com/en-us/library/dd351089%28v=exchg.150%29.aspx + + - `*-MailboxAutoReplyConfiguration` + http://technet.microsoft.com/en-us/library/dd638217%28v=exchg.150%29.aspx + http://technet.microsoft.com/en-us/library/dd638081%28v=exchg.150%29.aspx + + - `Set-MailboxAuditBypassAssociation` + http://technet.microsoft.com/en-us/library/ff696758%28v=exchg.141%29.aspx + + - `Set-MailboxAutoReplyConfiguration` + http://technet.microsoft.com/en-us/library/dd638217%28v=exchg.141%29.aspx + + - `Set-MailboxCalendarConfiguration` + http://technet.microsoft.com/en-us/library/dd335075%28v=exchg.141%29.aspx + + - `Set-MailboxCalendarFolder` + http://technet.microsoft.com/en-us/library/dd298124%28v=exchg.141%29.aspx + + - `Set-MailboxFolderPermission` + http://technet.microsoft.com/en-us/library/ff522363%28v=exchg.141%29.aspx + + - `Set-MailboxJunkEmailConfiguration` + http://technet.microsoft.com/en-us/library/dd979780%28v=exchg.141%29.aspx + + - `Set-MailboxMessageConfiguration` + http://technet.microsoft.com/en-us/library/dd638117%28v=exchg.141%29.aspx + + - `Set-MailboxRegionalConfiguration` + http://technet.microsoft.com/en-us/library/dd351103%28v=exchg.141%29.aspx + + - `Set-MailboxSpellingConfiguration` + http://technet.microsoft.com/en-us/library/dd298020%28v=exchg.141%29.aspx + +**Q:** Can we enable administrator audit logging on just one Exchange server? 
+**A:** Administrator audit logging is being enabled against all Exchange servers (because Exchange configuration is being shared between all Exchange servers in the Exchange organization) in the managed Exchange organizations. To collect the administrator audit logging data, Netwrix Auditor needs to access just one dedicated Exchange server. + +**Q:** How will enabling administrator audit logging affect Exchange servers performance? +**A:** By default, the admin audit log is enabled in Exchange Server 2010 and newer. The log results are stored in the arbitration mailbox in the AdminAuditLogs folder. If cmdlets are executed in the Exchange Management Shell frequently, multiple log entries are generated, and may cause the size of the database to grow quickly. For more details please refer to the following Microsoft KB article: https://learn.microsoft.com/en-us/exchange/policy-and-compliance/admin-audit-logging/admin-audit-logging + +Please note: while configuring administrator audit logging we exclude several particular cmdlets by running `SetAALExcludedCmdlets.ps1` command (see above command # 2) which decreases the number of auditing records and helps to hold the database size under control. + +**Q:** Can we review the administrator audit logging content? +**A:** Yes. Please please refer to the following Microsoft KB article: https://learn.microsoft.com/en-us/exchange/policy-and-compliance/admin-audit-logging/admin-audit-logging diff --git a/docs/kb/auditor/ale-service-is-unable-to-start-during-installation.md b/docs/kb/auditor/ale-service-is-unable-to-start-during-installation.md new file mode 100644 index 0000000000..13cdb8f4d8 --- /dev/null +++ b/docs/kb/auditor/ale-service-is-unable-to-start-during-installation.md 
@@ -0,0 +1,41 @@ +--- +description: >- + During installation of NetWrix Account Lockout Examiner on Windows 2003, the + ALE service (ALService) may fail to start with an insufficient permissions + error. This article explains the cause and steps to resolve the issue. +keywords: + - NetWrix Account Lockout Examiner + - ALService + - ALE service + - Windows 2003 + - .NET 3.5 SP1 + - service failed to start + - insufficient permissions +products: + - auditor +sidebar_label: ALE service is unable to start during installation +tags: [] +title: "ALE service is unable to start during installation" +knowledge_article_id: kA00g000000H9YCCA0 +--- + +# ALE service is unable to start during installation + +During installation of NetWrix Account Lockout Examiner on **Windows 2003**, a "Service 'NetWrix Account Lockout Examiner' (ALService) failed to start" message is received that the service cannot be started due to insufficient permissions. The account in use is a domain admin. + +![User-added image](images/ka04u000000HcRH_0EM700000004wmJ.png) + +## Cause + +NetWrix Account Lockout Examiner uses .NET Framework and requires .NET 3.5 SP1. +The message appears if only NET 3.5 is installed. + +## Resolution + +1. Make sure that .NET Framework 3.5 SP1 is installed. +2. If it is installed, reinstall it or upgrade to .NET 4. + +Also: +1. Verify that the account specified during installation is a local admin. +2. Check that there are no restrictive policies for this account to run services. +3. Try entering another local admin or domain admin account during the installation. diff --git a/docs/kb/auditor/alert-reported-change-made-by-system.md b/docs/kb/auditor/alert-reported-change-made-by-system.md new file mode 100644 index 0000000000..9aed1a1cd4 --- /dev/null +++ b/docs/kb/auditor/alert-reported-change-made-by-system.md 
@@ -0,0 +1,36 @@ +--- +description: >- + Explains why an alert email may show "System" in the WHO field and how Netwrix + Auditor later populates WHO and WHEN data from security event logs for daily + reports and SQL reports. +keywords: + - System + - WHO field + - alert email + - Activity Summary + - security event log + - WHEN field + - Netwrix Auditor + - data collection +products: + - auditor +sidebar_label: Alert Reported Change Made by System +tags: [] +title: "Alert Reported Change Made by System" +knowledge_article_id: kA00g000000H9S1CAK +--- + +# Alert Reported Change Made by System + +## Question + +Why was System stated in the WHO field in alert email instead of a user? + +## Answer + +Alerts may contain System in the WHO field while daily Activity Summary emails or SQL reports will show the correct user. + +Once a change is received, the WHO or WHEN field might be missing. After collecting the change data, Netwrix Auditor will immediately check for the corresponding event in security event logs to collect WHO and WHEN fields data. Depending on the timing of the change and the collection process, this event might be missing from the security event log, e.g. due to a delayed queue of events written at the time for a particular domain controller. +To ensure timely delivery, the alert is sent out with as much data collected at the time. + +During the next quick data collection Netwrix Auditor will attempt to find the corresponding security event to collect data for missing fields of that change as well as new ones. If your Activity Summary report contains the WHO or WHEN data, the security event was properly written and collected. This won't be reflected in the alert, but data will be present for the activity stated in your daily review or in SQL Server report. 
diff --git a/docs/kb/auditor/an-unknown-file-type-or-a-file-with-a-custom-extension-is-failing-text-extraction.md b/docs/kb/auditor/an-unknown-file-type-or-a-file-with-a-custom-extension-is-failing-text-extraction.md new file mode 100644 index 0000000000..10397c7649 --- /dev/null +++ b/docs/kb/auditor/an-unknown-file-type-or-a-file-with-a-custom-extension-is-failing-text-extraction.md @@ -0,0 +1,31 @@ +--- +description: >- + Shows how to map a custom or incorrect file extension to a known content type + so text extraction succeeds. +keywords: + - text extraction + - file extension + - content type + - Content Type Extension Mappings + - Administration Interface + - Collector service + - Text Processing +products: + - auditor + - data-classification +sidebar_label: An unknown file type or a file with a custom exten +tags: [] +title: "An unknown file type or a file with a custom extension is failing text extraction" +knowledge_article_id: kA00g000000H9e9CAC +--- + +# An unknown file type or a file with a custom extension is failing text extraction + +In some cases **internal** files may have the **wrong extension**, but are a known and supported content type. If that happens, use the following steps to map the **custom extension** to a known **Content Type** so text extraction can succeed. + +1. Navigate to the **Config** section of the **Administration Interface** +2. Expand **Text Processing** +3. Select **Content Type Extension Mappings** +4. Create a new **entry**, mapping the **extension** (such as `".rpt"`) to the correct content type (such as `HTML`) +5. **Restart** the **Collector service** +6. **Re-process** any affected **files** diff --git a/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md b/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md new file mode 100644 index 0000000000..b3b9e6d77a --- /dev/null +++ b/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md 
@@ -0,0 +1,66 @@ +--- +description: >- + Antivirus scanning can interfere with Netwrix Auditor performance and + operations. This article lists the folders and registry locations you should + exclude from antivirus scans to avoid timeouts and resource strain. +keywords: + - Netwrix Auditor + - antivirus + - exclusions + - Long-Term Archive + - DataPathOverride + - performance + - registry + - audited servers +products: + - auditor +sidebar_label: Antivirus Exclusions for Netwrix Auditor +tags: [] +title: "Antivirus Exclusions for Netwrix Auditor" +knowledge_article_id: kA04u0000000HirCAE +--- + +# Antivirus Exclusions for Netwrix Auditor + +## Question + +Should Netwrix Auditor-related folders be excluded from antivirus scans? + +## Answer + +Your antivirus suite can slow down or even prevent correct operation of Netwrix Auditor. Netwrix Auditor writes information in smaller portions at short intervals — an antivirus will attempt to read the entire file looking for threats after each writing session. This considerably slows down processes of Netwrix Auditor as each short writing session is expected to occur frequently, while a full read of a file might take a long time (especially in a larger environment). This might lead to the following issues: + +- Timeouts for larger files, as your antivirus suite might require additional time to check them. +- Additional strain on RAM to suit Auditor needs. +- Additional strain on CPU to suit antivirus needs. +- Issues when upgrading your Netwrix Auditor instance. + +It is strongly recommended that you add the following paths to the list of exclusions for your antivirus: + +### Netwrix Auditor Server + +- **Long-Term Archive** located by default in `C:\ProgramData\Netwrix Auditor\Data`. 
If you've previously changed the default location, you can look it up in Netwrix Auditor settings: + - **Main Netwrix Auditor menu** > **Settings** > **Long-Term Archive** + +- **Netwrix Auditor Working Folder** located by default in `C:\ProgramData\Netwrix Auditor`. If you've previously changed the default location, you can look the **Default** value up in the registry key: + - `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\DataPathOverride` + +- **Netwrix Auditor Installation Folder** located by default in `C:\Program Files (x86)\Netwrix Auditor`. If you've previously changed the default location, you can look the **InstallPath** value up in the registry key: + - `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor` + +### Audited servers + +- `C:\ProgramData\Netwrix Auditor` +- `C:\Windows\SysWOW64\NwxExeSvc` +- `C:\Windows\Netwrix` +- `C:\Windows\Netwrix Auditor` +- `C:\Program Files (x86)\Common Files\Netwrix Auditor` +- `C:\Windows\ADCR_Agent` +- `C:\Program Files (x86)\Netwrix Auditor\Windows Server Compression Service` +- `C:\Program Files\Microsoft SQL Server\MSSQL.MSSQLSERVER\MSSQL` + +### Access Review for Netwrix Auditor + +- `C:\Program Files\Netwrix\Access Information Center\AccessInformationCenter.Service.Exe` + +> **TIP:** Refer to your antivirus documentation for details on how to exclude certain paths from scanning diff --git a/docs/kb/auditor/archive-service-is-busy-processing-activity-records.md b/docs/kb/auditor/archive-service-is-busy-processing-activity-records.md new file mode 100644 index 0000000000..3fa933fbb9 --- /dev/null +++ b/docs/kb/auditor/archive-service-is-busy-processing-activity-records.md 
@@ -0,0 +1,88 @@ +--- +description: >- + Explains why Netwrix Auditor displays "Archive Service is busy processing + activity records" and provides troubleshooting steps for SQL Server and + Long-Term Archive causes. +keywords: + - Archive Service busy + - activity records + - Short-Term Storage + - SQL Server + - Long-Term Archive + - SQL Server Express 10GB + - database statistics + - Netwrix Auditor +products: + - auditor +sidebar_label: Archive Service is Busy Processing Activity Record +tags: [] +title: "Archive Service is Busy Processing Activity Records" +knowledge_article_id: kA04u0000000JuQCAU +--- + +# Archive Service is Busy Processing Activity Records + +## Symptom + +Netwrix Auditor prompts the following error in one of your monitoring plans: + +```text +Data collection has failed. +Error: The Netwrix Auditor Archive Service is busy processing activity records +``` + +## Causes + +Netwrix Auditor collects data faster than it transfers data from the Short-Term Storage to the SQL Server instance or the Long-Term Archive. Refer to the following commonly associated causes: + +- SQL Server-based causes: + - The SQL Server Express database size reached 10 GB. + - SQL Server connection issues. +- Long-Term Archive-based causes: + - Long-Term Archive connection issues. + +> **IMPORTANT:** Netwrix Auditor prompts the error once the amount of Activity Records in the Short-Term Storage has reached 5 million. + +## Troubleshooting + +### SQL Server-based Causes + +Refer to the following steps to troubleshoot the SQL Server-based causes: + +1. Review the **Database Statistics** screen: + 1. In the main Netwrix Auditor screen, select **Health Status** and click **View details** in the **Database Statistics** pane. + 2. Review the database states. If a database state reads **Failed to store data**, review the database details. + + > **IMPORTANT:** The SQL Server Express databases have a 10 GB size limit. 
In case the affected database states **Failed to store data** with the size limit of **10 GB**, refer to the following article: /docs/kb/auditor/sql_server_express_database_size_reached_10gb (SQL Server Express Database Size Reached 10GB). + + 3. If multiple or all databases state **Failed to store data** with no size limits, refer to the following troubleshooting steps. +2. Verify that the SQL Server instance is available. +3. Verify the credentials of the SQL Server instance account: + 1. In the main Netwrix Auditor screen, select **Settings** > **Audit Database**. + 2. Click **Modify** under the **Audit Database Settings** section. + 3. Verify the account credentials and the authentication method. Click **Next** > **Finish** to complete the setup. +4. Optional—Verify the credentials of the custom SQL Server settings for the affected monitoring plan: + 1. In the left pane of the affected monitoring plan, select **Edit settings** under the **Monitoring plan** section. + 2. In the **Audit Database** tab, review the custom connection parameters if set. Verify the authentication method and the credetials used. + 3. Click **Save & Close** to save changes. + +### Long-Term Archive-based Causes + +Refer to the following steps to troubleshoot the Long-Term Archive-based causes: + +1. Verify that the Long-Term Archive can be accessed. Review the Long-Term Archive path in **Settings** > **Long-Term Archive**. +2. If using a custom account to connect to the Long-Term Account, verify the credentials of the account used: + 1. In the main Netwrix Auditor screen, select **Settings** > **Long-Term Archive**. + 2. Click **Modify** under the **Location and Retention Settings** section. + 3. Verify the account credentials. Click **OK** to save the changes. +3. If using a custom account to connect to the Long-Term Account, assign the permissions to the account used. 
Refer to the following article for additional information on required permissions: /docs/auditor/10.6/auditor/requirements (File-Based Repository for Long-Term Archive — Assign Permissions on the Long-Term Archive Folder · v10.6). + +### Other Causes + +Verify that the Audit Database account has the correct permissions—refer to the following article for additional information: /docs/auditor/10.6/auditor/requirements (Requirements for SQL Server to Store Audit Data — Configure Audit Database Account · v10.6). + +## Related Articles + +- /docs/kb/auditor/sql_server_express_database_size_reached_10gb (SQL Server Express Database Size Reached 10GB) +- /docs/auditor/10.6/auditor/requirements (Requirements for SQL Server to Store Audit Data — Configure Audit Database Account · v10.6) +- /docs/auditor/10.6/auditor/requirements (File-Based Repository for Long-Term Archive — Assign Permissions on the Long-Term Archive Folder · v10.6) diff --git a/docs/kb/auditor/audit-extension-attributes-in-active-directory.md b/docs/kb/auditor/audit-extension-attributes-in-active-directory.md new file mode 100644 index 0000000000..744aeb3155 --- /dev/null +++ b/docs/kb/auditor/audit-extension-attributes-in-active-directory.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Shows how to enable auditing of Active Directory extension attributes by + editing the `ad2ecr.txt` file in the %Netwrix Auditor installation folder% so + that extension attributes appear in reports when changed. +keywords: + - extension attributes + - Active Directory + - ad2ecr.txt + - Netwrix Auditor + - audit + - proxyAddresses +products: + - auditor +sidebar_label: Audit Extension Attributes in Active Directory +tags: [] +title: "Audit Extension Attributes in Active Directory" +knowledge_article_id: kA04u000000XmF4CAK +--- + +# Audit Extension Attributes in Active Directory + +## Question + +How to audit extension attributes in Active Directory? + +## Answer + +The set of entries specified in `ad2ecr.txt` are reported in Active Directory. In order to track changes to extension attributes in Active Directory, refer to the following steps: + +1. Navigate to `%Netwrix Auditor installation folder%\Active Directory Auditing` folder. +2. Open the `ad2ecr.txt` file. +3. Place a hash symbol in front of each extension attribute to be audited, e.g.: + +``` +#.proxyAddresses +``` + +A hash symbol designates a comment nullifying the entry in the code. + +4. Save changes to the file. + +The extension attributes commented out will now show in reports when they are changed. diff --git a/docs/kb/auditor/audit-policy-settings-for-pci-compliance.md b/docs/kb/auditor/audit-policy-settings-for-pci-compliance.md new file mode 100644 index 0000000000..ef3c139088 --- /dev/null +++ b/docs/kb/auditor/audit-policy-settings-for-pci-compliance.md 
@@ -0,0 +1,58 @@ +--- +description: >- + Describes the Windows audit policy settings required for PCI Compliance and + recommends which events to enable or leave disabled. +keywords: + - PCI + - PCI Compliance + - audit policy + - Windows auditing + - object access + - account logon + - directory service + - process tracking +products: + - auditor +sidebar_label: Audit Policy settings for PCI Compliance +tags: [] +title: "Audit Policy settings for PCI Compliance" +knowledge_article_id: kA00g000000H9SHCA0 +--- + +# Audit Policy settings for PCI Compliance + +This article describes the audit policy required for **PCI Compliance**. + +## Required Audit Policy + +The following **Audit Policy** is required for **PCI Compliance**: + +- **Account Logon Events** – **Success** and **Failure** +- **Account Management Events** – **Success** and **Failure** +- **Directory Service Access Events** – **Failure** +- **Logon Events** – **Success** and **Failure** +- **Object Access Events** – **Success** and **Failure** +- **Policy Change Events** – **Success** and **Failure** +- **Privilege Use Events** - **Failure** +- **Process Tracking** – **No Auditing** +- **System Events** – **Success** and **Failure** + +**Directory Service Access Events** are available on a **Domain Controller** only. +**Object Access** – used in conjunction with **Folder and File Auditing**. Auditing **Failure** reveals attempted access to forbidden secure objects which may be an attempted security breach. Auditing **Success** is used to provide an audit trail of all access to secured data, for example, card data in a settlement/transaction file or folder. + +## Recommendations + +1. Use **Netwrix File Server Change Reporter** to monitor file changes; do not enable this audit policy for **Event Log Manager**. +2. 
**NOTE:** When using `Windows Server 2008` / `Windows 7` or later, there is an **Advanced Audit Policy Configuration** option available which allows more precise application of auditing of **Object Access** events and is useful in eliminating unwanted events. If available, enable the **Audit File System** option only for **Success**, and optionally **Failure**, but leave other settings as **Not Configured**. +3. **Process Tracking** – not recommended, as this will generate a large number of events. + +## Recommended Configuration + +You should configure the following policies and leave the other policies as is: + +- **System Events** – **Success** and **Failure** +- **Policy Change Events** – **Success** and **Failure** +- **Account Management Events** – **Success** and **Failure** +- **Account Logon Events** – **Success** and **Failure** +- **Logon Events** – **Success** and **Failure** +- **Privilege Use** – **No auditing** diff --git a/docs/kb/auditor/audit-policy-settings-not-applied-on-domain-controller-locally.md b/docs/kb/auditor/audit-policy-settings-not-applied-on-domain-controller-locally.md new file mode 100644 index 0000000000..7d80c570f3 --- /dev/null +++ b/docs/kb/auditor/audit-policy-settings-not-applied-on-domain-controller-locally.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Explains how to resolve when Audit Policy settings are not applied on a local + domain controller due to enforced OU policies or obstructing audit.csv files. +keywords: + - audit policy + - domain controller + - gpupdate + - secpol.msc + - audit.csv + - Group Policy Management Console + - Local Security Policy + - OU enforced policies +products: + - auditor +sidebar_label: Audit Policy settings not applied on domain contro +tags: [] +title: "Audit Policy settings not applied on domain controller locally" +knowledge_article_id: kA00g000000H9UqCAK +--- + +# Audit Policy settings not applied on domain controller locally + +The Audit policy settings have not been applied on a local domain controller (DC), though all audit settings were successfully configured by the effective DC policy. + +The issue appears if an organizational unit (OU) from your domain has some enforced policies in **Group Policy Management Console**. This may prevent the audit settings from being implemented. + +To resolve the issue, do the following: + +1. Change all Domain Controllers policies status for the OU to be not Enforced. +2. In the **Command Prompt**, type in `gpupdate/force` command, press Enter and close the dialog after update. +3. Open Local Security Policy: go to **Start** -> **Run**, type in `secpol.msc` and click **OK**. +4. In the left pane, navigate to **Local Policies** -> **Audit Policy**. +5. Make sure the **Audit account management** and **Audit directory service access** policies are set to `Success`. + +This error can also occur when an `audit.csv` file is not allowing the local security policy to be set properly. This can be fixed by removing the `audit.csv` file in the following two locations: + +- `C:\Windows\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv` +- `SYSVOL\domain\Policies\\\{GUID\}\Machine\microsoft\windows nt\Audit` 
diff --git a/docs/kb/auditor/audit-status-shows-logon-auditing-is-disabled.md b/docs/kb/auditor/audit-status-shows-logon-auditing-is-disabled.md new file mode 100644 index 0000000000..f523916cdc --- /dev/null +++ b/docs/kb/auditor/audit-status-shows-logon-auditing-is-disabled.md 
@@ -0,0 +1,80 @@ +--- +description: >- + Explains why some Domain Controllers show "Logon Auditing is disabled" in + Audit Status and how to resolve it by configuring audit or advanced audit + policies or by disabling the audit status check. +keywords: + - audit status + - logon auditing + - audit policy + - advanced audit policy + - domain controllers + - gpupdate + - Account Lockout Examiner + - UseWMI_Audit + - registry +products: + - auditor +sidebar_label: Audit Status shows "Logon auditing is disabled" +tags: [] +title: Audit Status shows "Logon auditing is disabled" +knowledge_article_id: kA00g000000H9YbCAK +--- + +# Audit Status shows "Logon auditing is disabled" + +Audit status of some Domain controllers in the list shows that some auditing is disabled, for example "Logon Auditing is disabled, some funcionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy for this DC" + +![User-added image](images/ka04u000000HcRc_0EM700000004wxR.png) + +--- + +This message can occur if audit policies in your domain are not set. In this case product will not work because no lockout events will be present. + +But the message can also occur even if correct audit policy is set in your domain. It can happen because in Windows XP/2003/Vista/2008 Account Lockout Examiner checks only if 3 policies under Local policy - Audit policies node of Group policy are configured, but in Windows 7/2008R2 Account Lockout Examiner checks if Advanced Audit Policies are configured, so you might get such warning even if default 3 Audit policies are set, but advanced are not. + +. + +--- + +To resolve the issue configure audit policies/ advanced audit policies. + +## For Windows 2003/2008 domain + +1. On any DC, launch the **Group Policy Management** console. +2. Right-click the appropriate **Group Policy Object** linked to the **Domain Controllers** container and select **Edit**. +3. 
Expand the **Computer Configuration** -> **Windows Setting** -> **Security Settings** -> **Local Policies** -> **Audit Policy** node. +4. Configure audit policies as follows: + - **Account Management: Success** + - **Audit account logon events: Failure** + - **Audit logon events: Failure** + + ![User-added image](images/ka04u000000HcRc_0EM700000004wxC.png) + +5. Update group policy an all monitored DCs (for example run `gpupdate /force`) + +## For Windows 2008R2 or above domain + +1. On any DC, launch the **Group Policy Management** console. +2. Right-click the appropriate **Group Policy Object** linked to the **Domain Controllers** container and select **Edit**. +3. Expand the **Computer Configuration** -> **Policies** -> **Windows Settings** -> **Security Settings** -> **Advanced Audit Policy Configuration** node. +4. Configure audit policies according to page 12, Section 4.2: Enabling Audit Policy, of the [Account Lockout Examiner Administrator Guide](https://www.netwrix.com/download/documents/NetWrix_Account_Lockout_Examiner_Administrator_Guide.pdf?_ga=2.126161166.2092059225.1569427026-1766003445.1557946744). + +![User-added image](images/ka04u000000HcRc_0EM7000000054jS.png) ![User-added image](images/ka04u000000HcRc_0EM7000000054jX.png) ![User-added image](images/ka04u000000HcRc_0EM700000004wxH.png) + +5. Update group policy an all monitored DCs (for example run `gpupdate /force`) + +However, Windows 2008R2 and above allows to configure audit policy in the same way as it was in Windows 2003 and 2008. In this case some of required events will be generated and Account Lockout Examiner will work, however the Auditing is disabled message will be shown. + +## Disable Audit status check (optional) + +If you don`t want to configure Advanced audit policies, there is an option to disable Audit status check in Account Lockout Examiner. In this case Audit status will always be shown as OK. + +In order to do this: + +1. Run Registry Editor (Start - Run - `regedit`) +2. 
Navigate to `HKEY_LOCAL_MACHINESoftware[Wow6432Node]NetWrixAccount Lockout Examiner` (Wow6432Node is present only in 64-bit OS) +3. Change the value of **UseWMI_Audit** to `0`, +4. In the Account Lockout Examiner console go to **File - Settings** and click **OK** to apply registry changes. + +![User-added image](images/ka04u000000HcRc_0EM700000004wxM.png) diff --git a/docs/kb/auditor/audit-trails-are-incorrect-in-netwrix-auditor.md b/docs/kb/auditor/audit-trails-are-incorrect-in-netwrix-auditor.md new file mode 100644 index 0000000000..a51fca2b52 --- /dev/null +++ b/docs/kb/auditor/audit-trails-are-incorrect-in-netwrix-auditor.md 
@@ -0,0 +1,46 @@ +--- +description: >- + This article explains how to resolve the "Audit trails are incorrect" error in + Netwrix Auditor file server monitoring by correcting object-level auditing and + inheritance settings on the file server. +keywords: + - Netwrix Auditor + - audit trails + - file server + - object-level auditing + - security log + - permissions + - Windows auditing +products: + - auditor +sidebar_label: Audit Trails Are Incorrect in Netwrix Auditor +tags: [] +title: "Audit Trails Are Incorrect in Netwrix Auditor" +knowledge_article_id: kA0Qk0000000YphKAE +--- + +# Audit Trails Are Incorrect in Netwrix Auditor + +## Symptom + +In Netwrix Auditor, file server monitoring generates the following error message: + +```text +Audit trails are incorrect. +``` + +## Cause + +This error message indicates audit configuration issues in the audited environment. + +## Resolution + +Follow the steps below to resolve the issue: + +1. On your file server, navigate to a problematic folder/share. Right-click it and select **Properties**. +2. Select the **Security** tab > **Advanced**. +3. Under the **Audit** tab, disable inheritance. +4. Then, confirm that security principals are configured according to Netwrix documentation: /docs/auditor/10.6/auditor/configurationuration/fileservers/windows (Successful Changes and Failed Reads). +5. Click **Apply**. The server will propagate all permissions to the target folders. + +Setting up permissions manually will ensure that Netwrix is detecting the settings and that correct Security log events are written on the file server. diff --git a/docs/kb/auditor/audit_internet_information_services_(iis)_with_netwrix_auditor.md b/docs/kb/auditor/audit_internet_information_services_(iis)_with_netwrix_auditor.md new file mode 100644 index 0000000000..3ed283e077 --- /dev/null +++ b/docs/kb/auditor/audit_internet_information_services_(iis)_with_netwrix_auditor.md 
@@ -0,0 +1,48 @@ +--- +description: >- + This article provides step-by-step instructions on configuring Internet Information Services (IIS) events monitoring using Netwrix Auditor. +keywords: + - IIS monitoring + - Netwrix Auditor + - event log configuration +sidebar_label: Configure IIS Monitoring +tags: [] +title: "Audit Internet Information Services (IIS) with Netwrix Auditor" +knowledge_article_id: kA00g000000H9SCCA0 +products: + - auditor +--- + +# Audit Internet Information Services (IIS) with Netwrix Auditor + +## Question + +How to configure Internet Information Services (IIS) events monitoring? + +## Answer + +### Prerequisites + +1. Enable the **Remote Registry** service — for additional information, refer to the following article: Configuration – Windows Server: Windows Event Logs · v10.6. +2. Configure the operational log of Internet Information Services — for additional information, refer to the following article: [Configuration – Windows Server – Internet Information Services (IIS) · v10.6](/docs/auditor/10.6/configuration/windowsserver/iis). + +### Set Up IIS Monitoring Plan + +1. In the **Start** menu, open the **Netwrix Auditor** folder and launch **Netwrix Auditor Event Log Manager**. +2. Create a new monitoring plan by clicking **Add**. +3. Fill in the **Monitoring plan**, **Notification recipients**, and account credentials fields. +4. Specify the IIS server you’d like to monitor — click **Add** to add a computer to your monitoring plan. +5. In the bottom section, click **Configure** for **Audit archiving filters**. + + 1. Click **Add** for **Inclusive Filters**. + 2. Fill in the filter name and description fields. Enter the following line in the **Event Log** field: + + ```plaintext + Microsoft-IIS-Configuration/Operational + ``` + + 3. Switch the **Write to** switch to **Both**. Refer to the following screenshot for reference. 
+ + ![Configuration of Audit Archiving Filters with the Write to switch set to Both](./images/servlet_image_69af0d1737a5.png) + +Dedicated predefined reports are available in Netwrix Auditor. Follow **Reports** > **Predefined** > **Windows Server** > **Event Log** to see both IIS reports, **IIS Application Pool Changes** and **IIS Website Changes**. \ No newline at end of file diff --git a/docs/kb/auditor/auditing-distributed-file-systems-with-replication-in-netwrix-auditor.md b/docs/kb/auditor/auditing-distributed-file-systems-with-replication-in-netwrix-auditor.md new file mode 100644 index 0000000000..f7cd26635b --- /dev/null +++ b/docs/kb/auditor/auditing-distributed-file-systems-with-replication-in-netwrix-auditor.md 
@@ -0,0 +1,93 @@ +--- +description: >- + Instructions to configure auditing for Distributed File Systems with + replication (DFSR) in Netwrix Auditor, including prerequisites, SACL + replication considerations, staging area sizing, and related resources. +keywords: + - DFSR + - SACL + - file server auditing + - Netwrix Auditor + - replication + - staging area + - UNC path + - object access audit + - data collection account +products: + - auditor +sidebar_label: Auditing Distributed File Systems with Replication +tags: [] +title: "Auditing Distributed File Systems with Replication in Netwrix Auditor" +knowledge_article_id: kA00g000000H9SyCAK +--- + +# Auditing Distributed File Systems with Replication in Netwrix Auditor + +## Question + +How to configure File Servers audit settings for Distributed File Systems with replication? + +## Answer + +### Prerequisites + +> **NOTE:** It is recommended to either check the **Adjust audit settings automatically** checkbox when setting up a new monitoring plan, or to keep the checkbox checked when adding a DFSR file share to the existing monitoring plan. + +Refer to the following steps to ensure the DFSR audit is configured correctly in your environment: + +- The corresponding data collection account should meet requirements for the file server audit. For additional information on the account setup, refer to the following article: /docs/auditor/10.6/auditor/configurationuration/fileservers/windows (Windows File Servers — Permissions for Windows File Server Auditing). + +- Object access audit should be enabled for DFS file shares or every cluster node. For additional information on object access audit, refer to the following article: /docs/auditor/10.6/auditor/configurationuration/fileservers/windows (Windows File Servers — Configure Object-Level Access Auditing). + +- When adding a DFS file share for auditing, specify a Windows file share item and provide the UNC path of the whole namespace or UNC path of the DFS link (folder). 
+ + - `\domain\dfsnamespace\` (domain-based namespace) + - `\server\dfsnamespace\` (in case of stand-alone namespace) + +Refer to the following article for additional information on the initial setup: /docs/auditor/10.6/auditor/configurationuration/fileservers/windows (Configuration — Windows File Servers). + +### SACL replication + +> **NOTE:** During the initial SACL replication, the **Who** field in corresponding Activity Records will state **System**. + +Refer to the following steps to optimize the initial SACL replication: + +1. To approximate the time (in hours) to be spent on the SACL replication, use the following formula: + + ``` + Number of audited objects / 180000 + ``` + + In larger environments, a monitoring plan containing DFSR shares can be created on Friday to allow it to replicate SACL for DFSR during the non-working hours. + +2. In case you're experiencing performance issues, you can increase the staging area. The default setting for the replication staging area size is 4 GB to be increased based on the environment needs. Refer to the following steps for additional information: + + 1. If your staging area is configured to be too small, DFS Replication might consume additional CPU and disk resources to regenerate the staged files. Replication might also slow down, or even stop. Learn more about staging area in How to determine if you have a staging area problem ⸱ Microsoft: https://learn.microsoft.com/en-us/windows-server/troubleshoot/how-to-determine-the-minimum-staging-area-dfsr-needs-for-a-replicated-folder + + 2. Microsoft recommends expanding your staging area to the size of the 32 largest files present in the replicated folder. 
Run the following lines in elevated PowerShell to calculate the total size of 32 largest files located in your replicated folder: + + ```powershell + $big32 = Get-ChildItem “path_to_the_replicated_folder” -recurse | Sort-Object length -descending | select-object -first 32 | measure-object -property length –sum + $big32.sum /1gb + ``` + + 3. Refer to the following steps to set the staging area size: + + 1. Open the **DFS Management** tool in **Server Management** app. + 2. In the left pane, select **Replication** > corresponding replication group. + 3. Right-click the replicated folder and click **Properties**. + 4. Select the **Staging** tab, and edit the **Quota** window. Specify the folder size you've previously calculated, and save changes. + +### Related articles + +- Windows File Servers — Permissions for Windows File Server Auditing ⸱ v10.6 + /docs/auditor/10.6/auditor/configurationuration/fileservers/windows + +- Windows File Servers — Configure Object-Level Access Auditing ⸱ v10.6 + /docs/auditor/10.6/auditor/configurationuration/fileservers/windows + +- Configuration — Windows File Servers ⸱ v10.6 + /docs/auditor/10.6/auditor/configurationuration/fileservers/windows + +- How to determine the minimum staging area DFSR needs for a replicated folder ⸱ Microsoft + https://learn.microsoft.com/en-us/windows-server/troubleshoot/how-to-determine-the-minimum-staging-area-dfsr-needs-for-a-replicated-folder diff --git a/docs/kb/auditor/auditing-of-configuration-container-and-schema.md b/docs/kb/auditor/auditing-of-configuration-container-and-schema.md new file mode 100644 index 0000000000..e4c82b286c --- /dev/null +++ b/docs/kb/auditor/auditing-of-configuration-container-and-schema.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Explains how to enable object-level auditing for the Configuration and Schema + containers so the "Who Changed" field is reported correctly in Netwrix + Auditor. Includes a link to detailed steps for Active Directory object-level + auditing. +keywords: + - Configuration Container + - Schema Container + - object-level auditing + - Who Changed + - Netwrix Auditor + - Active Directory + - Group Policy + - Exchange + - auditing + - daily summary +products: + - auditor +sidebar_label: Auditing of Configuration Container and Schema +tags: [] +title: "Auditing of Configuration Container and Schema" +knowledge_article_id: kA00g000000H9ZJCA0 +--- + +# Auditing of Configuration Container and Schema + +The daily summary report shows "**Your default configuration and schema container audit settings may prevent the 'Who Changed' field from being reported correctly**." + +--- + +By default, auditing of Configuration and Schema containers is not enabled and changes made to these objects may not be reported correctly by Netwrix Auditor for Active Directory, Group Policy and Exchange Servers. + +--- + +Please follow these steps to enable object-level auditing: + +1. Open the following link and follow the instructions on the page: + /docs/auditor/10.5/auditor/configurationuration/activedirectory diff --git a/docs/kb/auditor/auditing-policies-are-not-being-enabled-on-all-or-several-domain-controllers-in-monitored-domain.md b/docs/kb/auditor/auditing-policies-are-not-being-enabled-on-all-or-several-domain-controllers-in-monitored-domain.md new file mode 100644 index 0000000000..7c8c2fbfa9 --- /dev/null +++ b/docs/kb/auditor/auditing-policies-are-not-being-enabled-on-all-or-several-domain-controllers-in-monitored-domain.md 
@@ -0,0 +1,63 @@ +--- +description: >- + If auditing policies are not being applied to some domain controllers, verify + GPO distribution with Resultant Set of Policy and Local Group Policy Editor, + and follow Microsoft troubleshooting resources to resolve GPO inheritance or + application issues. +keywords: + - auditing + - GPO + - domain controllers + - RSoP + - rsop.msc + - secpol.msc + - Group Policy + - Netwrix Auditor +products: + - auditor +sidebar_label: Auditing Policies Not Enabled on Domain Controllers +tags: [] +title: "Auditing policies are not being enabled on all or several domain controllers in monitored domain" +knowledge_article_id: kA00g000000H9ZQCA0 +--- + +# Auditing policies are not being enabled on all or several domain controllers + +You have configured change auditing in accordance with the Installation and Configuration guide (Installation and Configuration Guide)[http://www.netwrix.com/download/documents/NetWrix_Active_Directory_Change_Reporter_Installation_Configuration_Guide.pdf], however auditing policies are not being applied and Netwrix Auditor keeps complaining about audit settings on all or some domain controllers. In addition to this, all or some changes in summary reports are listed as made by the System account. + +The reasons why the auditing policies are not being enabled on domain controllers in the managed domain may be: + +1. The GPO you configured auditing policies in is not being distributed to problematic domain controllers. +2. The GPO you configured auditing policies in is being distributed to problematic domain controllers but auditing policies are not being applied. + +## Verify GPO distribution with Resultant Set of Policy (RSoP) + +1. Make sure the GPO you configured auditing policies in is being distributed to problematic domain controllers. 
For that please use Resultant Set of Policy (RSoP): http://technet.microsoft.com/en-us/library/cc782615(v=ws.10).aspx + +- Log onto the domain controller which Netwrix Auditor is complaining about. +- Run Resultant Set of Policy (RSoP): `Start > Run` > type `rsop.msc` and press Enter. +- Expand Audit Policy as shown in the picture below and make sure you see the corresponding source GPO (the GPO which you enabled auditing policies in) for auditing policies and ensure there are no warnings or errors. In our case we see that Audit Account Management policy is set to Failure, while for successful auditing we need to have this policy set to Success. + +![rsop](images/ka04u000000HcSR_0EM7000000053Be.png) + +- To fix this problem open **Group Policy Management Console** (**Start > Administrative Tools > Group Policy Management**), select the **Domain Controllers** node, open the **Group Policy Inheritance** tab and in the right pane review the order the GPOs are being applied to the Domain Controllers OU. In our case the Default Domain Policy is enforced and being applied first which causes a GPO conflict. Manage your GPO inheritance to exclude the necessary policy settings from being overridden. For more details regarding GPO inheritance please refer to the following Microsoft KB article: http://technet.microsoft.com/en-us/library/cc757050(v=ws.10).aspx + +![gpmc](images/ka04u000000HcSR_0EM7000000053Bj.png) + +## If GPO distribution is correct but auditing settings still not applied + +If you resolved the inheritance issue and corresponding GPOs are being distributed to the problematic domain controller but Netwrix Auditor still complains about auditing settings, this may indicate that auditing policy settings are not being applied on the domain controller. To troubleshoot this you can use Local Group Policy Editor: http://technet.microsoft.com/en-us/library/cc731745.aspx + +1. Log onto the domain controller which Netwrix Auditor is complaining about. +2. 
Open Local Group Policy Editor: `Start > Run` > `secpol.msc`. +3. Expand Audit Policy as shown in the picture below and make sure that the necessary auditing policies are set to Success (for example, Audit Account Management, Audit Directory Service Access) and are equal to the ones you see in Resultant Set of Policy (RSoP). + +![secpol](images/ka04u000000HcSR_0EM7000000053Bo.png) + +- If the Local Group Policy Editor indicates different auditing settings (different from the ones you configured and see in Resultant Set of Policy (RSoP)), this may indicate an issue with GPO applying on that particular domain controller. To troubleshoot this issue please refer to the following Microsoft KB articles: + + - Security auditing settings are not applied to Windows Server 2008-based computers when you deploy a domain-based policy: http://support.microsoft.com/kb/921468 + - Troubleshooting Group Policy Problems: http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx + - Group Policy Analysis and Troubleshooting Overview: http://technet.microsoft.com/en-us/library/jj134223.aspx + - Fixing Group Policy problems by using log files: http://technet.microsoft.com/en-us/library/cc775423(WS.10).aspx + - SceCli 1202 events are logged every time Computer Group Policy settings are refreshed on a computer that is running Windows Server 2008 R2: http://support.microsoft.com/kb/974639/en-us diff --git a/docs/kb/auditor/auditing-stored-procedures-on-the-sql-server.md b/docs/kb/auditor/auditing-stored-procedures-on-the-sql-server.md new file mode 100644 index 0000000000..e37cfd251d --- /dev/null +++ b/docs/kb/auditor/auditing-stored-procedures-on-the-sql-server.md 
@@ -0,0 +1,58 @@ +--- +description: >- + Shows how to enable auditing of the "Date Modified" attribute for stored + procedures in Netwrix Auditor for SQL Server so you can track when procedures + are modified. It explains which file to edit and what lines to add or comment. +keywords: + - SQL Server + - stored procedures + - auditing + - Date Modified + - Netwrix Auditor + - Omitproplist.txt + - SQL Server Auditing + - collection +products: + - auditor +sidebar_label: Auditing stored procedures on the SQL Server +tags: [] +title: "Auditing stored procedures on the SQL Server" +knowledge_article_id: kA00g000000H9eQCAS +--- + +# Auditing stored procedures on the SQL Server + +Netwrix Auditor for SQL Server `reports` creation and `deletion` of the stored procedures by default. However, there is no way to report the `modification` of the stored procedure, e.g. modification of the stored procedure's query. You can adjust Netwrix Auditor configuration to enable auditing of the **"Date Modified"** attribute for stored procedures. This allows you to track the time of the modifications. + +**NOTE:** in that case, Netwrix will only report on the **"Date Modified"** attribute. No additional details about the modification performed will be included in the report. + +Follow the steps below to enable auditing of the **"Date Modified"** attribute for stored procedure objects: + +1. Open `Omitproplist.txt` file located in `%Netwrix Installation folder%\SQL Server Auditing` (default path `C:\Program Files (x86)\Netwrix Auditor\SQL Server Auditing`) +2. Comment `*.Date Modified.*` line by putting the `#` sign in front of the `*` sign. The line should look like this: `#*.Date Modified.*` +3. 
Exclude **"Date Modified"** attribute for other SQL Server objects by adding the following lines to the same file: + +```text +Application Role.Date Modified.* +Constraints.Date Modified.* +Credential.Date Modified.* +Database.Date Modified.* +Database Role.Date Modified.* +Functions.Date Modified.* +Jobs.Date Modified.* +Jobs Schedules.Date Modified.* +Keys.Date Modified.* +Login.Date Modified.* +Schema.Date Modified.* +Server Instance.Date Modified.* +Server Role.Date Modified.* +#Stored Procedure.Date Modified.* +Table.Date Modified.* +Triggers.Date Modified.* +User.Date Modified.* +View.Date Modified.* +``` + +**You can copy the lines above to the file.** + +Starting from the next scheduled collection Netwrix Auditor for SQL Server will collect data about changes made to the **"Date Modified"** attribute for stored procedure objects. diff --git a/docs/kb/auditor/auditor-glossary-abbreviations-and-acronyms.md b/docs/kb/auditor/auditor-glossary-abbreviations-and-acronyms.md new file mode 100644 index 0000000000..0e81f06790 --- /dev/null +++ b/docs/kb/auditor/auditor-glossary-abbreviations-and-acronyms.md 
@@ -0,0 +1,123 @@ +--- +description: >- + Glossary of abbreviations and acronyms used in Netwrix Auditor to help you + understand folder/file structure and communicate with Technical Support. +keywords: + - auditor + - glossary + - acronyms + - abbreviations + - collectors + - components + - Netwrix Auditor +products: + - auditor +sidebar_label: 'Auditor Glossary: Abbreviations and Acronyms' +tags: [] +title: 'Auditor Glossary: Abbreviations and Acronyms' +knowledge_article_id: kA00g000000H9ecCAC +--- + +# Auditor Glossary: Abbreviations and Acronyms + +To understand the folder / file structure of Netwrix Auditor or to better communicate with Technical Support, it's important to know the acronyms and initialisms used in Netwrix Auditor. + +## Netwrix Auditor Collectors + +**ADA:** Active Directory Auditing - In reference to the Active Directory Monitoring Plan + +**FSA:** File Server Auditing - In reference to the Windows File Server Monitoring Plan + +**NAND:** Netwrix Auditor for Network Devices - In reference to the Network Devices Monitoring Plan + +**NLA:** Network Logon Activity - In reference to the Logon Activity Monitoring Plan + +**NOMBA:** Non-Owner Mailbox Access – In reference to Exchange and Exchange Online Monitoring Plan + +**SP/SPO:** SharePoint/SharePoint Online - In reference to the SharePoint/SharePoint Online Monitoring Plan + +**SQLA:** SQL Auditing - In reference to the SQL Server Monitoring Plan + +**UAVR:** User Activity Video Reporter/Recorder - In reference to the User Activity Monitoring Plan. This initialism is antiquated, since the release of Netwrix Auditor 9.8 allows administrators to audit User Activity without recording the screen. 
+ +**VMA:** VMWare Auditing - In reference to the VMWare Monitoring Plan + +**WSA:** Windows Server Auditing - In reference to the Windows Server Monitoring Plan + +**PEN:** Password Expitation Notifier - Netwrix Password Reset, a standalone Netwrix tool that checks which domain accounts or passwords are about to expire in the specified number of days and sends notifications to users + +**IUT:** Inactive User Tracker - a standalone Netwrix tool that discovers inactive user and computer accounts + +--- + +## Netwrix Auditor Components + +**AIC:** Access Reviews - Enables business owners to conduct resource and group reviews and recommend changes + +**API:** Netwrix Integration API - Provides access to audit data collected by Netwrix Auditor through REST API endpoints + +**AR(s):** Activity Record(s) – Format of changes in the audited infrastructure in Netwrix Auditor reports, search, and alerts + +**DCA/DPA:** Data Processing Account/Data Collection Account - The account used to collect audited data + +**LTA:** Long Term Archive - Long-term storage of activity records + +**MP:** Monitoring Plan + +**NA:** Netwrix Auditor + +**NDC:** Netwrix Data Classification + +**STA:** Short-term Archive - Location used for event processing + +**%PROGRAMDATA%:** Hidden directory in which Netwrix logs and activity records are stored + +--- + +## Auxiliary Components + +> **NOTE:** The components below are not owned or developed by Netwrix. 
+ +**SQL:** SQL Server - Hosts databases used to stored and query audit data + +**SSMS:** SQL Server Management Studio - Program used to interface with the SQL Server + +**SSRS:** SQL Server Reporting Services - Generates reports using audit data in SQL databases + +--- + +## Windows Environment + +**Active Directory (AD):** Microsoft's directory service for managing user and computer information within a network + +**Domain:** A group of networked computers that share a common database and security policy within Active Directory + +**Domain Controller (DC):** A server that manages security authentication requests, including logins and permissions within a Windows domain + +**Event Viewer:** A Windows tool that provides a centralized view of various logs, including system, application, and security logs + +**File System:** The structure and logic used to manage files on a computer. In Windows, common file systems include NTFS (New Technology File System) and FAT32. + +**Group Policy:** A set of rules and configurations that can be applied to user and computer objects in Active Directory to manage their settings + +**PowerShell:** A task-automation framework and scripting language developed by Microsoft for configuration management and automation + +**Registry:** A hierarchical database used to store configuration settings and options on Microsoft Windows operating systems + +**Remote Desktop:** A feature that allows a user to connect to a computer in another location as if they were sitting in front of it + +**Services:** Programs or processes that run in the background and provide core functionality for the operating system + +**Task Manager:** A system monitor and startup manager included with Windows that provides information about computer performance and running applications + +**Task Scheduler:** A tool in Windows that enables users to schedule the launch of programs or scripts at pre-defined times + +**User Account Control (UAC):** A security feature that 
helps prevent unauthorized changes to a computer by requiring administrators to confirm their actions + +**Windows Defender:** Microsoft's built-in antivirus and anti-malware solution for Windows + +**Windows Firewall:** A software-based firewall included with Windows that monitors and controls incoming and outgoing network traffic + +**Windows Registry Editor:** A tool used to view and modify the Windows Registry + +**Windows Update:** A service provided by Microsoft to keep Windows and other Microsoft software up-to-date with the latest security patches and updates diff --git "a/docs/kb/auditor/auditor_v10.6_known_issue_\342\200\223_cannot_collect_mailbox_audit_data_unhandled_value_sendas_\342\200\223_event_id_2002.md" "b/docs/kb/auditor/auditor_v10.6_known_issue_\342\200\223_cannot_collect_mailbox_audit_data_unhandled_value_sendas_\342\200\223_event_id_2002.md" new file mode 100644 index 0000000000..e337d79eaf --- /dev/null +++ "b/docs/kb/auditor/auditor_v10.6_known_issue_\342\200\223_cannot_collect_mailbox_audit_data_unhandled_value_sendas_\342\200\223_event_id_2002.md" 
@@ -0,0 +1,36 @@ +--- +description: >- + This article addresses a known issue in Netwrix Auditor version 10.6 related to the inability to collect mailbox audit data due to an unhandled value. +keywords: + - Netwrix Auditor + - mailbox audit data + - Event ID 2002 +sidebar_label: Known Issue - Mailbox Audit Data Collection +tags: [] +title: "Auditor v10.6 Known Issue – Cannot Collect Mailbox Audit Data: Unhandled Value SendAs – Event ID 2002" +knowledge_article_id: kA04u000000wnnhCAA +products: + - auditor +--- + +# Auditor v10.6 Known Issue – Cannot Collect Mailbox Audit Data: Unhandled Value SendAs – Event ID 2002 + +## Symptoms + +- Event ID: 2002 + Cannot collect mailbox audit data: Unhandled value SendAs + Parameter name: source + +- An emailed activity summary includes the following message: + + ``` + Note that Netwrix Auditor encountered errors while collecting audit data. For details, see the System Health dashboard in Netwrix Auditor client. + ``` + +## Cause + +This is a known issue that has been fixed in Netwrix Auditor version 10.6.12332. + +## Resolution + +Upgrade Netwrix Auditor to version 10.6.12332. You can download the latest version from the My Products page: [https://www.netwrix.com/my_products.html](https://www.netwrix.com/my_products.html) \ No newline at end of file diff --git "a/docs/kb/auditor/auditor_v10.6_known_issue_\342\200\223_subscription_plan_for_access_reviews_has_expired_\342\200\223_event_id_2222.md" "b/docs/kb/auditor/auditor_v10.6_known_issue_\342\200\223_subscription_plan_for_access_reviews_has_expired_\342\200\223_event_id_2222.md" new file mode 100644 index 0000000000..1756658907 --- /dev/null +++ "b/docs/kb/auditor/auditor_v10.6_known_issue_\342\200\223_subscription_plan_for_access_reviews_has_expired_\342\200\223_event_id_2222.md" 
@@ -0,0 +1,34 @@ +--- +description: >- + This article addresses the known issue in Auditor v10.6 where the subscription plan for Access Reviews has expired, resulting in an error message. +keywords: + - Auditor + - Access Reviews + - Event ID 2222 +sidebar_label: Auditor v10.6 Known Issue +tags: [] +title: "Auditor v10.6 Known Issue – Subscription Plan for Access Reviews Has Expired – Event ID 2222" +knowledge_article_id: kA04u000000wnqHCAQ +products: + - auditor +--- + +# Auditor v10.6 Known Issue – Subscription Plan for Access Reviews Has Expired – Event ID 2222 + +## Symptom + +Error message: + +``` +Source: Active Directory Audit Service +Event ID: 2222 +Description: The following error has occurred: Data collection is disabled, Your subscription plan for Access Reviews has expired. To renew your subscription, contact your Account Manager at Netwrix. +``` + +## Cause + +A bug that affects Auditor v.10.6.12299. + +## Resolution + +Upgrade Netwrix Auditor to version 10.6.12322. You can download the latest version from the **My Products** page: [https://www.netwrix.com/my_products.html](https://www.netwrix.com/my_products.html). \ No newline at end of file diff --git a/docs/kb/auditor/authentication-unsuccessful-request-did-not-meet-authentication-criteria-error.md b/docs/kb/auditor/authentication-unsuccessful-request-did-not-meet-authentication-criteria-error.md new file mode 100644 index 0000000000..a772e2cbef --- /dev/null +++ b/docs/kb/auditor/authentication-unsuccessful-request-did-not-meet-authentication-criteria-error.md 
@@ -0,0 +1,48 @@ +--- +description: >- + You receive this error when configuring SMTP Notifications if the Microsoft + 365 account used for SMTP has multi-factor authentication (MFA) enabled. This + article explains the cause and shows how to resolve it by using the direct + send method. +keywords: + - SMTP + - Microsoft 365 + - MFA + - Authentication unsuccessful + - 535 5.7.139 + - 530 5.7.57 + - Direct send + - Notifications + - Netwrix Auditor +products: + - auditor +sidebar_label: Authentication Unsuccessful − Request Did Not Meet +tags: [] +title: "Authentication Unsuccessful − Request Did Not Meet Authentication Criteria Error" +knowledge_article_id: kA0Qk0000000XDhKAM +--- + +# Authentication Unsuccessful − Request Did Not Meet Authentication Criteria Error + +## Symptom + +Netwrix Auditor (v10.6 and earlier) prompts the following error when configuring SMTP settings for **Notifications**: + +```text +Cannot send an email: SMTP Exception: +Cannot send message: 530 5.7.57 Client not authenticated to send mail. +Error: 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. +Contact your administrator. +``` + +## Cause + +The Microsoft 365 account used for SMTP has multi-factor authentication (MFA) enabled. + +## Resolution + +Set up the direct send method for Netwrix Auditor. Refer to the following article for more detailed instructions: Set Up Direct Send for Netwrix Auditor and Netwrix Data Classification. + +## Related articles + +- Set Up Direct Send for Netwrix Auditor and Netwrix Data Classification diff --git a/docs/kb/auditor/auto-archiving-windows-security-log.md b/docs/kb/auditor/auto-archiving-windows-security-log.md new file mode 100644 index 0000000000..2ccb4ff71a --- /dev/null +++ b/docs/kb/auditor/auto-archiving-windows-security-log.md 
@@ -0,0 +1,58 @@ +--- +description: >- + Shows how to enable automatic archiving of the Windows Security event log + centrally for all domain controllers using Group Policy, and how to adjust + retention settings for the archived logs on the Netwrix Auditor server. +keywords: + - Windows Security log + - auto-archive + - event log + - Group Policy + - Netwrix Auditor + - archive retention + - CleanAutoBackupLogs + - domain controllers + - gpupdate +products: + - auditor +sidebar_label: Auto-archiving Windows Security log +tags: [] +title: "Auto-archiving Windows Security log" +knowledge_article_id: kA04u000000Pcx6CAC +--- + +# Auto-archiving Windows Security log + +To prevent data overwrites, you can increase the maximum size of the Security event log and set the retention method for this log to **Overwrite events as needed**. However, if the **Overwrite** option is not enough to meet your data retention requirements, you can use the *auto-archiving* option for the Security event log. This will allow you to preserve historical event data in the archive files. This option can be enabled centrally for all domain controllers, using the procedure described below. In such a scenario, the logs will be automatically archived when necessary (no events will be overwritten). + +## To enable Security log auto-archiving centrally for all domain controllers + +1. Open the Group Policy Management console on any domain controller in the target domain: navigate to **Start → Windows Administrative Tools** (Windows Server 2016 and higher) or **Administrative Tools** (Windows 2012) → **Group Policy Management**. +2. In the left pane, navigate to Forest: **`<forest_name>` → Domains → `<domain_name>` → Domain Controllers**. +3. Right-click the effective domain controllers policy (by default, it is the **Default Domain Controllers Policy**), and select **Edit** from the pop-up menu. +4. Navigate to **Computer Configuration → Policies**. +5. 
Right-click **Administrative Templates: Policy definition**s and select **Add / Remove templates**. +6. Click **Add** in the dialog that opens. +7. In the **Policy Templates** dialog, navigate to ` %Netwrix Auditor Server installation folder%/Active Directory Auditing`, select the `Log Autobackup.adm` file (if the product is installed on a different computer, copy this file to the domain controller), and click **Open** to add the template. +8. Navigate to **Computer Configuration → Policies → Administrative Templates: Policy Definitions → Windows Component → Event Log Service → Security**. +9. Check the following: + - For Windows Server 2012 and later, the following options must be enabled: + - **Back up log automatically when full** + - **Control Event Log behavior when the log file reaches its maximum size** + - For Windows Server 2008 / 2008 R2, the following options must be enabled: + - **Back up log automatically when full** + - **Retain old events** +10. Open the command prompt, type `gpupdate /force` and press Enter. The group policy will be updated. + +With the automatic log backup enabled, you may want to adjust the retention settings for log archives (backups). The default retention period for these files is **50 hours**; when it expires, log archives are deleted. To adjust this setting, follow the procedure described below. + +## To adjust retention settings for log archives + +1. On the computer where Netwrix Auditor is installed, open Registry Editor. +2. Navigate to `HKEY_LOCAL_MACHINE → SOFTWARE → Wow6432Node → Netwrix Auditor → AD Change Reporter`. +3. In the right-pane, right-click and select **New → DWORD (32-bit Value)**. +4. For the backup logs retention functionality to work properly, you need to specify the `CleanAutoBackupLogs` name for the newly created registry value. +5. Double-click `CleanAutoBackupLogs`. The **Edit DWORD Value** dialog will open. +6. 
This value defines the time period (in hours) after which security event logs archives will be automatically deleted from the domain controllers. By default, it is set to `50` (decimal). Modify this value, if necessary, and click **OK** to save the changes. + +**NOTE:** If the `CleanAutoBackupLogs` registry value is set to `0`, you will have to remove the old automatic backups manually, otherwise you may run out of space on your hard drive. diff --git a/docs/kb/auditor/automatic-user-enrollment-failed-server-certificate-revocation-check-failed.md b/docs/kb/auditor/automatic-user-enrollment-failed-server-certificate-revocation-check-failed.md new file mode 100644 index 0000000000..0a341488ab --- /dev/null +++ b/docs/kb/auditor/automatic-user-enrollment-failed-server-certificate-revocation-check-failed.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Explains how to resolve the "Automatic user enrollment failed: Server + certificate revocation check failed" error during the enrollment wizard, + including causes and steps to disable certificate revocation checking if + necessary. +keywords: + - certificate revocation + - enrollment wizard + - SSL + - Error 12057 + - pmserver + - proxy + - firewall + - Internet Options + - revocation check +products: + - auditor +sidebar_label: 'Automatic user enrollment failed: Server certifica' +tags: [] +title: 'Automatic user enrollment failed: Server certificate revocation check failed' +knowledge_article_id: kA00g000000H9bQCAS +--- + +# Automatic user enrollment failed: Server certificate revocation check failed + +You see the following error when the enrollment wizard starts: + +Automatic user enrollment failed: Server certificate revocation check failed. (Error Code:12057, URL: https://pmserver/gina_isprofilecreated.asp) Please contact your system administrator if this problem persists. + +--- + +## Cause + +The error means that the system was not able to check if the SSL certificate was revoked. In case of third-party certificates, it can be caused by firewall or anti-malware software blocking connections to revocation servers. Self-signed certificates are usually not checked for revocation, however the reason for the issue might be the same - the system cannot reach any certificate authority. + +--- + +## Resolution + +To address the issue: + +1. Make sure firewall or other software is not blocking connection. Enable all connections and launch the wizard. +2. Also make sure that proxy server is not affecting connection. +3. If you use a self-signed certificate - try disabling the proxy and launch the wizard. +4. If the above does not work try disabling revocation check: + + - Open **Control Panel** → **Internet Options**. + - Go to the **Advanced** tab. 
+ - Under the Security group of settings, disable the **Check server certificate for revocation** checkbox. diff --git a/docs/kb/auditor/backup-recommendations.md b/docs/kb/auditor/backup-recommendations.md new file mode 100644 index 0000000000..16c73b8ab8 --- /dev/null +++ b/docs/kb/auditor/backup-recommendations.md 
@@ -0,0 +1,54 @@ +--- +description: >- + Steps to back up Netwrix Auditor components, including the Long-Term Archive + and configuration file, with exact commands and locations to export the + config. +keywords: + - backup + - Long-Term Archive + - LTA + - Netwrix Auditor + - config export + - configserverDbProcessor + - naconfig.xml + - restore +products: + - auditor +sidebar_label: Backup Recommendations +tags: [] +title: "Backup Recommendations" +knowledge_article_id: kA04u000000wniSCAQ +--- + +# Backup Recommendations + +## Question + +What are the recommended Netwrix Auditor components to be backed up on a regular basis? + +## Answer + +The minimum components to be backed up in Netwrix Auditor are the Long-Term Archive and the configuration file. + +1. Create a separate folder for the Auditor backups − the `C:\NA_Backups\` path is used to reference the process, and it can be altered. +2. Back up the entire Long-Term Archive folder to `C:\NA_Backups\`. + +> **NOTE:** Long-Term Archive is located in `\%ProgramData\%\Netwrix Auditor\Data` by default. You can establish the LTA location by following the main **Netwrix Auditor** menu > the **Settings** button > **Long-Term Archive** tab > **Write audit data to**. + +3. Export the configuration file by running the following lines in elevated Command Prompt on your Netwrix Auditor server: + +```text +cd C:\Program Files (x86)\Netwrix Auditor\Audit Core +configserverDbProcessor.exe export -target "C:\NA_Backups\naconfig.xml" +``` + +> **NOTE:** You can use any target path to export the config file to. Make sure to add the file name and extension (e.g., **naconfig.xml**) to the end of the export path. + +4. Once the components are backed up, you can store them in any location to use once needed. + +For additional information on import, refer to the following article: Migrating Netwrix Auditor to New Server (/docs/kb/auditor/migrating_auditor_to_new_server). 
+ +## Related articles + +- Migrating Netwrix Auditor to New Server: /docs/kb/auditor/migrating_auditor_to_new_server +- How to Move Long-Term Archive to a New Location: /docs/kb/auditor/how_to_move_long-term_archive_to_a_new_location diff --git a/docs/kb/auditor/backups-folder-in-netwrix-auditor.md b/docs/kb/auditor/backups-folder-in-netwrix-auditor.md new file mode 100644 index 0000000000..e3cfa2f8c2 --- /dev/null +++ b/docs/kb/auditor/backups-folder-in-netwrix-auditor.md @@ -0,0 +1,33 @@ +--- +description: >- + Explains whether it is safe to delete the Backups folder at + C:\ProgramData\Netwrix Auditor\Backups after upgrades and provides guidance on + retaining backups for supported versions. +keywords: + - Backups + - Netwrix Auditor + - 'C:\ProgramData\Netwrix Auditor\Backups' + - supported versions + - upgrade + - cleanup + - disk space + - backup retention +products: + - auditor +sidebar_label: Backups Folder in Netwrix Auditor +tags: [] +title: "Backups Folder in Netwrix Auditor" +knowledge_article_id: kA04u000001116vCAA +--- + +# Backups Folder in Netwrix Auditor + +## Question + +The **Backups** folder located in `C:\ProgramData\Netwrix Auditor\Backups` occupies some space after multiple upgrades done previously. Is it safe to delete it? + +## Answer + +It is strongly recommended to keep the backups for supported versions. Once a version is not supported, it is safe to delete the corresponding backups. As of August 2023, there are 3 supported versions (10, 10.5, and 10.6). Refer to the following link for additional information on supported versions of Netwrix Auditor: https://www.netwrix.com/supported_versions.html#na. + +> **NOTE:** The **Backups** folder contains backups for prior versions of Netwrix Auditor in case some files are corrupted during an upgrade. It may contain backups for all versions previously used in your environment. 
diff --git a/docs/kb/auditor/best-practices-for-securing-netwrix-auditor.md b/docs/kb/auditor/best-practices-for-securing-netwrix-auditor.md new file mode 100644 index 0000000000..36b0b43767 --- /dev/null +++ b/docs/kb/auditor/best-practices-for-securing-netwrix-auditor.md 
@@ -0,0 +1,89 @@ +--- +description: >- + Best practices for securing Netwrix Auditor, covering host access, role + management, service monitoring, Microsoft security tools, auditing of related + systems, and offline backups of the Long-Term Archive. +keywords: + - Netwrix Auditor + - security + - RBAC + - TDE + - BitLocker + - Long-Term Archive + - backups + - service monitoring + - SQL Server +products: + - auditor +sidebar_label: Best Practices for Securing Netwrix Auditor +tags: [] +title: "Best Practices for Securing Netwrix Auditor" +knowledge_article_id: kA00g000000H9SPCA0 +--- + +# Best Practices for Securing Netwrix Auditor + +## Overview + +This article outlines best practices for securing Netwrix Auditor, including limiting access, maintaining roles, monitoring services, enabling security tools, auditing related systems, and performing regular backups. + +## Instructions + +- [Limiting Access to the Netwrix Auditor Host](#limitaccess) +- [Maintaining Roles in Netwrix Auditor](#maintainroles) +- [Monitoring Netwrix Auditor Services](#monitorservices) +- [Enabling Native Microsoft Security Tools](#MSsectools) +- [Auditing Related Systems via Netwrix Auditor](#auditrelsys) +- [Making Regular Offline Backups of the Long-Term Archive](#offlinebackups) + +### Limiting Access to the Netwrix Auditor Host + +Use Restricted Groups to apply group membership and User Rights Assignment policy settings, limiting access to the Netwrix Auditor host to a select group of users. 
For additional information, refer to the following articles: + +- [Description of Group Policy Restricted Groups ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/description-of-group-policy-restricted-groups) +- [User Rights Assignment ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment) + +### Maintaining Roles in Netwrix Auditor + +Netwrix Auditor provides a flexible role-based access control (RBAC) model, restricting user actions based on their roles. For more information about RBAC, refer to the following article: + +- Role-Based Access and Delegation + +### Monitoring Netwrix Auditor Services + +Ensure that critical Netwrix Auditor services, such as the Netwrix Auditor Configuration Service and the Netwrix Auditor Archive Service, are always operational. Use the freeware Netwrix Service Monitor tool to monitor startup services on multiple servers and receive email alerts if services stop unexpectedly. For additional information, refer to the following page: + +- [Netwrix Service Monitor](https://www.netwrix.com/windows_services_monitoring_freeware.html) + +### Enabling Native Microsoft Security Tools + +- Enable transparent data encryption (TDE) to secure your SQL database data. For more information, refer to the following article: [Transparent Data Encryption (TDE) ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver16). +- Enable BitLocker encryption to secure your Long-Term Archive. For more information, refer to the following article: [BitLocker Overview ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/). 
+ +### Auditing Related Systems via Netwrix Auditor + +- Enable configuration and logon auditing for your SQL Server: + - Set up alerts for logon activity, role changes, and db_owner role changes for SQL databases. + +- Enable auditing for Local Users and Groups, services, and software installations on your SQL Server and Netwrix Auditor servers: + - Configure alerts for changes to log clearance and Local Administrator groups. + - Enable session recording for SQL Server and the Netwrix Auditor host via User Activity Monitoring. + - Set up alerts for SQL Management Studio or Netwrix Auditor launches. + - Configure alerts for logons to the SQL Server and Netwrix Auditor host. + +- Enable auditing of the Long-Term Archive: + - Exclude the Netwrix data-processing account from the monitoring scope. + - Set up alerts for all read, modify, delete events, and failed activities. + +### Making Regular Offline Backups of the Long-Term Archive + +To prevent data loss due to unexpected archive corruption, malicious actions, ransomware, or other circumstances, regularly back up your Long-Term Archive. Consider off-site or cloud backups to ensure the integrity of your Long-Term Archive data. 
+ +## Related Links + +- [Description of Group Policy Restricted Groups ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/description-of-group-policy-restricted-groups) +- [User Rights Assignment ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment) +- Role-Based Access and Delegation +- [Netwrix Service Monitor](https://www.netwrix.com/windows_services_monitoring_freeware.html) +- [Transparent Data Encryption (TDE) ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver16) +- [BitLocker Overview ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/) diff --git a/docs/kb/auditor/can-any-additional-attribites-be-displayed-in-the-modification-reports.md b/docs/kb/auditor/can-any-additional-attribites-be-displayed-in-the-modification-reports.md new file mode 100644 index 0000000000..7d12e12dcc --- /dev/null +++ b/docs/kb/auditor/can-any-additional-attribites-be-displayed-in-the-modification-reports.md 
@@ -0,0 +1,54 @@ +--- +description: >- + Shows how to configure SSRS-based reports in Netwrix Auditor to display + additional Active Directory attributes (modification, created, and deleted + reports). +keywords: + - SSRS + - attributes + - Active Directory + - Netwrix Auditor + - modification report + - created report + - deleted report + - processmodifiedprops +products: + - auditor +visibility: public +sidebar_label: 'Can any additional attribites be displayed in the ' +tags: [] +title: "Can any additional attribites be displayed in the modification reports?" +knowledge_article_id: kA00g000000H9VrCAK +--- + +# Can any additional attribites be displayed in the modification reports? + +How do I get the values of the additional attributes to be displayed in any particular SSRS based report. + +--- + +It is possible to make some the following reports display the values of the additional attributes. Usually the reports are called Modification/Created/Deleted with details. The most popular are the following: +- All User Changes with Advanced Attributes; +- User Created with Details; +- User Deleted with Details; + +To do that please follow the steps: + +1. Determine the report you want to show the additional information in: + a. If you want the "Modification" report to show the additional attributes you need - `processmodifiedprops.txt` file located in the installation folder; + b. For "Created" reports - `processaddedprops.txt`; + c. For "Deleted" reports - `processdeletedprops.txt`; + +2. Find out the AD object you are interested in. For example: user, computer, group, etc. + +3. Find out the attribute name you want to be displayed. Like: `mail`, `employeeID`, etc. The attribute can be found in the Attribute editor in Active Directory Users and Computers snap-in. **Note:** it is case sensitive. + +4. 
Open the text file according to the first step and put the following line: +``` +objectType:Attribute: +``` +Examples: + +![Attr](images/ka04u000000HcP8_0EM7000000051Zt.png) + +**NOTE:** Each attribute should be put in a separate line. The pound key at the beginning of a line means exclusion of the line. diff --git a/docs/kb/auditor/can-i-specify-a-group-other-than-the-everyone-group-in-the-audit-settings.md b/docs/kb/auditor/can-i-specify-a-group-other-than-the-everyone-group-in-the-audit-settings.md new file mode 100644 index 0000000000..6cce5049b4 --- /dev/null +++ b/docs/kb/auditor/can-i-specify-a-group-other-than-the-everyone-group-in-the-audit-settings.md @@ -0,0 +1,30 @@ +--- +description: >- + Explains whether you can specify a group other than the Everyone group in the + audit settings and the implications for monitoring and event volume. +keywords: + - Everyone group + - audit settings + - Netwrix Auditor + - file servers + - Local System + - Users group + - Security event log + - audit configuration +products: + - auditor +sidebar_label: Can I specify a group other than the Everyone group in the audit settings? +tags: [] +title: "Can I specify a group other than the Everyone group in the audit settings?" +knowledge_article_id: kA00g000000H9TVCA0 +--- + +# Can I specify a group other than the Everyone group in the audit settings? + +This is possible, but in this case **Netwrix Auditor** will be informing you about activity of the users belonging to this group only. + +Sometimes, for the file servers with high-level services activity running under the **Local System** account, we recommend using the **Users** local group on the file server to decrease the number of events in the **Security** event log. + +--- + +**NOTE:** **Netwrix Auditor** will send you email reports with warnings about the audit configuration. This will not affect the reporting functionality and the product will monitor user accounts that belong to the selected group successfully. 
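Review bot: In the body of can-i-specify-a-group-other-than-the-everyone-group-in-the-audit-settings.md, the first paragraph leaves the audit gap implicit by saying only that activity is reported for "users belonging to this group only". State directly that activity by accounts outside the selected group is not audited, and that this is how the **Users** group recommendation cuts the event volume from services running under **Local System**. The closing NOTE says email reports will carry warnings about the audit configuration but does not describe them; quote or summarise the expected warning so an administrator can tell it apart from a real misconfiguration.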
diff --git a/docs/kb/auditor/can-t-find-a-file-share-in-a-report.md b/docs/kb/auditor/can-t-find-a-file-share-in-a-report.md new file mode 100644 index 0000000000..2fc93d861d --- /dev/null +++ b/docs/kb/auditor/can-t-find-a-file-share-in-a-report.md @@ -0,0 +1,40 @@ +--- +description: >- + Explains why file shares with spaces or hidden shares (ending with `$`) may + not appear in activity reports and how to add them to a monitoring plan. +keywords: + - file share + - hidden share + - monitoring plan + - activity report + - report + - share name + - dollar sign + - \\fileserver +products: + - auditor +sidebar_label: Can't Find a File Share in a Report +tags: [] +title: Can't Find a File Share in a Report +knowledge_article_id: kA0Qk0000000NmDKAU +--- + +# Can't Find a File Share in a Report + +## Question + +Two file shares have been added to a monitoring plan. However, When I run a report, I can't see them. Both file shares have a space in their names: `\fileserver\$`. I'm wondering if the space is the issue. + +## Answer + +Spaces in item names don't affect their visibility in reports. + +When adding a hidden share to the monitoring plan, don't forget to add the `$` sign at the end of the share's name. + +Another way to monitor hidden shares is as follows: + +1. Go to the **Monitoring Plans** section and select a monitoring plan. +2. Click **Add item**, select the **Computer** item type and enter a target server name where your hidden shares are located. +3. In the **Scope** section, select **Monitor user-defined hidden shares**. + +Note that if a share has no activity during a reporting period it will not be in an activity report. Feel free to perform a test action, wait for the data collection to complete, and check the report again. 
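Review bot: In the Question section, the example path `\fileserver\$` has a single leading backslash and no share name, so it shows neither the space nor the hidden share the question is about. It looks as if placeholder text was lost; restore the intended UNC form with an explicit placeholder for the share name. The question asks only about spaces, while the description and the answer centre on the trailing `$`, so add one sentence saying the shares in question are hidden shares. "However, When" should be "However, when".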
diff --git a/docs/kb/auditor/can-t-find-info-about-largest-files-in-the-files-and-folders-created-report.md b/docs/kb/auditor/can-t-find-info-about-largest-files-in-the-files-and-folders-created-report.md new file mode 100644 index 0000000000..8b7024468f --- /dev/null +++ b/docs/kb/auditor/can-t-find-info-about-largest-files-in-the-files-and-folders-created-report.md @@ -0,0 +1,37 @@ +--- +description: >- + Explains how to view file sizes using the Largest Files Report (Reports > File + Servers > File Servers - State-in-Time) when the Files and Folders Created + Report does not show sizes. +keywords: + - largest files + - Files and Folders Created Report + - Largest Files Report + - UNC path + - file sizes + - Netwrix Auditor + - file servers +products: + - auditor +sidebar_label: Can’t Find Info about Largest Files in the Files a +tags: [] +title: "Can’t Find Info about Largest Files in the Files and Folders Created Report" +knowledge_article_id: kA04u000001114VCAQ +--- + +# Can’t Find Info about Largest Files in the Files and Folders Created Report + +## Question + +I tried to detect why there is a large increase in storage for one of our new servers. I ran the **Files and Folders Created Report**, but it doesn’t show the size of files and folders. How can I see the size? + +## Answer + +To see the size of your largest files, use the **Largest Files Report**, which can be found under **Reports** > **File Servers** > **File Servers - State-in-Time**. + +This report shows: + +- Up to 1000 largest files within a specified `UNC` path +- File sizes +- Creation / modification dates +- Owner names diff --git a/docs/kb/auditor/cannot-access-roles-page.md b/docs/kb/auditor/cannot-access-roles-page.md new file mode 100644 index 0000000000..acd0377eb6 --- /dev/null +++ b/docs/kb/auditor/cannot-access-roles-page.md 
@@ -0,0 +1,50 @@ +--- +description: >- + You cannot access the Roles page in the Administrative portals due to an IIS + ASP setting. This article explains the cause and shows how to enable buffering + to resolve the error. +keywords: + - roles page + - IIS + - Enable Buffering + - ASP + - admin virtual directory + - roles.asp + - localhost + - PM + - server error +products: + - auditor +sidebar_label: Cannot access roles page +tags: [] +title: "Cannot access roles page" +knowledge_article_id: kA00g000000H9c2CAC +--- + +# Cannot access roles page + +All pages on Administrative portals work except the Roles. + +`http://localhost/PM/admin/roles.asp` + +An error occurred on the server when processing the URL. Please contact the system administrator. +If you are the system administrator please click here to find out more about this error. + +![User-added](images/servlet_image_3823966b1661.png) + +--- + +This happens because of invalid IIS settings. + +--- + +## Solution + +Follow these steps to fix the issue: + +1. Open **IIS Manager**. +2. Locate the web-site that is hosting the `PM` virtual directory. +3. Navigate to the **admin** virtual directory. +4. Open **ASP** settings under the **IIS** section. + ![User-added](images/servlet_image_3823966b1661.png) +5. Make sure that **Enable Buffering** is set to `True`. diff --git a/docs/kb/auditor/cannot-access-the-help-desk-portal.md b/docs/kb/auditor/cannot-access-the-help-desk-portal.md new file mode 100644 index 0000000000..10fb95c123 --- /dev/null +++ b/docs/kb/auditor/cannot-access-the-help-desk-portal.md 
@@ -0,0 +1,55 @@ +--- +description: >- + If the Help-Desk portal repeatedly prompts for a password even when you enter + the correct one, adjust authentication, proxy, and permissions settings as + described to resolve the issue. +keywords: + - Help-Desk portal + - ALE + - Account Lockout Examiner + - IIS authentication + - proxy settings + - Help-desk operator + - local Administrators + - LAN settings +products: + - auditor +sidebar_label: Cannot access the Help-Desk portal +tags: [] +title: "Cannot access the Help-Desk portal" +knowledge_article_id: kA00g000000H9U1CAK +--- + +# Cannot access the Help-Desk portal + +When using the web portal for Netwrix Account Lockout Examiner, you may be repeatedly prompted for a password even after you type the correct one. Why does the password never get accepted? + +This error indicates your authentication settings need to be adjusted to comply with the following: + +1. The account you are using to access the Help-Desk portal is added to the local **Administrators** group or at least granted the **Help-desk operator security role**. For detailed information on the security roles, refer to the following Netwrix KB article: https://kb.netwrix.com/2735 (How to restrict access to the Help-Desk portal and the Administrative Console). + +2. All authentication types except **Windows authentication** or **Basic authentication** are disabled in the **Internet Information Services (IIS) Manager**, and either Windows or Basic authentication is enabled. + + To ensure the required settings are enabled in **IIS6**, do the following: + a) In the **IIS Manager** left pane, navigate to the **ALE** virtual directory (by default `\ -> Web Sites -> Default Web Site -> ALE`). + b) Right-click the **ALE** folder and select **Properties**. + c) In the **Properties** dialog, open the **Directory Security** tab, and select **Edit** for **Authentication and Access Control**. 
+ d) In the **Authentication Methods** dialog, select either the **Integrated Windows authentication** box or **Basic authentication** (password is sent in clear text), and clear all other authentication options for Authentication access. + + ![User-added image](images/ka04u000000HcNm_0EM700000004xES.png) + + To ensure the required settings are enabled in **IIS7**, do the following: + a) In the **IIS Manager** left pane, navigate to the **ALE** virtual directory (by default `\ -> Sites -> Default Web Site -> ALE`). + b) In the Manager central pane, double-click the **Authentication** option. + c) In the Authentication list, enable either the **Windows Authentication** option or **Basic Authentication**, and disable all other authentication options. + + ![User-added image](images/ka04u000000HcNm_0EM700000004xEN.png) + +3. Your proxy server is disabled or bypassed. To check the proxy settings, do the following: + a) Go to **Control panel -> Internet options**. + b) In the **Internet Properties** dialog, open the **Connections** tab and click the **LAN settings** button. + c) Make sure the **Use a proxy server for your LAN** option is not enabled. Otherwise, make sure the **Bypass proxy server for local addresses** option is enabled too; in this case the Help-Desk portal must be a member of the **Local intranet zone**, or specified as exception. + + ![User-added image](images/ka04u000000HcNm_0EM700000004xEI.png) + +4. The account you are using has READ access to the physical directory of the Web-portal (by default `C:Program Files (x86)NetWrixAccount Lockout ExaminerWeb`) diff --git a/docs/kb/auditor/cannot-complete-login-due-to-an-incorrect-user-name-or-password.md b/docs/kb/auditor/cannot-complete-login-due-to-an-incorrect-user-name-or-password.md new file mode 100644 index 0000000000..b214e3ae78 --- /dev/null +++ b/docs/kb/auditor/cannot-complete-login-due-to-an-incorrect-user-name-or-password.md 
@@ -0,0 +1,32 @@ +--- +description: >- + Describes the "Cannot complete login due to an incorrect user name or + password" error when saving a VMware Virtual Center snapshot in Netwrix + Auditor and instructs you to enter credentials for the Virtual Center or + ESX(i) server. +keywords: + - VMware + - Virtual Center + - snapshot + - login error + - incorrect user name or password + - ESX + - credentials + - Netwrix Auditor +products: + - auditor +sidebar_label: Cannot complete login due to an incorrect user nam +tags: [] +title: "Cannot complete login due to an incorrect user name or password" +knowledge_article_id: kA00g000000H9bPCAS +--- + +# Cannot complete login due to an incorrect user name or password + +`Change analysis completed with error: Error saving current VMware Virtual Center snapshot: Cannot complete login due to an incorrect user name or password.` + +--- + +Select the **Change** button to enter in the credentials for the Virtual Center or ESX(i) Server: + +![User-added](images/servlet_image_3823966b1661.png) diff --git a/docs/kb/auditor/cannot-copy-snapshot-to-long-term-archive-access-to-short-term-archive-is-denied.md b/docs/kb/auditor/cannot-copy-snapshot-to-long-term-archive-access-to-short-term-archive-is-denied.md new file mode 100644 index 0000000000..620f347fb3 --- /dev/null +++ b/docs/kb/auditor/cannot-copy-snapshot-to-long-term-archive-access-to-short-term-archive-is-denied.md 
@@ -0,0 +1,56 @@ +--- +description: >- + This article explains how to resolve Event ID 2002 when Netwrix Auditor cannot + copy snapshots to the Long-Term Archive due to denied access to the Short-Term + Archive path. It outlines symptoms, cause, and step-by-step resolution. +keywords: + - long-term archive + - short-term archive + - Event ID 2002 + - permissions + - service account + - Netwrix Auditor + - Health Log + - snapshot +products: + - auditor +sidebar_label: Cannot Copy Snapshot to Long-Term Archive − Access +tags: [] +title: "Cannot Copy Snapshot to Long-Term Archive − Access to Short-Term Archive Is Denied" +knowledge_article_id: kA04u00000111ATCAY +--- + +# Cannot Copy Snapshot to Long-Term Archive − Access to Short-Term Archive Is Denied + +## Symptoms + +- The following error is prompted in Health Log for one or multiple monitoring plans set up: + +```text +Event ID: 2002 +Cannot copy the %name% snapshot to the Long-Term Archive +Access to the path %ShortTerm% is denied. +``` + +- Statuses for items and data sources in affected monitoring plans state **Working**/**Take Action** and do not change. + +- No data is collected in the affected monitoring plans. + +## Cause + +Write permissions for the custom Long-Term Archive service account are misconfigured. + +## Resolution + +1. Review the permissions settings for the affected Long-Term Archive service account. Refer to the following article for additional information: Installation − Configure Long-Term Archive Account ⸱ v10.5 (/docs/auditor/10.5/auditor/permissions/archiveaccount). + +2. Allow Full Control permissions to the affected Long-Term Archive service account for the following 2 folders: + + 1. Long-term Archive — you can establish the location by following **Settings** > **Long-Term Archive** > **Write audit data to**. The default location is `%PROGRAMDATA%\Netwrix Auditor\Data`. + + 2. 
Short-Term Archive — you can establish the location by following **Health Status** > **Open diagnostic logs folder** under **Working folder** > parent folder of the **Logs** folder. The default location is `C:\ProgramData\Netwrix Auditor\ShortTerm`. + +## Related articles + +- Installation − Configure Long-Term Archive Account ⸱ v10.5 + /docs/auditor/10.5/auditor/permissions/archiveaccount diff --git a/docs/kb/auditor/cannot-establish-a-connection-to-a-windows-file-server-compression-service.md b/docs/kb/auditor/cannot-establish-a-connection-to-a-windows-file-server-compression-service.md new file mode 100644 index 0000000000..c9b1a01f92 --- /dev/null +++ b/docs/kb/auditor/cannot-establish-a-connection-to-a-windows-file-server-compression-service.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Explains how to resolve the "Cannot establish a connection to a Compression + Service (0x80070424)" error in Netwrix Auditor for File Servers by enabling + the Remote Registry Service and rebooting the Netwrix Auditor server. +keywords: + - Netwrix Auditor + - Compression Service + - Remote Registry Service + - 2147943460 + - Application Deployment Service + - Windows File Servers + - file server + - connection error +products: + - auditor +sidebar_label: Cannot Establish a Connection to a Windows File Se +tags: [] +title: "Cannot Establish a Connection to a Windows File Server Compression Service" +knowledge_article_id: kA04u000000wnqMCAQ +--- + +# Cannot Establish a Connection to a Windows File Server Compression Service + +## Symptoms + +1. Symptom 1. The following error appears when trying to process an item with Netwrix Auditor for File Servers: + +```text +Unable to process item: Cannot establish a connection to a Compression Service (0x80070424 The specified service does not exist as an installed service). +``` + +2. Symptom 2. The **Netwrix Auditor Application Deployment Service** is not installed on the target server. + +## Cause + +The error appears when the **Remote Registry Service** was disabled on the target server. + +## Resolution + +To resolve the error, do the following: + +1. Enable the **Remote Registry Service** referencing the following article: /docs/auditor/10.6/auditor/configurationuration/fileservers/windows (Configuration — Windows File Servers — Enable Remote Registry Service — v10.6). +2. Reboot Netwrix Auditor Server. + +After that, the **Netwrix Auditor Application Deployment Service** appears on the target file server. Depending on the amount of audited data, further data collection may take a while. + +### Related Articles + +- /docs/kb/auditor/how_to_investigate_compression_services_errors — How to Investigate Compression Services Errors. 
+- /docs/auditor/10.6/auditor/configurationuration/fileservers/windows — Configuration — Windows File Servers — Enable Remote Registry Service — v10.6. diff --git a/docs/kb/auditor/cannot-establish-connection-to-compression-service.md b/docs/kb/auditor/cannot-establish-connection-to-compression-service.md new file mode 100644 index 0000000000..8d7a06ea66 --- /dev/null +++ b/docs/kb/auditor/cannot-establish-connection-to-compression-service.md 
@@ -0,0 +1,54 @@ +--- +description: >- + This article explains how to resolve the "Cannot establish a connection to a + Compression Service" (Event ID 6104) error by restarting the Netwrix Auditor + Application Deployment Service on the audited computer. +keywords: + - compression service + - Event ID 6104 + - Netwrix Auditor + - Application Deployment Service + - services.msc + - 2147943458 + - restart service + - monitoring plan +products: + - auditor +sidebar_label: Cannot Establish Connection to Compression Service +tags: [] +title: "Cannot Establish Connection to Compression Service" +knowledge_article_id: kA04u00000111FTCAY +--- + +# Cannot Establish Connection to Compression Service + +## Symptom + +Error message: + +```text +Source: File Storage Audit Service +Event ID: 6104 +Description: Monitoring plan: +Error: Unable to process item. Cannot establish a connection to a Compression Service +0x80070422 +The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. +``` + +## Cause + +The Netwrix Auditor Application Deployment Service is not running on the audited computer. + +## Resolution + +To restart the Netwrix Auditor Application Deployment Service: + +1. Open Windows Services from the Run dialog box using `services.msc` or access it with the Search. +2. Right click on the **Netwrix Auditor Application Deployment Service** and select **Restart**. + + > **IMPORTANT:** Make sure you use the **Restart** command, not **Refresh**. + +3. Wait for some time. This may take several hours in large environments. +4. Check that the restart is successful: + - Go to a monitoring plan that was mentioned in the error message and confirm that its status has changed to **Ready**. + - Ensure that activity records are being collected again. 
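Review bot: The Resolution only tells the reader to use **Restart**, but the quoted 0x80070422 text in the Symptom block says the service cannot be started "because it is disabled", and a disabled service will not restart. Add a step before step 2 to check the service's startup type and enable it if needed. In the same Symptom block, `Description: Monitoring plan:` has no value, yet step 4 refers to "a monitoring plan that was mentioned in the error message"; add a placeholder such as `%monitoring_plan_name%` so the reference resolves. Step 3 ("Wait for some time") should also say what to check while waiting, since "several hours" gives no way to tell a slow recovery from a failed one.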
diff --git a/docs/kb/auditor/cannot-find-the-application-error-in-sharepoint-online-and-ms-teams-monitoring-plan.md b/docs/kb/auditor/cannot-find-the-application-error-in-sharepoint-online-and-ms-teams-monitoring-plan.md new file mode 100644 index 0000000000..9f65d06ac8 --- /dev/null +++ b/docs/kb/auditor/cannot-find-the-application-error-in-sharepoint-online-and-ms-teams-monitoring-plan.md 
@@ -0,0 +1,65 @@ +--- +description: >- + This article explains how to resolve the "Cannot find the application" error + in SharePoint Online and Microsoft Teams monitoring plans in Netwrix Auditor. + It provides symptoms, causes, and steps to verify the Application ID and API + permissions for the Azure app. +keywords: + - SharePoint Online + - Microsoft Teams + - Application ID + - Azure app + - API permissions + - Netwrix Auditor + - monitoring plan + - State-in-Time + - Cannot find the application +products: + - auditor +sidebar_label: 'Cannot Find the Application Error in SharePoint Online and MS Teams Monitoring Plan' +tags: [] +title: >- + Cannot Find the Application Error in SharePoint Online and MS Teams Monitoring + Plan +knowledge_article_id: kA04u00000111HeCAI +--- + +# Cannot Find the Application Error in SharePoint Online and MS Teams Monitoring Plan + +## Symptoms + +- The following error is prompted in Health Log for your SharePoint Online or Microsoft Teams monitoring plan: + +```text +Source:SharePoint Online Audit Service +Event ID:3205 +Description:Monitoring plan: %monitoring_plan_name% +Item: %name% +The following unexpected error occurred: +Cannot find the application. +``` + +- The State-in-Time data is not collected. + +## Causes + +- Incorrect Application ID provided for the affected item in the monitoring plan. +- Misconfigured API permissions for the corresponding Azure app. + +## Resolutions + +- Review the Application ID provided. You can find the Application ID of your app in the **Overview** page once you select the app in the **App registrations** section. Refer to the following Netwrix Auditor article for additional information on the initial Azure app setup: Netwrix Auditor — Permissions for SharePoint Online Auditing − Creating and registering a new app in Microsoft Entra ID ⸱ v10.6. 
For additional information on creating an app for Teams auditing, refer to the following Netwrix Auditor article: Netwrix Auditor — Permissions for Teams Auditing − Create and Register a New App in Microsoft Entra ID ⸱ v10.6. + +![SPOAppID](images/ka0Qk0000001L8r_0EM4u000008MV3l.png) + +- Review the app API permissions granted. You can either specify API permissions manually or use a manifest. Refer to the following Netwrix Auditor article for additional information on granting permissions: Netwrix Auditor — Permissions for SharePoint Online Auditing − Granting required permissions ⸱ v10.6. For additional information on permissions for Teams auditing, refer to the following Netwrix Auditor article: Netwrix Auditor — Permissions for Teams Auditing − Grant Required Permissions ⸱ v10.6. + +## Related articles + +- Netwrix Auditor — Permissions for SharePoint Online Auditing − Creating and registering a new app in Microsoft Entra ID ⸱ v10.6 + +- Netwrix Auditor — Permissions for Teams Auditing − Create and Register a New App in Microsoft Entra ID ⸱ v10.6 + +- Netwrix Auditor — Permissions for SharePoint Online Auditing − Granting Required Permissions ⸱ v10.6 + +- Netwrix Auditor — Permissions for Teams Auditing − Grant Required Permissions ⸱ v10.6 diff --git a/docs/kb/auditor/cannot-generate-sspi-context-error-in-sql-server-monitoring-plan.md b/docs/kb/auditor/cannot-generate-sspi-context-error-in-sql-server-monitoring-plan.md new file mode 100644 index 0000000000..da3af1ea67 --- /dev/null +++ b/docs/kb/auditor/cannot-generate-sspi-context-error-in-sql-server-monitoring-plan.md 
@@ -0,0 +1,113 @@ +--- +description: >- + Shows how to troubleshoot and resolve the "Cannot generate SSPI context" error + when Netwrix Auditor or the SQL Logons Connector for Netwrix OneSecutre DSPM + attempts to connect to a SQL Server instance, including causes and + step-by-step resolutions. +keywords: + - SSPI + - Kerberos + - SPN + - SQL Server + - Netwrix Auditor + - OneSecutre + - setspn + - TLS + - time synchronization +products: + - auditor + - onesecure +sidebar_label: Cannot Generate SSPI Context Error in SQL Server M +tags: [] +title: "Cannot Generate SSPI Context Error in SQL Server Monitoring Plan" +knowledge_article_id: kA04u0000000HefCAE +--- + +# Cannot Generate SSPI Context Error in SQL Server Monitoring Plan + +## Symptom + +The following error is displayed in the Health Log for your SQL Server monitoring plan, or when Netwrix Auditor or the SQL Logons Connector for Netwrix OneSecutre DSPM attempts to connect to a SQL Server instance: + +```text +Source: SQL Server Audit Service +Computer: %affected_Auditor_server% +Description: Unable to retrieve a SQL Server instance name for the item %item_name%. +The instance was unreachable and the item was skipped from processing: +The target principal name is incorrect. +Cannot generate SSPI context. +``` + +This error may also affect the state-in-time snapshot collection, the SQL Server instance used by Netwrix Auditor to store and retrieve audit data, and the SQL Logons Connector for Netwrix OneSecutre DSPM. + +## Causes + +1. The firewall settings either in your SQL Server or Netwrix Auditor server are misconfigured. +2. The service account used to start the SQL Server service does not have a Service Principal Name (SPN) registered, or the SPN is missing or incorrect. +3. The Netwrix Auditor server and SQL Server cannot communicate due to different TLS protocol versions. +4. The SQL Server and the Netwrix Auditor server have a significant time difference. 
+ +## Resolutions + +> **NOTE:** To refresh the monitoring plan after making changes, go to the main **Netwrix Auditor** menu > **Monitoring Plans** > select your SQL Server monitoring plan and click **Edit** > click the **Update** button in the right pane. + +### Cause #1 – Firewall Settings + +Verify the firewall settings in your environment. For additional information on ports required for SQL Server monitoring, see SQL Server – SQL Server Ports · v10.7: /docs/auditor/10.7/auditor/configurationuration/sqlserver + +### Cause #2 – SQL Server Service Accounts and SPN Registration + +> **NOTE:** The SPN must be registered for the service startup account that the SQL Server service is running under. If the SPN is missing or incorrect, Kerberos authentication will fail and this error may occur. + +To troubleshoot possible issues with Service Principal Names (SPNs), consider the following options: + +- You can use Kerberos Configuration Manager on both your Netwrix Auditor and SQL servers to identify and resolve issues related to the service account used by SQL Server. For more information, see Cannot Generate SSPI Context – Fix the Error with Kerberos Configuration Manager · Microsoft: https://learn.microsoft.com/en-US/troubleshoot/sql/database-engine/connect/cannot-generate-sspi-context-error#fix-the-error-with-kerberos-configuration-manager-recommended + +- You can create a `.udl` file to test SQL Server connectivity: + 1. On either the Netwrix Auditor server or SQL Server, open File Explorer > the **View** tab > check the **File name extensions** checkbox. + 2. Create a ` .txt` file. + 3. Change the file extension to `.udl` and open the file. + 4. In the **Connection** tab, specify the SQL Server name and the service account credentials, then click **Test Connection**. + +SPNs for service accounts can be registered both automatically and manually. 
For information about automatic SPN registration, see Register Service Principal Name for Kerberos Connections – Automatic SPN Registration · Microsoft: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-ver16#Auto + +To register an SPN for a domain account or the Network Service account, use the following steps: + +1. Launch an elevated Command Prompt on any server in the SQL Server forest. +2. If using a domain user account as the service account, run the following command to register an SPN for the server and verify there are no duplicates: + +```bash +setspn -S http/testlab-sql domain\\user +``` + +3. If using the Network Service account as the service account, run the following command to register an SPN for the server and verify there are no duplicates: + +```bash +setspn -s MSSQLSvc/testlab-sql testlab-sql +``` + +To register an SPN for a specific instance (using port 1433 or another port), run: + +```bash +setspn -s MSSQLSvc/testlab-sql:1433 testlab-sql +``` + +> **IMPORTANT:** Replace placeholders with your actual SQL Server name, domain service account, and port. In the examples above, `testlab-sql` stands for the server name. + +If you are unable to resolve the issue with SPN registration, and if your scenario allows, you may use SQL authentication as a workaround. However, SQL authentication is **not available** for SQL Server auditing in Netwrix Auditor. + +### Cause #3 – Different TLS Protocol Versions + +Allow the operating systems to select the protocol for incoming and outgoing communication on both your Netwrix Auditor and SQL servers. 
For more information, see Client and Server Cannot Communicate, Because They Do Not Possess a Common Algorithm: /docs/kb/auditor/client_and_server_cannot_communicate,_because_they_do_not_possess_a_common_algorithm + +### Cause #4 – SQL and Netwrix Auditor Servers Time Difference + +Synchronize the time on both SQL and Netwrix Auditor servers to eliminate clock skew. For more information, see Clock Skew Is Too Great: /docs/kb/auditor/clock_skew_is_too_great + +## Related Articles + +- SQL Server – SQL Server Ports · v10.7: /docs/auditor/10.7/auditor/configurationuration/sqlserver +- Cannot Generate SSPI Context – Fix the Error with Kerberos Configuration Manager · Microsoft: https://learn.microsoft.com/en-US/troubleshoot/sql/database-engine/connect/cannot-generate-sspi-context-error#fix-the-error-with-kerberos-configuration-manager-recommended +- Register Service Principal Name for Kerberos Connections – Automatic SPN Registration · Microsoft: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-ver16#Auto +- Client and Server Cannot Communicate, Because They Do Not Possess a Common Algorithm: /docs/kb/auditor/client_and_server_cannot_communicate,_because_they_do_not_possess_a_common_algorithm +- Clock Skew Is Too Great: /docs/kb/auditor/clock_skew_is_too_great diff --git a/docs/kb/auditor/cannot-obtain-credential-information-for-mapped-drive.md b/docs/kb/auditor/cannot-obtain-credential-information-for-mapped-drive.md new file mode 100644 index 0000000000..d02871f48b --- /dev/null +++ b/docs/kb/auditor/cannot-obtain-credential-information-for-mapped-drive.md 
@@ -0,0 +1,33 @@ +--- +description: >- + Explains the "Cannot obtain credential information for drive <> mapped by <>" + error returned by Netwrix Account Lockout Examiner and what it means. +keywords: + - account lockout + - mapped drive + - credentials + - Windows registry + - Netwrix + - Account Lockout Examiner + - mapped drives + - error message + - credential information +products: + - auditor +sidebar_label: Cannot obtain credential information for mapped dr +tags: [] +title: "Cannot obtain credential information for mapped drive" +knowledge_article_id: kA00g000000H9T9CAK +--- + +# Cannot obtain credential information for mapped drive + +The following error is returned on account lockout examination: + +`Cannot obtain credential information for drive <> mapped by <>` + +![User-added image](images/ka04u000000HcMw_0EM700000004wzm.png) + +--- + +This error means that there are mapped drives in the system, but Netwrix Account Lockout Examiner for some reason cannot read the information on the credentials used to map drives in the Windows registry of the examined machine. This error usually occurs when the user under whose account a drive is mapped, used their own credentials, or a drive is mapped each time a user logs on with the current crendeitals. diff --git a/docs/kb/auditor/cannot-retrieve-audit-settings-in-audit-configuration-assistant.md b/docs/kb/auditor/cannot-retrieve-audit-settings-in-audit-configuration-assistant.md new file mode 100644 index 0000000000..202251b727 --- /dev/null +++ b/docs/kb/auditor/cannot-retrieve-audit-settings-in-audit-configuration-assistant.md 
@@ -0,0 +1,52 @@ +--- +description: >- + When using Netwrix Auditor Audit Configuration Assistant, you may see errors + indicating inability to retrieve audit settings or admin audit logging + settings due to insufficient permissions. +keywords: + - audit settings + - Audit Configuration Assistant + - Domain Controllers + - SACL + - admin audit logging + - permissions + - Netwrix Auditor +products: + - auditor +sidebar_label: Cannot Retrieve Audit Settings in Audit Configurat +tags: [] +title: "Cannot Retrieve Audit Settings in Audit Configuration Assistant" +knowledge_article_id: kA04u000001114QCAQ +--- + +# Cannot Retrieve Audit Settings in Audit Configuration Assistant + +## Symptom + +During the assessment via Netwrix Auditor Audit Configuration Assistant you've encountered one of the following errors: + +```text +Cannot retrieve audit settings for these Domain Controllers: +%DC_name% +Could not connect to a remote registry (0x80070005 Access is denied) +``` + +```text +Cannot retrieve audit settings. Make sure that current user account has permissions required to access SACL configuration. +``` + +```text +Cannot retrieve admin audit logging settings. Cannot execute the PowerShell command. +[FailureCategory=AuthZ-CmdletAccessDeniedException] +The user %user% isn't assigned to any management roles. +``` + +![Audit Configuration Assistant error screenshot](images/ka04u00000117HQ_0EM4u000008M035.png) + +## Cause + +The user is not included in any or one of the following groups: Domain Admins, Enterprise Admins, Organization Management of Records Management (in Exchange organization). + +## Resolution + +Configure the user to be used in the Audit Configuration Assistant utility. For additional information on user permissions required for Audit Configuration Assistant utility, refer to the following article: /docs/auditor/10.6/auditor/tools 
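Review bot: The Cause sentence is ambiguous in two places: "not included in any or one of the following groups" does not say whether membership in every listed group or in just one is required, and "Organization Management of Records Management" reads like a typo for "or". This wording decides how much privilege gets granted to the account, so map each of the three errors in the Symptom section to the group membership it requires. The Resolution should then name the relevant section of /docs/auditor/10.6/auditor/tools rather than only the top-level path.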
diff --git "a/docs/kb/auditor/cannot_execute_powershell_\321\201ommand_error_in_exchange_online_monitoring_plan.md" "b/docs/kb/auditor/cannot_execute_powershell_\321\201ommand_error_in_exchange_online_monitoring_plan.md" new file mode 100644 index 0000000000..9cc57ea14a --- /dev/null +++ "b/docs/kb/auditor/cannot_execute_powershell_\321\201ommand_error_in_exchange_online_monitoring_plan.md" 
@@ -0,0 +1,90 @@ +--- +description: >- + This article addresses the "Cannot Execute PowerShell Command" error encountered in the Exchange Online monitoring plan for Netwrix Auditor, detailing symptoms, causes, and resolutions. +keywords: + - PowerShell + - Exchange Online + - Netwrix Auditor +sidebar_label: PowerShell Command Error +tags: [] +title: "Cannot Execute PowerShell Command Error in Exchange Online Monitoring Plan" +knowledge_article_id: kA04u000001112PCAQ +products: + - auditor +--- + +# Cannot Execute PowerShell Command Error in Exchange Online Monitoring Plan + +## Symptom + +One of the following errors is prompted in the Health Log for your Exchange Online monitoring plan: + +``` +Event ID: 2002 +User: N/A +Description: Monitoring Plan: %Exchange Online Monitoring Plan name% + +The following error has occurred while processing '%domain_name%': + +Cannot Execute the PowerShell command. Error. Connecting to the remote server outlook.office365.com failed with the following error message: +For more information, see the about_Remote_Troubleshooting Help topic. +``` + +``` +Event ID: 2002 +User: N/A +Description: Monitoring Plan: %Exchange Online Monitoring Plan name% + +The following error has occurred while processing '%domain_name%': + +Connecting to the remote server outlook.office365.com failed with the following error message: +For more information, see the about_Remote_Troubleshooting Help topic. +``` + +> **NOTE:** The white space after the `following error message:` as well as the absence of the error message itself are both strong indicators for this issue. + +## Cause + +The Exchange Online Management PowerShell module is outdated. + +## Resolution + +### Resolution 1. For Netwrix Auditor v10.5 and older + +Update the Exchange Online Management PowerShell module on your Netwrix Auditor server. Run the following command in the elevated PowerShell prompt: + +```powershell +Update-Module -Name "ExchangeOnlineManagement" +``` + +### Resolution 2. 
For Netwrix Auditor v10.6 + +> **NOTE:** Netwrix Auditor v10.6.12275 (GA) installs and requires ExchangeOnlineManagement PowerShell module v3.0 to operate. For Netwrix Auditor v10.6.12275 users, it is recommended to upgrade to the latest version available. For additional information, refer to the following link: [Upgrade to the Latest Version ⸱ v10.6](/docs/auditor/10.6/install/upgrade). +> Netwrix Auditor v10.6.12299 (Update 1) installs and requires ExchangeOnlineManagement PowerShell module v3.2 to operate. + +1. Netwrix Auditor v10.6.12299 (Update 1) uses the ExchangeOnlineManagement PowerShell (EXO) module v3.2 and newer. + + Upgrade the EXO module by uninstalling the previous version and installing the EXO v3.2 module. Follow the installation steps in this article: [Deprecation of Remote PowerShell (RPS) Protocol in Exchange Online PowerShell – If you have installed any module earlier than v3 ⸱ Microsoft 🡥](https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-deprecation-of-remote-powershell-rps-protocol-in/ba-p/3695597). + +2. Check if Remote PowerShell (RPS) is deprecated by MS. You can find instructions and the deprecation timeline here: [Deprecation of Remote PowerShell in Exchange Online – Re-enabling or Extending RPS support ⸱ Microsoft 🡥](https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-remote-powershell-in-exchange-online-re-enabling/ba-p/3779692). + + If it's disabled, you will need to review the PowerShell installation on the Netwrix Auditor server. + +3. Auditor versions prior to 10.6 used ExchangeOnlineManagement v2. It is now deprecated by MS, so check the ExchangeOnlineManagement installed on your system: + + ``` + get-module -ListAvailable | Where-object {$_.Name -like '*Exchange*'} + ``` + + > **TIP:** If you see a 2.x or 3.0 version, you will need to delete it. Netwrix Auditor will attempt to use it and will not be able to install v3.2.0. + +Steps to remove/update ExchangeOnlineManagement: + +1. 
Disable the Exchange Online Monitoring Plan in Auditor. +2. Delete all ExchangeOnlineManagement installed on your system: + + ``` + Get-InstalledModule -Name ExchangeOnlineManagement | Uninstall-Module + ``` + +3. Enable the Exchange Online Monitoring Plan in Auditor. Then Netwrix Auditor will install v3.2.0. \ No newline at end of file diff --git a/docs/kb/auditor/cannot_remove_ui_configuration_from_jobs_using_powershell_data_collector_jobs_with_parameters.md b/docs/kb/auditor/cannot_remove_ui_configuration_from_jobs_using_powershell_data_collector_jobs_with_parameters.md new file mode 100644 index 0000000000..70fc2a70ac --- /dev/null +++ b/docs/kb/auditor/cannot_remove_ui_configuration_from_jobs_using_powershell_data_collector_jobs_with_parameters.md 
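Review bot: In the removal steps at the end of the Exchange Online article, step 2 says to delete all installed ExchangeOnlineManagement versions, but `Get-InstalledModule -Name ExchangeOnlineManagement | Uninstall-Module` returns only the newest installed version unless `-AllVersions` is passed, so an older 2.x copy can survive the step; add `-AllVersions` to `Get-InstalledModule` or tell the reader to repeat the command until nothing is listed. The TIP under step 3 says a 3.0 module must be deleted while the NOTE above says v10.6.12275 (GA) requires v3.0, so scope the TIP to v10.6.12299 (Update 1). The file name also contains a non-ASCII letter in "сommand" (the `\321\201` escape in the quoted path); rename it with an ASCII "c" so links and searches resolve. The two PowerShell fences in this part are untagged while the earlier one uses `powershell`.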
@@ -0,0 +1,47 @@ +--- +description: >- + This article explains how to resolve the issue of being unable to remove an output path in the Netwrix Access Analyzer Management Console using the UI, and provides a workaround using PowerShell Data Collector Jobs. +keywords: + - Netwrix Access Analyzer + - PowerShell Data Collector + - job configuration +sidebar_label: Remove UI Configuration from Jobs +tags: [] +title: "Cannot Remove UI Configuration from Jobs Using PowerShell Data Collector Jobs with Parameters" +knowledge_article_id: kA0Qk0000002dmrKAA +products: + - auditor +--- + +# Cannot Remove UI Configuration from Jobs Using PowerShell Data Collector Jobs with Parameters + +## Symptom + +In the **Netwrix Access Analyzer** (formerly **Enterprise Auditor**) Management Console, you cannot remove an unneeded output path in a job's configuration settings via the UI. When the path is removed, the option to save the setting appears disabled as shown below. + +![Output path disabled in UI](./images/servlet_image_b26ce25b201c.png) + +## Cause + +The current design of the **Access Analyzer Management Console** does not allow saving empty values for the UI configuration fields within the job configuration settings. + +## Resolution + +To remove the output path variable, use the **PowerShell Data Collector** wizard as a workaround: + +1. Open the job query in the **Access Analyzer Management Console**. +2. Highlight the needed query and select **Query Properties**. +3. In the **Query Properties** pop-up window, click **Configure**. +4. Select the **Edit Query** option. +5. Click the **Parameters** button on the right side of the Edit PowerShell Query Settings. +6. Select the parameter to be cleared and click **Edit**. + ![Edit parameter](./images/servlet_image_dcd3919a2b21.png) + +7. Once the value box appears, delete the value and click **OK**. + ![Delete value](./images/servlet_image_df5aa01d204f.png) + +8. 
Complete the rest of the **PowerShell Data Collector** wizard by clicking **Next** and **Finish**. +9. Click **OK** on the query properties box. +10. Return to the job page and verify that the output path variable is empty. + +> **NOTE:** This workaround is temporary. A feature request has been submitted to allow saving empty values directly through the UI in a future release. \ No newline at end of file diff --git a/docs/kb/auditor/certificate-related-and-unauthorized-errors-occur-when-trying-to-review-netwrix-auditor-reports.md b/docs/kb/auditor/certificate-related-and-unauthorized-errors-occur-when-trying-to-review-netwrix-auditor-reports.md new file mode 100644 index 0000000000..54892f299a --- /dev/null +++ b/docs/kb/auditor/certificate-related-and-unauthorized-errors-occur-when-trying-to-review-netwrix-auditor-reports.md 
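Review bot: The front matter of cannot_remove_ui_configuration_from_jobs_using_powershell_data_collector_jobs_with_parameters.md lists `products: - auditor` and the file sits under docs/kb/auditor, but the body is entirely about Netwrix Access Analyzer (formerly Enterprise Auditor). Confirm the product tag and folder so the article surfaces under the right product, or add a line explaining why it belongs with Auditor.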
@@ -0,0 +1,55 @@ +--- +description: >- + Describes certificate enrollment (RPC server is unavailable) and unauthorized + access errors when running Netwrix Auditor reports, and provides + troubleshooting steps and resolutions. +keywords: + - netwrix + - auditor + - certificate enrollment + - RPC server is unavailable + - unauthorized error + - trusted domain + - data collection + - domains +products: + - auditor +sidebar_label: 'Certificate-related and unauthorized errors occur ' +tags: [] +title: "Certificate-related and unauthorized errors occur when trying to review Netwrix Auditor reports" +knowledge_article_id: kA04u00000110wCCAQ +--- + +# Certificate-related and unauthorized errors occur when trying to review Netwrix Auditor reports + +## Symptoms + +1. Symptom 1. You tried to run an Auditor report and got the following error: + +``` +An error occurred while enrolling for a certificate, the certificate request could not be submitted to the certificate authority. RPC server is unavailable. +``` + +2. Symptom 2. Unauthorized error while accessing a report. + ![User-added image](images/ka04u000001173i_0EM4u000008Liq9.png) + +## Causes + +Here are the possible causes for the issue: + +- For symptom 1. Microsoft lists multiple causes of this error, please use the link to the Microsoft troubleshooting article below for the full list of possible causes and resolution steps. +- For symptom 2. Unauthorized error occurs if the account used to run Netwrix Auditor does not belong to a trusted domain. + +## Resolutions + +Here are possible options to resolve the issue: + +1. For the symptom 1, learn more about the error causes and possible resolution steps in [Error 0x800706ba "The RPC Server is unavailable" when you enroll a certificate ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/error-0x800706ba-certificate-enrollment) + +2. For the symptom 2, do the following: + +- Check how many domains you have. 
+- Check that the account used for data collection is on the same domain as the Netwrix Auditor Server or another domain. +- Check if those domains are trusted. If not, add the Netwrix Site to the trusted list. + +![User-added image](images/ka04u000001173i_0EM4u000008LirC.png) diff --git a/docs/kb/auditor/change-analysis-completed-with-error-error-saving-current-vmware-virtual-center-snapshot-the-server-.md b/docs/kb/auditor/change-analysis-completed-with-error-error-saving-current-vmware-virtual-center-snapshot-the-server-.md new file mode 100644 index 0000000000..dc13f9bc40 --- /dev/null +++ b/docs/kb/auditor/change-analysis-completed-with-error-error-saving-current-vmware-virtual-center-snapshot-the-server-.md 
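Review bot: In the certificate-related and unauthorized errors article, the Resolution for symptom 2 does not line up with the stated cause. The cause is that the account running Netwrix Auditor does not belong to a trusted domain, yet the last bullet says to "add the Netwrix Site to the trusted list" without saying which list or where it is configured, and the second bullet ("on the same domain as the Netwrix Auditor Server or another domain") is true of any account, so it checks nothing. State the actual checks: which account, which domains, and how the trust is verified. The bullets under item 2 are not indented, so they render outside the numbered list, and both images carry the alt text "User-added image".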
@@ -0,0 +1,45 @@ +--- +description: >- + Explains how to resolve the error "Change analysis completed with an error: + Error saving current VMware Virtual Center snapshot: The server committed a + protocol violation. Section=ResponseStatusLine" by updating the Managed Object + link to use the Virtual Center server name or IP without a port. +keywords: + - VMware + - Virtual Center + - ESX + - snapshot + - protocol violation + - ResponseStatusLine + - Managed Object link + - connection error + - Netwrix Auditor + - troubleshooting +products: + - auditor +sidebar_label: 'Change analysis completed with error: Error saving' +tags: [] +title: "Change analysis completed with error: Error saving current VMware Virtual Center snapshot: The server committed a protocol violation" +knowledge_article_id: kA00g000000H9atCAC +--- + +# Change analysis completed with error: Error saving current VMware Virtual Center snapshot: The server committed a protocol violation + +You receive the error message: + +``` +Change analysis completed with an error: Error saving current VMware Virtual Center snapshot: The server committed a protocol violation. Section=ResponseStatusLine +``` + +## Cause + +The link you are using to connect to the Virtual Center server or ESX(i) host is incorrect. + +## Resolution + +1. Change the Managed Object link to the following: + - `https://VirtualCenterServer` + +Where `VirtualCenterServer` is the network name or IP address of the Virtual Center server or ESX(i) host you are connecting to. + +**Note**: The port number is not needed! diff --git a/docs/kb/auditor/change-data-collecting-account-password-in-netwrix-auditor.md b/docs/kb/auditor/change-data-collecting-account-password-in-netwrix-auditor.md new file mode 100644 index 0000000000..d01d6fcee0 --- /dev/null +++ b/docs/kb/auditor/change-data-collecting-account-password-in-netwrix-auditor.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Learn how to update the password for the data-collection account used by + multiple monitoring plans in Netwrix Auditor. +keywords: + - Netwrix Auditor + - data-collection account + - change password + - monitoring plans + - accounts and passwords + - Update password + - restart services + - Netwrix Password Reset + - Event Log Manager +products: + - auditor +sidebar_label: Change Data Collecting Account Password in Netwrix +tags: [] +title: "Change Data Collecting Account Password in Netwrix Auditor" +knowledge_article_id: kA04u000001115nCAA +--- + +# Change Data Collecting Account Password in Netwrix Auditor + +## Question + +How can you change the password for the data-collection account in multiple monitoring plans in Netwrix Auditor at once? + +## Answer + +Refer to the following steps to update the password for your data-collection account in Netwrix Auditor: + +1. In the main Netwrix Auditor menu, click **Settings**. +2. In the left pane, select the **General** tab. +3. Click **Manage** under **Accounts and passwords**. +4. In the left pane, select the account whose password you'd like to update. Once selected, click the **Update password** button. +5. Provide a new password, and click **OK** to save changes. +6. In some cases, you might need to restart Netwrix services for the changes to take effect. + +> **NOTE:** A new password won't be applied to Netwrix Password Reset, Event Log Manager, or Inactive User Tracker data-collection accounts. Refer to the following article for additional information: /docs/kb/auditor/failed_logon_attempts_after_recent_service_account_password_change (Failed Logon Attempts after Recent Service Account Password Change). 
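Review bot: The closing NOTE in change-data-collecting-account-password-in-netwrix-auditor.md is what readers need before they start, not after: the new password is not applied to the Netwrix Password Reset, Event Log Manager, or Inactive User Tracker data-collection accounts. Move it above the steps and say that those accounts have to be updated separately, since the linked article's title points to failed logon attempts after a service account password change. Step 6 ("In some cases, you might need to restart Netwrix services") should name the services or the condition. The reference is a bare path followed by the title in parentheses rather than a Markdown link.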
diff --git a/docs/kb/auditor/changes-are-reported-with-incorrect-timestamps-and-change-summaries-are-sent-outside-the-schedule.md b/docs/kb/auditor/changes-are-reported-with-incorrect-timestamps-and-change-summaries-are-sent-outside-the-schedule.md new file mode 100644 index 0000000000..b8e1f70d36 --- /dev/null +++ b/docs/kb/auditor/changes-are-reported-with-incorrect-timestamps-and-change-summaries-are-sent-outside-the-schedule.md @@ -0,0 +1,37 @@ +--- +description: >- + If changes have incorrect timestamps or Change Summaries are sent outside the + schedule, check the computer time settings and restart the Netwrix Auditor + Service for SharePoint. Restarting the service resolves issues that occur + after timezone or manual date/time updates. +keywords: + - Netwrix Auditor + - timestamps + - Change Summaries + - timezone + - service restart + - SharePoint + - monitoring plan + - schedule +products: + - auditor +sidebar_label: Changes are reported with incorrect timestamps and +tags: [] +title: "Changes are reported with incorrect timestamps and Change Summaries are sent outside the schedule" +knowledge_article_id: kA00g000000H9ZdCAK +--- + +# Changes are reported with incorrect timestamps and Change Summaries are sent outside the schedule + +- Сhanges are reported with incorrect timestamps. +- Change Summaries are sent outside the schedule. + +On the computer where **Netwrix Auditor** is installed: + +- The timezone settings were updated. +- The date and time settings were manually updated. + +You must restart the **Netwrix Auditor Service for SharePoint**. To do this: + +1. Navigate to **Control Panel** → **System and Security** → **Administrative Tools** → **Services**. +2. Locate the **Netwrix Auditor Service for SharePoint** (``) and restart it. diff --git a/docs/kb/auditor/changes-reported-in-wrong-time-zone.md b/docs/kb/auditor/changes-reported-in-wrong-time-zone.md new file mode 100644 index 0000000000..6cc266e3cf --- /dev/null 
+++ b/docs/kb/auditor/changes-reported-in-wrong-time-zone.md 
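Review bot: Step 2 of changes-are-reported-with-incorrect-timestamps-and-change-summaries-are-sent-outside-the-schedule.md ends with an empty code span, "(``)", where the service's short name was evidently lost; restore the name or drop the parentheses. The body also has none of the Symptom, Cause and Resolution headings used by the neighbouring articles, so the two bullet lists read as unlabeled fragments and the reader has to infer which list is the symptom and which is the cause.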
@@ -0,0 +1,44 @@ +--- +description: >- + Explains why Netwrix Auditor reports show changes in an incorrect time zone + and how to change the time zone on the SQL Server Reporting Services (SSRS) + server. Also notes which reports are unaffected. +keywords: + - time zone + - SSRS + - SQL Server Reporting Services + - Netwrix Auditor + - reports + - timestamps + - report server + - custom search-based reports + - time +products: + - auditor +sidebar_label: Changes Reported in Wrong Time Zone +tags: [] +title: "Changes Reported in Wrong Time Zone" +knowledge_article_id: kA00g000000H9SWCA0 +--- + +# Changes Reported in Wrong Time Zone + +## Question + +Netwrix Auditor reports changes in a wrong time zone. Is it possible to fix time zone settings? + +## Answer + +> **NOTE:** The SQL Server Reporting Services (SSRS) server time zone change won't affect the prior timestamp values. If you change your SSRS server time zone with a change made at 9:00 AM (as per your SSRS server time zone), it will still be recorded as made at 9:00 AM. + +If Netwrix Auditor and SQL Server Reporting Services do not share the same server, the predefined reports will show both date and time zone based on the SQL Server Reporting Services server settings. Refer to the following steps to change the time zone set locally on your SSRS server: + +1. Open the **Start** menu and select the **Settings** menu. +2. Select the **Time & Language** tab. +3. In the left pane, select the **Date & time** tab. + 1. You can click the **Change** button under the **Change date and time** section to set up the specific time for your SSRS server. Deselect the **Set time automatically** switch to enable the option. + 2. You can also separately set the time zone — deselect the **Set time zone automatically** switch to enable the option. + +> **NOTE:** You must restart SSRS service in order for the time zone change to take effect. + +Custom search-based reports and queries are not affected by the SSRS time zone. 
Learn more about custom search-based reports in the Reports – Custom Search-Based Reports ⸱ v10.6 article. To learn more about changing SSRS time zone, refer to the [Change Time Zones and Clock Settings on a Report Server · Microsoft 🤝](https://learn.microsoft.com/en-us/sql/reporting-services/subscriptions/change-time-zones-and-clock-settings-on-a-report-server?view=sql-server-ver16) article. diff --git a/docs/kb/auditor/changing-the-name-of-your-sql-server-causes-database-related-errors.md b/docs/kb/auditor/changing-the-name-of-your-sql-server-causes-database-related-errors.md new file mode 100644 index 0000000000..b50d824c92 --- /dev/null +++ b/docs/kb/auditor/changing-the-name-of-your-sql-server-causes-database-related-errors.md 
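Review bot: Step 3.1 of changes-reported-in-wrong-time-zone.md tells the reader to switch off **Set time automatically** and set the clock by hand, although the article's goal is only a time zone change; drop that sub-step or explain when it is needed, because a manually set clock on a server can drift, and the clock-skew article in this same patch describes Kerberos logon failures at a five-minute difference. The first NOTE ("If you change your SSRS server time zone with a change made at 9:00 AM ...") is hard to parse and should say plainly that existing timestamps are not converted. The Custom Search-Based Reports reference has no link target, and the Microsoft link uses a 🤝 marker where the other articles in this patch use 🡥.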
@@ -0,0 +1,44 @@ +--- +description: >- + After you change the name of the server that hosts the SQL instance for + Netwrix Auditor databases, the product can no longer connect to SQL Server and + Change Summary emails may show a connection error. This article shows how to + update the SQL Server instance name in the product configuration and verify + SQL settings. +keywords: + - SQL Server + - Netwrix Auditor + - database error + - Error 26 + - Change Summary + - SQL instance + - Report Server URLs +products: + - auditor +sidebar_label: Changing the name of your SQL Server causes databa +tags: [] +title: "Changing the name of your SQL Server causes database related errors" +knowledge_article_id: kA00g000000H9aPCAS +--- + +# Changing the name of your SQL Server causes database related errors + +After changing the name of the server which hosts the SQL Instance for Netwrix Auditor databases you receive the following in Change Summary emails: + +``` +Error saving AD history to database: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified) +``` + +--- + +The server name is not correct in the product configuration anymore as well as in the SQL server configuration. + +--- + +## Resolution + +1. Open the **Netwrix Auditor console** +2. Navigate to **Settings** -> **Reports** +3. Click on **Configure** and change the **SQL Server Instance** name to match the new **SQL Server name**. +4. Verify the **Report Server URLs** are still accurate and change them also if necessary and then hit **OK**. +5. Modify the **SQL Configuration** by following the following technet article: http://msdn.microsoft.com/en-us/library/ms143799.aspx 
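Review bot: Step 5 of changing-the-name-of-your-sql-server-causes-database-related-errors.md sends readers to "the following technet article" through a plain `http://msdn.microsoft.com/...` URL with no title; give the link a descriptive title, use an HTTPS address, and say what has to be changed in the SQL configuration so the step is usable if the link moves. The cause paragraph sits between two `---` rules with no `## Cause` heading, its wording ("not correct ... anymore as well as in the SQL server configuration") is unclear, and steps 1 and 2 lack terminal punctuation.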
diff --git a/docs/kb/auditor/check-tcp-and-udp-ports-required.md b/docs/kb/auditor/check-tcp-and-udp-ports-required.md new file mode 100644 index 0000000000..bbf68f3fb0 --- /dev/null +++ b/docs/kb/auditor/check-tcp-and-udp-ports-required.md 
@@ -0,0 +1,109 @@ +--- +description: >- + Shows how to use Microsoft PortQry and Windows tools to verify TCP, UDP, and + dynamic ports required by Netwrix Auditor and troubleshoot port-related + connection issues. +keywords: + - ports + - TCP + - UDP + - PortQry + - wbemtest + - dynamic ports + - Netwrix Auditor + - firewall + - troubleshooting +products: + - auditor +sidebar_label: Check TCP and UDP Ports Required +tags: [] +title: "Check TCP and UDP Ports Required" +knowledge_article_id: kA04u000000TsquCAC +--- + +# Check TCP and UDP Ports Required + +## Overview + +> **NOTE:** Refer to the following article for the list of ports and protocols required: Protocols and Ports Required. + +Depending on the data source, Netwrix Auditor requires particular TCP and UDP ports to be open. Follow the steps listed to troubleshoot port-related connection issues. + +## Instructions + +### Install Microsoft PortQry + +> **NOTE:** The PortQry version used in this article is the non-GUI version. You can download the GUI version at [PortQryUI ⸱ Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=24009). To run the PortQry GUI, run the extracted **PortQueryUI** executable. + +1. Download and extract PortQry Command Line Port Scanner. Download PortQry at [PortQry Command Line Port Scanner Version 2.0 ⸱ Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=17148). Learn more about PortQry at [Using the PortQry Command Line Tool ⸱ Microsoft](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/portqry-command-line-port-scanner-v2). +2. Once extracted, run an elevated Command Prompt and navigate to the folder containing the extracted executable: + +```text +cd C:\PortQryV2 +``` + +3. Replace the path with the actual path containing the extracted executable. + +### Check Open Ports + +The steps provided below work for both checking open ports to a target server and the Netwrix server. 
+ +- For TCP ports: + +```text +PortQry.exe -n TEST-SQL -p tcp -e 135 +``` + +> **NOTE:** When checking the 135 TCP port, the first output line must state `Listening`. + +```text +PortQry.exe -n TEST-SQL -p tcp -e 139 +PortQry.exe -n TEST-SQL -p tcp -e 445 +``` + +- For UDP ports: + +```text +PortQry.exe -n TEST-SQL -p udp -e 137 +PortQry.exe -n TEST-SQL -p udp -e 138 +``` + +> **NOTE:** When checking UDP ports, the `Listening or Filtered` output line is expected. + +Replace the `TEST-SQL` placeholder with the target server IP or FQDN. + +### Check Dynamic Ports + +1. In Command Prompt, run the following command: + +```text +wbemtest +``` + +In the Windows Management Instrumentation Tester window, click **Connect** in the **Namespace** section. + +2. Specify the namespace for the target server following the format provided: + +```text +\\root\cimv2 +``` + +Click **Connect** to test the connection. + +3. If you receive the `The RPC server is unavailable` error, the dynamic ports are closed. Otherwise, they are open. + +Alternatively, you can run the following line in Command Prompt: + +```text +netsh int ipv4 show dynamicport tcp +``` + +Learn more in [Default Dynamic Port Range for TCP/IP Changed in Windows Vista and in Server 2008 ⸱ Microsoft](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang). 
+ +## Related Links + +- Protocols and Ports Required +- [PortQryUI ⸱ Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=24009) +- [PortQry Command Line Port Scanner Version 2.0 ⸱ Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=17148) +- [Using the PortQry Command Line Tool ⸱ Microsoft](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/portqry-command-line-port-scanner-v2) +- [Default Dynamic Port Range for TCP/IP Changed in Windows Vista and in Server 2008 ⸱ Microsoft](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang) diff --git a/docs/kb/auditor/child-item-with-this-name-already-exists-in-file-server-monitoring-plan.md b/docs/kb/auditor/child-item-with-this-name-already-exists-in-file-server-monitoring-plan.md new file mode 100644 index 0000000000..1b961345d1 --- /dev/null +++ b/docs/kb/auditor/child-item-with-this-name-already-exists-in-file-server-monitoring-plan.md 
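Review bot: In check-tcp-and-udp-ports-required.md, step 2 of Check Dynamic Ports shows the namespace as `\\root\cimv2` with no server name, so as written the wbemtest connection would not target the remote machine; the server placeholder appears to have been stripped and should be restored. The "Alternatively" line, `netsh int ipv4 show dynamicport tcp`, only prints the local dynamic port range and does not test whether those ports are reachable, so it is not an alternative to the wbemtest check; present it as the way to find the range that the firewall must allow. Step 3 of Install Microsoft PortQry is a remark about step 2 rather than a step of its own, and "Protocols and Ports Required" is unlinked both in the Overview note and under Related Links.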
@@ -0,0 +1,46 @@ +--- +description: >- + This article describes how to resolve the Health Log error "Data collection + has failed. Error: A child item with this name already exists" for a File + Server monitoring plan in Netwrix Auditor. +keywords: + - health log + - file server + - monitoring plan + - event 6100 + - licensing data + - license + - Netwrix Auditor + - data collection +products: + - auditor +sidebar_label: Child Item with This Name Already Exists in File S +tags: [] +title: "Child Item with This Name Already Exists in File Server Monitoring Plan" +knowledge_article_id: kA04u0000011146CAA +--- + +# Child Item with This Name Already Exists in File Server Monitoring Plan + +## Symptom + +You've encountered the following error in Health Log for your File Server monitoring plan: + +``` +Source: File Storage Audit Service +Event ID: 6100 +User: N/A +Computer: %computer% +Description: Monitoring plan: %monitoring_plan_name%. +Data collection has failed. Error: A child item with this name already exists +``` + +## Cause + +The licensing data was corrupted. + +## Resolution + +- In case you've encountered the issue after a recent upgrade, wait for 24 hours to see if the issue is resolved on its own. +- Reapply the license file. Refer to the following article for additional information: [How to Apply Netwrix Auditor License](/docs/kb/auditor/how-to-apply-netwrix-auditor-license.md). +- In case reapplying the license did not help, contact [Netwrix Technical Support](https://www.netwrix.com/open_a_ticket.html). diff --git a/docs/kb/auditor/classifications-for-new-categories-in-opentext-content-server-have-failed-to-write-to-the-documents.md b/docs/kb/auditor/classifications-for-new-categories-in-opentext-content-server-have-failed-to-write-to-the-documents.md new file mode 100644 index 0000000000..b61ad35d2e --- /dev/null +++ b/docs/kb/auditor/classifications-for-new-categories-in-opentext-content-server-have-failed-to-write-to-the-documents.md 
@@ -0,0 +1,44 @@ +--- +description: >- + One or more categories were added to folders or documents in OpenText Content + Server, but classifications were not written to the documents. Re-index the + affected items so the Classifier can update document classifications. +keywords: + - OpenText + - Content Server + - classification + - re-index + - Collector + - Classifier + - Re-Index + - documents + - folders + - Netwrix Data Classification +products: + - auditor + - data-classification +visibility: public +sidebar_label: Classifications for New Categories in OpenText Con +tags: [] +title: "Classifications for New Categories in OpenText Content Server Have Failed to Write to the Documents" +knowledge_article_id: kA00g000000H9eBCAS +--- + +# Classifications for New Categories in OpenText Content Server Have Failed to Write to the Documents + +## Overview + +One or more categories have been added to folder(s)/document(s) in OpenText Content Server - the documents have been reclassified but classifications have failed to write to the documents. + +## Instructions + +The **Classifier** service relies on data populated by the **Collector** service to process classifications - this improves performance by ensuring that we **cache** the information on which categories are available for each document. When new **categories** are added it is thus necessary to re-index the affected documents. For that: + +1. Open the **Administration Interface**. +2. Click on **Sources** in the top navigation bar. +3. Drill down to the affected level within the **OpenText Content Server source**. +4. Do one of the following: + - Select an individual file and click **Re-Index** + - OR + - Select a folder and click **Re-Index** +5. When you click **Re-Index**, select the scope **Selected Item(s) and All Descendants** to update an entire folder. 
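Review bot: In the OpenText Content Server article, step 5 describes a choice made inside the Re-Index dialog that step 4 already opens, so fold the scope selection into step 4; the bare "OR" is also formatted as a list item of its own. The Overview sentence says the documents "have been reclassified" while classifications "have failed to write to the documents"; add a few words on how those two states differ so the symptom is recognizable.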
diff --git a/docs/kb/auditor/client-and-server-cannot-communicate-because-they-do-not-possess-a-common-algorithm.md b/docs/kb/auditor/client-and-server-cannot-communicate-because-they-do-not-possess-a-common-algorithm.md new file mode 100644 index 0000000000..0da2cd1a42 --- /dev/null +++ b/docs/kb/auditor/client-and-server-cannot-communicate-because-they-do-not-possess-a-common-algorithm.md 
@@ -0,0 +1,64 @@ +--- +description: >- + This article explains the error "The client and server cannot communicate, + because they do not possess a common algorithm." and how to resolve it by + restoring TLS registry settings so the operating system can select protocols + for incoming and outgoing communication. +keywords: + - TLS + - SchUseStrongCrypto + - SystemDefaultTlsVersions + - registry + - Schannel + - TLS 1.2 + - Windows Server Auditing + - compression service +products: + - auditor +sidebar_label: 'Client and Server Cannot Communicate, Because They' +tags: [] +title: "Client and Server Cannot Communicate, Because They Do Not Possess a Common Algorithm" +knowledge_article_id: kA04u000000PoK4CAK +--- + +# Client and Server Cannot Communicate, Because They Do Not Possess a Common Algorithm + +## Symptom + +Error: The client and server cannot communicate, because they do not possess a common algorithm. + +## Cause + +Windows Server Auditing host and compression service cannot operate due to different TLS protocol versions. The Windows Server Auditing collector requires the same TLS version running for both host and compression service. Refer to the following link for additional information on TLS protocol versions: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-. + +While usually Windows is able to set the TLS version automatically, the error arises in case changes to the TLS registry settings for either host or compression service were introduced. 
+ +## Solution + +If TLS registry settings were changed to ensure the system operability, you must set the following registry keys to allow the operating system to select the protocol for incoming and outgoing communication: + +```reg +Windows Registry Editor Version 5.00 + +[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727] +"SystemDefaultTlsVersions"=dword:00000001 +"SchUseStrongCrypto"=dword:00000001 + +[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] +"SystemDefaultTlsVersions"=dword:00000001 +"SchUseStrongCrypto"=dword:00000001 + +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] +"SystemDefaultTlsVersions"=dword:00000001 +"SchUseStrongCrypto"=dword:00000001 + +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] +"SystemDefaultTlsVersions"=dword:00000001 +"SchUseStrongCrypto"=dword:00000001 +``` + +If initial changes do not affect the system operability, you can revert them to solve the issue. A reboot of either your host or compression service is required. + +Refer to the following Microsoft article for additional information on best TLS practices: [TLS Best Practices](https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls). + +For additional information on mismatched TLS versions and limited ciphers, refer to the following article: Сonnection Issue when TLS 1.2 Is Required. diff --git a/docs/kb/auditor/clock-skew-is-too-great.md b/docs/kb/auditor/clock-skew-is-too-great.md new file mode 100644 index 0000000000..29a43b009b --- /dev/null +++ b/docs/kb/auditor/clock-skew-is-too-great.md 
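Review bot: The Solution in client-and-server-cannot-communicate-because-they-do-not-possess-a-common-algorithm.md does not say on which machines the .reg content must be applied. The Cause states that the host and the compression service need the same TLS version, so name both ends explicitly. The opening condition ("If TLS registry settings were changed to ensure the system operability") and the later "If initial changes do not affect the system operability, you can revert them" are hard to follow; state plainly when to import these keys and when to undo the earlier registry change instead. "A reboot of either your host or compression service" should say whether a service restart is enough or a machine reboot is meant. The heading is "Solution" where sibling articles use "Resolution", and the last reference ("Сonnection Issue when TLS 1.2 Is Required") has no link.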
@@ -0,0 +1,86 @@ +--- +description: >- + Failed Kerberos logons reported as 'Clock skew is too great' occur when a + workstation's clock differs from the domain controller by five or more + minutes. This article explains how to verify and resynchronize time on the + workstation and domain controller. +keywords: + - clock skew + - Kerberos + - time sync + - w32tm + - domain controller + - time zone + - failed logon + - Netwrix Auditor +products: + - auditor +sidebar_label: Clock Skew Is Too Great +tags: [] +title: "Clock Skew Is Too Great" +knowledge_article_id: kA0Qk0000000LdxKAE +--- + +# Clock Skew Is Too Great + +## Symptom + +Failed logons are reported in Netwrix Auditor with the following **Cause** specified: + +``` +Clock skew is too great: +The workstation's clock too far out of sync with the DC's +``` + +## Cause + +The reported workstation and the DC processing the Kerberos request have a time difference of 5 of more minutes. + +## Resolution + +In both the DC and affected workstation, perform the following steps in elevated Command Prompt: + +1. Run the following line to get the current system time: + + ```bat + time /T + ``` + +2. Run the following line to establish the time zone set up: + + ```bat + systeminfo | findstr /C:"Time Zone" + ``` + +3. Run the following line to confirm the source for the machine: + + ```bat + w32tm /query /status + ``` + +4. Run the following line to force sync the time: + + ```bat + w32tm /resync + ``` + +5. **Optional:** Run the following line again to verify the time was synced: + + ```bat + time /T + ``` + +> **IMPORTANT:** You may encounter the following error when attempting to sync your server to the domain controller time: +> +> ``` +> Sending resync command to local computer +> The computer did not resync because no time data was available. +> ``` +> +> Verify the time source specified in the output of the `w32tm /query /status` line. 
In case the **Source** line states either **Local CMOS Clock** or **Free-running System Clock**, enable time synchronization with your DC. Run the following lines in elevated Command Prompt: +> +> ```bat +> w32tm /config /syncfromflags:domhier /update +> +> net stop w32time && net start w32time +> ``` diff --git a/docs/kb/auditor/compression-service-does-not-appear-under-installed-programs-but-still-exists-in-the-services-overvi.md b/docs/kb/auditor/compression-service-does-not-appear-under-installed-programs-but-still-exists-in-the-services-overvi.md new file mode 100644 index 0000000000..3e455f906d --- /dev/null +++ b/docs/kb/auditor/compression-service-does-not-appear-under-installed-programs-but-still-exists-in-the-services-overvi.md 
@@ -0,0 +1,49 @@ +--- +description: >- + After uninstalling the Netwrix Compression Service, it may disappear from the + Control Panel's Programs and Features while remaining in the Services + Overview. This article explains how to remove the leftover service and its + files manually. +keywords: + - compression service + - uninstall + - services overview + - Programs and Features + - sc delete + - Windows Services + - Netwrix Compression Service +products: + - auditor +sidebar_label: Compression Service Not in Installed Programs +tags: [] +title: >- + Compression Service Does Not Appear Under Installed Programs but Still Exists + in The Services Overview +knowledge_article_id: kA0Qk0000000R53KAE +--- + +# Compression Service Does Not Appear Under Installed Programs but Still Exists in The Services Overview + +## Symptom + +After uninstallation of Netwrix Compression Service, it does not appear under **Programs and Features** in the Control Panel, but still exists in the **Services Overview**. + +## Cause + +Compression service components were not completely removed during uninstallation. + +## Resolution + +You can manually delete the Service and its components. For that: + +1. Open the **Services** snap-in and open properties of the problematic service. +2. Copy the full name of the service and the path to executable, for example, to a **Notepad** document. + ![User-added image](images/ka0Qk0000001hxN_0EMQk000002u2KX.png) +3. Run the command prompt as administrator and run the following command: + + ```bat + sc delete + ``` + + where the `` is the full name of the service you copied on the step 2. +4. After that, navigate to the file path you copied earlier and delete all the files. diff --git a/docs/kb/auditor/compression-service-encountered-an-internal-error-in-windows-server-monitoring-plan.md b/docs/kb/auditor/compression-service-encountered-an-internal-error-in-windows-server-monitoring-plan.md new file mode 100644 index 0000000000..98394f9b75 --- /dev/null 
+++ b/docs/kb/auditor/compression-service-encountered-an-internal-error-in-windows-server-monitoring-plan.md 
@@ -0,0 +1,111 @@ +--- +description: >- + Explains how to resolve the "Compression Service has encountered an internal + error" (Event ID 2009) in a Windows Server Auditing monitoring plan by + enabling TLS 1.2, configuring .NET and Schannel registry settings, and + reviewing WinHTTP settings. +keywords: + - compression + - schannel + - TLS 1.2 + - Windows Server + - Event ID 2009 + - WinHTTP + - registry + - Netwrix Auditor +products: + - auditor +sidebar_label: 'Compression Service Encountered an Internal Error ' +tags: [] +title: "Compression Service Encountered an Internal Error in Windows Server Monitoring Plan" +knowledge_article_id: kA04u00000111HZCAY +--- + +# Compression Service Encountered an Internal Error in Windows Server Monitoring Plan + +## Symptom + +The following error is prompted in the Health Log for your Windows Server Auditing monitoring plan: + +```text +Source: Windows Server Audit Service +Event ID: 2009 +Description: Monitoring plan: %affected_monitoring_plan% +Item: %affected_server% +The following error has occurred while processing %affected_server%: +The Compression Service has encountered an internal error: The Compression Service has encountered an internal error. +``` + +## Cause + +The Windows Server Auditing host and compression service cannot operate due to different TLS protocol versions. + +## Resolution + +1. Enable TLS 1.2 via SChannel on both your Netwrix server and the target servers affected by the error. Refer to the following registry subkey: + + ```reg + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled + ``` + + The **Enabled** value on both your Netwrix server and the target servers affected should state `0x00000001 (1)` or `1` (hexadecimal). + +2. 
On both your Netwrix server and the target servers affected, set the following registry keys to allow the operating system to select the protocol for incoming and outgoing communications: + + ```reg + Windows Registry Editor Version 5.00 + + [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727] + "SystemDefaultTlsVersions"=dword:00000001 + "SchUseStrongCrypto"=dword:00000001 + + [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] + "SystemDefaultTlsVersions"=dword:00000001 + "SchUseStrongCrypto"=dword:00000001 + + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] + "SystemDefaultTlsVersions"=dword:00000001 + "SchUseStrongCrypto"=dword:00000001 + + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] + "SystemDefaultTlsVersions"=dword:00000001 + "SchUseStrongCrypto"=dword:00000001 + ``` + + You can also use the following registry key file to apply the same changes: [TLS Registry Key](https://netwrix.com/download/products/KnowledgeBase/TLSRegkey.reg). + +3. Allow all Schannel event logging levels to be logged. Refer to the following registry key: + + ```reg + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL + ``` + + Change the **EventLogging** subkey value to `7` (hexadecimal). + +4. If the issue persists with all settings above configured correctly, review WinHTTP settings on both your Netwrix server and the target servers affected: + + ```reg + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\ + DefaultSecureProtocols = (DWORD): 0xAA0 + HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\ + DefaultSecureProtocols = (DWORD): 0xAA0 + ``` + +5. After you introduce the changes, close Registry Editor for the changes to take effect. It is recommended that you restart the affected servers. 
Alternatively, restart **Netwrix Auditor for Windows Server Compression Service** on each affected server. + +> IMPORTANT: Once the issue is solved, limit the Schannel event logging level to `1`. Refer to the following registry key: +> +> ```reg +> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL +> ``` +> +> Change the **EventLogging** subkey value to `1` (hexadecimal). + +## Attached files + +- [TLS Registry Key](https://netwrix.com/download/products/KnowledgeBase/TLSRegkey.reg) + +## Related articles + +- Сonnection Issue when TLS 1.2 Is Required: /docs/kb/auditor/сonnection_issue_when_tls_1.2_is_required +- Client and Server Cannot Communicate, Because They Do Not Possess a Common Algorithm: /docs/kb/auditor/client_and_server_cannot_communicate,_because_they_do_not_possess_a_common_algorithm diff --git a/docs/kb/auditor/configure-microsoft-365-data-sources-to-use-proxy-server-settings.md b/docs/kb/auditor/configure-microsoft-365-data-sources-to-use-proxy-server-settings.md new file mode 100644 index 0000000000..fa698b07ad --- /dev/null +++ b/docs/kb/auditor/configure-microsoft-365-data-sources-to-use-proxy-server-settings.md 
@@ -0,0 +1,112 @@ +--- +description: >- + Instructions to configure Microsoft 365 data sources (Exchange Online, + Microsoft Entra ID, SharePoint Online, and Teams) to use proxy server settings + for Netwrix collectors and PowerShell connections. +keywords: + - Microsoft 365 + - proxy + - Exchange Online + - Microsoft Entra ID + - SharePoint Online + - netsh + - winhttp + - Netwrix + - proxyaddress +products: + - auditor + - Azure_AD_and_Office_365 +visibility: public +sidebar_label: 'Configure Microsoft 365 Data Sources to Use Proxy ' +tags: [] +title: "Configure Microsoft 365 Data Sources to Use Proxy Server Settings" +knowledge_article_id: kA00g000000H9V6CAK +--- + +# Configure Microsoft 365 Data Sources to Use Proxy Server Settings + +## Question + +How to configure Microsoft 365 (Office 365) data sources to use proxy server settings? + +## Answer + +### Exchange Online + +Exchange Online relies on PowerShell gathering proxy settings from the network adapter. Browser proxy settings in Windows are not propagated to the network adapter by default. Refer to the following steps to set up proxy settings for Exchange Online: + +1. In elevated Command Prompt, check the network adapter settings: + + ```bash + netsh winhttp show proxy + ``` + + ![netsh winhttp show proxy output](images/ka0Qk0000000ws1_0EM4u000008MMY1.png) + +2. If the system prompts **Direct settings**, configure the network adapter to use the correct proxy settings: + + ```bash + netsh winhttp set proxy proxy-server="http=***.***.***.***:port;https=***.***.***.***:port" + ``` + + Replace the proxy server settings in the line with your actual settings. 
+ + ![netsh winhttp set proxy example](images/ka0Qk0000000ws1_0EM4u000008MMY6.png) + +### Microsoft Entra ID (formerly Azure AD) + +To use proxy server settings for the Microsoft Entra ID audit, edit the following files: + +- `Netwrix.Common.AzureAdHelper.exe.config` +- `Netwrix.O365.AzureAdCollector.exe.config` +- `Netwrix.O365.AzureAdDiffQueryCollector.exe.config` +- `Netwrix.O365.AzureADDumper.exe.config` +- `Netwrix.O365.AzureAdManagementApiCollector.exe.config` +- `Netwrix.O365.AzureAdReporter.exe.config` + +Add the following line at the end of each file before the `` tag: + +```xml + +``` + +Before editing: + +```xml + +``` + +After editing: + +```xml + +``` + +Before editing image: + +![Before editing configuration](images/ka0Qk0000000ws1_0EM4u000008MMXd.png) + +After editing image: + +![After editing configuration](images/ka0Qk0000000ws1_0EM4u000008MMYB.png) + +Replace `***.***.***.***:port` with your actual proxy settings. + +### SharePoint Online + +To use proxy server settings for the SharePoint Online audit, edit the following files: + +- `Netwrix.Common.AzureAdHelper.exe.config` +- `SpaOnlineHost.exe.config` + +Add the following line at the end of each file before the `` tag: + +```xml + +``` + +Replace `proxyaddress="***.***.***.***:port"` with your actual proxy settings. + +### Microsoft Teams + +To use proxy server settings for the Teams audit, set up both Microsoft Entra ID and SharePoint Online settings. diff --git a/docs/kb/auditor/configure-netwrix-auditor-to-use-microsoft-365-for-email-notifications.md b/docs/kb/auditor/configure-netwrix-auditor-to-use-microsoft-365-for-email-notifications.md new file mode 100644 index 0000000000..5388495107 --- /dev/null +++ b/docs/kb/auditor/configure-netwrix-auditor-to-use-microsoft-365-for-email-notifications.md 
@@ -0,0 +1,53 @@ +--- +description: >- + This article explains how to configure Netwrix Auditor to send email + notifications through Microsoft 365 by configuring SMTP settings in Outlook + and in the product settings. +keywords: + - Microsoft 365 + - SMTP + - email notifications + - Outlook + - Netwrix Auditor + - SSL/TLS + - SMTP authentication + - Office 365 + - MFA +products: + - auditor +sidebar_label: Configure Netwrix Auditor to Use Microsoft 365 for +tags: [] +title: "Configure Netwrix Auditor to Use Microsoft 365 for Email Notifications" +knowledge_article_id: kA00g000000PbdOCAS +--- + +# Configure Netwrix Auditor to Use Microsoft 365 for Email Notifications + +## Question + +How to configure Netwrix Auditor to use Microsoft 365 for email notifications? + +## Answer + +Refer to the following steps to configure Netwrix products to use Microsoft 365 for email notifications: + +1. Open the main Microsoft 365 page — [Microsoft 365 ⸱ Microsoft](https://www.microsoft365.com/). +2. In the left pane, click the **Outlook** logo to proceed to the main Outlook page. +3. Once the main Outlook page opens, click the **Settings** icon in the top right corner. +4. In the left pane, select **Mail** > **Sync email**. +5. Copy the SMTP settings (for example, server name: `outlook.office365.com`, port: `587`). +6. Open Netwrix Auditor. Click **Settings** in the top right corner, select **Notifications** in the left pane, then click **Modify** under **Default SMTP Settings**. +7. Specify the SMTP settings you copied from the Microsoft 365 Outlook page. +8. Specify your Microsoft 365 email address as the **Sender** address. +9. Check the **SMTP authentication** checkbox, and specify your Microsoft 365 account credentials. + +> **NOTE:** The email address specified in the **User name** field must match the email address specified in the **Sender address** field. + +10. Check the **Use Secure Sockets Layer encrypted connection (SSL/TLS)** checkbox. 
+ - Uncheck the **Use implicit SSL authentication** checkbox. + +> **IMPORTANT:** Multi-Factor Authorization is incompatible with this functionality. Learn more in [Fix Issues when Sending Email Using Microsoft 365 ⸱ Microsoft](https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/fix-issues-with-printers-scanners-and-lob-applications-that-send-email-using-off#error-authentication-unsuccessful). + +### Related articles + +- https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/fix-issues-with-printers-scanners-and-lob-applications-that-send-email-using-off#error-authentication-unsuccessful (Fix Issues when Sending Email Using Microsoft 365 ⸱ Microsoft) diff --git a/docs/kb/auditor/configure-sql-server-auditing-to-ignore-addition.md b/docs/kb/auditor/configure-sql-server-auditing-to-ignore-addition.md new file mode 100644 index 0000000000..43a2a05ff4 --- /dev/null +++ b/docs/kb/auditor/configure-sql-server-auditing-to-ignore-addition.md 
@@ -0,0 +1,80 @@ +--- +description: >- + Shows how to configure SQL Server auditing in Netwrix Auditor to capture + updates and deletions while ignoring insertions by modifying trigger and + stored procedure scripts and using exclusion rules. +keywords: + - SQL Server + - auditing + - triggers + - netwrix auditor + - sp_Netwrix_WriteEvent + - ignore insert + - update + - delete +products: + - auditor +sidebar_label: Configure SQL Server Auditing to Ignore Addition +tags: [] +title: "Configure SQL Server Auditing to Ignore Addition" +knowledge_article_id: kA00g000000H9VoCAK +--- + +# Configure SQL Server Auditing to Ignore Addition + +## Question + +How to configure SQL Server Auditing to monitor modifications and deletion, and ignore addition of data? + +## Answer + +> **IMPORTANT:** An elevated server role in SQL Server is required to perform the following actions. The `sysadmin` role will allow you to follow the instructions. + +1. In your SQL Server monitoring plan, click **Edit data source** in the right pane > select the **Data** tab > switch the **Monitor changes to data in the database tables** switch on. +2. Enable the **Use triggers for detailed monitoring** switch. +3. Add inclusion rules for target databases, tables and columns. Click **Save & Close**. +4. Update your SQL Server monitoring plan by clicking **Update** in the right pane. +5. Once the status switches to **Ready**, open SQL Server Management Studio and connect to your SQL Server instance. +6. In the left pane, select **Databases** > **%target_data_base%** > **%target_table%** > the **Triggers** folder > right-click the **netwrix_audit_trg_%table_name%** trigger > **Script Trigger as** > **CREATE To** > **New Query Editor Window**. +7. Locate the following line: + +```sql +AFTER INSERT, UPDATE, DELETE +``` + + Modify it to read as follows: + +```sql +AFTER UPDATE, DELETE +``` + + Keep the query window open. +8. 
In the left pane, select **%target_data_base%** > **Programmability** > **Stored Procedures** > right-click **dbo.sp_Netwrix_WriteEvent** and select **Script Stored Procedure** > **CREATE To** > **New Query Editor Window**. Keep the new query window open. +9. Return to your SQL Server monitoring plan menu in Netwrix Auditor. Click **Edit data source** in the right pane > select the **Data** tab > edit the inclusion rule type for the target database, table, etc. > modify the **Type** field to state **Exclude**. Click **Save & Close**. +10. Update your SQL Server monitoring plan by clicking **Update** in the right pane. +11. Once the status switches to **Ready**, return to SQL Server Management Studio, select the **dbo.sp_Netwrix_WriteEvent** query window and click **Execute**. + +> **NOTE:** The **dbo.sp_Netwrix_WriteEvent** query window will contain the `CREATE PROCEDURE [dbo].[sp_Netwrix_WriteEvent]` line. + +The `Commands completed successfully` message will confirm the successful query execution. + +12. Select the **netwrix_audit_trg_%table_name%** query window and click **Execute**. + +> **NOTE:** The **netwrix_audit_trg_%table_name%** query window will contain the `CREATE TRIGGER [dbo].[Netwrix_audit_trg_%table_name%]` line. + +The `Commands completed successfully` message will confirm the successful query execution. + +To run the query against each table, modify the following line in the `CREATE TRIGGER` query window: + +1. Locate the following line: + +```sql +SET @table_name = N'%target_table_name%' +``` + + The placeholder could be represented by any table name (e.g., `dbo.AzureDirectoryRoles`). +2. Replace the placeholder with the target table name. +3. Run the query once you replace the table name. +4. Repeat for every target table. + +While the target database, table, or column will be shown as excluded in Netwrix Auditor, audit data will be collected. 
diff --git a/docs/kb/auditor/configuring_proxy_scans.md b/docs/kb/auditor/configuring_proxy_scans.md new file mode 100644 index 0000000000..36b1a74bf9 --- /dev/null +++ b/docs/kb/auditor/configuring_proxy_scans.md 
@@ -0,0 +1,85 @@ +--- +description: >- + This article provides step-by-step instructions for configuring proxy scans in Netwrix Access Analyzer, ensuring optimal scan performance with multiple proxy servers. +keywords: + - proxy scans + - Netwrix Access Analyzer + - scan configuration +sidebar_label: Configuring Proxy Scans +tags: [] +title: "Configuring Proxy Scans in Netwrix Access Analyzer" +knowledge_article_id: kA0Qk0000002L6nKAE +products: + - auditor +--- + +# Configuring Proxy Scans in Netwrix Access Analyzer + +## Overview + +When using a proxy host list in Netwrix Access Analyzer (formerly Enterprise Auditor), it is important to configure your scan settings correctly. Proper configuration ensures that multiple proxy servers can simultaneously scan multiple target hosts, improving efficiency and scan performance. This article outlines the necessary steps and settings to optimize scanning using proxy host lists. + +## Instructions + +### Step 1: Prepare Your Host Lists + +1. Create or review your **Proxy Host List**. + - This list includes the servers that will run the Access Analyzer Proxy Service or applet. + - For help creating host lists, see the Host List Management documentation. + +2. Determine the number of target hosts. + - This is the number of file systems being targeted by the scan. + - To find this, open the host list assigned to the job and note the total number of rows in the top-right corner. + + ![Host list showing total number of target hosts in Access Analyzer](./images/servlet_image_5badb1d5b327.png) + +### Step 2: Configure Applet Settings + +1. Go to the **Applet Settings** page. +2. Set the **Maximum Concurrent Scans** to the number of hosts each proxy should handle at once. + + > **NOTE:** The default value is 10 hosts per proxy. + + ![Applet Settings page showing Maximum Concurrent Scans option](./images/servlet_image_ea6adfe5aae7.png) + +### Step 3: Select Proxy Hosts for Scanning + +1. Go to the **Scan Server Selection** page. +2. 
Select **Specific Remote Servers by Host List**. +3. Check the box for your **Proxy Host List** to assign it to the scan job. + + ![Scan Server Selection page with Proxy Host List selected](./images/servlet_image_b60fe6913b2e.png) + +### Step 4: Set Job Properties + +1. Open the **Job Properties** settings by right-clicking the system scan job in the Job Tree pane. +2. On the **Performance** tab, set the number of **Worker Threads** using this formula: + **Worker Threads = Number of Proxy Servers × Max Concurrent Scans** + + > **NOTE:** This ensures all proxies are actively scanning and no capacity is wasted. + + ![Job Properties Performance tab showing Worker Threads setting](./images/servlet_image_61a97e6d04cc.png) + +## Configuration Examples + +### Example 1: Large Deployment + +- **Target Host List:** 100 File Servers +- **Proxy Host List:** 5 Proxy Servers +- **Max Concurrent Scans:** 10 +- **Worker Threads:** 5 × 10 = 50 + +![Configuration example for large deployment](./images/servlet_image_1166f08ea416.png) + +### Example 2: Small Deployment + +- **Target Host List:** 6 File Servers +- **Proxy Host List:** 3 Proxy Servers +- **Max Concurrent Scans:** 2 +- **Worker Threads:** 3 × 2 = 6 + +![Configuration example for small deployment](./images/servlet_image_a2750b9c5910.png) + +## Related Link + +- Host List Management documentation \ No newline at end of file diff --git a/docs/kb/auditor/connection-failed-0x80070721-failed-to-process-a-request-because-the-target-server-is-unreachable.md b/docs/kb/auditor/connection-failed-0x80070721-failed-to-process-a-request-because-the-target-server-is-unreachable.md new file mode 100644 index 0000000000..fa19ebbbe4 --- /dev/null +++ b/docs/kb/auditor/connection-failed-0x80070721-failed-to-process-a-request-because-the-target-server-is-unreachable.md 
@@ -0,0 +1,43 @@ +--- +description: >- + You see the "Connection failed -0x80070721" error when connecting to a + remotely installed Netwrix Auditor Client because the Netwrix Auditor Core + Service must run under the NETWORK SERVICE account on the server. This article + explains the cause and the steps to fix the service account. +keywords: + - Connection failed + - 2147944225 + - Netwrix Auditor + - Core Service + - NETWORK SERVICE + - Services snap-in + - Log On tab +products: + - auditor +sidebar_label: 'Connection failed -0x80070721 - Failed to process ' +tags: [] +title: "Connection failed -0x80070721 - Failed to process a request because the target server is unreachable" +knowledge_article_id: kA04u00000110tmCAA +--- + +# Connection failed -0x80070721 - Failed to process a request because the target server is unreachable + +## Symptom + +You see this error message when you try to connect to the Netwrix Auditor Client installed remotely (not on the computer that hosts the Netwrix Auditor Server). + +```text +Connection failed -0x80070721 - Failed to process a request because the target server is unreachable. A security package specific error occurred. +``` + +## Cause + +This error occurs because the Netwrix Auditor Core Service should run under the `NETWORK SERVICE` account on the computer that hosts the Netwrix Auditor Server. + +## Resolution + +To resolve the issue, check the account the service uses. To do that: + +1. On the computer where the Netwrix Auditor Server resides, navigate to the **Services** snap-in. +2. Right-click the **Netwrix Auditor Core Service** and select **Properties**. +3. Switch to the **Log On** tab and make sure that the **Log on as** option is set to `NETWORK SERVICE`. If not, browse for the `NETWORK SERVICE` account and click **Apply**. 
diff --git a/docs/kb/auditor/connection-string-is-not-valid-in-sql-server-monitoring-plan.md b/docs/kb/auditor/connection-string-is-not-valid-in-sql-server-monitoring-plan.md new file mode 100644 index 0000000000..a2bcf33aaf --- /dev/null +++ b/docs/kb/auditor/connection-string-is-not-valid-in-sql-server-monitoring-plan.md 
@@ -0,0 +1,62 @@ +--- +description: >- + This article explains how to resolve the "Connection string is not valid" + error in a SQL Server monitoring plan in Netwrix Auditor by correcting the SQL + Server instance name in the monitoring plan item. It provides steps to review + and edit the monitored instance and shows default vs named instance formats. +keywords: + - SQL Server + - monitoring plan + - connection string + - error 25 + - Netwrix Auditor + - instance name + - MSSQLSERVER + - FQDN + - NetBIOS +products: + - auditor +sidebar_label: Connection String Is Not Valid in SQL Server Monit +tags: [] +title: "Connection String Is Not Valid in SQL Server Monitoring Plan" +knowledge_article_id: kA04u000000wnkxCAA +--- + +# Connection String Is Not Valid in SQL Server Monitoring Plan + +## Symptom + +The following error is prompted in Health Log for your SQL Server monitoring plan in Netwrix Auditor: + +``` +Netwrix Auditor State-in-Time error: +Monitoring plan: %SQL_monitoring_plan_name%. +Item: %SQL_server% +The following error occurred during state-in-time operation snapshot collection: +A network-related or instance-specific error occurred while establishing a connection to SQL Server. +The server was not found or was not accessible. +Verify that the instance name is correct and that SQL Server is configured to allow remote connections. +(provider: SQL Network Interfaces, error: 25 - Connection string is not valid) +``` + +## Cause + +The SQL Server instance name was specified incorrectly in the affected monitoring plan item. + +## Resolution + +Review the affected item in your SQL Server monitoring plan: + +1. In the main Netwrix Auditor menu, click **Monitoring Plans**. +2. Select the affected SQL Server monitoring plan and click **Edit**. Refer to the error message to establish the affected monitoring plan name. +3. Select the affected instance and click **Edit item**. Refer to the error message to establish the affected item name. +4. 
Review the instance name specified: + - For a default SQL instance name (`MSSQLSERVER`), only specify the server FQDN or NetBIOS name. See the example for a reference. + + ![Default instance example](images/ka04u000000wvzg_0EM4u000008pVor.png) + + - For a named SQL instance, specify `FQDN\Instance_name`. + + ![Named instance example](images/ka04u000000wvzg_0EM4u000008pVow.png) + +5. Once the changes are introduced, click **Save & Close**. diff --git a/docs/kb/auditor/connection-to-microsoft-365-tenant-in-netwrix-auditor-completes-with-error-validating-your-account-s.md b/docs/kb/auditor/connection-to-microsoft-365-tenant-in-netwrix-auditor-completes-with-error-validating-your-account-s.md new file mode 100644 index 0000000000..3740e5766c --- /dev/null +++ b/docs/kb/auditor/connection-to-microsoft-365-tenant-in-netwrix-auditor-completes-with-error-validating-your-account-s.md 
@@ -0,0 +1,50 @@ +--- +description: >- + When connecting to a Microsoft 365 (Office 365) tenant using modern + authentication in Netwrix Auditor, you may see an error stating the tenant + name is not a valid DNS name. This article explains the cause and shows how to + resolve the issue by ensuring the Directory (tenant) ID and Application + (client) ID match between Netwrix Auditor and the Microsoft Office 365 Admin + center. +keywords: + - Microsoft 365 + - Office 365 + - tenant + - modern authentication + - tenant ID + - Directory (tenant) ID + - Application (client) ID + - application ID + - Netwrix Auditor +products: + - auditor +sidebar_label: Connection to Microsoft 365 Tenant in Netwrix Audi +tags: [] +title: "Connection to Microsoft 365 Tenant in Netwrix Auditor Completes with Error Validating Your Account’s Rights and Permissions" +knowledge_article_id: kA04u000001111bCAA +--- + +# Connection to Microsoft 365 Tenant in Netwrix Auditor Completes with Error Validating Your Account’s Rights and Permissions + +## Symptom + +When trying to connect to Office 365 Tenant using modern authentication, the following error appears: + +``` +Error validating your account’s rights and permissions: Tenant name 'Tenant_name' specified is not a valid DNS name. +``` + +## Cause + +The issue occurred due to incorrect Office 365 tenant credentials provided in Netwrix Auditor. + +## Resolution + +Make sure you provided the same parameters in a Netwrix Auditor monitoring plan and Microsoft Office 365 Admin center. + +1. **Tenant name** in Netwrix should equal the `Directory (tenant) ID` in Microsoft Office 365 Admin center. +2. **Modern authentication application ID** should equal `Application (client) ID` in Microsoft Office 365 Admin center. + +![00371273 O365 Tenant.PNG](images/ka04u00000117A1_0EM4u000008LuEC.png) + +For additional information on configuring Office 365 tenant, refer to the following article: Microsoft 365. 
Select the data source you want to audit and review the corresponding section. diff --git a/docs/kb/auditor/corruption-of-the-database-owner-record.md b/docs/kb/auditor/corruption-of-the-database-owner-record.md new file mode 100644 index 0000000000..40e6036b04 --- /dev/null +++ b/docs/kb/auditor/corruption-of-the-database-owner-record.md @@ -0,0 +1,38 @@ +--- +description: >- + If you cannot access a database and receive "invalid owner" errors, the + database owner record may be corrupted. This article explains why Netwrix + Auditor can cause this and how to fix it with an ALTER AUTHORIZATION command. +keywords: + - database owner + - invalid owner + - TRUSTWORTHY + - ALTER AUTHORIZATION + - Netwrix Auditor + - SQL Server + - database corruption + - db owner +products: + - auditor +sidebar_label: Corruption of the database owner record +tags: [] +title: "Corruption of the database owner record" +knowledge_article_id: kA00g000000H9bZCAS +--- + +# Corruption of the database owner record + +Database cannot be accessed and you receive an error messages containing the `invalid owner` text. + +## Cause + +When the **Database Content Audit** option is selected, on each data collection Netwrix Auditor checks if the `TRUSTWORTHY` property is enabled on the monitored databases, and enables the property when it is disabled. Sometimes this process can corrupt the database owner record. + +## Resolution + +1. In Microsoft SQL Server Management Studio, run the following command: + ``` + ALTER AUTHORIZATION ON DATABASE::db_name TO user_name + ``` + - Replace `db_name` with the name of the corrupted database. + - Replace `user_name` with the database owner account name. diff --git a/docs/kb/auditor/could-not-allocate-space-for-object-objectname-in-database-databasename.md b/docs/kb/auditor/could-not-allocate-space-for-object-objectname-in-database-databasename.md new file mode 100644 index 0000000000..31e180a668 --- /dev/null 
+++ b/docs/kb/auditor/could-not-allocate-space-for-object-objectname-in-database-databasename.md 
@@ -0,0 +1,91 @@ +--- +description: >- + Explains the "Could not allocate space for object" error in Netwrix Auditor, + lists possible causes, and provides long-term and short-term resolutions + including steps to recreate the database. +keywords: + - Netwrix Auditor + - SQL Server + - PRIMARY filegroup + - database full + - autogrowth + - SQL Server Express + - Monitoring Plan + - SSMS + - disk space +products: + - auditor +sidebar_label: Could Not Allocate Space for Object (ObjectName) i +tags: [] +title: "Could Not Allocate Space for Object (ObjectName) in Database (DatabaseName)" +knowledge_article_id: kA00g000000H9WsCAK +--- + +# Could Not Allocate Space for Object (ObjectName) in Database (DatabaseName) + +## Symptom + +The following error message appears in the Netwrix Auditor Health Log or under the database status on the Database Statistics page: + +```text +Error in reports stating Could not allocate space for object '*' in database '*' because the 'PRIMARY' filegroup is full. +Create disk space by deleting unneeded files, dropping objects in the filegroup, adding additional files to the filegroup, +or setting autogrowth on for existing files in the filegroup +``` + +## Cause + +SQL Server is preventing Netwrix Auditor from writing data to the Monitoring Plan Audit Database due to storage constraints. The following factors may contribute to this issue: + +- SQL Server Express Edition is being used for Netwrix Auditor and the database has reached the 10GB limitation. +- The disk where the database's files are stored is full. +- Autogrowth is not properly set for the database. 
+ +> **NOTE:** If the issue is related to Autogrowth, refer to the following resources: +> +> - 'PRIMARY' Filegroup Is Full: https://learn.microsoft.com/en-us/answers/questions/555422/primary-filegroup-is-full +> - Resolving SQL Server Errors: The Primary Filegroup Is Full: https://www.sqlshack.com/resolving-sql-server-errors-the-primary-filegroup-is-full/ +> - Considerations for the Autogrow and Autoshrink Settings in SQL Server: https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/database-file-operations/considerations-autogrow-autoshrink + +## Resolution + +### Long-Term Solutions + +To help prevent recurring database storage issues and support long-term stability, please refer to the solutions below: + +- Upgrade the **SQL Server edition** from Express to Standard or Enterprise. + + > **NOTE:** This is the only long-term option to prevent database size limitations from disrupting Netwrix Auditor data collection. + +- Split the problematic **Monitoring Plan** into several plans, each assigned to its own database. + + > **NOTE:** Ensure when splitting the plan that you do not monitor the same item in multiple plans for the same data source. + +- Narrow the auditing scope by disabling auditing options that generate larger amounts of data, such as **Successful Reads for File Servers** or **Non-interactive logons for Logon Activity** in the monitoring plan settings (**Edit monitoring plan** > **Edit Data Source**). + +### Short-Term Solutions + +The following solutions can temporarily offer more database storage and disk space but do not address the root cause of database size constraints. + +- Disable state-in-time data collection for the File Server monitoring plan by unselecting the **Collect data for state-in-time reports** option in the monitoring plan settings (**Edit monitoring plan** > **Edit Data Source**). +- Allocate additional disk space to Netwrix Auditor and SQL Server. 
Hardware Requirements: /docs/auditor/10.7/auditor/requirements +- Change the **Database Retention** period via the Netwrix Auditor Console (**Settings** > **Audit Database**) to reduce the amount of time collected data is stored. +- Recreate the database associated with the problematic Monitoring Plan. Since all collected data is also stored in the Long-Term Archive, no data loss is expected. However, recreating the database will remove its data from Searching and Reporting. To access this data, use the Netwrix Auditor Settings – Investigations (v10.6) feature: /docs/auditor/10.6/auditor/admin-guide/settings + +To recreate the database, follow these steps: + +1. Open **SQL Server Management Studio (SSMS)** > Connect to the SQL instance > Expand the **Databases** folder > Right-click the problematic database > **Delete**. +2. Check the box **Close existing connections**, and click **OK** to confirm the deletion. +3. Restart **Netwrix Auditor Management Service** on the Netwrix Auditor Server. +4. Refresh or close out **SSMS** and reconnect to the SQL instance to verify that the database was recreated with the same name. +5. Once confirmed, navigate to **Netwrix Auditor Console** > **Health Status** > **Database Statistics** and check the status of the recreated database. + +> **NOTE:** It may take several minutes for the recreated database to go into an **OK** state. 
+ +## Related Articles + +- 'PRIMARY' Filegroup Is Full: https://learn.microsoft.com/en-us/answers/questions/555422/primary-filegroup-is-full +- Resolving SQL Server Errors: The Primary Filegroup Is Full: https://www.sqlshack.com/resolving-sql-server-errors-the-primary-filegroup-is-full/ +- Considerations for the Autogrow and Autoshrink Settings in SQL Server: https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/database-file-operations/considerations-autogrow-autoshrink +- Netwrix Auditor Settings – Investigations ⸱ v10.6: /docs/auditor/10.6/auditor/admin-guide/settings +- SQL Server Express Database Size Reached 10GB: /docs/kb/auditor/sql_server_express_database_size_reached_10gb diff --git a/docs/kb/auditor/could-not-find-stored-procedure-getallproperties.md b/docs/kb/auditor/could-not-find-stored-procedure-getallproperties.md new file mode 100644 index 0000000000..2d968c7d68 --- /dev/null +++ b/docs/kb/auditor/could-not-find-stored-procedure-getallproperties.md 
@@ -0,0 +1,51 @@ +--- +description: >- + The ReportServer database is corrupted and must be rebuilt. This article + describes steps to delete and regenerate the ReportServer and ReportServerTemp + databases when you encounter the GetAllProperties stored procedure error. +keywords: + - ReportServer + - GetAllProperties + - stored procedure + - SSRS + - ReportServerTemp + - SQL Server + - Netwrix Auditor + - report server database + - SSMS +products: + - auditor + - Netwrix_Auditor_SQL_Databases +visibility: public +sidebar_label: Could Not Find Stored Procedure GetAllProperties +tags: [] +title: "Could Not Find Stored Procedure GetAllProperties" +knowledge_article_id: kA04u00000110zQCAQ +--- + +# Could Not Find Stored Procedure GetAllProperties + +## Symptom + +You've encountered the following error running reports: + +``` +An error occurred within the report server database. +This may be due to a connection failure, timeout or low disk condition within the database. (rsReportServerDatabaseError) +Could not find stored procedure 'GetAllProperties' +``` + +## Cause + +The ReportServer database is corrupted and has to be rebuilt. + +## Resolution + +1. In your Netwrix Auditor server, disable **Netwrix Auditor Archive Service** and **Netwrix Auditor Management Service** via **Services**. +2. Open the SQL server instance used by Netwrix Auditor via SQL Server Management Studio, and delete both the `ReportServer` and `ReportServerTemp` databases. + 1. Once you've opened SSMS, unfold the **Databases** folder in the **Object Explorer** pane on the left. + 2. Right-click each (`ReportServer` and `ReportServerTemp`) database and select **Delete**. + 3. Before confirming the deletion, make sure to check the **Close existing connections** checkbox. +3. Once the databases are deleted, regenerate the `ReportServer` database. Refer to the following article for additional information: /docs/kb/auditor/deploying_the_report_server_database (Deploying the Report Server Database). +4. 
After you've configured the `ReportServer` database, grant the roles to the SSRS service account the roles required. Refer to the following article for additional information: /docs/auditor/10.5/auditor/permissions/ssrsaccount (Configure SSRS Account). +5. Restart **Netwrix Auditor Archive Service** and **Netwrix Auditor Management Service** via **Services**. diff --git a/docs/kb/auditor/could-not-locate-end-of-event-log-error.md b/docs/kb/auditor/could-not-locate-end-of-event-log-error.md new file mode 100644 index 0000000000..2d9cdd382d --- /dev/null +++ b/docs/kb/auditor/could-not-locate-end-of-event-log-error.md 
@@ -0,0 +1,73 @@ +--- +description: >- + Explains the Event ID 6141 health log error indicating the end of the event + log could not be located and provides causes and step-by-step resolutions for + File Servers monitoring plans. +keywords: + - event log + - Event ID 6141 + - file server + - monitoring plan + - event log retention + - Netwrix Auditor + - health log + - AutoBackupLogFiles + - Retention +products: + - auditor + - File_Server +visibility: public +sidebar_label: Could Not Locate End of Event Log Error +tags: [] +title: "Could Not Locate End of Event Log Error" +knowledge_article_id: kA04u00000110xACAQ +--- + +# Could Not Locate End of Event Log Error + +## Symptom + +The following error is indicated in your Health Log for a File Servers monitoring plan: + +```text +Event ID: 6141 +Description: Monitoring plan: %monitoring_plan_name%. +Item: %item_name%. + +Could not locate the end of the event log for '%item_name%'. The event log might have been overwritten. +``` + +## Causes + +1. The maximum log size of the target event log is configured incorrectly. +2. Insufficient hardware resources of your Netwrix Auditor server affect the data collection process. +3. Network traffic compression option is disabled. +4. Event log settings are not propagated in the corresponding registry key − the settings are reverted after each edit. + +## Resolutions + +### Cause #1 − Incorrectly configured maximum log size + +Review retention settings for the target logs − refer to the following article for additional information: /docs/auditor/10.6/auditor/configurationuration/windowsserver (Windows Server − Adjusting Event Log Size and Retention Settings · v10.6). 
+ +### Cause #2 −Insufficient hardware resources + +Review the hardware resources of your Netwrix Auditor server − refer to the following article for for additional information on sample deployment scenarios depending on the enivornment size: /docs/auditor/10.6/auditor/requirements (Requirements − Sample Deployment Scenarios · v10.6). + +### Cause #3 − Network traffic compression option is disabled + +Enable the network traffic compression option − refer to the following article for additional information: /docs/auditor/10.6/auditor/admin-guide/healthstatus (Netwrix Auditor Operations and Health − Network Traffic Compression · v10.6). + +### Cause #4 − Settings are reverted + +Specify the maximum log size and action settings for the affected event log: + +1. In the target server, open Registry Editor and navigate to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\`. +2. Select the subkey for the affected event log. +3. Review the **AutoBackupLogFiles** and **Retention** values of the subkey − modify both values to state `0`. Right-click a value, select **Modify**, edit the **Value data** field to state `0`, and click **OK** to save changes. Repeat these actions for the second value. + +## Related articles + +- /docs/auditor/10.6/auditor/configurationuration/windowsserver (Windows Server − Adjusting Event Log Size and Retention Settings · v10.6) +- /docs/auditor/10.6/auditor/requirements (Requirements − Sample Deployment Scenarios · v10.6) +- /docs/auditor/10.6/auditor/admin-guide/healthstatus (Netwrix Auditor Operations and Health − Network Traffic Compression · v10.6) diff --git a/docs/kb/auditor/could_not_create_ssltls_secure_channel_error_in_windows_server_monitoring_plan.md b/docs/kb/auditor/could_not_create_ssltls_secure_channel_error_in_windows_server_monitoring_plan.md new file mode 100644 index 0000000000..c9c0f5fdec --- /dev/null +++ b/docs/kb/auditor/could_not_create_ssltls_secure_channel_error_in_windows_server_monitoring_plan.md 
@@ -0,0 +1,55 @@ +--- +description: >- + This article addresses the "Could Not Create SSL/TLS Secure Channel" error in Windows Server monitoring plans, detailing symptoms, causes, and resolutions. +keywords: + - SSL/TLS + - Windows Server + - Netwrix Auditor + - monitoring plans + - error resolution +sidebar_label: SSL/TLS Secure Channel Error +tags: [] +title: "Could Not Create SSL/TLS Secure Channel Error in Windows Server Monitoring Plan" +knowledge_article_id: kA04u000000wnpYCAQ +products: + - auditor +--- + +# Could Not Create SSL/TLS Secure Channel Error in Windows Server Monitoring Plan + +## Symptoms + +- No data is collected in your Windows Server monitoring plans. +- The affected Windows Server monitoring plans have the network traffic compression option enabled. +- The following error is prompted in the Netwrix Auditor Health Log for your Windows Server monitoring plans: + + ```plaintext + WebException: The request was aborted: Could not create SSL/TLS secure channel. + ``` + +## Causes + +- TLS 1.2 is disabled in your environment. +- TLS protocol versions used differ in the Windows Server host and compression service. +- The Windows Server Auditing certificate has expired. + +## Resolutions + +- Enable TLS 1.2 in your environment − refer to the following article for additional information: Connection Issue when TLS 1.2 Is Required. +- In case TLS protocol versions are limited to specific versions in your environment, make sure to allow the operating system to select the protocol for incoming and outgoing communication. Refer to the following article for additional information: [Client and Server Cannot Communicate, Because They Do Not Possess a Common Algorithm](/docs/kb/auditor/client-and-server-cannot-communicate-because-they-do-not-possess-a-common-algorithm). +- Review the certificate used for Windows Server auditing: + 1. In the Netwrix Auditor server, either press **Win + R** or launch the **Run** command window. + 2. 
In the **Run** command window, type `mmc` and press **OK**. Select **Yes** in the following prompt. + 3. In the **Console** window, click **File** > **Add/Remove Snap-in**. + 4. In the left **Available snap-ins** window, select **Certificates**, and click **Add >**. + + > **NOTE:** Once you add the **Certificates** snap-in, the following options should be selected in the prompted pop-up windows: **Computer account** > **Local computer** > **Finish** > **OK**. + + 5. In the left pane, expand the **Certificates (Local Computer)** store, and proceed to **Netwrix Auditor for Windows Server** > **Certificates**. + 6. Review the certificate located in the **Certificates** folder. If expired (or multiple certificates are present), right-click the corresponding certificate and select **Delete**. + 7. Restart the server to reissue the certificate. + +## Related Articles + +- Connection Issue when TLS 1.2 Is Required +- [Client and Server Cannot Communicate, Because They Do Not Possess a Common Algorithm](/docs/kb/auditor/client-and-server-cannot-communicate-because-they-do-not-possess-a-common-algorithm) \ No newline at end of file diff --git a/docs/kb/auditor/could_not_load_system.net.http_in_exchange_online_monitoring_plan.md b/docs/kb/auditor/could_not_load_system.net.http_in_exchange_online_monitoring_plan.md new file mode 100644 index 0000000000..11312f33cc --- /dev/null +++ b/docs/kb/auditor/could_not_load_system.net.http_in_exchange_online_monitoring_plan.md 
@@ -0,0 +1,43 @@ +--- +description: >- + This article addresses the error encountered in the Health Log for Exchange Online monitoring plans related to the inability to load the System.Net.Http assembly. +keywords: + - Exchange Online + - System.Net.Http + - .NET Framework +sidebar_label: Could Not Load System.Net.Http +tags: [] +title: "Could Not Load System.Net.Http in Exchange Online Monitoring Plan" +knowledge_article_id: kA04u00000111LWCAY +products: + - auditor +--- + +# Could Not Load System.Net.Http in Exchange Online Monitoring Plan + +## Symptom + +The following error is prompted in the Health Log for your Exchange Online monitoring plan: + +``` +Source: Office 365 Audit Service +Event ID: 2002 +Description: Monitoring Plan: %monitoring_plan_name% +The following error has occurred while processing '%item_name%': +Cannot execute the PowerShell command. Error: +Could not load file or assembly 'System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. +The system cannot find the file specified. +``` + +## Cause + +The .NET Framework version installed in your environment does not comply with the software requirements for **Netwrix Auditor**. Refer to the following article for additional information: [Software Requirements ⸱ v10.6](/docs/auditor/10.6/requirements/software). + +## Resolution + +Update the .NET Framework version in both the **Auditor** server and affected client. For the offline .NET Framework v4.8.1 installer, visit [Download .NET Framework 4.8.1 ⸱ Microsoft 🡥](https://dotnet.microsoft.com/en-us/download/dotnet-framework/net481). + +## Related Articles + +- [Software Requirements ⸱ v10.6](/docs/auditor/10.6/requirements/software) +- [Download .NET Framework 4.8.1 ⸱ Microsoft 🡥](https://dotnet.microsoft.com/en-us/download/dotnet-framework/net481) \ No newline at end of file 
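Review bot: the Software Requirements link in the Cause section and again under Related Articles points to `/docs/auditor/10.6/requirements/software`, while other articles in this patch link the 10.6 requirements page as `/docs/auditor/10.6/auditor/requirements`. Confirm which path resolves and use it in both places. The Resolution also says to update .NET Framework on the "affected client" without saying which machine that is; name it so the reader knows where to install 4.8.1. The file ends without a trailing newline.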
diff --git a/docs/kb/auditor/create-powershell-session-failed-using-oauth-in-microsoft-365-monitoring-plan.md b/docs/kb/auditor/create-powershell-session-failed-using-oauth-in-microsoft-365-monitoring-plan.md new file mode 100644 index 0000000000..2123058e3c --- /dev/null +++ b/docs/kb/auditor/create-powershell-session-failed-using-oauth-in-microsoft-365-monitoring-plan.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Netwrix Auditor shows an error in the Health Log that a PowerShell session + creation failed using OAuth for a Microsoft 365-based monitoring plan. This + article explains the cause and the steps to enable basic authentication for + WinRM on the affected server. +keywords: + - WinRM + - basic authentication + - OAuth + - Microsoft 365 + - PowerShell + - Health Log + - Office 365 Audit Service + - Event ID 2002 +products: + - auditor +sidebar_label: Create Powershell Session Failed Using OAuth in Mi +tags: [] +title: "Create Powershell Session Failed Using OAuth in Microsoft 365 Monitoring Plan" +knowledge_article_id: kA04u000000wnlWCAQ +--- + +# Create Powershell Session Failed Using OAuth in Microsoft 365 Monitoring Plan + +## Symptom + +The following error is prompted in Health Log for your Microsoft 365-based monitoring plan in Netwrix Auditor: + +``` +Source: Office 365 Audit Service +Event ID: 2002 +Computer: %affected_server% +Monitoring Plan: %Microsoft_365-based_plan_name% +Cannot execute the PowerShell command. +Error: Create Powershell Session is failed using OAuth +``` + +## Cause + +Basic authentication for Windows Remote Management is disabled in your environment. + +## Resolution + +Enable basic authentication for WinRM in the affected server: + +1. Run the following line in the elevated Command Prompt to review the authentication methods in your environment: + +```text +winrm get winrm/config/client/auth +``` + +2. If the `Basic` option equals `false`, run the following line to enable it: + +```text +winrm set winrm/config/client/auth @{Basic="true"} +``` + +> **IMPORTANT:** If basic authentication is disabled via GPO in your environment, you can create a separate GPO to enable it for the affected server specified in the error message. 
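Review bot: the Resolution turns on WinRM Basic authentication with `winrm set winrm/config/client/auth @{Basic="true"}` but carries no security caveat, and the Cause does not explain why a session that uses OAuth depends on Basic being enabled. Add a sentence on what is carried over Basic here, state that `AllowUnencrypted` under `winrm/config/client` should stay `false`, and move the GPO advice from the closing IMPORTANT block up to the steps so the change is scoped to the affected server only. Formatting: the two fenced commands sit at column 0 under numbered steps, which breaks the list numbering in most Markdown renderers; indent each under its step. The title and `sidebar_label` spell "Powershell" while the body uses "PowerShell", and the `sidebar_label` is cut off at "in Mi".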
diff --git a/docs/kb/auditor/credentials-used-by-account-lockout-examiner.md b/docs/kb/auditor/credentials-used-by-account-lockout-examiner.md new file mode 100644 index 0000000000..d2540644fa --- /dev/null +++ b/docs/kb/auditor/credentials-used-by-account-lockout-examiner.md 
@@ -0,0 +1,31 @@ +--- +description: >- + Lists the accounts that Netwrix Account Lockout Examiner uses, their roles, + and recommendations for permissions and licensing. +keywords: + - Account Lockout Examiner + - credentials + - service account + - help-desk + - license + - permissions + - Account Lockout Examiner Administrator + - Helpdesk Operator + - Netwrix +products: + - auditor +sidebar_label: Credentials used by Account Lockout Examiner +tags: [] +title: "Credentials used by Account Lockout Examiner" +knowledge_article_id: kA00g000000H9UFCA0 +--- + +# Credentials used by Account Lockout Examiner + +What credentials does Netwrix Account Lockout Examiner use? + +Netwrix Account Lockout Examiner uses two types of accounts: + +1. **The service account** - an account used to run the Netwrix Account Lockout Examiner service. This account is used to collect logs and examine machines. It is recommended to use a domain admin account. [Here is the list](https://www.netwrix.com/kb/1396) of all required rights and permissions. +2. **An account to run the console.** By default, credentials of the user that is logged in currently are used. It is counted by the license and is shown as examination initializer. This account must be granted the Account Lockout Examiner Administrator role in the product settings. This role allows access to the Help-desk portal as well. It is recommended to grant the account the local admin role. +3. **An account you enter to access the Help-desk portal.** Usually the portal prompts for the credentials; otherwise the credentials of the user that is logged in currently are used. This account is also counted by the license. It must be granted the Helpdesk Operator role in the product settings. diff --git a/docs/kb/auditor/customize-notifications-and-reports-in-password-expiration-notifier.md b/docs/kb/auditor/customize-notifications-and-reports-in-password-expiration-notifier.md new file mode 100644 index 0000000000..ed897ca314 --- /dev/null 
+++ b/docs/kb/auditor/customize-notifications-and-reports-in-password-expiration-notifier.md 
@@ -0,0 +1,125 @@ +--- +description: >- + Learn how to customize notification and report templates for Netwrix Password + Reset (Password Expiration Notifier), including locating templates, adding + images and links, changing font size, adding Active Directory attributes, and + editing header/footer. +keywords: + - password expiration + - templates + - email templates + - Netwrix Password Reset + - Netwrix Auditor + - notify users + - Active Directory attributes + - UTF-8 +products: + - auditor +sidebar_label: Customize Notifications and Reports in Netwrix Password Reset +tags: [] +title: "Customize Notifications and Reports in Netwrix Password Reset" +knowledge_article_id: kA00g000000H9W8CAK +--- + +# Customize Notifications and Reports in Netwrix Password Reset + +## Question + +How to customize Netwrix Auditor Netwrix Password Reset notifications and reports? + +## Answer + +> **NOTE:** You can find the templates by following the provided path (by default): +> +> ```text +> C:\Program Files (x86)\Netwrix Auditor\Password Expiration Alerting\Templates\%GUID% +> ``` +> +> If you have multiple monitoring plans set up, refer to the Task Scheduler tasks to determine the appropriate GUID for the plan. The Password Expiration task in Task Scheduler will have `Netwrix Auditor - {%GUID_1%} - {%GUID_2%}` name, where `%GUID_2%` will match the corresponding folder name. + +> **IMPORTANT:** Netwrix Password Reset uses UTF-8 encoding. Your email client should be set up to either automatically or explicitly detect UTF-8 encoding to correctly translate characters. 
+ +- [Locate templates](#locateTemplates) +- [Insert an image to the user notification email template](#addImage) +- [Insert a hyperlink to the user notification email template](#addHyperlink) +- [Change the font size of the user notification email template](#changeFontSize) +- [Include an attribute in the email template](#addAttribute) +- [Edit email header and footer](#editHeader) + +### Locate templates + +You can edit and customize the notification and report templates in Netwrix Password Reset: + +1. In the **Start** menu, select the **Netwrix Auditor** folder. +2. Open **Netwrix Password Reset**. +3. Select the monitoring plan you would like to edit the notification and (or) report templates for, and click **Edit**. +4. To change notifications sent to users, select the **Actions** tab. + - Check the **Notify users** checkbox, and click **Customize** to edit the corresponding notification template. + + > **NOTE:** Changes introduced are unique to the template. These changes will not be replicated from **First time when password expires in** template to **Last time when password expires in** template, etc. + +5. To change the report template, select the **Advanced** tab. + - Click **Edit** next to **Customize the report template**. +6. To change the report template for users' managers, select the **Actions** tab. + - Check the **Send reports to the users' managers** checkbox, and click **Customize** to edit the corresponding notification template. + +### Insert an image to the user notification email template + +1. Select the appropriate template and click **Customize**. +2. Add the following HTML tag to the template body: + + ```html + image_description + ``` + + > **NOTE:** The image must be located in a shared folder with permissions to read this folder shared between all users being notified. Alternatively, a URL to the image can be used. + +3. Click the **Test** button in the template editor window to send a test message. 
+ +### Insert a hyperlink to the user notification email template + +1. Select the appropriate template and click **Customize**. +2. Add the following HTML tag to the template body: + + ```html + Hyperlinked text + ``` + +3. Click the **Test** button in the template editor window to send a test message. + +### Change the font size of the user notification email template + +1. Select the appropriate template and click **Customize**. +2. Add the following tag to the template body (with values ranging from 1 to 7): + + ```html + + ``` + +3. Click the **Test** button in the template editor window to send a test message. + +> **NOTE:** The tag affects the lines after the tag. The example provided below affects the lines after `Hi {givenName},`. +> +> + +### Include an attribute in the email template + +> **NOTE:** You can use other attributes in your Netwrix Password Reset emails. Learn more about Active Directory attributes in All attributes ⸱ Microsoft 🡺: https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all + +1. Select the appropriate template and click **Customize**. +2. Add the following attribute to the template body: + + ```text + {CanonicalName} + ``` + +3. Click the **Test** button in the template editor window to send a test message. + +### Edit email header and footer + +You can disable header and footer in Netwrix Password Reset emails. Refer to the following article for additional information: [Hide and Disable Header and Footer in Password Expiration Notifier Emails](/docs/kb/auditor/hide-and-disable-header-and-footer-in-password-expiration-notifier-emails.md). + +## Related articles + +- [Hide and Disable Header and Footer in Password Expiration Notifier Emails](/docs/kb/auditor/hide-and-disable-header-and-footer-in-password-expiration-notifier-emails.md) +- [All attributes ⸱ Microsoft 🡺](https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all) 
diff --git a/docs/kb/auditor/data-classification-services-do-not-start.md b/docs/kb/auditor/data-classification-services-do-not-start.md new file mode 100644 index 0000000000..894e8b7b5c --- /dev/null +++ b/docs/kb/auditor/data-classification-services-do-not-start.md 
@@ -0,0 +1,68 @@ +--- +description: >- + Troubleshoot Netwrix Data Classification services that fail to start due to + credential or timeout issues and learn how to verify credentials and increase + the Windows service startup timeout. +keywords: + - data classification + - service start + - ServicesPipeTimeout + - services.msc + - regedit + - Windows services + - startup timeout + - credentials +products: + - auditor + - data-classification +sidebar_label: Data Classification services do not start +tags: [] +title: "Data Classification services do not start" +knowledge_article_id: kA00g000000H9e7CAC +--- + +# Data Classification services do not start + +You may see one of the following errors: + +- The service did not start due to a logon failure +- The service did not respond to the start or control request in a timely fashion +- Service cannot be started. The service process could not connect to the service controller +- A timeout was reached (30000 milliseconds) while waiting for the `` service to connect. + +Typically this is related to one of the following issues: + +- Invalid/Incorrect credentials +- Low service start-up time thresholds for the server specification + +## Verify Credentials + +1. Open the **Run** window by clicking the **Start** button and then clicking **Run**. +2. In the **Run** window, type `services.msc` and then click **OK**. +3. Locate the affected **service**. +4. Right-click and select **Properties**. +5. Select the tab **Log On**. +6. Update the **credentials**. +7. Click **OK**. +8. **Restart** the **service**. + +## Increase Service Start-up Timeout + +We may need to increase the default startup timeout period on the server. Follow the steps below to increase the startup timeout value for all services: + +1. Open the **Run** window by clicking the **Start** button and then clicking **Run**. +2. In the **Run** window, type `regedit` and then click **OK** to open the **Registry Editor**. +3. 
Locate and then select the following registry subkey: `HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl` +4. In the right pane locate the `ServicesPipeTimeout` entry. +5. Right-click the `ServicesPipeTimeout` entry and select **Modify**. +6. Ensure **Decimal** is selected. +7. Specify a value of `120000` (2 mins). +8. Click **OK**. +9. **Restart** the server. + +## Note + +If the `ServicesPipeTimeout` entry does not exist you should first create it: + +1. On the Edit menu hover over **New** and then select `DWORD` `Value`. +2. Type `ServicesPipeTimeout` and then press **ENTER**. diff --git a/docs/kb/auditor/data-gathering-task-has-not-been-scheduled.md b/docs/kb/auditor/data-gathering-task-has-not-been-scheduled.md new file mode 100644 index 0000000000..d0ace2d556 --- /dev/null +++ b/docs/kb/auditor/data-gathering-task-has-not-been-scheduled.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Collections show as Not Scheduled because Windows cannot create the required + scheduled task. This article lists checks and steps to identify and resolve + issues that block scheduled task creation on the Netwrix Auditor server. +keywords: + - Not Scheduled + - Windows Task Scheduler + - scheduled task + - UAC + - Group Policy + - credentials + - Netwrix Auditor + - 'C:WindowsTasks' +products: + - auditor +sidebar_label: Data gathering task has not been scheduled +tags: [] +title: "Data gathering task has not been scheduled" +knowledge_article_id: kA00g000000H9auCAC +--- + +# Data gathering task has not been scheduled + +The status of your collections show as Not Scheduled after creation. Following the instructions in the description does not help. + +--- + +Something is blocking the creation of the Windows Scheduled Task. This could be permissions of some kind, group policy or UAC. + +--- + +To ensure that the following KB will be helpful please verify the following: + +1) There is a scheduled task created in the `C:WindowsTasks` folder however the Windows Task Scheduler GUI does not show this task. + +Once that is confirmed please try the following. After each step where a change was made, refresh Windows Task Scheduler to see if the task shows up. + +1) Ensure the Data Processing Account is a local admin and/or disable UAC on the Netwrix Auditor server. +2) Ensure that credentials that are entered in **Settings -> Data Collection -> Modify Button** are not blank. +3) **Right click** each of your managed objects and for each one that is using **custom credentials** also make sure that those are not blank. +4) Ensure that the following **Group Policy** is not applied to the Netwrix Auditor server - **Network access: Do not allow storage of passwords and credentials for network authentication**. 
You can see if it is by opening **Local Security Policy** and navigating to **Security Settings -> Local Policies -> Security Options**. + +Note #2 and #3 are more likely to occur after a migration as the credentials are encrypted specifically for the original computer and need to be entered manually. diff --git a/docs/kb/auditor/data-matcher-timeout.md b/docs/kb/auditor/data-matcher-timeout.md new file mode 100644 index 0000000000..6cb469ed44 --- /dev/null +++ b/docs/kb/auditor/data-matcher-timeout.md 
@@ -0,0 +1,47 @@ +--- +description: >- + If Netwrix Data Classification reports show "No Data Found" with a + DataMatchingWorker SQL timeout error, increase the SQLCommandTimeout in + `DDCCoreSettings.xml` and restart the Netwrix Auditor DDC Provider service to + allow the matching process to complete. +keywords: + - Data Matcher Timeout + - DataMatchingWorker + - SQLCommandTimeout + - DDC Provider + - Data Discovery and Classification + - Netwrix Data Classification + - Execution Timeout + - Netwrix Auditor logs +products: + - auditor +sidebar_label: Data Matcher Timeout +tags: [] +title: "Data Matcher Timeout" +knowledge_article_id: kA04u000000XmIXCA0 +--- + +# Data Matcher Timeout + +## Scenario + +Netwrix Data Classification reports are showing No Data Found + +The following error may be present in your instance: + +``` +DataMatchingWorker: Data matching has been terminated by the following error: System.Data.SqlClient.SqlException (0x80131904): Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. ---> System.ComponentModel.Win32Exception (0x80004005): The wait operation timed out +``` + +This error will be found in the **DDC Provider log**, by default located here: (`C:\ProgramData\Netwrix Auditor\Logs\Data Discovery and Classification\Tracing\Netwrix.DDC.Service_FileServers.log`). + +## Solution + +To resolve the issue: + +1. Open `DDCCoreSettings.xml` with a text editor (`C:\ProgramData\Netwrix Auditor\Data Discovery and Classification\DDCCoreSettings.xml`). +2. Increase the `SQLCommandTimeout` from `1200` to `12000`. +3. Save the file. +4. Restart the Netwrix Auditor DDC Provider service. +5. Wait up to 24 hours for the matching process to run. +6. Check Netwrix Data Classification reports. diff --git a/docs/kb/auditor/data-missing-after-the-license-expiration.md b/docs/kb/auditor/data-missing-after-the-license-expiration.md new file mode 100644 index 0000000000..ead0c26cba --- /dev/null 
+++ b/docs/kb/auditor/data-missing-after-the-license-expiration.md @@ -0,0 +1,37 @@ +--- +description: >- + Explains why activity records are missing for the period when a Netwrix + Auditor license was expired and what to check in event log retention settings + to prevent data loss. +keywords: + - license expiration + - activity records + - event logs + - retention + - Netwrix Auditor + - downtime + - event log size + - overwritten events +products: + - auditor +sidebar_label: Data Missing After the License Expiration +tags: [] +title: "Data Missing After the License Expiration" +knowledge_article_id: kA04u000000wnrZCAQ +--- + +# Data Missing After the License Expiration + +## Question + +Your Netwrix Auditor license has recently expired − a new license has since been applied. Why do activity records from the downtime period are missing? + +## Answer + +Netwrix Auditor stops monitoring corresponding data sources after the license expiration. Once a new license is applied, Auditor will collect all the data present in event logs as of the moment of the license application. This behavior is expected − the event logs are set up to be overwritten to prevent the extra space consumption. Any events that were overwritten will not have activity records generated for them. + +Depending on the size of your environment and the amount of Activity Records generated per day, you might need to increase the event log size. Refer to the following article for additional information: /docs/auditor/10.6/auditor/configurationuration/windowsserver (Adjusting Event Log Size and Retention Settings ⸱ v10.6). + +## Related articles + +- /docs/auditor/10.6/auditor/configurationuration/windowsserver (Adjusting Event Log Size and Retention Settings ⸱ v10.6) diff --git a/docs/kb/auditor/database-contains-tables-not-compatible-with-the-product.md b/docs/kb/auditor/database-contains-tables-not-compatible-with-the-product.md new file mode 100644 index 0000000000..197ce7974d --- /dev/null 
+++ b/docs/kb/auditor/database-contains-tables-not-compatible-with-the-product.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Explains how to resolve the "Database contains tables not compatible with the + product" error by granting the Data Processing Account the required SQL Server + permissions for Netwrix Auditor databases. +keywords: + - database + - DB_Owner + - Data Processing Account + - SQL Management Studio + - permissions + - Netwrix Auditor + - reporting database + - history +products: + - auditor +sidebar_label: Database contains tables not compatible with the p +tags: [] +title: "Database contains tables not compatible with the product" +knowledge_article_id: kA00g000000H9a6CAC +--- + +# Database contains tables not compatible with the product + +Your audited system fails with the following error: + +``` +Error saving history to database: Database %name of database% +already contains tables that are not compatible with the product +``` + +--- + +Database permissions for the Data Processing Account are not sufficient. The Data Processing Account must either be a Sysadmin or have `DB_Owner` permission to each Netwrix database in order to upload audit data to the reporting database. + +--- + +## Resolution + +Using SQL Management Studio give the Data Processing Account `DB_Owner` rights to the Netwrix Auditor database in question. + +1) Log into the instance which contains the product database using SQL Management Studio with a **sysadmin account**. + +2) Expand **Security** and then **Logins**. + ![User-added image](images/ka04u000000HcT5_0EM700000008DPW.png) + +3) **Right click** the **Data Processing Account** and go to **Properties** (add the account if it doesn't exist). + ![User-added image](images/ka04u000000HcT5_0EM700000008DPb.png) + +4) Under **Server Roles** you can give **sysadmin** to this account OR alternatively you can go to **User Mapping** and select each Netwrix database individually and add **DB_Owner** permissions. + ![User-added image](images/ka04u000000HcT5_0EM700000008DPg.png) 
diff --git a/docs/kb/auditor/database-performance-loss.md b/docs/kb/auditor/database-performance-loss.md new file mode 100644 index 0000000000..3aa91f0796 --- /dev/null +++ b/docs/kb/auditor/database-performance-loss.md @@ -0,0 +1,36 @@ +--- +description: >- + There is some performance loss on the database selected for auditing via the + Database Content Audit feature of Netwrix Auditor for SQL Servers. This + article explains why and how to reduce the SQL Server performance impact. +keywords: + - database performance + - Database Content Audit + - SQL Server + - Netwrix Auditor + - auditing overhead + - performance impact + - monitoring +products: + - auditor +sidebar_label: Database performance loss +tags: [] +title: "Database performance loss" +knowledge_article_id: kA00g000000H9bWCAS +--- + +# Database performance loss + +## Overview + +There is some performance loss on the database selected for auditing via the Database Content Audit feature of Netwrix Auditor for SQL Servers. + +--- + +This is a standard overhead inherent in any change auditing systems. This overhead can only affect the database you have selected for monitoring. It is recommended to enable the Database Content Audit feature for the databases with low load only. + +--- + +## Recommendation + +To reduce the SQL Server performance impact, specify the exact databases where you want to track data changes, with exact tables for these databases. diff --git a/docs/kb/auditor/db-owner-has-been-removed-from-databases.md b/docs/kb/auditor/db-owner-has-been-removed-from-databases.md new file mode 100644 index 0000000000..848c110353 --- /dev/null +++ b/docs/kb/auditor/db-owner-has-been-removed-from-databases.md 
@@ -0,0 +1,38 @@ +--- +description: >- + Explains how to restore a database owner if Database Content Audit in Netwrix + Auditor removes the DB_OWNER role from databases. +keywords: + - DB_OWNER + - database owner + - Database Content Audit + - TRUSTWORTHY + - Netwrix Auditor + - SQL Server + - ALTER AUTHORIZATION + - database recovery +products: + - auditor +sidebar_label: DB_Owner has been removed from Databases +tags: [] +title: "DB_Owner has been removed from Databases" +knowledge_article_id: kA00g000000H9apCAC +--- + +# DB_Owner has been removed from Databases + +You have configured **Database Content Audit** in Netwrix Auditor for SQL Servers and ran a collection and `DB_OWNER` has been removed from your databases. + +--- + +When the **Database Content Audit** option is selected, on each data collection the program checks if the `TRUSTWORTHY` property is enabled on the monitored databases, and enables the property when it is disabled. Sometimes this process can corrupt the database owner record. + +--- + +1. In Microsoft SQL Server Management Studio, run the following command: + +```sql +ALTER AUTHORIZATION ON DATABASE::db_name TO user_name +``` + +where `db_name` is a name of the corrupted database and `user_name` is the db owner account name. diff --git a/docs/kb/auditor/deploying-the-report-server-database.md b/docs/kb/auditor/deploying-the-report-server-database.md new file mode 100644 index 0000000000..a154553d38 --- /dev/null +++ b/docs/kb/auditor/deploying-the-report-server-database.md 
@@ -0,0 +1,85 @@ +--- +description: >- + How to configure SQL Server Reporting Services for initial setup or during a + Netwrix Auditor migration. Includes steps to initialize Web Service and Web + Portal URLs, create the report server database, and register the Report Server + with Netwrix Auditor. +keywords: + - SQL Server Reporting Services + - Report Server + - Report Server Configuration Manager + - Netwrix Auditor + - Report Manager URL + - Audit Database + - Web Service URL + - Web Portal URL +products: + - auditor +visibility: public +sidebar_label: Deploying the Report Server Database +tags: [] +title: "Deploying the Report Server Database" +knowledge_article_id: kA00g000000H9eUCAS +--- + +# Deploying the Report Server Database + +## Question + +How to set up SQL Server Reporting Services for the first time or during the Netwrix Auditor migration? + +## Answer + +In case you are configuring SQL Server Reporting Services for the first time, grant the appropriate role permissions to the user. Refer to the following link for additional info: /docs/auditor/10.6/auditor/requirements Launch the **Report Server Configuration Manager** and connect to the Report Server. + +> **NOTE:** In most cases, there is only one Report Server to be hosted locally on the same server as SQL. + +### Set Up Web Service URL and Web Portal URL + +In your SQL server, run **Report Server Configuration Manager**. Select the SQL Server to connect to, and click **Connect**. Refer to the following steps to configure your Report Server instance: + +1. In the left pane, select **Web Service URL**. Click **Apply** − this will initialize the Report Server URL. + + > **NOTE:** This action is required only during the initial setup. + +2. In the left pane, select **Web Portal URL**. Click **Apply** − this will initialize the Report Manager URL. + + > **NOTE:** This action is required only during the initial setup. + +### Set Up Report Server Database + +1. 
In the left pane of **Report Server Configuration Manager**, select **Database**. Click **Change Database**. + +2. Check the **Create a new report server database** check and click **Next**. + +3. In the **Database Server** tab, confirm the SQL Server instance and click **Next**. + + > **NOTE:** In case you are unable to proceed with the authentication type specified, make sure the user has the appropriate role permissions. If you need to review the SQL permissions, refer to the following link: /docs/auditor/10.6/auditor/admin-guide/reports/types/stateintime + +4. In the **Database** tab, you can use the default database name or change it. Click **Next** to proceed to the next setup stage. + +5. In the **Credentials** tab, provide the credentials for the service account to connect to the Report Server database. You can also input credentials for any account with `db_owner` and `db_creator` roles. Click **Next** to proceed. + +6. Review the summary and confirm the configuration by clicking **Next**. + +### Set Up Audit Database in Netwrix Auditor + +Once the database has been successfully deployed, provide the Report Server URL and Report Manager URL in Netwrix Auditor settings. + +1. In the main Netwrix Auditor screen, click **Settings**. In the left pane, select the **Audit Database** tab and click **Modify** under the **Audit Database** section. + + ![Audit Database Modify](images/ka04u000000wvtY_0EM4u000008pRVW.png) + +2. Input the credentials and click **Next**. + +3. Input the Web Service URL in the **Report Server URL** field. Input the Web Portal URL in the **Report Manager URL** field. Click **Finish** to save changes. + +Netwrix Auditor should now be able to process and generate reports. + +## Related articles + +- Requirements – SQL Server Reporting Services · v10.6 + /docs/auditor/10.6/auditor/requirements + +- SQL Server State-In-Time Reports · v10.6 + /docs/auditor/10.6/auditor/admin-guide/reports/types/stateintime 
diff --git a/docs/kb/auditor/determining-the-number-of-enabled-active-directory-user-accounts.md b/docs/kb/auditor/determining-the-number-of-enabled-active-directory-user-accounts.md new file mode 100644 index 0000000000..5c158831f8 --- /dev/null +++ b/docs/kb/auditor/determining-the-number-of-enabled-active-directory-user-accounts.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Shows how to determine the number of enabled Active Directory user accounts + for Netwrix Auditor using a provided script or an AD Saved Query, and how to + increase the AD query result limit above 10,000. +keywords: + - enabled AD users + - Active Directory + - user count + - Netwrix Auditor + - Saved Queries + - LDAP filter + - countofusers.vbs + - AD search limit + - Group Policy +products: + - auditor +sidebar_label: Determining the Number of Enabled Active Directory +tags: [] +title: "Determining the Number of Enabled Active Directory User Accounts" +knowledge_article_id: kA00g000000H9UdCAK +--- + +# Determining the Number of Enabled Active Directory User Accounts + +## Overview + +To determine the number of enabled user accounts for Netwrix Auditor, it is important to understand that Netwrix Auditor is licensed per enabled Active Directory (AD) user. + +**What is an enabled AD user?** An enabled AD user is an existing, enabled user account. Computer users, deleted users, group users, and disabled accounts do not constitute enabled AD users and are not factored into licensing. + +## Instructions + +The number of enabled user accounts can be determined one of the following two ways: + +- Use the following link to download a special script: https://www.netwrix.com/download/products/vbs_script/countofusers.zip + 1. Save and unzip `countofusers.zip` and run the `countofusers.vbs` file. + 2. When prompted, enter your domain name. The script will return the number of enabled user accounts in the specified domain. + +- Execute the following steps: + 1. Open the **Active Directory Users and Computers** snap-in. + 2. Right-click the **Saved Queries** node and select **New**. + 3. In the **Name** field, provide the name of the new query. + 4. Specify the **Query Root** of the **Organizational Unit** you want to monitor (or the entire domain). + 5. Click on **Define Query**. + 6. 
Select **Custom Search** from the **Find** drop-down list. + 7. Open the **Advanced** tab and paste in the following LDAP filter: + + ```text + (&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(name=HealthMailbox*))) + ``` + + 8. Click **OK** to save the changes. + +> **NOTE:** By default, AD queries are limited to 10,000 results. To view more than 10,000 results, take the following steps: + +1. Start the MMC Group Policy Management snap-in. +2. Locate the target domain, right-click the target policy and select **Edit**. +3. Proceed to **User Configuration** > **Policies** > **Administrative Templates** > **Desktop** > **Active Directory**. +4. Double-click the **Maximum size of Active Directory searches** setting. +5. Select **Enabled**, and set the number (e.g., 30000). +6. Click **Apply** > **OK**. +7. Close the Group Policy Editor. diff --git a/docs/kb/auditor/determining-the-number-of-enabled-microsoft-entra-id-accounts.md b/docs/kb/auditor/determining-the-number-of-enabled-microsoft-entra-id-accounts.md new file mode 100644 index 0000000000..0c647a7ab6 --- /dev/null +++ b/docs/kb/auditor/determining-the-number-of-enabled-microsoft-entra-id-accounts.md 
@@ -0,0 +1,84 @@ +--- +description: >- + Use Microsoft Graph PowerShell or the Azure Active Directory PowerShell 2.0 + module to determine how many enabled Microsoft Entra ID accounts exist in your + environment. This article includes the exact commands and notes about version + behavior and userType assignment. +keywords: + - Microsoft Entra ID + - Azure AD + - Microsoft Graph PowerShell + - Azure AD PowerShell + - enabled accounts + - user count + - userType + - PowerShell +products: + - auditor + - Azure_AD_and_Office_365 +sidebar_label: 'Determining the Number of Enabled Microsoft Entra ' +tags: [] +title: "Determining the Number of Enabled Microsoft Entra ID Accounts" +knowledge_article_id: kA00g000000H9dyCAC +--- + +# Determining the Number of Enabled Microsoft Entra ID Accounts + +## Overview + +This article explains how to determine the number of enabled Microsoft Entra ID (formerly Azure AD) accounts in your environment. The process uses either Microsoft Graph PowerShell or the Azure Active Directory PowerShell 2.0 module, depending on your version and requirements. + +> **NOTE:** This method works **only** for version 9.96 and later. Licensing for version 9.95 counts guest and external users. From version 9.96 and onwards, guest and external users are not included in the license count. + +## Instructions + +> **NOTE:** As the Azure Active Directory PowerShell 2.0 module is planned for deprecation, use the following steps to determine the count of enabled accounts via Microsoft Graph PowerShell. + +### Microsoft Graph PowerShell (recommended) + +1. Ensure you have the **Microsoft Graph PowerShell** module installed. For installation instructions, see Install the Microsoft Graph PowerShell SDK — Microsoft: https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0#installation. 
For migration guidance from Azure AD PowerShell, see Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell — Microsoft: https://learn.microsoft.com/en-us/powershell/microsoftgraph/migration-steps?view=graph-powershell-1.0. +2. Connect to Microsoft Entra ID. For details, see Get Started with the Microsoft Graph PowerShell SDK — Sign in — Microsoft: https://learn.microsoft.com/en-us/powershell/microsoftgraph/get-started?view=graph-powershell-1.0#sign-in. +3. Run the following command in elevated PowerShell: + +```powershell +Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All" +(Get-MgUser -All -Filter "userType eq 'Member' and accountEnabled eq true").Count +``` + +### Azure AD PowerShell 2.0 + +1. Ensure you have the **Azure Active Directory PowerShell 2.0** module installed. For more information, see Install Azure Active Directory PowerShell for Graph — Installing the Azure AD Module — Microsoft: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0#installing-the-azure-ad-module. +2. Connect to Microsoft Entra ID. For steps, see Install Azure Active Directory PowerShell for Graph — Connect to Azure AD — Microsoft: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0#connect-to-azure-ad. +3. Run the following command: + +```powershell +(Get-AzureADUser -All $true -Filter "userType eq 'Member' and accountEnabled eq true").Count +``` + +After completing these steps, you will see the number of enabled user accounts in Microsoft Entra ID. + +> **NOTE:** If a Microsoft Entra ID account was created prior to 2014, the `usertype` of this account will be blank. For information on how to assign the `usertype` to a user, see Add or Update User Profile Information and Settings — Microsoft: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-manage-user-profile-info. 
+ +Alternatively, you can use one of the following commands depending on the PowerShell module: + +- For **Azure AD PowerShell 2.0**: + +```powershell +Set-MsolUser -UserPrincipalName "user@company.com" -UserType "Member" +``` + +- For **Graph PowerShell** (admin account required): + +```powershell +Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All" +Update-MgUser -UserPrincipalName 'user@company.com' -UserType 'Member' +``` + +## Related Links + +- Install the Microsoft Graph PowerShell SDK — Microsoft: https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0#installation +- Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell — Microsoft: https://learn.microsoft.com/en-us/powershell/microsoftgraph/migration-steps?view=graph-powershell-1.0 +- Get Started with the Microsoft Graph PowerShell SDK — Sign in — Microsoft: https://learn.microsoft.com/en-us/powershell/microsoftgraph/get-started?view=graph-powershell-1.0#sign-in +- Install Azure Active Directory PowerShell for Graph — Installing the Azure AD Module — Microsoft: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0#installing-the-azure-ad-module +- Install Azure Active Directory PowerShell for Graph — Connect to Azure AD — Microsoft: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0#connect-to-azure-ad +- Add or Update User Profile Information and Settings — Microsoft: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-manage-user-profile-info diff --git a/docs/kb/auditor/determining_which_access_analyzer_collectors_support_gmsa.md b/docs/kb/auditor/determining_which_access_analyzer_collectors_support_gmsa.md new file mode 100644 index 0000000000..b5deae7501 --- /dev/null +++ b/docs/kb/auditor/determining_which_access_analyzer_collectors_support_gmsa.md 
@@ -0,0 +1,50 @@ +--- +description: >- + This article explains which Netwrix Access Analyzer data collectors support running under a Group Managed Service Account (gMSA). +keywords: + - Access Analyzer + - gMSA + - data collectors +sidebar_label: gMSA Support in Access Analyzer +tags: [] +title: "Determining Which Access Analyzer Collectors Support gMSA" +knowledge_article_id: kA0Qk00000033UPKAY +products: + - auditor +--- + +# Determining Which Access Analyzer Collectors Support gMSA + +## Related Queries + +- "Which collectors support gMSA in Access Analyzer?" +- "Can I run Access Analyzer collectors with gMSA?" +- "Is SmartLog compatible with gMSA?" + +## Question + +Which Netwrix Access Analyzer (formerly Enterprise Auditor) data collectors support running under a **Group Managed Service Account (gMSA)**? + +## Answer + +Not all data collectors in Netwrix Access Analyzer are compatible with gMSA. gMSAs are used to enhance security and simplify password management for services running on Windows, but they require explicit support within the collector's implementation. + +The following Netwrix Access Analyzer data collectors have been tested and confirmed to support execution under a **gMSA**: + +- **ADActivity** +- **ADInventory** +- **ADPermissions** +- **FSAA** +- **PasswordSecurity** +- **SmartLog** (only when using **Network Query** mode) +- **SPAA** + +> **NOTE:** The **SmartLog** collector supports gMSA only when it is configured to use **Network Query**. It does **not** support gMSA in other modes. + +Ensure that the gMSA account is granted all required permissions as described in the Help Center: + +[Configure a gMSA Account for Collector Connections](/docs/accessanalyzer/12.0/admin/settings/connection/gmsa) + +## Related Link + +- [Configure a gMSA Account for Collector Connections](/docs/accessanalyzer/12.0/admin/settings/connection/gmsa) \ No newline at end of file 
diff --git a/docs/kb/auditor/difference-between-data-stored-in-sql-versus-the-audit-archive.md b/docs/kb/auditor/difference-between-data-stored-in-sql-versus-the-audit-archive.md new file mode 100644 index 0000000000..6e46dcdda5 --- /dev/null +++ b/docs/kb/auditor/difference-between-data-stored-in-sql-versus-the-audit-archive.md 
@@ -0,0 +1,30 @@ +--- +description: >- + Explains where Netwrix Auditor stores collected data (SQL databases vs. the + Audit Archive), retention recommendations, and how to import archived data + back into SQL using Investigations. +keywords: + - Netwrix Auditor + - SQL + - Audit Archive + - retention + - archived data + - Investigations + - reporting + - database retention + - compressed files +products: + - auditor +sidebar_label: Difference between data stored in SQL versus the A +tags: [] +title: "Difference between data stored in SQL versus the Audit Archive" +knowledge_article_id: kA00g000000H9SXCA0 +--- + +# Difference between data stored in SQL versus the Audit Archive + +When Netwrix Auditor performs data collections, the data is simultaneously sent and saved in two locations: SQL databases and a disk drive in the Audit Archive location. + +The data in SQL databases is stored in a non-compressed format and used for fast operational reporting. It is not intended for long term storage. The default and recommended retention for SQL is 180 days. If you are collecting huge amounts of data, your SQL DBs might grow too big causing disk space and report generation speed issues. In this case it is recommended to reduce the database retention as explained in this article: /docs/auditor/10.5/auditor/installation/deployment/sqlserverdatabase + +On the other hand the data stored in the audit archive consists of compressed flat files and is intended for long term storage. When you have a compliance or an internal requirement to store audit data for a long period of time this is where you would do that. If at any time you need to report on archived data that is no longer in the SQL database, it is possible to import it back to SQL using Investigations functionality: /docs/auditor/10.5/auditor/admin-guide/reports 
diff --git a/docs/kb/auditor/disable-multi-factor-authentication-for-microsoft-365-service-accounts.md b/docs/kb/auditor/disable-multi-factor-authentication-for-microsoft-365-service-accounts.md new file mode 100644 index 0000000000..8dd4fd3584 --- /dev/null +++ b/docs/kb/auditor/disable-multi-factor-authentication-for-microsoft-365-service-accounts.md 
@@ -0,0 +1,74 @@ +--- +description: >- + Explains how to disable multi-factor authentication (MFA) for a Netwrix + Auditor service account used to collect data from Microsoft 365 sources (Entra + ID, Exchange Online, SharePoint Online, Teams) by using Conditional Access + exclusions. +keywords: + - MFA + - Multi-Factor Authentication + - Microsoft 365 + - Entra ID + - Conditional Access + - Netwrix Auditor + - Exchange Online + - SharePoint Online + - Teams + - service account +products: + - auditor + - Azure_AD_and_Office_365 +sidebar_label: 'Disable Multi-Factor Authentication for Microsoft ' +tags: [] +title: "Disable Multi-Factor Authentication for Microsoft 365 Service Accounts" +knowledge_article_id: kA00g000000H9SqCAK +--- + +# Disable Multi-Factor Authentication for Microsoft 365 Service Accounts + +## Question + +How to disable multi-factor authentication (MFA) for a Netwrix Auditor service account for your Microsoft 365 sources — Entra ID (Azure AD), Exchange Online, SharePoint Online and Microsoft Teams? + +## Answer + +> **NOTE:** To manage policies, the Conditional Access Administrator role is required. Learn more about the role in Azure AD Built-in Roles — Conditional Access Administrator ⸱ Microsoft (https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#conditional-access-administrator). + +To disable MFA for your data-collecting account in any Microsoft 365 source, use the **Conditional Access** feature. It lets you exclude particular users and apps from a policy. Follow these steps for the initial setup: + +1. Log in to the Entra ID portal, and go to the **Conditional Access** menu located under the **Protection** section: https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview/fromNav/Identity. +2. 
If you do not have a policy configured, follow the steps in Common Conditional Access Policy — Require MFA for All Users ⸱ Microsoft (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#create-a-conditional-access-policy). Otherwise, if you have an MFA policy configured, proceed to the next step. +3. In the left pane, select **Policies**. Select the MFA policy to be edited. You can either exclude a user from the MFA policy or exclude a particular app used. + + - To exclude a user from the MFA policy: + 1. Click the highlighted text under the **Users** section. + 2. Click the **Exclude** tab, and check the **Users and groups** checkbox. + 3. Select the service user to be used in the **Select excluded users and groups** window, and click **Select**. + 4. To complete the setup, click **Save** in the bottom left corner. + + ![Exclude user from MFA policy](images/ka0Qk0000001LLl_0EM4u000008MMJG.png) + + - To exclude an app from the MFA policy: + 1. Click the highlighted text under the **Target sources** section. + 2. Click the **Exclude** tab, and click the highlighted text under **Select excluded cloud apps**. + 3. Select the app to be used in the **Select excluded cloud apps** window, and click **Select**. + 4. To complete the setup, click **Save** in the bottom left corner. 
+ + ![Exclude app from MFA policy](images/ka0Qk0000001LLl_0EM4u000008MMJL.png) + +Refer to the following articles for additional information on data-collecting account setup for your Microsoft 365 sources: + +- Microsoft 365 — Permissions for Microsoft Entra ID Auditing ⸱ v10.6 (/docs/auditor/10.6/auditor/configurationuration/microsoft365/microsoftentraid) +- Microsoft 365 — Permissions for Exchange Online Auditing ⸱ v10.6 (/docs/auditor/10.6/auditor/configurationuration/microsoft365/exchangeonline) +- Microsoft 365 — Permissions for SharePoint Online Auditing ⸱ v10.6 (/docs/auditor/10.6/auditor/configurationuration/microsoft365/sharepointonline) +- Microsoft 365 — Permissions for Teams Auditing ⸱ v10.6 (/docs/auditor/10.6/auditor/configurationuration/microsoft365/teams) + +### Related articles + +- Azure AD Built-in Roles — Conditional Access Administrator ⸱ Microsoft (https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#conditional-access-administrator) +- Microsoft Entra ID — Conditional Access ⸱ Microsoft (https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview/fromNav/Identity) +- Common Conditional Access Policy — Require MFA for All Users ⸱ Microsoft (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#create-a-conditional-access-policy) +- Microsoft 365 — Permissions for Microsoft Entra ID Auditing ⸱ v10.6 (/docs/auditor/10.6/auditor/configurationuration/microsoft365/microsoftentraid) +- Microsoft 365 — Permissions for Exchange Online Auditing ⸱ v10.6 (/docs/auditor/10.6/auditor/configurationuration/microsoft365/exchangeonline) +- Microsoft 365 — Permissions for SharePoint Online Auditing ⸱ v10.6 (/docs/auditor/10.6/auditor/configurationuration/microsoft365/sharepointonline) +- Microsoft 365 — Permissions for Teams Auditing ⸱ v10.6 (/docs/auditor/10.6/auditor/configurationuration/microsoft365/teams) 
diff --git a/docs/kb/auditor/does-inactive-user-tracking-alert-before-it-performs-any-actions-on-accounts.md b/docs/kb/auditor/does-inactive-user-tracking-alert-before-it-performs-any-actions-on-accounts.md new file mode 100644 index 0000000000..b03cd40b0e --- /dev/null +++ b/docs/kb/auditor/does-inactive-user-tracking-alert-before-it-performs-any-actions-on-accounts.md @@ -0,0 +1,26 @@ +--- +description: >- + Explains that Inactive User Tracking does not alert you before taking actions, + and that Netwrix Auditor will refrain from actions if it cannot gather + timestamps from domain controllers. +keywords: + - Inactive User Tracking + - inactive users + - domain controllers + - timestamps + - Netwrix Auditor + - data collection + - DC availability + - automation + - alerts +products: + - auditor +sidebar_label: Does Inactive User Tracking alert before it perfor +tags: [] +title: "Does Inactive User Tracking alert before it performs any actions on accounts?" +knowledge_article_id: kA00g000000H9WBCA0 +--- + +# Does Inactive User Tracking alert before it performs any actions on accounts? + +Although Inactive User Tracking does not alert you prior to performing actions on a user based on the configuration you selected, it will, as a precaution, choose to not perform any actions on an account or computer if there were any errors gathering the necessary timestamps from domain controllers. Specifically, Netwrix Auditor will NOT perform any actions if any DC was unavailable at the time of data collection. diff --git a/docs/kb/auditor/duplicate-configuration-and-schema-changes-for-all-monitored-domains-in-forest-made-by-system.md b/docs/kb/auditor/duplicate-configuration-and-schema-changes-for-all-monitored-domains-in-forest-made-by-system.md new file mode 100644 index 0000000000..a35db072e9 --- /dev/null +++ b/docs/kb/auditor/duplicate-configuration-and-schema-changes-for-all-monitored-domains-in-forest-made-by-system.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains why configuration and schema changes in an Active Directory forest + generate change reports for all monitored domains and why the WHO field may + show System in some reports. Describes Active Directory replication behavior + and how Netwrix Auditor collects change and security events. +keywords: + - Active Directory + - configuration + - schema + - replication + - domain controllers + - WHO + - System + - Netwrix Auditor + - change reports +products: + - auditor +sidebar_label: Duplicate Configuration and Schema Changes for All +tags: [] +title: "Duplicate Configuration and Schema Changes for All Monitored Domains in Forest Made by System" +knowledge_article_id: kA00g000000H9dhCAC +--- + +# Duplicate Configuration and Schema Changes for All Monitored Domains in Forest + Made by System + +## Symptom + +1. You have Netwrix Auditor set to monitor several domains in the same forest, for example one root and several child domains. +2. The configuration or schema has been changed for one of the child domains. Netwrix Auditor reported several types of configuration changes in separate change reports for each of the monitored domains. + + - Only one report indicates the specific `WHO` that changed the configuration, while other reports state **System** in the `WHO` field. + +## Cause and Resolution + +This behavior is expected due to the Active Directory architecture. Configuration and Schema partitions are shared between all domains in the forest. Changes made to these partitions in one domain are replicated to other domains. + +Security log events that Netwrix Auditor uses to establish the `WHO` value are only generated in the domain where the changes were actually made. For all other domains the reports will show **System**. 
+ +Netwrix Auditor exclusively collects events from domain controllers in domains specified for data collection (in addition to domain controllers in the root domain) and ignores domain controllers in the domains that are not audited. Netwrix Auditor collects changes and security events separately and independently for each managed domain. In the example above, each domain had configuration changes due to replication, but only one had corresponding security events which Netwrix Auditor used to collect the `WHO` value. diff --git a/docs/kb/auditor/emails-are-missing-in-password-expiration-notifier.md b/docs/kb/auditor/emails-are-missing-in-password-expiration-notifier.md new file mode 100644 index 0000000000..28e85c6a97 --- /dev/null +++ b/docs/kb/auditor/emails-are-missing-in-password-expiration-notifier.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains why email notifications and reports from Netwrix Password Reset may + be missing and how to fix it by disabling the custom From address option or + granting proper mailbox permissions to the service account. +keywords: + - Netwrix Password Reset + - email notifications + - missing emails + - Send As + - Send on Behalf + - service account + - notifications + - mailbox permissions + - password expiration +products: + - auditor +sidebar_label: Emails Are Missing in Netwrix Password Reset +tags: [] +title: "Emails Are Missing in Netwrix Password Reset" +knowledge_article_id: kA0Qk0000000XATKA2 +--- + +# Emails Are Missing in Netwrix Password Reset + +## Symptom + +Email notifications and reports from Netwrix Password Reset (PEN) are missing. + +## Cause + +The **Display the following From address in email notifications** option is enabled for a service account with insufficient permissions. + +## Resolutions + +- Disable the **Display the following From address in email notifications** option in Netwrix Password Reset: + + 1. Launch **Netwrix Password Reset**, select the affected monitoring plan, and click **Edit**. + 2. In the **Notifications** tab, uncheck the **Display the following From address in email notifications** checkbox, and click **Save**. + +- Grant the appropriate **Send As** or **Send on Behalf** permissions to the service account sending emails in Netwrix Password Reset. diff --git a/docs/kb/auditor/emc-unity-auditing.md b/docs/kb/auditor/emc-unity-auditing.md new file mode 100644 index 0000000000..feead093a6 --- /dev/null +++ b/docs/kb/auditor/emc-unity-auditing.md 
@@ -0,0 +1,52 @@ +--- +description: >- + Instructions to configure EMC Unity NAS Server and Netwrix Auditor to collect + audit data using EMC native auditing technologies. +keywords: + - EMC Unity + - EMC VNX + - NAS audit + - Netwrix Auditor + - SMB + - CIFS + - Active Directory + - Audit object access + - Security Event Log +products: + - auditor +sidebar_label: EMC Unity Auditing +tags: [] +title: "EMC Unity Auditing" +knowledge_article_id: kA00g000000H9S9CAK +--- + +# EMC Unity Auditing + +You can use Netwrix Auditor to audit EMC Unity storage systems deployed in your infrastructure. Netwrix Auditor uses EMC native audit technologies and approaches. The procedures in this article explain how you can configure your NAS Server and Netwrix Auditor to collect audit data. + +## Configuring NAS Server + +1. In NAS Server configuration check the following in the **Sharing Protocols** section: + - a. The **Windows Shares (SMB, CIFS)** option is selected. + - b. The **Join to the Active Directory domain** option is selected. + +2. Then use the *EMC Unity/VBX/VNXe NAS Management* utility to enable **Audit object access** policy (both *Success* and *Failure*). + Alternatively, you can follow the steps described in the Dell Data Storage – Configure Audit Object Access Policy ⸱ v10.6 article: + /docs/auditor/10.6/auditor/configurationuration/fileservers/delldatastorage + +3. Ensure that EMC Unity logging options are configured in the NAS Server settings. + +**NOTE:** To configure maximum log size to be processed by Netwrix Auditor, follow the steps described in the Dell Data Storage – Configure Security Event Log Maximum Size ⸱ v10.6 article: +/docs/auditor/10.6/auditor/configurationuration/fileservers/delldatastorage + +## Configuring Netwrix Auditor + +1. Configure a monitoring plan for data collection from the storage system, as described in Netwrix Auditor documentation for EMC storage systems. + +2. 
When adding an item to be monitored by this monitoring plan, select **EMC VNX/VNXe** item type. + +3. Ensure the account you plan to use for data collection has the following rights and permissions on the target NAS Server: + - a. Read share permissions on the audited shares + - b. Membership in the local Administrators group + +For more information, refer to Netwrix Auditor documentation. diff --git a/docs/kb/auditor/empty-event-id-5356-csv-file-missing-in-event-log-export-add-on.md b/docs/kb/auditor/empty-event-id-5356-csv-file-missing-in-event-log-export-add-on.md new file mode 100644 index 0000000000..42d7b9d461 --- /dev/null +++ b/docs/kb/auditor/empty-event-id-5356-csv-file-missing-in-event-log-export-add-on.md 
@@ -0,0 +1,35 @@ +--- +description: >- + Explains why empty Event ID 5356/5536 appears and why the CSV file referenced + in the Test Run message is missing; clarifies storage and deletion behavior + for the Event Log Export Add-on in Netwrix Auditor. +keywords: + - Event 5356 + - Event 5536 + - CSV + - Event Log Export Add-on + - Netwrix Auditor + - Test Run + - '%ProgramData% path' + - Csv file missing +products: + - auditor +sidebar_label: Empty Event ID 5356 − CSV File Missing in Event Log Export Add-on +tags: [] +title: "Empty Event ID 5356 − CSV File Missing in Event Log Export Add-on" +knowledge_article_id: kA04u000000wnpsCAA +--- + +# Empty Event ID 5356 − CSV File Missing in Event Log Export Add-on + +## Questions + +1. Empty Events 5356 are logged in Event Log when using Event Log Export Add-on for Netwrix Auditor − is this intended? + +2. Upon a Test Run completion, a message is prompted with the ` %ProgramData%\Netwrix Auditor\AuditCore\AuditArchive\AlertsToolLauncher\Csv\*.csv` path − no `.csv` file is available when browsing the path. Where could I find the `.csv` file? + +## Answers + +1. Upon the Test Run completion, an empty Event 5536 is created logging the **When** timestamp of the run − this behavior is intended. + +2. The path specified in the message is used as a short-term data storage to allow Netwrix Auditor to process data and send an alert. Once completed, the `.csv` file is deleted. The contents of the `.csv` file are logged in Event Log. diff --git a/docs/kb/auditor/empty-password-expiration-notifier-emails.md b/docs/kb/auditor/empty-password-expiration-notifier-emails.md new file mode 100644 index 0000000000..06b9a76472 --- /dev/null +++ b/docs/kb/auditor/empty-password-expiration-notifier-emails.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Netwrix Password Reset (PEN) sends empty notification emails. This article + describes possible causes and step-by-step resolutions, including TLS 1.2 + configuration and disabling implicit SSL mode. +keywords: + - password expiration + - PEN + - Netwrix Password Reset + - TLS 1.2 + - SMTP + - implicit SSL + - notification emails + - Netwrix Auditor +products: + - auditor +sidebar_label: Empty Password Expiration Notifier Emails +tags: [] +title: "Empty Password Expiration Notifier Emails" +knowledge_article_id: kA04u0000011109CAA +--- + +# Empty Password Expiration Notifier Emails + +## Symptom + +Netwrix Password Reset (PEN) sends empty notification emails. + +## Causes + +One of the following issues is present in your environment: + +1. TLS 1.2 is not configured on the Netwrix Auditor server. +2. The implicit SSL connection mode is not supported by your SMTP server. + +## Resolutions + +Refer to the respective resolution for the cause in your environment: + +1. Verify that TLS 1.2 is correctly configured on your Netwrix Auditor server. Refer to the following article for additional information: Сonnection Issue when TLS 1.2 Is Required. +2. Disable the implicit SSL connection mode in Netwrix Password Reset. + + 1. Run PEN. Select the affected monitoring plan and click **Edit**. + 2. In the **Notifications** tab, uncheck the **Use the Implicit SSL Connection Mode** checkbox. Click **Save** to save changes. + +## Related Articles + +- Сonnection Issue when TLS 1.2 Is Required diff --git a/docs/kb/auditor/empty-report-server-and-report-manager-urls-in-sql-server-reporting-services.md b/docs/kb/auditor/empty-report-server-and-report-manager-urls-in-sql-server-reporting-services.md new file mode 100644 index 0000000000..714d8bc453 --- /dev/null +++ b/docs/kb/auditor/empty-report-server-and-report-manager-urls-in-sql-server-reporting-services.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Explains why report folders may be empty when accessing Report Server or + Report Manager and how to resolve it by assigning the Content Manager role. +keywords: + - SQL Server Reporting Services + - Report Server + - Report Manager + - Content Manager + - permissions + - Netwrix Auditor + - reports + - access + - reporting services +products: + - auditor +sidebar_label: Empty Report Server and Report Manager URLs in SQL +tags: [] +title: "Empty Report Server and Report Manager URLs in SQL Server Reporting Services" +knowledge_article_id: kA00g000000H9Z8CAK +--- + +# Empty Report Server and Report Manager URLs in SQL Server Reporting Services + +## Symptom + +No report folders are available when accessing Report Server or Report Manager URL via your browser. + +## Cause + +The account used does not have the permissions required to access reports. + +## Resolution + +Assign the **Content Manager** role to the user to be able to view report folders − refer to the following article for additional information: SQL Server Reporting Services − Grant Additional Permissions on Report Server ⸱ v10.6. + +## Related articles + +SQL Server Reporting Services − Grant Additional Permissions on Report Server ⸱ v10.6 diff --git a/docs/kb/auditor/enable_tcpip_protocol_in_sql_server.md b/docs/kb/auditor/enable_tcpip_protocol_in_sql_server.md new file mode 100644 index 0000000000..ae0ca3bf6b --- /dev/null +++ b/docs/kb/auditor/enable_tcpip_protocol_in_sql_server.md 
@@ -0,0 +1,28 @@ +--- +description: >- + This article provides step-by-step instructions to enable the TCP/IP protocol in your SQL Server instance, which is required for Netwrix Auditor to transfer data to SQL databases. +keywords: + - TCP/IP protocol + - SQL Server + - Netwrix Auditor +sidebar_label: Enable TCP/IP in SQL Server +tags: [] +title: "Enable TCP/IP Protocol in SQL Server" +knowledge_article_id: kA0Qk0000001D6TKAU +products: + - auditor +--- + +# Enable TCP/IP Protocol in SQL Server + +## Overview + +Netwrix Auditor requires the enabled TCP/IP protocol in your SQL Server instance to transfer data to the SQL databases. This article covers the steps to enable the TCP/IP protocol in the SQL Server. + +## Instructions + +Refer to the following steps to enable the TCP/IP protocol in the SQL Server: + +1. Launch **SQL Server Configuration Manager**. +2. In the left pane, select **SQL Server Network Configuration**. +3. Verify the TCP/IP protocol is enabled. Enable the protocol, if needed—right-click it and select **Enable**. \ No newline at end of file diff --git a/docs/kb/auditor/entitlement-reviews-event-id-6527.md b/docs/kb/auditor/entitlement-reviews-event-id-6527.md new file mode 100644 index 0000000000..39944fff26 --- /dev/null +++ b/docs/kb/auditor/entitlement-reviews-event-id-6527.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Netwrix Auditor logs show Event ID 6527 indicating the Entitlement Reviews + license has expired while Access Reviews collectors remain active. This + article explains the cause and steps to stop the errors using the Access + Reviews Configuration Tool. +keywords: + - Event ID 6527 + - Entitlement reviews + - Access Reviews + - license expired + - Netwrix Auditor + - Health Logs + - configuration tool + - collectors + - error message +products: + - auditor +sidebar_label: Entitlement Reviews — Event ID 6527 +tags: [] +title: "Entitlement Reviews — Event ID 6527" +knowledge_article_id: kA04u00000110hgCAA +--- + +# Entitlement Reviews — Event ID 6527 + +## Symptom + +Either **Netwrix Auditor** Health Logs or Event Viewer logs contain multiple Event ID 6527 errors: + +```text +Event ID: 6527 +License name: Entitlement reviews. + +Your subscription plan for Netwrix Auditor has expired. +``` + +![image001.png](images/ka04u0000011688_0EM4u000008LCjZ.png) + +## Cause + +Netwrix Auditor Access Reviews license has expired with Access Reviews collectors still set up for data collection. + +## Resolution + +1. Run the Access review configuration tool — refer to the following article for information on the location: Set Up the Access Reviews Configuration Tool. +2. Uncheck all the sources checkboxes, click **Save** and close the application. + +In case you receive an error message: + +```text +Netwrix Auditor Access Reviews is no longer installed. +``` + +Click **OK** to proceed to the configuration tool. diff --git a/docs/kb/auditor/error-0x800706ba-rpc-server-is-unavailable.md b/docs/kb/auditor/error-0x800706ba-rpc-server-is-unavailable.md new file mode 100644 index 0000000000..df58236fb8 --- /dev/null +++ b/docs/kb/auditor/error-0x800706ba-rpc-server-is-unavailable.md 
@@ -0,0 +1,107 @@ +--- +description: >- + Describes causes and resolutions for Error 0x800706BA "The RPC server is + unavailable" as reported in Netwrix Auditor Health Log, including firewall, + service, DNS, and TLS troubleshooting steps. +keywords: + - RPC + - 2147944122 + - RPC server is unavailable + - Netwrix Auditor + - WMI + - Event Viewer + - firewall + - TLS 1.2 + - TCP/IP NetBIOS +products: + - auditor +sidebar_label: Error 0x800706BA − RPC Server Is Unavailable +tags: [] +title: "Error 0x800706BA − RPC Server Is Unavailable" +knowledge_article_id: kA00g000000H9YLCA0 +--- + +# Error 0x800706BA − RPC Server Is Unavailable + +## Symptoms + +The following warnings are prompted in Netwrix Auditor Health Log: + +```text +Failed to process DC: %domain_controller_name%. +Failed to connect to remote service control manager. Error details: The RPC server is unavailable. +(Exception from HRESULT: 0x800706BA). +Make sure that you have administrative privileges, and the Windows Management Instrumentation (WMI) service is running on the target server. +``` + +```text +Failed to open the event log. +The RPC server is unavailable. +``` + +```text +The RPC server is too busy to complete this operation +``` + +```text +The following error occurred when analyzing changes for server %server%: +Agent operation failed due to the following error: +Failed to update the agent on the following server: %server% +``` + +## Causes + +- Errors resolving a DNS or NetBIOS name. +- The RPC service or related services may not be running. +- Network connectivity issues. +- File and printer sharing is not enabled. +- TLS 1.2 is not set up. +- Insufficient server resources. + +## Resolutions + +- Configure firewall policies. + + **NOTE:** If you are using Windows Firewall, open the **Group Policy Object Editor** snap-in (`gpedit.msc`) to edit the Group Policy object (GPO) used to manage Windows Firewall settings in your organization. 
Navigate to **Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Firewall**, and open either **Domain Profile** or **Standard Profile**, depending on which profile you are using. Enable the following exceptions: + + - Allow Remote Administration Exception + - Allow File and Printer Sharing Exception + +- Review the hostname and IP address. Verify the machine is turned on and reachable. Also make sure the FQDN is resolving to the correct IP address. + +- Verify that the **Windows Management Instrumentation** service is running and set to auto-start after restart. + + > **NOTE:** If you see the following error in the Event Viewer while checking **Event Viewer (Local)** connection to another computer, enable inbound rules (COM+ Network Access and all rules in the Remote Event Log Management group) on the target computer. Refer to the following article for additional information: Configuration − Logon Activity Ports: Configure Windows Firewall Inbound Connection Rules ⸱ v10.6. + > + > ![COM+ Network Access screenshot](images/ka04u000000wvy4_0EM4u000008LkB8.png) + > + > Learn more in: 0x80004027 error when you try to remotely access COM+ object after you upgrade to Windows Server 2016 or later versions ⸱ Microsoft + + For additional information on Windows Firewall configuration, refer to: Logon Activity Ports — Configure Windows Firewall Inbound Connection Rules · v10.6. + +- Verify that the **TCP/IP NetBIOS Helper** service is running and is set to auto-start after restart. + +- Verify the **Remote Procedure Call (RPC)** service is running and set to auto start after restart. + + To check event logs on the target domain controller: + + 1. Log on to the computer where Netwrix Auditor is installed using the Netwrix data processing account. + 2. Go to **Start > Run** and type `eventvwr`, then click **OK**. + 3. Right-click **Event Viewer (Local)** and select **Connect To Another Computer**. + 4. 
In the **Select Computer** dialog window, type the name of the domain controller reporting the error in the **Another Computer** entry field. Click **OK** to connect to the domain controller. + 5. Select the **Security** log. The list should show valid event entries. + + Learn more in: Windows Server Troubleshooting: RPC server is unavailable ⸱ Microsoft + +- Enable TLS 1.2. For additional information, refer to: Сonnection Issue when TLS 1.2 Is Required. + +- RPC connections might be affected due to insufficient hardware resources. Review the hardware resources of the affected server to possibly increase the resource pool. Learn more in: Server Hardware Performance Considerations ⸱ Microsoft + +## Related articles + +- Configuration – Logon Activity Ports: Configure Windows Firewall Inbound Connection Rules ⸱ v10.6 +- [0x80004027 error when you try to remotely access COM+ object after you upgrade to Windows Server 2016 or later versions ⸱ Microsoft](https://learn.microsoft.com/en-us/troubleshoot/windows-server/application-management/0x80004027-remotely-access-com-plus-object) +- Logon Activity Ports — Configure Windows Firewall Inbound Connection Rules · v10.6 +- [Windows Server Troubleshooting: RPC server is unavailable ⸱ Microsoft](https://social.technet.microsoft.com/wiki/contents/articles/4494.windows-server-troubleshooting-rpc-server-is-unavailable.aspx) +- Сonnection Issue when TLS 1.2 Is Required +- [Server Hardware Performance Considerations ⸱ Microsoft](https://learn.microsoft.com/en-us/windows-server/administration/performance-tuning/hardware/) diff --git a/docs/kb/auditor/error-403.md b/docs/kb/auditor/error-403.md new file mode 100644 index 0000000000..331f3b67cd --- /dev/null +++ b/docs/kb/auditor/error-403.md 
@@ -0,0 +1,55 @@ +--- +description: >- + This article explains causes and resolutions for "Error 403 - Access is + denied" when accessing portals in Netwrix Auditor. It shows how to verify IIS + SSL and Default Document settings. +keywords: + - error 403 + - access denied + - IIS + - SSL + - Default Document + - PM virtual directory + - Netwrix Auditor + - portal + - troubleshooting +products: + - auditor +sidebar_label: Error 403 +tags: [] +title: "Error 403" +knowledge_article_id: kA00g000000H9TwCAK +--- + +# Error 403 + +When trying to browse to any portal, you get "Error 403 - Access is denied" + +![User-added image](images/ka04u000000HcNi_0EM700000004yKg.png) + +The 403 error can be caused by several reasons. The most common reasons are: + +1. You are trying to access the site via HTTP when HTTPs is required. + To enable access via regular HTTP make sure that **Require SSL** check-box is not enabled. + + 1. Launch the **IIS Manager** + 2. Navigate to the **PM** virtual directory (Default Web Site/PM by default). + 3. In the central pane double-click **SSL Settings** + 4. Check settings, change if necessary + + ![User-added image](images/ka04u000000HcNi_0EM700000004yKq.png) + + ![User-added image](images/ka04u000000HcNi_0EM700000004yKv.png) + +2. Default document IIS feature is not enabled. + + To check this: + + 1. Launch the **IIS Manager** + 2. Navigate to the **PM** virtual directory (Default Web Site/PM by default). + 3. In the central pane double-click **Default Document** + 4. In the right pane click **Enable** (if there is no Enable option there, but **Disable** is, it means that the feature is enabled) + + ![User-added image](images/ka04u000000HcNi_0EM700000004yL0.png) + + ![User-added image](images/ka04u000000HcNi_0EM700000004yL5.png) diff --git a/docs/kb/auditor/error-500-when-viewing-and-accessing-reports.md b/docs/kb/auditor/error-500-when-viewing-and-accessing-reports.md new file mode 100644 index 0000000000..6acce3caf7 --- /dev/null 
+++ b/docs/kb/auditor/error-500-when-viewing-and-accessing-reports.md @@ -0,0 +1,42 @@ +--- +description: >- + Error 500 occurs when viewing or accessing reports in Netwrix Auditor due to + SSRS service account misconfiguration. This article explains how to configure + SQL Server Reporting Services to use the Network Service account to resolve + the error. +keywords: + - Error 500 + - SSRS + - Report Server Configuration Manager + - Network Service + - SQL Server Reporting Services + - Netwrix Auditor + - Report Manager + - reporting +products: + - auditor +sidebar_label: Error 500 when Viewing and Accessing Reports +tags: [] +title: "Error 500 when Viewing and Accessing Reports" +knowledge_article_id: kA00g000000H9arCAC +--- + +# Error 500 when Viewing and Accessing Reports + +## Symptoms + +- The Error 500 is prompted when you attempt to view or access Netwrix Auditor reports. +- No error is present when accessing the Report Manager URL from the SSRS host. + +## Cause + +The Local Service account is used in SQL Server Reporting Services (SSRS) instead of the Network Service account. + +## Resolution + +Configure SSRS to use the Network Service account: + +1. On the SSRS host, run **Report Server Configuration Manager** and connect to your Report Server instance. +2. In the left pane, select **Service Account** and switch the built-in account used to **Network Service**. +3. Click **Apply** to save changes, and exit **Report Server Configuration Manager**. +4. For changes to take effect, proceed to **Services**, locate the **SQL Server Reporting Services** service and restart it. diff --git a/docs/kb/auditor/error-503-reports-and-subscriptions-not-working.md b/docs/kb/auditor/error-503-reports-and-subscriptions-not-working.md new file mode 100644 index 0000000000..5318e3b80a --- /dev/null +++ b/docs/kb/auditor/error-503-reports-and-subscriptions-not-working.md 
@@ -0,0 +1,95 @@ +--- +description: >- + Troubleshoot Error 503 when reports and subscriptions in Netwrix Auditor fail. + This article lists symptoms, causes, and step-by-step resolutions, including + how to check and resolve an expired SSRS evaluation license. +keywords: + - SSRS + - Error 503 + - Service Unavailable + - Netwrix Auditor + - reports + - subscriptions + - evaluation license + - Report Server Configuration Manager +products: + - auditor +sidebar_label: Error 503 − Reports and Subscriptions Not Working +tags: [] +title: "Error 503 − Reports and Subscriptions Not Working" +knowledge_article_id: kA04u000000PoK9CAK +--- + +# Error 503 − Reports and Subscriptions Not Working + +## Symptoms + +- Regular reports are missing. +- Attempts to run reports via **Netwrix Auditor** UI return the following error: + +``` +Can't reach this page +``` + +- Attempts to connect to SSRS return the following error: + +``` +Invalid Report Server URL +Update your settings if necessary or proceed with current settings. +``` + +- The **Subscriptions** menu in **Netwrix Auditor** shows at least a single **Report** type subscription with the **Failed** status. +- The **History** tab of the failed report contains entries on failed reports. +- Check the SSRS availability via **Netwrix Auditor**, SSRS or SQL Server to try create a report. In case of a related issue the following error should be present: + +``` +Service Unavailable +HTTP Error 503. The service is unavailable. +``` + +## Causes + +- Incorrectly set Web Service and Web Portal URLs. +- SQL Server Reporting Services has been stopped and is not running. +- The SSRS account is included in the Protected Users security group. +- Expired SSRS Evaluation license. + +## Resolutions + +- Review Web Service and Web Portal URLs — refer to the following article for additional information: Deploying the Report Server Database. 
+ - /docs/kb/auditor/deploying_the_report_server_database +- Verify the `SQL Server Reporting Services` service on your SSRS server is running. You can also run **Report Server Configuration Manager** > the **Report Server Status** tab to verify the report server status. + + IMPORTANT: Refer to the following article if you're unable to start the `SQL Server Reporting Services` service: Error: Service Did Not Respond to Start or Control Request in SSRS. + - /docs/kb/auditor/error_service_did_not_respond_to_start_or_control_request_in_ssrs + +- Remove the SSRS account from the Protected Users security group. Learn more about Protected Users in Protected Users Security Group ⸱ Microsoft. + - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group + +- Review the SSRS Evaluation license used in your environment. If it has expired, follow these steps: + + 1. Follow **Control Panel** > **Uninstall a program** > `Microsoft SQL Server Reporting Services` > **Uninstall/Change**. + 2. Once the SSRS window opens, select **Upgrade Edition** > enter the product key to license your SSRS instance. + +### Troubleshooting the expired evaluation license + +To establish whether your SSRS instance has an evaluation license, open **Start** > **Microsoft SQL Server Reporting Services** folder > **Report Server Configuration Manager**. Once you've connected to the server, check the **Edition** line in the server window. + +If your SSRS instance edition is **Evaluation**, check the install date for the SSRS via **Start** > **Settings** > **Apps & features** or **Control Panel** > **Uninstall a program**. If the period since the installation date exceeds 6 months, your SSRS Evaluation license has expired. + +Review the SSRS logs in `C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\LogFiles:`: + +``` +The report server has encountered a configuration error. 
+Microsoft.ReportingServices.Diagnostics.EvaluationCopyExpiredException: +The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired. +A license is now required. +``` + +## Related articles + +- Deploying the Report Server Database + /docs/kb/auditor/deploying_the_report_server_database + +- Error: Service Did Not Respond to Start or Control Request in SSRS + /docs/kb/auditor/error_service_did_not_respond_to_start_or_control_request_in_ssrs diff --git a/docs/kb/auditor/error-6503-netwrix-auditor-cannot-configure-nutanix-files-audit-settings-unexpected-http-status-code.md b/docs/kb/auditor/error-6503-netwrix-auditor-cannot-configure-nutanix-files-audit-settings-unexpected-http-status-code.md new file mode 100644 index 0000000000..8e231ea20f --- /dev/null +++ b/docs/kb/auditor/error-6503-netwrix-auditor-cannot-configure-nutanix-files-audit-settings-unexpected-http-status-code.md 
@@ -0,0 +1,51 @@ +--- +description: >- + After creating a Nutanix Files monitoring plan, Netwrix Auditor may report + Event ID 6503 indicating an unexpected HTTP status because the Netwrix server + is already registered as a Nutanix partner server. This article describes + causes and manual removal steps using the Nutanix File Server REST API + Explorer. +keywords: + - Nutanix Files + - Event ID 6503 + - partner server + - notification policy + - REST API Explorer + - UUID + - Netwrix Auditor + - SMB port +products: + - auditor +sidebar_label: 'Error 6503: Netwrix Auditor cannot configure Nutan' +tags: [] +title: "Error 6503: Netwrix Auditor cannot configure Nutanix files audit settings: Unexpected HTTP status code (Host name or IP already present)" +knowledge_article_id: kA00g000000PbcjCAC +--- + +# Error 6503: Netwrix Auditor cannot configure Nutanix files audit settings: Unexpected HTTP status code (Host name or IP already present) + +## Symptoms +After you created a Nutanix Files monitoring plan, you receive the following error: + +Event ID 6503 Netwrix Auditor cannot configure Nutanix Files audit settings: Unexpected HTTP status code (Host name or ip already present.) + +## Cause +The likely cause: you used to have the Netwrix Auditor add-on for Nutanix Files installed on the Netwrix server and the Netwrix server had already been configured as a partner server for Nutanix Files. + +## Resolution +To address the issue, you can either: + +- Specify another port for incoming connections in the item (`Nutanix SMB shares`). +- If the add-on's installation folder has not been removed, unregister the partner server as described in item 5.7 of the Nutanix Quick-Start Guide: https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_Nutanix_Files_Quick_Start_Guide.pdf +- Remove the partner server and notification policy from Nutanix manually. + +### Remove the partner server and notification policy manually +1. 
Open the File Server REST API Explorer REST API: `https://:9440/api/nutanix/v3/api_explorer/index.html` +2. Find the **partner server** node and click **Show/Hide**. +3. Expand the **POST /partner_servers/list** node, specify `{}` in the **get_entities_request** field and click **Try it out** to get the list of partner servers. +4. Find the IP address of the Netwrix server and its corresponding UUID. +5. Expand the **DELETE /partner_servers/** node, insert the UUID and click **Try it out**. +6. You will receive an error: "Delete/Modify notification policy `` before deleting `` partner server". Note the UUID of the notification policy. +7. Scroll up, find the **notification_policy** node and click **Show/Hide**. +8. Expand the **DELETE /notification_policies/** node, insert the notification's policy UUID and click **Try it out** to remove the notification policy. +9. Scroll down back to the **DELETE /partner_servers/** node, the UUID of the partner server should still be there, click **Try it out** to remove the partner server. diff --git a/docs/kb/auditor/error-a-required-privilege-is-not-held-by-the-client.md b/docs/kb/auditor/error-a-required-privilege-is-not-held-by-the-client.md new file mode 100644 index 0000000000..c3ddd6b0bd --- /dev/null +++ b/docs/kb/auditor/error-a-required-privilege-is-not-held-by-the-client.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Describes the Event ID 2009 "A required privilege is not held by the client" + error in the Netwrix Auditor System Health Log and steps to resolve it when + monitoring domain controllers. +keywords: + - Event ID 2009 + - A required privilege is not held by the client + - event log + - domain controller + - Netwrix Auditor + - permissions + - collector Registry data provider + - monitoring plan + - data collecting account +products: + - auditor +sidebar_label: 'Error: A Required Privilege is Not Held by the Cli' +tags: [] +title: 'Error: A Required Privilege is Not Held by the Client' +knowledge_article_id: kA0Qk0000000PjBKAU +--- + +# Error: A Required Privilege is Not Held by the Client + +## Symptoms + +1. The **Netwrix Auditor System Health Log** contains the following error: + +``` + + Source:Windows Server Audit Service + Event ID:2009 + The following error has occurred while processing %affected_domain_controller%: + The collector Registry data provider failed while gathering data on the server %server_name% due to the following error: A required privilege is not held by the client. +``` + +2. Netwrix Auditor is installed in a child domain and the report contains the following error for the root domain controllers: + +``` + + Failed to process DC: %affected_domain_controller%: + Failed to open the event log. Error details: A required privilege is not held by the client. +``` + +## Cause + +- The error occurs due to insufficient permissions for the account specified in the monitoring plan settings or misconfiguration of the target source itself. + +## Resolutions + +Check the following (target system configuration and that the account used for the data collection meet the requirements): + +- Data Source Configuration — v10.6 +- Administration — Monitoring Plans — Data Collecting Account — v10.6 
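Review bot: the two entries under "Resolutions" ("Data Source Configuration — v10.6" and "Administration — Monitoring Plans — Data Collecting Account — v10.6") are plain text with no link target, so the article tells the reader to check requirements it gives no way to reach; add the documentation paths as links. The Cause also only says "insufficient permissions" without naming the privilege or right that the data collecting account is missing, which invites granting broader rights than needed; name the specific requirement, or link to the exact section that lists it. The sentence "Check the following (target system configuration and that the account used for the data collection meet the requirements)" should be reworded, and both log fences open with an empty line and carry no language tag, unlike the `text` fences used in the other articles of this patch.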
diff --git a/docs/kb/auditor/error-a-transport-level-error-has-occurred-when-sending-the-request-to-the-server.md b/docs/kb/auditor/error-a-transport-level-error-has-occurred-when-sending-the-request-to-the-server.md new file mode 100644 index 0000000000..a95f66bf62 --- /dev/null +++ b/docs/kb/auditor/error-a-transport-level-error-has-occurred-when-sending-the-request-to-the-server.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Explains how to resolve the "A transport-level error has occurred when sending + the request to the server" error that appears when assigning users read access + to view reports after using the Clear all database entries functionality. +keywords: + - transport-level error + - SQL Database Access + - NetWrix_ReportViewer_ReadOnly + - NetWrix_Windows_Server_Change_Reporter + - Clear all database entries + - report permissions + - Netwrix + - database error +products: + - auditor +sidebar_label: 'Error: A transport-level error has occurred when s' +tags: [] +title: "Error: A transport-level error has occurred when sending the request to the server" +knowledge_article_id: kA00g000000H9bvCAC +--- + +# Error: A transport-level error has occurred when sending the request to the server + +You see this error when assigning users read access permissions to view reports. + +## Cause + +This error occurs because the Clear all database entries functionality has been applied. It allows you to clear all audit data and the information on user access permissions. + +## Resolution + +To resolve the issue, do the following: + +1. Click **OK** on the error message. +2. Close the **SQL Database Access** dialog. + +Note: If you proceed with the user assignment without closing the **SQL Database Access** dialog, the following error message will be displayed: + +```text +The role 'NetWrix_ReportViewer_ReadOnly' does not exist in the current database. +Changed database context to 'NetWrix_Windows_Server_Change_Reporter'. +``` + +3. Click the **Assign** link and specify the users who can access the database. diff --git a/docs/kb/auditor/error-aadsts65001-in-microsoft-365-monitoring-plans-in-netwrix-auditor.md b/docs/kb/auditor/error-aadsts65001-in-microsoft-365-monitoring-plans-in-netwrix-auditor.md new file mode 100644 index 0000000000..8c9d03ba0f --- /dev/null 
+++ b/docs/kb/auditor/error-aadsts65001-in-microsoft-365-monitoring-plans-in-netwrix-auditor.md 
@@ -0,0 +1,73 @@ +--- +description: >- + This article explains how to resolve the AADSTS65001 error that appears in the + Health Log for Microsoft 365 monitoring plans in Netwrix Auditor by recreating + the Entra ID app and updating the monitoring plan. +keywords: + - AADSTS65001 + - Microsoft 365 + - Entra ID + - Azure AD + - Netwrix Auditor + - monitoring plan + - app permissions + - admin consent +products: + - auditor + - Azure_AD_and_Office_365 +sidebar_label: Error AADSTS65001 in Microsoft 365 Monitoring Plan +tags: [] +title: "Error AADSTS65001 in Microsoft 365 Monitoring Plans in Netwrix Auditor" +knowledge_article_id: kA00g000000H9a4CAC +--- + +# Error AADSTS65001 in Microsoft 365 Monitoring Plans in Netwrix Auditor + +## Symptom + +The following error is prompted in Health Log for any of your Microsoft 365 (Office 365) monitoring plans (e.g., Microsoft Entra ID (formerly Azure AD), SharePoint Online, Exchange Online, Teams): + +```text +Source: %Affected% Service +Event ID: 3106 +Description:Monitoring plan: %Affected_Microsoft_365% Monitoring Plan +Item: %Affected_item% +Cannot add the item %Affected_item% for auditing due to the following error: +AADSTS65001: The user or administrator has not consented to use the application with ID '%id%' named '%app_name%'. +Send an interactive authorization request for this user and resource. +``` + +## Cause + +- Incorrectly configured permissions for your Entra ID (Azure AD) app. +- Admin consent was not granted to the affected app. + +## Resolution + +Recreate the app named ` %app_name% ` in your Entra ID portal: + +1. Open the Entra ID portal. You can use the following link: [Microsoft Entra Admin Center](https://entra.microsoft.com/#home). +2. In the left pane, select **Applications** > **App registrations**. +3. Select the ` %app_name% ` app affected, and delete it. +4. 
Recreate the app according to the steps provided in the documentation for the affected data source: + - Microsoft 365 — Permissions for Microsoft Entra ID Auditing ⸱ v10.6 + - Microsoft 365 — Permissions for Exchange Online Auditing ⸱ v10.6 + - Microsoft 365 — Permissions for SharePoint Online Auditing ⸱ v10.6 + - Microsoft 365 — Permissions for Teams Auditing ⸱ v10.6 + +Edit the affected monitoring plan to use the new app: + +1. In the main **Netwrix Auditor** menu, select **Monitoring Plans**. +2. In the left pane, select the affected plan, and click **Edit**. +3. Click the affected item, and select **Edit item** under the **Item** section in the right pane. +4. Provide new credentials for the app. +5. Once you've provided the credentials, click **Save & Close**. +6. Click **Update** under the **Monitoring Plan** section in the right pane. + +## Related articles + +- Microsoft 365 — Permissions for Microsoft Entra ID Auditing ⸱ v10.6 +- Microsoft 365 — Permissions for Exchange Online Auditing ⸱ v10.6 +- Microsoft 365 — Permissions for SharePoint Online Auditing ⸱ v10.6 +- Microsoft 365 — Permissions for Teams Auditing ⸱ v10.6 +- [Microsoft Entra Admin Center](https://entra.microsoft.com/#home) diff --git a/docs/kb/auditor/error-an-item-with-the-same-key-has-already-been-added.md b/docs/kb/auditor/error-an-item-with-the-same-key-has-already-been-added.md new file mode 100644 index 0000000000..270ec8d0f2 --- /dev/null +++ b/docs/kb/auditor/error-an-item-with-the-same-key-has-already-been-added.md 
@@ -0,0 +1,47 @@ +--- +description: >- + When the Overview dashboard shows data but reports return "no data found", you + may see an error saving an Active Directory State-in-Time snapshot to the + Audit Database. This article explains the symptom, a common cause (duplicate + Active Directory objects), and points you to Microsoft guidance for finding + and fixing the duplicates. +keywords: + - Active Directory + - state-in-time + - snapshot + - Audit Database + - duplicate object + - same key + - mangled entries + - no data found +products: + - auditor +sidebar_label: 'Error: An Item with the Same Key Has Already Been ' +tags: [] +title: 'Error: An Item with the Same Key Has Already Been Added' +knowledge_article_id: kA0Qk0000000RjNKAU +--- + +# Error: An Item with the Same Key Has Already Been Added + +## Symptoms + +The Overview dashboard shows data, but when you drill down to a report, it says **no data found**. + +When you try to upload a State-in-Time snapshot manually, the following error appears: + +```text + +Cannot apply changes. +Error saving the Active Directory state-in-time snapshot to Audit Database: An item with the same key has already been added. +``` + +## Cause + +There are duplicated items in the monitored environment which led to "mangled" entries. + +It is not the only possible root cause, but it is becoming increasingly more common, especially in customer environments with several organizations within Active Directory or hybridized environments. + +## Resolution + +Review the following Microsoft article that describes how these "mangled" entries are handled by the system, how to find them, and how to fix the duplicates: https://learn.microsoft.com/en-us/archive/technet-wiki/15435.active-directory-duplicate-object-name-resolution (Active Directory: Duplicate Object Name Resolution ⸱ Microsoft 🤝). 
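Review bot: the Resolution is a single bare URL followed by "(Active Directory: Duplicate Object Name Resolution ⸱ Microsoft 🤝)"; write it as a normal markdown link with the article title as the link text and drop the emoji, to match the `[title](url)` form used elsewhere in this patch. The Cause says duplicates are "not the only possible root cause" but the article gives no way to confirm that duplicates are what the reader is hitting before sending them to the Microsoft page; one sentence on how to tell would make the resolution actionable. The `sidebar_label` value 'Error: An Item with the Same Key Has Already Been ' is cut mid-phrase and ends in a trailing space.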
diff --git a/docs/kb/auditor/error-an-unknown-error-occurred-while-processing-the-request-on-the-server.md b/docs/kb/auditor/error-an-unknown-error-occurred-while-processing-the-request-on-the-server.md new file mode 100644 index 0000000000..d8d81a678e --- /dev/null +++ b/docs/kb/auditor/error-an-unknown-error-occurred-while-processing-the-request-on-the-server.md 
@@ -0,0 +1,48 @@ +--- +description: >- + This article explains how to resolve a 500 Server Error + (Sys.WebForms.PageRequestManagerServerErrorException) that occurs when running + State-in-Time reports with large amounts of data by extending the report + timeout on the Report Manager URL. +keywords: + - State-in-Time + - Report Manager + - timeout + - 500 + - Sys.WebForms.PageRequestManagerServerErrorException + - Netwrix Auditor + - report timeout +products: + - auditor +sidebar_label: 'Error: An Unknown Error Occurred While Processing ' +tags: [] +title: 'Error: An Unknown Error Occurred While Processing the Request on the Server' +knowledge_article_id: kA0Qk0000000PmPKAU +--- + +# Error: An Unknown Error Occurred While Processing the Request on the Server + +## Symptom + +When running State-in-Time reports for items that contain large amount of data, the report completes with the following error: + +``` + + Sys.WebForms.PageRequestManagerServerErrorException: An unknown error occurred while processing the request on the server. + The status code returned from the server was: 500. + +``` + +## Cause + +The error occurs due to large amount of processed data. + +## Resolution + +Extend the report timeout on the on the Report Manager URL. For that: + +1. Go to your Report Manager URL: in Netwrix Auditor, navigate to **Settings** -> **Audit Database** and click the **Report Manager URL** link. +2. Find the problematic report and open it. +3. Click the 3 dots in the Reports Manager for the report itself, then click **Manage**. +4. In the **Advanced** section, modify the report timeout settings. + ![User-added image](images/ka0Qk0000001ZBp_0EMQk000002dUpt.png) diff --git a/docs/kb/auditor/error-auditing-of-directory-service-access-and-successful-account-management-events-is-not-enabled-f.md b/docs/kb/auditor/error-auditing-of-directory-service-access-and-successful-account-management-events-is-not-enabled-f.md new file mode 100644 index 0000000000..3a300f41fe 
--- /dev/null +++ b/docs/kb/auditor/error-auditing-of-directory-service-access-and-successful-account-management-events-is-not-enabled-f.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Explains the cause and resolution for the "Auditing of Directory Service + Access and successful Account Management events is not enabled for this DC" + warning in Netwrix Auditor, including steps to enable audit policies or + suppress the warning via a registry key. +keywords: + - auditing + - directory service access + - account management + - domain controller + - group policy + - gpupdate + - registry + - IgnoreAuditCheckResultError + - Netwrix Auditor +products: + - auditor +sidebar_label: 'Error: "Auditing of Directory Service Access and successful Account Management events is not enabled for this DC"' +tags: [] +title: 'Error: "Auditing of Directory Service Access and successful Account Management events is not enabled for this DC. Please adjust audit policy settings"' +knowledge_article_id: kA00g000000H9YjCAK +--- + +# Error: "Auditing of Directory Service Access and successful Account Management events is not enabled for this DC. Please adjust audit policy settings" + +- The Change Summary and the Netwrix Auditor System Health log (Netwrix Auditor log in 6.5 or `warning.txt` file in 5.0) contain the following warning message: "Auditing of Directory Service Access and successful Account Management events is not enabled for this DC. Please adjust audit policy settings". +- The **Who Changed** field contains the `System` value. + +--- + +The Local Security Policy snap-in on the domain controller indicates that the **Audit directory service access** and/or the **Audit account management** options are not set to `Success`. + +If these settings are set to `Success` in the applied effective policy, but you keep receiving this error, this may be due to one of the following reasons: + +- The effective policy applied to domain controllers is not configured properly. +- For some reason, the effective policy is not applied to the domain controller. +- The audit settings are configured using the Advanced Audit Policies. 
+ +--- + +## Enable the required audit settings + +Set the **Audit directory service access** and **Audit account management** options to `Success`. To do this, perform the following steps: + +1. Open the Group Policy Management console on any domain controller in the target domain: navigate to **Start → Administrative Tools → Group Policy Management**. +2. In the left pane, navigate to **Forest: `<domain_name>` → Domains → `<domain_name>` → Domain Controllers**. Right-click the effective domain controllers policy (by default, it is the **Default Domain Controllers Policy**), and select **Edit** from the pop-up menu. +3. Navigate to **Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy**. +4. Make sure that the **Audit directory service access** and **Audit account management** are set to `Success` (or `Success` and `Failure`). +5. Navigate to **Start → Run** and type `cmd`. Input the `gpupdate /force` command and press **Enter**. The group policy will be updated. + +Refer to the Netwrix Auditor Installation and Configuration Guide for more information: http://www.netwrix.com/download/documents/Netwrix_Auditor_Installation_Configuration_Guide.pdf + +- If the effective policy is applied to the domain controller, but you keep receiving this error, contact your Administrator. +- If you are sure that you have the Advanced Audit Policies applied correctly, but keep receiving this error, you can omit it. Perform the following steps to omit the error: + +1. On the computer where Netwrix Auditor is installed, navigate to **Start → Run** and type `regedit`. +2. Navigate to the following node: Versions 6.5 and Below - `HKEY_LOCAL_MACHINESOFTWARE(Wow6432Node)NetwrixAD Change Reporter` and set the `IgnoreAuditCheckResultError` registry key to `1`. If this key does not exist please create it. + +Note: In Netwrix Auditor 7.0 the registry location is `HKEY_LOCAL_MACHINESOFTWARE(Wow6432Node)Netwrix AuditorAD Change Reporter` 
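Review bot: the registry paths in step 2 of the suppression procedure and in the closing note have no separators (`HKEY_LOCAL_MACHINESOFTWARE(Wow6432Node)NetwrixAD Change Reporter` and `HKEY_LOCAL_MACHINESOFTWARE(Wow6432Node)Netwrix AuditorAD Change Reporter`), so neither can be followed as written; restore the backslashes and check that they survive the markdown build. `IgnoreAuditCheckResultError` is described as a registry key that is "set to `1`", which makes it a value, and its type is not stated for the "create it" case. Since this setting silences a warning about missing audit policy on a domain controller, the text should say how to confirm that the Advanced Audit Policies are actually in effect before suppressing it, instead of "if you are sure". The Installation and Configuration Guide link uses `http://`.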
diff --git a/docs/kb/auditor/error-can-not-process-sql-commands-for-the-netwrix-auditor-self-audit-database.md b/docs/kb/auditor/error-can-not-process-sql-commands-for-the-netwrix-auditor-self-audit-database.md new file mode 100644 index 0000000000..bdf3b1b26e --- /dev/null +++ b/docs/kb/auditor/error-can-not-process-sql-commands-for-the-netwrix-auditor-self-audit-database.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Explains how to resolve the "can not process SQL commands" error by turning + off Recovery mode for the Netwrix Auditor Self Audit database and reattaching + it. +keywords: + - Netwrix Auditor + - Self Audit + - SQL Server + - Recovery mode + - EMERGENCY + - detach + - reattach + - System Health +products: + - auditor +sidebar_label: 'Error: Can Not Process SQL Commands for the Netwri' +tags: [] +title: "Error: Can Not Process SQL Commands for the Netwrix Auditor Self Audit Database" +knowledge_article_id: kA0Qk0000000LhBKAU +--- + +# Error: Can Not Process SQL Commands for the Netwrix Auditor Self Audit Database + +## Symptom + +You see the following error in the Netwrix Auditor System Health log: + +```text + + Error: can not process SQL commands for the Netwrix Auditor Self Audit database. +``` + +## Cause + +The **Netwrix Auditor Self Audit** database is in the **Recovery** mode. + +## Resolution + +Follow the steps below to turn off the **Recovery** mode for the database: + +1. On the computer that hosts your **Netwrix Auditor** Server, stop all services with the **Netwrix** prefix. +2. Connect to your SQL instance as an administrator. +3. Locate the **Netwrix Auditor Self Audit** database and set it to the **Emergency** mode by running this query on the database: + + ```sql + ALTER DATABASE Netwrix_Auditor_Self_Audit SET EMERGENCY + ``` + +4. Once completed, detach the database. +5. Reattach the database. +6. Start all **Netwrix** services you stopped on the step 1. + +### Related Article: + +- Recovery Mode Changes in SQL Databases: /docs/kb/auditor/recovery_mode_changes_in_sql_databases diff --git a/docs/kb/auditor/error-cannot-create-a-connection-to-data-source-ds.md b/docs/kb/auditor/error-cannot-create-a-connection-to-data-source-ds.md new file mode 100644 index 0000000000..73f6c31f9b --- /dev/null +++ b/docs/kb/auditor/error-cannot-create-a-connection-to-data-source-ds.md 
@@ -0,0 +1,67 @@ +--- +description: >- + Describe how to resolve the "Cannot create a connection to data source 'DS'" + error in Netwrix Auditor by specifying correct credentials for the SQL Server + Reporting Services database. +keywords: + - SSRS + - SQL Server Reporting Services + - rsProcessingAborted + - rsErroropeningConnection + - DS_Common + - Netwrix Auditor + - report server + - credentials + - data source DS + - report processing +products: + - auditor +visibility: public +sidebar_label: 'Error: Cannot Create a Connection to Data Source D' +tags: [] +title: 'Error: Cannot Create a Connection to Data Source DS' +knowledge_article_id: kA00g000000H9XeCAK +--- + +# Error: Cannot Create a Connection to Data Source DS + +## Symptom + +When you attempt to generate reports in Netwrix Auditor, the following error appears: + +```text +An error has occurred during report processing. (rsProcessingAborted) +Cannot create a connection to data source 'DS'. (rsErroropeningConnection) +For more information about this error navigate to the report server on the local server machine, or enable remote errors +``` + +## Cause + +The affected user tries to access SQL Server Reporting Services reports from a remote machine. The affected user lacks permissions to access the SQL Server Database Engine and the target database. + +## Resolutions + +Refer to the following possible resolutions: + +- Review the required account permissions and roles to access SSRS reports: /docs/auditor/10.6/auditor/requirements and /docs/auditor/10.6/auditor/requirements +- Specify the credentials to access the Reporting Services database. + +Perform the following steps to specify the credentials to access the Reporting Services database: + +1. Proceed to the Report Manager URL on the SQL Server with SSRS. + + > NOTE: Locate the Report Manager URL in Netwrix Auditor via **Settings** > **Audit Database**. + +2. 
In the top right corner, click **View** / **List** and check the **Show hidden items** checkbox. +3. Navigate to the **Netwrix Auditor** folder > **Netwrix Auditor for `%datasource%`** > **Change Reports**. +4. Right-click **DS_Common** and select **Manage**. +5. In the **Properties** tab, review the **Credentials** section. + - To use a SQL login, select **Database user name and password** in the **Type of credentials** dropdown list. + - To use a Windows login, select **Windows user name and password** in the **Type of credentials** dropdown list. +6. Click **Test connection** to verify the credentials. +7. Click **Apply**, close the browser, and generate the report in Netwrix Auditor. + +## Related Articles + +- Requirements for SQL Server to Store Audit Data — SQL Server · v10.6: /docs/auditor/10.6/auditor/requirements +- SQL Server Reporting Services · v10.6: /docs/auditor/10.6/auditor/requirements diff --git a/docs/kb/auditor/error-certificate-with-identifier-is-not-registered-on-application.md b/docs/kb/auditor/error-certificate-with-identifier-is-not-registered-on-application.md new file mode 100644 index 0000000000..3aab0f6de6 --- /dev/null +++ b/docs/kb/auditor/error-certificate-with-identifier-is-not-registered-on-application.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Explains the AADSTS700027 certificate error shown in the Health Log for + Microsoft 365 monitoring plans and how to resolve it by using separate Entra + ID applications in Netwrix Auditor. +keywords: + - AADSTS700027 + - certificate + - Entra ID + - Microsoft 365 + - Health Log + - thumbprint + - application + - Netwrix Auditor +products: + - auditor +sidebar_label: 'Error: Certificate With Identifier Is Not Register' +tags: [] +title: 'Error: Certificate With Identifier Is Not Registered on Application' +knowledge_article_id: kA04u00000111FnCAI +--- + +# Error: Certificate With Identifier Is Not Registered on Application + +## Symptom + +The following error appears in the Health Log for your Microsoft 365-based monitoring plan: + +``` +AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. +Reason - The key was not found. Thumbprint of key used by client: '%thumbprint%' +``` + +## Cause + +Multiple Microsoft 365-based items use the same Entra ID application instead of dedicated applications causing the certificate thumbprint overwrites. + +## Resolution + +Set up a separate Entra ID application for every Microsoft 365-based item monitored in your environment. Refer to the related articles for additional information on Microsoft 365-based sources. + +## Related Articles + +- Microsoft 365 — Permissions for Entra ID Auditing ⸱ v10.6 +- Microsoft 365 — Permissions for Exchange Online Auditing ⸱ v10.6 +- Microsoft 365 — Permissions for SharePoint Online Auditing ⸱ v10.6 +- Microsoft 365 — Permissions for Teams Auditing ⸱ v10.6 diff --git a/docs/kb/auditor/error-check-your-sql-server-settings-in-audit-database-settings.md b/docs/kb/auditor/error-check-your-sql-server-settings-in-audit-database-settings.md new file mode 100644 index 0000000000..d39ac777c2 --- /dev/null +++ b/docs/kb/auditor/error-check-your-sql-server-settings-in-audit-database-settings.md 
@@ -0,0 +1,67 @@ +--- +description: >- + This article describes causes and resolutions for the "Error validating + settings. Check your SQL Server settings." message that can occur when you + configure the Audit Database in Netwrix Auditor. +keywords: + - SQL Server + - Audit Database + - connection error + - DBNETLIB + - Netwrix Auditor + - TCP/IP + - remote connections + - SQL listener + - SQL port +products: + - auditor +sidebar_label: 'Error: Check Your SQL Server Settings in Audit Dat' +tags: [] +title: 'Error: Check Your SQL Server Settings in Audit Database Settings' +knowledge_article_id: kA0Qk0000001D85KAE +--- + +# Error: Check Your SQL Server Settings in Audit Database Settings + +## Related Queries + +- "We are moving Netwrix Auditor to a new domain/server and getting a connection error on DB restore." +- "We are migrating our Netwrix DB over to a new domain/server. Netwrix Auditor is installed on the new domain/server. SQL DB is coming from SQL 2019, new DB server is SQL 2022 and we are getting a connection error on the SQL listener." + +## Symptoms + +Netwrix Auditor prompts one of the following error messages when you set up the Audit Database: + +```text +Error validating settings. Check your SQL Server settings. +The network location cannot be reached. For information about network troubleshooting, see Windows Help +``` + +```text +Error validating settings. Check your SQL Server settings. +SQL Server error occurred (17, [DBNETLIB][ConnectionOpen (Connect()).] SQL Server does not exist or access denied.) +``` + +## Causes + +Refer to the list of possible causes for the error: + +1. An incorrect SQL Server name is specified in the Audit Database settings. +2. The SQL Server is not configured to allow remote connections. +3. The SQL Server network protocols are disabled. + +## Resolutions + +1. Verify the SQL Server instance name specified in the Audit Database settings. 
Refer to the following article for additional information: [Specifying the SQL Server Instance Name](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA0Qk0000001D01KAE.html). +2. Configure your SQL Server instance to allow remote connections. Learn more in [Configure remote access (server configuration option) — Use SQL Server Management Studio ⸱ Microsoft 🧩](https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver16#SSMSProcedure). +3. Enable the TCP/IP protocol in the SQL Server—refer to the following article for additional information: Enable TCP/IP Protocol in SQL Server. + +> **NOTE:** Alternatively, review the TCP port used for SQL Server communication—learn more in [Configure SQL Server to listen on a specific TCP port — Assign a TCP/IP port number to the SQL Server Database Engine ⸱ Microsoft 🧩](https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port?view=sql-server-ver15#assign-a-tcpip-port-number-to-the-sql-server-database-engine). For additional information on setting a custom TCP port in Netwrix Auditor, refer to the following article: [Specify Custom SQL Server Port for Netwrix Auditor Audit Database](/docs/kb/auditor/specify-custom-sql-server-port-for-netwrix-auditor-audit-database.md). 
+ +## Related Articles + +- [Specifying the SQL Server Instance Name](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA0Qk0000001D01KAE.html) +- [Configure remote access (server configuration option) — Use SQL Server Management Studio ⸱ Microsoft 🧩](https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver16#SSMSProcedure) +- Enable TCP/IP Protocol in SQL Server +- [Configure SQL Server to listen on a specific TCP port — Assign a TCP/IP port number to the SQL Server Database Engine ⸱ Microsoft 🧩](https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port?view=sql-server-ver15#assign-a-tcpip-port-number-to-the-sql-server-database-engine) +- [Specify Custom SQL Server Port for Netwrix Auditor Audit Database](/docs/kb/auditor/specify-custom-sql-server-port-for-netwrix-auditor-audit-database.md) diff --git a/docs/kb/auditor/error-content-index-state-failed-when-auditing-mailbox-access-on-exchange-2013.md b/docs/kb/auditor/error-content-index-state-failed-when-auditing-mailbox-access-on-exchange-2013.md new file mode 100644 index 0000000000..15a3bf8858 --- /dev/null +++ b/docs/kb/auditor/error-content-index-state-failed-when-auditing-mailbox-access-on-exchange-2013.md 
@@ -0,0 +1,43 @@ +--- +description: >- + When auditing mailbox access on Exchange 2013, Netwrix Auditor may fail to + collect audit data if Exchange content indexes are in a failed state. This + article shows how to identify the affected database and how to reseed the + search catalog. +keywords: + - Exchange 2013 + - Content Index State Failed + - Get-MailboxDatabaseCopyStatus + - Search-MailboxAuditLog + - Netwrix Auditor + - reseed search catalog + - mailbox audit +products: + - auditor +sidebar_label: "Error: Content Index State Failed when auditing mailbox access on Exchange 2013" +tags: [] +title: >- + Error: Content Index State Failed when auditing mailbox access on + Exchange 2013 +knowledge_article_id: kA00g000000H9YcCAK +--- + +# Error: "Content Index State Failed" when auditing mailbox access on Exchange 2013 + +When auditing mailbox access on Exchange 2013, you receive the following error: + +**"Cannot audit mailboxes stored in the AAA database on the BBB server. The "Content Index State Failed" error has occurred on your Exchange server."** + +--- + +Your Exchange server databases have unhealthy status "ContextIndexState:Failed". +As a result, Netwrix Auditor cannot collect audit data about mailboxes with the `Search-MailboxAuditLog` cmdlet. + +To determine the exact database that has failed indexes, run the following command: `Get-MailboxDatabaseCopyStatus` +See Microsoft documentation for more information: https://technet.microsoft.com/en-us/library/dd298044%28v=exchg.150%29.aspx + +--- + +Rebuild failed indexes on your Exchange server side. See the Microsoft article "Reseed the search catalog" for more information: https://technet.microsoft.com/EN-US/library/ee633475(v=exchg.150).aspx + +After fixing the failed indexes, restart data collection. diff --git a/docs/kb/auditor/error-could-not-connect-to-server.md b/docs/kb/auditor/error-could-not-connect-to-server.md new file mode 100644 index 0000000000..23a6f64721 --- /dev/null 
+++ b/docs/kb/auditor/error-could-not-connect-to-server.md 
@@ -0,0 +1,65 @@ +--- +description: >- + This article explains causes and resolutions for the "Could not connect to the + server" error when configuring the Netwrix Auditor Audit Database and provides + troubleshooting steps for SQL connectivity. +keywords: + - SQL Server + - connection error + - Named Pipes Provider + - TCP/IP + - remote connections + - Netwrix Auditor + - Audit Database + - error 40 + - SQL listener +products: + - auditor +sidebar_label: 'Error: Could Not Connect to Server' +tags: [] +title: 'Error: Could Not Connect to Server' +knowledge_article_id: kA00g000000H9Y2CAK +--- + +# Error: Could Not Connect to Server + +## Related Queries + +- "We are moving Netwrix Auditor to a new domain/server and getting a connection error on DB restore." +- "We are migrating our Netwrix DB over to a new domain/server. Netwrix Auditor is installed on the new domain/server. SQL DB is coming from SQL 2019, new DB server is SQL 2022 and we are getting a connection error on the SQL listener." + +## Symptoms + +When configuring the Audit Database settings in Netwrix Auditor, the following error message appears: + +```text +Could not connect to the server. +A network-related or instance-specific error occurred while establishing a connection to SQL Server. +The server was not found or was not accessible. +Verify that the instance name is correct and that SQL Server is configured to allow remote connections. +(provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) +``` + +## Causes + +Refer to the list of possible causes for the error: + +1. An incorrect SQL Server name is specified in the Audit Database settings. +2. The SQL Server is not configured to allow remote connections. +3. The SQL Server network protocols are disabled. + +## Resolutions + +1. Verify the SQL Server instance name specified in the Audit Database settings. 
Refer to the following article for additional information: <https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA0Qk0000001D01KAE.html> (Specifying the SQL Server Instance Name). +2. Configure your SQL Server instance to allow remote connections. Learn more in Microsoft's documentation: <https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver16#SSMSProcedure> (Configure remote access (server configuration option) — Use SQL Server Management Studio ⸱ Microsoft). +3. Enable the TCP/IP protocol in the SQL Server—refer to the following article for additional information: </docs/kb/auditor/enable_tcpip_protocol_in_sql_server> (Enable TCP/IP Protocol in SQL Server). + +> **NOTE:** Alternatively, review the TCP port used for SQL Server communication—learn more in Microsoft's documentation: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port?view=sql-server-ver15#assign-a-tcpip-port-number-to-the-sql-server-database-engine (Configure SQL Server to listen on a specific TCP port — Assign a TCP/IP port number to the SQL Server Database Engine ⸱ Microsoft). For additional information on setting a custom TCP port in Netwrix Auditor, refer to the following article: /docs/kb/auditor/specify_custom_sql_server_port_for_netwrix_auditor_audit_database (Specify Custom SQL Server Port for Netwrix Auditor Audit Database). 
+ +## Related Articles + +- https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA0Qk0000001D01KAE.html — Specifying the SQL Server Instance Name +- https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver16#SSMSProcedure — Configure remote access (server configuration option) — Use SQL Server Management Studio ⸱ Microsoft +- /docs/kb/auditor/enable_tcpip_protocol_in_sql_server — Enable TCP/IP Protocol in SQL Server +- https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port?view=sql-server-ver15#assign-a-tcpip-port-number-to-the-sql-server-database-engine — Configure SQL Server to listen on a specific TCP port — Assign a TCP/IP port number to the SQL Server Database Engine ⸱ Microsoft +- /docs/kb/auditor/specify_custom_sql_server_port_for_netwrix_auditor_audit_database — Specify Custom SQL Server Port for Netwrix Auditor Audit Database diff --git a/docs/kb/auditor/error-current-site-is-not-a-tenant-administration-site-in-microsoft-365-monitoring-plan.md b/docs/kb/auditor/error-current-site-is-not-a-tenant-administration-site-in-microsoft-365-monitoring-plan.md new file mode 100644 index 0000000000..faeb1d4f24 --- /dev/null +++ b/docs/kb/auditor/error-current-site-is-not-a-tenant-administration-site-in-microsoft-365-monitoring-plan.md 
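Review bot: In error-could-not-connect-to-server.md, Resolutions step 3 wraps a site-relative path in angle brackets (`</docs/kb/auditor/enable_tcpip_protocol_in_sql_server>`). Angle-bracket autolinks require an absolute URI with a scheme, so this will not render as a link, and an MDX parser can read it as a closing tag. Use a normal Markdown link such as `[Enable TCP/IP Protocol in SQL Server](/docs/kb/auditor/enable_tcpip_protocol_in_sql_server)`, and do the same for the bare relative path in the NOTE. Separately, the two Microsoft links pin different documentation versions (`sql-server-ver16` and `sql-server-ver15`); pick one.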
@@ -0,0 +1,52 @@ +--- +description: >- + Explains the cause and resolution when a Microsoft 365 monitoring plan in + Netwrix Auditor reports "Current site is not a tenant administration site" + (Event ID 3229) in the Health Log. Follow the steps to verify and correct the + tenant name for the monitored item. +keywords: + - Netwrix Auditor + - Microsoft 365 + - tenant administration + - monitoring plan + - Event 3229 + - tenant ID + - Health Log +products: + - auditor +sidebar_label: 'Error: Current Site Is Not a Tenant Administration' +tags: [] +title: "Error: Current Site Is Not a Tenant Administration Site in Microsoft 365 Monitoring Plan" +knowledge_article_id: kA04u00000111K4CAI +--- + +# Error: Current Site Is Not a Tenant Administration Site in Microsoft 365 Monitoring Plan + +## Symptom + +A Microsoft 365-based monitoring plan in Netwrix Auditor prompts the following error in the Health Log: + +```text +Event ID: 3229 +Description: Monitoring plan: %Monitoring_plan_name% +Item: %item_name% +Failed to collect state-in-time data due to the following error: +Error get responce for GetTenant: Current site is not a tenant administration site +``` + +## Cause + +The affected monitored item has an incorrect tenant name. + +## Resolution + +Review the tenant name in the affected monitoring plan. + +1. In the main Auditor screen, click **Monitoring Plans**, select the affected monitoring plan, and click **Edit**. +2. Select a monitored item and click **Edit Item** in the right pane. +3. Review the tenant name value for the item. Refer to the Microsoft guide to locate the correct tenant ID: [Locate important IDs for a user ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/partner-center/find-ids-and-domain-names#find-the-microsoft-azure-ad-tenant-id-and-primary-domain-name). +4. Once you introduce the changes, click **Save & Close**. In the right pane, click **Update** to update your monitoring plan. 
+ +## Related articles + +- [Locate important IDs for a user ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/partner-center/find-ids-and-domain-names#find-the-microsoft-azure-ad-tenant-id-and-primary-domain-name) diff --git a/docs/kb/auditor/error-database-owner-sid-mismatch.md b/docs/kb/auditor/error-database-owner-sid-mismatch.md new file mode 100644 index 0000000000..0e81cfe11e --- /dev/null +++ b/docs/kb/auditor/error-database-owner-sid-mismatch.md 
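Review bot: In error-current-site-is-not-a-tenant-administration-site-in-microsoft-365-monitoring-plan.md, the Cause and Resolution step 3 tell the reader to check the tenant name, but the only reference given is a guide for locating the tenant ID. State which value the monitored item expects and what a correct entry looks like, so the reader can tell a wrong value from a right one. The sidebar_label is also cut off after "Tenant Administration".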
@@ -0,0 +1,72 @@ +--- +description: >- + This article explains how to resolve the "Database owner SID mismatch" error + that prevents data change monitoring in Netwrix Auditor. It includes the + cause, the exact ALTER AUTHORIZATION command to run, and steps to prevent the + issue from recurring. +keywords: + - database owner + - SID mismatch + - SQL Server + - Netwrix Auditor + - ALTER AUTHORIZATION + - triggers + - data changes monitoring + - master database + - Health Log + - database owner account +products: + - auditor +sidebar_label: 'Error: Database Owner SID Mismatch' +tags: [] +title: 'Error: Database Owner SID Mismatch' +knowledge_article_id: kA00g000000H9YICA0 +--- + +# Error: Database Owner SID Mismatch + +## Symptoms + +All of the following symptoms are present in your Netwrix Auditor environment: + +- Netwrix Auditor monitors changes to data in the database tables in your environment. +- The **Use triggers for detailed monitoring** option is enabled. +- Auditor prompts the following error in Health Log for your SQL Server monitoring plan + +```text +Monitoring plan: %SQL_Server_Monitoring_plan_name% +Database owner SID stored in %DB_Name% database differs from database owner SID stored in the master database. +Data changes monitoring will not work. +``` + +## Cause + +Refer to the possible causes: + +- The owner account of the affected database is no longer valid. Learn more about possible causes in MSSQLSERVER_15517 ⸱ Microsoft: http://support.microsoft.com/kb/913423/en-us + +## Resolution + +To resolve the issue and assign a new owner to the affected database, execute the following command in SQL Server Management Studio: + +```sql +ALTER AUTHORIZATION ON DATABASE:: DBName TO [NewLogin] +``` + +Replace the `DBName` value with the name of the affected database. Replace the `NewLogin` value with the new owner value as listed in **Security** > **Logins** of your SQL Server Object Explorer. 
Refer to the following example: + +```sql +ALTER AUTHORIZATION ON DATABASE:: Netwrix_Auditor_AD TO [SQLAdmin] +``` + +Learn more about the `ALTER AUTHORIZATION` command in ALTER AUTHORIZATION (Transact-SQL) ⸱ Microsoft: https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-authorization-transact-sql?view=sql-server-ver16 + +To prevent this issue from recurring, refer to the following steps: + +1. Verify the database properties. If the **Owner** property is empty, the database owner account is no longer valid. +2. When you restore databases to be audited from backup, verify the database owners specified in the **master** and affected databases match. + +## Related Articles + +- MSSQLSERVER_15517 ⸱ Microsoft: http://support.microsoft.com/kb/913423/en-us +- ALTER AUTHORIZATION (Transact-SQL) ⸱ Microsoft: https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-authorization-transact-sql?view=sql-server-ver16 diff --git a/docs/kb/auditor/error-drive-letter-resolver-is-not-installed-on-the-target-host.md b/docs/kb/auditor/error-drive-letter-resolver-is-not-installed-on-the-target-host.md new file mode 100644 index 0000000000..479e0137a4 --- /dev/null +++ b/docs/kb/auditor/error-drive-letter-resolver-is-not-installed-on-the-target-host.md 
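Review bot: In error-database-owner-sid-mismatch.md, the Resolution says to take the new owner from Security > Logins but gives no guidance on which login is appropriate, and the worked example uses `[SQLAdmin]`. The database owner is mapped to `dbo` inside that database, so the article should say what kind of login to choose (for example a dedicated login rather than a personal administrator account) instead of leaving it open. The Cause link is labelled MSSQLSERVER_15517 but points at `http://support.microsoft.com/kb/913423/en-us`; confirm the target and use https. The third Symptoms bullet is missing its trailing colon before the code block.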
@@ -0,0 +1,48 @@ +--- +description: >- + Explains the "Drive letter resolver is not installed on the target host" error + for Windows file servers and how to resolve it by deploying the Network + Traffic Compression Service. +keywords: + - drive letter resolver + - Network Traffic Compression Service + - file server + - Netwrix Auditor + - monitored objects + - SACL + - data collection + - network load + - error message +products: + - auditor +sidebar_label: 'Error: Drive Letter Resolver is not Installed on t' +tags: [] +title: 'Error: Drive Letter Resolver is not Installed on the Target Host' +knowledge_article_id: kA00g000000H9WtCAK +--- + +# Error: Drive Letter Resolver is not Installed on the Target Host + +## Symptom +Netwrix Auditor returns the following error for Windows File Servers: + +```text +Drive letter resolver is not installed on the target host +``` + +## Cause +The component responsible for collecting information about the drive letter was not installed on the target file server. It is Network Traffic Compression Service that collects this information to map data in the security events. + +## Resolution +To solve the issue, deploy Network Traffic Compression Service on the audited file server: + +1. In the Netwrix Auditor client, select the corresponding Monitoring Plan. +2. In the **Data source** section on the right, select **Edit data source**. +3. In the dialog displayed, locate the **Specify data collection method** section and select the **Enable network traffic compression** check box. +4. Network Traffic Compression Service will be automatically deployed and launched on the target file server during the next data collection (scheduled or ad hoc), collecting and pre-filtering data. +5. Click **Save & Close**. + +Consider that using this service will also minimize network load and speed up state-in-time snapshot collection and SACL configuration. 
See also: + +- Monitored Object Types, Actions, and Attributes: File Servers ⸱ v10.5: /docs/auditor/10.5/auditor/admin-guide/monitoredobjects +- Monitored Object Types, Actions, and Attributes: File Servers ⸱ v10.6: /docs/auditor/10.6/auditor/configurationuration/fileservers diff --git a/docs/kb/auditor/error-during-agent-operation-on-server-no-such-host-is-known.md b/docs/kb/auditor/error-during-agent-operation-on-server-no-such-host-is-known.md new file mode 100644 index 0000000000..2382ef49a0 --- /dev/null +++ b/docs/kb/auditor/error-during-agent-operation-on-server-no-such-host-is-known.md 
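Review bot: In error-drive-letter-resolver-is-not-installed-on-the-target-host.md, the second See also path reads `/docs/auditor/10.6/auditor/configurationuration/fileservers`; `configurationuration` looks like a search-and-replace artifact and the link is unlikely to resolve. In the Resolution list, step 4 describes what happens at the next data collection before step 5 tells the reader to click Save & Close; swap them, or move step 4 out of the numbered list as a result statement. The sidebar_label is truncated mid-word ("Installed on t").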
@@ -0,0 +1,58 @@ +--- +description: >- + Explains how to resolve the "No such host is known" error reported by Netwrix + Auditor when an agent fails to resolve a server name. Provides checks for + server names and DNS registration steps. +keywords: + - No such host is known + - nslookup + - DNS + - ipconfig /registerdns + - agent error + - Netwrix Auditor + - DNS records + - server name resolution +products: + - auditor +sidebar_label: 'Error During Agent Operation on Server: No Such Ho' +tags: [] +title: 'Error During Agent Operation on Server: No Such Host is Known' +knowledge_article_id: kA00g000000H9XmCAK +--- + +# Error During Agent Operation on Server: No Such Host is Known + +## Symptom + +Activity Summary contains the following error message: + +```text +: Error during agent operation on server . No such host is known. Additional information: none. +``` + +## Causes + +Here are the possible causes for the issue: + +- Cause 1. Incorrect server names are specified. +- Cause 2. DNS-request fails. + +## Resolutions + +Here are possible options to resolve the issue: + +### Check Server Names + +First of all, check that all server names are specified correctly in the program settings. Make sure that your DNS server, has the DNS-records registered for your problematic servers: + +1. On the server running Netwrix Auditor Server host, launch the `nslookup` tool: click **Start** / **Run**, type in `nslookup.exe` and press **Enter**. +2. In the `nslookup` dialog, check all your problematic servers one by one: specify a server name and press **Enter**. +3. If the IP-addresses appear in the command output, your DNS server has the DNS-records registered correctly. + +### Check DNS Records + +If the DNS-records are not registered correctly, perform the steps below: + +1. On each problematic server, launch the command prompt: click **Start /** **Run**, type in `cmd` and press **Enter.** +2. Type in the `ipconfig /registerdns` command and press **Enter**. +3. 
As a result, the DNS records will be registered for your servers. diff --git a/docs/kb/auditor/error-during-report-processing-rserrorimpersonatinguser-running-reports.md b/docs/kb/auditor/error-during-report-processing-rserrorimpersonatinguser-running-reports.md new file mode 100644 index 0000000000..0d7b42ccb9 --- /dev/null +++ b/docs/kb/auditor/error-during-report-processing-rserrorimpersonatinguser-running-reports.md 
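Review bot: In error-during-agent-operation-on-server-no-such-host-is-known.md, the Symptom code block has lost its placeholders: the message starts with a bare colon and reads "on server . No such host is known". The placeholder tokens were likely stripped during conversion; restore them in a form that survives rendering, such as the `%server%` style used by other articles in this patch. In Check Server Names, step 3 covers only the success case; add what the reader sees when the record is missing, since that is the case that leads into Check DNS Records.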
@@ -0,0 +1,71 @@ +--- +description: >- + This article explains how to resolve the "Cannot impersonate user for data + source" error (rsErrorImpersonatingUser) when running reports in Netwrix + Auditor, including checks for SSRS configuration, account permissions, and + Audit Database credentials. +keywords: + - rsErrorImpersonatingUser + - rsLogonFailed + - SSRS + - Audit Database + - Report Services + - Netwrix Auditor + - impersonation error +products: + - auditor +sidebar_label: Error During Report Processing — rsErrorImpersonat +tags: [] +title: "Error During Report Processing — rsErrorImpersonatingUser Running Reports" +knowledge_article_id: kA04u000001110TCAQ +--- + +# Error During Report Processing — rsErrorImpersonatingUser Running Reports + +## Symptom + +The following error occurred when trying to run Netwrix Auditor reports: + +```text +An error has occurred during report processing. (rsProcessingAborted) +Cannot impersonate user for data source 'DS'. (rsErrorImpersonatingUser) +Log on failed. Ensure the username and password are correct. (rsLogonFailed) +The username or password is incorrect. +``` + +## Cause + +SQL Server Reporting Services (SSRS) connection issues or insufficient permissions for the data collection account. + +## Resolution + +1. Make sure you are using a supported SQL Server edition. Refer to the following article: /docs/auditor/10.7/auditor/requirements + +2. Check the permissions for your Audit Database account. Refer to the following article: /docs/auditor/10.7/auditor/requirements + +3. Check the permissions for the account used to collect data in your environment. Refer to the following article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans + + > **IMPORTANT:** The account should be a member of the local Administrators group. + + If you use a `gMSA` account for data collection, refer to the following article for additional information: /docs/auditor/10.7/auditor/requirements + +4. 
Check your Report Services configuration. Refer to the following article: /docs/kb/auditor/deploying_the_report_server_database + +5. Check the permissions for your SSRS Account. Refer to the following article: /docs/auditor/10.7/auditor/requirements + + > **IMPORTANT:** The account should be a member of the local Administrators group. + +6. On the computer that hosts the Auditor Server, open the **Services** snap-in and restart the **Netwrix Auditor Management Service**. + +7. Ensure you provide valid credentials to connect to your Audit Database in Netwrix Auditor. To do so, open Netwrix Auditor, navigate to **Settings** > **Audit Database**, click **Configure** under **Audit Database settings**, and verify your credentials. + +**NOTE:** Netwrix also recommends upgrading the product to the latest version to avoid SSRS-related issues. + +## Related Links + +- Requirements for SQL Server to Store Audit Data: /docs/auditor/10.7/auditor/requirements +- Requirements for SQL Server to Store Audit Data: Configure Audit Database Account: /docs/auditor/10.7/auditor/requirements +- Monitoring Plans – Data Collecting Account: /docs/auditor/10.7/auditor/admin-guide/monitoringplans +- Requirements – Use Group Managed Service Account (gMSA): /docs/auditor/10.7/auditor/requirements +- Deploying the Report Server Database: /docs/kb/auditor/deploying_the_report_server_database +- SQL Server Reporting Services: Configure SSRS Account: /docs/auditor/10.7/auditor/requirements diff --git a/docs/kb/auditor/error-event-id-1206-in-health-log.md b/docs/kb/auditor/error-event-id-1206-in-health-log.md new file mode 100644 index 0000000000..8217e45213 --- /dev/null +++ b/docs/kb/auditor/error-event-id-1206-in-health-log.md 
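Review bot: In error-during-report-processing-rserrorimpersonatinguser-running-reports.md, Resolution steps 1, 2 and 5 and the gMSA sentence under step 3 all link to `/docs/auditor/10.7/auditor/requirements`, and Related Links lists four differently titled entries with that same URL. The reader cannot reach the specific topic each step names (supported editions, Audit Database account, gMSA, SSRS account). Link each step to its own page or anchor, or collapse the duplicates into one entry. The two IMPORTANT notes say "The account" without naming it; name the data collection account and the SSRS account explicitly.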
@@ -0,0 +1,48 @@ +--- +description: >- + Describes the cause and resolution for Event ID 1206 logged in the Netwrix + Auditor System Health Log when the SharePoint Core Service cannot be found. +keywords: + - Netwrix Auditor + - Event ID 1206 + - Health Log + - SharePoint Core Service + - SharePoint Central Administration + - monitoring plan + - data collection +products: + - auditor +sidebar_label: 'Error: Event ID 1206 in Health Log' +tags: [] +title: 'Error: Event ID 1206 in Health Log' +knowledge_article_id: kA00g000000H9d3CAC +--- + +# Error: Event ID 1206 in Health Log + +## Symptom + +The Netwrix Auditor System Health Log contains the following error message: + +``` +Event ID: 1206 +Netwrix Auditor for SharePoint Core Service cannot be found +``` + +## Causes + +This can be due to one of the following reasons: + +- The manual Core Service installation mode was selected when the monitoring plan was created, and the Netwrix Auditor for SharePoint Core Service cannot be found on the computer where SharePoint Central Administration is installed. +- The manual Core Service installation mode was selected when the monitoring plan was created, but the wrong SharePoint Central Administration URL was specified. + +## Resolutions + +- If the manual installation mode was used, check that you have specified a valid SharePoint Central Administration URL. +- Install the Netwrix Auditor for SharePoint Core Service manually. For detailed instructions, refer to the following article: /docs/auditor/10.7/auditor/installation + +> **TIP:** After the successful manual installation, the error will persist until the next scheduled data collection. To start the collection manually, navigate to a SharePoint monitoring plan, select **Edit** and click **Update** on the right pane. + +## Related Article + +- /docs/auditor/10.7/auditor/installation 
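Review bot: In error-event-id-1206-in-health-log.md, both Causes assume the manual Core Service installation mode, yet the first Resolution bullet opens with "If the manual installation mode was used", which reads as if another mode could also produce this event. Either drop the condition or add the cause for the other mode. The Symptom fence has no language tag where sibling articles use `text`, and the Related Article entry is a bare path with no title.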
diff --git a/docs/kb/auditor/error-failed-to-check-for-event-log-existence.md b/docs/kb/auditor/error-failed-to-check-for-event-log-existence.md new file mode 100644 index 0000000000..67bd5f8a6c --- /dev/null +++ b/docs/kb/auditor/error-failed-to-check-for-event-log-existence.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Describes the "Failed to check for event log existence" error, how to test for + loopback-related connectivity issues, and how to resolve the problem by + disabling Network Traffic Compression or applying Microsoft KB 926642. +keywords: + - event log + - loopback + - Event Log Manager + - Network Traffic Compression + - Failed to check for event log existence + - Netwrix + - scheduled task + - data processing account + - Event Viewer + - KB926642 +products: + - auditor +sidebar_label: 'Error: Failed to check for event log existence' +tags: [] +title: 'Error: Failed to check for event log existence' +knowledge_article_id: kA00g000000H9c6CAC +--- + +# Error: Failed to check for event log existence + +## Symptom +You see the following error in the session results or daily change summary email: + +"Failed to check for event log existence". + +## Cause +This problem occurs because the loopback check functionality is active on the problematic server. + +## Test +To diagnose the issue, perform the following test: + +1. Launch **Event Viewer** on the machine where the Netwrix product is installed. +2. From the **Action** menu, select **Connect to another computer** and specify the name of the problematic computer. +3. Select the **Connect as another user** option, click the **Set user** button and specify the account that is used to run the Event Log Manager scheduled task (the default data processing account). + +## Resolution +- If you can connect successfully, resolve the issue by turning off the **Network Traffic Compression** option in the **Event Log Manager** settings. +- Alternatively, perform the procedure described in the Microsoft Knowledge Base article: http://support.microsoft.com/kb/926642. diff --git a/docs/kb/auditor/error-failed-to-copy-remote-distributed-modules.md b/docs/kb/auditor/error-failed-to-copy-remote-distributed-modules.md new file mode 100644 index 0000000000..97d5c9dda5 --- /dev/null 
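Review bot: In error-failed-to-check-for-event-log-existence.md, the Resolution covers only the outcome where the Event Viewer test connects successfully; nothing says what a failed connection means or what to do next. The second bullet defers entirely to `http://support.microsoft.com/kb/926642` without saying what change that procedure makes or on which machine. Since the stated Cause is the loopback check, summarise the setting being changed so the reader can assess it before applying it, and use an https link.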
+++ b/docs/kb/auditor/error-failed-to-copy-remote-distributed-modules.md @@ -0,0 +1,48 @@ +--- +description: >- + Explains why Netwrix Auditor Event Log Manager (ELM) reports "Failed to copy + remote distributed modules" when the same server is audited twice and provides + options to resolve duplicate audit logs. +keywords: + - Netwrix Auditor + - Event Log Manager + - ELM + - failed to copy remote distributed modules + - duplicate logs + - OU + - IP range + - monitoring +products: + - auditor +sidebar_label: 'Error: Failed to Copy Remote Distributed Modules' +tags: [] +title: 'Error: Failed to Copy Remote Distributed Modules' +knowledge_article_id: kA0Qk0000001OQ5KAM +--- + +# Error: Failed to Copy Remote Distributed Modules + +## Symptoms + +Both of the following symptoms are present in your Netwrix Auditor Event Log Manager (ELM) environment: + +- The **Health Log** prompts the following error message: + +```registry +Failed to copy remote distributed modules. +Error details: The process cannot access the file because it is being used by another process. +``` + +- ELM is set to audit both a domain OU and the servers within that OU by IP address. + +## Cause + +ELM audits the same server twice. This causes duplicates of the audit logs in the Netwrix Auditor ELM monitoring plan. + +## Resolution + +Refer to one of the following options to resolve the issue: + +- Review the list of monitored computers. Remove the IP ranges and only audit OUs. + +- Review the list of monitored computers. Remove the OU and only audit target IP address ranges. diff --git a/docs/kb/auditor/error-failed-to-load-registry-hive-file-is-used-by-another-process.md b/docs/kb/auditor/error-failed-to-load-registry-hive-file-is-used-by-another-process.md new file mode 100644 index 0000000000..9812b32d30 --- /dev/null +++ b/docs/kb/auditor/error-failed-to-load-registry-hive-file-is-used-by-another-process.md 
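Review bot: In error-failed-to-copy-remote-distributed-modules.md, the Health Log message is fenced with the language tag `registry`, but the content is plain error text; use `text` as the other articles do. The fenced block also sits at column zero between the two Symptoms bullets, which ends the list after the first bullet; indent it under that bullet so both symptoms stay in one list.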
@@ -0,0 +1,92 @@ +--- +description: >- + This article explains why the registry hive load fails with "The process + cannot access the file because it is being used by another process" during + Netwrix Auditor data collection and provides step-by-step resolutions, + including antivirus exclusions and registry/profile fixes. +keywords: + - registry hive + - ntuser.dat + - ProfileList + - SID + - antivirus exclusions + - Netwrix Auditor + - registry permissions + - .bak + - ProfileImagePath +products: + - auditor +sidebar_label: 'Error: Failed to Load Registry Hive—File Is Used b' +tags: [] +title: 'Error: Failed to Load Registry Hive—File Is Used by Another Process' +knowledge_article_id: kA00g000000H9ahCAC +--- + +# Error: Failed to Load Registry Hive—File Is Used by Another Process + +## Symptoms + +The following warning appears during each data collection in the Netwrix Auditor Health Log: + +``` +%timestamp%: %server%: +The Add/Remove Software data provider failed to load the user %SID%.bak registry hive on the computer %server% due to the following error: +The process cannot access the file because it is being used by another process. +``` + +``` +%timestamp%: %server%: +The Add/Remove Software data provider failed to load the user %domain\\user% registry hive on the computer %server% due to the following error: +The process cannot access the %PATH%\ntuser.dat file because it is being used by another process. +``` + +## Causes + +This issue may be caused by one or more of the following factors: + +- A third-party service uses the registry when the user profile is loaded. +- The affected user account is used by services that integrate with an existing application during the user logon/logoff process. +- Antivirus exclusions are incorrectly configured. +- The registry hive or profile list has become corrupt. 
+ +## Resolutions + +Apply one or more of the following solutions to resolve this error: + +- Configure antivirus exclusions in your Netwrix Auditor environment. For details, see the following article: /docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor (Antivirus Exclusions for Netwrix Auditor). + +- Follow these steps if excluding Auditor-related folders did not resolve the issue: + + 1. Review the registry permissions for the affected SID and compare them to an unaffected SID on the same server. The default permissions are **Admin**, **Users**, **Owner (special)**, and **System**—ensure both SIDs have the correct permissions and make adjustments if necessary. Refer to steps 1 and 2 below to verify the permissions. + + 1. Review the list of users in `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\`. + + 2. Right-click the target user and click **Permissions**. + + 2. Check the **ProfileImagePath** for both SIDs (e.g., `SID-2143` and `SID-2143.bak`). This will display the profile path and username. In `SID-2143.bak`, the username is specified as `%Username%.%domain_name%`. Verify the path in `SID-2143`. + + 3. Verify the folder in the **ProfileImagePath** to confirm the unaffected user SID. + + 4. Once confirmed, rename the affected SID to `SID.tmp`. + + > IMPORTANT: Ensure the unaffected SID does not have any extension. + + 5. Log off and log back in to the same server as the affected user to verify that the error is resolved. + +- Follow these steps if the issue remains unresolved: + + 1. Log in to the server as **administrator** via **Remote Desktop Connection**. + + 2. In **Registry Editor**, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`. + + 3. Select the affected `.bak` SID, and navigate to `C:\Users\%affected_username%` specified in **ProfileImagePath**. Note the original profile name, which should contain the affected SID’s settings. + + 4. 
In **Registry Editor**, manually edit the `.bak` SID profile location specified in **ProfileImagePath**. It should reflect the **ProfileImagePath** value for the original unaffected SID. + + 5. Save the changes. + +- Alternatively, you can delete the affected profile. + +## Related Article + +- Antivirus Exclusions for Netwrix Auditor: /docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor diff --git a/docs/kb/auditor/error-feature-you-are-trying-to-use-is-on-network-resource-that-is-unavailable.md b/docs/kb/auditor/error-feature-you-are-trying-to-use-is-on-network-resource-that-is-unavailable.md new file mode 100644 index 0000000000..6d81b95e0b --- /dev/null +++ b/docs/kb/auditor/error-feature-you-are-trying-to-use-is-on-network-resource-that-is-unavailable.md 
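Review bot: In error-failed-to-load-registry-hive-file-is-used-by-another-process.md, the Resolutions rename a SID key under ProfileList, edit ProfileImagePath, and offer deleting the profile, with no prior step to export the ProfileList key or back up the profile folder. Add that as the first step of each procedure. The first procedure is also hard to follow: step 1 says "Refer to steps 1 and 2 below" and is followed by nested steps numbered 1 and 2 inside a list that already has steps 1 and 2; letter the sub-steps. In the second Symptoms block, `%domain\\user%` carries a doubled backslash that will show literally inside a code fence.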
@@ -0,0 +1,101 @@ +--- +description: >- + Describes how to resolve "The feature you are trying to use is on a network + resource that is unavailable" error during installation or uninstallation of a + Netwrix product, including use of the Windows Install and Uninstall + Troubleshooter and a manual fix. +keywords: + - installation error + - network resource unavailable + - MSI + - uninstall + - Windows Install and Uninstall Troubleshooter + - Netwrix Auditor + - extract MSI + - UACoreSvcSetup.msi + - Netwrix.WSA.CompressionService.Setup.msi +products: + - auditor + - activity-monitor +visibility: public +sidebar_label: 'Error: Feature You Are Trying to Use Is on Network' +tags: [] +title: "Error: Feature You Are Trying to Use Is on Network Resource That Is Unavailable" +knowledge_article_id: kA0Qk0000000MoXKAU +--- + +# Error: Feature You Are Trying to Use Is on Network Resource That Is Unavailable + +## Symptom + +A Netwrix product prompts the following error during uninstallation or installation (upgrade): + +```text +The feature you are trying to use is on a network resource that is unavailable. +Click OK to try again, or enter an alternate path to a folder containing the installation package %.msi_file% in the box below. +``` + +## Causes + +- A Windows system keeps a copy of a version-specific installation executable. The operating system (OS) uses it during uninstallation or installation (upgrade). In case no executable is available on the server, the error is prompted. +- The registry entry for the affected Netwrix product is corrupted—no product code or revision number is available for the current product deployment. The OS cannot proceed with the upgrade as corresponding values mismatch. + +## Resolutions + +There are two possible options to troubleshoot the issue—refer to the following two subsections. 
+ +### Windows Install and Uninstall Troubleshooter + +Windows published a dedicated troubleshooting solution to resolve any uninstallation or installation (upgrade) issues related to this error. Refer to the following steps to implement it in your environment: + +1. On the affected server, download and run the Windows Install and Uninstall Troubleshooter. You can download it here: https://support.microsoft.com/en-us/topic/fix-problems-that-block-programs-from-being-installed-or-removed-cca7d1b6-65a9-3d98-426b-e9f927e1eb4d (Fix Problems that Block Programs from Being Installed or Removed · Microsoft). +2. Proceed with the troubleshooter steps: + 1. Click **Next**. + 2. Select **Installing** or **Uninstalling**. + 3. Select the affected program from the list. + 4. Select the suitable option. + +If the affected program is missing from the list, or if the troubleshooter prompts the `Troubleshooting couldn't identify the problem` error, proceed to the next resolution. + +### Manual Fix + +Refer to the following steps to resolve the error: + +1. Establish the current version of the affected Netwrix product. +2. Obtain the version-specific installation executable of the affected product. Open a ticket to request an executable at https://www.netwrix.com/tickets.html#/tickets/open (My Tickets · Netwrix). +3. Extract the installation executable from the archive. +4. When the wizard prompts the original error, link the new source in the **Use source** field. Click **OK** to proceed. + +## Tips + +- In case you link an incorrectly named file, the installation wizard prompts the following error: + + ```text + The path %path_to_.msi% cannot be found + ``` + + Verify the name of the installation file—it should be named as specified in the error prompt. + +- The Netwrix Auditor installation wizard includes both server and client setup files. Refer to the following options to extract the contents: + - Extract the executable contents via Command Prompt. 
Refer to the following article for additional information: /docs/auditor/10.6/auditor/installation (Install Client via Group Policy — Extract MSI File · v10.6). + - Extract the executable contents using 7-Zip or alternative software. Link the folder containing the extracted files to proceed with installation\uninstallation. + +- When you upgrade your Netwrix Auditor instance, you might encounter the error during the service upgrade procedure. Refer to the default locations of the service installation files to provide the version-specific executable: + + User Activity Core Service: + + ```text + C:\Program Files (x86)\Netwrix Auditor\User Activity Video Recording\UACoreSvcSetup.msi + ``` + + Windows Server Compression Service: + + ```text + C:\Program Files (x86)\Netwrix Auditor\Windows Server Auditing\Netwrix.WSA.CompressionService.Setup.msi + ``` + +## Related Articles + +- https://support.microsoft.com/en-us/topic/fix-problems-that-block-programs-from-being-installed-or-removed-cca7d1b6-65a9-3d98-426b-e9f927e1eb4d (Fix Problems that Block Programs from Being Installed or Removed · Microsoft) +- https://www.netwrix.com/tickets.html#/tickets/open (My Tickets · Netwrix) +- /docs/auditor/10.7/auditor/installation (Install Client via Group Policy — Extract MSI File · v10.7) diff --git a/docs/kb/auditor/error-generating-a-report-in-ssrs-http-error-401-unauthorized.md b/docs/kb/auditor/error-generating-a-report-in-ssrs-http-error-401-unauthorized.md new file mode 100644 index 0000000000..240f056836 --- /dev/null +++ b/docs/kb/auditor/error-generating-a-report-in-ssrs-http-error-401-unauthorized.md 
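Review bot: In error-feature-you-are-trying-to-use-is-on-network-resource-that-is-unavailable.md, the Tips section links the Extract MSI File instructions at `/docs/auditor/10.6/auditor/installation` while Related Articles lists the same title at `/docs/auditor/10.7/auditor/installation`; use one version in both places. In the Manual Fix, steps 2 and 3 call the download an "installation executable" that is extracted "from the archive", while the error prompt and step 4 concern an .msi package; say which file the reader should point the wizard at. `installation\uninstallation` in Tips should use a forward slash, and this is the only front matter among the articles shown here that sets `visibility: public`.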
@@ -0,0 +1,123 @@ +--- +description: >- + Describes how to resolve "HTTP Error 401 - Unauthorized" when generating SSRS + reports from Netwrix Auditor, including IE settings, IE Enhanced Security + Configuration, SSRS permissions, Protected Users, Local Intranet settings, and + rebuilding the Reports folder. +keywords: + - SSRS + - HTTP 401 + - Unauthorized + - Netwrix Auditor + - Report Manager + - Internet Explorer + - IE Enhanced Security Configuration + - Protected Users + - Local Intranet +products: + - auditor +sidebar_label: Error Generating a Report in SSRS − HTTP Error 401 +tags: [] +title: "Error Generating a Report in SSRS − HTTP Error 401 − Unauthorized" +knowledge_article_id: kA00g000000H9eACAS +--- + +# Error Generating a Report in SSRS − HTTP Error 401 − Unauthorized + +## Symptom + +You've encountered the following error: + +``` +HTTP Error 401 - Unauthorized. Provide another credentials or change security settings in Internet Explorer. +``` + +## Causes + +- Misconfigured Internet Explorer security settings. +- IE Enhanced Security Configuration enabled on the SQL Server end. +- Incorrect SSRS account permissions. +- SSRS account is included in the Protected Users security group. +- Your SQL Server is not added to the Local Intranet group as a trusted host. +- Your account has insufficient permissions to access the Report Server. + +> IMPORTANT: Unless configured otherwise, SQL Server Reporting Services require NTLM authentication to be enabled to operate. Learn more in Configure Windows Authentication on the Report Server ⸱ Microsoft: https://learn.microsoft.com/en-us/sql/reporting-services/security/configure-windows-authentication-on-the-report-server?view=sql-server-ver16 + +## Resolutions + +- Review the Internet Explorer security settings. + + 1. On the affected server, open **Control Panel** and select **Internet Options**. Alternatively, type **Internet Options** in the **Search** bar. + 2. 
Select the **Security** tab, select the **Internet** zone, and click **Custom level**. + 3. Locate the **User Authentication** subnode, and select the **Automatic logon with current user name and password** option. Click **OK** to save the changes. + +- Disable IE Enhanced Security Configuration. + + 1. Launch **Server Manager**. + 2. In the left pane, click **Local server**. + 3. Click **On** to the right of **IE Enhanced Security Configuration**. + + ![](images/ka0Qk00000031Iv_0EM4u000008LafD.png) + + 4. In the configuration window, switch both **Administrators** and **Users** categories to **Off**. + 5. Click **OK** to save changes. + + ![](images/ka0Qk00000031Iv_0EM4u000008LafI.png) + +- Review your SSRS account permissions. For additional information, refer to: SQL Server Reporting Services: Configure SSRS Account · v10.6 — /docs/auditor/10.6/auditor/requirements + +- Remove the SSRS account from the Protected Users security group. Learn more about Protected Users: Protected Users Security Group ⸱ Microsoft — https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group + +- Add your SQL Server to the Local Intranet group locally on every server used to access SSRS reports via the Netwrix Auditor administrative console. If setting at GPO level, the settings should be **Level 1**. + + 1. In the Run command, open `inetcpl.cpl`. + 2. In the **Security** tab, select the **Local intranet** zone and click the **Sites** button. + 3. Click the **Advanced** button and enter the SQL Server address to add it to the Local Intranet zone. + +- Make sure your account has the **Browser** role assigned. + + 1. Log in to the Report Manager under the administrator account. + 2. Click the three horizontal dots menu for the **Netwrix Auditor** reports folder and click **Manage**. + 3. 
In the left pane, select **Security**, and either click **Edit** next to the corresponding user to select a different role or add a new user by clicking **Add group or user**. + 4. Once you've assigned the **Browser** role to the account, save the changes and try accessing the reports while logged in under your usual account. + +- Rebuild the **Reports** folder. + + 1. In elevated PowerShell, execute the following command to stop the corresponding service: + + ```powershell + Stop-Service -DisplayName "Netwrix Auditor Management Service" + ``` + + 2. Open Report Manager in your browser. + + - You can find the Report Manager URL in your main Netwrix Auditor menu > **Settings** > **Audit Database** tab > **Report Manager URL**. + + 3. In the main SQL Server Reporting Services window, locate the **Netwrix Auditor** folder. + 4. Click the meatball **⸱⸱⸱** button, and select **Delete**. + 5. Follow the path provided: + + ``` + C:\ProgramData\Netwrix Auditor\Reports + ``` + + 6. Delete the contents of the **Reports** folder. + 7. Once deleted, follow the path provided to find the `Reports.zip` archive in the root of the folder: + + ``` + C:\ProgramData\Netwrix Auditor + ``` + + 8. Extract the contents of the **Reports.zip** archive to the `C:\ProgramData\Netwrix Auditor\Reports` folder. + 9. In elevated PowerShell, execute the following command to start the corresponding service: + + ```powershell + Start-Service -DisplayName "Netwrix Auditor Management Service" + ``` + + 10. Wait for about 10 minutes for reports to upload to your Report Manager. You can track the progress by following the Report Manager URL and entering the **Netwrix Auditor** folder. + 11. Once the affected report is uploaded, run the report again. + +## Related articles + +- Netwrix Auditor Settings − Investigations · v10.6 — /docs/auditor/10.6/auditor/admin-guide/settings 
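Review bot: The first resolution, "Review the Internet Explorer security settings", has the reader select the **Internet** zone and enable **Automatic logon with current user name and password**, which lets the browser answer authentication challenges from any site in that zone with the signed-in user's Windows credentials, not only the Report Server. The later resolution that adds the SQL Server to the **Local intranet** zone already gives a narrower way to get integrated authentication, so I would apply the automatic logon setting to that zone instead, or state why the Internet zone is required. The "Disable IE Enhanced Security Configuration" steps switch it off for both **Administrators** and **Users** and never say whether it can be turned back on once the report works. "If setting at GPO level, the settings should be **Level 1**" does not name the policy or say what the value means. Minor: both screenshots have empty alt text (`![](images/...)`), and the error and path fences have no language tag while other articles in this patch use `text`.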
diff --git a/docs/kb/auditor/error-invalid-login-response-in-vmware-monitoring-plan.md b/docs/kb/auditor/error-invalid-login-response-in-vmware-monitoring-plan.md new file mode 100644 index 0000000000..feb16cbe86 --- /dev/null +++ b/docs/kb/auditor/error-invalid-login-response-in-vmware-monitoring-plan.md @@ -0,0 +1,46 @@ +--- +description: >- + Netwrix Auditor may report "Invalid login response from %URL%" for a VMware + monitoring plan. Upgrade Netwrix Auditor to v10.6.12359 or later to resolve + the issue. +keywords: + - Netwrix Auditor + - VMware + - Invalid login response + - Health Log + - monitoring plan + - upgrade + - v10.6.12359 + - snapshot error +products: + - auditor +sidebar_label: 'Error: Invalid Login Response in VMware Monitoring' +tags: [] +title: 'Error: Invalid Login Response in VMware Monitoring Plan' +knowledge_article_id: kA0Qk0000000ZllKAE +--- + +# Error: Invalid Login Response in VMware Monitoring Plan + +## Symptom + +Netwrix Auditor prompts the following error for your VMware monitoring plan in **Health Log**: + +``` +There are errors while creating snapshot. No web api connection available. Reason: Invalid login response from %URL% +``` + +## Cause + +This was a known issue fixed in Netwrix Auditor v10.6.12359 and later versions. + +## Resolution + +1. Upgrade your Netwrix Auditor instance to the latest version. + Download the latest version of Netwrix Auditor from the [Customer Portal · Netwrix 🡥](https://www.netwrix.com/sign_in.html). + Refer to the following article to learn more about the upgrade recommendations: Installation — Upgrade to the Latest Version — v10.6. + +## Related Articles + +- [Customer Portal · Netwrix 🡥](https://www.netwrix.com/sign_in.html) +- Installation — Upgrade to the Latest Version — v10.6 diff --git a/docs/kb/auditor/error-login-failed-cannot-open-database-in-reports.md b/docs/kb/auditor/error-login-failed-cannot-open-database-in-reports.md new file mode 100644 index 0000000000..44acf87f1f --- /dev/null 
+++ b/docs/kb/auditor/error-login-failed-cannot-open-database-in-reports.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Shows how to resolve the "Cannot open database ... The login failed" error + when opening Netwrix Auditor reports by assigning the db_owner role to the + Audit Database Account. +keywords: + - Netwrix Auditor + - SQL Server + - login failed + - db_owner + - Audit Database Account + - reports + - rsProcessingAborted + - rsErrorOpeningConnection +products: + - auditor +sidebar_label: 'Error: Login Failed—Cannot Open Database in Report' +tags: [] +title: 'Error: Login Failed—Cannot Open Database in Reports' +knowledge_article_id: kA00g000000H9Z1CAK +--- + +# Error: Login Failed—Cannot Open Database in Reports + +## Symptom + +When you attempt to open a Netwrix Auditor report, you see the following error: + +```text +An error has occurred during report processing. +(rsProcessingAborted) +Cannot create a connection to data source ‘DS’. +(rsErrorOpeningConnection) +"Cannot open database <%Database_name%> requested by the login. +The login failed. Login failed for user <%User_name%>" +``` + +## Cause + +The Audit Database Account used to connect to SQL Server does not have the required permissions to access the target SQL database `%database_name%.` + +## Resolution + +Verify that the **db_owner** role for the target database is assigned to the default Audit Database Account by following the steps below: + +1. Navigate to **Start > All Programs > Microsoft SQL Server > SQL Server Management Studio**. +2. In the **Object Explorer** pane of SQL Server Management Studio, navigate to **Security > Logins >** ` %Audit_Database_account%`. Right-click the account and select **Properties**. +3. In the **User Mapping** tab, locate the affected database and verify that the **db_owner** role is assigned. Click **OK** to save the changes. 
+ +For additional information on required access rights, refer to the following article: /docs/auditor/10.7/auditor/requirements (Configure Audit Database Account — Requirements for SQL Server to Store Audit Data · v10.7). + +> **IMPORTANT:** If your account lacks the correct permissions to assign the roles, you can run your SSMS instance in the single-user mode. Learn more in https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/start-sql-server-in-single-user-mode?view=sql-server-ver16 (Single-user Mode for SQL Server · Microsoft 🡥). + +## Related Articles + +- /docs/auditor/10.7/auditor/requirements (Configure Audit Database Account — Requirements for SQL Server to Store Audit Data · v10.7) +- https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/start-sql-server-in-single-user-mode?view=sql-server-ver16 (Single-user Mode for SQL Server · Microsoft 🡥) diff --git a/docs/kb/auditor/error-memory-limit-is-reached.md b/docs/kb/auditor/error-memory-limit-is-reached.md new file mode 100644 index 0000000000..b125065366 --- /dev/null +++ b/docs/kb/auditor/error-memory-limit-is-reached.md 
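Review bot: In error-login-failed-cannot-open-database-in-reports.md, the IMPORTANT callout says "you can run your SSMS instance in the single-user mode", but the link it points to is titled "Single-user Mode for SQL Server", so the mode belongs to the SQL Server instance and not to Management Studio; reword the sentence to match the linked article. Single-user mode also means stopping and restarting the instance, which deserves a mention before a reader tries it on a production server. Minor: the Cause puts the period inside the code span (`%database_name%.`), step 2 has a leading space inside the code span for `%Audit_Database_account%`, and the placeholder casing differs between the error text (`%Database_name%`) and the Cause (`%database_name%`).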
@@ -0,0 +1,50 @@ +--- +description: >- + Netwrix Auditor logs Event ID 6316 when the memory limit for the Logs + Collection Service has been reached for a network device monitoring plan. This + article describes the symptom, cause, and steps to resolve the issue. +keywords: + - memory limit + - Event ID 6316 + - Logs Collection Service + - Health Log + - Netwrix Auditor + - resource pool + - hardware requirements + - antivirus exclusions +products: + - auditor +sidebar_label: 'Error: Memory Limit Is Reached' +tags: [] +title: 'Error: Memory Limit Is Reached' +knowledge_article_id: kA0Qk0000001HejKAE +--- + +# Error: Memory Limit Is Reached + +## Symptom + +Netwrix Auditor prompts the following error in the **Health Log** for your network device's monitoring plan: + +```text +Source:Network Devices Audit Service +Event ID:6316 +Computer: %affected_server% +Description:Monitoring plan: %monitoring_plan_name%. +Memory limit for Netwrix Auditor Logs Collection Service is reached. +``` + +## Cause + +The default memory limit has been reached for the process. + +## Resolution + +Increase the resource pool on your Netwrix Auditor server. Refer to the following article for additional information on hardware requirements for different deployment scenarios: /docs/auditor/10.7/auditor/requirements (Requirements — Hardware Requirements · v10.7). + +> **IMPORTANT:** Verify that the antivirus exclusions are in place on your Netwrix Auditor server. Review the following article for recommendations on antivirus exclusions in the Auditor environment: /docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor (Antivirus Exclusions for Netwrix Auditor). + +## Related Articles + +- /docs/auditor/10.7/auditor/requirements (Requirements — Hardware Requirements · v10.7) +- /docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor (Antivirus Exclusions for Netwrix Auditor) 
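Review bot: The antivirus link in the IMPORTANT callout and in Related Articles points to `/docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor` (underscores, no extension), while error-snapshot-saving-process-was-interrupted.md in this same patch links the same article as `/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md`; one of the two is likely a dead link, so align both with the real file name. The Cause ("The default memory limit has been reached for the process.") only restates the event text, and the Resolution ("Increase the resource pool") does not say which resource to increase or what the default limit is; one sentence tying the fix to the Logs Collection Service limit named in Event ID 6316 would make the step actionable.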
diff --git a/docs/kb/auditor/error-netwrix-auditor-for-file-servers-audit-service-terminated-unexpectedly.md b/docs/kb/auditor/error-netwrix-auditor-for-file-servers-audit-service-terminated-unexpectedly.md new file mode 100644 index 0000000000..2e4f759461 --- /dev/null +++ b/docs/kb/auditor/error-netwrix-auditor-for-file-servers-audit-service-terminated-unexpectedly.md 
@@ -0,0 +1,62 @@ +--- +description: >- + Describes how to resolve the "Netwrix Auditor for File Servers Audit Service + terminated unexpectedly" error by removing the FileStorageAuditor working + folder, clearing crash dumps, and upgrading to a newer build. +keywords: + - Netwrix Auditor + - File Servers + - Audit Service + - FileStorageAuditor + - crash + - memory dump + - working folder + - upgrade + - nwcoresvc.exe + - troubleshooting +products: + - auditor +sidebar_label: 'Error: Netwrix Auditor for File Servers Audit Serv' +tags: [] +title: 'Error: Netwrix Auditor for File Servers Audit Service Terminated Unexpectedly' +knowledge_article_id: kA04u000001119zCAA +--- + +# Error: Netwrix Auditor for File Servers Audit Service Terminated Unexpectedly + +## Symptoms + +1. Error message: + +``` +The Netwrix Auditor for File Servers Audit Service terminated unexpectedly +``` + +2. After two restarts it crashes the server + +3. An application log shows the following issues: + +- `nwcoresvc.exe` +- `Netwrix.ADA.EventCollector.exe` +- `Netwrix.O365.AdminAuditLogCollector.exe` +- Application: `Netwrix.ADA.SitServiceUpdater.exe` +- Application: `Netwrix.ADA.BackwardDataAnalyzer.exe` +- `Netwrix.ADA.DirSyncCollector.exe` + +## Resolution + +If you are currently on a 10.5 version and build other than 10950, perform the procedure below. + +1. Stop **Netwrix Auditor for File Servers Audit Service** +2. Find the **FileStorageAuditor** folder in Working Folder and delete it or rename it to **FileStorageAuditor.Old** + +> **TIP:** The default location of Working folder is `C:\ProgramData\Netwrix Auditor`. If it does not appear on the default location you may check it at Netwrix Dashboard: **Health Status** > **Working Folder** > **Open diagnostic logs folder** and go one folder back on the prompted location + +3. Delete the memory dump files from `C:\Windows\Temp\` generated by crashes +4. Upgrade to a new build +5. Start **Netwrix Auditor for File Servers Audit Service** +6. 
Run a **Data Collection** by selecting update on the monitoring plan + +## Related articles + +- [How to Upgrade Netwrix Auditor](/docs/kb/auditor/how-to-upgrade-netwrix-auditor.md) diff --git a/docs/kb/auditor/error-netwrix-auditor-looks-up-additional-system-components-and-updates-required-for-monitoring.md b/docs/kb/auditor/error-netwrix-auditor-looks-up-additional-system-components-and-updates-required-for-monitoring.md new file mode 100644 index 0000000000..2bb4878d00 --- /dev/null +++ b/docs/kb/auditor/error-netwrix-auditor-looks-up-additional-system-components-and-updates-required-for-monitoring.md @@ -0,0 +1,42 @@ +--- +description: >- + When configuring Oracle monitoring in Netwrix Auditor, you may see an error + indicating additional system components and updates are required. This article + explains the cause and how to resolve it. +keywords: + - Netwrix Auditor + - Oracle Instant Client + - Oracle monitoring + - error message + - Software Requirements + - Windows x64 + - troubleshooting +products: + - auditor +sidebar_label: 'Error: Netwrix Auditor Looks Up Additional System ' +tags: [] +title: "Error: Netwrix Auditor Looks Up Additional System Components and Updates Required for Monitoring" +knowledge_article_id: kA0Qk0000001JYTKA2 +--- + +# Error: Netwrix Auditor Looks Up Additional System Components and Updates Required for Monitoring + +## Symptom + +When you set up an Oracle monitoring plan in Netwrix Auditor, the following error message appears: + +``` +Netwrix Auditor looks up additional system components and updates that are required for monitoring. +``` + +## Cause + +The required software Oracle Instant Client for Microsoft Windows x64 is missing. + +## Resolution + +Verify that the Oracle Instant Client is installed in your environment. Refer to the following article: Software Requirements · v10.7. + +## Related Articles + +- Software Requirements · v10.7 
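Review bot: In error-netwrix-auditor-looks-up-additional-system-components-and-updates-required-for-monitoring.md, the Resolution and the Related Articles entry both cite "Software Requirements · v10.7" as plain text with no link target, so the reader has nowhere to go; add the path the way the other articles in this patch do. The `sidebar_label` value ends in a trailing space after "System", which suggests it was cut at a fixed length; shorten it deliberately instead. The Resolution could also repeat the exact component from the Cause (Oracle Instant Client for Microsoft Windows x64) so the bitness requirement is not lost.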
diff --git a/docs/kb/auditor/error-no-connection-could-be-made.md b/docs/kb/auditor/error-no-connection-could-be-made.md new file mode 100644 index 0000000000..a88b9f63b3 --- /dev/null +++ b/docs/kb/auditor/error-no-connection-could-be-made.md @@ -0,0 +1,39 @@ +--- +description: >- + Explains how to resolve the "No connection could be made" error in the + Help-Desk portal caused by mismatched web portal and administrative console + versions, and provides a link to download the latest builds. +keywords: + - No connection could be made + - SocketException + - Help-Desk portal + - web portal + - administrative console + - Account Lockout Examiner + - Netwrix + - connection refused + - '127.0.0.1:20345' +products: + - auditor +sidebar_label: 'Error: "No connection could be made"' +tags: [] +title: 'Error: "No connection could be made"' +knowledge_article_id: kA00g000000H9TsCAK +--- + +# Error: "No connection could be made" + +I get the following error in the **Help-Desk portal**: + +``` +"System.Net.Sockets.SecketException: No connection could be made because the target machine actively refused it 127.0.0.1:20345" +``` + +## Cause + +This usually happens when the versions of the product web portal and the administrative console do not match. + +## Resolution + +1. Make sure that the versions of the web portal and the administrative console match. +2. If they do not match, or to ensure you have the latest fixes, download and install the latest versions of both the console and the web portal from here: [http://www.netwrix.com/account_lockout_examiner.html](https://www.netwrix.com/account_lockout_examiner.html) diff --git a/docs/kb/auditor/error-no-more-threads.md b/docs/kb/auditor/error-no-more-threads.md new file mode 100644 index 0000000000..8efd3d2f08 --- /dev/null +++ b/docs/kb/auditor/error-no-more-threads.md 
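Review bot: In error-no-connection-could-be-made.md, the quoted error reads `System.Net.Sockets.SecketException`, while the keywords list has `SocketException`; if the misspelling is not in the product's real output it should be corrected, since readers search for this article by pasting the error string. The opening line is written in the first person ("I get the following error") and there is no Symptom heading, unlike the Cause and Resolution sections below it. In step 2 the link text shows an `http://` URL while the target is `https://`; use the same URL for both.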
@@ -0,0 +1,34 @@ +--- +description: >- + Shows how to resolve the "No more threads..." connection error from NetWrix + Account Lockout Examiner by restarting the WMI service on the target domain + controller. +keywords: + - NetWrix + - account lockout + - WMI + - Windows Management Instrumentation Service + - services.msc + - RDP + - domain controller + - No more threads +products: + - auditor +sidebar_label: 'Error: No more threads' +tags: [] +title: 'Error: No more threads' +knowledge_article_id: kA00g000000H9T8CAK +--- + +# Error: No more threads + +NetWrix Account Lockout Examiner returns the following error in the connection status of the monitored domain controller: "No more threads..." + +To fix the issue, restart the **WMI service** on the **target domain controller**. To do this, perform the following steps: + +1. Connect to the target domain controller via **Remote Desktop Connection** (RDP). +2. Start the **Services snap-in** (navigate to Start → Run and type `services.msc`). +3. Locate the **Windows Management Instrumentation Service** in the list. +4. Right-click this service and select **Restart** from the popup menu. + +![User-added image](images/ka04u000000HcMv_0EM700000004wr9.png) diff --git a/docs/kb/auditor/error-request-operation-timeout.md b/docs/kb/auditor/error-request-operation-timeout.md new file mode 100644 index 0000000000..113c59bb5f --- /dev/null +++ b/docs/kb/auditor/error-request-operation-timeout.md 
@@ -0,0 +1,63 @@ +--- +description: >- + If you receive a "request timeout" error when launching or using Netwrix + Account Lockout Examiner, follow these steps to change log collection, disable + workstation invalid-logon searches, or limit monitoring to the PDC to resolve + the issue. +keywords: + - request timeout + - timeout error + - Account Lockout Examiner + - Netwrix + - registry + - UseWatcher + - PF_Enabled + - PDC + - invalid logon +products: + - auditor +sidebar_label: 'Error: Request operation timeout' +tags: [] +title: 'Error: Request operation timeout' +knowledge_article_id: kA00g000000H9bxCAC +--- + +# Error: Request operation timeout + +You receive the "request timeout" error message when you launch the Netwrix Account Lockout Examiner console or some time after. + +![User-added image](images/ka04u000000HcUi_0EM700000004xfn.png) + +--- + +The issue occurs when the Account Lockout Examiner service is busy and is not able to respond to any requests. It might happen if Account Lockout Examiner is set to monitor all domain controllers and there are a lot of failed logon events to process tracked from every domain controller, or when domain controllers and workstations have a slow connection to the Account Lockout Examiner server (for example located in a remote office). + +--- + +In order to resolve the issue perform the following steps on the Account Lockout Examiner machine: + +1. Change the method of collecting logs: + a. Run Registry Editor (`Start - Run - regedit`) + b. Navigate to `HKLMSoftware[Wow6432Node]NetWrixAccount Lockout Examiner (Wow6432Node only for x64 OS)` + c. Set `readlog` to `0` + d. Create a DWORD called `UseWatcher` with the value of `1` + e. Set `invLogonKeepTime` to `10 decimal` + f. Set `invLogonCleaningPeriod` to `10 decimal` + g. Restart the NetWrix Account Lockout Examiner service + + ![User-added image](images/ka04u000000HcUi_0EM700000004xfx.png) + +2. 
If the above does not help, disable searching of invalid logons on workstations. This will reduce the service load. + a. Run Registry Editor (`Start - Run - regedit`) + b. Navigate to `HKLMSoftware[Wow6432Node]NetWrixAccount Lockout Examiner (Wow6432Node only for x64 OS)` + c. Create a DWORD called `PF_Enabled` with the value of `0` + d. Restart the NetWrix Account Lockout Examiner service + + ![User-added image](images/ka04u000000HcUi_0EM700000004xg2.png) + +3. If all of the registry settings did not address the issue set Account Lockout Examiner to monitor the PDC only: + a. In Netwrix Account Lockout Examiner navigate to **File > Settings > Managed Objects**. + b. Select your domain and click **Edit**. + c. Select the **Only PDC emulator** radio button and click **OK** to save the changes. + + ![User-added image](images/ka04u000000HcUi_0EM700000004xg7.png) diff --git a/docs/kb/auditor/error-saving-current-vmware-virtual-center-snapshot-permission-to-perform-this-operation-was-denied.md b/docs/kb/auditor/error-saving-current-vmware-virtual-center-snapshot-permission-to-perform-this-operation-was-denied.md new file mode 100644 index 0000000000..82a98b8c50 --- /dev/null +++ b/docs/kb/auditor/error-saving-current-vmware-virtual-center-snapshot-permission-to-perform-this-operation-was-denied.md 
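Review bot: In error-request-operation-timeout.md, the registry path in steps 1b and 2b reads `HKLMSoftware[Wow6432Node]NetWrixAccount Lockout Examiner (Wow6432Node only for x64 OS)`: the backslashes are missing and the explanatory parenthetical sits inside the code span, so the path cannot be followed in Registry Editor as written. Other articles in this patch keep their backslashes (for example `C:\ProgramData\Netwrix Auditor\Reports`), so this looks like a conversion loss to repair in the source. Steps 1e and 1f put the word "decimal" inside the value (`10 decimal`); move it outside the code span so it reads as the base and not as part of the value, and state the value type for `readlog`, `invLogonKeepTime` and `invLogonCleaningPeriod` as is done for the two DWORDs. The lettered sub-steps use `a.` markers, which Markdown does not treat as list items, so they may render as a single paragraph; nested numbered items would be safer. The three sections separated by `---` would also read better under Symptom, Cause and Resolution headings like the rest of the patch.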
@@ -0,0 +1,43 @@ +--- +description: >- + Collections fail with an error indicating insufficient permissions when + Netwrix Auditor attempts to save a VMware Virtual Center snapshot. This + article explains the required permissions and steps to grant Read-only access. +keywords: + - vmware + - virtual center + - snapshot + - permissions + - read-only + - vSphere + - Connect As + - Netwrix Auditor + - Managed Object Browser +products: + - auditor +sidebar_label: Error saving current VMware Virtual Center snapsho +tags: [] +title: "Error saving current VMware Virtual Center snapshot: Permission to perform this operation was denied" +knowledge_article_id: kA00g000000H9aQCAS +--- + +# Error saving current VMware Virtual Center snapshot: Permission to perform this operation was denied + +## Symptoms + +Collections fail with the following error: `Error saving current VMware Virtual Center snapshot Permission to perform this operation was denied` + +## Cause + +There are not enough permissions for the **Connect As** account specified in the product configuration to read the Managed Object Browser of the Virtual Center Server or ESXi host specified. + +This can occur when the account configured in Netwrix Auditor does not have sufficient privileges to browse the vSphere inventory. + +## Resolution + +The **Connect As** account must have at least **Read-only** access at the datacenter level if monitoring a VC or at the host level if monitoring only a host. + +1) To assign this permissions right click the proper node of the vSphere hierarchy and select **Add Permission**. +2) On the right hand side of the **Add Permissions** window you will have a list of **Assigned Roles**. Select the **Read-Only role**. +3) On the left hand side you will see **Users and Groups**. Click the **Add** button. +4) Type in the **account name** that you would like to give Read-Only permissions and hit **Okay**. 
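Review bot: The Symptoms line runs the two parts of the error together ("Error saving current VMware Virtual Center snapshot Permission to perform this operation was denied") while the title separates them with a colon; quote the message exactly as the product prints it. The Resolution steps use `1)` to `4)` numbering where the other articles in this patch use `1.`, step 1 reads "To assign this permissions right click the proper node" (suggest "To assign these permissions, right-click the relevant node"), and step 4 ends with "hit **Okay**" where the rest of the patch uses **OK**. The `sidebar_label` is cut off at "snapsho", so the sidebar will show a truncated word. The least-privilege scoping in the Resolution (Read-only at the datacenter level for a VC, at the host level for a single host) is worth keeping exactly as stated.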
diff --git a/docs/kb/auditor/error-scale-out-deployment-is-not-supported-in-this-edition-of-reporting-services.md b/docs/kb/auditor/error-scale-out-deployment-is-not-supported-in-this-edition-of-reporting-services.md new file mode 100644 index 0000000000..f99ebff0fa --- /dev/null +++ b/docs/kb/auditor/error-scale-out-deployment-is-not-supported-in-this-edition-of-reporting-services.md 
@@ -0,0 +1,55 @@ +--- +description: >- + After migrating SQL Server or restoring the Report Server encryption key, + Reporting Services may throw an rsOperationNotSupported error about "Scale-out + deployment." This article explains the cause and gives steps to remove old + encryption key entries from the Report Server database. +keywords: + - Scale-out deployment + - Reporting Services + - SQL Server + - encryption key + - Report Server Configuration Manager + - rsOperationNotSupported + - Keys table + - DELETE statement +products: + - auditor +sidebar_label: 'Error: "Scale-out Deployment" Is Not Supported in This Edition of Reporting Services' +tags: [] +title: 'Error: "Scale-out Deployment" Is Not Supported in This Edition of Reporting Services' +knowledge_article_id: kA0Qk0000000WntKAE +--- + +# Error: "Scale-out Deployment" Is Not Supported in This Edition of Reporting Services + +## Symptom + +After migration to a new SQL Server instance or backup/restore of the SQL Server encryption key, the following error appears in the **SQL Server Reporting Services Manager** + +``` +The feature: “Scale-out deployment” is not supported in this edition of Reporting Services. (rsOperationNotSupported) +``` + +## Cause + +This error indicates that the restored key corresponds to the previous server, leading your Reporting Server instance to perceive itself as part of a multi-server deployment, which is not supported in the standard edition of Reporting Services. + +## Resolution + +To resolve the issue, check the servers currently in use and remove the encryption key of the old server: + +1. Open the **Report Server Configuration Manager**. +2. Navigate to the **Scale-out deployment** tab. +3. Review your current configuration for any old servers. +4. Navigate to your Report Server database and check the [Keys] table. Delete the extra entries with the following statement: + +```sql +DELETE from dbo.Keys WHERE MachineName='X' +``` + +where `'X'` is your old server name. 
+ +### Related Articles: + +- [The feature: "Scale-out deployment" is not supported in this edition of Reporting Services ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/answers/questions/653685/the-feature-scale-out-deployment-is-not-supported) diff --git a/docs/kb/auditor/error-service-did-not-respond-to-start-or-control-request-in-ssrs.md b/docs/kb/auditor/error-service-did-not-respond-to-start-or-control-request-in-ssrs.md new file mode 100644 index 0000000000..0f0c958c0b --- /dev/null +++ b/docs/kb/auditor/error-service-did-not-respond-to-start-or-control-request-in-ssrs.md 
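Review bot: In error-scale-out-deployment-is-not-supported-in-this-edition-of-reporting-services.md, step 4 goes straight to `DELETE from dbo.Keys WHERE MachineName='X'` against the Report Server database with no backup and no prior look at the table. Since the article itself says these rows are encryption keys, I would add a step to back up the database and the encryption key first, and a step to list the rows so the reader confirms the old server name before deleting anything. The explanation "where 'X' is your old server name" falls outside the numbered list, and the statement would be clearer as `DELETE FROM dbo.Keys WHERE MachineName = 'X';`. Minor: the Symptom sentence has no closing punctuation before the fence, and the heading `### Related Articles:` differs in level and punctuation from the `## Related Articles` used in the other files.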
@@ -0,0 +1,80 @@ +--- +description: >- + This article describes symptoms, cause, and resolutions for Error 1053 when + the SQL Server Reporting Services (SSRS) service fails to start on a Netwrix + Auditor server. It explains how to identify SSRS corruption and how to repair + or reinstall SSRS to resolve the issue. +keywords: + - SSRS + - SQL Server Reporting Services + - Error 1053 + - service did not respond + - Netwrix Auditor + - web.config + - rssrvpolicy.config + - RSPortal.exe.config + - ReportServer +products: + - auditor +sidebar_label: 'Error: Service Did Not Respond to Start or Control' +tags: [] +title: 'Error: Service Did Not Respond to Start or Control Request in SSRS' +knowledge_article_id: kA0Qk0000001PE5KAM +--- + +# Error: Service Did Not Respond to Start or Control Request in SSRS + +## Symptoms + +The following symptoms affect your Netwrix Auditor and SQL Server Reporting Services (SSRS) server: + +- When you attempt to run reports via the Auditor console, you see the following message: + +```text +Can't reach this page. +``` + +- The `SQL Server Reporting Services` service fails to start and displays error 1053: + +```text +Error 1053: The service did not respond to the start or control request in a timely fashion. +``` + +- The SSRS log files located in `C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\LogFiles` contain the following error: + +```text +System.IO.FileLoadException: Could not load file or assembly '%name%' or one of its dependencies. +The located assembly's manifest definition does not match the assembly reference. +(Exception from HRESULT: 0x80131040) +``` + +## Cause + +Your SSRS instance is corrupted. 
+ +> **NOTE:** In some cases of SSRS corruption, the following SSRS files are blank or contain illegible symbols: +> +> ```text +> C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\web.config +> ``` +> +> ```text +> C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\rssrvpolicy.config +> ``` +> +> ```text +> C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\Portal\RSPortal.exe.config +> ``` + +## Resolutions + +Apply one of the following options to resolve the issue: + +- Repair the SSRS instance. + + 1. In **Programs and Features**, select **Microsoft SQL Server Reporting Services** and click **Uninstall/Change**. + 2. In the new window, select **Repair** and proceed with the prompted steps. + +- Uninstall SQL Server Reporting Services and install the application on the Auditor server. + + > **IMPORTANT:** This resolution applies only to SQL Server Standard and Enterprise editions. diff --git a/docs/kb/auditor/error-size-of-collected-data-files-exceeded-limit-in-logon-activity-monitoring-plan.md b/docs/kb/auditor/error-size-of-collected-data-files-exceeded-limit-in-logon-activity-monitoring-plan.md new file mode 100644 index 0000000000..a9e20b8b2b --- /dev/null +++ b/docs/kb/auditor/error-size-of-collected-data-files-exceeded-limit-in-logon-activity-monitoring-plan.md 
@@ -0,0 +1,39 @@ +--- +description: >- + You may see this Health Log error for a Logon Activity monitoring plan when + collected data exceeds size limits. Upgrade Netwrix Auditor to `v10.6.12359` + or later to resolve the issue. +keywords: + - Netwrix Auditor + - Logon Activity + - Event ID 5004 + - Health Log + - data collection + - file size limit + - monitoring plan + - upgrade +products: + - auditor +sidebar_label: 'Error: Size of Collected Data Files Exceeded Limit' +tags: [] +title: "Error: Size of Collected Data Files Exceeded Limit in Logon Activity Monitoring Plan" +knowledge_article_id: kA04u000001112ZCAQ +--- + +# Error: Size of Collected Data Files Exceeded Limit in Logon Activity Monitoring Plan + +## Symptom + +Netwrix Auditor prompts the following error in the Health Log for your Logon Activity monitoring plan: + +```text +Source:Active Directory Logon Activity Audit Service +Event ID:5004 +Description:Monitoring plan: %Logon_Activity_monitoring_plan_name% + +Data collection has failed. Error: The size of collected data files exceeded the limit. Some information has been lost. +``` + +## Resolution + +Upgrade your Netwrix Auditor instance to `v10.6.12359` and later. Download the executable from [My Products · Netwrix 🤝](https://www.netwrix.com/my_products.html). diff --git a/docs/kb/auditor/error-snapshot-saving-process-was-interrupted.md b/docs/kb/auditor/error-snapshot-saving-process-was-interrupted.md new file mode 100644 index 0000000000..6e24a550cf --- /dev/null +++ b/docs/kb/auditor/error-snapshot-saving-process-was-interrupted.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Explains the cause and resolution of the "Snapshot saving process was + interrupted" error when collecting snapshot files in Netwrix Auditor, and + recommends adding antivirus exclusions. +keywords: + - snapshot saving + - snapshot + - antivirus exclusions + - EDR + - XDR + - File Storage Audit Service + - Netwrix Auditor + - data collection + - snapshot files +products: + - auditor +sidebar_label: 'Error: Snapshot Saving Process Was Interrupted' +tags: [] +title: 'Error: Snapshot Saving Process Was Interrupted' +knowledge_article_id: kA0Qk0000001LdVKAU +--- + +# Error: Snapshot Saving Process Was Interrupted + +## Symptom + +You receive the following error message while collecting snapshot files: + +```text +Source:File Storage Audit Service + +An error has occurred during the data processing: Snapshot saving process was interrupted. +Some snapshot files failed to be updated and are non-consistent. +Data collection will be performed as initial. . +``` + +## Cause + +An antivirus or EDR/XDR solution in your environment affects the operation of your Netwrix Auditor instance. + +## Resolution + +Add antivirus exclusions to both your Netwrix Auditor monitoring plan and to targets by referring to the following article: [Antivirus Exclusions for Netwrix Auditor](/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md). + +## Related Articles + +- [Antivirus Exclusions for Netwrix Auditor](/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md) diff --git a/docs/kb/auditor/error-sql-error-invalid-class.md b/docs/kb/auditor/error-sql-error-invalid-class.md new file mode 100644 index 0000000000..77deed1343 --- /dev/null +++ b/docs/kb/auditor/error-sql-error-invalid-class.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Shows how to resolve the "Invalid class" error when running the Report + Configuration Wizard by compiling the SQL Server MOF provider with mofcomp. +keywords: + - Invalid class + - mofcomp + - sqlmgmproviderxpsp2up.mof + - SQL Server 2012 + - SQL Server 2008 + - MOF Compiler + - Report Configuration Wizard + - Netwrix Auditor +products: + - auditor +sidebar_label: 'ERROR: SQL Error: invalid class' +tags: [] +title: 'ERROR: SQL Error: invalid class' +knowledge_article_id: kA00g000000H9XbCAK +--- + +# ERROR: SQL Error: invalid class + +When you run the Report Configuration Wizard you receive the following error message: "Invalid class." + +--- + +1. Open the following folder for the SQL Server 2012: `"C:ProgramFiles(x86)MicrosoftSQLServer110Shared"` + (Open the following folder for the SQL Server 2008: `"C:Program Files (x86)Microsoft SQL Server100Shared"`) + +2. then run: `mofcomp sqlmgmproviderxpsp2up.mof` + +3. This should give an output like this: + +``` +C:Windowssystem32>cd "C:Program Files (x86)Microsoft SQL Server110Shared" + +C:Program Files (x86)Microsoft SQL Server120Shared>mofcomp sqlmgmproviderxpsp2up.mof +Microsoft (R) MOF Compiler Version 6.1.7600.16385 +Copyright (c) Microsoft Corp. 1997-2006. All rights reserved. +Parsing MOF file: sqlmgmproviderxpsp2up.mof +MOF file has been successfully parsed +Storing data in the repository... +Done! +``` diff --git a/docs/kb/auditor/error-the-maximum-password-age-is-not-set.md b/docs/kb/auditor/error-the-maximum-password-age-is-not-set.md new file mode 100644 index 0000000000..9b2b01219c --- /dev/null +++ b/docs/kb/auditor/error-the-maximum-password-age-is-not-set.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Shows how to resolve the error when Netwrix Password Reset cannot determine + the Maximum Password Age and cannot send password expiration notifications. +keywords: + - Maximum Password Age + - password expiration + - Netwrix Password Reset + - Fine Grained Password Policy + - Group Policy Management + - gpupdate + - PEN +products: + - auditor +sidebar_label: 'Error: The "Maximum Password Age" is not set' +tags: [] +title: 'Error: The "Maximum Password Age" is not set' +knowledge_article_id: kA00g000000H9bLCAS +--- + +# Error: The "Maximum Password Age" is not set + +Netwrix Password Reset returns the following error instead of sending notifications: + +``` +Failed to obtain password expiration settings for the domain. The "Maximum Password Age" setting is not specified for the domain. +``` + +Netwrix Password Reset uses the Maximum Password Age value from the Password policy to determine the password expiration date. If the Maximum Password Age is not defined or set to 0 (for example, in the case of a Fine Grained password policy in the domain), then Netwrix Password Reset is not able to determine the password expiration date and returns the above error. Netwrix Password Reset is not able to work in mixed mode; it can either use the default general Maximum Password Age policy, or a Fine Grained policy. + +--- + +There are two ways to solve this issue: + +1. Enable the **Only report users with Fine Grained Policy settings** option in the Netwrix Password Reset (PEN) monitoring plan. Note that this will make the product only report users who are affected by Fine Grained policies and ignore those who are not. +2. Configure the Maximum Password Age policy in the domain. + +To set the Maximum Password Age policy for the domain: + +1. Launch **Group Policy Management** +2. Edit the appropriate GPO (for example, Default Domain Policy) +3. 
Navigate to **Computer Configuration - Policies - Windows settings - Security settings - Account policies - Password policies** +4. In the right pane define the **Maximum password age** value +5. Update policies, for example run `gpupdate /force` + +![User-added image](images/ka04u000000HcU6_0EM7000000054Ba.png) diff --git a/docs/kb/auditor/error-the-new-task-has-been-created-but-may-not-run-because-of-an-error-exception-from-hresult-0x800.md b/docs/kb/auditor/error-the-new-task-has-been-created-but-may-not-run-because-of-an-error-exception-from-hresult-0x800.md new file mode 100644 index 0000000000..dd486bc465 --- /dev/null +++ b/docs/kb/auditor/error-the-new-task-has-been-created-but-may-not-run-because-of-an-error-exception-from-hresult-0x800.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Explains how to resolve the scheduled task logon session error 0x80070520 by + disabling the Windows policy that prevents storing credentials on the affected + computer. +keywords: + - 2147943712 + - scheduled task + - Network access + - store credentials + - Netwrix Auditor + - rsop.msc + - Resultant Set of Policy +products: + - auditor +sidebar_label: 'Error: "The new task has been created but may not ' +tags: [] +title: "Error: "The new task has been created but may not run because of an error:" Exception from HRESULT: 0x80070520."" +knowledge_article_id: kA00g000000H9ZBCA0 +--- + +# Error: "The new task has been created but may not run because of an error: Exception from HRESULT: 0x80070520." + +## Problem + +The Netwrix Auditor scheduled task does not start and the following error occurs: + +**"The new task has been created but may not run because of an error: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)."** + +--- + +## Cause + +The "**Network access: Do not allow storage of credentials or .NET Passports for network authentication**" policy does not allow to store passwords and credentials in the Netwrix Auditor scheduled task. + +--- + +## Resolution + +Disable the "**Network access: Do not allow storage of passwords and credentials for network authentication**" policy on the computer where this issue appears. + +To disable the policy, please perform the following steps: + +1. Select **Start -> Run** and type `rsop.msc`. +2. In the Resultant Set of Policy dialog, navigate to **Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options**. +3. Select the policy on the right and change the Source GPO accordingly. diff --git a/docs/kb/auditor/error-the-pipe-endpoint-cannot-be-found.md b/docs/kb/auditor/error-the-pipe-endpoint-cannot-be-found.md new file mode 100644 index 0000000000..0a0dd27514 --- /dev/null 
+++ b/docs/kb/auditor/error-the-pipe-endpoint-cannot-be-found.md @@ -0,0 +1,37 @@ +--- +description: >- + You receive the "pipe endpoint cannot be found" error when launching the + console or after some time; this article explains the cause and how to resolve + it by checking the Netwrix Account Lockout Examiner service and updating the + product. +keywords: + - pipe endpoint + - Account Lockout Examiner + - service + - console error + - Netwrix + - restart service + - update +products: + - auditor +sidebar_label: 'Error: The pipe endpoint cannot be found' +tags: [] +title: 'Error: The pipe endpoint cannot be found' +knowledge_article_id: kA00g000000H9c4CAC +--- + +# Error: The pipe endpoint cannot be found + +You get the "pipe endpoint cannot be found" error when you launch the console, or after some time after launching it. + +![User-added image](images/ka04u000000HcUp_0EM700000004xfs.png) + +The issue occurs when the Account Lockout Examiner does not start or crashes. + +## Resolution + +To resolve the issue please make sure that the Netwrix Account Lockout Examiner service is started, restart it if necessary and re-run the console. + +If the issue persists, please make sure that you are running the latest version of Account Lockout Examiner: + +https://www.netwrix.com/account_lockout_examiner.html diff --git a/docs/kb/auditor/error-the-remote-procedure-call-failed.md b/docs/kb/auditor/error-the-remote-procedure-call-failed.md new file mode 100644 index 0000000000..646cb41f3c --- /dev/null +++ b/docs/kb/auditor/error-the-remote-procedure-call-failed.md 
@@ -0,0 +1,47 @@ +--- +description: >- + When a monitoring plan health log shows Event ID 5004 with "The remote + procedure call failed", follow these troubleshooting steps to determine + whether ports, antivirus/EDR, or resource issues on the target system are + causing the failure. +keywords: + - remote procedure call failed + - Event ID 5004 + - Health Log + - monitoring plan + - Netwrix Auditor + - ports + - antivirus exclusions + - Logon Activity +products: + - auditor +sidebar_label: 'Error: The Remote Procedure Call Failed' +tags: [] +title: 'Error: The Remote Procedure Call Failed' +knowledge_article_id: kA04u000000wnofCAA +--- + +# Error: The Remote Procedure Call Failed + +## Symptom + +You see the following error in Health Log for a monitoring plan: + +``` +Event ID:5004 +Data collection has failed. Error: The remote procedure call failed. +``` + +## Cause + +The "Remote procedure call failed" error can have a number of root causes such as a closed port, Antivirus or EDR software, resource availability on the target system, etc. + +## Resolution + +Depending on the error cause, follow the resolution steps below: + +1. Make sure you have all required ports opened. For additional information on configuring ports for Netwrix Auditor, refer to the following article: /docs/auditor/10.6/auditor/requirements (Requirements — Protocols and Ports Required — v10.6). +2. Review your Antivirus exclusions. For additional information on required exclusions for your antivirus, refer to the following article: /docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor (Antivirus Exclusions for Netwrix Auditor). +3. 
If the issue occurs during Logon Activity data collection, try to follow the steps in these articles: + - /docs/kb/auditor/system_cannot_find_the_path_specified_in_logon_activity_monitoring_plan (System Cannot Find the Path Specified in Logon Activity Monitoring Plan) + - /docs/kb/auditor/error_size_of_collected_data_files_exceeded_limit_in_logon_activity_monitoring_plan (Size of Collected Data Files Exceeded Limit in Logon Activity Monitoring Plan) diff --git a/docs/kb/auditor/error-user-activity-core-service-has-been-already-launched.md b/docs/kb/auditor/error-user-activity-core-service-has-been-already-launched.md new file mode 100644 index 0000000000..31339a39f9 --- /dev/null +++ b/docs/kb/auditor/error-user-activity-core-service-has-been-already-launched.md 
@@ -0,0 +1,102 @@ +--- +description: >- + This article explains why the Netwrix Auditor User Activity Core Service shows + as already launched and a monitored server appears as Duplicate, and provides + step-by-step instructions to resolve the issue by removing duplicate agent + entries and reinstalling the Core Service. +keywords: + - Netwrix Auditor + - User Activity + - Core Service + - Duplicate status + - UniqID + - Agents.xml + - NwUserActivitySvc + - monitoring plan +products: + - auditor +sidebar_label: 'Error: User Activity Core Service Has Been Already' +tags: [] +title: 'Error: User Activity Core Service Has Been Already Launched' +knowledge_article_id: kA04u0000011167CAA +--- + +# Error: User Activity Core Service Has Been Already Launched + +## Symptoms + +The following symptoms are present in your Netwrix Auditor environment: + +- Auditor prompts the following error in Health Log for your User Activity monitoring plan: + +```text +Source: User Activity Audit Service +Event ID: 2001 +The Netwrix Auditor User Activity Core Service has been already launched on this computer. +The computer is included in this or another monitoring plan +``` + +- The list of monitored computers in your User Activity monitoring plan states the **Duplicate** status for one or multiple servers. + +![Duplicate status screenshot](images/ka0Qk0000004pqL_0EM4u000008M4JN.png) + +- No monitoring data is available for the **Duplicate** servers. + +## Causes + +- The affected server is monitored by two separate monitoring plans. + +> IMPORTANT: After performing the troubleshooting steps, make sure the server is included in a single User Activity plan. + +- The affected server was previously monitored by a different monitoring plan, and it is now being added to a new monitoring plan. + +## Resolution + +Refer to the following steps to resolve the issue: + +1. Remove the affected server from all existing User Activity monitoring plans. 
Allow Netwrix Auditor to uninstall the User Activity Core Service—in the monitoring plan screen, click **Edit Data Source** > **Monitored Computers** to track the Core Service status. + + > IMPORTANT: Verify the Netwrix Auditor User Activity Core Service is uninstalled on the affected server—review the list of installed apps on the server and uninstall, if still present. + +2. On the Auditor host, run the following line in an elevated PowerShell instance to stop the User Activity service: + +```powershell +Stop-Service -Name "NwUserActivitySvc" +``` + +3. On the affected server, start the Registry Editor and locate the following key: + +```registry +Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix\User Activity Video Reporter Agent +``` + + ![Registry key screenshot](images/ka0Qk0000004pqL_0EM4u000008M4JS.png) + + Locate the `UniqID` value. Copy the value data and refer to it in the future steps—right-click the key and select **Modify...**. Once you copy the value, delete the `UniqID` value. + +4. On the Auditor host, proceed to the following path to locate the `Agents.xml` document: + +```text +%Working_Folder%\User Activity Video Reporter\Agents.xml +``` + + Refer to the following default Working Folder path: + +```text +%ProgramData%\Netwrix Auditor\ +``` + +5. Open the `Agents.xml` document in a text editor. Locate the node containing the `UniqID` value copied from the affected server. Delete the parent node containing the `UniqID` value and save the changes. + +6. On the Auditor host, run the following line in an elevated PowerShell instance to start the User Activity service: + +```powershell +Start-Service -Name "NwUserActivitySvc" +``` + +7. Re-add the affected server to your User Activity monitoring plan. Allow Netwrix Auditor some time to install the Core Service and verify the new `UniqID` value is created by comparing it to the previously copied value. 
+ +## Related articles + +- Uninstall Netwrix Auditor — Delete Netwrix Auditor User Activity Core Service · v10.7 + /docs/auditor/10.7/auditor/installation diff --git a/docs/kb/auditor/error-when-applying-new-wildcard-certificate-to-ssrs-the-specified-url-was-unexpectedly-reserved.md b/docs/kb/auditor/error-when-applying-new-wildcard-certificate-to-ssrs-the-specified-url-was-unexpectedly-reserved.md new file mode 100644 index 0000000000..eb8e8af5e2 --- /dev/null +++ b/docs/kb/auditor/error-when-applying-new-wildcard-certificate-to-ssrs-the-specified-url-was-unexpectedly-reserved.md @@ -0,0 +1,45 @@ +--- +description: >- + Describes an error that occurs when applying a new wildcard certificate to + SSRS ('The specified URL was unexpectedly reserved') and steps to unbind the + old certificate and bind the new one. +keywords: + - SSRS + - wildcard certificate + - netsh + - sslcert + - 'https:443' + - Reporting Services + - certificate binding + - The specified URL was unexpectedly reserved +products: + - auditor +sidebar_label: Error When Applying New Wildcard Certificate to SS +tags: [] +title: "Error When Applying New Wildcard Certificate to SSRS: The Specified URL Was Unexpectedly Reserved" +knowledge_article_id: kA04u00000111GqCAI +--- + +# Error When Applying New Wildcard Certificate to SSRS: The Specified URL Was Unexpectedly Reserved + +## Symptoms + +- When trying to add new certificate the following error occurs: + + ``` + The specified URL was unexpectedly reserved + ``` + +- When trying to reserve `https:443`, I get another error and the services restarts + +- The certificate is not listed + +## Resolution + +1. Open Command Prompt (CMD) as administrator and unbind the certificate using a command below: + + ```batch + netsh http delete sslcert ipport=[::]:443 + ``` + +2. Bind the new certificate in **Reporting Service Configuration Manager** 
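Review bot: In Resolution step 1 of error-when-applying-new-wildcard-certificate-to-ssrs-the-specified-url-was-unexpectedly-reserved.md, `netsh http delete sslcert ipport=[::]:443` removes only the `[::]:443` binding, and the reader is never asked to check what is bound first. Add a preceding step that runs `netsh http show sslcert` so the reader can see which ip:port entries carry the old certificate and record its hash before deleting anything, and add a sentence that anything else on the host relying on that port 443 binding is affected by the delete. The second and third Symptoms bullets read like pasted ticket text ("I get another error and the services restarts", `https:443`); reword them in the article's voice, name the other error, and say where the certificate is not listed.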
diff --git a/docs/kb/auditor/error-while-transaction-db-import-operation.md b/docs/kb/auditor/error-while-transaction-db-import-operation.md new file mode 100644 index 0000000000..21f43eac12 --- /dev/null +++ b/docs/kb/auditor/error-while-transaction-db-import-operation.md 
@@ -0,0 +1,51 @@ +--- +description: >- + When auditing Microsoft Teams with a gMSA, Netwrix Auditor may log Event ID + 2107: Error while Transaction DB Import operation - Access to the path is + denied. This article explains the cause and provides step-by-step resolution. +keywords: + - Event ID 2107 + - DB Import + - tenants.config + - SharePoint Online + - MS Teams + - gMSA + - Netwrix Auditor + - Access denied +products: + - auditor +sidebar_label: Error While Transaction 'DB Import' Operation +tags: [] +title: Error While Transaction 'DB Import' Operation +knowledge_article_id: kA0Qk0000000MerKAE +--- + +# Error While Transaction 'DB Import' Operation + +## Symptom + +When auditing MS Teams with gMSA, the following error appears in the Netwrix Auditor System Health log: + +```text +Event ID:2107 +Error while Transaction 'DB Import' operation. Access to the path is denied. +``` + +## Cause + +The `tenants.config` file was corrupted. + +## Resolution + +First of all, Netwrix recommends checking your current Netwrix Auditor version and upgrading to the latest one. + +Follow the steps below to resolve the error: + +1. On the Netwrix Auditor server host, navigate to `Working Folder\Netwrix Auditor for SharePoint Online` and copy the `Configuration` folder to any other location. +2. Delete the **SharePoint Online** data source from the **Monitoring Plan**: + - Open the problematic monitoring plan. + - Select **SharePoint Online** data source. + - Click **Remove Data Source** in the right panel. +3. Add **SharePoint Online** data source and the item with the tenant account back to the monitoring plan. +4. Create a new client secret for your SharePoint Online app. +5. Update the monitoring plan and check if the removed file was recreated. 
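Review bot: Step 5 of the Resolution says to "check if the removed file was recreated", but no earlier step removes a file: step 1 only copies the `Configuration` folder, and `tenants.config`, the file named in Cause, never appears in the steps. State which file is meant and at which step it is deleted or regenerated. The Symptom is about auditing MS Teams with a gMSA while every step acts on the SharePoint Online data source, so one sentence explaining that relationship is needed. Step 4 creates a new client secret without saying where it is entered or what happens to the old one, and because step 1 copies the configuration folder "to any other location", add a note to keep that copy in an access-restricted location and delete it once the fix is confirmed.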
diff --git a/docs/kb/auditor/error_certificate_with_identifier_is_not_registered_on_application.md b/docs/kb/auditor/error_certificate_with_identifier_is_not_registered_on_application.md new file mode 100644 index 0000000000..e0af5720a6 --- /dev/null +++ b/docs/kb/auditor/error_certificate_with_identifier_is_not_registered_on_application.md 
@@ -0,0 +1,40 @@ +--- +description: >- + This article addresses the error message indicating that a certificate with a specific identifier is not registered on the application, providing insights into its cause and resolution steps. +keywords: + - certificate error + - Microsoft 365 + - Entra ID +sidebar_label: Certificate Not Registered Error +tags: [] +title: "Error: Certificate With Identifier Is Not Registered on Application" +knowledge_article_id: kA04u000001113hCAA +products: + - auditor +--- + +# Error: Certificate With Identifier Is Not Registered on Application + +## Symptom + +The following error appears in the Health Log for your Microsoft 365-based monitoring plan: + +``` +AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. +Reason - The key was not found. Thumbprint of key used by client: '%thumbprint%' +``` + +## Cause + +Multiple Microsoft 365-based items use the same Entra ID application instead of dedicated applications, causing the certificate thumbprint to overwrite. + +## Resolution + +Set up a separate Entra ID application for every Microsoft 365-based item monitored in your environment. Refer to the related articles for additional information on Microsoft 365-based sources. + +## Related Articles + +- [Microsoft 365 — Permissions for Entra ID Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/microsoftentraid/permissions) +- [Microsoft 365 — Permissions for Exchange Online Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/exchangeonline/permissions) +- [Microsoft 365 — Permissions for SharePoint Online Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/sharepointonline/permissions) +- [Microsoft 365 — Permissions for Teams Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/teams/permissions) \ No newline at end of file 
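Review bot: The Resolution stops at "Set up a separate Entra ID application for every Microsoft 365-based item" and leaves the shared application described in Cause untouched. Add a step on how to find which monitored items currently share an application (the `%thumbprint%` in the error text is the natural value to match on) and a closing step to remove the certificate that is no longer used from the shared application once the dedicated ones work. "causing the certificate thumbprint to overwrite" in Cause does not say what overwrites what; spell out the mechanism. The file also ends without a trailing newline.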
diff --git a/docs/kb/auditor/error_the_custom_attribute_{x}_was_requested,_but_not_set_in_domain_1_for_the_{y}_object_class.md b/docs/kb/auditor/error_the_custom_attribute_{x}_was_requested,_but_not_set_in_domain_1_for_the_{y}_object_class.md new file mode 100644 index 0000000000..7164a3b5d2 --- /dev/null +++ b/docs/kb/auditor/error_the_custom_attribute_{x}_was_requested,_but_not_set_in_domain_1_for_the_{y}_object_class.md 
@@ -0,0 +1,74 @@ +--- +description: >- + This article addresses the warning message encountered during an Active Directory Inventory (ADI) scan in Netwrix Access Analyzer regarding custom attributes not being set for specific object classes. +keywords: + - Active Directory + - Access Analyzer + - custom attributes +sidebar_label: Custom Attribute Warning +tags: [] +title: "Error: The Custom Attribute {x} Was Requested, but Not Set in Domain 1 for the {y} Object Class" +knowledge_article_id: kA0Qk000000306jKAA +products: + - auditor +--- + +# Error: The Custom Attribute {x} Was Requested, but Not Set in Domain 1 for the {y} Object Class + +## Related Queries + +- “Access Analyzer full scan required warning” +- “Attribute xxx was requested but not set for User object.” +- “ADI scan is missing custom attribute.” +- “Receiving warning about pager or msDS-SupportedEncryptionTypes in Access Analyzer.” + +## Symptom + +During an Active Directory Inventory (ADI) scan in **Netwrix Access Analyzer** (formerly Enterprise Auditor), the following warnings may appear on the **1-AD_Scan** job: + +- `The custom attribute msDS-AllowedToActOnBehalfOfOtherIdentity was requested, but not set in domain 1 for the User object class. A full ADI scan may be required.` +- `The custom attribute msDS-AllowedToDelegateTo was requested, but not set in domain 1 for the User object class. A full ADI scan may be required.` +- `The custom attribute PrimaryGroupID was requested, but not set in domain 1 for the Group object class. A full ADI scan may be required.` +- `The custom attribute msDS-AllowedToActOnBehalfOfOtherIdentity was requested, but not set in domain 1 for the Computer object class. A full ADI scan may be required.` +- `The custom attribute msDS-AllowedToDelegateTo was requested, but not set in domain 1 for the Computer object class. 
A full ADI scan may be required.` + +This message may appear multiple times for different attributes (e.g., pager, msDS-SupportedEncryptionTypes) and object classes (e.g., User, Computer, Group). + +## Cause + +This warning occurs when a custom or optional attribute is requested during scanning, but it is not populated for one or more objects of the specified class in the domain. + +Key contributing factors include: + +- The attribute is not defined for that object class (e.g., pager is not typically set on Computer objects). +- The attribute exists in the schema but is not populated for any of the scanned users. +- The environment is not using features (e.g., **AIC workflows**, **access reviews**, or **delegation**) that depend on that attribute. +- The attribute was recently added or modified, but the current scan is incremental, so the data has not been picked up yet. + +## Resolution + +This warning is informational and not indicative of a failure. It does **not** interrupt the scan nor cause data loss. However, you may take the following actions depending on your use case: + +### If You Are Not Using the Attribute + +- You can safely ignore the warning. +- These attributes are often included for reporting or access review readiness. If you are not using those features, the missing data does not impact functionality. + +### If You Intend to Use the Attribute + +- Ensure the attribute is properly populated across relevant objects (e.g., Users) in the Active Directory. +- After making changes, perform a **full ADI scan** to ensure the updates are collected and reflected in reports. + +> **NOTE:** Incremental scans may not detect newly populated attributes. Running a full scan ensures all changes are captured. + +### If You Want to Eliminate the Warning + +- You may remove the attribute from the requested attribute list. However, this is not recommended unless you are certain the attribute is not needed for any workflows or reports. 
+ +> **IMPORTANT:** Some reports depend on specific attributes (e.g., delegation, DS heuristics). Removing attributes could impact the completeness of those reports. + +- You can lower the logging level of the job from the default WARNING to ERROR in the [Job Properties](/docs/accessanalyzer/12.0/admin/jobs/job/properties/general) window. + +## Related Link + +- [Job Properties](/docs/accessanalyzer/12.0/admin/jobs/job/properties/general) \ No newline at end of file diff --git a/docs/kb/auditor/error_web_reports_url_not_working_after_upgrade.md b/docs/kb/auditor/error_web_reports_url_not_working_after_upgrade.md new file mode 100644 index 0000000000..c060ea5b40 --- /dev/null +++ b/docs/kb/auditor/error_web_reports_url_not_working_after_upgrade.md 
@@ -0,0 +1,41 @@ +--- +description: >- + This article provides a resolution for the issue where the Web Reports URL becomes inaccessible after upgrading Access Analyzer. +keywords: + - Access Analyzer + - Web Reports URL + - upgrade issue +sidebar_label: Web Reports URL Not Working +tags: [] +title: "Error: Web Reports URL Not Working After Upgrade" +knowledge_article_id: kA0Qk0000002nMPKAY +products: + - auditor +--- + +# Error: Web Reports URL Not Working After Upgrade + +## Related Query + +- "Post Upgrading Enterprise Auditor (NEA) Web Report URL is not working." + +## Symptom + +After upgrading **Access Analyzer** (formerly **Netwrix Enterprise Auditor**) to a later version, the Web Reports URL becomes inaccessible or does not load as expected. + +## Cause + +This issue occurs because the upgrade process changes the logon account for the **Access Analyzer** service from the configured service account to the **Local System account**. The **Local System account** may not have the necessary permissions to access resources required for Web Reports. + +## Resolution + +1. Open the **Services** management console on the server where **Access Analyzer** is installed. +2. Locate the **Netwrix Access Analyzer Web Server** service (or **Netwrix Enterprise Auditor Web Server** service, depending on your version). +3. Right-click the service and select **Properties**. +4. Go to the **Log On** tab. +5. Change the logon account from **Local System account** to the dedicated service account previously used. +6. Click **OK** to save changes. +7. Restart the service for the changes to take effect. +8. Verify that the Web Reports URL is now accessible. + +> **IMPORTANT:** Ensure the service account has the necessary permissions to access all required resources for **Access Analyzer** Web Reports. \ No newline at end of file 
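Review bot: The front matter tags this article `products: - auditor` and the file lives under docs/kb/auditor/, but the body is entirely about Access Analyzer (formerly Netwrix Enterprise Auditor); confirm the product tag and folder, otherwise readers filtering by product will not find it. In Resolution step 5, "the dedicated service account previously used" assumes the reader still knows which account that was after the upgrade reset the service to Local System; add a prerequisite to record the service's Log On account before upgrading. The closing IMPORTANT block asks for "the necessary permissions" without listing them; link to the permission requirements so the account is granted only what Web Reports needs. The file ends without a trailing newline.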
diff --git a/docs/kb/auditor/essential-netwrix-license-usage-data-and-url-resources.md b/docs/kb/auditor/essential-netwrix-license-usage-data-and-url-resources.md new file mode 100644 index 0000000000..9755a31a51 --- /dev/null +++ b/docs/kb/auditor/essential-netwrix-license-usage-data-and-url-resources.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Describes what license usage data Netwrix Auditor sends to Netwrix and which + URLs to whitelist if a server has limited Internet access. +keywords: + - license usage + - Netwrix Auditor + - whitelist URLs + - license.nwxcorp + - stats.netwrix.com + - updates.netwrix.com + - netwrix.com +products: + - auditor +sidebar_label: Essential Netwrix License Usage Data and URL Resou +tags: [] +title: "Essential Netwrix License Usage Data and URL Resources" +knowledge_article_id: kA04u0000000H4NCAU +--- + +# Essential Netwrix License Usage Data and URL Resources + +## Questions + +1. What license usage data is sent to Netwrix? +2. What resources should be whitelisted in case of limited Internet connection? + +## Answers + +Each data source that Netwrix Auditor audits is associated with a license. For example, Active Directory auditing is associated with an Active Directory license. The license count is determined for each data source and reported under the **Settings** > **Licenses** tab. For Active Directory, the count of enabled users is tracked and displayed as a part of the license usage data. Each licensed instance of Netwrix Auditor reports the corresponding total license usage to the Netwrix company. + +> **Note:** License usage data does not include any sensitive information. See the following screenshot for an example of what data Netwrix receives: + +![User-added image](images/ka04u00000116GR_0EM4u000002PWPR.png) + +If a Netwrix server in your environment has limited Internet access, whitelist the following URLs so Netwrix can collect license usage data: + +```text +https://license.nwxcorp.com/ +http://updates.netwrix.com/ +http://www.netwrix.com/ +https://stats.netwrix.com/ +``` diff --git a/docs/kb/auditor/event-id-1000-application-errors-in-netwrix-auditor-server.md b/docs/kb/auditor/event-id-1000-application-errors-in-netwrix-auditor-server.md new file mode 100644 index 0000000000..ad24953926 --- /dev/null 
+++ b/docs/kb/auditor/event-id-1000-application-errors-in-netwrix-auditor-server.md 
@@ -0,0 +1,88 @@ +--- +description: >- + Describes causes and resolutions for Event ID 1000 application errors on the + Netwrix Auditor server, including steps to repair corrupted DLLs and run + system scans. +keywords: + - Event ID 1000 + - Kernelbase.dll + - sfc /scannow + - DISM + - antivirus exclusions + - Netwrix Auditor + - DLL corruption + - application error +products: + - auditor +sidebar_label: Event ID 1000 Application Errors in Netwrix Audito +tags: [] +title: "Event ID 1000 Application Errors in Netwrix Auditor Server" +knowledge_article_id: kA04u000001119VCAQ +--- + +# Event ID 1000 Application Errors in Netwrix Auditor Server + +## Symptoms + +- No data is collected in your Active Directory monitoring plan. +- When attempting to set up a monitoring plan via **Audit Configuration Assistant** in your Netwrix Auditor server, the following error is prompted: + +``` +Cannot display assessment results +Netwrix Auditor Server is unreachable. +Your network settings are not properly configured. +``` + +- The following error is prompted in your server event log: + +``` +Event ID: 1000 +Faulting application name: Netwrix.ADA.DirSyncCollector.exe, version: %current Auditor_version% +Faulting module name: Kernelbase.dll, version: %.dll_version% +Exception code: 0xe0434352 +Faulting application path: %path% +Faulting module path: %path% +``` + +> **IMPORTANT:** Both **Faulting application name** and **Faulting module name** may differ — they depend on the affected monitoring plan. The issue may also affect different Netwrix-related executables (e.g., `Netwrix.ADA.SitServiceUpdater.exe`, `Netwrix.ADA.BackwardDataAnalyzer.exe`, `Netwrix.ADA.EventCollector.exe`, etc.) based on the affected monitoring plans, as well as system and (or) Netwrix-related dynamic-link library files. +> +> It is important to refer to the paths stated in error messages to understand the scope of components affected. 
+ +## Cause + +The **Faulting module name** dynamic-link library file was corrupted. This could happen due to a conflict between your antivirus solution and Netwrix Auditor. + +## Resolutions + +1. Set up antivirus exclusions to prevent both your antivirus solution and Netwrix Auditor from conflicting — refer to the following article for additional information: /docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor (Antivirus Exclusions for Netwrix Auditor). + +2. Establish the scope of affected `.dll` files. In case the **Faulting module path** links the system folder (e.g., `C:\Windows\System32`), follow these steps: + + 1. Once the antivirus exclusions are set up, run elevated Command Prompt in your Netwrix Auditor server. In elevated Command Prompt line, run the following command to scan Windows and restore your system-related files: + + ```bash + sfc /scannow + ``` + + 2. Once the scan is finished, run the following commands one by one allowing each to complete to prepare, scan, and restore the Windows system image via Deployment Image Servicing and Management tool: + + ```bash + Dism /Online /Cleanup-Image /CheckHealth + ``` + + ```bash + Dism /Online /Cleanup-Image /ScanHealth + ``` + + ```bash + Dism /Online /Cleanup-Image /RestoreHealth + ``` + + 3. Once the commands are completed and components are restored, restart the server. + +3. In case the **Faulting module path** links a Netwrix-related folder (e.g., `C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing`), repair your Netwrix Auditor installation. Refer to the following article for additional information: /docs/kb/auditor/how_to_repair_netwrix_auditor_installation (How to Repair Netwrix Auditor Installation). + +## Related articles + +- Antivirus Exclusions for Netwrix Auditor: /docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor +- How to Repair Netwrix Auditor Installation: /docs/kb/auditor/how_to_repair_netwrix_auditor_installation 
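Review bot: In event-id-1000-application-errors-in-netwrix-auditor-server.md, Resolution 1 asks for antivirus exclusions unconditionally, while the Cause section only says the corruption "could happen due to a conflict" with the antivirus solution. Since exclusions reduce scanning coverage on the Auditor server, the step should tell the reader to limit them to the paths listed in the linked exclusions article, and to check the **Faulting module path** first (currently step 2) so the scope is known before anything is excluded. Smaller points in the same hunk: the `sfc /scannow` and `Dism /Online /Cleanup-Image ...` fences are tagged `bash` although the text says they run in an elevated Command Prompt (the `wevtutil` fence in event-id-1024-in-health-log.md uses `batch`); `sidebar_label` is cut off at "Netwrix Audito"; and the two article references are bare paths with underscore slugs (`/docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor`), whereas the files added in this patch use hyphenated names and Markdown links, so these targets should be verified.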
diff --git a/docs/kb/auditor/event-id-1024-in-health-log.md b/docs/kb/auditor/event-id-1024-in-health-log.md new file mode 100644 index 0000000000..b2d894fb65 --- /dev/null +++ b/docs/kb/auditor/event-id-1024-in-health-log.md 
@@ -0,0 +1,66 @@ +--- +description: >- + Explains how to resolve Event ID 1024 "Email delivery failed." in the Netwrix + Auditor Health Log for SharePoint monitoring plans by regenerating the + Activity Summary and collecting logs for support. +keywords: + - Event ID 1024 + - Health Log + - SharePoint + - Activity Summary + - Email delivery failed + - Netwrix Auditor + - logs + - wevtutil +products: + - auditor +sidebar_label: Event ID 1024 in Health Log +tags: [] +title: "Event ID 1024 in Health Log" +knowledge_article_id: kA00g000000H9YmCAK +--- + +# Event ID 1024 in Health Log + +## Symptom + +Your SharePoint monitoring plan prompts the following error message under Event ID 1024 in Health Log: + +``` +Email delivery failed. +``` + +## Cause + +An internal error occurred during the Activity Summary generation. + +## Resolution + +Regenerate the Activity Summary: + +1. In the main **Netwrix Auditor** menu, select **Monitoring Plans**. +2. In the left pane, select your SharePoint monitoring plan and click **Edit**. +3. In the right pane, click **Update**. + +> **IMPORTANT:** If the error persists, create a ticket in [My Tickets · Netwrix](https://www.netwrix.com/tickets.html#/tickets/open) and submit the following files from the Auditor server to Netwrix Support: +> +> - All contents of the following path: +> +> ```text +> \%WorkingFolder%\Logs\SharePoint Auditing +> ``` +> +> The default Working Folder path is `C:\ProgramData\Netwrix Auditor`. If unsure, in the main Auditor menu, select **Health Status** > **Open diagnostic logs folder** under the **Working Folder** pane. +> +> - Netwrix Auditor System Health event log. 
Run the following command in elevated Command Prompt: +> +> ```batch +> wevtutil epl "Netwrix Auditor" %userprofile%\desktop\NASH.evtx +> ``` +> +> Refer to the following article for additional information for an option to manually save the Auditor event log: [How to Save and Zip Netwrix Auditor System Health Event Log](/docs/kb/auditor/how-to-save-and-zip-netwrix-auditor-system-health-event-log.md). + +## Related articles + +- [How to Save and Zip Netwrix Auditor System Health Event Log](/docs/kb/auditor/how-to-save-and-zip-netwrix-auditor-system-health-event-log.md) +- [My Tickets · Netwrix](https://www.netwrix.com/tickets.html#/tickets/open) diff --git a/docs/kb/auditor/event-id-1079-in-health-log.md b/docs/kb/auditor/event-id-1079-in-health-log.md new file mode 100644 index 0000000000..4eced77a2d --- /dev/null +++ b/docs/kb/auditor/event-id-1079-in-health-log.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Explains Event ID 1079 in the Health Log when a SharePoint monitoring plan + generates an incomplete Change Summary due to a data collection timeout, and + provides steps to generate a new Activity Summary. +keywords: + - Event ID 1079 + - Health Log + - Change Summary + - Activity Summary + - SharePoint monitoring plan + - Netwrix Auditor + - data collection timeout + - monitoring plan +products: + - auditor +sidebar_label: Event ID 1079 in Health Log +tags: [] +title: "Event ID 1079 in Health Log" +knowledge_article_id: kA00g000000H9XdCAK +--- + +# Event ID 1079 in Health Log + +## Symptom + +Your SharePoint monitoring plan prompts the following error message under Event ID 1079 in Health Log: + +```text +The Change Summary may include incomplete data as the data collection was still in progress when the report was sent. +No data loss has occurred, the missing events will be listed in the next Change Summary and added to the database. +``` + +## Cause + +The data collection exceeded the predefined timeout period for its completion (1 hour by default). The Activity Summary was generated while the data collection was still in progress. + +## Resolution + +No data loss has occurred. The next Activity Summary should contain the missing events. Generate a new Activity Summary: + +1. In the main **Netwrix Auditor** menu, select **Monitoring Plans**. +2. In the left pane, select your SharePoint monitoring plan and click **Edit**. +3. In the right pane, click **Update**. diff --git a/docs/kb/auditor/event-id-1203-in-health-log.md b/docs/kb/auditor/event-id-1203-in-health-log.md new file mode 100644 index 0000000000..9d63a133c5 --- /dev/null +++ b/docs/kb/auditor/event-id-1203-in-health-log.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Explains Event ID 1203 that appears in the Health Log when a SharePoint + monitoring plan fails to start due to missing or inaccessible configuration + files. Provides steps to resolve the issue by recreating the monitoring plan + and links to configuration guidance. +keywords: + - Event ID 1203 + - Health Log + - SharePoint + - monitoring plan + - Netwrix Auditor + - service failed + - configuration files + - troubleshooting +products: + - auditor +sidebar_label: Event ID 1203 in Health Log +tags: [] +title: "Event ID 1203 in Health Log" +knowledge_article_id: kA00g000000H9d1CAC +--- + +# Event ID 1203 in Health Log + +## Symptom + +Your SharePoint monitoring plan prompts the following error message under Event ID 1203 in Health Log: + +```text +The service %service_name% has failed. +``` + +## Cause + +An internal error occurred during the Netwrix Auditor for SharePoint Service startup. There is no access to the configuration files, or some configuration files are missing. + +## Resolution + +1. Recreate your SharePoint monitoring plan. +2. Refer to the following article for additional information on configuration of SharePoint monitoring plans: Monitoring Plans − SharePoint · v10.6. + +## Related articles + +- Monitoring Plans − SharePoint · v10.6 diff --git a/docs/kb/auditor/event-id-1204-in-health-log.md b/docs/kb/auditor/event-id-1204-in-health-log.md new file mode 100644 index 0000000000..69cdc1f70f --- /dev/null +++ b/docs/kb/auditor/event-id-1204-in-health-log.md 
@@ -0,0 +1,62 @@ +--- +description: >- + This article describes causes and resolutions for Event ID 1204 ("Unable to + establish connection to the remote WebService") that appears in the Health Log + for a SharePoint monitoring plan in Netwrix Auditor. +keywords: + - Event ID 1204 + - Health Log + - SharePoint + - Netwrix Auditor + - WebService + - TCP 10060 + - Central Administration + - Monitoring plan + - IIS Bindings +products: + - auditor +sidebar_label: Event ID 1204 in Health Log +tags: [] +title: "Event ID 1204 in Health Log" +knowledge_article_id: kA00g000000H9dKCAS +--- + +# Event ID 1204 in Health Log + +## Symptom + +The following error message under Event ID 1204 is prompted in Health Log for your SharePoint monitoring plan: + +```text +Unable to establish connection to the remote WebService +``` + +## Causes + +Refer to the following possible causes based on the error description: + +- + ```text + Could not connect to %URL%/_vti_bin/Netwrix/ManagementService.svc. + TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, + or established connection failed because connected host has failed to respond %address% + ``` + - There is no network connection between the Netwrix Auditor host and the SharePoint Central Administration host, or the WebService is not responding. + +- + ```text + The requested service %service_name% could not be activated + ``` + - The system resources of the SharePoint Central Administration host are insufficient. + - Access to the Central Administration site is performed via the https protocol, and it is not specified in the Alternate Access Mapping. + - Access to the Central Administration site is performed via alternative access, and the IIS Bindings contains several host names for the Central Administration site. + +## Resolutions + +1. Verify SharePoint Central Administration is accessible. + +2. 
Free or add system resources and execute the `iisreset` command in elevated Command Prompt. + +3. Verify the correct SharePoint Central Administration URL is specified in the monitoring plan settings via **Monitoring Plans** > select `%SharePoint_plan%` > **Edit** > select the item and click **Edit item** > modify the **SharePoint Central Administration URL** > click **Save & Close**. + +4. Specify one **Host Name** for the Central Administration site in IIS Bindings. diff --git a/docs/kb/auditor/event-id-1205-in-health-log.md b/docs/kb/auditor/event-id-1205-in-health-log.md new file mode 100644 index 0000000000..0257c4de48 --- /dev/null +++ b/docs/kb/auditor/event-id-1205-in-health-log.md @@ -0,0 +1,64 @@ +--- +description: >- + Explains Event ID 1205 that appears in the Health Log for SharePoint + monitoring in Netwrix Auditor, lists possible causes, and provides resolutions + to troubleshoot the issue. +keywords: + - Event ID 1205 + - Health Log + - SharePoint + - Central Administration + - Netwrix Auditor + - TCP error 10060 + - iisreset + - audit log trimming +products: + - auditor +sidebar_label: Event ID 1205 in Health Log +tags: [] +title: "Event ID 1205 in Health Log" +knowledge_article_id: kA00g000000H9dGCAS +--- + +# Event ID 1205 in Health Log + +## Symptom + +The following error message under Event ID 1205 is prompted in Health Log for your SharePoint monitoring plan: + +```text +The following unexpected error has occurred: <%error_message%>. +``` + +## Causes + +- `Could not connect to /_vti_bin/Netwrix/ManagementService.svc. TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
` + - Missing network connection between the computer with Netwrix Auditor installed and the computer hosting SharePoint Central Administration. + - WebService is not responding. +- `Insufficient winsock resources available to complete socket connection initiation.` + - Insufficient system resources on the computer with SharePoint Central Administration installed. +- `The requested service could not be activated` + - Insufficient system resources on the computer with SharePoint Central Administration installed. + - Access to the Central Administration site is performed via the https protocol not specified in the Alternate Access Mapping. + - Access to the Central Administration site is performed through alternative access. + - IIS Bindings contain several Host names for the Central Administration site. +- `Cannot create a file when that file already exists.` + - Audit log trimming is not configured correctly. +- `Access to the path %PATH% is denied.` + - Events auditing settings are not cofigured correctly. + +## Resolutions + +Proceed with one of the following solutions depending on the error: + +- Make sure that SharePoint Central Administration is reachable. +- Free or add system resources and execute the `iisreset` command. +- Specify the URL in the Alternate Access Mapping for the Central Administration site, or use a different URL when creating a monitoring plan. +- Leave one Host Name for the Central Administration site in IIS Bindings. +- Configure Audit log trimming. For additional info, refer to the following article: Configuration – SharePoint: Configure Audit Log Trimming ⸱ v10.6. +- Configure events auditing settings. For additional info, refer to the following link: Configuration – SharePoint: Configure Events Auditing Settings ⸱ v10.6. + +## Related articles + +- Configuration – SharePoint: Configure Audit Log Trimming ⸱ v10.6 +- Configuration – SharePoint: Configure Events Auditing Settings ⸱ v10.6 
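Review bot: In event-id-1205-in-health-log.md, the first Causes bullet opens an inline code span at `Could not connect to /_vti_bin/Netwrix/ManagementService.svc.` and only closes it on the following line, and the message has no placeholders where event-id-1204-in-health-log.md shows `%URL%` and `%address%` for the same text. The same applies to `The requested service could not be activated`, which carries `%service_name%` in the 1204 article. Please restore the placeholders and keep the span on one line, or use a fenced `text` block as the 1204 article does. Also in this hunk: "cofigured" should be "configured"; the Resolutions bullets say "depending on the error" but do not name which error each one addresses; and the two entries under Related articles (and the matching references in Resolutions) are plain text with no link target.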
diff --git a/docs/kb/auditor/event-id-1207-in-health-log.md b/docs/kb/auditor/event-id-1207-in-health-log.md new file mode 100644 index 0000000000..05ab928412 --- /dev/null +++ b/docs/kb/auditor/event-id-1207-in-health-log.md @@ -0,0 +1,46 @@ +--- +description: >- + Explains how to resolve Event ID 1207 in the Health Log when SharePoint + monitoring reports an automatic SharePoint Core Service deployment failure. + Describes the cause and the manual uninstall/reinstall steps for the Netwrix + Auditor for SharePoint Core Service. +keywords: + - Event ID 1207 + - Health Log + - SharePoint Core Service + - Netwrix Auditor + - deployment failed + - SharePoint monitoring + - core service version mismatch + - installation +products: + - auditor +sidebar_label: Event ID 1207 in Health Log +tags: [] +title: "Event ID 1207 in Health Log" +knowledge_article_id: kA00g000000H9d8CAC +--- + +# Event ID 1207 in Health Log + +## Symptom + +Your SharePoint monitoring plan prompts the following error message under Event ID 1207 in Health Log: + +```text +Automatic Netwrix Auditor for SharePoint Core Service deployment failed. +``` + +## Cause + +The Netwrix Auditor for SharePoint Core Service version is different from the current Netwrix Auditor server version. + +## Resolution + +1. Manually uninstall the Netwrix Auditor for SharePoint Core Service from the server hosting SharePoint Central Administration. +2. The Netwrix Auditor server automatically detects the missing core service and installs it on target servers. +3. To manually install the SharePoint Core Service, refer to the following article: Installation — Install for SharePoint Core Service · v10.6. + +## Related articles + +- Installation — Install for SharePoint Core Service · v10.6 diff --git a/docs/kb/auditor/event-id-1208-in-health-log.md b/docs/kb/auditor/event-id-1208-in-health-log.md new file mode 100644 index 0000000000..efcd230e2c --- /dev/null +++ b/docs/kb/auditor/event-id-1208-in-health-log.md 
@@ -0,0 +1,120 @@ +--- +description: >- + Describes causes and resolutions for Event ID 1208 in the Health Log when + automatic SharePoint Core Service deployment fails in Netwrix Auditor. +keywords: + - Event ID 1208 + - Health Log + - SharePoint + - Core Service + - deployment + - Timeout expired + - Netwrix Auditor + - monitoring plan +products: + - auditor +sidebar_label: Event ID 1208 in Health Log +tags: [] +title: "Event ID 1208 in Health Log" +knowledge_article_id: kA00g000000H9cNCAS +--- + +# Event ID 1208 in Health Log + +## Symptom + +The following error message under Event ID 1208 is prompted in Health Log for your SharePoint monitoring plan: + +`Automatic Netwrix Auditor for SharePoint Core Service deployment failed.` + +## Causes and Resolutions + +Refer to the entries below for possible causes and resolutions based on event descriptions. + +### `Fatal error during installation` + +- Cause: The **Timeout expired** error is prompted after SharePoint Core Service installation has taken over 10 minutes. + **Resolution:** Refer to the following article for additional information: /docs/kb/auditor/timeout_expired_error_on_sharepoint_core_service_deployment (Timeout Expired Error on SharePoint Core Service Deployment). + +- Cause: An invalid SharePoint Central Administration URL was specified during monitoring plan creation. + **Resolution:** + 1. Edit the Item URL via **Monitoring Plans** > select ` %SharePoint_plan% ` > **Edit** > select the item and click **Edit item** > modify the SharePoint Central Administration URL > click **Save & Close**. + +- Cause: An invalid SharePoint Central Administration server was specified during monitoring plan creation. The specified server does not belong to the audited farm. + **Resolution:** + 1. 
Edit the SharePoint Central Administration server FQDN in **Monitoring Plans** > select ` %SharePoint_plan% ` > **Edit** > select the item and click **Edit item** > **Core Service** tab > modify the FQDN and click **Save & Close**. + +- Cause: SharePoint solution or SharePoint Core Service has already been installed in the SharePoint farm, but the solution has not been deployed yet. + **Resolution:** + 1. Make sure that the list of installed programs on the target computer does not contain **Netwrix Auditor for SharePoint Core Service**, and uninstall it if it does. + 2. If not, open the SharePoint Central Administration site and navigate to **System Settings** > **Manage farm solutions**. Locate the `netwrix.sharepoint.audit.wsp` solution and delete it. + 3. Update the monitoring plan. + +- Cause: The data collecting account does not have the required rights and permissions for automatic Core Service deployment. + **Resolution:** + 1. Specify a different data collecting account for the affected monitoring plan or grant corresponding permissions to the current account: + - Navigate to your SharePoint monitoring plan > **Edit Item** > **General**, and enter user name and password for the custom account. + - Grant the current account the necessary rights and permissions — refer to the following article for additional information: /docs/auditor/10.6/auditor/configurationuration/sharepoint (SharePoint − Permissions for SharePoint Auditing · v10.6). + +- Cause: SharePoint Central Administration is not functioning properly due to connection problems with the SharePoint Configuration Database, or some other unexpected error. + **Resolution:** + 1. Make sure SharePoint Central Administration is functioning properly. + +- Cause: SharePoint Central Administration URL has been specified without a port number (`Fatal error during installation`). + **Resolution:** + 1. 
Verify the Administration URL — Edit the Item URL via **Monitoring Plans** > select ` %SharePoint_plan% ` > **Edit** > select the item and click **Edit item** > modify the SharePoint Central Administration URL > click **Save & Close**. + +### `Unable to connect to the remote server.` + +- Cause: An invalid SharePoint Central Administration port has been specified. + **Resolution:** + 1. Verify the Administration URL — Edit the Item URL via **Monitoring Plans** > select ` %SharePoint_plan% ` > **Edit** > select the item and click **Edit item** > modify the SharePoint Central Administration URL > click **Save & Close**. + +- Cause: The port of SharePoint Central Administration is blocked in the Windows Firewall settings in the target server, or in the Netwrix Auditor host. + **Resolution:** + 1. Refer to the following article for additional information on required ports: /docs/auditor/10.6/auditor/configurationuration/sharepoint (SharePoint − SharePoint Ports · v10.6). + +- Cause: The computer that hosts SharePoint Central Administration is not reachable. + **Resolution:** + 1. Make sure there is network connection to the Central Administration host. + +### `The remote name could not be resolved.` + +- Cause: An invalid SharePoint Central Administration host has been specified. + **Resolution:** + 1. Verify the Administration URL — Edit the Item URL via **Monitoring Plans** > select ` %SharePoint_plan% ` > **Edit** > select the item and click **Edit item** > modify the SharePoint Central Administration URL > click **Save & Close**. + +### `The network path was not found.` + +- Cause: The target server for Core Service deployment has been specified incorrectly. + **Resolution:** + 1. Edit the SharePoint Central Administration server FQDN in **Monitoring Plans** > select ` %SharePoint_plan% ` > **Edit** > select the item and click **Edit item** > **Core Service** tab > modify the FQDN and click **Save & Close**. 
+ +### `Access is denied.` + +- Cause: The data collecting account used to install Core Service does not have the required rights and permissions in the target server. + **Resolution:** + 1. Specify a different data collecting account for the affected monitoring plan or grant corresponding permissions to the current account: + - Navigate to your SharePoint monitoring plan > **Edit Item** > **General**, and enter user name and password for the custom account. + - Grant the current account the necessary rights and permissions — refer to the following article for additional information: /docs/auditor/10.6/auditor/configurationuration/sharepoint (SharePoint − Permissions for SharePoint Auditing · v10.6). + +### `The system cannot find the file specified.` + +- Cause: The target server for Core Service deployment has been specified as an alias that is not specified in the DNS and that cannot be authenticated in the local admin share (`\serveradmin$`) in the target Core Service deployment server. + **Resolution:** + 1. Edit the SharePoint Central Administration server FQDN in **Monitoring Plans** > select ` %SharePoint_plan% ` > **Edit** > select the item and click **Edit item** > **Core Service** tab > modify the FQDN and click **Save & Close**. + +### `The pipe has been ended.` + +- Cause: The SharePoint Central Administration server was restarted or shut down during the automatic Core Service deployment. Unable to install Netwrix Auditor for SharePoint Core Service on the target server. + **Resolution:** + 1. Retry installation: + - To retry the automatic deployment, update the SharePoint monitoring plan. + - For additional information on manual installation of SharePoint Core Service, refer to the following article: /docs/auditor/10.6/auditor/installation (Installation − Install for SharePoint Core Service · v10.6). 
+ +## Related articles + +- Timeout Expired Error on SharePoint Core Service Deployment — /docs/kb/auditor/timeout_expired_error_on_sharepoint_core_service_deployment +- SharePoint − Permissions for SharePoint Auditing · v10.6 — /docs/auditor/10.6/auditor/configurationuration/sharepoint +- SharePoint − SharePoint Ports · v10.6 — /docs/auditor/10.6/auditor/configurationuration/sharepoint +- Installation − Install for SharePoint Core Service · v10.6 — /docs/auditor/10.6/auditor/installation diff --git a/docs/kb/auditor/event-id-1209-in-health-log.md b/docs/kb/auditor/event-id-1209-in-health-log.md new file mode 100644 index 0000000000..a9c3638676 --- /dev/null +++ b/docs/kb/auditor/event-id-1209-in-health-log.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Event ID 1209 occurs when Netwrix Auditor cannot obtain SharePoint groups for + a site collection due to permission or lock status issues. This article + explains causes and resolutions. +keywords: + - Event ID 1209 + - Health Log + - SharePoint + - site collection + - Access Denied + - Manage Web Site + - Locked — No Access + - Configure Quotas and Locks + - Netwrix Auditor +products: + - auditor +sidebar_label: Event ID 1209 in Health Log +tags: [] +title: "Event ID 1209 in Health Log" +knowledge_article_id: kA00g000000H9dCCAS +--- + +# Event ID 1209 in Health Log + +## Symptom + +One of the following error messages under Event ID 1209 appears in the Health Log for your SharePoint monitoring plan: + +```text +Unable to obtain the list of SharePoint groups for site collection with ID '{0}': +Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). +``` + +```text +Unable to obtain the list of SharePoint groups for site collection with ID '{0}': +Access to this Web site has been blocked. +``` + +## Causes + +The security settings in the audited SharePoint farm do not allow for complete audit data collection. Netwrix Auditor was unable to get a list of security groups from the audited site collection due to one of the following reasons: + +1. The web application hosting the target site collection has insufficient permissions. +2. The affected site collection has the **Locked — No Access** status. + +## Resolutions + +1. Cause #1 − In SharePoint Central Administration, navigate to **Web Applications** > **`%affected_web_application%`** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. +2. Cause #2 − In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **`%affected_web_application%`**, and change the status to **Not locked**. 
+ +Learn more on management of the SharePoint site lock status via PowerShell in [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell). + +## Related articles + +- [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell) diff --git a/docs/kb/auditor/event-id-1210-in-health-log.md b/docs/kb/auditor/event-id-1210-in-health-log.md new file mode 100644 index 0000000000..3173ee4fcf --- /dev/null +++ b/docs/kb/auditor/event-id-1210-in-health-log.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Explains Event ID 1210 entries in the Health Log for SharePoint monitoring + plans and provides causes and resolutions for the two common error messages. +keywords: + - Event ID 1210 + - Health Log + - SharePoint + - permission levels + - Manage Web Site + - site collection lock + - Netwrix Auditor + - access denied +products: + - auditor +sidebar_label: Event ID 1210 in Health Log +tags: [] +title: "Event ID 1210 in Health Log" +knowledge_article_id: kA00g000000H9cSCAS +--- + +# Event ID 1210 in Health Log + +## Symptoms + +One of the following error messages under Event ID 1210 is prompted in Health Log for your SharePoint monitoring plan: + +1. Error 1: + +```text +Unable to obtain the list of SharePoint roles for site collection with ID '{0}': +Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) +``` + +2. Error 2: + +```text +Unable to obtain the list of SharePoint roles for site collection with ID '{0}': +Access to this web site has been blocked +``` + +## Causes + +1. Error 1: The security settings in the audited SharePoint farm do not allow Netwrix Auditor to collect complete audit data. Netwrix Auditor is unable to get a list of permission levels for the audited site collection due to insufficient permissions for the web application hosting the target site collection. + +2. Error 2: The security settings in the audited SharePoint farm do not allow Netwrix Auditor to collect complete audit data. Netwrix Auditor is unable to get a list of permission levels for the audited site collection due to the **No Access** status. + +## Resolutions + +Review the resolution for the corresponding error: + +1. Error 1: In SharePoint Central Administration, navigate to **Web Applications** > **%affected_application%** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. + +2. 
Error 2: In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +Learn more on management of the SharePoint site lock status via PowerShell in [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell). + +## Related articles + +- [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell) diff --git a/docs/kb/auditor/event-id-1211-1215-1226-1235-1246-1248-in-health-log.md b/docs/kb/auditor/event-id-1211-1215-1226-1235-1246-1248-in-health-log.md new file mode 100644 index 0000000000..a4b201e853 --- /dev/null +++ b/docs/kb/auditor/event-id-1211-1215-1226-1235-1246-1248-in-health-log.md 
@@ -0,0 +1,104 @@ +--- +description: >- + Lists Health Log events 1211, 1215, 1226–1235, 1246–1248 related to SharePoint + monitoring, explains causes, and provides resolutions including recreating the + monitoring plan in Netwrix Auditor. +keywords: + - SharePoint + - Health Log + - Event ID 1211 + - Event ID 1215 + - Event ID 1226 + - Audit Archive + - Netwrix Auditor + - monitoring plan + - Event ID 1248 +products: + - auditor +sidebar_label: 'Event ID 1211, 1215, 1226-1235, 1246-1248 in Healt' +tags: [] +title: 'Event ID 1211, 1215, 1226-1235, 1246-1248 in Healt' +knowledge_article_id: kA00g000000H9dACAS +--- + +# Event ID 1211, 1215, 1226-1235, 1246-1248 in Health Log + +## Symptoms + +Your SharePoint monitoring plan in Netwrix Auditor prompts one of the following error messages under Event ID 1211, 1215, 1226, 1227, 1228, 1229, 1230, 1231, 1232, 1233, 1234, 1235, 1246, 1247, and 1248 in Health Log: + +```text +Event ID 1211: An unexpected error occurred while updating the security cache. +``` + +```text +Event ID 1215: Unable to delete temporary files when writing audit data to the SQL database due to the following error. +``` + +```text +Event ID 1226: The following error occurred when trying to compare the configuration snapshots. +``` + +```text +Event ID 1227: Unable to copy file %fileName% to the Audit Archive. +``` + +```text +Event ID 1228: Unable to copy audit data to the Audit Archive. +``` + +```text +Event ID 1229: Unable to save the configuration snapshot to the Audit Archive due to the following... +``` + +```text +Event ID 1230: Unable to delete temporary file %fileName%. +``` + +```text +Event ID 1231: The following unexpected error occurred when trying to delete temporary files from the local repository. +``` + +```text +Event ID 1232: The following unexpected error occurred when trying to generate a zip archive with audit data to be copied to the Audit Archive. 
+``` + +```text +Event ID 1233: The following error occurred when trying to delete old audit data from the local repository. +``` + +```text +Event ID 1234: Unable to load cache for SharePoint due to the following error: %errormsg%. +``` + +```text +Event ID 1235: Unable to save cache to the local repository. +``` + +```text +Event ID 1246: Unable to delete the following zip archive %fileName% with old audit data from the local repository. +``` + +```text +Event ID 1247: The following error occurred when trying to read audit data from the repository: %errormsg%.This data will be skipped. +``` + +```text +Event ID 1248: Unable to parse an event due to the following error message: %errormsg%. This event will be skipped. +``` + +## Causes + +1. The data located in the target folder is corrupted or used by another process. +2. An unexpected error occurred. + +## Resolutions + +Refer to the following resolutions: + +- In case the error message contains a file name, verify the file is accessible and is not used by another process. +- Recreate your SharePoint monitoring plan in Netwrix Auditor. Refer to the following article for additional information on configuration of SharePoint monitoring plans: Monitoring Plans − SharePoint · v10.6. + +## Related articles + +- Monitoring Plans − SharePoint · v10.6 diff --git a/docs/kb/auditor/event-id-1212-in-health-log.md b/docs/kb/auditor/event-id-1212-in-health-log.md new file mode 100644 index 0000000000..fa8772dd55 --- /dev/null +++ b/docs/kb/auditor/event-id-1212-in-health-log.md 
@@ -0,0 +1,78 @@ +--- +description: >- + This article explains Event ID 1212 health log errors that occur when Netwrix + Auditor collects SharePoint content events and provides causes and resolutions + for three common error messages. +keywords: + - Event ID 1212 + - SharePoint + - Health Log + - Netwrix Auditor + - monitoring plan + - timeout + - configuration database + - content events +products: + - auditor +sidebar_label: Event ID 1212 in Health Log +tags: [] +title: "Event ID 1212 in Health Log" +knowledge_article_id: kA00g000000H9d7CAC +--- + +# Event ID 1212 in Health Log + +## Symptoms + +Your SharePoint monitoring plan prompts one of the following error messages under Event ID 1212 in Health Log: + +1. Error 1: + +``` +An unexpected error occurred while trying to collect content events from the audited SharePoint farm: +Details: Could not find file: %filePath% +``` + +2. Error 2: + +``` +An unexpected error occurred while trying to collect content events from the audited SharePoint farm: Details: +The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). +If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. +The first 45 bytes of the response were: 'Cannot connect to the configuration database.'. +``` + +3. Error 3: + +``` +An unexpected error occurred while trying to collect content events from the audited SharePoint farm: +The request change timed out while waiting for a reply after 01:00:00. +Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. +The time allotted to this operation may have been a portion of a longer timeout. +``` + +## Causes + +1. Error 1: Netwrix Auditor failed to collect audit data due to an unexpected error in Auditor. There is no access to the configuration files, or the files are corrupt. + +2. 
Error 2: Netwrix Auditor failed to collect audit data due to an unexpected error in SharePoint. The site collection configuration is corrupt, or there is no access to the SharePoint configuration database. + +3. Error 3: Netwrix Auditor failed to collect audit data as the timeout expired due to SharePoint settings. This could be caused by maintenance activity in your network, resulting in failed process requests to SharePoint. + +## Resolutions + +Follow the resolution for the corresponding error you encounter: + +1. Error 1: Recreate your SharePoint monitoring plan. Refer to the following article for additional information on configuration of SharePoint monitoring plans: /docs/auditor/10.6/auditor/admin-guide/monitoringplans/sharepoint (Monitoring Plans − SharePoint · v10.6). + +2. Error 2: Verify the audited site collection can be reached and is configured correctly − refer to the following article for additional information on the initial setup: /docs/auditor/10.6/auditor/configurationuration/sharepoint (Configuration − SharePoint · v10.6). + +3. Error 3: Verify the audited site collection can be reached. Extend the timeout on a binding − learn more in https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/configuring-timeout-values-on-a-binding (Configuring Timeout Values on a Binding ⸱ Microsoft 🐍). + +> **NOTE:** The recommended timeout value is 2 hours. + +## Related articles + +- /docs/auditor/10.6/auditor/admin-guide/monitoringplans/sharepoint (Monitoring Plans − SharePoint · v10.6) +- /docs/auditor/10.6/auditor/configurationuration/sharepoint (Configuration − SharePoint · v10.6) +- https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/configuring-timeout-values-on-a-binding (Extend the timeout on a binding − learn more in Configuring Timeout Values on a Binding ⸱ Microsoft 🐍) 
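Review bot: The Configuration link path reads `/docs/auditor/10.6/auditor/configurationuration/sharepoint` in the Error 2 resolution and again under Related articles; `configurationuration` looks like a doubled search-and-replace and should be corrected in both places. In the same two places the Microsoft link label ends in a 🐍 glyph where an external-link marker seems intended, and the last Related articles entry carries the fragment "Extend the timeout on a binding − learn more in" inside its title; trim it to the article name. The closing NOTE recommends a 2 hour timeout but does not say which setting or file the reader changes to apply it, so the Error 3 resolution should name that.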
diff --git a/docs/kb/auditor/event-id-1214-in-health-log.md b/docs/kb/auditor/event-id-1214-in-health-log.md new file mode 100644 index 0000000000..8c4483a89d --- /dev/null +++ b/docs/kb/auditor/event-id-1214-in-health-log.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Explains Event ID 1214 in the Health Log for SharePoint monitoring plans, + lists possible causes, and provides step-by-step resolutions to restore audit + data writes to the SQL database. +keywords: + - Event ID 1214 + - Health Log + - SharePoint + - audit data + - SQL database + - Netwrix Auditor + - Long-Term Archive + - Short-Term Archive + - SSRS +products: + - auditor +sidebar_label: Event ID 1214 in Health Log +tags: [] +title: "Event ID 1214 in Health Log" +knowledge_article_id: kA00g000000H9crCAC +--- + +# Event ID 1214 in Health Log + +## Symptom + +You see the following error message under Event ID 1214 in the Health Log for your SharePoint monitoring plan: + +```text +The following error occurred when trying to write audit data to the SQL database: %error_message% +``` + +## Causes + +1. Your Data Collecting Account has insufficient permissions to create temporary audit files copied to the SQL database. +2. Misconfigured SQL Server Reporting Services (SSRS) settings in Netwrix Auditor. + +## Resolutions + +1. Cause #1 − Allow **Full Control** permissions to the affected Long-Term Archive service account for the following 2 folders: + + - Long-term Archive − you can establish the location by following **Settings** > **Long-Term Archive** > **Write audit data to**. The default location is ` %PROGRAMDATA%\Netwrix Auditor\Data`. + - Short-Term Archive − you can establish the location by following **Health Status** > **Open diagnostic logs folder** under **Working folder** > parent folder of the **Logs** folder. The default location is ` %ProgramData%\Netwrix Auditor\ShortTerm`. + +2. Cause #2 − Verify SQL Server Reporting Services settings − refer to the following article for additional information: /docs/auditor/10.6/auditor/admin-guide/settings (Netwrix Auditor Settings − Audit Database · v10.6). 
+ +## Related articles + +- Netwrix Auditor Settings − Audit Database · v10.6: /docs/auditor/10.6/auditor/admin-guide/settings diff --git a/docs/kb/auditor/event-id-1216-1217-1218-1219-in-health-log.md b/docs/kb/auditor/event-id-1216-1217-1218-1219-in-health-log.md new file mode 100644 index 0000000000..d8471ce37f --- /dev/null +++ b/docs/kb/auditor/event-id-1216-1217-1218-1219-in-health-log.md 
@@ -0,0 +1,73 @@ +--- +description: >- + Netwrix Auditor reports Event ID 1216, 1217, 1218, or 1219 in the Health Log + when it cannot collect AD group membership information for SharePoint + monitoring. This article lists the error messages, causes, and resolutions, + including file paths for the membership database and configuration. +keywords: + - SharePoint + - Health Log + - Event ID 1216 + - Event ID 1217 + - Event ID 1218 + - Event ID 1219 + - membership database + - Netwrix Auditor +products: + - auditor +sidebar_label: 'Event ID 1216, 1217, 1218, 1219 in Health Log' +tags: [] +title: 'Event ID 1216, 1217, 1218, 1219 in Health Log' +knowledge_article_id: kA00g000000H9cwCAC +--- + +# Event ID 1216, 1217, 1218, 1219 in Health Log + +## Symptoms + +Your SharePoint monitoring plan prompts one of the following error messages under Event ID 1216, 1217, 1218, and 1219 in Health Log: + +``` +Event ID 1216: The following error occurred when trying to launch the component +responsible for collecting AD group membership from forest %forestName%: %errormsg%. +``` + +``` +Event ID 1217: The following error occurred when trying to delete temporary data on AD group membership from the local storage: %errormsg%. +``` + +``` +Event ID 1218: The following unexpected error occurred when trying to collect AD group membership: %errormsg%. +``` + +``` +Event ID 1219: AD group membership was resolved with the following error: %errormsg%. +``` + +## Causes + +Netwrix Auditor is unable to collect data on group membership of users who made changes. This does not affect audit data integrity and only affects the possibility to filter data by groups in audit reports. Most likely, this is due to access issues to the AD domain that users belong to, or the membership database. 
+ +> **NOTE:** Refer to the following default path to the membership database: +> +> ``` +> %ProgramData%\Netwrix Auditor\ShortTerm\Netwrix Auditor for SharePoint\\Temp\AuditArchive\Membership\Memberships.db +> ``` + +## Resolutions + +- If the error message contains a file name, verify the file is accessible and is not used by another process. + +- Alternatively, omit these events from the Netwrix Auditor System Health event log. The `omiteventloglist.txt` list includes a list of omitted events. Refer to the following default path: + + ``` + %Working_Folder%Netwrix Auditor for SharePoint\Configuration\ + ``` + + Refer to the following article for additional information on syntax: SharePoint − SharePoint Monitoring Scope · v10.6 + (/docs/auditor/10.6/auditor/admin-guide/monitoringplans/sharepoint). + +## Related articles + +- Monitoring Plans − SharePoint · v10.6 + (/docs/auditor/10.6/auditor/admin-guide/monitoringplans/sharepoint) diff --git a/docs/kb/auditor/event-id-1223-in-health-log.md b/docs/kb/auditor/event-id-1223-in-health-log.md new file mode 100644 index 0000000000..e3a3952c92 --- /dev/null +++ b/docs/kb/auditor/event-id-1223-in-health-log.md 
@@ -0,0 +1,49 @@ +--- +description: >- + This article explains Event ID 1223 in the Health Log for SharePoint + monitoring plans and provides causes and step-by-step resolutions for the + "Email delivery to recipient %recepient% failed." error. +keywords: + - Event ID 1223 + - Health Log + - SharePoint + - SMTP + - Email delivery + - Notifications + - Monitoring plan + - Netwrix Auditor +products: + - auditor +sidebar_label: Event ID 1223 in Health Log +tags: [] +title: "Event ID 1223 in Health Log" +knowledge_article_id: kA00g000000H9ctCAC +--- + +# Event ID 1223 in Health Log + +## Symptom + +You see the following error message under Event ID 1223 in the Health Log for your SharePoint monitoring plan: + +``` +Email delivery to recipient %recepient% failed. +``` + +## Causes + +1. The SMTP server is unreachable or the SMTP settings specified in Netwrix Auditor are incorrect. +2. The recipient is unreachable or does not exist. + +## Resolutions + +- Cause #1 − Verify the SMTP settings in Netwrix Auditor. Refer to the following article for additional information: /docs/auditor/10.6/auditor/admin-guide/settings (Netwrix Auditor Settings − Notifications · v10.6). + +- Cause #2 − Verify the `recepient` details in the affected SharePoint monitoring plan. + + 1. Navigate to **Monitoring Plans** > select **%affected_SharePoint_monitoring_plan%** and click **Edit** > click **Edit settings** under the **Monitoring plan** section. + 2. In the **Notifications** tab, verify the `recepients`. When adding a `recepient`, click **Send Test Email** to confirm the email was specified correctly. + +## Related articles + +- /docs/auditor/10.6/auditor/admin-guide/settings (Netwrix Auditor Settings − Notifications · v10.6) diff --git a/docs/kb/auditor/event-id-1225-in-health-log.md b/docs/kb/auditor/event-id-1225-in-health-log.md new file mode 100644 index 0000000000..f55ea9dd1e --- /dev/null +++ b/docs/kb/auditor/event-id-1225-in-health-log.md 
@@ -0,0 +1,50 @@ +--- +description: >- + You see Event ID 1225 in the Health Log when Netwrix Auditor cannot make a + configuration snapshot of the audited SharePoint farm. This article lists + possible causes and links to related Health Log event articles to help you + troubleshoot. +keywords: + - Event ID 1225 + - Health Log + - SharePoint + - configuration snapshot + - Netwrix Auditor + - Event ID 1204 + - Event ID 1203 +products: + - auditor +sidebar_label: Event ID 1225 in Health Log +tags: [] +title: "Event ID 1225 in Health Log" +knowledge_article_id: kA00g000000H9dHCAS +--- + +# Event ID 1225 in Health Log + +## Symptom + +You see the following error message under Event ID 1225 in the Health Log for your SharePoint monitoring plan: + +```Registry +Unable to make the configuration snapshot of the audited SharePoint farm +``` + +## Causes + +Netwrix Auditor is unable to collect farm configuration changes due to network connection problems, web service issues, or configuration issues at the time of the scheduled or manual Activity Summary generation. Refer to the following list of possible errors prompted in the Health Log for the affected monitoring plan: + +- Event ID 1204 − **Unable to establish connection to the remote WebService.** +- Event ID 1203 − **The following unexpected error has occurred: %error%** + +## Resolutions + +Refer to the corresponding article for additional information on resolution: + +- Event ID 1204 in Health Log: /docs/kb/auditor/event_id_1204_in_health_log +- Event ID 1205 in Health Log: /docs/kb/auditor/event_id_1205_in_health_log + +## Related articles + +- Event ID 1204 in Health Log: /docs/kb/auditor/event_id_1204_in_health_log +- Event ID 1205 in Health Log: /docs/kb/auditor/event_id_1205_in_health_log diff --git a/docs/kb/auditor/event-id-1236-in-health-log.md b/docs/kb/auditor/event-id-1236-in-health-log.md new file mode 100644 index 0000000000..488a4200d8 --- /dev/null +++ b/docs/kb/auditor/event-id-1236-in-health-log.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Explains Event ID 1236 in the Health Log where Netwrix Auditor cannot parse a + SharePoint event due to a site collection locked as "Locked — No Access", and + shows how to resolve it by unlocking the site collection. +keywords: + - Event ID 1236 + - Health Log + - SharePoint + - site lock + - Locked — No Access + - Unable to parse the following event + - Netwrix Auditor + - Configure Quotas and Locks + - PowerShell +products: + - auditor +sidebar_label: Event ID 1236 in Health Log +tags: [] +title: "Event ID 1236 in Health Log" +knowledge_article_id: kA00g000000H9cvCAC +--- + +# Event ID 1236 in Health Log + +## Symptom + +The following error message under Event ID 1236 is prompted in Health Log for your SharePoint monitoring plan: + +```text +Unable to parse the following event: %event_data%. Skip this event. +``` + +## Cause + +Netwrix Auditor was unable to parse changes in a target site collection due to the **Locked — No Access** status. + +## Resolution + +1. In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **`%affected_web_application%`**. +2. Change the status to **Not locked**. + +Learn more on management of the SharePoint site lock status via PowerShell in [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell). + +## Related articles + +- [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell) 
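Review bot: Resolution step 1 ends the navigation path at `%affected_web_application%`, but the Cause section says the lock is on the target site collection, and the lock status is what step 2 changes. Use a site collection placeholder in step 1 so the step points at the locked object. Step 2 also tells the reader to set **Not locked** without any check; a site collection in **Locked — No Access** has usually been locked on purpose, so add a sentence asking the reader to confirm with the site owner why the lock was set before removing it.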
diff --git a/docs/kb/auditor/event-id-1239-in-health-log.md b/docs/kb/auditor/event-id-1239-in-health-log.md new file mode 100644 index 0000000000..a6f10718a6 --- /dev/null +++ b/docs/kb/auditor/event-id-1239-in-health-log.md @@ -0,0 +1,44 @@ +--- +description: >- + This article explains Event ID 1239 in the Health Log for a SharePoint + monitoring plan, including the cause and steps to configure audit log trimming + to the recommended 7 days. +keywords: + - Event ID 1239 + - Health Log + - SharePoint + - audit log trimming + - monitoring plan + - audit settings + - retention + - Site Collection Audit Settings +products: + - auditor +sidebar_label: Event ID 1239 in Health Log +tags: [] +title: "Event ID 1239 in Health Log" +knowledge_article_id: kA00g000000H9cuCAC +--- + +# Event ID 1239 in Health Log + +## Symptom + +The following error message under Event ID 1239 is prompted in Health Log for your SharePoint monitoring plan: + +```text +The Audit log trimming setting for some SharePoint sites is not configured correctly. +The recommended period is 7 days. +``` + +## Cause + +The audit log trimming setting for the site collection is turned off or exceeds 7 days. + +## Resolution + +1. In the affected site collection, navigate to **Site Settings** > **Site Collection Audit Settings** > **Audit Log Trimming**. +2. Set the **Automatically trim the audit log** option to **Yes**. Set the log retention to 7 days in the **Specify the number of days of audit log data to retain** field. Save the changes. +3. Update the monitoring plan − select the affected monitoring plan, click **Edit**, and click **Update** in the right pane. + +> **NOTE:** Verify the audit settings are set to be adjusted automatically − in the SharePoint monitoring plan, click **Edit data source** and check the **Configure audit settings** checkbox. Save the changes. 
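Review bot: Step 2 has the reader set SharePoint to trim its audit log after 7 days, but the article never says what happens to audit entries older than that. Add a sentence stating that entries past the retention window are removed from the site collection's own audit log and where readers should look for older activity, so nobody lowers retention without knowing the effect. The closing NOTE describes the **Configure audit settings** checkbox that adjusts these settings automatically; it would serve readers better placed before the manual steps.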
diff --git a/docs/kb/auditor/event-id-1240-in-health-log.md b/docs/kb/auditor/event-id-1240-in-health-log.md new file mode 100644 index 0000000000..4f4df3e79b --- /dev/null +++ b/docs/kb/auditor/event-id-1240-in-health-log.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Explains causes and resolutions for Event ID 1240 in the Health Log for a + SharePoint monitoring plan, including permission and site collection lock + status steps and a PowerShell reference. +keywords: + - Event ID 1240 + - Health Log + - SharePoint + - site collection + - Manage Web Site + - Configure Quotas and Locks + - site lock + - PowerShell +products: + - auditor +sidebar_label: Event ID 1240 in Health Log +tags: [] +title: "Event ID 1240 in Health Log" +knowledge_article_id: kA00g000000H9cxCAC +--- + +# Event ID 1240 in Health Log + +## Symptoms + +The following error message under Event ID 1240 is prompted in Health Log for your SharePoint monitoring plan: + +``` +Unable to get site collection configuration to site collection %site_collection% +``` + +## Causes + +- The web application hosting the target site collection was granted insufficient permissions. +- The audited site collection status is **No Access**. + +## Resolutions + +Review the resolution steps for the corresponding error: + +1. In SharePoint Central Administration, navigate to **Web Applications** > ` %affected_application% ` > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. +2. In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > ` %affected_site_collection% `, and change the status to `Not locked`. + +Learn more on management of the SharePoint site lock status via PowerShell in [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell). 
+ +## Related articles + +- [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell) diff --git a/docs/kb/auditor/event-id-1241-in-health-log.md b/docs/kb/auditor/event-id-1241-in-health-log.md new file mode 100644 index 0000000000..37a2345073 --- /dev/null +++ b/docs/kb/auditor/event-id-1241-in-health-log.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Describes Event ID 1241 in the Health Log for a SharePoint monitoring plan and + explains how to enable the Editing users and permissions audit to prevent lost + read access events. +keywords: + - Event ID 1241 + - Health Log + - SharePoint + - audit settings + - Editing users and permissions + - Site Collection Audit Settings + - monitoring plan + - Netwrix Auditor +products: + - auditor +sidebar_label: Event ID 1241 in Health Log +tags: [] +title: "Event ID 1241 in Health Log" +knowledge_article_id: kA00g000000H9csCAC +--- + +# Event ID 1241 in Health Log + +## Symptom + +The following error message under Event ID 1241 is prompted in Health Log for your SharePoint monitoring plan: + +```text +Audit settings for security events in site collection %item_ID% are not configured properly. +As a result, some read access events may be lost. +``` + +## Cause + +The `Editing users and permissions` audit is disabled for the site collection. + +## Resolution + +1. In the affected site collection, navigate to **Site Settings** > **Site Collection Administration** > **Site Collection Audit Settings**. +2. Check the **Editing users and permissions** checkbox under the **Lists, Libraries, and Sites** section. Save the changes. +3. Update the monitoring plan − select the affected monitoring plan, click **Edit**, and click **Update** in the right pane. + +> NOTE: Verify the audit settings are set to be adjusted automatically − in the SharePoint monitoring plan, click **Edit data source** and check the **Configure audit settings** checkbox. Save the changes. diff --git a/docs/kb/auditor/event-id-1242-in-health-log.md b/docs/kb/auditor/event-id-1242-in-health-log.md new file mode 100644 index 0000000000..d220337747 --- /dev/null +++ b/docs/kb/auditor/event-id-1242-in-health-log.md 
@@ -0,0 +1,79 @@ +--- +description: >- + Netwrix Auditor logs Event ID 1242 when it cannot audit a SharePoint site + collection due to site collection locks or insufficient permissions. This + article lists the event messages, explains causes, and provides step-by-step + resolutions. +keywords: + - Event ID 1242 + - Health Log + - SharePoint + - site collection + - audit + - permissions + - Configure Quotas and Locks + - Not locked + - Log on as a batch job +products: + - auditor +sidebar_label: Event ID 1242 in Health Log +tags: [] +title: "Event ID 1242 in Health Log" +knowledge_article_id: kA00g000000H9cYCAS +--- + +# Event ID 1242 in Health Log + +## Symptoms + +One of the following error messages under Event ID 1242 `Unable to audit changes to site collection %site_collection%` is prompted in Health Log for your SharePoint monitoring plan: + +1. Error 1: + +```text +Unable to audit changes to site collection %site_collection%: +Attempted to perform an unauthorized operation. +``` + +2. Error 2: + +```text +Unable to audit changes to site collection %site_collection%: +Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). +``` + +3. Error 3: + +```text +Unable to audit changes to site collection %site_collection%: +Access to this Web site has been blocked. +``` + +## Causes + +Review the cause corresponding to the error you see: + +1. Error 1: Netwrix Auditor failed to collect changes from the audited site collection due to the **Adding content prevented** status. Alternatively, the Farm account or the service account for the web application pool hosting the audited site collection has been modified, and has not been granted the **Log on as a batch job** permissions in the server hosting SharePoint Central Administration. + +2. Error 2: Netwrix Auditor failed to collect changes from the audited site collection due to insufficient permissions for the web application hosting the target site collection. + +3. 
Error 3: Netwrix Auditor failed to collect changes from the audited site collection due to the **No Access** status. + +## Resolutions + +Review the resolution for the corresponding error: + +1. Error 1: + In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **`%affected_site_collection%`**, and change the status to **Not locked**. + +2. Error 2: + In SharePoint Central Administration, navigate to **Web Applications** > **`%affected_application%`** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. + +3. Error 3: + In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **`%affected_site_collection%`**, and change the status to **Not locked**. + +Learn more on management of the SharePoint site lock status via PowerShell in Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🤝: https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell + +## Related articles + +- Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🤝: https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell diff --git a/docs/kb/auditor/event-id-1243-in-health-log.md b/docs/kb/auditor/event-id-1243-in-health-log.md new file mode 100644 index 0000000000..1f943f89dc --- /dev/null +++ b/docs/kb/auditor/event-id-1243-in-health-log.md 
@@ -0,0 +1,72 @@ +--- +description: >- + Describes Event ID 1243 in the Health Log for SharePoint monitoring plans, + including possible error messages, causes, and step-by-step resolutions. +keywords: + - Event ID 1243 + - Health Log + - SharePoint + - site collection + - Access denied + - Configure Quotas and Locks + - Log on as a batch job + - Manage Web Site +products: + - auditor +sidebar_label: Event ID 1243 in Health Log +tags: [] +title: "Event ID 1243 in Health Log" +knowledge_article_id: kA00g000000H9cXCAS +--- + +# Event ID 1243 in Health Log + +## Symptoms + +One of the following error messages under Event ID 1243 `Unable to process events from site collection %site_collection%` is prompted in Health Log for your SharePoint monitoring plan: + +1. Error 1: + +```text +Unable to process events from site collection %site_collection%: +Attempted to perform an unauthorized operation +``` + +2. Error 2: + +```text +Unable to process events from site collection %site_collection%: +Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) +``` + +3. Error 3: + +```text +Unable to process events from site collection %site_collection%: +Access to this Web site has been blocked +``` + +## Causes + +1. Error 1: Netwrix Auditor failed to process events from the audited site collection due to the `Adding content prevented` status. Alternatively, the Farm account or the service account for the web application pool hosting the audited site collection has been modified, and has not been granted the `Log on as a batch job` permissions in the server hosting SharePoint Central Administration. + +2. Error 2: Netwrix Auditor failed to process events from the audited site collection due to insufficient permissions for the web application hosting the target site collection. + +3. Error 3: Netwrix Auditor failed to process events from the audited site collection due to the `No Access` status. 
+ +## Resolutions + +Review the resolution for the corresponding error: + +1. Error 1: In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +2. Error 2: In SharePoint Central Administration, navigate to **Web Applications** > **%affected_application%** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. + +3. Error 3: In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +Learn more on management of the SharePoint site lock status via PowerShell in Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft: +https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell + +## Related articles + +- Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft: https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell diff --git a/docs/kb/auditor/event-id-1244-in-health-log.md b/docs/kb/auditor/event-id-1244-in-health-log.md new file mode 100644 index 0000000000..cddf92c58a --- /dev/null +++ b/docs/kb/auditor/event-id-1244-in-health-log.md 
@@ -0,0 +1,73 @@ +--- +description: >- + This article describes Event ID 1244 errors in the Health Log when Netwrix + Auditor cannot remove a SharePoint site collection from the auditing scope, + with causes and resolutions for each error variant. +keywords: + - Event ID 1244 + - Health Log + - SharePoint + - site collection + - auditing scope + - Netwrix Auditor + - Access denied + - Configure Quotas and Locks + - Manage Web Site +products: + - auditor +sidebar_label: Event ID 1244 in Health Log +tags: [] +title: "Event ID 1244 in Health Log" +knowledge_article_id: kA00g000000H9cVCAS +--- + +# Event ID 1244 in Health Log + +## Symptoms + +One of the following error messages under Event ID 1244 `Unable to remove site collection %site_collection% from the auditing scope` is prompted in Health Log for your SharePoint monitoring plan: + +1. Error 1: + +```text +Unable to remove site collection %site_collection% from the auditing scope: +Attempted to perform an unauthorized operation. +``` + +2. Error 2: + +```text +Unable to remove site collection %site_collection% from the auditing scope: +Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). +``` + +3. Error 3: + +```text +Unable to remove site collection %site_collection% from the auditing scope: +Access to this Web site has been blocked. +``` + +## Causes + +1. Error 1: Netwrix Auditor failed to remove the audited site collection from the auditing scope due to the **Adding content prevented** status. Alternatively, the Farm account or the service account for the web application pool hosting the audited site collection has been modified, and has not been granted the **Log on as a batch job** permissions in the server hosting SharePoint Central Administration. + +2. Error 2: Netwrix Auditor failed to remove the audited site collection from the auditing scope due to insufficient permissions for the web application hosting the target site collection. + +3. 
Error 3: Netwrix Auditor failed to remove the audited site collection from the auditing scope due to the **No Access** status. + +## Resolutions + +Review the resolution for the corresponding error: + +1. Error 1: In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +2. Error 2: In SharePoint Central Administration, navigate to **Web Applications** > **%affected_application%** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. + +3. Error 3: In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +Learn more on management of the SharePoint site lock status via PowerShell in [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell). + +## Related articles + +- [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell) diff --git a/docs/kb/auditor/event-id-1245-in-health-log.md b/docs/kb/auditor/event-id-1245-in-health-log.md new file mode 100644 index 0000000000..3a680b2202 --- /dev/null +++ b/docs/kb/auditor/event-id-1245-in-health-log.md 
@@ -0,0 +1,75 @@ +--- +description: >- + This article explains causes and resolutions for Event ID 1245 in the Health + Log, which reports "Unable to remove the Netwrix Auditor configuration from + site collection with %site_collection%". It helps you identify the specific + error variant and resolve SharePoint site collection lock and permission + issues. +keywords: + - Event ID 1245 + - Health Log + - SharePoint + - Netwrix Auditor + - site collection + - Configure Quotas and Locks + - E_ACCESSDENIED + - audit + - site lock +products: + - auditor +sidebar_label: Event ID 1245 in Health Log +tags: [] +title: "Event ID 1245 in Health Log" +knowledge_article_id: kA00g000000H9cWCAS +--- + +# Event ID 1245 in Health Log + +## Symptoms + +One of the following error messages under Event ID 1245 `Unable to remove the Netwrix Auditor configuration from site collection with %site_collection%` is prompted in Health Log for your SharePoint monitoring plan: + +1. Error 1: + +```text +Unable to exclude events on site collection %site_collection% from the auditing scope due to the following error: +Attempted to perform an unauthorized operation. +``` + +2. Error 2: + +```text +Unable to exclude events on site collection %site_collection% from the auditing scope due to the following error: +Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). +``` + +3. Error 3: + +```text +Unable to exclude events on site collection %site_collection% from the auditing scope due to the following error: +Access to this Web site has been blocked. +``` + +## Causes + +1. Error 1: Netwrix Auditor failed to exclude events from the audited site collection due to the **Adding content prevented** status. Alternatively, the Farm account or the service account for the web application pool hosting the audited site collection has been modified, and has not been granted the **Log on as a batch job** permissions in the server hosting SharePoint Central Administration. + +2. 
Error 2: Netwrix Auditor failed to exclude changes from the audited site collection due to insufficient permissions for the web application hosting the target site collection. + +3. Error 3: Netwrix Auditor failed to exclude changes from the audited site collection due to the **No Access** status. + +## Resolutions + +Review the resolution for the corresponding error: + +1. Error 1: In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +2. Error 2: In SharePoint Central Administration, navigate to **Web Applications** > **%affected_application%** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. + +3. Error 3: In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +Learn more on management of the SharePoint site lock status via PowerShell in [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🫅](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell). + +## Related articles + +- [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🫅](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell) diff --git a/docs/kb/auditor/event-id-1249-in-health-log.md b/docs/kb/auditor/event-id-1249-in-health-log.md new file mode 100644 index 0000000000..f857c66f67 --- /dev/null +++ b/docs/kb/auditor/event-id-1249-in-health-log.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Explains Event ID 1249 in the Health Log for Netwrix Auditor SharePoint + monitoring plans and provides causes and step-by-step resolutions when audit + data cannot be written to the SQL database. +keywords: + - Event ID 1249 + - Health Log + - Audit Database + - SQL Server + - permissions + - SharePoint + - Netwrix Auditor + - Data Processing Account + - ping +products: + - auditor +sidebar_label: Event ID 1249 in Health Log +tags: [] +title: "Event ID 1249 in Health Log" +knowledge_article_id: kA00g000000H9cyCAC +--- + +# Event ID 1249 in Health Log + +## Symptoms + +One of the following error messages under Event ID 1249 is prompted in the **Health Log** for your SharePoint monitoring plan: + +``` +The following error occurred when trying to write audit data to the SQL database: +The database is unreachable. +``` + +``` +The following error occurred when trying to write audit data to the SQL database: +Data Processing Account has insufficient permissions to write data to the database. +``` + +## Causes + +1. The Audit Database is unreachable. +2. The Audit Database account has insufficient permissions to write data to the database. + +## Resolutions + +- Cause #1 − Verify the SQL Server instance is reachable and the database is accessible. + + 1. Open Command Prompt. Ping the SQL server the audit data is stored: + + ```bash + ping %SQL_server_IP_or_fqdn% + ``` + 2. In the SQL server, start SQL Server Management Studio, connect to the instance, and make sure the Audit Database exists. + + > **NOTE:** To establish the name of the Audit Database, click **Edit settings** in the monitoring plan view > review the database name in the **Audit Database** tab. + +- Cause #2 − Verify the Data Collecting Account has the correct permissions to write to the Audit Database. 
Refer to the following article for additional information: /docs/auditor/10.6/auditor/admin-guide/settings (Audit Database − Configure Default SQL Server Settings · v10.6). + +## Related articles + +- Audit Database − Configure Default SQL Server Settings · v10.6 + /docs/auditor/10.6/auditor/admin-guide/settings diff --git a/docs/kb/auditor/event-id-1250-in-health-log.md b/docs/kb/auditor/event-id-1250-in-health-log.md new file mode 100644 index 0000000000..b7be8a92cc --- /dev/null +++ b/docs/kb/auditor/event-id-1250-in-health-log.md @@ -0,0 +1,41 @@ +--- +description: >- + Health Log shows Event ID 1250 when a SharePoint web application URL in a + monitoring plan is invalid. This article explains the cause and steps to + correct the URL in the monitoring plan. +keywords: + - Event ID 1250 + - Health Log + - SharePoint + - monitoring plan + - web application URL + - Netwrix Auditor + - Specific SharePoint objects + - error + - troubleshooting +products: + - auditor +sidebar_label: Event ID 1250 in Health Log +tags: [] +title: "Event ID 1250 in Health Log" +knowledge_article_id: kA00g000000H9ciCAC +--- + +# Event ID 1250 in Health Log + +## Symptom + +The following error message under Event ID 1250 is prompted in Health Log for your SharePoint monitoring plan: + +```text +Web application %URL% cannot be found. +``` + +## Cause + +An invalid web application URL was specified during monitoring plan creation. + +## Resolution + +1. Navigate to **Monitoring Plans** > select the **`%affected_SP_monitoring_plan%`** and click **Edit** > click **Edit item** in the right pane. +2. In the **Changes** tab, verify the affected web application URL under the **Specific SharePoint objects** section. Make sure the web application has not been deleted from the audited SharePoint farm. diff --git a/docs/kb/auditor/event-id-1251-1254-1256-1258-in-health-log.md b/docs/kb/auditor/event-id-1251-1254-1256-1258-in-health-log.md new file mode 100644 index 0000000000..ab692343db 
--- /dev/null +++ b/docs/kb/auditor/event-id-1251-1254-1256-1258-in-health-log.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Lists Event IDs 1251–1254 and 1256–1258 that may appear in the Health Log for + a SharePoint monitoring plan and provides causes and resolutions. +keywords: + - SharePoint + - Health Log + - Event ID + - 1251 + - 1252 + - 1253 + - 1254 + - Netwrix Auditor + - site collection +products: + - auditor +sidebar_label: 'Event ID 1251 - 1254, 1256 - 1258 in Health Log' +tags: [] +title: 'Event ID 1251 - 1254, 1256 - 1258 in Health Log' +knowledge_article_id: kA00g000000H9cUCAS +--- + +# Event ID 1251 - 1254, 1256 - 1258 in Health Log + +## Symptoms + +Either of the following error messages under the Event is prompted in Health Log for your SharePoint monitoring plan: + +``` +Netwrix Auditor has been unable to add an object to the auditing scope due to one of the following errors on your SharePoint server +``` + +- `1251 − Unable to find web application %affected_web_application%` +- `1252 − Unable to get a list of web applications from the audited SharePoint farm` +- `1253 − Unable to find the parent web application for site collection %affected_site_collection%` +- `1254 − Unable to find the parent web application %affected_web_application%` +- `1256 − Unable to find site collection %affected_site_collection% due to the following error` +- `1257 − Unable to get a list of web applications from the audited SharePoint farm` +- `1258 − Unable to find the Central Administration web application` + +## Causes + +1. `Access to the affected web site has been blocked` +2. `Access is denied (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))` +3. `Some or all identity references could not be translated` +4. `Wrong URL was added to the auditing scope or the object available by this link is invalid` + +## Resolutions + +1. Cause #1 − In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_web_application%**, and change the status to **Not locked**. +2. 
Cause #2 − In SharePoint Central Administration, navigate to **Web Applications** > **%affected_web_application%** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. +3. Cause #3 − This error could be caused by the account running SharePoint service or SharePoint WebApplication Pool removed from the AD domain but left in the service accounts portion of SharePoint. Remove this account from SharePoint service accounts, or join it back to the domain. +4. Cause #4 − Verify the Administration URL − Edit the Item URL via **Monitoring Plans** > select %SharePoint_plan% > **Edit** > select the item and click **Edit item** > modify the SharePoint Central Administration URL > click **Save & Close**. + +Learn more on management of the SharePoint site lock status via PowerShell in [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell). + +## Related articles + +- [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell) diff --git a/docs/kb/auditor/event-id-1255-in-health-log.md b/docs/kb/auditor/event-id-1255-in-health-log.md new file mode 100644 index 0000000000..4311f58e77 --- /dev/null +++ b/docs/kb/auditor/event-id-1255-in-health-log.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Explains Event ID 1255 ("Site collection %URL% cannot be found.") in the + Health Log for a SharePoint monitoring plan and provides causes and steps to + resolve it. +keywords: + - Event ID 1255 + - Health Log + - SharePoint + - site collection + - monitoring plan + - Locked — No Access + - Configure Quotas and Locks + - Not locked + - Monitoring Plans +products: + - auditor +sidebar_label: Event ID 1255 in Health Log +tags: [] +title: "Event ID 1255 in Health Log" +knowledge_article_id: kA00g000000H9ckCAC +--- + +# Event ID 1255 in Health Log + +## Symptom + +The following error message under Event ID 1255 is prompted in Health Log for your SharePoint monitoring plan: + +```text +Site collection %URL% cannot be found. +``` + +## Causes + +1. An invalid site collection URL was specified during the monitoring plan creation. +2. The affected site collection has the **Locked — No Access** status. + +## Resolution + +- Cause #1 + 1. Navigate to **Monitoring Plans**. + 2. Select the **%affected_SP_monitoring_plan%** and click **Edit**. + 3. Click **Edit item** in the right pane. + 4. In the **Changes** tab, verify the affected collection URL under the **Specific SharePoint objects** section. + +- Cause #2 + 1. In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks**. + 2. Select **%affected_collection%** and change the status to **Not locked**. diff --git a/docs/kb/auditor/event-id-1259-in-health-log.md b/docs/kb/auditor/event-id-1259-in-health-log.md new file mode 100644 index 0000000000..246487d25f --- /dev/null +++ b/docs/kb/auditor/event-id-1259-in-health-log.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Explains Event ID 1259 in the Health Log for a SharePoint monitoring plan, its + cause, and how to restart data collection to resolve the issue. +keywords: + - Event ID 1259 + - Health Log + - SharePoint + - Monitoring plan + - Data collection + - Netwrix Auditor + - snapshot + - error +products: + - auditor +sidebar_label: Event ID 1259 in Health Log +tags: [] +title: "Event ID 1259 in Health Log" +knowledge_article_id: kA00g000000H9clCAC +--- + +# Event ID 1259 in Health Log + +## Symptom + +The following error message under Event ID 1259 is prompted in Health Log for your SharePoint monitoring plan: + +``` +Unable to report changes correctly, as the previous configuration snapshot has been removed or is partially invalid +``` + +## Cause + +This issue occurs when you launch the data collection manually while the initial data collection process is already in progress after creating the monitoring plan. This has led to data collection failure. + +## Resolution + +Restart the data collection: + +1. In the main **Netwrix Auditor** menu, select **Monitoring Plans** +2. Select ` %SharePoint_plan% ` +3. Click **Edit** +4. Click **Update** diff --git a/docs/kb/auditor/event-id-1260-1266-in-health-log.md b/docs/kb/auditor/event-id-1260-1266-in-health-log.md new file mode 100644 index 0000000000..f2b1263f2b --- /dev/null +++ b/docs/kb/auditor/event-id-1260-1266-in-health-log.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Netwrix Auditor SharePoint monitoring may log Event ID 1260–1266 when + configuration snapshots fail; this article describes possible causes and + resolutions to restore correct reporting of farm, web application, site + collection, feature, solution, permission policy, and server configuration + snapshots. +keywords: + - SharePoint + - Health Log + - Event ID 1260 + - configuration snapshot + - site collection + - web application + - E_ACCESSDENIED + - site lock +products: + - auditor +visibility: public +sidebar_label: Event ID 1260 − 1266 in Health Log +tags: [] +title: "Event ID 1260 − 1266 in Health Log" +knowledge_article_id: kA00g000000H9cOCAS +--- + +# Event ID 1260 − 1266 in Health Log + +## Symptom + +You may see any of the following error messages under Event ID 1260, 1261, 1262, 1263, 1264, 1265, and 1266 in the Health Log for your SharePoint monitoring plan. + +## Causes and Resolutions + +Refer to the following possible causes and resolutions: + +Event descriptions: +- 1260 − Unable to make the configuration snapshot of SharePoint farm %affected_Shapoint_farm% due to the following error: %error%. As a result, changes to the farm properties, features and solutions may not be reported correctly. +- 1261 − Unable to make the configuration snapshot of web application %affected_web_application%. +- 1262 − Unable to make the configuration snapshot of site collection %affected_site_collection%. +- 1263 − Unable to make the configuration snapshot for feature %ID%. +- 1264 − Unable to make the configuration snapshot of solution %ID%. +- 1265 − Unable to make the configuration snapshot of permission policy %ID% for web application %affected_web_application%. +- 1266 − Unable to make the configuration snapshot of server %affected_server%. + +Cause: +- Access to the affected web site has been blocked. +- Access is denied (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). 
+- Some or all identity references could not be translated. + +**Resolution:** +Refer to the following resolutions depending on the cause: +- In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_web_application%**, and change the status to **Not locked**. +- In SharePoint Central Administration, navigate to **Web Applications** > **%affected_web_application%** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. +- This error could be caused by the account running SharePoint service or SharePoint WebApplication Pool removed from the AD domain but left in the service accounts portion of SharePoint. Remove this account from SharePoint service accounts, or join it back to the domain. + +Learn more on management of the SharePoint site lock status via PowerShell in Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft (https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell). + +## Related articles + +- Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft (https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell) diff --git a/docs/kb/auditor/event-id-1267-1273-in-health-log.md b/docs/kb/auditor/event-id-1267-1273-in-health-log.md new file mode 100644 index 0000000000..c7a4088400 --- /dev/null +++ b/docs/kb/auditor/event-id-1267-1273-in-health-log.md 
@@ -0,0 +1,64 @@ +--- +description: >- + Explains Event ID 1267–1273 messages that appear in the Health Log for + SharePoint monitoring plans, lists possible causes, and provides resolutions. +keywords: + - SharePoint + - Health Log + - Event ID 1267 + - Event ID 1273 + - monitoring plan + - site lock + - access denied + - snapshot invalid +products: + - auditor +sidebar_label: Event ID 1267 − 1273 in Health Log +tags: [] +title: "Event ID 1267 − 1273 in Health Log" +knowledge_article_id: kA00g000000H9cRCAS +--- + +# Event ID 1267 − 1273 in Health Log + +## Symptoms + +Either of the following error messages under Event ID 1267, 1268, 1269, 1270, 1271, 1272, and 1273 is prompted in Health Log for your SharePoint monitoring plan. + +## Causes and Resolutions + +Refer to the following possible causes and resolutions: + +### Event descriptions + +- 1267 − Unable to report changes to SharePoint farm ` %affected_Shapoint_farm% ` correctly, as the current, previous, or both snapshots are partially invalid. +- 1268 − Unable to report changes to web application `` correctly as the current, previous, or both snapshots are partially invalid. +- 1269 − Unable to report changes to site collection `` correctly as the current, previous, or both snapshots are partially invalid. +- 1270 − Unable to report changes to feature `` correctly as the current, previous, or both snapshots are partially invalid. +- 1271 − Unable to report changes to solution `` correctly as the current, previous, or both snapshots are partially invalid. +- 1272 − Unable to report changes to permission policy `` correctly as the current, previous, or both snapshots are partially invalid. +- 1273 − Unable to report changes to server `` correctly as the current, previous, or both snapshots are partially invalid. + +### Possible causes + +- Access to the affected web site has been blocked. +- Access is denied (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). 
+- Some or all identity references could not be translated. +- The previous data collection completed with an error. + +### Resolutions + +Refer to the following resolutions depending on the cause: + +- In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **`%affected_web_application%`**, and change the status to **Not locked**. +- In SharePoint Central Administration, navigate to **Web Applications** > **`%affected_web_application%`** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. +- This error could be caused by the account running SharePoint service or SharePoint WebApplication Pool removed from the AD domain but left in the service accounts portion of SharePoint. Remove this account from SharePoint service accounts, or join it back to the domain. +- Navigate to **Monitoring Plans** > select the **`%affected_monitoring_plan%`** and click **Edit** > click **Update**. + +Learn more on management of the SharePoint site lock status via PowerShell in Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🤝: +https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell + +## Related articles + +- Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🤝 + https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell diff --git a/docs/kb/auditor/event-id-1274-in-health-log.md b/docs/kb/auditor/event-id-1274-in-health-log.md new file mode 100644 index 0000000000..f5baad43d1 --- /dev/null +++ b/docs/kb/auditor/event-id-1274-in-health-log.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Describes causes and resolutions for Event ID 1274 in the Health Log when + Netwrix Auditor cannot detect the forest hosting a monitored SharePoint farm, + including related events and troubleshooting steps. +keywords: + - Event ID 1274 + - Health Log + - SharePoint + - Netwrix Auditor + - global catalog + - AD group membership + - Event ID 1204 + - Event ID 1205 +products: + - auditor +sidebar_label: Event ID 1274 in Health Log +tags: [] +title: "Event ID 1274 in Health Log" +knowledge_article_id: kA00g000000H9cqCAC +--- + +# Event ID 1274 in Health Log + +## Symptom + +The following error message under Event ID 1274 is prompted in Health Log for your SharePoint monitoring plan: + +```text +The following error occurred when trying to launch the component responsible for collecting AD group membership, +because the product is unable to detect the forest where the audited SharePoint farm is located. +``` + +## Causes + +- Cause #1 − Netwrix Auditor was unable to detect the forest where your SharePoint farm is hosted. There is no network connection to your SharePoint farm. +- Cause #2 − Event ID 1274 could be prompted along with other errors: + - EventID 1204 − `Unable to establish connection to the remote WebService` + - EventID 1205 − `The following unexpected error has occurred: %error%` +- Cause #3 − The global catalog domain controller of the SharePoint farm domain was unreachable during the scheduled data collection process. + +## Resolution + +- Cause #1 − Verify the **SharePoint Central Administration** site is reachable by opening the URL in a browser. +- Cause #2 − Refer to the following articles for additional information: + - Event ID 1204 in Health Log: /docs/kb/auditor/event_id_1204_in_health_log + - Event ID 1205 in Health Log: /docs/kb/auditor/event_id_1205_in_health_log +- Cause #3 − Verify the global catalog domain controller is reachable. 
+ +## Related articles + +- Event ID 1204 in Health Log: /docs/kb/auditor/event_id_1204_in_health_log +- Event ID 1205 in Health Log: /docs/kb/auditor/event_id_1205_in_health_log diff --git a/docs/kb/auditor/event-id-1275-in-health-log.md b/docs/kb/auditor/event-id-1275-in-health-log.md new file mode 100644 index 0000000000..e4664a8b67 --- /dev/null +++ b/docs/kb/auditor/event-id-1275-in-health-log.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Event ID 1275 indicates that the SharePoint Core Service for Netwrix Auditor + has been removed from the SharePoint Central Administration server. This + article explains the cause and how to let Netwrix Auditor redeploy the service + automatically or how to install it manually. +keywords: + - Event ID 1275 + - SharePoint Core Service + - Health Log + - Netwrix Auditor + - Monitoring Plans + - Data collection + - SharePoint +products: + - auditor +sidebar_label: Event ID 1275 in Health Log +tags: [] +title: "Event ID 1275 in Health Log" +knowledge_article_id: kA00g000000H9d4CAC +--- + +# Event ID 1275 in Health Log + +## Symptom + +The following error message under Event ID 1275 is prompted in Health Log for your SharePoint monitoring plan: + +```text +The Netwrix Auditor for SharePoint Core Service must have been removed +``` + +## Cause + +Netwrix Auditor for SharePoint Core Service has been removed from the SharePoint Central Administration server. + +## Resolutions + +- Netwrix Auditor will deploy SharePoint Core Service automatically on the next data collection. To run the data collection, navigate to the affected SharePoint plan via **Monitoring Plans** > select the affected SharePoint plan and click **Edit** > click **Update** under the **Monitoring Plan** section. + +- To manually install SharePoint Core Service, refer to the following article: /docs/auditor/10.6/auditor/installation (Installation − Install for SharePoint Core Service · v10.6). + +## Related articles + +- Installation − Install for SharePoint Core Service · v10.6: /docs/auditor/10.6/auditor/installation diff --git a/docs/kb/auditor/event-id-1276-in-health-log.md b/docs/kb/auditor/event-id-1276-in-health-log.md new file mode 100644 index 0000000000..e5f27bb475 --- /dev/null +++ b/docs/kb/auditor/event-id-1276-in-health-log.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Health Log for a SharePoint monitoring plan can show error messages under + Event ID 1259 related to SharePoint audit configuration, SQL Server access, + and operation timeouts. This article lists the possible causes and resolutions + for those errors. +keywords: + - Event ID 1276 + - Event ID 1259 + - Health Log + - SharePoint audit + - SharePoint Core Service + - Central Administration + - SharePoint_Config + - SQL Server + - timeout +products: + - auditor +sidebar_label: Event ID 1276 in Health Log +tags: [] +title: "Event ID 1276 in Health Log" +knowledge_article_id: kA00g000000H9coCAC +--- + +# Event ID 1276 in Health Log + +## Symptom + +One of the following error messages under Event ID 1259 is prompted in Health Log for your SharePoint monitoring plan: + +1. Error #1 − `Unable to verify if SharePoint audit was configured correctly due to the following error: There was no endpoint listening at %Central_Administration_URL%/_vti_bin/Netwrix/ConfigurationService.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.` +2. Error #2 − `Unable to verify if SharePoint audit was configured correctly due to the following error: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - No connection could be made because the target machine actively refused it.)` +3. Error #3 − `Unable to verify if SharePoint audit was configured correctly due to the following error: Cannot open database "SharePoint_Config" requested by the login. The login failed. Login failed for user 'username'.`" +4. 
Error #4 − `Unable to verify if SharePoint audit was configured correctly due to the following error: "The request channel timed out while waiting for a reply after 01:00:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.` + +## Causes + +1. Error #1 − Netwrix Auditor for SharePoint Core Service was uninstalled. +2. Error #2 − The SQL Server instance hosting SharePoint configuration database is inaccessible. +3. Error #3 − The SharePoint configuration database is offline, or the user acting as Farm Account does not have the required rights and permissions to access the configuration database. +4. Error #4 − The timeout (1 hour by default) for the audit configuration operation has expired. + +## Resolutions + +1. Error #1 − Verify Netwrix Auditor for SharePoint Core Service is still installed in the SharePoint Central Administration server. For additional information on installation, refer to the following article: /docs/auditor/10.6/auditor/installation (Installation − Install for SharePoint Core Service · v10.6). +2. Error #2 − Verify the SQL Server hosting the SharePoint configuration database is accessible, and that the audited SharePoint farm is operational. +3. Error #3 − Verify the configuration database is online, and that the Farm Account has the necessary rights to access the configuration database. +4. Error #4 − Verify the farm can be reached. 
It might be required to extend the timeout on a binding − learn more in Configuring Timeout Values on a Binding ⸱ Microsoft: https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/configuring-timeout-values-on-a-binding + +## Related articles + +- Installation − Install for SharePoint Core Service · v10.6: /docs/auditor/10.6/auditor/installation +- Configuring Timeout Values on a Binding ⸱ Microsoft: https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/configuring-timeout-values-on-a-binding diff --git a/docs/kb/auditor/event-id-1280-in-health-log.md b/docs/kb/auditor/event-id-1280-in-health-log.md new file mode 100644 index 0000000000..11796aaf90 --- /dev/null +++ b/docs/kb/auditor/event-id-1280-in-health-log.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Health Log shows Event ID 1280 when the Netwrix Auditor Archive Service has + stopped; start the service and restart the SharePoint monitoring plan data + collection. +keywords: + - Event ID 1280 + - Health Log + - Netwrix Auditor + - Archive Service + - services.msc + - SharePoint monitoring + - Monitoring Plans + - data collection + - Audit Archive +products: + - auditor +sidebar_label: Event ID 1280 in Health Log +tags: [] +title: "Event ID 1280 in Health Log" +knowledge_article_id: kA00g000000H9chCAC +--- + +# Event ID 1280 in Health Log + +## Symptom + +The following error message under Event ID 1280 is prompted in Health Log for your SharePoint monitoring plan: + +``` +Netwrix Auditor Server failed to save audit data to Audit Archive +``` + +## Cause + +**Netwrix Auditor Archive Service** has stopped. + +## Resolution + +Start **Netwrix Auditor Archive Service**: + +1. Open the **Services Manager** either by searching for **Services** in the Search bar, or running the `services.msc` line in the **Run** command window. +2. Locate **Netwrix Auditor Archive Service**, right-click the service and select **Start**. +3. Once the service is started, restart the data collection: + + 1. In the main **Netwrix Auditor** menu, select **Monitoring Plans**. + 2. Select your SharePoint monitoring plan and click **Edit**. + 3. Click **Update** under the **Monitoring Plan** section. diff --git a/docs/kb/auditor/event-id-1281-1282-1283-in-health-log.md b/docs/kb/auditor/event-id-1281-1282-1283-in-health-log.md new file mode 100644 index 0000000000..4d64bf0035 --- /dev/null +++ b/docs/kb/auditor/event-id-1281-1282-1283-in-health-log.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Describes the causes and resolutions for Event ID 1281, 1282, and 1283 entries + in the Health Log related to SharePoint monitoring plans, including the exact + error messages and recommended actions. +keywords: + - Event ID 1281 + - Event ID 1282 + - Event ID 1283 + - Health Log + - SharePoint monitoring + - Audit Archive + - Netwrix Auditor + - Monitoring plan + - Audit data + - ActivitySummaries +products: + - auditor +sidebar_label: 'Event ID 1281, 1282, 1283 in Health Log' +tags: [] +title: 'Event ID 1281, 1282, 1283 in Health Log' +knowledge_article_id: kA00g000000H9cnCAC +--- + +# Event ID 1281, 1282, 1283 in Health Log + +## Symptoms + +Your SharePoint monitoring plan prompts one of the following error messages under Event ID 1281, 1282, and 1283 in **Health Log**: + +```text +Event ID 1281: Failed to delete temporary files while saving audit data to Audit Archive due to the following error: %errormsg%. +``` + +```text +Event ID 1282: Netwrix Auditor Server failed to read an internal file from Audit Archive: %errormsg%. +Audit data retrieving restarted from the beginning, hence, reports and ActivitySummaries may contain duplicate data. +``` + +```text +Event ID 1283: Netwrix Auditor Server failed to read an internal file from Audit Archive: %errormsg%. +Some audit data may be missing in your Activity Summaries and reports. +``` + +## Causes + +1. The data located in the target folder is corrupted or used by another process. +2. An unexpected error occurred. + +## Resolutions + +- In case the error message contains a file name, verify the file is accessible and is not used by another process. +- Recreate your SharePoint monitoring plan. Refer to the following article for additional information on configuration of SharePoint monitoring plans: Monitoring Plans − SharePoint · v10.6. + +## Related articles + +- Monitoring Plans − SharePoint · v10.6 
diff --git a/docs/kb/auditor/event-id-1285-in-health-log.md b/docs/kb/auditor/event-id-1285-in-health-log.md new file mode 100644 index 0000000000..babcbc308f --- /dev/null +++ b/docs/kb/auditor/event-id-1285-in-health-log.md @@ -0,0 +1,41 @@ +--- +description: >- + Describes the cause and resolution for Event ID 1285 ("Web site %URL% cannot + be found") in the Health Log for a SharePoint monitoring plan. +keywords: + - Event ID 1285 + - Health Log + - SharePoint + - Monitoring plan + - Read Access + - Sites only + - Sites and subsites + - URL cannot be found +products: + - auditor +sidebar_label: Event ID 1285 in Health Log +tags: [] +title: "Event ID 1285 in Health Log" +knowledge_article_id: kA00g000000H9d9CAC +--- + +# Event ID 1285 in Health Log + +## Symptom + +The following error message under Event ID 1285 is prompted in Health Log for your SharePoint monitoring plan: + +```text +Web site %URL% cannot be found +``` + +## Cause + +Wrong URL was added to the read scope, or the object available via the URL is invalid. + +## Resolution + +1. Navigate to **Monitoring Plans** > **%affected_SharePoint_plan%** > **Edit**. +2. Select the item, and click **Edit item** in the right pane. +3. In the left pane, select **Read Access**, and select **Sites only** or **Sites and subsites** depending on the monitoring scope. +4. Add a URL for the SharePoint site you would like to monitor. Verify the URL to confirm it is valid and can be accessed via the specified URL. diff --git a/docs/kb/auditor/event-id-1286-in-health-log.md b/docs/kb/auditor/event-id-1286-in-health-log.md new file mode 100644 index 0000000000..64dc6e1bec --- /dev/null +++ b/docs/kb/auditor/event-id-1286-in-health-log.md 
@@ -0,0 +1,72 @@ +--- +description: >- + Explains causes and resolutions for "Unable to find site %URL%" errors + reported in the Health Log for SharePoint monitoring plans. +keywords: + - SharePoint + - Health Log + - Event ID 1244 + - Event ID 1286 + - Netwrix Auditor + - site lock + - Configure Quotas and Locks + - Access denied + - Log on as a batch job +products: + - auditor +sidebar_label: Event ID 1286 in Health Log +tags: [] +title: "Event ID 1286 in Health Log" +knowledge_article_id: kA00g000000H9d5CAC +--- + +# Event ID 1286 in Health Log + +## Symptoms + +One of the following error messages under Event ID 1244 is prompted in Health Log for your SharePoint monitoring plan: + +1. Error 1: + +``` +Unable to find site %URL% due to the following error: +Attempted to perform an unauthorized operation. +``` + +2. Error 2: + +``` +Unable to find site %URL% due to the following error: +Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). +``` + +3. Error 3: + +``` +Unable to find site %URL% due to the following error: +Access to this Web site has been blocked. +``` + +## Causes + +1. Error 1: Netwrix Auditor failed to collect changes from the audited site collection due to the **Adding content prevented** status. Alternatively, the Farm account or the service account for the web application pool hosting the audited site collection has been modified, and has not been granted the **Log on as a batch job** permissions in the server hosting SharePoint Central Administration. + +2. Error 2: Netwrix Auditor failed to collect changes from the audited site collection due to insufficient permissions for the web application hosting the target site collection. + +3. Error 3: Netwrix Auditor failed to collect changes from the audited site collection due to the **No Access** status. + +## Resolutions + +Review the resolution for the corresponding error: + +1. 
Error 1: In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +2. Error 2: In SharePoint Central Administration, navigate to **Web Applications** > **%affected_application%** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. + +3. Error 3: In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +Learn more on management of the SharePoint site lock status via PowerShell in Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft: https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell + +## Related articles + +- Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft: https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell diff --git a/docs/kb/auditor/event-id-1287-in-health-log.md b/docs/kb/auditor/event-id-1287-in-health-log.md new file mode 100644 index 0000000000..b438cd7a84 --- /dev/null +++ b/docs/kb/auditor/event-id-1287-in-health-log.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Describes Event ID 1287 in the Health Log that indicates read-access audit + settings are not configured for a SharePoint site collection, and provides + steps to enable the required audit settings and update the monitoring plan. +keywords: + - SharePoint + - Health Log + - Event ID 1287 + - audit settings + - site collection + - monitoring plan + - read access + - audit +products: + - auditor +sidebar_label: Event ID 1287 in Health Log +tags: [] +title: "Event ID 1287 in Health Log" +knowledge_article_id: kA00g000000H9d2CAC +--- + +# Event ID 1287 in Health Log + +## Symptom + +The following error message under Event ID 1287 is prompted in Health Log for your SharePoint monitoring plan: + +``` +Audit settings for read access events in site collection %item_ID% are not configured properly. As a result, some read access events may be lost. +``` + +## Cause + +The opening or downloading documents, viewing items and lists, or viewing item properties audit is disabled for the site collection. + +## Resolution + +1. In the affected site collection, navigate to **Site Settings** > **Site Collection Administration** > **Site Collection Audit Settings**. +2. Check the **Opening or downloading documents, viewing items and lists, or viewing item properties** checkbox under the **Documents and Items** section. Save the changes. +3. Update the monitoring plan − select the affected monitoring plan, click **Edit**, and click **Update** in the right pane. + +> **NOTE:** Verify the audit settings are set to be adjusted automatically − in the SharePoint monitoring plan, click **Edit data source** and check the **Configure audit settings** checkbox. Save the changes. diff --git a/docs/kb/auditor/event-id-1288-in-health-log.md b/docs/kb/auditor/event-id-1288-in-health-log.md new file mode 100644 index 0000000000..649529fb9c --- /dev/null +++ b/docs/kb/auditor/event-id-1288-in-health-log.md 
@@ -0,0 +1,73 @@ +--- +description: >- + Explains Event ID 1288 Health Log messages for SharePoint monitoring plans and + provides causes and step-by-step resolutions for the "Unable to collect read + access events" errors. +keywords: + - Event ID 1288 + - Health Log + - SharePoint + - read access events + - site collection lock + - Access Denied + - Netwrix Auditor + - Configure Quotas and Locks + - Manage Web Site +products: + - auditor +sidebar_label: Event ID 1288 in Health Log +tags: [] +title: "Event ID 1288 in Health Log" +knowledge_article_id: kA00g000000H9d6CAC +--- + +# Event ID 1288 in Health Log + +## Symptoms + +One of the following error messages under Event ID 1288 is prompted in Health Log for your SharePoint monitoring plan: + +1. Error 1: + +``` +Unable to collect read access events from site collection %site_collection%: +Attempted to perform an unauthorized operation. +``` + +2. Error 2: + +``` +Unable to collect read access events from site collection %site_collection%: +Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). +``` + +3. Error 3: + +``` +Unable to collect read access events from site collection %site_collection%: +Access to this Web site has been blocked. +``` + +## Causes + +1. Error 1: Netwrix Auditor failed to collect read access changes from the audited site collection due to the **Adding content prevented** status. Alternatively, the Farm account or the service account for the web application pool hosting the audited site collection has been modified, and has not been granted the **Log on as a batch job** permissions in the server hosting **SharePoint Central Administration**. + +2. Error 2: Netwrix Auditor failed to collect read access changes from the audited site collection due to insufficient permissions for the web application hosting the target site collection. + +3. Error 3: Netwrix Auditor failed to collect read access changes from the audited site collection due to the **No Access** status. 
+ +## Resolutions + +Review the resolution for the corresponding error: + +1. Error 1: In **SharePoint Central Administration**, navigate to **Application Management** > **Configure Quotas and Locks** > ` %affected_site_collection% `, and change the status to **Not locked**. + +2. Error 2: In **SharePoint Central Administration**, navigate to **Web Applications** > ` %affected_application% ` > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. + +3. Error 3: In **SharePoint Central Administration**, navigate to **Application Management** > **Configure Quotas and Locks** > ` %affected_site_collection% `, and change the status to **Not locked**. + +Learn more on management of the SharePoint site lock status via PowerShell in [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🧭](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell). + +## Related articles + +- [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🧭](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell) diff --git a/docs/kb/auditor/event-id-1289-in-health-log.md b/docs/kb/auditor/event-id-1289-in-health-log.md new file mode 100644 index 0000000000..75bb8b4e5c --- /dev/null +++ b/docs/kb/auditor/event-id-1289-in-health-log.md 
@@ -0,0 +1,65 @@ +--- +description: >- + Describes Event ID 1289 entries in the Health Log for SharePoint monitoring + and provides causes and resolutions for two specific error messages related to + configuration database access and timeouts. +keywords: + - Event ID 1289 + - Health Log + - SharePoint + - configuration database + - timeout + - Netwrix Auditor + - read access events + - binding timeout +products: + - auditor +sidebar_label: Event ID 1289 in Health Log +tags: [] +title: "Event ID 1289 in Health Log" +knowledge_article_id: kA00g000000H9cjCAC +--- + +# Event ID 1289 in Health Log + +## Symptoms + +You might see one of the following error messages under Event ID 1289 in the **Health Log** for your SharePoint monitoring plan: + +1. Error 1: + +```text +An unexpected error occurred while trying to collect read access events from the audited SharePoint farm: +Details: The content type text/html; +charset=utf-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). +If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 45 bytes of the response were: +'Cannot connect to the configuration database.'.. +``` + +2. Error 2: + +```text +An unexpected error occurred while trying to collect read access events from the audited SharePoint farm: +The request change timed out while waiting for a reply after 01:00:00. +Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. +The time allotted to this operation may have been a portion of a longer timeout. +``` + +## Causes + +1. Error 1: Netwrix Auditor failed to collect data due to an unexpected error in SharePoint. The site collection configuration is corrupt, or there is no access to the SharePoint configuration database. + +2. Error 2: Netwrix Auditor failed to collect data as the timeout expired due to SharePoint settings. 
This could be caused by maintenance activity in your network, resulting in failed process requests to SharePoint. + +## Resolutions + +Review the resolution for the corresponding error: + +1. Error 1: Verify the farm can be reached and is configured correctly — refer to the following article for additional information on the initial setup: Configuration − SharePoint · v10.6. + +2. Error 2: Verify the farm can be reached. It might be required to extend the timeout on a binding — learn more in [Configuring Timeout Values on a Binding ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/configuring-timeout-values-on-a-binding). + +## Related articles + +- Configuration − SharePoint · v10.6 +- [Configuring Timeout Values on a Binding ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/configuring-timeout-values-on-a-binding) diff --git a/docs/kb/auditor/event-id-2002-the-term-get-help-is-not-recognized.md b/docs/kb/auditor/event-id-2002-the-term-get-help-is-not-recognized.md new file mode 100644 index 0000000000..0e76b80863 --- /dev/null +++ b/docs/kb/auditor/event-id-2002-the-term-get-help-is-not-recognized.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Describes Event ID 2002 'get-help' not recognized error in the Netwrix Auditor + System Health log and explains that the issue is caused by a Microsoft + Exchange cumulative update. Instructs you to upgrade to Netwrix Auditor 10.6 + build 12322 or later and includes related links. +keywords: + - Event ID 2002 + - get-help + - Exchange Server + - KB5030877 + - security update + - Netwrix Auditor + - System Health log + - Administrator Audit Logging +products: + - auditor +sidebar_label: 'Event ID 2002: The Term ''get-help'' Is Not Recogniz' +tags: [] +title: 'Event ID 2002: The Term ''get-help'' Is Not Recogniz' +knowledge_article_id: kA0Qk0000000GuPKAU +--- + +# Event ID 2002: The Term ''get-help'' Is Not Recogniz + +## Symptom + +The Netwrix Auditor System Health log contains Event ID 2002: + +```text +Error detecting Exchange Server Administrator Audit Logging Settings for dc name: +Unable to establish the connection to the Exchange Server (server name) due to the following error: +The term 'get-help' is not recognized as the name of a cmndlet, function, script file, or operating program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. +``` + +## Cause + +The issue caused by Microsoft cumulative update for multiple editions of MS Exchange. Learn more in Description of the security update for Microsoft Exchange Server 2019 and 2016: October 10, 2023 (KB5030877) ⸱ Microsoft 📝: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-october-10-2023-kb5030877-ec769ff1-f60f-411e-a7ed-b63b42a686eb + +## Resolution + +To resolve the issue, upgrade Netwrix Auditor to the version 10.6 build 12322 and above. + +### Related article: + +- Administrator Audit Logging (AAL) configuration details: /docs/kb/auditor/administrator_audit_logging_(aal)_configuration_details 
diff --git a/docs/kb/auditor/event-id-5801-in-health-log.md b/docs/kb/auditor/event-id-5801-in-health-log.md new file mode 100644 index 0000000000..1bae2949c4 --- /dev/null +++ b/docs/kb/auditor/event-id-5801-in-health-log.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Explains Event ID 5801 in the Health Log, which indicates an activity session + expired while credentials were in use, and provides possible causes and + resolutions when a resource-based policy and Netwrix Privilege Secure are + used. +keywords: + - Event ID 5801 + - health log + - session expired + - credentials rotation + - data collection + - Netwrix Auditor + - Netwrix Privilege Secure + - session timeout + - monitoring plans +products: + - auditor + - privilege-secure-access-management +sidebar_label: Event ID 5801 in Health Log +tags: [] +title: "Event ID 5801 in Health Log" +knowledge_article_id: kA0Qk0000001H3dKAE +--- + +# Event ID 5801 in Health Log + +## Symptom + +- Netwrix Auditor prompts the following error in the Health Log: + +```text +Event ID: 5801 +The activity session expired while the corresponding credentials were in use. +This might prevent credentials from rotating or result in data collection failures. +``` + +- A resource-based policy is used in Netwrix Privilege Secure. + +## Causes + +Refer to the following possible causes for the error in your environment: + +1. A data collection activity takes too long to complete. +2. Multiple parallel activities use the same credentials. + +## Resolutions + +Refer to the respective resolution for the cause in your environment: + +1. Increase the session timeout to allow the data collection to complete. Refer to the following article for additional information on connection profile setup in Netwrix Privilege Secure: /docs/privilege-secure/4.2/privilegesecure/accessmanagement/admin-guide/policy/add (Connection Profiles Page — Add COnnection Profile · v4.2). +2. Specify different credentials in the monitoring plans and data sources using Netwrix Privilege Secure accounts. Refer to the following article for the list of supported data sources: /docs/auditor/10.7/auditor/admin-guide/settings (Netwrix Auditor Settings — Netwrix Privilege Secure · v10.7). 
+ +## Related Articles + +- /docs/privilege-secure/4.2/privilegesecure/accessmanagement/admin-guide/policy/add (Connection Profiles Page — Add COnnection Profile · v4.2) +- /docs/auditor/10.7/auditor/admin-guide/settings (Netwrix Auditor Settings — Netwrix Privilege Secure · v10.7) diff --git a/docs/kb/auditor/event-id-5802-in-health-log.md b/docs/kb/auditor/event-id-5802-in-health-log.md new file mode 100644 index 0000000000..4c6b582152 --- /dev/null +++ b/docs/kb/auditor/event-id-5802-in-health-log.md @@ -0,0 +1,47 @@ +--- +description: >- + Describes Event ID 5802 in the Health Log where an activity session expires + while credentials are in use and explains how to resolve it by increasing the + session timeout. +keywords: + - Event ID 5802 + - health log + - session expired + - data collection + - Netwrix Auditor + - Netwrix Privilege Secure + - connection profile + - timeout +products: + - auditor + - privilege-secure-access-management +sidebar_label: Event ID 5802 in Health Log +tags: [] +title: "Event ID 5802 in Health Log" +knowledge_article_id: kA0Qk0000001H5FKAU +--- + +# Event ID 5802 in Health Log + +## Symptom + +- You may see the following error in the Health Log of Netwrix Auditor: + +``` +Event ID: 5802 +The activity session expired while the corresponding credentials were in use. This might result in data collection failures. +``` + +- A resource-based policy is used in Netwrix Privilege Secure for Access Management. + +## Cause + +A data collection activity takes too long to complete. + +## Resolution + +Increase the session timeout to allow the data collection to complete. Refer to the following article for additional information on connection profile setup in Netwrix Privilege Secure for Access Management: Connection Profiles Page — Add Connection Profile · v4.2. + +## Related Articles + +- Connection Profiles Page — Add Connection Profile · v4.2 
diff --git a/docs/kb/auditor/event-id-5803-in-health-log.md b/docs/kb/auditor/event-id-5803-in-health-log.md new file mode 100644 index 0000000000..326b47ecf9 --- /dev/null +++ b/docs/kb/auditor/event-id-5803-in-health-log.md @@ -0,0 +1,44 @@ +--- +description: >- + Explains Event ID 5803 in the Health Log of Netwrix Auditor and how to resolve + it when an activity session ends while the corresponding credentials were in + use. +keywords: + - Event ID 5803 + - Health Log + - Netwrix Auditor + - Netwrix Privilege Secure + - Configuration Server Service + - session terminated + - data collection failures +products: + - auditor + - privilege-secure-access-management +visibility: public +sidebar_label: Event ID 5803 in Health Log +tags: [] +title: "Event ID 5803 in Health Log" +knowledge_article_id: kA0Qk0000001GVlKAM +--- + +# Event ID 5803 in Health Log + +## Symptom + +Netwrix Auditor prompts the following error in Health Log: + +```text +Event ID: 5803 +The activity session terminated while the corresponding credentials were in use. This might result in data collection failures. +``` + +## Causes + +Refer to the following possible causes for the error message: + +- A user manually terminated the session in the Netwrix Privilege Secure for Access Management console. +- The Netwrix Auditor Configuration Server Service was restarted. + +## Resolution + +This error message informs a user of the abruptly ended session. This behavior is expected in case of a manual session termination in Netwrix Privilege Secure or an abrupt restart of the Netwrix Auditor Configuration Server Service. diff --git a/docs/kb/auditor/event-log-manager-report-service-starts-and-stops-multi-lingual-configuration.md b/docs/kb/auditor/event-log-manager-report-service-starts-and-stops-multi-lingual-configuration.md new file mode 100644 index 0000000000..793bd8d778 --- /dev/null +++ b/docs/kb/auditor/event-log-manager-report-service-starts-and-stops-multi-lingual-configuration.md 
@@ -0,0 +1,42 @@ +--- +description: >- + If your servers use a non-English language, the Event Log Manager report + "Service Starts and Stops" may show no data because the RDL template looks for + English service-state terms. This article explains how to add localized terms + to the report template and redeploy it to SSRS. +keywords: + - Event Log Manager + - Service Starts and Stops + - RDL + - SSRS + - Netwrix Auditor + - multilingual + - report template + - service state +products: + - auditor +sidebar_label: Event Log Manager Report "Service Starts and Stops +tags: [] +title: >- + Event Log Manager Report "Service Starts and Stops" Multi-Lingual + Configuration +knowledge_article_id: kA04u000000XmDcCAK +--- + +# Event Log Manager Report "Service Starts and Stops" Multi-Lingual Configuration + +## Overview +If your servers are configured in any language other than English, the Event Log Manager report "Service Starts and Stops" will not display information. This is due to the fact that the report template file is written to look for the terms `RUNNING`, `START`, or `STOP`. To fix this, replace those words with the appropriate words in the configured language. + +## Procedure +1. Navigate to the RDL file located at: + - `C:\ProgramData\Netwrix Auditor\Reports\Netwrix Auditor for Event Log\Change Reports\Service Starts and Stops.rdl` +2. Use `Control + F` to find the English words `Running`, `Start`, and `Stop`. Add the correct words in the alternative language to the string values. Example: + - `('RUNNING', 'START', 'WORD3', 'WORD4')` + - ![User-added image](./images/ka04u000000HdFvAAK.jpeg) +3. Save the file. +4. Navigate to the SSRS Report Manager URL, which you can find under **Netwrix Auditor Settings** > **Audit Database** tab. +5. Drill down through the **Netwrix Auditor Report** folder on the homepage. +6. Select the **Netwrix Auditor for Event Log** folder and then the **Change Reports** folder. +7. 
Find the **Service Starts and Stops** file and click the three dots to choose the delete option. +8. Restart the **Netwrix Auditor Management Service** and the file will be updated with the appropriate language. diff --git a/docs/kb/auditor/event-trace-session-does-not-exist-or-is-configured-incorrectly-in-windows-server-monitoring-plan.md b/docs/kb/auditor/event-trace-session-does-not-exist-or-is-configured-incorrectly-in-windows-server-monitoring-plan.md new file mode 100644 index 0000000000..7ddb124a0b --- /dev/null +++ b/docs/kb/auditor/event-trace-session-does-not-exist-or-is-configured-incorrectly-in-windows-server-monitoring-plan.md 
@@ -0,0 +1,60 @@ +--- +description: >- + You encounter Event ID 1016 errors indicating "The event trace session does + not exist or is configured incorrectly" in a Netwrix Auditor Windows Server + monitoring plan. This article explains the possible causes and steps to + resolve the issue, including adjusting event log settings and excluding + removable media/hardware from monitoring on virtual machines. +keywords: + - event trace session + - Event ID 1016 + - Windows Server + - event log + - Netwrix Auditor + - monitoring plan + - virtual machine + - removable media + - Windows Server Audit Service +products: + - auditor +sidebar_label: Event Trace Session Does Not Exist or Is Configure +tags: [] +title: "Event Trace Session Does Not Exist or Is Configured Incorrectly in Windows Server Monitoring Plan" +knowledge_article_id: kA04u00000111AJCAY +--- + +# Event Trace Session Does Not Exist or Is Configured Incorrectly in Windows Server Monitoring Plan + +## Symptom + +You've encountered the following error in Health Log for your Windows Servers monitoring plan: + +```text +Source:Windows Server Audit Service +Event ID:1016 +User:N/A +Item: %computer_name% +On %date% %time%, the following error has occurred while processing %item%: +The event trace session does not exist or is configured incorrectly +``` + +## Causes + +- Security event log settings are misconfigured. +- The affected monitored %item% server is a virtual machine. Changes monitored in the server include removable media. + +## Resolutions + +- Review event log settings — refer to the following article for additional information: Windows Server — Adjusting Event Log Size and Retention Settings ⸱ v10.7. For additional information on Windows Server audit setup, refer to the following article: Configuration — Windows Server ⸱ v10.7. + +- Review the monitored changes to system components for the affected VM server: + + 1. 
In the main **Netwrix Auditor** menu, select **Monitoring Plans**, select the monitoring plan containing the affected server, and click **Edit**. + 2. In the right pane, click **Edit data source** under the **Data source** section. + 3. Under the **Monitor changes to system components** section, uncheck the **Removable media** and **Hardware** checkboxes. Click **Save & Close**. + 4. Click **Update** under the **Monitoring plan** section. + +## Related articles + +- Windows Server — Adjusting Event Log Size and Retention Settings ⸱ v10.7 +- Configuration — Windows Server ⸱ v10.7 diff --git a/docs/kb/auditor/event_id_12371238_in_health_log.md b/docs/kb/auditor/event_id_12371238_in_health_log.md new file mode 100644 index 0000000000..540867f820 --- /dev/null +++ b/docs/kb/auditor/event_id_12371238_in_health_log.md 
@@ -0,0 +1,62 @@ +--- +description: >- + This article addresses Event ID 1237 and 1238 errors in the Health Log for SharePoint monitoring plans, detailing symptoms, causes, and resolutions. +keywords: + - Event ID 1237 + - Event ID 1238 + - Health Log + - SharePoint monitoring + - Netwrix Auditor +sidebar_label: Event ID 1237/1238 in Health Log +tags: [] +title: "Event ID 1237/1238 in Health Log" +knowledge_article_id: kA00g000000H9dDCAS +products: + - auditor +--- + +# Event ID 1237/1238 in Health Log + +## Symptoms + +One of the following error messages under Event ID 1237 or 1238 is prompted in the Health Log for your SharePoint monitoring plan: + +1. **Error 1:** + ``` + Unable to collect content/security events from site collection %name%: Attempted to perform an unauthorized operation + ``` + +2. **Error 2:** + ``` + Unable to collect content/security events from site collection %name%: Access is denied. + (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) + ``` + +3. **Error 3:** + ``` + Unable to collect content/security events from site collection %name%: Access to this Web site has been blocked. + ``` + +## Causes + +1. **Error 1:** Netwrix Auditor failed to collect content/security changes from the audited site collection due to the **Adding content prevented** status. Otherwise, the Farm account or the service account for the web application pool hosting the audited site collection has been modified and has not been granted the **Log on as a batch job** permissions in the server hosting SharePoint Central Administration. + +2. **Error 2:** Auditor failed to collect content/security changes from the audited site collection due to insufficient permissions for the web application hosting the target site collection. + +3. **Error 3:** Auditor failed to collect content/security changes from the audited site collection due to the **No Access** status. + +## Resolutions + +Review the resolution for the corresponding error: + +1. 
**Error 1:** In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +2. **Error 2:** In SharePoint Central Administration, navigate to **Web Applications** > **%affected_application%** > **User Permissions**, and verify the security settings. The minimum required permissions are **Manage Web Site**. + +3. **Error 3:** In SharePoint Central Administration, navigate to **Application Management** > **Configure Quotas and Locks** > **%affected_site_collection%**, and change the status to **Not locked**. + +Learn more about managing the SharePoint site lock status via PowerShell in [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell). + +## Related Articles + +- [Manage Lock Status for Site Collections in SharePoint Server − Manage Lock Status for Site Collection via Microsoft PowerShell ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sharepoint/sites/manage-the-lock-status-for-site-collections#manage-the-lock-status-for-a-site-collection-by-using-microsoft-powershell) \ No newline at end of file diff --git a/docs/kb/auditor/events-4624-and-4634-generated-by-service-accounts.md b/docs/kb/auditor/events-4624-and-4634-generated-by-service-accounts.md new file mode 100644 index 0000000000..ef7a8ef753 --- /dev/null +++ b/docs/kb/auditor/events-4624-and-4634-generated-by-service-accounts.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Explains why Netwrix Auditor service accounts generate Windows Security events + 4624 and 4634 on domain controllers and why many logon/logoff events appear. +keywords: + - 4624 + - 4634 + - service account + - domain controller + - logon + - logoff + - Security event log + - Netwrix Auditor + - Activity Records +products: + - auditor +sidebar_label: Events 4624 and 4634 Generated by Service Accounts +tags: [] +title: "Events 4624 and 4634 Generated by Service Accounts" +knowledge_article_id: kA04u000000wnlHCAQ +--- + +# Events 4624 and 4634 Generated by Service Accounts + +## Questions + +- Why do Netwrix Auditor service accounts access the domain controllers in the monitored environment? +- Why do service accounts create so many logon and logoff events in Security event logs? + +``` +Source: Microsoft Windows security +Event ID: 4624 +An account was successfully logged on. +Security ID: %domain%\%Auditor_service_account% +``` + +``` +Source: Microsoft Windows security +Event ID: 4634 +An account was successfully logged off. +Security ID: %domain%\%Auditor_service_account% +``` + +## Answer + +Netwrix Auditor service accounts that you specify in monitoring plans access domain controllers in your environment to collect data. The data collection occurs in short spans: a service account connects to a domain controller, collects data, and disconnects. Multiple service accounts can connect to a domain controller at the same time to ensure timely delivery of data, for example via reports or search functionality. This also allows the product to collect data before it is overwritten in environments with a high number of Activity Records — therefore, the high number of logon and logoff events is expected. diff --git a/docs/kb/auditor/exchange-server-name-instead-of-user-in-reports.md b/docs/kb/auditor/exchange-server-name-instead-of-user-in-reports.md new file mode 100644 index 0000000000..77c552d6df --- /dev/null 
+++ b/docs/kb/auditor/exchange-server-name-instead-of-user-in-reports.md 
@@ -0,0 +1,72 @@ +--- +description: >- + Netwrix Auditor may display the Exchange server name rather than the user in + the Who changed column for group membership changes when the Exchange + Administrator Audit Log LogLevel is set to None. This article explains the + cause and shows how to change the LogLevel to Verbose so the required + properties are included in audit entries. +keywords: + - Exchange + - audit log + - LogLevel + - Verbose + - Netwrix Auditor + - ModifiedProperties + - ModifiedObjectResolvedName + - Who changed +products: + - auditor +sidebar_label: Exchange Server name instead of User in reports +tags: [] +title: "Exchange Server name instead of User in reports" +knowledge_article_id: kA00g000000H9ZzCAK +--- + +# Exchange Server name instead of User in reports + +Netwrix Auditor report shows the Exchange server name instead of the user name in the **Who changed** column for group membership changes. + +## Cause + +This happens because by default the `LogLevel` parameter of the Administrator Audit Log is set to `None`, and the following properties are included in log entries: + +- `CmdletName` +- `ObjectName` +- `Parameters` (values) +- `Caller` +- `Succeeded` +- `RunDate` + +However, the data required to show the correct **Who changed** is missing because `ModifiedProperties` (old and new) and `ModifiedObjectResolvedName` properties are NOT included in the log entries when `LogLevel` is `None`. + +## Resolution + +You must change the `LogLevel` parameter from `None` to `Verbose` so the `ModifiedProperties` (old and new) and `ModifiedObjectResolvedName` properties are included in the audit log entries. + +1. Open **Exchange Management Shell**. +2. 
Run the following cmdlet to enable verbose logging: + +``` +Set-AdminAuditLogConfig -LogLevel Verbose +``` + +The output should look like this: + +```powershell +[PS] C:Windowssystem32>Set-AdminAuditLogConfig -LogLevel Verbose +WARNING: The admin audit log configuration change you specified could take up to 60 minutes to take effect. +``` + +3. After that, run the following cmdlet and check that `LogLevel` is set to `Verbose`: + +``` +Get-AdminAuditLogConfig +``` + +You should see: + +``` +LogLevel : Verbose +``` + +Once `LogLevel` is set to `Verbose`, Netwrix Auditor will receive the `ModifiedProperties` and `ModifiedObjectResolvedName` information and will be able to display the correct user in the **Who changed** column for group membership changes. diff --git a/docs/kb/auditor/expired-certificate-in-azure-app-for-microsoft-365-tenant-in-netwrix-auditor.md b/docs/kb/auditor/expired-certificate-in-azure-app-for-microsoft-365-tenant-in-netwrix-auditor.md new file mode 100644 index 0000000000..2157f96449 --- /dev/null +++ b/docs/kb/auditor/expired-certificate-in-azure-app-for-microsoft-365-tenant-in-netwrix-auditor.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains whether you need to manually reissue an expiring certificate for a + Microsoft 365 tenant monitored by Netwrix Auditor and how the application + secret affects automatic certificate reissuance. +keywords: + - Microsoft 365 + - Office 365 + - Azure AD + - Entra ID + - certificate + - expired certificate + - application secret + - Netwrix Auditor + - reissue +products: + - auditor +sidebar_label: Expired Certificate in Azure App for Microsoft 365 +tags: [] +title: "Expired Certificate in Azure App for Microsoft 365 Tenant in Netwrix Auditor" +knowledge_article_id: kA04u0000011170CAA +--- + +# Expired Certificate in Azure App for Microsoft 365 Tenant in Netwrix Auditor + +## Question + +A certificate for a Microsoft 365 (Office 365) tenant monitored by Netwrix Auditor is expiring shortly. Should you reissue the certificate manually? + +## Answer + +No. Netwrix Auditor will reissue the certificate automatically as long as the application secret is valid. Once the certificate expires, Netwrix Auditor will use the valid application secret to reissue it. If your application secret has expired, a certificate won't be issued. + +> **NOTE:** If you'd like to force the certificate reissue, you can delete the certificate from the corresponding Entra ID (Azure AD) app. + +### Related articles + +- Microsoft Entra ID — Permissions for Entra ID Auditing ⸱ v10.6 +- SharePoint Online — Permissions for SharePoint Online Auditing ⸱ v10.6 +- Exchange Online — Permissions for Exchange Online Auditing ⸱ v10.6 +- Teams — Permissions for Teams Auditing ⸱ v10.6 diff --git a/docs/kb/auditor/expiry-notifications-sent-to-some-users-only.md b/docs/kb/auditor/expiry-notifications-sent-to-some-users-only.md new file mode 100644 index 0000000000..8d62e155d5 --- /dev/null +++ b/docs/kb/auditor/expiry-notifications-sent-to-some-users-only.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains why expiry notifications are received by some users only and how + Netwrix Password Reset notification options determine which users get + notifications. +keywords: + - expiry + - password expiration + - notifications + - Netwrix Password Reset + - admin report + - reminders + - 14 + - 7 + - 3 +products: + - auditor +sidebar_label: Expiry notifications sent to some users only +tags: [] +title: "Expiry notifications sent to some users only" +knowledge_article_id: kA00g000000H9bICAS +--- + +# Expiry notifications sent to some users only + +You might see that the expiry notifications are received by some users but not all. Some users from the administrative report do not receive any notification. + +--- + +## How Netwrix Password Reset notifies users + +Netwrix Password Reset has two options for user notifications: + +- Notify a user whose password is going to expire in `X` days **every day** during `X` days. In this case all people listed in the admin report will receive a notification every day. +- Notify a user **only 3 times** on certain days, i.e., when the specified number of days is left until password expiration. By default it is `14, 7 and 3` days. In this case the admin report will still be sent every day, but only people with exactly `14, 7 or 3` days until password expiration will receive a notification. + +--- + +## Resolution + +Please make sure Netwrix Password Reset is configured correctly. Also please make sure that notifications are not considered as spam. diff --git a/docs/kb/auditor/exporting-information-on-account-lockout-events.md b/docs/kb/auditor/exporting-information-on-account-lockout-events.md new file mode 100644 index 0000000000..2b39bbf720 --- /dev/null +++ b/docs/kb/auditor/exporting-information-on-account-lockout-events.md 
@@ -0,0 +1,36 @@ +--- +description: >- + You can extract account lockout event details by parsing the `allinfo.xml` + file in the product installation directory; account names are recorded as + SIDs. For centralized collection across multiple computers, use Netwrix Event + Log Manager. +keywords: + - account lockout + - allinfo.xml + - export + - event logs + - SIDs + - Netwrix Event Log Manager + - audit + - account lockout examiner +products: + - auditor +sidebar_label: Exporting information on account lockout events +tags: [] +title: "Exporting information on account lockout events" +knowledge_article_id: kA00g000000H9THCA0 +--- + +# Exporting information on account lockout events + +Can I export information on account lockout events for audit purposes? + +--- + +The Netwrix Account Lockout Examiner console does not have an export feature. However, all lockout information is stored in the `allinfo.xml` file located in the product installation directory. It can be easily parsed by a third-party tool or script to get the required information. However account names are not stored in the `allinfo.xml`; all accounts are referred to as SIDs. + +![User-added image](images/ka04u000000HcN3_0EM700000004wrO.png) + +Netwrix also has another product called Netwrix Event Log Manager for this purpose. This product is able to collect event log entries from multiple computers across the network and centrally store all events in a central location in a compressed format. + +For more information, refer to the following link: https://www.netwrix.com/event_log_archiving_consolidation_freeware.html diff --git a/docs/kb/auditor/extended_runtime_for_0-create_schema_job_post_v12.0_upgrade.md b/docs/kb/auditor/extended_runtime_for_0-create_schema_job_post_v12.0_upgrade.md new file mode 100644 index 0000000000..9d21a3d2c6 --- /dev/null +++ b/docs/kb/auditor/extended_runtime_for_0-create_schema_job_post_v12.0_upgrade.md 
@@ -0,0 +1,53 @@ +--- +description: >- + This article addresses the extended runtime issue for the File System 0-Create Schema job after upgrading to v12.0 of Netwrix Access Analyzer. +keywords: + - Netwrix Access Analyzer + - 0-Create Schema job + - extended runtime + - data migration + - SQL commands +sidebar_label: Extended Runtime for 0-Create Schema Job +tags: [] +title: "Extended Runtime for 0-Create Schema Job Post v12.0 Upgrade" +knowledge_article_id: kA0Qk0000002TQvKAM +products: + - auditor +--- + +# Extended Runtime for 0-Create Schema Job Post v12.0 Upgrade + +## Symptom + +After upgrading Netwrix Access Analyzer (formerly Enterprise Auditor) from **v11.6** to **v12.0**, the File System `0-Create Schema` job requires significantly more time to complete. + +## Cause + +When upgrading Access Analyzer from v11.6 to v12.0, the File System `0-Create Schema` job is expected to take longer than it has in previous versions. Analysis task **18. Data Migration** is moving IDs and metadata from the `SA_FSAA_Resources` table into separate, more organized tables, then removing the original columns. It also fixes table mappings for `SA_FSAA_Trustees` and `SA_FSAA_Gates` by replacing missing values with default values if they have not been filled yet. For large environments, or environments with large amounts of File System data, this can take 12 or more hours. + +## Resolution + +1. Schedule the File System `0-Create Schema` job (no trigger needed). +2. Disable all other File System jobs in the Schedules node. +3. From the Schedules node, right-click the **`0-Create Schema`** task and select **Run**. +4. Once the **`0-Create Schema`** job has completed, re-enable all other File System tasks. + +> **IMPORTANT:** If the job runs for more than 24 hours, then proceed with the following steps: + +1. Stop the task. +2. Close the console. +3. 
Run the following commands on the SQL database: + - ```sql + ALTER TABLE SA_FSAA_ResourcesScanTypeDetails NOCHECK CONSTRAINT ALL + ``` + - ```sql + ALTER TABLE SA_FSAA_ResourceMap NOCHECK CONSTRAINT ALL + ``` +4. Once the above commands complete successfully, run the **`0-Create Schema`** task. +5. Once the job completes, run the following commands: + - ```sql + ALTER TABLE SA_FSAA_ResourcesScanTypeDetails WITH CHECK CHECK CONSTRAINT ALL + ``` + - ```sql + ALTER TABLE SA_FSAA_ResourceMap WITH CHECK CHECK CONSTRAINT ALL + ``` \ No newline at end of file diff --git a/docs/kb/auditor/failed-logon-attempts-after-recent-service-account-password-change.md b/docs/kb/auditor/failed-logon-attempts-after-recent-service-account-password-change.md new file mode 100644 index 0000000000..9aad491a9e --- /dev/null +++ b/docs/kb/auditor/failed-logon-attempts-after-recent-service-account-password-change.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Service account generates failed logon events after a password change because + collectors did not get updated credentials. This article explains how to + update the service account credentials for Event Log Manager, Inactive User + Tracker, and Netwrix Password Reset collectors. +keywords: + - failed logon + - service account + - password change + - Event Log Manager + - Inactive User Tracker + - Netwrix Password Reset + - Netwrix Auditor + - monitoring plan + - collector + - credentials +products: + - auditor +sidebar_label: Failed Logon Attempts after Recent Service Account +tags: [] +title: "Failed Logon Attempts after Recent Service Account Password Change" +knowledge_article_id: kA04u00000110m2CAA +--- + +# Failed Logon Attempts after Recent Service Account Password Change + +## Symptom + +A Netwrix Auditor service account is generating failed logon events after the recent password change. + +## Cause + +The service account password was not updated for separate collectors (Netwrix Password Reset, Event Log Manager and Inactive User Tracker) with monitoring plans set up. + +## Resolution + +A service account password is not propagated automatically in Netwrix Password Reset, Event Log Manager and Inactive User Tracker collectors. + +For Event Log Manager, Inactive User Tracker and Netwrix Password Reset: + +1. Open the corresponding application, select your monitoring plan and click **Edit**. +2. In the **General** tab, specify new credentials for your service account. + +Refer to the following screenshots for reference on service accounts credentials to be changed in case you've reset a password in Netwrix Auditor: + +![Service account credentials screenshot](images/ka04u00000117Vm_0EM4u000008M8Pe.png) 
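Review bot: The closing sentence of the Resolution in failed-logon-attempts-after-recent-service-account-password-change.md says "Refer to the following screenshots" but only one image follows, and it uses "for reference" twice in the same sentence. Either add the missing per-application screenshots or reword to the singular, for example "The following screenshot shows where the service account credentials are changed". The first Resolution sentence also repeats the Cause almost word for word, and the line "For Event Log Manager, Inactive User Tracker and Netwrix Password Reset:" lists the same three collectors a third time; one of these can be dropped.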
diff --git a/docs/kb/auditor/failed-to-collect-logons-forbidden-error-in-entra-id-monitoring-plan.md b/docs/kb/auditor/failed-to-collect-logons-forbidden-error-in-entra-id-monitoring-plan.md new file mode 100644 index 0000000000..8e934a0067 --- /dev/null +++ b/docs/kb/auditor/failed-to-collect-logons-forbidden-error-in-entra-id-monitoring-plan.md 
@@ -0,0 +1,73 @@ +--- +description: >- + Explains causes and resolutions for the 403 Forbidden error when Netwrix + Auditor fails to collect Azure (Microsoft Entra) Logons audit data for a + Microsoft Entra ID monitoring plan. +keywords: + - Microsoft Entra ID + - Azure AD + - 403 Forbidden + - logons + - monitoring plan + - Netwrix Auditor + - audit data + - permissions + - Microsoft 365 + - failed to collect +products: + - auditor +sidebar_label: Failed to Collect Logons — Forbidden Error in Entr +tags: [] +title: "Failed to Collect Logons — Forbidden Error in Entra ID Monitoring Plan" +knowledge_article_id: kA04u000001116gCAA +--- + +# Failed to Collect Logons — Forbidden Error in Entra ID Monitoring Plan + +## Symptom + +The following error is prompted in Health Log for your Microsoft Entra ID monitoring plan (formerly Azure AD monitoring plan): + +```text +Source:Azure AD Audit Service +Event ID:2002 +Computer: %Auditor_server_name% +User:N/A +Description:Monitoring Plan: %Azure_AD_monitoring_plan_name% + +The following error has occurred while processing %tenant%: + +Failed to collect Azure Logons audit data due to the following error: The remote server returned an error: (403) Forbidden. +``` + +## Causes + +- App was incorrectly configured. +- Admin consent was not granted to the Azure app. +- API permissions were not granted neither manually, nor via the app manifest. +- Logon activity collection is enabled without a purchased Premium Plan (P1 or P2) license for the Microsoft Entra ID tenant. + +## Resolutions + +- Review the app setup procedure for your monitoring plan. 
Refer to the following articles for additional information on Microsoft Entra ID, SharePoint Online, Exchange Online, and Teams correspondingly: + - /docs/auditor/10.6/auditor/configurationuration/microsoft365/microsoftentraid (Permissions for Microsoft Entra ID Auditing ⸱ v10.6) + - /docs/auditor/10.6/auditor/configurationuration/microsoft365/sharepointonline (SharePoint Online — Permissions for SharePoint Online Auditing ⸱ v10.6) + - /docs/auditor/10.6/auditor/configurationuration/microsoft365/exchangeonline (Exchange Online — Permissions for Exchange Online Auditing ⸱ v10.6) + - /docs/auditor/10.6/auditor/configurationuration/microsoft365/teams (Teams — Permissions for Teams Auditing ⸱ v10.6) + +- Disable logon activity for your monitored Microsoft 365 (Office 365) tenant: + 1. In the main **Netwrix Auditor** menu, click **Monitoring Plans**. + 2. In the left pane, select your Microsoft Entra ID monitoring plan, and click **Edit**. + 3. In the right pane, click **Edit data source** under the **Data source** section. + 4. Uncheck **Failed logons** and **Successful logons** under the **Monitor Microsoft Entra ID logon activity** section. + 5. Save the changes. + +> **NOTE:** Learn more about Microsoft Entra ID licenses in Sign up for Microsoft Entra ID P1 or P2 Editions ⸱ Microsoft: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/get-started-premium + +## Related articles + +- /docs/auditor/10.6/auditor/configurationuration/microsoft365/microsoftentraid +- /docs/auditor/10.6/auditor/configurationuration/microsoft365/sharepointonline +- /docs/auditor/10.6/auditor/configurationuration/microsoft365/exchangeonline +- /docs/auditor/10.6/auditor/configurationuration/microsoft365/teams +- https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/get-started-premium 
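Review bot: Every internal path in the Resolutions and Related articles lists of failed-to-collect-logons-forbidden-error-in-entra-id-monitoring-plan.md contains the segment "configurationuration" (for example /docs/auditor/10.6/auditor/configurationuration/microsoft365/teams), which looks like a doubled search-and-replace and will most likely not resolve. Please confirm the real directory name and turn the bare paths into Markdown links with titles, as other articles in this patch do. In Causes, "were not granted neither manually, nor via the app manifest" is a double negative; "were granted neither manually nor via the app manifest" says what is meant. The sidebar_label is also cut off at "Entr".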
diff --git a/docs/kb/auditor/failed-to-install-and-configure-netwrix-auditor-access-reviews.md b/docs/kb/auditor/failed-to-install-and-configure-netwrix-auditor-access-reviews.md new file mode 100644 index 0000000000..80cbec4e05 --- /dev/null +++ b/docs/kb/auditor/failed-to-install-and-configure-netwrix-auditor-access-reviews.md @@ -0,0 +1,38 @@ +--- +description: >- + Explains that Netwrix Auditor Access Reviews is a standalone application that + must be purchased separately and advises contacting your Account Executive to + request it. +keywords: + - Netwrix Auditor + - Access Reviews + - install + - configure + - failed installation + - licensing + - purchase + - Account Executive +products: + - auditor +sidebar_label: Failed to Install and Configure Netwrix Auditor Ac +tags: [] +title: "Failed to Install and Configure Netwrix Auditor Access Reviews" +knowledge_article_id: kA04u00000111HjCAI +--- + +# Failed to Install and Configure Netwrix Auditor Access Reviews + +## Question + +I tried to set up Netwrix Auditor Access Reviews but it was unsuccessful. How can I install and configure it? + +## Answer + +Netwrix Auditor Access Reviews operates as a standalone application and must be purchased separately. + +To request it reach out to your Account Executive. + +## Related articles + +- Application Service Account ⸱ v10.6 +- Installation Overview – Upgrade Procedure ⸱ v10.6 diff --git a/docs/kb/auditor/failed-to-login-by-user-netwrix-service-account.md b/docs/kb/auditor/failed-to-login-by-user-netwrix-service-account.md new file mode 100644 index 0000000000..e167f232c7 --- /dev/null +++ b/docs/kb/auditor/failed-to-login-by-user-netwrix-service-account.md 
@@ -0,0 +1,53 @@ +--- +description: >- + You receive the "Failed to login by user: <Netwrix service account>" error + when the Netwrix service account lacks permissions on the SQL database. This + article shows how to grant the account the required sysadmin role in SQL + Server Management Studio. +keywords: + - Netwrix + - service account + - SQL Server + - login failed + - sysadmin + - permissions + - SQL Server Management Studio + - Netwrix Auditor +products: + - auditor +sidebar_label: 'Failed to login by user: <netwrix service account>' +tags: [] +title: 'Failed to login by user: ``' +knowledge_article_id: kA00g000000H9ZYCA0 +--- + +# Failed to login by user: `<netwrix service account>` + +You receive the error message "Failed to login by user: ``". + +--- + +The Netwrix service account does not have access to login/upload data to the SQL database. + +--- + +## Resolution + +Login to SQL Server Management Studio for your SQL instance and perform the following steps: + +1. Select **Security** +2. Select **New Login** + + +*Screenshot: SQL Server Management Studio - Select Security > New Login* + +3. Enter the netwrix service account into the **Login name** field +4. Select **Server Roles** + + +*Screenshot: Enter Netwrix service account and select Server Roles* + +Check **sysadmin** role to give full access to the netwrix service account + + +*Screenshot: Check sysadmin role for the service account* diff --git a/docs/kb/auditor/failed-to-open-log.md b/docs/kb/auditor/failed-to-open-log.md new file mode 100644 index 0000000000..c2fb6b9752 --- /dev/null +++ b/docs/kb/auditor/failed-to-open-log.md 
@@ -0,0 +1,65 @@ +--- +description: >- + Describes how to resolve the "Failed to open log" error in the Event Log + Manager when collecting event logs without agent services. Provides causes and + step-by-step remediation including service, network sharing, and firewall + settings. +keywords: + - Failed to open log + - Event Log Manager + - ELM + - network path not found + - '0x80070035' + - Windows Firewall + - File and Printer Sharing + - Server service + - services.msc +products: + - auditor +sidebar_label: Failed to open log +tags: [] +title: "Failed to open log" +knowledge_article_id: kA00g000000H9bqCAC +--- + +# Failed to open log + +The following error appears in the Event Log Manager (ELM) - Summary Report: + +ERROR: Failed to open log "Log Type" (API used: NT). Error details: The network path was not found. (Error number: 0x80070035)" + +--- + +This error usually appears when ELM is configured to collect event logs without agent services (i.e. network traffic compression option is turned off). +There are several possible reasons for this error to appear: + +1. The problematic server is turned off or not accessible through the network. +2. The **Server** service is stopped on the problematic server. +3. The **File & Printer Sharing for Microsoft Networks** feature is turned off in the Local Area Connection properties. +4. The remote connection is blocked by **Windows Firewall**. + +--- + +## Resolution + +1. Make sure the problematic server is started and is accessible through the network. +2. Make sure the **Server** service is started and set to **Automatic** on the problematic server. + +![Services snap-in: Server service](images/ka04u000000HcUb_0EM7000000051QD.png) + +3. Make sure the **File and Printer Sharing for Microsoft Networks** component is enabled in the Local Area Connection properties. + +![Local Area Connection Properties: File and Printer sharing](images/ka04u000000HcUb_0EM7000000051QI.png) + +4. 
Disable the **Windows Firewall** service on the problematic server: + +- Launch the **Services** snap-in (Click Start / Run, type `services.msc` and press Enter). +- Locate the **Windows Firewall** service, stop it and set to Disable. + +Or configure the Windows Firewall exception: + +- Launch the **Group Policy Object Editor** snap-in (`gpedit.msc`) to edit the Group Policy object (GPO) that is used to manage the Windows Firewall settings in your organization. +- Expand nodes as follow: `Computer Configuration / Administrative Templates / Network / Network Connections / Windows Firewall`, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure. +- Enable the **Allow inbound file and printer sharing exception** exception. + +![Firewall Settings: Allow inbound file and printer sharing exception](images/ka04u000000HcUb_0EM7000000051QN.png) diff --git "a/docs/kb/auditor/failed_to_load_registry_hive_\342\210\222_system_cannot_find_file_specified_configuration_registry_database_is_.md" "b/docs/kb/auditor/failed_to_load_registry_hive_\342\210\222_system_cannot_find_file_specified_configuration_registry_database_is_.md" new file mode 100644 index 0000000000..40d5e48d09 --- /dev/null +++ "b/docs/kb/auditor/failed_to_load_registry_hive_\342\210\222_system_cannot_find_file_specified_configuration_registry_database_is_.md" 
@@ -0,0 +1,55 @@ +--- +description: >- + This article addresses the warning messages related to loading user registry hives in the Netwrix Auditor, detailing the symptoms, causes, and resolutions for the errors encountered. +keywords: + - registry hive + - Netwrix Auditor + - user profile + - error resolution + - configuration database +sidebar_label: Failed to Load Registry Hive +tags: [] +title: "Failed to Load Registry Hive − System Cannot Find File Specified | Configuration Registry Database Is Corrupt" +knowledge_article_id: kA00g000000H9brCAC +products: + - auditor +--- + +# Failed to Load Registry Hive − System Cannot Find File Specified | Configuration Registry Database Is Corrupt + +## Symptom + +Each data collection returns the following warning: + +``` +: : +The Add/Remove Software data provider failed to load the user registry hive on computer due to the following error: +The system cannot find the file specified. +``` + +Alternatively, the following error can be prompted in the Health Log: + +``` +The Add/Remove Software data provider failed to load the user registry hive on computer due to the following error: +The configuration registry database is corrupt. +``` + +## Cause + +The registry hive `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList` contains user profile records with **ProfileImagePath&** value missing. + +## Resolution + +The error can be resolved by performing one of the following steps: + +1. Check for deleted or disabled accounts SIDs in the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList` hive without **ProfileImagePath** value to delete them. +2. Add **ProfileImagePath** value (Expandable String Value) with an empty value to the profiles with the value missing. +3. 
Check the affected server for unknown user profiles by accessing **Control Panel** > **System** > **Advanced system settings** > **Advanced** tab > **Settings** button under the **User Profiles** section to delete them. +4. Ask the remaining users to log in to the system — a user affected by a faulty `NTUSER.DAT` won't be able to log in. +5. In case collection is not affected (e.g., the user does not appear in the registry), you can omit the error. Add the `%*,*,*Remove Software data provider failed to load the user *domain\user*%` line to the Windows Server Auditing **omiterror** list. Refer to the following article for additional information on omit lists: [How to Use Omit Lists](/docs/kb/auditor/how-to-use-omit-lists). + +Once the changes are introduced, reboot the target server. + +### Related Articles + +[How to Use Omit Lists](/docs/kb/auditor/how-to-use-omit-lists) \ No newline at end of file diff --git a/docs/kb/auditor/faq-account-lockout-examiner.md b/docs/kb/auditor/faq-account-lockout-examiner.md new file mode 100644 index 0000000000..e5c7b8ca50 --- /dev/null +++ b/docs/kb/auditor/faq-account-lockout-examiner.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Answers common questions about Netwrix Account Lockout Examiner, including how + accounts are populated, Windows Server 2008/R2 support, running as a service, + IIS requirements, WMI queries, and Help-Desk Portal licensing. +keywords: + - Account Lockout Examiner + - Netwrix + - account lockout + - Help-Desk Portal + - IIS + - WMI + - Windows Server 2008 R2 + - service + - licensing + - Win32_UserAccount +products: + - auditor +sidebar_label: FAQ Account Lockout Examiner +tags: [] +title: "FAQ Account Lockout Examiner" +knowledge_article_id: kA00g000000H9daCAC +--- + +# FAQ Account Lockout Examiner + +**Q1**: How do I populate the Account list with my users? Should I add each one individually or is there a method to add all users from a domain at once? +**A1**: Accounts are added to the list as soon as they are locked out. You do not need to populate the list. + +**Q2**: Does Account Lockout Examiner have Windows 2008/R2 Server Support? +**A2**: The last version of Account Lockout Examiner has full support for Windows Server 2008/R2 domain controllers. + +**Q3**: Can Netwrix Account Lockout Examiner run as a Windows service? +**A3**: Netwrix Account Lockout Examiner runs as a service, therefore it is not necessary to keep the program open once it has been configured. + +**Q4** Is IIS required on the machine/server where Netwrix Account Lockout Examiner is installed? +**A4**: Internet Information Services (IIS ) is only required for Netwrix Account Lockout Help-Desk Portal. If the Help-Desk Portal and Netwrix Account Lockout Examiner are installed on different computers, IIS must be installed on the computer with the Help-Desk Portal. + +**Q5**: What the WMI queries are talking to on the DCs? 
+**A5**: This queries use Windows Instrumentation management Service and requests for a) reading the security log and b) reading of account state Here are some fields that are queried: + +- Win32_UserAccount +- Win32_NTLogEvent +- __InstanceCreationEvent +- win32_process +- Win32_OperatingSystem + +**Q6**: Is a separate license required for the Netwrix Account Lockout Help-Desk Portal? +**A6**: No, you do not need a separate license. The Help-Desk portal is a part of Netwrix Account Lockout Examiner, so if you have purchased the product, the web portal goes with it. diff --git a/docs/kb/auditor/file-servers-security-descriptor-of-file-share-is-empty.md b/docs/kb/auditor/file-servers-security-descriptor-of-file-share-is-empty.md new file mode 100644 index 0000000000..0693a2da02 --- /dev/null +++ b/docs/kb/auditor/file-servers-security-descriptor-of-file-share-is-empty.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Describes Event ID 6131 "The security descriptor of the file share is empty" + and provides troubleshooting steps to restore share and NTFS permissions so + Netwrix Auditor can access the file share. +keywords: + - file share + - security descriptor + - Event ID 6131 + - share permissions + - NTFS permissions + - File Storage Audit Service + - Netwrix Auditor + - troubleshooting + - file servers +products: + - auditor +sidebar_label: File Servers — Security Descriptor of File Share I +tags: [] +title: "File Servers — Security Descriptor of File Share Is Empty" +knowledge_article_id: kA04u00000110sKCAQ +--- + +# File Servers — Security Descriptor of File Share Is Empty + +## Symptom + +Your event log contains the following entries for your Windows File Servers: + +``` +Source:File Storage Audit Service +Event ID:6131 +Snapshot processing for the server %SERVERNAME% completed with errors: +Object: \%SERVERNAME%\%FILESHARENAME%, Error: 0x80049611 The security descriptor of the file share is empty +``` + +## Cause + +The error indicates the file share Netwrix Auditor is trying to access does not have security permissions assigned to it. The issue occurs when the security settings for the file share are misconfigured or corrupted. + +## Resolution + +1. Restart your file server. A restart can resolve permission-related issues — try restarting the server to check if the error persists. + +2. Check the share permissions. Ensure the share permissions are properly configured: + 1. Right-click the affected shared folder, select **Properties**, and navigate to the **Sharing** tab. + 2. Click the **Advanced Sharing** button to verify the correct permissions are set for the intended users (e.g., the data collection account) or groups. + +3. Verify NTFS permissions. NTFS permissions control access to the files and folders within the shared folder. + 1. 
Right-click the affected shared folder, select **Properties**, and navigate to the **Security** tab. + 2. Ensure the appropriate users (e.g., the data collection account) or groups have the sufficient permissions to access the files. + +4. Verify the file share path. Log in to the Netwrix Auditor server using the data collection account for the File Server monitoring plan and try accessing the affected file server. diff --git a/docs/kb/auditor/filtering-reports-by-the-user-who-made-changes.md b/docs/kb/auditor/filtering-reports-by-the-user-who-made-changes.md new file mode 100644 index 0000000000..7a4dfdc98d --- /dev/null +++ b/docs/kb/auditor/filtering-reports-by-the-user-who-made-changes.md 
@@ -0,0 +1,31 @@ +--- +description: >- + Shows how to filter daily reports to see all changes made by a particular user + using the Advanced Reports feature and Microsoft SQL Server. +keywords: + - advanced reports + - filter reports + - user name + - Microsoft SQL Server + - Reporting Services + - daily reports + - Netwrix Auditor +products: + - auditor +sidebar_label: Filtering reports by the user who made changes +tags: [] +title: "Filtering reports by the user who made changes" +knowledge_article_id: kA00g000000H9TYCA0 +--- + +# Filtering reports by the user who made changes + +Is there a way of seeing all the changes that have been made to a particular account and reflected in the daily reports, without having to go through each report individually? + +--- + +## Answer + +Yes, with the **Advanced Reports** feature you can filter data in reports by different fields, including the **User name** field. This feature requires **Microsoft SQL Server** installed, either its full version or free version of **Microsoft SQL Express with Advanced Services**. + +For instructions on installing **Microsoft SQL Server** and configuring the **Reporting Services**, refer to the following technical article: https://www.netwrix.com/download/documents/Configuring_Microsoft_SQL_Server_Reporting_Services_Technical_Article.pdf. diff --git a/docs/kb/auditor/fine-grained-policy-and-account-expiration.md b/docs/kb/auditor/fine-grained-policy-and-account-expiration.md new file mode 100644 index 0000000000..a36bb3a5c4 --- /dev/null +++ b/docs/kb/auditor/fine-grained-policy-and-account-expiration.md 
@@ -0,0 +1,28 @@ +--- +description: >- + Explains whether Netwrix Password Reset can limit reports to users with Fine + Grained Policy settings and provides a workaround using two Managed Objects. +keywords: + - Fine Grained Policy + - account expiration + - Managed Objects + - Netwrix Password Reset + - password expiration + - FGPP + - Active Directory +products: + - auditor +sidebar_label: Fine Grained Policy and account expiration +tags: [] +title: "Fine Grained Policy and account expiration" +knowledge_article_id: kA00g000000H9TdCAK +--- + +# Fine Grained Policy and account expiration + +Can Netwrix Password Reset only report on users with the Fine Grained Policy settings enabled if you need to monitor account expiration as well? + +No — this feature is not available in the current product version. You can use the following workaround: + +1. Create a Managed Object to monitor the Fine Grained Policy users. +2. Create a separate Managed Object to monitor account expiration. diff --git a/docs/kb/auditor/fixing-reports-displaying-letters-instead-of-command-text-in-ssrs.md b/docs/kb/auditor/fixing-reports-displaying-letters-instead-of-command-text-in-ssrs.md new file mode 100644 index 0000000000..cf8f9e4193 --- /dev/null +++ b/docs/kb/auditor/fixing-reports-displaying-letters-instead-of-command-text-in-ssrs.md 
@@ -0,0 +1,51 @@ +--- +description: >- + When SSRS report toolbar icons render as text symbols, the problem is usually + Internet Explorer permissions. This article explains how to add the reporting + server to Trusted Sites and disable Protected Mode for Admins via Group Policy + to restore the command buttons. +keywords: + - SSRS + - Internet Explorer + - Trusted Sites + - Protected Mode + - Group Policy + - Netwrix + - reporting server + - toolbar icons +products: + - auditor +sidebar_label: Fixing reports displaying letters instead of command text in SSRS +tags: [] +title: "Fixing reports displaying letters instead of command text in SSRS" +knowledge_article_id: kA04u000000Tt80CAC +--- + +# Fixing reports displaying letters instead of command text in SSRS + +## Scenario +Upon opening reports, the command buttons have been replaced by text symbols and it looks similar to this: + +![Screenshot_1.png](images/ka04u000000HdFq_0EM4u0000052m0m.png) + +## Solution +The issue is with Internet Explorer's handling of permissions. To fix the issue you need to add the reporting server to the **Trusted Sites** and disable the **Protected Mode** for Admins on the Netwrix Server. + +### Adding Reporting Server to the Trusted sites +To do this, follow these steps: + +1. In **Internet Explorer**, click **Tools**, then **Internet Options**. Go to the **Security** tab. +2. In the **Select a Web content zone to specify its current security settings** box, click **Trusted Sites**, and then click **Sites**. +3. In the **Add this Web site to the zone** box, type the IP address of the Netwrix Server, and then click **Add**. +4. Click **OK** two times to accept the changes and return to Internet Explorer. + +### Disabling Protected Mode for Admins +This operation can be done using Group Policy. You need to locate the Group Policy that applies to the Admins of the Netwrix Server. To disable Protected Mode, follow these steps: + +1. 
Launch the **Group Policy Management Console** and edit a policy. +2. Expand: **User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone** +3. Double-click **Turn On Protected mode** +4. Select `ENABLED` +5. Select `DISABLED` from the PROTECTED MODE selection box. + +If this solution didn't help, please contact Netwrix Technical Support. diff --git a/docs/kb/auditor/following-event-log-settings-may-lead-to-incorrect-or-incomplete-data-in-reports.md b/docs/kb/auditor/following-event-log-settings-may-lead-to-incorrect-or-incomplete-data-in-reports.md new file mode 100644 index 0000000000..2390ff747b --- /dev/null +++ b/docs/kb/auditor/following-event-log-settings-may-lead-to-incorrect-or-incomplete-data-in-reports.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains the cause and resolution for Windows event log audit error Event ID + 1016 when event log retention is set to "Do not overwrite events (clear log + manually)". +keywords: + - Event Log + - Event ID 1016 + - Windows Server + - audit + - retention + - Group Policy + - Security Event Log + - Netwrix Auditor +products: + - auditor +sidebar_label: 'Following Event Log Settings May Lead to Incorrect or Incomplete Data in Reports' +tags: [] +title: >- + Following Event Log Settings May Lead to Incorrect or Incomplete Data in + Reports +knowledge_article_id: kA04u00000110q4CAA +--- + +# Following Event Log Settings May Lead to Incorrect or Incomplete Data in Reports + +## Symptom and Cause + +You've encountered the following Windows Server Audit Service error for the Application, Security, or System event log: + +```text +Event ID: 1016 +The following event log settings may lead to incorrect or incomplete data in reports: +The Application event log retention method. +``` + +This error is caused by incorrect event log retention settings, specifically by **Do not overwrite events (clear log manually)**. + +## Resolution + +It is required to have **Overwrite events as needed** option selected in order to allow for newer events to be audited. Check your Group Policy retention settings for the affected event log — refer to the following Netwrix Auditor article for additional information on adjusting event log retention settings: /docs/auditor/10.5/auditor/configurationuration/windowsserver diff --git a/docs/kb/auditor/freeware-license-code.md b/docs/kb/auditor/freeware-license-code.md new file mode 100644 index 0000000000..5e70b0bd74 --- /dev/null +++ b/docs/kb/auditor/freeware-license-code.md 
@@ -0,0 +1,86 @@ +--- +description: >- + Provides license keys and download links for various Netwrix freeware + utilities and explains how to enter or update the license in the applications. + Includes instructions to remedy the support and maintenance expiry message for + the listed freeware products. +keywords: + - freeware + - license + - license code + - Netwrix + - Disk Space Monitor + - Bulk Password Reset + - Service Monitor + - USB Blocker + - Power Saving Manager +products: + - auditor +visibility: public +sidebar_label: Freeware license code +tags: [] +title: "Freeware license code" +knowledge_article_id: kA00g000000H9U4CAK +--- + +# Freeware license code + +Does the product Freeware Edition require a license key to be entered? + +--- + +Yes, you can find the key on the product download page on the website or below in this article. + +**Note:** The licenses below can also be used to remedy the following error message when it pertains to the list of freeware products below: "Your support and maintenance contract expires in X day(s). You will not be able to get technical support and updates for this product until you renew your maintenance contract. Click here to renew the maintenance contract or contact your Netwrix sales representative."" + +## Bulk Password Reset + +**Bulk Password Reset** + +- License name: NetWrix Bulk Password Reset Freeware License +- License count: `1000000` +- License code: `EhEQEhoaEhEQEhoaDhITFxIS` + +Download Bulk Password Reset: https://www.netwrix.com/local_admin_bulk_password_reset_freeware.html + +## Disk Space Monitor + +**Disk Space Monitor** + +- License name: NetWrix Disk Space Monitor Freeware License +- License count: `1000000` +- License code: `EhEQEhoaEhEQEhoaEhoVEhMR>` + +To update the Disk Space Monitor license: +1. Open the application. +2. Right-click the title bar. +3. Select **About**. +4. Choose **Change License**. 
+ +Download Disk Space Monitor: https://www.netwrix.com/disk_space_monitor_freeware.html + +## USB Blocker + +**USB Blocker** + +This tool is no longer available, but Netwrix Auditor enables you to enforce control over USB device use and more for stronger data security. + +## Netwrix Service Monitor Freeware + +**Netwrix Service Monitor Freeware** + +- License name: NetWrix Service Monitor Freeware License +- License count: `1000000` +- License code: `EhEQEhoaEhEQEhoaFBQXGhIQ` + +Download Netwrix Service Monitor Freeware: https://www.netwrix.com/windows_services_monitoring_freeware.html + +## Workstation Power Saving Manager + +**Workstation Power Saving Manager** + +- License name: NetWrix Workstation Power Saving Manager Freeware License +- License count: `1000000` +- License code: `EhEQEhoaEhEQEhoaDhASFxEb` + +Download Workstation Power Saving Manager: https://www.netwrix.com/power_saving_energy_conservation_freeware.html diff --git a/docs/kb/auditor/generate-self-signed-ssl-certificate-for-ssrs.md b/docs/kb/auditor/generate-self-signed-ssl-certificate-for-ssrs.md new file mode 100644 index 0000000000..348a62f39c --- /dev/null +++ b/docs/kb/auditor/generate-self-signed-ssl-certificate-for-ssrs.md 
@@ -0,0 +1,92 @@ +--- +description: >- + Shows how to generate and deploy a self-signed SSL certificate for SQL Server + Reporting Services (SSRS) when Netwrix Auditor and SSRS are on different + servers. +keywords: + - SSRS + - SSL + - self-signed certificate + - Netwrix Auditor + - PowerShell + - Export-PFXCertificate + - Import-PfxCertificate +products: + - auditor +sidebar_label: Generate Self-signed SSL Certificate for SSRS +tags: [] +title: "Generate Self-signed SSL Certificate for SSRS" +knowledge_article_id: kA0Qk0000001HRpKAM +--- + +# Generate Self-signed SSL Certificate for SSRS + +## Overview + +Netwrix Auditor uses SQL Server Reporting Services (SSRS) to generate reports. In environments with Netwrix Auditor and SSRS installed on different servers, you should use a secure communication channel. This article covers the steps to generate self-signed certificates to use in SSRS. + +## Instructions + +> **NOTE:** If your self-signed certificate expires, it is reissued upon a reboot. + +Refer to the following steps to generate a self-signed certificate: + +1. On your SSRS server, run an elevated PowerShell instance. + +2. Create a new certificate in the local **My** store and save the created certificate to a variable for further export: + +```powershell +$Certificate = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -dnsname "%server_name%"" +``` + +Replace `%server_name%` with the FQDN of your SSRS server. + +3. Run the following line to specify the target path for the certificate: + +```powershell +$file="C:\temp\cert_for_ssrs.pfx" +``` + +> **IMPORTANT:** The target folder should exist. + +4. Run the following line to specify the password for the certificate: + +```powershell +$pwd=ConvertTo-SecureString "%CERTIFICATE_PASSWORD%" -asplainText -force +``` + +Copy the certificate password for future steps. + +5. Run the following lines to import the certificate to the trusted certificate store. 
Export the certificate using the previously created variable: + +```powershell +Export-PFXCertificate -Cert $Certificate -FilePath $file -Password $pwd +``` + +```powershell +Import-PfxCertificate -FilePath $file cert:\LocalMachine\root -Password $pwd +``` + +6. Copy the certificate file to the Netwrix Auditor host server. Run the following line in an elevated Powershell instance to specify the path to the certificate: + +```powershell +$file="C:\temp\cert_for_ssrs.pfx" +``` + +Replace the placeholder path with an actual path. + +7. Run the following lines to import the certificate to the trusted certificate store on the Netwrix Auditor server. + +```powershell +$pwd=ConvertTo-SecureString "%CERTIFICATE_PASSWORD%" -asplainText -force +``` + +```powershell +Import-PfxCertificate -FilePath $file cert:\LocalMachine\root -Password $pwd +``` + +Replace the `%CERTIFICATE_PASSWORD%` placeholder with an actual password. + +8. Import the certificate to all Netwrix Auditor client servers. Perform steps #6 and #7 on all Netwrix Auditor clients. + +> **NOTE:** If you deploy new Netwrix Auditor clients, deploy this certificate on all new servers. diff --git a/docs/kb/auditor/given-key-was-not-present-in-the-dictionary-adfs.md b/docs/kb/auditor/given-key-was-not-present-in-the-dictionary-adfs.md new file mode 100644 index 0000000000..8394668af1 --- /dev/null +++ b/docs/kb/auditor/given-key-was-not-present-in-the-dictionary-adfs.md 
@@ -0,0 +1,67 @@ +--- +description: >- + After a Windows OS upgrade on an ADFS server, you may see "Failed to retrieve + the state of windows feature. Reason: The given key was not present in the + dictionary." This article explains how to diagnose the issue and restore the + ServerComponentCache or Group Policy settings to resolve the error. +keywords: + - ADFS + - ServerComponentCache + - Get-WindowsFeature + - KeyNotFoundException + - registry + - Server Manager + - Group Policy + - ADFS Health Log + - Windows feature + - Netwrix Auditor +products: + - auditor +sidebar_label: Given Key Was Not Present in the Dictionary — ADFS +tags: [] +title: "Given Key Was Not Present in the Dictionary — ADFS" +knowledge_article_id: kA04u00000110wMCAQ +--- + +# Given Key Was Not Present in the Dictionary — ADFS + +## Symptom + +The following error appears in your ADFS Health Log after upgrading the Windows OS on your ADFS server: + +``` +Failed to retrieve the state of windows feature. +Reason: The given key was not present in the dictionary. +``` + +## Diagnosing the issue + +1. Run the following command in PowerShell on your Netwrix Auditor server to query a target ADFS server, replacing `%TARGET_NAME%` with the actual target server name: + +```powershell +Get-WindowsFeature -ComputerName %TARGET_NAME% +``` + +2. The command returns the following error: + +``` +Get-WindowsFeature The given key was not present in the dictionary. +CategoryInfo: NotSpecified: (:) [Get-WindowsFeature], KeyNotFoundException +``` + +The error indicates a Windows-related issue. + +## Causes + +- The cache `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\ServicingStorage\ServerComponentCache` registry key was corrupted. +- A faulty registry item is present in the XML file that is associated with the Group Policy registry settings. + +## Solutions + +- Recreate the `ServerComponentCache` registry key: + + 1. 
Locate the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\ServicingStorage\ServerComponentCache` registry key in **Registry Editor** on your ADFS server. + 2. Right-click the key and rename it to `ServerComponentCache.old`. + 3. Run the PowerShell command from your Netwrix Auditor server again or refresh the view in **Server Manager**. This will recreate the key and rebuild the server feature information. + +- Re-create the Group Policy and registry settings. Learn more in [Group Policy error: "The given Key was not present in the dictionary" ⸱ Microsoft 𓂸](https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/cannot-run-group-policy-modeling-wizard)." diff --git a/docs/kb/auditor/group-policy-error-is-not-in-a-valid-format.md b/docs/kb/auditor/group-policy-error-is-not-in-a-valid-format.md new file mode 100644 index 0000000000..b305644944 --- /dev/null +++ b/docs/kb/auditor/group-policy-error-is-not-in-a-valid-format.md 
@@ -0,0 +1,52 @@ +--- +description: >- + Explains causes and solutions for the "is not in a valid format" Group Policy + error referencing registry.pol files, including how to identify the affected + GPO and recovery options. +keywords: + - group policy + - GPO + - registry.pol + - dcgpofix + - sysvol + - corrupted GPO + - GPMC + - registry.pol error +products: + - auditor +sidebar_label: 'Group Policy error: is not in a valid format' +tags: [] +title: 'Group Policy error: is not in a valid format' +knowledge_article_id: kA00g000000H9bsCAC +--- + +# Group Policy error: is not in a valid format + +You may receive a Group Policy daily summary email with the error: "The file `DC01.corp..com\sysvol\corp..com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol` is not in a valid format. The file might be corrupt. Use Group Policy Object Editor to reconfigure the settings in this extension." + +--- + +The group policy is corrupted or it is not in a valid format. If you open the Group Policy Management Console (GPMC) > highlight the group policy in Summary and navigate to > **Settings** tab, most likely it will return you an error message. +![Settings](images/ka04u000000HcUd_0EM7000000051OC.png) + +--- + +## Identify the affected GPO + +First of all you need to find out the affected policy. + +In the error message `"DC01.corp..com\sysvol\corp..com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol"` — `31B2F340-016D-11D2-945F-00C04FB984F9` is the GUID of the affected group policy. To find out the GUID of a group policy open GPMC > highlight a group policy and open **Details** tab > **Unique ID** is the GUID of a GPO. +![GUID GPO](images/ka04u000000HcUd_0EM7000000051O7.png) + +There are 3 possible solutions: + +1. If you receive an error in the GPMC > GPO **Settings** you may need to restore it from a backup or create anew. +2. 
This error may also appear when you enable the **Certificate Services Client "Certificate Enrollment Policy"** policy. Please refer to the following Microsoft article regarding this issue - http://support.microsoft.com/kb/2028605 +3. Restore default domain GPOs from backup. Log on to any domain controller > open command prompt and type: `dcgpofix /target:contoso.com` (replace `contoso.com` with your domain name) For more information please refer to the following article - http://technet.microsoft.com/en-us/library/cc739095(v=ws.10).aspx + NOTE: This solution is intended for use only as a last-resort disaster-recovery tool. The customer settings will be reset. +4. If you have any Antivirus software installed on the affected domain controller please check the Virus scanning recommendations for Enterprise computers - http://www.netwrix.com/kb/1585 +5. You may also omit the errors. To do that please open the file `omitproplist_gp.txt` located in the Netwrix Auditor installation folder and put the following to the file in a new line: + `*The file * is not in a valid format and must be replaced.*` + If you didn't find a solution please refer to the following Microsoft article regarding this issue - http://support.microsoft.com/kb/814751 + +
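Review bot: In docs/kb/auditor/group-policy-error-is-not-in-a-valid-format.md, the sentence "There are 3 possible solutions" is followed by a list of five items, so either the count or the list needs correcting. The omit pattern in item 5, `*The file * is not in a valid format and must be replaced.*`, does not match the wording of the error quoted at the top of the article ("is not in a valid format. The file might be corrupt."); please confirm which message text the pattern is meant to catch. Item 5 also hides the error rather than fixing the corrupted `registry.pol`, which is worth stating so readers do not treat it as a repair. The sample host name `DC01.corp..com` has a doubled dot in both places it appears.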
diff --git a/docs/kb/auditor/group-policy-fake-changes.md b/docs/kb/auditor/group-policy-fake-changes.md new file mode 100644 index 0000000000..26daaf27b8 --- /dev/null +++ b/docs/kb/auditor/group-policy-fake-changes.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Explains why Group Policy changes may appear incorrectly in Netwrix Auditor + and how to configure a single domain controller for Group Policy collection to + avoid false changes. +keywords: + - group policy + - GPO + - domain controller + - replication + - Netwrix Auditor + - dclist.txt + - AD Change Reporter + - fake changes + - replication issue +products: + - auditor +sidebar_label: Group Policy Fake Changes +tags: [] +title: "Group Policy Fake Changes" +knowledge_article_id: kA00g000000H9c9CAC +--- + +# Group Policy Fake Changes + +You received the **Group Policy Change Report** showing some changes you do not believe you made. + +## Cause + +By default Netwrix Auditor is using the most available domain controller for the data collection. On some of the domain controllers Group Policy replication may not occur correctly. Netwrix Auditor may connect to the domain controller that has a replication issue with regards to Group Policies, hence the outdated information, and gather GPOs that contain outdated policy settings. The outdated information in gathered GPOs will be considered as a change when comparing to the previous snapshot. + +## Resolution + +To prevent this from happening, we recommend using a single domain controller for collecting Group Policy changes. + +1. Check which domain controller is currently used for Group Policy changes collection by viewing this file: + - ` %Working Folder%\AD Change Reporter\Omitlists\%domain.name%\dclist.txt` +2. By default ` %Working Folder%` is `C:\ProgramData\Netwrix Auditor`. +3. If there is more than one DC listed in that file, it means that the first DC in the list didn't respond at some point and Netwrix had to pick a new one. This could be the reason for fake changes. +4. If you know a DC which is highly available and stable, feel free to put its FQDN into that file instead of the current ones. 
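Review bot: In docs/kb/auditor/group-policy-fake-changes.md, both code spans for the working folder start with a space inside the backticks (` %Working Folder%`), which will be copied along with the path; remove the leading space. Step 2 is a note about the default location rather than an action, so it reads better folded into step 1. Step 4 should say explicitly whether the single FQDN replaces every existing entry in `dclist.txt`, since the Resolution recommends using exactly one domain controller.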
diff --git a/docs/kb/auditor/group-policy-shows-sid-instead-of-settings.md b/docs/kb/auditor/group-policy-shows-sid-instead-of-settings.md new file mode 100644 index 0000000000..71cb210690 --- /dev/null +++ b/docs/kb/auditor/group-policy-shows-sid-instead-of-settings.md 
@@ -0,0 +1,39 @@ +--- +description: >- + If your Group Policy Change report shows SIDs instead of readable settings, + the collector may have used a domain controller that did not resolve SIDs. + This article explains the cause and the logs to provide to Netwrix Technical + Support to resolve the issue. +keywords: + - group policy + - SID + - domain controller + - change report + - GPO + - Netwrix + - tracing logs + - AD Change Reporter +products: + - auditor +sidebar_label: Group Policy shows SID instead of settings +tags: [] +title: "Group Policy shows SID instead of settings" +knowledge_article_id: kA00g000000H9bnCAC +--- + +# Group Policy shows SID instead of settings + +## Symptoms +You received Group Policy Change Report showing some changes you do not believe you made. The changes of Group Policy settings look as if they were renamed from human readable text to a computer specific SID. + +## Cause +By default the product uses a domain controller for the data collection which is most available. Some of the domain controllers may not resolve the Security Identifiers (SID) correctly. The product may connect to the domain controller that does not resolve SIDs, hence it gathers the SIDs of the settings instead of their names. The SID of the group policy setting will be considered as a change when comparing to the previous snapshot. + +## Resolution +To prevent this from happening we recommend using the same domain controller for collecting Group Policy changes. + +In order to determine the domain controller that should be used, please submit a ticket to Netwrix Technical Support and provide the following information: + +1. The problematic Group Policy Change report (it should contain the date and time the report was received). +2. The Group Policy Change Reporter tracing logs (the entire content of the tracing folder) - the default location is `C:Program Files (x86)NetWrixAD Change Reporter Full VersionGPOExecTracing` +3. 
The tracing of the Active Directory Change Report module - the entire content of the `Tracing` subfolder located in the installation folder of the product. diff --git a/docs/kb/auditor/hide-and-disable-header-and-footer-in-password-expiration-notifier-emails.md b/docs/kb/auditor/hide-and-disable-header-and-footer-in-password-expiration-notifier-emails.md new file mode 100644 index 0000000000..4cef462989 --- /dev/null +++ b/docs/kb/auditor/hide-and-disable-header-and-footer-in-password-expiration-notifier-emails.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Instructions to remove or disable the header and footer that Netwrix Password + Reset sends in expiration notification emails by setting a registry DWORD. +keywords: + - Netwrix Password Reset + - Password Expiration Notifier + - HideEmailAdditionalInfo + - registry + - HKEY_LOCAL_MACHINE + - header + - footer + - email notifications + - disable +products: + - auditor +sidebar_label: Hide and Disable Header and Footer in Netwrix Password Reset Emails +tags: [] +title: "Hide and Disable Header and Footer in Netwrix Password Reset Emails" +knowledge_article_id: kA00g000000H9eVCAS +--- + +# Hide and Disable Header and Footer in Netwrix Password Reset Emails + +## Scenario + +You'd like to remove the Netwrix header and footer from emails sent to users and managers. By default, Netwrix Password Reset emails include a branded header and footer. Users may get confused by the branding, or think the email was sent by a third party and is a phishing attempt. + +## Resolution + +> **IMPORTANT:** In some cases both header and footer reset after your Netwrix Auditor instance has been upgraded to v10.6. For additional information, refer to the following article: /docs/kb/auditor/password_expiration_notifier_email_header_and_footer_reset_after_upgrade (Password Expiration Notifier Email Header and Footer Reset After Upgrade). + +1. Open Registry Editor on the Netwrix Auditor Server host. +2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Password Expiration Notifier`. +3. Right-click the **Password Expiration Notifier** hive and click **New**. +4. Select **DWORD (32-bit) Value**. + + ![New DWORD (32-bit) Value](images/ka04u00000117kD_0EM4u000008MHts.png) + +5. Name the key `HideEmailAdditionalInfo`. +6. Right-click the key and select **Modify**. +7. Set the value data to `1` (Hexadecimal). + + ![Modify DWORD value to 1](images/ka04u00000117kD_0EM4u000008MHuC.png) + +8. 
The next round of emails will be sent without the header and footer. + +> **NOTE:** If you'd like to re-enable the header and footer, simply change the value data to `0`. + +To further customize Netwrix Password Reset emails, refer to the following article: /docs/kb/auditor/customize_notifications_and_reports_in_password_expiration_notifier (Customize Notifications and Reports in Password Expiration Notifier). + +### Related articles + +- /docs/kb/auditor/customize_notifications_and_reports_in_password_expiration_notifier - Customize Notifications and Reports in Netwrix Password Reset +- /docs/kb/auditor/password_expiration_notifier_email_header_and_footer_reset_after_upgrade - Password Expiration Notifier Email Header and Footer Reset After Upgrade diff --git a/docs/kb/auditor/high-cpu-load-and-memory-usage.md b/docs/kb/auditor/high-cpu-load-and-memory-usage.md new file mode 100644 index 0000000000..7bfbbcd969 --- /dev/null +++ b/docs/kb/auditor/high-cpu-load-and-memory-usage.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Provides steps to reduce CPU and memory usage caused by the Account Lockout + Examiner service by modifying registry keys and restarting the service. +keywords: + - Account Lockout Examiner + - high CPU + - memory usage + - registry + - Readlog + - UseWatcher + - LockoutStatusRefreshPeriod + - Services.msc + - regedit + - Active Directory +products: + - auditor +sidebar_label: High CPU load and memory usage +tags: [] +title: "High CPU load and memory usage" +knowledge_article_id: kA00g000000H9TDCA0 +--- + +# High CPU load and memory usage + +Account Lockout Examiner Service causes high CPU spikes and uses up a large percent of memory. What can I do? + +## Resolution + +In order to reduce CPU load and memory usage, perform the following steps: + +1. Open the **Registry Editor** (navigate to **Start** → **Run** and type `regedit`). +2. Navigate to `HKEY_LOCAL_MACHINESOFTWARE[Wow6432Node]NetWrixAccount Lockout Examiner` (Wow6432Node only for x64 OS) +3. Locate the `Readlog` key and set its value to `0`. +4. Create a new key called `UseWatcher`, set its type to `DWORD` and value to `1`. +5. Restart the **NetWrix Account Lockout Examiner** service via **Services.msc**. + +If this does not help, set the `LockoutStatusRefreshPeriod` key value to `0`, but in this case the Account Lockout Examiner will not verify accounts status via Active Directory, so account lockouts will not be reported if a corresponding event is not found in the event log. + +![User-added image](images/ka04u000000HcN0_0EM700000004wxW.png) diff --git a/docs/kb/auditor/high-cpu-usage-on-domain-controllers.md b/docs/kb/auditor/high-cpu-usage-on-domain-controllers.md new file mode 100644 index 0000000000..bc01d814d0 --- /dev/null +++ b/docs/kb/auditor/high-cpu-usage-on-domain-controllers.md 
@@ -0,0 +1,53 @@ +--- +description: >- + After you install Account Lockout Examiner (ALE), monitored domain controllers + may show CPU spikes caused by WMI queries. This article describes two + registry-based options to reduce CPU usage by changing how ALE communicates + with domain controllers. +keywords: + - Account Lockout Examiner + - ALE + - CPU spikes + - domain controllers + - WMI + - UseWatcher + - UseWMI + - registry + - Services.msc +products: + - auditor +sidebar_label: High CPU usage on domain controllers +tags: [] +title: "High CPU usage on domain controllers" +knowledge_article_id: kA00g000000H9bjCAC +--- + +# High CPU usage on domain controllers + +After you install Account Lockout Examiner (ALE) you may see CPU spikes on monitored domain controllers. If you stop ALE, these spikes go away. + +ALE tracks for lockout events and failed logon events from the Windows security event log of domain controllers. By default it uses WMI calls that may result in high CPU usage of domain controllers. + +There are two options to fix the issue: + +1. Switch the method of communication with domain controllers. In this case ALE will stop querying domain controllers for new events in the log, but domain controllers will notify about new events themselves (WMI feature). This will reduce the number of WMI calls and, as a result, reduce CPU usage. + + In order to do this perform the following on the machine where ALE is installed: + + 1. Run **Registry Editor** (`regedit`), + 2. Go to `HKLM\Software\[Wow6432Node]\NetWrixAccount Lockout Examiner` (Wow6432Node only for x64 OS) + 3. Create a DWORD called `UseWatcher` with value `1` + 4. Restart the **Netwrix Account Lockout Examiner service** via **Services.msc** + + ![User-added image](images/ka04u000000HcUT_0EM7000000052iw.png) + +2. If the above does not help, disable usage of WMI to communicate with domain controllers. (A .Net-based mechanism will be used for it.) 
+ + In order to do this perform the following on the machine where ALE is installed: + + 1. Run **Registry Editor** (`regedit`), + 2. Go to `HKLM\Software\[Wow6432Node]\NetWrixAccount Lockout Examiner` (Wow6432Node only for x64 OS) + 3. Change the `UseWMI` value to `0` + 4. Restart the **Netwrix Account Lockout Examiner service** via **Services.msc** + + ![User-added image](images/ka04u000000HcUT_0EM7000000052jG.png) diff --git a/docs/kb/auditor/high-cpu-usage-on-remote-desktop-servers.md b/docs/kb/auditor/high-cpu-usage-on-remote-desktop-servers.md new file mode 100644 index 0000000000..a9066fa493 --- /dev/null +++ b/docs/kb/auditor/high-cpu-usage-on-remote-desktop-servers.md 
@@ -0,0 +1,63 @@ +--- +description: >- + After installing Account Lockout Examiner (ALE), remote desktop servers can + experience high CPU usage caused by the wmiprsve.exe process. This article + explains why this happens and provides two registry-based workarounds to + reduce CPU usage. +keywords: + - Account Lockout Examiner + - ALE + - wmiprsve.exe + - WMI + - high CPU + - remote desktop servers + - UseWMI_Workstations + - PF_Enabled + - Services.msc +products: + - auditor +sidebar_label: High CPU usage on remote desktop servers +tags: [] +title: "High CPU usage on remote desktop servers" +knowledge_article_id: kA00g000000H9beCAC +--- + +# High CPU usage on remote desktop servers + +After installing Account Lockout Examiner (ALE), remote desktop servers can experience increased CPU usage by the `wmiprsve.exe` process. This behavior has been traced to WMI calls originating from the server running ALE. If you stop the Netwrix Account Lockout Examiner service while the CPU is loaded, CPU usage is reduced immediately. + +## Cause + +ALE tracks lockout events and invalid logon events from the Windows security log of specified domain controllers (DCs). When ALE collects an invalid logon event from a DC, it connects to the machine where the invalid logon originated and searches that machine's security log. By default ALE uses the WMI service to connect to security logs. + +Every invalid logon event on a DC initiates a WMI query to the workstation or server where that logon occurred. If many invalid logons target the same machine, the resulting numerous WMI calls can drive up CPU usage on that machine. + +## Resolution + +There are two options you can use to reduce CPU usage. + +### Option 1 — Switch the method ALE uses to connect to security logs + +When you switch the method, ALE stops using the WMI service and uses a .NET-based mechanism instead. This change typically reduces CPU usage on the remote servers, but it may increase CPU usage on the machine running ALE. 
+ +To change this on the machine where ALE is installed: + +1. Run Registry Editor (`regedit`). +2. Go to `HKLMSoftware[Wow6432Node]NetWrixAccount Lockout Examiner (Wow6432Node only for x64 OS)` +3. Change the `UseWMI_Workstations` value to `0`. +4. Restart the Netwrix Account Lockout Examiner service via `Services.msc`. + +![User-added image](images/ka04u000000HcUO_0EM7000000052ir.png) + +### Option 2 — Disable searching for detailed info about invalid logons + +If Option 1 does not sufficiently reduce CPU usage, you can disable ALE's attempt to search for detailed information about invalid logons on workstations and servers. With this setting, ALE will only use domain controllers as the information source. Note that you will not see the name of the process that caused the invalid logon. + +To change this on the machine where ALE is installed: + +1. Run Registry Editor (`regedit`). +2. Go to `HKLMSoftware[Wow6432Node]NetWrixAccount Lockout Examiner (Wow6432Node only for x64 OS)`. +3. Create a new DWORD called `PF_Enabled` and set its value to `0`. +4. Restart the Netwrix Account Lockout Examiner service via `Services.msc`. + +![User-added image](images/ka04u000000HcUO_0EM7000000052im.png) diff --git a/docs/kb/auditor/high-memory-usage-even-after-the-readlog-registry-key-is-set-to-0.md b/docs/kb/auditor/high-memory-usage-even-after-the-readlog-registry-key-is-set-to-0.md new file mode 100644 index 0000000000..05481684a6 --- /dev/null +++ b/docs/kb/auditor/high-memory-usage-even-after-the-readlog-registry-key-is-set-to-0.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Describes how to reduce high memory usage in Account Lockout Examiner after + applying the readlog registry key by tuning registry settings and restarting + the service. +keywords: + - account lockout + - memory usage + - registry + - LockoutStatusRefreshPeriod + - InvLogonCleaningPeriod + - PF_Enabled + - readlog + - Netwrix + - Account Lockout Examiner +products: + - auditor +sidebar_label: High memory usage even after the 'readlog' registr +tags: [] +title: High memory usage even after the 'readlog' registry key is set to 0 +knowledge_article_id: kA00g000000PbdbCAC +--- + +# High memory usage even after the 'readlog' registry key is set to 0 + +Registry changes have been applied per [KB600](https://kb.netwrix.com/600) but the memory usage is still very high. + +--- + +Account Lockout Examiner tracks events from the security log and then processes them to get information, such as account name, workstation name, ip address, etc. + +These types of issues are related to very high activity in the environment - number of events to track is more than the Account Lockout Examiner service can handle and a queue builds up in memory. + +In most cases such activity is related to having several accounts (one or two "problem" accounts) that generate too many invalid logons per second. + +--- + +## Resolution + +First, try to perform additional tuning of the product via the registry. On the Account Lockout Examiner host machine: + +1. Run Registry Editor (`regedit`) +2. Go to `HKEY_LOCAL_MACHINESOFTWARE[Wow6432Node]NetWrixAccount Lockout Examiner` (Wow6432Node only for x64 OS) +3. Make sure `LockoutStatusRefreshPeriod` is `0`. +4. Set `InvLogonCleaningPeriod` value to `10` or lower (decimal) +5. Set `invLogonKeepTime` value to `10` or lower (decimal) +6. *Create DWORD called `PF_Enabled` and set its value to `0` (do this if you are not interested in name of the process causing invalid logons)* +7. 
Restart the NetWrix Account Lockout Examiner service via **Services.msc** + diff --git a/docs/kb/auditor/hklm-or-hku-error-in-windows-server-auditing-monitoring-plan.md b/docs/kb/auditor/hklm-or-hku-error-in-windows-server-auditing-monitoring-plan.md new file mode 100644 index 0000000000..4f89fba05f --- /dev/null +++ b/docs/kb/auditor/hklm-or-hku-error-in-windows-server-auditing-monitoring-plan.md @@ -0,0 +1,46 @@ +--- +description: >- + Describes and resolves Event ID 1016 'HKLM or HKU' error in the Health Log for + the Windows Server Auditing monitoring plan in Netwrix Auditor by upgrading to + build v10.7.13728 or later. +keywords: + - HKLM + - HKU + - Event ID 1016 + - Windows Server Auditing + - Health Log + - monitoring plan + - Netwrix Auditor + - v10.7.13728 + - registry data provider +products: + - auditor +sidebar_label: HKLM or HKU Error in Windows Server Auditing Monit +tags: [] +title: "HKLM or HKU Error in Windows Server Auditing Monitoring Plan" +knowledge_article_id: kA0Qk0000001JobKAE +--- + +# HKLM or HKU Error in Windows Server Auditing Monitoring Plan + +## Symptom + +Netwrix Auditor prompts the following error in the **Health Log** for the Windows Server Auditing monitoring plan: + +```text +Event ID: 1016 +Monitoring plan: %monitoring_plan_name% +Item: %server_name% +On %date_stamp%, the following error has occurred while processing %server_name%: +The collector Registry data provider failed while gathering data on the server %server_name% due to the following error: HKLM or HKU +Parameter name: path +Actual value was %value%. +``` + +## Cause + +This is a known issue fixed in the release `v10.7.13728`. + +## Resolution + +Upgrade your Netwrix Auditor instance to the build `v10.7.13728` or later. Download the latest version in [My Products · Netwrix](https://www.netwrix.com/my_products.html). 
diff --git a/docs/kb/auditor/how-are-collections-handled-after-a-network-outage.md b/docs/kb/auditor/how-are-collections-handled-after-a-network-outage.md new file mode 100644 index 0000000000..de086b4a9d --- /dev/null +++ b/docs/kb/auditor/how-are-collections-handled-after-a-network-outage.md @@ -0,0 +1,32 @@ +--- +description: >- + Explains how Netwrix Auditor handles Active Directory data collections during + a Netwrix server network outage or when Domain Controllers are offline, + including behavior when Security Logs are overwritten. +keywords: + - network outage + - Active Directory + - Security Log + - Domain Controller + - collections + - event log + - Who Changed + - Netwrix Auditor + - data loss +products: + - auditor +sidebar_label: How are collections handled after a network outage +tags: [] +title: "How are collections handled after a network outage?" +knowledge_article_id: kA00g000000H9WHCA0 +--- + +# How are collections handled after a network outage on the Netwrix server or when Domain Controllers are offline for some time? + +## Details + +Active Directory data collections run every minute. At the end of each collection, Netwrix Auditor saves the position of the last collected event and starts the next collection from the same place. + +If a Domain Controller's Security Log is not overwritten while the server is inaccessible, Netwrix Auditor will collect and process the data as soon as you turn the server back on or network connectivity is restored, and no data loss will happen. + +Note that Security Log events are not required for determining most of the changes — they are mostly used as the source of When and Who information. If the Security Log overwrites while the DC is inaccessible, or the disconnect time exceeds `6 hours`, Netwrix Auditor may report some changes with "System" in the `Who Changed` field. At the same time, a warning will be logged informing that the event log overwrites occurred. 
diff --git a/docs/kb/auditor/how-can-i-assign-a-specific-user-read-only-permissions-for-the-sql-server-reporting-services-reports.md b/docs/kb/auditor/how-can-i-assign-a-specific-user-read-only-permissions-for-the-sql-server-reporting-services-reports.md new file mode 100644 index 0000000000..022ad0ac4b --- /dev/null +++ b/docs/kb/auditor/how-can-i-assign-a-specific-user-read-only-permissions-for-the-sql-server-reporting-services-reports.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Describes how to grant a specific user read-only permissions for SQL Server + Reporting Services reports and how to assign database read access for + Netwrix-related databases. +keywords: + - SQL Server + - Reporting Services + - Report Manager + - read-only + - permissions + - db_datareader + - SQL Server Management Studio + - Netwrix +products: + - auditor +sidebar_label: How can I assign a specific user read-only permiss +tags: [] +title: "How can I assign a specific user read-only permissions for the SQL Server Reporting Services reports?" +knowledge_article_id: kA00g000000H9TfCAK +--- + +# How can I assign a specific user read-only permissions for the SQL Server Reporting Services reports? + +To grant a user read-only permissions, perform the following steps: + +1. Start **Report Manager**. +2. Depending on SQL Server you use: + - For **SQL Server 2005 (including Express)** proceed with the following: + 1. Select the **Properties** tab and click the **New Role Assignment** button. + 2. Add the user or users group name, check the **Browser** box and click **OK**. + - For **SQL Server 2008 / 2008 R2 / 2012 (including Express)** proceed with the following: + 1. Click **Site Settings** -> **Security** and select **New Role Assignment**. + 2. In **Group or user name**, specify a Windows domain user or group account in this format: `\`. Select **System User**, and then click **OK**. +3. Open **SQL Server Management Studio Express** and connect to a server. +4. Navigate to **Security**, right-click **Logins** and select **New Login**. +5. On the **General** screen, select a user or users group. +6. On the **User Mappings** screen, assign all tables related to Netwrix software the `db_datareader` role (for example `NetWrix_FS_Change_Reporter`, or `NetWrix_Event_Log_Manager` etc). 
+ +**Note:** If you are still unable to access the **Report Manager** after following this KB, add your user account to the local administrators group on the SQL server. diff --git a/docs/kb/auditor/how-can-i-decrease-number-of-events-generated-for-directory-service-access-auditing.md b/docs/kb/auditor/how-can-i-decrease-number-of-events-generated-for-directory-service-access-auditing.md new file mode 100644 index 0000000000..51ebecbcbf --- /dev/null +++ b/docs/kb/auditor/how-can-i-decrease-number-of-events-generated-for-directory-service-access-auditing.md 
@@ -0,0 +1,45 @@ +--- +description: >- + You enabled Directory Service Access auditing and configured object-level + auditing categories, but the Security event log fills quickly. This article + explains how to reduce the number of events generated for Directory Service + Access auditing by disabling unnecessary categories on the domain container. +keywords: + - directory service access + - auditing + - security event log + - Active Directory + - object-level auditing + - Netwrix Auditor + - domain controller +products: + - auditor +sidebar_label: "How can I decrease number of events generated for Directory Service Access auditing?" +tags: [] +title: >- + How can I decrease number of events generated for Directory Service Access + auditing? +knowledge_article_id: kA00g000000H9ViCAK +--- + +# How can I decrease number of events generated for Directory Service Access auditing? + +You enabled Directory Service Access auditing and configured auditing categories in accordance with Netwrix instructions, but this configuration generates a lot of events and the Security event log keeps being overwritten (even after increasing its size to 4GB). How can you decrease the number of events being generated for Directory Service Access auditing? + +Despite the fact that Netwrix Guides recommend enabling almost all categories while configuring object-level auditing, not all of them are being used by Netwrix Auditor. So, to decrease the event generation you can uncheck the unnecessary categories in default domain container auditing settings. The following steps outline how to modify domain container auditing settings and prevent the generation of unnecessary events (decrease the Security event log usage): + +## Steps + +1. Log on to any Domain Controller in the monitored domain. +2. Open **Active Directory Users and Computers**. +3. Right-click on the domain node and select **Properties**. +4. Navigate to **Security tab --> Advanced --> Audit tab**. +5. 
Select **Everyone** and click **Edit**. +6. Uncheck the following check boxes (you need to have only **SUCCESSFUL** checkboxes checked): + - **Full Control** + - **List Contents** + - **Read all properties** + - **Read permissions** + - **All extended rights** + - **Add GUID** + - And all after "Add GUID" except "Reanimate tombstones" diff --git a/docs/kb/auditor/how-do-i-enable-security-log-autobackups-on-each-domain-controller.md b/docs/kb/auditor/how-do-i-enable-security-log-autobackups-on-each-domain-controller.md new file mode 100644 index 0000000000..3fa92dc367 --- /dev/null +++ b/docs/kb/auditor/how-do-i-enable-security-log-autobackups-on-each-domain-controller.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Use the attached Security Log Autobackup.adm template to enable and configure + automatic backups of the Security event log on domain controllers using Group + Policy. +keywords: + - security log + - autobackup + - domain controller + - Group Policy + - administrative template + - Event Log + - MaxSize + - Retention + - Default Domain Controllers +products: + - auditor +sidebar_label: How do I enable security log autobackups on each d +tags: [] +title: "How do I enable security log autobackups on each domain controller?" +knowledge_article_id: kA00g000000H9UvCAK +--- + +# How do I enable security log autobackups on each domain controller? + +To do this, use the Security Log Autobackup.adm file attached to this article. Perform the following steps: + +1. Download the attached file. +2. Navigate to **Start** --> **Administrative Tools** --> **Group Policy Management** and navigate to the effective domain controllers policy (the Default Domain Controllers policy by default). +3. Right-click the policy and select **Edit** from the popup menu. +4. In the left pane, expand the **Computer Configuration** --> **Policies** node. +5. Right-click the **Administrative Templates** node and select **Add/Remove Templates...** from the popup menu. +6. In the dialog that opens, browse to the downloaded file and add it. Then click **Close**. +7. Expand the **Administrative Templates** --> **Classic Administrative Templates** --> **NetWrix** node and click on the **Event Log** node. +8. In the right pane, double-click on **Automatically enable backups of the security log file**. +9. Select **Enabled**, click the **Apply** button and then click **OK**. + +### NOTE +If you are running Windows 2003, some nodes may not be displayed after you have added an administrative template. To fix this, make sure that the **Only show policy settings that can be fully managed** option is disabled. To do this, perform the following steps: + +1. 
Navigate to **Start** --> **Administrative Tools** --> **Group Policy Management** and navigate to the effective domain controllers policy (the Default Domain Controllers policy by default). +2. Right-click the policy and select **Edit** from the popup menu. +3. In the left pane, expand the **Computer Configuration** --> **Policies** node and click on **Administrative Templates**. +4. In the main menu, select **View** --> **Filtering** and deselect the **Only show policy settings that can be fully managed** option. + +Now you will be able to manage the imported administrative template. + +If you need to change the status of security log autobackups `MaxSize`/`Retention`, perform the following steps: + +1. Download the attached file. +2. Navigate to **Start** --> **Administrative Tools** --> **Group Policy Management** and navigate to the effective domain controllers policy (the Default Domain Controllers policy by default). +3. Right-click the policy and select **Edit** from the popup menu. +4. In the left pane, expand the **Computer Configuration** --> **Policies** node. +5. Right-click the **Administrative Templates** node and select **Add/Remove Templates...** from the popup menu. +6. In the dialog that opens, browse to the downloaded file and add it. Then click **Close**. +7. Expand the **Administrative Templates** --> **Classic Administrative Templates** --> **NetWrix** node and click on the **Event Log** node. +8. In the right pane, double-click on **Automatically enable backups of the security log file**. +9. Select the **Disabled**/**Enable**, click the **Apply** button and then click **OK**. +10. Double-click on "Automatically set the "MaxSize" filed for the security log backup". Select the **Disabled**/**Enable**, click the **Apply** button and then click **OK**. +11. Double-click the "Automatically set the "Retention" filed for the security log backup. Select the **Disabled**/**Enable**, click the **Apply** button and then click **OK**. 
diff --git a/docs/kb/auditor/how-do-i-exclude-access-events-to-the-calendar-and-contacts-folders-from-product-reports.md b/docs/kb/auditor/how-do-i-exclude-access-events-to-the-calendar-and-contacts-folders-from-product-reports.md new file mode 100644 index 0000000000..78c93a2faa --- /dev/null +++ b/docs/kb/auditor/how-do-i-exclude-access-events-to-the-calendar-and-contacts-folders-from-product-reports.md @@ -0,0 +1,33 @@ +--- +description: >- + Explain how to exclude access events to the Calendar and Contacts folders from + Netwrix Auditor reports by editing the mailboxestoexclude.txt file and + ensuring the Compression service option is enabled. +keywords: + - exclude calendar access + - mailboxestoexclude.txt + - Non-owner Mailbox Access Reporter for Exchange + - Netwrix Auditor + - exclude contacts access + - compression service + - agents + - Exchange +products: + - auditor +sidebar_label: How do I exclude access events to the Calendar and +tags: [] +title: "How do I exclude access events to the Calendar and Contacts folders from Netwrix Auditor reports?" +knowledge_article_id: kA00g000000H9UMCA0 +--- + +# How do I exclude access events to the Calendar and Contacts folders from Netwrix Auditor reports? + +How can I exclude access events to the Calendar folder from the product reports? + +Access events to the Calendar folder are excluded by default (this is set in the `mailboxestoexclude.txt` file located in `C:\Program Files (x86)\Netwrix Auditor\Non-owner Mailbox Access Reporter for Exchange` by default). However, Netwrix Auditor only recognizes this file if agents are enabled, so make sure that you enable the **Compression service** option. + +In order to exclude Contacts access from being reported please add the following line to the `mailboxestoexclude.txt` file: + +``` +*/Contacts* +``` 
diff --git a/docs/kb/auditor/how-do-i-migrate-the-reporting-database-to-another-ms-sql-server-instance-lower-version.md b/docs/kb/auditor/how-do-i-migrate-the-reporting-database-to-another-ms-sql-server-instance-lower-version.md new file mode 100644 index 0000000000..ac24b3eafc --- /dev/null +++ b/docs/kb/auditor/how-do-i-migrate-the-reporting-database-to-another-ms-sql-server-instance-lower-version.md 
@@ -0,0 +1,81 @@ +--- +description: >- + Steps to migrate the Reporting databases from a higher-version Microsoft SQL + Server instance to a lower-version instance using either the Netwrix Auditor + DB Importer or SQL Server Management Studio Generate Scripts wizard. +keywords: + - SQL Server migration + - reporting database + - Generate Scripts + - DB Importer + - Netwrix Auditor + - SSMS + - downgrade SQL + - migrate database +products: + - auditor +sidebar_label: Migrate Reporting Database to Lower SQL Version +tags: [] +title: "How do I migrate the Reporting database to another MS SQL Server instance lower version?" +knowledge_article_id: kA00g000000H9VWCA0 +--- + +# How do I migrate the Reporting database to another MS SQL Server instance lower version? + +How do I migrate the Reporting databases to another MS SQL Server instance of a downgraded version? + +There are a few options to downgrade the database from a higher version of SQL Server to a lower version of SQL Server. These options include: + +- Configure the product to the destination SQL Server, create the product database, and upload all historical data to it from the local repository folder with the Netwrix Auditor DB Importer tool (can be found in the product installation folder, by default: `C:Program Files (x86)NetwrixActive Directory Auditing`); + +- Migrate the database with the **Generate Scripts** wizard of SQL Server Management Studio. For it please perform the following steps: + +1. Script the schema of the database on the source SQL Server instance using the **Generate Scripts** wizard of the SQL Server Management Studio interface. + +1.1 In Object Explorer connect to the SQL server, right-click the database, expand **Tasks** and choose **Generate Scripts**. + +![User-added image](images/ka04u000000HcOn_0EM700000005TB6.png) + +1.2 This launches the **Generate and Publish Scripts** wizard. Click **Next** to skip the Introduction screen and proceed to the Choose Objects page. 
+ +![User-added image](images/ka04u000000HcOn_0EM700000005TBB.png) + +1.3 On the Choose Objects page, choose **Script entire database and all database objects**, and then click **Next** to proceed to the **Set Scripting Options** page. + +![User-added image](images/ka04u000000HcOn_0EM700000005TBG.png) + +1.4 On the **Set Scripting Options** page, specify the location where you want to save the script file, and then click the **Advanced** button. + +![User-added image](images/ka04u000000HcOn_0EM700000005TBL.png) + +1.5 In the **Advanced Scripting Options** dialog box, set `Script Triggers`, `Indexes` and `Primary Key` options to `True`, set `Script for Server Version` to ``<version of the destination SQL server instance>``, and set `Types of data to script` to `Schema and Data`. This last option is key because this is what generates the data per table. + +![User-added image](images/ka04u000000HcOn_0EM700000005TC4.png) + +1.6 Once done, click **OK** to close the **Advanced Scripting Options** dialog box and return to the **Set Scripting Options** page. In the **Set Scripting Options** page, click **Next** to continue to the Summary page. + +1.7 After reviewing your selections on the Summary page, click **Next** to generate scripts. + +![User-added image](images/ka04u000000HcOn_0EM700000005TBV.png) + +1.8 Once scripts are generated successfully, choose the **Finish** button to close the **Generate and Publish Scripts** wizard. + +![User-added image](images/ka04u000000HcOn_0EM700000005TBa.png) + +2. Connect to the destination SQL Server instance, and then run the SQL scripts that were generated, to create the database schema and copy its data. + +2.1 In Object Explorer connect to the destination SQL Server instance and then in SQL Server Management Studio open the SQL Server script you saved in Step 1. 
+ +![User-added image](images/ka04u000000HcOn_0EM700000005TBf.png) + +![User-added image](images/ka04u000000HcOn_0EM700000005TBk.png) + +![User-added image](images/ka04u000000HcOn_0EM700000005TBp.png) + +2.2 Modify the script to specify the correct location for the database data and log files. Once done, run the script to create the database on the destination SQL Server instance. + +![User-added image](images/ka04u000000HcOn_0EM700000005TCE.png) + +2.3 Upon successful execution, refresh the Database folder in Object Explorer. + +![User-added image](images/ka04u000000HcOn_0EM700000005TC9.png) diff --git a/docs/kb/auditor/how-do-i-monitor-hidden-file-shares.md b/docs/kb/auditor/how-do-i-monitor-hidden-file-shares.md new file mode 100644 index 0000000000..4ee65bb107 --- /dev/null +++ b/docs/kb/auditor/how-do-i-monitor-hidden-file-shares.md 
@@ -0,0 +1,31 @@ +--- +description: >- + Explains how to monitor hidden file shares (those ending with $) when using + the Netwrix Auditor data source for Windows File Servers, including adding + individual hidden shares and auditing all hidden shares via the Scope tab. +keywords: + - hidden file shares + - hidden shares + - file shares + - Netwrix Auditor + - Windows File Servers + - UNC + - Scope tab + - Computer item +products: + - auditor +sidebar_label: How do I monitor hidden file shares? +tags: [] +title: "How do I monitor hidden file shares?" +knowledge_article_id: kA00g000000H9U6CAK +--- + +# How do I monitor hidden file shares? + +If you specified **Computer** as an Item in the Netwrix Auditor Windows File Servers data source, Netwrix Auditor monitors all available file shares on that server, except for the hidden ones (ending with `$` sign). If you want to monitor a specific hidden share, you need to add it explicitly, specifying its full UNC path, e.g. `\server\hiddenshare$`. + +If you would like to audit all hidden shares on the server, check the corresponding option at the **Scope** tab of your **Computer** item: + +![image.png](images/ka04u000000HcNr_0EM4u000007qtQ1.png) + +**NOTE:** It is not recommended to specify the system drive (`\server\c$`) as an Item. This will force Netwrix to audit local folders including the system ones that produce a lot of noise and degrade the product performance. diff --git a/docs/kb/auditor/how-do-you-specify-a-local-administrator-account-to-obtain-disk-space-information-from-computers-tha.md b/docs/kb/auditor/how-do-you-specify-a-local-administrator-account-to-obtain-disk-space-information-from-computers-tha.md new file mode 100644 index 0000000000..6a5d961c76 --- /dev/null +++ b/docs/kb/auditor/how-do-you-specify-a-local-administrator-account-to-obtain-disk-space-information-from-computers-tha.md 
@@ -0,0 +1,31 @@ +--- +description: >- + Explains how to specify a local administrator account to obtain disk space + information from computers that are not part of a domain. Describes installing + Disk Space Monitor on a stand-alone PC and configuring it to monitor the local + computer. +keywords: + - disk space monitor + - local administrator + - stand-alone computer + - non-domain + - monitoring + - NetWrix Disk Space Monitor + - Configurator + - local admin account + - disk space information +products: + - auditor +sidebar_label: How do you specify a local administrator account t +tags: [] +title: "How do you specify a local administrator account to obtain disk space information from computers that are not part of the domain?" +knowledge_article_id: kA00g000000Pbd2CAC +--- + +# How do you specify a local administrator account to obtain disk space information from computers that are not part of the domain? + +--- + +Disk Space Monitor has no option to monitor computers that are not joined to the domain. All monitored computers must be part of the domain. + +You can however install the software on a stand-alone PC using a local administrator account. You will need to logon to Windows using a local administrator account, install Disk Space Monitor and configure the product to monitor the local computer (**Start | Programs | NetWrix Disk Space Monitor Full Version | Configurator | Click Add and specify the stand-alone PC name**). diff --git a/docs/kb/auditor/how-does-inactive-user-tracker-work.md b/docs/kb/auditor/how-does-inactive-user-tracker-work.md new file mode 100644 index 0000000000..114296126b --- /dev/null +++ b/docs/kb/auditor/how-does-inactive-user-tracker-work.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Explains how the Inactive User Tracker (IUT) in Netwrix Auditor determines + user inactivity by querying Active Directory attributes and calculating + inactivity periods. +keywords: + - inactive user tracker + - IUT + - Active Directory + - lastLogon + - lastLogonTimestamp + - createTimestamp + - domain controller + - LDAP + - inactivity + - Netwrix Auditor +products: + - auditor +sidebar_label: How Does Inactive User Tracker Work? +tags: [] +title: "How Does Inactive User Tracker Work?" +knowledge_article_id: kA00g000000H9WSCA0 +--- + +# How Does Inactive User Tracker Work? + +## Question + +How does Inactive User Tracker (IUT) work? + +## Answer + +1. IUT requests the current date from the local machine. +2. IUT requests the list of Active Directory users from the domain (via LDAP). +3. IUT picks the first user from the list. +4. IUT retrieves `lastLogon` and `lastLogonTimestamp` attributes for the user from every domain controller. + +> **IMPORTANT:** In case a single domain controller is unavailable, no action will be performed. + +5. If the user has never logged in, the `createTimestamp` attribute is used instead of `lastLogon` or `lastLogonTimestamp`. In case multiple `lastLogonTimestamp` entries are available, the most recent is used. +6. Inactivity time is calculated using `createTimestamp`, `lastLogon` or `lastLogonTimestamp` and the local machine date/time to determine the number of days. +7. If the user matches the inactivity criteria specified, they will be added to the list of inactive users and acted upon according to the configuration. +8. Steps 4 to 7 are repeated for each user in the list. diff --git a/docs/kb/auditor/how-does-merging-logon-activity-events-work.md b/docs/kb/auditor/how-does-merging-logon-activity-events-work.md new file mode 100644 index 0000000000..13baffadc1 --- /dev/null +++ b/docs/kb/auditor/how-does-merging-logon-activity-events-work.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Explains how Netwrix Auditor merges similar Logon Activity events to reduce + noise and how events are selected and prioritized during merging. +keywords: + - logon + - logon activity + - merging + - events + - Netwrix Auditor + - duplicate events + - failed attempts + - event IDs +products: + - auditor +sidebar_label: How Does Merging Logon Activity Events Work? +tags: [] +title: "How Does Merging Logon Activity Events Work?" +knowledge_article_id: kA04u000001118cCAA +--- + +# How Does Merging Logon Activity Events Work? + +## Question + +How does merging Logon Activity events work? + +## Answer + +Netwrix Auditor merges similar logon events to reduce noice and narrow the number of similar events. Merging events works as follows: + +1. The records are considered similar when they have the same event type, User, Name and IP of the originating workstation, Name and IP of the target workstation. For Failed Attempts the failure reasons must also match. + +2. For successful logons the value of events is ranged as follows (ascending): + + - Unidentified Logon + - Interactive Logon based on the events `4768` and `4769` + - Interactive Logon based on the event `4624` + - Reconnecting to a remote session based on the event `4778` + + After the merging completes, the first event is displayed to the user. + +3. If there is an Interactive Logon based on events `4768` and `4769` where the **What** and **Workstation** fields are different, all subsequent events of this type with **What** and **Workstation** fields matching the **What** field of the original event, will be merged. Other words, if there was a remote connection to a workstation, it would overwrite all direct connections within the specified time range. + +4. Domain Controller Logoff events of the same type are also merged and the user sees the first one. However if there was an event `4779` (remote session disconnected), it would be considered more valueable. 
The product also filters out all logoffs for which the corresponding logon belongs to another event (i.e. not displayed to the user). + +5. Failed Attempts are also combined into a single event and the number of failed attempts is displayed. + +6. For all other events the product simply removes duplicates. The user sees the first event in the series. diff --git a/docs/kb/auditor/how-does-netwrix-account-lockout-examiner-work.md b/docs/kb/auditor/how-does-netwrix-account-lockout-examiner-work.md new file mode 100644 index 0000000000..a201ad7139 --- /dev/null +++ b/docs/kb/auditor/how-does-netwrix-account-lockout-examiner-work.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Netwrix Account Lockout Examiner tracks account lockouts in real time, locates + lockout origins, and helps you troubleshoot by examining invalid logons. It + processes Windows Security logs without agents and provides detailed + examination results for proactive resolution. +keywords: + - account lockout + - lockout examiner + - invalid logons + - Windows Security log + - audit policy + - examination + - lockout troubleshooting + - Netwrix Auditor +products: + - auditor +sidebar_label: How does Netwrix Account Lockout Examiner work +tags: [] +title: "How does Netwrix Account Lockout Examiner work" +knowledge_article_id: kA00g000000H9dcCAC +--- + +# How does Netwrix Account Lockout Examiner work + +## Overview + +Netwrix Account Lockout Examiner tracks account lockouts in real time, enables proactive lockout resolutions, and helps you effectively troubleshoot account lockouts. + +Account Lockout Examiner is able to determine the origins of lockouts and show detailed information about specified lockouts and invalid logons. Account Lockout Examiner processes Windows Security log without using agents, so you must configure the audit policy in the domain according to the requirements of the tool. Configuration of the audit policy is described in the admin guide and this [article](http://kb.netwrix.com/1199). + +Since Windows Security log is the only source, Account Lockout Examiner can show only the information that is present in the log. After Account Lockout Examiner finds a lockout event, it adds the information about the account lockout to the list in the **Summary** tab. You can investigate an account lockout using the **Examination** feature. + +### Conducting an Examination + +To run an examination: + +1. Click the **Examine** button at the bottom of the list in the **Summary** tab, or +2. Right-click an account and select **Examine**. 
+ +When you run an examination, it shows a list of invalid logons, specifies the names of the processes that used invalid credentials, and checks the most common reasons for lockouts: mapped drives, scheduled tasks, RDP sessions, and services running under the credentials of the account in question. Examination results look like this: [![User-added image](images/ka0Qk00000045if_0EM700000004wzI.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAbd&feoid=00N700000032Pj2&refid=0EM700000004wzI) diff --git a/docs/kb/auditor/how-does-netwrix-auditor-for-vmware-work.md b/docs/kb/auditor/how-does-netwrix-auditor-for-vmware-work.md new file mode 100644 index 0000000000..ce877bc24b --- /dev/null +++ b/docs/kb/auditor/how-does-netwrix-auditor-for-vmware-work.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains how Netwrix Auditor for VMware collects auditing events and inventory + data, how often it runs, and how it uses the VMware EventHistoryCollector API + to retrieve events from ESXi servers and vCenter. +keywords: + - Netwrix Auditor + - VMware + - ESXi + - vCenter + - EventHistoryCollector + - audit events + - snapshots + - inventory + - data collector +products: + - auditor +sidebar_label: How does Netwrix Auditor for VMware work +tags: [] +title: "How does Netwrix Auditor for VMware work" +knowledge_article_id: kA00g000000H9SkCAK +--- + +# How does Netwrix Auditor for VMware work + +## Overview +Netwrix Auditor collects changes every 15 minutes and refreshes its full snapshot every day. To generate change and inventory reports, Netwrix Auditor collects the following data: + +- Auditing events (which are generated on monitored ESXi server/vCenter) +- Virtual environment objects and properties (which are then used to build snapshots of monitored virtual environment) + +### Collecting Events +To collect the auditing events, Netwrix Auditor uses the VMware API method called [`EventHistoryCollector`](http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.wssdk.pg.doc_50%2FPG_Ch15_Alarms.17.4.html), which retrieves auditing events from the specified ESX server vCenter. In other words Netwrix Auditor just asks the monitored ESXi Server vCenter for auditing events it has without direct access to the audit log files databases on the monitored ESXi Server vCenter (all these operations are being handled by VMware API). + +Before gathering new auditing events, the VMware data collector looks into its repository and identifies the last collected audit event - which the previous data collection has stopped on and the current data collection should start from. + +For example: +1. The previous data collection stopped on an event which was generated on 12/27/2022 at 6:26 AM +2. 
The first event Netwrix Auditor for VMware expects to get in the current data collection will be same - generated on 12/27/2022 at 6:26 AM (because events in the event chain should be inseparably linked with each other) + +In other cases (when the first received event was generated later than 12/27/2022 at 6:26 AM) the product will consider this as an event overwrite - because this means that some event chain pieces are missing. Audit events are stored in different places for different VMware products, for a standalone ESXi server events are retained in memory and how back they go depends on the available memory. vCenter pulls events from its managed ESXi servers and stores them in the vCenter Event Database. diff --git a/docs/kb/auditor/how-does-password-expiration-notifier-work.md b/docs/kb/auditor/how-does-password-expiration-notifier-work.md new file mode 100644 index 0000000000..9dd239f02f --- /dev/null +++ b/docs/kb/auditor/how-does-password-expiration-notifier-work.md 
@@ -0,0 +1,35 @@ +--- +description: >- + Explains how Netwrix Password Reset (PEN) determines password expiration and + selects users for notification. Describes the main algorithm steps used by the + tool. +keywords: + - password expiration + - LDAP + - pwdLastSet + - Netwrix Password Reset + - notification + - Maximum Password Age + - PEN + - Active Directory + - algorithm + - users +products: + - auditor +sidebar_label: How does Netwrix Password Reset work? +tags: [] +title: "How does Netwrix Password Reset work?" +knowledge_article_id: kA00g000000H9WUCA0 +--- + +# How does Netwrix Password Reset (PEN) work? + +Note: This only includes the main function algorithm; advanced features are not included. + +1. LDAP query is used to determine the Maximum Password Age for the domain. +2. A list of users is also determined via LDAP query. +3. First user from the list is processed. +4. The `pwdLastSet` attribute value is determined for this user. +5. The number of days before the password expires in is determined based on the Maximum Password Age as well as the value of `pwdLastSet`. +6. PEN checks whether the user matches the conditions specified in the settings (e.g. list of users whose password expires in xx days, notification options and advanced settings). +7. If the user matches the conditions then it is added to the report, if not, then the next user in the list is processed. diff --git a/docs/kb/auditor/how-i-can-change-the-trace-log-path-on-the-audited-sql-server.md b/docs/kb/auditor/how-i-can-change-the-trace-log-path-on-the-audited-sql-server.md new file mode 100644 index 0000000000..e1eb48a7d7 --- /dev/null +++ b/docs/kb/auditor/how-i-can-change-the-trace-log-path-on-the-audited-sql-server.md 
@@ -0,0 +1,35 @@ +--- +description: >- + Explains how to change the trace log path on an audited SQL Server by editing + the `pathstotracelogs.txt` file in the SQL Server Auditing collector + directory, with syntax and example. +keywords: + - SQL Server + - trace logs + - pathstotracelogs + - Netwrix Auditor + - UNC path + - sys.fn_trace_getinfo + - SQLServerInstance + - SQL trace +products: + - auditor +sidebar_label: How I can change the trace log path on the audited +tags: [] +title: "How I can change the trace log path on the audited SQL Server?" +knowledge_article_id: kA00g000000H9dYCAS +--- + +# How I can change the trace log path on the audited SQL Server? + +To change the log path on the audited SQL Server, perform the following: + +1. Navigate to the `SQL Server Auditing` collector directory (by default `C:\Program Files (x86)\Netwrix Auditor\SQL Server Auditing`). +2. Open the `pathstotracelogs.txt` file for editing. +3. Populate this file with the UNC path where you want the trace logs to be stored on your SQL Servers. (You can check the current log path by executing the following command: `SELECT * FROM sys.fn_trace_getinfo(NULL) WHERE property=2`) + +Syntax: `SQLServerInstance|UNC path` + +For example: `serverinstance|C:\Program Files\Microsoft SQL Server\MSSQL\LOG` + +**NOTE**: Replace `SQLServer` with the SQL server machine name. Replace `Instance` with the SQL server instance name. diff --git a/docs/kb/auditor/how-netwrix-auditor-collects-data-from-replicated-domain-controllers.md b/docs/kb/auditor/how-netwrix-auditor-collects-data-from-replicated-domain-controllers.md new file mode 100644 index 0000000000..a83d4b5237 --- /dev/null +++ b/docs/kb/auditor/how-netwrix-auditor-collects-data-from-replicated-domain-controllers.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Explains how Netwrix Auditor collects and displays data from replicated Domain + Controllers, and how event log replication affects search results, reports, + alerts, and emails. +keywords: + - domain controllers + - replication + - event logs + - Netwrix Auditor + - monitoring plan + - alerts + - reports + - search + - collection time +products: + - auditor +sidebar_label: 'How Netwrix Auditor Collects Data from Replicated ' +tags: [] +title: "How Netwrix Auditor Collects Data from Replicated Domain Controllers?" +knowledge_article_id: kA04u000001111HCAQ +--- + +# How Netwrix Auditor Collects Data from Replicated Domain Controllers? + +## Question + +Is Netwrix Auditor able to show data collected from one of several replicated Domain Controllers in search, reports, alerts, and emails? + +Example deployment scenario: + +1. There are two Domain Controllers within a domain. The replication configured successfully between these Domain Controllers, and neither one is read-only. +2. A monitoring plan is configured to collect data **only from a single Domain Controller**. + +## Answer + +Yes, Netwrix Auditor can show these events with some considerations. +Netwrix collects data, including but not limited to Windows Security Event Logs that are not replicated from one Domain Controller to another. Even if an action itself was replicated, the product will not be able to show correctly all issue details in search, reports, alerts, and emails since event log entries are not replicated. 
Review the following for additional information: + +| Detail | How the product report it | +|--------------|-------------------------------------------------------------------------------------------| +| What | Actual information | +| Object type | Actual information | +| Who | System | +| Where | Unknown | +| Workstation | — | +| When | This detail shows the time when the action was collected by the product rather than the time when it actually happened. diff --git a/docs/kb/auditor/how-netwrix-auditor-for-sql-server-collects-data.md b/docs/kb/auditor/how-netwrix-auditor-for-sql-server-collects-data.md new file mode 100644 index 0000000000..55675eae16 --- /dev/null +++ b/docs/kb/auditor/how-netwrix-auditor-for-sql-server-collects-data.md 
@@ -0,0 +1,94 @@ +--- +description: >- + Explains how Netwrix Auditor for SQL Server collects configuration and + database content change data, the traces and triggers it uses, and where audit + data is stored. +keywords: + - netwrix + - sql server + - auditing + - traces + - triggers + - Netwrix Auditor + - .trc + - NetwrixSQLaudit + - sqlcr_db.sql +products: + - auditor +sidebar_label: How Netwrix Auditor for SQL Server Collects Data +tags: [] +title: "How Netwrix Auditor for SQL Server Collects Data" +knowledge_article_id: kA00g000000H9VMCA0 +--- + +# How Netwrix Auditor for SQL Server Collects Data + +## Question +How does Netwrix Auditor for SQL Server work? What is the data source for it? + +## Answer +There are two options for monitoring SQL servers within Netwrix Auditor. + +**1. Audit SQL server configuration changes** +To find these changes Netwrix Auditor for SQL Server collects a state snapshot from the server, compares it with the previously taken snapshot, and determines what was changed. To get WHO CHANGED WHEN CHANGED information for found changes the product uses internal SQL Server traces. + +**If there is no tracing enabled**, changes will be reported as made by the system. That is why the product checks if internal SQL audit mechanism is enabled and enables it if needed during every data collection as follows: + +When enabling internal SQL traces, the following parameters are used: + +``` +@pathtolog = retrieved from SQL server. +@option_value = 2 +@max_file_size = 100 +@max_rollover_files = 6 +@on=1 +@create_trace = 0 +@create_filter_trace = 0 +@create_filter_stmt_trace = 0 +@traceName = @pathtolog + N'netwrix sql cr trace' +@traceFilterName = @pathtolog + N'netwrix sql cr filter trace' +@traceFilterStmtName = @pathtolog + N'netwrix sql cr stmt trace' +``` + +Then audit traces are enabled by means of the `exec sp_trace_setevent @traceName_id,%eventID%, @current_num,@on` command. 
The following traces are enabled: + +- 102 -- Audit Statement GDR Event +- 103 -- Audit Object GDR Event +- 104 -- Audit AddLogin Event +- 105 -- Audit Login GDR Event +- 106 -- Audit Login Change Property Event +- 108 -- Audit Add Login to Server Role Event +- 109 -- Audit Add DB User Event +- 110 -- Audit Add Member to DB Role Event +- 128 -- Audit Database Management Event +- 129 -- Audit Database Object Management Event +- 130 -- Audit Database Principal Management Event +- 131 -- Audit Schema Object Management Event +- 135 -- Audit Database Object Take Ownership Event +- 152 -- Audit Change Database Owner +- 170 -- Audit Server Scope GDR Event +- 171 -- Audit Server Object GDR Event +- 172 -- Audit Database Object GDR Event +- 176 -- Audit Server Object Management Event +- 177 -- Audit Server Principal Management Event + +The list of variables and events can be easily found in the `sqlcr_db.sql` file located in the program installation directory (by default - `C:\Program Files (x86)\Netwrix Auditor\SQL Server Auditing`). + +All internal traces are stored in `.trc` files in the SQL Server logs folder - by default, it is `C:\Program Files\Microsoft SQLServer\MSSQL.2\MSSQLLOG`. There is a size limit for these files - 100 Mb per file. It is allowed to create 6 trace files so the maximum log size is **600 Mb.** The oldest one gets automatically removed once the size limit is reached. + +More information about internal SQL Server audit can be found in the following Microsoft article: https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2008-r2/ms191006(v=sql.105)?redirectedfrom=MSDN + +Also, the detailed list of monitored objects can be found in the following article: /docs/auditor/10.6/auditor/configurationuration/sqlserver + +**2. Audit database content changes** +For more in-depth auditing of SQL databases, Netwrix Auditor for SQL Server — database content auditing can be enabled. 
If the **Monitor changes to data in the database tables** option is enabled, the product performs the following steps: + +- For each database, it checks for the corresponding owner record in the Master database and on current database and enables `TRUSTWORTHY` property (review the following for more information: https://learn.microsoft.com/en-us/sql/relational-databases/security/trustworthy-database-property?view=sql-server-ver16&redirectedfrom=MSDN) for the current database. +- Creates an additional database - **NetwrixSQLCRaudit**, that is used to store information about all changes to other databases. +- Creates a trigger called `Netwrix_audit_trg_%tablename%` in every table of monitored databases that logs transaction info to the `NetwrixSQLaudit` database. +- Creates additional table - `dbo.Netwrix_Audit_errors` - in each database and is used to store info about all errors that occurred during the audit process. + +Data on **Who changed** is again got from internal SQL traces. The product itself runs on scheduled tasks, gathers all `.trc` files and information from `NetwrixSQLaudit` DB, and generates reports based on this information. All `dbo.Netwrix_Audit_errors` tables and `NetwrixSQLaudit` database get cleared once data is collected from them. By default, it is done once a day. All changes which are performed within the 2nd option (enabling database content auditing) can be reverted by running the `sqlcr_remove_audit_from_db.sql` script located in the program installation directory against each affected database. To run this script, open it in SQL Server Management Studio, connect to the target SQL Server instance, type the target database name in square parentheses `[]` and click the **Execute** button. + +### 2.1 Triggerless Collection +Triggerless collection is another method of collecting database content changes, which uses SQL Trace Log instead of triggers. 
It checks the event called **Audit Schema Object Access** with filter **Permissions** = 1 (SELECT ALL) or 2 (UPDATE ALL) | 8 (INSERT) | 16 (DELETE) on the database logs. Collector gathers new information from SQL trace log every 5 minutes. Event filtration happens on the trace log level i.e. Events that are either omitted from logging or outside of the scope of the collector will not be gathered. diff --git a/docs/kb/auditor/how-netwrix-ensures-safety-of-stored-credentials.md b/docs/kb/auditor/how-netwrix-ensures-safety-of-stored-credentials.md new file mode 100644 index 0000000000..a8439bf926 --- /dev/null +++ b/docs/kb/auditor/how-netwrix-ensures-safety-of-stored-credentials.md 
@@ -0,0 +1,67 @@ +--- +description: >- + Explains how Netwrix Auditor stores and protects data collection account + credentials using Windows DPAPI (CryptoAPI), describing encryption, storage, + decryption stages, and FAQs. +keywords: + - DPAPI + - CryptoAPI + - CryptProtectData + - CryptUnprotectData + - Configuration.xml + - CRYPTPROTECT_LOCAL_MACHINE + - encrypted credentials + - Netwrix Auditor + - data protection + - Windows DPAPI +products: + - auditor +sidebar_label: How Netwrix Ensures Safety of Stored Credentials +tags: [] +title: "How Netwrix Ensures Safety of Stored Credentials" +knowledge_article_id: kA00g000000H9eYCAS +--- + +# How Netwrix Ensures Safety of Stored Credentials + +## Data Protection + +Netwrix Auditor leverages accounts with privileges considered higher than regular users" for target systems configuration, access, and data collection. Therefore, credentials of those accounts must be stored on the Netwrix Auditor server in a secure manner. + +For that, Netwrix Auditor utilizes a native Microsoft Windows cryptographic mechanism called Data Protection API (DPAPI) based on [Crypto API](https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptography-portal). Detailed information on DPAPI implementation by Microsoft can be found in [Windows Data Protection](https://docs.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)?redirectedfrom=MSDN#windataprotection-dpapi_topic04). + +The benefits of this approach are + +- Usage of DPAPI is recommended by Microsoft for encryption of sensitive data at rest (such as passwords or [master keys](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-encryption-at-rest?view=aspnetcore-3.0#windows-dpapi)). Also, DPAPI is used by Microsoft services to store credentials (e.g., Remote Desktop Connection). +- DPAPI is built-in in the Microsoft Windows operating system. 
Therefore, all enhancements, updates and security bug fixes are provided through regular Windows Update. +- [CryptoAPI](https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptography-portal) under the hood of DPAPI uses proven cryptographic algorithms such as AES 256-bit for data encryption. They can be adjusted to the specific needs of a company through Cryptographic Service Providers configuration. +- Master keys used by DPAPI for data encryption are managed by Microsoft Windows OS; third-party applications and Netwrix Auditor, in particular, do not access or control them. + +--- + +The following table describes how data containing passwords of data collection accounts is managed by Netwrix Auditor: + +| Stage | Description | How Security is Ensured | +|---|---|---| +| Data Encryption | Netwrix Auditor invokes the [CryptProtectData](https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata) function, passes a password of a data collection account as sensitive data for encryption. The function then returns the encrypted data for storage. | The CryptProtectData function is a part of the CryptoAPI located in [Crypt32.dll](https://docs.microsoft.com/en-us/windows/win32/seccrypto/crypt32-dll-versions). The request for further processing is transferred through a secure RPC channel to the LSA system process. In the LSA, the data is encrypted and transferred back to the Netwrix Auditor components. | +| Data Storage | Data with encrypted passwords is stored in `Configuration.xml` file located in `%ProgramData%Netwrix AuditorAuditCoreConfigServer` on the Netwrix Auditor Server. | 1. Access to this folder is denied for anyone except for local Administrators on the Netwrix Auditor host. 2. Copying the data itself or the Configuration file to another machine does not pose data to risk since the data is encrypted with `CRYPTPROTECT_LOCAL_MACHINE` flag. This flag ensures that the data can be decrypted just on the machine it has been encrypted on. 
| +| Data Decryption | Netwrix Auditor invokes the [CryptUnprotectData](https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata) function to get decrypted data with a password that is necessary for connecting to a specific target system | The decryption is performed in the same secure way as encryption. | + +--- + +## Frequently Asked Questions + +**Q:** What cryptographic algorithm is used for encryption? +**A:** Since Netwrix Auditor relies on DPAPI instead of directly handling encryption, the actual mechanism is defined by the Windows operation system. Netwrix does not have control over selection of cryptographic algorithms. + +[CryptoAPI](https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptography-portal) under the hood of DPAPI uses proven cryptographic algorithms for data encryption such as AES 256-bit. + +**Q:** What if someone unauthorized gets a copy of the `Configuration.xml` file on another machine and then tries to decrypt passwords stored in it? +**A:** Microsoft Data Protection API provides mechanism to associate encrypted data with the machine context. Netwrix uses this approach by utilizing `CRYPTPROTECT_LOCAL_MACHINE` flag for encryption. This ensures that the data can be decrypted only on the same machine it has been encrypted on. + +**Q:** What should Netwrix administrators do to keep Netwrix Auditor as secure as possible? +**A:** The most important thing is to limit access to the Netwrix Auditor server. Just authorized personnel should have access to the Netwrix Auditor server. + +The access level must be thoroughly adjusted as well; regular Netwrix Auditor users don't need the local Administrators rights. + +For detailed guidelines, see [Best Practices for Securing Netwrix Auditor](https://kb.netwrix.com/215). 
diff --git a/docs/kb/auditor/how-reports-from-user-activity-video-recorder-resolve-host-names.md b/docs/kb/auditor/how-reports-from-user-activity-video-recorder-resolve-host-names.md new file mode 100644 index 0000000000..469e303001 --- /dev/null +++ b/docs/kb/auditor/how-reports-from-user-activity-video-recorder-resolve-host-names.md @@ -0,0 +1,34 @@ +--- +description: >- + Explains how User Activity Video Recorder determines host names for reports by + checking the local hosts file and falling back to DNS; includes a PowerShell + command to verify the resolved host name. +keywords: + - User Activity Video Recorder + - UAVR + - host name resolution + - hosts file + - DNS + - PowerShell + - 127.0.0.1 + - reports + - name resolution +products: + - auditor +sidebar_label: How Reports from User Activity Video Recorder reso +tags: [] +title: "How Reports from User Activity Video Recorder resolve host names" +knowledge_article_id: kA04u000000PdIsCAK +--- + +# How Reports from User Activity Video Recorder resolve host names + +**Question**: When I check reports, the server name is shown differently as when I try to resolve its' name using the DNS server. How does User Activity Video Recorder resolve host names? + +**Answer:** First of all, the UAVR Agent looks locally in the hosts file of the server (located in `C:\Windows\System32\drivers\etc` folder). You can also check the Name resolution by utilizing this command in PowerShell on the monitored server: + +```powershell +[System.Net.Dns]::GetHostEntry("127.0.0.1").HostName +``` + +The resulting name will match the name of the server in the UAVR report. If there is no record for `127.0.0.1-localhost` on the server, the DNS server will be polled for the name. diff --git a/docs/kb/auditor/how-the-network-traffic-compression-service-works.md b/docs/kb/auditor/how-the-network-traffic-compression-service-works.md new file mode 100644 index 0000000000..125dfe645e --- /dev/null 
+++ b/docs/kb/auditor/how-the-network-traffic-compression-service-works.md 
@@ -0,0 +1,78 @@ +--- +description: >- + Explains how the Network Traffic Compression Service works on Domain + Controllers and how to enable or override it using the agent.ini file to + optimize data transfer to Netwrix Auditor. +keywords: + - network traffic compression + - domain controller + - Netwrix Auditor + - agent.ini + - traffic optimization + - DC agents + - bandwidth + - data collection + - skip setting +products: + - auditor +sidebar_label: How the Network Traffic Compression Service Works +tags: [] +title: "How the Network Traffic Compression Service Works" +knowledge_article_id: kA00g000000H9SLCA0 +--- + +# How the Network Traffic Compression Service Works + +## Overview + +The Network Traffic Compression Service is implemented by a tiny executable that runs on Domain Controllers, pre-filters data and then sends it to Netwrix Auditor in a highly compressed format. + +> IMPORTANT: if you do not want any extra services running on the Domain Controllers, you can configure Netwrix Auditor to work without the service (**not recommended**) + +The Traffic Compression Service helps increase scalability and optimize traffic. It is a recommended option and is especially useful in poorly connected environments — for example, when you have multiple Domain Controllers distributed across geographic locations. + +The Network Traffic Compression creates a service on the DC and copies a folder of 6KB in size to the machine. The service only runs when the Netwrix Auditor server calls it. In congested systems with high latency, the service can substantially improve data transfer while minimizing the impact on bandwidth. Using the service results in an approximately 100x reduction in the amount of data transferred and has a negligible impact on the performance of the target computer. 
+ +## Instructions + +> TIP: network traffic compression can be enabled for all DCs in the domain by selecting a corresponding option in the **Active Directory data source** + +To override the default value for specific DCs you specify: + +1. Navigate to the Netwrix Auditor installation directory. For example, `C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing` +2. Open `agent.ini` +3. Update it using the syntax below: + +``` +dcname={remote|agent|skip|skipSilent} +``` + +### Parameters + +- `dcname` – name of a domain controller for which you want to customize the Network Traffic Compression Service usage +- `remote` – means that the service will NOT be used on this particular domain controller +- `agent` – means that the service will be used to collect data from this particular domain controller, even if it is disabled in the Netwrix Auditor UI +- `skip` – means that the data will not be collected from this particular domain controller (this option can be used, for example, if the domain controller goes down and should be temporarily excluded from data collection) + +> NOTE: Using the `skip` setting can produce incomplete reports: incorrect values in **Who Changed** / **When Changed** fields + +- `skipsilent` – same as skip but should only be used for completely decommissioned DCs + +### Examples + +You have six domain controllers. Five of them are located in New York and one in Seattle. You do not need to use agents on the New York domain controllers since they have fast network connections, while the one located in Seattle is slow due to its distance from the main office. + +In this way, you can specify the agent monitoring as follows: + +``` +NY1.acme.com=remote +NY2.acme.com=remote +NY3.acme.com=remote +NY4.acme.com=remote +NY5.acme.com=remote +Seattle.acme.com=agent +``` + +## Related Articles + +- Network Traffic Compression ⸱ v 10.6 — /docs/auditor/10.6/auditor/admin-guide/healthstatus 
diff --git a/docs/kb/auditor/how-to-add-additional-space-to-long-term-archive.md b/docs/kb/auditor/how-to-add-additional-space-to-long-term-archive.md new file mode 100644 index 0000000000..20c2d629ca --- /dev/null +++ b/docs/kb/auditor/how-to-add-additional-space-to-long-term-archive.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Learn how to add disk space to the Long-Term Archive used by Netwrix Auditor + and how to decrease archive retention to free up space while preserving + historical data when possible. +keywords: + - long-term archive + - archive retention + - disk space + - Netwrix Auditor + - Investigations + - system health + - archive overflow + - retention period +products: + - auditor +sidebar_label: How to Add Additional Space to Long-Term Archive +tags: [] +title: "How to Add Additional Space to Long-Term Archive" +knowledge_article_id: kA04u000001115iCAA +--- + +# How to Add Additional Space to Long-Term Archive + +## Overview + +In some cases, you may need to add space to the Long-Term Archive. Please follow the steps below to enhance your archive capacity. + +## Instructions + +**Long-Term Archive** is a file-based storage where Netwrix Auditor saves the collected activity records. By default, it is located on the system drive at `%PROGRAMDATA%\Netwrix Auditor\Data` and keeps data for `120 months (10 years)`. The product informs you if you are running out of space on a system disk where it is stored. + +There is a **Long-Term Archive** widget that helps you monitor the Long-Term Archive capacity. The widget can be found by clicking the **Health Status** tile on the Netwrix Auditor home screen. It displays the current size and daily increase of the Long-Term Archive as well as the remaining free space on the target drive. + +Once the free disk space starts approaching the minimum level, you will see events in the **Netwrix Auditor System Health** log. When the free disk space is less than `3 GB`, the Netwrix services responsible for audit data collection will be stopped, which means that data collection also stops. + +Typically, Netwrix recommends adding space (`150-200 GB`) to the drive where the Long-Term Archive resides to resolve the issue. Follow the steps below to find where your Long-Term Archive data is stored. + +1. 
In Netwrix Auditor, navigate to **Settings**. +2. Select the **Long-Term Archive** page and review where your audit data is written. You can modify the archive retention settings here; however, read the steps below for the correct procedure. + +In this scenario, all historical data collected by the product will be preserved. If you do not have enough hardware resources for that, add some space (recommended `25-30 GB`) on the Auditor Server host to restore regular product functionality and then decrease the retention period of the archive. + +> **IMPORTANT:** After changing the retention, for example to 1 year, all data older than 1 year will be removed (it might take up to several days) and that freed up even more disk space. + +Follow the steps below to decrease the retention period for the archive: + +1. Add some space (`25-30 GB`) on the Auditor Server. +2. Shortly after adding additional space, start all Netwrix services. +3. Immediately after that, decrease the Long-Term Archive retention. For that, navigate to the Auditor settings -> **Long-Term Archive** and click **Modify** under the Long-term Archive. Then provide a new retention value in months. + +It is up to you to decide how long you want to keep historical data. If you know that no historical data will be needed past one year, decrease the retention to `12 months`. The historical data can be imported from the Archive back to your Audit Database when needed via the **Investigations** feature. + +Learn more about Investigations in the following article: /docs/auditor/10.6/auditor/admin-guide/settings + +Review additional recommendations for preventing Long-Term Archive overflow in the following article: /docs/kb/auditor/how_to_prevent_long-term_archive_overflow diff --git a/docs/kb/auditor/how-to-apply-netwrix-auditor-license.md b/docs/kb/auditor/how-to-apply-netwrix-auditor-license.md new file mode 100644 index 0000000000..30239cca2d --- /dev/null 
+++ b/docs/kb/auditor/how-to-apply-netwrix-auditor-license.md @@ -0,0 +1,42 @@ +--- +description: >- + This article explains how to apply a Netwrix Auditor license using the .lic + file you received from the licensing team. It shows how to upload the file in + the product UI and verify the applied license. +keywords: + - Netwrix Auditor + - license + - .lic + - apply license + - update license + - licensing + - verify license + - Settings + - Licenses +products: + - auditor +sidebar_label: How to Apply Netwrix Auditor License +tags: [] +title: "How to Apply Netwrix Auditor License" +knowledge_article_id: kA04u0000000GtKCAU +--- + +# How to Apply Netwrix Auditor License + +## Question + +How to apply a Netwrix Auditor license? + +## Answer + +You may have received an email from our licensing team — download the attached `*.lic` file and follow the steps below: + +1. In the main Netwrix Auditor screen, go to **Settings** > **Licenses** and click **Update**. + + ![2.png](images/ka04u00000116MV_0EM4u000007cekk.png) + +2. Navigate to your `*.lic` file and select the file. + +3. Click **Open**. + +The license is now applied to your Netwrix Auditor instance. Verify the information in the **Licenses** section. diff --git a/docs/kb/auditor/how-to-apply-the-license-to-virtual-appliance.md b/docs/kb/auditor/how-to-apply-the-license-to-virtual-appliance.md new file mode 100644 index 0000000000..31119dcd10 --- /dev/null +++ b/docs/kb/auditor/how-to-apply-the-license-to-virtual-appliance.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Shows how to apply a Windows product key to the Netwrix Virtual Appliance and + how to convert the Windows evaluation edition to a retail or volume-licensed + edition using DISM and slmgr.vbs. +keywords: + - license + - virtual appliance + - Windows Server + - product key + - DISM + - GVLK + - activation + - evaluation + - volume license +products: + - auditor +sidebar_label: How to apply the license to Virtual Appliance +tags: [] +title: "How to apply the license to Virtual Appliance" +knowledge_article_id: kA00g000000H9V4CAK +--- + +# How to apply the license to Virtual Appliance + +## Scenario + +I have downloaded the Netwrix Virtual Appliance but when I am trying to apply a Windows product key, I get the following message: "**That key can't be used to activate this edition of Windows. Please try a different key.**" or "**This edition cannot be upgraded**"" + +## Solution + +The Netwrix Virtual Appliance is distributed with a 180-day evaluation version of Windows Server. You have to use your own product key purchased from Microsoft for activation. The Key must be of `Retail` version, Volume Licensed keys follow a different procedure. Prior to applying the key, evaluation version must be converted to a Standard or Datacenter version. In order to do that, please perform the following steps: + +1. Launch command prompt **as administrator** +2. Execute the following command: `DISM /online /Get-CurrentEdition.` Confirm that the Current Edition includes the word 'Eval' +3. Execute the command `DISM /online /Get-TargetEditions ` to get the list of possible upgrade options +4. Execute `DISM /online /Set-Edition: /ProductKey:[enter your product key here] /AcceptEula`, providing the edition ID from the previous step and a retail product key. + +The server will restart twice. + +**NOTE**, the process might take some time. Do not terminate it - wait until it completes. Afterward, you can apply the product key as usual. 
+ +### Volume-Licensed Activation + +If you have `Volume Licensed` key, you can convert your Evaluation version to Retail version, after conversion, you can apply any product key. + +To convert you need to select an appropriate Generic Volume License Key (GVLK) from [Microsoft Website](https://docs.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys) that matches your version of Windows Server. + +Conversion Example for Windows Server 2019 Standard: + +| Command | Description | +|---|---| +| `dism /online /set-edition:ServerStandard /productkey:N69G4-B89J2-4G8F4-WWYCC-J464C /accepteula` | Applies GVLK and converts to an appropriate ver. of OS. The Execution of Command might take up to 30 minutes | +| `slmgr.vbs /upk ` | Removes GVLK from OS | +| `slmgr.vbs /cpky` | Removes GVLK from OS | +| `slmgr.vbs /ipk XXXXX-XXXXX-XXXX-XXXXX-XXXXX` | Applies VL key | +| `slmgr.vbs /ato` | forced activation | + +XXXXX-XXXXX-XXXX-XXXXX-XXXXX - is a VL key. diff --git a/docs/kb/auditor/how-to-audit-a-non-trusted-domain.md b/docs/kb/auditor/how-to-audit-a-non-trusted-domain.md new file mode 100644 index 0000000000..c28f68080e --- /dev/null +++ b/docs/kb/auditor/how-to-audit-a-non-trusted-domain.md 
@@ -0,0 +1,64 @@ +--- +description: >- + Shows how to configure DNS and network settings so you can audit a remote + domain that has no trust relationship with your primary domain using Netwrix + Auditor. +keywords: + - non-trusted domain + - audit + - DNS + - nslookup + - Netwrix Auditor + - stub zone + - NetBIOS over TCP/IP +products: + - auditor +sidebar_label: How to Audit a Non-Trusted Domain +tags: [] +title: "How to Audit a Non-Trusted Domain" +knowledge_article_id: kA04u000000PcsaCAC +--- + +# How to Audit a Non-Trusted Domain + +## Question + +How to audit a non-trusted domain in Netwrix Auditor? + +## Answer + +> **IMPORTANT:** A remote domain should be accessible and reachable via nslookup from domain controllers of your primary domain and from Netwrix server. + +Refer to the following steps to audit a remote domain that does not have any trust relationship with the Netwrix server or your primary domain: + +1. In any of domain controllers of your primary domain, open **DNS Manager** console. +2. In the left pane under the domain controller, right-click **Forward Lookup Zones**, and select **New zone**. +3. In the New Zone Wizard window, click next, select **Stub zone** and check the **Store the zone in Active Directory** checkbox. Click **Next**. +4. Select the **To all DNS servers running on domainc controllers in this domain** option for replication, and click **Next**. +5. Enter the remote domain FQDN in the **Zone name** field. Click **Next**. +6. Add IP addresses for all domain controllers of the remote domain. + +> **NOTE:** It is recommended to provide multiple domain controllers to ensure redundancy. + +7. Click **Next**, and then click **Finish** to complete the setup. +8. Once the setup is completed, restart the DNS server. Right-click the server, and select **Restart** under **All Tasks**. +9. 
In your Netwrix Auditor server and domain controller, run the following command in elevated Command Prompt to flush DNS: +``` +text +ipconfig /flushdns +``` +10. In your Netwrix Auditor server, run the following command in elevated Command Prompt: +``` +text +nslookup +``` + - Once prompted, enter the remote domain FQDN you've previously specified to make sure the newly added domain is reachable from your Netwrix Auditor server. +11. Enable **NetBIOS over TCP/IP** support in the Netwrix Auditor server network interface: + + 1. Proceed to **Network Connections** — you can reach the menu either via your Control Panel, or by searching by **View network connections**. + 2. Right-click the current connection, and click **Properties**. + 3. Select **Internet Protocol Version 4 (TCP/IPv4)**, and click **Properties**. + 4. Click **Advanced**. + 5. Select the **WINS** tab, and select **Enable NetBIOS over TCP/IP**. Click **OK** to save changes. + +> **NOTE:** If the domain still fails to get audited after completing all the steps provided, you can also specify the domainc controller name as `domain.tld\user` or `user@domain.tld` in Netwrix Auditor. diff --git a/docs/kb/auditor/how-to-audit-another-domain-with-netwrix-auditor.md b/docs/kb/auditor/how-to-audit-another-domain-with-netwrix-auditor.md new file mode 100644 index 0000000000..bb326c39a6 --- /dev/null +++ b/docs/kb/auditor/how-to-audit-another-domain-with-netwrix-auditor.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains how to audit domains different from the Netwrix Auditor host domain, + including trusted and non-trusted domain scenarios and account requirements. +keywords: + - audit domain + - trusted domain + - non-trusted domain + - data collecting account + - gMSA + - trust relationships + - Active Directory + - Netwrix Auditor +products: + - auditor +sidebar_label: How to Audit Another Domain with Netwrix Auditor +tags: [] +title: "How to Audit Another Domain with Netwrix Auditor" +knowledge_article_id: kA00g000000H9ceCAC +--- + +# How to Audit Another Domain with Netwrix Auditor + +## Question + +Can I audit another domain with Netwrix Auditor? + +## Answer + +With Netwrix Auditor you can audit domains different from the one where the Netwrix Auditor host resides. Refer to the following scenarios: + +- If there is a two-way trust set up between the audited domain and the domain where the Netwrix Auditor host is installed, no limitations apply. Learn more about trusts in [How trust relationships work for forests in Active Directory ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust). +- For audit of non-trusted domains, refer to the following article for additional information: [How to Audit a Non-Trusted Domain](/docs/kb/auditor/how-to-audit-a-non-trusted-domain). + +> **NOTE:** The data collecting account should have required permissions in the monitored domain. Refer to the following article for additional information on Data Collecting Account and group Managed Service Account (gMSA) requirements: Monitoring Plans — Data Collecting Account ⸱ v10.6. 
+ +### Related articles + +- [How trust relationships work for forests in Active Directory ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust) +- [How to Audit a Non-Trusted Domain](/docs/kb/auditor/how-to-audit-a-non-trusted-domain) +- Monitoring Plans — Data Collecting Account ⸱ v10.6 diff --git a/docs/kb/auditor/how-to-audit-file-servers-with-enabled-user-account-control.md b/docs/kb/auditor/how-to-audit-file-servers-with-enabled-user-account-control.md new file mode 100644 index 0000000000..27db9d8d38 --- /dev/null +++ b/docs/kb/auditor/how-to-audit-file-servers-with-enabled-user-account-control.md @@ -0,0 +1,35 @@ +--- +description: >- + Explains why Netwrix Auditor cannot configure audit settings for file server + managed objects when User Account Control is enabled and how to resolve the + issue. +keywords: + - Netwrix Auditor + - File Server + - User Account Control + - UAC + - audit settings + - System Health + - permissions + - BUILTINAdministrators +products: + - auditor +sidebar_label: How to audit File Servers with enabled User Accoun +tags: [] +title: "How to audit File Servers with enabled User Account Control" +knowledge_article_id: kA00g000000H9V8CAK +--- + +# How to audit File Servers with enabled User Account Control + +Why Netwrix Auditor cannot configure audit settings for File Servers Managed Object? + +--- + +Most likely, this is due to enabled User Account Control. ​In this case the Netwrix Auditor System Health log contains the following error: +*Cannot configure audit settings for the object `<Managed Object name>`: A required privilege is not held by the client.* + +To resolve this issue, do the following: + +1. If your target server is not in a domain, create a user that is not a member of the **BUILTINAdministrators** group. Grant all required rights and permissions to the account. +2. Enable User Account Control for local connections only and disable it for remote connections. 
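Review bot: In how-to-audit-file-servers-with-enabled-user-account-control.md, step 2 ("Enable User Account Control for local connections only and disable it for remote connections") names no policy, registry value or dialog, so the reader cannot carry it out or undo it later. State the exact setting and note that it relaxes UAC for remote connections to that server, so it should be applied only to the audited file servers. In the same hunk, `BUILTINAdministrators` (keywords and step 1) has lost its backslash, step 1 says to "grant all required rights and permissions" without listing or linking them, and `sidebar_label` is cut off at "User Accoun".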
diff --git a/docs/kb/auditor/how-to-audit-servers-located-in-another-subnet-behind-firewall.md b/docs/kb/auditor/how-to-audit-servers-located-in-another-subnet-behind-firewall.md new file mode 100644 index 0000000000..4d66c47fb3 --- /dev/null +++ b/docs/kb/auditor/how-to-audit-servers-located-in-another-subnet-behind-firewall.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Explains how to resolve RPC and Service Control Manager errors when auditing + servers on different subnets by opening required firewall ports or configuring + RPC dynamic port ranges. +keywords: + - Netwrix Auditor + - RPC + - dynamic RPC ports + - firewall + - TCP 135 + - TCP 445 + - 49152-65535 + - 50000-50200 +products: + - auditor +sidebar_label: How to audit servers located in another subnet beh +tags: [] +title: "How to audit servers located in another subnet behind firewall" +knowledge_article_id: kA00g000000H9erCAC +--- + +# How to audit servers located in another subnet behind firewall + +Netwrix Auditor for Windows Servers (NetWrix Server Configuration Change Reporter in 6.5 or older) does not work with systems on different subnets. The following errors appear: + +``` + : Error during agent operation on server . Cannot open Service Control Manager on computer ''. This operation might require other privileges. Additional information: The RPC server is unavailable . + : Error during agent operation on server . The RPC server is unavailable. (Exception from HRESULT: 0x800706BA). Additional information: none. + : Error during agent operation on server . Check if .Net Framework is installed error. Additional information: none. +``` + +--- + +One of the required ports is blocked by Firewall. + +--- + +## Resolution + +To resolve the issue, make sure the following ports are opened: + +1. `TCP 135` and `TCP 445` are opened both ways. +2. Dynamic RPC ports range are opened from the server where Netwrix Auditor is installed to the monitored server. The product uses these ports to connect to the monitored servers and launch the agent services. 
You can open the ports in two ways: + +- Open the following TCP ports range on your Firewall: + +> for Windows Vista/7/2008: `49152-65535` +> for Windows XP/2003: `1024-5000` + +- Alternatively, you can configure a custom Dynamic RPC ports range on the managed server, for example you can configure ports `50000-50200` and open these ports in your Firewall. For detailed instructions, please refer to the following Microsoft KB article: http://support.microsoft.com/kb/154596 diff --git a/docs/kb/auditor/how-to-audit-user-password-changes.md b/docs/kb/auditor/how-to-audit-user-password-changes.md new file mode 100644 index 0000000000..6718f27fbb --- /dev/null +++ b/docs/kb/auditor/how-to-audit-user-password-changes.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Shows how to enable auditing of user password changes by editing the + omitproplist.txt file to remove or comment out the *.PasswordChanged entry. + Includes a note about reapplying the change after product upgrades and a tip + for avoiding Access is Denied when saving. +keywords: + - user password change + - auditing + - omitproplist.txt + - omit list + - Netwrix Auditor + - Active Directory Auditing + - PasswordChanged + - omitproplist + - access denied +products: + - auditor +sidebar_label: How to Audit User Password Changes +tags: [] +title: "How to Audit User Password Changes" +knowledge_article_id: kA00g000000H9edCAC +--- + +# How to Audit User Password Changes + +## Symptom + +User Password Changes are not appearing in Search or Report results. + +## Cause + +By default User Password Change auditing is disabled via omitlist. + +## Reolution + +This functionality can be easily enabled by navigating to the following file location: + +`C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing\omitproplist.txt` + +Open `omitproplist.txt` in a text editor, find the entry of `*.PasswordChanged` and comment it out with a pound/hash sign (#), like this: `#*.PasswordChanged .` By doing so you make the omit list ignore this entry, effectively re-enabling it for reporting. All future User Password Changes will now be audited by Netwrix Auditor. +Instead of commenting, the line can also be deleted. + +**Note**: When you upgrade Netwrix Auditor to a new version, it would restore that parameter in the omit list, so you will have to comment/delete it again. + +**Tip**: When saving changes to the omit list, you may receive "Access is Denied" error. In order to proceed, either open the text editor as Administrator or save the file to the desktop and drag'n'drop to the original folder, which would trigger the admin prompt." 
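Review bot: In how-to-audit-user-password-changes.md, the heading `## Reolution` is misspelled, and the inline example `#*.PasswordChanged .` carries a stray space and period inside the code span that a reader may paste into `omitproplist.txt` verbatim. The Tip also ends with an unmatched `"`. Because the Note says an upgrade restores the omit-list entry, add a post-upgrade check (for example, confirm that a test password change appears in Search); otherwise password-change auditing stops after an upgrade with nothing to signal it.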
diff --git a/docs/kb/auditor/how-to-automatically-apply-office-classification-labels.md b/docs/kb/auditor/how-to-automatically-apply-office-classification-labels.md new file mode 100644 index 0000000000..07b4e77a49 --- /dev/null +++ b/docs/kb/auditor/how-to-automatically-apply-office-classification-labels.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Use taxonomy mappings or workflow actions to automatically apply Office + Classification Labels to documents in SharePoint at the time of + classification. +keywords: + - Office Classification Labels + - taxonomy mapping + - SharePoint + - O365 Label + - classification + - Taxonomy Manager + - QS Administration + - Workflow Action + - auto-classification +products: + - auditor + - data-classification +visibility: public +sidebar_label: How to automatically apply Office Classification L +tags: [] +title: "How to automatically apply Office Classification Labels" +knowledge_article_id: kA00g000000H9e4CAC +--- + +# How to automatically apply Office Classification Labels + +The below steps can be followed to ensure that Office Classification Labels will be automatically applied at the time of classification. + +There are two methods of applying labels, both of which are described below: + +- **Taxonomy Mapping** - For a simple automated experience it is possible to assign labels to existing Term Set structures within **Taxonomy Manager** +- **Workflow Action** - For a more complex assignment experience it is also possible to both add, and remove labels via **Workflow Actions** + +## Taxonomy Mapping + +1. Log into the **QS Administration interface** +2. Navigate to the **Taxonomies** area +3. Navigate to the **Term** that is to be used to define when the **Classification Label** should be applied (please note, the **taxonomy** in question should be an auto-classified **SharePoint Term Set**) +4. Select the **Settings** tab +5. Scroll to the **Microsoft Office Classification Labels** section +6. Select **Add** and choose the label that you wish to apply (if the site collection has only recently been added then the label may not yet have been synchronised down) + +### How does this work? 
+ +At the time of classification the Classifier process will identify any terms that have both met their threshold and also contain mappings to Office Classification Labels. The engine will then select the highest scoring term, and automatically apply the mapped label to the document in SharePoint (taking into account which labels are available per site collection as well as the setting specified at the term level). + +## Workflow Action + +1. Log into the **QS Administration interface** +2. Navigate to the **Workflows** area +3. Create a **Workflow**, either selecting a **SharePoint** source - or creating the workflow against the generic **SharePoint** type +4. Configure the **Workflow** conditions +5. Select **"Add"** to add a new **Rule Action** +6. Under **SharePoint**, select either: **"Write O365 Label"** or **"Remove O365 Label"** +7. Specify the **label** that should be **written** or **removed** and then select **Save** diff --git a/docs/kb/auditor/how-to-capture-service-traffic.md b/docs/kb/auditor/how-to-capture-service-traffic.md new file mode 100644 index 0000000000..17d430e62d --- /dev/null +++ b/docs/kb/auditor/how-to-capture-service-traffic.md 
@@ -0,0 +1,62 @@ +--- +description: >- + Shows how to capture and debug HTTP traffic from Netwrix Data Classification + services using Fiddler by configuring the machine.config to route service + traffic through the Fiddler proxy. +keywords: + - Fiddler + - machine.config + - proxy + - Netwrix Data Classification + - Collector + - Indexer + - Classifier + - HTTP + - Telerik + - debugging +products: + - auditor + - data-classification +sidebar_label: How to capture service traffic +tags: [] +title: "How to capture service traffic" +knowledge_article_id: kA00g000000H9eDCAS +--- + +# How to capture service traffic + +In more **complex** or **secure** environments you sometimes need to **debug** connectivity between the **Netwrix Data Classification** services and an external **HTTP** connection (website, SharePoint site collection, etc.). In these cases **Fiddler** is a free tool that you can use to exclude certain issues and inspect the exact **HTTP** traffic that occurs. + +When **Fiddler** launches and attaches it adjusts the current user's proxy settings to point at **Fiddler**, running on `127.0.0.1:8888` by default. However, the core services (Collector, Indexer and Classifier) do not inherit those settings automatically and must be configured manually. + +If the failure case succeeds when Fiddler is running (and configured), that suggests the environment requires a proxy configuration that has not been configured correctly. Coordinate with your network team to confirm the exact proxy requirements between the server and the destination. + +You can download Fiddler from the Telerik website: https://www.telerik.com/fiddler + +--- + +**Note:** Making changes to the `machine.config` may temporarily interrupt IIS. + +## Procedure + +1. Start **Fiddler**. +2. Launch **Notepad** with elevated permissions (Right click the program → Run as **Administrator**). +3. Open the following file: `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config` +4. 
Add the XML block below as a peer to the existing **system.net** element, replacing any existing **defaultProxy** element if present (see image below). +5. Save the file. +6. Restart the core **Services** (**Collector**, **Indexer** and **Classifier**). + +**NOTE:** The **system.net** element must be contained within the **configuration** element. + +```xml + + + + + + +``` + +![CaptureTrafficMachineConfig](https://kb.netwrix.com/wp-content/uploads/2019/12/CaptureTrafficMachineConfig.png) diff --git a/docs/kb/auditor/how-to-change-smtp-timeout.md b/docs/kb/auditor/how-to-change-smtp-timeout.md new file mode 100644 index 0000000000..3bb760e0d6 --- /dev/null +++ b/docs/kb/auditor/how-to-change-smtp-timeout.md @@ -0,0 +1,30 @@ +--- +description: >- + Explains how to increase the SMTP send timeout by editing the registry. The + default timeout is set to 60 seconds. +keywords: + - SMTP + - timeout + - SMTP timeout + - registry + - regedit + - Password Expiration Notifier + - NetWrix + - Timeout registry + - SMTP submit +products: + - auditor +sidebar_label: How to change SMTP Timeout +tags: [] +title: "How to change SMTP Timeout" +knowledge_article_id: kA00g000000H9TRCA0 +--- + +# How to change SMTP Timeout + +Timeout occurs during submitting a mail message to an SMTP. Is it possible to increase the default timeout? + +The default timeout is set to 60 seconds. To change this parameter: + +1. Navigate to **Start -> Run** and type `regedit`. +2. Expand `HKLM -> Software -> NetWrix -> Password Expiration Notifier -> Timeout` and set a new value. diff --git a/docs/kb/auditor/how-to-change-the-default-ports-in-netwrix-auditor-user-activity-video-recording.md b/docs/kb/auditor/how-to-change-the-default-ports-in-netwrix-auditor-user-activity-video-recording.md new file mode 100644 index 0000000000..09b5325540 --- /dev/null +++ b/docs/kb/auditor/how-to-change-the-default-ports-in-netwrix-auditor-user-activity-video-recording.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Shows how to change the default ports (9003 and 9004) used by Netwrix Auditor + User Activity Video Recording by editing registry settings on the host and + target machines and restarting the UAVR service. +keywords: + - netwrix + - user activity + - video recording + - ports + - registry + - UAVR + - ServerPort + - CallbackPort +products: + - auditor +sidebar_label: How to Change the Default Ports in Netwrix Auditor +tags: [] +title: "How to Change the Default Ports in Netwrix Auditor User Activity Video Recording" +knowledge_article_id: kA00g000000H9VcCAK +--- + +# How to Change the Default Ports in Netwrix Auditor User Activity Video Recording + +## Related Query + +- "Is there a way to configure the agent to use different ports instead of 9003 and 9004 for User Activity Video Recording?" + +## Question + +How can you change the default ports in Netwrix Auditor User Activity Video Recording? + +## Answer + +Yes, you can configure the agent to use different ports by modifying the registry settings on both the Netwrix Auditor host server and the target servers. Follow these steps: + +### On the Netwrix Auditor Host Server + +1. Open **Registry Editor** and navigate to: + `HKEY_LOCAL_MACHINE\SOFTWARE\(Wow6432Node)\NetWrix Auditor\User Activity Video Reporter` +2. Create a new **DWORD (32-bit)** value named **ServerPort** (default: `9004`). + +### On Each Target Machine + +1. Open **Registry Editor** and navigate to: + `HKEY_LOCAL_MACHINE\SOFTWARE\(Wow6432Node)\NetWrix\User Activity Video Reporter Agent` +2. Create a new **String** value named **ServerPort** (this should match the value specified on the Netwrix host). +3. Create another **String** value named **CallbackPort** (default: `9003`). +4. Specify the desired ports in both values. +5. Restart the **UAVR Service** on each target machine to apply the changes. 
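Review bot: In the UAVR ports article, the host section creates `ServerPort` as a **DWORD (32-bit)** value while the target section creates `ServerPort` and `CallbackPort` as **String** values, and the key paths differ (`NetWrix Auditor\User Activity Video Reporter` on the host, `NetWrix\User Activity Video Reporter Agent` on targets). If both differences are intended, say so explicitly, since a reader will assume one of them is a typo. The host section also stops after creating the value: it never says to set the port number or to restart a service, unlike target steps 4 and 5. `(Wow6432Node)` in parentheses is not a literal path segment and needs a one-line explanation of when it applies. Consider a closing reminder that firewall rules written for 9003 and 9004 must be updated to the new ports.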
diff --git a/docs/kb/auditor/how-to-change-the-frequency-of-data-collections-for-file-server-auditing.md b/docs/kb/auditor/how-to-change-the-frequency-of-data-collections-for-file-server-auditing.md new file mode 100644 index 0000000000..ac8d47f91a --- /dev/null +++ b/docs/kb/auditor/how-to-change-the-frequency-of-data-collections-for-file-server-auditing.md @@ -0,0 +1,28 @@ +--- +description: >- + Explains how to modify the scheduled Task Scheduler job used by Netwrix + Auditor to change the frequency of data collections for File Server auditing. +keywords: + - file server auditing + - Task Scheduler + - scheduled task + - Netwrix Auditor + - File Server Change Reporter + - collection frequency + - triggers + - Windows +products: + - auditor +sidebar_label: How to change the frequency of data collections fo +tags: [] +title: "How to change the frequency of data collections for File Server auditing?" +knowledge_article_id: kA00g000000H9WDCA0 +--- + +# How to change the frequency of data collections for File Server auditing? + +In order to change the frequency of data collections please perform the following: + +1. Go to **Control Panel** -> **Administrative Tools** -> **Task Scheduler** -> **Task Scheduler Library**; +2. Double click task **Netwrix Management Console - File Server Change Reporter your_collection**; +3. Then **Triggers** tab, then click **New** and choose **Daily** and set `Repeat task every N hours` (type your selection if it is not available to pick from the drop down). diff --git a/docs/kb/auditor/how-to-change-the-netwrix-data-classification-query-server-url.md b/docs/kb/auditor/how-to-change-the-netwrix-data-classification-query-server-url.md new file mode 100644 index 0000000000..48f6822f31 --- /dev/null +++ b/docs/kb/auditor/how-to-change-the-netwrix-data-classification-query-server-url.md 
@@ -0,0 +1,42 @@ +--- +description: >- + Shows how to change the Netwrix Data Classification Query Server URL from HTTP + to HTTPS by updating the `conceptConfig.exe` configuration in the application + and web service locations. +keywords: + - Netwrix Data Classification + - Query Server + - URL + - conceptConfig.exe + - conceptQS + - ConceptCollectorService + - conceptIndexer + - HTTPS + - localhost + - change URL +products: + - auditor + - data-classification +sidebar_label: How to change the Netwrix Data Classification Query Server URL +tags: [] +title: "How to change the Netwrix Data Classification Query Server URL" +knowledge_article_id: kA00g000000H9eXCAS +--- + +# How to change the Netwrix Data Classification Query Server URL + +## Scenario + +You want to change the Netwrix Data Classification Query Server URL from `http://localhost:80/conceptQS` to `https://localhost:80/conceptQS`. + +## Solution + +Navigate to the following file locations: + +- `C:\Program Files\ConceptSearching\Services\ConceptCollectorService\conceptConfig.exe` +- `C:\inetpub\wwwroot\conceptQS\bin\conceptConfig.exe` +- `C:\Program Files\ConceptSearching\Services\conceptIndexer\conceptConfig.exe` + +For each instance of `conceptConfig.exe`, change the path seen here: + +![Change NDC URL](https://kb.netwrix.com/wp-content/uploads/2019/10/Change-NDC-URL-3.png) diff --git a/docs/kb/auditor/how-to-check-the-netwrix-auditor-health-status.md b/docs/kb/auditor/how-to-check-the-netwrix-auditor-health-status.md new file mode 100644 index 0000000000..9d436b21ea --- /dev/null +++ b/docs/kb/auditor/how-to-check-the-netwrix-auditor-health-status.md 
@@ -0,0 +1,65 @@ +--- +description: >- + Use the Health Status dashboard to monitor Netwrix Auditor components + including activity records, monitoring plans, the Health Log, database + statistics, Long Term Archive (LTA), and the Working Folder. +keywords: + - health status + - activity records + - health log + - long term archive + - working folder + - database statistics + - monitoring plans + - SQL Express + - LTA + - Netwrix Auditor +products: + - auditor +sidebar_label: How to Check the Netwrix Auditor Health Status +tags: [] +title: "How to Check the Netwrix Auditor Health Status" +knowledge_article_id: kA00g000000H9eZCAS +--- + +# How to Check the Netwrix Auditor Health Status + +## Health Status Dashboard + +As a Netwrix Administrator you need the tools and knowledge to maintain a healthy and efficient installation of Netwrix Auditor. Here are the tips and tricks for monitoring Netwrix Auditor health. + +From the home page we can click **Health Status**. This presents administrators with a handful of extremely useful visuals. + +### Activity Records by Date + +This dashboard tile helps an administrator maintain visibility on data flow. The most obvious purpose this serves is confirmation of collection. You may also find that these statistics help you predict future need of resources. If incoming activity records increase, consideration of more storage or CPU cores may be required. You can use the matrix seen here to see recommended hardware based on incoming Activity Records per day. + +### Monitoring Overview + +The Monitoring Overview allows administrators to see all a complete picture of monitoring plan health. Plans with errors will show with a status of **Take Action**, while healthy plans will show **Ready**. The **Filter** option allows administrators to look at specific Data Sources or groups of Monitoring Plans to tailor visibility to specific needs. 
+ +### Health Log + +The information seen in the Netwrix Auditor Health Log is directly pulled from a Windows Event Log called `Netwrix Auditor System Health`. Information seen here can vary vastly between environments. Messages can vary from informational, warning, and error based. + +There is also the chance that the Health Log is relaying an error received from an audited data source. If limited information is found in our documentation, you may find that the error is directly from the audited source. In this case, it is beneficial to google search the error as well. This often reveals that the error exists with the data source itself. + +The Health Log also provides the option for filtering, allowing administrators to view messages from specific data sources/monitoring plans, as well as different types of messages (Information, warning, errors). + +There may be times where Netwrix Auditor Technical Support requests a copy of your Health Log. To provide this file, please view the steps [here](/docs/kb/auditor/how-to-save-and-zip-netwrix-auditor-system-health-event-log.md). More details on the Health Log can be obtained here. + +### Database Statistics + +Similar to the Activity Records Statistics tile, this dashboard allows administrators to view the status of SQL Audit Databases, size of Audit Databases, and amount of Activity Records stored. + +Double-clicking a database name will expand the block and reveal more information. + +This dashboard can assist with troubleshooting in instances where data may not be available for searching and reporting. Remember that SQL Express databases have a limit of 10 GB for storage. + +### Long Term Archive + +This simple, yet effective, tile gives administrators insight on Long Term Archive storage usage. You may hear Technical Support refer to this as the "LTA". 
If you notice rapid growth and you have not placed the Long Term Archive on a drive independent of the System Drive, please follow the steps [here](https://kb.netwrix.com/247) to migrate your Long Term Archive. + +### Working Folder + +The Working Folder is a structure of files that plays an integral part in event processing. Similar to the LTA tile, this tile will provide visibility on Working Folder growth. Expect this directory to grow and shrink periodically as it receives data, processes, and then sends it off for storage in SQL and the LTA. This directory can also be migrated to a drive independent to the system drive. The steps to migrate the Working Folder can be viewed [here](/docs/kb/auditor/how-to-migrate-netwrix-auditor-working-folder-to-a-new-location.md). diff --git a/docs/kb/auditor/how-to-clear-the-sessions-list-in-netwrix-auditor.md b/docs/kb/auditor/how-to-clear-the-sessions-list-in-netwrix-auditor.md new file mode 100644 index 0000000000..db9bff0336 --- /dev/null +++ b/docs/kb/auditor/how-to-clear-the-sessions-list-in-netwrix-auditor.md @@ -0,0 +1,28 @@ +--- +description: >- + Shows how to clear the sessions list in Netwrix Auditor by deleting the + Sessions folder from the Audit Archive location. +keywords: + - sessions + - Audit Archive + - sessions list + - Netwrix Auditor + - Management Console + - delete Sessions folder + - audit data +products: + - auditor +sidebar_label: How to clear the sessions list in Netwrix Auditor? +tags: [] +title: "How to clear the sessions list in Netwrix Auditor?" +knowledge_article_id: kA00g000000H9UpCAK +--- + +# How to clear the sessions list in Netwrix Auditor? + +To clear the list of sessions, perform the following steps: + +1. In Netwrix Auditor select **Audit Archive** under **Settings** in the pane at the left. +2. Find the path where the audit data is written (for example, `C:ProgramDataNetWrixManagement Console`). +3. Navigate to **Audit Archive** foder. +4. Delete **Sessions** folder. 
diff --git a/docs/kb/auditor/how-to-configure-disk-space-monitor-reporting.md b/docs/kb/auditor/how-to-configure-disk-space-monitor-reporting.md new file mode 100644 index 0000000000..3b2233f62b --- /dev/null +++ b/docs/kb/auditor/how-to-configure-disk-space-monitor-reporting.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Learn how to configure Netwrix Auditor Disk Space Monitor reporting, including + server targets, thresholds, SMTP settings, and real-time notifications. +keywords: + - disk space + - monitor + - WMI + - SMTP + - email + - threshold + - real-time + - report + - Netwrix Auditor +products: + - auditor +sidebar_label: How to configure Disk Space Monitor reporting +tags: [] +title: "How to configure Disk Space Monitor reporting" +knowledge_article_id: kA00g000000PbdcCAC +--- + +# How to configure Disk Space Monitor reporting + +To configure the Netwrix Auditor Disk Space Monitor reporting, perform the following steps: + +## Steps + +1. Run the software configurator tool. + +2. Enter the names of the servers you want to monitor. Enter values without quotes. Format examples: + - Entire server: `myserver` + - UNC Path: `\myserverpublic` + - Individual drive: `myserverc:` + - Mount point: `myserverc:foldernamemount_point_name` + +3. Specify the threshold in MB of free space or percentage of available space (for example, `100` percent). + +4. Check the **Send notifications in real-time** checkbox if you want the software to check the servers every 10 minutes. + +4. Supply a comma-separated list of e-mail addresses to send reports to (at least one e-mail is required). + +5. Specify SMTP server settings (name, port, from address). + +6. Click **OK** and enter an account name and password which will be used to generate reports. + +This account must be powerful enough to connect to all managed servers using WMI. + +## How it works + +It will work as follows: +------------------------------------- +The product task begins to work on a scheduled basis and repeats every 10 minutes, so disks are monitored in real-time. +When the **Send notifications in real-time** checkbox is checked, the Netwrix Auditor Disk Space Monitor sends notifications on the detected servers with low free disk space if disk capacity change occurs. 
+The default summary report schedule is daily at 3:00 AM. diff --git a/docs/kb/auditor/how-to-configure-granular-audit-policies-for-logon-auditing.md b/docs/kb/auditor/how-to-configure-granular-audit-policies-for-logon-auditing.md new file mode 100644 index 0000000000..5cfe243e26 --- /dev/null +++ b/docs/kb/auditor/how-to-configure-granular-audit-policies-for-logon-auditing.md 
@@ -0,0 +1,57 @@ +--- +description: >- + This article describes how to configure granular audit policies for Logon + auditing on Windows Vista or later, using Local Security Policy or Group + Policy Object (GPO). It also explains how to enable granular audit policies + checking in Netwrix Logon Reporter. +keywords: + - granular audit policies + - Logon auditing + - auditpol + - gpupdate + - Local Security Policy + - Group Policy + - Windows Server 2008 R2 + - Netwrix Logon Reporter +products: + - auditor +sidebar_label: How to configure granular audit policies for Logon +tags: [] +title: "How to configure granular audit policies for Logon Auditing" +knowledge_article_id: kA00g000000PbdSCAS +--- + +# How to configure granular audit policies for Logon Auditing + +How to configure granular audit policies for Logon Auditing (Windows Vista or later)? + +In Windows Server 2008 R2 and Server 2012, granular audit policies are integrated with the Group Policies, so you can apply them via a Group Policy Object (GPO) or Local Security Policies. + +## Applying Granular Audit Policies via Local Policies + +To apply granular audit policies via Local Policies, perform the following: + +1. On a monitored server, open the Local Security Policy snap-in (navigate to **Start** -> **Run** and type `secpol.msc`). +2. Navigate to **Security Settings -> Local Policies -> Security Options** and locate the **Audit: Force audit policy subcategory settings (Windows Vista or later)** policy. +3. Double-click this policy and select the **Enabled** option. +4. Navigate to **Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies**. +5. Set the subcategories below to Success and Failure: + - `LogonLogoff -> Audit Other Logon/Logoff Events` + - `LogonLogoff -> Audit Logon` + - `LogonLogoff -> Audit Logoff` + - `Account Management -> Audit User Account Management` +6. Update your Group Policies by executing the `gpupdate /force` command in the command line interface. 
+ + Note: You can check your current effective settings by executing the following command: + + ```cmd + gpupdate /force + auditpol /get /category:* + ``` +7. In Netwrix Logon Reporter, navigate to the **Advanced** tab. Select the **Enable granular audit policies checking** option and click **Apply**. + +## Applying Granular Audit Policies via Group Policies + +To apply a granular audit policy configuration via a Group Policy Object (GPO), you must have a Windows Server 2008 R2 domain controller or member server with the Group Policy Management Console installed. + +For instructions on how to do this, refer to the following technical article by Microsoft: [Advanced Security Audit Policy Step-by-Step Guide](http://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx?ppud=4) diff --git a/docs/kb/auditor/how-to-configure-monitoring-of-local-accounts.md b/docs/kb/auditor/how-to-configure-monitoring-of-local-accounts.md new file mode 100644 index 0000000000..dac8335baf --- /dev/null +++ b/docs/kb/auditor/how-to-configure-monitoring-of-local-accounts.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Shows how to configure Netwrix Account Lockout Examiner to monitor local + machine event logs by adding the workstation as a managed object. +keywords: + - account lockout + - local accounts + - event logs + - monitoring + - Netwrix Account Lockout Examiner + - Domain Controller + - managed objects +products: + - auditor +sidebar_label: How to configure monitoring of local accounts +tags: [] +title: "How to configure monitoring of local accounts" +knowledge_article_id: kA00g000000H9deCAC +--- + +# How to configure monitoring of local accounts + +Netwrix Account Lockout Examiner can be set to monitor local machine event logs by performing the following steps + +1. Start Netwrix Account Lockout Examiner. +2. Go to **File - Settings**. +3. In the dialog box, choose **Managed Objects** tab. +4. Press the **Add** button. +5. In the next dialog box, select the **Domain Controller** radio button and enter the the name of workstation local events of which you want to monitor +6. Press the **OK** button. Press the **OK** button again. + +[![User-added image](images/ka04u000000HcWP_0EM700000004wxl.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAbY&feoid=00N700000032Pj2&refid=0EM700000004wxl) + +**Note:** Make sure that the account used to run the Account Lockout Examiner service has administrative access to the machine you are adding. diff --git a/docs/kb/auditor/how-to-configure-netwrix-auditor-in-failover-mode.md b/docs/kb/auditor/how-to-configure-netwrix-auditor-in-failover-mode.md new file mode 100644 index 0000000000..3e1e282390 --- /dev/null +++ b/docs/kb/auditor/how-to-configure-netwrix-auditor-in-failover-mode.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Instructions to configure Netwrix Auditor in failover mode to minimize + downtime and reduce the risk of losing audit data, including VM + recommendations, Long-Term Archive placement, and backup procedures. +keywords: + - failover + - backup + - Long-Term Archive + - LTA + - Configuration.xml + - Netwrix Auditor + - snapshot + - virtual machine +products: + - auditor +sidebar_label: How to Configure Netwrix Auditor in Failover Mode +tags: [] +title: "How to Configure Netwrix Auditor in Failover Mode" +knowledge_article_id: kA00g000000H9TECA0 +--- + +# How to Configure Netwrix Auditor in Failover Mode + +## Question + +How can you configure Netwrix Auditor (NA) in failover mode to minimize the downtime and risk of losing audit data in case of an outage? + +## Answer + +**IMPORTANT:** Back up Netwrix Auditor databases if needed. + +Refer to the following steps to configure Netwrix Auditor in failover mode: + +1. Prepare your environment by installing Netwrix Auditor on a virtual machine. + + > **NOTE:** If Netwrix Auditor is already installed on a physical machine, consider migrating it to a virtual box. Some vendors support "physical to VM" migration." + +2. Configure the Long-Term Archive (LTA) to be stored on a remote location, such as a shared iSCSI volume. Refer to the following Netwrix knowledge base article for instructions on how to move LTA to a new location: /docs/kb/auditor/how_to_move_long-term_archive_to_a_new_location + +3. For setting up backup and failover, ensure that the volume under LTA and Working Folder is redundant enough to survive failure. + +4. Use the features provided by your virtualization vendor to ensure zero-downtime of your Netwrix Auditor machine (e.g., HyperV Live Migration or VMware VMotion.) + +For alternative backup and failover options, refer to the steps below. + +1. Ensure that the volume under LTA and Working Folder is redundant enough to survive failure. + +2. 
Once Netwrix Auditor is up and fully operational, back up the virtual machine. + + > **NOTE:** You can configure backups as often as every hour, using differential backups, for example, with one full backup daily. + +3. Set up regular backups of the Netwrix Auditor `Configuration.xml` file on the Netwrix Auditor Server. Navigate to the following default path: `%ProgramData%Netwrix Auditor\AuditCore\ConfigServer` + + > **NOTE:** In case you previously migrated your Working Folder, review the following Registry Key value to identify the new location: `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\DataPathOverride` + +4. Restore the Netwrix Auditor machine from snapshot. + +5. Restore the configuration. + +## Related Articles + +- How to Move Long-Term Archive to a New Location: /docs/kb/auditor/how_to_move_long-term_archive_to_a_new_location diff --git a/docs/kb/auditor/how-to-configure-netwrix-non-owner-mailbox-access-reporter-to-monitor-clusters-of-exchange-servers.md b/docs/kb/auditor/how-to-configure-netwrix-non-owner-mailbox-access-reporter-to-monitor-clusters-of-exchange-servers.md new file mode 100644 index 0000000000..2cc2cae123 --- /dev/null +++ b/docs/kb/auditor/how-to-configure-netwrix-non-owner-mailbox-access-reporter-to-monitor-clusters-of-exchange-servers.md 
@@ -0,0 +1,36 @@ +--- +description: >- + Shows how to configure Netwrix Auditor to monitor clusters of Exchange servers + for non-owner mailbox access by specifying the IP addresses of all + mailbox-role servers in the Non-owner Mailbox Access Reporter Exchange server + list. +keywords: + - Netwrix Auditor + - Exchange + - Non-owner Mailbox Access + - Exchange cluster + - monitoring + - IP addresses + - Exchange servers + - Omit list +products: + - auditor +sidebar_label: 'How to configure Netwrix Non-Owner Mailbox Access ' +tags: [] +title: "How to configure Netwrix Non-Owner Mailbox Access Reporter to monitor clusters of Exchange servers?" +knowledge_article_id: kA00g000000H9TbCAK +--- + +# How to configure Netwrix Non-Owner Mailbox Access Reporter to monitor clusters of Exchange servers? + +## Overview + +How to configure Netwrix Auditor for Exchange to monitor clusters of Exchange servers for non-owner access. + +To monitor a cluster of Exchange servers, specify IP addresses of all Exchange servers with mailbox role, which belong to the monitored cluster to the Non-owner Mailbox Access Reporter Exchange server list. You can find out more about data excluding in this [Help Center article](/docs/auditor/). + +## Procedure + +1. Specify the IP addresses of all Exchange servers that have the Mailbox role and belong to the monitored cluster. +2. Add those IP addresses to the **Non-owner Mailbox Access Reporter Exchange server list**. +3. For details about excluding data and omit lists, see the Help Center article: [https://helpcenter.netwrix.com/Omit_lists/Omit_list_ES.html](https://helpcenter.netwrix.com/Omit_lists/Omit_list_ES.html). diff --git a/docs/kb/auditor/how-to-configure-notifications-on-service-account-password-expiration.md b/docs/kb/auditor/how-to-configure-notifications-on-service-account-password-expiration.md new file mode 100644 index 0000000000..81c343d462 --- /dev/null 
+++ b/docs/kb/auditor/how-to-configure-notifications-on-service-account-password-expiration.md @@ -0,0 +1,27 @@ +--- +description: >- + Explains how to notify managers or IT staff about impending service account + password expirations by configuring notifications in Netwrix Password Reset + and specifying a manager email in Active Directory. +keywords: + - service account + - password expiration + - notifications + - Netwrix Password Reset + - Active Directory + - managers + - email +products: + - auditor +sidebar_label: 'How to configure notifications on service account ' +tags: [] +title: "How to configure notifications on service account password expiration" +knowledge_article_id: kA00g000000H9TaCAK +--- + +# How to configure notifications on service account password expiration + +Netwrix Password Reset sends emails to AD users when their passwords are about to expire. How can this be configured for the service accounts that run server-based applications? How can the IT staff be notified of an impending service account password expiration? + +1. In Netwrix Password Reset, select the **Send report to the users' managers** check-box. +2. Using the **Active Directory Users and Computers** tool, specify the manager's email address for a service account. The manager will be notified about the service account password expiration. diff --git a/docs/kb/auditor/how-to-configure-the-disk-space-monitor-to-work-behind-a-firewall.md b/docs/kb/auditor/how-to-configure-the-disk-space-monitor-to-work-behind-a-firewall.md new file mode 100644 index 0000000000..04c7a10d20 --- /dev/null +++ b/docs/kb/auditor/how-to-configure-the-disk-space-monitor-to-work-behind-a-firewall.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Use these steps to allow the Disk Space Monitor to connect through a Firewall + by ensuring TCP port 135 (DCOM) is allowed and the scheduled task runs. +keywords: + - disk space monitor + - firewall + - port 135 + - DCOM_TCP135 + - Netwrix Disk Space Monitor + - netsh + - scheduled task +products: + - auditor +sidebar_label: How to configure the Disk Space Monitor to work be +tags: [] +title: "How to configure the Disk Space Monitor to work behind a Firewall" +knowledge_article_id: kA00g000000H9ULCA0 +--- + +# How to configure the Disk Space Monitor to work behind a Firewall + +How do I configure the Disk Space Monitor to work behind a Firewall? + +## Overview + +A Firewall may prevent Disk Space Monitor attempts to connect to the server and get information about the disk space. Make sure that port `135` is open. + +## Resolution + +Perform the following steps: + +1. Run the firewall by going to **Start** | **Control Panel** | **Windows Firewall**. +2. Click the **Exceptions** tab and check the list of Programs and Services. +3. Make sure the list of Programs and Services contains the `DCOM_TCP135` line. + +If `DCOM_TCP135` is not in the list of Programs and Services, perform the following steps: + +1. Go to **Start** | **Run** | type `cmd` and press **OK**. +2. Type `netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135` and press **Enter**. +3. Go to **Start** | **Control Panel** | **Windows Firewall**. +4. Click the **Exceptions** tab and make sure `DCOM_TCP135` has been added to the list of Program and Services. +5. Go to **Start** | **Control Panel** | **Scheduled Tasks**. Run the Netwrix Disk Space Monitor scheduled task. +6. Open the mailbox you have specified to receive notifications and make sure the report displays disk space information about the server in question. 
diff --git a/docs/kb/auditor/how-to-configure-the-product-to-send-two-user-notifications-instead-of-three.md b/docs/kb/auditor/how-to-configure-the-product-to-send-two-user-notifications-instead-of-three.md new file mode 100644 index 0000000000..d084e987c0 --- /dev/null +++ b/docs/kb/auditor/how-to-configure-the-product-to-send-two-user-notifications-instead-of-three.md @@ -0,0 +1,30 @@ +--- +description: >- + Explains how to configure Netwrix Password Reset to send two user password + expiration notifications instead of the default three by setting the second + and third notifications to the same value. +keywords: + - password expiration + - notifications + - Netwrix Password Reset + - configure + - user notifications + - expiration reminders + - two notifications +products: + - auditor +sidebar_label: How to configure the product to send two user noti +tags: [] +title: "How to configure the product to send two user notifications instead of three" +knowledge_article_id: kA00g000000H9TNCA0 +--- + +# How to configure the product to send two user notifications instead of three + +Netwrix Password Reset sends three user password expiration notifications. Is it possible to configure the product to only send two notifications instead? + +In order to do this, configure user notifications as follows: + +1. Configure the first notification to be sent when the password expired in `X` days. +2. Configure the second notification to be sent when the password expires in `Y` days. +3. Configure the third notification to be sent when the password expires in `Y` days as well. In other words, put the same value in the second and the third notification field. diff --git a/docs/kb/auditor/how-to-configure-the-sms-notifications-feature-for-password-expiration-notifier.md b/docs/kb/auditor/how-to-configure-the-sms-notifications-feature-for-password-expiration-notifier.md new file mode 100644 index 0000000000..8e37ee6580 --- /dev/null 
+++ b/docs/kb/auditor/how-to-configure-the-sms-notifications-feature-for-password-expiration-notifier.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Learn how to enable and configure SMS notifications for Netwrix Password + Reset, including how to set the SMS provider and the Active Directory property + that contains recipient phone numbers. +keywords: + - password expiration + - SMS notifications + - Netwrix Password Reset + - Active Directory + - pager + - SMS provider + - esendex + - Telephones tab + - Provider name + - Property name +products: + - auditor +sidebar_label: How to configure the SMS notifications feature for Netwrix Password Reset +tags: [] +title: "How to configure the SMS notifications feature for Netwrix Password Reset?" +knowledge_article_id: kA00g000000Pbd9CAC +--- + +# How to configure the SMS notifications feature for Netwrix Password Reset? + +How do I configure the SMS notifications feature? + +--- + +**Perform the following steps to configure the Netwrix Password Reset SMS notifications:** + +1. Run the program configurator tool in basic mode. +2. Check the checkbox next to the **Notify Users using text messages (SMS)** option and click the **Configure** button. +3. Specify the time when to notify users via text messages notification. +4. Specify the provider name service (the provider who provides SMS notification service; [esendex.net](http://esendex.net) for example). +5. Specify the Property name. This is the name on the **Telephones** tab of the Active Directory user account properties. This field contains the recipient phone number and its value will be used by the software (it is the `Pager` property by default). +6. Click the **OK** button. 
+ +By default, Netwrix Password Reset looks for the pager number in the `Pager` field and assumes that the pager number is specified in the following format: + +`pager_number@operator_name.` + +The **Provider name** and **Property name** fields need to be filled out only if the pager number specified in the non-default field (pager field) contain only the pager number without the operator name (`145625378` instead of `145625378@`[esendex.net](http://esendex.net) for example). diff --git a/docs/kb/auditor/how-to-configure-user-activity-to-trigger-a-recording-session-on-program-execution.md b/docs/kb/auditor/how-to-configure-user-activity-to-trigger-a-recording-session-on-program-execution.md new file mode 100644 index 0000000000..8f4110667b --- /dev/null +++ b/docs/kb/auditor/how-to-configure-user-activity-to-trigger-a-recording-session-on-program-execution.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Shows how to configure Netwrix Auditor User Activity to start recording when a + specific program is launched or when any program is launched except specified + ones. Explains how to find the application description and how to enter the + application name and window title patterns. +keywords: + - program execution + - recording session + - user activity + - application monitoring + - Netwrix Auditor + - Task Manager + - window title + - application description + - Notepad +products: + - auditor +sidebar_label: How to Configure User Activity to Trigger a Record +tags: [] +title: "How to Configure User Activity to Trigger a Recording Session on Program Execution" +knowledge_article_id: kA00g000000H9WTCA0 +--- + +# How to Configure User Activity to Trigger a Recording Session on Program Execution + +How to configure User Activity to start recording when a particular program is launched? + +## Options + +Netwrix Auditor for User Activity offers three options: +1. Record when any application is run. +2. Record when a specific application is run. +3. Record when any application is run except the ones specified. + +This article addresses #2 and #3 specifically, as the way in which the application names are entered is the same for both. Note: It is required that the program has a window with a title. For example, programs executed via command line without a GUI would not apply. + +## Find the application description + +There are two ways to find the application description: + +1. Launch the application you want to monitor and start **Task Manager**. In the Task Manager dialog, open the **Processes** tab and look for the application description in the **Description** column. +2. Locate the executable file for the application you want to monitor, right-click it and select **Properties**. In the **Properties** dialog, switch to the **Details** tab and look for the application description in the **File Description** field. 
+ +## Notes + +- Although the video recording will only start when a particular application is opened, it still records the entire screen. +- **Example:** If you want to configure recording each time Notepad is opened, use `Notepad` as the **Application Description** and for the **Window Title** you can use something like `*Notepad*` because the word "Notepad" is always in the window title regardless of the name of the document open." diff --git a/docs/kb/auditor/how-to-control-the-size-of-netwrixsqlcraudit-databases-on-sql-instances-and-what-it-is-needed-for.md b/docs/kb/auditor/how-to-control-the-size-of-netwrixsqlcraudit-databases-on-sql-instances-and-what-it-is-needed-for.md new file mode 100644 index 0000000000..b5a59fbcba --- /dev/null +++ b/docs/kb/auditor/how-to-control-the-size-of-netwrixsqlcraudit-databases-on-sql-instances-and-what-it-is-needed-for.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Explains how to control the size of NetwrixSQLCRAudit databases created by + Netwrix Auditor on SQL Server instances and describes their purpose. +keywords: + - NetwrixSQLCRAudit + - Netwrix Auditor + - SQL Server + - database size + - Audit data changes + - MSSQL Management Studio + - shrink database + - delete database + - audit +products: + - auditor +sidebar_label: 'How to control the size of NetwrixSQLCRAudit databases on SQL instances? And what it is needed for?' +tags: [] +title: >- + How to control the size of NetwrixSQLCRAudit databases on SQL instances? And + what it is needed for? +knowledge_article_id: kA00g000000H9WcCAK +--- + +# How to control the size of NetwrixSQLCRAudit databases on SQL instances? And what it is needed for? + +How to control the size of `NetwrixSQLCRAudit` databases on SQL instances and what they are used for. + +If you enable the **Audit data changes** option as part of SQL Server audit, Netwrix Auditor creates an additional database — `NetwrixSQLCRAudit` — on each monitored SQL Server. The database is used as a temporary storage of all changes performed to other server databases. In order to control the size of `NetwrixSQLCRAudit` databases, the following two options are suggested: + +1. Disable the **Audit data changes** option if you are not interested in content changes, and delete the `NetwrixSQLCRAudit` database(s) from the SQL Server(s). +2. Shrink the `NetwrixSQLCRAudit` database(s) via MSSQL Management Studio. + +For additional information about how Netwrix Auditor for SQL Server works, please refer to the following KB: /docs/kb/auditor/how_netwrix_auditor_for_sql_server_collects_data diff --git a/docs/kb/auditor/how-to-count-number-of-cpu-cores-on-your-oracle-database-deployment.md b/docs/kb/auditor/how-to-count-number-of-cpu-cores-on-your-oracle-database-deployment.md new file mode 100644 index 0000000000..a97bc6a1af --- /dev/null 
+++ b/docs/kb/auditor/how-to-count-number-of-cpu-cores-on-your-oracle-database-deployment.md @@ -0,0 +1,41 @@ +--- +description: >- + Learn how to determine the total number of CPU cores used by your Oracle + Database deployment for Netwrix Auditor licensing by querying the + CPU_CORE_COUNT_CURRENT parameter on each database instance. +keywords: + - oracle + - cpu cores + - CPU_CORE_COUNT_CURRENT + - V$LICENSE + - licensing + - sqlplus + - database instance + - Netwrix Auditor +products: + - auditor +sidebar_label: How to count number of CPU cores on your Oracle Da +tags: [] +title: "How to count number of CPU cores on your Oracle Database deployment?" +knowledge_article_id: kA00g000000H9V9CAK +--- + +# How to count number of CPU cores on your Oracle Database deployment? + +The licensing for Netwrix Auditor for Oracle Database is based on the number of CPU cores utilized by the entire Oracle Database deployment (the `CPU_CORE_COUNT_CURRENT` parameter). To find the overall core count, retrieve the number of CPU cores on each Oracle Database instance and sum the numbers together. + +## Steps + +1. On the computer where your database is deployed, run the `sqlplus` tool. +2. Connect to your Oracle Database instance—use an Oracle account with the SYSDBA privilege. For example: + - `OracleUser as sysdba` + - Enter your password. +3. Execute the following SQL query: + ```sql + select CPU_CORE_COUNT_CURRENT from V$LICENSE; + ``` + +Repeat these steps for every Oracle Database instance and then sum up the results to get the number of CPU cores for the entire deployment. + +For details on the Oracle Database commands mentioned in this article, refer to: +https://docs.oracle.com/cd/B19306_01/server.102/b14237/dynviews_1144.htm#REFRN30116 
diff --git a/docs/kb/auditor/how-to-count-number-of-licenses-required-for-auditing-a-microsoft-office-365-tenant.md b/docs/kb/auditor/how-to-count-number-of-licenses-required-for-auditing-a-microsoft-office-365-tenant.md new file mode 100644 index 0000000000..d0bed15c93 --- /dev/null +++ b/docs/kb/auditor/how-to-count-number-of-licenses-required-for-auditing-a-microsoft-office-365-tenant.md 
@@ -0,0 +1,62 @@ +--- +description: >- + Learn how to count the number of mailbox licenses required for auditing a + Microsoft Office 365 tenant with Netwrix Auditor, for both MFA and non-MFA + accounts. +keywords: + - Office 365 + - O365 + - licenses + - mailbox + - Netwrix Auditor + - PowerShell + - MFA + - Exchange Online +products: + - general +sidebar_label: How to count number of licenses required for audit +tags: [] +title: "How to count number of licenses required for auditing a Microsoft Office 365 tenant?" +knowledge_article_id: kA00g000000H9T4CAK +--- + +# How to count number of licenses required for auditing a Microsoft Office 365 tenant? + +In Microsoft Office 365, you can create different types of mail accounts for different purposes. However, Netwrix Auditor requires purchasing licenses only for **Mailbox accounts**; there is no charge for accounts of any other types: + +- Mailbox — requires license +- Group — free +- Resource — free +- Contact — free +- Shared — free + +To determine the actual number of licenses you need to purchase from Netwrix, do one of the following, depending on your Office 365 account type. + +## For Non-MFA-enabled account + +1. Download the ZIP file with the shell script provided by Netwrix and extract it: + - https://www.netwrix.com/download/countO365_licenses.zip + - This script counts the number of mailbox accounts in your Office 365 tenant. + + Note: You can run the script on any computer where Windows PowerShell is installed. The computer must be connected to the Internet. + +2. Run **Windows PowerShell** as Administrator and then invoke the `countO365_licenses.ps1` script. +3. Enter your Office 365 account credentials when prompted and click **OK**. +4. When the script completes, you will see the number of mailbox accounts for which you need to purchase licenses: + +![User-added image](./images/ka04u000000HcMr_0EM0g000000hNsh.png) + +## For MFA-enabled account + +1. 
Connect to **Exchange Online** as described in the Microsoft article: + - https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps + +2. Execute the following commands: +```powershell +$userMailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited +$userMailboxes.count +``` + +3. The displayed number represents how many mailbox accounts you need to purchase licenses for. + +Original KB Article 2082 diff --git a/docs/kb/auditor/how-to-count-the-number-of-your-network-devices-in-your-configuration.md b/docs/kb/auditor/how-to-count-the-number-of-your-network-devices-in-your-configuration.md new file mode 100644 index 0000000000..d53f4ac1fb --- /dev/null +++ b/docs/kb/auditor/how-to-count-the-number-of-your-network-devices-in-your-configuration.md @@ -0,0 +1,30 @@ +--- +description: >- + Explains how to count the network devices that require licensing in your + Netwrix Auditor configuration when using Syslog forwarding. +keywords: + - network devices + - licensing + - Syslog + - Netwrix Auditor + - relay + - license count + - audit data + - configuration +products: + - auditor +sidebar_label: How to count the number of your network devices in +tags: [] +title: "How to count the number of your network devices in your configuration?" +knowledge_article_id: kA00g000000H9SnCAK +--- + +# How to count the number of your network devices in your configuration? + +--- + +The licensing **does not depend** on your Syslog forwarding configuration. In the example below, Netwrix Auditor collects audit data from five devices, one of them (6) also serving as a relay: + +![User-added](images/servlet_image_3823966b1661.png) + +The computer (5) does not send any data, so it does not count for a licensed object. Therefore, for this example configuration, purchase Netwrix Auditor license for five network devices.   Original KB Article 2122 
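Review bot: In how-to-count-the-number-of-your-network-devices-in-your-configuration.md, the example names device "(6)" and computer "(5)", but those numbers exist only in the diagram, and the image alt text is just "User-added". A reader who cannot see the image has no way to check why the count is five. Suggest alt text that describes the topology (which numbered nodes send Syslog data, which one relays, which one sends nothing) or a short sentence listing the counted devices. Smaller points in the same hunk: the `---` rule directly under the H1 renders as an empty separator, `sidebar_label` is cut off at "...network devices in", and "Original KB Article 2122" is glued to the end of the last paragraph instead of sitting on its own line.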
diff --git a/docs/kb/auditor/how-to-create-a-load-balanced-cews-environment.md b/docs/kb/auditor/how-to-create-a-load-balanced-cews-environment.md new file mode 100644 index 0000000000..839e411f77 --- /dev/null +++ b/docs/kb/auditor/how-to-create-a-load-balanced-cews-environment.md 
@@ -0,0 +1,77 @@ +--- +description: >- + Describes how to configure a basic load balanced environment for the Netwrix + Data Classification CEWS so each server hosts both the Administration + Interface (QS) and the Web Service Endpoint. Includes step-by-step actions and + an example SharePoint configuration script. +keywords: + - CEWS + - load balancing + - Netwrix Data Classification + - conceptQS + - conceptCEWS + - IIS + - SharePoint + - Content Enrichment Web Service +products: + - auditor + - data-classification +sidebar_label: How to create a load balanced CEWS environment +tags: [] +title: "How to create a load balanced CEWS environment" +knowledge_article_id: kA00g000000H9e6CAC +--- + +# How to create a load balanced CEWS environment + +## Overview +This article describes how to configure a basic load balanced environment for the **Netwrix Data Classification CEWS** product. In this configuration each server will run both the: + +- **Netwrix Data Classification QS Administration Interface** +- **Netwrix Data Classification CEWS Web Service Endpoint** + +The CEWS endpoint leverages the local `conceptQS.asmx` web service endpoint on each server. + +## Assumptions +*This article assumes that the environment is currently a single server instance - not a **DQS** configuration.* + +## Procedure + +1. Access the current **conceptCEWS** server via RDP (`mstsc`) and perform the following actions: + 1. Locate your `conceptDB` directory (default location of `C:\Program Files\ConceptSearching`) + 2. **Share** the `conceptDB` folder with an appropriate service account (you will map this to each of the other servers) + 3. Locate your `conceptQS/conceptCEWS` directory (default location of `C:\inetpub\wwwroot`) + 4. **Copy** both directories + +2. Access the new server via RDP and perform the following actions: + 1. Map a shared drive to the share created in step 1(a) + 2. Navigate to the default **IIS** location (`C:\inetpub\wwwroot`) + 3. 
**Paste** the copied applications + 4. Navigate into the `conceptQS` folder + 5. **Open** `conceptConfig.exe` + 6. Amend the CSE files location to the mapped network drive + 7. **Open IIS Manager (Run + inetmgr)** + 8. Right-click each of the two new folders and select "**Convert to Application**" + 9. Validate that the configured **Application Pool** is configured for both the correct account and the correct `.NET` version (4.0) + +3. Configure your load balancer to point to the two servers, typically: + - http://servername/conceptQS/ContentEnrichmentWebService.svc + +4. Amend the SharePoint CEWS configuration to point to the load balancer rather than the new server. An example script is shown below for reference: + +```powershell +$ssa = Get-SPEnterpriseSearchServiceApplication +$config = New-SPEnterpriseSearchContentEnrichmentConfiguration +$config.Endpoint = "http://loadbalancer/conceptCEWS/ContentProcessingEnrichmentService.svc" +$config.InputProperties = "Body", "Title", "OriginalPath", "", "", .... +$config.OutputProperties = "", "", .... +$config.SendRawData = $True +$config.MaxRawDataSize = 8192 +$config.Timeout = 30000 +Set-SPEnterpriseSearchContentEnrichmentConfiguration -SearchApplication $ssa -ContentEnrichmentConfiguration $config +``` + +## Notes +- Ensure that the service account used for the shared `conceptDB` has the necessary permissions on all servers. +- Confirm that the application pools and identities are consistent across servers to avoid permission or configuration mismatches. +- Verify connectivity from SharePoint (or other consumers) to the load balancer endpoint after configuration. diff --git a/docs/kb/auditor/how-to-create-new-reporting-databases.md b/docs/kb/auditor/how-to-create-new-reporting-databases.md new file mode 100644 index 0000000000..20d3a07a41 --- /dev/null +++ b/docs/kb/auditor/how-to-create-new-reporting-databases.md 
@@ -0,0 +1,35 @@ +--- +description: >- + Explains how to create new reporting databases by backing up or deleting + existing Netwrix databases and re-applying SQL report settings in the Netwrix + Auditor console. +keywords: + - reporting database + - Netwrix Auditor + - SQL Management studio + - report settings + - Manage Objects + - Active Directory + - backup + - SQL database +products: + - auditor +sidebar_label: How to create new reporting databases +tags: [] +title: "How to create new reporting databases" +knowledge_article_id: kA00g000000H9VjCAK +--- + +# How to create new reporting databases + +How do I create new reporting databases? + +## Answer + +You can either back up and delete the existing Netwrix databases or just delete them, depending on your preference. + +### Steps + +1. Back up and delete the existing Netwrix databases with `SQL Management studio`, or just delete them depending on your preference. +2. Create a new database for each audited system by re-applying the SQL report settings for your managed object in the Netwrix Auditor console: + - **Netwrix Auditor console | Manage Objects | Your Manage object | Audited System (for example Active Directory) | Reports | Report settings tab on the right | Apply button** diff --git a/docs/kb/auditor/how-to-create-the-full-dump-of-a-process.md b/docs/kb/auditor/how-to-create-the-full-dump-of-a-process.md new file mode 100644 index 0000000000..b6e5524bbf --- /dev/null +++ b/docs/kb/auditor/how-to-create-the-full-dump-of-a-process.md 
@@ -0,0 +1,36 @@ +--- +description: >- + Describes how to create a full memory dump of a process using Process Explorer + so you can provide it to Netwrix technical support. +keywords: + - process dump + - full dump + - Process Explorer + - procexp.exe + - memory dump + - Access Denied + - debug programs + - Netwrix technical support + - ProcessExplorer.zip +products: + - auditor +sidebar_label: How to create the full dump of a process +tags: [] +title: "How to create the full dump of a process" +knowledge_article_id: kA00g000000H9SGCA0 +--- + +# How to create the full dump of a process + +Netwrix technical support may ask you to create a dump of a particular process (it records the memory state of the product at specific time). Perform the following steps to create a dump file: + +1. Download the Process Explorer using the following link: [http://download.sysinternals.com/files/ProcessExplorer.zip](http://download.sysinternals.com/files/ProcessExplorer.zip). +2. Extract the `ProcessExplorer.zip`. +3. Run the `procexp.exe` application. +4. Navigate to required process, right-click it and select **Create Dump > Create Full Dump.** +5. Specify location to save the dump file. +6. Provide the dump file to the technical support. + +![User-added image](images/ka0Qk000000DRwr_0EM7000000051zm.png) + +**NOTE:** If you receive Access Denied error during the process, please check the ["Debug Programs" Computer Policy](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/debug-programs). Consider adding the account that you use to the list of allowed users or use an Account which has this permission (e.g. local administrator account)" diff --git a/docs/kb/auditor/how-to-customize-email-notification-template.md b/docs/kb/auditor/how-to-customize-email-notification-template.md new file mode 100644 index 0000000000..504589f277 --- /dev/null +++ b/docs/kb/auditor/how-to-customize-email-notification-template.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Learn how to customize the email notification template for Account Lockout + Examiner by editing the notification_template.txt file and using AD attributes + and internal variables. +keywords: + - account lockout + - notification template + - notification_template.txt + - AD attributes + - lockout notification + - Netwrix Account Lockout Examiner + - email template + - remote control + - help-desk link +products: + - auditor +sidebar_label: How to customize email notification template +tags: [] +title: "How to customize email notification template" +knowledge_article_id: kA00g000000H9dbCAC +--- + +# How to customize email notification template + +## Overview +Account Lockout Examiner can send a notification when a lockout occurs. You can edit the notification text or title by modifying the notification template. + +## Template location +The template file `notification_template.txt` is stored in the product installation folder. The default path is: +`C:\Program Files (x86)\NetWrix Account Lockout Examiner` + +## Template sections +The notification template consists of four sections: + +- The `SUBJECT` section contains the text reflected in the message subject. +- The `BODY`, `WEB` and `REMOTE_CONTROL` sections contain the text reflected in the message body. +- The `BODY` section contains the main text of the notification. +- The `WEB` section contains a link to the Help-Desk portal and related text, and is shown only if a Link is enabled in Account Lockout Examiner settings. +- The `REMOTE_CONTROL` section contains text providing Remote control instructions, and is shown only if Remote control is enabled in Account Lockout Examiner settings. + +## Modifying the template +You can modify the template in the following ways: + +- Edit any text within the template sections. +- Add any AD attribute name. The attribute name should be in the following format: ` %AD.[attribute]%`. 
+ - For example, with the ` %AD.Displayname%` attribute added into the template, the notification message will show the Display name of the locked out user account. +- Add any internal variable name: + - ` %NTAccount%` - shows the name of the locked out account. + - ` %WorkStation%` - shows the name of the workstation where an account was locked out. + - ` %LockoutTime%` - shows the lockout time. + - ` %Link%` - shows the link to the web portal. + +## Example +[![User-added image](images/ka04u000000HcWM_0EM700000004wyA.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAdA&feoid=00N700000032Pj2&refid=0EM700000004wyA) diff --git a/docs/kb/auditor/how-to-delete-old-entries-from-the-account-list.md b/docs/kb/auditor/how-to-delete-old-entries-from-the-account-list.md new file mode 100644 index 0000000000..58342fdce6 --- /dev/null +++ b/docs/kb/auditor/how-to-delete-old-entries-from-the-account-list.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Shows how to remove old account entries from the account list in Netwrix + Auditor by using the UI or by editing the `alinfo.xml` file manually. +keywords: + - account list + - alinfo.xml + - ALObj + - SID + - remove accounts + - Netwrix Auditor + - service restart + - delete entries +products: + - auditor +sidebar_label: How to delete old entries from the account list +tags: [] +title: "How to delete old entries from the account list" +knowledge_article_id: kA00g000000H9TkCAK +--- + +# How to delete old entries from the account list + +You can delete old entries by selecting the accounts from **All accounts** (multiple selection is supported) and clicking the **Remove** button. + +The account list is stored in the `alinfo.xml` file and you can manually delete the required accounts directly from the file. To do this, stop the Netwrix Auditor service, delete the account information (the information is enclosed in the `` and `` tags; accounts are referred to as `SIDs`), and then start the service again. + +1. Stop the Netwrix Auditor service. +2. Open the `alinfo.xml` file. +3. Delete the account information enclosed in the `` and `` tags for the accounts you want to remove. Accounts are referred to as `SIDs`. +4. Save the `alinfo.xml` file. +5. Start the Netwrix Auditor service. + +![User-added image](images/ka04u000000HcNX_0EM700000004wxg.png) diff --git a/docs/kb/auditor/how-to-detect-the-root-cause-of-multiple-failed-logons.md b/docs/kb/auditor/how-to-detect-the-root-cause-of-multiple-failed-logons.md new file mode 100644 index 0000000000..2e4ffe0ed2 --- /dev/null +++ b/docs/kb/auditor/how-to-detect-the-root-cause-of-multiple-failed-logons.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Explains how to find the root cause when Netwrix Auditor reports many failed + logons from a single workstation or server, and lists places to check for + outdated credentials. +keywords: + - failed logons + - logon failures + - Netwrix Auditor + - credentials + - Windows Credential Manager + - ADFS + - DCOM + - task scheduler + - troubleshooting +products: + - auditor +sidebar_label: How to detect the root cause of multiple failed lo +tags: [] +title: "How to detect the root cause of multiple failed logons" +knowledge_article_id: kA00g000000H9eNCAS +--- + +# How to detect the root cause of multiple failed logons + +## Symptom + +Netwrix Auditor for Logon Activity may report a large amount of failed logons from a single workstation or server. + +## Cause + +Usually, this happens because the problematic account credentials were saved somewhere on the target machine and became outdated. If a user's password was changed but not updated in the system or application that used it, those systems/applications will try to use the stored outdated credentials and generate a large number of failed logons. + +## Resolution + +Login to the originating machine and check the following systems for outdated credentials: + +- **Windows Credential Manager** - may store outdated credentials. +- **Windows task scheduler** - there could be a task configured to run using the problematic account. +- **Application or service** - there could be a service that is trying to start or a tool/application that is trying to run using outdated credentials. +- **Terminal Server session** - there could be an opened session with outdated credentials. +- **AD Federation Services** - replication issues - a new password was not replicated to ADFS. +- **DCOM objects** - sometimes a computer requires a restart after changing user password to apply settings to DCOM objects that are using these credentials. + +Enter valid account credentials. 
+ +If you want an overview on how Failed Logon information is collected, check this article: https://kb.netwrix.com/5905 (Why Do I Have Incomplete Information on Failed Logons?) + +If you need a guide on how to Investigate Failed Logon, check this article: https://kb.netwrix.com/5198 (Investigating Failed Logons) diff --git a/docs/kb/auditor/how-to-determine-the-exchange-web-services-ews-url.md b/docs/kb/auditor/how-to-determine-the-exchange-web-services-ews-url.md new file mode 100644 index 0000000000..e2b199d84a --- /dev/null +++ b/docs/kb/auditor/how-to-determine-the-exchange-web-services-ews-url.md @@ -0,0 +1,42 @@ +--- +description: >- + Learn how to find the Exchange Web Services (EWS) URL for your Exchange Server + using PowerShell or Outlook. Includes the default URL format and step-by-step + instructions. +keywords: + - EWS + - Exchange + - Exchange Server + - EWS URL + - PowerShell + - Outlook + - Autodiscover + - Availability Service +products: + - auditor + - data-classification +sidebar_label: How To Determine the Exchange Web Services (EWS) U +tags: [] +title: "How To Determine the Exchange Web Services (EWS) URL" +knowledge_article_id: kA00g000000H9eFCAS +--- + +# How To Determine the Exchange Web Services (EWS) URL + +The default **URL** for **EWS** is usually in the format `https://mailserver/EWS/Exchange.asmx`, however this may not be correct for every **Exchange Server**. + +There are two methods to find the **URL:** + +## PowerShell + +1. Open the **Exchange Management Shell** on the **Exchange Server** +2. Type `Get-WebServicesVirtualDirectory |Select name, *url* | fl` + +## Outlook + +1. Open **Outlook** +2. Hold the **Ctrl key** + **right-click** on the **Outlook** Icon in the system tray +3. Select **"Test E-mail Auto Configuration"** from the menu +4. Type in an **email address** located on the desired **Exchange Server** +5. Click **"Test"** +6. The URL is listed as **"Availability Service URL"** 
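Review bot: In how-to-determine-the-exchange-web-services-ews-url.md, PowerShell step 2 (`Get-WebServicesVirtualDirectory |Select name, *url* | fl`) selects every property matching `*url*`, so the output can contain more than one URL, and the step never says which value is the EWS URL the reader should use. Add a sentence naming the property to copy, and consider spelling the aliases out as `Select-Object` and `Format-List` with a space after the first pipe so the command reads the same as the rest of the docs. The `sidebar_label` is also truncated at "(EWS) U".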
diff --git a/docs/kb/auditor/how-to-disable-the-self-audit-feature-in-netwrix-auditor.md b/docs/kb/auditor/how-to-disable-the-self-audit-feature-in-netwrix-auditor.md new file mode 100644 index 0000000000..a13c0d0b2d --- /dev/null +++ b/docs/kb/auditor/how-to-disable-the-self-audit-feature-in-netwrix-auditor.md @@ -0,0 +1,33 @@ +--- +description: >- + Instructions to disable the Self-Audit feature in Netwrix Auditor so the + program stops logging configuration changes such as creation or removal of + monitoring plans. +keywords: + - Self-Audit + - Netwrix Auditor + - disable Self-Audit + - monitoring plans + - configuration changes + - settings + - Collect data for Self-Audit +products: + - auditor +sidebar_label: How to disable the Self-Audit feature in Netwrix A +tags: [] +title: "How to disable the Self-Audit feature in Netwrix Auditor" +knowledge_article_id: kA04u0000000H43CAE +--- + +# How to disable the Self-Audit feature in Netwrix Auditor + +The **Self-Audit** feature enables Netwrix Auditor to keep track of configuration changes made to the program, such as creation/removal of monitoring plans. If this feature is deemed unnecessary or unwanted, you can disable it by following the steps below. + +--- + +1. Launch **Netwrix Auditor** +2. Navigate to **Settings** +3. Under the **General** tab, find the **Self-Audit** section +4. Uncheck the box labeled "Collect data for Self-Audit" + +Configuration changes will no longer be logged by Netwrix Auditor diff --git a/docs/kb/auditor/how-to-discover-inactive-users-with-netwrix-auditor.md b/docs/kb/auditor/how-to-discover-inactive-users-with-netwrix-auditor.md new file mode 100644 index 0000000000..4e74ad011d --- /dev/null +++ b/docs/kb/auditor/how-to-discover-inactive-users-with-netwrix-auditor.md 
@@ -0,0 +1,32 @@ +--- +description: >- + Learn how to find and review inactive users in Active Directory using Netwrix + Auditor reports and the built-in Inactive User Tracker tool. +keywords: + - inactive users + - Active Directory + - Last Logon Time + - Inactive User Tracker + - Netwrix Auditor + - user auditing + - reports +products: + - auditor +sidebar_label: How to Discover Inactive Users with Netwrix Auditor +tags: [] +title: "How to Discover Inactive Users with Netwrix Auditor?" +knowledge_article_id: kA04u000001111vCAA +--- + +# How to Discover Inactive Users with Netwrix Auditor? + +## Question + +How to review inactive users with Netwrix Auditor? + +## Answer + +You can find information about inactive users in your Active Directory domain using the **User Accounts – Last Logon Time** report or the built-in **Inactive User Tracker** tool. Do the following: + +1. Review the report. For that, on the product home screen, click the **Reports** tile and navigate to **Active Directory** > **Active Directory – State-in-Time** > **User Accounts –** **Last Logon Time.** Review the report and apply filters as desired. +2. Create a dedicated monitoring plan for inactive users using the built-in **Inactive User Tracker** tool. For additional information on how to configure inactive users auditing and review the report, refer to the following article: Inactive User Tracker. diff --git a/docs/kb/auditor/how-to-edit-schedules-in-netwrix-auditor-event-log-manager.md b/docs/kb/auditor/how-to-edit-schedules-in-netwrix-auditor-event-log-manager.md new file mode 100644 index 0000000000..42709be550 --- /dev/null +++ b/docs/kb/auditor/how-to-edit-schedules-in-netwrix-auditor-event-log-manager.md 
@@ -0,0 +1,44 @@ +--- +description: >- + This article explains how to edit data collection and reporting schedules in + Netwrix Auditor Event Log Manager. It shows how to edit the Task Scheduler + task for collection and how to change the reporting notification time in the + monitoring plan. +keywords: + - Event Log Manager + - schedule + - Task Scheduler + - monitoring plan + - data collection + - reporting schedule + - Netwrix Auditor + - notification delivery +products: + - auditor +sidebar_label: How to Edit Schedules in Netwrix Auditor Event Log +tags: [] +title: "How to Edit Schedules in Netwrix Auditor Event Log Manager" +knowledge_article_id: kA0Qk0000000S2jKAE +--- + +# How to Edit Schedules in Netwrix Auditor Event Log Manager + +## Overview + +Netwrix Auditor Event Log Manager implements two schedules for data collection and reporting. Depending on your business needs, these schedules can be altered to fit your environment. This article describes how to edit schedules in the Event Log Manager. + +## Instructions + +Refer to the following steps to edit the data collection schedule: + +1. Open **Task Scheduler** on your Auditor server. +2. Select **Task Scheduler Library** and locate the Event Log Manager task − the correct task is named `Netwrix Auditor − {%GUID%} − {%GUID%}` and should contain the line `Starts Netwrix Auditor data collection on Event Log for %monitoring_plan_name%` in the **Description** field of the scheduled task. +3. Right-click the task and click **Properties**. +4. In the **Triggers** tab, select the **Daily** trigger and click **Edit**. +5. Define the new schedule and click **OK** > **OK** to save changes. + +Refer to the following steps to edit the reporting schedule: + +1. Launch Event Log Manager, select the monitoring plan, and click **Edit**. +2. Switch to the **Advanced** tab and edit the **Specify notification delivery time** value. +3. Click **Save** to save your changes. 
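Review bot: In how-to-edit-schedules-in-netwrix-auditor-event-log-manager.md, step 2 of the data collection procedure gives the task name as `Netwrix Auditor − {%GUID%} − {%GUID%}` with a typographic minus sign (−) inside the code span rather than an ASCII hyphen. If the real scheduled task name uses a plain hyphen, anyone who copies this string into a Task Scheduler search or a script filter will get no match. Please confirm the separator against an actual task and use that exact character in the code span; the same string appears in the Inactive User Tracker and Password Reset articles later in this patch. The `sidebar_label` is also truncated at "...Event Log".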
diff --git a/docs/kb/auditor/how-to-edit-schedules-in-netwrix-auditor-inactive-user-tracker.md b/docs/kb/auditor/how-to-edit-schedules-in-netwrix-auditor-inactive-user-tracker.md new file mode 100644 index 0000000000..34ea644caf --- /dev/null +++ b/docs/kb/auditor/how-to-edit-schedules-in-netwrix-auditor-inactive-user-tracker.md @@ -0,0 +1,36 @@ +--- +description: >- + Use this article to change the scheduled task that runs Inactive User Tracker + data collection in Netwrix Auditor. It explains how to locate and edit the + Task Scheduler entry. +keywords: + - Netwrix Auditor + - Inactive User Tracker + - schedule + - Task Scheduler + - Event Log Manager + - triggers + - task properties +products: + - auditor +sidebar_label: 'How to Edit Schedules in Netwrix Auditor Inactive ' +tags: [] +title: "How to Edit Schedules in Netwrix Auditor Inactive User Tracker" +knowledge_article_id: kA0Qk0000000XwrKAE +--- + +# How to Edit Schedules in Netwrix Auditor Inactive User Tracker + +## Overview + +Netwrix Auditor Inactive User Tracker implements a schedule for actions and reporting. Depending on your business needs, the schedules can be altered to fit your environment. This article describes how to edit schedules in Inactive User Tracker. + +## Instructions + +Follow these steps to edit the schedule: + +1. Open **Task Scheduler** on your Netwrix Auditor server. +2. Select **Task Scheduler Library** and locate the Event Log Manager task − the correct task is named `Netwrix Auditor − {%GUID%} − {%GUID%}` and should contain the line `Starts Netwrix Auditor data collection on Inactive Users for %monitoring_plan_name%` in the **Description** field of the scheduled task. +3. Right-click the task and click **Properties**. +4. In the **Triggers** tab, select the **Daily** trigger and click **Edit**. +5. Define the new schedule and click **OK** > **OK** to save changes. 
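Review bot: In how-to-edit-schedules-in-netwrix-auditor-inactive-user-tracker.md, step 2 tells the reader to "locate the Event Log Manager task" even though the article is about Inactive User Tracker and the task description it quotes is `Starts Netwrix Auditor data collection on Inactive Users for %monitoring_plan_name%`. This looks carried over from the Event Log Manager article, as does the `Event Log Manager` keyword in the front matter. Suggest "locate the Inactive User Tracker task" and dropping the keyword. The overview also promises "a schedule for actions and reporting" while the instructions cover a single Task Scheduler entry; either describe the second schedule or narrow the overview. The `sidebar_label` ends in a trailing space after "Inactive".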
diff --git a/docs/kb/auditor/how-to-edit-schedules-in-netwrix-auditor-password-expiration-notifier.md b/docs/kb/auditor/how-to-edit-schedules-in-netwrix-auditor-password-expiration-notifier.md new file mode 100644 index 0000000000..b21bdfbb26 --- /dev/null +++ b/docs/kb/auditor/how-to-edit-schedules-in-netwrix-auditor-password-expiration-notifier.md @@ -0,0 +1,38 @@ +--- +description: >- + Netwrix Auditor Password Reset implements a schedule for reporting. This + article explains how to edit the reporting schedule for Password Reset + reporting tasks on your Netwrix Auditor server. +keywords: + - password expiration + - schedule + - Task Scheduler + - Event Log Manager + - Netwrix Auditor + - Password Reset + - reporting schedule + - triggers + - daily trigger +products: + - auditor +sidebar_label: "How to Edit Schedules in Netwrix Auditor Password Reset" +tags: [] +title: "How to Edit Schedules in Netwrix Auditor Password Reset" +knowledge_article_id: kA0Qk0000000XyTKAU +--- + +# How to Edit Schedules in Netwrix Auditor Password Reset + +## Overview + +Netwrix Auditor Password Reset implements a schedule for reporting. Depending on your business needs, the schedule can be altered to fit your environment. This article describes how to edit the reporting schedule in Password Reset. + +## Instructions + +Refer to the following steps to edit the reporting schedule: + +1. Open **Task Scheduler** on your Netwrix Auditor server. +2. Select **Task Scheduler Library** and locate the Event Log Manager task − the correct task is named `Netwrix Auditor − {%GUID%} − {%GUID%}` and should contain the line `Starts Netwrix Auditor data collection on Password Expiration for %monitoring_plan_name%` in the **Description** field of the scheduled task. +3. Right-click the task and click **Properties**. +4. In the **Triggers** tab, select the **Daily** trigger and click **Edit**. +5. Define the new schedule and click **OK** > **OK** to save changes. 
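Review bot: In how-to-edit-schedules-in-netwrix-auditor-password-expiration-notifier.md, the product name is inconsistent across the hunk: the file name says "password-expiration-notifier", the title, description and body say "Password Reset", and the quoted task description says `data collection on Password Expiration`. Please confirm which product this article covers and use one name throughout, otherwise a reader searching Task Scheduler for "Password Reset" will not find the task. Step 2 also says "locate the Event Log Manager task", which appears to be copied from the Event Log Manager article, and `Event Log Manager` is listed in the keywords.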
diff --git a/docs/kb/auditor/how-to-enable-item-level-auditing-on-multiple-file-servers.md b/docs/kb/auditor/how-to-enable-item-level-auditing-on-multiple-file-servers.md new file mode 100644 index 0000000000..5620af3d03 --- /dev/null +++ b/docs/kb/auditor/how-to-enable-item-level-auditing-on-multiple-file-servers.md @@ -0,0 +1,41 @@ +--- +description: >- + Use the provided PowerShell script to enable item-level auditing on multiple + file servers. Edit `line #19` to set the target OU and domain, then run the + script under a domain admin account. +keywords: + - item level auditing + - file servers + - PowerShell script + - auditing + - OU + - domain admin + - file shares + - modify events + - access events +products: + - auditor +sidebar_label: How to enable item level auditing on multiple file +tags: [] +title: "How to enable item level auditing on multiple file servers?" +knowledge_article_id: kA00g000000H9W6CAK +--- + +# How to enable item level auditing on multiple file servers? + +Using the PowerShell script provided, edit `line #19` and replace `your_ou_name` and `your_domain` with their corresponding values. +This script will take all Computers in the specified OU and apply audit to all visible shares on these computers with audit settings for all access and modify events. +The script must be run under a domain admin account. + +## Steps + +1. Open the provided PowerShell script in an editor. +2. Edit `line #19` and replace `your_ou_name` and `your_domain` with the appropriate values for your environment. +3. Save the script. +4. Run the script under a domain admin account. + +## Notes + +- The script targets all Computers in the specified OU. +- The script applies audit settings to all visible shares on those computers for all access and modify events. +- Ensure you run the script using a domain admin account to allow the required changes. 
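Review bot: In how-to-enable-item-level-auditing-on-multiple-file-servers.md, every step depends on "the PowerShell script provided", but the article contains neither the script nor a link to it, so the instruction to edit `line #19` cannot be followed. Please add the download link or embed the script, and refer to the variable or string to change (`your_ou_name`, `your_domain`) rather than a line number, which breaks as soon as the script is revised. Because the script runs under a domain admin account and changes audit settings on all visible shares of every computer in the OU, the article should also tell the reader to review the script and try it on a small test OU first. The Steps and Notes sections restate the opening paragraph almost word for word and could be merged into it.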
diff --git a/docs/kb/auditor/how-to-enable-ocr-for-non-english-images.md b/docs/kb/auditor/how-to-enable-ocr-for-non-english-images.md new file mode 100644 index 0000000000..c64de34ea1 --- /dev/null +++ b/docs/kb/auditor/how-to-enable-ocr-for-non-english-images.md 
@@ -0,0 +1,111 @@ +--- +description: >- + Shows how to deploy Tesseract OCR language packs and configure OCR Path + Mapping so Netwrix Data Classification processes non‑English images correctly. +keywords: + - OCR + - Tesseract + - language pack + - tessdata + - Data Classification + - OCR Path Mapping + - non‑English + - conceptQS + - conceptCollector +products: + - auditor + - data-classification +visibility: public +sidebar_label: How to Enable OCR for Non-English Images +tags: [] +title: "How to Enable OCR for Non-English Images" +knowledge_article_id: kA00g000000H9e3CAC +--- + +# How to Enable OCR for Non-English Images + +## Question + +How can I enable OCR for non-English images? + +## Answer + +The steps below explain how to deploy additional **OCR language pack(s)** and how to identify which **files** should be processed via the installed **pack(s)**. This assumes that you have enabled **OCR** correctly. More details can be found in the following KB article: [Process Document Images results in no extracted text or invalid text](/docs/kb/auditor/process-document-images-results-in-no-extracted-text-or-invalid-text.md). + +Select the language you wish to use from the list below to download the corresponding language pack: + +1. Ensure that the **pack** is deployed on all **servers** to the following locations: + 1. **conceptQS** (typically: `C:\inetpub\wwwroot\NDC\bin\Tesseract-OCR\tessdata`) + 2. **conceptCollector** (typically: `C:\Program Files\Netwrix\Data Classification\Services\ConceptCollectorService\Tesseract-OCR\tessdata`) +2. The **language pack** file should not be **renamed.** + +Then, identify which files should be processed via a particular language pack: + +1. Log into the **Administration Portal.** +2. Select **Config.** +3. Expand **Text Processing.** +4. Select **OCR Path Mapping.** +5. Each mapping allows you to define part of a **path** to identify specific files for processing: + 1. Select **Add.** + 2. 
Define the **inclusion** filter, such as: + - `*ru_*` - Identifies any file that contains `ru_` within the path + - `*` - Identifies any file + 3. Select the **language** (mapped to the deployed language pack). + 4. Select **Save.** +6. In the event that a **file** matches **multiple** **inclusion rules**, the longest matching **rule** will be used. + +## Language Packs: + +- [Afrikaans](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/afr.traineddata) +- [Albanian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/sqi.traineddata) +- [Arabic](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/ara.traineddata) +- [Basque](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/eus.traineddata) +- [Belarusian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/bel.traineddata) +- [Bengali](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/ben.traineddata) +- [Bulgarian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/bul.traineddata) +- [Catalan](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/cat.traineddata) +- [Czech](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/ces.traineddata) +- [Chinese Simplified](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/chi_sim.traineddata) +- [Chinese Traditional](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/chi_tra.traineddata) +- [Croatian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/hrv.traineddata) +- [Danish](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/dan.traineddata) +- [Dutch](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/nld.traineddata) +- [English](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/eng.traineddata) +- [Estonian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/est.traineddata) +- 
[Finnish](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/fin.traineddata) +- [French](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/fra.traineddata) +- [Galician](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/glg.traineddata) +- [German](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/deu.traineddata) +- [Greek](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/ell.traineddata) +- [Hebrew](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/heb.traineddata) +- [Hindi](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/hin.traineddata) +- [Hungarian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/hun.traineddata) +- [Icelandic](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/isl.traineddata) +- [Italian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/ita.traineddata) +- [Japanese](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/jpn.traineddata) +- [Kannada](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/kan.traineddata) +- [Korean](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/kor.traineddata) +- [Latvian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/lav.traineddata) +- [Lithuanian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/lit.traineddata) +- [Malayalam](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/mal.traineddata) +- [Macedonian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/mkd.traineddata) +- [Maltese](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/mlt.traineddata) +- [Malay](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/msa.traineddata) +- [Norwegian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/nor.traineddata) +- 
[Polish](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/pol.traineddata) +- [Portuguese](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/por.traineddata) +- [Romanian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/ron.traineddata) +- [Russian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/rus.traineddata) +- [Slovak](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/slk.traineddata) +- [Slovenian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/slv.traineddata) +- [Spanish](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/spa.traineddata) +- [Serbian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/srp.traineddata) +- [Swahili](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/swa.traineddata) +- [Swedish](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/swe.traineddata) +- [Tamil](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/tam.traineddata) +- [Telugu](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/tel.traineddata) +- [Tagalog](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/tgl.traineddata) +- [Thai](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/tha.traineddata) +- [Turkish](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/tur.traineddata) +- [Ukrainian](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/ukr.traineddata) +- [Vietnamese](https://www.netwrix.com/download/products/DDC/TesseractLanguagePacks/vie.traineddata) diff --git a/docs/kb/auditor/how-to-exclude-backup-events-from-the-sql-server-change-reporter-reports.md b/docs/kb/auditor/how-to-exclude-backup-events-from-the-sql-server-change-reporter-reports.md new file mode 100644 index 0000000000..efc41ab744 --- /dev/null 
+++ b/docs/kb/auditor/how-to-exclude-backup-events-from-the-sql-server-change-reporter-reports.md @@ -0,0 +1,28 @@ +--- +description: >- + Shows how to exclude Backup events from Netwrix Auditor for SQL Server reports + by editing the omitobjlist.txt file in the product installation folder. +keywords: + - Netwrix Auditor + - SQL Server + - backup events + - omitobjlist.txt + - exclude events + - SQL Server Auditing + - reports + - auditing +products: + - auditor +sidebar_label: How to exclude Backup events from the SQL Server C +tags: [] +title: "How to exclude Backup events from the SQL Server Change Reporter reports?" +knowledge_article_id: kA00g000000H9UHCA0 +--- + +# How to exclude Backup events from the Netwrix Auditor for SQL Server reports? + +To exclude Backup events from the Netwrix Auditor for SQL Servers reports, perform the following steps: + +1. Open the program installation folder (`C:\Program Files (x86)\Netwrix Auditor\SQL Server Auditing` by default). +2. Open the `omitobjlist.txt` file for editing. +3. Add the line called `Backup` (without quotes) at the end of the file and save it. diff --git a/docs/kb/auditor/how-to-exclude-non-operable-domain-controllers-from-monitoring-in-netwrix-auditor.md b/docs/kb/auditor/how-to-exclude-non-operable-domain-controllers-from-monitoring-in-netwrix-auditor.md new file mode 100644 index 0000000000..fa206f8698 --- /dev/null +++ b/docs/kb/auditor/how-to-exclude-non-operable-domain-controllers-from-monitoring-in-netwrix-auditor.md 
@@ -0,0 +1,58 @@ +--- +description: >- + Shows how to exclude a non-operable or decommissioned domain controller from + monitoring in Netwrix Auditor by adding it to the omitdclist.txt file in the + Netwrix working folder. +keywords: + - domain controller + - exclude + - omitdclist.txt + - Netwrix Auditor + - Working Folder + - Inactive Users Tracker + - DataPathOverride + - monitoring +products: + - auditor +sidebar_label: How to Exclude Non-operable Domain Controllers fro +tags: [] +title: "How to Exclude Non-operable Domain Controllers from Monitoring in Netwrix Auditor" +knowledge_article_id: kA00g000000H9TQCA0 +--- + +# How to Exclude Non-operable Domain Controllers from Monitoring in Netwrix Auditor + +## Question + +How to exclude a non-operable or decommissioned domain controller from monitoring? + +## Answer + +To exclude domain controllers from monitoring, refer to the following steps: + +1. Navigate to the ` %Working Folder%`. + + The default path to Netwrix Working Folder is: `C:\ProgramData\Netwrix Auditor`. If the Working Folder has been moved and you do not know the path, you can find it by opening the **Registry Editor** and navigating to: + + `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\DataPathOverride` + + > **NOTE:** The `Inactive Users Tracker` folder might not exist in the `%working folder%` directory if Inactive Users Tracker was not deployed. + +2. Open the `omitdclist.txt` file and specify the name of the domain controller you want to exclude in a new line. + + > **NOTE:** Make sure the line does not start with the **#** symbol. + + Refer to the following code block for a reference: + + ```text + # DC name formats: full DNS and NETBIOS. IP addresses are not supported. + # e.g. # dc1.example.com + # + MYDC.MYDOMAIN.LOCAL + ``` + + ![User-added image](images/ka0Qk0000003W1l_0EMQk000003oywv.png) + +3. Save the changes. Inactive User Tracker will exclude this domain controller. 
+ +Refer to the following article for additional information: Monitoring Plans — User Activity Monitoring Scope — v10.6. diff --git a/docs/kb/auditor/how-to-exclude-smart-card-users-from-monitoring-by-password-expiration-notifier.md b/docs/kb/auditor/how-to-exclude-smart-card-users-from-monitoring-by-password-expiration-notifier.md new file mode 100644 index 0000000000..93c7d0ee66 --- /dev/null +++ b/docs/kb/auditor/how-to-exclude-smart-card-users-from-monitoring-by-password-expiration-notifier.md @@ -0,0 +1,32 @@ +--- +description: >- + Shows how to exclude Smart Card users from monitoring by Netwrix Password + Reset by adding a registry DWORD under the monitoring plan key on the Netwrix + Auditor Server. +keywords: + - smart card + - Password Expiration Notifier + - Netwrix Password Reset + - registry + - IgnoreUsersWithSmartCardsSettings + - monitoring plan GUID + - Netwrix Auditor + - regedit +products: + - auditor +sidebar_label: How to exclude Smart Card users from monitoring by Netwrix Password Reset +tags: [] +title: "How to exclude Smart Card users from monitoring by Netwrix Password Reset?" +knowledge_article_id: kA00g000000H9cZCAS +--- + +# How to exclude Smart Card users from monitoring by Netwrix Password Reset? + +Perform the following steps: + +1. On the computer where Netwrix Auditor Server resides, open Registry Editor: navigate to **Start** > **Run** and type `regedit`. +2. In the Registry Editor, create a new registry key: + `HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix Auditor\Password Expiration Notifier\`. +3. Create the new DWORD `IgnoreUsersWithSmartCardsSettings` value under this key and set it to `1`. + +Note: The shortest way to learn the Monitoring plan GUID would be looking up the trace file for the following line: `Profile: {0}` diff --git a/docs/kb/auditor/how-to-exclude-specific-user-accounts-from-reports.md b/docs/kb/auditor/how-to-exclude-specific-user-accounts-from-reports.md new file mode 100644 index 0000000000..33d1c0bd8d 
--- /dev/null +++ b/docs/kb/auditor/how-to-exclude-specific-user-accounts-from-reports.md @@ -0,0 +1,36 @@ +--- +description: >- + Describes how to exclude specific user accounts from Netwrix File Server + Change Reporter change summaries and reports by editing omituserlist files. +keywords: + - exclude users + - omituserlist_fs.txt + - omitstoreuserlist_fs.txt + - Netwrix File Server Change Reporter + - Change Summaries + - SSRS reports + - service account + - email summaries + - wildcards +products: + - auditor +sidebar_label: How to exclude specific user accounts from reports +tags: [] +title: "How to exclude specific user accounts from reports" +knowledge_article_id: kA00g000000H9TvCAK +--- + +# How to exclude specific user accounts from reports + +How do I exclude certain user accounts from **Netwrix File Server Change Reporter Change Summaries** and **Reports** if I do not want to monitor them (for example, a service account used by a backup software)? + +## Solution + +To exclude user accounts from data collection and reporting, do the following: + +1. Navigate to the **Netwrix File Server Change Reporter** installation folder. +2. Open one of the following configuration files: + - `omituserlist_fs.txt` file to exclude certain users from the email **Change Summaries** + - `omitstoreuserlist_fs.txt` file to exclude certain users from **SSRS-based Reports** and email **Change Summaries** as well. +3. Edit the selected file by specifying the accounts you want to exclude. Accounts must be entered one per line in the `domainusername` format. Wildcards (`*` and `?`) are supported. +4. Save the changes and close the file. diff --git a/docs/kb/auditor/how-to-exclude-system-account-from-event-log.md b/docs/kb/auditor/how-to-exclude-system-account-from-event-log.md new file mode 100644 index 0000000000..35a3faf4f8 --- /dev/null +++ b/docs/kb/auditor/how-to-exclude-system-account-from-event-log.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Explains how to exclude the Windows `SYSTEM` account from Event Logs by + applying a filter or changing the audit policy. +keywords: + - SYSTEM account + - Event Log + - Windows Event Viewer + - filter events + - audit policy + - exclude SYSTEM + - Netwrix Auditor +products: + - auditor +sidebar_label: How to Exclude System Account From Event Log +tags: [] +title: "How to Exclude System Account From Event Log" +knowledge_article_id: kA04u00000111DNCAY +--- + +# How to Exclude System Account From Event Log + +## Question + +In some cases, for example, if an Antivirus running under the `SYSTEM` account generates multiple events and saturates the Windows logs, you might want to exclude the `SYSTEM` account from being shown in the Windows Event Logs or got monitored at all. + +This article answers the question on how to exclude the `SYSTEM` account from logs. + +## Answer + +You can do that in two ways: + +- Set a filter for the `SYSTEM` account to not show in the event logs. Learn more in [Windows Event Viewer — How to Filter Events ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/host-integration-server/core/how-to-filter-events2) +- Change the audit policy for the `SYSTEM` account to not get monitored. Learn more in [Windows Event Viewer ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/host-integration-server/core/windows-event-viewer1) diff --git a/docs/kb/auditor/how-to-exclude-the-public-key-infrastructure-pki-changes-from-being-reported.md b/docs/kb/auditor/how-to-exclude-the-public-key-infrastructure-pki-changes-from-being-reported.md new file mode 100644 index 0000000000..075a06e6cb --- /dev/null +++ b/docs/kb/auditor/how-to-exclude-the-public-key-infrastructure-pki-changes-from-being-reported.md 
@@ -0,0 +1,65 @@ +--- +description: >- + Shows how to exclude Public Key Infrastructure (PKI) attribute changes from + Netwrix Auditor reports by adding entries to the omitproplist.txt file in the + product installation directory. +keywords: + - PKI + - Public Key Infrastructure + - omitproplist + - Netwrix Auditor + - ms-PKI + - exclude + - reporting + - audit + - attributes +products: + - auditor +sidebar_label: How to exclude the Public Key Infrastructure (PKI) +tags: [] +title: "How to exclude the Public Key Infrastructure (PKI) changes from being reported?" +knowledge_article_id: kA00g000000H9YSCA0 +--- + +# How to exclude the Public Key Infrastructure (PKI) changes from being reported? + +For example: + +- [ms-PKI-AccountCredentials](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678097(v=vs.85).aspx) +- [ms-PKI-Certificate-Application-Policy](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678100(v=vs.85).aspx) +- [ms-PKI-Certificate-Name-Flag](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678101(v=vs.85).aspx) +- [ms-PKI-Certificate-Policy](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678102(v=vs.85).aspx) +- [ms-PKI-Cert-Template-OID](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678103(v=vs.85).aspx) +- [ms-PKI-Credential-Roaming-Tokens](http://msdn.microsoft.com/en-us/library/windows/desktop/hh339659(v=vs.85).aspx) +- [ms-PKI-DPAPIMasterKeys](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678098(v=vs.85).aspx) +- [ms-PKI-Enrollment-Flag](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678104(v=vs.85).aspx) +- [ms-PKI-Enrollment-Servers](http://msdn.microsoft.com/en-us/library/windows/desktop/hh339660(v=vs.85).aspx) +- [ms-PKI-Minimal-Key-Size](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678105(v=vs.85).aspx) +- [ms-PKI-OID-Attribute](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678107(v=vs.85).aspx) +- 
[ms-PKI-OID-CPS](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678108(v=vs.85).aspx) +- [ms-PKI-OID-LocalizedName](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678106(v=vs.85).aspx) +- [ms-PKI-OID-User-Notice](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678109(v=vs.85).aspx) +- [ms-PKI-Private-Key-Flag](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678110(v=vs.85).aspx) +- [ms-PKI-RA-Application-Policies](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678112(v=vs.85).aspx) +- [ms-PKI-RA-Policies](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678113(v=vs.85).aspx) +- [ms-PKI-RA-Signature](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678114(v=vs.85).aspx) +- [ms-PKI-RoamingTimeStamp](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678099(v=vs.85).aspx) +- [ms-PKI-Site-Name](http://msdn.microsoft.com/en-us/library/windows/desktop/hh339661(v=vs.85).aspx) +- [ms-PKI-Supersede-Templates](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678115(v=vs.85).aspx) +- [ms-PKI-Template-Minor-Revision](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678116(v=vs.85).aspx) +- [ms-PKI-Template-Schema-Version](http://msdn.microsoft.com/en-us/library/windows/desktop/ms678117(v=vs.85).aspx) + +--- + +In order to exclude changes to these attributes from being reported, do the following: + +1. Navigate to the Netwrix Auditor installation directory. +2. Add the following lines to the **omitproplist.txt** file: + +``` +*.msPKIAccountCredentials +*.msPKIDPAPIMasterKeys +*.msPKIRoamingTimeStamp + +etc.. +``` diff --git a/docs/kb/auditor/how-to-exclude-user-s-extended-properties-from-being-reported.md b/docs/kb/auditor/how-to-exclude-user-s-extended-properties-from-being-reported.md new file mode 100644 index 0000000000..b81332d43d --- /dev/null +++ b/docs/kb/auditor/how-to-exclude-user-s-extended-properties-from-being-reported.md 
@@ -0,0 +1,33 @@ +--- +description: >- + Add specific entries to the omitproplist.txt file in the Netwrix Auditor for + SQL Server installation directory to prevent user extended properties from + being reported. +keywords: + - omitproplist.txt + - omitproplist + - extended properties + - user properties + - Netwrix Auditor + - SQL Server + - exclude + - user.extended +products: + - auditor +sidebar_label: How to exclude user`s extended properties from bei +tags: [] +title: "How to exclude user`s extended properties from being reported?" +knowledge_article_id: kA00g000000H9WiCAK +--- + +# How to exclude user`s extended properties from being reported? + +To exclude user's extended properties from being reported, add the following lines to the `omitproplist.txt` file located in the Netwrix Auditor for SQL Server installation directory: + +1. Open the `omitproplist.txt` file in the Netwrix Auditor for SQL Server installation directory. +2. Add the following lines to the file: + +```text +user.*.extended* +user.extended*.* +``` diff --git a/docs/kb/auditor/how-to-exclude-users-and-objects-from-monitoring-scope-in-netwrix-auditor-ui.md b/docs/kb/auditor/how-to-exclude-users-and-objects-from-monitoring-scope-in-netwrix-auditor-ui.md new file mode 100644 index 0000000000..1fb10017d0 --- /dev/null +++ b/docs/kb/auditor/how-to-exclude-users-and-objects-from-monitoring-scope-in-netwrix-auditor-ui.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Use the Netwrix Auditor UI to exclude specific users and objects from a + monitoring scope. This article shows steps to configure the Users and Objects + tabs in a monitoring plan and explains object exclusion rule syntax. +keywords: + - exclude users + - exclude objects + - monitoring scope + - Netwrix Auditor + - monitoring plan + - Active Directory + - omit list + - exclusion rules +products: + - auditor +sidebar_label: How to Exclude Users and Objects from Monitoring S +tags: [] +title: "How to Exclude Users and Objects from Monitoring Scope in Netwrix Auditor UI" +knowledge_article_id: kA04u000000PoL2CAK +--- + +# How to Exclude Users and Objects from Monitoring Scope in Netwrix Auditor UI + +## Question + +How to exclude specific users and objects from the monitoring scope via Netwrix Auditor UI? + +## Answer + +You can exclude specific users and objects from your monitoring scope using the following tabs in the Netwrix Auditor UI: + +- the **Users** tab to exclude particular users performing activity in Active Directory. +- the **Objects** tab to exclude (or include) activity performed to objects in Active Directory. + +> **Note:** Examples of object exclusion rules for **Objects** are provided below. + +1. In the main Netwrix Auditor menu, select **Monitoring plans** under **Configuration**. +2. Select the relevant monitoring plan, select the data source and click **Edit**. +3. Select the data source and click **Edit data source**. + + ![bM2zhsogPP.png](images/ka04u000000Qmg4_0EM4u000007cgGr.png) +4. In the left pane, select **Users**. Check the **Exclude these users:** checkbox and click **Add** to add users to be excluded from the monitoring plan. Once all the users are added, click **Save & Close** in the bottom left corner. + + ![UwJqLVpUZx.png](images/ka04u000000Qmg4_0EM4u000007cgOC.png) +5. 
For objects, select the **Objects** tab in the left pane, check the **Exclude these objects** checkbox and click **Add** to exclude objects from the monitoring scope. Once you've added the objects, click **Save & Close**. + + ![RmVD0BXEc0.png](images/ka04u000000Qmg4_0EM4u000007cgPy.png) + +The following examples explain how the exclusion rules work for **Objects**. Same logic applies to the inclusion rules: + +- `dc11.local/OU` will exclude the OU itself. However, objects within this OU will not be excluded. +- `dc11.local/OU/*` will exclude objects within the OU. However, the OU itself will not be excluded. +- `dc11.local/OU*` will exclude the OU itself, all objects within it, and also all objects whose path begins with `dc11.local/OU` (like `dc11.local/OU_HQ`). + +For additional information on omit lists and excluding data sources, refer to the following article: Exclude Objects from Monitoring Scope. diff --git a/docs/kb/auditor/how-to-figure-out-the-ip-address-used-for-a-failed-logon-attempt.md b/docs/kb/auditor/how-to-figure-out-the-ip-address-used-for-a-failed-logon-attempt.md new file mode 100644 index 0000000000..a2a60f687b --- /dev/null +++ b/docs/kb/auditor/how-to-figure-out-the-ip-address-used-for-a-failed-logon-attempt.md 
@@ -0,0 +1,103 @@ +--- +description: >- + Shows two methods to determine the IP address involved in a failed logon + attempt: review the original event in Event Viewer and enable writing event + descriptions into the database to view details in the Netwrix Auditor console. +keywords: + - failed logon + - IP address + - Event Log Manager + - Event Viewer + - Netwrix Auditor + - event IDs + - 4625 + - DB Importer +products: + - auditor +sidebar_label: How to figure out the IP address used for a failed +tags: [] +title: "How to figure out the IP address used for a failed logon attempt?" +knowledge_article_id: kA00g000000H9WnCAK +--- + +# How to figure out the IP address used for a failed logon attempt? + +There is no **IP address** field in the `Failed Logon Attempts` report. + +However there are 2 ways you can figure out the IP address: + +1. Locate the event and review the event data. To do this, refer to **Procedure 1**. +2. Enable the "**Write event descriptions into the database**" option. To do this, refer to **Procedure 2**. + +## Procedure 1: + +1. Note the **Computer** **name** and the timestamp of the particular failed logon attempt. + + ![Image 1](images/ka04u000000HcPz_0EM700000004y2I.png) + +2. Go to **Start / All Programs / Netwrix Auditor / Event Log Manager / Advanced Tools / Viewer** +3. In the **Viewer** tool: + - select **Managed Object** name from the drop-down list + - select **Computer**, that you have noticed on step 1 as **Computer name** + - select **Event Log** as **Security** + - specify dates **From** and **To**, use date from the timestamp that you have noticed on step 1 + + ![Image 2](images/ka04u000000HcPz_0EM700000004y2N.png) + +4. Click the **View** button, and specify the location of the evt-file and click **OK**. The newly saved event log will be opened in **Event Viewer** automatically. +5. 
To convert the evt-file to evtx format, in the left hand panel, right click the saved log and select **Save All Events As**, specify the location of the evtx-file and click **OK**. Open the saved file via **Event Viewer**. + + ![Image 3](images/ka04u000000HcPz_0EM700000004y2S.png) + +6. When the evtx-file is opened, click **Filter Current Log** in the **Actions** pane. +7. In the **Filter Current Log** dialog box, specify `Event ID` as `4625,529-537,539` (failed logon attempts IDs), and then click **Logged** drop-down list and select **Custom range**. + + ![Image 4](images/ka04u000000HcPz_0EM700000004y2X.png) + +8. Specify date range around the timestamp that you have noticed on step 1 and click **OK**. Click **OK** + + ![Image 5](images/ka04u000000HcPz_0EM700000004y2c.png) + +9. Find the corresponding event in the filtered log and double-click it. +10. The **IP Address** is displayed in the **Network Information** section of the event description. + + ![Image 6](images/ka04u000000HcPz_0EM700000004y2h.png) + +## Procedure 2: + +1. Note the **Computer name** and the timestamp of the particular failed logon attempt. + + ![Image 1-1](images/ka04u000000HcPz_0EM700000004y31.png) + +2. In the **Netwrix Auditor Management Console**, go to **Managed Objects / <Your Mananaged Object> / Event Log Manager** node. +3. Enable the "**Write event descriptions into the database**" check box (if it is already selected, continue from **step 6**). Close console. + + ![Image 1-2](images/ka04u000000HcPz_0EM700000004y3B.png) + +4. Go to **Start / All Programs / Netwrix Auditor / Event Log Manager / Advanced Tools / DB Importer** +5. Select your managed object from the drop-down list and specify the date range that includes the date of the event. Click **Import**. + + ![Image 1-3](images/ka04u000000HcPz_0EM700000004y3G.png) + +6. 
Start **Netwrix Auditor Management Console**, go to **Managed Objects / <Your Mananaged Object> / Event Log Manager / Reports / General Reports / All Events by Computer** report. +7. In the filters: + - specify date range around the timestamp that you have noticed on step 1 + - specify **Computer** as **Computer name** you have noticed on step 1 (put **%** before and after the name) + - specify **Event ID** as **%5%** + - specify **Event Log** as **Security** + + !" ![Image](images/servlet_image_3823966b1661.png) + +8. Click the **View Report** button. +9. Find the corresponding event in the filtered log and click the blue link in the **Date** field. + + ![Image 1-5](images/ka04u000000HcPz_0EM700000004y3V.png) + +10. The page with **Event Details** will be displayed. + + ![Image 1-6](images/ka04u000000HcPz_0EM700000004y3k.png) + +NOTE: + +- The **IP address** is not always available in the description of the **Failed logon attempt** events. +- If you are looking for full description for another event, the described steps are similar except the specified **Event IDs** will be different. diff --git a/docs/kb/auditor/how-to-figure-out-where-a-user-account-was-locked-out.md b/docs/kb/auditor/how-to-figure-out-where-a-user-account-was-locked-out.md new file mode 100644 index 0000000000..73f9dd31b7 --- /dev/null +++ b/docs/kb/auditor/how-to-figure-out-where-a-user-account-was-locked-out.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Learn how to investigate where and why a user account was locked out using + Netwrix Auditor, including reports to run, searches to perform, and how to + enable auditing to trace failed logon sources. +keywords: + - account lockout + - failed logon + - Event ID 4740 + - Event ID 4625 + - Netwrix Auditor + - lockout investigation + - audit policy + - Caller Computer Name +products: + - auditor +sidebar_label: 'How to figure out where a user account was locked ' +tags: [] +title: "How to figure out where a user account was locked out?" +knowledge_article_id: kA04u00000110vTCAQ +--- + +# How to figure out where a user account was locked out? + +## Question + +How to figure out where a user account was locked out with Netwrix Auditor? + +## Answer + +There are several root causes for an account being locked, such as the user providing the wrong password multiple times or services/applications running under the account using expired stored credentials. When a service or application attempts to authenticate using expired or incorrect credentials, it causes failed logon events that can lead to an account lockout. + +With Netwrix Auditor, try the following to learn more about the locked account and find the reason: + +1. Review the User Accounts - Locked report. For that: + - On the Netwrix Auditor Client home page, click the **REPORTS** tile in the upper left corner. + - Expand **Predefined** > **Active Directory** > **Active Directory - State-in-Time**. + - Run the **User Account - Locked** report. + +2. Run a search to see how many failed logons were performed by this user before the account was locked. For that: + - On the Netwrix Auditor Client home page, click the **SEARCH ACTIVITY RECORDS** tile in the upper left corner. + - Switch to the **Advanced** view. + - Apply filters as follows: + - `Monitoring plan - Equals - Logon Activity` + - `Who - Contains - Account Name` + - `Action - Equals - Failed logon` + +3. 
Netwrix Auditor also suggests searching for the related event ID on the domain controller where the account was locked. For example, Event ID `4740` is generated on domain controllers, Windows servers, and workstations every time an account gets locked out. View the **Caller Computer Name** in the event details to see the source. + +4. To track the source of failed logons, enable failed logon auditing on the workstations from which these failed logons originated. For that: + - On the workstation where failed logons occurred, open the **Local Security Policy** snap-in. + - Expand **Local Policies** > **Security Options** and set the **Audit: Force audit policy** subcategory settings to `Enabled`. + - Navigate to **Advanced Audit Policy Configuration** > **System Audit Policy Configuration** > **Logon\Logoff** and set **Audit Logon** to `Failure`. + + NOTE: If this workstation is subject to a Group Policy configuration, configure audit policies via the **Group Policy Configuration** snap-in. + + When done, look up failed logon events (typically, Event ID `4625`) under the corresponding account in the **Security log** on these workstations, correlating the date and time of the failed logons with the entries seen in Netwrix Auditor reports and/or search results. + + Learn more about failed logon events: + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648 + + Review the events. They might contain information about the process generating the failed logons for a particular user account. diff --git a/docs/kb/auditor/how-to-filter-out-certain-mailboxes-and-folders-from-reports.md b/docs/kb/auditor/how-to-filter-out-certain-mailboxes-and-folders-from-reports.md new file mode 100644 index 0000000000..9d1802bdac --- /dev/null +++ b/docs/kb/auditor/how-to-filter-out-certain-mailboxes-and-folders-from-reports.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Learn how to exclude specific mailboxes and folders from reports by editing + the mailboxestoexclude.txt file in the program installation folder. +keywords: + - mailboxes + - mailboxestoexclude + - exclude + - reports + - folders + - compression service + - Netwrix Auditor + - wildcards +products: + - auditor +sidebar_label: How to filter out certain mailboxes and folders fr +tags: [] +title: "How to filter out certain mailboxes and folders from reports?" +knowledge_article_id: kA00g000000H9TtCAK +--- + +# How to filter out certain mailboxes and folders from reports? + +How do I filter out certain mailboxes and folders from product reports? + +## Procedure + +1. Navigate to the program installation folder. +2. Open the `mailboxestoexclude.txt` file. This file contains a list of mailboxes and folders to be excluded from reports. +3. Specify entries in the file using one of the following formats: + - `Mailbox_Name` + - `Mailbox_Name/Folder_Name` + - Use wildcards like `*/Folder_Name` to exclude the specified folder from all mailboxes. The latter excludes the specified folder of all mailboxes. + +## Notes + +- NOTE: If compression service is not enabled, the `Mailbox_Name/Folder_Name` lines are ignored. diff --git a/docs/kb/auditor/how-to-filter-out-certain-users-from-reports.md b/docs/kb/auditor/how-to-filter-out-certain-users-from-reports.md new file mode 100644 index 0000000000..2849b755a9 --- /dev/null +++ b/docs/kb/auditor/how-to-filter-out-certain-users-from-reports.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Shows how to exclude specific users from mailbox access reports in Netwrix + Auditor by adding them to the userstoexclude.txt file. Explains the file + structure, wildcard support, and how exclusions affect stored snapshots and + the Report Viewer. +keywords: + - mailbox access + - exclude users + - userstoexclude.txt + - Netwrix Auditor + - snapshots + - Report Viewer + - wildcards + - data collection +products: + - auditor +sidebar_label: How to filter out certain users from reports +tags: [] +title: "How to filter out certain users from reports" +knowledge_article_id: kA00g000000H9WYCA0 +--- + +# How to filter out certain users from reports + +How do I filter out certain users from mailbox access reports? + +## Procedure + +1. To exclude a specific user from the mailbox access reports, add that user to the `userstoexclude.txt` file located in the Netwrix Auditor installation directory. + - Since this file is read at the beginning of each data collection, the exclusion affects only newly collected data. + +## File structure + +- Each entry must be on a separate line. +- Wildcards (`*` and `?`) are supported. +- Lines that start with the `#` sign are treated as comments and are ignored. + +## Image + +![User-added image](images/ka04u000000HcPk_0EM7000000054Bf.png) + +## Note + +**NOTE.** The `userstoexclude.txt` file contains a list of users who must be excluded from reports if they perform non-owner access to mailboxes. But the audit data for these users will still be stored in the snapshots, so if a user is removed from this list, the information on the user actions can be viewed with the **Report Viewer**. diff --git a/docs/kb/auditor/how-to-filter-out-specific-events-from-being-monitored-by-the-logon-reporter-software.md b/docs/kb/auditor/how-to-filter-out-specific-events-from-being-monitored-by-the-logon-reporter-software.md new file mode 100644 index 0000000000..9d61dcdc27 --- /dev/null 
+++ b/docs/kb/auditor/how-to-filter-out-specific-events-from-being-monitored-by-the-logon-reporter-software.md 
@@ -0,0 +1,58 @@ +--- +description: >- + Explains how to configure the ExcludeFilter.txt file in the Netwrix Logon + Reporter installation folder to omit specific events from reports and Detail + Reports. +keywords: + - ExcludeFilter.txt + - Logon Reporter + - Exclude filter + - Event filtering + - Netwrix Logon Reporter + - Detail Reports + - EventID +products: + - auditor +sidebar_label: 'How to filter out specific events from being monitored by the Netwrix Logon Reporter software?' +tags: [] +title: >- + How to filter out specific events from being monitored by the Netwrix Logon + Reporter software? +knowledge_article_id: kA00g000000H9U5CAK +--- + +# How to filter out specific events from being monitored by the Netwrix Logon Reporter software? + +## Overview + +There is an `ExcludeFilter.txt` file in the Netwrix Logon Reporter installation folder. This file contains a list of event parameters indicating that an event should be omitted from reports and email Detail Reports. + +An event that has any of the parameters specified in this file will be omitted. + +The following parameters can be specified: `Computer`, `EventID`, `User`, `SID`, `UserDomain`, `UserName`. + +One entry per line is accepted in the following format: `parameter:value` + +For example, if you want to omit all events generated by user jsmith, add the following line: + +`User:corpjsmith` + +Wildcard `*` can be used to replace any number of symbols. + +## Examples + +Few useful examples: + +1. To exclude netwrix service account, add the following string: + `User:*netwrix_account` + +2. To exclude workstations and servers account logins, add the following string: + `User:**$` + +3. 
To exclude useless system logins, add the following strings: + `User:*AUTHORITYANONYMOUS*` + `User:*AUTHORITYSYSTEM*` + `User:*AUTHORITYLOCAL*` + `User:*AUTHORITYNETWORK*` + +**NOTE:** If your Netwrix Logon Reporter installation directory does not contain the `ExcludeFilter.txt` file, please contact [Netwrix Technical Support](https://www.netwrix.com/support_ticket.html) team to get the most recent version of the program. diff --git a/docs/kb/auditor/how-to-find-destination-of-failed-ntlm-logons.md b/docs/kb/auditor/how-to-find-destination-of-failed-ntlm-logons.md new file mode 100644 index 0000000000..6365b1a963 --- /dev/null +++ b/docs/kb/auditor/how-to-find-destination-of-failed-ntlm-logons.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Shows how to locate the origin of failed NTLM logon attempts by temporarily + enabling NTLM auditing on a Domain Controller and how to revert the change. +keywords: + - NTLM + - failed logon + - Domain Controller + - audit + - Event ID 4776 + - gpupdate + - authentication +products: + - auditor +sidebar_label: How to Find Destination of Failed NTLM Logons? +tags: [] +title: "How to Find Destination of Failed NTLM Logons?" +knowledge_article_id: kA04u00000111KxCAI +--- + +# How to Find Destination of Failed NTLM Logons? + +## Question + +How to identify the origin (destination) of the failed logons occurring through NTLM instead of Kerberos? For example, if a system administrator set up some process on a file server that was trying to authenticate over NTLM, which is hitting the Domain Controllers to authenticate and failing to perform said process. + +## Answer + +Because failed logons occurred through NTLM, the Domain Controllers were not documenting the details of the login attempts origin via event ID 4776 (not 4768/4769/4771), thus there is no information on failed logons' details in logs, such as the originating workstation name or IP address. + +To find the actual source of failed logons, enable NTLM auditing temporarily. For that: + +1. On the Domain Controller, open the **Group Policy** snap-in. +2. Expand the **Computer Configuration** **Policies** -> **Windows Settings** -> **Security Settings** -> **Local Policies** -> **Security Options** -> **Network Security: Restrict NTLM: Audit NTLM authentication**. +3. Set it to `enable all`, which only enables auditing of NTLM attempts, does not allow or restrict NTLM traffic. +4. Open **Command Prompt** as an elevated `user/administrator` and run the `gpupdate /force` command so the policy change takes effect on the Domain Controller. +5. 
The actual NTLM login attempts on the DC are logged here: + + **Applications** -> **Microsoft** -> **Windows** -> **NTLM** -> **Operational** + + Which contains information about the failed logon origin. For example, the name (and I think IP, but cannot guarantee) of a file server. +6. Disable NTLM authentication by unselecting the `enable all` checkbox enabled in step 3. +7. In the command prompt, run the `gpupdate /force` command again to turn off the extra auditing on the Domain Controller. + +## Related Articles: + +- /docs/kb/auditor/why_do_i_have_incomplete_information_on_failed_logons — Why Do I Have Incomplete Information on Failed Logons?. diff --git a/docs/kb/auditor/how-to-find-out-my-netwrix-auditor-version.md b/docs/kb/auditor/how-to-find-out-my-netwrix-auditor-version.md new file mode 100644 index 0000000000..3b4f2618a5 --- /dev/null +++ b/docs/kb/auditor/how-to-find-out-my-netwrix-auditor-version.md @@ -0,0 +1,37 @@ +--- +description: >- + Instructions to determine the version and build of your Netwrix Auditor + installation. +keywords: + - Netwrix Auditor + - version + - build + - check version + - About + - Settings + - how to + - KB + - audit +products: + - auditor +sidebar_label: How to Find Out My Netwrix Auditor Version +tags: [] +title: "How to Find Out My Netwrix Auditor Version" +knowledge_article_id: kA04u00000110rMCAQ +--- + +# How to Find Out My Netwrix Auditor Version + +## Question + +How can you establish the Netwrix Auditor version you're currently running? + +## Answer + +To establish the version and build of your Netwrix Auditor instance, refer to the following steps: + +1. In your main Netwrix Auditor menu, click the **Settings** button. +2. In the left pane, select **About Netwrix Auditor**. +3. Your current version and build will be available in the right section. + +![About Netwrix Auditor dialog showing version and build](images/ka04u00000116gG_0EM4u000008LXT9.png) 
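Review bot: the filter strings in how-to-filter-out-specific-events-from-being-monitored-by-the-logon-reporter-software.md appear to have lost their backslashes. The jsmith example reads `User:corpjsmith` with nothing between the domain and the user name, example 2 reads `User:**$`, and example 3 reads `User:*AUTHORITYANONYMOUS*` and similar. A reader who copies these lines as written gets patterns that are unlikely to match anything, so please restore the separator (for instance `User:corp\jsmith`) and escape it so the Markdown renderer keeps it. Since every line in this file removes logon events from reports, the Overview should also tell readers to review broad entries such as the machine-account wildcard before adding them.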
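Review bot: step 6 in how-to-find-destination-of-failed-ntlm-logons.md tells the reader to "Disable NTLM authentication", but step 3 says the setting only enables auditing and does not allow or restrict NTLM traffic. Reword step 6 to say that NTLM auditing is being turned off, so nobody reads it as an instruction to block NTLM on the Domain Controller. Step 5 carries a first-person aside ("and I think IP, but cannot guarantee") that should be verified and stated as fact or dropped. Step 2 is missing the arrow between **Computer Configuration** and **Policies**, the title says "Destination" where the Question says "origin", and the first Answer sentence is hard to parse around "via event ID 4776 (not 4768/4769/4771)" and would be clearer split in two.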
diff --git a/docs/kb/auditor/how-to-find-video-recording-files.md b/docs/kb/auditor/how-to-find-video-recording-files.md new file mode 100644 index 0000000000..743d85ba00 --- /dev/null +++ b/docs/kb/auditor/how-to-find-video-recording-files.md @@ -0,0 +1,36 @@ +--- +description: >- + Shows where Netwrix Auditor stores User Activity video recording files and how + to locate and copy the .avi files on disk. +keywords: + - video recording + - .avi + - sessions recordings + - Long-Term Archive + - file location + - Netwrix Auditor + - File Explorer + - recordings + - video files + - path +products: + - auditor +sidebar_label: How to Find Video Recording Files +tags: [] +title: "How to Find Video Recording Files" +knowledge_article_id: kA04u00000111F9CAI +--- + +# How to Find Video Recording Files + +## Question + +In some cases, you might want to find your video recording files on the computer. For example, to share them or move them to another PC. Where are the files stored physically? + +## Answer + +The User Activity video is already a video file `.avi`, you only need to locate the file and copy it. Follow the steps below to locate the files: + +1. In **Netwrix Auditor**, navigate to **Settings** -> **Long-Term Archive** and find the path to your Video Recording files under **Location for sessions recordings**. +2. Copy the path and paste it into **File Explorer**. +3. Once there you will see the names of the computers being monitored, the users name, then folders by year, then by Month and day together. diff --git a/docs/kb/auditor/how-to-force-netwrix-auditor-to-collect-a-specific-applications-and-services-event-log.md b/docs/kb/auditor/how-to-force-netwrix-auditor-to-collect-a-specific-applications-and-services-event-log.md new file mode 100644 index 0000000000..3fffe0f731 --- /dev/null +++ b/docs/kb/auditor/how-to-force-netwrix-auditor-to-collect-a-specific-applications-and-services-event-log.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Describes how to force Netwrix Auditor to collect a specific Applications and + Services event log by obtaining the log's full name in Event Viewer and + entering it into the Event Log filter. +keywords: + - Netwrix Auditor + - Event Log + - Applications and Services + - Event Viewer + - Event Log Manager + - log name + - Full Name + - filter +products: + - auditor +sidebar_label: How to force Netwrix Auditor to collect a specific +tags: [] +title: "How to force Netwrix Auditor to collect a specific Applications and Services event log?" +knowledge_article_id: kA00g000000H9WdCAK +--- + +# How to force **Netwrix Auditor** to collect a specific **Applications and Services** event log? + +--- + +When creating a new filter for **Event Log Manager**, you can select the log name from the drop-down list or enter the name of any custom log. In order to get the log name, please do the following: + +1. On the server where the log is located, start **Event Viewer** and navigate to the desired event log. +2. Right click on it and select **Log Properties**. +3. On the **Properties** window, copy **Full Name** of the event log. + +![EventViewer - select desired log](images/ka04u000000HcPp_0EM700000005DIQ.png) + +4. Paste that name to the **Event Log** field of the filter: + +![image.png](images/ka04u000000HcPp_0EM4u000007qsVK.png) diff --git a/docs/kb/auditor/how-to-generate-an-access-token-for-a-dropbox-source-in-netwrix-data-classification.md b/docs/kb/auditor/how-to-generate-an-access-token-for-a-dropbox-source-in-netwrix-data-classification.md new file mode 100644 index 0000000000..59929f4b97 --- /dev/null +++ b/docs/kb/auditor/how-to-generate-an-access-token-for-a-dropbox-source-in-netwrix-data-classification.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Steps to generate an access token in Dropbox to use when adding a Dropbox + source in Netwrix Data Classification. +keywords: + - Dropbox + - access token + - Netwrix Data Classification + - Dropbox API + - Authorization Code + - Create app + - Full Dropbox access + - generate token +products: + - auditor + - data-classification +sidebar_label: How to Generate an Access Token for a DropBox Sour +tags: [] +title: "How to Generate an Access Token for a DropBox Source in Netwrix Data Classification" +knowledge_article_id: kA00g000000PbctCAC +--- + +# How to Generate an Access Token for a DropBox Source in Netwrix Data Classification + +## Question + +How can you generate an Access Token for a DropBox source in Netwrix Data Classification? + +## Answer + +When adding a Dropbox source in Netwrix Data Classification you are asked for an “Access Token”. These are the steps to generate the required Access Token: + +1. Go to https://www.dropbox.com/developers/apps/create. +2. Authorize, if prompted. +3. Choose **Dropbox API** on the first step. +4. Choose **Full Dropbox access** in the second step. +5. Name the app. This name will become a folder in your Dropbox account. +6. Click the **Create app** button. +7. You’ll be presented with your app’s settings. +8. Click the **Generate** button next to **Authorization Code** and follow the prompts on the screen. +9. After the token is generated, you’ll see a string of letters and numbers: this is the access token that is required to add to the DropBox source. diff --git a/docs/kb/auditor/how-to-get-database-content-audit-working.md b/docs/kb/auditor/how-to-get-database-content-audit-working.md new file mode 100644 index 0000000000..9f1b394267 --- /dev/null +++ b/docs/kb/auditor/how-to-get-database-content-audit-working.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Explains how to get Database Content Audit working for SQL Server in Netwrix + Auditor by assigning the `sysadmin` role to the database owner to allow + cross-database writes. +keywords: + - Netwrix Auditor + - Database Content Audit + - SQL Server + - sysadmin + - database owner + - cross-database write + - MSSQL Management Console + - audit reports +products: + - auditor +sidebar_label: How to get Database Content Audit working +tags: [] +title: "How to get Database Content Audit working" +knowledge_article_id: kA00g000000H9aYCAS +--- + +# How to get Database Content Audit working + +You have enabled Data changes Audit in Netwrix Auditor for SQL Servers data source, configured as per our guide, but do not get data in reports without any errors, while you are sure some changes to data in the audited table were made. + +--- + +The owner of the target database must have the `sysadmin` role on your SQL Server. It is needed for cross-database write. + +--- + +### Resolution + +1. Open **MSSQL Management Console** and connect to your SQL Server. +2. Select properties of the target database and pick an owner. +3. Go to **Security->Logins** and grant that account the `sysadmin` role. diff --git a/docs/kb/auditor/how-to-get-full-netwrix-auditor-version.md b/docs/kb/auditor/how-to-get-full-netwrix-auditor-version.md new file mode 100644 index 0000000000..bc6eb2c047 --- /dev/null +++ b/docs/kb/auditor/how-to-get-full-netwrix-auditor-version.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Explains how to obtain a full Netwrix Auditor version and apply a license to + convert a trial installation to a fully licensed instance. +keywords: + - Netwrix Auditor + - license + - trial + - full version + - apply license + - download + - license file +products: + - auditor +sidebar_label: How to Get Full Netwrix Auditor Version +tags: [] +title: "How to Get Full Netwrix Auditor Version" +knowledge_article_id: kA04u00000110lsCAA +--- + +# How to Get Full Netwrix Auditor Version + +## Question + +I'm unable to find a standard Netwrix Auditor version on the Netwrix website, there are only trial versions of products available. Where can I get a full Netwrix Auditor executive? + +## Answer + +A trial version and a full version of Netwrix Auditor are the same version of the Auditor suite, with the only difference being the license applied. + +1. Once you've received your license file, download the trial Auditor version and apply the license file to it. + + [](https://www.netwrix.com/products.html) + + - In case you already have Netwrix Auditor installed, apply you new license to the existing Auditor instance. + +Refer to the following article for additional information on applying a license to your Netwrix Auditor instance: [How to Apply Netwrix Auditor License](/docs/kb/auditor/how-to-apply-netwrix-auditor-license). diff --git a/docs/kb/auditor/how-to-get-single-alert-on-mass-objects-modification.md b/docs/kb/auditor/how-to-get-single-alert-on-mass-objects-modification.md new file mode 100644 index 0000000000..4971e5568b --- /dev/null +++ b/docs/kb/auditor/how-to-get-single-alert-on-mass-objects-modification.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Shows how to configure an alert threshold in Netwrix Auditor so a single alert + triggers for mass object modifications, such as deleting a folder that + contains many files. +keywords: + - Netwrix Auditor + - alert threshold + - mass objects modification + - alerts + - folder deletion + - activity records + - alert settings +products: + - auditor +sidebar_label: How to Get Single Alert on Mass Objects Modificati +tags: [] +title: "How to Get Single Alert on Mass Objects Modification?" +knowledge_article_id: kA04u000000wnsrCAA +--- + +# How to Get Single Alert on Mass Objects Modification? + +## Question + +How to configure settings of a single alert to be triggered by mass objects modification? For example, if a folder got deleted containing many files. + +## Answer + +To get notified about mass objects modification with one Netwrix Alert, configure alert threshold. + +For additional information on alerts thresholds, refer to the following article: Alerts — Create Alerts — v10.6. + +1. On the Netwrix Auditor home page, click the **Alerts setings** link. +2. Select the alert you want to be triggered by mass objects removal and click **Edit**. +3. Navigate to **Thresholds**. When enabled, a single alert will be sent instead of many alerts. This can be helpful when Netwrix Auditor detects many activity records matching the filters you specified. +4. Configure threshold parameters as needed. diff --git a/docs/kb/auditor/how-to-identify-whether-auditor-server-can-receive-data-from-meraki-api.md b/docs/kb/auditor/how-to-identify-whether-auditor-server-can-receive-data-from-meraki-api.md new file mode 100644 index 0000000000..9894f6a909 --- /dev/null +++ b/docs/kb/auditor/how-to-identify-whether-auditor-server-can-receive-data-from-meraki-api.md 
@@ -0,0 +1,58 @@ +--- +description: >- + Shows how to verify whether the Netwrix Auditor server can reach the Meraki + API and how to troubleshoot an Event ID 6023 error caused by port or firewall + issues. +keywords: + - Meraki + - Meraki API + - Netwrix Auditor + - Network Devices Audit Service + - Event ID 6023 + - ports + - firewall + - curl + - Meraki dashboard +products: + - auditor +sidebar_label: How to Identify Whether Auditor Server Can Receive +tags: [] +title: "How to Identify Whether Auditor Server Can Receive Data from Meraki API?" +knowledge_article_id: kA0Qk0000000XGvKAM +--- + +# How to Identify Whether Auditor Server Can Receive Data from Meraki API? + +## Symptoms + +When configuring a Meraki dashboard data source, the following error appears: + +``` + + Source: Network Devices Audit Service + Event ID: 6023 + Unable to process item: The network path was not found. +``` + +When searching for the Meraki dashboard data source, no data is available. + +## Cause + +This error indicates an incorrect port configuration on the side of the Meraki dashboard data source. + +## Instructions + +To identify whether the Netwrix Auditor server can receive data from the Meraki API, open the command prompt as an administrator and execute the following command: + +1. Open the command prompt as an administrator. +2. Run the command: + +```bash +curl https://api.meraki.com/api/v1 > 1.html +``` + +This is an example of a response when the product cannot access the Meraki API: + +![User-added image](images/ka0Qk0000002jaX_0EMQk0000045bUT.png) + +In this case, check the ports required to audit the Meraki dashboard source and your internal firewall. Learn more about required ports and protocols in this article: Data Source Configuration — Network Devices — Network Devices Ports — v10.6 (/docs/auditor/10.6/auditor/configurationuration/networkdevices). 
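Review bot: step 4 in how-to-generate-an-access-token-for-a-dropbox-source-in-netwrix-data-classification.md has the reader choose **Full Dropbox access** without saying why the broadest option is needed. Please state whether Netwrix Data Classification requires it or whether a narrower option works, because the token produced in step 9 inherits that scope. Step 9 should also say that the token is a credential and where it is meant to be entered. Step 8 refers to a **Generate** button next to **Authorization Code** while every other line calls the result an access token, so the label should be checked against the current Dropbox console. Spelling alternates between "Dropbox" and "DropBox".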
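Review bot: the Resolution in how-to-get-database-content-audit-working.md grants `sysadmin` to the database owner with no note on scope. `sysadmin` is the highest server-level role in SQL Server, so the article should say which account is expected to own the target database (a dedicated service account rather than a personal login) and make clear that the role applies to the whole instance, not only the audited database. Step 2 ("pick an owner") does not say whether the reader should change the owner or only read the current one. The opening paragraph is one run-on sentence and would read better as a short symptom statement.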
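Review bot: step 1 in how-to-get-full-netwrix-auditor-version.md is followed by a link with empty text, `[](https://www.netwrix.com/products.html)`, which renders as nothing. Give it link text or fold the URL into step 1. In the sub-bullet, "apply you new license" should read "your", and "executive" in the Question looks like it should be "executable".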
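Review bot: the Instructions section of how-to-identify-whether-auditor-server-can-receive-data-from-meraki-api.md states the procedure twice. The lead sentence already says to open the command prompt as an administrator and execute the command, then steps 1 and 2 repeat it; keep one. The command redirects output to `1.html`, but no step tells the reader to open that file or what a successful response looks like; only the failure case is shown, and only as a screenshot. The fence is tagged `bash` although the text refers to the Windows command prompt, the Cause blames port configuration on the Meraki side while the fix points at the internal firewall, and the final link path contains "configurationuration".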
diff --git a/docs/kb/auditor/how-to-import-a-list-of-server-to-be-monitored-in-disk-space-monitor.md b/docs/kb/auditor/how-to-import-a-list-of-server-to-be-monitored-in-disk-space-monitor.md new file mode 100644 index 0000000000..9b190f8889 --- /dev/null +++ b/docs/kb/auditor/how-to-import-a-list-of-server-to-be-monitored-in-disk-space-monitor.md @@ -0,0 +1,37 @@ +--- +description: >- + Shows how to import a list of servers into Disk Space Monitor using the + Configurator. The import file must be a plain text (`*.txt`) file with one + server name per line. +keywords: + - disk space monitor + - import servers + - txt + - configurator + - Netwrix Disk Space Monitor + - server list + - monitoring +products: + - auditor +sidebar_label: "How to import a list of server to be monitored in Disk Space Monitor?" +tags: [] +title: "How to import a list of server to be monitored in Disk Space Monitor?" +knowledge_article_id: kA00g000000H9UNCA0 +--- + +# How to import a list of server to be monitored in Disk Space Monitor? + +--- + +To import the list of servers to Disk Space Monitor, perform the following: + +1. Go to **Start** | **Programs** | **Netwrix Disk Space Monitor Full Version** | **Configurator**. +2. Click the **Import** button. The file being imported must be in a `*.txt` format with the list of server names. The list should be in the following format: + +```text +Server1 +Server2 +Server3 +Server4 +etc... +``` diff --git a/docs/kb/auditor/how-to-improve-document-processing-performance.md b/docs/kb/auditor/how-to-improve-document-processing-performance.md new file mode 100644 index 0000000000..fe69cd01a3 --- /dev/null +++ b/docs/kb/auditor/how-to-improve-document-processing-performance.md 
@@ -0,0 +1,75 @@ +--- +description: >- + This article explains how to tweak Netwrix Data Classification processing + settings to maximize server resource usage and improve document processing + throughput. It describes collector, indexer, classifier tuning, polling + adjustments, and SQL host considerations. +keywords: + - document processing + - performance tuning + - Collector Threads + - Indexer + - Classifier + - polling + - SQL performance + - Netwrix Data Classification +products: + - auditor + - data-classification +sidebar_label: How to improve document processing performance +tags: [] +title: "How to improve document processing performance" +knowledge_article_id: kA00g000000H9e0CAC +--- + +# How to improve document processing performance + +The **Netwrix Data Classification** platform contains a number of ways to tweak the processing of content to make the most of the available server resources and ensure that your content is processed as quickly as possible. You may wish to review this guide if: + +- You're seeing one or two of the core services **idle** a large percentage of the time +- and, one service is typically busy processing content (suggesting a bottleneck with one service) + +The below guide details some of the typical steps we would recommend taking when looking to improve performance, or debug a lower than expected throughput. + +## Collector + +The **Collector** service is largely bound by the **CPU** and **Network** performance available to the server. If these resources are not being fully utilised then there are several configuration variables that can be increased by following these steps: + +1. Navigate to the "**Config**" section of the **QS Administration interface** +2. 
On the "**Collector**" tab consider increasing the following variables: + - **Collector** **Threads** - Limits the total number of requests to external systems, each **thread** can be thought of as a single user, so 5 **threads** would roughly be the equivalent load of 5 extra users + - **Collector Domain Threads** - Limits the total number of requests to each HTTP Domain (the root URL of a website or SharePoint environment etc). Depending on the content being crawled this will override the main "**Collector Threads**" variable. I.E, if we are only crawling one website or one SharePoint environment and we have values of 10 and 5 for the main and domain variables respectively then the lower "**Domains**" value will used. + - **Collector File Threads** - Limits the total number of requests made to file sources. + +We would recommend increasing these values slowly - reviewing the environment and then perhaps repeating. It is also important to continue monitoring the source system(s) as you increase the demands made on the environment. + +## Indexer + +The **Indexer** service is largely bound by the **IO/Disk/Memory** performance available to the server. We would recommend considering the following: + +- The current **IO** usage level, in virtual environments this should be reviewed on the VM host +- The speed of the disks used for indexing (the **CSE** files location, by default: `C:Program FilesConcept SearchingconceptDB`). We recommend using solid-state storage, or the fastest disks available " high speed network appliances are also supported. +- When utilising a network storage device it is important to also monitor **Network** usage, and consider upgrading the Network link + +## Classifier + +The **Classifier** service is largely bound by the **CPU** performance available to the server. If these resources are not being fully utilised then you can increase throughput by following these steps: + +1. 
Navigate to the "**Config**" section of the **QS Administration interface** +2. On the "**Classifier**" tab consider increasing the "**Classifier Threads**", monitoring **CPU** usage as throughput increases + +## Delays between batches + +In smaller, less busy, environments you may sometimes see a "**delay**" between each batch. This can sometimes leave you waiting 30-45 seconds for a document to process through fully. This is nothing to worry about - the services are designed to go into a small "**sleep**" state when there is no more work to do in order to reduce demands on the SQL environment. You can optionally remove this "**sleep**" setting by following these steps: + +1. Navigate to the "**Config**" section of the **QS Administration interface** +2. Reduce the values of the following configuration options: + 1. **Collector Polling** + 2. **Indexer Polling** + 3. **Classifier Polling** + +Once updated please restart each of the affected services. + +## SQL Performance + +If you are still seeing throughput issues, with little demand on the **Netwrix Data Classification** server then we would recommend reviewing the SQL Server host - in particular **CPU** and **Memory** utilisation. diff --git a/docs/kb/auditor/how-to-install-access-reviews.md b/docs/kb/auditor/how-to-install-access-reviews.md new file mode 100644 index 0000000000..fbc3761a9d --- /dev/null +++ b/docs/kb/auditor/how-to-install-access-reviews.md 
@@ -0,0 +1,38 @@ +--- +description: >- + Shows where to find the Netwrix Auditor Access Reviews installation wizard and + how to download and deploy it via the Netwrix Auditor Download Manager. +keywords: + - Access Reviews + - Download Manager + - Netwrix Auditor + - Virtual Appliance + - On-premises + - installation + - setup +products: + - auditor +sidebar_label: How to Install Access Reviews +tags: [] +title: "How to Install Access Reviews" +knowledge_article_id: kA04u00000110kfCAA +--- + +# How to Install Access Reviews + +## Question + +Where can I find Netwrix Auditor Access Reviews installation wizard? + +## Answer + +Access Reviews can be accessed via the Netwrix Auditor Download Manager. You can get Download Manager by downloading the Netwrix Auditor or the Netwrix Data Classification trial version here: [Netwrix Products](https://www.netwrix.com/products.html). + +> **NOTE:** Once you apply your license, your trial version will switch to a standard version. + +Launch the Netwrix Auditor Download Manager executive and select the appropriate deployment option. +In case you're planning the on-premise deployment, click **On-premises Deployment**, select the suitable package and click **Download**. Once you've downloaded the package, the Access Reviews Setup executive will be available in the downloaded archive. + +For the VM deployment, proceed with the **Virtual Appliance** option and select the suitable package. Netwrix Auditor Access Reviews will come preinstalled for the VM of your choice. + +![pI1UIaaJkT.png](images/ka04u00000116Ju_0EM4u000008LKrz.png) diff --git a/docs/kb/auditor/how-to-install-and-use-netwrix-account-lockout-examiner.md b/docs/kb/auditor/how-to-install-and-use-netwrix-account-lockout-examiner.md new file mode 100644 index 0000000000..b8ffb044c4 --- /dev/null +++ b/docs/kb/auditor/how-to-install-and-use-netwrix-account-lockout-examiner.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Learn how to download, launch, and operate Netwrix Account Lockout Examiner to + investigate account lockouts using security event logs. +keywords: + - account lockout + - ALE + - Netwrix Account Lockout Examiner + - lockout troubleshooting + - security event logs + - Domain Admins +products: + - auditor +sidebar_label: How to Install and Use Netwrix Account Lockout Exa +tags: [] +title: "How to Install and Use Netwrix Account Lockout Examiner" +knowledge_article_id: kA04u000000PcnuCAC +--- + +# How to Install and Use Netwrix Account Lockout Examiner + +## Preparation +Ensure you have downloaded the most recent version of Netwrix Account Lockout Examiner (ALE). Navigate to [https://www.netwrix.com/my_products.html](https://www.netwrix.com/my_products.html) to download the most recent version of ALE, as well as other Netwrix products. + +## Launching Netwrix Account Lockout Examiner +Once you've downloaded ALE, open the folder. Here you will find the following items: + +- Netwrix Account Lockout Examiner executable +- Netwrix Account Lockout Examiner User Guide +- What's New! + +1. Right click the `Netwrix_Account_Lockout_Examiner.exe` and click **Run as Administrator**. +2. A window will appear with a License Agreement and EULA. Please read the contents carefully and then choose to **Accept**. + +![User-added image](images/ka04u000000HdES_0EM4u000002CO3k.png) + +## Operating Netwrix Account Lockout Examiner +The next page that appears the the starting page for ALE. Here is a brief description of the options available to you. + +- **Locked account name -** This filed is where you will enter the account you wish to examine to discover the source of being locked out. + +- **Specify examiner credentials** - The first radial button is selected by default - the **"Use current account"** option. This option will use the currently logged in account as the service account to conduct the examination. 
If you would like to provide another account, choose the second radial button - the **"Use the following account"** option. **Ensure the account is a member of the Domain Admins group.** + +- **Examine audit trails for the last X days** - This field accepts a numeric value which will determine how many days backward the examiner will look while parsing security event logs. The further back the examination goes, the longer the examination process will take. + +Once the fields above are satisfied, click the **Examine** button to begin an examination. + +For continued use of ALE, save the executable to a location such as the desktop. If at anytime you wish to begin a new examination, simply re-run the executable. diff --git a/docs/kb/auditor/how-to-install-group-policy-management-console-on-different-windows-versions.md b/docs/kb/auditor/how-to-install-group-policy-management-console-on-different-windows-versions.md new file mode 100644 index 0000000000..02db1ec59e --- /dev/null +++ b/docs/kb/auditor/how-to-install-group-policy-management-console-on-different-windows-versions.md 
@@ -0,0 +1,68 @@ +--- +description: >- + Instructions to install Group Policy Management Console (GPMC) on various + Windows versions so you can audit Group Policy changes with Netwrix Auditor. +keywords: + - Group Policy + - GPMC + - Group Policy Management Console + - Netwrix Auditor + - RSAT + - Windows Server 2008 + - Windows 10 + - installation +products: + - auditor +sidebar_label: "How to install Group Policy Management Console on different Windows versions" +tags: [] +title: "How to install Group Policy Management Console on different Windows versions" +knowledge_article_id: kA00g000000H9VqCAK +--- + +# How to install Group Policy Management Console on different Windows versions + +- Should I install Group Policy Management Console to audit Group Policy changes with Netwrix Auditor? +- How can I install Group Policy Management Console on different Windows versions? + +--- + +Group Policy Management Console is an administrative tool for managing Group Policy across the enterprise. If you want to audit Group Policy, you must install Group Policy Management Console on the computer where Netwrix Auditor resides. To install Group Policy Management Console manually, perform the following steps depending on the Windows version your Netwrix Auditor server is running: + +## To install GPMC on Windows Server 2008 and Windows Server 2008 R2 + +1. Navigate to **Start → Control Panel → Programs and Features → Turn Windows features on or off**. +2. In the **Server Manager** dialog, select **Features** in the left pane, click **Add Features** and select **Group Policy Management**. +3. Click **Install** to enable it. + +## To install GPMC on Windows Server 2012 and above + +1. Navigate to **Start → Control Panel → Programs and Features → Turn Windows features on or off**. +2. In the **Add Roles and Features Wizard** dialog that opens, proceed to the **Features** tab in the left pane, and then select **Group Policy Management**. +3. 
Click **Next** to proceed to the confirmation page. +4. Click **Install** to enable it. + +## To install GPMC on Windows 7 + +1. [Download](http://www.microsoft.com/en-us/download/details.aspx?id=7887) and install Remote Server Administration Tools that include Group Policy Management Console. +2. Navigate to **Start → Control Panel → Programs and Features → Turn Windows features on or off**. +3. Navigate to **Remote Server Administration Tools → Feature Administration Tools** and select **Group Policy Management Tools**. +4. Click **Install**. + +## To install GPMC on Windows 8 + +1. [Download](http://www.microsoft.com/en-us/download/details.aspx?id=28972) and install Remote Server Administration Tools that include Group Policy Management Console. +2. Navigate to **Start → Control Panel → Programs and Features → Turn Windows features on or off**. +3. Navigate to **Remote Server Administration Tools → Feature Administration Tools** and select **Group Policy Management Tools**. + +## To install GPMC on Windows 8.1 + +1. [Download](http://www.microsoft.com/en-us/download/details.aspx?id=39296) and install Remote Server Administration Tools that include Group Policy Management Console. +2. Navigate to **Start → Control Panel → Programs and Features → Turn Windows features on or off**. +3. Navigate to **Remote Server Administration Tools → Feature Administration Tools** and select **Group Policy Management Tools**. + +## To install GPMC on Windows 10 + +1. Open or search for **Settings**. +2. Go to **Manage optional features** and click **Add a feature**. +3. Select and install the specific Remote Server Administration Tools needed. +4. To see installation progress, click the **Back** button and view the status on the **Manage optional features** page. diff --git a/docs/kb/auditor/how-to-install-individual-features-for-netwrix-auditor.md b/docs/kb/auditor/how-to-install-individual-features-for-netwrix-auditor.md new file mode 100644 index 0000000000..69cbc0ddae 
--- /dev/null +++ b/docs/kb/auditor/how-to-install-individual-features-for-netwrix-auditor.md @@ -0,0 +1,38 @@ +--- +description: >- + Instructions to install individual features from the Netwrix Auditor installer + by extracting and running the feature MSI files from the temporary unpack + directory. +keywords: + - Netwrix Auditor + - install features + - MSI + - '%temp%' + - RarSFX0 + - Modules + - installation wizard + - adcrfull + - fscrfull +products: + - auditor +sidebar_label: How to install individual features for Netwrix Aud +tags: [] +title: "How to install individual features for Netwrix Auditor" +knowledge_article_id: kA00g000000H9VtCAK +--- + +# How to install individual features for Netwrix Auditor + +When you run the **Netwrix Auditor** installation wizard, you can check the Windows temporary files directory to install separate features. + +## Steps + +1. Open the **Netwrix Auditor** installation executable. +2. When it asks if you want to **Unpack**, click **Yes**. +3. Leave the main installation wizard window open. +4. Go to the ` %temp% ` folder or the local temp directory for the currently logged in user. +5. Open the folder named `RarSFX0`. +6. Open the **Modules** folder. +7. Here you will find setup msi files for each of the features (adcrfull, fscrfull, iutfull, etc). +8. Run the specific MSI for the feature you need to install. +9. After you have installed the feature(s) you want, you can close the **Netwrix Auditor** installation wizard. diff --git a/docs/kb/auditor/how-to-investigate-compression-services-errors.md b/docs/kb/auditor/how-to-investigate-compression-services-errors.md new file mode 100644 index 0000000000..cbfceb6d56 --- /dev/null +++ b/docs/kb/auditor/how-to-investigate-compression-services-errors.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Describes how to troubleshoot compression service errors such as "Compression + service is unavailable" and "Unable to update the Compression Service" in the + Netwrix Auditor health log. +keywords: + - compression service + - Netwrix Auditor + - health log + - troubleshooting + - data collection + - ports + - Remote Registry + - WMI +products: + - auditor +sidebar_label: How to Investigate Compression Services Errors +tags: [] +title: "How to Investigate Compression Services Errors" +knowledge_article_id: kA04u000000TsqpCAC +--- + +# How to Investigate Compression Services Errors + +## Overview + +In the Netwrix Auditor health log, some error events mention issues with the compression service or its connectivity, such as **Compression service is unavailable** and **Unable to update the Compression Service**. This article describes how to troubleshoot these errors. + +## Description + +1. If you recently migrated Netwrix Auditor to a new server, check that the old Netwrix instance doesn't have access to your environment. Navigate to the old Netwrix server and stop all Netwrix Auditor services. +2. Log in to the Netwrix server with **Data Collection Account** credentials (monitoring plan – settings – data collection) and check that you can open this path via File Explorer: + - `\*audited_server*\c$\Windows\` + + Check if you can add or remove files from this folder. If not, check the permissions for the Data Collection account: + + - MonitoringPlans – Data Collecting Account ⸱ v10.6 (opens in a new window) + + **Note:** Pay attention to which collector you're going to adjust permissions. +3. Test the ports required for the problematic monitoring plan: + - Requirements – Protocols and Ports ⸱ v10.6 (choose the problematic monitoring plan on the left). 
+ + Here is an article on how to check ports: + + - [How to check TCP, UDP and Dynamic ports required for Netwrix Auditor monitoring plans](/docs/kb/auditor/check-tcp-and-udp-ports-required.md) (opens in a new window) +4. Check Remote Registry and Windows Management Instrumentation Services: + - For File Servers Auditing: Windows File Servers – Enable Remote Registry Service ⸱ v10.6 (opens in a new window) + - For Windows Server Auditing: Windows Server – Enable Remote Registry and Windows Management Instrumentation Services ⸱ v10.6 (opens in a new window) +5. Add antivirus exclusions on the Netwrix and target servers for folders: + - See the article on how to do it: [Antivirus Exclusions for Netwrix Auditor](/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md) (opens in a new window) diff --git a/docs/kb/auditor/how-to-manually-enable-advanced-sql-tracing.md b/docs/kb/auditor/how-to-manually-enable-advanced-sql-tracing.md new file mode 100644 index 0000000000..d3d22cbeee --- /dev/null +++ b/docs/kb/auditor/how-to-manually-enable-advanced-sql-tracing.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Instructions to manually enable advanced SQL tracing by deploying the sqlcr + stored procedures to the audited SQL Server using SQL Server Management Studio + (SSMS). +keywords: + - advanced SQL tracing + - sqlcr + - SQL Server + - Netwrix Auditor + - SSMS + - sql tracing + - stored procedures + - auditing +products: + - auditor +sidebar_label: How to manually enable advanced SQL tracing +tags: [] +title: "How to manually enable advanced SQL tracing" +knowledge_article_id: kA04u0000000HFBCA2 +--- + +# How to manually enable advanced SQL tracing + +To manually enable advanced SQL tracing, follow these simple steps: + +1. On the Netwrix Auditor host, navigate to `C:\Program Files(x86)\Netwrix Auditor\SQL Server Auditing` +2. Find the file `sqlcr_audit_db.sql` +3. The set of files here, starting with `sqlcr_` are tied to the monitoring plan configuration. + - Follow the table below to determine which files are needed and then continue with the steps. +4. Copy this file to the SQL Server host +5. Launch **SQL Server Management Studio (SSMS)** and connect to the audited SQL Server +6. Drag and drop the `sqlcr_audit_db.sql` file into the open blue space right of the **Object Explorer** window +7. After the text from the stored procedure appears, click the **Execute** button on the tool bar at the top of the screen. + +| Auditing Configuration Changes | `sqlcr_audit_db.sql` | +|---|---| +| Failed SQL and Windows logons | `sqlcr_sp_logon_failed.sql` | +| Successful SQL logons | `sqlcr_sp_logon_success.sql` | +| *If all logon boxes are checked* | `sqlcr_sp_logon_success_failed.sql` | +| | | diff --git a/docs/kb/auditor/how-to-manually-remove-compression-services-from-audited-servers.md b/docs/kb/auditor/how-to-manually-remove-compression-services-from-audited-servers.md new file mode 100644 index 0000000000..aa0c0ffbe4 --- /dev/null +++ b/docs/kb/auditor/how-to-manually-remove-compression-services-from-audited-servers.md 
@@ -0,0 +1,100 @@ +--- +description: >- + Shows how to manually remove compression services from previously audited + servers after you change the auditing scope for Windows Server Auditing or + User Activity Auditing in Netwrix Auditor. +keywords: + - compression + - compression service + - remove + - Netwrix Auditor + - Windows Server Auditing + - User Activity Auditing + - PsExec + - PowerShell +products: + - auditor +sidebar_label: How to Manually Remove Compression Services from A +tags: [] +title: "How to Manually Remove Compression Services from Audited Servers" +knowledge_article_id: kA04u0000000HepCAE +--- + +# How to Manually Remove Compression Services from Audited Servers + +## Question + +I've changed the auditing scope for Windows Servers Auditing or User Activity Auditing monitoring plans. How to manually delete compression services from previously audited servers? + +## Answer + +### Prerequisites + +Refer to the following list for prerequisites: + +- Access to your domain contoller. All further activities should be done on a domain controller. +- Access to PowerShell. +- Access to a file share accessible from all servers. +- PsExec tool. Download the PsExec tool in PsExec ⸱ Microsoft 🛈: https://learn.microsoft.com/en-us/sysinternals/downloads/psexec + +### Generate a list of affected servers + +You can manually create the list, however, it is recommended to execute the following PowerShell command to create it: + +```powershell +Get-ADComputer -Filter * -SearchBase "DIstinguishedName of an OU with affected servers" | Select -Expand Name | Out-File -filepath %PATH TO FILESHARE%\serverlist.txt +``` + +Do make sure to replace `*PATH TO FILESHARE*` with a relevant path. 
+ +### Add Compression Service installation files to your file share + +For Windows Server Auditing: + +```text +C:\Program Files (x86)\Netwrix Auditor\Windows Server Auditing\Netwrix.WSA.CompressionService.Setup.msi +``` + +For User Activity Auditing: + +```text +C:\Program Files (x86)\Netwrix Auditor\User Activity Video Recording\UACoreSvcSetup.msi +``` + +### Create a text file + +Depending on Compression Service, add the following lines to the file: + +For Windows Server Auditing: + +```text +msiexec /i "%PATH TO FILESHARE%\Netwrix.WSA.CompressionService.Setup.msi" /quiet +msiexec /x "%PATH TO FILESHARE%\Netwrix.WSA.CompressionService.Setup.msi" /quiet +``` + +For User Activity Auditing: + +```text +msiexec /i "%PATH TO FILESHARE%\UACoreSvcSetup.msi" /quiet +msiexec /x %PATH TO FILESHARE%\UACoreSvcSetup.msi" /quiet +``` + +Name the file `"remove"` and add the `".bat"` extension to have the file named `remove.bat`. + +### Execute the command via PowerShell + +Open Powershell in the PSexec installation folder and execute the following command: + +```text +./psexec64.exe \@"*PATH TO FILESHARE*\serverlist.txt" -s "*%PATH TO FILESHARE%\remove.bat" +``` + +Do make sure to replace `*PATH TO FILESHARE*` with a relevant path. + +If you'd like to remove Compression Service from a single server, replace `@"*PATH TO FILESHARE*\serverlist.txt"` with `\Servername`. Refer to the following screenshot for the output reference: + +![Output reference](images/ka04u00000116iG_0EM4u000004bz9T.png) + +The script calls upon the functions in the msi to upgrade the Compression Service to the version of .msi installer and then to remove said Compression Service, since it only can execute remove command on a Compression Service of the same version. + +> NOTE: If the script reads only the first symbol of the serverlist.txt file, you will need to use Notepad++ or any similar tool to change the file encoding to ANSI. 
diff --git a/docs/kb/auditor/how-to-manually-remove-the-help-desk-portal.md b/docs/kb/auditor/how-to-manually-remove-the-help-desk-portal.md new file mode 100644 index 0000000000..c9ace959f5 --- /dev/null +++ b/docs/kb/auditor/how-to-manually-remove-the-help-desk-portal.md @@ -0,0 +1,34 @@ +--- +description: >- + Shows how to manually remove the Help-Desk Portal installed by NetWrix Account + Lockout Examiner when uninstall via Programs and Features fails. +keywords: + - help-desk portal + - uninstall + - NetWrix Account Lockout Examiner + - ALE + - IIS + - Windows Installer + - registry + - Wow6432Node +products: + - auditor +sidebar_label: How to manually remove the Help-Desk Portal +tags: [] +title: "How to manually remove the Help-Desk Portal" +knowledge_article_id: kA00g000000H9TWCA0 +--- + +# How to manually remove the Help-Desk Portal + +I failed to uninstall NetWrix Account Lockout Examiner Help-Desk Portal via **Programs and Features**. Is it possible to remove the portal manually? + +--- + +Yes, for manual uninstallation, do the following. + +1. Delete the **Web** folder from the NetWrix Account Lockout Examiner installation directory. +2. Delete all files from `C:WindowsInstaller` (it contains temp files only) +3. Delete the **NetWrix** folder from the **Temp** folder of the user under whose credentials the Help-Desk Portal was installed. +4. Remove the corresponding node from `HKLMSoftware{Wow3264Node}MicrosoftWindowsCurrentVersionUninstall` (Wow6432Node only for x64 OS). +5. Delete the **ALE** virtual directory from the IIS manager. diff --git a/docs/kb/auditor/how-to-migrate-account-lockout-examiner.md b/docs/kb/auditor/how-to-migrate-account-lockout-examiner.md new file mode 100644 index 0000000000..405e94d89e --- /dev/null +++ b/docs/kb/auditor/how-to-migrate-account-lockout-examiner.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Shows how to migrate NetWrix Account Lockout Examiner to a different server by + installing the product on the new host, stopping services, copying + configuration files, and installing the Web Help-Desk Portal if required. +keywords: + - Account Lockout Examiner + - migration + - server migration + - NetWrix + - alinfo.xml + - settings.xml + - notifylist.txt + - Web Help-Desk Portal +products: + - auditor +sidebar_label: How to migrate Account Lockout Examiner +tags: [] +title: "How to migrate Account Lockout Examiner" +knowledge_article_id: kA00g000000H9TgCAK +--- + +# How to migrate Account Lockout Examiner + +How do I migrate NetWrix Account Lockout Examiner to a different server? + +## Procedure + +To migrate NetWrix Account Lockout Examiner to a different server, perform the following steps: + +1. Install NetWrix Account Lockout Examiner on a new server. +2. Stop the product service on a new server +3. Stop the NetWrix Account Lockout Examiner service on the old server +4. Copy the following files from the old NetWrix Account Lockout Examiner installation directory to the same location on the new server: + +- `alinfo.xml` +- `inv_logon.xml` +- `settings.xml` +- `sessions.xml` +- `notification_template.txt` (if you use non-default notification template) +- `notifylist.txt` (if you use granularity for notifications) + +5. Start the NetWrix Account Lockout Examiner service on the new server. +6. If you are using the NetWrix Account Lockout Examiner Web Help-Desk Portal, install it on the new server. + +![User-added image](images/ka04u000000HcNT_0EM700000004wyK.png) diff --git a/docs/kb/auditor/how-to-migrate-netwrix-auditor-databases-to-another-sql-server-instance.md b/docs/kb/auditor/how-to-migrate-netwrix-auditor-databases-to-another-sql-server-instance.md new file mode 100644 index 0000000000..4ac4ba5ad7 --- /dev/null +++ b/docs/kb/auditor/how-to-migrate-netwrix-auditor-databases-to-another-sql-server-instance.md 
@@ -0,0 +1,71 @@ +--- +description: >- + Shows how to migrate Netwrix Auditor databases to another Microsoft SQL Server + instance, including prerequisites and step-by-step instructions for backing + up, restoring, and reconfiguring reporting services. +keywords: + - Netwrix Auditor + - SQL Server + - SSRS + - migrate databases + - restore + - ReportServer + - audit database + - backup + - Reporting Services +products: + - auditor +sidebar_label: How to Migrate Netwrix Auditor Databases to Anothe +tags: [] +title: "How to Migrate Netwrix Auditor Databases to Another SQL Server Instance" +knowledge_article_id: kA00g000000Pbd8CAC +--- + +# How to Migrate Netwrix Auditor Databases to Another SQL Server Instance + +## Question + +Can you migrate audit databases to another Microsoft SQL Server instance? + +## Answer + +Yes, you are able to migrate audit databases to another Microsoft SQL Server instance. Follow the steps below to complete this process. + +### Prerequisites + +- Required Permissions: The account used by Netwrix Auditor must have **db_owner** rights on the target audit databases. For SQL Server Reporting Services (SSRS), the account must have the **Content Manager** role on the Home folder, and users must have the **Browser** role on the Report Server. For detailed steps on assigning these permissions, see Requirements – SQL Server Reporting Services · v10.7: /docs/auditor/10.7/auditor/requirements +- SQL Server and SSRS must be installed and configured on the new server. + +### Instructions + +1. Configure a new SQL Server instance. +2. On the Netwrix Auditor server, stop `Netwrix Auditor Archive Service` and `Netwrix Auditor Management Service`. +3. Back up all Netwrix databases in the old SQL Server instance except for **Netwrix_CommonDB**, **Netwrix_ImportDB**, **Netwrix_Auditor_EventLog**, **ReportServer**, and **ReportServerTempDB**. To back up databases: + 1. 
Open **Microsoft SQL Server Management Studio** and connect to the original SQL Server instance. + 2. Select an **audit database**, right-click it, and select **Tasks** > **Back Up...** + 3. In the **Back Up Database** window, review the path where the database backup will be stored in the **Destination** section. +4. Copy the database backups to your new SQL Server. In the new **SQL Server** instance: + 1. Open **Microsoft SQL Server Management Studio** and connect to the destination SQL Server instance. + 2. Right-click the **Databases** node and select **Restore Database...** + 3. Under the **Source** section, select the **Device** option, and click **...** to browse for databases. + 4. In the **Specify Backup Devices** window, click **Add** and select the backup database file. Click **OK**. + 5. Specify the database name and check the **Restore** checkbox under the **Backup sets to restore** section. +5. Deploy the new Report Database. For more information, see Deploying the Report Server Database: /docs/kb/auditor/deploying_the_report_server_database +6. Stop the old **SQL Server (%instance_name%)** service. +7. Start `Netwrix Auditor Archive Service` and `Netwrix Auditor Management Service`. +8. In the main Netwrix Auditor menu, select **Settings** > **Audit Database** tab, and specify the new SQL Server and Reporting Service settings. + +> **NOTE:** If you receive the following pop-up message, click **Yes** to proceed with modifying the Audit Database settings: +> ![Audit Database modification prompt](images/servlet_image_3823966b1661.png) + +9. Click **Yes** when the following message appears: + ![Confirmation dialog: Data will become unavailable until the new database is configured](images/servlet_image_3823966b1661.png) +10. In the main Netwrix Auditor menu, select **Settings** > **Investigations** tab. Click **Modify** to specify the new SQL Server settings. +11. Run a search with the filter **When | Equals | Last 7 days**. 
If you see the relevant data, the databases were migrated successfully and the new SQL Server is being used. +12. **Optional:** Start the old SQL Server instance if it is used for any other tasks. + +## Related Links + +- Requirements – SQL Server Reporting Services · v10.7: /docs/auditor/10.7/auditor/requirements +- How to Prepare the Netwrix Server for a SQL Upgrade: /docs/kb/auditor/how_to_prepare_the_netwrix_server_for_a_sql_upgrade +- Deploying the Report Server Database: /docs/kb/auditor/deploying_the_report_server_database diff --git a/docs/kb/auditor/how-to-migrate-netwrix-auditor-working-folder-to-a-new-location.md b/docs/kb/auditor/how-to-migrate-netwrix-auditor-working-folder-to-a-new-location.md new file mode 100644 index 0000000000..4f3f5ca5fa --- /dev/null +++ b/docs/kb/auditor/how-to-migrate-netwrix-auditor-working-folder-to-a-new-location.md 
@@ -0,0 +1,100 @@ +--- +description: >- + Shows how to move the Netwrix Auditor Working Folder to a new local location + and covers planning, migration steps, and post-migration actions for + successful and failed migrations. +keywords: + - Working Folder + - migration + - Netwrix Auditor + - WorkingFolderMigration.exe + - Long-Term Archive + - Health Status + - '%ProgramData%' + - local folder +products: + - auditor +sidebar_label: How to Migrate Netwrix Auditor Working Folder to a +tags: [] +title: "How to Migrate Netwrix Auditor Working Folder to a New Location" +knowledge_article_id: kA00g000000PcOLCA0 +--- + +# How to Migrate Netwrix Auditor Working Folder to a New Location + +## Question + +How to move the Netwrix Auditor Working Folder to a new location? + +## Answer + +The size of your Working Folder may grow significantly (up to 1 TB) depending on the workload, especially during activity peaks. If your system drive capacity is limited, you might want to keep the temporary files and trace logs on another drive, i.e. change the Working Folder default location. + +> **NOTE:** Netwrix Auditor has two file storages used for different purposes: +> +> - Long-Term Archive, a repository of collected audit data stored in proprietary Netwrix format (activity records). Audit data is kept in the Long-Term Archive for 10 years as per default settings. The default Long-Term Archive location is ` %ProgramData%\Netwrix Auditor\Data`. For more information on setting Long-Term Archive up, refer to the following article: Netwrix Auditor Settings – Long-Term Archive · v10.6. +> +> If you would like to move Long-Term Archive to another location, refer to the following article: [How to Move Long-Term Archive to a New location](/docs/kb/auditor/how-to-move-long-term-archive-to-a-new-location). +> +> - Working Folder, a repository for Netwrix Auditor to store operational information (configuration files for product components, log files, and other data). 
To ensure the audit trail continuity, Netwrix Auditor also caches some audit data locally in the Working Folder prior to placing it to the Long-Term Archive or any audit database. Audit data is kept in the Working Folder for a shorter period of up to several weeks. The default Working Folder location is ` %ProgramData%\Netwrix Auditor\`. + +### Planning and preparation + +1. To track your current Working Folder capacity and estimate the disk space you will need on the new target drive, use the **Working Folder** widget of the Health Status dashboard. Refer to the following articles for additional information: Netwrix Auditor Operations and Health − Health Status Dashboard · v10.6 and [How to Check the Netwrix Auditor Health Status](/docs/kb/auditor/how-to-check-the-netwrix-auditor-health-status.md). +2. The Working Folder can be stored only locally on the Netwrix server — prepare a local folder for the migration process. Make sure the target folder location differs from the Long-Term Archive location. + + > **NOTE:** Network shares are not supported. +3. To run the `WorkingFolderMigration.exe` utility, the current account must be a member of the local **Administrators** group. + +### Working Folder migration procedure + +1. Navigate to ` %Netwrix Auditor installation folder%\Audit Intelligence` and launch the `WorkingFolderMigration.exe` utility. +2. Specify the target folder in the **Specify new destination** field. + + ![User-added image](images/ka0Qk0000002slt_0EM0g000002BkO9.png) + + > **IMPORTANT:** Network shares are not supported − make sure the new Working Folder destination is a local folder. +3. Click **Migrate**. All temporary data from ` %ProgramData%\Netwrix Auditor\` will be copied to the specified target folder. +4. Wait for the migration process to complete. 
Your final screen should look like the following screenshot in case the migration process was completed correctly: + + ![wf_migration.png](images/ka0Qk0000002slt_0EM4u000007chgj.png) + +If the migration process was completed successfully, proceed to steps described in **Scenario A**. + +In case any error occurs during the migration process, the Working Folder contents will remain in the original location. The final screen might look like the following screenshot: + +![User-added image](images/ka0Qk0000002slt_0EM0g000002BkNM.png) + +In case the migration process was not completed successfully, follow the steps described in **Scenario B**. + +### Post-migration actions − Scenario A + +If migration was completed successfully, refer to the following steps: + +1. Take 1 to 2 days to verify the new configuration — make sure there are no related errors in the Netwrix Auditor Health log. +2. Once you have verified the proper operation, open the source location (original Working Folder) to remove old trace logs. Locate the following folders: + - ` %ProgramData%\Netwrix Auditor\Logs\Archive` + - ` %ProgramData%\Netwrix Auditor\AuditCore\Logs` + - ` %ProgramData%\Netwrix Auditor\ShortTerm` + - ` %ProgramData%\Netwrix Auditor\SyslogCollection` + - ` %ProgramData%\Netwrix Auditor\FileStorageAuditor` +3. Make a backup copy of the contents, then remove these folders + +> **NOTE:** The ` %ProgramData%\Netwrix Auditor\AuditCore` folder data other than trace logs usually does not occupy much space. If you do have to have this folder cleared, it is recommended to double-check and back up the contents before the cleanup. + +### Post-migration actions − Scenario B + +If migration was completed with any errors, refer to the following steps: + +1. **In the source location** − Keep all source files as is in the source location (original Working Folder). Do not delete them from the source folder. Netwrix Auditor will continue working using the original folder files. 
+ + > **IMPORTANT:** Netwrix Auditor configuration changes only after a successful migration. Otherwise, if any error occurs, the configuration remains the same with the original Working Folder path preserved. Keep all files in the original location for Netwrix Auditor to be able to use that folder. +2. **In the target location** − As the Netwrix Auditor configuration does not change in case of unsuccessful migration, you can safely remove the files found in the target location. After that you can run the migration utility once again. In case errors still occur during the migration process, contact Netwrix Technical Support: [Open a Ticket · Netwrix 🧭](https://www.netwrix.com/tickets.html#/open-a-ticket) + +## Related articles and links + +- Netwrix Auditor Settings – Long-Term Archive · v10.6 +- [How to Move Long-Term Archive to a New location](/docs/kb/auditor/how-to-move-long-term-archive-to-a-new-location) +- Netwrix Auditor Operations and Health − Health Status Dashboard · v10.6 +- [How to Check the Netwrix Auditor Health Status](/docs/kb/auditor/how-to-check-the-netwrix-auditor-health-status.md) +- [Open a Ticket · Netwrix 🧭](https://www.netwrix.com/tickets.html#/open-a-ticket) diff --git a/docs/kb/auditor/how-to-migrate-netwrix-inactive-users-tracker-to-other-servers.md b/docs/kb/auditor/how-to-migrate-netwrix-inactive-users-tracker-to-other-servers.md new file mode 100644 index 0000000000..0328f982a7 --- /dev/null +++ b/docs/kb/auditor/how-to-migrate-netwrix-inactive-users-tracker-to-other-servers.md 
@@ -0,0 +1,36 @@ +--- +description: >- + Shows how to migrate the Inactive Users Tracker component when you install + Netwrix Auditor on another server, including copying the program data and + reapplying the license. +keywords: + - Inactive Users Tracker + - migration + - Netwrix Auditor + - ProgramData + - server migration + - copy files + - license + - Inactive Users Tracker folder +products: + - auditor +sidebar_label: How to migrate Netwrix Inactive Users Tracker to o +tags: [] +title: "How to migrate Netwrix Inactive Users Tracker to other servers" +knowledge_article_id: kA00g000000H9TjCAK +--- + +# How to migrate Netwrix Inactive Users Tracker to other servers + +How do I migrate Netwrix Inactive Users Tracker to other servers? + +On Netwrix Auditor Versions 9.0 and Newer, Inactive Users Tracker is installed alongside the Netwrix Auditor installation. + +1. Install Netwrix Auditor on a new server. +2. Copy the following files to the same location on the new server: + - Contents of `C:\ProgramData\Netwrix Auditor\Inactive Users Tracker` + - Screenshot all four tabs of the Inactive Users Tracker interface for configuration + ![User-added image](images/ka04u000000HcNW_0EM4u000002QzDA.png) +3. Paste the contents of original `C:\ProgramData\Netwrix Auditor\Inactive Users Tracker` folder to the `C:\ProgramData\Netwrix Auditor\Inactive Users Tracker` folder on the new server +4. Reconfigure Inactive Users Tracker using the screenshots you captured +5. Apply your Netwrix Auditor License to the new instance of Netwrix Auditor. diff --git a/docs/kb/auditor/how-to-modify-index-processing-mode.md b/docs/kb/auditor/how-to-modify-index-processing-mode.md new file mode 100644 index 0000000000..e94b4504fb --- /dev/null +++ b/docs/kb/auditor/how-to-modify-index-processing-mode.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Shows how to change the Index Processing Mode by running the cleaner and + re-collecting the index from the administration web console. Follow the + Initial Product Configuration wizard to select No Index, Keyword, or Compound + Term processing modes. +keywords: + - index processing + - re-collect index + - index maintenance + - processing mode + - Run Cleaner + - Initial Product Configuration + - No Index + - Keyword + - Compound Term +products: + - auditor + - data-classification +visibility: public +sidebar_label: How to modify Index Processing Mode +tags: [] +title: "How to modify Index Processing Mode" +knowledge_article_id: kA00g000000PbceCAC +--- + +# How to modify Index Processing Mode + +1. In the administration web console, navigate to **Config** -> **Settings** -> **Core**. + +![](https://kb.netwrix.com/wp-content/uploads/2020/03/NDC_Processing_1.png) + +2. Click the **Run Cleaner** button in the right corner. +3. In the **Index Maintenance** dialog, select **Re-Collect Index**. +4. On the **Would you like to re-run the product configuration wizard?** step, select **Run** and click **Next**. +5. On the **Summary** step, click **Next**. +6. Click **Yes** in the confirmation dialog that appears. +7. Wait until all actions complete. +8. Once completed, the **Initial Product Configuration** wizard appears. +9. On the **Instance** step, select the instance that you want to proceed with. +10. Click **Next**. +11. On the **Processing Settings** step, select the desirable Index Processing mode: **No Index**, **Keyword**, or **Compound Term**. + +![](https://kb.netwrix.com/wp-content/uploads/2020/03/NDC_Processing_2.png) diff --git a/docs/kb/auditor/how-to-modify-ssrs-report-timeouts.md b/docs/kb/auditor/how-to-modify-ssrs-report-timeouts.md new file mode 100644 index 0000000000..b72bf4ddc9 --- /dev/null +++ b/docs/kb/auditor/how-to-modify-ssrs-report-timeouts.md 
@@ -0,0 +1,74 @@ +--- +description: >- + How to modify SSRS report timeouts for Netwrix Auditor, including per-report + and global execution timeouts, httpRuntime executionTimeout, and + RSReportServer.config DatabaseQueryTimeout. +keywords: + - SSRS + - report timeout + - executionTimeout + - web.config + - RSReportServer.config + - DatabaseQueryTimeout + - Netwrix Auditor + - Report Manager + - Reporting Services +products: + - auditor +sidebar_label: How to modify SSRS report timeouts +tags: [] +title: "How to modify SSRS report timeouts" +knowledge_article_id: kA04u0000000GyPCAU +--- + +# How to modify SSRS report timeouts + +There's a chance one or more Netwrix Auditor reports take a while to load. It's also possible some reports timeout during generation. To prevent timeout for larger reports, follow one of the options below: + +## Report Execution Timeout + +You can set reports to never timeout by selecting the **Do not timeout report execution** option. At default configuration, reports will timeout at `1800` seconds. To remove the timeout, navigate to your **Report Manager URL**, which can be found under **Netwrix Auditor settings > Audit Database** tab. + +Once the Report Manager page opens you can choose to remove the timeout per report or globally. + +### Per Report + +1. Navigate through the Netwrix Auditor report folder until you find the desired report +2. Click the three dot menu and choose the **manage** option +3. Click the **processing options** tab and choose the **report timeout** option. +4. Select the option to remove report timeout + - **Note: If your Netwrix Auditor report folder is deleted or re-deployed, ensure you perform these steps again on the specific reports** + +### Global Timeout + +1. Click on the **Site Settings** in the top right of the Report Manager page +2. 
Choose the **General** tab and select the report timeout option **Do not timeout report** + +## HTTP Timeout + +You may also choose to set the httpruntime to run larger reports. To do this, you must alter the value of the attribute `executionTimeout` of the tag `httpRuntime`. The default value is `9000` seconds. + +Here is a clip from configuration: + +```xml + + + +``` + +To find this file, navigate to the SSRS `web.config` file. By default, this is located at `C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer` + +Find the **HttpRuntime** parameter (as seen in the example above) and change the value. Removing the parameter entirely is unfortunately not possible, however you can set an insanely high value to this parameter, for example `2147483647` (2^31-1), which is equal to around 25000 days. + +**NOTE**: It's possible that this parameter doesn't exist in your `web.config` file, in this case it would use the default value of `9000`. Simply create the entry using the example above. + +## DatabaseQueryTimeout + +The **DatabaseQueryTimeout** value can be altered by editing the **RSReportServer.config**. This file is located at + +`C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer` + +The default value is `120` seconds. + +For additional SSRS timeout configurations, please refer to this Microsoft article: +https://social.technet.microsoft.com/wiki/contents/articles/23508.sql-server-reporting-services-troubleshooting-timeout-settings.aspx diff --git a/docs/kb/auditor/how-to-modify-the-account-lockout-examiner-service-account.md b/docs/kb/auditor/how-to-modify-the-account-lockout-examiner-service-account.md new file mode 100644 index 0000000000..12454e9bad --- /dev/null +++ b/docs/kb/auditor/how-to-modify-the-account-lockout-examiner-service-account.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Shows how to change the service account used by the Netwrix Account Lockout + Examiner service after installation. +keywords: + - account lockout + - service account + - Services snap-in + - Netwrix + - Account Lockout Examiner + - restart service +products: + - auditor +sidebar_label: How to modify the Account Lockout Examiner service +tags: [] +title: "How to modify the Account Lockout Examiner service account" +knowledge_article_id: kA00g000000H9UhCAK +--- + +# How to modify the Account Lockout Examiner service account + +I am asked to specify an account during installation of Netwrix Account Lockout Examiner. How to change it once it is installed? + +The Netwrix Account Lockout Examiner service account you entered during installation is used to run the Netwrix Account Lockout Examiner service. To change it, perform the following steps: + +## Resolution + +1. Go to **Services** snap-in - **Start** - **Administrative Tools** - **Services**. +2. Locate **Netwrix Account Lockout Examiner**, right click it and select **Properties**. +3. Click the **Log On** tab. +4. Change the account, click **OK**. +5. Restart the **Account Lockout Examiner** service. + +![User-added](images/servlet_image_3823966b1661.png) diff --git a/docs/kb/auditor/how-to-modify-the-activity-summary-delivery-schedule.md b/docs/kb/auditor/how-to-modify-the-activity-summary-delivery-schedule.md new file mode 100644 index 0000000000..3dec904ff7 --- /dev/null +++ b/docs/kb/auditor/how-to-modify-the-activity-summary-delivery-schedule.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Shows how to modify the Activity Summary delivery schedule in Netwrix Auditor, + and explains considerations when increasing delivery frequency for plans with + State in Time enabled. +keywords: + - Activity Summary + - delivery schedule + - Monitoring Plans + - Notifications Tab + - State in Time + - Netwrix Auditor + - delivery frequency +products: + - auditor +sidebar_label: How to modify the Activity Summary delivery schedu +tags: [] +title: "How to modify the Activity Summary delivery schedule" +knowledge_article_id: kA00g000000PbdJCAS +--- + +# How to modify the Activity Summary delivery schedule + +How do I modify the Change Summary delivery schedule? + +--- + +To modify the Activity Summary delivery schedule, perform the following: + +1. In **Netwrix Auditor** navigate to **Monitoring Plans** and double click the desired plan +2. Click **Edit Settings** +3. Choose to **Notifications Tab** +4. Here, you can change the delivery time and frequency of delivery, up to every hour. + +**NOTE:** Increasing delivery frequency on a plan with State in Time enabled will require you to consider the following: + +- State in Time collection is tied to delivery frequency +- Collecting State in Time more than once a day could potentially affect performance of target systems and the Netwrix Auditor server. +- Storage consumption on the Netwrix Auditor server will increase significantly diff --git a/docs/kb/auditor/how-to-modify-the-recipient-list-for-activity-summary-reports.md b/docs/kb/auditor/how-to-modify-the-recipient-list-for-activity-summary-reports.md new file mode 100644 index 0000000000..cb1ce1beab --- /dev/null +++ b/docs/kb/auditor/how-to-modify-the-recipient-list-for-activity-summary-reports.md 
@@ -0,0 +1,35 @@ +--- +description: >- + Learn how to modify the recipient list for Activity Summary and Change Summary + reports in Netwrix Auditor. This article explains how to add or remove + recipients for a Monitoring Plan's notifications. +keywords: + - Activity Summary + - recipient list + - Monitoring Plan + - notifications + - Netwrix Auditor + - email recipients + - Change Summary + - reports +products: + - auditor +sidebar_label: How to modify the recipient list for Activity Summ +tags: [] +title: "How to modify the recipient list for Activity Summary reports?" +knowledge_article_id: kA00g000000Pbd6CAC +--- + +# How to modify the recipient list for Activity Summary reports? + +To change the recipients for Change Summary reports, please do following: + +## Procedure + +1. Open Netwrix Auditor +2. Navigate to **Monitoring Plans** +3. Double-click the Monitoring Plan for which you wish to change recipients +4. Click **Edit Settings** +5. Click the **Notifications Tab** +6. Choose **Add Recipient** and enter any new recipients +7. Click the `x` next to their email to remove them from the list diff --git a/docs/kb/auditor/how-to-monitor-print-service-activity.md b/docs/kb/auditor/how-to-monitor-print-service-activity.md new file mode 100644 index 0000000000..11ec43c3d1 --- /dev/null +++ b/docs/kb/auditor/how-to-monitor-print-service-activity.md 
@@ -0,0 +1,92 @@ +--- +description: >- + Shows how to enable Windows Print Service event logging, create an inclusive + filter in Netwrix Auditor Event Log Manager, and configure an RDL report to + view print usage statistics. +keywords: + - print service + - printer usage + - Event Viewer + - Netwrix Auditor + - Event Log Manager + - RDL report + - printing events + - Event ID 307 +products: + - auditor +sidebar_label: How to Monitor Print Service Activity +tags: [] +title: "How to Monitor Print Service Activity" +knowledge_article_id: kA04u000000HDkpCAG +--- + +# How to Monitor Print Service Activity + +## Question +How to track print usage statistics for a network printer? + +## Answer +You can enable the print event logging by following the steps below: + +1. Enable logging for the print service of the print server — open **Event Viewer** > **Applications and Services Logs** > **Microsoft** > **Windows** > **PrintService**. +2. Right-click the **Operational** item to select **Properties**. + + ![1.png](images/ka04u000000HdPU_0EM4u0000084ozs.png) + +3. Check the **Enable logging** checkbox — print service events will now be logged. Click **OK** to save changes. + + ![2.png](images/ka04u000000HdPU_0EM4u0000084ozx.png) + +Create an inclusive filter in Netwrix Auditor Event Log Manager: + +1. Create a new monitoring plan by clicking **Add** or select the preexisting monitoring plan and click **Edit**. +2. Click the **Configure** button for Audit archiving filters. + + ![1.png](images/ka04u000000HdPU_0EM4u0000084p07.png) + +3. Click **Add** for Inclusive Filters. + + ![2.png](images/ka04u000000HdPU_0EM4u0000084p0C.png) + +4. Fill in the filter name and description with the **Event Log** field to contain the following line: + + ``` + Microsoft-Windows-PrintService/Operational + ``` + + Verify the location for the print server event logs via Event Viewer — the Log Name should correspond with the actual event logs location. 
+ + ![3.png](images/ka04u000000HdPU_0EM4u0000084p0D.png) + +5. You can specify Event IDs in the **Event Fields** tab to filter the events (e.g. Event ID 307 for **Printing a document**). Additionally you can filter the events via **Insertion Strings**, refer to the index numbers specified in event details (e.g. Param1 stands for Index 1 with "Job #" value). + +Download the **Printed Documents RDL.zip** archive provided below and extract the .rdl file: + +1. Open the Reports Server URL in your browser and navigate to the folder you'd like to upload the report to (e.g. **Home** > **Netwrix Auditor** > **Netwrix Auditor for Event Log** > **Change Reports**). +2. Click **Upload** to upload the report to the folder. + + ![1.png](images/ka04u000000HdPU_0EM4u0000084p0b.png) + +Configure the report to use the `Netwrix_Auditor_EventLog` database: + +1. Click the meatball **More info** menu of the Print Service report to select the **Manage** tab. +2. Select the **Data sources** tab to choose **Custom data source**. +3. Specify the Microsoft SQL Server connection type and enter the following connection string: + + ``` + Data Source=SQLINSTANCE;Initial Catalog=Netwrix_Auditor_EventLog;Application Name="Netwrix Auditor"; + ``` + + NOTE: `SQLINSTANCE` should be replaced with the name of your SQL Server instance. + + ![2.png](images/ka04u000000HdPU_0EM4u0000084p0l.png) + +4. Input your credentials, test the connection and save the changes. + + ![3.png](images/ka04u000000HdPU_0EM4u0000084p0q.png) + +5. The report is now available via the web interface of your Report Server. It will not appear under Reports in the Netwrix Auditor console. + + ![4.png](images/ka04u000000HdPU_0EM4u0000084p15.png) + +Printed Documents RDL: https://www.netwrix.com/download/Printed-Documents-RDL.zip diff --git a/docs/kb/auditor/how-to-move-long-term-archive-to-a-new-location.md b/docs/kb/auditor/how-to-move-long-term-archive-to-a-new-location.md new file mode 100644 index 0000000000..4daf596d93 
--- /dev/null +++ b/docs/kb/auditor/how-to-move-long-term-archive-to-a-new-location.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Step-by-step instructions to move the Netwrix Auditor long-term archive (LTA) + to a new location for versions 8.5 and newer, including service and task + handling and ActivityRecords migration guidance. +keywords: + - long-term archive + - LTA + - Netwrix Auditor + - migrate archive + - ActivityRecords + - archive path + - storage migration + - upgrade +products: + - auditor +sidebar_label: How to Move Long-Term Archive to a New Location +tags: [] +title: "How to Move Long-Term Archive to a New Location" +knowledge_article_id: kA00g000000H9SSCA0 +--- + +# How to Move Long-Term Archive to a New Location + +## Question + +How to move Long-Term Archive to a location different from the default one for Netwrix Auditor version 8.5 and newer? + +## Answer + +> **NOTE:** In case you've previously migrated your Netwrix Auditor Storages (Long-Term Archive and/or Short-Term Archive) manually or upgraded from Netwrix Auditor 8.0, contact [Netwrix Technical Support](https://www.netwrix.com/support.html) for assistance. + +For a clean installation of Netwrix Auditor 8.5 or newer, follow these steps: + +1. Stop all services except `Netwrix Auditor Configuration Service(NwCfgServerSvc)` and `Netwrix Auditor Core Service(NwCoreSvc)`. + - If any monitoring plan for **Netwrix Password Reset**, Inactive User Tracker, or Event Log Manager has ever been set up, disable the scheduled tasks for these applications of your Netwrix Auditor instance. To disable them: + - Navigate to **Start** > **All Programs** > **Task Scheduler** > **Task Scheduler Library** and locate the tasks named Netwrix Auditor with descriptions mentioning the Netwrix Password Reset, Inactive User Tracker, or Event Log Manager applications. + - Select these tasks (if any) and click **Disable** in the right pane. + + ![lta_mig_1.png](images/ka04u00000117ad_0EM4u000008LFeu.png) + +2. 
Copy all files from the old Long-Term-Archive folder into the new Long-Term-Archive folder except for the `ActivityRecords` folder. + + > **TIP:** While it is not recommended to store your Long-Term Archive on a system disk or in a remote location, it is still possible to set both options up. Refer to the following article for additional documentation on setting up remote Long-Term Archive: Auditor Settings – Long-Term Archive · v10.6. + +3. Copy the very last day folder from your `ActivityRecords` folder. + - Pay attention to the folder structure — if the very last day folder had the `C:\ProgramData\Netwrix Auditor\Data\ActivityRecords\1970\01\01\0000` path, it should be copied to `%New_LTA_Path%\ActivityRecords\1970\01\01\0000`. + +4. Start `Netwrix Auditor Management Service(NwManagementSvc)`. In the main Netwrix Auditor menu, navigate to **Settings** > **Long-Term Archive** and specify the new path. + +5. Start the other services and tasks you previously disabled. + +6. Copy the rest of the files from the old `ActivityRecords` folder to the new one. If you are prompted to overwrite any files, skip those files instead. diff --git a/docs/kb/auditor/how-to-move-netwrix-auditor-to-the-cloud.md b/docs/kb/auditor/how-to-move-netwrix-auditor-to-the-cloud.md new file mode 100644 index 0000000000..7be834d7d7 --- /dev/null +++ b/docs/kb/auditor/how-to-move-netwrix-auditor-to-the-cloud.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Step-by-step instructions to move an on-premises Netwrix Auditor installation + to a VM hosted by a cloud service provider, including preparation, migration, + licensing, and network considerations. +keywords: + - Netwrix Auditor + - migration + - cloud + - VM + - server migration + - ports + - license + - requirements +products: + - auditor +sidebar_label: How to Move Netwrix Auditor to the Cloud? +tags: [] +title: "How to Move Netwrix Auditor to the Cloud?" +knowledge_article_id: kA04u000001116lCAA +--- + +# How to Move Netwrix Auditor to the Cloud? + +## Question + +How to move an on-premises Netwrix Auditor installation to a VM running on a cloud service provider? + +## Answer + +Consider it to simply be an installation on another network. Netwrix recommends the following scenario: + +1. Spin up a new Windows Server VM in your cloud environment, provision it based on the Auditor Requirements: /docs/auditor/10.6/auditor/requirements + +2. After that, migrate your old instance according to the following article: Migrating Netwrix Auditor to New Server: /docs/kb/auditor/migrating_auditor_to_new_server. + + > **NOTE:** When you go to migrate, both the old and new instances of Netwrix Auditor must be exactly the same version and build. In Netwrix Auditor, navigate to **Settings** -> **About Netwrix Auditor** and check the build number. + +3. Make sure you applied the license. You will need a license for Netwrix Auditor no matter where it is used. + +If you are using an internal file server, make sure Netwrix Auditor is able to access it across the internet or a VPN if you have a tunnel set up. For additional information on required protocols and ports that must be opened, refer to the following article: Requirements – Protocols and Ports Required: /docs/auditor/10.6/auditor/requirements 
diff --git a/docs/kb/auditor/how-to-move-reporting-databases-to-a-new-drive.md b/docs/kb/auditor/how-to-move-reporting-databases-to-a-new-drive.md new file mode 100644 index 0000000000..72016c3c09 --- /dev/null +++ b/docs/kb/auditor/how-to-move-reporting-databases-to-a-new-drive.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Shows how to move Netwrix Reporting databases to a different drive by + detaching and attaching the databases in SQL Management Studio. +keywords: + - reporting + - database + - SQL Management Studio + - MDF + - LDF + - detach + - attach + - move database + - Netwrix +products: + - auditor +sidebar_label: How to move reporting databases to a new drive +tags: [] +title: "How to move reporting databases to a new drive" +knowledge_article_id: kA00g000000H9W0CAK +--- + +# How to move reporting databases to a new drive + +How do I move the Netwrix Reporting databases to another drive? + +## Procedure + +1) Open **SQL Management Studio** on the computer where the SQL Instance resides. +2) **Right click** on the **database** you would like to move and go to **Properties**. +3) Under **Select a page**, select **Files**. +4) By default there will be two files for each database, an **`MDF`** and an **`LDF`** file. Note the location of these files in the **`Path`** column. +5) Hit **Okay** +6) **Right click** the database and go to **Tasks -> Detach**. +7) In the **Detach Database Window** check the box to **Drop Connections** and hit **Okay**. +8) Navigate to the location from **step #4** and copy the **`MDF` and `LDF` file** to the new location. +9) In **SQL Management Studio** **right click** the **Databases folder** and select **Attach**. +10) **Click Add** under **Databases to Attach** and select the location and **`MDF`** file for the database and hit okay (The **`LDF`** will be located automatically if in the same location). +11) Hit **okay** again on the **Attach databases** screen. Your database should now be attached once again and now residing in it's new location. diff --git a/docs/kb/auditor/how-to-notify-users-without-email-in-password-expiration-notifier.md b/docs/kb/auditor/how-to-notify-users-without-email-in-password-expiration-notifier.md new file mode 100644 index 0000000000..87b6dbb8eb --- /dev/null 
+++ b/docs/kb/auditor/how-to-notify-users-without-email-in-password-expiration-notifier.md @@ -0,0 +1,40 @@ +--- +description: >- + Describes how to notify users who do not have an email address in the audited + domain by using the `mail` LDAP attribute or by specifying an external address + in Netwrix Password Reset. Includes steps to configure the target email and + notes about SMTP relay requirements. +keywords: + - password expiration + - notify users + - LDAP + - mail attribute + - SMTP relay + - Netwrix Password Reset + - PEN + - monitoring plan + - Send reports to administrators +products: + - auditor +sidebar_label: How to Notify Users Without Email in Password Expi +tags: [] +title: "How to Notify Users Without Email in Password Expiration Notifier" +knowledge_article_id: kA00g000000PbdDCAS +--- + +# How to Notify Users Without Email in Password Expiration Notifier + +## Question + +How does Netwrix Password Reset (Password Expiration Notifier, PEN) notify a user with no associated account in the audited domain? + +## Answer + +To notify the user, PEN uses the `mail` LDAP attribute assigned to the target account. If there is no associated email, you can specify the target email manually. Refer to the following steps: + +1. Run PEN. Select the correct monitoring plan and click **Edit**. +2. In the **Send reports to administrators** field, specify the target email separated by a comma. Save the changes. + +The specified email should now receive reports on expiring passwords. + +> **IMPORTANT:** In the described scenario, PEN uses the SMTP server specified in the **Notifications** tab to send notifications to external email addresses. The SMTP server must have a correctly configured relay service to send emails to external mailboxes. diff --git a/docs/kb/auditor/how-to-omit-certain-object-changes-from-being-reported.md b/docs/kb/auditor/how-to-omit-certain-object-changes-from-being-reported.md new file mode 100644 index 0000000000..a1d3def11c --- /dev/null 
+++ b/docs/kb/auditor/how-to-omit-certain-object-changes-from-being-reported.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Explains how to exclude certain data from Server Configuration Change Reporter + snapshots by using omit files such as `omit***.txt`, with examples of patterns + you can use in `omitpathlist.txt`. +keywords: + - server configuration + - omit files + - omitpathlist + - omitregkeys + - snapshot + - WMI + - Win32 + - registry + - deviceid + - Server Configuration Change Reporter +products: + - auditor +sidebar_label: How to omit certain object changes from being repo +tags: [] +title: "How to omit certain object changes from being reported?" +knowledge_article_id: kA00g000000H9TPCA0 +--- + +# How to omit certain object changes from being reported? + +The Server Configuration Change Reporter provides the option to exclude certain data from the reports. In the product installation folder, you can find a number of files named `omit***.txt`. For example, the file called `omitregkeys.txt` contains a list of registry keys that are not stored in the Server Configuration Change Reporter snapshot. Each one of these omit files contains examples of the file’s use (special symbols used: `*` - any symbol, `#` - comment, this line will not be processed). + +Examples from the `omitpathlist.txt`: + +1. `Server1rootcimv2:Win32_BaseBoard*` + Specifies that data related to the `Win32_BaseBoard` class from the `rootcimv2` namespace on the Server1 server will not be included; + +2. `Server1rootcimv2*` + Specifies that data from the `rootcimv2` namespace on the Server1 server will not be included; + +3. `Server1*Win32_Keyboard*` + Specifies that data related to the `Win32_Keyboard` class on the Server1 server will not be included; + +4. `*Win32_CacheMemory*` + Specifies that data related to the `Win32_CacheMemory` class on all the servers will not be included; + +5. `*rootaspnet*` + Specifies that data from the `rootaspnet` namespace on all the servers will not be included; + +6. 
`Server1rootcimv2:Win32_UsbHub.deviceid="usbroot_hub4&630cc7&0"`" + Specifies that data related to the `deviceid="usbroot_hub4&630cc7&0"` object of the `Win32_UsbHub` class from the namespace `rootcimv2` on the Server1 server will not be included; + +7. `Server1*.deviceid="usbroot_hub4&630cc7&0"` + Specifies that data related to the `deviceid="usbroot_hub4&630cc7&0"` object on the Server1 server will not be included; + +8. `*.deviceid="usbroot_hub4&630cc7&0"` + Specifies that data related to the `deviceid="usbroot_hub4&630cc7&0"` object on all the servers will not be included. + +9. `*ScheduledTasksClass*.*MicrosoftWindowsCustomer Experience Improvement ProgramServer*` + Specifies that data related to the Windows Customer Experience Improvement Program scheduled tasks will not be included. diff --git a/docs/kb/auditor/how-to-omit-changes-to-the-msexchmobilemailboxpolicybl-attribute.md b/docs/kb/auditor/how-to-omit-changes-to-the-msexchmobilemailboxpolicybl-attribute.md new file mode 100644 index 0000000000..2524f93e85 --- /dev/null +++ b/docs/kb/auditor/how-to-omit-changes-to-the-msexchmobilemailboxpolicybl-attribute.md 
@@ -0,0 +1,32 @@ +--- +description: >- + Use Netwrix Auditor to omit changes to the msExchMobileMailboxPolicyBL + attribute from being reported by adding the attribute pattern to the omit list + file. This article shows the exact file path and the line to add. +keywords: + - msExchMobileMailboxPolicyBL + - omit + - omitproplist_ecr.txt + - Active Directory + - Netwrix Auditor + - auditing + - exclude attribute + - mailbox policy +products: + - auditor +sidebar_label: How to omit changes to the "msExchMobileMailboxPol +tags: [] +title: How to omit changes to the "msExchMobileMailboxPolicyBL" attribute? +knowledge_article_id: kA00g000000H9VRCA0 +--- + +# How to omit changes to the "msExchMobileMailboxPolicyBL" attribute? + +--- + +To exclude changes to the `msExchMobileMailboxPolicyBL` attribute from being reported, perform the following steps: + +1. On the machine where **Netwrix Auditor** is installed, navigate to the product installation directory. By default it is `C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing` +2. Open the `omitproplist_ecr.txt` file for editing and add the following line: + `*.msExchMobileMailboxPolicyBL*` +3. Save this file diff --git a/docs/kb/auditor/how-to-omit-changes-to-the-supported-encryption-type.md b/docs/kb/auditor/how-to-omit-changes-to-the-supported-encryption-type.md new file mode 100644 index 0000000000..2bba13a2a5 --- /dev/null +++ b/docs/kb/auditor/how-to-omit-changes-to-the-supported-encryption-type.md 
@@ -0,0 +1,31 @@ +--- +description: >- + Shows how to exclude changes to the Active Directory attribute "Supported + Encryption Type" from reporting by Netwrix Auditor by adding the attribute to + the omit properties list. +keywords: + - Supported Encryption Type + - msds-supportedencryptiontypes + - omitproplist.txt + - Active Directory + - exclude changes + - omit properties + - Netwrix Auditor + - monitoring scope +products: + - auditor +sidebar_label: How to Omit Changes to Supported Encryption Type +tags: [] +title: How to omit changes to the "Supported Encryption Type"? +knowledge_article_id: kA00g000000H9VZCA0 +--- + +# How to omit changes to the "Supported Encryption Type"? + +To exclude changes to "Supported Encryption Type" from being reported, perform the following steps: + +1. On the machine where Netwrix Auditor resides, navigate to the product installation directory (by default `C:\Program Files (x86)\Netwrix Auditor\Acitve Directory Auditing`) +2. Open `omitproplist.txt` file and add the following line: ` *.msds-supportedencryptiontypes` +3. Save this file. + +Additional details can be found here: Exclude Data from Active Directory Monitoring Scope diff --git a/docs/kb/auditor/how-to-omit-some-exchange-server-attributes-from-being-reported.md b/docs/kb/auditor/how-to-omit-some-exchange-server-attributes-from-being-reported.md new file mode 100644 index 0000000000..721822a703 --- /dev/null +++ b/docs/kb/auditor/how-to-omit-some-exchange-server-attributes-from-being-reported.md 
@@ -0,0 +1,35 @@ +--- +description: >- + Describes how to exclude specific Exchange Server attributes from reporting by + Netwrix Auditor by editing the omitproplist_ecr.txt file. +keywords: + - Exchange + - attribute + - omit + - reporting + - Netwrix Auditor + - omitproplist_ecr.txt + - msExchSafeSendersHash + - Active Directory Auditing +products: + - auditor +sidebar_label: How to omit some Exchange Server attributes from b +tags: [] +title: "How to omit some Exchange Server attributes from being reported" +knowledge_article_id: kA00g000000H9V0CAK +--- + +# How to omit some Exchange Server attributes from being reported + +How to omit some Exchange Server attributes from being reported? + +To omit an Exchange Server attribute from reporting: + +1. Navigate to the **Netwrix Auditor** installation folder. For example, `C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing.` +2. Locate the `omitproplist_ecr.txt` file and add the attributes you want to exclude from reporting in the following format: + + ``` + *. + ``` + + **For example:** `*.msExchSafeSendersHash` diff --git a/docs/kb/auditor/how-to-omit-user-account-locked-out-events-from-reports.md b/docs/kb/auditor/how-to-omit-user-account-locked-out-events-from-reports.md new file mode 100644 index 0000000000..eb9cd7c3e5 --- /dev/null +++ b/docs/kb/auditor/how-to-omit-user-account-locked-out-events-from-reports.md 
@@ -0,0 +1,28 @@ +--- +description: >- + To exclude all "User Account Locked Out" events from reports in Netwrix + Auditor, edit the `unomitproplist.txt` file in the Netwrix Auditor + installation folder and remove or comment out the `*.lockoutTime` line. +keywords: + - User Account Locked Out + - lockout + - unomitproplist.txt + - lockoutTime + - Netwrix Auditor + - omit events +products: + - auditor +sidebar_label: How to omit User Account Locked Out events from re +tags: [] +title: "How to omit User Account Locked Out events from reports" +knowledge_article_id: kA00g000000H9WeCAK +--- + +# How to omit User Account Locked Out events from reports + +In order to exclude all "User Account Locked Out" events from reports in Netwrix Auditor, perform the following steps: + +1. Navigate to the Netwrix Auditor installation folder +2. Open the `unomitproplist.txt` file +3. Remove the `*.lockoutTime` line OR just add `#` to the beginning of the line (for example, `#*.lockoutTime`) +4. Save the file diff --git a/docs/kb/auditor/how-to-omit-warnings-in-netwrix-auditor-for-active-directory-when-audit-is-properly-configured.md b/docs/kb/auditor/how-to-omit-warnings-in-netwrix-auditor-for-active-directory-when-audit-is-properly-configured.md new file mode 100644 index 0000000000..4e2e800c21 --- /dev/null +++ b/docs/kb/auditor/how-to-omit-warnings-in-netwrix-auditor-for-active-directory-when-audit-is-properly-configured.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Shows how to suppress warnings for domain controllers in Netwrix Auditor for + Active Directory when the audit is properly configured or when the connection + between the Netwrix server and a domain controller is unstable (RPC errors). +keywords: + - Netwrix Auditor + - Active Directory + - domain controller + - warnings + - suppresswarnings + - agent.ini + - RPC +products: + - auditor +sidebar_label: How to omit warnings in Netwrix Auditor for Active +tags: [] +title: "How to omit warnings in Netwrix Auditor for Active Directory when audit is properly configured?" +knowledge_article_id: kA00g000000H9VeCAK +--- + +# How to omit warnings in Netwrix Auditor for Active Directory when audit is properly configured? + +You receive warnings about some of your domain controllers while they are properly configured and do not have any issues. How can you omit warnings in Netwrix Auditor for Active Directory? + +Netwrix Auditor may throw warnings about some of your domain controllers. This article applies when the audit is properly configured and/or the connection between the Netwrix server and the affected domain controller is not stable (RPC errors). + +**Caution!** This article should not be used when **System** is shown in the **Who Changed** column of the daily summary report. + +To omit the warnings: + +1. Navigate to `C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing` +2. Open `agent.ini`. +3. Add FQDNs in the following format: `=suppresswarnings` + +For example: + +``` +DC1.contoso.com=suppresswarnings +DC2.contoso.com=suppresswarnings +``` + +Each DC should be entered on a separate line. diff --git a/docs/kb/auditor/how-to-opt-out-of-the-netwrix-customer-experience-improvement-program-in-netwrix-auditor.md b/docs/kb/auditor/how-to-opt-out-of-the-netwrix-customer-experience-improvement-program-in-netwrix-auditor.md new file mode 100644 index 0000000000..9671201d62 --- /dev/null 
+++ b/docs/kb/auditor/how-to-opt-out-of-the-netwrix-customer-experience-improvement-program-in-netwrix-auditor.md @@ -0,0 +1,32 @@ +--- +description: >- + Shows how to opt out of the Netwrix Customer Experience Improvement Program in + Netwrix Auditor. +keywords: + - opt-out + - customer experience + - telemetry + - Netwrix Auditor + - usage statistics + - privacy + - settings +products: + - auditor +sidebar_label: 'How to opt-out of the Netwrix Customer Experience ' +tags: [] +title: "How to opt-out of the Netwrix Customer Experience Improvement Program in Netwrix Auditor" +knowledge_article_id: kA04u0000000H48CAE +--- + +# How to opt-out of the Netwrix Customer Experience Improvement Program in Netwrix Auditor + +The Customer Experience Program is a feature which helps Netwrix improve the quality, reliability, and performance of Netwrix products and services. If you accept, Netwrix collects statistical information on how the Licensee uses the product in accordance with applicable law. If you no longer wish to participate in this program, follow the steps below: + +--- + +1. Launch Netwrix Auditor +2. Navigate to the **Settings** +3. Under the **General** tab, find the **Netwrix Auditor usage statistics** section +4. Uncheck the box labeled "**Take part in Netwrix Customer Experience Improvement Program**" + +Netwrix Auditor will no longer collect usage data diff --git a/docs/kb/auditor/how-to-prepare-for-printing-ssrs-based-reports.md b/docs/kb/auditor/how-to-prepare-for-printing-ssrs-based-reports.md new file mode 100644 index 0000000000..f0c117ac18 --- /dev/null +++ b/docs/kb/auditor/how-to-prepare-for-printing-ssrs-based-reports.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Learn how to enable and install the ActiveX Control required to print + SSRS-based reports from Internet Explorer and Netwrix Auditor Client. +keywords: + - SSRS + - ActiveX + - Internet Explorer + - Netwrix Auditor + - Report Viewer + - printing + - ActiveX Control +products: + - auditor +sidebar_label: How to prepare for printing SSRS-based reports +tags: [] +title: "How to prepare for printing SSRS-based reports" +knowledge_article_id: kA04u0000000GsCCAU +--- + +# How to prepare for printing SSRS-based reports + +To print SSRS-based reports, SSRS Report Viewer and Netwrix Auditor Client require ActiveX Control to be installed and enabled on the local machine. + +- To install the control, make sure you have administrative rights on the local computer. +- Recommended browser version is Internet Explorer 8 or later. + +Take the following steps: + +1. Open the Internet Explorer **Tools** menu by clicking the gear icon in the top-right corner. +2. Select **Internet Options**. +3. Go to the **Security** tab and click **Custom level…** +4. Locate the ActiveX controls and plug-ins section. +5. Select **Enable** or **Prompt** for each of the following three settings: + - **Run ActiveX controls and plug-ins** + - **Script ActiveX controls marked safe for scripting** + - **Download signed ActiveX controls** + +![User-added image](images/ka04u000000HcZ6_0EM4u000002P6Cl.png) + +6. Click **OK**. +7. Open any SSRS-based report using Internet Explorer and click **Print**. +8. Internet Explorer will prompt for installation of the additional components it needs for printing. Click **Yes**. The ActiveX Control automatically downloads and installs. + +Then you will be able to print the reports from Internet Explorer and Netwrix Auditor UI. diff --git a/docs/kb/auditor/how-to-prepare-netwrix-server-for-os-upgrade.md b/docs/kb/auditor/how-to-prepare-netwrix-server-for-os-upgrade.md new file mode 100644 index 0000000000..e34a5da8a2 
--- /dev/null +++ b/docs/kb/auditor/how-to-prepare-netwrix-server-for-os-upgrade.md 
@@ -0,0 +1,58 @@ +--- +description: >- + This article describes steps to prepare the Netwrix Auditor host server for a + Windows operating system upgrade, including backup recommendations and service + stop/start commands. +keywords: + - Netwrix Auditor + - OS upgrade + - Windows upgrade + - snapshot + - backup + - PowerShell + - Stop-Service + - Start-Service + - failover +products: + - auditor +sidebar_label: How to Prepare Netwrix Server for OS Upgrade +tags: [] +title: "How to Prepare Netwrix Server for OS Upgrade" +knowledge_article_id: kA04u000000wnjVCAQ +--- + +# How to Prepare Netwrix Server for OS Upgrade + +## Overview + +This article provides preparation steps for upgrading an operating system (Windows) in the Netwrix Auditor host server. + +## Instructions + +### Pre-Upgrade Data Security Measures: Snapshot and Backup Guidelines + +Taking a snapshot or creating a backup of the Netwrix Auditor Server is recommended for data protection and recovery. The method to be used depends on the approach used for Auditor installation, whether it's on a virtual or physical machine. + +> **TIP:** You can configure Netwrix Auditor in the failover mode. To learn about failover and backup scenarios, read [How to configure Netwrix Auditor in the Failover Mode?](/docs/kb/auditor/how-to-configure-netwrix-auditor-in-failover-mode.md) + +Stop all Netwrix services running in your server − run the following line in elevated PowerShell: + +```powershell +Stop-Service -Displayname Netwrix* +``` + +### Post-Upgrade Procedure: Auditor Initialization and Service Verification + +After the upgrade, give Netwrix Auditor a couple of hours to initialize, and make sure all services are running. To start all Netwrix Auditor-related processes in the server, run the following line in elevated PowerShell: + +```powershell +Start-Service -Displayname Netwrix* +``` + +### Post-Upgrade Warnings and Data Collection Interruptions + +After the upgrade, you might notice warnings in the Health log. 
These warnings occur because services are temporarily unavailable and data collection is interrupted during the upgrade and server reboot. Once the upgrade is complete, services will be automatically restarted, and data collection will continue without any issues. + +## Related articles + +- [How to configure Netwrix Auditor in the Failover Mode?](/docs/kb/auditor/how-to-configure-netwrix-auditor-in-failover-mode.md) diff --git a/docs/kb/auditor/how-to-prepare-the-netwrix-server-for-a-sql-upgrade.md b/docs/kb/auditor/how-to-prepare-the-netwrix-server-for-a-sql-upgrade.md new file mode 100644 index 0000000000..4176f9fafa --- /dev/null +++ b/docs/kb/auditor/how-to-prepare-the-netwrix-server-for-a-sql-upgrade.md 
@@ -0,0 +1,38 @@ +--- +description: >- + Guidance on preparing the Netwrix server for an in-place upgrade of Microsoft + SQL Server 2014 to SQL Server 2019, including precautions and links to + migration guidance. +keywords: + - SQL upgrade + - SQL Server 2019 + - SQL Server 2014 + - Netwrix server + - backup + - snapshot + - database migration + - MS SQL +products: + - auditor +sidebar_label: How to Prepare the Netwrix Server for a SQL Upgrad +tags: [] +title: "How to Prepare the Netwrix Server for a SQL Upgrade" +knowledge_article_id: kA04u000001115OCAQ +--- + +# How to Prepare the Netwrix Server for a SQL Upgrade + +## Question + +Is there a process we need to follow on the Netwrix server to prepare for an upgrade? This is an in-place upgrade of SQL 2014 to SQL 2019. We have backups and plan to snapshot the virtual machines before starting. Are there any steps to take on the Netwrix application server before and after the SQL upgrade? + +## Answer + +There is no need to back up anything on the Netwrix server when performing SQL upgrades. You also don't need to back up the config file. + +> **NOTE:** However, as an additional precautionary measure, you have the option of taking a snapshot of the Netwrix host before starting any upgrade procedures + +There are some best practices that can help you to properly upgrade your SQL. + +- Read about prerequisites and instructions in this article: [Upgrade to a different edition of SQL Server (Setup) ⸱ Microsoft 👍](https://learn.microsoft.com/en-us/sql/database-engine/install-windows/upgrade-to-a-different-edition-of-sql-server-setup?view=sql-server-ver16) +- Read how to Migrate Netwrix Databases to Another MS SQL Server Instance diff --git a/docs/kb/auditor/how-to-prevent-long-term-archive-overflow.md b/docs/kb/auditor/how-to-prevent-long-term-archive-overflow.md new file mode 100644 index 0000000000..54f30e5fdf --- /dev/null +++ b/docs/kb/auditor/how-to-prevent-long-term-archive-overflow.md 
@@ -0,0 +1,42 @@ +--- +description: >- + Learn how to prevent disk overflow on the drive that stores the Long-Term + Archive by adjusting retention, moving the archive, or excluding data from + monitoring scope. +keywords: + - long-term archive + - archive retention + - disk overflow + - Netwrix Auditor + - move archive + - omit lists + - monitoring scope + - virtual machine + - Active Directory +products: + - auditor +sidebar_label: How to Prevent Long-Term Archive Overflow +tags: [] +title: "How to Prevent Long-Term Archive Overflow" +knowledge_article_id: kA00g000000PbdHCAS +--- + +# How to Prevent Long-Term Archive Overflow + +## Question + +How can you prevent disk overflow on the drive where the Long-Term Archive is located? + +## Answer + +You can deal with this issue in one of the following ways: + +1. Modify Long-Term Archive retention period. For that: + - In Netwrix Auditor, navigate to **Settings**. + - Select the **Long-Term Archive** page and modify the archive retention settings – provide the value in months. +2. Move the archive to another drive. Learn more in the following article: /docs/kb/auditor/how_to_move_long-term_archive_to_a_new_location (How to Move Long-Term Archive to a New Location). +3. Exclude Data from the Auditing Scope. For additional information, refer to the following article: /docs/kb/auditor/how_to_exclude_users_and_objects_from_monitoring_scope_in_netwrix_auditor_ui (How to Exclude Users and Objects from Monitoring Scope in Netwrix Auditor UI). + +You can also fine tune your monitoring scope via omit lists — this allows you to proactively decrease the DB loads as changes for omitted items are not recorded. For additional information on available omit lists, review the corresponding article applicable to your target system. 
For example, for Active Directory omit lists, refer to the following article: /docs/auditor/10.6/auditor/admin-guide/monitoringplans/activedirectory (Monitoring Plans — Active Directory Plans — Active Directory Monitoring Scope). + +> **NOTE:** If you are using a virtual machine, either add another drive or expand your current drive. diff --git a/docs/kb/auditor/how-to-properly-remove-auditor-components-prior-to-further-clear-installation.md b/docs/kb/auditor/how-to-properly-remove-auditor-components-prior-to-further-clear-installation.md new file mode 100644 index 0000000000..77dbb7abeb --- /dev/null +++ b/docs/kb/auditor/how-to-properly-remove-auditor-components-prior-to-further-clear-installation.md 
@@ -0,0 +1,56 @@ +--- +description: >- + How to remove Netwrix Auditor components from a server before performing a + clean installation to avoid conflicts with the previous installation. +keywords: + - Netwrix Auditor + - clear install + - uninstall + - compression services + - monitoring plans + - server preparation + - migration + - reinstall +products: + - auditor +sidebar_label: How to Properly Remove Auditor Components Prior to +tags: [] +title: "How to Properly Remove Auditor Components Prior to Further Clear Installation?" +knowledge_article_id: kA0Qk0000000Lm1KAE +--- + +# How to Properly Remove Auditor Components Prior to Further Clear Installation? + +## Overview + +In cases when you already have Netwrix Auditor installed on a server and, for some reasons, do not want to upgrade the product and migrate the configuration to another server, you might want to perform clear install of Netwrix Auditor to this machine. How to make sure the new server installation/configuration doesn't encounter problems related to the old Netwrix server? + +## Instructions + +Review the explanations and instructions below to safely prepare your server for clear install. + +### Question 1 + +Do I need to uninstall Netwrix compression services from all the nodes that the previous installation/server was monitoring before I build new server? + +### Answer + +No, because Netwrix Auditor is supposed to automatically uninstall compression services upon removing the targeted machine/location or items from monitoring plans. + +### Question 2 + +Does Netwrix Auditor uninstallation from my server removes all Netwrix compression services or do I have to manually uninstall them from all nodes? + +### Answer + +In most cases, yes it does. However, for the proper uninstallation of all compression services, Netwrix recommends following the procedure below: + +1. In Netwrix Auditor, navigate to **Monitoring plans** and remove the **items** first. +2. 
Wait for the host server some time to synchronize with nodes that have the compression services installed. Depending on your Auditor configuration, the uninstallation process might take a while. Wait for a couple of hours for the uninstallation to take effect. +3. Double check that the compression services were uninstalled successfully. +4. Delete all **monitoring plans**. +5. Uninstall Netwrix Auditor itself. + +### Related Article + +- [Migrating Netwrix Auditor to New Server](/docs/kb/auditor/migrating-auditor-to-new-server.md) diff --git a/docs/kb/auditor/how-to-read-netwrix-auditor-logs.md b/docs/kb/auditor/how-to-read-netwrix-auditor-logs.md new file mode 100644 index 0000000000..276793e066 --- /dev/null +++ b/docs/kb/auditor/how-to-read-netwrix-auditor-logs.md 
@@ -0,0 +1,66 @@ +--- +description: >- + Learn where Netwrix Auditor stores its logs, how to read them, and how to + prepare logs for Technical Support to troubleshoot collectors and services. +keywords: + - logs + - Netwrix Auditor + - collectors + - troubleshooting + - NwArchiveSVC + - log location + - Control + F + - archive service +products: + - auditor +sidebar_label: How to Read Netwrix Auditor Logs +tags: [] +title: "How to Read Netwrix Auditor Logs" +knowledge_article_id: kA00g000000H9eaCAC +--- + +# How to Read Netwrix Auditor Logs + +## What to expect from Netwrix Auditor logs + +Logs can reveal many aspects of operations for all Netwrix Auditor Collectors and Services. Not all log information is related to errors; most of the text will walk you through the collection process. + +## Where are the logs? + +The Netwrix Auditor logs can be found by default at `C:\ProgramData\Netwrix Auditor\Logs` on the Netwrix Auditor Server. + +There is an overwhelming amount of logs to choose from. To efficiently view logs, first choose which collector you want to troubleshoot or investigate. Most log folders display the name of the related collector. Some logs are nested and may take longer to find until you build familiarity with the file structure. + +- **Data Collection Core** + This is an example of a less obvious log location. This directory has logs for collectors like File Server Auditing and Logon Activity. + +- **Audit Core** + This directory includes logs for Netwrix Auditor Core Services. For example, Technical Support will view these logs in instances where data may not be getting stored in SQL. In this example, you would look at the `NwArchiveSVC` because the Netwrix Auditor Archive Service is responsible for storing data in SQL. + +## How to read the logs + +Due to variance between logs, the general rule of thumb when viewing logs is to start with the largest sized log. 
Alternatively, you can choose to start with log files with names that match the collector in question. In this example, they are the same: + +![Reading Logs](https://kb.netwrix.com/wp-content/uploads/2019/10/Reading-Logs.png) + +Once you open a log, you will want to either scroll to the bottom or use the keystroke `Control + End`. + +Log data is formatted in columns. From left to right, data is presented as: Date/Time, Message Type, Process Code, Process Name, Process description/Error Description. + +![Reading log data](https://kb.netwrix.com/wp-content/uploads/2019/10/reading-log-data-1-1024x147.png) + +Unless you are viewing logs to better understand collector processes, you will want to filter through the log using a find function. Useful search terms to find errors and warnings include: + +- `Control + F` +- warn +- err +- error +- failed +- tracing (This may not be present in every log, but if it is, you can see when a collection begins, follow it through, and watch for signs of root cause) +- names of servers and domain controllers (If you suspect issues with collections from identified machines, you may find clues by searching their names in the logs) + +Ultimately, learning logs requires the ability to watch for patterns. While extremely useful, logs will not always lead to a direct resolution. They tend to act as a stepping stone along the path to resolution. + +## Sending logs to Technical Support + +In most cases, Technical Support will request logs for tickets not resolved on initial contact. If you want to anticipate this and possibly expedite resolution, you can prepare the logs using the steps seen here: https://kb.netwrix.com/4645. diff --git a/docs/kb/auditor/how-to-recreate-alerts-database.md b/docs/kb/auditor/how-to-recreate-alerts-database.md new file mode 100644 index 0000000000..123c1eba89 --- /dev/null +++ b/docs/kb/auditor/how-to-recreate-alerts-database.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Shows how to recreate the Netwrix_AlertsDB database used to store Alerts data: + back up the current database, recreate it in SQL Server, and restart the + Netwrix Auditor Management service. +keywords: + - Netwrix_AlertsDB + - Netwrix Auditor + - recreate database + - SQL Server + - SSMS + - backup + - Alerts database + - service restart +products: + - auditor +sidebar_label: How to Recreate Alerts Database? +tags: [] +title: "How to Recreate Alerts Database?" +knowledge_article_id: kA04u000000wnozCAA +--- + +# How to Recreate Alerts Database? + +## Overview + +Sometimes, for some reasons, you need to recreate the `Netwrix_AlertsDB` database used to store your Alerts data and hosted by the specified instance of the SQL Server. For example, if the current database is full. For additional information on special Netwrix Auditor databases capacity, refer to the following article: Health Status Dashboard — Database Statistics — v10.6. + +This article explains how to recreate this database. + +## Instructions + +To recreate the `Netwrix_AlertsDB` database, do the following: + +1. Connect to SQL Server Management Studio and create a backup of your current `Netwrix_AlertsDB` database. Learn more in [Quickstart: Backup and restore a SQL Server database with SSMS ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sql/relational-databases/backup-restore/quickstart-backup-restore-database?view=sql-server-ver16&tabs=ssms). +2. Then, delete the existing database and create a new one with the name of `Netwrix_AlertsDB`. +3. On the computer that hosts your Netwrix Auditor Server, start the **Services** snap-in and restart the **Netwrix Auditor Management** service. diff --git a/docs/kb/auditor/how-to-reduce-audit-database-size-for-netwrix-auditor.md b/docs/kb/auditor/how-to-reduce-audit-database-size-for-netwrix-auditor.md new file mode 100644 index 0000000000..3331633307 --- /dev/null 
+++ b/docs/kb/auditor/how-to-reduce-audit-database-size-for-netwrix-auditor.md 
@@ -0,0 +1,101 @@ +--- +description: >- + Shows how to reduce the Netwrix Auditor audit database size by adjusting + retention settings, deleting or renaming databases, and rebuilding databases. + Also explains considerations for SQL Server Express and how to estimate + database growth. +keywords: + - audit database + - retention + - Netwrix Auditor + - SQL Server Express + - delete database + - rename database + - rebuild database + - database size + - database statistics +products: + - auditor +sidebar_label: How to Reduce Audit Database Size for Netwrix Audi +tags: [] +title: "How to Reduce Audit Database Size for Netwrix Auditor" +knowledge_article_id: kA00g000000H9cbCAC +--- + +# How to Reduce Audit Database Size for Netwrix Auditor + +## Question + +How to reduce the Netwrix Auditor audit database size? + +## Answer + +> **NOTE:** Data removed after altering or deleting audit databases will no longer be readily available to be searched and reported. To query that data, you'll have to perform an investigation. For additional data on investigations, refer to the following article: Auditor Settings – Investigations · v10.6: /docs/auditor/10.6/auditor/admin-guide/settings + +You can configure the audit database retention settings by following the next steps: + +1. Launch Netwrix Auditor and open the **Settings** menu. +2. In the left pane, select the **Audit Database** tab. +3. Click **Modify** under the **Database Retention** section and input the retention period in days. + + ![User-added image](images/ka04u00000117bz_0EM0g000000hGVv.png) + + - **Tip:** Longer retention periods results in larger audit databases. + +Data that exceeds the new retention period will be removed during the next collection, reducing the audit database size. + +> **NOTE:** If you are using SQL Server Express to save your audit data, you may find your audit databases quickly reach the 10 GB limit. 
Instead of fine-tuning retention settings, you may choose to either delete and recreate your audit databases or rename the older full database for new information to be kept in a new database. Refer to the following steps for additional information on the process. + +### Deleting audit database + +1. In Windows Services Manager on your Netwrix host, stop both **Netwrix Auditor Archive Service** and **Netwrix Auditor Management Service**. +2. Run your SQL Management Studio instance and navigate to ` %SQL_Server_database_name% > Databases` to select the database you are going to delete. + + ![User-added image](images/ka04u00000117bz_0EM70000000QIPr.png) + +3. In the Delete Object window, check both option checkboxes: + 1. Delete backup and restore history information for databases. + 2. Close existing connections. +4. Once the database has been deleted, restart **Netwrix Auditor Archive Service** and **Netwrix Auditor Management Service**. + +The audit database has now been successfully deleted. Refer to the **Rebuilding audit databases** section for next steps. + +### Rebuilding audit databases + +1. Select an affected monitoring plan and click **Edit** > click **Edit settings** in the right pane. +2. In the left pane, select the **Audit Database** tab. Review the database name and update it if necessary. + Netwrix Auditor allows you to specify settings for each monitoring plan individually, so you'll have to rebuild the database for each monitoring plan separately. + + ![User-added image](images/ka04u00000117bz_0EM0g000000hGWo.png) + +3. Refresh or reopen the SQL Management Studio to ensure the audit database was rebuilt. + +### Renaming audit databases + +1. In Windows Services Manager on your Netwrix host, stop both **Netwrix Auditor Archive Service** and **Netwrix Auditor Management Service**. +2. Run your SQL Management Studio instance and navigate to ` %SQL_Server_database_name% > Databases` to select the database you are going to rename. +3. 
Right-click the selected database and select **Rename**. + + ![Screenshot_1.png](images/ka04u00000117bz_0EM4u000004dCnj.png) + +4. Add **_old** or another word to the end of the database name to differentiate it from other databases. +5. Once the database has been renamed, restart **Netwrix Auditor Archive Service** and **Netwrix Auditor Management Service**. + +The audit database has now been successfully renamed. Refer to the **Rebuilding audit databases** section for next steps. + +> **NOTE:** Both renaming and deleting processes are temporary non-scalable workarounds for SQL Server Express limitations. We strongly recommend using Standard version of SQL Server to avoid potential data loss and issues with databases. + +### Setting the retention period + +> **NOTE:** In order to correctly set the retention period, you have to estimate your audit database growth. If you are using Netwrix Auditor 9.6 or newer, this can be done by monitoring **Health Status** > **Database statistics**. + +![db_stats.png](images/ka04u00000117bz_0EM4u000008LKwz.png) + +1. Run your SQL Management Studio instance and navigate to ` %SQL_Server_database_name% > Databases` to locate the required database. +2. Right-click it and select **Properties**. + + ![User-added image](images/ka04u00000117bz_0EM70000000QIQN.png) + +3. Review **Size** and **Space Available** parameters. + +> **NOTE:** This should be done over the course of several days to get the best estimate of growth. diff --git a/docs/kb/auditor/how-to-reduce-the-netwrix-event-log-manager-database-size.md b/docs/kb/auditor/how-to-reduce-the-netwrix-event-log-manager-database-size.md new file mode 100644 index 0000000000..b86dfbd1a8 --- /dev/null +++ b/docs/kb/auditor/how-to-reduce-the-netwrix-event-log-manager-database-size.md 
@@ -0,0 +1,33 @@ +--- +description: >- + Learn how to reduce the NetWrix Event Log Manager SQL database size by + configuring the database retention period to remove old events automatically. +keywords: + - NetWrix Event Log Manager + - database retention + - SQL database + - delete old events + - database size + - data retention + - Enterprise Management Console +products: + - auditor +sidebar_label: How to reduce the NetWrix Event Log Manager databa +tags: [] +title: "How to reduce the NetWrix Event Log Manager database size" +knowledge_article_id: kA00g000000H9TCCA0 +--- + +# How to reduce the NetWrix Event Log Manager database size + +Our NetWrix Event Log Manager database size is getting too large. How can we reduce its size and delete old events? + +You can reduce the database size by setting the SQL database retention period that allows controlling the amount of data stored in your SQL database. In accordance with this setting, the database size is automatically updated during the event collection process. + +To configure the SQL database retention settings, do the following: + +1. Start **NetWrix Enterprise Management Console**, and navigate to **Managed Objects** **``** **Event Log Manager** **Reports**. +2. In the right pane, switch to the **Settings** tab, select the **Store audit data in the database for () days** check box, and specify the number of days (for example, `30 days`). **Note**: the longer the period you specify, the larger your database size is. +3. Click **Apply** to save the changes. + +The NetWrix Event Log Manager database size will be reduced during the next data collection. diff --git a/docs/kb/auditor/how-to-remove-a-decomissioned-server-from-ssrs-reports.md b/docs/kb/auditor/how-to-remove-a-decomissioned-server-from-ssrs-reports.md new file mode 100644 index 0000000000..21fbd2871f --- /dev/null +++ b/docs/kb/auditor/how-to-remove-a-decomissioned-server-from-ssrs-reports.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Shows how to remove a decommissioned file server from the drop-down menu in + SQL Report Manager by deleting the server's entry from the Sessions table in + the NetWrix_File_Server_Change_Reporter database. +keywords: + - SQL + - SSRS + - Report Manager + - NetWrix + - NetWrix_File_Server_Change_Reporter + - Sessions + - decommissioned server + - remove server +products: + - auditor +sidebar_label: How to remove a decomissioned server from SSRS rep +tags: [] +title: "How to remove a decomissioned server from SSRS rep" +knowledge_article_id: kA00g000000H9VpCAK +--- + +# How to remove a decomissioned server from SSRS rep + +How to remove a decommissioned file server from the drop down menu in SQL Report Manager? + +## Resolution + +To remove this server from reports, open MS SQL Management Studio, connect to your SQL server which hosts the NetWrix databases, click on **New query** and execute the following query: + +```sql +use NetWrix_File_Server_Change_Reporter +delete from Sessions where sessions.Object = 'decommissioned_server_name'; +``` diff --git a/docs/kb/auditor/how-to-remove-all-triggers-from-sql-server-database.md b/docs/kb/auditor/how-to-remove-all-triggers-from-sql-server-database.md new file mode 100644 index 0000000000..72f7c54d06 --- /dev/null +++ b/docs/kb/auditor/how-to-remove-all-triggers-from-sql-server-database.md 
@@ -0,0 +1,27 @@ +--- +description: >- + Shows how to remove all triggers from audited SQL Server database(s) by + running the supplied Netwrix Auditor script. +keywords: + - SQL Server + - triggers + - remove triggers + - Netwrix Auditor + - sqlcr_remove_audit_from_db.sql + - SQL Server Auditing + - database triggers +products: + - auditor +sidebar_label: How to remove all triggers from SQL Server databas +tags: [] +title: "How to remove all triggers from SQL Server database?" +knowledge_article_id: kA00g000000H9WhCAK +--- + +# How to remove all triggers from SQL Server database? + +## Resolution + +To remove all triggers from audited database(s), execute the script located at the installation folder of Netwrix Auditor: `C:\Program Files (x86)\Netwrix Auditor\SQL Server Auditing\sqlcr_remove_audit_from_db.sql` + +**Note:** Before executing the script, you should specify the name of the database where you would like to remove the triggers in the **Available Databases** list box. diff --git a/docs/kb/auditor/how-to-remove-footer-from-real-time-alert-emails.md b/docs/kb/auditor/how-to-remove-footer-from-real-time-alert-emails.md new file mode 100644 index 0000000000..126224c9d4 --- /dev/null +++ b/docs/kb/auditor/how-to-remove-footer-from-real-time-alert-emails.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Shows how to remove the footer text from real-time alert emails by editing the + registry and setting the ShowReportFooter DWORD value to 0. +keywords: + - real-time alerts + - footer + - ShowReportFooter + - registry + - HKEY_LOCAL_MACHINE + - Netwrix Event Log Manager + - alert emails + - regedit +products: + - auditor +sidebar_label: How to remove footer from real-time alert emails +tags: [] +title: "How to remove footer from real-time alert emails" +knowledge_article_id: kA00g000000H9TrCAK +--- + +# How to remove footer from real-time alert emails + +How do I remove the following text from the real-time alert emails: '**This is an automatically generated message from Netwrix Event Log Manager. Please visit www.netwrix.com for more products and updates.**'? + +--- + +To remove the text, perform the following: + +1. Launch **Registry Editor** (**Start** -> **Run**, type `regedit`). +2. Navigate to `HKEY_LOCAL_MACHINESOFTWARENetWrixEvent Log Manager` in the left pane (use `HKEY_LOCAL_MACHINESOFTWAREWow6432NodeNetWrixEvent Log Manager` if you are running a 64-bit version of Windows). +3. In the right pane, modify the existing DWORD value (or create a new DWORD value: right-click the right pane, click **New**, select **DWORD value** from the drop-down list) with the following parameters: + - Name: `ShowReportFooter` + - Value: `0` +4. Save the changes. + +The footer will no longer be shown in the real-time alert emails. diff --git a/docs/kb/auditor/how-to-remove-netwrix-auditor-for-active-directory-group-policy-and-exchange.md b/docs/kb/auditor/how-to-remove-netwrix-auditor-for-active-directory-group-policy-and-exchange.md new file mode 100644 index 0000000000..95d21d6e2a --- /dev/null +++ b/docs/kb/auditor/how-to-remove-netwrix-auditor-for-active-directory-group-policy-and-exchange.md 
@@ -0,0 +1,42 @@ +--- +description: >- + Step-by-step instructions to completely uninstall Netwrix Auditor for Active + Directory, Group Policy and Exchange Servers, including removing files, + scheduled tasks, registry keys, and SQL databases. Includes instructions to + remove the Lightweight Agent from domain controllers. +keywords: + - uninstall + - Netwrix Auditor + - Active Directory + - Group Policy + - Exchange + - audit archive + - registry + - scheduled tasks + - SQL Server +products: + - auditor +sidebar_label: How to remove Netwrix Auditor for Active Directory +tags: [] +title: 'How to remove Netwrix Auditor for Active Directory, Group Policy and Exchange?' +knowledge_article_id: kA00g000000Pbd1CAC +--- + +# How to remove Netwrix Auditor for Active Directory, Group Policy and Exchange? + +How can I remove **Netwrix Auditor for Active Directory, Group Policy and Exchange**? + +To completely uninstall **Netwrix Auditor for Active Directory, Group Policy and Exchange Servers**, perform the following steps: + +1. Remove the program using Control Panel. +2. Delete the entire contents of the Netwrix Auditor Audit Archive folder (to locate the folder correctly see **Netwrix Auditor console -> Settings -> Audit Archive**). By default, `C:\ProgramData\NetWrix\ManagementConsole\Data`. +3. Delete the following directory: + - **Vista or above**: `C:\ProgramData\NetWrix` + - **Windows XP, 2003 Server**: `C:\Documents and Settings\All Users\Application Data\NetWrix` and `C:\Program Files\Common Files\NetWrix`. +4. Delete all scheduled Tasks that start with "NetWrix". +5. Delete the program installation folder. +6. Launch `regedit` and remove the following directory: + - **for 32-bit OS**: `HKEY_LOCAL_MACHINE\SOFTWARE\NetWrix` + - **for 64-bit OS**: `HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetWrix` +7. To remove all historical data from your SQL Server, remove all NetWrix databases using MS SQL Server Management Studio. +8. 
To remove Netwrix Auditor Lightweight Agent from Domain Controllers, refer to this [KB article](http://www.netwrix.com/knowledge_base.html?mode=sol&solution=00000818). diff --git a/docs/kb/auditor/how-to-remove-netwrix-event-log-agent-from-multiple-servers.md b/docs/kb/auditor/how-to-remove-netwrix-event-log-agent-from-multiple-servers.md new file mode 100644 index 0000000000..92cdf4afcf --- /dev/null +++ b/docs/kb/auditor/how-to-remove-netwrix-event-log-agent-from-multiple-servers.md @@ -0,0 +1,37 @@ +--- +description: >- + Shows how to remove the Netwrix Event Log agent from multiple servers by using + sc.exe and a provided PowerShell script that accepts a list of servers. +keywords: + - Netwrix + - Event Log agent + - remove + - sc.exe + - PowerShell + - servers + - Remove.zip +products: + - auditor +sidebar_label: How to remove Netwrix Event Log agent from multipl +tags: [] +title: "How to remove Netwrix Event Log agent from multiple servers" +knowledge_article_id: kA00g000000H9W9CAK +--- + +# How to remove Netwrix Event Log agent from multiple servers + +We used to use Netwrix Auditor - Generic (Event Log Management) events and Netwrix Auditor for User logons with agents, but we do not use them anymore + +But agents are still installed on the servers, so we need a method to safely automate the removal of the service from all servers. + +--- + +The agents are registered as services, so it is recommended to use `sc.exe` to remove services. + +Find attached a Powershell script that will remove Netwrix agents from all servers in the specified list. + +https://kb.netwrix.com/wp-content/uploads/2013/12/Remove.zip + +The script requires a list of servers in a text file as input. + +Example: `.Remove.ps1 -list D:Servers.txt` diff --git a/docs/kb/auditor/how-to-remove-old-oracle-database-audit-events.md b/docs/kb/auditor/how-to-remove-old-oracle-database-audit-events.md new file mode 100644 index 0000000000..fd49120aad --- /dev/null 
+++ b/docs/kb/auditor/how-to-remove-old-oracle-database-audit-events.md 
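Review bot: the closing example of the Event Log agent article, `.Remove.ps1 -list D:Servers.txt`, is missing its backslashes and will not run as written; it presumably should read `.\Remove.ps1 -list D:\Servers.txt`. The article also asks readers to download `Remove.zip` and run its script against every server in a list while describing it only as a script that "will remove Netwrix agents"; summarise the `sc.exe` calls it makes, or inline the script, so it can be reviewed before it is run. The `sidebar_label` is cut off at "multipl".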
@@ -0,0 +1,61 @@ +--- +description: >- + Instructions to create a scheduled job in Oracle Database to remove old + Unified Auditing events using DBMS_SCHEDULER and DBMS_AUDIT_MGMT. +keywords: + - oracle + - audit + - DBMS_SCHEDULER + - DBMS_AUDIT_MGMT + - unified auditing + - cleanup + - scheduler job + - Netwrix Auditor +products: + - auditor +sidebar_label: How to remove old Oracle Database audit events +tags: [] +title: "How to remove old Oracle Database audit events" +knowledge_article_id: kA00g000000H9T3CAK +--- + +# How to remove old Oracle Database audit events + +How to remove old audit events when auditing Oracle Database? + +--- + +Netwrix recommends removing old audit events periodically to reduce load on the database server while auditing. You can use the following Oracle Database packages: + +- `DBMS_SCHEDULER` — Refer to the following Oracle Database online documentation: https://docs.oracle.com/database/121/ARPLS/d_sched.htm#ARPLS72235 +- `DBMS_AUDIT_MGMT` — Refer to the following Oracle Database online documentation: https://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241 + +The example below describes how to create the job to remove audit events by the following criteria: + +- **Audit type** — Unified Auditing +- **Event Age** — Older than one day + +The job is triggered once a day. 
Review the example: + +```plsql +BEGIN + DBMS_SCHEDULER.create_job( + job_name => 'cleanup_unified_audit_job', + job_type => 'PLSQL_BLOCK', + job_action => 'BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, last_archive_time => TRUNC(SYSDATE)-1); DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, use_last_arch_timestamp => TRUE); END;', + start_date => SYSTIMESTAMP, + auto_drop => FALSE, + enabled => TRUE, + repeat_interval => 'FREQ=DAILY;INTERVAL=1' + ); +END; +``` + +Run the following queries to review results: + +- ```sql + SELECT * FROM USER_SCHEDULER_JOB_RUN_DETAILS where JOB_NAME = 'CLEANUP_UNIFIED_AUDIT_JOB'; + ``` +- ```sql + SELECT * FROM DBA_SCHEDULER_JOBS WHERE JOB_NAME = 'CLEANUP_UNIFIED_AUDIT_JOB'; + ``` diff --git a/docs/kb/auditor/how-to-remove-the-netwrix-data-classification-sharepoint-add-in-conceptclassifierapp.md b/docs/kb/auditor/how-to-remove-the-netwrix-data-classification-sharepoint-add-in-conceptclassifierapp.md new file mode 100644 index 0000000000..1810074c2b --- /dev/null +++ b/docs/kb/auditor/how-to-remove-the-netwrix-data-classification-sharepoint-add-in-conceptclassifierapp.md 
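Review bot: the `job_action` in the Oracle cleanup article sets the archive timestamp to `TRUNC(SYSDATE)-1` and then calls `CLEAN_AUDIT_TRAIL` with `use_last_arch_timestamp => TRUE`, which permanently deletes Unified Auditing records older than one day, yet the text never says that those events must already have been collected before the job runs, or under which account and privileges the job should be created. Add a sentence on both ahead of the example. The two verification queries mix `USER_SCHEDULER_JOB_RUN_DETAILS` with `DBA_SCHEDULER_JOBS`, and each fence is opened on the bullet marker itself (`- ```sql`), which may not render as a code block; use one view family and put the fences on their own indented lines.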
@@ -0,0 +1,65 @@ +--- +description: >- + Step-by-step instructions to remove the Netwrix Data Classification SharePoint + Provider-Hosted Add-In (conceptClassifierApp) from SharePoint, including + removal of associated JavaScript, Custom Actions, and Remote Event Receivers + (RERs). +keywords: + - Netwrix Data Classification + - SharePoint + - add-in removal + - conceptClassifierApp + - App Catalog + - Remote Event Receiver + - Custom Actions + - JavaScript +products: + - auditor + - data-classification +sidebar_label: How to remove the Netwrix Data Classification Shar +tags: [] +title: "How to remove the Netwrix Data Classification SharePoint Add-In (conceptClassifierApp)" +knowledge_article_id: kA00g000000H9e2CAC +--- + +# How to remove the Netwrix Data Classification SharePoint Add-In (conceptClassifierApp) + +How to **remove/uninstall** the **Netwrix Data Classification** **SharePoint** **Provider** **Hosted** **Add**-**In** from **SharePoint** including the associated **JavaScript**, **Custom Actions**, and **Remote Event Receivers (RERs)**? + +## Manual Deployment (Add-In installed manually per site-collection) + +1. Navigate to each site collection on which the **Add-In** has been installed, and: + 1. Load the **Site Contents** page + 2. Locate the `conceptClassifierApp` entry + 3. **Select the ellipsis** + 4. Click **Remove** +2. Navigate to your **App Catalog** site collection, and: + 1. Load the library **Apps for SharePoint** + 2. Delete the `conceptClassifierApp` entry +3. Navigate to the conceptQS Administration Interface, and: + 1. Select **Sources** from the top navigation + 2. Select **SharePoint** from the sub navigation + 3. Expand **Settings** from the side navigation + 4. Select **App Configuration** from the side navigation + 5. Delete any associated **configurations** + +## Tenancy Scoped Deployment (Add-In installed into the App Catalog and pushed out to the tenancy) + +1. Navigate to the QS Administration Interface, and: + 1. 
Load the following URL: `/conceptQS/ClassifierApp/Deployment/Remove` + 2. Select any site collections that are currently using the **Add-In** + 3. Select **Remove** +2. Navigate to your **App Catalog** site collection, and: + 1. Load the **Site Contents** page + 2. Locate the `conceptClassifierApp` entry + 3. **Select the ellipsis** + 4. Select **Deployment** + 5. Remove all tenancy options and submit the changes + 6. Load the library **Apps for SharePoint** + 7. Delete the `conceptClassifierApp` entry +3. Navigate to the QS Administration Interface, and: + 1. Select **Sources** from the top navigation + 2. Select **SharePoint** from the sub navigation + 3. Expand **Settings** from the side navigation + 4. Select **App Configuration** from the side navigation + 5. Delete any associated **configurations** diff --git a/docs/kb/auditor/how-to-renew-the-netwrix-data-classification-for-sharepoint-conceptclassifierapp-client-secret.md b/docs/kb/auditor/how-to-renew-the-netwrix-data-classification-for-sharepoint-conceptclassifierapp-client-secret.md new file mode 100644 index 0000000000..54f5542d2f --- /dev/null +++ b/docs/kb/auditor/how-to-renew-the-netwrix-data-classification-for-sharepoint-conceptclassifierapp-client-secret.md 
@@ -0,0 +1,38 @@ +--- +description: >- + Instructions to renew the Add-In client secret for SharePoint and Netwrix Data + Classification (conceptClassifierApp). Follow the steps to create and apply a + new client secret and update the configuration. +keywords: + - client secret + - SharePoint + - Netwrix Data Classification + - conceptClassifierApp + - ClientId + - AppPrincipalId + - Update Client Secret + - Replace Current +products: + - auditor + - data-classification +sidebar_label: How to renew the Netwrix Data Classification for S +tags: [] +title: "How to renew the Netwrix Data Classification for SharePoint (conceptClassifierApp) Client Secret" +knowledge_article_id: kA00g000000H9eGCAS +--- + +# How to renew the Netwrix Data Classification for SharePoint (conceptClassifierApp) Client Secret + +In order to renew the **Add-In** client secret on the SharePoint and Netwrix Data Classification sides, follow the steps below: + +## Procedure + +1. Navigate to the "**Sources**" section of the **Administration Interface** +2. Select "**SharePoint**" +3. Expand "**Settings**" +4. Select "**App Configuration**" +5. Select "**Edit**" on the configuration you wish to **renew** and make note of the `ClientId` value (you will need this shortly) +6. Follow the [Microsoft Guide](https://www.netwrix.com/go/ReplaceAcsClientSecret) for creating a new **client secret** (the `AppPrincipalId` referred to in the guide is the `ClientId` value from step 5) +7. Close the "**Edit**" dialog and select "**Update Client Secret**" +8. Enter your new `value`, along with the **expiry date** (typically either 1 or 3 years away). +9. If your **client secret** has already **expired** then select the "**Replace Current**" option. diff --git a/docs/kb/auditor/how-to-repair-netwrix-auditor-installation.md b/docs/kb/auditor/how-to-repair-netwrix-auditor-installation.md new file mode 100644 index 0000000000..4db814d712 --- /dev/null +++ b/docs/kb/auditor/how-to-repair-netwrix-auditor-installation.md 
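Review bot: step 9 of the client secret renewal procedure makes **Replace Current** conditional on the secret having already expired, but nothing says what happens to the existing secret when the option is left unselected, or when the old secret stops being accepted. State that explicitly, since it decides whether the old credential remains valid after the rotation. Step 8 refers to "your new `value`" without tying it to the client secret created in step 6; name it as the new client secret.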
@@ -0,0 +1,50 @@ +--- +description: >- + This article explains how to repair a Netwrix Auditor installation by running + the installer and choosing the Repair option. It includes a PowerShell command + to stop Netwrix services before repair. +keywords: + - repair + - installation + - Netwrix Auditor + - Stop-Service + - My Products + - troubleshooting + - installer +products: + - auditor +sidebar_label: How to Repair Netwrix Auditor Installation +tags: [] +title: "How to Repair Netwrix Auditor Installation" +knowledge_article_id: kA04u000001119QCAQ +--- + +# How to Repair Netwrix Auditor Installation + +## Question + +How to repair a Netwrix Auditor installation in our environment? + +## Answer + +> **IMPORTANT:** Before proceeding, run the following command in elevated PowerShell to stop all Netwrix Services and prevent any possible complications during the repair process: +> +> ```powershell +> Stop-Service -Displayname Netwrix* +> ``` + +1. Establish the Netwrix Auditor version and build you're currently running in your environment. Refer to the following article for additional information: [How to Find Out My Netwrix Auditor Version](/docs/kb/auditor/how-to-find-out-my-netwrix-auditor-version.md). +2. Proceed to your **My Products** page to download the executable for the corresponding version. Refer to the following link: [Netwrix — My Products](https://www.netwrix.com/my_products.html). +3. Run the downloaded executable. Once the files are extracted, a setup screen will be prompted. + + ![Install Netwrix Auditor setup screen](images/ka04u00000117fh_0EM4u000008MBTP.png) + +4. Select **Install** under **Install Netwrix Auditor**. +5. Click **Next**, and select **Repair**. +6. Confirm the selection by clicking **Repair**. +7. Allow the repair process to complete. +8. Restart your Netwrix Auditor server to complete the repair. + +## Related articles + +- [How to Find Out My Netwrix Auditor Version](/docs/kb/auditor/how-to-find-out-my-netwrix-auditor-version.md) 
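Review bot: the pre-repair command `Stop-Service -Displayname Netwrix*` matches every service whose display name starts with Netwrix, so on a server that hosts other Netwrix products it stops those as well; say so in the **IMPORTANT** note or narrow the filter to the Auditor services. Use the documented parameter casing `-DisplayName`, and because step 8 relies on a server restart to bring the services back, add a final step that confirms they are running again.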
diff --git a/docs/kb/auditor/how-to-restrict-access-to-the-help-desk-portal-and-the-administrative-console.md b/docs/kb/auditor/how-to-restrict-access-to-the-help-desk-portal-and-the-administrative-console.md new file mode 100644 index 0000000000..e067fa0ba6 --- /dev/null +++ b/docs/kb/auditor/how-to-restrict-access-to-the-help-desk-portal-and-the-administrative-console.md 
@@ -0,0 +1,42 @@ +--- +description: >- + Explains how to restrict access by managing the Administrator and Help-Desk + Operator roles and how to add or remove members from these roles in the + Administrative Console and Help-Desk portal. +keywords: + - help-desk + - security roles + - administrator + - help-desk operator + - account lockout + - reset password + - Netwrix Account Lockout Examiner + - Administrative Console + - user management + - Security Roles +products: + - auditor +sidebar_label: How to restrict access to the Help-Desk portal and +tags: [] +title: "How to restrict access to the Help-Desk portal and the Administrative Console" +knowledge_article_id: kA00g000000H9dFCAS +--- + +# How to restrict access to the Help-Desk portal and the Administrative Console + +## Overview + +Netwrix Account Lockout Examiner uses a role-based security model that allows assigning different access permissions to users with different roles. The product uses two roles: + +- **Administrator**: has complete access to all product features, including the configuration options in the Administrative Console. +- **Help-Desk Operator**: can unlock user accounts and reset passwords, and perform account lockout examinations from the Administrative Console or the Help-Desk portal. Members of this role cannot modify the product settings. + +By default, the **Administrator** role includes users belonging to the local `Administrators` group on the computer where Netwrix Account Lockout Examiner is installed; and the **Help-Desk Operator** role includes users belonging to `Netwrix Account Help Desk` group in the domain where Netwrix Account Lockout Examiner is installed. + +## To include or exclude users from these security groups + +1. In the Netwrix Account Lockout Examiner console, navigate to **File -> Settings** and select the **Security Roles** tab. +2. Click the **Modify** button next to the group that you want to edit. +3. 
In the dialog that opens, click **Add** to add a member to the selected security role, or select a user and click **Remove** to exclude them. + +[![User-added image](images/ka04u000000HcVz_0EM700000004wyU.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAd1&feoid=00N700000032Pj2&refid=0EM700000004wyU) diff --git a/docs/kb/auditor/how-to-save-and-zip-netwrix-auditor-system-health-event-log.md b/docs/kb/auditor/how-to-save-and-zip-netwrix-auditor-system-health-event-log.md new file mode 100644 index 0000000000..182ec33d59 --- /dev/null +++ b/docs/kb/auditor/how-to-save-and-zip-netwrix-auditor-system-health-event-log.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Learn how to export the Netwrix Auditor System Health event log using an + elevated Command Prompt or manually via Event Viewer, and how to zip the saved + log for support. +keywords: + - Netwrix Auditor + - System Health + - event log + - wevtutil + - NASH.evtx + - export + - zip + - Event Viewer + - logs +products: + - auditor +sidebar_label: 'How to Save and Zip Netwrix Auditor System Health ' +tags: [] +title: "How to Save and Zip Netwrix Auditor System Health Event Log" +knowledge_article_id: kA00g000000H9VXCA0 +--- + +# How to Save and Zip Netwrix Auditor System Health Event Log + +## Question + +How to save (export) and zip the Netwrix Auditor System Health event log? + +## Answer + +### Export System Health event log via elevated Command Prompt line + +Execute the following command in an elevated Command Prompt: + +``` +wevtutil epl "Netwrix Auditor" %userprofile%\desktop\NASH.evtx +``` + +The exported System Health event log will appear on your Desktop. + +### Export System Health event log manually + +1. Open **Event Viewer**. +2. Expand the **Applications and Services Logs** folder. + + ![Netwrix Auditor System Health Logs](images/ka04u00000117Ay_0EM70000000tnyM.png) + +3. Right-click the **Netwrix Auditor System Health** log file and select **Save All Events As...**. +4. Name the file and click **Save**. + + ![Save All Events As](images/ka04u00000117Ay_0EM70000000tnyW.png) + +5. Select the option to **Display information for these languages**, check the **English (United States)** checkbox, and click **OK**. +6. Once the file is saved, right-click it and zip the file. + +### Sending Netwrix Auditor logs + +Your Technical Support Engineer may request you to attach Netwrix Auditor logs. Refer to the following article for additional information: https://kb.netwrix.com/4645 (How to Send Netwrix Auditor Logs). 
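Review bot: the `wevtutil epl` command passes `%userprofile%\desktop\NASH.evtx` unquoted, so it fails for any profile whose path contains a space; wrap the target path in double quotes. The command exports a log named "Netwrix Auditor" while the manual steps refer to **Netwrix Auditor System Health**; confirm both name the same log and say so in the text. The heading "via elevated Command Prompt line" carries a stray word, and the fence has no language tag, unlike the `batch` fence used in the Send Logs article.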
diff --git a/docs/kb/auditor/how-to-send-netwrix-auditor-logs.md b/docs/kb/auditor/how-to-send-netwrix-auditor-logs.md new file mode 100644 index 0000000000..9e506628ff --- /dev/null +++ b/docs/kb/auditor/how-to-send-netwrix-auditor-logs.md 
@@ -0,0 +1,82 @@ +--- +description: >- + Explains which Netwrix Auditor logs Technical Support may request and how to + collect and upload them to a support ticket. +keywords: + - netwrix auditor + - logs + - support + - troubleshooting + - system health + - trace logs + - config files + - upload + - customer portal +products: + - auditor +visibility: public +sidebar_label: How to Send Netwrix Auditor Logs +tags: [] +title: "How to Send Netwrix Auditor Logs" +knowledge_article_id: kA00g000000H9efCAC +--- + +# How to Send Netwrix Auditor Logs + +## Question + +- What logs might be requested by Netwrix Technical Support? +- How can you upload Netwrix Auditor logs to a support ticket? + +## Answer + +### Technical Support checklist + +Netwrix Technical Support might request a collection of your Netwrix Auditor logs for troubleshooting purposes. Make sure you gather the following items to help your Technical Support Engineer resolve your issue. + +- **Netwrix Auditor System Health event log**. Refer to the following article for additional information on exporting the System Health event log: /docs/kb/auditor/how_to_save_and_zip_netwrix_auditor_system_health_event_log (How to Save and Zip Netwrix Auditor System Health Event Log). + +- **Netwrix Auditor configuration files**. Navigate to ` %Working Folder%\AuditCore\ConfigServer ` and copy the **ConfigServer** folder. The default location of the **ConfigServer** folder is `C:\ProgramData\Netwrix Auditor\AuditCore\ConfigServer`. + +- **Trace logs**. If requested, navigate to ` %Working Folder%\Netwrix Auditor\Logs `, and copy the required folder(s). + +> **NOTE:** Your Technical Support Engineer will request a specific subdirectory of the **Logs** folder. Please do not send the entire **Logs** folder unless requested. + +> **NOTE:** If you are unable to locate Working Folder, refer to the following options to perform on your Auditor server to establish the folder location: +> +> 1. 
Run the following line in Command Prompt in your Auditor server to get the value of the `DataPathOverride` subkey entry. The output will contain the location of Working Folder in your Auditor server: +> +> ```batch +> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\DataPathOverride" +> ``` +> +> 2. Run the following line in PowerShell in your Auditor server to get the value of the `DataPathOverride` subkey entry. The output will contain the location of Working Folder in your Netwrix Auditor server: +> +> ```powershell +> Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\WOW6432Node\Netwrix Auditor\DataPathOverride" -Name "(Default)" +> ``` +> +> 3. Review the string entry under the following registry subnode in your Netwrix Auditor server. The **Value Data** field contains the location of Working Folder: +> +> ```registry +> Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\DataPathOverride +> ``` + +### Uploading the logs + +1. Once you have located all the required logs, copy them to a single folder and compress it by right-clicking the folder and selecting **Send to** > **Compressed (zipped) folder**. + +2. Log in to the Customer Portal and attach the archived logs to the opened ticket. Use the following link to open the **Open tickets** page: https://www.netwrix.com/tickets.html#/tickets/open (My Tickets — Open Tickets). + +> **NOTE:** Once you have opened the **Open Tickets** page and identified the corresponding ticket (with a matching ticket #), you can attach the logs via one of the following ways: +> +> - Click the **Add attachments** button located under the **Actions** column of the ticket. +> ![Customer Portal Attachments 1](images/ka0Qk000000Bei5_00N0g000004CA0p_0EMQk000008M3Qr.png) +> +> - Expand the ticket details by clicking the **down carat (▼)** button and click the **plus (+)** button next to **Attachments**. 
+> ![Customer Portal Attachments 2](images/ka0Qk000000Bei5_00N0g000004CA0p_0EMQk000008M3U5.png) + +## Related links + +- How to Save and Zip Netwrix Auditor System Health Event Log: /docs/kb/auditor/how_to_save_and_zip_netwrix_auditor_system_health_event_log +- My Tickets — Open Tickets: https://www.netwrix.com/tickets.html#/tickets/open diff --git a/docs/kb/auditor/how-to-specify-dell-emc-unity-server-as-a-monitored-item.md b/docs/kb/auditor/how-to-specify-dell-emc-unity-server-as-a-monitored-item.md new file mode 100644 index 0000000000..c4e9bfadcc --- /dev/null +++ b/docs/kb/auditor/how-to-specify-dell-emc-unity-server-as-a-monitored-item.md 
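Review bot: both links to the System Health article use `/docs/kb/auditor/how_to_save_and_zip_netwrix_auditor_system_health_event_log` with underscores, but the file added in this patch is `how-to-save-and-zip-netwrix-auditor-system-health-event-log.md`, so these links are unlikely to resolve; use the hyphenated path with the `.md` suffix, as the Repair article does for its own cross-reference. The folder paths are also inconsistent: `%Working Folder%\AuditCore\ConfigServer` with the default `C:\ProgramData\Netwrix Auditor\AuditCore\ConfigServer` implies the working folder already ends in `Netwrix Auditor`, yet the trace logs are given as `%Working Folder%\Netwrix Auditor\Logs`.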
@@ -0,0 +1,35 @@ +--- +description: >- + Shows how to specify a Dell EMC Unity server as a monitored item in Netwrix + Auditor and what to consider when you use an IP address instead of the FQDN. +keywords: + - Dell EMC Unity + - Unity + - Netwrix Auditor + - monitored item + - FQDN + - IP address + - DNS + - reverse lookup + - Active Directory +products: + - auditor +sidebar_label: How to specify Dell EMC Unity server as a monitore +tags: [] +title: "How to specify Dell EMC Unity server as a monitored item" +knowledge_article_id: kA04u000000PcpRCAS +--- + +# How to specify Dell EMC Unity server as a monitored item + +To audit Dell EMC Unity storage system, Netwrix Auditor needs to access its registry data. You must provide the `FQDN` of the Unity storage system when you add a Dell EMC Unity storage as a monitored item in the Netwrix Auditor monitoring plan. + +Alternatively, you can enter the IP address. If your Netwrix Auditor server is located in another domain (an untrusted domain or a workgroup), ensure any of the following: + +- A reverse lookup zone is configured on the DNS server for the Unity system — to resolve its IP address into FQDN. + +-OR- + +- The Netwrix Auditor data collecting account has `Read` permissions for the `OU=EMC NAS servers` node in Active Directory. + +Otherwise, data collection will fail, reporting an error caused by network path not found. diff --git a/docs/kb/auditor/how-to-specify-exchange-server-to-collect-administrator-audit-log.md b/docs/kb/auditor/how-to-specify-exchange-server-to-collect-administrator-audit-log.md new file mode 100644 index 0000000000..95b05c146b --- /dev/null +++ b/docs/kb/auditor/how-to-specify-exchange-server-to-collect-administrator-audit-log.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Use this procedure to specify a single Exchange Server with IIS configured so + Netwrix products collect the Administrator Audit Log and avoid Administrator + Audit Log errors in reports. +keywords: + - Exchange + - Administrator Audit Log + - IIS + - aal_serverlist.txt + - AALCollectionVersion + - registry + - Netwrix + - audit collection + - Exchange Server + - aal_serverlist +products: + - auditor +sidebar_label: How to specify Exchange Server to collect Administ +tags: [] +title: "How to specify Exchange Server to collect Administrator Audit Log" +knowledge_article_id: kA00g000000H9SFCA0 +--- + +# How to specify Exchange Server to collect Administrator Audit Log + +If for some reason you cannot configure **IIS** (steps **5-8** from **Procedure 16** of the **Installation and Configuration Guide** attached to this article) on all Exchange Servers in your organization, it is enough to configure it on just one Exchange Server. You can specify the Exchange Server with configured IIS to be used by Netwrix products to avoid the Administrator Audit Log error appearing in reports. + +## Procedure + +In order to specify properly configured servers to the product, perform the following steps: + +1. On the computer where the Netwrix host resides, navigate to the `C:ProgramDataNetWrixAD Change ReporterOmitlists%Managed object name%` folder. +2. Add the properly configured server's FQDN to the `aal_serverlist.txt` file. (Each server's FQDN in a separate line). +3. Click **Start -> Run** and type `regedit` to open **Registry Editor**. +4. Navigate to the following folder depending on your operating system: + - **32-bit OS:** `HKLM\SOFTWARE\Node\NetWrix\AD Change Reporter\AALCollectionVersion` + - **64-bit OS:** `HKLM\SOFTWARE\Wow6432Node\NetWrix\AD Change Reporter\AALCollectionVersion` +5. Check that the `AALCollectionVersion` key value is set to `1`. 
+ +## Explanation + +**Explanation:** In this scenario the first server where the product will try to get the Administrator Audit Log will be the first server from the `aal_serverlist.txt`. If all servers from `aal_serverlist.txt` fail to provide the Administrator Audit Log, the product will try to collect the Administrator Audit Log from other Exchange Servers in your organization, and the Administrator Audit Log error can appear in the report. diff --git a/docs/kb/auditor/how-to-track-network-interface-changes-on-a-server.md b/docs/kb/auditor/how-to-track-network-interface-changes-on-a-server.md new file mode 100644 index 0000000000..72f3dcec06 --- /dev/null +++ b/docs/kb/auditor/how-to-track-network-interface-changes-on-a-server.md 
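Review bot: the 32-bit registry path in step 4 of the Exchange article, `HKLM\SOFTWARE\Node\NetWrix\AD Change Reporter\AALCollectionVersion`, contains a `Node` segment that looks like a leftover from editing the `Wow6432Node` path; the uninstall article in this patch gives the 32-bit location as `HKEY_LOCAL_MACHINE\SOFTWARE\NetWrix`. Step 1's folder path `C:ProgramDataNetWrixAD Change ReporterOmitlists%Managed object name%` has lost its backslashes. Steps 4 and 5 treat `AALCollectionVersion` both as a folder to navigate to and as a key whose value is checked; say which it is. The body under `## Explanation` repeats the label as **Explanation:**.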
@@ -0,0 +1,50 @@ +--- +description: >- + Explains how to track network interface changes on a Windows server using + Netwrix Auditor and lists the specific types of changes that are tracked. + Includes links to installation and configuration guides. +keywords: + - network interface + - network adapter + - Windows Server + - Netwrix Auditor + - hardware + - IP address + - MAC address + - DHCP + - DNS + - network change tracking +products: + - auditor +sidebar_label: How to track Network interface changes on a server +tags: [] +title: "How to track Network interface changes on a server?" +knowledge_article_id: kA00g000000H9W4CAK +--- + +# How to track Network interface changes on a server? + +## Overview +To track network interface changes on a server, use Netwrix Auditor for Windows Servers. When choosing **Monitored System Components**, ensure **Hardware** is checked (even if the server is virtual). + +## Types of changes tracked +The types of changes that are tracked are as follows: + +- Adapter Type +- Configuration Manager Error Code +- Default IP Gateway +- DHCP Enabled +- DNS Server Search Order +- IP Address +- Last Error Code +- MAC Address +- Network Connection Name +- Network Connection Status +- Service Name +- Status + +## Installation and configuration guides +Please refer to the following guides for installation and configuration of Netwrix Auditor for Windows Servers: + +- https://www.netwrix.com/download/documents/NetWrix_Windows_Server_Change_Reporter_Installation_Guide.pdf +- https://www.netwrix.com/download/documents/NetWrix_Windows_Server_Change_Reporter_Administrator_Guide.pdf diff --git a/docs/kb/auditor/how-to-troubleshoot-issue-when-changes-are-listed-as-made-by-system-in-a-change-report.md b/docs/kb/auditor/how-to-troubleshoot-issue-when-changes-are-listed-as-made-by-system-in-a-change-report.md new file mode 100644 index 0000000000..4dfd54bf14 --- /dev/null 
+++ b/docs/kb/auditor/how-to-troubleshoot-issue-when-changes-are-listed-as-made-by-system-in-a-change-report.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Troubleshoot when Netwrix Auditor change reports show "System" as the change + initiator and list the domain controller as "unknown", including diagnostic + steps and data to collect for support. +keywords: + - Netwrix Auditor + - change report + - System + - Security event log + - domain controller + - TraceLevel + - ADEVT + - auditing + - IgnoreAuditCheckResultError +products: + - auditor +sidebar_label: Troubleshoot Changes Listed as System +tags: [] +title: "How to troubleshoot issue when changes are listed as made by System in a change report" +knowledge_article_id: kA00g000000H9YkCAK +--- + +# How to troubleshoot issue when changes are listed as made by System in a change report + +You have configured change auditing in accordance with Netwrix Auditor Installation and Configuration guide (Installation and Configuration Guide), the Change Summary reports contain no warningserrors, however some changes are listed as made by the "System" account instead of the real user. Also the domain controller where these changes were made on is listed as "unknown". + +Active DirectoryGroup PolicyExchange (if you are monitor Exchange 2007, 2003) Change Reporters receive information regarding change initiator from Security event logs located on domain controllers. Once the corresponding Security event is found it is being added to the related change. The reason why the product includes "System"� as who changed for the particular changes is because it cannot find the corresponding Security event. In situation when auditing is correctly configured (product does not complain about auditing configuration) there could be several reasons why the Security events can be missed: + +1. Netwrix Auditor runs under an account with limited rights and all warnings are omitted according to the product settings. 
In this case, the Security event logs can be overwritten or one of the managed domain controllers can be inaccessible but no warnings will be added into Change Summary reports and sessions in the Netwrix Auditor console. +2. The Security event log auto backup is enabled but the data processing account account does not have rights to access the directory where the logs are backed up. +3. Other reasons that need be addressed by Netwrix technical support, for example: + +- Security events appear with a huge delay in the Security event log (after a change is made) on monitored domain controllers; +- Security events are collected by Netwrix Auditor but not listed in the Change Summaries; +- Security events are listed in the Security event log (for corresponding changes) but not collected by Netwrix Auditor. + +Navigate to one of the possible solutions that correspond to the issues described in the **Cause** section above: + +1. To diagnose and troubleshoot the issue, provide the data processing account account with administrative rights (add to the **Domain Admins** user group) and disable errors omitting (set the **IgnoreAuditCheckResultError** registry key to **`0`**, it is located in the following registry hive `HKEY_LOCAL_MACHINESOFTWARE(Wow6432Node)NetwrixAD Change Reporter`). This action allows you to see whether: + + - The error persists while running the product under a domain admin account; + - There are any auditing problems that need to be addressed (warnings will appear in the Change Summary reports and in the sessions in the Netwrix Auditor console) + +2. If you add the data processing account to the **Domain Admins** group and the issue has been resolved, this may indicate that the data processing account that runs Netwrix Auditor has no rights to read the **Security event log backups**. 
To resolve this issue and keep running the product under your data processing account without the domain administrator rights, provide it with the following rights and permissions: + + - Permissions to the following registry key on each Domain Controller in the target domain: `HKEY_LOCAL_MACHINESystemCurrentControlSetServicesEventLogSecurity.` + - Add the data processing account to one of the following groups in the monitored domain: **Print Operators**, **Server Operators**. + +3. If you provided the data processing account with the domain administrator rights, see no warnings but still receive reports with "**System**" as "**Who Changed**" (for particular changes), open a support ticket on the Netwrix support portal (http://www.netwrix.com/support.html). Gather and provide the following information: + + - Enable diagnostic logging: + 1. Open **Registry Editor** and navigate to the`HKEY_LOCAL_MACHINESOFTWARE(Wow6432Node)NetwrixAD Change Reporte`r registry hive. + 2. Right-click the **TraceLevel** registry key and set its value to "`31`" (decimal). + + - Reproduce the issue - Receive a report with "**System**" as "**Who changed**" (These steps must be taken as soon as possible after you received the Changed Summary report, because the Security event logs may get overwritten) + + - Save the Change Summary that contains **System** in the "**Who changed**" column. + - Select two or three objects that were changed by "**System**" (in the received report) and generate metadata for each of the selected objects and save the results into a text file. For instructions on how to generate metadata for an Active Directory object, refer to the following Microsoft kb article: http://technet.microsoft.com/en-us/library/cc755360(v=ws.10).aspx + - In the generated metadata results find the domain controller where a change was done and save the Security event log file from that domain controller. Perform these steps for each selected object. 
Refer to the following article for details of how to use metadata and determine the domain controller where the change was made http://blogs.technet.com/b/brad_rutkowski/archive/2006/09/21/hey-who-deleted-that-user-from-ad.aspx + - Navigate to the Audit Archive directory for the monitored domain Managed Object and copy files with `*.ADEVT` extension whose name starts with the domain controller name you found on previous step and that were created the day you received the report (see previous step) and one day after (e.g. if you received summary report at 3 A.M on Wednesday, gather `*.ADEVT` files for the corresponding domain controller which was created on Tuesday and Wednesday. If you are gathering this data on Thursday, please also include files created on Thursday). + - Netwrix Auditor tracing log files (the entire contents of the **Tracing** subfolder of the `%Netwrix Auditor installation folder%Active Directory Auditing` folder). + - Archive these files and contact Netwrix technical support. diff --git a/docs/kb/auditor/how-to-troubleshoot-overwrites-in-change-reports-for-vmware.md b/docs/kb/auditor/how-to-troubleshoot-overwrites-in-change-reports-for-vmware.md new file mode 100644 index 0000000000..1f15c1f5a8 --- /dev/null +++ b/docs/kb/auditor/how-to-troubleshoot-overwrites-in-change-reports-for-vmware.md 
@@ -0,0 +1,86 @@ +--- +description: >- + Learn how to troubleshoot overwrite warnings in VMware change reports by + retrieving audit events with VMware PowerCLI and collecting logs to provide to + support. +keywords: + - VMware + - Netwrix Auditor + - overwrite + - change report + - PowerCLI + - Get-VIEvent + - vCenter + - ESX + - audit events + - troubleshooting +products: + - auditor +sidebar_label: How to troubleshoot overwrites in change reports f +tags: [] +title: "How to troubleshoot overwrites in change reports for VMWare" +knowledge_article_id: kA00g000000H9SdCAK +--- + +# How to troubleshoot overwrites in change reports for VMWare + +Refer to the KB article for details about how Netwrix Auditor for VMware works: https://kb.netwrix.com/258. Overwrites warnings occur because there is some gap between the last collected and the oldest of newly received events. Try running collections more frequently by changing the notifications frequency under **Monitoring Plan** settings. If this doesn't help, perform the following steps to troubleshoot this and localize the problematic place. + +After receiving a change report for VMware with event overwrites warning and changes which, as a result of event overwrites, were reported as made by `system`, retrieve audit events using VMware PowerCLI cmdlets by connecting to vCenter and ESX hosts: + +## Prerequisites + +1. Download and install VMware PowerCLI; this package contains a set of PowerShell cmdlets which you can use to retrieve audit events from an ESX server or vCenter. + +## Steps to retrieve events + +1. Install the VMware PowerCLI module for the current user: + ```powershell + Install-Module -Name VMware.PowerCLI -Scope CurrentUser + ``` + +2. Import the VMware PowerCLI module: + ```powershell + Import-Module VMware.PowerCLI + ``` + +3. Set the PowerCLI configuration to ignore invalid certificates: + ```powershell + Set-PowerCLIConfiguration -InvalidCertificateAction Ignore + ``` + +4. 
Connect to the VMware host by running the `Connect-VIServer` cmdlet. See https://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/Connect-VIServer.html for details. Example: + ```powershell + Connect-VIServer "ESX hostname" + ``` + - A credentials window will appear. Enter the account that will read data from the vCenter. + +5. Run the `Get-VIEvent` cmdlet to retrieve events. See https://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/Get-VIEvent.html for details. + + - To get all events for the last 24 hours and redirect output to a file: + ```powershell + Get-VIEvent -Entity * -Start (Get-Date).AddDays(-1) >> C:%ESX_host_name%.txt + ``` + + - If the cmdlet returns a timeout error, reduce the timeframe of requested events. For the last hour: + ```powershell + Get-VIEvent -Entity * -Start (Get-Date).AddHours(-1) >> C:%ESX_host_name%.txt + ``` + + - For the last 10 minutes: + ```powershell + Get-VIEvent -Entity * -Start (Get-Date).AddMinutes(-10) >> C:%ESX_host_name%.txt + ``` + +Perform these steps for every ESX host that is managed with the vCenter specified in Netwrix Auditor for VMware. + +## Submit a support ticket + +1. Submit a ticket at: https://www.netwrix.com/support.html?source=sitemenu and provide the following information: + + - Events retrieved with VMware PowerCLI cmdlets from vCenter and ESX hosts (files created during the steps described in the section above). + - The change report for VMware that you received (after receiving which the event files were generated) and the inventory report. + - Events (file with `.events` extension) from the following directory after receiving the change report of Netwrix Auditor for VMware: + - `C:ProgramDataNetwrix AuditorShortTermVMAGUID` + +Archive these files and provide them within the support ticket to the Technical Support team. 
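Review bot: Step 3 of "Steps to retrieve events" runs `Set-PowerCLIConfiguration -InvalidCertificateAction Ignore` with no `-Scope`, so the setting is not confined to this troubleshooting session, and step 4 then sends credentials to the host over a connection whose certificate is not validated. Limit the change with `-Scope Session` or add a closing step that restores the previous setting, and say that trusting the vCenter/ESX certificate is the preferred fix. Also in this hunk: the output path `C:%ESX_host_name%.txt` and the directory `C:ProgramDataNetwrix AuditorShortTermVMAGUID` have lost their backslashes, the Prerequisites item and step 1 both install PowerCLI, and `sidebar_label` is cut off at "change reports f".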
diff --git a/docs/kb/auditor/how-to-upgrade-netwrix-auditor.md b/docs/kb/auditor/how-to-upgrade-netwrix-auditor.md new file mode 100644 index 0000000000..08862a564f --- /dev/null +++ b/docs/kb/auditor/how-to-upgrade-netwrix-auditor.md 
@@ -0,0 +1,77 @@ +--- +description: >- + Step-by-step instructions to upgrade Netwrix Auditor, including pre-upgrade + actions, upgrade procedures for different versions, and post-upgrade + validation steps. +keywords: + - upgrade + - Netwrix Auditor + - installation + - SQL + - SSRS + - Monitoring Plans + - Audit Database + - PowerShell +products: + - auditor +sidebar_label: How to Upgrade Netwrix Auditor +tags: [] +title: "How to Upgrade Netwrix Auditor" +knowledge_article_id: kA00g000000H9ePCAS +--- + +# How to Upgrade Netwrix Auditor + +## Question + +How to update Netwrix Auditor? + +## Answer + +> **NOTE:** It is highly recommended to capture a snapshot of the server. + +> **NOTE:** Before you begin, launch a PowerShell session as Administrator and execute the following command: +> +> ```powershell +> Stop-Service -Displayname Netwrix* +> ``` +> +> This will stop all Netwrix services and prevent complications during the upgrade. + +### Netwrix Auditor v.9.96 and later + +Refer to the following video for step-by-step instructions on upgrading to the latest Netwrix Auditor version: + +- Video: https://www.youtube.com/embed/M_IfPaf_7ig + +For the text version of the guide, refer to the following documentation article: /docs/auditor/10.7/auditor/installation + +### Netwrix Auditor v.9.95 and earlier + +> **NOTE:** For additional information on upgrade increments, refer to the following article: /docs/kb/auditor/upgrade_increments_for_netwrix_auditor + +The following steps represent a scenario for upgrading from v.9.95 to v.9.96. The upgrade progress for Netwrix Auditor version 8.0 up to 9.96 will be similar. If you are upgrading from an earlier version, view the additional steps under **Post Upgrade** > **Legacy Steps** further in this article. + +1. When upgrading, it is recommended to log in via your data collection service account. Right-click the installer and choose **Run as administrator**. 
The following window will include options to view documentation for the new version. +2. Click the **Install** button to continue the upgrade. You will confirm the version you’re upgrading to in the next window. +3. Confirm the version and click **Next**. +4. Read the EULA, check the **I accept the terms of the License Agreement** checkbox and click **Next**. +5. Click **Install**. Once the installation process is complete, you should see the confirmation. +6. Congratulations, you have successfully upgraded! + +## Post Upgrade + +Upon completion, Netwrix Auditor will launch. To confirm integrity, run the following tests: + +- **Configuration:** View your Monitoring Plans and settings to confirm the configuration successfully carried over. +- **SQL Connectivity:** On the homepage click **Search** and run a search with your desired parameters. If data is returned, SQL connectivity is validated. +- **SSRS Connectivity:** On the homepage click **Reports** and attempt to view a report for a data source that you are currently auditing. If the report successfully builds, SSRS connectivity is validated. +- **Legacy Steps:** On version 8.5 and lower, you will need to launch the Netwrix Auditor Administrator Console and manually upgrade the Audit Databases in SQL. + - Click **Audit Database** and then click **Upgrade**. + + ![8.0-Upgrade-6-1.png](images/ka0Qk000000Csfl_0EM4u0000084TwA.png) + +## Related articles + +- Upgrade to the Latest Version ⸱ 10.7 — /docs/auditor/10.7/auditor/installation +- Upgrade Increments for Netwrix Auditor — /docs/kb/auditor/upgrade_increments_for_netwrix_auditor diff --git a/docs/kb/auditor/how-to-upload-audit-data-from-the-long-term-archive-to-audit-database.md b/docs/kb/auditor/how-to-upload-audit-data-from-the-long-term-archive-to-audit-database.md new file mode 100644 index 0000000000..d20d75d34c --- /dev/null +++ b/docs/kb/auditor/how-to-upload-audit-data-from-the-long-term-archive-to-audit-database.md 
@@ -0,0 +1,30 @@ +--- +description: >- + Explains how to import historical audit data from the Long-Term Archive into + the SQL-based Audit Database for reporting and investigations, with a link to + Netwrix Auditor documentation. +keywords: + - Long-Term Archive + - Audit Database + - SQL + - reporting + - investigations + - Netwrix Auditor + - archive import +products: + - auditor +sidebar_label: How to Upload Audit Data from the Long-Term Archiv +tags: [] +title: "How to Upload Audit Data from the Long-Term Archive to Audit Database" +knowledge_article_id: kA00g000000PbcxCAC +--- + +# How to Upload Audit Data from the Long-Term Archive to Audit Database + +## Question + +I want to make past data available for reporting (e.g., I need to investigate a security incident). How can I upload audit data from the Long-Term Archive to the SQL-based Audit Database? + +## Answer + +To make your past audit data available for reporting, import from the Long-Term Archive to Audit Database as described in this article: Administration – Netwrix Auditor Settings – Investigations · v10.6 diff --git a/docs/kb/auditor/how-to-use-omit-lists.md b/docs/kb/auditor/how-to-use-omit-lists.md new file mode 100644 index 0000000000..01c33549e8 --- /dev/null +++ b/docs/kb/auditor/how-to-use-omit-lists.md 
@@ -0,0 +1,95 @@ +--- +description: >- + Lists omit lists used to filter data in Netwrix Auditor and provides the file + locations and reference links for each supported data source. +keywords: + - omit lists + - exclude + - Netwrix Auditor + - monitoring scope + - auditing + - configuration + - audit settings + - exclude objects + - omit +products: + - auditor +sidebar_label: How to Use Omit Lists +tags: [] +title: "How to Use Omit Lists" +knowledge_article_id: kA00g000000H9eeCAC +--- + +# How to Use Omit Lists + +## Overview + +Omit lists serve as tools for filtering data. It is important to take careful consideration when making an omission. All omit lists include instructions and syntax examples at the top of the text file. Omit lists provided below are organized by their corresponding data source. + +> **IMPORTANT:** Changes to omit lists do not affect the assessment results of Netwrix Auditor Audit Configuration Assistant. + +## Omit lists (by data source) + +### Active Directory + +Active Directory omit lists are found under `\%Netwrix Auditor installation folder%\Active Directory Auditing`. For additional information on Active Directory omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/activedirectory (Active Directory Plans – Monitoring Scope · v10.7). + +### Microsoft Entra ID (formerly Azure AD) + +Microsoft Entra ID omit lists are found under `\%Netwrix Auditor installation folder%\Azure AD Auditing`. For additional information on Microsoft Entra ID omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/microsoftentraid (Microsoft Entra ID Plans – Monitoring Scope · v10.7). + +### Event Log Manager + +Event Log Manager omit lists are found under `\%Netwrix Auditor installation folder%\Event Log Management`. 
For additional information on Event Log Manager omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/windows (Windows Server Plans – Windows Server Monitoring Scope: Event Log · v10.7). + +### Exchange + +Exchange omit lists are found under `\%Netwrix Auditor installation folder%\Active Directory Auditing`. For additional information on Exchange omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/exchange (Exchange Plans – Monitoring Scope · v10.7). + +### Exchange Online + +Exchange Online omit lists are found under `\%Netwrix Auditor installation folder%\Exchange Online Auditing`. For additional information on Exchange Online omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/exchangeonline (Exchange Online Plans – Monitoring Scope · v10.7). + +### File Servers + +File Servers omit lists are found under `\%Netwrix Auditor installation folder%\File Server Auditing`. For additional information on File Servers omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/fileservers (File Servers Plans – Monitoring Scope · v10.7). + +### Group Policy + +Group Policy omit lists are found under `\%Netwrix Auditor installation folder%\Active Directory Auditing`. For additional information on Group Policy omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/grouppolicy (Group Policy Plans – Monitoring Scope · v10.7). + +### Inactive User Tracker + +Inactive User Tracker omit lists are found under `\%Working Folder%\Inactive Users Tracker`. For additional information on Inactive User Tracker omit lists, refer to the following article: /docs/auditor/10.7/auditor/tools (Exclude Objects from Monitoring Scope – Inactive Users · v10.7). 
+ +### Logon Activity + +Logon Activity omit lists are found under `\%Working Folder%\NLA\Settings`. For additional information on Group Policy omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/logonactivity (Logon Activity Plans – Monitoring Scope · v10.7). + +### Oracle Database + +For additional information on Oracle Database omit lists, refer to the following article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/oracle (Oracle Database Plans – Monitoring Scope · v10.7). + +### Netwrix Password Reset + +Netwrix Password Reset omit lists are found under `\%Netwrix Auditor installation folder%\Password Expiration Alerting`. For additional information on Netwrix Password Reset omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/activedirectory (Active Directory Plans – AD Monitoring Scope: Password Expiration · v10.7). + +### SharePoint + +SharePoint omit lists are found under `\%Working Folder%\Netwrix Auditor for SharePoint\Configuration\GUID\`. For additional information on SharePoint omit lists, refer to the following article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/sharepoint (SharePoint Plans – Monitoring Scope · v10.7). + +### SharePoint Online + +SharePoint Online omit lists are found under `\%Working Folder%\Netwrix Auditor for SharePoint Online\Configuration\GUID`. For additional information on SharePoint Online omit lists, refer to the following article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/sharepointonline (SharePoint Online Plans – Monitoring Scope · v10.7). + +### SQL Server Auditing + +SQL Server omit lists are found under `\%Netwrix Auditor installation folder%\SQL Server Auditing`. 
For additional information on SQL Server omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/sqlserver (SQL Server Plans – Monitoring Scope · v10.7). + +### VMWare + +VMWare omit lists are found under `\%Netwrix Auditor installation folder%\VMware Auditing`. For additional information on VMWare omit lists, refer to the following article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/vmware (VMware Plans – Monitoring Scope · v10.7). + +### Windows Server + +Windows Server omit lists are found under `\%Netwrix Auditor installation folder%\Windows Server Auditing`. For additional information on Windows Server omit lists, refer to the following documentation article: /docs/auditor/10.7/auditor/admin-guide/monitoringplans/windows (Windows Server Plans – Monitoring Scope · v10.7). diff --git a/docs/kb/auditor/how-to-use-sms-text-for-alerts.md b/docs/kb/auditor/how-to-use-sms-text-for-alerts.md new file mode 100644 index 0000000000..9ef400f3e9 --- /dev/null +++ b/docs/kb/auditor/how-to-use-sms-text-for-alerts.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Describes how to configure Netwrix Auditor to send alerts via SMS by using + carrier-specific email-to-SMS gateways and lists common carrier formats for + the US and Canada. +keywords: + - SMS + - text + - alerts + - email-to-sms + - carriers + - Netwrix Auditor + - notifications + - US carriers + - Canada carriers + - mobile +products: + - auditor +visibility: public +sidebar_label: How to use SMS(Text) for alerts +tags: [] +title: "How to use SMS(Text) for alerts" +knowledge_article_id: kA00g000000H9WLCA0 +--- + +# How to use SMS(Text) for alerts + +You can configure Netwrix Auditor to send alerts to special SMS-enabled email addresses. + +## Supported carriers (US) + +- AT&T - `cellnumber@txt.att.net` +- Verizon - `cellnumber@vtext.com` +- T-Mobile - `cellnumber@tmomail.net` +- Sprint PCS - `cellnumber@messaging.sprintpcs.com` +- Virgin Mobile - `cellnumber@vmobl.com` +- US Cellular - `cellnumber@email.uscc.net` +- Nextel - `cellnumber@messaging.nextel.com` +- Boost - `cellnumber@myboostmobile.com` +- Alltel - `cellnumber@message.alltel.com` +- SimpleMobile - `cellnumber@mmst5.tracfone.com` + +## Canada + +- Bell - `cellnumber@txt.bell.ca` +- Rogers - `cellnumber@pcs.rogers.com` +- Telus - `msg.telus.com` diff --git a/docs/kb/auditor/how-to-use-wildcards-in-netwrix-auditor-reports.md b/docs/kb/auditor/how-to-use-wildcards-in-netwrix-auditor-reports.md new file mode 100644 index 0000000000..936e5b6f7e --- /dev/null +++ b/docs/kb/auditor/how-to-use-wildcards-in-netwrix-auditor-reports.md 
@@ -0,0 +1,75 @@ +--- +description: >- + Explains which SQL wildcards you can use in Netwrix Auditor reports and + provides examples of matched results for each wildcard. +keywords: + - wildcards + - SQL + - SSRS + - Netwrix Auditor + - pattern matching + - LIKE operator + - percent wildcard + - underscore wildcard +products: + - auditor +sidebar_label: How to Use Wildcards in Netwrix Auditor Reports +tags: [] +title: "How to Use Wildcards in Netwrix Auditor Reports" +knowledge_article_id: kA00g000000H9VUCA0 +--- + +# How to Use Wildcards in Netwrix Auditor Reports + +## Question + +How to use wildcards in Netwrix Auditor reports? What are the wildcards? + +## Answer + +Netwrix Auditor reports are based on SQL Server Reporting Services — the same wildcards apply as the wildcards used in SQL queries. + +### Wildcards + +#### `%` +- Function: The `%` wildcard matches all characters beginning at that position and/or bounded by the next character. See results for the `A%E` query. +- Matched results: + - `AE` + - `ABE` + - `ACE` + - `ABCDE` + +#### `_` +- Function: The `_` underscore wildcard replaces any single character at that position. See results for the `A_E` query. +- Matched results: + - `A1E` + - `ABE` + - `AAE` + - `AOE` + +#### `[***]` +- Function: The `[***]` square brackets wildcard will match a single stated character at the position in the string. See results for the `A[ABC]E` query. +- Matched results: + - `ABE` + - `ACE` + - `AAE` + - Not `ADE`, `AEE`, etc. + +#### `[*-*]` +- Function: The `[*-*]` square brackets wildcard will match a range of characters at that position in the string. See results for the `A[A-D]E` query. +- Matched results: + - `ABE` + - `ACE` + - `AAE` + - `ADE` + - Not `AEE`, `AOE`, etc. + +#### `[^*-*]` +- Function: The `[^*-*]` square brackets wildcard will match any character outside of the specified range. See results for the `A[^A-D]E` query. +- Matched results: + - `ARE` + - `AGE` + - `AOE` + - Not `ABE`, `ACE`, `AAE`, `ADE`. 
+ +![Wildcards image](images/ka04u00000117UP_0EM4u000008M7Sw.png) diff --git a/docs/kb/auditor/how-to-view-custom-sensitive-file-categories-in-netwrix-auditor.md b/docs/kb/auditor/how-to-view-custom-sensitive-file-categories-in-netwrix-auditor.md new file mode 100644 index 0000000000..2018eb5d34 --- /dev/null +++ b/docs/kb/auditor/how-to-view-custom-sensitive-file-categories-in-netwrix-auditor.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Shows how to use custom sensitive file categories in the Sensitive Data + Discovery module so Netwrix Auditor can generate reports using taxonomies from + Netwrix Data Classification. +keywords: + - sensitive data + - taxonomy + - Netwrix Auditor + - Netwrix Data Classification + - Sensitive Data Discovery + - custom categories + - file classification +products: + - auditor + - data-classification +sidebar_label: How to View Custom Sensitive File Categories in Ne +tags: [] +title: "How to View Custom Sensitive File Categories in Netwrix Auditor" +knowledge_article_id: kA0Qk0000000YsvKAE +--- + +# How to View Custom Sensitive File Categories in Netwrix Auditor + +## Overview + +The Sensitive Data Discovery (SDD) module allows you to generate Netwrix Auditor reports and alerts for sensitive data collected and classified with Netwrix Data Classification (NDC). This article covers the use of custom sensitive file categories in the Sensitive Data Discovery module. + +## Instructions + +> **IMPORTANT:** Due to the current SDD limitations, Netwrix Auditor can use only taxonomies built-in in Netwrix Data Classification: +> +> - CCPA +> - CMMC +> - Financial Records +> - GDPR +> - GLBA +> - HIPAA +> - PCI DSS +> - PHI +> - PII + +Refer to the following steps: + +> **NOTE:** You can reset a built-in taxonomy later—they are included in Netwrix Data Classification as templates pre-populated with terms/clues. + +1. Select the built-in taxonomy to modify — in the main Netwrix Data Classification screen, select the **Content** tab and click **Taxonomies**. In the left pane of the **Term Management** section, select the target taxonomy from the drop-down list. +2. Delete the built-in taxonomy terms up to the root term — it is usually named after the taxonomy (e.g., the root CMMC term is named **CMMC**). + + > **NOTE:** To delete parent terms, first delete the children terms. +3. 
Once the built-in terms are cleared, create a new child term under the root taxonomy term. Right-click the root term and click **Add Child Term(s)**. Then, insert the new clues to the child term. + + ![User-added image](images/ka0Qk0000002kpx_0EMQk000003xxWz.png) +4. Set up your sources to include target files for the modified taxonomy. Wait for the files to be crawled and classified. + +The corresponding Netwrix Auditor report will include the used taxonomy and file owner. diff --git a/docs/kb/auditor/how_to_get_a_daily_list_of_users_addedremoved_from_any_ad_group.md b/docs/kb/auditor/how_to_get_a_daily_list_of_users_addedremoved_from_any_ad_group.md new file mode 100644 index 0000000000..a156606067 --- /dev/null +++ b/docs/kb/auditor/how_to_get_a_daily_list_of_users_addedremoved_from_any_ad_group.md 
@@ -0,0 +1,34 @@ +--- +description: >- + This article provides step-by-step instructions on how to obtain a daily list of users added or removed from any Active Directory group using Netwrix Auditor. +keywords: + - Active Directory + - Netwrix Auditor + - user management +sidebar_label: Daily User Changes in AD Groups +tags: [] +title: "How to Get a Daily List of Users Added/Removed From Any AD Group?" +knowledge_article_id: kA04u000001116qCAA +products: + - auditor +--- + +# How to Get a Daily List of Users Added/Removed From Any AD Group? + +## Question + +How to get the list of users added/removed from an Active Directory group on a regular basis (for example, daily)? + +## Answer + +Create a subscription to Netwrix search results with the following parameters: + +1. **Filters** + ![User-added image](./images/servlet_image_ebe11c05eb6f.png) + + Windows records users adding or removing as a change to the group itself, since the group is an AD object. Therefore, the **Action** filter type is suggested to be *Modified*. + +2. **Schedule** + Set the schedule to whatever frequency you want – the Subscription returns all events that occurred after the latest Subscription delivery. The initial one may have a lot. + +For additional information on how to create subscriptions, refer to the following article: [Administration – Subscriptions](/docs/auditor/10.6/admin/subscriptions/overview). \ No newline at end of file diff --git a/docs/kb/auditor/how_to_make_netwrix_auditor_upload_data_to_sql_using_tls_1.2.md b/docs/kb/auditor/how_to_make_netwrix_auditor_upload_data_to_sql_using_tls_1.2.md new file mode 100644 index 0000000000..acf49cfba9 --- /dev/null +++ b/docs/kb/auditor/how_to_make_netwrix_auditor_upload_data_to_sql_using_tls_1.2.md 
@@ -0,0 +1,43 @@ +--- +description: >- + This article provides step-by-step instructions for configuring Netwrix Auditor and SQL Server to communicate securely using TLS version 1.2. +keywords: + - Netwrix Auditor + - SQL Server + - TLS 1.2 +sidebar_label: Configure Netwrix Auditor for TLS 1.2 +tags: [] +title: "How to Make Netwrix Auditor Upload Data to SQL Using TLS 1.2" +knowledge_article_id: kA00g000000H9dBCAS +products: + - auditor +--- + +# How to Make Netwrix Auditor Upload Data to SQL Using TLS 1.2 + +## Overview + +This KBA describes a process of configuring Netwrix and SQL Server to communicate via the secure channel - TLS version 1.2. + +## Instructions + +Here is an example of an error you may encounter while using the Search function in Netwrix Auditor: + +``` +Sql Server error occurred (18, [DBNETLIB][ConnectionOpen (SECDoClientHandshake().]SSL Security error.) +``` + +![Error Message Example](./images/servlet_image_c2e8b90bb7b7.png) + +1. Make sure TLS 1.2 is enabled on both servers. Use this Microsoft guide to configure it: [How to enable TLS 1.2](https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2). +2. To find the version of Native Client, start the ODBC Administrator on the Netwrix Auditor host. Right-click the **Start** button and then choose **Run**. In the Run window, type the following, followed by **Enter**: `odbcad32.exe`. +3. Check the Version column under the Drivers tab. + + ![ODBC Driver Version](./images/servlet_image_e00b5dadcf89.png) + +4. If the version is lower than "2011.110.7001.00", download and install the **64-bit version** of [SQL Native Client](https://www.microsoft.com/en-us/download/details.aspx?id=50402) on the Netwrix Auditor host. +5. Restart the **Netwrix Auditor Audit Archive Service**. + +--- + +For more information about SQL and TLS 1.2, refer to [TLS 1.2 support for Microsoft SQL Server](https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server). 
\ No newline at end of file diff --git a/docs/kb/auditor/html-reports-have-an-issue-with-non-latin-characters.md b/docs/kb/auditor/html-reports-have-an-issue-with-non-latin-characters.md new file mode 100644 index 0000000000..61f57f6b73 --- /dev/null +++ b/docs/kb/auditor/html-reports-have-an-issue-with-non-latin-characters.md @@ -0,0 +1,34 @@ +--- +description: >- + HTML summary reports may display non-Latin characters as question marks or + symbols. This article explains why and how to fix it by changing the encoding + to Unicode (UTF-8) in your email client or browser. +keywords: + - HTML + - reports + - non-Latin + - characters + - UTF-8 + - encoding + - email client + - browser +products: + - auditor +sidebar_label: HTML reports have an issue with non-Latin characte +tags: [] +title: "HTML reports have an issue with non-Latin characters" +knowledge_article_id: kA00g000000H9Z6CAK +--- + +# HTML reports have an issue with non-Latin characters + +## Summary +Summary reports show non-Latin characters as question marks or symbols. + +--- + +It may happen when records contain language symbols different from Latin characters. + +--- + +I n order to resolve this issue change the encoding in your email client or browser to Unicode (UTF-8). diff --git a/docs/kb/auditor/hyperlinks-in-custom-branding.md b/docs/kb/auditor/hyperlinks-in-custom-branding.md new file mode 100644 index 0000000000..42c09ea27b --- /dev/null +++ b/docs/kb/auditor/hyperlinks-in-custom-branding.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Shows how to make the Support field in the custom branding feature an active + hyperlink by using an HTML anchor tag in the Administrative Portal Branding + settings. +keywords: + - custom branding + - hyperlink + - support link + - HTML + - anchor tag + - Administrative Portal + - Branding + - Netwrix Auditor +products: + - auditor +sidebar_label: Hyperlinks in custom branding +tags: [] +title: "Hyperlinks in custom branding" +knowledge_article_id: kA00g000000H9ThCAK +--- + +# Hyperlinks in custom branding + +How to make the support field in the custom branding feature an active hyperlink? + +This can be done by using html tags. + +## Steps + +1. Browse to the **Administrative Portal** and go to **Settings - Branding** tab. +2. Specify the hyperlink using the html ` ` tag, for example: + +``` +Support link +``` + +3. Modify the URL (`https://netwrix.com/`) and caption (`Support link`) as needed + +![User-added image](images/ka04u000000HcNU_0EM700000004xUL.png) diff --git a/docs/kb/auditor/i-can-t-see-changed-values-with-database-content-audit.md b/docs/kb/auditor/i-can-t-see-changed-values-with-database-content-audit.md new file mode 100644 index 0000000000..7735b9328a --- /dev/null +++ b/docs/kb/auditor/i-can-t-see-changed-values-with-database-content-audit.md 
@@ -0,0 +1,35 @@ +--- +description: >- + When you enable Database Content Audit in Netwrix Auditor, a report may show + only the count of modified rows without the before/after values. This article + explains the two possible causes and how to resolve them. +keywords: + - database content audit + - database audit + - primary key + - triggers + - Netwrix Auditor + - monitoring rules + - detailed monitoring + - ALTER TABLE + - modified rows +products: + - auditor +sidebar_label: I can't see changed values with Database Content A +tags: [] +title: I can't see changed values with Database Content A +knowledge_article_id: kA00g000000H9SbCAK +--- + +# I can't see changed values with Database Content A + +You have enabled Database Content Audit in Netwrix Auditor and received a report which contains only the number of modified rows without values. There are two possible reasons: + +1. You enabled the triggerless (**Do not use triggers**) mode. This option does not show `before` and `after` values. +2. You enabled the **Use triggers for detailed monitoring** mode, but the table that you specified in the **Monitoring rules** does not contain a primary key. To add a primary key to the table, please run the following SQL command: + +```sql +ALTER TABLE table_name ADD PRIMARY KEY (primary_key_column_name) +``` + +Please note that If you use the ALTER TABLE statement to add a primary key, the primary key column must already have been declared to not contain NULL values (when the table was first created). diff --git a/docs/kb/auditor/i-cannot-see-sql-changes-made-in-my-third-party-application.md b/docs/kb/auditor/i-cannot-see-sql-changes-made-in-my-third-party-application.md new file mode 100644 index 0000000000..29e99c9a4b --- /dev/null +++ b/docs/kb/auditor/i-cannot-see-sql-changes-made-in-my-third-party-application.md 
@@ -0,0 +1,30 @@ +--- +description: >- + Explains why changes made inside an ERP application's internal database are + not reported by SQL Server Auditing and how this behavior affects Netwrix + Auditor. Clarifies that application-level changes do not affect SQL Server + instance properties and therefore are not tracked. +keywords: + - SQL Server Auditing + - ERP + - managed SQL Server + - auditing + - Netwrix Auditor + - third-party application + - database changes + - not tracked +products: + - auditor +sidebar_label: I cannot see SQL changes made in my third-party ap +tags: [] +title: "I cannot see SQL changes made in my third-party application" +knowledge_article_id: kA00g000000H9W3CAK +--- + +# I cannot see SQL changes made in my third-party application + +I made some changes in my ERP system (which uses a managed SQL Server) like adding users and this is not reported by SQL Server Auditing. + +--- + +Your application has its own internal DB structure, and all changes you make are only related to internal logic of this application, like access to objects of this application only, and don't affect any real SQL Server instance properties and as such changes are not tracked. diff --git a/docs/kb/auditor/illegible-notification-contents-and-characters-in-password-expiration-notifier.md b/docs/kb/auditor/illegible-notification-contents-and-characters-in-password-expiration-notifier.md new file mode 100644 index 0000000000..662a5d626d --- /dev/null +++ b/docs/kb/auditor/illegible-notification-contents-and-characters-in-password-expiration-notifier.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Notifications from Netwrix Password Reset (PEN) may appear illegible when the + previewing environment does not use UTF-8 encoding; this article explains the + cause and how to resolve it. +keywords: + - UTF-8 + - encoding + - notifications + - illegible characters + - email client + - PEN + - Netwrix Password Reset + - Netwrix Auditor +products: + - auditor +sidebar_label: Illegible Notification Contents and Characters in Netwrix Password Reset +tags: [] +title: "Illegible Notification Contents and Characters in Netwrix Password Reset" +knowledge_article_id: kA0Qk0000000Q8zKAE +--- + +# Illegible Notification Contents and Characters in Netwrix Password Reset + +## Symptom + +When previewing or viewing notifications sent by Netwrix Auditor Netwrix Password Reset (PEN), the contents are illegible. The text and particular characters do not correspond to the intended language. + +![IllegibleCharacters](images/ka0Qk0000001Zjh_0EMQk000002jqCb.png) + +## Cause + +The email client or environment used to preview the notification does not support the `UTF-8` encoding. + +## Resolution + +Review the character encoding settings in your email client or affected environment − make sure the `UTF-8 (Unicode)` encoding is enabled. + +> **NOTE:** It is recommended to set up the explicit `UTF-8 (Unicode)` encoding support instead of available automatic detection methods. diff --git a/docs/kb/auditor/images-are-not-shown.md b/docs/kb/auditor/images-are-not-shown.md new file mode 100644 index 0000000000..c36d77e990 --- /dev/null +++ b/docs/kb/auditor/images-are-not-shown.md 
@@ -0,0 +1,43 @@ +--- +description: >- + When the Web Portal displays red boxes instead of images, enable the IIS + Static content feature. This article shows how to enable Static content on + Windows 7 and Windows 2008 to restore image display. +keywords: + - IIS + - Static content + - images + - red boxes + - Web Portal + - Windows 7 + - Windows 2008 + - display images +products: + - auditor +sidebar_label: Images Are not Shown +tags: [] +title: "Images Are not Shown" +knowledge_article_id: kA00g000000H9YHCA0 +--- + +# Images Are not Shown + +## Question +Web Portal shows no images just red boxes. Whats the case? + +![User-added image](images/ka04u00000117dv_0EM7000000050pb.png) + +## Answer +The issue occurs because IIS cannot display images because of configuration. +To address the issue, enable the **Static content** feature within IIS. + +**In Windows 7:** + +1. Go to **Control Panel - Programs and Features - Turn Windows features on or off**. +2. Navigate to **Internet Information Services (IIS) - World Wide Web Services - Common HTTP Features**. +3. Make sure that the checkbox in front of the **Static content** is enabled. + +**In Windows 2008**: + +1. Navigate to **Server Manager - Roles - Web server**, find the Role services in the right pane, click **Add role services**. +2. Enable **Static content** under **Common HTTP Features**. diff --git a/docs/kb/auditor/images/ka04u000000HcMr_0EM0g000000hNsh.png b/docs/kb/auditor/images/ka04u000000HcMr_0EM0g000000hNsh.png new file mode 100644 index 0000000000..94acac136c Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcMr_0EM0g000000hNsh.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcMv_0EM700000004wr9.png b/docs/kb/auditor/images/ka04u000000HcMv_0EM700000004wr9.png new file mode 100644 index 0000000000..b1f2897e4b Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcMv_0EM700000004wr9.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcMw_0EM700000004wzm.png b/docs/kb/auditor/images/ka04u000000HcMw_0EM700000004wzm.png new file mode 100644 index 0000000000..3a9fb31467 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcMw_0EM700000004wzm.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcN0_0EM700000004wxW.png b/docs/kb/auditor/images/ka04u000000HcN0_0EM700000004wxW.png new file mode 100644 index 0000000000..e8cf65a7e6 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcN0_0EM700000004wxW.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcN3_0EM700000004wrO.png b/docs/kb/auditor/images/ka04u000000HcN3_0EM700000004wrO.png new file mode 100644 index 0000000000..a1eeddc1b1 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcN3_0EM700000004wrO.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcN7_00N0g000004CA0p_0EM700000004xgW.png b/docs/kb/auditor/images/ka04u000000HcN7_00N0g000004CA0p_0EM700000004xgW.png new file mode 100644 index 0000000000..cadf846540 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcN7_00N0g000004CA0p_0EM700000004xgW.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcN7_00N0g000004CA0p_0EM700000004xgl.png b/docs/kb/auditor/images/ka04u000000HcN7_00N0g000004CA0p_0EM700000004xgl.png new file mode 100644 index 0000000000..39038f7601 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcN7_00N0g000004CA0p_0EM700000004xgl.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNK_0EM700000004wzw.png b/docs/kb/auditor/images/ka04u000000HcNK_0EM700000004wzw.png new file mode 100644 index 0000000000..b3dd4b472b Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNK_0EM700000004wzw.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcNK_0EM700000004x01.png b/docs/kb/auditor/images/ka04u000000HcNK_0EM700000004x01.png new file mode 100644 index 0000000000..5f3452b1a2 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNK_0EM700000004x01.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNT_0EM700000004wyK.png b/docs/kb/auditor/images/ka04u000000HcNT_0EM700000004wyK.png new file mode 100644 index 0000000000..49b0cbc86e Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNT_0EM700000004wyK.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNU_0EM700000004xUL.png b/docs/kb/auditor/images/ka04u000000HcNU_0EM700000004xUL.png new file mode 100644 index 0000000000..06deedf8a5 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNU_0EM700000004xUL.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNV_0EM700000007LkF.png b/docs/kb/auditor/images/ka04u000000HcNV_0EM700000007LkF.png new file mode 100644 index 0000000000..bcab6a1f42 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNV_0EM700000007LkF.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNW_0EM4u000002QzDA.png b/docs/kb/auditor/images/ka04u000000HcNW_0EM4u000002QzDA.png new file mode 100644 index 0000000000..c8e3f81616 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNW_0EM4u000002QzDA.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNX_0EM700000004wxg.png b/docs/kb/auditor/images/ka04u000000HcNX_0EM700000004wxg.png new file mode 100644 index 0000000000..a1eeddc1b1 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNX_0EM700000004wxg.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNZ_0EM700000004wyZ.png b/docs/kb/auditor/images/ka04u000000HcNZ_0EM700000004wyZ.png new file mode 100644 index 0000000000..99ea546925 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNZ_0EM700000004wyZ.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcNZ_0EM700000004wye.png b/docs/kb/auditor/images/ka04u000000HcNZ_0EM700000004wye.png new file mode 100644 index 0000000000..541e859a6e Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNZ_0EM700000004wye.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yKg.png b/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yKg.png new file mode 100644 index 0000000000..deb5ab047c Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yKg.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yKq.png b/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yKq.png new file mode 100644 index 0000000000..b48ad3af57 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yKq.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yKv.png b/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yKv.png new file mode 100644 index 0000000000..2756bfd07a Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yKv.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yL0.png b/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yL0.png new file mode 100644 index 0000000000..9f1c9170f0 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yL0.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yL5.png b/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yL5.png new file mode 100644 index 0000000000..52c3ddfa08 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNi_0EM700000004yL5.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNm_0EM700000004xEI.png b/docs/kb/auditor/images/ka04u000000HcNm_0EM700000004xEI.png new file mode 100644 index 0000000000..47cac59dce Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNm_0EM700000004xEI.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcNm_0EM700000004xEN.png b/docs/kb/auditor/images/ka04u000000HcNm_0EM700000004xEN.png new file mode 100644 index 0000000000..7ff44af869 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNm_0EM700000004xEN.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNm_0EM700000004xES.png b/docs/kb/auditor/images/ka04u000000HcNm_0EM700000004xES.png new file mode 100644 index 0000000000..a47decb86d Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNm_0EM700000004xES.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNo_0EM700000004xIo.png b/docs/kb/auditor/images/ka04u000000HcNo_0EM700000004xIo.png new file mode 100644 index 0000000000..b8036358cc Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNo_0EM700000004xIo.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNo_0EM700000004xIt.png b/docs/kb/auditor/images/ka04u000000HcNo_0EM700000004xIt.png new file mode 100644 index 0000000000..416af46bdc Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNo_0EM700000004xIt.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNo_0EM700000004xIy.png b/docs/kb/auditor/images/ka04u000000HcNo_0EM700000004xIy.png new file mode 100644 index 0000000000..993487ed34 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNo_0EM700000004xIy.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcNr_0EM4u000007qtQ1.png b/docs/kb/auditor/images/ka04u000000HcNr_0EM4u000007qtQ1.png new file mode 100644 index 0000000000..6dad049728 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcNr_0EM4u000007qtQ1.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TB6.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TB6.png new file mode 100644 index 0000000000..85f81939d3 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TB6.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBB.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBB.png new file mode 100644 index 0000000000..a713288c58 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBB.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBG.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBG.png new file mode 100644 index 0000000000..43d0dd720c Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBG.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBL.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBL.png new file mode 100644 index 0000000000..c366ecd3c2 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBL.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBV.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBV.png new file mode 100644 index 0000000000..e4bda68d7b Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBV.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBa.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBa.png new file mode 100644 index 0000000000..efc64b82ee Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBa.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBf.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBf.png new file mode 100644 index 0000000000..8838dcc6c5 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBf.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBk.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBk.png new file mode 100644 index 0000000000..78b4bec453 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBk.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBp.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBp.png new file mode 100644 index 0000000000..e2164fd9cb Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TBp.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TC4.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TC4.png new file mode 100644 index 0000000000..b25333a9e1 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TC4.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TC9.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TC9.png new file mode 100644 index 0000000000..b9fd0b0381 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TC9.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TCE.png b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TCE.png new file mode 100644 index 0000000000..da6c6750b5 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcOn_0EM700000005TCE.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcP8_0EM7000000051Zt.png b/docs/kb/auditor/images/ka04u000000HcP8_0EM7000000051Zt.png new file mode 100644 index 0000000000..4471be912a Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcP8_0EM7000000051Zt.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPk_0EM7000000054Bf.png b/docs/kb/auditor/images/ka04u000000HcPk_0EM7000000054Bf.png new file mode 100644 index 0000000000..c6923b0590 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPk_0EM7000000054Bf.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPp_0EM4u000007qsVK.png b/docs/kb/auditor/images/ka04u000000HcPp_0EM4u000007qsVK.png new file mode 100644 index 0000000000..7099c96186 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPp_0EM4u000007qsVK.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcPp_0EM700000005DIQ.png b/docs/kb/auditor/images/ka04u000000HcPp_0EM700000005DIQ.png new file mode 100644 index 0000000000..55a385b17d Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPp_0EM700000005DIQ.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2I.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2I.png new file mode 100644 index 0000000000..83c07415a3 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2I.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2N.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2N.png new file mode 100644 index 0000000000..fc89bbb3de Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2N.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2S.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2S.png new file mode 100644 index 0000000000..1f52b1115f Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2S.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2X.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2X.png new file mode 100644 index 0000000000..6f6100adc5 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2X.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2c.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2c.png new file mode 100644 index 0000000000..07ff888d22 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2c.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2h.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2h.png new file mode 100644 index 0000000000..382ee0a5c7 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y2h.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y31.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y31.png new file mode 100644 index 0000000000..5c2cd95a38 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y31.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3B.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3B.png new file mode 100644 index 0000000000..a0e1a4d623 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3B.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3G.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3G.png new file mode 100644 index 0000000000..a41eab3624 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3G.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3V.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3V.png new file mode 100644 index 0000000000..44df0a2583 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3V.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3k.png b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3k.png new file mode 100644 index 0000000000..a3c132851b Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcPz_0EM700000004y3k.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcQv_0EM700000004wpw.png b/docs/kb/auditor/images/ka04u000000HcQv_0EM700000004wpw.png new file mode 100644 index 0000000000..156c056961 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcQv_0EM700000004wpw.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcQv_0EM700000004wq1.png b/docs/kb/auditor/images/ka04u000000HcQv_0EM700000004wq1.png new file mode 100644 index 0000000000..7ff44af869 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcQv_0EM700000004wq1.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcRE_0EM700000004xUB.png b/docs/kb/auditor/images/ka04u000000HcRE_0EM700000004xUB.png new file mode 100644 index 0000000000..46f8499110 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRE_0EM700000004xUB.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRE_0EM700000004xUG.png b/docs/kb/auditor/images/ka04u000000HcRE_0EM700000004xUG.png new file mode 100644 index 0000000000..82e5f5182b Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRE_0EM700000004xUG.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRH_0EM700000004wmJ.png b/docs/kb/auditor/images/ka04u000000HcRH_0EM700000004wmJ.png new file mode 100644 index 0000000000..fd14d88e17 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRH_0EM700000004wmJ.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRU_0EM700000004x9r.png b/docs/kb/auditor/images/ka04u000000HcRU_0EM700000004x9r.png new file mode 100644 index 0000000000..e70773a00f Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRU_0EM700000004x9r.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3C.png b/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3C.png new file mode 100644 index 0000000000..abdfed02a7 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3C.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3H.png b/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3H.png new file mode 100644 index 0000000000..d350d3b008 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3H.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3M.png b/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3M.png new file mode 100644 index 0000000000..26197c0375 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3M.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3W.png b/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3W.png new file mode 100644 index 0000000000..2674bd7562 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3W.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3b.png b/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3b.png new file mode 100644 index 0000000000..40c220f770 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRb_0EM70000000QI3b.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxC.png b/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxC.png new file mode 100644 index 0000000000..ce393819b2 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxC.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxH.png b/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxH.png new file mode 100644 index 0000000000..f6751e2701 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxH.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxM.png b/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxM.png new file mode 100644 index 0000000000..6a62533893 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxM.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxR.png b/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxR.png new file mode 100644 index 0000000000..16335a20e9 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRc_0EM700000004wxR.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRc_0EM7000000054jS.png b/docs/kb/auditor/images/ka04u000000HcRc_0EM7000000054jS.png new file mode 100644 index 0000000000..4a8edc7c9e Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRc_0EM7000000054jS.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcRc_0EM7000000054jX.png b/docs/kb/auditor/images/ka04u000000HcRc_0EM7000000054jX.png new file mode 100644 index 0000000000..892e76ccee Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRc_0EM7000000054jX.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZN.png b/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZN.png new file mode 100644 index 0000000000..070f142324 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZN.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZS.png b/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZS.png new file mode 100644 index 0000000000..ebcbc6838d Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZS.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZc.png b/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZc.png new file mode 100644 index 0000000000..18de34f023 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZc.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZr.png b/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZr.png new file mode 100644 index 0000000000..bd582e3530 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZr.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZw.png b/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZw.png new file mode 100644 index 0000000000..c7659b4059 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRf_0EM70000000xMZw.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcRw_0EM700000008Dtg.png b/docs/kb/auditor/images/ka04u000000HcRw_0EM700000008Dtg.png new file mode 100644 index 0000000000..ed3ec54868 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcRw_0EM700000008Dtg.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcS0_0EM700000005Cwt.png b/docs/kb/auditor/images/ka04u000000HcS0_0EM700000005Cwt.png new file mode 100644 index 0000000000..cf88b532d4 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcS0_0EM700000005Cwt.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcS1_0EM700000007Jf8.png b/docs/kb/auditor/images/ka04u000000HcS1_0EM700000007Jf8.png new file mode 100644 index 0000000000..0b4541f4b5 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcS1_0EM700000007Jf8.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcS1_0EM700000007JfD.png b/docs/kb/auditor/images/ka04u000000HcS1_0EM700000007JfD.png new file mode 100644 index 0000000000..65c50ef3f0 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcS1_0EM700000007JfD.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcS3_0EM700000005HCR.png b/docs/kb/auditor/images/ka04u000000HcS3_0EM700000005HCR.png new file mode 100644 index 0000000000..9ed857de2d Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcS3_0EM700000005HCR.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSG_0EM7000000054Pc.png b/docs/kb/auditor/images/ka04u000000HcSG_0EM7000000054Pc.png new file mode 100644 index 0000000000..778c6a1f68 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSG_0EM7000000054Pc.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSG_0EM7000000054Ph.png b/docs/kb/auditor/images/ka04u000000HcSG_0EM7000000054Ph.png new file mode 100644 index 0000000000..84ec534d38 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSG_0EM7000000054Ph.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSG_0EM7000000054Pm.png b/docs/kb/auditor/images/ka04u000000HcSG_0EM7000000054Pm.png new file mode 100644 index 0000000000..deb89e4cd8 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSG_0EM7000000054Pm.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcSG_0EM700000005pJq.png b/docs/kb/auditor/images/ka04u000000HcSG_0EM700000005pJq.png new file mode 100644 index 0000000000..01172ae899 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSG_0EM700000005pJq.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSR_0EM7000000053Be.png b/docs/kb/auditor/images/ka04u000000HcSR_0EM7000000053Be.png new file mode 100644 index 0000000000..b3a8c2e777 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSR_0EM7000000053Be.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSR_0EM7000000053Bj.png b/docs/kb/auditor/images/ka04u000000HcSR_0EM7000000053Bj.png new file mode 100644 index 0000000000..41ea834998 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSR_0EM7000000053Bj.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSR_0EM7000000053Bo.png b/docs/kb/auditor/images/ka04u000000HcSR_0EM7000000053Bo.png new file mode 100644 index 0000000000..511291c3c4 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSR_0EM7000000053Bo.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSU_0EM700000006Hfg.png b/docs/kb/auditor/images/ka04u000000HcSU_0EM700000006Hfg.png new file mode 100644 index 0000000000..aa4a85998c Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSU_0EM700000006Hfg.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSU_0EM700000006Hfl.png b/docs/kb/auditor/images/ka04u000000HcSU_0EM700000006Hfl.png new file mode 100644 index 0000000000..a0fd362b9f Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSU_0EM700000006Hfl.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSZ_0EM700000006XV3.png b/docs/kb/auditor/images/ka04u000000HcSZ_0EM700000006XV3.png new file mode 100644 index 0000000000..61321fb4ac Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSZ_0EM700000006XV3.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcSZ_0EM700000006XV8.png b/docs/kb/auditor/images/ka04u000000HcSZ_0EM700000006XV8.png new file mode 100644 index 0000000000..42d427ca7c Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSZ_0EM700000006XV8.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSZ_0EM700000006XVD.png b/docs/kb/auditor/images/ka04u000000HcSZ_0EM700000006XVD.png new file mode 100644 index 0000000000..729b887c67 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSZ_0EM700000006XVD.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcSn_0EM700000005hNk.png b/docs/kb/auditor/images/ka04u000000HcSn_0EM700000005hNk.png new file mode 100644 index 0000000000..0dc21a005c Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcSn_0EM700000005hNk.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcT2_0EM700000005kEC.png b/docs/kb/auditor/images/ka04u000000HcT2_0EM700000005kEC.png new file mode 100644 index 0000000000..96fc8573d6 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcT2_0EM700000005kEC.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcT5_0EM700000008DPW.png b/docs/kb/auditor/images/ka04u000000HcT5_0EM700000008DPW.png new file mode 100644 index 0000000000..b84e276f67 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcT5_0EM700000008DPW.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcT5_0EM700000008DPb.png b/docs/kb/auditor/images/ka04u000000HcT5_0EM700000008DPb.png new file mode 100644 index 0000000000..e87f8cb832 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcT5_0EM700000008DPb.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcT5_0EM700000008DPg.png b/docs/kb/auditor/images/ka04u000000HcT5_0EM700000008DPg.png new file mode 100644 index 0000000000..4d6a1c38db Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcT5_0EM700000008DPg.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcTw_0EM700000005BrO.png b/docs/kb/auditor/images/ka04u000000HcTw_0EM700000005BrO.png new file mode 100644 index 0000000000..82d2ff989d Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcTw_0EM700000005BrO.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcTw_0EM700000005BrT.png b/docs/kb/auditor/images/ka04u000000HcTw_0EM700000005BrT.png new file mode 100644 index 0000000000..2d1abc6ee6 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcTw_0EM700000005BrT.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcTw_0EM700000005BrY.png b/docs/kb/auditor/images/ka04u000000HcTw_0EM700000005BrY.png new file mode 100644 index 0000000000..82cace6eb4 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcTw_0EM700000005BrY.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcTz_0EM700000005AFx.png b/docs/kb/auditor/images/ka04u000000HcTz_0EM700000005AFx.png new file mode 100644 index 0000000000..f1ba3cf948 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcTz_0EM700000005AFx.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcU6_0EM7000000054Ba.png b/docs/kb/auditor/images/ka04u000000HcU6_0EM7000000054Ba.png new file mode 100644 index 0000000000..de7384ee50 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcU6_0EM7000000054Ba.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUL_0EM7000000053hV.png b/docs/kb/auditor/images/ka04u000000HcUL_0EM7000000053hV.png new file mode 100644 index 0000000000..302e82b65b Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUL_0EM7000000053hV.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUO_0EM7000000052im.png b/docs/kb/auditor/images/ka04u000000HcUO_0EM7000000052im.png new file mode 100644 index 0000000000..9faef47568 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUO_0EM7000000052im.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcUO_0EM7000000052ir.png b/docs/kb/auditor/images/ka04u000000HcUO_0EM7000000052ir.png new file mode 100644 index 0000000000..a930e85d8c Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUO_0EM7000000052ir.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUT_0EM7000000052iw.png b/docs/kb/auditor/images/ka04u000000HcUT_0EM7000000052iw.png new file mode 100644 index 0000000000..6d5fea1c12 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUT_0EM7000000052iw.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUT_0EM7000000052jG.png b/docs/kb/auditor/images/ka04u000000HcUT_0EM7000000052jG.png new file mode 100644 index 0000000000..8e25eec662 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUT_0EM7000000052jG.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUW_0EM700000004x0B.png b/docs/kb/auditor/images/ka04u000000HcUW_0EM700000004x0B.png new file mode 100644 index 0000000000..c38cf9d924 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUW_0EM700000004x0B.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUb_0EM7000000051QD.png b/docs/kb/auditor/images/ka04u000000HcUb_0EM7000000051QD.png new file mode 100644 index 0000000000..bd266093ff Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUb_0EM7000000051QD.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUb_0EM7000000051QI.png b/docs/kb/auditor/images/ka04u000000HcUb_0EM7000000051QI.png new file mode 100644 index 0000000000..79b6c71550 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUb_0EM7000000051QI.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUb_0EM7000000051QN.png b/docs/kb/auditor/images/ka04u000000HcUb_0EM7000000051QN.png new file mode 100644 index 0000000000..c52f1a9e1a Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUb_0EM7000000051QN.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcUd_0EM7000000051O7.png b/docs/kb/auditor/images/ka04u000000HcUd_0EM7000000051O7.png new file mode 100644 index 0000000000..0e679d2fe4 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUd_0EM7000000051O7.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUd_0EM7000000051OC.png b/docs/kb/auditor/images/ka04u000000HcUd_0EM7000000051OC.png new file mode 100644 index 0000000000..3ba283a95d Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUd_0EM7000000051OC.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUe_0EM7000000050xL.png b/docs/kb/auditor/images/ka04u000000HcUe_0EM7000000050xL.png new file mode 100644 index 0000000000..ed2ff94b83 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUe_0EM7000000050xL.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUe_0EM7000000050xQ.png b/docs/kb/auditor/images/ka04u000000HcUe_0EM7000000050xQ.png new file mode 100644 index 0000000000..10e2cd7082 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUe_0EM7000000050xQ.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xfn.png b/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xfn.png new file mode 100644 index 0000000000..9eabd811b3 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xfn.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xfx.png b/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xfx.png new file mode 100644 index 0000000000..f1dea1b926 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xfx.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xg2.png b/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xg2.png new file mode 100644 index 0000000000..9faef47568 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xg2.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xg7.png b/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xg7.png new file mode 100644 index 0000000000..ced2361d81 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUi_0EM700000004xg7.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUp_0EM700000004xfs.png b/docs/kb/auditor/images/ka04u000000HcUp_0EM700000004xfs.png new file mode 100644 index 0000000000..09b00eba3a Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUp_0EM700000004xfs.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUv_0EM700000004wr4.png b/docs/kb/auditor/images/ka04u000000HcUv_0EM700000004wr4.png new file mode 100644 index 0000000000..fa88596aba Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUv_0EM700000004wr4.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUw_0EM700000004wlz.png b/docs/kb/auditor/images/ka04u000000HcUw_0EM700000004wlz.png new file mode 100644 index 0000000000..4dd538bf80 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUw_0EM700000004wlz.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUw_0EM700000004wm4.png b/docs/kb/auditor/images/ka04u000000HcUw_0EM700000004wm4.png new file mode 100644 index 0000000000..6d5fea1c12 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUw_0EM700000004wm4.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUx_0EM700000004wyo.png b/docs/kb/auditor/images/ka04u000000HcUx_0EM700000004wyo.png new file mode 100644 index 0000000000..c74649f60d Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUx_0EM700000004wyo.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcUx_0EM700000004wyt.png b/docs/kb/auditor/images/ka04u000000HcUx_0EM700000004wyt.png new file mode 100644 index 0000000000..7ff44af869 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUx_0EM700000004wyt.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcUx_0EM700000004wyy.png b/docs/kb/auditor/images/ka04u000000HcUx_0EM700000004wyy.png new file mode 100644 index 0000000000..4ff70364d7 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcUx_0EM700000004wyy.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcVz_0EM700000004wyU.png b/docs/kb/auditor/images/ka04u000000HcVz_0EM700000004wyU.png new file mode 100644 index 0000000000..4ff70364d7 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcVz_0EM700000004wyU.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqL.png b/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqL.png new file mode 100644 index 0000000000..2d1ac1cd4b Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqL.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqQ.png b/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqQ.png new file mode 100644 index 0000000000..ba7e6941b5 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqQ.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqV.png b/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqV.png new file mode 100644 index 0000000000..47048fefdd Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqV.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqa.png b/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqa.png new file mode 100644 index 0000000000..01ff8948af Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqa.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqf.png b/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqf.png new file mode 100644 index 0000000000..27189f383f Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcW3_0EM700000004wqf.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcW6_0EM700000004wzN.png b/docs/kb/auditor/images/ka04u000000HcW6_0EM700000004wzN.png new file mode 100644 index 0000000000..57f8f43f9c Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcW6_0EM700000004wzN.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcWD_0EM700000004udF.png b/docs/kb/auditor/images/ka04u000000HcWD_0EM700000004udF.png new file mode 100644 index 0000000000..6d5fea1c12 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcWD_0EM700000004udF.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcWD_0EM700000004wzc.png b/docs/kb/auditor/images/ka04u000000HcWD_0EM700000004wzc.png new file mode 100644 index 0000000000..8e25eec662 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcWD_0EM700000004wzc.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcWF_0EM700000004xUV.png b/docs/kb/auditor/images/ka04u000000HcWF_0EM700000004xUV.png new file mode 100644 index 0000000000..7e06e3c815 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcWF_0EM700000004xUV.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcWK_0EM700000004wmE.png b/docs/kb/auditor/images/ka04u000000HcWK_0EM700000004wmE.png new file mode 100644 index 0000000000..510d6339a1 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcWK_0EM700000004wmE.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcWM_0EM700000004wyA.png b/docs/kb/auditor/images/ka04u000000HcWM_0EM700000004wyA.png new file mode 100644 index 0000000000..152f8f82ac Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcWM_0EM700000004wyA.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcWP_0EM700000004wxl.png b/docs/kb/auditor/images/ka04u000000HcWP_0EM700000004wxl.png new file mode 100644 index 0000000000..a468320de8 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcWP_0EM700000004wxl.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPE.png b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPE.png new file mode 100644 index 0000000000..ef04bf6a92 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPE.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPJ.png b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPJ.png new file mode 100644 index 0000000000..2f12a137e5 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPJ.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPO.png b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPO.png new file mode 100644 index 0000000000..8256382b8b Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPO.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPT.png b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPT.png new file mode 100644 index 0000000000..23a7975254 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPT.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPn.png b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPn.png new file mode 100644 index 0000000000..df2ebf1069 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPn.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPs.png b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPs.png new file mode 100644 index 0000000000..0edae2e9a4 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXR_0EM700000004vPs.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D96q.png b/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D96q.png new file mode 100644 index 0000000000..8ed0912a6a Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D96q.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D975.png b/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D975.png new file mode 100644 index 0000000000..db59b486b3 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D975.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D97U.png b/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D97U.png new file mode 100644 index 0000000000..cc2c54621b Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D97U.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D97j.png b/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D97j.png new file mode 100644 index 0000000000..19550bc834 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXd_0EM4u000002D97j.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx7U.png b/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx7U.png new file mode 100644 index 0000000000..0ea0ef0f03 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx7U.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx7Z.png b/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx7Z.png new file mode 100644 index 0000000000..49a4881426 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx7Z.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx7t.png b/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx7t.png new file mode 100644 index 0000000000..ab8aca13d7 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx7t.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx8I.png b/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx8I.png new file mode 100644 index 0000000000..235492da3e Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcXh_0EM4u000002Qx8I.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HcZ5_0EM0g000002CGLg.png b/docs/kb/auditor/images/ka04u000000HcZ5_0EM0g000002CGLg.png new file mode 100644 index 0000000000..920f9cd5f8 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcZ5_0EM0g000002CGLg.png differ diff --git a/docs/kb/auditor/images/ka04u000000HcZ6_0EM4u000002P6Cl.png b/docs/kb/auditor/images/ka04u000000HcZ6_0EM4u000002P6Cl.png new file mode 100644 index 0000000000..22579290db Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HcZ6_0EM4u000002P6Cl.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdDR_0EM4u0000084XpS.png b/docs/kb/auditor/images/ka04u000000HdDR_0EM4u0000084XpS.png new file mode 100644 index 0000000000..372b9b82e0 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdDR_0EM4u0000084XpS.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdES_0EM4u000002CO3k.png b/docs/kb/auditor/images/ka04u000000HdES_0EM4u000002CO3k.png new file mode 100644 index 0000000000..7cd112a463 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdES_0EM4u000002CO3k.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYD.png b/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYD.png new file mode 100644 index 0000000000..8edecf717a Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYD.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYI.png b/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYI.png new file mode 100644 index 0000000000..9f1e5e3a92 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYI.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYN.png b/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYN.png new file mode 100644 index 0000000000..a36dc96b89 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYN.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYS.png b/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYS.png new file mode 100644 index 0000000000..d9876c6654 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CmYS.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CsNQ.png b/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CsNQ.png new file mode 100644 index 0000000000..8edecf717a Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdEa_0EM4u000002CsNQ.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdFq_0EM4u0000052m0m.png b/docs/kb/auditor/images/ka04u000000HdFq_0EM4u0000052m0m.png new file mode 100644 index 0000000000..3877df2ce6 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdFq_0EM4u0000052m0m.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdFvAAK.jpeg b/docs/kb/auditor/images/ka04u000000HdFvAAK.jpeg new file mode 100644 index 0000000000..6be9b252ed Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdFvAAK.jpeg differ diff --git a/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084ozs.png b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084ozs.png new file mode 100644 index 0000000000..af69bc0e8c Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084ozs.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084ozx.png b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084ozx.png new file mode 100644 index 0000000000..9eb0b93522 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084ozx.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p07.png b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p07.png new file mode 100644 index 0000000000..41f34fa270 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p07.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0C.png b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0C.png new file mode 100644 index 0000000000..cce47a94f4 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0C.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0D.png b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0D.png new file mode 100644 index 0000000000..bbbee1f068 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0D.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0b.png b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0b.png new file mode 100644 index 0000000000..ea45875791 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0b.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0l.png b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0l.png new file mode 100644 index 0000000000..ce3fd7bee1 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0l.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0q.png b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0q.png new file mode 100644 index 0000000000..e8d68b34e0 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p0q.png differ diff --git a/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p15.png b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p15.png new file mode 100644 index 0000000000..36a74b7a30 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000HdPU_0EM4u0000084p15.png differ diff --git a/docs/kb/auditor/images/ka04u000000Qmg4_0EM4u000007cgGr.png b/docs/kb/auditor/images/ka04u000000Qmg4_0EM4u000007cgGr.png new file mode 100644 index 0000000000..c2dfe7bd27 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000Qmg4_0EM4u000007cgGr.png differ 
diff --git a/docs/kb/auditor/images/ka04u000000Qmg4_0EM4u000007cgOC.png b/docs/kb/auditor/images/ka04u000000Qmg4_0EM4u000007cgOC.png new file mode 100644 index 0000000000..da0442cb2b Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000Qmg4_0EM4u000007cgOC.png differ diff --git a/docs/kb/auditor/images/ka04u000000Qmg4_0EM4u000007cgPy.png b/docs/kb/auditor/images/ka04u000000Qmg4_0EM4u000007cgPy.png new file mode 100644 index 0000000000..a219efab64 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000Qmg4_0EM4u000007cgPy.png differ diff --git a/docs/kb/auditor/images/ka04u000000wvtY_0EM4u000008pRVW.png b/docs/kb/auditor/images/ka04u000000wvtY_0EM4u000008pRVW.png new file mode 100644 index 0000000000..dfd5fb60a7 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000wvtY_0EM4u000008pRVW.png differ diff --git a/docs/kb/auditor/images/ka04u000000wvy4_0EM4u000008LkB8.png b/docs/kb/auditor/images/ka04u000000wvy4_0EM4u000008LkB8.png new file mode 100644 index 0000000000..f2dadb6cf0 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000wvy4_0EM4u000008LkB8.png differ diff --git a/docs/kb/auditor/images/ka04u000000wvzg_0EM4u000008pVor.png b/docs/kb/auditor/images/ka04u000000wvzg_0EM4u000008pVor.png new file mode 100644 index 0000000000..ffea24cf9e Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000wvzg_0EM4u000008pVor.png differ diff --git a/docs/kb/auditor/images/ka04u000000wvzg_0EM4u000008pVow.png b/docs/kb/auditor/images/ka04u000000wvzg_0EM4u000008pVow.png new file mode 100644 index 0000000000..3951cdec3f Binary files /dev/null and b/docs/kb/auditor/images/ka04u000000wvzg_0EM4u000008pVow.png differ diff --git a/docs/kb/auditor/images/ka04u0000011688_0EM4u000008LCjZ.png b/docs/kb/auditor/images/ka04u0000011688_0EM4u000008LCjZ.png new file mode 100644 index 0000000000..c2ce0bf317 Binary files /dev/null and b/docs/kb/auditor/images/ka04u0000011688_0EM4u000008LCjZ.png differ 
diff --git a/docs/kb/auditor/images/ka04u00000116G7_0EM4u000007ceka.png b/docs/kb/auditor/images/ka04u00000116G7_0EM4u000007ceka.png new file mode 100644 index 0000000000..f8a22622cc Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116G7_0EM4u000007ceka.png differ diff --git a/docs/kb/auditor/images/ka04u00000116G7_0EM4u000007cekk.png b/docs/kb/auditor/images/ka04u00000116G7_0EM4u000007cekk.png new file mode 100644 index 0000000000..4d78f8eb01 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116G7_0EM4u000007cekk.png differ diff --git a/docs/kb/auditor/images/ka04u00000116GR_0EM4u000002PWPR.png b/docs/kb/auditor/images/ka04u00000116GR_0EM4u000002PWPR.png new file mode 100644 index 0000000000..87ee6cdeb8 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116GR_0EM4u000002PWPR.png differ diff --git a/docs/kb/auditor/images/ka04u00000116Ju_0EM4u000008LKrz.png b/docs/kb/auditor/images/ka04u00000116Ju_0EM4u000008LKrz.png new file mode 100644 index 0000000000..3de4de522a Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116Ju_0EM4u000008LKrz.png differ diff --git a/docs/kb/auditor/images/ka04u00000116MV_0EM4u000007cekk.png b/docs/kb/auditor/images/ka04u00000116MV_0EM4u000007cekk.png new file mode 100644 index 0000000000..4d78f8eb01 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116MV_0EM4u000007cekk.png differ diff --git a/docs/kb/auditor/images/ka04u00000116R6_0EM0g000000hUdK.png b/docs/kb/auditor/images/ka04u00000116R6_0EM0g000000hUdK.png new file mode 100644 index 0000000000..8b46a9d26c Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116R6_0EM0g000000hUdK.png differ diff --git a/docs/kb/auditor/images/ka04u00000116gG_0EM4u000008LXT9.png b/docs/kb/auditor/images/ka04u00000116gG_0EM4u000008LXT9.png new file mode 100644 index 0000000000..c071c99ca9 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116gG_0EM4u000008LXT9.png differ 
diff --git a/docs/kb/auditor/images/ka04u00000116iG_0EM4u000004bz9T.png b/docs/kb/auditor/images/ka04u00000116iG_0EM4u000004bz9T.png new file mode 100644 index 0000000000..a17296259c Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116iG_0EM4u000004bz9T.png differ diff --git a/docs/kb/auditor/images/ka04u00000116xf_0EM4u000008Ljuv.png b/docs/kb/auditor/images/ka04u00000116xf_0EM4u000008Ljuv.png new file mode 100644 index 0000000000..88361ba78a Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116xf_0EM4u000008Ljuv.png differ diff --git a/docs/kb/auditor/images/ka04u00000116zv_0EM4u000008Ll2v.png b/docs/kb/auditor/images/ka04u00000116zv_0EM4u000008Ll2v.png new file mode 100644 index 0000000000..7d2af1765f Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116zv_0EM4u000008Ll2v.png differ diff --git a/docs/kb/auditor/images/ka04u00000116zv_0EM4u000008LlzE.png b/docs/kb/auditor/images/ka04u00000116zv_0EM4u000008LlzE.png new file mode 100644 index 0000000000..ec237a3482 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000116zv_0EM4u000008LlzE.png differ diff --git a/docs/kb/auditor/images/ka04u000001173i_0EM4u000008Liq9.png b/docs/kb/auditor/images/ka04u000001173i_0EM4u000008Liq9.png new file mode 100644 index 0000000000..8a3ea96a50 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000001173i_0EM4u000008Liq9.png differ diff --git a/docs/kb/auditor/images/ka04u000001173i_0EM4u000008LirC.png b/docs/kb/auditor/images/ka04u000001173i_0EM4u000008LirC.png new file mode 100644 index 0000000000..27795dbef6 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000001173i_0EM4u000008LirC.png differ diff --git a/docs/kb/auditor/images/ka04u0000011776_0EM4u000008Ls7s.png b/docs/kb/auditor/images/ka04u0000011776_0EM4u000008Ls7s.png new file mode 100644 index 0000000000..da8e22fb88 Binary files /dev/null and b/docs/kb/auditor/images/ka04u0000011776_0EM4u000008Ls7s.png differ 
diff --git a/docs/kb/auditor/images/ka04u000001177u_0EM4u000008Lr6o.png b/docs/kb/auditor/images/ka04u000001177u_0EM4u000008Lr6o.png new file mode 100644 index 0000000000..7404655823 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000001177u_0EM4u000008Lr6o.png differ diff --git a/docs/kb/auditor/images/ka04u000001179H_0EM4u000008Lt2y.png b/docs/kb/auditor/images/ka04u000001179H_0EM4u000008Lt2y.png new file mode 100644 index 0000000000..7942622b46 Binary files /dev/null and b/docs/kb/auditor/images/ka04u000001179H_0EM4u000008Lt2y.png differ diff --git a/docs/kb/auditor/images/ka04u00000117A1_0EM4u000008LuEC.png b/docs/kb/auditor/images/ka04u00000117A1_0EM4u000008LuEC.png new file mode 100644 index 0000000000..915a706b17 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117A1_0EM4u000008LuEC.png differ diff --git a/docs/kb/auditor/images/ka04u00000117Ay_0EM70000000tnyM.png b/docs/kb/auditor/images/ka04u00000117Ay_0EM70000000tnyM.png new file mode 100644 index 0000000000..0fdc9ba0cb Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117Ay_0EM70000000tnyM.png differ diff --git a/docs/kb/auditor/images/ka04u00000117Ay_0EM70000000tnyW.png b/docs/kb/auditor/images/ka04u00000117Ay_0EM70000000tnyW.png new file mode 100644 index 0000000000..d3da379744 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117Ay_0EM70000000tnyW.png differ diff --git a/docs/kb/auditor/images/ka04u00000117HQ_0EM4u000008M035.png b/docs/kb/auditor/images/ka04u00000117HQ_0EM4u000008M035.png new file mode 100644 index 0000000000..c818ffae6f Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117HQ_0EM4u000008M035.png differ diff --git a/docs/kb/auditor/images/ka04u00000117HW_0EM4u000008LwaA.png b/docs/kb/auditor/images/ka04u00000117HW_0EM4u000008LwaA.png new file mode 100644 index 0000000000..59b1313ee2 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117HW_0EM4u000008LwaA.png differ 
diff --git a/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCum.png b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCum.png new file mode 100644 index 0000000000..143d64a8f2 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCum.png differ diff --git a/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCuw.png b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCuw.png new file mode 100644 index 0000000000..b913d34720 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCuw.png differ diff --git a/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCv1.png b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCv1.png new file mode 100644 index 0000000000..fc76c85313 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCv1.png differ diff --git a/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCvL.png b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCvL.png new file mode 100644 index 0000000000..7867fdf304 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCvL.png differ diff --git a/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCvk.png b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCvk.png new file mode 100644 index 0000000000..acb31665b7 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCvk.png differ diff --git a/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCwE.png b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCwE.png new file mode 100644 index 0000000000..d1b823c4eb Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008LCwE.png differ diff --git a/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008M2Tz.png b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008M2Tz.png new file mode 100644 index 0000000000..2984a95a18 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117L8_0EM4u000008M2Tz.png differ 
diff --git a/docs/kb/auditor/images/ka04u00000117TM_0EM4u000008M6Wx.png b/docs/kb/auditor/images/ka04u00000117TM_0EM4u000008M6Wx.png new file mode 100644 index 0000000000..003b1a0d42 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117TM_0EM4u000008M6Wx.png differ diff --git a/docs/kb/auditor/images/ka04u00000117UP_0EM4u000008M7Sw.png b/docs/kb/auditor/images/ka04u00000117UP_0EM4u000008M7Sw.png new file mode 100644 index 0000000000..6cb1f39a49 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117UP_0EM4u000008M7Sw.png differ diff --git a/docs/kb/auditor/images/ka04u00000117Vm_0EM4u000008M8Pe.png b/docs/kb/auditor/images/ka04u00000117Vm_0EM4u000008M8Pe.png new file mode 100644 index 0000000000..c6a4be86f2 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117Vm_0EM4u000008M8Pe.png differ diff --git a/docs/kb/auditor/images/ka04u00000117ad_0EM4u000008LFeu.png b/docs/kb/auditor/images/ka04u00000117ad_0EM4u000008LFeu.png new file mode 100644 index 0000000000..d0fd0c85c8 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117ad_0EM4u000008LFeu.png differ diff --git a/docs/kb/auditor/images/ka04u00000117bz_0EM0g000000hGVv.png b/docs/kb/auditor/images/ka04u00000117bz_0EM0g000000hGVv.png new file mode 100644 index 0000000000..2643e87b0d Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117bz_0EM0g000000hGVv.png differ diff --git a/docs/kb/auditor/images/ka04u00000117bz_0EM0g000000hGWo.png b/docs/kb/auditor/images/ka04u00000117bz_0EM0g000000hGWo.png new file mode 100644 index 0000000000..ab4fbaebf9 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117bz_0EM0g000000hGWo.png differ diff --git a/docs/kb/auditor/images/ka04u00000117bz_0EM4u000004dCnj.png b/docs/kb/auditor/images/ka04u00000117bz_0EM4u000004dCnj.png new file mode 100644 index 0000000000..7ddf8c24a3 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117bz_0EM4u000004dCnj.png differ 
diff --git a/docs/kb/auditor/images/ka04u00000117bz_0EM4u000008LKwz.png b/docs/kb/auditor/images/ka04u00000117bz_0EM4u000008LKwz.png new file mode 100644 index 0000000000..32aaedde2d Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117bz_0EM4u000008LKwz.png differ diff --git a/docs/kb/auditor/images/ka04u00000117bz_0EM70000000QIPr.png b/docs/kb/auditor/images/ka04u00000117bz_0EM70000000QIPr.png new file mode 100644 index 0000000000..7a7e1ea7fc Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117bz_0EM70000000QIPr.png differ diff --git a/docs/kb/auditor/images/ka04u00000117bz_0EM70000000QIQN.png b/docs/kb/auditor/images/ka04u00000117bz_0EM70000000QIQN.png new file mode 100644 index 0000000000..866bd800e7 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117bz_0EM70000000QIQN.png differ diff --git a/docs/kb/auditor/images/ka04u00000117cJ_0EM4u000008LXj2.png b/docs/kb/auditor/images/ka04u00000117cJ_0EM4u000008LXj2.png new file mode 100644 index 0000000000..d6021013e8 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117cJ_0EM4u000008LXj2.png differ diff --git a/docs/kb/auditor/images/ka04u00000117dv_0EM7000000050pb.png b/docs/kb/auditor/images/ka04u00000117dv_0EM7000000050pb.png new file mode 100644 index 0000000000..4a98ff9c54 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117dv_0EM7000000050pb.png differ diff --git a/docs/kb/auditor/images/ka04u00000117fh_0EM4u000008MBTP.png b/docs/kb/auditor/images/ka04u00000117fh_0EM4u000008MBTP.png new file mode 100644 index 0000000000..17a56a9daa Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117fh_0EM4u000008MBTP.png differ diff --git a/docs/kb/auditor/images/ka04u00000117hE_0EM4u000007ccaS.png b/docs/kb/auditor/images/ka04u00000117hE_0EM4u000007ccaS.png new file mode 100644 index 0000000000..368a8adfc1 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117hE_0EM4u000007ccaS.png differ 
diff --git a/docs/kb/auditor/images/ka04u00000117hE_0EM4u000007ccac.png b/docs/kb/auditor/images/ka04u00000117hE_0EM4u000007ccac.png new file mode 100644 index 0000000000..94c35d355c Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117hE_0EM4u000007ccac.png differ diff --git a/docs/kb/auditor/images/ka04u00000117kD_0EM4u000008MHts.png b/docs/kb/auditor/images/ka04u00000117kD_0EM4u000008MHts.png new file mode 100644 index 0000000000..2b9e589490 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117kD_0EM4u000008MHts.png differ diff --git a/docs/kb/auditor/images/ka04u00000117kD_0EM4u000008MHuC.png b/docs/kb/auditor/images/ka04u00000117kD_0EM4u000008MHuC.png new file mode 100644 index 0000000000..c48d6abb66 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117kD_0EM4u000008MHuC.png differ diff --git a/docs/kb/auditor/images/ka04u00000117sv_0EM4u000008LXSz.png b/docs/kb/auditor/images/ka04u00000117sv_0EM4u000008LXSz.png new file mode 100644 index 0000000000..32f3eff24b Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117sv_0EM4u000008LXSz.png differ diff --git a/docs/kb/auditor/images/ka04u00000117wO_0EM4u000008MQhR.png b/docs/kb/auditor/images/ka04u00000117wO_0EM4u000008MQhR.png new file mode 100644 index 0000000000..9fa47fdc7c Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117wO_0EM4u000008MQhR.png differ diff --git a/docs/kb/auditor/images/ka04u00000117wO_0EM4u000008MQmb.png b/docs/kb/auditor/images/ka04u00000117wO_0EM4u000008MQmb.png new file mode 100644 index 0000000000..c2d7bf71d0 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117wO_0EM4u000008MQmb.png differ diff --git a/docs/kb/auditor/images/ka04u00000117xM_0EM4u000002CKXg.png b/docs/kb/auditor/images/ka04u00000117xM_0EM4u000002CKXg.png new file mode 100644 index 0000000000..7f6f215f41 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117xM_0EM4u000002CKXg.png differ 
diff --git a/docs/kb/auditor/images/ka04u00000117xM_0EM4u000007qlPA.png b/docs/kb/auditor/images/ka04u00000117xM_0EM4u000007qlPA.png new file mode 100644 index 0000000000..2d29d94817 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117xM_0EM4u000007qlPA.png differ diff --git a/docs/kb/auditor/images/ka04u00000117zS_0EM4u000008MT4S.png b/docs/kb/auditor/images/ka04u00000117zS_0EM4u000008MT4S.png new file mode 100644 index 0000000000..3ce139867c Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000117zS_0EM4u000008MT4S.png differ diff --git a/docs/kb/auditor/images/ka04u00000118ES_0EM700000004udP.png b/docs/kb/auditor/images/ka04u00000118ES_0EM700000004udP.png new file mode 100644 index 0000000000..3c0b0f9b73 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000118ES_0EM700000004udP.png differ diff --git a/docs/kb/auditor/images/ka04u00000118GJ_0EM4u000008MgWU.png b/docs/kb/auditor/images/ka04u00000118GJ_0EM4u000008MgWU.png new file mode 100644 index 0000000000..e40bf39093 Binary files /dev/null and b/docs/kb/auditor/images/ka04u00000118GJ_0EM4u000008MgWU.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMXd.png b/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMXd.png new file mode 100644 index 0000000000..b30c8ea26d Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMXd.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMY1.png b/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMY1.png new file mode 100644 index 0000000000..95a5defd75 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMY1.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMY6.png b/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMY6.png new file mode 100644 index 0000000000..02b975a914 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMY6.png differ 
diff --git a/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMYB.png b/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMYB.png new file mode 100644 index 0000000000..f3d677fef2 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000000ws1_0EM4u000008MMYB.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001L8r_0EM4u000008MV3l.png b/docs/kb/auditor/images/ka0Qk0000001L8r_0EM4u000008MV3l.png new file mode 100644 index 0000000000..c16f15867d Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001L8r_0EM4u000008MV3l.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001LLl_0EM4u000008MMJG.png b/docs/kb/auditor/images/ka0Qk0000001LLl_0EM4u000008MMJG.png new file mode 100644 index 0000000000..72b7ccec1f Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001LLl_0EM4u000008MMJG.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001LLl_0EM4u000008MMJL.png b/docs/kb/auditor/images/ka0Qk0000001LLl_0EM4u000008MMJL.png new file mode 100644 index 0000000000..7c3d7d06a8 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001LLl_0EM4u000008MMJL.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVg.png b/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVg.png new file mode 100644 index 0000000000..04f479efa9 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVg.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVq.png b/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVq.png new file mode 100644 index 0000000000..74e997e35a Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVq.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVr.png b/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVr.png new file mode 100644 index 0000000000..985c909daf Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVr.png differ 
diff --git a/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVv.png b/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVv.png new file mode 100644 index 0000000000..2dec225990 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001LQb_0EM4u000004dDVv.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001LaH_0EM4u000008M5Wm.png b/docs/kb/auditor/images/ka0Qk0000001LaH_0EM4u000008M5Wm.png new file mode 100644 index 0000000000..2b91f31bdb Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001LaH_0EM4u000008M5Wm.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001OrV_0EMQk000002Tph8.png b/docs/kb/auditor/images/ka0Qk0000001OrV_0EMQk000002Tph8.png new file mode 100644 index 0000000000..93da4726ed Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001OrV_0EMQk000002Tph8.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001S2H_0EMQk000001wr0A.png b/docs/kb/auditor/images/ka0Qk0000001S2H_0EMQk000001wr0A.png new file mode 100644 index 0000000000..7330916ab6 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001S2H_0EMQk000001wr0A.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001VD3_0EMQk000002dT5q.png b/docs/kb/auditor/images/ka0Qk0000001VD3_0EMQk000002dT5q.png new file mode 100644 index 0000000000..af12ab605b Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001VD3_0EMQk000002dT5q.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001ZBp_0EMQk000002dUpt.png b/docs/kb/auditor/images/ka0Qk0000001ZBp_0EMQk000002dUpt.png new file mode 100644 index 0000000000..52bd5bc577 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001ZBp_0EMQk000002dUpt.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001ZgT_0EM4u000008MF8u.png b/docs/kb/auditor/images/ka0Qk0000001ZgT_0EM4u000008MF8u.png new file mode 100644 index 0000000000..da6c1db24f Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001ZgT_0EM4u000008MF8u.png differ 
diff --git a/docs/kb/auditor/images/ka0Qk0000001Zjh_0EMQk000002jqCb.png b/docs/kb/auditor/images/ka0Qk0000001Zjh_0EMQk000002jqCb.png new file mode 100644 index 0000000000..1f0bd09b4e Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001Zjh_0EMQk000002jqCb.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001f7Z_0EM4u000002CQsV.png b/docs/kb/auditor/images/ka0Qk0000001f7Z_0EM4u000002CQsV.png new file mode 100644 index 0000000000..b6c9b4a126 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001f7Z_0EM4u000002CQsV.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000001hxN_0EMQk000002u2KX.png b/docs/kb/auditor/images/ka0Qk0000001hxN_0EMQk000002u2KX.png new file mode 100644 index 0000000000..4b16676296 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000001hxN_0EMQk000002u2KX.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000002jaX_0EMQk0000045bUT.png b/docs/kb/auditor/images/ka0Qk0000002jaX_0EMQk0000045bUT.png new file mode 100644 index 0000000000..73e8f57c62 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000002jaX_0EMQk0000045bUT.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000002kpx_0EMQk000003xxWz.png b/docs/kb/auditor/images/ka0Qk0000002kpx_0EMQk000003xxWz.png new file mode 100644 index 0000000000..b09b8fbe09 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000002kpx_0EMQk000003xxWz.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000002slt_0EM0g000002BkNM.png b/docs/kb/auditor/images/ka0Qk0000002slt_0EM0g000002BkNM.png new file mode 100644 index 0000000000..4876846aab Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000002slt_0EM0g000002BkNM.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000002slt_0EM0g000002BkO9.png b/docs/kb/auditor/images/ka0Qk0000002slt_0EM0g000002BkO9.png new file mode 100644 index 0000000000..121ecb7b1a Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000002slt_0EM0g000002BkO9.png differ 
diff --git a/docs/kb/auditor/images/ka0Qk0000002slt_0EM4u000007chgj.png b/docs/kb/auditor/images/ka0Qk0000002slt_0EM4u000007chgj.png new file mode 100644 index 0000000000..e38946deed Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000002slt_0EM4u000007chgj.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000002uxN_0EM4u000008LHag.png b/docs/kb/auditor/images/ka0Qk0000002uxN_0EM4u000008LHag.png new file mode 100644 index 0000000000..d1a7c09f0b Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000002uxN_0EM4u000008LHag.png differ diff --git a/docs/kb/auditor/images/ka0Qk00000031Iv_0EM4u000008LafD.png b/docs/kb/auditor/images/ka0Qk00000031Iv_0EM4u000008LafD.png new file mode 100644 index 0000000000..424f01f9d4 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk00000031Iv_0EM4u000008LafD.png differ diff --git a/docs/kb/auditor/images/ka0Qk00000031Iv_0EM4u000008LafI.png b/docs/kb/auditor/images/ka0Qk00000031Iv_0EM4u000008LafI.png new file mode 100644 index 0000000000..8fd671ff7e Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk00000031Iv_0EM4u000008LafI.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000003W1l_0EMQk000003oywv.png b/docs/kb/auditor/images/ka0Qk0000003W1l_0EMQk000003oywv.png new file mode 100644 index 0000000000..4e83eb40bf Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000003W1l_0EMQk000003oywv.png differ diff --git a/docs/kb/auditor/images/ka0Qk00000045if_0EM700000004wzI.png b/docs/kb/auditor/images/ka0Qk00000045if_0EM700000004wzI.png new file mode 100644 index 0000000000..7a0c2bf758 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk00000045if_0EM700000004wzI.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000004pqL_0EM4u000008M4JN.png b/docs/kb/auditor/images/ka0Qk0000004pqL_0EM4u000008M4JN.png new file mode 100644 index 0000000000..82a73ad2a4 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000004pqL_0EM4u000008M4JN.png differ 
diff --git a/docs/kb/auditor/images/ka0Qk0000004pqL_0EM4u000008M4JS.png b/docs/kb/auditor/images/ka0Qk0000004pqL_0EM4u000008M4JS.png new file mode 100644 index 0000000000..c32272720c Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000004pqL_0EM4u000008M4JS.png differ diff --git a/docs/kb/auditor/images/ka0Qk0000006sTx_0EMQk000008Iaq1.png b/docs/kb/auditor/images/ka0Qk0000006sTx_0EMQk000008Iaq1.png new file mode 100644 index 0000000000..d98fd20201 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk0000006sTx_0EMQk000008Iaq1.png differ diff --git a/docs/kb/auditor/images/ka0Qk000000Bei5_00N0g000004CA0p_0EMQk000008M3Qr.png b/docs/kb/auditor/images/ka0Qk000000Bei5_00N0g000004CA0p_0EMQk000008M3Qr.png new file mode 100644 index 0000000000..77c7d4d664 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000Bei5_00N0g000004CA0p_0EMQk000008M3Qr.png differ diff --git a/docs/kb/auditor/images/ka0Qk000000Bei5_00N0g000004CA0p_0EMQk000008M3U5.png b/docs/kb/auditor/images/ka0Qk000000Bei5_00N0g000004CA0p_0EMQk000008M3U5.png new file mode 100644 index 0000000000..a326577629 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000Bei5_00N0g000004CA0p_0EMQk000008M3U5.png differ diff --git a/docs/kb/auditor/images/ka0Qk000000Bei5_0EMQk000008M3Qr.png b/docs/kb/auditor/images/ka0Qk000000Bei5_0EMQk000008M3Qr.png new file mode 100644 index 0000000000..77c7d4d664 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000Bei5_0EMQk000008M3Qr.png differ diff --git a/docs/kb/auditor/images/ka0Qk000000Bei5_0EMQk000008M3U5.png b/docs/kb/auditor/images/ka0Qk000000Bei5_0EMQk000008M3U5.png new file mode 100644 index 0000000000..a326577629 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000Bei5_0EMQk000008M3U5.png differ 
diff --git a/docs/kb/auditor/images/ka0Qk000000CoU5_0EM4u0000084Tco.png b/docs/kb/auditor/images/ka0Qk000000CoU5_0EM4u0000084Tco.png new file mode 100644 index 0000000000..17af375af3 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000CoU5_0EM4u0000084Tco.png differ diff --git a/docs/kb/auditor/images/ka0Qk000000Csfl_0EM4u0000084TwA.png b/docs/kb/auditor/images/ka0Qk000000Csfl_0EM4u0000084TwA.png new file mode 100644 index 0000000000..2811e1de5d Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000Csfl_0EM4u0000084TwA.png differ diff --git a/docs/kb/auditor/images/ka0Qk000000DRwr_0EM7000000051zm.png b/docs/kb/auditor/images/ka0Qk000000DRwr_0EM7000000051zm.png new file mode 100644 index 0000000000..037c8d63e9 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000DRwr_0EM7000000051zm.png differ diff --git a/docs/kb/auditor/images/ka0Qk000000DbzR_0EM4u000002PbUM.png b/docs/kb/auditor/images/ka0Qk000000DbzR_0EM4u000002PbUM.png new file mode 100644 index 0000000000..8eb47cd8d4 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000DbzR_0EM4u000002PbUM.png differ diff --git a/docs/kb/auditor/images/ka0Qk000000EAE1_0EM4u000008LFTc.png b/docs/kb/auditor/images/ka0Qk000000EAE1_0EM4u000008LFTc.png new file mode 100644 index 0000000000..ac2eeb08df Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000EAE1_0EM4u000008LFTc.png differ diff --git a/docs/kb/auditor/images/ka0Qk000000EIjS_0EMQk000005FPXt.png b/docs/kb/auditor/images/ka0Qk000000EIjS_0EMQk000005FPXt.png new file mode 100644 index 0000000000..539de7335b Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000EIjS_0EMQk000005FPXt.png differ diff --git a/docs/kb/auditor/images/ka0Qk000000EIjS_0EMQk00000661ik.png b/docs/kb/auditor/images/ka0Qk000000EIjS_0EMQk00000661ik.png new file mode 100644 index 0000000000..90ac2e2a64 Binary files /dev/null and b/docs/kb/auditor/images/ka0Qk000000EIjS_0EMQk00000661ik.png differ 
diff --git a/docs/kb/auditor/images/ka40g0000004KSJ_0EM700000004udP.png b/docs/kb/auditor/images/ka40g0000004KSJ_0EM700000004udP.png new file mode 100644 index 0000000000..e8602612f3 Binary files /dev/null and b/docs/kb/auditor/images/ka40g0000004KSJ_0EM700000004udP.png differ diff --git a/docs/kb/auditor/images/ka40g000000kAbd_0EM700000004wzI.png b/docs/kb/auditor/images/ka40g000000kAbd_0EM700000004wzI.png new file mode 100644 index 0000000000..e8602612f3 Binary files /dev/null and b/docs/kb/auditor/images/ka40g000000kAbd_0EM700000004wzI.png differ diff --git a/docs/kb/auditor/images/servlet_image_1166f08ea416.png b/docs/kb/auditor/images/servlet_image_1166f08ea416.png new file mode 100644 index 0000000000..ad4da13e70 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_1166f08ea416.png differ diff --git a/docs/kb/auditor/images/servlet_image_31a741be3a3d.png b/docs/kb/auditor/images/servlet_image_31a741be3a3d.png new file mode 100644 index 0000000000..04f479efa9 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_31a741be3a3d.png differ diff --git a/docs/kb/auditor/images/servlet_image_3823966b1661.png b/docs/kb/auditor/images/servlet_image_3823966b1661.png new file mode 100644 index 0000000000..e8602612f3 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_3823966b1661.png differ diff --git a/docs/kb/auditor/images/servlet_image_427ba59f8bbf.png b/docs/kb/auditor/images/servlet_image_427ba59f8bbf.png new file mode 100644 index 0000000000..cadf846540 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_427ba59f8bbf.png differ diff --git a/docs/kb/auditor/images/servlet_image_5badb1d5b327.png b/docs/kb/auditor/images/servlet_image_5badb1d5b327.png new file mode 100644 index 0000000000..47f9d19cee Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_5badb1d5b327.png differ 
diff --git a/docs/kb/auditor/images/servlet_image_61a97e6d04cc.png b/docs/kb/auditor/images/servlet_image_61a97e6d04cc.png new file mode 100644 index 0000000000..a20b991e78 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_61a97e6d04cc.png differ diff --git a/docs/kb/auditor/images/servlet_image_69209af72eac.png b/docs/kb/auditor/images/servlet_image_69209af72eac.png new file mode 100644 index 0000000000..18804b5805 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_69209af72eac.png differ diff --git a/docs/kb/auditor/images/servlet_image_69af0d1737a5.png b/docs/kb/auditor/images/servlet_image_69af0d1737a5.png new file mode 100644 index 0000000000..d6021013e8 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_69af0d1737a5.png differ diff --git a/docs/kb/auditor/images/servlet_image_94223e4b2a63.png b/docs/kb/auditor/images/servlet_image_94223e4b2a63.png new file mode 100644 index 0000000000..e8602612f3 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_94223e4b2a63.png differ diff --git a/docs/kb/auditor/images/servlet_image_a2750b9c5910.png b/docs/kb/auditor/images/servlet_image_a2750b9c5910.png new file mode 100644 index 0000000000..805c4ed1be Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_a2750b9c5910.png differ diff --git a/docs/kb/auditor/images/servlet_image_a39f37f6c350.png b/docs/kb/auditor/images/servlet_image_a39f37f6c350.png new file mode 100644 index 0000000000..465e6b7685 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_a39f37f6c350.png differ diff --git a/docs/kb/auditor/images/servlet_image_a59a6a87d3a0.png b/docs/kb/auditor/images/servlet_image_a59a6a87d3a0.png new file mode 100644 index 0000000000..2dec225990 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_a59a6a87d3a0.png differ 
diff --git a/docs/kb/auditor/images/servlet_image_b26ce25b201c.png b/docs/kb/auditor/images/servlet_image_b26ce25b201c.png new file mode 100644 index 0000000000..6a70dc8833 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_b26ce25b201c.png differ diff --git a/docs/kb/auditor/images/servlet_image_b60fe6913b2e.png b/docs/kb/auditor/images/servlet_image_b60fe6913b2e.png new file mode 100644 index 0000000000..f61147ec70 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_b60fe6913b2e.png differ diff --git a/docs/kb/auditor/images/servlet_image_b88c6cd43443.png b/docs/kb/auditor/images/servlet_image_b88c6cd43443.png new file mode 100644 index 0000000000..74e997e35a Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_b88c6cd43443.png differ diff --git a/docs/kb/auditor/images/servlet_image_bcb70814f4ea.png b/docs/kb/auditor/images/servlet_image_bcb70814f4ea.png new file mode 100644 index 0000000000..985c909daf Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_bcb70814f4ea.png differ diff --git a/docs/kb/auditor/images/servlet_image_c2e8b90bb7b7.png b/docs/kb/auditor/images/servlet_image_c2e8b90bb7b7.png new file mode 100644 index 0000000000..7f6f215f41 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_c2e8b90bb7b7.png differ diff --git a/docs/kb/auditor/images/servlet_image_cf580c3eff6f.png b/docs/kb/auditor/images/servlet_image_cf580c3eff6f.png new file mode 100644 index 0000000000..39038f7601 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_cf580c3eff6f.png differ diff --git a/docs/kb/auditor/images/servlet_image_d51a544506f7.png b/docs/kb/auditor/images/servlet_image_d51a544506f7.png new file mode 100644 index 0000000000..da6c1db24f Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_d51a544506f7.png differ 
diff --git a/docs/kb/auditor/images/servlet_image_dcd3919a2b21.png b/docs/kb/auditor/images/servlet_image_dcd3919a2b21.png new file mode 100644 index 0000000000..60e33057e5 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_dcd3919a2b21.png differ diff --git a/docs/kb/auditor/images/servlet_image_df5aa01d204f.png b/docs/kb/auditor/images/servlet_image_df5aa01d204f.png new file mode 100644 index 0000000000..7e247ac4f0 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_df5aa01d204f.png differ diff --git a/docs/kb/auditor/images/servlet_image_e00b5dadcf89.png b/docs/kb/auditor/images/servlet_image_e00b5dadcf89.png new file mode 100644 index 0000000000..2d29d94817 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_e00b5dadcf89.png differ diff --git a/docs/kb/auditor/images/servlet_image_ea6adfe5aae7.png b/docs/kb/auditor/images/servlet_image_ea6adfe5aae7.png new file mode 100644 index 0000000000..87eb38bcb4 Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_ea6adfe5aae7.png differ diff --git a/docs/kb/auditor/images/servlet_image_ebe11c05eb6f.png b/docs/kb/auditor/images/servlet_image_ebe11c05eb6f.png new file mode 100644 index 0000000000..2b91f31bdb Binary files /dev/null and b/docs/kb/auditor/images/servlet_image_ebe11c05eb6f.png differ diff --git a/docs/kb/auditor/impossible-to-export-a-report.md b/docs/kb/auditor/impossible-to-export-a-report.md new file mode 100644 index 0000000000..a212d455bc --- /dev/null +++ b/docs/kb/auditor/impossible-to-export-a-report.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Explains why you cannot export reports from Netwrix Auditor when Internet + Explorer is not installed and lists workarounds to save reports via a browser, + Report Manager (SSRS), or the Print feature. +keywords: + - export + - report + - Netwrix Auditor + - SSRS + - Report Manager + - PDF + - Internet Explorer + - Print +products: + - auditor +sidebar_label: Impossible to Export a Report +tags: [] +title: "Impossible to Export a Report" +knowledge_article_id: kA04u000000HDfkCAG +--- + +# Impossible to Export a Report + +## Symptoms + +- In Netwrix Auditor v10.5, the **Export** icon is active, but Netwrix Auditor does not export the report when you click and select the report format (Word, Excel, PDF, PowerPoint, TIFF file, MHTML). +- In Netwrix Auditor v10.6 and v10.7, the **Export** icon is missing. + +## Cause + +Internet Explorer is not installed on the affected server. + +## Resolutions + +> **NOTE:** In Netwrix Auditor v10.8, you are able to export reports without Internet Explorer installed. + +Refer to the following options to save the report: + +- Verify that another browser is installed on your server. + +- Export the report via Report Manager. + > **IMPORTANT:** A non-gMSA account with the **Content Manager** role is required to access SSRS. Refer to the following article for additional information: /docs/auditor/10.7/auditor/requirements + + 1. In Netwrix Auditor, navigate to **Settings** > **Audit Database**. + 2. Click the **Report Manager URL**, locate the required report, and export it. + +- Export the PDF version using the **Print** feature. + + 1. In Netwrix Auditor, navigate to the **Reports** menu and run a report. + 2. Click the **Print** icon, select the appropriate format, and click **Print**. + ![Print dialog or options](images/ka0Qk000000CoU5_0EM4u0000084Tco.png) + 3. Proceed with the further steps to save the report. + +## Related Articles + +- /docs/auditor/10.7/auditor/requirements 
diff --git a/docs/kb/auditor/improving_file_system_bulk_import_performance_by_adding_indexes_in_netwrix_access_analyzer_v12.0.md b/docs/kb/auditor/improving_file_system_bulk_import_performance_by_adding_indexes_in_netwrix_access_analyzer_v12.0.md new file mode 100644 index 0000000000..76b0e74e3a --- /dev/null +++ b/docs/kb/auditor/improving_file_system_bulk_import_performance_by_adding_indexes_in_netwrix_access_analyzer_v12.0.md 
@@ -0,0 +1,72 @@ +--- +description: >- + This article provides instructions for improving the performance of File System Bulk Imports in Netwrix Access Analyzer by adding indexes to the SA_FSAA_ResourceMap table. +keywords: + - File System Bulk Import + - Netwrix Access Analyzer + - SQL Server Management Studio +sidebar_label: Improve Bulk Import Performance +tags: [] +title: "Improving File System Bulk Import Performance by Adding Indexes in Netwrix Access Analyzer v12.0" +knowledge_article_id: kA0Qk0000002u69KAA +products: + - auditor +--- + +# Improving File System Bulk Import Performance by Adding Indexes in Netwrix Access Analyzer v12.0 + +## Related Queries + +- "FSAA bulk import takes too long." +- "How do I speed up FSAA bulk import in Access Analyzer?" + +## Overview + +To enhance performance during File System Bulk Imports, you can add additional indexes to the `SA_FSAA_ResourceMap` table in the Netwrix Access Analyzer (formerly Enterprise Auditor) database. Internal testing has shown significant improvements in import efficiency when these indexes are present. This guide outlines the steps for adding them safely using **SQL Server Management Studio (SSMS)**. + +> **NOTE:** This performance issue began in **Netwrix Access Analyzer v12.0** and has been **resolved in v12.0.0.1128**. Applying the indexes below is only necessary if you are using an earlier affected build. You can verify if the additional indexes are already present in your environment using the following SQL command: + +```sql +SELECT name FROM sys.indexes WHERE object_id = OBJECT_ID('SA_FSAA_ResourceMap'); +``` + +## Instructions + +1. **Stop Any Running File System Bulk Imports** + Pause any active import jobs before applying index changes to prevent locking issues or partial writes. You can restart them once all indexes are successfully added. + +2. **Launch SQL Server Management Studio (SSMS)** + Connect to your **Access Analyzer** database instance using an account with DBO privileges. 
+ +3. **Select the Correct Database** + In the **Object Explorer**, expand the appropriate server node. Then, locate and select the **Access Analyzer** database that contains the `SA_FSAA_ResourceMap` table. + +4. **Open a New Query Window** + Right-click the selected database and choose **New Query** to open a new query editor tab. + +5. **Run the Index Creation Statements** + Copy and execute the following SQL commands in the **Query** window: + +```sql +CREATE INDEX SA_FSAA_ResourceMap_AccessID_IDX ON SA_FSAA_ResourceMap (HOST, AccessID); +CREATE INDEX SA_FSAA_ResourceMap_ActivityID_IDX ON SA_FSAA_ResourceMap (HOST, ActivityID); +CREATE INDEX SA_FSAA_ResourceMap_DLPID_IDX ON SA_FSAA_ResourceMap (HOST, DLPID); +``` + +6. **(Optional) Verify Index Creation** + To ensure the indexes were created, run the following query in the **Query** window: + +```sql +SELECT name FROM sys.indexes WHERE object_id = OBJECT_ID('SA_FSAA_ResourceMap'); +``` + +![SQL Server Management Studio showing index names for the SA_FSAA_ResourceMap table](./images/servlet_image_69209af72eac.png) + +7. **Restart File System Bulk Imports** + Once indexes are confirmed, resume any imports that were previously paused. + +> **NOTE:** These indexes only need to be applied once. Future versions of the **Create Schema** job will automatically detect them and skip creation if they already exist. + +## Related Link + +- [Create Schema Job Documentation](/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-create_schema) \ No newline at end of file diff --git a/docs/kb/auditor/inactive-users-tracker-locks-out-active-accounts-not-logging-to-windows.md b/docs/kb/auditor/inactive-users-tracker-locks-out-active-accounts-not-logging-to-windows.md new file mode 100644 index 0000000000..efb4aea7c6 --- /dev/null +++ b/docs/kb/auditor/inactive-users-tracker-locks-out-active-accounts-not-logging-to-windows.md 
@@ -0,0 +1,36 @@ +--- +description: >- + Netwrix Auditor's Inactive Users Tracker uses the LastLogonTime AD attribute + to determine account inactivity; in hybrid environments some actions do not + update this attribute, which can cause active accounts to be locked. This + article explains the cause and provides a workaround by excluding users or OUs + from the monitoring scope. +keywords: + - Inactive Users Tracker + - LastLogonTime + - AD attribute + - hybrid environment + - lockout + - Netwrix Auditor + - Office 365 + - omit list + - monitoring scope +products: + - auditor +sidebar_label: Inactive Users Tracker Locks Out Active Accounts n +tags: [] +title: "Inactive Users Tracker Locks Out Active Accounts not Logging to Windows" +knowledge_article_id: kA04u000000TsnvCAC +--- + +# Inactive Users Tracker Locks Out Active Accounts not Logging to Windows + +## Symptom and Cause + +Netwrix Auditor's Inactive Users Tracker uses the `LastLogonTime` AD attribute to decide when a user was last active. Certain actions (such as logon to Office 365 on hybrid environments) do not affect this attribute, so Netwrix Auditor's Inactive Users Tracker (IUT) perceives these accounts to be inactive and locks them. + +## Solution + +You can work around this issue by omitting either the user or the OU from the monitoring scope of Netwrix Auditor's Inactive Users Tracker. This prevents IUT from acting on the account in any way, making it impossible for the tracker to set the locked status for the specified accounts. + +For additional information on omit lists for Inactive Users Tracker, refer to the following article: /docs/auditor/10.5/auditor/admin-guide/monitoringscope diff --git a/docs/kb/auditor/include-change-password-events-by-users-via-ctrl-alt-del-combination-in-netwrix-auditor-reports.md b/docs/kb/auditor/include-change-password-events-by-users-via-ctrl-alt-del-combination-in-netwrix-auditor-reports.md new file mode 100644 index 0000000000..5f8e19b35c --- /dev/null 
+++ b/docs/kb/auditor/include-change-password-events-by-users-via-ctrl-alt-del-combination-in-netwrix-auditor-reports.md @@ -0,0 +1,36 @@ +--- +description: >- + Shows how to include change password events performed by users through the + Ctrl+Alt+Del key combination in Netwrix Auditor reports. +keywords: + - change password + - Ctrl+Alt+Del + - Netwrix Auditor + - omitproplist.txt + - password reset + - Active Directory auditing + - reports +products: + - auditor +sidebar_label: Include Change Password Events by Users via Ctrl+Alt+Del +tags: [] +title: "Include Change Password Events by Users via Ctrl+Alt+Del Combination in Netwrix Auditor Reports Auditor Reports" +knowledge_article_id: kA00g000000H9TnCAK +--- + +# Include Change Password Events by Users via Ctrl+Alt+Del Combination in Netwrix Auditor Reports + +## Question + +Is it possible to include change password events performed by users through the ctrl+alt+del key combination into Netwrix Auditor reports? + +## Answer + +Yes, it is possible. Such events are omitted by default. To include them in Netwrix Auditor reports, follow the steps below: + +1. Navigate to the Netwrix Auditor for Active Directory installation folder: `C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing` by default. +2. Locate the `omitproplist.txt` file and open it with a text editor. +3. Locate the `*.PasswordChanged` line and add a `"#"` sign at the beginning so it looks like `#*.PasswordChanged`. +4. Save your edits. + +Once these changes have been applied, password resets performed by users will be shown in the Netwrix Auditor change reports. diff --git a/docs/kb/auditor/incorrect-data-in-reports-without-any-warnings.md b/docs/kb/auditor/incorrect-data-in-reports-without-any-warnings.md new file mode 100644 index 0000000000..442a521bfa --- /dev/null +++ b/docs/kb/auditor/incorrect-data-in-reports-without-any-warnings.md 
@@ -0,0 +1,44 @@ +--- +description: >- + If reports show no data or the `System` value in the **Who** column while + Netwrix Auditor System Health shows no errors, this article explains possible + causes and resolutions related to the Security event log on the file server. +keywords: + - Security event log + - Who column + - empty reports + - Event ID 521 + - overwrite events + - System Health + - gpresult + - Netwrix Auditor +products: + - auditor +sidebar_label: Incorrect data in reports without any warnings +tags: [] +title: "Incorrect data in reports without any warnings" +knowledge_article_id: kA00g000000H9dNCAS +--- + +# Incorrect data in reports without any warnings + +You receive reports containing no information or the `System` value in the **Who** column, and there are no errors or warnings in the Netwrix Auditor System Health log. + +--- + +## Possible cause + +The possible cause of this issue is the Security event log on the file server: + +- The Security event log is not populated with new events. +- The Security event log was relocated. + +--- + +## Resolution + +- If you changed the Security event log location and did not reboot your file server, the system services may fail to update their settings based on the updated configuration. Therefore, you must reboot your file server. +- If you did not relocate the Security event log, perform one of the following to resolve the issue: + - Open the Security event log using the **Event Viewer**. If the log is corrupted or contains events with ID `521`, this may indicate that there is not enough free disk space to store new information. Provide more disk space and clear the log. 
Refer to the The disk on a monitored file server is overfilled knowledge base article for more information: https://kb.netwrix.com/1262 + - Make sure that either the **Overwrite events as needed** retention method is selected, or the Security log automatic archiving option is enabled: /docs/auditor/10.5/auditor/configurationuration/windowsfileshares + - Verify with the `gpresult` tool if your settings are being overwritten by Group Policies. diff --git a/docs/kb/auditor/incorrecty-display-names-in-the-what-changed-column.md b/docs/kb/auditor/incorrecty-display-names-in-the-what-changed-column.md new file mode 100644 index 0000000000..2cf9f1afea --- /dev/null +++ b/docs/kb/auditor/incorrecty-display-names-in-the-what-changed-column.md 
@@ -0,0 +1,28 @@ +--- +description: >- + Netwrix Auditor can log system-created SharePoint objects with their system + names (for example, after enabling the Publishing feature), which can cause + incorrect display names to appear in the "What" column of reports and Change + Summaries. +keywords: + - Netwrix Auditor + - SharePoint + - Spaudit + - Publishing + - ContentDB + - What column + - Change Summaries + - display name +products: + - auditor +sidebar_label: Incorrecty Display Names in the "What Changed" col +tags: [] +title: Incorrecty Display Names in the "What Changed" column +knowledge_article_id: kA00g000000H9dOCAS +--- + +# Incorrecty Display Names in the "What Changed" column + +## Details + +When collecting data on permission changes, **Netwrix Auditor** employs native SharePoint audit (**SPaudit**) and also runs data collections on SharePoint ContentDB every 30 minutes. In some cases (for example, after enabling the **Publishing** feature on the site collection) objects are created and therefore logged by **Netwrix Auditor** with their system names. For example, `$Resources:cmscore,RoleNameViewer`. That is why the display name of the system-created objects can be reported incorrectly in the **"What"** column in reports and Change Summaries. diff --git a/docs/kb/auditor/infognition-screenpressor-installed-in-netwrix-auditor-server-and-audited-servers.md b/docs/kb/auditor/infognition-screenpressor-installed-in-netwrix-auditor-server-and-audited-servers.md new file mode 100644 index 0000000000..9b4e6706d0 --- /dev/null +++ b/docs/kb/auditor/infognition-screenpressor-installed-in-netwrix-auditor-server-and-audited-servers.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Explains what the Infognition ScreenPressor codec is, why it is installed on + the Netwrix Auditor server and audited servers, and how to reinstall it if + needed. +keywords: + - Infognition + - ScreenPressor + - codec + - Netwrix Auditor + - User Activity + - video recording + - reinstall + - download +products: + - auditor +sidebar_label: Infognition ScreenPressor Installed in Netwrix Aud +tags: [] +title: "Infognition ScreenPressor Installed in Netwrix Auditor Server and Audited Servers" +knowledge_article_id: kA04u0000000JviCAE +--- + +# Infognition ScreenPressor Installed in Netwrix Auditor Server and Audited Servers + +## Question + +After Netwrix Auditor was deployed in the environment, the Infognition ScreenPressor application was installed both in the Netwrix Auditor server and audited servers. What is Infognition ScreenPressor? Is Infognition ScreenPressor a part of the Netwrix Auditor solution? + +## Answer + +Infognition ScreenPressor is a codec used to record and playback the User Activity videos. The codec is installed automatically in the Netwrix Auditor server and the monitored servers. Uninstalling this application might lead to User Activity performance issues. + +> **NOTE:** If you do not implement User Activity monitoring in your environment, it is safe to uninstall the codec. + +In case the codec was deleted, and you'd like to reinstall the codec, you can download it using the following link: [Infognition ScreenPressor Codec ⸱ Netwrix](https://www.netwrix.com/download/ScreenPressorNetwrix.zip). + +### Attached files + +- [Infognition ScreenPressor Codec ⸱ Netwrix](https://www.netwrix.com/download/ScreenPressorNetwrix.zip) + +### Related articles + +- [ScreenPressor ⸱ Infognition](http://www.infognition.com/ScreenPressor/) 
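Review bot: In the Related articles list the Infognition link uses plain `http://www.infognition.com/ScreenPressor/`, and the Answer section points readers at a codec ZIP download with no hash or signature to check it against. Use an HTTPS URL for the vendor page if the site serves one, and consider publishing a checksum next to the `ScreenPressorNetwrix.zip` link, since the article states this binary is installed on the Netwrix Auditor server and on the monitored servers. The same download link is also repeated verbatim under Attached files; one copy is enough.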
diff --git a/docs/kb/auditor/installation-fails-with-the-category-does-not-exist-message.md b/docs/kb/auditor/installation-fails-with-the-category-does-not-exist-message.md new file mode 100644 index 0000000000..fe03660a39 --- /dev/null +++ b/docs/kb/auditor/installation-fails-with-the-category-does-not-exist-message.md 
@@ -0,0 +1,56 @@ +--- +description: >- + During installation, you receive the "Category does not exist" message due to + User Account Control settings preventing elevation. This article explains how + to change the elevation prompt behavior or disable UAC for Windows Server + 2008/Windows 7 and Windows Vista to resolve the issue. +keywords: + - Category does not exist + - User Account Control + - UAC + - secpol.msc + - Elevate without prompting + - Never notify + - Windows 7 + - Windows Vista +products: + - auditor +sidebar_label: Installation fails with the "Category does not exi +tags: [] +title: Installation fails with the "Category does not exist" message +knowledge_article_id: kA00g000000H9XxCAK +--- + +# Installation fails with the "Category does not exist" message + +The product installation fails, and the user is presented with the **"Category does not exist"** message. + +The issue may be caused by the **User Account Control** performance. + +There are two ways to resolve the issue: + +## Change the elevation prompt behavior for administrators + +1. Open the **Start** menu, navigate to **All Programs / Accessories / Run**, type in `secpol.msc` and click **OK**. +2. In the **Local Security Policy** left pane, navigate to **Local Policies / Security Options**. +3. In the right pane, double-click the following policy: **User Account Control: Behavior of the elevation prompt for administrators.** +4. On the **Local Security Settings** tab, select `Elevate without prompting` and click **OK**. The tasks that request elevation will automatically run as elevated without prompting administrator. +5. Close the **Local Security Settings** window. +6. Restart the system, if you are notified that it is needed to apply the changes. + +## Or disable User Account Control (UAC) + +- For **Windows 2008** and **Windows 7**, do the following: + +1. Open the **Start** menu, navigate to **Control Panel / User Accounts / Change User Account Control settings**. +2. 
In the **User Accounts Control Settings** window, switch to `Never notify`. +3. Restart your server to apply the changes. + +- For **Windows Vista**, do the following: + +1. Open the **Start** menu, navigate to **Control Panel / User Accounts**. +2. In the **User Accounts** window, click **User Accounts**. +3. In the **User Accounts** tasks window, click **Turn User Account Control** off. +4. If **UAC** is currently configured in **Admin Approval Mode**, the **User Account Control message appears**. Click **Continue**. +5. Clear the **Use User Account Control (UAC) to help protect your computer** check box, and then click **OK**. +6. Click **Restart Now** to apply the change right away, or click **Restart Later**, and then close the **User Accounts tasks** window. diff --git a/docs/kb/auditor/insufficient-memory-and-not-enough-storage-errors.md b/docs/kb/auditor/insufficient-memory-and-not-enough-storage-errors.md new file mode 100644 index 0000000000..cf2d0ccc17 --- /dev/null +++ b/docs/kb/auditor/insufficient-memory-and-not-enough-storage-errors.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Explains causes and resolutions for "Insufficient memory" and "Not enough + storage" errors when running Netwrix Event Log Manager, including how to + adjust Windows performance settings. +keywords: + - Insufficient memory + - E_OUTOFMEMORY + - Not enough storage + - Netwrix Event Log Manager + - SystemPropertiesAdvanced.exe + - performance settings + - Background services + - Programs + - managed object + - memory +products: + - auditor +sidebar_label: Insufficient memory and not enough storage errors +tags: [] +title: "Insufficient memory and not enough storage errors" +knowledge_article_id: kA00g000000H9Y1CAK +--- + +# Insufficient memory and not enough storage errors + +I get the following errors: +**Insufficient memory to continue the execution of the program** +**Not enough storage is available to complete this operation. (Exception from HRESULT: 0x8007000E (E_OUTOFMEMORY))** + +--- + +1. The server where **Netwrix Event Log Manager** is installed has not enough physical memory to execute the program. +2. Your managed object has more than **20-50** servers. +3. The server where **Netwrix Event Log Manager** is installed is configured to optimize memory usage for **Background services**. + +--- + +1. Increase the total amount of physical memory on your **Netwrix Event Log Manager** server. +2. Create additional managed objects and divide your managed servers between them. +3. Configure your server to optimize memory usage for **Programs**: + 1. Click **Start / Run**. Type `SystemPropertiesAdvanced.exe` and press **Enter**. + 2. In the **System properties** window click the **Settings** button under **Performance**. + 3. Navigate to the **Advanced** tab and select the **Programs** option under **Adjust for best performance of**. Click **Apply**. 
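Review bot: The two numbered lists after the error text have no headings, so nothing tells the reader that the first list is the causes and the second is the resolutions; they are separated only by `---`. Add `## Symptom`, `## Cause` and `## Resolution` headings as the neighbouring articles in this patch do, and replace the first-person "I get the following errors" opener with a neutral symptom statement. In cause 2, "more than **20-50** servers" reads as a range where a threshold is expected; say what the limit depends on.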
diff --git a/docs/kb/auditor/integrating-privilege-secure-for-access-management-with-auditor.md b/docs/kb/auditor/integrating-privilege-secure-for-access-management-with-auditor.md new file mode 100644 index 0000000000..dbce45f0cd --- /dev/null +++ b/docs/kb/auditor/integrating-privilege-secure-for-access-management-with-auditor.md 
@@ -0,0 +1,177 @@ +--- +description: >- + This article explains how to integrate Netwrix Privilege Secure for Access + Management with Netwrix Auditor, covering certificate export, connection + profile and policy configuration, and enabling the integration in monitoring + plans. +keywords: + - Netwrix Privilege Secure + - Netwrix Auditor + - integration + - certificate export + - connection profile + - access policy + - resource-based + - credential-based + - monitoring plan +products: + - auditor + - privilege-secure-access-management +sidebar_label: Integrating Privilege Secure for Access Management +tags: [] +title: "Integrating Privilege Secure for Access Management with Auditor" +knowledge_article_id: kA0Qk0000002WwfKAE +--- + +# Integrating Netwrix Privilege Secure for Access Management with Netwrix Auditor + +## Overview + +This guide describes the steps to set up Netwrix Privilege Secure for Access Management integration in Netwrix Auditor. The guide is split into sections to segment the setup process. Refer to the corresponding section to learn more about the required steps. + +## Instructions + +### Perform the Initial Setup in Netwrix Auditor + +1. In the main Netwrix Auditor menu, go to **Settings** > **Privilege Secure**. If this is the first time you are setting up the integration, click the **Set Up Integration** button. +2. Specify the Netwrix Privilege Secure for Access Management server name or the IP address with the corresponding port, and click **Next**. For example, with the default 6500 port: + `https://contoso-nps:6500/` +3. If the Netwrix Privilege Secure for Access Management server certificate is untrusted on the Netwrix Auditor host, select the **I want Auditor to trust this certificate when connecting to this server** checkbox and click **Next**. +4. Take note of the application name. You can keep the default name or change it. This article uses the default **NetwrixAuditor** name. 
+ + > **NOTE:** It is not recommended to use a space in the application name, as this may lead to incorrect operation when using Microsoft Extra ID. + +5. In the **Specify the client certificate** section, select **Generate new certificate** and click **Next**. +6. Export the Netwrix Auditor Privilege Secure for Access Management client certificate to the Netwrix Privilege Secure for Access Management server. Refer to the steps in the **Export the Certificate to Privilege Secure for Access Management Server** section. +7. In the **Dashboard** tab of Netwrix Privilege Secure for Access Management, click **Users** > **Add** > **New Application User**. +8. Specify the application name to match the application name stated in Netwrix Auditor. The default name is **NetwrixAuditor**. +9. Copy the certificate serial number value from your Netwrix Auditor server. Click **Save**. +10. Once you save the details, Netwrix Privilege Secure for Access Management generates an API key. Reveal the key, copy the value, and paste it in the **API key** field in the Privilege Secure Integration window of your Netwrix Auditor server. +11. In the Netwrix Auditor server, click **Next** > **Finish** to complete the initial setup. + +### Export the Certificate to Privilege Secure for Access Management Server + +1. On the Netwrix Auditor server, start the Microsoft Management Console—press **Windows + R**, type **mmc**, and click **OK**. +2. Go to **File** > **Add/Remove Snap-in...** +3. In the left pane, locate the **Certificates** snap-in, highlight it, and click **Add >**. +4. In the pop-up windows, select **Computer account** > **Next** > **Local computer** > **Finish**. +5. Click **OK** to save the snap-in. +6. In the left pane, go to **Certificates (Local Computer)** > **Personal** > **Certificates**. +7. Locate the Netwrix Auditor Privilege Secure for Access Management Client certificate, right-click it, and select **All Tasks** > **Export...** +8. 
In the Export Wizard, click **Next** > **No, do not export the private key** > **Next** > **DER encoded binary** > **Next**. +9. Specify the target location and name the certificate. Click **Next**, then click **Finish**. +10. A message to confirm the successful export should appear. Confirm the export by reviewing the target location. +11. Copy the exported certificate to the Netwrix Privilege Secure for Access Management server. +12. On the Netwrix Privilege Secure for Access Management server, right-click the certificate and select **Install**. +13. Select **Local machine** > **Next** > **Place all certificates in the following store:** > **Trusted Root Certification Authorities** > **Next** > **Finish**. A message to confirm the successful import should appear. + +### Create a Connection Profile + +> **NOTE:** Both credential-based and resource-based integrations require a connection profile. The steps to set up a connection profile are the same for both types of integration. + +1. In Netwrix Privilege Secure for Access Management, select the **Policy** tab and go to **Access Policy** > **Connection Profiles** in the left pane. +2. Click the plus icon to add a new connection profile. For the generic workflow, refer to the following article: https://docs.netwrix.com/connection-profiles-add-v4-2 +3. Name the connection profile to distinguish it from other non-integration-related connection profiles. +4. 
Refer to the required connection profile settings: + - Allow Proxy Auto-connect = True + - Record Proxy Session = True + + Session Control + - Max Duration = 60 + - Session End Notification = 5 + - Enable Session Extension = False + - Monitor for Logon = False + - Leave Existing Members in Group = True + - Validate Users for SSH Sessions = False + - Require Notes for Sessions = False + - Require Ticket Number for Sessions = False + + Credential Management + - Allow User to Access Password = True + - Enable credential auto-fill in browser extension = False + - Enable `Show Password` option in user interface and browser extension = False + - View Password Timeout = 20 + + Website + - Clear Website Data Before Start = True + - Clear Website Data After Stop = True + - Record Session Audio = True + + - Approval Workflow = Automatic +5. Click **Save** to save the profile settings. + +### Setting Up the Resource-based Policy for Integration + +The resource-based type of the integration requires the following items: + +- Activity +- Resource + +Refer to the following subsections for information on required steps. + +#### Create an Activity + +1. In Netwrix Privilege Secure for Access Management, select the **Policy** tab and go to **Activities** in the left pane. +2. Click the plus icon to add a new activity. For the generic workflow, refer to the following article: https://docs.netwrix.com/activities-add-v4-2 +3. Specify the activity name. This article uses the **Netwrix Auditor Domain Admin** name. Refer to the required activity settings: + - Platform = Active Directory + - Login Account = Activity Token + - Activity Type = Interactive + - Login Account Template = ` %targetDomain%\%samAccountName% ` +4. Click **Save** to save the changes. +5. Add an action to the pre-session—click the plus sign next to the **Pre-Session (Grant)** section. +6. 
Refer to the required pre-session action settings: + - Action Type = Add User to Domain Group + - Domain = `%target_domain%` + - Group = Domain Admins + - Continue on Error = False + - Action Name = Add to Domain Admins + - Paired Action's Name = Remove from Domain Admins +7. Click **Okay** to save changes. + +#### Create a Resource + +1. In Netwrix Privilege Secure for Access Management, select the **Policy** tab and go to **Resources** in the left pane. +2. Click **Add** and select **New Server**. Select **Import from AD** and select the target domain controller. + + > **NOTE:** In environments with multiple domain controllers, select the primary domain controller. + +3. In the bottom right corner, select the service account, and click **Add**. + +#### Create a Resource-based Access Policy + +1. In Netwrix Privilege Secure for Access Management, select the **Policy** tab and go to **Access Policy** in the left pane. +2. Click the plus icon to add a new access policy. For the generic workflow, refer to the following article: https://docs.netwrix.com/access-policy-add-v4-2 +3. Introduce a policy name. +4. Verify the **Type** value is **Resource Based**. Select the dedicated connection profile and click **Save**. +5. Select the **Users** tab and click **Add** to add a user. Select the application user (**NetwrixAuditor** by default) and click **Add**. +6. Select the **Activities** tab and click **Add** to add an activity. Select the **Netwrix Auditor Domain Admin** activity and click **Add**. +7. Select the **Resources** tab and click **Add** to add a resource to manage. Select the target resources and click **Add**. + +### Setting Up Credential-based Policy for Integration + +1. Specify the account for Netwrix Privilege Secure for Access Management to control—in the **Dashboard** tab, select the **Credentials** section and locate the target domain account. +2. Select the corresponding checkbox and click **Manage**. Click **Automatic**. +3. 
In the **Policy** tab, select the **Access Policy** menu in the left pane. Click the plus icon to add a new access policy. For the generic workflow, refer to the following article: https://docs.netwrix.com/access-policy-add-v4-2 +4. Introduce a policy name. +5. Verify the **Type** value is **Credential Based**. Select the appropriate dedicated connection profile and click **Save**. +6. Select the **Users** tab and click **Add** to add a user. Select the application user (**NetwrixAuditor** by default) and click **Add**. +7. Select the **Credentials** tab and click **Add** to add the managed account. Select the managed account and click **Add**. + +### Enable Integration in Target Monitoring Plan + +1. In the **Monitoring Plans** menu, select the target monitoring plan. +2. Double-click the target item. In the **Specify the Account for Collecting Data** section, select **Privilege Secure**. +3. Depending on the policy type, select the **Credential-based** or the **Resource-based** type in the **Access Policy** field. +4. For a credential-based policy, specify the user name of the user account for collecting data. +5. For a resource-based policy, specify the activity name and the resource name in the corresponding fields. + + > **IMPORTANT:** Specify the names as stated in Netwrix Privilege Secure for Access Management. + +6. Click **Save & Close**. + +## Related Links + +- https://docs.netwrix.com/connection-profiles-add-v4-2 +- https://docs.netwrix.com/activities-add-v4-2 +- https://docs.netwrix.com/access-policy-add-v4-2 diff --git a/docs/kb/auditor/integration-and-authorization-of-netwrix-auditor-in-active-directory.md b/docs/kb/auditor/integration-and-authorization-of-netwrix-auditor-in-active-directory.md new file mode 100644 index 0000000000..701d0bd44b --- /dev/null +++ b/docs/kb/auditor/integration-and-authorization-of-netwrix-auditor-in-active-directory.md 
@@ -0,0 +1,38 @@ +--- +description: >- + Explains how Netwrix Auditor integrates with Active Directory and how the AD + data collector authorizes via LDAP impersonation, with a link to protocol and + ports requirements. +keywords: + - Active Directory + - LDAP + - impersonation + - integration + - authorization + - protocols + - ports + - data collector + - Netwrix Auditor +products: + - auditor +sidebar_label: Integration and Authorization of Netwrix Auditor i +tags: [] +title: "Integration and Authorization of Netwrix Auditor in Active Directory" +knowledge_article_id: kA04u000000wnsDCAQ +--- + +# Integration and Authorization of Netwrix Auditor in Active Directory + +## Question + +How does Netwrix Auditor integrate and authorize in Active Directory? + +## Answer + +When monitoring Active Directory, the AD data collector uses impersonation calls to LDAP as an interactive logon. + +Depending on the data source, Netwrix Auditor will implement different protocols to authorize − refer to the following article for additional information on protocols used in corresponding data collectors: Requirements − Protocols and Ports Required ⸱ v10.6. + +## Related articles + +- Requirements − Protocols and Ports Required ⸱ v10.6 diff --git a/docs/kb/auditor/invalid-character-value-for-cast-specification-error-occurs-when-trying-to-store-audit-data.md b/docs/kb/auditor/invalid-character-value-for-cast-specification-error-occurs-when-trying-to-store-audit-data.md new file mode 100644 index 0000000000..5a57e36e54 --- /dev/null +++ b/docs/kb/auditor/invalid-character-value-for-cast-specification-error-occurs-when-trying-to-store-audit-data.md 
@@ -0,0 +1,70 @@ +--- +description: >- + Netwrix Auditor fails to store audit data and reports "Invalid Character Value + for cast specification." This article explains causes and provides two + workarounds to restore data collection without data loss. +keywords: + - Invalid Character Value + - cast specification + - database error + - Netwrix Auditor + - archive + - Investigations + - SQL Server + - database retention + - Archive Service +products: + - auditor +sidebar_label: Invalid Character Value for Cast Specification Err +tags: [] +title: "Invalid Character Value for Cast Specification Error Occurs When Trying to Store Audit Data" +knowledge_article_id: kA04u00000110zLCAQ +--- + +# Invalid Character Value for Cast Specification Error Occurs When Trying to Store Audit Data + +## Symptom + +Netwrix Auditor fails to store audit data although there is adequate space on the database and archive locations. During the data collection, the following error occurs: + +``` +Invalid Character Value for cast specification. +``` + +## Cause + +This error usually appears for big databases created on earlier versions of Netwrix Auditor (9.9 and older). + +## Resolution + +The source of the issue was resolved in newer versions, and since you are on 9.96 and above, select one of the workarounds below, whichever is more comfortable for you. + +**NOTE:** Netwrix recommends upgrading to the latest version to avoid database issues. + +1. Resolution 1 + + Create a new database for the monitoring plan to write data to. + + - Check which exactly databases are affected. For that, in Netwrix Auditor, go to **Health Status** dashboard -> **Database Statistics**. + - Find the plan that is writing to the affected database and click **Edit**. + - On the **Audit Database** tab, provide a new name under **Database:**, so a new one is created, and the plan starts writing to it. 
+ + Data will not be lost, since the old database will remain in the SQL instance, and also all collected data can always be imported from the Long-Term Archive. + + You can import previously collected data you need to run reports for the desired period of time using the **Investigations** feature. + + 1. In Netwrix Auditor, go to **Settings** -> **Investigations** -> **Configure**. + 2. Select a data source, check the desired monitoring plan, and set the dates. + 3. Click **Run**. + + For additional information on how to import previously collected data, refer to the following article: Investigations (/docs/auditor/10.5/auditor/admin-guide/settings). + +2. Resolution 2 + + If the previously collected data is accessible from the problematic database (check using Search filtered for the corresponding monitoring plan), create an empty plan with no Data sources and attach it to the old database for Netwrix Auditor to have access to the data in the database. + + You can review the data already collected for the past 180 days (assuming database retention settings in Netwrix Auditor are as by default). + + After the database retention period passes, you will be able to remove the old database from the SQL Server completely and will not need this empty plan anymore (stale data would be cleared according to database retention settings, and all the current data will be in the new database). + +**IMPORTANT:** If, after these workarounds, you will have the *Archive Service is busy processing activity records* error, refer to the following article: Archive Service is busy processing activity records (/docs/kb/auditor/archive_service_is_busy_processing_activity_records). diff --git a/docs/kb/auditor/invalid-user-settings-error-in-sql-server-reporting-services-settings.md b/docs/kb/auditor/invalid-user-settings-error-in-sql-server-reporting-services-settings.md new file mode 100644 index 0000000000..9fc607b740 --- /dev/null 
+++ b/docs/kb/auditor/invalid-user-settings-error-in-sql-server-reporting-services-settings.md @@ -0,0 +1,47 @@ +--- +description: >- + You may see the 'Invalid user credentials' error when you modify audit + database settings in Netwrix Auditor. This article lists causes and + resolutions. +keywords: + - SQL Server Reporting Services + - SSRS + - Invalid user credentials + - Netwrix Auditor + - audit database + - SSRS account + - permissions + - troubleshooting +products: + - auditor +sidebar_label: Invalid User Settings Error in SQL Server Reportin +tags: [] +title: "Invalid User Settings Error in SQL Server Reporting Services Settings" +knowledge_article_id: kA04u000000wnrjCAA +--- + +# Invalid User Settings Error in SQL Server Reporting Services Settings + +## Symptom + +You see the following error message when you modify audit database settings in Netwrix Auditor: + +```text +Error accessing SQL Server Reporting Services. +Check your SQL Server Reporting Services Settings. +Invalid user credentials. Update your settings if necessary or proceed with current settings. +``` + +## Causes + +- Incorrect permissions granted to the SSRS account. +- Incorrect credentials specified for the SSRS account. + +## Resolutions + +- Review the permissions granted to the SSRS account − refer to the following article for additional information on the initial setup: /docs/auditor/10.6/auditor/requirements +- Review the credentials specified for the SSRS account. + +## Related articles + +- /docs/auditor/10.6/auditor/requirements diff --git a/docs/kb/auditor/investigating-failed-logons.md b/docs/kb/auditor/investigating-failed-logons.md new file mode 100644 index 0000000000..f07e667d1a --- /dev/null +++ b/docs/kb/auditor/investigating-failed-logons.md 
@@ -0,0 +1,142 @@ +--- +description: >- + Shows how to investigate repeated failed logons and identify their source + using Event Viewer XML queries, Netwrix Auditor search, local audit policy, + and NetLogon debugging. +keywords: + - failed logon + - account lockout + - Event Viewer + - Netwrix Auditor + - NetLogon + - netlogon.log + - event ID 4625 + - XML query + - audit policy +products: + - auditor +sidebar_label: Investigating Failed Logons +tags: [] +title: "Investigating Failed Logons" +knowledge_article_id: kA00g000000PbciCAC +--- + +# Investigating Failed Logons + +## Symptom + +You have encountered a situation where an account is getting locked out from multiple failed logons. Reports show that this account is in fact performing failed logons, however, the events from which Netwrix Auditor has parsed do not provide what is causing the logon events on the workstation. + +## Cause + +There are several root causes for this scenario, but most commonly there are services or applications that are running via the locked out account. The stored credentials become expired and when the service or application attempts to authenticate via the account, it performs a failed logon. + +## Resolution + +If further investigation is needed, the XML query below can be executed against the Security Event Logs of systems that you suspect the account to being performing failed logons. + +In order to populate the Security Log with logon/logoff details, you will need to enable logon/logoff auditing via local policy. The Security Log will now provide additional logon activity details. + +Next, navigate to the Windows Event Viewer and open the Security Log. Filter the log, as seen here. + +**Enter the following query into the XML tab** + +```xml + + + + + +``` + +You will need to replace the `ACCOUNT_IN_QUESTION` of the query to the name of the account that caused failed logon. 
+Alternatively, if you want to only see auth requests and failed logon attempts, use this query: + +```xml + + + + + +``` + +You can also remove or expand the time frame by manipulating the `TimeCreated[timediff(@SystemTime) <= 43200000]` element of the query. + +- Last Hour = 3600000 +- Last 12 Hours = 43200000 +- Last 24 Hours = 86400000 +- Last 7 days = 604800000 + +### Investigating Recurring Failed Logons + +The most common scenario for failed logons is when some service or application is running using wrong credentials. To find the exact program or see more details for the logon event, please follow the instructions below: + +1. Run Netwrix Auditor → Search, and specify the filters: + **Data Source – Equals – Logon Activity** + **Action – Equals – Failed logon** +2. Find the event, and locate the workstation where the failed logon occurred. (details – originating workstation) +3. Navigate to the workstation where the failed logon occurred and enable local audit policy settings: + - Use `gpedit.msc` → `Computer Configurations` → `Windows Settings` → `Security Settings` → `Local Policies` → `Audit Policy` + - **Audit process tracking: Success, Failure** + - **Audit Logon events: Success, Failure** +4. Right-click **Start > Event Viewer > Windows > Security event log.** + Now wait for new failed logons for the account, and filter security event log by event ID 4625. +5. Find the event we are looking for (you can press Ctrl+F and enter the problematic account name). + +**NOTE**: The username in events can be indicated in different formats, for example, `domain\\user`, `user@domain.com`, or simply `user` in general. You can search for the unique part of the username, the `[user]` part in `domain\\user`. + +In the Caller Process Name you can see the name of the program which is using wrong credentials. 
+ +For example: +Caller Process Name: `C:\Program Files\Microsoft SQL Server\MSRS13.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe` +In such case you can open SQL Server Reporting Services Configuration Manager and change the credentials for user there. Also you can check if you have old SSRS instances on this server. + +Update the password for the problematic service and disable audit policies that have been enabled in step 3 after the investigation. + +### Investigating Failed Logons from Outside of Domain using Netlogon Debugging + +Sometimes failed logons occur when users from outside of Domain try to logon onto your servers. This can be detected by Netwrix Auditor when there is no domain name in the WHO field (neither `domain\\username` nor `username@domain` style). This means that there is an attempt to logon using NTLM. + +Step 1: Find your logon server +First, check which server is your domain’s logon server by typing `set logonserver` in CMD + +Step 2: Look at Event Viewer +Log into that server and open Event Viewer, or open Event viewer and choose **Action > Connect to another Computer** +Look in the Security log files, and if you see **Audit failure** with **logon type=3** that means there are Network “Netlogon” failure attempts. + +Step 3: Enable NetLogon logging +Enable NetLogon Logging: Use the following command on the logon server in a command prompt: + +```bash +nltest /dbflag:0x2080ffff +``` + +The `netlogon.log` file is located in the `%SystemRoot%\Debug` directory of the Microsoft Windows Logon Server. + +Step 4: Identify the source of the attack +In the `netlogon.log` file, you can find which entries correspond to your failed logon attempts and this will also show you what the hostname is that the attempt is coming from. +If an internal attack, the workstation name is likely part of your domain/network already. 
+If an outside attack, the hostname can be anything, even the name of a brute force program such as FreeRDP - in some cases, it may even be blank. + +Step 5: Disable NetLogon logging +When finished, and you have found examples of your impacted username being attempted, disable NetLogon Logging with this command: + +```bash +nltest /dbflag:0x0 +``` + +You don't want to keep NetLogon enabled simply because it will use resources and disk space on your system when it is not actively needed. + +Step 6: Identify Reason Codes/Error Codes +See code translations: +https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/bc-p/1561127/ + +2 Common codes you may see in the log file: +- `0XC000006A` – An incorrect password was guessed +- `0XC0000234` – An account lockout was issued from the “Via” computer name - this is the computer which is being attempted against, and which sends the lockout signal to your domain controller (or local policy holder if in a workgroup). + +If you want an overview on how Failed Logon information is collected, check this article: https://kb.netwrix.com/5905 + +If you have multiple Failed Logons, check this article: https://kb.netwrix.com/3553 + + diff --git a/docs/kb/auditor/investigations-in-netwrix-auditor-take-too-long.md b/docs/kb/auditor/investigations-in-netwrix-auditor-take-too-long.md new file mode 100644 index 0000000000..944dd347c4 --- /dev/null +++ b/docs/kb/auditor/investigations-in-netwrix-auditor-take-too-long.md 
@@ -0,0 +1,90 @@ +--- +description: >- + Explains how to use CSVExportTool to export large datasets from the Long-Term + Archive in Netwrix Auditor, enabling you to retrieve historical data more + efficiently than the Investigations export. +keywords: + - Long-Term Archive + - CSVExportTool + - Investigations + - export + - CSV + - Netwrix Auditor + - search report + - performance +products: + - auditor +sidebar_label: Investigations in Netwrix Auditor Take Too Long +tags: [] +title: "Investigations in Netwrix Auditor Take Too Long" +knowledge_article_id: kA04u00000111CjCAI +--- + +# Investigations in Netwrix Auditor Take Too Long + +## Question + +When you attempt to export data from Long-Term Archive in **Investigations**, the export process takes too long. This applies to any investigation covering a longer period (two months to two years). Is there another way to access your historical data? + +## Answer + +> **NOTE:** In **Investigations**, it is recommended to limit the investigated period to one month. + +To export a larger data collection from your Long-Term Archive, you can use CSVExportTool. It allows you to run a pre-configured search query against your Long-Term Archive and export the results to a `.csv` file. This lets you investigate a larger period of time at once, and access your historical data more efficiently. + +> **NOTE:** The account used to export data from Long-Term Archive should have **Full Control** permissions to access the Long-Term Archive folder. + +Follow these steps: + +1. In your Netwrix Auditor host, set up a search report for CSVExportTool to use. + + 1. In the main Netwrix Auditor menu, click **Search Activity Records**. + 2. Select **Advanced Mode** for the **Filter**, **Operator**, and **Value** rows to appear. + 3. Select the fields needed, and specify the date range. Refer to the following articles for additional information on filters: Administration — Simple Mode ⸱ v10.6 and Administration — Advanced Mode ⸱ v10.6. 
Once the filters are selected, run the search by clicking **Search**. + + > **NOTE:** The **Search** results displayed may be incomplete or missing entirely as you've just configured a search query. + + 4. In the top right corner, click the **Tools** menu and select **Save as report**. + 5. Name the custom report, copy the name of the report, and click **Save**. + +2. In your Netwrix Auditor host, open elevated Command Prompt, and run the following command to move to the CSVExportTool directory: + +```powershell +cd C:\Program Files (x86)\Netwrix Auditor\Audit Core +``` + +3. To save the results of the report you previously created, run the following command: + +```powershell +CsvExportTool.exe -filters "%custom_report_name%" -csv "%destination\name.csv%" +``` + +Replace `%custom_report_name%` with the report name defined in the prior steps. For example, to have the results of the **testreportcsv** report saved to `testreport123.csv` file in `C:\testfolder`: + +```powershell +CsvExportTool.exe -filters "testreportcsv" -csv "c:\testfolder\testreport123.csv" +``` + +## Additional options + +Refer to the following export customization options: + +- The **-existing** attribute allows you to overwrite or append data to the existing `.csv` file. Possible attributes are **append** and **overwrite**. The following line will overwrite the contents of the existing `testreport123.csv` file. + +```powershell +CsvExportTool.exe -existing overwrite -filters "testreportcsv" -csv "c:\testfolder\testreport123.csv" +``` + +- The **-split** attribute allows you to write each piece of data either to a separate or single row. Possible attributes are **split** and **combine**. The following line will allow you to write Activity Records to a single line. 
+ +```powershell +CsvExportTool.exe -details combine -filters "testreportcsv" -csv "c:\testfolder\testreport123.csv" +``` + +## Related articles + +- Administration — Simple Mode ⸱ v10.6 + /docs/auditor/10.6/auditor/admin-guide/search + +- Administration — Advanced Mode ⸱ v10.6 + /docs/auditor/10.6/auditor/admin-guide/search diff --git a/docs/kb/auditor/is-it-possible-to-have-ndc-sql-database-and-auditor-databases-on-the-same-sql-server.md b/docs/kb/auditor/is-it-possible-to-have-ndc-sql-database-and-auditor-databases-on-the-same-sql-server.md new file mode 100644 index 0000000000..380a69d173 --- /dev/null +++ b/docs/kb/auditor/is-it-possible-to-have-ndc-sql-database-and-auditor-databases-on-the-same-sql-server.md 
@@ -0,0 +1,35 @@ +--- +description: >- + Do not keep Netwrix Data Classification and Netwrix Auditor databases on the + same SQL Server instance; this may cause significant performance loss. See + migration guidance for moving the Netwrix Data Classification database to + another server. +keywords: + - Netwrix Data Classification + - Netwrix Auditor + - SQL Server + - database + - performance + - NDC + - migrate + - database migration +products: + - auditor + - data-classification +sidebar_label: Is It Possible to Have NDC SQL Database and Audito +tags: [] +title: "Is It Possible to Have NDC SQL Database and Auditor Databases on the Same SQL Server?" +knowledge_article_id: kA04u000001118ICAQ +--- + +# Is It Possible to Have NDC SQL Database and Auditor Databases on the Same SQL Server? + +## Question + +Is it possible to have both: Netwrix Data Classification (NDC) SQL database and the Netwrix Auditor databases on the same SQL Server instance? + +## Answer + +Netwrix strongly recommends **do not keep** these databases on the same SQL Server. This may lead to significant performance loss. + +If, for some reasons, you need to migrate your Netwrix Data Classification (NDC) SQL database to another server, refer to the following article for additional information: [How to Migrate Netwrix Data Classification Database](/docs/kb/dataclassification/how-to-migrate-the-netwrix-data-classification-database.md). diff --git a/docs/kb/auditor/japanese-characters-missing-or-displayed-incorrectly-in-pdf-reports.md b/docs/kb/auditor/japanese-characters-missing-or-displayed-incorrectly-in-pdf-reports.md new file mode 100644 index 0000000000..3019f6a3f8 --- /dev/null +++ b/docs/kb/auditor/japanese-characters-missing-or-displayed-incorrectly-in-pdf-reports.md 
@@ -0,0 +1,43 @@ +--- +description: >- + If Japanese characters are missing or displayed incorrectly in PDF reports, + install the Japanese Supplemental Fonts on the client or server. This article + explains how to add the optional font feature on Windows 10 and Windows Server + 2016 and newer. +keywords: + - Japanese + - PDF + - fonts + - Windows Server 2016 + - Windows 10 + - Japanese Supplemental Fonts + - TTF + - locale +products: + - auditor +sidebar_label: Japanese Characters Missing or Displayed Incorrect +tags: [] +title: "Japanese Characters Missing or Displayed Incorrectly in PDF Reports" +knowledge_article_id: kA04u00000110hCCAQ +--- + +# Japanese Characters Missing or Displayed Incorrectly in PDF Reports + +## Symptom + +When exporting a report in the .PDF format, Japanese characters appear missing or displaying improperly. + +## Cause + +Starting Windows Server 2016, Japanese TTF files are optional for installations with system locale different from Japanese. + +## Resolution + +For Windows 10 clients and newer, refer to the following steps: + +1. Open **Settings** > **Apps** > **(Manage) Optional features** > **Add a feature** > type **Japanese Supplemental Fonts** > check the checkbox and click **Install**. + +For Windows Server 2016 and newer, refer to the following steps: + +1. Open **Settings** > **Apps** > **(Manage) Optional features** > **Add a feature** > type **Japanese Supplemental Fonts** > check the checkbox and click **Install**. +2. In case no online option is possible, refer to the following step in the Microsoft article: [Cannot configure a language pack for Windows Server 2019 — Use LPKSetup](https://learn.microsoft.com/en-US/troubleshoot/windows-server/shell-experience/cannot-configure-language-pack-windows-server-desktop-experience#method-2-use-lpksetup). 
diff --git a/docs/kb/auditor/kds-removal-tool-for-adv-2023-003-failed-to-load-configuration-file.md b/docs/kb/auditor/kds-removal-tool-for-adv-2023-003-failed-to-load-configuration-file.md new file mode 100644 index 0000000000..c079bba044 --- /dev/null +++ b/docs/kb/auditor/kds-removal-tool-for-adv-2023-003-failed-to-load-configuration-file.md 
@@ -0,0 +1,71 @@ +--- +description: >- + If the KDS Removal tool (NetwrixAuditorKDSRemoval) cannot find + Configuration.xml and shows "Failed to load configuration file. Could not find + a part of the path", follow these steps to point the tool to the correct + Working Folder path or DataPathOverride registry key. +keywords: + - KDS + - KDS Removal + - ADV-2023-003 + - Configuration.xml + - DataPathOverride + - config.json + - Netwrix Auditor + - Working Folder +products: + - auditor +sidebar_label: KDS Removal Tool for ADV-2023-003 Failed to Load C +tags: [] +title: "KDS Removal Tool for ADV-2023-003 Failed to Load Configuration File" +knowledge_article_id: kA04u000001112ACAQ +--- + +# KDS Removal Tool for ADV-2023-003 Failed to Load Configuration File + +## Symptom + +You're unable to run the NetwrixAuditorKDSRemoval (KDS Removal) tool to delete KDS Root Key data (ADV-2023-003). The following error is prompted showing the tool is unable to reach the **Configuration.xml** file: + +``` +Failed to load configuration file. +Could not find a part of the path +``` + +![Error dialog image](images/ka04u00000117HW_0EM4u000008LwaA.png) + +## Cause + +The KDS Removal tool is unable to locate the Netwrix Auditor configuration file. + +## Solution + +1. Check the location of the configuration file (located by default in `C:\ProgramData\Netwrix Auditor\AuditCore\ConfigServer\Configuration.xml`). If a Working Folder migration was previously done, check the `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\DataPathOverride` key for a path. + +2. Open the folder you've extracted the KDS tool to. Open the `config.json` file using a text editor (e.g., Notepad++). In the **"DataPathKey"** section of the file, specify the path to your Working Folder in the **"DefaultValue"** line. Refer to the following code blocks for an example. 
+ +Original snippet (uses environment variable): + +```json +"DataPathKey": + { + "KeyPath": "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix Auditor\DataPathOverride", + "KeyName": "", + "DefaultValue": "%PROGRAMDATA%\Netwrix Auditor" + }, +``` + +Change it to a full path (example): + +```json +"DataPathKey": + { + "KeyPath": "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix Auditor\DataPathOverride", + "KeyName": "", + "DefaultValue": "C:\ProgramData\Netwrix Auditor" + }, +``` + +3. Save changes and run the tool again. + +In case these steps did not help, contact Netwrix Technical Support: https://www.netwrix.com/open_a_ticket.html. diff --git a/docs/kb/auditor/lockouts-are-not-tracked.md b/docs/kb/auditor/lockouts-are-not-tracked.md new file mode 100644 index 0000000000..c7640dc7df --- /dev/null +++ b/docs/kb/auditor/lockouts-are-not-tracked.md 
@@ -0,0 +1,43 @@ +--- +description: >- + If some account lockout events are not tracked even though auditing and + NetWrix Account Lockout Examiner settings are correct and the connection to + the domain controller (DC) shows as OK, follow the steps to verify the Windows + security log and adjust registry keys to enable proper tracking. +keywords: + - lockout + - account lockout + - domain controller + - registry + - readLog + - UseWatcher + - UseWMI + - Event Viewer + - Windows security log +products: + - auditor +sidebar_label: Lockouts are not tracked +tags: [] +title: "Lockouts are not tracked" +knowledge_article_id: kA00g000000H9dSCAS +--- + +# Lockouts are not tracked + +You noticed that some lockout events are not tracked even though audit and all settings for Netwrix Account Lockout Examiner have been configured correctly and connection to the required domain controller (DC) and audit setup are shown as OK. + +--- + +First, make sure the Windows security log on your DC is reachable: connect via **Event Viewer** and check that events are logged. If the events are written correctly, but Netwrix Account Lockout Examiner still does not track them, do the following: + +1. On the computer where Netwrix Account Lockout Examiner is installed, open Registry Editor: navigate to **Start** - **Run**, enter `regedit` and click **OK**. +2. In the Registry Editor left pane, navigate to `HKLM\Software\Wow6432Node\NetWrix\Account Lockout Examiner` (Wow6432Node only for x64 OS). +3. In the right pane, double-click `readLog` and set its value to `0`. +4. Create a new DWORD named `UseWatcher` and set its value to `1`. +5. Restart the Netwrix Account Lockout Examiner service via the Services snap-in. + +[![User-added image](images/ka04u000000HcWD_0EM700000004udF.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAcl&feoid=00N700000032Pj2&refid=0EM700000004udF) + +If the above doesn't help, try to change the value of the `UseWMI` registry key to `0`. 
+ +[![User-added image](images/ka04u000000HcWD_0EM700000004wzc.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAcl&feoid=00N700000032Pj2&refid=0EM700000004wzc) diff --git a/docs/kb/auditor/log-overwrites-warnings.md b/docs/kb/auditor/log-overwrites-warnings.md new file mode 100644 index 0000000000..3c7b924f74 --- /dev/null +++ b/docs/kb/auditor/log-overwrites-warnings.md 
@@ -0,0 +1,113 @@ +--- +description: >- + Explains causes and resolutions for "log overwrites" warnings reported by + Netwrix Event Log Manager and provides procedures to increase event log size, + configure GPO retention, enable archiving, and configure processing of + archived logs. +keywords: + - log overwrites + - event log + - Event Viewer + - Maximum log size + - Group Policy + - archive events + - Netwrix Event Log Manager + - ProcessBackupLogs + - registry +products: + - auditor +sidebar_label: Log overwrites warnings +tags: [] +title: "Log overwrites warnings" +knowledge_article_id: kA00g000000H9esCAC +--- + +# Log overwrites warnings + +**Netwrix Event Log Manager** shows the following errors: + +``` +[WARNING] log overwrites occurred on this computer since the last collection. Please increase the maximum size of the . Last collected event: 02/28/2013 18:23:14 (GMT); first new event: 02/28/2013 18:37:15 (GMT); estimated loss: 1 hour(s). Cannot find last stored event. +``` + +## Overview + +The product is configured to collect the event data at the preconfigured intervals (every 10 minutes by default), but the real frequency of the data collections depends on the number of new events in the logs of monitored servers. If the target event log is configured to **Overwrite events as needed** and the `Maximum log size` of the event log does not allow keeping all events between the data collections, the program cannot find the last collected event in the target log and detects that some events were lost. There are several reasons why the error occurs: + +## Possible causes + +1. The target event log is configured to keep `20480 Kb` of events by default and that is not enough to keep all generated events between the data collections. Refer to **Procedure 1 and 2** to increase the maximum event log size. +2. The target event log has been cleaned up manually by the system administrator. 
In this case for **Application** log, you may see the following information in the warning message: **first new event: 01/01/1970 00:00:00 (GMT)**; (see example screenshot). + +NOTE: for **Security** and **System** event logs, you can figure out who cleared the log if you can find the appropriate event in the log: + +- **System** event log: "The System log file was cleared." event (**Event ID: 104**);" +- **Security** event log: "The audit log was cleared." event (**Event ID: 1102**); +- **Application** event log: there is no way to find out who cleaned up the **Application** event log. + +3. The target event log overwrites events faster than the program collects them (often occurs with **Security** event log). Refer to **Procedure 3 and 4** to configure the problematic event log to **Archive events when full**. +4. The target event log is configured to **Archive events when full**, and **Event Log Manager** is not configured to process event logs archives. Refer to **Procedure 4** to configure Event Log Manager. + +## Procedure 1: Increase `Maximum log size` on the problematic server + +1. Log on to the problematic server and launch **Event Viewer**: Click **Start**, **Run** and type `eventvwr.msc` without quotes and press **Enter**. +2. In the left-hand panel of **Event Viewer**, navigate to the problematic log, and then right-click it and select **Properties**. +3. In the **Properties** window, change `Maximum log size` to `4194240` (Kb) as recommended by Microsoft: http://support.microsoft.com/kb/957662 + IMPORTANT: Before changing `Maximum log size`, make sure that the system drive has enough free space to store the event log of the maximum size. If not, the event log will grow and fill up all free space on the system drive and the system will stop responding. +4. Make sure the **Overwrite events as needed** option is selected and click **Apply**. 
+ +![Configuring maximum log size](images/ka04u000000HcXR_0EM700000004vPE.png) + +## Procedure 2: Increase `Maximum log size` via Group Policy Object + +1. Go to **Start** / **Administrative Tools** / **Group Policy Management**. +2. In the window displayed, go to **Group Policy Management** / **Forest Name** / **Domains** / **Group Policy Objects** / right-click the appropriate policy (or create new) and select **Edit**. **Group Policy Management Editor** starts. + +![Group Policy Management](images/ka04u000000HcXR_0EM700000004vPJ.png) + +3. In the left pane, go to **Computer Configuration** / **Policies** / **Windows Settings** / **Security Settings** / **Event Log**. Right-click **Retention method for ``**, choose **Properties**. +4. In the **Security Policy Setting** tab, check the **Define this policy setting** box and select **Do not overwrite events (clear log manually)**. Click OK. +5. Right-click **Maximum `` size**, choose **Properties**. +6. In the **Security Policy Setting** tab, check the **Define this policy setting** box and set the size to `4194240` Kb as recommended by Microsoft: http://support.microsoft.com/kb/957662 + IMPORTANT: The affected machines must have enough free space on their system drives for storing the event log of the maximum size. If not, the event log will grow and fill up all free space on the system drive and the system will stop responding. + +![Group Policy Management Editor](images/ka04u000000HcXR_0EM700000004vPO.png) + +7. Close **Group Policy Object Editor** and link the configured GPO to the required OUs and containers in **Group Policy Management**. +8. OPTIONAL: Upgrade the group policies on the problematic servers by performing the following command: + ``` + gpupdate /force + ``` + +## Procedure 3: Configure the problematic event log to **Archive events when full** + +1. On the problematic server, click **Start** / **Run**, type `rsop.msc` and press **Enter**. +2. 
When the **Resultant Set of Policy** is processed, expand **Computer Configuration** / **Windows Setting** / **Security Settings** / **Event Log**. +3. Make sure that the **Retention method for ``** policy setting has the **Not Defined** or **Manually** value set. If not, change this setting using **Group Policy Management Editor** as described in **Procedure 2**. + +![RSOP Results](images/ka04u000000HcXR_0EM700000004vPT.png) + +4. Perform the following steps: + - Click **Start** / **Run**, type `eventvwr.msc` and press **Enter**. The **Event Viewer** window will be displayed. + - Expand the **Windows Log** node, right-click **Security** and select **Properties**. + - In the **Maximum Log Size** field, set the following value: `4194240` (Kb). + - Select the **Archive the log when full, do not overwrite events** radio button. + - Click the **Clear Log** button. Click the **Apply** button. + +![Event Viewer Settings on Windows 2008](images/ka04u000000HcXR_0EM700000004vPn.png) + +NOTE: These maximum sizes are recommended by Microsoft: http://support.microsoft.com/kb/957662 +IMPORTANT: Before you change `Maximum log size` and enable the **Archive events when full** option, make sure that the system drive has enough free space to store the event log and log's backup files of the maximum size. If not, the event log will grow and fill up all free space on the system drive and the system will stop responding. + +5. Perform the steps from **Procedure 4** to allow the product to collect and to clear the log's backup files. + +## Procedure 4: Configuring event log's backup files processing + +1. On the computer that has Netwrix software installed, Click **Start** / **Run**, type `regedit` and press **Enter**. The **Registry Editor** window will be displayed. +2. Expand `HKEY_LOCAL_MACHINE/SOFTWARE/NetWrix/` (`HKLM/Software/Wow6432Node/NetWrix/` for a 64-bit operating system) and click the **Event Log Manager** key. +3. 
Change the values of the following keys: + +- `ProcessBackupLogs` set to `1` +- `CleanAutoBackupLogs` set to `X` (if you want the archives to be removed when all events in them are older than `X` hours, for example: `24` hours). + +![Event Log Manager Registry Settings](images/ka04u000000HcXR_0EM700000004vPs.png) diff --git a/docs/kb/auditor/logon-failed-for-unattended-execution-account-running-netwrix-auditor-reports.md b/docs/kb/auditor/logon-failed-for-unattended-execution-account-running-netwrix-auditor-reports.md new file mode 100644 index 0000000000..ac3cc0faeb --- /dev/null +++ b/docs/kb/auditor/logon-failed-for-unattended-execution-account-running-netwrix-auditor-reports.md 
@@ -0,0 +1,69 @@ +--- +description: >- + This article explains how to resolve the "Logon failed for the unattended + execution account" error when running Netwrix Auditor reports by verifying + execution account credentials in Report Server Configuration Manager or in the + rsreportserver.config file. +keywords: + - Netwrix Auditor + - SSRS + - rsreportserver.config + - unattended execution account + - rsLogonFailed + - execution account credentials + - SQL Server Reporting Services + - Logon failed +products: + - auditor +sidebar_label: Logon Failed for Unattended Execution Account Runn +tags: [] +title: "Logon Failed for Unattended Execution Account Running Netwrix Auditor Reports" +knowledge_article_id: kA04u00000111H5CAI +--- + +# Logon Failed for Unattended Execution Account Running Netwrix Auditor Reports + +## Symptom + +The following error occurs when trying to run Netwrix Auditor reports: + +```text +The report server has encountered a configuration error. +Logon failed for the unattended execution account. (rsServerConfigurationError) +Log on failed. Ensure the user name and password are correct. (rsLogonFailed) +The user name or password is incorrect +``` + +## Causes + +- Credentials for the execution account used in your Report Server Configuration Manager instance are incorrect. +- Incorrect credentials for an execution account are saved in the `rsreportserver.config` file and are prompted upon a login. + +## Resolutions + +To verify credentials for an execution account in Report Server Configuration Manager, follow these steps: + +1. In the **Start** menu on your SQL server, select the **Microsoft SQL Server Reporting Services** folder > **Report Server Configuration Manager**. +2. Connect to the server. +3. In the left pane, select the **Execution Account** tab. +4. Review the credentials provided, and click **Apply**. + +If no credentials are visible in Report Server Configuration Manager, follow these steps: + +1. 
Locate the `rsreportserver.config` file. Refer to the following path for SQL Server Reporting Services (2016): + + ```text + C:\Program Files\Microsoft SQL Server\MSRS13.MSSQLSERVER\Reporting Services\ReportServer + ``` + + Refer to the following path for SQL Server Reporting Services (2017 and later): + + ```text + C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer + ``` + +2. Open the `rsreportserver.config` file in a text editor, and locate the `` node. + + ![UnattendedExecutionAccount node](images/ka04u00000117zS_0EM4u000008MT4S.png) + +3. Delete the credentials specified in ``, ``, and `` fields. diff --git a/docs/kb/auditor/logon-failures-in-multi-domain-environments.md b/docs/kb/auditor/logon-failures-in-multi-domain-environments.md new file mode 100644 index 0000000000..8fdb0b7b82 --- /dev/null +++ b/docs/kb/auditor/logon-failures-in-multi-domain-environments.md 
@@ -0,0 +1,58 @@ +--- +description: >- + Explains why Netwrix Auditor service account logon attempts fail in + multi-domain environments and provides steps to suppress or resolve these + failures. +keywords: + - Netwrix Auditor + - logon failures + - multi-domain + - Kerberos + - IgnoreRootDCErrors + - Active Directory + - omitexchangeserverlist + - Exchange + - monitoring plan +products: + - auditor +sidebar_label: Logon Failures in Multi-domain Environments +tags: [] +title: "Logon Failures in Multi-domain Environments" +knowledge_article_id: kA04u000000PoMKCA0 +--- + +# Logon Failures in Multi-domain Environments + +## Symptoms + +- The service account used for collecting data in **Netwrix Auditor** is trying to authenticate to a different domain in a multi-domain environment. +- The security event log for the other domain server contains recurring entries on failed logon attempts by the **Netwrix Auditor** service account. The result code is `0x6` — `Client not found in Kerberos database`. + +## Cause + +In multi-domain environments, Active Directory Auditing collectors may connect to servers in other domains: + +- Root DCs. +- Exchange servers. +- Forest domain DCs. + +## Solutions + +- Root DC errors can be omitted: + 1. Open **Registry Editor** (**Start** > **Run** > **regedit**). + 2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\AD Change Reporter`. + 3. Create a new **DWORD (32-bit)** value and name it **IgnoreRootDCErrors**. + 4. Right-click the value and select **Modify**. + 5. Set the value data to **1**. + +- If you would like to prevent **Netwrix Auditor** from accessing Exchange servers, you can use the `omitexchangeserverlist` omit list to specify Exchange servers to be omitted from the monitoring scope. The list can be found in `%Netwrix Auditor installation folder%\Active Directory Auditing`. + +- You can also disable schema and configuration monitoring options for your Active Directory monitoring plan: + 1. 
In the main **Netwrix Auditor** menu, select **Monitoring Plans**. + 2. Select your monitoring plan for Active Directory and click **Edit**. + 3. Select the data source and click **Edit data source**. + 4. Uncheck the **Schema** and **Configurations** checkboxes. + 5. Click **Save** to save changes. + +- You can also setup a trust between the server domain and the affected domain with a single service account to collect the data. For additional information on a single dedicated service account used for data collection and reporting purposes, refer to the following article: Active Directory — Overview (/docs/auditor/10.5/auditor/permissions/datacollection/activedirectory). + For additional information on restrictions in a multi-domain environment, refer to the following article: Server and Client — Domains and Trusts (/docs/auditor/10.5/auditor/installation/deployment/serverclient). diff --git a/docs/kb/auditor/logon-prompt-extension-deployment-problems.md b/docs/kb/auditor/logon-prompt-extension-deployment-problems.md new file mode 100644 index 0000000000..9c83fb87e8 --- /dev/null +++ b/docs/kb/auditor/logon-prompt-extension-deployment-problems.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Instructions to enable GPO software installation logging to troubleshoot Logon + Prompt Extension deployment failures and how to collect and submit the + diagnostic log. +keywords: + - Logon Prompt Extension + - GPO + - AppMgmtDebugLevel + - Appmgmt.log + - troubleshooting + - Windows registry + - deployment +products: + - auditor +sidebar_label: Logon Prompt Extension deployment problems +tags: [] +title: "Logon Prompt Extension deployment problems" +knowledge_article_id: kA00g000000PbdXCAS +--- + +# Logon Prompt Extension deployment problems + +## Problem +Logon Prompt Extension is not being deployed via GPO. + +There could be several different reasons for this issue. You must collect additional information to support the investigation. + +## Resolution +To investigate further, enable GPO software installation logging as described in the Microsoft KB article: http://support.microsoft.com/kb/249621 + +Follow these steps on the problematic client computer: + +1. Launch `regedit` and navigate to the following key: + - `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics` + - You may have to create the `Diagnostics` registry subkey if it is not present. + +2. In the `Diagnostics` key create a new value: + - Type: `DWORD` + - Name: `AppMgmtDebugLevel` + - Value: `4b (HEX)` + +3. Reproduce the issue — try to install the Logon Prompt Extension via GPO. + +4. Create a new ticket on our site (https://www.netwrix.com/support_ticket.html) and send the diagnostic file: + - ` %SystemRoot%\DebugUserMode\Appmgmt.log ` + +**NOTE:** We recommend that you delete the `AppMgmtDebugLevel` registry value to avoid performance degradation after sending the log files to us. diff --git a/docs/kb/auditor/logon-request-contained-an-invalid-logon-type-value.md b/docs/kb/auditor/logon-request-contained-an-invalid-logon-type-value.md new file mode 100644 index 0000000000..d04087be9d --- /dev/null 
+++ b/docs/kb/auditor/logon-request-contained-an-invalid-logon-type-value.md 
@@ -0,0 +1,50 @@ +--- +description: >- + This article explains the cause of the "A logon request contained an invalid + logon type value" error in Netwrix Auditor and shows how to resolve it by + specifying the collecting account in the correct domain\\username format. +keywords: + - logon + - logon type + - monitoring plan + - data collection + - domain\\username + - Netwrix Auditor + - error + - troubleshooting + - account +products: + - auditor +sidebar_label: Logon Request Contained an Invalid Logon Type Valu +tags: [] +title: "Logon Request Contained an Invalid Logon Type Value" +knowledge_article_id: kA04u0000000Hh5CAE +--- + +# Logon Request Contained an Invalid Logon Type Value + +## Symptom and Cause + +You've encountered the following error: + +``` +A logon request contained an invalid logon type value +``` + +This error may occur in case the account name wasn't specified correctly during the configuration process for a monitoring plan. + +## Resolution + +Specify the account for collecting data of the affected monitoring plan in the `domain\\username` format: + +1. In the main **Netwrix Auditor** menu, click the **Monitoring plans** button. +2. In the left pane, select the affected monitoring plan and click **Edit**. You can check all the monitoring plans set up in case you're unsure about the particular affected plan. +3. In the right pane, select **Edit settings** in the **Monitoring Plan** section. +4. In the left pane, select the **Data Collection** tab and edit the **User name** field contents to suit the `domain\\username` format. + +Alternatively you can check the account configured in **Netwrix Auditor**: + +1. In the top right corner of the main **Netwrix Auditor** screen, select **Settings**. +2. In the **General** tab of the left pane, click **Manage** under **Accounts and passwords** section. 
+ +> **NOTE:** If the error persists after you've checked all monitoring plans, contact [Netwrix Technical Support](https://www.netwrix.com/open_a_ticket.html). diff --git a/docs/kb/auditor/logon-request-contained-invalid-logon-type-value-in-netwrix-auditor-health-log.md b/docs/kb/auditor/logon-request-contained-invalid-logon-type-value-in-netwrix-auditor-health-log.md new file mode 100644 index 0000000000..95b9b98574 --- /dev/null +++ b/docs/kb/auditor/logon-request-contained-invalid-logon-type-value-in-netwrix-auditor-health-log.md 
@@ -0,0 +1,69 @@ +--- +description: >- + Explains the causes and step-by-step resolution for the Health Log error "A + logon request contained an invalid logon type value" in Netwrix Auditor, + including how to verify data collecting account credentials and permissions. +keywords: + - Health Log + - invalid logon type + - data collecting account + - monitoring plan + - Netwrix Auditor + - gMSA + - Local Administrator + - no data collected +products: + - auditor +sidebar_label: Logon Request Contained Invalid Logon Type Value i +tags: [] +title: "Logon Request Contained Invalid Logon Type Value in Netwrix Auditor Health Log" +knowledge_article_id: kA04u00000111EVCAY +--- + +# Logon Request Contained Invalid Logon Type Value in Netwrix Auditor Health Log + +## Symptom + +- The following errors are prompted in your Health Log: + +```text +Monitoring plan: %affected_monitoring_plan_name% +Item: %affected_item% +The following error has occurred: +Failed to get a list of audited computers in %affected_item% due to the following error: +A logon request contained an invalid logon type value +``` + +```text +Monitoring plan: %affected_monitoring_plan_name% +Your monitoring plan does not contain items of this data source type. +``` + +- No data is collected in the affected monitoring plan. + +## Causes + +- The data collecting account credentials were specified incorrectly. +- The data collecting account permissions are misconfigured. +- The gMSA account was not assigned a Local Administrator role. + +## Resolution + +To verify the data collection account credentials were specified correctly, refer to the following steps: + +1. In the main Netwrix Auditor menu, select **Monitoring Plans**. +2. In the left pane, select the affected monitoring plan, and click **Edit**. +3. In the left pane, click **Edit settings** under the **Monitoring Plan** section. +4. In the left pane, select the **Data Collection** tab, and review the data collecting account credentials. 
+ +> **NOTE:** Make sure the data collecting account is specified in the `domain\account` name format. + +5. Save changes and allow the monitoring plan some time to collect data. + +Alternatively, you might have a particular data collecting account set up for a specific item. You can review the corresponding data collecting account credentials by clicking **Edit Item** under the **Item** section. + +For additional information on configuring your data collecting account, refer to the following article: /docs/auditor/10.6/auditor/admin-guide/monitoringplans (Monitoring Plans — Data Collecting Account ⸱ v10.6). + +## Related articles + +- /docs/auditor/10.6/auditor/admin-guide/monitoringplans (Monitoring Plans — Data Collecting Account ⸱ v10.6) diff --git a/docs/kb/auditor/logs-to-collect-for-netwrix-auditor-sms-alert-issues.md b/docs/kb/auditor/logs-to-collect-for-netwrix-auditor-sms-alert-issues.md new file mode 100644 index 0000000000..84fdbbae0a --- /dev/null +++ b/docs/kb/auditor/logs-to-collect-for-netwrix-auditor-sms-alert-issues.md 
@@ -0,0 +1,45 @@ +--- +description: >- + If Netwrix Auditor sends email alerts but not SMS, collect the AlertsSender + verbose logs and the NwArchiveSvc logs as described so Netwrix Support can + troubleshoot SMS alert delivery. +keywords: + - Netwrix Auditor + - SMS + - alerts + - logs + - AlertsSender.ini + - NwArchiveSvc + - Audit Core + - verbose logging + - troubleshooting +products: + - auditor +sidebar_label: Logs to Collect for Netwrix Auditor SMS Alert Issu +tags: [] +title: "Logs to Collect for Netwrix Auditor SMS Alert Issues" +knowledge_article_id: kA0Qk0000000ZdhKAE +--- + +# Logs to Collect for Netwrix Auditor SMS Alert Issues + +## Qusetion + +Netwrix Auditor does not send SMS alerts, while email alerts work fine. What logs should be collected and provided to the Netwrix support team to troubleshoot the issue? + +## Answer + +Follow the steps below to collect the necessary logs: + +1. On the Auditor Server, locate the **Audit Core** folder (by default, `C:\Program Files (x86)\Netwrix Auditor\Audit Core`). +2. In the **Audit Core** folder, locate the `GlobalSettings.ini` file. +3. Copy this file to the desktop and rename the copy to `AlertsSender.ini`. +4. Open the `AlertsSender.ini` file with any text editor, for example, **Notepad++**, and find the `MaxSeverity` line. +5. Change the value on this line from `INFO` to `DBG`. +6. Save the `AlertsSender.ini` file, and then copy it back into the **AuditCore folder**. The `AlertsSender.ini` file is required for the AlertsSender process to generate logs. +7. Open the **Services** snap-in and restart the **Netwrix Auditor Core Service** and the **Netwrix Auditor Archive Service**. +8. Make a test change to trigger the affected alert, then go to the associated monitoring plan and click **Update**. This should help trigger the alert. Also, you can wait for the product to process the data (approximately 24 hours). +9. 
Once you have allowed enough time through either test changes or natural events, locate the **NwArchiveSvc** folder (default location is `C:\ ProgramData\Netwrix Auditor\Logs\AuditCore`). +10. Copy the **NwArchiveSvc** folder to another location, compress it, and attach it to the corresponding ticket in the Netwrix Customer Portal: https://www.netwrix.com/sign_in.html. +11. When done, remove the `AlertsSender.ini` file from the **AuditCore** folder. +12. Restart the **Netwrix Auditor Core Service** and the **Netwrix Auditor Archive Service** again to stop verbose logging once testing is complete. diff --git a/docs/kb/auditor/long-data-collection-improving-the-performance.md b/docs/kb/auditor/long-data-collection-improving-the-performance.md new file mode 100644 index 0000000000..a7ed008c9d --- /dev/null +++ b/docs/kb/auditor/long-data-collection-improving-the-performance.md 
@@ -0,0 +1,103 @@ +--- +description: >- + Steps to improve Netwrix Auditor performance when data collection takes too + long, including guidance on monitoring plans, hardware, network compression, + database retention, antivirus exclusions, scope settings, and omit lists. +keywords: + - Netwrix Auditor + - performance + - data collection + - monitoring plans + - database retention + - network compression + - antivirus exclusions + - Event Log Manager + - omit lists +products: + - auditor +sidebar_label: Long Data Collection — Improving the Performance +tags: [] +title: "Long Data Collection — Improving the Performance" +knowledge_article_id: kA00g000000H9WjCAK +--- + +# Long Data Collection — Improving the Performance + +## Question + +Data collection takes too long to complete. How to improve the Netwrix Auditor performance to speed up the data collection? + +## Answer + +The following recommendations will allow you to improve the overall Netwrix Auditor performance. + +### Split data sources in separate monitoring plans + +For the initial setup and post-setup stages, it is highly recommended to stick to the following structure: + +- One database per monitoring plan. +- One monitoring plan per data source. + +> **NOTE:** It is possible to split collections of specific data sources in multiple monitoring plans, although it is important to considering the following: +> +> - SQL edition (Express or Standard or other). +> - Average number of activity records of your single data source. +> - Hardware limitations. + +In general, it is recommended to use different databases for different data sources to avoid rapid database size growth and ease the troubleshooting process. 
For additional information on creation of monitoring plans, refer to the following article: /docs/auditor/10.6/auditor/admin-guide/monitoringplans + +### Hardware limitations + +In case of recent changes to your environment that led to hindered performance, refer to the following article for reference on hardware requirements for your infrastructure: /docs/auditor/10.6/auditor/requirements + +### Network traffic compression + +To reduce network traffic in distributed deployments, multi-site networks, and other environments with remote locations that have limited bandwidth, it is recommended to use network traffic compression. This option also helps reduce the CPU load for the Netwrix Auditor host — for additional information on setting up traffic compression, refer to the following article: /docs/auditor/10.6/auditor/admin-guide/healthstatus + +### Decrease database retention period + +Depending on your environment and needs, the Audit Database retention period can be either increased or decreased. It should be noted, that higher retention period for any database will also lead to greater database sizes and longer times to search for stored data. For additional information on setting a database retention period, refer to the following article: /docs/auditor/10.6/auditor/admin-guide/settings + +### Exclude Netwrix-related folders from antivirus scans + +As Netwrix Auditor creates and writes audit data in smaller portions, your antivirus suite will attempt to check every new or edited file to complete the threat check. Full file reads might take extra time to complete, hindering the writing capability of Netwrix Auditor, in some cases leading to timeouts and additional RAM and CPU loads. 
Refer to the following article for additional information on folders to be excluded from regular antivirus checks: /docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor + +### Set up data collection for State-in-Time reports + +Some collectors allow for scheduling of State-in-Time data collection — increasing the time window between these events will help to avoid resource consumption spikes. Same applies to Activity Summary reports — increasing the time window between these reports will allow you to decrease the momentary loads. Both these changes won't affect the overall resource consumption, they will distribute the consumption evenly. Refer to the following article for additional information on editing data sources: /docs/auditor/10.6/auditor/admin-guide/monitoringplans + +### Specify domain controllers and Exchange servers for data collection + +You can specify DCs and Exchange servers to collect data from — this allows to mitigate the effects of decreased network availability, the hardware underperformance, and distance to the Netwrix host of domain controllers and Exchange servers. Refer to `dclist.txt`, `dirsyncdclist.txt`, and `aal_serverlist.txt` files to list the closest and most reliable DCs and Exchange servers. + +### Group membership + +Group membership data is collected to include information on group membership of the account that performed a change or an action. Disabling the group membership data collection will reduce the monitoring scope to the audited domain only, but this might increase the overall Active Directory Auditing performance as Netwrix Auditor won't have to query global catalogs in the forest. Refer to the following steps to disable the group membership monitoring: + +1. Select your monitoring plan and click **Edit**. +2. Select the appropriate data source and click **Edit data source** in the right pane. +3. Select the **General** tab in the left pane. +4. 
Uncheck the **Group membership** under the **Detect additional details** section. + +### Event Log Manager + +In case you have an Event Log Manager plan set up, make sure it doesn't monitor data covered by one of your Netwrix Auditor monitoring plans to avoid redundant monitoring data and performance impact. Refer to the following steps to can disable event log collection via Event Log Manager: + +1. Launch Netwrix Auditor Event Log Manager. +2. Select your monitoring plan and click **Edit**. +3. In the top left corner, uncheck the **Enable event log collection** checkbox and click **Save**. + +### Omit lists + +You can limit the monitoring scope in your environment via omit lists — this allows to proactively decrease the DB loads as changes for omitted items are not recorded. For additional information on how to exclude users and objects via Netwrix Auditor UI, refer to the following article: /docs/kb/auditor/how_to_exclude_users_and_objects_from_monitoring_scope_in_netwrix_auditor_ui. For additional information on available omit lists, review the corresponding article applicable to your target system. For example, for Active Directory omit lists, refer to the following article: /docs/auditor/10.6/auditor/admin-guide/monitoringplans/activedirectory + +### Related articles + +- /docs/auditor/10.6/auditor/admin-guide/monitoringplans +- /docs/auditor/10.6/auditor/requirements +- /docs/auditor/10.6/auditor/admin-guide/healthstatus +- /docs/auditor/10.6/auditor/admin-guide/settings +- /docs/kb/auditor/antivirus_exclusions_for_netwrix_auditor +- /docs/auditor/10.6/auditor/admin-guide/monitoringplans +- /docs/kb/auditor/how_to_exclude_users_and_objects_from_monitoring_scope_in_netwrix_auditor_ui +- /docs/auditor/10.6/auditor/admin-guide/monitoringplans/activedirectory diff --git a/docs/kb/auditor/malformed-control-request.md b/docs/kb/auditor/malformed-control-request.md new file mode 100644 index 0000000000..609a14c191 --- /dev/null 
+++ b/docs/kb/auditor/malformed-control-request.md @@ -0,0 +1,45 @@ +--- +description: >- + Explains why Account Lockout Examiner returns "Malformed control request" when + you send a remote control email and lists the required email structure to + unlock accounts. +keywords: + - account lockout + - malformed control request + - Account Lockout Examiner + - UNLOCK + - remote control email + - UTF-8 + - lockout notification + - unlock code +products: + - auditor +sidebar_label: Malformed control request +tags: [] +title: "Malformed control request" +knowledge_article_id: kA00g000000H9a1CAC +--- + +# Malformed control request + +When I send remote control e-mail to Account Lockout Examiner to unlock user account, I get a reply saying: + +**Malformed control request** + +--- + +Account Lockout Examiner requires a specific structure of an e-mail to unlock the user account. + +It should be a reply to lockout notification and shall have the code specified after `UNLOCK:` keyword. + +For example: + +![User-added image](images/ka04u000000HcT2_0EM700000005kEC.png) + +--- + +Make sure that: +1. you reply to a lockout notifications +2. `UNLOCK:` keyword is specified +3. the quoted e-mail was not changed +4. you reply in UTF-8 encoding. diff --git a/docs/kb/auditor/managed-objects-disappear-after-disk-space-on-system-drive-fills-up.md b/docs/kb/auditor/managed-objects-disappear-after-disk-space-on-system-drive-fills-up.md new file mode 100644 index 0000000000..193d7d6b53 --- /dev/null +++ b/docs/kb/auditor/managed-objects-disappear-after-disk-space-on-system-drive-fills-up.md 
@@ -0,0 +1,35 @@ +--- +description: >- + If the system drive fills up, managed objects can disappear. Restore the + NetwrixChangeReporterConfig.xml file from backup and open a support ticket + with the pre-restore copy so Netwrix can investigate. +keywords: + - managed objects + - disk space + - system drive + - NetwrixChangeReporterConfig.xml + - restore + - backup + - support ticket + - Customer Portal + - Netwrix +products: + - auditor +sidebar_label: Managed Objects Disappear After Disk Space on Syst +tags: [] +title: "Managed Objects Disappear After Disk Space on System Drive Fills Up" +knowledge_article_id: kA00g000000H9S5CAK +--- + +# Managed Objects Disappear After Disk Space on System Drive Fills Up + +## Summary +Sometimes after filling up the space on the system drive your managed objects may disappear. The root cause has not yet been determined. + +## Resolution +1. Restore the `NetwrixChangeReporterConfig.xml` file from backup. +2. By default, this file can be found at: `C:ProgramDataNetWrixManagement Console` +3. Prior to restoring the file, create a support ticket on our Customer Portal and send us a copy of the `NetwrixChangeReporterConfig.xml` file that you have (pre-restore version). This will allow us to gather more data to reproduce this issue and understand the root cause. + +The Customer Portal can be found at the following URL: +http://www.netwrix.com/customers/tickets.html?source=supportmenu diff --git a/docs/kb/auditor/manually-update-user-activity-core-service.md b/docs/kb/auditor/manually-update-user-activity-core-service.md new file mode 100644 index 0000000000..712171ce32 --- /dev/null +++ b/docs/kb/auditor/manually-update-user-activity-core-service.md 
@@ -0,0 +1,121 @@ +--- +description: >- + Shows how to manually update Netwrix Auditor User Activity Core Service on + single or multiple target servers when versions mismatch, including PowerShell + and batch methods. +keywords: + - netwrix + - auditor + - user activity + - core service + - UACoreSVCSetup + - uninstall + - powershell + - batch + - UAVR +products: + - auditor +sidebar_label: Manually Update User Activity Core Service +tags: [] +title: "Manually Update User Activity Core Service" +knowledge_article_id: kA0Qk0000000PJNKA2 +--- + +# Manually Update User Activity Core Service + +## Question + +The Netwrix Auditor User Activity Core Service version in a target server does not correspond to the version of the Auditor server. Is it possible to manually update User Activity Core Service in either all or specific target servers? + +## Answer + +> **NOTE:** Refer to the following article for additional information on establishing the version of your Auditor server: /docs/kb/auditor/how_to_find_out_my_netwrix_auditor_version (How to Find Out My Netwrix Auditor Version). + +> **IMPORTANT:** It is recommended to stop User Activity services in the Netwrix server before making changes to installed Core Services in targets. Run the following command in elevated PowerShell to stop User Activity Core Service and Audit Service: +> +> ```powershell +> Stop-Service -DisplayName "Netwrix Auditor User Activity *" +> ``` + +User Activity Core Service is designed to be deployed automatically when adding items to the corresponding monitoring plan. The Core Service version is supposed to match the Auditor server version − the service is updated on each Auditor server upgrade. In case of connectivity issues during the upgrade procedure, Core Service in a target server may be skipped leading to a version mismatch. Refer to the following steps to manually update Core Service in affected servers depending on the scope of the out-of-date Core Service targets. 
+ +### Update Core Service in a single target server + +1. Remove the server item from the User Activity monitoring plan and add it again. In the User Activity monitoring plan, select the target server and click **Remove item** in the right pane. To verify the status of Core Service in a target server, select **Edit Data Source** > the **Monitored Computers** tab. +2. Manually delete the User Activity Core Service app from the target server. In the target server, proceed to the **Settings** menu > **Apps (& Features)** > select **Netwrix Auditor User Activity Core Service** > click **Uninstall**. Allow the Auditor server some time to reinstall Core Service. +3. Update Core Service by manually installing the new version in the affected server − in your Auditor server, copy the `UACoreSVCSetup.exe` file located by default in the following directory: + + ```text + C:\Program Files (x86)\Netwrix Auditor\User Activity Video Recording + ``` + + Copy the `.exe` file to the affected server and run it. Proceed with the installation steps to update your Core Service version. + +> **IMPORTANT:** If User Activity services were previously stopped in Auditor server, start them after deleting Core Service in target servers. This will allow Auditor server to install the new version automatically or detect the updated service. Run the following command in elevated PowerShell: +> +> ```powershell +> Start-Service -DisplayName "Netwrix Auditor User Activity *" +> ``` + +### Manually update Core Service in multiple target servers − Option #1 + +1. Download the following PowerShell script: https://www.netwrix.com/download/products/KnowledgeBase/Uninstall-NetwrixProduct.ps1 (Uninstall-NetwrixProduct.ps1). +2. In elevated PowerShell in your Netwrix server, run the script to uninstall Core Service from all target servers in the User Activity monitoring plan: + + ```powershell + . 
.\Uninstall-NetwrixProduct.ps1 + Uninstall-UAVRAgents -Verbose + ``` + + > **NOTE:** Make sure to either `cd` or `Set-Location -Path` to the directory containing the script. + +3. The output for the PowerShell script should include the `Status: Uninstalled` lines. + +> **IMPORTANT:** If User Activity services were previously stopped in Auditor server, start them after deleting Core Service in target servers. This will allow Auditor server to install the new version automatically. Run the following command in elevated PowerShell: +> +> ```powershell +> Start-Service -DisplayName "Netwrix Auditor User Activity *" +> ``` + +### Manually update Core Service in multiple target servers − Option #2 + +1. Create a temporary folder for the files used. This article implements the **tmp** folder located in `C:\TMP`. +2. Create a `.txt` file containing a list of affected servers. To automate the task, you can use the following PowerShell command: + + ```powershell + Get-ADComputer -Filter * -SearchBase "DistinguishedName_of_affected_servers_OU" | Select -Expand Name | Out-File -filepath C:\TMP\servers.txt -Encoding ascii + ``` + + Replace the `DistinguishedName_of_affected_servers_OU` with the actual distinguished name of the OU containing affected servers. Replace the filepath with the actual filepath for the folder used. + +3. Create a `delete_UAVR.bat` file in the same folder. Edit it to add the following contents: + + ```batch + @echo off + for /F "tokens=*" %%A in (servers.txt) do echo Processing %%A & wmic /node:"%%A" product where "description='Netwrix Auditor User Activity Core Service'" call uninstall + ``` + + Save the changes. + +4. Run PowerShell as a user having permissions to uninstall applications in target servers. +5. Run the `.bat` file: + + ```powershell + . .\delete_UAVR.bat + ``` + + > **NOTE:** Make sure to either `cd` or `Set-Location -Path` to the directory containing the `.bat` file. + +6. 
The output for each deleted Core Service in each server should include a `ReturnValue = 0` line. +7. Once the `.bat` file finishes running, you can run it again to verify Core Service instances were deleted. + +> **IMPORTANT:** If User Activity services were previously stopped in Auditor server, start them after deleting Core Service in target servers. This will allow Auditor server to install the new version automatically. Run the following command in elevated PowerShell: +> +> ```powershell +> Start-Service -DisplayName "Netwrix Auditor User Activity *" +> ``` + +## Related links + +- How to Find Out My Netwrix Auditor Version: /docs/kb/auditor/how_to_find_out_my_netwrix_auditor_version +- Uninstall-NetwrixProduct.ps1: https://www.netwrix.com/download/products/KnowledgeBase/Uninstall-NetwrixProduct.ps1 diff --git a/docs/kb/auditor/mass-removal-of-files-located-on-dfs-server.md b/docs/kb/auditor/mass-removal-of-files-located-on-dfs-server.md new file mode 100644 index 0000000000..1db0ed9c95 --- /dev/null +++ b/docs/kb/auditor/mass-removal-of-files-located-on-dfs-server.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Explains why the Mass Data Removal from File Servers alert appears when files + are removed and immediately replaced on a DFS server, and how upgrading + resolves the issue. +keywords: + - Mass Data Removal + - DFS + - file server + - Netwrix Auditor + - alert + - upgrade + - My Products + - 10.6.12321 +products: + - auditor +sidebar_label: Mass Removal of Files Located on DFS Server +tags: [] +title: "Mass Removal of Files Located on DFS Server" +knowledge_article_id: kA0Qk0000000WeDKAU +--- + +# Mass Removal of Files Located on DFS Server + +## Question + +Why am I seeing the alert **Mass Data Removal from File Servers** in Netwrix Auditor, alongside the removal and immediate replacement of many files on a DFS file server? + +## Answer + +This is expected behavior for Netwrix Auditor 10.6.12321 and below. To avoid the issue, Netwrix recommends upgrading to the latest version. You can download the latest version from the [My Products](https://www.netwrix.com/my_products.html) page. + +For the oldest versions, the workflow is as follows: + +1. In the audited infrastructure with multiple DFS servers, if one server undergoes maintenance shutdown while another remains operational, it triggers mass file removal. +2. This removal consequently activates the **Mass Data Removal from File Servers** alert in Netwrix Auditor. +3. Netwrix Auditor interprets the disappearance of files from the affected server as a mass creation of file delete Activity Records. diff --git a/docs/kb/auditor/message-size-exceeds-fixed-maximum-message-size-error-in-health-log.md b/docs/kb/auditor/message-size-exceeds-fixed-maximum-message-size-error-in-health-log.md new file mode 100644 index 0000000000..d7d4ef0421 --- /dev/null +++ b/docs/kb/auditor/message-size-exceeds-fixed-maximum-message-size-error-in-health-log.md 
@@ -0,0 +1,65 @@ +--- +description: >- + Explains causes and resolutions for "Message size exceeds fixed maximum + message size" errors in the Health Log when Netwrix Auditor cannot send email + reports. Provides steps to compress attachments, change subscription file + format, and verify the Exchange server. +keywords: + - message size + - SMTP + - Exchange + - Health Log + - subscription + - activity summary + - compress attachment + - Netwrix Auditor +products: + - auditor +sidebar_label: Message Size Exceeds Fixed Maximum Message Size Er +tags: [] +title: "Message Size Exceeds Fixed Maximum Message Size Error in Health Log" +knowledge_article_id: kA00g000000H9WZCA0 +--- + +# Message Size Exceeds Fixed Maximum Message Size Error in Health Log + +## Symptoms + +You've encountered one of the following errors in your Health Log: + +```text +Netwrix Auditor was unable to send Activity Summary to %email_address%. +Error: SMTP Exception: The server rejected the message: %message% +Message size exceeds fixed maximum message size. +Check your SMTP settings. Make sure the Exchange server is up and running and recipient's mailbox is accessible. +``` + +```text +Netwrix Auditor was unable to deliver the subscription %subscription_name% due to the following error: +The following subscriptions could not be sent to the recipient %email_address%: +Error: Exceeded storage allocation. The server response was: %message% +Message size exceeds fixed maximum message size. +``` + +## Causes + +- Size of the attached report exceeds the maximum message size. +- Your Exchange server is affected by a connectivity issue. + +## Resolutions + +- Activity Summaries in large environments may exceed the maximum message size. + + 1. In the main Netwrix Auditor menu, select **Monitoring plans**, select the affected monitoring plan in the left pane, and click **Edit**. + 2. In the right pane, click **Edit settings** under the **Monitoring plan** section. + 3. 
In the left pane, select **Notifications**. + 4. Check the **Compress attachment before sending** checkbox, and click **Save**. + +- Subscription reports in large environments may exceed the maximum message size. + + 1. In the main Netwrix Auditor menu, select **Subscriptions**, select the affected subscription, and click **Edit**. + 2. In the left pane, select the **General** tab. + 3. Under the **Specify delivery options**, select **CSV** in the drop-down **File format** list. + 4. Click **Save** to save changes. + +- Restart your Exchange server to verify the issue is not related to the server. diff --git a/docs/kb/auditor/migrate-event-log-manager-monitoring-plans.md b/docs/kb/auditor/migrate-event-log-manager-monitoring-plans.md new file mode 100644 index 0000000000..6b1f049732 --- /dev/null +++ b/docs/kb/auditor/migrate-event-log-manager-monitoring-plans.md 
@@ -0,0 +1,54 @@ +--- +description: >- + Shows how to migrate a monitoring plan for Event Log Manager (ELM) between + Netwrix Auditor servers by copying rule folders and exporting/importing Task + Scheduler tasks. +keywords: + - event log manager + - ELM + - monitoring plan + - migrate + - Task Scheduler + - Netwrix Auditor + - rules + - export + - import + - working folder +products: + - auditor +sidebar_label: Migrate Event Log Manager Monitoring Plans +tags: [] +title: "Migrate Event Log Manager Monitoring Plans" +knowledge_article_id: kA04u00000110xoCAA +--- + +# Migrate Event Log Manager Monitoring Plans + +## Question + +How to migrate a monitoring plan for Event Log Manager (ELM) to a different server? + +## Answer + +### On your prior Netwrix Auditor server + +1. Copy the folders located in ` %Working Folder%\Event Log Management\Rules\ `. Each folder represents a single monitoring plan in Event Log Manager. +2. Export the Event Log Manager tasks from Task Scheduler: + + 1. Open your Task Scheduler either via the Search bar or `taskschd.msc` in the Run command window. + 2. Locate all tasks related to Event Log Manager. They will have the following line in the description under the **General** tab: + + ``` + Starts Netwrix Auditor data collection on Event Log for '%monitoring_plan_name%' + ``` + + 3. To export a task, right-click a task and click **Export**. Perform these steps for all tasks. + +### On your new Netwrix Auditor server + +1. Create a monitoring plan in Event Log Manager using the name of the prior monitoring plan. +2. Copy the folder from your prior server to the new one to ` %Working Folder%\Event Log Management\Rules\ `. +3. Import the tasks for Task Scheduler: + + 1. On your new server, open Task Scheduler, and click **Action** in the top row > **Import...**. + 2. Select the previously exported tasks and import them to your new server. 
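Review bot: step 3 under "On your new Netwrix Auditor server" imports the exported tasks without saying which account they should run as or that its credentials must be supplied again. A Task Scheduler export does not carry the stored password, so the import will prompt for it. Suggest adding a sub-step that names the account to use and asks the reader to confirm each imported task's run-as settings. Step 2 on the new server also says "Copy the folder" while the export side copies "the folders", and step 1 creates a single plan; say explicitly that both repeat per monitoring plan. The backticked paths carry stray leading and trailing spaces (` %Working Folder%\Event Log Management\Rules\ `).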
diff --git a/docs/kb/auditor/migrate-netwrix-password-expiration-notifier-to-a-different-server.md b/docs/kb/auditor/migrate-netwrix-password-expiration-notifier-to-a-different-server.md new file mode 100644 index 0000000000..12a27019fa --- /dev/null +++ b/docs/kb/auditor/migrate-netwrix-password-expiration-notifier-to-a-different-server.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Shows how to migrate Netwrix Password Reset (formerly Password Expiration + Notifier) to a different server by installing Netwrix Auditor on the new + server, copying templates, and reconfiguring settings. +keywords: + - migrate + - Netwrix Password Reset + - Netwrix Auditor + - templates + - password expiration + - notification templates + - Actions tab + - license +products: + - auditor + - password_reset +sidebar_label: Migrate Netwrix Password Reset to a Different Server +tags: [] +title: "Migrate Netwrix Password Reset to a Different Server" +knowledge_article_id: kA00g000000Pbd7CAC +--- + +# Migrate Netwrix Password Reset to a Different Server + +## Question + +How to migrate Netwrix Password Reset to a different server? + +## Answer + +In Netwrix Auditor versions 9.0 and newer, Netwrix Password Reset is installed alongside the Netwrix Auditor installation. + +1. Install Netwrix Auditor on a new server. +2. Copy the following data from the old server to the new server: + - Templates folder from `C:\Program Files (x86)\Netwrix Auditor\Password Expiration Alerting\Templates`. + - Screenshot all four tabs of the Netwrix Password Reset interface for configuration details. + ![tIfrvbFLMt.png](images/ka04u00000117hE_0EM4u000007ccaS.png) +3. Reconfigure Netwrix Password Reset according to the screenshots you captured. +4. Apply your Netwrix Auditor License to the new instance of Netwrix Auditor. + +### NOTE + +Message templates customized via the Netwrix Password Reset UI should be transferred manually — make sure to copy the contents of the **Actions** tab reports highlighted in the screenshot. + +![CslItbePFg.png](images/ka04u00000117hE_0EM4u000007ccac.png) diff --git a/docs/kb/auditor/migrating-auditor-to-new-server.md b/docs/kb/auditor/migrating-auditor-to-new-server.md new file mode 100644 index 0000000000..f39162e514 --- /dev/null +++ b/docs/kb/auditor/migrating-auditor-to-new-server.md 
@@ -0,0 +1,148 @@ +--- +description: >- + Step-by-step procedure to migrate a Netwrix Auditor instance to a new server, + including exporting/importing configuration, moving the Long-Term Archive, and + handling SQL databases. +keywords: + - Netwrix Auditor migration + - naconfig.xml + - Long-Term Archive + - SQL migration + - configserverDbProcessor + - Audit Core + - migrate Auditor + - validation checklist +products: + - auditor +sidebar_label: Migrating Auditor to New Server +tags: [] +title: "Migrating Auditor to New Server" +knowledge_article_id: kA00g000000H9ebCAC +--- + +# Migrating Auditor to New Server + +## Overview + +This article outlines a step-by-step process for how to migrate a Netwrix Auditor instance to a new server. + +## Instructions + +### Planning the Migration + +1. Installing Netwrix Auditor on the new server. +2. Exporting and importing Netwrix Auditor Configuration. +3. Migration of Long-Term Archive. +4. Migration of SQL databases. + - Migration of SQL databases is not required if you plan to keep SQL hosted on the original Netwrix Auditor Server or in case SQL is already hosted remotely. +5. Final setup. +6. Important Notes Post-Migration. +7. Validation checklist. + +### Installing Netwrix Auditor on the New Server + +When moving Netwrix Auditor to a new server, ensure the version and build of the Netwrix Auditor instance on your new server matches the old server version and build. Your new server should meet the Software Requirements and Hardware Requirements for the appropriate version: + +- Software Requirements · v10.7: /docs/auditor/10.7/auditor/requirements +- Hardware Requirements · v10.7: /docs/auditor/10.7/auditor/requirements + +### Exporting the Netwrix Auditor configuration file + +1. Stop and disable all Netwrix Auditor services except for **Netwrix Auditor Configuration Server Service** and **Netwrix Auditor Core Service** running in your original Netwrix Auditor server. 
This prevents Netwrix Auditor from running collections during the migration process. +2. Disable any scheduled tasks for your Netwrix Auditor instance. These will be present in case any monitoring plan for Netwrix Password Reset, Netwrix Inactive Users Tracker, or Event Log Manager have ever been set up. + +Now you can safely export the configuration by following the next steps: + +1. Run Command Prompt as administrator. +2. Execute the following commands: + +```text +cd C:\Program Files (x86)\Netwrix Auditor\Audit Core +configserverDbProcessor.exe export -target "C:\naconfig.xml" +``` + +3. Input an encryption password for the backup file. + +> **NOTE:** You can use any target path to export the config file. Make sure to include the file name **naconfig.xml** to the end of the export path. + +The configuration file has been successfully exported. Navigate to the target path to copy the config file to your new server. The file will be imported to the new Netwrix Auditor instance towards the end of the migration process. + +### Long-Term Archive + +By default, Long-Term Archive is located at `C:\ProgramData\Netwrix Auditor\Data`. If you have previously migrated your Long-Term Archive, you can find the location in your main Netwrix Auditor menu > **Settings** > **Long-Term Archive**. + +Navigate to your Long-Term Archive location and copy the entire folder. Proceed by transferring Long-Term Archive to the new Netwrix Auditor server. While you can migrate it to the default location, it is recommended to keep Long-Term Archive on a separate drive. This will prevent rapid storage consumption on the C drive. Take note of where you have placed Long-Term Archive on the new Netwrix Auditor server. + +> **NOTE:** You can split the Long-Term Archive migration into two steps if the size of your ActivityRecords folder doesn't allow for a quick migration. 
For additional information, refer to the following article: How to Move Long-Term Archive to a New Location: /docs/kb/auditor/how_to_move_long-term_archive_to_a_new_location + +### SQL Databases + +It is important to decide on migration of your SQL databases or keeping them in your current SQL Server instance during the Netwrix Auditor migration. In case you'd like to migrate your SQL Server databases, refer to the following article for additional information: Migrating Netwrix Databases: /docs/kb/auditor/how_to_migrate_netwrix_auditor_databases_to_another_sql_server_instance + +Once SQL migration is complete, refer to the following article for additional information on Report Server Database deployment: Deploying the Report Server Database: /docs/kb/auditor/deploying_the_report_server_database + +### Final Steps + +> **NOTE:** All further steps should be performed in your new Netwrix Auditor server instance. + +1. Stop all Netwrix services in your new Netwrix Auditor server instance except for **Netwrix Auditor Configuration Server Service** and **Netwrix Auditor Core Service**. +2. Import the naconfig.xml file. + 1. Run Command Prompt as administrator. + 2. Execute the following commands: + +```text +cd C:\Program Files (x86)\Netwrix Auditor\Audit Core +configserverDbProcessor.exe import -source %PATH_OF_EXPORTED_NACONFIG.XML% -target "C:\ProgramData\Netwrix Auditor\AuditCore\ConfigServer\Configuration.xml" +``` + +3. Run PowerShell as administrator and execute the following command to start all Netwrix Auditor services: + +```powershell +Start-Service -Displayname Netwrix* +``` + +4. Launch Netwrix Auditor and proceed to **Settings** > **Long-Term Archive**. Change the path for Long-Term Archive to reflect the migrated Long-Term Archive location. + +> **NOTE:** If you did not migrate the SQL databases, skip Step 5 and proceed to the next section. + +5. Netwrix Auditor requires a reference to the new SQL Server instance. 
Refer to the following steps to find the instance name: + 1. Launch SQL Server Management Studio. + 2. Click **Properties** for the instance name. + 3. In Netwrix Auditor **Settings** menu, select **Audit Databse** in the left pane and click **Modify** under **Audit database settings**. + 4. Specify the SQL Server instance name and credentials of the account used to write data to SQL databases. Refer to the following articles for additional information on SQL permissions and report server database deployment: + - Requirements for SQL Server to Store Audit Data – Configure Audit Database Account · v10.7: /docs/auditor/10.7/auditor/requirements + - Deploying the Report Server Database: /docs/kb/auditor/deploying_the_report_server_database + +### Important Notes Post-Migration + +- If you've previously had any omit lists configured, you will have to either copy the contents of these omit lists or copy the files to the new server. For additional information on omit lists and their locations, refer to the following article: How to Use Omit Lists: /docs/kb/auditor/how_to_use_omit_lists +- You cannot migrate Event Log Manager or its configuration files. Remember to manually copy the configuration over to the new server. Event Log Manager data will be migrated in case you've migrated SQL databases. +- Netwrix Password Reset and Netwrix Inactive Users Tracker do not store any data — their reports are sent daily via email. For more information on how to migrate these Netwrix tools, refer to the following articles: + - Migrate Netwrix Password Reset to a Different Server: /docs/kb/auditor/migrate_netwrix_password_expiration_notifier_to_a_different_server + - How to migrate Netwrix Inactive Users Tracker to other servers: /docs/kb/auditor/how_to_migrate_netwrix_inactive_users_tracker_to_other_servers +- User Activity data will not be collected until the Core Service is redeployed after migration. 
For more information on how to reset Netwrix Auditor User Activity Core Service to allow the monitoring plan to redeploy with the new configuration settings and registry keys, review the following article: Uninstalling User Activity Monitoring Agents: /docs/kb/auditor/uninstalling_user_activity_monitoring_agents + +### Validation Checklist + +Run the following checks for your migrated Netwrix Auditor instance: + +- Run a search with blank parameters (an open search). +- Run a report on a data source you are auditing. +- Confirm your monitoring plans have carried over. +- Apply the Auditor license. Refer to the following article for additional information: How to Apply Netwrix Auditor License: /docs/kb/auditor/how_to_apply_netwrix_auditor_license + +> **IMPORTANT:** The SSL certificate previously used for Integration API will be missing from the certificate store in your new Netwrix Auditor server. Generate a new SSL certificate for Netwrix Auditor Integration API − refer to the following article for additional information: Integration API − Security ⸱ v10.7: /docs/auditor/10.7/auditor/api + +Monitor the system over the next few days to confirm the migration has been completed successfully. As long as the system is operable and you can view migrated data, you can delete all traces of Netwrix Auditor from your former server, including the software uninstallation. 
+ +## Related Articles + +- Software Requirements · v10.7: /docs/auditor/10.7/auditor/requirements +- Hardware Requirements · v10.7: /docs/auditor/10.7/auditor/requirements +- How to Move Long-Term Archive to a New Location: /docs/kb/auditor/how_to_move_long-term_archive_to_a_new_location +- Migrating Netwrix Databases: /docs/kb/auditor/how_to_migrate_netwrix_auditor_databases_to_another_sql_server_instance +- Deploying the Report Server Database: /docs/kb/auditor/deploying_the_report_server_database +- Requirements for SQL Server to Store Audit Data – Configure Audit Database Account · v10.7: /docs/auditor/10.7/auditor/requirements +- Integration API − Security ⸱ v10.7: /docs/auditor/10.7/auditor/api +- Specified Logon Session Does Not Exist Error in Netwrix Auditor: /docs/kb/auditor/specified_logon_session_does_not_exist_error_in_netwrix_auditor +- How to Apply Netwrix Auditor License: /docs/kb/auditor/how_to_apply_netwrix_auditor_license diff --git a/docs/kb/auditor/migrating_netwrix_access_analyzer_database_to_a_new_sql_server.md b/docs/kb/auditor/migrating_netwrix_access_analyzer_database_to_a_new_sql_server.md new file mode 100644 index 0000000000..295c345dc2 --- /dev/null +++ b/docs/kb/auditor/migrating_netwrix_access_analyzer_database_to_a_new_sql_server.md 
@@ -0,0 +1,106 @@ +--- +description: >- + This article provides step-by-step instructions for migrating the Netwrix Access Analyzer database to a new SQL Server, including necessary permissions and storage configuration updates. +keywords: + - Access Analyzer + - SQL Server migration + - database permissions +sidebar_label: Migrate Access Analyzer Database +tags: [] +title: "Migrating Netwrix Access Analyzer Database to a New SQL Server" +knowledge_article_id: kA0Qk0000002xgjKAA +products: + - auditor +--- + +# Migrating Netwrix Access Analyzer Database to a New SQL Server + +## Related Queries + +- "How do I move the Access Analyzer database to a new SQL Server?" +- "What permissions do Access Analyzer service accounts need after a database migration?" +- "Why does Access Analyzer fail to connect after restoring the database on a new server?" + +## Overview + +This article provides step-by-step instructions for migrating the Netwrix Access Analyzer (formerly Enterprise Auditor) database from an existing Microsoft SQL Server instance to a new one. It includes post-migration SQL permissions required for Windows and SQL accounts used by Access Analyzer and steps for updating storage configuration in the Access Analyzer console. + +> **IMPORTANT:** The migration steps below assume you are familiar with [Microsoft’s standard best practices for SQL Server database migration ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/data-migration/) and have prepared your environment accordingly. + +## Instructions + +### 1. Prepare for Migration + +- Back up your Netwrix Access Analyzer database. +- Document all service accounts and Windows accounts used by Access Analyzer for console access, scheduled tasks, and services. +- If Role-Based Access is enabled, ensure you have a record of any custom database roles. + +### 2. 
Migrate the Database + +- Follow [Microsoft’s best practices for moving SQL databases ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/data-migration/) to detach, copy, and attach or back up and restore your Access Analyzer database to the new SQL Server. + +### 3. Assign Required Permissions + +After migration, assign the following permissions for every Windows account or SQL Server account used by Access Analyzer. Replace `` and `` with your actual user and database names. + +```sql +USE [master] +GRANT VIEW ANY DEFINITION TO [] +GO +USE [] +GO +EXEC sp_addrolemember 'db_datareader', '' +GO +EXEC sp_addrolemember 'db_datawriter', '' +GO +GRANT CREATE TABLE TO [] +GO +GRANT CREATE VIEW TO [] +GO +GRANT CREATE PROCEDURE TO [] +GO +GRANT CREATE FUNCTION TO [] +GO +GRANT CREATE TYPE TO [] +GO +GRANT REFERENCES ON SCHEMA::dbo TO [] +GO +GRANT ALTER ON SCHEMA::dbo TO [] +GO +GRANT EXECUTE ON SCHEMA::dbo TO [] +GO +GRANT INSERT ON SCHEMA::dbo TO [] +GO +GRANT UPDATE ON SCHEMA::dbo TO [] +GO + +ALTER USER [] WITH DEFAULT_SCHEMA = dbo +``` + +> **NOTE:** If Role-Based Access is used, make sure all required database roles are copied or recreated in the new database. For more information, see [Configuring Roles in Access Analyzer](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/configureroles). + +### 4. Update Access Analyzer Storage Configuration + +After restoring the database and setting permissions, follow these steps to reconnect Access Analyzer: + +1. Launch **Access Analyzer** on a server where the user has `dbo` access to the new database. +2. When the console opens, an error message may appear stating the database cannot be reached. This is expected. +3. Close the error window. +4. Select **Add New Storage Profile**. + > **NOTE:** For more details, see [Add a Storage Profile](/docs/accessanalyzer/12.0/admin/settings/storage/add). +5. Enter the connection details for the new SQL Server and database. +6. 
Test connectivity and ensure the console connects successfully. +7. Select the **Set as Default** option on the new storage profile. + > **NOTE:** For more details, see [Set a Default Storage Profile](/docs/accessanalyzer/12.0/admin/settings/storage/default). +8. Close and reopen **Access Analyzer** to verify persistent connectivity. +9. Once you have confirmed successful reconnection, delete the old storage profile. + > **NOTE:** For more details, see [Delete a Storage Profile](/docs/accessanalyzer/12.0/admin/settings/storage/delete). + +## Related Links + +- [Configuring Roles in Access Analyzer](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/configureroles) +- [Managing Storage in Access Analyzer](/docs/accessanalyzer/12.0/admin/settings/storage/overview) +- [Move a Database ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/data-migration/) +- [Add a Storage Profile](/docs/accessanalyzer/12.0/admin/settings/storage/add) +- [Set a Default Storage Profile](/docs/accessanalyzer/12.0/admin/settings/storage/default) +- [Delete a Storage Profile](/docs/accessanalyzer/12.0/admin/settings/storage/delete) \ No newline at end of file diff --git a/docs/kb/auditor/mimikatz-pass-the-hash-activity-on-netwrix-auditor-server.md b/docs/kb/auditor/mimikatz-pass-the-hash-activity-on-netwrix-auditor-server.md new file mode 100644 index 0000000000..bf81349a67 --- /dev/null +++ b/docs/kb/auditor/mimikatz-pass-the-hash-activity-on-netwrix-auditor-server.md 
@@ -0,0 +1,32 @@ +--- +description: >- + Explains why Mimikatz Pass-the-Hash activity may be detected on a Netwrix + Auditor server and how to address these alerts, including impersonation and + Secondary Logon Service requirements. +keywords: + - Mimikatz + - Pass-the-Hash + - Netwrix Auditor + - impersonation + - Secondary Logon Service + - SIEM + - alerts +products: + - auditor +sidebar_label: Mimikatz Pass-the-Hash Activity on Netwrix Auditor +tags: [] +title: "Mimikatz Pass-the-Hash Activity on Netwrix Auditor Server" +knowledge_article_id: kA04u00000110nPCAQ +--- + +# Mimikatz Pass-the-Hash Activity on Netwrix Auditor Server + +## Question + +My Security Event and Incident Management suite has detected Mimikatz Pass-the-Hash activity on Netwrix Auditor server. Is Netwrix Auditor trying to steal my passwords and hashes? + +## Answer + +This is an expected behavior for the set up Active Directory monitoring plan. Netwrix Auditor collects data from audited domains with the Data Collection account via impersonation. Refer to the following link for additional information on impersonation: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961980(v=technet.10)?redirectedfrom=MSDN. The use of impersonation requires Secondary Logon Service enabled as stated in the product documentation: /docs/auditor/10.5/auditor/configurationuration/activedirectory + +You can exclude your Netwrix Auditor server from the monitoring scope of your SEIM to stop receiving these alerts. For additional information on the Pass-the-Hash attack, refer to the following article: https://blog.netwrix.com/2021/11/30/passing-the-hash-with-mimikatz/. diff --git a/docs/kb/auditor/misconfigured-permissions-and-policies-warnings-in-windows-server-monitoring-plan.md b/docs/kb/auditor/misconfigured-permissions-and-policies-warnings-in-windows-server-monitoring-plan.md new file mode 100644 index 0000000000..167df99a54 --- /dev/null 
+++ b/docs/kb/auditor/misconfigured-permissions-and-policies-warnings-in-windows-server-monitoring-plan.md 
@@ -0,0 +1,109 @@ +--- +description: >- + This article lists common Health Log events related to misconfigured + permissions and audit/policy settings in Windows Server monitoring plans, + explains probable causes, and provides step-by-step resolutions to correct the + configurations on target servers. +keywords: + - Windows Server + - audit permissions + - Remote Registry + - event log + - gpresult + - audit policies + - Netwrix Auditor + - monitoring plan +products: + - auditor +sidebar_label: Misconfigured Permissions and Policies Warnings in +tags: [] +title: "Misconfigured Permissions and Policies Warnings in Windows Server Monitoring Plan" +knowledge_article_id: kA00g000000H9bMCAS +--- + +# Misconfigured Permissions and Policies Warnings in Windows Server Monitoring Plan + +## Symptoms + +One of the following events is prompted in Health Log in your Netwrix Auditor instance: + +``` +Windows Registry audit permissions are not enabled for this server. Adjust Windows Registry audit permissions automatically or manually. +``` + +``` +The Registry data provider failed to get the information on registry key %key% due to the following error: Access is denied. +``` + +``` +Unable to configure the following policies due to a conflict: %audit_policy% +``` + +``` +Unable to configure the following audit policies on this computer because it is a domain controller: %audit_policy% +``` + +``` +The following event log settings may lead to incorrect or incomplete data in reports: %setting% +``` + +``` +Security log overwrites occurred on this computer since the last collection. Please increase the maximum size of the %affected% event log. +``` + +``` +Data provider %name% failed during data collection from server %name% due to the following error: The Remote Registry service is not running. +``` + +``` +Data provider %name% failed during data collection from server %name% due to the following error: +The interface is unknown. (Exception from HRESULT: 0x800706B5). 
+``` + +``` +Data provider %name% failed during data collection from server %name% due to the following error: +The network path was not found. (Exception from HRESULT: 0x80070035). +``` + +``` +The following error occurred when collecting data from the Application log: Failed to open log %affected_log%. +Error details: The interface is unknown. (Error number: 0x800706B5). +``` + +``` +The following error occurred when collecting data from the Application log: Failed to open log %affected_log%. +Error details: The network path was not found. (Error number: 0x80070035) +``` + +``` +Unable to configure the following policies due to a conflict: %setting%. +``` + +## Causes + +The audit settings in the target server are misconfigured. The affected server is stated in the **Item** line of the event. + +## Resolutions + +> **IMPORTANT:** To review the possible conflicts in your environment, use the `gpresult` line in elevated Command Prompt. Learn more in gpresult · Microsoft: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult + +> **NOTE:** To disable the automatic configuration of audit settings in your Windows Server monitoring plan, navigate to **Monitoring Plans** > select the affected monitoring plan and click **Edit** > click **Edit data source** in the right pane > uncheck the **Adjust audit settings automatically** checkbox > click **Save**. + +Review the resolutions to ensure the settings are configured correctly in your target servers. + +- Verify both the `Remote Registry` and `Windows Management Instrumentation` services are set up to have the **Automatic** startup type. 
Refer to the following article for additional information: Windows Server − Enable Remote Registry and Windows Management Instrumentation Services · v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver + +- Verify the Windows Registry audit settings are configured correctly − refer to the following article for additional information on the manual setup: Windows Server − Configure Windows Registry Audit Settings · v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver + +- Verify the local audit policies are configured correctly − refer to the following article for additional information on the manual setup: Windows Server − Configure Local Audit Policies · v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver Alternatively, you can set up the advanced audit policies − refer to the following article for additional information on the manual setup: Windows Server − Configure Advanced Audit Policies · v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver + +- Verify the event log size and retention method settings in target servers − refer to the following article for additional information: Windows Server − Adjusting Event Log Size and Retention Settings · v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver + +## Related articles + +- gpresult · Microsoft: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- Windows Server − Enable Remote Registry and Windows Management Instrumentation Services · v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver +- Windows Server − Configure Windows Registry Audit Settings · v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver +- Windows Server − Configure Local Audit Policies · v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver +- Windows Server − Configure Advanced Audit Policies · v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver +- Windows 
Server − Adjusting Event Log Size and Retention Settings · v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver diff --git a/docs/kb/auditor/monitored-event-ids.md b/docs/kb/auditor/monitored-event-ids.md new file mode 100644 index 0000000000..c41b229fdc --- /dev/null +++ b/docs/kb/auditor/monitored-event-ids.md @@ -0,0 +1,37 @@ +--- +description: >- + Lists the Windows event IDs that Netwrix Account Lockout Examiner monitors for + invalid logons and account lockout/unlock events. +keywords: + - event IDs + - account lockout + - Kerberos + - NTLM + - Windows event log + - 4771 + - 4776 + - 4740 + - 4625 +products: + - auditor +sidebar_label: Monitored Event IDs +tags: [] +title: "Monitored Event IDs" +knowledge_article_id: kA00g000000H9dXCAS +--- + +# Monitored Event IDs + +Netwrix Account Lockout Examiner monitors invalid logons and lockouts. + +Here is the detailed list of monitored events: + +| Windows Vista/2008/7/2008R2 | Windows XP/2003 | Type | Description | +|-----------------------------|-----------------|---------|------------------------------------------------------------------------| +| `4771` | `675` | Failure | Invalid Kerberos logon - Kerberos ticket request failed | +| `4776` | `680,681` | Failure | Invalid NTLM logon - failed NTLM authentication attempt | +| `4740` | `644` | Success | An account was locked out | +| `4767` | `671` | Success | An account was unlocked | +| `4625` | `529-539*` | Failure | An account failed to log on - actual invalid logon event | + +*In Windows XP/2003 actual invalid logons can be logged as any of 10 events with IDs between 529 and 539 diff --git a/docs/kb/auditor/monitoring-currentcontrolset-changes-in-windows-server-monitoring-plan.md b/docs/kb/auditor/monitoring-currentcontrolset-changes-in-windows-server-monitoring-plan.md new file mode 100644 index 0000000000..cc81d9c191 --- /dev/null +++ b/docs/kb/auditor/monitoring-currentcontrolset-changes-in-windows-server-monitoring-plan.md 
@@ -0,0 +1,68 @@ +--- +description: >- + Shows how to monitor changes to the CurrentControlSet subkey in Netwrix + Auditor by specifying the ControlSet%%% subkeys in customregistrykeys.txt to + avoid event mismatches. +keywords: + - CurrentControlSet + - customregistrykeys.txt + - ControlSet001 + - ControlSet002 + - registry monitoring + - Windows Server + - Netwrix Auditor + - monitoring plan + - registry keys +products: + - auditor +sidebar_label: Monitoring CurrentControlSet Changes in Windows Se +tags: [] +title: "Monitoring CurrentControlSet Changes in Windows Server Monitoring Plan" +knowledge_article_id: kA04u000000wnkTCAQ +--- + +# Monitoring CurrentControlSet Changes in Windows Server Monitoring Plan + +## Question + +How to monitor changes to the `CurrentControlSet` subkey in Netwrix Auditor? + +## Answer + +The `CurrentControlSet` subkey is a pointer to the existing `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%%%` control sets. You must set up change monitoring via the `\ControlSet%%%` subkeys to avoid security event mismatch. Follow these steps to set up `\ControlSet%%%` subkeys monitoring: + +1. On the Netwrix Auditor host, navigate to ` %Netwrix Auditor installation folder%\Windows Server Auditing`. The following path is the default installation path: + +```Registry +C:\Program Files (x86)\Netwrix Auditor\Windows Server Auditing +``` + +2. Locate and edit the `customregistrykeys.txt` file − add the following two lines: + +```Registry +%Monitoring_Plan%,%Server_Name%,HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 +%Monitoring_Plan%,%Server_Name%,HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002 +``` + + Make sure to replace the placeholders with actual monitoring plan and server names. + +3. Save the changes. + +> **NOTE:** In most cases, `ControlSet001` stands for the last control set the server was booted with. `ControlSet002` stands for the last known good control set, or the control set that last successfully booted the server. 
+ +## Troubleshooting + +- Events related to the `CurrentControlSet` subkey changes state **system** in the **Who** field. + +If the `CurrentControlSet` subkey was specified in `customregistrykeys.txt`, the related events will contain `\ControlSet%%%` paths causing event mismatches and subsequent replacement of the **Who** field values with **system**. Explicitly state the `ControlSet%%%` control sets to be monitored in `customregistrykeys.txt`, for example: + +```Registry +Windows_Server_MP,test-server-01.internal,HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 +Windows_Server_MP,test-server-01.internal,HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002 +``` + +This example implies a Windows Server monitoring plan named **Windows_Server_MP** with the **test-server-01.internal** server monitored. Replace the names used with the names used in your environment. + +## Related Link + +- Windows Server − Monitoring Custom Registry Keys diff --git a/docs/kb/auditor/monitoring-ssl-certificates-with-event-log-manager.md b/docs/kb/auditor/monitoring-ssl-certificates-with-event-log-manager.md new file mode 100644 index 0000000000..4ee9a6c4e7 --- /dev/null +++ b/docs/kb/auditor/monitoring-ssl-certificates-with-event-log-manager.md 
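Review bot: in monitoring-currentcontrolset-changes-in-windows-server-monitoring-plan.md, step 2 has the reader add only `ControlSet001` and `ControlSet002`, while the NOTE hedges what they mean with "In most cases"; the article gives no step for confirming which numbered control sets exist on the monitored server, so a server using a different number would not be covered by these two lines. Add a verification step before step 2. Smaller points: the code span in step 1 starts with a stray space (` %Netwrix Auditor installation folder%...`), the fences are tagged `Registry` although the first holds a file-system path and the others hold lines of a text file, `sidebar_label` is cut off at "Windows Se", and the entry under "Related Link" is plain text with no link target.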
@@ -0,0 +1,69 @@ +--- +description: >- + Learn how to monitor SSL certificate events by creating filters and alerts in + Event Log Manager for Netwrix Auditor. +keywords: + - ssl + - certificates + - event log manager + - monitoring + - alerts + - Netwrix Auditor + - event IDs + - certificate expiration +products: + - auditor +sidebar_label: Monitoring SSL Certificates with Event Log Manager +tags: [] +title: "Monitoring SSL Certificates with Event Log Manager" +knowledge_article_id: kA00g000000PbckCAC +--- + +# Monitoring SSL Certificates with Event Log Manager + +## Events related to SSL certificates + +The following is a list of events that are related to SSL Certificates: + +- `1001` Certificate Replaced +- `1002` Certificate Expired +- `1003` Certificate Expiration Approaching +- `1004` Certificate Deleted +- `1005` Certificate Archived +- `1006` Certificate Installed + +In order to audit these events, create a new filter in Event Log Manager. + +**NOTE:** Please follow this guide for fundamental configurations of Event Log Manager in Netwrix Auditor: /docs/auditor/10.5/auditor/tools/eventlogmanager Failure to do so may result in a delay or absence of audit data. + +## Create a filter to audit SSL certificate events + +1. If this is your first Event Log Manager plan, enter notification recipients and target servers before continuing. + ![Config Filter](https://kb.netwrix.com/wp-content/uploads/2019/11/1-Config-Filter.png) + +2. Add a new filter. + ![Add new Filter](https://kb.netwrix.com/wp-content/uploads/2019/11/2-Add-new-Filter.png) + +3. When an SSL certificate is added to a server, a new event log titled `Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational` is created. Enter this log into the **Event Log** text field and set **Write To** to **Both**. + ![Event Log and Both](https://kb.netwrix.com/wp-content/uploads/2019/11/3-Event-Log-and-Both.png) + +4. Click the **Event Fields** tab and enter the event IDs you wish to audit. 
The provided example exhibits auditing of all SSL Certificate events. + ![Event IDs](https://kb.netwrix.com/wp-content/uploads/2019/11/4-Event-IDs.png) + +5. Click **OK** until you are back to the Event Log Manager homepage and then click **Save**. + +You will now receive reports for SSL certificate event data. + +## Configure alerts for SSL certificate events + +If you wish to receive Alerts for this data, repeat the filter configuration steps using the Alert Filter Configuration: + +1. Open the Alert Filter Configuration and add a new alert filter as needed. + ![Alert](https://kb.netwrix.com/wp-content/uploads/2019/11/5-Alert.png) ![New Alert](https://kb.netwrix.com/wp-content/uploads/2019/11/6-New-Alert.png) + +2. Configure the alert filter similarly to the report filter, specifying the same event log and event IDs. + ![Alert Filter](https://kb.netwrix.com/wp-content/uploads/2019/11/7-Alert-Filter.png) ![Alert Filter 2](https://kb.netwrix.com/wp-content/uploads/2019/11/8-Alert-Filter-2.png) ![Alert Filter 3](https://kb.netwrix.com/wp-content/uploads/2019/11/8-Alert-Filter-3.png) + +3. Click **OK** until you are back to the Event Log Manager homepage and then click **Save**. + +The configured Monitoring Plan will now yield reports and alerts for SSL auditing. diff --git a/docs/kb/auditor/navigating-and-understanding-a-netwrix-auditor-monitoring-plan.md b/docs/kb/auditor/navigating-and-understanding-a-netwrix-auditor-monitoring-plan.md new file mode 100644 index 0000000000..ede0c14201 --- /dev/null +++ b/docs/kb/auditor/navigating-and-understanding-a-netwrix-auditor-monitoring-plan.md 
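Review bot: in monitoring-ssl-certificates-with-event-log-manager.md the NOTE before "Create a filter" gives `/docs/auditor/10.5/auditor/tools/eventlogmanager` as a bare path that runs straight into "Failure to do so" with no punctuation, and it targets 10.5 while other articles in this patch reference v10.6. Make it a Markdown link, end the sentence, and confirm the version. The screenshots are loaded from `https://kb.netwrix.com/wp-content/uploads/...`, whereas other new articles in this patch use local `images/` paths; copying them into the repository keeps the steps readable if the old KB host stops serving them.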
@@ -0,0 +1,87 @@ +--- +description: >- + Learn the layout and common configuration options of a Netwrix Auditor + Monitoring Plan, including global settings, data source and item options, and + best practices for optimal monitoring. +keywords: + - monitoring plan + - Netwrix Auditor + - State in Time + - audit database + - data source + - delegation + - notifications + - data collection + - monitoring plan configuration +products: + - auditor +sidebar_label: Navigating and Understanding a Netwrix Auditor Mon +tags: [] +title: "Navigating and Understanding a Netwrix Auditor Monitoring Plan" +knowledge_article_id: kA00g000000PbcoCAC +--- + +# Navigating and Understanding a Netwrix Auditor Monitoring Plan + +While each data source has different monitoring plan configuration options, there are some commonalities across them all. This article will assist you in learning the fundamental layouts of a Monitoring Plan and details on specific configurations. + +## Monitoring Plan Layout + +Navigate to any of your configured monitoring plans. In the upper-right pane of the Monitoring Plan, you will find the **Monitoring Plan** configuration options. The options available here apply globally to any data source and item listed under the monitoring plan. **Edit Settings** provides you with the following menu options. + +### Monitoring Plan Options + +![Monitoring Plan Settings](https://kb.netwrix.com/wp-content/uploads/2020/04/MP-Settings-1024x323.png) + +#### Edit Settings + +- **General –** Here you can rename and provide descriptions for your Monitoring Plan. +- **Data Collection –** Here you can change or modify the account used to collect data from audited data sources under this Monitoring Plan. +- **Audit Database –** Here you are given the option to disable search functionality if you only wish to receive activity summaries (you should not enable this option unless you have a specific reason). 
You may also choose to rename the database in which all audit data for data sources and items under this monitoring plan is written. + - **Note:** If you change the name in this text field, it deploys a new database. The previous database will remain in SQL but the content within it is no longer available for searching in reporting. Only databases specified in the Audit Database tab of monitoring plans can be searched and reported on. Lastly, you may choose to specify a custom account to write this audit data to the audit database in your SQL Server. +- **Notifications –** This menu provides the options to modify the notification schedule. By default, the activity summary will be sent daily at 3:00 AM. What is less obvious about this function is that it is tied to the State in Time collection schedule for your data sources. With the default configuration, as listed above, a State in Time collection runs at 3:00 AM. You should leave the schedule at its default. Increasing frequency results in more State in Time snapshots, which can lead to increased storage consumption and resource performance issues. Changing the time, however, can be useful in situations where many processes occur at the same time. Changing the time from 3:00 AM to 4:00 AM should not have a negative impact as long as you leave the frequency at 24 hours. + +#### Delegation + +**Delegation** allows administrators to provide Role-Based Access to Monitoring Plans and specific data. If you would like to learn more about Delegation, visit our [Help Center](/docs/auditor/). + +#### Update + +Following the **Delegation** option, you will see the **Update** button. This button allows you to force a collection for every data source and item under the Monitoring Plan. There are some data sources that behave differently with this button. For example, User Activity cannot perform a forced collection. There is another exception for the **Update** button. 
+ +You should not perform an update on an Active Directory Data Source. Due to its design, clicking update may prevent the collector from finishing the combination of event data with State in Time data. This often results in Activity Records with incomplete timestamps and Who as *System*. In this case, it is better to wait for the Active Directory collector to finish, which occurs roughly every 10 minutes. + +### Data Source Options + +![Data Source Settings](https://kb.netwrix.com/wp-content/uploads/2020/04/Data-Source-settings-1024x323.png) + +- **Add Data Source –** Under the Data Source options, you can add a new data source. While this option is available, you should combine only compatible data sources such as Active Directory, Exchange, and Group Policy. Due to the current configuration of globally locked settings, combining Active Directory with something like File Server auditing can often lead to issues. Keeping data sources separated also makes troubleshooting more efficient. +- **Edit Data Source** + + This menu will differ greatly from one data source to another. The only constants you may find here are: + + - Enabling/Disabling State in Time – Recommended to be enabled. + - Enabling/Disabling Network Traffic Compression – Recommended to be enabled. + - When enabled, more processing is done at the target server. When disabled, more data is sent over the network and processed locally on the Netwrix Auditor host. + - If you notice performance issues, you can toggle this option on or off to trial performance. + + All other configurations for a data source will heavily depend on the data source. You should visit our [configuration guides](/docs/auditor/) on the Help Center for more specific information. + +- **Remove Data Source –** Highlight a data source and select this option to remove it from the Monitoring Plan. 
The audit database for this monitoring plan will still contain audit data for this data source but will no longer collect and store further information after the data source is removed. + +### Item Options + +![Item Settings](https://kb.netwrix.com/wp-content/uploads/2020/04/Item-Settings-1024x323.png) + +- **Add Item –** Highlight a data source and select **Add Item** to add another supported item for that data source. For Active Directory, you could add another Domain. For User Activity, you could add another workstation or server. When it comes to the number of items you should audit under one Monitoring Plan, it depends on available resources. You should start small and scale up. For example, through trial and error, an administrator finds that their Netwrix Auditor host can handle 5 Windows Servers per Windows Server Monitoring Plan. They have 30 servers that need to be audited, so they deploy 6 Windows Server Monitoring Plans to accommodate this. +- **Edit Item –** This allows you to modify or change the audited item. For more granularity, you can also use **Edit Item** to provide custom credentials. This is useful for audited DMZs or secured file systems for which you wish to use a more locked-down account. Custom credentials will override the credentials provided under **Edit Settings > Data Collection**. +- **Remove Item –** This will remove the item from the data source and monitoring plan. If the target server has an agent, Netwrix Auditor will attempt to remove it. If it fails, you may need to remove it manually through **Programs and Features**. + +### The Perfect Monitoring Plan + +Ideally, a monitoring plan should exhibit these elements: + +- Segregated Data Sources +- State in Time Enabled +- Load Balanced Scope (Number of Items) +- Careful consideration of data source–specific configurations diff --git a/docs/kb/auditor/ndc-dashboard-failure.md b/docs/kb/auditor/ndc-dashboard-failure.md new file mode 100644 index 0000000000..ff2e41b3e6 
--- /dev/null +++ b/docs/kb/auditor/ndc-dashboard-failure.md 
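Review bot: in navigating-and-understanding-a-netwrix-auditor-monitoring-plan.md the **Audit Database** bullet describes an "option to disable search functionality" and then advises "you should not enable this option", so it is unclear whether the reader is being told to leave search on or off. State the recommended setting directly. The **Note** nested under that bullet ends with a sentence about specifying a custom account for writing to the audit database, which is a separate setting and belongs in the bullet itself. In the **Update** section, "There is another exception for the **Update** button." is left dangling before the paragraph break and can be merged into the Active Directory paragraph that follows. `sidebar_label` is truncated at "Auditor Mon".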
@@ -0,0 +1,71 @@ +--- +description: >- + Troubleshoot when the NDC Dashboard fails to load due to IIS faults caused by + the System Center Operations Manager (SCOM) 2016 agent. This article shows the + relevant error messages and the recommended remediation steps. +keywords: + - NDC + - dashboard failure + - SCOM 2016 + - PerfMon64.dll + - w3wp.exe + - conceptsearching + - conceptclassifier + - Operations Manager + - IIS fault +products: + - auditor + - data-classification +visibility: public +sidebar_label: NDC Dashboard Failure +tags: [] +title: "NDC Dashboard Failure" +knowledge_article_id: kA00g000000PbcnCAC +--- + +# NDC Dashboard Failure + +## Scenario + +**NDC Dashboard fails to load and the conceptsearching eventlog shows this error:** + +``` +Component: conceptClassifier + Caller: Run + Level: Error + conceptEngine2.ServiceModel.PingQs + Failed to contact QS: http://localhost:80/conceptQS/conceptQS.asmx, error: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. 
---> +``` + +**In addition to this error, in the _conceptsearching_ log, you will see the below error in the Windows Application Event Log:** + +``` +Faulting application name: w3wp.exe, version: 10.0.17763.1, time stamp: 0xcfdb13d8 + Faulting module name: PerfMon64.dll, version: 8.0.13053.0, time stamp: 0x5a26da79 + Exception code: 0xc0000409 + Fault offset: 0x000000000013f68f + Faulting process id: 0x2940 + Faulting application start time: 0x01d53c07a74a0b75 + Faulting application path: c:windowssystem32inetsrvw3wp.exe + Faulting module path: C:Program FilesMicrosoft Monitoring AgentAgentAPMDOTNETAgentV8.0.13053.0PerfMon64.dll + Report Id: 84973451-9fbf-4b31-9dd8-ca486181ffd2 + Faulting package full name: + Faulting package-relative application ID: +``` + +The faulting module path listed in the error points out that the cause of the IIS fault is the 2016 SCOM agent. + +## Solution + +1. Uninstall the 2016 SCOM agent from the IIS server. +2. Stop the following services: + - `conceptclassifier` + - `conceptcollector` + - `conceptindexer` +3. Restart the server. + +The dashboard will load and the issue is resolved. + +If uninstalling the SCOM 2016 agent is not an option, follow either Method 1 or Method 2 in the article linked below, depending on your SCOM needs: + +- https://support.microsoft.com/en-us/help/4457771/resolve-issues-by-removing-apm-components-in-operations-manager-2016 diff --git a/docs/kb/auditor/ndc-page-status-codes.md b/docs/kb/auditor/ndc-page-status-codes.md new file mode 100644 index 0000000000..441869f40a --- /dev/null +++ b/docs/kb/auditor/ndc-page-status-codes.md 
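Review bot: in ndc-dashboard-failure.md the Windows Application Event Log excerpt has lost its path separators: `c:windowssystem32inetsrvw3wp.exe` and `C:Program FilesMicrosoft Monitoring AgentAgentAPMDOTNETAgentV8.0.13053.0PerfMon64.dll`. The diagnosis in the sentence after the excerpt rests on the faulting module path, so restore the backslashes from the original event text. The first excerpt also ends on a dangling `--->`; mark the truncation explicitly or include the inner exception. In the Solution, say whether the three services stopped in step 2 come back on their own after the restart in step 3 or must be started manually. This front matter sets `visibility: public` while the other articles shown here do not; confirm that is intended.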
@@ -0,0 +1,191 @@ +--- +description: >- + Lists all page status codes used by Netwrix Data Classification (NDC), + including expected processing statuses (0–400) and error statuses (-1 to + -999). Use this reference to interpret document states during the + classification process. +keywords: + - NDC + - page status codes + - document status + - classification + - error codes + - iFilter + - SharePoint + - indexing +products: + - auditor + - data-classification +sidebar_label: NDC Page Status Codes +tags: [] +title: "NDC Page Status Codes" +knowledge_article_id: kA00g000000Pbd4CAC +--- + +# NDC Page Status Codes + +Below is a list of all page statuses that can be found within Netwrix Data Classification (NDC). All positive statuses (0 through 400) are expected statuses for documents determined by whichever step they are at in the Classification process. All negative statuses (-1 through -999) indicate some type of failure. + +## Document Processing Statuses + +- Awaiting collection (0) +- Paused Source (8) +- Document Auto-Deleted (9) +- Document Deleted (10) +- Pending Submit (75) +- Collected (100) +- Collected (150) +- Converted (200) +- Indexed (Pending) (299) +- Indexed (300) +- Classified (Pending Write) (325) +- Classified (Pending) (399) +- Classified (400) + +## Document Error Statuses + +- Pending Delete (-1) +- Hub Replaced (-9) +- SharePoint - Property Update Failure (-10) +- SharePoint - Property Update Failure (-11) +- SharePoint - Property Update Failure (-12) +- Upload Failure (-40) +- File - Indexing Error (-41) +- File - Length Error (-42) +- File - Length Error (-43) +- iFilter - No Text (-44) +- iFilter - Not Available (-45) +- iFilter - Sharing Error (-46) +- HTTP - Read Error (-50) +- PDF - Conversion Exception (-51) +- DOC - Conversion Exception (-52) +- PPT - Conversion Exception (-53) +- RTF - Conversion Exception (-54) +- XML - Conversion Exception (-55) +- HTML - Conversion Exception (-56) +- WPD - Conversion Exception (-57) +- MSG - 
Conversion Exception (-58) +- File - ACL Error (-59) +- iFilter - Not Available (60) (-60) +- iFilter - Unknown Exception (-61) +- iFilter - Security Exception (-62) +- iFilter - Access Denied (-63) +- iFilter - Unknown Format (-64) +- iFilter - Out of memory (-65) +- iFilter - Disabled (-66) +- iFilter - File Corrupt (-67) +- iFilter - Access Denied (-68) +- iFilter - No Values (-69) +- SharePoint - Hub Page Collection Error (-70) +- SharePoint - List Collection Error (-71) +- SharePoint - List Collection Exception (-72) +- SharePoint - Site Excluded (-73) +- SharePoint - Site Unavailable (-74) +- SharePoint - Site Cache Error (-75) +- SharePoint - Unknown Exception (-76) +- SharePoint - Metadata Error (-77) +- SharePoint - Document Update Failed (-78) +- SharePoint - Document Not Found (-79) +- conceptSQL Object Not Found (-81) +- conceptSQL - Templated Query Error (-82) +- conceptSQL - Connection Error (-83) +- conceptSQL - PrimaryKey Pass Error (-84) +- conceptSQL - Error Processing Primary Key (-85) +- conceptSQL - DB Schema Error (-86) +- conceptSQL - Duplication Error (-87) +- conceptSQL - Data Not Found (-88) +- conceptSQL - Object Configuration Error (-89) +- conceptSQL - PrimaryKey Missing (-90) +- conceptSQL - ContentType excluded (-91) +- conceptSQL - WITH (NOLOCK) Missing (-92) +- conceptSQL - GET_PATH failed (-93) +- conceptSQL - Error fetching data row (-94) +- conceptSQL - Error processing source (-95) +- conceptSQL Error processing existing row (-96) +- conceptSQL Error processing new row (-97) +- conceptSQL Exception processing new row (-98) +- File - Directory does not exist (-99) +- HTTP - Collection Exception (-100) +- File - Open Error (-101) +- File - Read Error (-102) +- File - Does not exist (-103) +- File - Load Attributes (-104) +- SQL - Metadata Error (-105) +- SQL - Upload Error (-106) +- SQL - XmlIndexRequest Error (-107) +- SQL - XmlIndexSectionsRequest Error (-108) +- HTTP - Duplicate Page (-109) +- HTTP - Connection Failure (-110) 
+- HTTP - Connection Closed (-111) +- HTTP - Keep Alive Failure (-112) +- HTTP - Name Resolution Failure (-113) +- HTTP - Request Pending (-114) +- HTTP - Pipeline Failure (-115) +- HTTP - Protocol Error (-116) +- HTTP - Proxy Name Resolution Error (-117) +- HTTP - Receive Failure (-118) +- HTTP - Request Cancelled (-119) +- HTTP - Secure Channel Failure (-120) +- HTTP - Send Failure (-121) +- HTTP - Server Protocol Violation (-122) +- HTTP - Timeout (-123) +- HTTPS - Trust Failure (-124) +- HTTP - Thread Timeout (-125) +- File - Thread Timeout (-126) +- HTTP - Unknown Error (-130) +- HTTP - 'noindex' in robots.txt (-140) +- HTTP - 'disallow' in robots.txt (-141) +- HTTP - Excluded Content Type (-149) +- Threading - File Thread Exception (-151) +- File - OLE Processing Error (-153) +- File - Conversion Exception (-154) +- File - Too Small (-155) +- File - Too Large (-156) +- File - Not found (-157) +- HTTP - Invalid URI (-158) +- HTTP - Invalid URI (-159) +- Duplicate Page (-160) +- HTTP - Redirected Page Excluded (-161) +- HTTP - Redirected Page On Excluded Domain (-162) +- Empty Document (-163) +- Invalid Type Error (-164) +- Document Excluded (-165) +- Document Not Included (-166) +- OCR Language File Not Found (-167) +- Duplicate Hub Detected (-168) +- DOC - Conversion Exception (-170) +- DOC- Conversion Exception (-171) +- RTF - Conversion Exception (-172) +- PPT - Conversion Exception (-173) +- WPD - Conversion Exception (-174) +- WPD - Signature Error (-175) +- WPD - Encryption Error (-176) +- WPD - Version Error (-177) +- MSG File - Conversion Exception (-178) +- OfficeXML - Conversion Exception (-179) +- PDF - Signature Error (-181) +- PDF - Invalid Trailer (-182) +- PDF - Decryption Failure (-183) +- PDF - Invalid XRef (-184) +- PDF - Object Error (-185) +- PDF - XRef Exception (-186) +- PDF - Extraction Exception (-187) +- PDF - Unknown Exception (-188) +- OLE File Conversion - Access Error (-190) +- OLE File Conversion - Signature Error (-191) +- OLE 
File Conversion - DIFAT Error (-192) +- OLE File Conversion - Exception (-193) +- OLE File Conversion - Data Stream Error (-194) +- OLE File Conversion - FAT Error (-195) +- OLE File Conversion - Exception (-196) +- OLE Temp File Too Large (-197) +- Text Extraction - Open Error (-198) +- Exchange - Service Response Failure (-200) +- Box - Document Locked (-251) +- Authentication Error (-401) +- Access Denied (-403) +- Document not found (-404) +- conceptSQL – Content Filename is an HTTP source (-814) +- conceptSQL – Missing Configuration Settings (-815) +- Licencing – Source Type Unlicenced (-998) +- Unknown (-999) diff --git a/docs/kb/auditor/netwrix-auditor-api-authentication-in-kerberos-only-environment.md b/docs/kb/auditor/netwrix-auditor-api-authentication-in-kerberos-only-environment.md new file mode 100644 index 0000000000..6c7ad640a0 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-api-authentication-in-kerberos-only-environment.md 
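Review bot: in ndc-page-status-codes.md the introduction says every negative status indicates some type of failure, yet the error list includes entries that read as normal outcomes, such as "Pending Delete (-1)", "SharePoint - Site Excluded (-73)" and "Document Excluded (-165)"; either soften that sentence or split those entries out so nobody alerts on them as faults. Several labels repeat under different codes with nothing to tell them apart ("Collected" for 100 and 150, "SharePoint - Property Update Failure" for -10, -11 and -12, "HTTP - Invalid URI" for -158 and -159), and "iFilter - Not Available (60) (-60)" carries a stray "(60)". Formatting is inconsistent as well: "DOC- Conversion Exception (-171)" is missing a space, "conceptSQL Object Not Found (-81)" and the -96 to -98 entries drop the separator, and the -814, -815 and -998 entries use an en dash where the rest use a hyphen.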
@@ -0,0 +1,33 @@ +--- +description: >- + Explains whether Netwrix Auditor can authenticate in a Kerberos-only + environment and lists limitations to consider when using Kerberos for API + integration. +keywords: + - Kerberos + - NTLM + - API authentication + - Netwrix Auditor + - Windows Server Auditing + - hostname + - IP address +products: + - auditor +sidebar_label: Netwrix Auditor API Authentication in Kerberos-onl +tags: [] +title: "Netwrix Auditor API Authentication in Kerberos-only Environment" +knowledge_article_id: kA04u000000PoLHCA0 +--- + +# Netwrix Auditor API Authentication in Kerberos-only Environment + +## Question + +Can Netwrix Auditor authentication be set up in Kerberos-only environment? + +## Answer + +While NTLM authentication is recommended for API integration, Kerberos protocol can be used instead with following limitations to be considered: + +- Windows Server Auditing requires full computer names to be used instead of aliases. +- Netwrix Auditor clients require a Netwrix Auditor server hostname to be specified instead of the server IP address. diff --git a/docs/kb/auditor/netwrix-auditor-configuration-server-service-fails-to-start-too-many-methods-to-fire-events-from.md b/docs/kb/auditor/netwrix-auditor-configuration-server-service-fails-to-start-too-many-methods-to-fire-events-from.md new file mode 100644 index 0000000000..ec14190603 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-configuration-server-service-fails-to-start-too-many-methods-to-fire-events-from.md 
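Review bot: in netwrix-auditor-api-authentication-in-kerberos-only-environment.md the Answer opens with "While NTLM authentication is recommended for API integration" and gives no reason, which is an odd lead for readers running a Kerberos-only environment; either explain why NTLM is preferred for the API or drop the recommendation and state plainly that Kerberos is supported with the two listed limitations. Wording fixes: "in a Kerberos-only environment", "the Kerberos protocol", "with the following limitations". `sidebar_label` is truncated at "Kerberos-onl".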
@@ -0,0 +1,97 @@ +--- +description: >- + Describes how to resolve 'Error 0x80040209: An interface has too many methods + to fire events from' when the Netwrix Auditor Configuration Server Service + fails to start and shows 'Access is denied'. +keywords: + - Netwrix Auditor + - Configuration Server + - Error 0x80040209 + - Access is denied + - ConfigServer + - Configuration.xml + - backup + - service fails to start + - System Health log +products: + - auditor +sidebar_label: Configuration Server Service Fails - Too Many Methods +tags: [] +title: "Netwrix Auditor Configuration Server Service Fails to Start — Too Many Methods to Fire Events From" +knowledge_article_id: kA04u000000PoMPCA0 +--- + +# Netwrix Auditor Configuration Server Service Fails to Start — Too Many Methods to Fire Events From + +## Symptoms + +- Netwrix Auditor Configuration Server Service stopped. When attempting to restart the service, it stops again with the following message in Netwrix Auditor System Health log: + +``` +Windows could not start the Netwrix Auditor Configuration Server Service service on Local Computer. +Error 0x80040209: An interface has too many methods to fire events from. +``` + +![Screenshot 1](images/ka04u00000117L8_0EM4u000008LCum.png) + +Other services are running as expected. + +![Screenshot 2](images/ka04u00000117L8_0EM4u000008LCuw.png) + +- The following error is prompted in the main Netwrix Auditor screen: + +``` +Connection failed +Access is denied +``` + +![Screenshot 3](images/ka04u00000117L8_0EM4u000008M2Tz.png) + +Upon checking Services running, Netwrix Auditor Configuration Server Service appears to have stopped. When attempting to restart the service, the same error is prompted. + +## Causes + +Any of the following potential causes may lead to corruption of the configuration server status file: + +- The C drive of the Netwrix Auditor server has reached or is running out of its capacity. +- Unexpected shutdown of the Netwrix Auditor server (e.g. 
due to the power outage). +- Cross-program interaction (e.g. antivirus software blocks an operation performed by Netwrix Auditor). + +## Resolution + +Refer to the following steps to troubleshoot the issue: + +1. Back up the ConfigServer folder located in ` %Working Folder%\AuditCore\ConfigServer`. +2. Delete all files in the original ConfigServer folder except for the StorageBackups folder and the Configuration.xml file. + +![ConfigServer folder contents](images/ka04u00000117L8_0EM4u000008LCv1.png) + +3. Restart Netwrix Auditor Configuration Server Service. +4. Make sure the following services are running (including all the monitoring plan-related services): + +- Netwrix Auditor Core Service. +- Netwrix Auditor Archive Service. + +In case the aforementioned steps did not help, refer to the following steps to troubleshoot the issue: + +1. Back up the ConfigServer folder located in ` %Working Folder%\AuditCore\ConfigServer`. +2. Delete all files in the original ConfigServer folder except for the StorageBackups folder. It is located in ` %Working Folder%\AuditCore\ConfigServer`. + +![ConfigServer StorageBackups folder](images/ka04u00000117L8_0EM4u000008LCvL.png) + +3. Copy the Configuration.xml file from the latest **BACKUP_%DATE%**\%GUID% folder. + +![Backup folder selection](images/ka04u00000117L8_0EM4u000008LCvk.png) + +4. Paste the copied Configuration.xml file to ` %Working Folder%\AuditCore\ConfigServer`. +5. Restart Netwrix Auditor Configuration Server Service. +6. Make sure the following services are running (including all the monitoring plan-related services): + +- Netwrix Auditor Core Service. +- Netwrix Auditor Archive Service. + +> **NOTE:** If these steps did not help, try using the Configuration.xml file from the second to the last **BACKUP_%DATE%**\%GUID% folder. Paste the file to ` %Working Folder%\AuditCore\ConfigServer` and restart Netwrix Auditor services. 
+ +![Configuration restored](images/ka04u00000117L8_0EM4u000008LCwE.png) + +> **NOTE:** If the issue reoccurs after some time, contact [Netwrix Technical Support](https://www.netwrix.com/open_a_ticket.html). diff --git a/docs/kb/auditor/netwrix-auditor-consumes-disk-space-recommendations.md b/docs/kb/auditor/netwrix-auditor-consumes-disk-space-recommendations.md new file mode 100644 index 0000000000..09df75f53d --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-consumes-disk-space-recommendations.md 
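Review bot: in the Configuration Server Service article, step 2 of the second procedure deletes everything in ConfigServer except StorageBackups, which removes the live Configuration.xml, and its second sentence only repeats the folder path; say explicitly that Configuration.xml is deleted at this point and restored in steps 3 and 4, so the reader does not take it for a copy of the first procedure's step with a phrase missing. The folder paths have a stray leading space inside the code span (` %Working Folder%\AuditCore\ConfigServer`), and `**BACKUP_%DATE%**\%GUID%` bolds half of a path; use one code span for the whole path. The service bullets after "Make sure the following services are running" and the images between numbered steps are not indented under their steps, so most Markdown renderers will restart the numbering; indent them.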
@@ -0,0 +1,79 @@ +--- +description: >- + Explains why Netwrix Auditor can consume a lot of disk space and provides + detailed recommendations to reduce disk usage, move archives and working + folders, and inspect page file and local DB usage. +keywords: + - netwrix auditor + - disk space + - long-term archive + - working folder + - page file + - local db + - backups + - performance monitor +products: + - auditor +sidebar_label: Netwrix Auditor Consumes Disk Space — Recommendati +tags: [] +title: "Netwrix Auditor Consumes Disk Space — Recommendations" +knowledge_article_id: kA04u00000111I3CAI +--- + +# Netwrix Auditor Consumes Disk Space — Recommendations + +## Question + +Netwrix Auditor takes up a lot of disk space and once it gets to around a minimum of free disk space, the Netwrix services stop, and all monitoring plans have the **Stops Responding** status. Which are Netwrix recommendations for adequate hardware resource consumption? + +## Answer + +The following recommendations will allow you to reduce disk space consumption: + +1. Netwrix recommends upgrading to the latest version. For each updated version, Netwrix improves performance and tends avoiding disk space consumption. + + For additional information on upgrade procedure, refer to the following article: Installation — Upgrade to the Latest Version — v10.6. + +2. Move your Long-Term Archive to another logical disk and/or modify its retention settings. **Long-Term Archive** is a file-based storage where Netwrix Auditor saves the collected activity records. + + By default, it is located on the system drive at `%PROGRAMDATA%\Netwrix Auditor\Data` and keeps data for `120 months (10 years)` and the product informs you if you are running out of space on a system disk where it is stored. + + Once the free disk space starts approaching the minimum level, you will see events in the **Netwrix Auditor System Health** log. 
When the free disk space is less than `3GB`, the Netwrix services responsible for audit data collection will be stopped, which means that the data collection also stops. + + Follow these Knowledge Base articles for additional information: + + - [How to Move Long-Term Archive to a New Location](/docs/kb/auditor/how-to-move-long-term-archive-to-a-new-location) + - [How to Prevent Overflow on the Drive Where the Long-Term Archive is Located?](/docs/kb/auditor/how-to-prevent-long-term-archive-overflow) + +3. Migrate Working Folder to a new location. + + The size of your Working Folder may grow significantly (normally, up to `10 – 20GB`) depending on the workload, especially during activity peaks. If your system drive capacity is limited, you might want to keep the temporary files and trace logs on another drive, i.e. change the Working Folder default location. + + For additional information on how to move the Working Folder, refer to the following article: [How to Migrate Netwrix Auditor Working Folder to a New Location?](/docs/kb/auditor/how-to-migrate-netwrix-auditor-working-folder-to-a-new-location.md). + +4. Remove the **Netwrix Backup** folder. Netwrix strongly recommends keeping the backups for supported product versions. + + For additional information about the Backup folder, refer to the following article: [Backups Folder in Netwrix Auditor](/docs/kb/auditor/backups-folder-in-netwrix-auditor.md). + +5. Additional space might be consumed by the **Local DB** in the **ShortTerm** folder; this can occur when the SQL communication is not working properly or the DB files getting corrupted. Follow the resolution steps in the article: [Netwrix Auditor System Health Log Contains EventID 2002](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA04u000000wnpOCAQ.html). + +6. Check the size of the Windows page file. If it grows big, this indicates lack of RAM and Windows tries to compensate it with disk space. 
Adding more RAM helps fixing disk space consumption by page files. + + Follow the steps to inspect page file usage using **Performance Monitor** + + 1. On the Auditor Server, open **Administrative Tools** -> **Performance Monitor**. + 2. Expand **Monitoring Tools** and select **Performance Monitor**. + 3. Right-click the graph and select **Add Counters...**. + 4. In the **Available counters** list, select **Paging File.** + 5. Click the down-arrow icon to the right of Paging File. + 6. Select `% Usage` under Paging File and then click the **Add** button. + 7. Click **OK** to close the dialog. + + Now the **Paging File** counter is displayed in the **Performance Monitor**. + +## Related Articles + +- [Error: Netwrix Auditor for File Servers Audit Service Terminated Unexpectedly](/docs/kb/auditor/error-netwrix-auditor-for-file-servers-audit-service-terminated-unexpectedly.md) +- [Antivirus Exclusions for Netwrix Auditor](/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md) +- [How to Add Additional Space to Long-Term Archive?](/docs/kb/auditor/how-to-add-additional-space-to-long-term-archive) +- [Netwrix Auditor System Health Log Contains EventID 2002](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA04u000000wnpOCAQ.html) diff --git a/docs/kb/auditor/netwrix-auditor-data-collection-account-failed-logons-account-lockouts.md b/docs/kb/auditor/netwrix-auditor-data-collection-account-failed-logons-account-lockouts.md new file mode 100644 index 0000000000..64cb30d699 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-data-collection-account-failed-logons-account-lockouts.md 
@@ -0,0 +1,117 @@ +--- +description: >- + Explains causes and resolutions when the Netwrix Auditor Data Collection + Account produces failed logons or gets locked out, with steps to update + credentials across monitoring plans, custom accounts, SQL/SSRS settings, + services, and supplemental collectors. +keywords: + - Data Collection Account + - failed logons + - account lockouts + - credentials + - monitoring plan + - SQL + - SSRS + - services + - Netwrix Password Reset +products: + - auditor +sidebar_label: 'Netwrix Auditor Data Collection Account: Failed Lo' +tags: [] +title: 'Netwrix Auditor Data Collection Account: Failed Logons | Account Lockouts' +knowledge_article_id: kA00g000000H9eMCAS +--- + +# Netwrix Auditor Data Collection Account: Failed Logons | Account Lockouts + +## Symptom + +Logon Activity reports show that the Data Collection Account is producing failed logons and/or getting locked out. + +## Cause + +One of the locations shown below has expired credentials. + +## Resolution + +### Monitoring Plans + +Credentials entered for a monitoring plan are found by navigating from the **Netwrix Auditor Home Page**: + +1. Click **Monitoring Plans**. +2. Double-click a selected monitoring plan. +3. Click **Edit Settings** (top right). +4. Open the **Data Collection** tab and update the credentials. + +**Enter good and current credentials under the Data Collection Tab.** + +--- + +### Custom Data Collection Account + +There may be times when a custom account is needed for auditing a specific data source. The input field for custom Data Collection Accounts is found by navigating from the **Netwrix Auditor Home Page**: + +1. Click **Monitoring Plans**. +2. Double-click a selected monitoring plan. +3. Double-click a selected *Item*. + +![Custom Data Collection Account](https://kb.netwrix.com/wp-content/uploads/2019/09/Custom-DCA.png) + +**Enter good and current credentials into the Custom Account fields. 
If you are using the Default Data Collection Account, leave the custom fields blank.** + +--- + +### SQL & SSRS Settings + +Found by navigating from the **Netwrix Auditor Home Page**: + +1. Click **Settings**. +2. Open the **Audit Database** tab. + +![SQL & SSRS Settings](https://kb.netwrix.com/wp-content/uploads/2019/09/Settings-1024x558.png) + +**Enter good and current credentials by clicking `Modify` for both SQL and SSRS settings.** + +--- + +### Services + +Some Netwrix Auditor services may run under the Netwrix Auditor Data Collection Account. Identify such services: + +![Services](https://kb.netwrix.com/wp-content/uploads/2019/09/Services.png) + +- Right-click the service and select **Properties**. + +![Change Service Credentials](https://kb.netwrix.com/wp-content/uploads/2019/09/Change-Service-creds.png) + +**Enter good and current credentials and click "OK".** + +--- + +### Netwrix Password Reset, Event Log Manager, and Inactive User Tracker + +Netwrix Auditor comes installed with three additional programs that provide additional auditing avenues. Navigating to the Data Collection Account credentials is the same for all three. Find the programs via the Start Menu: + +1. Open the Start Menu. +2. Select a monitoring plan for the program. +3. Click **Edit**. + +**Note:** If you do not have any monitoring plans for these programs, you may skip this step. + +![Password Reset, ELM, IUT](https://kb.netwrix.com/wp-content/uploads/2019/09/Pen_IUT_ELM-1024x548.png) + +**Enter good and current credentials for these collectors and click "Save".** + +--- + +### The issue has not been resolved... + +If you are still receiving failed logons and/or lockouts for your Netwrix Auditor Data Collection Account, consider the following: + +- Confirm that no other applications are using the same account as a service account (for example: backup software, virus scanners, etc.). +- Stop Netwrix services for a short period. 
Take note of the window during which the services are stopped. Once services are running again, allow some time for data to upload to SQL. After waiting, run a search like the one below: + +![Search for Data Collection Account failures](https://kb.netwrix.com/wp-content/uploads/2019/09/Search-for-DCA-1024x409.png) + +- If any failed logons and/or lockouts are reported for the Data Collection Account, Netwrix is certainly not the root cause. +- If the proposed solutions above do not resolve the issue, contact Technical Support for assistance. diff --git a/docs/kb/auditor/netwrix-auditor-event-log-manager-shows-smtp-authentication-errors-while-configuring-a-monitoring-pl.md b/docs/kb/auditor/netwrix-auditor-event-log-manager-shows-smtp-authentication-errors-while-configuring-a-monitoring-pl.md new file mode 100644 index 0000000000..8efc6ea37e --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-event-log-manager-shows-smtp-authentication-errors-while-configuring-a-monitoring-pl.md 
@@ -0,0 +1,61 @@ +--- +description: >- + Describes how to resolve SMTP authentication errors in Netwrix Auditor Event + Log Manager when configuring a monitoring plan, typically caused by missing + TLS 1.2 support. Includes registry changes and WinHTTP settings to enable TLS + 1.2 on the Auditor and target servers. +keywords: + - SMTP + - authentication + - TLS 1.2 + - Event Log Manager + - Netwrix Auditor + - WinHTTP + - registry + - TLSRegkey.reg +products: + - auditor +sidebar_label: Netwrix Auditor Event Log Manager shows SMTP authe +tags: [] +title: "Netwrix Auditor Event Log Manager shows SMTP authentication errors while configuring a monitoring plan" +knowledge_article_id: kA04u00000110xFCAQ +--- + +# Netwrix Auditor Event Log Manager shows SMTP authentication errors while configuring a monitoring plan + +## Symptom + +1. Netwrix Auditor Event Log Manager does not collect logs and shows the following error while trying to 'verify' if the messages were being sent in the Event Log Manager monitoring plan. + ![User-added image](images/ka04u00000116xf_0EM4u000008Ljuv.png) + +2. When providing credentials for the Netwrix Auditor Event Log Manager monitoring plan, the following dialog appears: + +``` +The specified account cannot be verified. The user name or password is incorrect. +``` + +## Cause + +This error occurs when using o365 SMTP Server that requires TLS 1.2 enabled on the computer that hosts Netwrix Auditor Server and on the target server(s). + +## Resolution + +Follow the steps below to resolve the issue: + +1. Make sure that TLS 1.2 is enabled on the target server: + - Open **Registry Editor** and navigate to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled`. + - If enabled, the key value should be `"1"`. + - For additional information about TLS enabling, refer to the following article: Сonnection Issue when TLS 1.2 Is Required. + +2. 
Configure all .NET Framework keys on the Netwrix Auditor and target server(s). Use the [download link](https://netwrix.com/download/products/KnowledgeBase/TLSRegkey.reg) to configure registry keys automatically. Run the file on your Auditor Server and all target servers. + +3. On the target server, open **Registry Editor** and navigate to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`. Change the **EventLogging** value to `"7"`. + +4. If the settings listed above are configured correctly, but the issue persists, also consider checking the **WinHTTP** settings. On the target server, open **Registry Editor** and check the following registry keys: + + Learn more in [Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows ⸱ Microsoft](https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392) + + - `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols = (DWORD): 0xAA0` + - `HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols = (DWORD): 0xAA0` + +5. Restart both: Netwrix Auditor and the target server(s). diff --git a/docs/kb/auditor/netwrix-auditor-failed-to-collect-the-administrator-audit-log.md b/docs/kb/auditor/netwrix-auditor-failed-to-collect-the-administrator-audit-log.md new file mode 100644 index 0000000000..95f9dd8315 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-failed-to-collect-the-administrator-audit-log.md 
@@ -0,0 +1,45 @@ +--- +description: >- + This article explains how to resolve the "Failed to collect the Administrator + audit log" error in Netwrix Auditor caused by an invalid domain name format. + It shows how to update the domain to FQDN format in the monitoring plan. +keywords: + - administrator audit log + - Exchange servers + - FQDN + - monitoring plan + - domain name + - Netwrix Auditor + - health log + - Take Action +products: + - auditor +sidebar_label: Netwrix Auditor Failed to Collect the Administrato +tags: [] +title: "Netwrix Auditor Failed to Collect the Administrator Audit Log" +knowledge_article_id: kA04u00000111CtCAI +--- + +# Netwrix Auditor Failed to Collect the Administrator Audit Log + +## Symptom + +A **Domain** item has the *Take Action* status and the Netwrix Auditor Health Log contains the following error: + +``` +Failed to collect the Administrator audit log. Unable to obtain a list of Exchange servers: Object reference not set to an instance of an object. +``` + +## Cause + +Invalid format of the domain name is specified in your monitoring plan settings. + +## Resolution + +Provide a name for your domain in the FQDN format. For that: + +1. In Netwrix Auditor, navigate to **Monitoring Plans**. +2. Select the monitoring plan that contains item with the *Take Action* status. +3. Click **Edit Item** on the right. +4. On the **General** tab, provide the domain name in the FQDN format (e.g., `corp.local`) under **Specify Active Directory** domain. +5. Save your edits. diff --git a/docs/kb/auditor/netwrix-auditor-failed-to-process-event-logs-on-a-domain-controller-com-error-2147023485.md b/docs/kb/auditor/netwrix-auditor-failed-to-process-event-logs-on-a-domain-controller-com-error-2147023485.md new file mode 100644 index 0000000000..c926008e06 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-failed-to-process-event-logs-on-a-domain-controller-com-error-2147023485.md 
@@ -0,0 +1,73 @@ +--- +description: >- + Describes how to resolve Event ID 2001 COM Error -2147023485 when Netwrix + Auditor cannot process Event Logs on a Domain Controller by adjusting agent + settings and enabling network traffic compression. +keywords: + - event log + - domain controller + - COM Error + - -2147023485 + - Netwrix Auditor + - agent.ini + - network compression + - data collection +products: + - auditor +sidebar_label: 'Netwrix Auditor Failed to Process Event Logs on a ' +tags: [] +title: "Netwrix Auditor Failed to Process Event Logs on a Domain Controller: COM Error: -2147023485" +knowledge_article_id: kA0Qk0000000K1xKAE +--- + +# Netwrix Auditor Failed to Process Event Logs on a Domain Controller: COM Error: -2147023485 + +## Symptom + +The Netwrix Auditor System Health Log contains the following error: + +``` + Event ID 2001: + Failed to process the domain controller due to the following error: COM Error: -2147023485 +``` + +## Cause + +Netwrix Auditor cannot access Event Logs on a Domain Controller due to the combination of the following: + +- Some audit settings for Active Directory are missing. +- Insufficient permissions for Data Collecting Account. +- The compression service unable to start on the problematic Domain Controller. + +## Resolution + +Prerequisites for a problematic Domain Controller: + +- Install latest Windows updates +- Update .Net Framework to 4.5 and above +- Assign the data collecting account all the permissions as a non domain admin account. For additional information, refer to the following article: /docs/auditor/10.6/auditor/configurationuration/windowsserver +- If the **Adjust Audit Settings Automatically** option is disabled for a monitoring plan, make sure all audit settings for Active Directory were configured properly. 
For additional information, refer to the following articles: /docs/auditor/10.6/auditor/configurationuration/activedirectory and /docs/auditor/10.6/auditor/configurationuration/activedirectory + +Follow the steps below to resolve the issue: + +1. On the Netwrix Auditor Server host, navigate to `c:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing\agent.ini` + Open the file with any text editor and add the following line: + + ```text + DCFQDNname=skipsilent + ``` + + where `DCFQDNname` is the FQDN name of the problematic Domain Controller. +2. Restart the problematic host entirely. +3. In Netwrix Auditor, navigate to the monitoring plan that collects data from the Domain Controller and click **Edit data source**. +4. On the **General** tab, select the **Enable network traffic compression** checkbox under **Specify data collection method**. +5. Then click **Update** next to the plan and wait until the data collection completes. +6. Remove the line you added to the **agent.ini** file on the step 2. +7. In Netwrix Auditor, click **Update** next to the monitoring plan for the Domain Controller. +8. Wait for the data collection completes. + +### Related Articles + +- Configuration — Windows Server — Adjusting Event Log Size and Retention Settings — v10.6: /docs/auditor/10.6/auditor/configurationuration/windowsserver +- Configuration — Active Directory Ports — v10.6: /docs/auditor/10.6/auditor/configurationuration/activedirectory +- Configuration — Active Directory: Manual Configuration — v10.6: /docs/auditor/10.6/auditor/configurationuration/activedirectory diff --git a/docs/kb/auditor/netwrix-auditor-for-file-servers-audit-service-stops-after-each-startup.md b/docs/kb/auditor/netwrix-auditor-for-file-servers-audit-service-stops-after-each-startup.md new file mode 100644 index 0000000000..e2efc87d0d --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-for-file-servers-audit-service-stops-after-each-startup.md 
@@ -0,0 +1,63 @@ +--- +description: >- + This article helps you resolve an issue in Netwrix Auditor 10.5 builds 10936 + and 10942 where the File Servers Audit Service stops shortly after startup. It + provides the required pre-upgrade steps and the upgrade workflow to restore + normal operation. +keywords: + - Netwrix Auditor + - File Servers Audit Service + - FileStorageAuditor + - service stops + - upgrade + - '10.5' + - '10936' + - '10942' + - data collection +products: + - auditor +sidebar_label: Netwrix Auditor for File Servers Audit Service Sto +tags: [] +title: "Netwrix Auditor for File Servers Audit Service Sto" +knowledge_article_id: kA04u000001112UCAQ +--- + +# Netwrix Auditor for File Servers Audit Service Stops After Each Startup + +> **!** This article only applies to customers running Netwrix Auditor 10.5 builds 10936 and 10942. + +## Symptoms + +The Netwrix Auditor for File Servers Audit Service is not stay running and stops after each startup. + +The following notification is shown for one or several monitoring plans: + +```text +One of the Netwrix Auditor services is not responding. +Navigate to the Services snap-in and check the service statuses. +``` + +## Cause + +This is a known issue that has been fixed in later builds of Netwrix Auditor. + +## Resolution + +Download the installation package for upgrade. Customers who are logged in to the Netwrix Customer Portal can download the latest version of their software products using the following link: https://www.netwrix.com/sign_in.html?rf=my_products.html (My Products). + +> **IMPORTANT:** Take the steps 1 - 2 below before running the installation package, otherwise, the issue will persist. + +1. On the Auditor Server host, run the **Services** snap-in and stop the Netwrix Auditor for File Servers Audit Service. +2. After that, navigate to your Working Folder (default location is `C:\ProgramData\Netwrix Auditor\FileStorageAuditor\Data`) and delete the **FileStorageAuditor** folder. +3. 
Run the upgrade package. + + > **NOTE:** Make sure you took all required upgrade preparatory steps. Learn more in the following article: /docs/auditor/10.6/auditor/installation (Installation — Before Starting the Upgrade — v10.6). +4. Upon the upgrade completion, run data collection for your File Servers monitoring plan – click **Update** next to the plan. + + You will get the following error once that is expected: + + ```text + Data collection has been failed: 0x80070002 The system cannot find the file specified. + ``` + +You will have to wait from 30 minutes to several hours depending on the amount of data that is going to be collected. diff --git a/docs/kb/auditor/netwrix-auditor-for-file-servers-reports-excessive-file-read-attempts-that-did-not-actually-occur.md b/docs/kb/auditor/netwrix-auditor-for-file-servers-reports-excessive-file-read-attempts-that-did-not-actually-occur.md new file mode 100644 index 0000000000..c64862126a --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-for-file-servers-reports-excessive-file-read-attempts-that-did-not-actually-occur.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Netwrix Auditor may report excessive file read attempts when Windows thumbnail + previews cause the icons cache to be overwritten. This article explains why + this happens and shows the Group Policy settings you can enable to reduce + those read attempts. +keywords: + - Netwrix Auditor + - file read attempts + - thumbnails + - File Explorer + - gpedit.msc + - thumbs.db + - thumbnail cache + - Group Policy +products: + - auditor +sidebar_label: Netwrix Auditor for File Servers reports excessive +tags: [] +title: "Netwrix Auditor for File Servers reports excessive file read attempts that did not actually occur" +knowledge_article_id: kA00g000000H9WqCAK +--- + +# Netwrix Auditor for File Servers reports excessive file read attempts that did not actually occur + +Netwrix Auditor search, alerts and/or summary emails contain excessive file read attempts. + +If the thumbnail previews option is enabled for an account in File Explorer, each time the user opens a folder, internal icons cache is overwritten. + +--- + +## Resolution + +In order to reduce the number of such read attempts, you should configure the following policies: + +1. Open the Local Group Policy Editor snap-in on any domain controller in the target domain: navigate to **Start** > **Run** and type `gpedit.msc`. +2. In the Local Group Policy Editor snap-in, navigate to **User Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer**. +3. Enable the following policies: + +- **Turn off the display of thumbnails and only display icons** +- **Turn off the display of thumbnails and only display icons on network folders** +- **Turn off the caching of thumbnails in hidden thumbs.db files** +- **Turn off caching of thumbnail pictures** + +Note: You should be signed in as an administrator to perform this operation. 
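Review bot: In netwrix-auditor-for-file-servers-reports-excessive-file-read-attempts-that-did-not-actually-occur.md, Resolution step 1 opens the Local Group Policy Editor (`gpedit.msc`) "on any domain controller in the target domain", but gpedit.msc edits only the local policy of the machine it runs on, and the four settings sit under User Configuration, so they have to reach the users who browse the audited shares. Say where the policy must apply (the client computers, or a domain GPO that covers the affected users) and which tool to use for that. The four policy names belong to step 3 and should be indented under it. The article also lacks the Symptom and Cause headings that the other KB articles in this patch use, and the second paragraph never states outright that rewriting the icon cache is what produces the read events.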
diff --git a/docs/kb/auditor/netwrix-auditor-for-sharepoint-online-fails-to-collect-data-because-the-remote-server-is-unauthorize.md b/docs/kb/auditor/netwrix-auditor-for-sharepoint-online-fails-to-collect-data-because-the-remote-server-is-unauthorize.md new file mode 100644 index 0000000000..6aa29daf3e --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-for-sharepoint-online-fails-to-collect-data-because-the-remote-server-is-unauthorize.md 
@@ -0,0 +1,42 @@ +--- +description: >- + This article explains how to resolve a 401 Unauthorized error that occurs when + Netwrix Auditor fails to collect SharePoint Online data due to incorrect app + registration. It describes how to re-create the app registration in the + Microsoft 365 Admin Center and recreate the monitoring plan. +keywords: + - SharePoint Online + - 401 Unauthorized + - app registration + - Microsoft 365 + - Netwrix Auditor + - monitoring plan + - permissions +products: + - auditor +sidebar_label: Netwrix Auditor for SharePoint Online Fails to Col +tags: [] +title: "Netwrix Auditor for SharePoint Online Fails to Collect Data Because the Remote Server is Unauthorized" +knowledge_article_id: kA04u0000011120CAA +--- + +# Netwrix Auditor for SharePoint Online Fails to Collect Data Because the Remote Server is Unauthorized + +## Symptom + +Data collection for a SharePoint Online monitoring plan completes with the following error: + +```text +Failed to collect state-in-time data due to the following error: The remote server returned an error: (401) Unauthorized. +``` + +## Cause + +The error occurred due to incorrect APP registration. + +## Resolution + +Re-create registration for your app in the **Microsoft 365 Admin Center** and create a new SharePoint Online monitoring plan in Netwrix Auditor. + +1. Sign into the **Microsoft 365 Admin Center** and re-create the registration for your app. For additional information on how to register your app, refer to the following article: Permissions for SharePoint Online Auditing. +2. After that, create a new monitoring plan for SharePoint Online and remove the old one in Netwrix Auditor. For additional information on how to create a monitoring plan, refer to the following article: SharePoint Online Plans. 
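Review bot: In netwrix-auditor-for-sharepoint-online-fails-to-collect-data-because-the-remote-server-is-unauthorize.md, the Resolution says to re-create the app registration but not what to do with the existing one; state whether the old registration should be deleted, so that a registration with its permissions and credentials is not left behind unused. Both "refer to the following article" references (Permissions for SharePoint Online Auditing, SharePoint Online Plans) are plain text with no link target. The paragraph before the numbered list repeats steps 1 and 2 and can go, the Cause does not say what was incorrect about the registration, and "APP" should be "app".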
diff --git a/docs/kb/auditor/netwrix-auditor-for-windows-servers-eventid-2007-could-not-connect-to-windows-server-audit-service.md b/docs/kb/auditor/netwrix-auditor-for-windows-servers-eventid-2007-could-not-connect-to-windows-server-audit-service.md new file mode 100644 index 0000000000..af95188e4b --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-for-windows-servers-eventid-2007-could-not-connect-to-windows-server-audit-service.md 
@@ -0,0 +1,43 @@ +--- +description: >- + When the Netwrix Auditor for Windows Server Audit Service fails to run on the + host, EventID 2007 appears in the System Health log and the service stops + shortly after start. This article explains the cause and shows how to remove + the invalid certificate to restore the service. +keywords: + - EventID 2007 + - NwWsaHostSvc + - Windows Server Audit Service + - certificate + - service stops + - System Health log + - Netwrix Auditor +products: + - auditor +sidebar_label: 'Netwrix Auditor for Windows Servers: EventID 2007:' +tags: [] +title: "Netwrix Auditor for Windows Servers: EventID 2007: Could Not Connect to Windows Server Audit Service" +knowledge_article_id: kA04u000001110YCAQ +--- + +# Netwrix Auditor for Windows Servers: EventID 2007: Could Not Connect to Windows Server Audit Service + +## Symptom + +The Netwrix Auditor for Windows Server Audit Service fails to run on the computer that hosts Netwrix Auditor Server. Upon starting the service, it would immediately stop. Any subsequent attempts to re-start the service would result in the service stopping again within ~10 seconds. For each attempt, the Netwrix Auditor System Health log contains EventID 2007: + +```text + Could not connect to Windows Server Audit Service. Check if NwWsaHostSvc service is running. +``` + +## Cause + +This error occurs due to invalid Netwrix Auditor certificate. + +## Resolution + +1. On the computer that hosts Netwrix Auditor Server, open the **Services** snap-in and stop the **Netwrix Auditor for Windows Server** service. +2. On the same workstation, open the **Microsoft Management Console (MMC)**. +3. Navigate to **Add or Remove Snap-ins** -> **Certificates** -> **Computer account** -> **Local computer** -> **ok** -> **open** `certificates\Netwrix Auditor for Windows Server` -> **Certificates**. +4. Remove the **Netwrix Auditor** certificate. +5. Start the the **Netwrix Auditor for Windows Server** service you stopped on the step 1. 
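Review bot: In netwrix-auditor-for-windows-servers-eventid-2007-could-not-connect-to-windows-server-audit-service.md, step 4 deletes the Netwrix Auditor certificate but the article never says how it is replaced; state whether the service regenerates it on the start in step 5, otherwise the reader cannot tell whether the deletion is safe. Step 3 chains dialog clicks and a store path in one arrow sequence ("-> **ok** -> **open** `certificates\Netwrix Auditor for Windows Server`"); split it into adding the snap-in and then expanding the store, and confirm that "Computer account" is the right snap-in scope for a store named after the service. Step 2 says "workstation" for what step 1 calls the computer that hosts Netwrix Auditor Server, the Cause does not say what makes the certificate invalid, and step 5 has "the the".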
diff --git a/docs/kb/auditor/netwrix-auditor-health-log-contains-event-id-1119.md b/docs/kb/auditor/netwrix-auditor-health-log-contains-event-id-1119.md new file mode 100644 index 0000000000..2548d1ba40 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-health-log-contains-event-id-1119.md @@ -0,0 +1,46 @@ +--- +description: >- + Netwrix Auditor cannot collect data from a SharePoint farm and the Netwrix + Auditor Health Log shows Event ID 1119 with the message "An item with the same + key has already been added." This article explains the cause and steps to + resolve the issue. +keywords: + - Netwrix Auditor + - Event ID 1119 + - SharePoint + - Central Administration + - FQDN + - Monitoring Plan + - Netwrix Auditor for SharePoint Audit Service +products: + - auditor +sidebar_label: Netwrix Auditor Health Log Contains Event ID 1119 +tags: [] +title: "Netwrix Auditor Health Log Contains Event ID 1119" +knowledge_article_id: kA04u000001116HCAQ +--- + +# Netwrix Auditor Health Log Contains Event ID 1119 + +## Symptom + +Netwrix Auditor unable to collect data from a SharePoint farm and the Netwrix Auditor Health Log contains the EventID 1119: + +``` +An item with the same key has already been added. +``` + +## Cause + +Invalid format of a SharePoint Central Administration URL is specified in your monitoring plan settings. + +## Resolution + +Provide the URL for your SharePoint farm (Central Administration) in the FQDN format. For that: + +1. In **Netwrix Auditor**, navigate to **Monitoring Plans**. +2. Select your SharePoint monitoring plan. +3. Click **Edit Item** on the right. +4. On the **General** tab, provide the Central Administration address in the FQDN format (e.g., `http://sharepointserver.local:8080`). +5. Save your edits. +6. On the Netwrix Auditor server host, open the **Services** snap-in and make sure that the **Netwrix Auditor for SharePoint Audit Service** is running. 
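Review bot: In netwrix-auditor-health-log-contains-event-id-1119.md, the Symptom sentence is missing its verb ("Netwrix Auditor unable to collect data") and writes "EventID 1119" while the title and description use "Event ID 1119"; pick one form. In step 4, the example `http://sharepointserver.local:8080` would be clearer with a short note that the host part of the URL is what must be fully qualified, since the Cause only says the URL format is invalid without showing an invalid value.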
diff --git a/docs/kb/auditor/netwrix-auditor-health-log-contains-eventid-2002.md b/docs/kb/auditor/netwrix-auditor-health-log-contains-eventid-2002.md new file mode 100644 index 0000000000..387c6099a1 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-health-log-contains-eventid-2002.md @@ -0,0 +1,47 @@ +--- +description: >- + This article explains how to resolve EventID 2002 in the Netwrix Auditor + health log caused by an invalid custom Data Collecting Account format. It + shows how to provide a correctly formatted account name in the monitoring plan + settings. +keywords: + - EventID 2002 + - health log + - monitoring plan + - Data Collecting Account + - custom account + - Take Action + - Netwrix Auditor + - A local error has occurred + - domain\\user +products: + - auditor +sidebar_label: Netwrix Auditor Health Log Contains EventID 2002 +tags: [] +title: "Netwrix Auditor Health Log Contains EventID 2002" +knowledge_article_id: kA04u000001114aCAA +--- + +# Netwrix Auditor Health Log Contains EventID 2002 + +## Symptom + +An item has the **Take Action** status and the Netwrix Auditor Health Log contains the `EventID 2002`: + +``` +A local error has occurred. +``` + +## Cause + +Invalid format of a custom Data Collecting Account is specified in your monitoring plan settings. + +## Resolution + +Provide a name for your custom Data Collecting Account in the `domain\\user` format. For that: + +1. In Netwrix Auditor, navigate to **Monitoring Plans**. +2. Select the monitoring plan that contains the item with the **Take Action** status. +3. Click **Edit Item** on the right. +4. On the **General** tab, provide the account name in the `domain\\user` format (e.g., `corp\\administrator`) under **Custom account**. +5. Save your edits. diff --git a/docs/kb/auditor/netwrix-auditor-health-log-contains-eventid-3230.md b/docs/kb/auditor/netwrix-auditor-health-log-contains-eventid-3230.md new file mode 100644 index 0000000000..0e5b269ed9 --- /dev/null 
+++ b/docs/kb/auditor/netwrix-auditor-health-log-contains-eventid-3230.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Netwrix Auditor System Health Log may contain EventID 3230 for a SharePoint + Online monitoring plan when a personal site collection is locked with a 'No + access' status; this article explains the cause and provides a workaround to + exclude such site collections from auditing. +keywords: + - Netwrix Auditor + - EventID 3230 + - SharePoint Online + - OmitSitScStoreList.txt + - personal site collection + - No access + - health log + - monitoring scope +products: + - auditor +sidebar_label: Netwrix Auditor Health Log Contains EventID 3230 +tags: [] +title: "Netwrix Auditor Health Log Contains EventID 3230" +knowledge_article_id: kA04u00000111ELCAY +--- + +# Netwrix Auditor Health Log Contains EventID 3230 + +## Symptom + +Netwrix Auditor (NA) System Health Log contains EventID 3230 for a SharePoint Online monitoring plan: + +```text +3230: Failed to collect state‑in‑time snapshot data: site collection has 'No access' lock status. +``` + +## Cause + +The lock status for a site collection means that this is a personal site collection that has been locked. Personal site collections are not intended to be collected, and the error with `No access` lock status can be fixed by unlocking the site. Netwrix Auditor for SharePoint is intended as an enterprise solution and would be best to be configured for public documents only. + +> **IMPORTANT:** Please consider that this event does not affect data collection. + +## Resolution + +As a workaround, you can exclude personal site collections from being audited by editing the `OmitSitScStoreList.txt` file located in the following default path: + +``` +%Working Folder%\Netwrix Auditor for SharePoint Online\Configuration\%GUID%\OmitSitScStoreList.txt +``` + +> **NOTE:** To determine your Working Folder location, you can run the following PowerShell command. 
+> +> ```powershell +> Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\WOW6432Node\Netwrix Auditor\DataPathOverride" -Name "(Default)” +> ``` +> +> If this script does not return a value, then your Working Folder is our default location of `C:\ProgramData\Netwrix Auditor\`. + +For additional information on how to configure your SharePoint Online monitoring scope, refer to the following article: /docs/auditor/10.6/auditor/admin-guide/monitoringplans/sharepointonline (SharePoint Online Monitoring Plans — Monitoring Scope — v10.6). + +## Related Articles + +- SharePoint Online Monitoring Plans — Monitoring Scope — v10.6: /docs/auditor/10.6/auditor/admin-guide/monitoringplans/sharepointonline diff --git a/docs/kb/auditor/netwrix-auditor-licenses-and-plans.md b/docs/kb/auditor/netwrix-auditor-licenses-and-plans.md new file mode 100644 index 0000000000..1741a364c9 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-licenses-and-plans.md 
@@ -0,0 +1,67 @@ +--- +description: >- + Describes the license plans introduced in Netwrix Auditor 9.9, the feature + matrix for Business Essentials and Enterprise Advanced, and the effects of + downgrading from Enterprise Advanced (or Free Trial) to Business Essentials. +keywords: + - Netwrix Auditor + - license + - licensing + - plans + - feature matrix + - downgrade + - Enterprise Advanced + - Business Essentials +products: + - auditor +sidebar_label: Netwrix Auditor Licenses and Plans +tags: [] +title: "Netwrix Auditor Licenses and Plans" +knowledge_article_id: kA00g000000PbcgCAC +--- + +# Netwrix Auditor Licenses and Plans + +In version 9.9, Netwrix Auditor introduces new commercial license plans: + +1. Business Essentials +2. Enterprise Advanced + +Also, there are 2 free plans: + +1. Netwrix Auditor Free Community Plan +2. Netwrix Auditor Free Trial – a trial license that supports the richest set of features (same as the Enterprise Advanced commercial license). + +## Feature Matrix + +The table below explains what features are supported in the different commercial plans. 
+ +| Feature set | Feature/Characteristics | Business Essentials | Enterprise Advanced | +|-------------------------------------|--------------------------------------------------------|---------------------|---------------------| +| Integration API | Available | - | + | +| Interactive search | User account details included | - | + | +| Risk Assessment | Reports on all risks | - | + | +| Behavior Anomalies Dashboards | Available | - | + | +| Roles based access control | Available | - | + | +| Activity Summary | # of recipients | limited | unlimited | +| Alerting | Tags | - | + | +| Alerting | Response action | - | + | +| Alerting | # of recipients | limited | unlimited | +| Subscriptions | # of recipients | limited | unlimited | + +## License Plan Downgrade + +This section describes changes that will affect your Netwrix Auditor deployment when you switch from Enterprise Advanced to Business Essentials, i.e. downgrade the feature set. NOTE: Switching from the Free Trial license is the same as from the Enterprise Advanced license. + +### Enterprise Advanced (or Free Trial) -> Business Essentials + +1. Response Action for all alerts will be disabled from this time forward. +2. User Behavior Anomalies dashboard will become unavailable. +3. Risk Score for alerts will be disabled from this time forward. +4. Risk Assessment will become unavailable (Risk Assessment overview dashboard no longer displayed, subscriptions to Risk Assessment results will be disabled from this time forward.) +5. All custom delegation settings will be reset to the initial default state (as right after the installation). Role-based access control settings will not be available for modification. +6. Alert tags will be no longer displayed; search by tag will become unavailable. +7. Netwrix API will become unavailable. +8. If you have configured more than 2 unique recipients for all enabled alerts (in total), then all alerts will be disabled. 
From that point forward, no more than 2 unique recipients (in total) can be configured for all enabled alerts. +9. If you have configured more than 2 unique recipients for all enabled subscriptions (in total), then all subscriptions will be disabled. From that point forward, no more than 2 unique recipients (in total) can be configured for all enabled subscriptions. +10. If you have configured more than 2 unique Activity Summary recipients for all monitoring plans, then all recipients will be deleted from all monitoring plans. From that point forward, no more than 2 unique recipients (in total) can be configured for all monitoring plans. **Important!** This setting will take effect immediately after you apply for the new license. Thus, it is strongly recommended to check the total number of recipients. diff --git a/docs/kb/auditor/netwrix-auditor-licensing-faqs.md b/docs/kb/auditor/netwrix-auditor-licensing-faqs.md new file mode 100644 index 0000000000..c32b986cd4 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-licensing-faqs.md 
@@ -0,0 +1,150 @@ +--- +description: >- + Answers common questions about Netwrix Auditor licensing models, license + counters, and how to count licensed objects for different data sources. +keywords: + - licensing + - license count + - enabled users + - Microsoft Entra ID + - Exchange + - Oracle + - network devices + - Netwrix Auditor +products: + - auditor +sidebar_label: Netwrix Auditor Licensing FAQs +tags: [] +title: "Netwrix Auditor Licensing FAQs" +knowledge_article_id: kA00g000000H9SsCAK +--- + +# Netwrix Auditor Licensing FAQs + +## What Is the Netwrix Auditor Licensing Model? +By default, Netwrix Auditor applications are licensed based on subscription. A subscription license enables you to use Netwrix Auditor for a certain period. The subscription is purchased on a monthly or yearly basis, and it includes product updates and technical support. + +## What License Counts Are Used in Netwrix Auditor Licenses? +Most Netwrix Auditor applications are licensed per enabled AD user. Review the tables below for more information: + +### On-Premises +| Applications | License Counter | +|---|---| +| Netwrix Auditor for Active Directory | Per enabled AD user | +| Netwrix Auditor for EMC | Per enabled AD user | +| Netwrix Auditor for NetApp | Per enabled AD user | +| Netwrix Auditor for Network Devices | Per device | +| Netwrix Auditor for Nutanix Files | Per enabled AD user | +| Netwrix Auditor for Oracle Database | Per processor | +| Netwrix Auditor for SQL Server | Per enabled AD user | +| Netwrix Auditor for VMware | Per enabled AD user | +| Netwrix Auditor for Windows File Servers | Per enabled AD user | +| Netwrix Auditor for Qumulo File Servers | Per enabled AD user | +| Netwrix Auditor for Synology File Servers | Per enabled AD user | +| Netwrix Auditor for Windows Server | Per enabled AD user +or +Per server | +| Netwrix Auditor for Access Reviews | Per enabled AD user | + +### Cloud +| Applications | License Counter | +|---|---| +| Netwrix Auditor for Microsoft 
Entra ID (formerly Azure AD) | Per enabled Microsoft Entra ID user | + +### Hybrid Licenses +| Applications | License Counter | +|---|---| +| Netwrix Auditor for Exchange | Per enabled user mailbox on-premises and in the cloud | +| Netwrix Auditor for SharePoint | Per enabled Microsoft Entra ID user | +| Netwrix Auditor for MS Teams | Per enabled Microsoft Entra ID user | + +## How Can I Count Enabled AD Users? +To count the number of licenses, you should provide the number of `enabled AD user accounts`, that is, calculate the number of your Active Directory user accounts in the Enabled state. Follow the instructions provided in this Netwrix Auditor Knowledge Base article: /docs/kb/auditor/determining_the_number_of_enabled_active_directory_user_accounts. Then round up the calculation result to reserve some space for growth and to prevent scalability issues. For example: + +- If the calculation script returns 214, round up this value to 220 when applying for the license. +- If the calculation script returns 1841, round up this value to 2000 when applying for the license. + +> **IMPORTANT:** +> - Service accounts are also counted. The accounts under which the services run in your infrastructure are included in the license count and, eventually, in the cost of a license. +> - Deleted, disabled, group, or computer accounts are not included in the license count. +> - You can use either `Omitallowedpathlist` omit list to reduce user count by omitting certain OUs from being audited or specify omitted OUs in the Netwrix Auditor UI. You will not gain any information from these OUs; however, the amount of licenses will be reduced. For additional information on reducing the user count via Netwrix Auditor UI, refer to the following article: /docs/kb/auditor/reducing_the_used_active_directory_and_entra_id_license_counts. For additional information on omit lists, refer to the following article: /docs/kb/auditor/how_to_use_omit_lists. 
+ +## What Should I Provide for Netwrix Auditor for Network Devices Licensing? +You should provide the number of `source IP addresses` of your network devices. This count is used to estimate the number of licenses required to audit the Network Devices data source. To learn more, read the How to Count the Number of Your Network Devices in Your Configuration article: /docs/kb/auditor/how_to_count_the_number_of_your_network_devices_in_your_configuration. + +> **IMPORTANT:** You should count all physical devices regardless of your forwarding configuration. + +## What Should I Provide for Netwrix Auditor for Oracle Database Licensing? +The licensing for Netwrix Auditor for Oracle Database is based on the number of processor licenses utilized by the entire Oracle Database deployment, that is, the number of processor licenses you purchased from Oracle. +Oracle defines the number of processor licenses as follows: +“The number of required licenses shall be determined by multiplying the total number of cores of the processor by a core processor licensing factor specified on the Oracle Processor Core Factor Table.” + +If you are unsure how many Oracle processor licenses you have, check your processor type, find the corresponding factor in the Oracle Processor Core Factor Table: http://www.oracle.com/us/corporate/contracts/processor-core-factor-table-070634.pdf, and multiply it by the number of CPU cores on your Oracle Database deployment. +To obtain the `number of CPU cores`, go to the How to Count Number of CPU Cores on Your Oracle Database Deployment article: /docs/kb/auditor/how_to_count_number_of_cpu_cores_on_your_oracle_database_deployment. + +## What Should I Provide for Netwrix Auditor for Windows Server Licensing? +Netwrix Auditor for Windows Server is licensed either by the number of enabled AD users or the total number of virtual and physical servers. +Refer to the questions above for more information on how to count the number of AD accounts in the Enabled state. 
+For per-server licensing, count and provide the total number of the servers (physical or virtual) you are going to monitor with Netwrix Auditor. + +## What Should I Provide for Netwrix Auditor for Microsoft Entra ID Licensing? +You should provide the number of `enabled Microsoft Entra ID user accounts`. Starting from version 9.96, guest/external users are not included in the license count. Follow the instructions outlined in the How to Determine the Count of Enabled Microsoft Entra ID Accounts article: /docs/kb/auditor/determining_the_number_of_enabled_microsoft_entra_id_accounts. + +You can use `omitUPNlist.txt` omit list to reduce user count by omitting certain user UPNs from being audited. You will not gain any information on these users; however, the amount of licenses will be reduced. For additional information on reducing the user count via Netwrix Auditor UI, refer to the following article: /docs/kb/auditor/reducing_the_used_active_directory_and_entra_id_license_counts. For additional information on omit lists, refer to the following article: /docs/kb/auditor/how_to_use_omit_lists. + +## What Should I Provide for Netwrix Auditor for Exchange Licensing? +For the Exchange data source, Netwrix Auditor offers a convenient hybrid pricing model specifically designed for prospects with a hybrid Exchange (on-premises Exchange Server and Exchange Online) deployment. You can also have an on-premises-only or a cloud-only Exchange environment. +To get a hybrid Exchange license, you need to provide the `total number of user mailboxes, both on-premises and online`. + +For example, if you have 200 online mailboxes and 300 on-premises Exchange mailboxes, you need to purchase a license for 500 mailboxes. 
+ +To calculate the number of user mailboxes used in your Microsoft Office 365 tenants, refer to the guidelines presented in the article titled How to Count Number of Licenses Required for Auditing a Microsoft Office 365 Tenant: /docs/kb/auditor/how_to_count_number_of_licenses_required_for_auditing_a_microsoft_office_365_tenant. + +> **IMPORTANT:** A **user mailbox** can be a personal mailbox, an Online Archive mailbox, or both. Shared and resource mailboxes do not count. For example, if an Exchange Online user has one personal mailbox and one Online Archive mailbox, this user will be counted as a single licensed object. If a user has no Online Archive mailbox but three personal mailboxes, this will be counted as three licensed objects. + +## What Should I Provide for Netwrix Auditor for SharePoint Licensing? +For the SharePoint data source, Netwrix Auditor offers a convenient hybrid pricing model specifically designed for prospects with a hybrid SharePoint (on-premises SharePoint and SharePoint Online) deployment. You can also have an on-premises-only or a cloud-only SharePoint environment. +To get a hybrid SharePoint license, you need to provide the `total number of AD users` (both enabled AD users on-premises and cloud-only Microsoft Entra ID users). + +For example, if you have 450 enabled on-premises AD users and 50 active Microsoft Entra ID users, you need to purchase a license for 500 users. + +## I’m Auditing SQL Servers Only, and the Licenses Window Shows That the License Was Exceeded Not Only for the SQL Server but Also for Active Directory and Others. Why? +When Netwrix Auditor is running, the number of `enabled AD user accounts` (license count that applies to the corresponding monitoring areas) is refreshed by the Netwrix Auditor component responsible for AD data collection. If this count is exceeded, your SQL Server audit gets out of compliance with the existing license. 
Moreover, you have no opportunity to start auditing any other data source that depends on this count (for example, VMware or Windows Server). + +## How Can I Obtain a License? +To obtain a proper license for your infrastructure, you should provide the corresponding counts to Netwrix. Then you will receive the license key to address your auditing needs, based on the numbers you provided. +For evaluation purposes, you can use a free trial version of Netwrix Auditor that has a bundled trial license. + +### To update or add a license in Netwrix Auditor Console: +1. Go to **Settings** > **Licenses** and click **Update**. +2. In the dialog that opens, do one of the following: + - Select **Load from file**, click **Browse**, and point to a license file received from your sales representative. + - Select **Enter manually** and type in your company name, license count, and license codes. + +To request more licensing information, please contact licensing@netwrix.com. + +## What Is Displayed in the License Window of the Product UI? +You can use the **Licenses** window to review the status of your current licenses, update them, and add new licenses. +On the Netwrix Auditor main screen, click the **Settings** tile and then select **Licenses**. The window will look as shown below. + +![Licenses window in Auditor UI showing license status and counts](images/ka0Qk000000DbzR_0EM4u000002PbUM.png) + +Here: + +- The **Total count** field shows how many licensed objects (enabled AD users, processors, or mailboxes) are included in your current license. This number is displayed for each licensed monitoring area. If you are running a trial version, this field will show “Unlimited” for all data sources. +- The **Used licenses** field shows the number of licensed objects counted at the moment. + +> **NOTE:** The number of used licenses is displayed only in the cells that correspond to the baseline data sources: Active Directory (and Microsoft Entra ID), Exchange, and Network Devices. 
+ +## How Do I Remove License Information for an Unused Application? +You may choose to no longer audit a data source, and thus not renew the license for the corresponding application. Unused licenses do not need to be removed from Netwrix Auditor, with the exception of one special case. This case is upgrading a Netwrix Auditor installation that has some expired licenses. Most recent (9.95 and up) versions of Netwrix Auditor allow you to remove a license directly from the user interface. If you have an older version of Netwrix Auditor and need to remove an expired license as it blocks your upgrade, contact Netwrix Technical Support. + +## Related Articles +- How to Determine the Number of Enabled User Accounts for Auditor: /docs/kb/auditor/determining_the_number_of_enabled_active_directory_user_accounts +- Reducing the Used License Count: /docs/kb/auditor/reducing_the_used_active_directory_and_entra_id_license_counts +- How to Use Omit Lists: /docs/kb/auditor/how_to_use_omit_lists +- How to Count the Number of Your Network Devices in Your Configuration: /docs/kb/auditor/how_to_count_the_number_of_your_network_devices_in_your_configuration +- Oracle Processor Core Factor Table ⸱ Oracle: http://www.oracle.com/us/corporate/contracts/processor-core-factor-table-070634.pdf +- How to Count Number of CPU Cores on Your Oracle Database Deployment: /docs/kb/auditor/how_to_count_number_of_cpu_cores_on_your_oracle_database_deployment +- How to Determine the Count of Enabled Microsoft Entra ID Accounts: /docs/kb/auditor/determining_the_number_of_enabled_microsoft_entra_id_accounts +- How to Count Number of Licenses Required for Auditing a Microsoft Office 365 Tenant: /docs/kb/auditor/how_to_count_number_of_licenses_required_for_auditing_a_microsoft_office_365_tenant diff --git a/docs/kb/auditor/netwrix-auditor-risk-assessment-reports-reference-table.md b/docs/kb/auditor/netwrix-auditor-risk-assessment-reports-reference-table.md new file mode 100644 index 0000000000..97f5d0e598 
--- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-risk-assessment-reports-reference-table.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Reference table to find detailed information about Risks shown in the "Risk + Assessment" Window by mapping each risk to its data source and the + corresponding Netwrix Auditor report. +keywords: + - risk assessment + - Netwrix Auditor + - reports + - Active Directory + - SharePoint + - file server + - permissions + - infrastructure +products: + - auditor +sidebar_label: 'Netwrix Auditor Risk Assessment Reports Reference ' +tags: [] +title: "Netwrix Auditor Risk Assessment Reports Reference Table" +knowledge_article_id: kA04u000000Pd7VCAS +--- + +# Netwrix Auditor Risk Assessment Reports Reference Table + +This table will help you find detailed information about Risks in the **"Risk Assessment" Window** by referencing a Risk with a related Netwrix Auditor report. + +| Risk Group | Name | Data Source | Reference report | Hint for filters | +|---|---|---|---|---| +| Users and Computers | User accounts with "Password never expires" | `AD domain` | `Active Directory\State-in-Time Reports\User Accounts - Passwords Never Expire` | | +| Users and Computers | User accounts with "Password not required" | `AD domain` | `Active Directory\State-in-Time Reports\User Accounts - Password Not Required` | | +| Users and Computers | Disabled computer accounts | `AD domain` | `Active Directory\State-in-Time Reports\Computer Accounts` | | +| Users and Computers | Inactive user accounts | `AD domain` | `Active Directory\State-in-Time Reports\User Accounts` | | +| Users and Computers | Inactive computer accounts | `AD domain` | `Active Directory\State-in-Time Reports\Computer Accounts - Last Logon Time` | | +| Users and Computers | Servers with Guest account enabled | `Windows Server` | `Windows Server\State-in-Time Reports\Local Users and Groups` | `(User or group name : Guest)` | +| Users and Computers | Servers that have local user accounts with "Password never expires" | `Windows Server` | `Windows Server\State-in-Time Reports\Local Users and 
Groups` | `Property : Password never expires%` | +| Permissions | User accounts with administrative permissions | `AD domain` | `Active Directory\State-in-Time Reports\Administrative Group Members` | | +| Permissions | Administrative groups | `AD domain` | `Active Directory\State-in-Time Reports\Administrative Groups` | | +| Permissions | Administrative group membership sprawl | `Windows Server` | `-` | | +| Permissions | Empty security group | `AD domain` | `Active Directory\State-in-Time Reports\Empty Security Groups` | | +| Permissions | Site collections with the "Get a link" feature enabled | `SharePoint farm` | `-` | | +| Permissions | Sites with the "Anonymous access" feature enabled | `SharePoint farm` | `-` | | +| Permissions | Site collections with broken inheritance | `SharePoint farm` | `-` | | +| Data | Files and folders accessible by Everyone | `Windows File Server` | `File Servers\State-in-Time Reports\Account Permissions` | | +| Data | File and folder names containing sensitive data | `Windows File Server` | `User Behaviour and Blind Spot Analysis \Information Disclosure\File Names Containing Sensitive Data` | | +| Data | Potentially harmful files on file shares | `Windows File Server` | `User Behaviour and Blind Spot Analysis \Suspicious Files\Potentially Harmful Files on File Shares` | | +| Data | Direct permissions on files and folders | `Windows File Server` | `File Servers\State-in-Time Reports\Folder and File Permission Details` | `Inherited permissions - Hide` | +| Data | Documents and list items accessible by Everyone and Authenticated Users | `SharePoint farm` | `-` | | +| Infrastructure | Servers with inappropriate operating systems | `Windows Server` | `Windows Server\State-in-Time Reports\Windows Server Inventory` | | +| Infrastructure | Servers with under-governed Windows Update configurations | `Windows Server` | `Windows Server\State-in-Time Reports\Windows Update Configuration` | | +| Infrastructure | Servers with unauthorized 
antivirus software | `Windows Server` | `Windows Server\State-in-Time Reports\Windows Server Inventory` | | diff --git a/docs/kb/auditor/netwrix-auditor-stops-working-after-upgrading-host-server-windows.md b/docs/kb/auditor/netwrix-auditor-stops-working-after-upgrading-host-server-windows.md new file mode 100644 index 0000000000..f06105b7e9 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-stops-working-after-upgrading-host-server-windows.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Netwrix Auditor may stop working after upgrading the Windows version on the + host server, disabling monitoring plans and showing the license status as + Unavailable. This article explains the cause and provides steps to reapply or + reinstall licenses for both paid/trial and Free Community Edition + installations. +keywords: + - Netwrix Auditor + - license + - Windows upgrade + - host server + - monitoring plans + - Unavailable + - reinstall + - Free Community Edition +products: + - auditor +sidebar_label: Netwrix Auditor Stops Working After Upgrading Host +tags: [] +title: "Netwrix Auditor Stops Working After Upgrading Host Server Windows" +knowledge_article_id: kA04u000000PoKECA0 +--- + +# Netwrix Auditor Stops Working After Upgrading Host Server Windows + +## Symptom + +- Netwrix Auditor stops working after the Windows version on the Netwrix host server was upgraded. +- Monitoring plans are disabled. +- License status for a product states **Unavailable**. + ![1.png](images/ka04u00000116G7_0EM4u000007ceka.png) + +## Cause + +Windows Setup suite overwrites license-related settings of Netwrix Auditor during the upgrade procedure. + +## Solution + +### For trial or normal licenses + +Re-apply your license: + +1. In the main Netwrix Auditor screen, go to **Settings** > **Licenses** and click **Update**. + ![2.png](images/ka04u00000116G7_0EM4u000007cekk.png) +2. Navigate to your `.lic` file and select the file. +3. Click **Open**. + +### For Netwrix Auditor Free Community Edition + +Reinstall your Netwrix Auditor instance. For additional information on the Auditor uninstallation process, refer to the following article: /docs/auditor/10.0/installationation diff --git a/docs/kb/auditor/netwrix-auditor-system-health-event-id-2007.md b/docs/kb/auditor/netwrix-auditor-system-health-event-id-2007.md new file mode 100644 index 0000000000..05c455ddf6 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-system-health-event-id-2007.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Explains Event ID 2007 reported by Netwrix Auditor System Health and directs + you to SQL Server repair steps to resolve the error. +keywords: + - Netwrix Auditor + - System Health + - Event ID 2007 + - SQL Server + - object reference + - error + - troubleshooting + - StackOverflow +products: + - auditor +sidebar_label: Netwrix Auditor System Health - Event ID 2007 +tags: [] +title: "Netwrix Auditor System Health - Event ID 2007" +knowledge_article_id: kA04u00000111L2CAI +--- + +# Netwrix Auditor System Health - Event ID 2007 + +## Symptom + +The **Netwrix Auditor System Health** contains Event ID 2007: + +```text + + Critical error occurred: Object reference not set to an instance of an object. +``` + +## Cause + +The issue occurs due to incorrect SQL Server configuration and not related to Netwrix Auditor. + +## Resolution + +Repair your SQL Server according to the resolutions from the following article: [SQL Server 2012 error: object reference not set to an instance of an object ⸱ StackOverflow 🙅](https://stackoverflow.com/questions/25574884/sql-server-2012-error-object-reference-not-set-to-an-instance-of-an-object). diff --git a/docs/kb/auditor/netwrix-auditor-system-health-log-contains-event-ids-1015-and-1016.md b/docs/kb/auditor/netwrix-auditor-system-health-log-contains-event-ids-1015-and-1016.md new file mode 100644 index 0000000000..b9243d227f --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-system-health-log-contains-event-ids-1015-and-1016.md 
@@ -0,0 +1,50 @@ +--- +description: >- + After restarting the Netwrix Auditor for Windows Server Compression Service, + the monitored item may show Ready but still require action; the System Health + log can contain Event IDs 1015 and 1016 indicating registry audit permission + issues and registry data provider errors. This article explains the cause and + how to grant the necessary registry permissions. +keywords: + - Netwrix Auditor + - System Health + - Event 1015 + - Event 1016 + - Windows Registry audit + - registry permissions + - Windows Server 2019 +products: + - auditor +sidebar_label: Netwrix Auditor System Health Log Contains Event I +tags: [] +title: "Netwrix Auditor System Health Log Contains Event IDs 1015 and 1016" +knowledge_article_id: kA0Qk0000000RJZKA2 +--- + +# Netwrix Auditor System Health Log Contains Event IDs 1015 and 1016 + +## Symptoms + +You see the corresponding item shows a Ready status after restarting the Netwrix Auditor for Windows Server Compression Service on a target server running Windows Server 2019. However, when clicking the **Update** option next to the monitoring plan, the item shows **Take Action**. + +In addition, the **Netwrix Auditor System Health** log contains the following event IDs: + +```text +Event ID 1016: Windows Registry audit permissions are not enabled for this server. Adjust Windows Registry audit permissions automatically or manually. +``` + +and + +```text +Event ID 1015: Multiple errors of the same type have occurred on the Registry data provider. +``` + +## Cause + +The **Everyone** group should have permission to access the necessary registry keys rather than the data collection service account. + +## Resolution + +Grant the necessary permissions to access the registry keys to the **Everyone** group. 
+ +Review the complete list of the required registry keys and learn more about configuring permissions in the following article: /docs/auditor/10.6/auditor/configurationuration/windowsserver (Data Source Configuration — Configure Windows Registry Audit Settings — v10.6). diff --git a/docs/kb/auditor/netwrix-auditor-system-health-log-contains-eventids-3127-and-3129.md b/docs/kb/auditor/netwrix-auditor-system-health-log-contains-eventids-3127-and-3129.md new file mode 100644 index 0000000000..a92c7e6999 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-system-health-log-contains-eventids-3127-and-3129.md 
@@ -0,0 +1,52 @@ +--- +description: >- + Explains how to resolve Event ID 3127 and 3129 errors in the Netwrix Auditor + System Health Log that cause a monitoring plan to stay in the Working status + and prevent historical snapshots from importing. +keywords: + - Netwrix Auditor + - Event ID 3127 + - Event ID 3129 + - System Health Log + - SQL Server + - Cumulative Update 31 + - SharePoint Online + - State-in-Time + - snapshots +products: + - auditor +sidebar_label: Netwrix Auditor System Health Log Contains EventID +tags: [] +title: "Netwrix Auditor System Health Log Contains EventIDs 3127 and 3129" +knowledge_article_id: kA04u000000wnqWCAQ +--- + +# Netwrix Auditor System Health Log Contains EventIDs 3127 and 3129 + +## Symptom + +A monitoring plan in Netwrix Auditor is constantly in the **Working** status and the product fails to collect historical snapshots. + +The Netwrix Auditor System Health Log contains the following errors: + +```text +Event ID 3127: Import of the latest snapshot failed. No items were imported. +``` + +```text +Event ID 3129: Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. Operation cancelled by user. +``` + +## Cause + +These errors basically occur when the Netwrix Auditor Audit databases misbehave with the current version of Microsoft SQL Server. However, there might be multiple root causes for the issue but below is the only one potential resolution. + +## Resolution + +To resolve the issue, you need to install cumulative update for your SQL Server. + +Download and install https://learn.microsoft.com/en-us/troubleshoot/sql/releases/sqlserver-2017/cumulativeupdate31 (Cumulative Update 31 for SQL Server 2017 ⸱ Microsoft 🡥) + +> **NOTE:** The State-in-Time snapshot for SharePoint Online occurs every 24 hours, usually at 03:00 or 04:00. So, once the above Cummulative Update is applied, you will need to wait until the following day to see the results. 
+ +To check the the issue has been resolved, run one of the **SharePoint Online State-in-Time Reports**. Make sure to provide it with a well-known object so that there is the greatest possibility of there being data returned, such as the **SharePoint Online Site Collections Access by User** Report. diff --git a/docs/kb/auditor/netwrix-auditor-system-health-log-event-id-1059.md b/docs/kb/auditor/netwrix-auditor-system-health-log-event-id-1059.md new file mode 100644 index 0000000000..d77e0a7859 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-system-health-log-event-id-1059.md @@ -0,0 +1,34 @@ +--- +description: >- + Explains Event ID 1059 in the Netwrix Auditor System Health Log and shows how + to resolve failed data collection when you manually start collection during + the initial monitoring plan run. +keywords: + - Netwrix Auditor + - Event ID 1059 + - system health log + - data collection + - monitoring plan + - snapshot removed + - troubleshooting +products: + - auditor +sidebar_label: Netwrix Auditor System Health Log - Event ID 1059 +tags: [] +title: "Netwrix Auditor System Health Log - Event ID 1059" +knowledge_article_id: kA00g000000H9X9CAK +--- + +# Netwrix Auditor System Health Log - Event ID 1059 + +Depending on your Netwrix Auditor version, the Netwrix Auditor System Health Log contains the following EventID: `1059` + +"*Unable to report changes correctly, as the previous configuration snapshot has been removed or is partially invalid*". + +## Cause + +You have manually launched data collection while the initial data collection has been already in progress after the monitoring plan creation. This has led to data collection failure. + +## Resolution + +To resolve this issue, in **Netwrix Auditor Administrator Console** navigate to **Managed Objects --> your_Managed_Object_name** and click **Run** to restart data collection. 
diff --git a/docs/kb/auditor/netwrix-auditor-system-health-log-event-id-1213.md b/docs/kb/auditor/netwrix-auditor-system-health-log-event-id-1213.md new file mode 100644 index 0000000000..5aad556445 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-system-health-log-event-id-1213.md 
@@ -0,0 +1,71 @@ +--- +description: >- + Explains Event ID 1213 in the Netwrix Auditor System Health log, lists three + specific error message types, their likely causes, and recommended + resolutions. +keywords: + - Event ID 1213 + - System Health + - SharePoint + - Netwrix Auditor + - monitoring plan + - configuration database + - timeout +products: + - auditor +sidebar_label: Netwrix Auditor System Health Log - Event ID 1213 +tags: [] +title: "Netwrix Auditor System Health Log - Event ID 1213" +knowledge_article_id: kA00g000000H9d0CAC +--- + +# Netwrix Auditor System Health Log - Event ID 1213 + +Netwrix Auditor System Health Log contains the following EventID: **1213** + +The Event ID may contain 3 error types: + +### Error type 1 +*An unexpected error occurred while trying to collect security events from the audited SharePoint farm: Details: Could not find the file:* ` %programdata%Netwrix AuditorNetwrix Auditor for SharePointConfiguration.` + +### Error type 2 +*An unexpected error occurred while trying to collect security events from the audited SharePoint farm: Details: The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 45 bytes of the response were: 'Cannot connect to the configuration database.'..* + +### Error type 3 +*An unexpected error occurred while trying to collect security events from the audited SharePoint farm: The request change timed out while waiting for a reply after 01:00:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.* + +--- + +## Review the possible error causes + +### Error type 1 +The product failed to collect audit data due to a an unexpected error on the Netwrix Auditor side. 
There is no access to the configuration files, or the file is corrupt. + +### Error type 2 +The product failed to collect audit data due to an unexpected error on the SharePoint side. The site collection configuration is corrupt, or there is no access to the SharePoint configuration database. + +### Error type 3 +The product failed to collect audit data as the timeout expired on the SharePoint side. This can be due to maintenance activity in your network, which results in the failure to process requests on the SharePoint side. + +--- + +## Resolution + +Depending on the received error type, follow the corresponding resolution prompts: + +### Error type 1 +Try re-creating the monitoring plan + +### Error type 2 +Make sure that the audited site collection is reachable. + +### Error type 3 +Make sure that the audited SharePoint sites are operational. If this error is logged once, this does not lead to data loss, and all events were collected within 30 minutes after the error occurred. If this error is logged several times, contact your SharePoint administrator. + +*To view your monitoring plan GUID, navigate to* ` %programdata%Netwrix AuditorAudit CoreConfig ServerConfiguration.xml`. *Find your monitoring plan name in the configuration file:* + +``` +- +.... + +``` diff --git a/docs/kb/auditor/netwrix-auditor-upgrade-process-taking-too-long.md b/docs/kb/auditor/netwrix-auditor-upgrade-process-taking-too-long.md new file mode 100644 index 0000000000..aa6401eac5 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-upgrade-process-taking-too-long.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Guidance on what to do if a Netwrix Auditor upgrade appears stuck, including + recommended antivirus exclusions and steps to clear temporary files and reboot + to allow the upgrade to complete. +keywords: + - Netwrix Auditor + - upgrade + - stuck + - antivirus exclusions + - Temp folder + - reboot + - troubleshooting + - long-running upgrade + - installation +products: + - auditor +sidebar_label: Netwrix Auditor Upgrade Process Taking Too Long +tags: [] +title: "Netwrix Auditor Upgrade Process Taking Too Long" +knowledge_article_id: kA04u00000110sPCAQ +--- + +# Netwrix Auditor Upgrade Process Taking Too Long + +## Question + +The Netwrix Auditor upgrade process is stuck, should I interrupt it and run it again? + +## Answer + +Depending on the version you're upgrading from and to, there could be major changes implemented in the new Netwrix Auditor build. During the upgrade process Netwrix Auditor may configure new permissions and settings directly related to new features introduced. It is also recommended to upgrade your Netwrix Auditor instance during non-working hours to allow it run for a longer period of time. In some cases, an upgrade may take over 10 hours to complete. + +Refer to the following steps in case your upgrade process takes over 20 hours to complete: + +- Add corresponding exclusions to the monitoring scope of your antivirus suite — refer to the following article for additional information: [Antivirus Exclusions for Netwrix Auditor](/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md). + +- Clear the temporary folder: + + 1. Make sure no one else is logged into the Netwrix Server. + 2. Clear up the temporary folder on your Netwrix Auditor server: + + ``` + C:\Users\YOURUSER\AppData\Local\Temp + ``` + + 3. Perform a reboot before beginning the installation process again, if possible. + 4. Let the upgrade run overnight. 
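Review bot: in netwrix-auditor-system-health-log-event-id-1213.md both file paths have lost their backslashes (`%programdata%Netwrix AuditorNetwrix Auditor for SharePointConfiguration.` under Error type 1 and `%programdata%Netwrix AuditorAudit CoreConfig ServerConfiguration.xml` in the closing paragraph), and the final code fence holds only `-` and `....`, so the XML sample that should show where the monitoring plan name sits is missing. Restore the path separators and the sample from the source article. The closing paragraph about the monitoring plan GUID is also not referenced by any of the three resolutions; either say which step needs the GUID or drop it. Smaller points: "due to a an unexpected error", and "Try re-creating the monitoring plan" lacks its full stop.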
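Review bot: the Answer in netwrix-auditor-upgrade-process-taking-too-long.md never answers the Question ("should I interrupt it and run it again?"); the reader has to infer it from step 3, "Perform a reboot before beginning the installation process again". Add an explicit sentence saying when interrupting is acceptable, and reconcile the two thresholds ("over 10 hours" is normal, act at "over 20 hours"). Steps 3 and 4 (reboot, let the upgrade run overnight) are nested under "Clear the temporary folder" although they are not part of clearing it; move them out to the top-level list. For `C:\Users\YOURUSER\AppData\Local\Temp`, say whose profile is meant (presumably the account that runs the installer), and fix "to allow it run".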
diff --git a/docs/kb/auditor/netwrix-auditor-was-unable-to-deliver-the-subscription-due-to-following-error-access-is-denied.md b/docs/kb/auditor/netwrix-auditor-was-unable-to-deliver-the-subscription-due-to-following-error-access-is-denied.md new file mode 100644 index 0000000000..278ad36c02 --- /dev/null +++ b/docs/kb/auditor/netwrix-auditor-was-unable-to-deliver-the-subscription-due-to-following-error-access-is-denied.md 
@@ -0,0 +1,38 @@ +--- +description: >- + Explains why Netwrix Auditor subscriptions fail with "Access is denied" when + uploading report results to a file share and which accounts require access. +keywords: + - access denied + - subscription + - file share + - Long-Term Archive + - LTA + - SSRS + - Local System + - Netwrix Auditor + - report delivery +products: + - auditor +sidebar_label: 'Netwrix Auditor was Unable to Deliver the subscription due to following error: "Access is denied"' +tags: [] +title: >- + Netwrix Auditor was Unable to Deliver the subscription due to following error: + "Access is denied" +knowledge_article_id: kA04u0000000HjkCAE +--- + +# Netwrix Auditor was Unable to Deliver the subscription due to following error: "Access is denied" + +## Problem + +When I subscribe to the report and want to have report results delivered to the certain folder, I get an "Access Denied" error, despite the fact that the account has full permissions to upload a file there. + +## Answer + +When you select the **Upload to a file share** option in the **create\edit subscription** menu (**'General'** tab), Netwrix uses different accounts to upload the report to the share: + +- For SSRS-based subscriptions, the account specified for Long-Term Archive (LTA) is used, as reflected in our documentation: /docs/auditor/ +- For Search-based and Risk Assessment reports, Netwrix uses a Local System account, regardless of which account was specified for LTA. + +As a result, with different types of subscriptions and a custom LTA account, you must give access to the share to two accounts at once: the computer account of the Netwrix server and the LTA account. diff --git a/docs/kb/auditor/netwrix-auditor-widgets-show-the-sql-server-error-18452-login-failed.md b/docs/kb/auditor/netwrix-auditor-widgets-show-the-sql-server-error-18452-login-failed.md new file mode 100644 index 0000000000..a68a7f6f6d --- /dev/null 
+++ b/docs/kb/auditor/netwrix-auditor-widgets-show-the-sql-server-error-18452-login-failed.md 
@@ -0,0 +1,53 @@ +--- +description: >- + When you specify the default SQL instance in Netwrix Auditor, SQL Server may + return error 18452 indicating a Windows authentication/login issue. This + article describes possible causes and step-by-step resolutions to fix the + error. +keywords: + - SQL Server + - error 18452 + - login failed + - Windows authentication + - mixed authentication + - SQL Server Management Studio + - Netwrix Auditor + - untrusted domain + - SQL login +products: + - auditor +sidebar_label: 'Netwrix Auditor Widgets Show the SQL Server Error ' +tags: [] +title: 'Netwrix Auditor Widgets Show the SQL Server Error 18452, Login Failed' +knowledge_article_id: kA04u00000111CoCAI +--- + +# Netwrix Auditor Widgets Show the SQL Server Error 18452, Login Failed + +## Symptom + +When attempting to specify the default SQL instance, the following error is prompted: + +``` +SQL Server error occurred (18452, Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.). +``` + +## Causes + +An SQL Server instance is refusing the connection and Netwrix Auditor is just passing the message along. The below are possible causes of the error: + +1. The default **Windows Authentication** mode may cause issues when connecting to the SQL Server. +2. An unrecognized Windows principal is used when trying to connect to SQL Server. In this case, Windows can’t verify the login. This might be because the Windows login is from an untrusted domain. +3. The **SQL Server Authentication** connection mode is used; however, the login does not exist on SQL Server. + +## Resolutions + +Review the possible resolution scenarios: + +1. For cause 1. Switch to the **Mixed** authentication mode. + 1. Open **SQL Server Management Studio**. + 2. Right-click your server and select **Properties**. + 3. In the **Server Properties** dialog, select the **Security** tab. + 4. Enable the **SQL Server and Windows Authentication mode** checkbox. +2. For cause 2. 
Make sure that you are logged in to the correct domain. +3. For cause 3. Verify that this SQL login exists. diff --git a/docs/kb/auditor/netwrix-inactive-users-tracker-does-not-perform-any-actions-on-inactive-accounts.md b/docs/kb/auditor/netwrix-inactive-users-tracker-does-not-perform-any-actions-on-inactive-accounts.md new file mode 100644 index 0000000000..bae7967826 --- /dev/null +++ b/docs/kb/auditor/netwrix-inactive-users-tracker-does-not-perform-any-actions-on-inactive-accounts.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Explains why Netwrix Inactive Users Tracker does not perform configured + actions on inactive accounts and how to resolve the DS_NAME_ERROR_NOT_FOUND + error caused by missing OUs. +keywords: + - inactive users + - inactive accounts + - Inactive Users Tracker + - DS_NAME_ERROR_NOT_FOUND + - Netwrix Password Reset + - logs + - OU + - Active Directory + - monitoring plan +products: + - auditor +sidebar_label: Netwrix Inactive Users Tracker does not perform an +tags: [] +title: "Netwrix Inactive Users Tracker does not perform any actions on inactive accounts" +knowledge_article_id: kA04u00000110uBCAQ +--- + +# Netwrix Inactive Users Tracker does not perform any actions on inactive accounts + +You have configured a monitoring plan for Netwrix Inactive Users Tracker and specified rules for the product to take actions on inactive accounts (for example, disable inactive accounts or move them to an OU). The required ports are opened for connections as described in the following documentation article: Netwrix Tools. However, Netwrix Inactive Users Tracker does not perform any actions on inactive accounts. + +## Symptoms + +1. The Inactive Users in Active Directory report shows `None` in the **Performed Action** column for accounts. +2. The Netwrix Password Reset log contains the following error: + +```text +DS_NAME_ERROR_NOT_FOUND +``` + +The log can be found at `%Working_Folder%\Logs\Inactive Users Tracker`. + +## Cause + +The possible cause for the issue is that some OUs no longer exist in a domain. + +## Resolution + +Review your Inactive Users monitoring plan settings and check the OU where accounts belong to. The error indicates that the monitored OU does not exist and should be removed from the Netwrix Password Reset's filters. 
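Review bot: the last paragraph of netwrix-auditor-was-unable-to-deliver-the-subscription-due-to-following-error-access-is-denied.md says to "give access to the share" to the computer account and the LTA account without naming the permission level. Spell out the minimum the product needs on the share and on the folder's NTFS ACL, so readers do not default to Full Control for a computer account. The second bullet would also be clearer if it said that Local System reaches a network share as the server's computer account, which is why that account shows up in the last paragraph. The documentation link `/docs/auditor/` points at the section root rather than at a page.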
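Review bot: resolution 1 in netwrix-auditor-widgets-show-the-sql-server-error-18452-login-failed.md tells the reader to switch the instance to Mixed mode with no mention that this is a server-wide security change (it turns on SQL logins for every database on the instance) and that it only takes effect after the SQL Server service is restarted. Add the restart step after step 4, and tighten cause 1 ("The default Windows Authentication mode may cause issues") so it names the actual condition under which Mixed mode is needed; otherwise readers will change the authentication mode when fixing the Windows principal (cause 2) would have been enough. The `sidebar_label` is cut off after "SQL Server Error " and ends in a trailing space.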
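Review bot: netwrix-inactive-users-tracker-does-not-perform-any-actions-on-inactive-accounts.md names the wrong product in three places: Symptom 2 says "The Netwrix Password Reset log", the Resolution says "the Netwrix Password Reset's filters", and the keywords list "Netwrix Password Reset", while the article and the log path `%Working_Folder%\Logs\Inactive Users Tracker` are about Inactive Users Tracker. Confirm against the source article and use one product name. The sentence "as described in the following documentation article: Netwrix Tools" has lost its link target, and the Resolution should say how to tell which OU in the plan no longer exists, since the error string alone does not identify it.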
diff --git a/docs/kb/auditor/netwrix-inactive-users-tracker-ignores-disabled-user-accounts-and-does-not-report-them-as-inactive.md b/docs/kb/auditor/netwrix-inactive-users-tracker-ignores-disabled-user-accounts-and-does-not-report-them-as-inactive.md new file mode 100644 index 0000000000..a27dfe6acf --- /dev/null +++ b/docs/kb/auditor/netwrix-inactive-users-tracker-ignores-disabled-user-accounts-and-does-not-report-them-as-inactive.md @@ -0,0 +1,25 @@ +--- +description: >- + Explains why disabled user accounts are excluded from Netwrix Inactive Users + Tracker reports and when such accounts are reported as inactive. +keywords: + - inactive users + - disabled accounts + - Inactive Users Tracker + - Monitoring Plan + - OU + - Netwrix Auditor + - reports +products: + - auditor +sidebar_label: Netwrix Inactive Users Tracker ignores disabled us +tags: [] +title: "Netwrix Inactive Users Tracker ignores disabled user accounts and does not report them as inactive" +knowledge_article_id: kA00g000000H9UzCAK +--- + +# Netwrix Inactive Users Tracker ignores disabled user accounts and does not report them as inactive + +Inactive Users Tracker ignores disabled user accounts and they are not reported as inactive regardless of their last logon time. Is this normal? + +Disabled users do not appear in the Netwrix Inactive Users Tracker reports unless the product performs some actions on them (in accordance with the Monitoring Plan settings) such as moving accounts to a specified OU or deleting them. diff --git a/docs/kb/auditor/netwrix_auditor_data_collection_service_crashes_after_upgrade_to_v10.7.13707.md b/docs/kb/auditor/netwrix_auditor_data_collection_service_crashes_after_upgrade_to_v10.7.13707.md new file mode 100644 index 0000000000..b6b49a0d57 --- /dev/null +++ b/docs/kb/auditor/netwrix_auditor_data_collection_service_crashes_after_upgrade_to_v10.7.13707.md 
@@ -0,0 +1,44 @@ +--- +description: >- + This article addresses the symptoms, causes, and resolution for the Netwrix Auditor Data Collection Service crashing after an upgrade to version 10.7.13707. +keywords: + - Netwrix Auditor + - Data Collection Service + - Upgrade + - Error Resolution + - Health Log +sidebar_label: Data Collection Service Crashes +tags: [] +title: "Netwrix Auditor Data Collection Service Crashes After Upgrade to v10.7.13707" +knowledge_article_id: kA0Qk0000001GKTKA2 +products: + - auditor +--- + +# Netwrix Auditor Data Collection Service Crashes After Upgrade to v10.7.13707 + +## Symptoms + +The following symptoms are present in your Netwrix Auditor environment: + +- After upgrading Auditor to v10.7.13707, the Netwrix Auditor Data Collection Service (`NwDataCollectionCoreSvc`) stops or crashes regularly. +- Auditor prompts the following error in the Health Log for previously unaffected monitoring plans: + + ``` + Event ID: 6117 + Monitoring plan: %Monitoring_Plan_name% + Netwrix Auditor was unable to send Activity Summary: Failed to process a request because the target server is unreachable. + ``` + +## Cause + +An issue fixed in Auditor v10.7.13710 and later. + +## Resolution + +Upgrade your Auditor instance to v10.7.13710 or later. Download the executable in [My Products · Netwrix](https://www.netwrix.com/my_products.html). + +## Related Articles + +- [My Products · Netwrix](https://www.netwrix.com/my_products.html) +- [How to Upgrade Netwrix Auditor](/docs/kb/auditor/how-to-upgrade-netwrix-auditor) \ No newline at end of file diff --git a/docs/kb/auditor/new-netfirewallrule-how-to-open-ports-avoiding-manual-setup.md b/docs/kb/auditor/new-netfirewallrule-how-to-open-ports-avoiding-manual-setup.md new file mode 100644 index 0000000000..e76e850e66 --- /dev/null +++ b/docs/kb/auditor/new-netfirewallrule-how-to-open-ports-avoiding-manual-setup.md 
@@ -0,0 +1,139 @@ +--- +description: >- + Shows how to open firewall ports for Netwrix Auditor using the + `New-NetFirewallRule` PowerShell command or `netsh` to avoid manual Windows + Firewall configuration. Includes parameter explanations and example commands + for both PowerShell and cmd. +keywords: + - New-NetFirewallRule + - Windows Firewall + - netsh + - PowerShell + - ports + - firewall rule + - Netwrix Auditor + - open ports + - localport +products: + - auditor +sidebar_label: 'New-NetFirewallRule: How to Open Ports Avoiding Ma' +tags: [] +title: 'New-NetFirewallRule: How to Open Ports Avoiding Manual Setup' +knowledge_article_id: kA04u00000110wvCAA +--- + +# New-NetFirewallRule: How to Open Ports Avoiding Manual Setup + +## Overview + +Netwrix Auditor requires multiple ports to be open to function properly, each collector having its own list of necessary protocols and ports. Going to the Windows Firewall may cause multiple errors, so it is recommended to use the `New-NetFirewallRule` command with PowerShall or Cmd. + +## Before You Start + +This command requires Run as Admin mode. + +## Instructions + +### Method 1. For PowerShell + +Run `New-NetFirewallRule` with PowerShell. + +Command example: + +```powershell +New-NetFirewallRule -DisplayName "Allow TCP 12345" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 12345 +``` + +### Parameters + +- **DisplayName**: Not required, must be specified in quote marks, `""` +- **Direction**: Either `Inbound` (for inbound rules) or `Outbound` (for outbound rules). If not specified defaults to Inbound +- **Action**: Allow the port to be opened +- **Protocol**: `TCP` or `UDP` +- **LocalPort**: Port(s) to be opened. Can use `[12345]`, `[12345,12346]`, `[12345-123456]` in any combination. + + Example: + + ``` + …LocalPort 80, 1024-2048 + ``` + +- **Profile**: Optional, can be `Any`, `Domain`, `Private`, `Public` – defaults to `Any` + +### Method 2. 
For Cmd + +To run the `New-NetFirewallRule` command with cmd, `netsh` should be used. Aslo, in Server 2008 and above, the special `netsh advfirewall`context exists. + +Command example: + +```bat +netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 profile = domain +``` + +### Parameters + +- **name**: Name for a rule must be one-word only +- **dir**: A direction of the connection. `in` for Inbound, `out` for Outbound +- **protocol**: `TCP` or `UDP` +- **localport**: Port(s) to be opened. Can use `[12345]` or `[12345-123456]`. No combination possible. + + Example: + + ``` + …localport= 80 + …localport=1024-2048 + ``` + +- **Profile**: Can be `any`, `domain`, `private`, `public` – defaults to `any` + +## Examples + +### For PowerShell + +#### On NA Server: + +```powershell +New-NetFirewallRule -DisplayName "NA SQL Allow Out TCP 1433" -Direction Outbound -Action Allow -Protocol TCP -LocalPort 1433 + +New-NetFirewallRule -DisplayName "NA SQL Allow Out UDP 1434" -Direction Outbound -Action Allow -Protocol UDP -LocalPort 1434 + +New-NetFirewallRule -DisplayName "NA SQL Allow Out TCP 1024-65535" -Direction Outbound -Action Allow -Protocol TCP -LocalPort 1024-65535 +``` + +#### On SQL Server(target): + +```powershell +New-NetFirewallRule -DisplayName "NA SQL Allow Inb TCP 1433" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1433 + +New-NetFirewallRule -DisplayName "NA SQL Allow Inb UDP 1434" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 1434 + +New-NetFirewallRule -DisplayName "NA SQL Allow Inb TCP 1024-65535" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1024-65535 +``` + +### For Cmd + +#### On NA Server: + +```bat +netsh advfirewall firewall add rule name = NASQLAllowOutTCP1433 dir = out protocol = tcp action = allow localport = 1433 profile = any + +netsh advfirewall firewall add rule name = NASQLAllowOutUDP1434 dir = out protocol = udp action = allow localport = 1434 profile = 
any + +netsh advfirewall firewall add rule name = NASQLAllowOutTCP1024-65535 dir = out protocol = tcp action = allow localport = 1024-65535 profile = any +``` + +#### On SQL Server(target): + +```bat +netsh advfirewall firewall add rule name = NASQLAllowInTCP1433 dir = in protocol = tcp action = allow localport = 1433 profile = any + +netsh advfirewall firewall add rule name = NASQLAllowInUDP1434 dir = in protocol = udp action = allow localport = 1434 profile = any + +netsh advfirewall firewall add rule name = NASQLAllowInTCP1024-65535 dir = in protocol = tcp action = allow localport = 1024-65535 profile = any +``` + +## Related articles + +- A full list of protocols and ports required for Netwrix Auditor for SQL Server ⸱ v10.6 +- [New-NetFirewallRule Syntax and Examples ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2022-ps) +- [Using netsh advfirewall Firewall Instead of netsh firewall to Control Windows Firewall Behavior ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior) diff --git a/docs/kb/auditor/no-data-collected-in-linux-generic-syslog-monitoring-plan.md b/docs/kb/auditor/no-data-collected-in-linux-generic-syslog-monitoring-plan.md new file mode 100644 index 0000000000..449e4530ab --- /dev/null +++ b/docs/kb/auditor/no-data-collected-in-linux-generic-syslog-monitoring-plan.md 
@@ -0,0 +1,108 @@ +--- +description: >- + Troubleshoot why no data is collected in a Linux Generic Syslog monitoring + plan in Netwrix Auditor by checking port usage and verifying the target IP + address in the add-on settings.xml. +keywords: + - linux syslog + - syslog + - netwrix auditor + - port 514 + - settings.xml + - SyslogService.log + - UDP + - Add-on for Generic Linux Syslog +products: + - auditor +sidebar_label: No Data Collected in Linux Generic Syslog Monitori +tags: [] +title: "No Data Collected in Linux Generic Syslog Monitoring Plan" +knowledge_article_id: kA04u000000wnq7CAA +--- + +# No Data Collected in Linux Generic Syslog Monitoring Plan + +## Symptoms + +### Scenario #1 + +- No data is collected in your Linux Generic Syslog monitoring plan in Netwrix Auditor. +- `Netwrix Auditor Syslog Message Processing Service` is not running. When attempting to start the process, the following error is prompted: + +``` +The Netwrix Auditor Syslog Message Processing Service service on Local Computer started and then stopped. +Some services stop automatically if they are not in use by other services or programs. +``` + +- The `SyslogService.log` file located in `C:\ProgramData\Add-on for Generic Linux Syslog\Logs` contains the following error: + +``` +[MAIN][6][INFO] Start to listen udp at port 514 + +[MAIN][6][ERROR] Error occurred when starting the syslog udp listener. +Only one usage of each socket address (protocol/network address/port) is normally permitted. +``` + +### Scenario #2 + +- No data is collected in your Linux Generic Syslog monitoring plan in Netwrix Auditor. +- The `Netwrix Auditor Syslog Message Processing Service` is running. + +## Causes + +- Scenario #1 − The default UDP port 514 is occupied by another add-on, the Network Device monitoring plan, or a third-party app. +- Scenario #2 − The target IP address is misconfigured. 
+ +## Resolutions + +### Scenario #1 − Reviewing the port + +To verify whether port 514 is free, run the following command in the Command Prompt on the Netwrix Auditor server: + +```bash +netstat -nao | find "514" +``` + +You can specify the port you would like to review instead of port 514. If the command returns nothing, the port is free. + +### Scenario #1 − Modifying the port + +Refer to the following steps: + +1. Locate the `settings.xml` file in the following folder on your Netwrix Auditor server: + + ``` + C:\ProgramData\Add-on for Generic Linux Syslog + ``` + +2. Open the `settings.xml` file with a text editor and locate the following node: + + ```xml + 514 + ``` + +3. Change the 514 UDP port to any other UDP port not used by another add-on, any Network Device monitoring plans, or any third-party apps. + +4. Save the changes to the `settings.xml` file. + +> **IMPORTANT:** Once you've introduced the change, stop and start the `Netwrix Auditor Add-on for Generic Linux Service` on your Netwrix Auditor host. + +### Scenario #2 − Verifying the target IP address + +Refer to the following steps: + +1. Locate the `settings.xml` file in the following folder: + + ``` + C:\ProgramData\Add-on for Generic Linux Syslog + ``` + +2. Open the `settings.xml` file with a text editor and locate the following node: + + ```xml +
%target_address%
+ ``` + +3. Verify the target address, modify it if required, and save the changes. + +> **IMPORTANT:** Once you've introduced the change, stop and start the `Netwrix Auditor Add-on for Generic Linux Service` on your Netwrix Auditor host. diff --git a/docs/kb/auditor/no-data-is-present-in-reports-the-who-field-contains-the-system-value.md b/docs/kb/auditor/no-data-is-present-in-reports-the-who-field-contains-the-system-value.md new file mode 100644 index 0000000000..cc78e7c152 --- /dev/null +++ b/docs/kb/auditor/no-data-is-present-in-reports-the-who-field-contains-the-system-value.md @@ -0,0 +1,35 @@ +--- +description: >- + Explains why reports, Change Summaries, or search results show no data or + display the `System` value in the Who field, and how to enable or configure + auditing to resolve the issue. +keywords: + - Who field + - System value + - no data in reports + - audit settings + - automatic audit configuration + - Netwrix Auditor + - Change Summaries +products: + - auditor +sidebar_label: 'No data is present in reports, the Who field conta' +tags: [] +title: 'No data is present in reports, the Who field contains the "system" value' +knowledge_article_id: kA00g000000H9SICA0 +--- + +# No data is present in reports, the Who field contains the "system" value + +If no data is present in reports, **Change Summaries**, and search results, or the **Who** field contains the `System` value, then most likely your audit settings are configured incorrectly. Enable automatic audit configuration for the problematic data source or configure audit manually. + +## Resolution + +1. Enable automatic audit configuration for the problematic data source. +2. If automatic configuration is not possible, configure audit manually. + +See the Netwrix Auditor configuration overview for more information: +/docs/auditor/10.5/auditor/configurationuration + +If data is still reported incorrectly, refer to the following knowledge base article: +https://kb.netwrix.com/2750 
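Review bot: the outbound examples under "On NA Server" in new-netfirewallrule-how-to-open-ports-avoiding-manual-setup.md filter on the local port (`-Direction Outbound ... -LocalPort 1433`, `dir = out ... localport = 1433`), but for a connection from the Auditor server to SQL Server 1433 is the destination port, so the rule as written matches on the client's source port; these should use `-RemotePort` (and `remoteport=` for netsh). Separately, the `1024-65535` rules with `profile = any` and no address restriction open almost the whole port range on the SQL Server host to every source; scope them with `-RemoteAddress` / `remoteip=` to the Auditor server and prefer the `Domain` profile, as the Method 2 example already does. In the parameter lists, `[12345-123456]` exceeds the maximum port number 65535, and "To run the `New-NetFirewallRule` command with cmd, `netsh` should be used" reads as if netsh runs the cmdlet; say that netsh is the cmd equivalent. It is also worth confirming that netsh accepts the spaced `name = SQLPort` form used throughout. Typos: "PowerShall", "Aslo", missing space in "`netsh advfirewall`context".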
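Review bot: in no-data-collected-in-linux-generic-syslog-monitoring-plan.md the two `xml` fences under "locate the following node" contain only the values (`514` and `%target_address%`); the element tags were lost, so the reader cannot tell which node in `settings.xml` to edit. Restore the full elements from the source article. The IMPORTANT notes tell the reader to restart `Netwrix Auditor Add-on for Generic Linux Service`, while the Symptoms name `Netwrix Auditor Syslog Message Processing Service`; use the real service name in both places. The port check is fenced as `bash` although it is a Command Prompt command, and `find "514"` also matches PIDs and other ports containing those digits, which contradicts "If the command returns nothing, the port is free"; something like `netstat -nao -p udp | find ":514 "` is more precise.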
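Review bot: the documentation link in no-data-is-present-in-reports-the-who-field-contains-the-system-value.md reads `/docs/auditor/10.5/auditor/configurationuration`, which looks like a search-and-replace accident and will not resolve; correct the path and make it a Markdown link. The two steps under Resolution repeat the last sentence of the introduction word for word, so keep one of them. The title uses "system" in lower case while the body uses `System`, and the closing `https://kb.netwrix.com/2750` reference should name the article it points to.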
diff --git a/docs/kb/auditor/no-monitoring-plans-found-in-netwrix-auditor.md b/docs/kb/auditor/no-monitoring-plans-found-in-netwrix-auditor.md new file mode 100644 index 0000000000..387bc16b3c --- /dev/null +++ b/docs/kb/auditor/no-monitoring-plans-found-in-netwrix-auditor.md 
@@ -0,0 +1,101 @@ +--- +description: >- + Troubleshoot the "NO MONITORING PLANS FOUND" message in Netwrix Auditor + reports, including causes and step-by-step resolutions to restore report + availability. +keywords: + - monitoring plans + - Netwrix Auditor + - reports + - Report Manager + - state-in-time + - Audit Database + - Reports folder + - troubleshooting +products: + - auditor +sidebar_label: No Monitoring Plans Found in Netwrix Auditor +tags: [] +title: "No Monitoring Plans Found in Netwrix Auditor" +knowledge_article_id: kA00g000000H9eLCAS +--- + +# No Monitoring Plans Found in Netwrix Auditor + +## Symptom + +When attempting to view a report, the **Monitoring Plan** dropdown list reads as follows: + +``` +NO MONITORING PLANS FOUND +``` + +![Monitoring Plan dropdown showing NO MONITORING PLANS FOUND](images/ka04u00000117TM_0EM4u000008M6Wx.png) + +## Causes + +- A data source type for the report you're viewing is not added to any of your existing monitoring plans. + - E.g., if you're generating a File Servers report, it won't be generated unless you have at least one monitoring plan for a File Servers data source. +- A monitoring plan for the data source type exists, but no data has been collected, or uploaded to your SQL Server instance databases. +- You're attempting to view a report under the **State-in-Time** category, while data collection for State-in-Time reports for the data source is disabled. +- The **Reports** folder is corrupted. + +## Resolutions + +- Create a new monitoring plan for the data source. Refer to the following article for additional information: /docs/auditor/10.6/auditor/admin-guide/monitoringplans (Monitoring Plans – Create a New Plan). + +- Review the corresponding data source settings: + - Review your Health Log for errors related to the monitoring plan containing the data source. + - Review the monitoring plan settings: + 1. In the main Netwrix Auditor menu, click **Monitoring Plans**. + 2. 
In the left pane, select the appropriate monitoring plan and click **Edit**. + 3. In the right pane, click **Edit settings** under the **Monitoring plan** section. + 4. Review the **Data Collection** tab for correct data collection account credentials. + 5. Review the **Audit Database** tab for correct database specified, as well as credentials. + 6. Make sure the **Audit Database** tab has the **Disable security intelligence and make data available only in activity summaries** checkbox unchecked. + 7. Save the changes. + +- Review the data source with State-in-Time reporting: + 1. In the main Netwrix Auditor menu, click **Monitoring Plans**. + 2. In the left pane, select the appropriate monitoring plan and click **Edit**. + 3. In the right pane, click **Edit data source** under the **Data source** section. + 4. Review the **General** tab to switch the **Collect data for state-in-time reports** switch on. + 5. Save the changes. + +> **NOTE:** Once data is collected (once every 24 hours by default), it should become available in the report. + +- Recreate the **Reports** folder. + 1. In elevated PowerShell, execute the following command to stop the corresponding service: + ```powershell + Stop-Service -DisplayName "Netwrix Auditor Management Service" + ``` + 2. Open Report Manager in your browser. + - You can find the Report Manager URL in your main Netwrix Auditor menu > **Settings** > **Audit Database** tab > **Report Manager URL**. + 3. In the main SQL Server Reporting Services window, locate the **Netwrix Auditor** folder. + 4. Click the meatball **⸱⸱⸱** button, and select **Delete**. + 5. Follow the path provided: + ```text + C:\ProgramData\Netwrix Auditor\Reports + ``` + 6. Delete the contents of the **Reports** folder. + 7. Once deleted, follow the path provided to find the **Reports.zip** archive in the root of the folder: + ```text + C:\ProgramData\Netwrix Auditor + ``` + 8. 
Extract the contents of the **Reports.zip** archive to the `C:\ProgramData\Netwrix Auditor\Reports` folder. + 9. In elevated PowerShell, execute the following command to start the corresponding service: + ```powershell + Start-Service -DisplayName "Netwrix Auditor Management Service" + ``` + 10. Wait for about 10 minutes for reports to upload to your Report Manager. You can track the progress by following the Report Manager URL and entering the **Netwrix Auditor** folder. + 11. Once the affected report is uploaded, run the report again. + +> **IMPORTANT:** There are downsides to this approach: +> +> - The account specified in **Audit database settings** for Report Server should have local admin permissions, as well as permissions to create folders, and upload folders. +> - Any folder/report access permissions set up in Report Manager directly instead of monitoring plans delegation will have to be reconfigured. Alternatively, you can delete a particular affected report instead of deleting the entire **Netwrix Auditor** reports folder. +> - In case you've previously added a custom report, you will have to manually set it up again. This could apply to the report provided in the following article: /docs/kb/auditor/how_to_monitor_print_service_activity (How to Monitor Print Service Activity). + +## Related articles + +- /docs/auditor/10.6/auditor/admin-guide/monitoringplans (Monitoring Plans – Create a New Plan) diff --git a/docs/kb/auditor/non-owner-mailbox-access-data-missing-in-exchange-auditing-monitoring-plan.md b/docs/kb/auditor/non-owner-mailbox-access-data-missing-in-exchange-auditing-monitoring-plan.md new file mode 100644 index 0000000000..60650f49d6 --- /dev/null +++ b/docs/kb/auditor/non-owner-mailbox-access-data-missing-in-exchange-auditing-monitoring-plan.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Explains why Activity Records show no non-owner mailbox access data for + on-premise Exchange Server 2013, 2016, or 2019 and provides resolutions + including updates and language settings. +keywords: + - Exchange + - mailbox auditing + - non-owner mailbox access + - Exchange 2013 + - Exchange 2016 + - Exchange 2019 + - monitoring plan + - language settings + - cumulative update +products: + - auditor +sidebar_label: 'Non-Owner Mailbox Access Data Missing In Exchange ' +tags: [] +title: "Non-Owner Mailbox Access Data Missing In Exchange Auditing Monitoring Plan" +knowledge_article_id: kA04u00000111DICAY +--- + +# Non-Owner Mailbox Access Data Missing In Exchange Auditing Monitoring Plan + +## Symptom + +When attempting to review Activity Records for your on-premise Exchange Auditing monitoring plan, no data on non-owner mailbox access data can be found. The affected Exchange Server versions are Exchange Server 2013, 2016, and 2019. + +## Causes + +- The preset language for your on-premise Exchange Server is different from the system language. +- A secondary regional language as the language format is set in your Exchange Server. + +## Resolutions + +- Install the latest cumulative update for the corresponding Exchange Server version. Learn more about affected versions in [Search-AdminAuditLog and Search-MailboxAuditLog with parameters return empty results — Resolution ⸱ Microsoft 🤝](https://learn.microsoft.com/en-US/exchange/troubleshoot/compliance/search-adminauditlog-mailboxauditlog-return-no-result#resolution). +- Check the language format for system accounts. 
If a secondary regional language is set as the language format, update the format for the system and network service accounts to one of the following primary languages: + + - Arabic (United Arab Emirates) + - English (United States) + - German (Germany) + - French (France) + - Korean (Korea) + - Spanish (Spain) + +Learn more in [Search-AdminAuditLog and Search-MailboxAuditLog with parameters return empty results — Workaround ⸱ Microsoft 🤝](https://learn.microsoft.com/en-US/exchange/troubleshoot/compliance/search-adminauditlog-mailboxauditlog-return-no-result#workaround). + +### Related articles + +- [Search-AdminAuditLog and Search-MailboxAuditLog with parameters return empty results ⸱ Microsoft 🤝](https://learn.microsoft.com/en-US/exchange/troubleshoot/compliance/search-adminauditlog-mailboxauditlog-return-no-result) diff --git a/docs/kb/auditor/not-all-changes-are-included-in-reports-for-database-content-audit.md b/docs/kb/auditor/not-all-changes-are-included-in-reports-for-database-content-audit.md new file mode 100644 index 0000000000..78ae0265ef --- /dev/null +++ b/docs/kb/auditor/not-all-changes-are-included-in-reports-for-database-content-audit.md 
@@ -0,0 +1,32 @@ +--- +description: >- + When you perform bulk inserts, not all modified rows may appear in Database + content audit reports. Change the SQL Server data source setting that defines + how many row changes per SQL transaction are included in a report (default is + `10`). +keywords: + - SQL Server + - bulk insert + - transactions + - Database content audit + - data source settings + - change reporting + - rows per transaction + - Netwrix Auditor +products: + - auditor +sidebar_label: Not all changes are included in reports for Databa +tags: [] +title: "Not all changes are included in reports for Database content audit" +knowledge_article_id: kA00g000000H9cpCAC +--- + +# Not all changes are included in reports for Database content audit + +When you perform bulk inserts, not all modified rows are reported. How do you change this? + +--- + +In the **SQL Server data source settings** there is a value that defines the number of data changes per SQL transaction to be included in a report. By default it is set to `10`. + +![sql_transactions_9](images/ka04u00000116R6_0EM0g000000hUdK.png) diff --git a/docs/kb/auditor/notifications-are-not-sent-to-distribution-groups.md b/docs/kb/auditor/notifications-are-not-sent-to-distribution-groups.md new file mode 100644 index 0000000000..9d89489252 --- /dev/null +++ b/docs/kb/auditor/notifications-are-not-sent-to-distribution-groups.md 
@@ -0,0 +1,67 @@ +--- +description: >- + Notifications are not delivered when a distribution group is set as the + recipient because Exchange requires authenticated senders for distribution + groups. This article explains two solutions: enable SMTP authentication in the + Netwrix Auditor management console or disable the authentication requirement + on the distribution group. +keywords: + - notifications + - distribution group + - Exchange + - SMTP authentication + - Netwrix Auditor + - Set-Mailbox + - RequireSenderAuthenticationEnabled +products: + - auditor +sidebar_label: Notifications are not sent to distribution groups +tags: [] +title: "Notifications are not sent to distribution groups" +knowledge_article_id: kA00g000000H9ZFCA0 +--- + +# Notifications are not sent to distribution groups + +If you specify a user's e-mail address as a recipient, notifications work. If you specify a distribution group as the recipient, notifications do not come through. + +--- + +This is related to authentication settings. + +By default, even if the Exchange receive connector accepts anonymous SMTP, sending to distribution groups requires clients to be authenticated. + +http://technet.microsoft.com/en-us/library/bb629676%28v=exchg.80%29.aspx + +--- + +There are two solutions: + +1. Configure SMTP authentication in the settings of the **Netwrix Auditor** management console + + ![SMTP authentication settings in Netwrix Auditor](images/ka04u000000HcSG_0EM700000005pJq.png) + +2. Disable the "require authentication" option in distribution group options as follows + + 1. Launch **Exchange Management Console** + 2. Navigate to **MS Exchange - Recipient configuration - Distribution groups** + 3. Select the required distribution group and open its **Properties** + + ![User-added image](images/ka04u000000HcSG_0EM7000000054Pc.png) + + 4. Go to **Mail Flow Setting** tab + 5. 
Select **Message Delivery Restrictions** from the list and open its **Properties** + + ![User-added image](images/ka04u000000HcSG_0EM7000000054Ph.png) + + 6. Uncheck **Require that all senders are authenticated** and click **OK** + + ![User-added image](images/ka04u000000HcSG_0EM7000000054Pm.png) + + Alternatively, you can run the following command via Exchange Management Shell: + + ```powershell + Set-Mailbox -RequireSenderAuthenticationEnabled $false -Identity %group%, + ``` + + where ` %group% ` is like `dynamic.group@example.com` diff --git a/docs/kb/auditor/notifications-are-not-sent.md b/docs/kb/auditor/notifications-are-not-sent.md new file mode 100644 index 0000000000..0181c4ce3f --- /dev/null +++ b/docs/kb/auditor/notifications-are-not-sent.md 
@@ -0,0 +1,65 @@ +--- +description: >- + Troubleshooting steps for when Account Lockout Examiner does not send email + notifications for account lockouts, including how to verify settings and + review logs. +keywords: + - account lockout + - notifications + - SMTP + - ALEService.log + - telnet + - Netwrix Support + - SmtpException + - SocketException +products: + - auditor +sidebar_label: Notifications are not sent +tags: [] +title: "Notifications are not sent" +knowledge_article_id: kA00g000000H9bKCAS +--- + +# Notifications are not sent + +Account Lockout Examiner does not notify about account lockouts although Notifications are enabled. + +An e-mail notification is sent only when an actual lockout security event is tracked. + +There are two possible reasons why notifications typically are not sent — either a lockout is not tracked, or there are errors during sending of the notification. + +## Verify that a lockout event is tracked + +To make sure that an actual lockout event is tracked, verify that the lockout timestamp is correct. If it is not, refer to the following KB article: https://kb.netwrix.com/2763 + +If the lockout timestamp is correct, then a notification should be sent. + +## Verify notification settings + +First, make sure all notification settings are correct: + +1. Go to **File** > **Settings** > **Notifications** +2. Check mail server address and port. +3. Your mail server should accept anonymous SMTP connections. Test with `telnet` to confirm you can connect on the specified port. +4. Make sure that there is no firewall or antivirus software blocking inbound and outbound connections. + +If all the settings are correct, the easiest way to find the error is to review the product log. + +NOTE. If you have a valid support contract you can submit a support ticket and send the log to Netwrix Support. 
+ +By default the log is located in: +`C:Program Files (x86)NetWrixAccount Lockout ExaminerTracingALEService.log` + +Scroll to the very bottom and search for the "NOTIFICATIONS" text in the Up direction. + +NOTE. Messages of Notification type are logged only in case an error occurred. If there are no such messages, then either there were no errors during notification sending, or the product did not try to send it at all — there were no lockout events tracked. + +When you find the corresponding "NOTIFICATIONS" message, the error message is listed in the second line, for example: + +```text +ALEService.exe Warning: 0 : [TID, ] NOTIFICATIONS: smtpserver: , smtpport: , from: , to: +System.Net.Mail.SmtpException: Failure sending mail. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond + at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress) + at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception) + --- End of inner exception stack trace --- +``` diff --git a/docs/kb/auditor/nwx-executables-removed-and-readded-to-domain-controllers.md b/docs/kb/auditor/nwx-executables-removed-and-readded-to-domain-controllers.md new file mode 100644 index 0000000000..11f370c6ab --- /dev/null +++ b/docs/kb/auditor/nwx-executables-removed-and-readded-to-domain-controllers.md 
@@ -0,0 +1,35 @@ +--- +description: >- + Explains why Nwx executables are regularly removed and re-added to domain + controllers and confirms this is expected behavior related to the network + traffic compression service. +keywords: + - netwrix + - nwx + - NwxSaclTunerAgent.exe + - NwxNlaAgent.exe + - NwxFsAgent.exe + - network traffic compression + - domain controller + - compression service + - data collection + - executables +products: + - auditor +sidebar_label: Nwx Executables Removed and Readded to Domain Cont +tags: [] +title: "Nwx Executables Removed and Readded to Domain Controllers" +knowledge_article_id: kA04u000001114GCAQ +--- + +# Nwx Executables Removed and Readded to Domain Controllers + +## Question + +The same Netwrix Auditor-related executable files are being regularly removed and readded to a DC in the environment. The list of files includes `NwxSaclTunerAgent.exe`, `NwxNlaAgent.exe`, and `NwxFsAgent.exe`. Should this behavior be expected? + +## Answer + +Yes, this behavior is to be expected — these executable files represent the network traffic compression service running on domain controllers. The use of the up-to-date version of compression service executables is ensured when copying these files on every data collection. The compression service collects and pre-filters data to send it to your Netwrix Auditor server in a highly compressed format. For additional information on network traffic compression service, refer to the following article: [How the Network Traffic Compression Service Works](/docs/kb/auditor/how-the-network-traffic-compression-service-works.md). + +> **IMPORTANT:** While not recommended, you can disable the compression service. Refer to the following article for additional information on monitoring plan setup: Monitoring Plans — Create a New Plan. 
diff --git a/docs/kb/auditor/object-deletion-does-not-show-up-in-alerts-and-reports-when-running-netwrix-auditor-under-non-admin-.md b/docs/kb/auditor/object-deletion-does-not-show-up-in-alerts-and-reports-when-running-netwrix-auditor-under-non-admin-.md new file mode 100644 index 0000000000..71b7f3dfc3 --- /dev/null +++ b/docs/kb/auditor/object-deletion-does-not-show-up-in-alerts-and-reports-when-running-netwrix-auditor-under-non-admin-.md 
@@ -0,0 +1,131 @@ +--- +description: >- + Describes how to modify permissions on the Active Directory Deleted Objects + container so non-administrator accounts (used by Netwrix Auditor) can view + deleted objects on Windows 2000/Server 2003 domain controllers. +keywords: + - Deleted Objects + - DSACLS + - ADAM + - Active Directory + - permissions + - Netwrix Auditor + - Deleted Objects container + - ADAM Administration Tools +products: + - auditor +visibility: public +sidebar_label: Object Deletion does not show up in alerts and rep +tags: [] +title: "Object Deletion does not show up in alerts and reports when running Netwrix Auditor under non-admin account" +knowledge_article_id: kA00g000000H9YECA0 +--- + +# Object Deletion does not show up in alerts and reports when running Netwrix Auditor under non-admin account + +You are running Netwrix Auditor under a non-admin account in domain controllers running Windows 2000 and Windows Server 2003 and object deletion does not show up in reports and alerts. + +## Background + +When an Active Directory object is deleted, its image stays in the `Deleted Objects` container for a specified time. Due to this feature other domain controllers that are replicating changes become aware of the deletion. By default, only `System` account and members of `Administrators` group can view the contents of this container. + +This article describes how to modify the permissions on the deleted objects container. + +You may have to modify permissions on the Deleted Objects container if the following conditions are true: + +- You have enterprise applications or services that bind to Active Directory with a non-System account or a non-Administrator account +- These enterprise applications or services poll directory for changes + +## Resolution + +To modify permissions on the Deleted Objects container so that non-administrators can view this container, use the `DSACLS.exe` program. 
The `DSACLS.exe` program is included in Active Directory Application Mode (ADAM) Administration Tools. + +### Obtain and install the ADAM Administration Tools + +To obtain and install the ADAM Administration Tools, perform the following steps: + +1. Download the ADAM retail package. This file is available for download from the Microsoft Download Center, please follow this link : http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en; + + **Note:** This version of the ADAM Administration Tools is an upgrade from the version in the Windows Server 2003 Support Tools. This version of the ADAM Administration Tools is supported by Microsoft Windows Server 2003, Standard Edition; Microsoft Windows Server 2003, Enterprise Edition; Microsoft Windows Server 2003, Datacenter Edition; and Microsoft Windows XP Professional. On Microsoft Windows Server 2008 this tool is already installed. + +2. Double-click `Adamsetup.exe` program to start the Active Directory Application Mode Setup Wizard. +3. Select ADAM administration tools only, and then click Next. +4. Proceed with the wizard. + +### Modify permissions on the Deleted Objects container + +After you have installed the ADAM Administration Tools, you can modify the permissions on the deleted objects container. To do this, perform the following steps: + +1. Log on with a user account that is a member of the **Domain Admins** group. +2. Click **Start -> All Programms -> ADAM** and then click **ADAM Tools Command Prompt.** +3. At the command prompt, type a command similar to the following example: + +```bat +dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership +``` + + Note: + + - When you type this command, use the name of the deleted objects container for your domain. + - Each domain in the forest will have its own deleted objects container. 
+ + Output that is similar to the following example should be displayed: + +```text +Owner: ContosoDomain Admins + Group: NT AUTHORITYSYSTEM +Access list: +{This object is protected from inheriting permissions from the parent} +Allow BUILTINAdministrators SPECIAL ACCESS + LIST CONTENTS + READ PROPERTY +Allow NT AUTHORITYSYSTEM SPECIAL ACCESS + DELETE + READ PERMISSONS + WRITE PERMISSIONS + CHANGE OWNERSHIP + CREATE CHILD + DELETE CHILD + LIST CONTENTS + WRITE SELF + WRITE PROPERTY + READ PROPERTY +The command completed successfully +``` + +4. To grant a security principal permission to view the objects in the deleted objects container, type a command that is similar to the following example: + +```bat +dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /g CONTOSOEricLang:LCRP +``` + + Output that is similar to the following example should be displayed: + +```text +Owner: CONTOSODomain Admins +Group: NT AUTHORITYSYSTEM + +Access list: +{This object is protected from inheriting permissions from the parent} +Allow BUILTINAdministrators SPECIAL ACCESS + LIST CONTENTS + READ PROPERTY +Allow NT AUTHORITYSYSTEM SPECIAL ACCESS + DELETE + READ PERMISSONS + WRITE PERMISSIONS + CHANGE OWNERSHIP + CREATE CHILD + DELETE CHILD + LIST CONTENTS + WRITE SELF + WRITE PROPERTY + READ PROPERTY +Allow CONTOSOEricLang SPECIAL ACCESS + LIST CONTENTS + READ PROPERTY + +The command completed successfully +``` + +Explanation: In this example, the user "CONTOSOEricLang" has been granted List Contents and Read Property permissions on the deleted objects container in the "CONTOSO" domain. These permissions let this user view the contents of the deleted objects container, but do not let this user make any changes to objects in the container. These permissions are equivalent to the default permissions that are granted to the Administrators group. By default, only the System account has permission to modify objects in the deleted objects container. 
diff --git a/docs/kb/auditor/object-reference-not-set-to-instance-of-object-in-inactive-user-tracker-health-log.md b/docs/kb/auditor/object-reference-not-set-to-instance-of-object-in-inactive-user-tracker-health-log.md new file mode 100644 index 0000000000..ad4f6939cf --- /dev/null +++ b/docs/kb/auditor/object-reference-not-set-to-instance-of-object-in-inactive-user-tracker-health-log.md @@ -0,0 +1,47 @@ +--- +description: >- + Explains the "Object reference not set to an instance of an object" error in + the Netwrix Auditor Health Log for the Inactive User Tracker and how to + resolve it by configuring the data collection account permissions. +keywords: + - inactive user tracker + - health log + - object reference + - data collection account + - permissions + - Netwrix Auditor + - Event ID 2002 +products: + - auditor +sidebar_label: 'Object Reference Not Set to Instance of Object in ' +tags: [] +title: "Object Reference Not Set to Instance of Object in Inactive User Tracker Health Log" +knowledge_article_id: kA04u000001118rCAA +--- + +# Object Reference Not Set to Instance of Object in Inactive User Tracker Health Log + +## Symptom + +The following error is prompted in Netwrix Auditor Health Log for your Inactive User Tracker monitoring plan: + +```text +Source: Active Directory Inactive Users Audit Service +Event ID: 2002 +Computer: %computer_name% +Description: Monitoring plan: %Inactive_User_Tracker_monitoring_plan% +The following error has occurred while processing '%computer_name%': +An error occurred: Object reference not set to an instance of an object. +``` + +## Cause + +The data collection account used does not have sufficient permissions to collect data. + +## Resolution + +Configure the permissions for the data collection account used in Inactive User Tracker. For additional information, refer to the following article: Monitoring Plans — Data Collecting Account. + +### Related articles + +- Monitoring Plans — Data Collecting Account ⸱ 10.6 
diff --git a/docs/kb/auditor/object-type-and-what-changed-columns-are-empty.md b/docs/kb/auditor/object-type-and-what-changed-columns-are-empty.md new file mode 100644 index 0000000000..f7c79b354f --- /dev/null +++ b/docs/kb/auditor/object-type-and-what-changed-columns-are-empty.md @@ -0,0 +1,33 @@ +--- +description: >- + Explains why the "Object type" and "What Changed" columns can be empty in + reports when the Remote Registry service on the target server is disabled or + unreachable, and how to check service accessibility from the Netwrix host. +keywords: + - Object type + - What Changed + - Remote Registry + - event collector + - Netwrix Auditor + - report columns + - disabled service + - target server +products: + - auditor +sidebar_label: Object type" and "What Changed" columns are empty +tags: [] +title: Object type" and "What Changed" columns are empty +knowledge_article_id: kA00g000000H9ZpCAK +--- + +# Object type" and "What Changed" columns are empty + +![User-added](images/servlet_image_3823966b1661.png) + +--- + +This is a typical report from a target server with a disabled/unavailable Remote Registry service. In that case event collector tries to work with another API and sometimes all events are interpreted as "read" with "Object path" missing. + +--- + +Check if Remote Registry service is running on the target server and is accessible from Netwrix host machine. diff --git a/docs/kb/auditor/object-type-of-rras-administration-connection-point.md b/docs/kb/auditor/object-type-of-rras-administration-connection-point.md new file mode 100644 index 0000000000..035c603ee3 --- /dev/null +++ b/docs/kb/auditor/object-type-of-rras-administration-connection-point.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Explains why a summary report shows changes to objects titled + "rRASAdministrationConnectionPoint" and how to remove RRAS-related child + objects from computer accounts in Active Directory. +keywords: + - RRAS + - Routing and Remote Access + - Active Directory + - ADSIEdit + - ADUC + - Delete Subtree + - RouterIdentity + - computer objects +products: + - auditor +sidebar_label: Object Type of "RRAS-Administration-Connection-Poi +tags: [] +title: Object Type of "RRAS-Administration-Connection-Point" +knowledge_article_id: kA00g000000H9bYCAS +--- + +# Object Type of "RRAS-Administration-Connection-Point" + +## Summary +The summary report contains a change to an object titled "rRASAdministrationConnectionPoint". + +Computer objects have an Object Type of "RRAS-Administration-Connection-Point" that is named "RouterIdentity" attached to them (RouterIdentity is a visible container in ADSIEdit under the computer object). The computer objects cannot be deleted. + +--- + +## Cause +This could be caused from the use of the Routing and Remote Access service; if the Routing and Remote Access Service runs it stores information in AD as a child object under the particular computer that hosts the RRAS service. Check to see if the affected computers have the Routing and Remote Access Service running. + +It may be a printer or something similar that is installed from the computers in question and published in AD. Again if this is the case, the Delete Subtree resolution below should resolve the inability to delete the computer objects. Using ADUC, from the View menu; select the option for **Users, Groups, and Computers as Containers**. This will show items that are usually objects as containers (similar to an OU). From there you can see what objects exist inside that computer's container. 
+ +--- + +## Resolution +To delete these objects, the `Delete Subtree` permission on Computer objects in addition to the `Delete` permission will be required. The `Delete` permission alone will not work. diff --git a/docs/kb/auditor/odd-characters-in-csv-file.md b/docs/kb/auditor/odd-characters-in-csv-file.md new file mode 100644 index 0000000000..8c9e8fde38 --- /dev/null +++ b/docs/kb/auditor/odd-characters-in-csv-file.md @@ -0,0 +1,33 @@ +--- +description: >- + Explains why a CSV file attachment in a summary report shows odd characters + and how to import it correctly in Microsoft Excel. +keywords: + - CSV + - Excel + - Win1251 + - UTF8 + - encoding + - summary report + - odd characters + - import + - bytes +products: + - auditor +sidebar_label: Odd characters in CSV File +tags: [] +title: "Odd characters in CSV File" +knowledge_article_id: kA00g000000H9bCCAS +--- +# Odd characters in CSV File + +## Symptoms +You receive a CSV file attachment in your summary report and it contains odd characters. + +Example: Size changed from "97Â 280 bytes" to "191Â 488 bytes"" + +## Cause +The CSV file when opened in Excel is opened in a Win1251 Charset. + +## Resolution +1. Use the data import feature of **Microsoft Excel** and import the CSV file in `UTF8` format. diff --git a/docs/kb/auditor/omit-folder-open-events.md b/docs/kb/auditor/omit-folder-open-events.md new file mode 100644 index 0000000000..8c898b1bc0 --- /dev/null +++ b/docs/kb/auditor/omit-folder-open-events.md 
@@ -0,0 +1,31 @@ +--- +description: >- + Shows how to exclude the Folder Opened event type from Non-owner Mailbox + Access reports generated by Netwrix Auditor. +keywords: + - Non-owner Mailbox Access + - Folder Opened + - omitevents.txt + - Netwrix Auditor + - Exchange + - event filtering + - actFolderOpen +products: + - auditor +sidebar_label: Omit Folder Open events +tags: [] +title: "Omit Folder Open events" +knowledge_article_id: kA00g000000H9WoCAK +--- + +# Omit Folder Open events + +How to exclude Folder Opened event type from Non-owner Mailbox Access reports? + +--- + +1. Navigate to the following path: `C:\Program Files (x86)\Netwrix Auditor\Non-owner Mailbox Access Reporter for Exchange`; +2. Open the file `omitevents.txt`; +3. Find the line `#actFolderOpen`; +4. Remove the `#` at the beginning of the line to be like that `actFolderOpen` (without quotes); +5. Save the file. diff --git a/docs/kb/auditor/operation-has-timed-out-for-cef-export-siem-add-on.md b/docs/kb/auditor/operation-has-timed-out-for-cef-export-siem-add-on.md new file mode 100644 index 0000000000..2c853117aa --- /dev/null +++ b/docs/kb/auditor/operation-has-timed-out-for-cef-export-siem-add-on.md 
@@ -0,0 +1,68 @@ +--- +description: >- + This article explains how to troubleshoot and resolve the "The operation has + timed out" error when running the Netwrix Auditor Add-on for SIEM CEF Export + PowerShell script. +keywords: + - Netwrix Auditor + - CEF Export + - SIEM + - Integration API + - timeout + - GetResponse + - PowerShell + - Cookie.bin +products: + - auditor +sidebar_label: Operation Has Timed Out for CEF Export SIEM Add-on +tags: [] +title: "Operation Has Timed Out for CEF Export SIEM Add-on" +knowledge_article_id: kA04u00000110u1CAA +--- + +# Operation Has Timed Out for CEF Export SIEM Add-on + +## Symptom + +In Netwrix Auditor Add-on for SIEM, the PowerShell script prompts the following error: + +``` +Cannot acquire Activity Records through Integration API endpoints due to 'Exception calling "GetResponse" with "0" argument(s): "The operation has timed out"' +``` + +## Causes + +- Default TCP port (9699) for API is closed. +- Insufficient hardware resources. + +## Troubleshooting + +Decrease the collection time interval to a few minutes to verify you can run the script: + +1. Open the CEF Export Add-on script with a text editor and search for the following line: + +```powershell +$from = (Get-Date).AddMonths(-1).ToString("yyyy-MM-ddTHH:mm:sszzz"); +``` + +2. Replace it with the following line: + +```powershell +$from = (Get-Date).AddMinutes(-2).ToString("yyyy-MM-ddTHH:mm:sszzz"); +``` + + You can use various values in the `AddMinutes` parameter parentheses (e.g., `-1`, `-3`, etc.) to see if any data is retrieved. + +3. Run the script. + +**IMPORTANT:** Revert the changes to the script and delete the `Cookie.bin` file from the folder containing the script after the troubleshooting stage. + +## Resolutions + +- Verify that the required ports are open. Refer to the following article for additional information on ports required for Netwrix Auditor add-ons to operate: /docs/auditor/10.6/auditor/api (Integration API Ports · v10.6). 
+- Insufficient RAM may lead to the timeout error. Ensure that you have enough RAM to run the export—refer to the following article for general recommendations on deployment in various environments: /docs/auditor/10.6/auditor/requirements (Sample Deployment Scenarios · v10.6). + +## Related Articles + +- /docs/auditor/10.6/auditor/api (Integration API Ports · v10.6) +- /docs/auditor/10.6/auditor/requirements (Sample Deployment Scenarios · v10.6) diff --git a/docs/kb/auditor/operation-timed-out-in-sharepoint-online-and-teams-monitoring-plans-in-netwrix-auditor.md b/docs/kb/auditor/operation-timed-out-in-sharepoint-online-and-teams-monitoring-plans-in-netwrix-auditor.md new file mode 100644 index 0000000000..e1783d6168 --- /dev/null +++ b/docs/kb/auditor/operation-timed-out-in-sharepoint-online-and-teams-monitoring-plans-in-netwrix-auditor.md 
@@ -0,0 +1,125 @@ +--- +description: >- + Describes causes and resolutions for "The operation timed out" errors when + auditing SharePoint Online and MS Teams with Netwrix Auditor, and provides + steps to troubleshoot Azure app credentials. +keywords: + - SharePoint Online + - MS Teams + - operation timed out + - monitoring plan + - Netwrix Auditor + - Azure AD app + - Tenant ID + - Application ID + - client secret +products: + - auditor +sidebar_label: Operation Timed Out in SharePoint Online and Teams +tags: [] +title: "Operation Timed Out in SharePoint Online and Teams Monitoring Plans in Netwrix Auditor" +knowledge_article_id: kA04u00000111HyCAI +--- + +# Operation Timed Out in SharePoint Online and Teams Monitoring Plans in Netwrix Auditor + +## Symptom + +One of the following errors is prompted for your SharePoint Online or MS Teams monitoring plan: + +```text +Source: SharePoint Online Audit Service +Event ID: 3205 +Description: Monitoring plan: %monitoring_plan_name% +Item: %item_name% +The following unexpected error occurred: +The operation timed out. +``` + +```text +Source: MS Teams Audit Service +Event ID: 2002 +Description: Monitoring plan: %monitoring_plan_name% +Item: %item_name% +SharePoint Online: The operation timed out. +``` + +## Causes + +- Firewall rules for the Microsoft 365 data source are misconfigured. +- Items from different data sources (e.g., SharePoint Online and MS Teams) were previously added to a single monitoring plan. +- Items share the same Azure app. +- Incorrect credentials for monitoring plan items. + +## Resolutions + +> **NOTE:** The following steps are vaild for the Modern Authentication method in Microsoft 365. + +- Review the firewall rules set up in your environment. Refer to the following articles for additional information on ports required for Microsoft 365-based data sources: Microsoft 365 − Exchange Online Ports ⸱ v10.6, Microsoft 365 − SharePoint Online Ports ⸱ v10.6, Microsoft 365 − Teams Ports ⸱ v10.6. 
+ +- Create separate monitoring plans for the monitored items based on the data source. For additional information, refer to the following articles: Monitoring Plans − Exchange Online Plans ⸱ v10.6, Monitoring Plans − SharePoint Online Plans ⸱ v10.6, Monitoring Plans − MS Teams Plans ⸱ v10.6. + +- Each monitored item requires a separate Azure AD app. For additional information on the Azure app setup procedure, refer to the following articles: Exchange Online − Permissions for Exchange Online Auditing ⸱ v10.6, SharePoint Online − Permissions for SharePoint Online Auditing ⸱ v10.6, Teams − Permissions for Teams Auditing ⸱ v10.6. + +- Review the credentials provided in monitored items: + + - You can use your Tenant ID instead of the domain − proceed to your Azure portal > select **Azure Active Directory** or **Microsoft Entra ID** in the left pane > select **Properties** in the left tab > copy **Tenant ID** and paste it in the **Tenant name** field in the affected item. + - Review the Application ID provided. You can find the Application ID of your app in the **Overview** page once you select the app in the **App registrations** section. Copy it and paste it in the **Application ID** field in the affected item. + - Review the application secret provided. You can find it under the **Value** section in the **Certificates & secrets** tab once you select the app in the **App registrations** section. Copy it and paste it in the **Application secret** field in the affected item. 
+ +## Troubleshooting app credentials + +You can use the following PowerShell query to prompt the validation check using the Azure app credentials: + +```powershell +[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; +[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Ssl3, [System.Net.SecurityProtocolType]::Tls, [System.Net.SecurityProtocolType]::Tls11, [System.Net.SecurityProtocolType]::Tls12; +$iwr = 0 +$url = "https://login.windows.net/%Tenant_name%/oauth2/token" +$AppID = "%App_ID%" +$secret = "%Secret_Value%" +$body = "client_id=$AppID&scope=https://graph.microsoft.com/.default&client_secret=$secret&grant_type=client_credentials" +$iwr = Invoke-WebRequest -Uri $url -Body $body -Method:POST -ContentType "application/x-www-form-urlencoded" +$iwr.Content +``` + +Make sure to replace `%Tenant_name%`, `%App_ID%`, and `%Secret_Value%` with actual credentials. In case the query succeeds, make sure to specify the credentials used in the item affected. In case the query returns an error, refer to the following steps: + +- The following error is prompted in case Tenant ID provided is incorrect. Review the steps to discover the Tenant ID value in the **Resolutions** section. + +```text +AADSTS900023: Specified tenant identifier '%tenant_name%' is neither a valid DNS name, nor a valid external domain. +``` + +- The following error is prompted in case Tenant ID provided is incorrect, or in case Unified Audit is disabled. Refer to the following article for additional information: Remote Server Returned Error: (400) Bad Request when Auditing SharePoint Online and Microsoft Entra ID_bad_request_when_auditing_sharepoint_online_and_microsoft_entra_i). + +```text +AADSTS90002: Tenant '%tenant_name%' not found +``` + +- The following error is prompted in case Application ID provided is incorrect, or in case API permissions were not granted. Review the permissions required in the **Resolutions** section. 
+ +```text +AADSTS700016: Application with identifier '%Application_ID%' was not found in the directory '%directory_name%' +``` + +- The following error is prompted in case the Secret value provided is incorrect, or in case the Secret value has expired. Review the steps to discover the Secret value in the **Resolutions** section. + +```text +AADSTS7000215: Invalid client secret provided. +``` + +In case these steps did not help, contact [Netwrix Technical Support](https://www.netwrix.com/open_a_ticket.html). + +## Related articles + +- Microsoft 365 − Exchange Online Ports ⸱ v10.6 +- Microsoft 365 − SharePoint Online Ports ⸱ v10.6 +- Microsoft 365 − Teams Ports ⸱ v10.6 +- Monitoring Plans − Exchange Online Plans ⸱ v10.6 +- Monitoring Plans − SharePoint Online Plans ⸱ v10.6 +- Monitoring Plans − MS Teams Plans ⸱ v10.6 +- Exchange Online − Permissions for Exchange Online Auditing ⸱ v10.6 +- SharePoint Online − Permissions for SharePoint Online Auditing ⸱ v10.6 +- Teams − Permissions for Teams Auditing ⸱ v10.6 +- Remote Server Returned Error: (400) Bad Request when Auditing SharePoint Online and Microsoft Entra ID_bad_request_when_auditing_sharepoint_online_and_microsoft_entra_i) diff --git a/docs/kb/auditor/out-of-memory-exception.md b/docs/kb/auditor/out-of-memory-exception.md new file mode 100644 index 0000000000..d50b7b4ed9 --- /dev/null +++ b/docs/kb/auditor/out-of-memory-exception.md 
@@ -0,0 +1,36 @@ +--- +description: >- + You receive an Out of Memory Exception error in SQL Auditing for Netwrix + Auditor. Increase the Netwrix server memory and contact Netwrix technical + support to check for a newer build or version. +keywords: + - out of memory + - out of memory exception + - SQL auditing + - Netwrix Auditor + - memory + - server memory + - technical support + - troubleshooting +products: + - auditor +sidebar_label: Out of memory exception +tags: [] +title: "Out of memory exception" +knowledge_article_id: kA00g000000H9ZZCA0 +--- + +# Out of memory exception + +You receive an error message stating that you have an Out of Memory Exception within SQL Auditing for Netwrix Auditor. + +--- + +The issue is that the Netwrix server may be running out of memory, or a newer build may resolve the issue. + +--- + +## Resolution + +1. Increase the memory on the Netwrix server. +2. Contact **Netwrix technical support** to check for a newer version. diff --git a/docs/kb/auditor/parallel-redo-events-in-sql-server-event-log.md b/docs/kb/auditor/parallel-redo-events-in-sql-server-event-log.md new file mode 100644 index 0000000000..97c79144b3 --- /dev/null +++ b/docs/kb/auditor/parallel-redo-events-in-sql-server-event-log.md 
@@ -0,0 +1,70 @@ +--- +description: >- + Explains why SQL Server event log entries 17137 and 49930 (parallel redo + start/shutdown) appear when AUTO_CLOSE is enabled and how to resolve them by + disabling AUTO_CLOSE, including interactions with Netwrix Auditor. +keywords: + - SQL Server + - AUTO_CLOSE + - parallel redo + - Event ID 49930 + - Event ID 17137 + - Netwrix Auditor + - SQL Server Management Studio + - database options +products: + - auditor + - SQL_Server +sidebar_label: Parallel Redo Events in SQL Server Event Log +tags: [] +title: "Parallel Redo Events in SQL Server Event Log" +knowledge_article_id: kA04u00000111N3CAI +--- + +# Parallel Redo Events in SQL Server Event Log + +## Symptom + +The following **Information** level events are prompted in the SQL Server event log: + +```text +Source: MSSQLSERVER +Event ID: 17137 +Description: Starting up database '%database_name%'. +``` + +```text +Source: MSSQLSERVER +Event ID: 49930 +Description: Parallel redo is started for database '%database_name%' with worker pool size [2]. +``` + +```text +Source: MSSQLSERVER +Event ID: 49930 +Description: Parallel redo is shutdown for database '%database_name%' with worker pool size [2]. +``` + +## Cause + +The AUTO_CLOSE option for the affected database is set to **ON\** **True**. + +> **NOTE:** This behavior is expected with the AUTO_CLOSE option set to **True**. The AUTO_CLOSE option prompts the affected database to be closed after each use. Netwrix Auditor accesses the databases to write collected Activity Records, causing multiple 17137 and 49930 events to occur and be logged. + +## Resolution + +Disable the AUTO_CLOSE option for the affected database: + +1. In your SQL server, launch Microsoft SQL Server Management Studio and connect to the server. +2. In the **Object Explorer** pane, expand the **Databases** folder. +3. Right-click the affected database and select **Properties**. +4. 
In the left pane, select the **Options** tab, locate the **Auto Close** option under the **Automatic** section, and select the **False** option from the drop-down list. + +![Auto Close option screenshot](images/ka04u00000118GJ_0EM4u000008MgWU.png) + +5. Click **OK** to save changes. + +## Related articles + +- Set the AUTO_CLOSE Database Option to OFF ⸱ Microsoft 🤝 + https://learn.microsoft.com/en-us/sql/relational-databases/policy-based-management/set-the-auto-close-database-option-to-off?view=sql-server-ver16#for-more-information diff --git a/docs/kb/auditor/password-expiration-notifier-email-header-and-footer-reset-after-upgrade.md b/docs/kb/auditor/password-expiration-notifier-email-header-and-footer-reset-after-upgrade.md new file mode 100644 index 0000000000..be9d7cf379 --- /dev/null +++ b/docs/kb/auditor/password-expiration-notifier-email-header-and-footer-reset-after-upgrade.md 
@@ -0,0 +1,45 @@ +--- +description: >- + After an upgrade, the email header and footer for Netwrix Password Reset may + revert to the default. This article explains how to restore the disabled + header/footer by setting the HideEmailAdditionalInfo registry value. +keywords: + - Password Reset + - Password Expiration Notifier + - HideEmailAdditionalInfo + - registry + - email header + - email footer + - PEN + - Netwrix Auditor + - upgrade +products: + - auditor + - Password_Reset +sidebar_label: Netwrix Password Reset Email Header and Foot +tags: [] +title: "Netwrix Password Reset Email Header and Footer Reset After Upgrade" +knowledge_article_id: kA04u000001116CCAQ +--- + +# Netwrix Password Reset Email Header and Footer Reset After Upgrade + +## Symptoms + +- The Netwrix Password Reset (PEN) email header and footer were reset after the recent upgrade. They were previously disabled as per the following article: /docs/kb/auditor/hide_and_disable_header_and_footer_in_password_expiration_notifier_emails (Hide and Disable Header and Footer in Password Expiration Notifier Emails). +- The **HideEmailAdditionalInfo** key in `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Password Expiration Notifier` is still present. + +## Resolution + +1. Open Registry Editor on the Netwrix Auditor server host. +2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor`. +3. Right-click the **Netwrix Auditor** hive and click **New**. +4. Select **DWORD (32-bit) Value**. +5. Name the key `HideEmailAdditionalInfo`. +6. Right-click the key and select **Modify**. +7. Set the value data to `1` (Hexadecimal). +8. The next round of emails will be sent without the header and footer. + +## Related articles + +- Hide and Disable Header and Footer in Password Expiration Notifier Emails: /docs/kb/auditor/hide_and_disable_header_and_footer_in_password_expiration_notifier_emails 
diff --git a/docs/kb/auditor/password-expiration-notifier-generates-blank-reports-after-configuring-password-policy-enforcer.md b/docs/kb/auditor/password-expiration-notifier-generates-blank-reports-after-configuring-password-policy-enforcer.md new file mode 100644 index 0000000000..beb2cf9867 --- /dev/null +++ b/docs/kb/auditor/password-expiration-notifier-generates-blank-reports-after-configuring-password-policy-enforcer.md @@ -0,0 +1,41 @@ +--- +description: >- + Blank Netwrix Password Reset reports can occur when the Maximum password age + values differ between the default domain GPO and Netwrix Password Policy + Enforcer; align these settings to restore report data. +keywords: + - password expiration + - password policy + - Maximum password age + - GPO + - Netwrix Password Policy Enforcer + - Netwrix Password Reset + - Netwrix Auditor + - blank reports +products: + - auditor + - password-policy-enforcer +sidebar_label: Password Expiration Notifier Generates Blank Repor +tags: [] +title: "Password Expiration Notifier Generates Blank Repor Policy Enforcer" +knowledge_article_id: kA0Qk0000001IpJKAU +--- + +# Netwrix Password Reset Generates Blank Reports After Configuring Netwrix Password Policy Enforcer + +## Related Query + +- “Netwrix Password Reset reports don't work after configuring policies for Netwrix Password Policy Enforcer.” + +## Symptoms + +- Netwrix Password Policy Enforcer (PPE) is installed and configured in your environment. +- Netwrix Auditor Netwrix Password Reset reports do not contain any data. + +## Cause + +The **Maximum password age** settings mismatch in the default domain GPO and PPE. + +## Resolution + +Configure the **Maximum password age** setting in the default domain GPO and in Netwrix Password Policy Enforcer (PPE) so both use the same value. 
diff --git a/docs/kb/auditor/password-expiration-notifier-stopped-showing-results.md b/docs/kb/auditor/password-expiration-notifier-stopped-showing-results.md new file mode 100644 index 0000000000..032bfc1167 --- /dev/null +++ b/docs/kb/auditor/password-expiration-notifier-stopped-showing-results.md @@ -0,0 +1,33 @@ +--- +description: >- + If you exclude OUs using the `omitoulist.txt` file, Netwrix Password Reset may + stop showing results if the file contains blank lines. Remove blank lines from + `omitoulist.txt` to restore monitoring plan results. +keywords: + - omitoulist.txt + - blank lines + - password expiration notifier + - Netwrix Password Reset + - monitoring plans + - troubleshooting + - text editor + - PEN +products: + - auditor +sidebar_label: Password expiration notifier stopped showing resul +tags: [] +title: "Password expiration notifier stopped showing resul" +knowledge_article_id: kA04u000000HDgYCAW +--- + +# Password expiration notifier stopped showing resul + +After excluding some OUs from the scope by modifying the `omitoulist.txt` file, you may notice that Netwrix Password Reset has stopped showing any results for any monitoring plans, even after reverting changes back. + +A possible cause is blank lines accidentally added at the beginning, in the middle, or at the end of the `omitoulist.txt` file. To fix that, open the file in any text editor and remove the blank lines. On the screenshot below, the lines 1, 7 and 9 must be removed. + +1. Open `omitoulist.txt` in any text editor. +2. Remove any blank lines at the beginning, middle, or end of the file. +3. Save the file. + +![image.png](images/ka04u000000HdDR_0EM4u0000084XpS.png) diff --git a/docs/kb/auditor/permission-denied-error-code-2146828218.md b/docs/kb/auditor/permission-denied-error-code-2146828218.md new file mode 100644 index 0000000000..829f255949 --- /dev/null +++ b/docs/kb/auditor/permission-denied-error-code-2146828218.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Explains why non-admin users receive "You do not have a Helpdesk operator + permissions" or "Permission denied" (error code -2146828218) when accessing + the Help-Desk portal, and shows how to grant the Help-Desk Operators role and + verify IIS authentication settings. +keywords: + - helpdesk + - permission denied + - error -2146828218 + - Help-Desk Operators + - Account Lockout Examiner + - IIS Authentication + - Anonymous Authentication + - Helpdesk operator permissions +products: + - auditor +sidebar_label: 'Permission denied, error code -2146828218' +tags: [] +title: 'Permission denied, error code -2146828218' +knowledge_article_id: kA00g000000H9cCCAS +--- + +# Permission denied, error code -2146828218 + +When trying to access the Help-Desk portal, a non-admin user gets a "You do not have a Helpdesk operator permissions" message or "Permission denied" error (error code -2146828218) + +![User-added image](images/ka04u000000HcUx_0EM700000004wyo.png) + +--- + +## Cause + +This message occurs because the user whose credentials were used to enter the Helpdesk portal is not granted Help-Desk operator role in the product settings. + +--- + +## Resolution + +To grant a user access to the Help-Desk portal, add this user to the Help Desk Operators role. + +### To do this, perform the following steps: +1. In the Account Lockout Examiner console, navigate to **File > Settings** and select the **Security roles** tab. +2. In the **Help-Desk Operators** section, click the **Modify** button. +3. In the dialog that opens, click the **Add** button and specify user(s) that you want to add to this role. + +![User-added image](images/ka04u000000HcUx_0EM700000004wyy.png) + +If the issue persists, check that Authentication options are configured properly in IIS: + +4. Start the IIS Manager and navigate to your Account Lockout Examiner web portal virtual directory (by default - `Default Web SiteALE`). +5. 
Select this folder by left-clicking on it and look for the **Authentication** feature under the IIS block in the central pane. Double-click on it. +6. Make sure that `"Anonymous Authentication"` is disabled. + +![User-added image](images/ka04u000000HcUx_0EM700000004wyt.png) diff --git a/docs/kb/auditor/permission_manifests_for_auditing_office_365_and_microsoft_entra_id_(auditor_v10.0_and_older).md b/docs/kb/auditor/permission_manifests_for_auditing_office_365_and_microsoft_entra_id_(auditor_v10.0_and_older).md new file mode 100644 index 0000000000..a2310ab313 --- /dev/null +++ b/docs/kb/auditor/permission_manifests_for_auditing_office_365_and_microsoft_entra_id_(auditor_v10.0_and_older).md 
@@ -0,0 +1,196 @@ +--- +description: >- + This article provides step-by-step instructions for setting up permissions for Microsoft 365 and Microsoft Entra ID in Netwrix Auditor v10.0 and older. +keywords: + - Microsoft 365 + - Microsoft Entra ID + - Netwrix Auditor + - permissions + - auditing +sidebar_label: Permission Manifests for Auditing +tags: [] +title: "Permission Manifests for Auditing Office 365 and Microsoft Entra ID (Auditor v10.0 and Older)" +knowledge_article_id: kA04u0000000K9VCAU +products: + - auditor +--- + +# Permission Manifests for Auditing Office 365 and Microsoft Entra ID (Auditor v10.0 and Older) + +> **IMPORTANT:** For Netwrix Auditor v10.6 and later, refer to the following documentation articles: [Microsoft 365 — Permissions for Microsoft Entra ID Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/microsoftentraid/permissions), [Microsoft 365 — Permissions for Exchange Online Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/exchangeonline/permissions), [Microsoft 365 — Permissions for SharePoint Online Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/sharepointonline/permissions), [Microsoft 365 — Permissions for Teams Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/teams/permissions). + +## Question + +How to set up permissions for Microsoft 365 and Microsoft Entra ID (formerly Azure AD) in Netwrix Auditor v10.0 and older? + +## Answer + +This article contains permission manifests for Microsoft 365 and Microsoft Entra ID to ease the permissions configuration for Netwrix Auditor versions 10.0 and older. Refer to the following steps to configure the application manifest: + +1. Visit the Entra ID portal: [Microsoft Entra Admin Center ⸱ Microsoft 🡥](https://entra.microsoft.com). +2. In the left pane, select **Applications** > **App registrations**. +3. Select the app you would like to configure. +4. In the left pane of the new **Overview** window, select the **Manifest** tab. 
You can either edit the manifest in the web-based manifest editor, or select **Download** to edit the manifest locally to **Upload** it to reapply it to your application. + + ![Manifest tab in the Overview window](./images/servlet_image_31a741be3a3d.png) + +5. After opening the manifest file, replace the contents of **requiredResourceAccess** with the data provided below. +6. Once changes are introduced, save the manifest and grant administrator permissions in the **API Permissions** tab. + +You can use the following screenshots for permissions reference: + +- **SharePoint Online** + + ![SharePoint Online permissions](./images/servlet_image_b88c6cd43443.png) + +- **Exchange Online** + + ![Exchange Online permissions](./images/servlet_image_a59a6a87d3a0.png) + +- **Microsoft Entra ID** + + ![Microsoft Entra ID permissions](./images/servlet_image_bcb70814f4ea.png) + +### Manifest for SharePoint Online + +```json +"requiredResourceAccess": [ + { + "resourceAppId": "00000003-0000-0000-c000-000000000000", + "resourceAccess": [ + { + "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", + "type": "Role" + } + ] + }, + { + "resourceAppId": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "resourceAccess": [ + { + "id": "594c1fb6-4f81-4475-ae41-0c394909246c", + "type": "Role" + } + ] + }, + { + "resourceAppId": "00000002-0000-0000-c000-000000000000", + "resourceAccess": [ + { + "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", + "type": "Role" + }, + { + "id": "1cda74f2-2616-4834-b122-5cb1b07f8a59", + "type": "Role" + } + ] + }, + { + "resourceAppId": "00000003-0000-0ff1-ce00-000000000000", + "resourceAccess": [ + { + "id": "678536fe-1083-478a-9c59-b99265e6b0d3", + "type": "Role" + } + ] + } +], +``` + +### Manifest for Exchange Online + +```json +"requiredResourceAccess": [ + { + "resourceAppId": "00000003-0000-0000-c000-000000000000", + "resourceAccess": [ + { + "id": "693c5e45-0940-467d-9b8a-1022fb9d42ef", + "type": "Role" + }, + { + "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", + "type": 
"Role" + } + ] + }, + { + "resourceAppId": "00000002-0000-0000-c000-000000000000", + "resourceAccess": [ + { + "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", + "type": "Role" + }, + { + "id": "1cda74f2-2616-4834-b122-5cb1b07f8a59", + "type": "Role" + } + ] + }, + { + "resourceAppId": "00000002-0000-0ff1-ce00-000000000000", + "resourceAccess": [ + { + "id": "dc50a0fb-09a3-484d-be87-e023b12c6440", + "type": "Role" + } + ] + }, + { + "resourceAppId": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "resourceAccess": [ + { + "id": "594c1fb6-4f81-4475-ae41-0c394909246c", + "type": "Role" + } + ] + } +], +``` + +### Manifest for Microsoft Entra ID + +```json +"requiredResourceAccess": [ + { + "resourceAppId": "00000002-0000-0000-c000-000000000000", + "resourceAccess": [ + { + "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", + "type": "Role" + } + ] + }, + { + "resourceAppId": "00000003-0000-0000-c000-000000000000", + "resourceAccess": [ + { + "id": "b0afded3-3588-46d8-8b3d-9842eff778da", + "type": "Role" + }, + { + "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", + "type": "Role" + } + ] + }, + { + "resourceAppId": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "resourceAccess": [ + { + "id": "594c1fb6-4f81-4475-ae41-0c394909246c", + "type": "Role" + } + ] + } +], +``` + +## Related Articles + +- [Microsoft 365 — Permissions for Microsoft Entra ID Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/microsoftentraid/permissions) +- [Microsoft 365 — Permissions for Exchange Online Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/exchangeonline/permissions) +- [Microsoft 365 — Permissions for SharePoint Online Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/sharepointonline/permissions) +- [Microsoft 365 — Permissions for Teams Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/teams/permissions) +- [Microsoft Entra Admin Center ⸱ Microsoft 🡥](https://entra.microsoft.com) \ No newline at end of file 
diff --git a/docs/kb/auditor/permissions-granted-are-insufficient-in-sql-server-reporting-services.md b/docs/kb/auditor/permissions-granted-are-insufficient-in-sql-server-reporting-services.md new file mode 100644 index 0000000000..0268c4354f --- /dev/null +++ b/docs/kb/auditor/permissions-granted-are-insufficient-in-sql-server-reporting-services.md 
@@ -0,0 +1,70 @@ +--- +description: >- + This article explains how to resolve the 'permissions granted to user are + insufficient' error when accessing SQL Server Reporting Services (SSRS) Report + Manager or viewing reports in Netwrix Auditor by disabling UAC and enabling + active scripting. +keywords: + - SSRS + - rsAccessDenied + - UAC + - EnableLUA + - Active scripting + - Netwrix Auditor + - Report Manager + - permissions +products: + - auditor +visibility: public +sidebar_label: Permissions Granted Are Insufficient in SQL Server +tags: [] +title: "Permissions Granted Are Insufficient in SQL Server Reporting Services" +knowledge_article_id: kA00g000000H9Y0CAK +--- + +# Permissions Granted Are Insufficient in SQL Server Reporting Services + +## Symptoms + +- The following error is prompted when accessing SSRS Report Manager or viewing reports in Netwrix Auditor: + +``` +The permissions granted to user '%domain\\user%' are insufficient for performing this operation. (rsAccessDenied) +``` + +- In older SSRS versions, the error reads as follows: + +``` +User "%domain\\user" does not have required permissions. +Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed. +``` + +- The affected user has sufficient roles granted in the **Security** tab of both **Site Settings** and the Netwrix Auditor **reports** folder. Refer to the following article for additional information on roles required for a service account: /docs/auditor/10.5/auditor/permissions/ssrsaccount (Configure Netwrix Auditor Service Accounts − Configure SSRS Account · v10.6). + +## Causes + +1. User Account Control (UAC) is enabled in the Netwrix Auditor server preventing the access. +2. The active scripting support is disabled. + +## Resolutions + +### Cause #1 − Disable UAC in the Netwrix Auditor server + +1. 
Launch **Registry Editor**, and locate the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` key. +2. Locate the `EnableLUA` subkey. Right-click it, select **Modify** > change the value data to `0`, and click **OK**. +3. Reboot the server for changes to take effect. + +### Cause #2 − Enable active scripting support in the Netwrix Auditor server + +1. In **Control Panel**, select **Internet Options**. + +> NOTE: Alternatively, you can find the **Internet Properties** menu via the **Search** bar. + +2. Under the **Security** tab, click **Custom level**. +3. Locate the **Scripting** node, and check the **Enable** option under the **Active scripting** subnode. +4. Click **OK** > **OK** twice to save the changes. A reboot is required for changes to take effect. + +## Related articles + +- Configure Netwrix Auditor Service Accounts − Configure SSRS Account · v10.6 + /docs/auditor/10.5/auditor/permissions/ssrsaccount diff --git a/docs/kb/auditor/preserving-custom-taxonomies.md b/docs/kb/auditor/preserving-custom-taxonomies.md new file mode 100644 index 0000000000..af7de01808 --- /dev/null +++ b/docs/kb/auditor/preserving-custom-taxonomies.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Describes how to export (backup) and import custom taxonomies in Netwrix Data + Classification so you can protect them from SQL database loss and move them + between instances. +keywords: + - custom taxonomy + - taxonomy backup + - Netwrix Data Classification + - export taxonomy + - import taxonomy + - SQL DB + - XML + - Global Settings +products: + - auditor + - data-classification +sidebar_label: Preserving Custom Taxonomies +tags: [] +title: "Preserving Custom Taxonomies" +knowledge_article_id: kA00g000000Pbd5CAC +--- + +# Preserving Custom Taxonomies + +## Situation + +When installing Netwrix Data Classification there are 12 default Taxonomies that are available out of the box. These taxonomies are added to the SQL DB via the installer. In a situation where you have created a custom taxonomy, it is important to create a backup. This is because as a loss of the SQL DB for any reason will cause you to lose the custom taxonomy and force you to recreate it. This will also allow you to move custom taxonomies to multiple Netwrix Data Classification instances that each have their own SQL DB. + +### Steps to Backup + +1. From the Netwrix Data Classification dashboard (default: `http://localhost/conceptQS`) click **Taxonomies** at the top of the page +2. Navigate to **Global Settings** found in the blue banner near the top of the page +3. Find the custom taxonomy that you have created and click the checkbox to the immediate left of it +4. Click **Export**, you will then be prompted by the browser to save an XML copy of the taxonomy. +5. Place the XML file anywhere you would like for later retrieval. + +### Steps to upload a taxonomy + +1. From the Netwrix Data Classification dashboard (default: `http://localhost/conceptQS`) click **Taxonomies** at the top of the page +2. Navigate to **Global Settings** found in the blue banner near the top of the page +3. 
Click **Add**, you will then be prompted with three options, in this situation we will be clicking **Upload** +4. The next screen will prompt you to browse for the XML that you intend to upload. Once you’ve specified the correct file location, click **Next** and then **save**. You have successfully uploaded the taxonomy. diff --git a/docs/kb/auditor/process-cannot-access-the-file-in-windows-server-monitoring-plan.md b/docs/kb/auditor/process-cannot-access-the-file-in-windows-server-monitoring-plan.md new file mode 100644 index 0000000000..0d1603179e --- /dev/null +++ b/docs/kb/auditor/process-cannot-access-the-file-in-windows-server-monitoring-plan.md 
@@ -0,0 +1,41 @@ +--- +description: >- + When configuring a Windows Server monitoring plan, Netwrix Auditor may log an + Event ID 1016 indicating that a file is in use. This article explains the + cause and shows how to resolve it by specifying the computer FQDN. +keywords: + - Windows Server monitoring + - Netwrix Auditor + - Event ID 1016 + - process cannot access the file + - FQDN + - NetBIOS +products: + - auditor +sidebar_label: Process Cannot Access the File in Windows Server M +tags: [] +title: "Process Cannot Access the File in Windows Server M" +knowledge_article_id: kA04u00000110yrCAA +--- + +# Process Cannot Access the File in Windows Server M + +## Symptom + +While configuring a Windows Server monitoring plan, the following error is prompted in Netwrix Auditor System Health Log: + +```text +Event ID: 1016 +The collector Registry data provider gathering data on the server (server name) due to the following error: +The process cannot access the file because it is being uses by another process +``` + +## Cause + +A FQDN name of the computer item should be specified instead of NetBIOS format. + +## Resolution + +1. Navigate to your Windows Server monitoring plan and click **Edit**. +2. On your plan editing wizard, select your computer item and click **Edit item** on the right. +3. Provide a FQDN name of the computer. For example, `DC.corp.local`. diff --git a/docs/kb/auditor/process-document-images-results-in-no-extracted-text-or-invalid-text.md b/docs/kb/auditor/process-document-images-results-in-no-extracted-text-or-invalid-text.md new file mode 100644 index 0000000000..6d290b1126 --- /dev/null +++ b/docs/kb/auditor/process-document-images-results-in-no-extracted-text-or-invalid-text.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Troubleshoot cases where images or documents produce no extracted text or + invalid OCR text in Netwrix Data Classification and Netwrix Auditor by + verifying OCR settings and image quality. +keywords: + - OCR + - Tesseract + - Process Document Images + - Visual C++ Redistributable + - DPI + - Text Extraction + - Content Type Extraction Methods + - Netwrix Data Classification + - Netwrix Auditor +products: + - auditor + - data-classification +sidebar_label: Process Document Images results in no extracted te +tags: [] +title: "Process Document Images results in no extracted text or invalid text" +knowledge_article_id: kA00g000000H9e1CAC +--- + +# Process Document Images results in no extracted text or invalid text + +Documents containing images, or images themselves are resulting in no extracted text - or invalid text. + +
+ +## No Text + +The first step is to ensure that Netwrix Data Classification's OCR capabilities are enabled, please: + +1. Navigate to the **Config** section of the **Administration Interface** +2. Expand **Text Processing** +3. Select **Content Type Extraction Methods** +4. Edit each of the image types that you wish to **OCR** selecting the **Tesseract** option + +To **OCR** images contained within documents (such as **PDFs**, or **Office documents**) please also enable the **Process Document Images** mode, found within: **Config** → **Core** → **Collector**. + +**Tesseract** requires the **Visual C++ Redistributable** for **Visual Studio 2015** to be installed, this is available from the following [link](https://www.netwrix.com/go/VCRedistributable2015). + +## Invalid Text + +Sometimes **OCR** processing will result in **garbled** or **invalid text**. Typically this is because the document is either **rotated**, or at too **low** a **resolution** for processing (the recommended **DPI** is **300** for **OCR processing**). If this is no the case please raise a support request, attaching the image to the request, for us to investigate further. diff --git a/docs/kb/auditor/process-event-log-backup-without-domain-administrator-permissions.md b/docs/kb/auditor/process-event-log-backup-without-domain-administrator-permissions.md new file mode 100644 index 0000000000..3c0c52cafb --- /dev/null +++ b/docs/kb/auditor/process-event-log-backup-without-domain-administrator-permissions.md 
@@ -0,0 +1,49 @@ +--- +description: >- + If your service account is not a member of the Domain Administrators group, + follow these steps to allow Netwrix Auditor to process event log backups by + assigning group membership, registry and file permissions, or by deploying a + Group Policy to Domain Controllers. +keywords: + - event log backup + - Domain Controller + - group policy + - registry permissions + - Netwrix Auditor + - service account + - winevt Logs + - network share + - permissions +products: + - auditor +sidebar_label: Process event log backup without domain administra +tags: [] +title: "Process event log backup without domain administrator permissions" +knowledge_article_id: kA00g000000H9S8CAK +--- + +# Process event log backup without domain administrator permissions + +If your service account is not a member of the Domain Administrators group and you want Netwrix Auditor to process event log backups, perform the following steps: + +1. Add your service account to one of the following groups: **Print Operators** or **Server Operators** +2. Specify Read permissions for the following registry node on all Domain Controllers: `HKLM\System\CurrentControlSet\Services\EventLog\Security` +3. Share the folder with event log backups (default is `C:\Windows\System32\winevt\Logs`) on all Domain Controllers +4. Specify read permissions for the event log backup folder (default is `C:\Windows\System32\winevt\Logs`) on all Domain Controllers + +If you have many Domain Controllers, create a Group Policy to apply these settings to all Domain Controllers. To create a new Group Policy, perform the following steps: + +1. Run `gpmc.msc` +2. Create a new policy object and link it to the **Domain Controllers** OU (right-click the **Domain Controllers** OU and select **Link Existing GPO**, then select the policy that you created) +3. Edit the policy that you created +4. 
Navigate to **Computer Configuration** → **Policies** → **Windows Settings** → **Security Settings** → **Registry** +5. Right-click **Registry**, select **Add Key**, select the following key: `HKLM\System\CurrentControlSet\Services\EventLog\Security`, and press **OK** +6. Add the Netwrix Auditor service account and specify **Read** permissions +7. Navigate to **Computer Configuration** → **Policies** → **Windows Settings** → **Security Settings** → **File System** +8. Right-click **File System**, select **Add File**, select the following folder: `C:\Windows\System32\winevt\Logs`, and press **OK** +9. Add the Netwrix Auditor service account and specify **Full control** +10. Navigate to **Computer Configuration** → **Preferences** → **Windows Settings** → **Network Shares** +11. Right-click **Network Shares** → **New** → **Network Share** +12. Select **Update** in the **Action** drop-down menu, specify **Share name** (for example, EventLogs), specify the following folder in the **Folder Path** area: `C:\Windows\System32\winevt\Logs`, and press **OK** + +After replication, all your Domain Controllers will have the Event Logs shared folder with event logs in it and Netwrix Auditor will be able to process backups. diff --git a/docs/kb/auditor/rbac-authorization-returns-access-denied.md b/docs/kb/auditor/rbac-authorization-returns-access-denied.md new file mode 100644 index 0000000000..560ba2eb8a --- /dev/null +++ b/docs/kb/auditor/rbac-authorization-returns-access-denied.md 
@@ -0,0 +1,41 @@ +--- +description: >- + This article explains the RBAC 'Access Denied' error caused by missing role + assignments for a service account and shows how to resolve it by adding the + service account to the Exchange Management Group and Organization Management + security groups. +keywords: + - RBAC + - Access Denied + - role assignments + - Exchange Management Group + - Organization Management + - Service Account + - Domain Controller + - permissions + - Exchange +products: + - auditor +sidebar_label: RBAC authorization returns access denied +tags: [] +title: "RBAC authorization returns access denied" +knowledge_article_id: kA00g000000H9aNCAS +--- + +# RBAC authorization returns access denied + +## Symptoms + +You receive the following error message: + +``` +RBAC authorization returns Access Denied for user **[Service Account]**. Reason: No role assignments associated with the specified user were found on Domain Controller **[Domain Controller]** +``` + +## Cause + +Role assignments are missing for the specified user. + +## Resolution + +1. Add the specified Service Account to the **Exchange Management Group** and **Organization Management** security groups. diff --git a/docs/kb/auditor/reading-log-status.md b/docs/kb/auditor/reading-log-status.md new file mode 100644 index 0000000000..00f77f8f03 --- /dev/null +++ b/docs/kb/auditor/reading-log-status.md 
@@ -0,0 +1,46 @@ +--- +description: >- + If a domain controller shows "Reading log" with a yellow exclamation in the + NetWrix Account Lockout Examiner Console, the program cannot read lockout + events from that controller. This article explains how to reset the readLog + registry value to resolve the issue. +keywords: + - account lockout + - reading log + - readLog + - registry + - domain controller + - event logs + - NetWrix Account Lockout Examiner + - HKLM + - Wow6432Node +products: + - auditor +sidebar_label: Reading log status +tags: [] +title: "Reading log status" +knowledge_article_id: kA00g000000H9TZCA0 +--- + +# Reading log status + +In NetWrix Account Lockout Examiner Console, a domain controller has a yellow exclamation mark in front of the **DC Name** column of the **Monitored Domain Controllers** grid. Connection status is shown **Reading log**. Lockout events from this domain controller cannot be read by the program as well. + +![User-added image](images/ka04u000000HcNK_0EM700000004x01.png) + +--- + +## Symptom + +This issue can appear either right after the NetWrix Account Lockout Examiner installation, or after the NetWrix Account Lockout Examiner Service restart. The program is referring to the event logs created earlier, before the installation or restart, and fails to complete reading the logs. + +## Resolution + +To fix the issue, do the following: + +1. Open **Registry Editor**: navigate to Start - Run, enter `regedit` and click **OK**. +2. In the left pane, navigate to `HKLM Software[Wow6432Node]NetWrixAccount Lockout Examiner`. The step Wow6432Node is only applied to x64 OS. +3. In the right pane, double-click `readLog`, specify `0` in the Value data field and click **OK**. +4. In NetWrix Account Lockout Examiner Console main menu bar, navigate to **File - Settings** and click **OK** to apply registry changes. + +![User-added image](images/ka04u000000HcNK_0EM700000004wzw.png) 
diff --git a/docs/kb/auditor/recover-access-to-a-sql-server-instance.md b/docs/kb/auditor/recover-access-to-a-sql-server-instance.md new file mode 100644 index 0000000000..69a70a011f --- /dev/null +++ b/docs/kb/auditor/recover-access-to-a-sql-server-instance.md @@ -0,0 +1,36 @@ +--- +description: >- + Use PSExec to run SQL Server Management Studio as the Local System account to + regain sysadmin access and assign another account sysadmin permissions. +keywords: + - SQL Server + - SQL Server Management Studio + - sysadmin + - PSExec + - Local System + - recover access + - ssms + - Sysinternals +products: + - auditor +sidebar_label: Recover access to a SQL Server Instance +tags: [] +title: "Recover access to a SQL Server Instance" +knowledge_article_id: kA00g000000H9WRCA0 +--- + +# Recover access to a SQL Server Instance + +How to log into SQL Server Management Studio if there is no sysadmin account or you don't know the password. + +By default the Local System account on the SQL Server instance has sysadmin rights. To log into SQL Server Management Studio and assign another account sysadmin permissions, follow these steps: + +1. Download PSExec: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx +2. Run the following command in the command prompt, replace the wildcard with the number depending on deployed SQL Server version: + ``` + PsExec -s -i "C:\Program Files (x86)\Microsoft SQL Server*\Tools\Binn\ManagementStudio\Ssms.exe" + ``` + (path in the parentheses is the default installation path to SQL Server Management Studio, it might differ if you have installed it elsewhere) +3. SQL Server Management Studio runs; after you click **Connect** you will be connected with sysadmin permissions. + +**Note**: SQL Server Management Studio might be installed on a different drive, therefore you should change the path to `Ssms.exe` before running the command. 
diff --git a/docs/kb/auditor/recovery-mode-changes-in-sql-databases.md b/docs/kb/auditor/recovery-mode-changes-in-sql-databases.md new file mode 100644 index 0000000000..a10e083abc --- /dev/null +++ b/docs/kb/auditor/recovery-mode-changes-in-sql-databases.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains why SQL Server recovery model for Netwrix Auditor databases can + change between simple and bulk-logged during State-in-Time snapshot uploads + and how to handle backups for these databases. +keywords: + - SQL Server + - recovery model + - Netwrix Auditor + - State-in-Time + - Long-Term Archive + - backup + - .mdf + - .ldf + - bulk-logged + - simple +products: + - auditor +sidebar_label: Recovery Mode Changes in SQL Databases +tags: [] +title: "Recovery Mode Changes in SQL Databases" +knowledge_article_id: kA00g000000H9drCAC +--- + +# Recovery Mode Changes in SQL Databases + +## Questions + +1. Why does recovery mode change in SQL databases used in Netwrix Auditor? +2. The backup software solution deployed in our environment does not handle revolving recovery models well. Is it possible to keep them static? + +## Answers + +1. Netwrix Auditor databases use simple recovery model by default. The simple model ensures optimal performance and efficient SQL Server resources usage, aimed to minimize the transaction log size. Occasionally the recovery model of Netwrix Auditor databases may switch to bulk-logged to revert back to simple. The change happens during the State-in-Time snapshots upload − the bulk-logged recovery model ensures data consistency when uploading larger data, like State-in-Time snapshots. This behavior is intended for the normal product workflow and cannot be changed. + +2. Netwrix Auditor stores copied collected data in Long-Term Archive to allow the import to a dedicated database when required. There is no need to back up Netwrix databases − it is recommended to exclude them from the scope of your backup software solution. If backup is absolutely needed, it is recommended to use native SQL Server backup functionality instead of backing up `*.mdf` and `*.ldf` files via the file system. 
If this is not an option, the only solution would be disabling State-in-Time feature for the monitoring plans that use the corresponding databases. + +## Related articles + +- [Recovery Models (SQL Server) ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/sql/relational-databases/backup-restore/recovery-models-sql-server?view=sql-server-ver16) +- Reports − State-in-Time Reports ⸱ v10.6 diff --git a/docs/kb/auditor/reducing-the-used-active-directory-and-entra-id-license-counts.md b/docs/kb/auditor/reducing-the-used-active-directory-and-entra-id-license-counts.md new file mode 100644 index 0000000000..b60490a26b --- /dev/null +++ b/docs/kb/auditor/reducing-the-used-active-directory-and-entra-id-license-counts.md 
@@ -0,0 +1,101 @@ +--- +description: >- + How to reduce the number of Active Directory and Entra ID licenses used by + Netwrix Auditor by disabling accounts or excluding OUs and users from + monitoring. +keywords: + - Active Directory + - Entra ID + - licenses + - omitUPNlist.txt + - omitpathlist.txt + - monitoring scope + - Netwrix Auditor + - OUs +products: + - auditor +sidebar_label: Reducing the Used Active Directory and Entra ID Li +tags: [] +title: "Reducing the Used Active Directory and Entra ID License Counts" +knowledge_article_id: kA04u000000PoL7CAK +--- + +# Reducing the Used Active Directory and Entra ID License Counts + +> **IMPORTANT:** Netwrix Auditor is licensed per enabled Active Directory (AD) and Entra ID user object. For additional information on determining the number of enabled users, refer to the following articles: [Determining the Number of Enabled Active Directory User Accounts](/docs/kb/auditor/determining-the-number-of-enabled-active-directory-user-accounts) — [Determining the Number of Enabled Microsoft Entra ID Accounts](/docs/kb/auditor/determining-the-number-of-enabled-microsoft-entra-id-accounts). Netwrix Auditor only collects data from objects that are not excluded (omitted), which means that any objects that are omitted will not be monitored. + +## Question + +How can the number of used AD and Entra ID licenses be reduced in Netwrix Auditor? + +## Answer + +Refer to the following options to reduce the count of used AD and Entra ID licenses: + +- Disable the User Objects +- Exclude OUs and User Objects via the Auditor UI +- Exclude an OU via the Omit List +- Exclude Entra ID Users via the omitUPNlist.txt File + +### Disable the User Objects + +Netwrix Auditor is licensed based on the number of enabled user objects in the AD. Disabled user objects are still tracked for changes, but they do not count towards the license count. Refer to the following steps to view a list of all enabled users: + +1. 
In the main Netwrix Auditor screen, select **Reports** > **Predefined** > **Active Directory** > **Active Directory—State-in-Time** > **User Accounts**. +2. In the filters section, switch the **Status** filter to **Enabled** to get a full list of enabled users. Click **View Report** to update the report. + +> **TIP:** Switch the **Sort By** filter to **Name** to sort the list by the organizational unit (OU). + +Review the list to determine if any accounts should be disabled. + +> **NOTE:** No further actions are required after you disable the user objects—Netwrix Auditor reviews the used AD license count on data collection. + +### Exclude OUs and User Objects via the Auditor UI + +Refer to the following steps to exclude OUs and user objects from the monitoring scope via the Netwrix Auditor UI to reduce the used license count: + +1. In the main Netwrix Auditor menu, click **Monitoring Plans**. +2. Select the relevant AD monitoring plan and click **Edit**. +3. Select the data source and click **Edit data source**. + +![Edit data source](./images/ka0Qk000000EIjS_0EMQk00000661ik.png) + +4. In the left pane, select the **Objects** tab. Select the **Exclude these objects** checkbox, then click **Add** to exclude objects from the monitoring scope. After adding the objects, click **Save & Close**. + +![Exclude these objects](./images/ka0Qk000000EIjS_0EMQk000005FPXt.png) + +Refer to the following examples to learn about how the exclusion rules work for **Objects**. The same logic applies to the inclusion rules: + +- `domain.local/OU` will exclude the OU itself. However, objects within this OU will not be excluded. +- `domain.local/OU/*` will exclude objects within the OU. However, the OU itself will not be excluded. +- `domain.local/OU*` will exclude the OU itself, all objects within it, and also all objects whose path begins with `domain.local/OU` (like `domain.local/OU_HQ`). 
+ +### Exclude an OU via the Omit List + +Populate the `omitpathlist.txt` omit list with the OU you would like to omit. Use the exclusion rules provided above. For additional information on AD omit lists, refer to the following article: [Active Directory Monitoring Scope](/docs/auditor/10.7/admin/monitoringplans/activedirectory/scope). + +### Exclude Entra ID Users via the omitUPNlist.txt File + +To exclude specific Entra ID users from the license count, populate the `omitUPNlist.txt` file with the user principal names (UPNs) of the users you want to omit. Follow these steps: + +1. Locate the `omitUPNlist.txt` file in the Netwrix Auditor installation directory. +2. Edit the file and add the UPNs of the users you want to exclude + +`Wildcard *` is supported and can replace any number of characters. + +> **IMPORTANT:** Excluding users via the `omitUPNlist.txt` file will reduce the Entra ID user count used for licensing but will also exclude these users from monitoring. For more information, please see [Microsoft Entra ID Monitoring Scope](/docs/auditor/10.7/admin/monitoringplans/microsoftentraid/scope). + +## Tips + +- No special syntax is required for OUs with white-space characters in their names (for example, a space). +- Netwrix Auditor updates the monitoring scope after the next scheduled state-in-time snapshot collection (next day by default). Alternatively, you can manually update your Active Directory monitoring plan to update the monitoring scope. +- When using `omitUPNlist.txt` for Entra ID, ensure that UPNs are entered one per line and that there are no extra spaces or invisible characters. +- Use wildcards in `omitUPNlist.txt` to efficiently exclude groups of users with similar UPN patterns (for example, `*@contoso.com`). +- Netwrix Auditor updates the monitoring scope after the next scheduled state-in-time snapshot collection (next day by default). 
Alternatively, you can manually update your Active Directory or Entra ID monitoring plan to update the monitoring scope. + +## Related Links + +- [Determining the Number of Enabled Active Directory User Accounts](/docs/kb/auditor/determining-the-number-of-enabled-active-directory-user-accounts) +- [Determining the Number of Enabled Microsoft Entra ID Accounts](/docs/kb/auditor/determining-the-number-of-enabled-microsoft-entra-id-accounts) +- [Active Directory Monitoring Scope](/docs/auditor/10.7/admin/monitoringplans/activedirectory/scope) +- [Microsoft Entra ID Monitoring Scope](/docs/auditor/10.7/admin/monitoringplans/microsoftentraid/scope) diff --git a/docs/kb/auditor/remote-service-control-manager-connection-timout.md b/docs/kb/auditor/remote-service-control-manager-connection-timout.md new file mode 100644 index 0000000000..36da11fcea --- /dev/null +++ b/docs/kb/auditor/remote-service-control-manager-connection-timout.md 
@@ -0,0 +1,35 @@ +--- +description: >- + This article explains the "Failed to connect to remote service control + manager" timeout error that can appear in the daily summary report and shows + how to increase the connection timeout by adding a registry value. +keywords: + - remote service control manager + - timeout + - SvcMaxWaitTime + - registry + - Netwrix Auditor + - domain controller + - wait operation timed out + - daily summary report +products: + - auditor +sidebar_label: Remote service control manager connection timout +tags: [] +title: "Remote service control manager connection timout" +knowledge_article_id: kA00g000000H9WPCA0 +--- + +# Remote service control manager connection timout + +In the daily summary report sometimes you may see the following error: + +`Failed to process DC %DC name% due to the following error: Failed to connect to remote service control manager. Error details: The wait operation timed out.` + +The product tries to connect to the remote service control manager on the domain controller, but it takes more than 30 seconds. This issue is usually caused by the network connection between the Netwrix host and the target domain controller. + +Default connection timeout is 30 seconds, and in order to increase this value please perform the following steps: + +1. Run `regedit`, and navigate to the following key: `HKEY_LOCAL_MACHINESOFTWAREWow6432NodeNetWrixAD Change Reporter` +2. Create a new DWORD key with the following name: `SvcMaxWaitTime` +3. Set decimal value in seconds more than 30 e.g. `60` or `120` diff --git "a/docs/kb/auditor/remote_certificate_is_invalid_according_to_validation_procedure_\342\200\224_subscriptions_error_in_netwrix_aud.md" "b/docs/kb/auditor/remote_certificate_is_invalid_according_to_validation_procedure_\342\200\224_subscriptions_error_in_netwrix_aud.md" new file mode 100644 index 0000000000..c1b92dfcd4 
--- /dev/null +++ "b/docs/kb/auditor/remote_certificate_is_invalid_according_to_validation_procedure_\342\200\224_subscriptions_error_in_netwrix_aud.md" 
@@ -0,0 +1,50 @@ +--- +description: >- + This article addresses the "Remote Certificate Is Invalid According to Validation Procedure" error in Netwrix Auditor, detailing symptoms, causes, and solutions. +keywords: + - Netwrix Auditor + - certificate validation + - SMTP settings +sidebar_label: Remote Certificate Error +tags: [] +title: "Remote Certificate Is Invalid According to Validation Procedure — Subscriptions Error in Netwrix Auditor" +knowledge_article_id: kA04u00000110x5CAA +products: + - auditor +--- + +# Remote Certificate Is Invalid According to Validation Procedure — Subscriptions Error in Netwrix Auditor + +## Symptoms + +- Subscription reports are missing. +- Subscription status reads **Failed** with the following error message: + +``` +The following subscriptions could not be sent to the recipient recipient@domain.com: +Subscription to the %report_name% report +Error: The remote certificate is invalid according to the validation procedure. +``` + +## Causes + +- Certificate validation is enforced for notifications. +- Incorrect SMTP server stated in Notifications SMTP settings. + +## Resolution + +If enforced certificate validation is intended, refer to the following steps to troubleshoot the issue: + +- Ensure your SSL certificate is still valid. Netwrix Auditor stops generating reports once your certificate expires. In case you’re using a self-signed certificate in your environment, you can reboot your Netwrix Auditor server to reissue the certificate. +- If you would like to set up a secure connection between your Netwrix Auditor instance and SQL Server Reporting Services, refer to the following article for additional information: [Set Up Secure Connection Between Netwrix Auditor and SSRS via SSL/TLS Channel](/docs/kb/auditor/set_up_secure_connection_between_auditor_and_ssrs_via_ssltls_channel). +- Make sure the FQDN of your SMTP server is stated instead of the IP address in **Netwrix Auditor settings** > **Notifications**. 
+ +If certificate validation was not intended, refer to the following steps: + +1. In the main Netwrix Auditor screen, select **Settings**. +2. In the left pane, select **Notifications**, and click **Modify** under **Default SMTP Settings**. +3. Uncheck the **Use Secure Socket Layer encrypted connection (SSL/TLS)** checkbox and click **OK** to save changes. + +### Related Articles + +[Set Up Secure Connection Between Netwrix Auditor and SSRS via SSL/TLS Channel](/docs/kb/auditor/set_up_secure_connection_between_auditor_and_ssrs_via_ssltls_channel) \ No newline at end of file diff --git a/docs/kb/auditor/remote_server_returned_error_(400)_bad_request_when_auditing_sharepoint_online_and_microsoft_entra_i.md b/docs/kb/auditor/remote_server_returned_error_(400)_bad_request_when_auditing_sharepoint_online_and_microsoft_entra_i.md new file mode 100644 index 0000000000..45f64c3bf3 --- /dev/null +++ b/docs/kb/auditor/remote_server_returned_error_(400)_bad_request_when_auditing_sharepoint_online_and_microsoft_entra_i.md 
@@ -0,0 +1,91 @@ +--- +description: >- + This article provides troubleshooting steps for resolving the "Remote Server Returned Error: (400) Bad Request" issue when auditing SharePoint Online and Microsoft Entra ID. +keywords: + - SharePoint Online + - Microsoft Entra ID + - Bad Request + - Netwrix Auditor + - Unified Audit +products: + - auditor +sidebar_label: "Remote Server Returned Error: (400) Bad Request" +tags: [] +title: "Remote Server Returned Error: (400) Bad Request when Auditing SharePoint Online and Microsoft Entra ID" +knowledge_article_id: kA00g000000PbchCAC +--- + +# Remote Server Returned Error: (400) Bad Request when Auditing SharePoint Online and Microsoft Entra ID + +## Symptoms + +The following errors are prompted in the Health Log for your SharePoint Online or Microsoft Entra ID (formerly Azure AD) monitoring plan: + +``` +Cannot collect Azure AD audit data due to the following error: +The remote server returned an error: (400) Bad Request. +``` + +``` +Failed to collect state-in-time snapshot data due to the following error. +The remote server returned an error: (400) Bad Request. +``` + +## Causes + +- The tenant name specified for the monitoring plan is incorrect. +- Netwrix Auditor uses the O365 Management API to collect events from Microsoft cloud services. The O365 API accesses `graph.microsoft.com` and `manage.office.com` endpoints. If unified audit is disabled for O365, the following error will be prompted when connecting to the `manage.office.com/api/v1.0/` endpoint: + +``` +Tenant does not exist. +``` + +## Resolutions + +### Step 1. Review the tenant name + +To ensure the tenant name is specified correctly, refer to the Microsoft article on how to [Locate important IDs for a user ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/partner-center/find-ids-and-domain-names). Once you've obtained the correct Tenant ID, specify it in the affected monitoring plan. + +1. In the main **Netwrix Auditor** menu, select **Monitoring Plans**. +2. 
Select the affected monitoring plan, and click **Edit**. +3. Review the items listed under the monitoring plan by clicking **Edit item** in the right pane and replacing the tenant name with the Tenant ID you've previously obtained. +4. Once the changes are introduced and saved, click **Update** under the **Monitoring Plan** section. + +### Step 2. Enable unified audit for O365 + +Before enabling unified audit, check if the error is present in `%Working Folder%\Logs\SharePoint Online Auditing\%GUID%\SpaOnline.log`. If the error is present, proceed with either of the two solutions provided below. Learn more about enabling unified audit in [Turn Auditing On or Off ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/purview/audit-log-enable-disable). + +#### Enable unified audit via PowerShell + +1. Launch elevated PowerShell v.4 and later on your Netwrix server. Run the following commands: + + ```powershell + $UserCredential = Get-Credential + Connect-IPPSSession -Credential $O365Cred + Connect-ExchangeOnline + Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True + Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnable + ``` + + Once the `Connect-IPPSSession -Credential $O365Cred` line is read, a pop-up screen to log in to your Microsoft 365 account will be prompted. Use the credentials for your data collecting account. + +2. Wait for 24 hours and check the status of collections and reports. + +In case of any further issues, submit a case with Netwrix Technical Support. + +#### Enable unified audit via Microsoft Purview compliance portal UI + +1. Log in to the Purview Compliance Portal as an Office 365 admin. Refer to the following link: [Purview Compliance Portal](https://compliance.microsoft.com). +2. In the left pane, select **Solutions** > **Audit**. +3. Select the search option. +4. If search is not enabled, a **Start recording user and admin activity** banner will be prompted. Click it to enable auditing. 
+ +### Related articles + +- [Office 365 Management APIs ⸱ Microsoft 🡥](https://docs.microsoft.com/en-us/office/office-365-management-api/) +- [Office 365 Management Activity API FAQs and troubleshooting ⸱ Microsoft 🡥](https://docs.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api) +- [Microsoft 365 — Turn Auditing On or Off ⸱ Microsoft 🡥](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off) +- [Microsoft Purview — Audit ⸱ Microsoft 🡥](https://compliance.microsoft.com/solutioncatalog/solution/auditlogsearch?solutionname=Audit) +- [Microsoft 365 — Permissions for Microsoft Entra ID Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/microsoftentraid/permissions) +- [Microsoft 365 — Permissions for SharePoint Online Auditing ⸱ v10.6](/docs/auditor/10.6/configuration/microsoft365/sharepointonline/permissions) +- [Locate important IDs for a user ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/partner-center/find-ids-and-domain-names) \ No newline at end of file diff --git a/docs/kb/auditor/reporting-services-error-cannot-check-the-content-manager-role-on-the-report-server.md b/docs/kb/auditor/reporting-services-error-cannot-check-the-content-manager-role-on-the-report-server.md new file mode 100644 index 0000000000..b6c8260479 --- /dev/null +++ b/docs/kb/auditor/reporting-services-error-cannot-check-the-content-manager-role-on-the-report-server.md 
@@ -0,0 +1,41 @@ +--- +description: >- + When you run the SQL Server Reporting Services Settings wizard during initial + Audit Database configuration, you may receive an error stating the account is + not granted the Content Manager role. This article explains the cause and + points you to the software requirements to resolve the issue. +keywords: + - reporting services + - content manager + - SQL Server Reporting Services + - Audit Database + - operating system language + - Netwrix Auditor + - installation + - software requirements + - error message +products: + - auditor +sidebar_label: 'Reporting Services Error: Cannot Check the Content' +tags: [] +title: "Reporting Services Error: Cannot Check the Content Manager Role on The Report Server" +knowledge_article_id: kA04u00000111F4CAI +--- + +# Reporting Services Error: Cannot Check the Content Manager Role on The Report Server + +## Symptom + +When you run the **SQL server Reporting Services Settings** wizard during initial Audit Database configuration in Netwrix Auditor, you see the following error: + +```text +Cannot check if the account specified is granted the Content Manager role on the report server. +``` + +## Cause + +This issue is related to the Operating System language. Netwrix Auditor can be installed on English-only OS. + +## Resolution + +Please review the **Operating System** component in the Software Requirements table. For additional information about Auditor software requirements, refer to the following article: Requirements — Software Requirements — v10.6. diff --git a/docs/kb/auditor/reports-for-subscriptions-are-missing-in-netwrix-auditor.md b/docs/kb/auditor/reports-for-subscriptions-are-missing-in-netwrix-auditor.md new file mode 100644 index 0000000000..7d1333fd68 --- /dev/null +++ b/docs/kb/auditor/reports-for-subscriptions-are-missing-in-netwrix-auditor.md 
@@ -0,0 +1,52 @@ +--- +description: >- + A scheduled report subscription sometimes does not send a report because the + subscription is configured not to send empty reports when no activity + occurred; enable the setting or adjust the schedule to include multiple days + to resolve the issue. +keywords: + - subscriptions + - reports + - empty subscriptions + - schedule + - Netwrix Auditor + - notifications + - recipients + - Send empty subscriptions when no activity occurred +products: + - auditor +sidebar_label: Reports for Subscriptions Are Missing in Netwrix Auditor +tags: [] +title: "Reports for Subscriptions Are Missing in Netwrix Auditor" +knowledge_article_id: kA04u00000111AYCAY +--- + +# Reports for Subscriptions Are Missing in Netwrix Auditor + +## Symptom + +A subscription to a report was previously set up, but on some days no report for the set up subscription is sent to specified recipients. + +## Cause + +The affected subscription has the **Send empty subscriptions when no activity occurred** setting turned off. + +## Resolution + +Enable the **Send empty subscriptions when no activity occurred** setting to receive empty reports on no activity: + +1. In the main Netwrix Auditor menu, select **Subscriptions**. +2. Select the affected subscription, and click **Edit**. +3. In the **General** tab, enable the **Send empty subscriptions when no activity occurred** switch, and click **Save & Close**. + +Refer to the following article for additional information on subscriptions in Netwrix Auditor: /docs/auditor/10.6/auditor/admin-guide/subscriptions (Subscriptions — Create Subscriptions ⸱ v10.6). + +> NOTE: Alternatively, you can alter the schedule to include records from multiple days: +> +> 1. In the main Netwrix Auditor menu, select **Subscriptions**. +> 2. Select the affected subscription, and click **Edit**. +> 3. In the left pane, select **Schedule** − select the appropriate time window to build reports for, and click **Save & Close**. 
+ +## Related articles + +- /docs/auditor/10.6/auditor/admin-guide/subscriptions (Subscriptions — Create Subscriptions ⸱ v10.6) diff --git a/docs/kb/auditor/reports-generation-takes-a-while-and-completes-with-errors.md b/docs/kb/auditor/reports-generation-takes-a-while-and-completes-with-errors.md new file mode 100644 index 0000000000..a8447164c5 --- /dev/null +++ b/docs/kb/auditor/reports-generation-takes-a-while-and-completes-with-errors.md 
@@ -0,0 +1,67 @@ +--- +description: >- + Predefined reports and subscriptions that query wide date ranges can be slow + to generate and may complete with dataset or server errors. This article lists + possible causes and step-by-step resolutions to address report timeouts and + SQL Server memory issues for Netwrix Auditor. +keywords: + - reports + - report generation + - timeout + - SQL Server + - Netwrix Auditor + - performance + - dataset error + - internal server error + - report history + - memory +products: + - auditor +sidebar_label: Reports Generation Takes a While and Completes Wit +tags: [] +title: "Reports Generation Takes a While and Completes With Errors" +knowledge_article_id: kA00g000000H9YBCA0 +--- + +# Reports Generation Takes a While and Completes With Errors + +## Symptom + +Predefined reports and subscriptions for wide date ranges are generated slowly and complete with one of the errors below: + +```text +Cannot read the next data row for the Dataset DS. +``` + +```text +The remote server returned the error: (500) Internal Server Error. +``` + +```text +Report processing has been canceled by the user. +``` + +## Cause + +Too much audit data in the report. + +## Resolution + +To resolve the issue, do one of the following: + +- On your SQL Server host, restart the **SQL Server (Instance name)** windows service. + +- Follow the recommendations to improve the overall Netwrix Auditor performance. Learn more in [Long Data Collection — Improving the Performance](/docs/kb/auditor/long-data-collection-improving-the-performance). + +- Disable the report generating timeout by following these steps: + 1. Open the **ReportManager URL** and click the **Site Settings** link in the top-right corner. + 2. In the left-hand panel, click the **General** tab. + 3. Set the **Limit the copies of report history** to **5**. + 4. Select the **Do not timeout report** checkbox. + 5. Click **Apply** to save changes. + +- Set a limit to SQL server memory consumption. 
Learn more in [Server memory configuration options ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/server-memory-server-configuration-options?view=sql-server-ver16). Consider that the min. and max. SQL memory values are completely dependent on the environment and how many resources you have. For the maximum value, Netwrix recommends do not exceed more than 80% of the total resources for the SQL server. And ideally, SQL Server should be on the different server as Netwrix Auditor itself. + +### Related Articles + +- [Long Data Collection — Improving the Performance](/docs/kb/auditor/long-data-collection-improving-the-performance) diff --git a/docs/kb/auditor/request-is-not-supported-windows-server-auditing.md b/docs/kb/auditor/request-is-not-supported-windows-server-auditing.md new file mode 100644 index 0000000000..f98d94cf34 --- /dev/null +++ b/docs/kb/auditor/request-is-not-supported-windows-server-auditing.md 
@@ -0,0 +1,64 @@ +--- +description: >- + This article describes the "The request is not supported" error (Event ID + 2009) for a Windows Server monitoring plan and provides possible causes and + step-by-step resolutions including firewall, antivirus exclusions, gMSA + configuration, and enabling network traffic compression. +keywords: + - Windows Server + - Event ID 2009 + - The request is not supported + - gMSA + - network traffic compression + - firewall + - antivirus exclusions + - Netwrix Auditor + - HRESULT 0x80070032 +products: + - auditor +sidebar_label: Request Is Not Supported — Windows Server Auditing +tags: [] +title: "Request Is Not Supported — Windows Server Auditing" +knowledge_article_id: kA04u00000110xeCAA +--- + +# Request Is Not Supported — Windows Server Auditing + +## Symptom + +The following error for Windows Server monitoring plan in Health Log: + +```text +Source:Windows Server Audit Service +Event ID:2009 +Description:Monitoring plan: %Windows_Server_MP_name% +Item: %item_name% +The following error has occurred while processing '%item_name%': +The Scheduled Tasks data provider failed to get information on task ? due to the following error: +The request is not supported. (Exception from HRESULT: 0x80070032) +``` + +## Causes + +- Firewall permissions are misconfigured. +- Antivirus exclusions are not set up. +- gMSA account used for data collection is misconfigured. +- Network traffic compression is disabled for your monitoring plan. + +## Resolution + +- Review the firewall permissions: + - Refer to the list of protocols and ports required for Netwrix Auditor for Windows Server: Protocols and Ports — Windows Server. + - Refer to the list of inbound connection rules to be configured: Windows Servers — Windows Firewall Inbound Connection Rules. 
+ +- Review the recommended antivirus exclusions — refer to the following article for additional information: [Antivirus Exclusions for Netwrix Auditor](/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md). + +- Review the gMSA configuration — refer to the following article for additional information: Data Collection Account — Group Managed Service Account (gMSA). + +> **NOTE:** It is required to add the data collection gMSA account to the Local Admins group on the Netwrix Auditor server. + +- Enable network traffic compression for your Windows Server monitoring plan: + + 1. In the main Netwrix Auditor screen, select **Monitoring plans** under the **Configuration** tab. + 2. Select the affected Windows Server monitoring plan and click **Edit**. + 3. Review the list of affected data sources — in the right pane, click **Edit data source**, and check the **Enable network traffic compression** checkbox for each item. Click **Save** to save changes. diff --git a/docs/kb/auditor/reset-collection-history-for-generic-events-event-log-management.md b/docs/kb/auditor/reset-collection-history-for-generic-events-event-log-management.md new file mode 100644 index 0000000000..892b3c2f21 --- /dev/null +++ b/docs/kb/auditor/reset-collection-history-for-generic-events-event-log-management.md 
@@ -0,0 +1,35 @@ +--- +description: >- + Describes how to reset the Generic Event (Event Log Management) collection + history in Netwrix Auditor so the system re-collects event logs that were + previously collected. +keywords: + - Generic Events + - Event Log Management + - collection history + - audit archive + - Logs folder + - Managed Object + - Netwrix Auditor + - reset collection history + - event logs + - archive +products: + - auditor +sidebar_label: Reset collection history for Generic Events (Event +tags: [] +title: "Reset collection history for Generic Events (Event Log Management)" +knowledge_article_id: kA00g000000H9WCCA0 +--- + +# Reset collection history for Generic Events (Event Log Management) + +How to reset the Generic Event (Event Log Management) collections in order to collect data that had been collected in the past. + +--- + +In cases where Netwrix Auditor - Generic Events (Event Log Management) is not being used to archive event data but rather collect it "on demand" you must remove prior collection history for the server you are trying to collect from so that event logs are collected that were already collected in the past. + +In order to do this please perform the following: + +1) Navigate to the **audit archive** location (location specified under **Settings -> Audit Archive**) and drill down into the **Logs** folder. In this folder find the **name of the Managed Object** and inside that there is a folder for **each of the computers** the product is collecting from. **Delete** the folder for the computer in question. diff --git a/docs/kb/auditor/response-action-example-moving-user-account-to-the-quarantine-ou.md b/docs/kb/auditor/response-action-example-moving-user-account-to-the-quarantine-ou.md new file mode 100644 index 0000000000..22fcba756e --- /dev/null +++ b/docs/kb/auditor/response-action-example-moving-user-account-to-the-quarantine-ou.md 
@@ -0,0 +1,112 @@ +--- +description: >- + Shows how to configure a Netwrix Auditor alert response action to move a + suspected Active Directory user account to a quarantine OU using a PowerShell + script. The article includes prerequisites, the script, alert configuration, + simulation steps, and verification. +keywords: + - Netwrix Auditor + - response action + - quarantine OU + - Active Directory + - PowerShell + - mass data removal + - alert + - CSV + - monitoring plan +products: + - auditor +sidebar_label: 'Response Action Example: Moving User Account to th' +tags: [] +title: 'Response Action Example: Moving User Account to the Quarantine OU' +knowledge_article_id: kA00g000000H9dtCAC +--- + +# Response Action Example: Moving User Account to the Quarantine OU + +## Overview + +This article explains how to set up a response action in Netwrix Auditor alert to move an AD user account to the quarantine Organizational Unit (OU). Read more about alert response action settings in the Administration – Alerts – Configure a Response Action for Alert ⸱ v10.6 article: /docs/auditor/10.6/admin/alertsettings/responseaction + +A quarantine OU is an OU with restrictive policies applied, used to limit access to sensitive and business-critical resources. Removal of a significant number of files from a file server within a short period of time may indicate potentially harmful user activity. To mitigate the risks of account usage with malicious intent, it is recommended to move suspicious user accounts to the quarantine OU. With this measure, you can limit user privileges without deleting the account from Active Directory. With Netwrix Auditor alerting and response action feature, you can automate and verify this course of action. To simulate suspicious activity and trigger the response action, you can do the following: + +> IMPORTANT. It is strongly recommended that before implementing this course of action in your production environment, you perform these steps in your test lab. 
Please also note that we are only performing the moving action, creating/designating a Quarantine OU is not included in this procedure. + +1. Check prerequisites and take preparatory steps, as described below. +2. Modify the PowerShell script provided later in this document and save it to Netwrix Auditor server. +3. Enable the **Mass Data Removal from File Servers** alert in Netwrix Auditor and configure response action for this alert to run the PowerShell script. +4. On your file server, create 10+ files, then remove these files using test AD user account. +5. Wait for notification on the alert triggering and check response action results in the Active Directory Users and Computers. + +## Instructions + +### Step 1. Check Prerequisites + +Make sure the following is present in the test AD domain: + +- Test AD user account +- Quarantine OU +- A privileged account with sufficient rights to move AD users to the quarantine OU — you may need a domain administrator account for that purpose. + +On Netwrix Auditor server, check the following: + +- **Active Directory Module for Windows PowerShell** is installed and enabled. For example, to enable this module on Windows Server 2016: + + 1. Go to Server Manager, click **Manage**. + 2. Select **Features** > **Remote Server Administration Tools** > **Role Administration Tools** > **AD DS & AD LDS Tools** > **Active Directory module for Windows PowerShell**. + 3. Complete the wizard to save the settings. + +- The file server you want to monitor for file deletions is included in the corresponding monitoring plan; data collection is enabled, and audit data is stored to the database. + +### Step 2. Prepare a PowerShell Script + +1. With a plain text editor (for example, Notepad), copy the script content provided below. In the ` $OUTargetPath ` parameter, specify the distinguished name of your quarantine OU. 
+ +```powershell +#Target OU +$OUTargetPath = "OU=q,DC=DC11,DC=Loc" +$PathToCSV = "$Args" +$scriptdir=$PSScriptRoot +$PathToResultFile = Join-Path $scriptdir "result" +$PathToResultFile = (Copy-Item -Path $PathToCSV -Destination $PathToResultFile -PassThru) +$csv = Import-Csv -Path $PathToResultFile -Delimiter "`t" + +$Who = $csv | Select Who| Sort-Object -Property Who -Unique + +foreach ($item in $Who) +{ + Move-ADObject (Get-ADUser -Identity ((New-Object System.Security.Principal.NTAccount($item."Who")).Translate([System.Security.Principal.SecurityIdentifier])).Value).DistinguishedName -TargetPath $OUTargetPath +} +``` + +2. Save the customized script as a `.PS1` file in a folder on the Netwrix Auditor server. + +### Step 3. Configure the Alert + +1. In Netwrix Auditor, go to **Alerts** and select **Mass Data Removal from File Servers**. +2. On the **General** tab, turn alerting on. +3. On the **Recipients** tab, specify your email address to get a notification on the alert triggering. +4. On the **Filters** tab, in the **Where** field, specify the name of file server you will be monitoring: + ![response_action_filter.png](./images/ka0Qk000000EAE1_0EM4u000008LFTc.png) +5. On the **Thresholds** tab, leave the default values — the alert will be triggered if _10+_ files are created by the same user within _600_ seconds. +6. On the **Response Action** tab, do the following: + - Enable the response action by switching the slider ON. + - In the **Run** field, specify the path to the executable file as in your system — in our example this is `C:WindowsSystem32WindowsPowerShell1.0powershell.exe`. + - In the **With parameters** field, enter: `-command ` — here `path_to_PS1_file` is the path to the PowerShell script you prepared at Step 2. + - Leave the **Working directory** field as is. + - Select **Write data to CSV file** option, leave **Limit row count** as is. 
+ - Select **Use custom credentials** and enter the account that will be used to move the suspicious user to the quarantine OU (see Step 1, #3). In our example, this is `dc11administrator`. + +### Step 4. Create and Delete Files + +1. On the file server, create 10 or more files. (To access the file server, use any account with sufficient rights — other than test AD user account.) +2. On Netwrix Auditor server, update the related monitoring plan to collect the latest audit data (alternatively, you can wait about 10 minutes for automatic data collection to complete). +3. Then use test AD user account to delete these files; this operation should not take more than 600 seconds (for the alert to be triggered). +4. Back on the Netwrix Auditor server, update the related monitoring plan to collect the latest audit data. After it is collected, monitoring plan status will change from _Working_ to _Enabled_. + +### Step 5. Verify Response Action Results + +1. Open the mailbox of the alert recipient you specified at Step 3 and make sure the notification on the "Mass Data Removal from File Servers" alert was received. +2. Use the domain admin account to log on to domain controller, open **Users and Computers** snap-in and check that test AD user account is now in the quarantine OU. + +> NOTE. You may need to wait several minutes until moving to the quarantine OU completes. After verifying this course of action in your lab, you can implement it in the production environment, skipping Step 4 (simulation of suspicious actions). diff --git a/docs/kb/auditor/result_administrator_restricted_access_to_users_of_your_domain..md b/docs/kb/auditor/result_administrator_restricted_access_to_users_of_your_domain..md new file mode 100644 index 0000000000..a655a0ec66 --- /dev/null +++ b/docs/kb/auditor/result_administrator_restricted_access_to_users_of_your_domain..md 
@@ -0,0 +1,46 @@ +--- +description: >- + This article addresses the error message "Result: Administrator restricted access to users of your domain" encountered during the enrollment or password reset process on the Self-Service portal. +keywords: + - administrator restricted access + - self-service portal + - password reset +sidebar_label: Administrator Restricted Access +tags: [] +title: "Result: Administrator Restricted Access to Users of Your Domain" +knowledge_article_id: kA00g000000H9TLCA0 +products: + - auditor +--- + +# Result: Administrator Restricted Access to Users of Your Domain + +## Overview + +This article addresses the error message "Result: Administrator restricted access to users of your domain" encountered during the enrollment or password reset process on the Self-Service portal. + +![Error message indicating restricted access](./images/servlet_image_427ba59f8bbf.png) + +## Symptom + +You may see the following error message when attempting to enroll or reset your password on the Self-Service portal: + +``` +Result: Administrator restricted access to users of your domain +``` + +## Cause + +This issue typically occurs when the domain of the user account that receives the error is not listed among the managed domains. + +## Resolution + +To resolve the issue, ensure that the domain of the user account that receives the error appears in the list of managed domains. Follow these steps: + +1. Go to the Administrative portal (by default, `http:///pm/admin`). +2. Click the **Domains** button. +3. Verify that the domain of the user account that receives the error appears in the list of managed domains. +4. Ensure there are no additional symbols in the domain name (spaces, unnecessary characters). +5. Add the domain if necessary. + +![Domains management in the Administrative portal](./images/servlet_image_cf580c3eff6f.png) \ No newline at end of file 
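Review bot: Resolution step 1 gives the Administrative portal address as `http:///pm/admin` with an empty host segment, so the server placeholder was lost in conversion and the URL cannot be followed as written; restore the placeholder in a form the renderer keeps (inside the backticks, or as a named token such as `your-server`). The new file name also ends in `..md` (double dot before the extension), and the file has no trailing newline; both are worth fixing before merge because the file name becomes the published URL slug.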
diff --git a/docs/kb/auditor/retrieving_a_list_of_expiring_ssltls_certificates_and_their_expiration_dates.md b/docs/kb/auditor/retrieving_a_list_of_expiring_ssltls_certificates_and_their_expiration_dates.md new file mode 100644 index 0000000000..20713bc061 --- /dev/null +++ b/docs/kb/auditor/retrieving_a_list_of_expiring_ssltls_certificates_and_their_expiration_dates.md 
@@ -0,0 +1,49 @@ +--- +description: >- + This article provides instructions on how to retrieve a list of SSL/TLS certificates installed on your system, along with their expiration dates. +keywords: + - SSL/TLS certificates + - expiration dates + - PowerShell +sidebar_label: Retrieve SSL/TLS Certificates +tags: [] +title: "Retrieving a List of Expiring SSL/TLS Certificates and Their Expiration Dates" +knowledge_article_id: kA0Qk0000001sBFKAY +products: + - auditor +--- + +# Retrieving a List of Expiring SSL/TLS Certificates and Their Expiration Dates + +> **IMPORTANT:** If you are using Netwrix Access Analyzer (formerly Enterprise Auditor) v12.0, you may refer to the following [7.Certificate Authority Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/overview). This job should be functional in v12.0, but if not, you should contact [Netwrix Technical Support](https://www.netwrix.com/support.html) to open a ticket and proceed with the following steps as a workaround. + +## Overview + +This article provides instructions on how to retrieve a list of SSL/TLS certificates installed on your system, if using a pre-v12.0 version, along with their expiration dates. This can be useful for monitoring and ensuring timely certificate renewal. + +## Instructions + +Follow the steps below to obtain the list of SSL/TLS certificates and their expiration dates: + +1. Open an Admin PowerShell or ISE window. +2. Run the following PowerShell command to retrieve the certificates: + + ```powershell + Get-ChildItem -Path Cert:\LocalMachine\ -Recurse | + Select-Object -Property * | + Sort-Object NotAfter -Descending | + Format-Table Thumbprint, FriendlyName, NotAfter, PSParentPath -AutoSize + ``` + +**NOTE:** Expiration dates are noted as **NotAfter**, which indicates when the certificate will no longer be valid. + +### Optional Filtering + +If you need to filter the output, follow these steps: + +1. 
Modify the command by adding a `| Where-Object Subject -like "*EDIT-AS-NEEDED*"` clause between the `Sort` and `Format` pipes. +2. Replace `*EDIT-AS-NEEDED*` with the desired filter criteria. + +Your results should resemble the following example output: + +![Example output showing a table of certificates with their thumbprints, friendly names, expiration dates, and parent paths](./images/servlet_image_a39f37f6c350.png) \ No newline at end of file diff --git a/docs/kb/auditor/rif-document-is-not-compatible-with-this-code-version.md b/docs/kb/auditor/rif-document-is-not-compatible-with-this-code-version.md new file mode 100644 index 0000000000..a6789f53c4 --- /dev/null +++ b/docs/kb/auditor/rif-document-is-not-compatible-with-this-code-version.md @@ -0,0 +1,36 @@ +--- +description: >- + Explains the "SQL Server Reporting Services is not up to date" pop-up and how + to resolve it by installing CU2 or a later update for SQL Server 2012 SP1. +keywords: + - SQL Server Reporting Services + - SQL Server 2012 + - CU2 + - SP1 + - reporting + - update + - RIF + - compatibility +products: + - auditor +sidebar_label: RIF document is not compatible with this code vers +tags: [] +title: "RIF document is not compatible with this code vers" +knowledge_article_id: kA00g000000H9Z2CAK +--- + +# RIF document is not compatible with this code vers + +You receive the following pop-up related to Reporting: + +![User-added image](images/ka04u000000HcS3_0EM700000005HCR.png) + +--- + +SQL Server Reporting Services is not up to date. + +--- + +This is a known issue in SQL Server 2012 Reporting Services. The fix was first introduced in CU2 for SQL Server 2012 SP1. You can get the CU2 for SQL Server 2012 SP1 or a later update from the following blog: + +http://blogs.msdn.com/b/sqlreleaseservices/ 
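Review bot: In rif-document-is-not-compatible-with-this-code-version.md the `title` and the H1 are both cut off at "code vers", the same 50-character truncation that affects `sidebar_label`, so the published heading will be incomplete; restore the full title (the file name suggests it ends in "version"). The body also separates symptom, cause and fix with `---` rules instead of the Symptom / Cause / Resolution headings the neighbouring articles use, and the only remediation pointer is `http://blogs.msdn.com/b/sqlreleaseservices/` over plain HTTP with no link to the specific cumulative update, which should be checked for reachability before publishing.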
diff --git a/docs/kb/auditor/rollback-for-attribute-has-failed-error-in-object-restore-for-active-directory.md b/docs/kb/auditor/rollback-for-attribute-has-failed-error-in-object-restore-for-active-directory.md new file mode 100644 index 0000000000..f44d8364ed --- /dev/null +++ b/docs/kb/auditor/rollback-for-attribute-has-failed-error-in-object-restore-for-active-directory.md 
@@ -0,0 +1,77 @@ +--- +description: >- + Explains causes and resolutions for the "The rollback for the attribute + %attribute% of %user% from %state% to %state% has failed" error when restoring + attributes or changes with Netwrix Auditor Object Restore for Active + Directory. +keywords: + - Active Directory + - Object Restore + - rollback + - omitproplist_rw.txt + - sidHistory + - User Account Control + - UAC + - Deleted Objects + - permissions + - Netwrix Auditor +products: + - auditor +sidebar_label: 'Rollback for Attribute Has Failed Error in Object ' +tags: [] +title: "Rollback for Attribute Has Failed Error in Object Restore for Active Directory" +knowledge_article_id: kA04u00000110v4CAA +--- + +# Rollback for Attribute Has Failed Error in Object Restore for Active Directory + +## Symptom + +An attribute was collected in a snapshot and is visible in reports after it has been removed. When you try to restore an attribute or a change via Netwrix Auditor Object Restore, the following error is prompted: + +```text +The rollback for the attribute %attribute% of %user% from %state% to %state% has failed +``` + +## Causes + +- Insufficient permissions for the account used to run Netwrix Auditor Object Restore. +- The Object Restore for Active Directory tool is unable to restore specific object attributes. +- The Enabled User Account Control (UAC) option causes errors when restoring Active Directory objects with the tool. + +## Resolutions + +- Ensure the account you use to run the Netwrix Auditor Object Restore tool is a member of the Domain Administrators user group and has permissions to read the Deleted Objects container. Refer to the following article for additional information: /docs/auditor/10.7/auditor/configurationuration/activedirectory + +- Particular AD object attributes cannot be restored with the tool. You can review the `omitproplist_rw.txt` file to see the list of object types and attributes excluded from the list of changes available for rollback. 
Refer to the following default path to find the .txt file: + +```text +C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing +``` + + Alternatively, the file will be found in the Auditor installation folder specified during the installation process. Refer to the path `%Netwrix_Auditor_installation folder%\Netwrix Auditor\Active Directory Auditing`. + + > **NOTE:** If you would like specific objects and/or attributes to become restorable after deletion, either comment the line using the `#` symbol at the beginning of the line or just delete the required line. + +- Disable User Account Control (UAC), and restart the Object Restore for Active Directory tool. Learn more about how to disable UAC in How to disable User Account Control (UAC) on Windows Server ⸱ Microsoft: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-user-account-control + +### List of Attributes Unavailable for a Rollback for a User + +- user.badPwdCount +- user.objectCategory +- user.lastLogoff +- user.sAMAccountType +- user.badPasswordTime +- user.logonCount +- user.cn +- user.lastLogon +- user.pwdLastSet +- sidHistory + +> **NOTE:** The sidHistory attribute is a system control attribute. Changing the permissions on the attribute will not grant you rights to add new SIDs; you can only remove existing SIDs. You can only add new SIDs using the DsAddSidHistory function, which has a number of prerequisites that must be met for the function to be successful. 
For more information, please see: https://learn.microsoft.com/en-us/answers/questions/973114/how-can-i-add-permissions-to-sidhistory-attribute + +## Related Links + +- Permissions for AD Auditing: Grant Permissions for 'Deleted Objects' Container — /docs/auditor/10.7/auditor/configurationuration/activedirectory +- How to disable User Account Control (UAC) on Windows Server ⸱ Microsoft — https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-user-account-control +- How can I add permissions to sidHistory attribute? — https://learn.microsoft.com/en-us/answers/questions/973114/how-can-i-add-permissions-to-sidhistory-attribute diff --git a/docs/kb/auditor/rscannotvalidateencrypteddata-unable-to-validate-integrity-of-encrypted-data.md b/docs/kb/auditor/rscannotvalidateencrypteddata-unable-to-validate-integrity-of-encrypted-data.md new file mode 100644 index 0000000000..9855ef86ee --- /dev/null +++ b/docs/kb/auditor/rscannotvalidateencrypteddata-unable-to-validate-integrity-of-encrypted-data.md 
@@ -0,0 +1,64 @@ +--- +description: >- + Describes causes and remediation steps for rsCannotValidateEncryptedData and + related encryption key errors in SQL Server Reporting Services, including + restoring a backup encryption key or deleting encrypted content and restarting + services. +keywords: + - rsCannotValidateEncryptedData + - encryption key + - SQL Server Reporting Services + - ReportServer + - DeleteEncryptedContent + - Report Server Configuration Manager + - Netwrix Management Service + - encrypted data +products: + - auditor +sidebar_label: rsCannotValidateEncryptedData — Unable to Validate +tags: [] +title: "rsCannotValidateEncryptedData — Unable to Validate Integrity of Encrypted Data" +knowledge_article_id: kA04u000001111lCAA +--- + +# rsCannotValidateEncryptedData — Unable to Validate Integrity of Encrypted Data + +## Symptom + +You've encountered either of the following errors when running a report: + +``` +The report server was unable to validate the integrity of encrypted data in the database. +(rsCannotValidateEncryptedData) +Keyset does not exist (Exception from HRESULT: 0x80090016) +``` + +``` +The report server cannot decrypt the symmetrical key used to access sensitive or encrypted data in a report server database +``` + +## Cause + +SQL Server Reporting Services suite is unable to access the reports as it cannot validate the encryption key configured for the SQL instance. + +## Solutions + +- You can restore the encryption key via a previously generated backup key: + + 1. Run **Report Server Configuration Manager** in your SQL server. + 2. Once authorized, select **Encryption Keys** in the left pane, and click **Restore**. + 3. Specify the location of your backup encryption key and the password set up for the encryption key, and click **OK**. 
+ +- If you do not have the backup encryption key, you can execute the following query to delete the encrypted content: + +```sql +USE ReportServer +EXEC [dbo].[DeleteEncryptedContent] +``` + + Once the query completes, restart the SQL Server Reporting Services service in your SQL server, and Netwrix Management Service in the Netwrix server. + + You can also generate a backup encryption key after you've deleted the encrypted content: + + 1. Run **Report Server Configuration Manager** in your SQL server, and select **Encryption Keys** in the left pane, once authorized. + 2. Click **Backup**, and specify the file location and password for the backup key. diff --git a/docs/kb/auditor/sa_11.6_010.md b/docs/kb/auditor/sa_11.6_010.md new file mode 100644 index 0000000000..6818cef48e --- /dev/null +++ b/docs/kb/auditor/sa_11.6_010.md 
@@ -0,0 +1,68 @@ +--- +description: >- + This article addresses the issue of the RBA Report Viewer role not functioning with Vault and provides detailed instructions for resolution. +keywords: + - RBA Report Viewer + - Vault + - hotfix + - StealthAUDIT + - troubleshooting +sidebar_label: RBA Report Viewer Role Issue +tags: [] +title: "RBA Report Viewer Role Not Working with Vault" +knowledge_article_id: kA0Qk0000000Q2XKAU +products: + - auditor +--- + +# RBA Report Viewer Role Not Working with Vault + +## Overview + +This article addresses the issue of the RBA Report Viewer role not functioning with Vault. It provides detailed instructions for resolving this issue. + +### Summary + +RBA Report Viewer role not working with Vault. + +### Submitted by + +**Michael Burrofato** + +### Affected Versions + +11.6 + +### Affected Module + +SA Core + +### Dev Ticket + +305849 + +### Resolved in Version + +PrivateAssemblies\Stealthbits.StealthAUDIT.RoleBasedAccess.dll + +### KB Type + +**Hotfix** + +### Escalations + +**390322** + +## Instructions + +1. Unblock the hotfix zip file in the Windows property dialog, if an unblock button exists there. +2. Close all instances of StealthAUDIT (check Task Manager under processes for all users). +3. Stop the `Netwrix Enterprise Auditor Web Server` service. +4. Update all files in your `%SAInstallDir%`. +5. Start the `Netwrix Enterprise Auditor Web Server` service. + +For the hotfix, download it from the following link: [Hotfix Download](https://releases.netwrix.com/products/stealthaudit/11.6/stealthaudit-hotfix-11.6.0.10.zip) + +## Comments + +This hotfix specifically resolves the RBA Report Viewer role functionality with Vault. Make sure to restart the Web Server service after applying the update. \ No newline at end of file 
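Review bot: The "Resolved in Version" field contains a file path (`PrivateAssemblies\Stealthbits.StealthAUDIT.RoleBasedAccess.dll`) rather than a version, so readers cannot tell which build carries the fix; state the hotfix build there and move the DLL to a "files updated" line. The page also publishes internal tracking fields (a named submitter, Dev Ticket 305849, Escalations 390322), which should be confirmed as intended for public docs. The download link appears after the steps even though step 1 already operates on the zip; move it above the Instructions list and consider publishing a checksum beside it so the archive can be verified before it is unblocked and copied into `%SAInstallDir%`.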
diff --git a/docs/kb/auditor/scmlib.datacollecting.dnsdataproviderexception2_error_in_windows_server_monitoring_plan.md b/docs/kb/auditor/scmlib.datacollecting.dnsdataproviderexception2_error_in_windows_server_monitoring_plan.md new file mode 100644 index 0000000000..290ff308a4 --- /dev/null +++ b/docs/kb/auditor/scmlib.datacollecting.dnsdataproviderexception2_error_in_windows_server_monitoring_plan.md 
@@ -0,0 +1,57 @@ +--- +description: >- + This article addresses the SCMLib.DataCollecting.DNSDataProviderException2 error encountered in the Health Log for Windows Server monitoring plans and provides resolutions to fix the issue. +keywords: + - SCMLib.DataCollecting.DNSDataProviderException2 + - Windows Server + - monitoring plan + - advanced audit settings + - TLS protocols +sidebar_label: SCMLib.DataCollecting.DNSDataProviderException2 Error +tags: [] +title: "SCMLib.DataCollecting.DNSDataProviderException2 Error in Windows Server Monitoring Plan" +knowledge_article_id: kA0Qk0000000KDFKA2 +products: + - auditor +--- + +# SCMLib.DataCollecting.DNSDataProviderException2 Error in Windows Server Monitoring Plan + +## Symptom + +The following error is prompted in the Health Log for your Windows Server monitoring plan: + +``` +Monitoring plan: %monitoring_plan_name% +The following error has occurred while processing '%FQDN%': +The DNS data provider failed to process data from \\%FQDN%\Root\MicrosoftDNS:MicrosoftDNS_Server.Path="%FQDN%" due to the following error: +Exception of type 'SCMLib.DataCollecting.DNSDataProviderException2' was thrown. +``` + +## Causes + +- Advanced audit settings for Windows Server are misconfigured. +- TLS protocols in your environment are mismatched, causing the inability to communicate. +- The path stated in the error message is incorrect or cannot be resolved. + +## Resolutions + +### Step 1 − Configure Advanced Audit Settings + +1. In the main **Netwrix Auditor** menu, select **Monitoring Plans**. +2. In the left pane, select the affected monitoring Windows Server plan, and click **Edit**. +3. In the right pane, select **Edit data source** > uncheck the **Adjust audit settings automatically** checkbox under the **Configure audit settings** section. +4. 
Configure advanced audit settings for your Windows Server plan − refer to the following article for additional information: [Windows Server − Configure Advanced Audit Policies · v10.6](/docs/auditor/10.6/configuration/windowsserver/advancedpolicy). + +### Step 2 − Configure Auditor and Monitored Servers to Support a Common Protocol + +Review your environment to verify a common TLS protocol can be selected for incoming and outgoing communication. Refer to the following article for additional information: Connection Issue when TLS 1.2 Is Required. + +### Step 3 − Review the Path + +Review the path stated in the error message to verify it can be resolved and is specified correctly. + +## Related Articles + +- [Windows Server − Configure Advanced Audit Policies · v10.6](/docs/auditor/10.6/configuration/windowsserver/advancedpolicy) +- Connection Issue when TLS 1.2 Is Required \ No newline at end of file diff --git a/docs/kb/auditor/search-takes-too-long-to-complete.md b/docs/kb/auditor/search-takes-too-long-to-complete.md new file mode 100644 index 0000000000..d9d38dd13d --- /dev/null +++ b/docs/kb/auditor/search-takes-too-long-to-complete.md 
@@ -0,0 +1,36 @@ +--- +description: >- + If search queries in Netwrix Auditor are slow to complete, narrow the search + scope with filters and verify SQL Server resources and network bandwidth. This + article lists recommended steps to optimize search queries. +keywords: + - search performance + - slow search + - SQL Server + - filters + - Netwrix Auditor + - Data source filter + - When filter + - query optimization +products: + - auditor +sidebar_label: Search Takes Too Long to Complete +tags: [] +title: "Search Takes Too Long to Complete" +knowledge_article_id: kA04u000000wnllCAA +--- + +# Search Takes Too Long to Complete + +## Question + +A search query in Netwrix Auditor takes too long to complete and are slow. What are the recommended steps to optimize the search queries? + +## Answer + +1. Narrow down the search scope by introducing additional filters: + + - The **When** filter can significantly reduce the amount of Activity Records depending on the time frame specified. + - The **Data source** filter allows to limit the search scope to a particular source of monitoring data. Both **Data source** and **When** filters help to focus on relevant Activity Records either in a larger environment, or when the SQL Server Express edition with multiple audit databases is implemented. + +2. Review the resources allocated to your SQL Server − Netwrix Auditor is directly dependent on the SQL Server performance when the search queries are resolved. In case your SQL Server instance does not share the same server with Netwrix Auditor, the network bandwidth should be considered. diff --git a/docs/kb/auditor/security-groups-are-not-fully-displayed-in-the-azure-ad-accounts-attributes-report.md b/docs/kb/auditor/security-groups-are-not-fully-displayed-in-the-azure-ad-accounts-attributes-report.md new file mode 100644 index 0000000000..6db5770658 --- /dev/null +++ b/docs/kb/auditor/security-groups-are-not-fully-displayed-in-the-azure-ad-accounts-attributes-report.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Explains why the Azure AD Accounts — Attributes report shows “XXX and more” + for the Member of attribute and how to view the full group list using the + Azure AD Accounts - Effective Group Membership report. +keywords: + - Azure AD + - security groups + - group membership + - Azure AD Accounts + - Effective Group Membership + - Expand Group Membership + - Netwrix Auditor + - Attributes report +products: + - auditor +sidebar_label: Security Groups are Not Fully Displayed in the Azu +tags: [] +title: "Security Groups are Not Fully Displayed in the Azure AD Accounts – Attributes Report" +knowledge_article_id: kA0Qk0000000ITBKA2 +--- + +# Security Groups are Not Fully Displayed in the Azure AD Accounts – Attributes Report + +## Question + +Why does the **Azure AD Accounts — Attributes** report show security groups membership (the **Member of** attribute) for an account in the format **XXX and more** instead of the full groups list? + +## Answer + +In short, the answer is lack of space on the report page. Since there are a lot of groups those users are members of, the report does not have enough space to show all of them. + +However, as an alternative, you can use the **Azure AD Accounts - Effective Group Membership** report along with the **Azure AD Accounts – Attributes** reports. + +The thing is that when you click the **Expand Group Membership** link in the **Azure AD Accounts - Attributes** report, it basically redirects you to the information from the **Azure AD Accounts - Effective Group Membership** report. + +Therefore, by using both reports simultaneously, you will be able to check the effective group membership information from the other report (**Azure AD Accounts - Effective Group Membership**) which will have the full list of the groups an account is a member of. + +> **IMPORTANT:** If you run Netwrix Auditor from a **remote server (client)**, please verify it has the same version and build as your Auditor Server. 
They must be exactly the same. diff --git a/docs/kb/auditor/security-log-overwrites-occurred-on-this-dc.md b/docs/kb/auditor/security-log-overwrites-occurred-on-this-dc.md new file mode 100644 index 0000000000..51287a086a --- /dev/null +++ b/docs/kb/auditor/security-log-overwrites-occurred-on-this-dc.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Explains the cause and resolution for the "Security log overwrites occurred on + this DC" message reported in daily Activity Summary emails or Netwrix Auditor + Health Log. +keywords: + - security log + - event log + - domain controller + - Netwrix Auditor + - log overwrite + - event log size + - retention settings + - troubleshooting + - Activity Summary +products: + - auditor +sidebar_label: Security Log Overwrites Occurred on This DC +tags: [] +title: "Security Log Overwrites Occurred on This DC" +knowledge_article_id: kA00g000000H9YJCA0 +--- + +# Security Log Overwrites Occurred on This DC + +## Symptom + +The following error is prompted either in daily Activity Summary emails or Netwrix Auditor Health Log: + +``` +Security log overwrites occurred on this DC since the last data collection. +Please increase the maximum size of the Security event log +``` + +## Causes + +- Misconfigured Security event log size. +- Insufficient DC resources affecting the operation. + +## Resolution + +- To configure the Security event log size and retention settings, refer to the following article: /docs/auditor/10.6/auditor/configurationuration/fileservers/windows (Windows File Servers − Configure Event Log Size and Retention Settings ⸱ v10.6). +- For additional information on sample deployment scenarios and corresponding hardware requirements, refer to the following article: /docs/auditor/10.6/auditor/requirements (Requirements − Sample Deployment Scenarios ⸱ v10.6). + +## Related articles + +- /docs/auditor/10.6/auditor/configurationuration/fileservers/windows (Windows File Servers − Configure Event Log Size and Retention Settings ⸱ v10.6) + +- /docs/auditor/10.6/auditor/requirements (Requirements − Sample Deployment Scenarios ⸱ v10.6) diff --git a/docs/kb/auditor/security-log-settings-do-not-apply-via-gpo.md b/docs/kb/auditor/security-log-settings-do-not-apply-via-gpo.md new file mode 100644 index 0000000000..097cc90203 --- /dev/null 
+++ b/docs/kb/auditor/security-log-settings-do-not-apply-via-gpo.md @@ -0,0 +1,44 @@ +--- +description: >- + When a Group Policy sets the maximum security event log size but the computer + does not honor it, legacy registry settings may override the GPO. This article + explains how to find the registry key and restore the policy behavior. +keywords: + - GPO + - Group Policy + - security log + - Event Log Service + - MaxSize + - registry + - gpresult + - gpupdate + - ADMX + - EventLog +products: + - auditor +sidebar_label: Security log settings do not apply via GPO +tags: [] +title: "Security log settings do not apply via GPO" +knowledge_article_id: kA04u000000HDk6CAG +--- + +# Security log settings do not apply via GPO + +## Symptoms +When configuring maximum security event log size via Group Policy, you may notice that after the policy is applied, the log size on a specific computer is still not set to the value specified in the GPO (Group Policy Object). + +## Cause +A legacy registry setting overwrites the GPO. + +## Resolution +Open a regedit on the problematic server and check if the following key exists: + +``` +KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ +``` + +The values inside this key, like `MaxSize`, are legacy and usually set by ADMX templates. Check in your current domain and local policies applied to the problematic computer if the following section is configured: +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Event Log Service** > **Security** + +The easiest way to find the right policy is using the `gpresult` tool. +To fix the issue, simply set the policy back to `Not configured` and execute `gpupdate`. diff --git a/docs/kb/auditor/service-did-not-respond-to-the-start-or-control-request-error-in-user-activity-service.md b/docs/kb/auditor/service-did-not-respond-to-the-start-or-control-request-error-in-user-activity-service.md new file mode 100644 index 0000000000..abdbef1549 
--- /dev/null +++ b/docs/kb/auditor/service-did-not-respond-to-the-start-or-control-request-error-in-user-activity-service.md 
@@ -0,0 +1,59 @@ +--- +description: >- + The Netwrix Auditor User Activity Audit Service fails to start and shows Error + 1053. This article lists possible causes and resolutions to restore User + Activity monitoring. +keywords: + - Netwrix Auditor + - User Activity + - Error 1053 + - service did not respond + - antivirus exclusions + - ports + - .NET Framework 4.8 +products: + - auditor +sidebar_label: Service Did Not Respond to the Start or Control Re +tags: [] +title: "Service Did Not Respond to the Start or Control Request Error in User Activity Service" +knowledge_article_id: kA0Qk0000000ajRKAQ +--- + +# Service Did Not Respond to the Start or Control Request Error in User Activity Service + +## Symptoms + +Your Netwrix Auditor instance exhibits the following symptoms: + +- The User Activity monitoring plan is not collecting any data. +- **Netwrix Auditor User Activity Audit Service is stopped**. When you attempt to start the service manually, the service prompts the following error: + +```text +Windows could not start the Netwrix Auditor User Activity Audit Service service on Local Computer. + +Error 1053: The service did not respond to the start or control request in a timely fashion. +``` + +- **Optional:** The change in behavior occurred after the recent Netwrix Auditor upgrade (e.g., v10.5 to v10.6). + +## Causes + +Refer to the following possible causes for the symptoms: + +1. The antivirus suite in your environment hinders the Netwrix Auditor User Activity Audit Service operation. +2. Incorrectly configured ports in your environment hinder the Netwrix Auditor User Activity Audit Service operation. +3. The .NET Framework version installed in your environment (i.e., both on the target and Netwrix Auditor servers) is outdated. + +## Resolutions + +Depending on the cause, implement the corresponding resolution to address the issue: + +1. Exclude Netwrix Auditor-related folders from the monitoring scope of your antivirus solution. 
Refer to the following article to learn more about recommended antivirus exclusions: [Antivirus Exclusions for Netwrix Auditor](/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md). +2. Verify the open ports in both the target and Netwrix Auditor servers. Refer to the following article to learn more about the ports required for correct User Activity operation: Data Source Configuration − User Activity Ports · v10.6. +3. Verify that the .NET Framework v4.8 is installed on both the target and Netwrix Auditor servers. Refer to the following article to learn more about software requirements in Netwrix Auditor v10.6: Requirements − Software Requirements · v10.6. + +## Related Articles + +- [Antivirus Exclusions for Netwrix Auditor](/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md) +- Data Source Configuration − User Activity Ports · v10.6 +- Requirements − Software Requirements · v10.6 diff --git a/docs/kb/auditor/set-up-direct-send-for-netwrix-auditor-and-netwrix-data-classification.md b/docs/kb/auditor/set-up-direct-send-for-netwrix-auditor-and-netwrix-data-classification.md new file mode 100644 index 0000000000..c25ad717be --- /dev/null +++ b/docs/kb/auditor/set-up-direct-send-for-netwrix-auditor-and-netwrix-data-classification.md 
@@ -0,0 +1,68 @@ +--- +description: >- + How to configure direct send via Microsoft 365 or Office 365 for Netwrix + Auditor and Netwrix Data Classification, including prerequisites, SMTP + settings, and SPF recommendations. +keywords: + - direct send + - Microsoft 365 + - Office 365 + - SMTP + - MX endpoint + - SPF + - port 25 + - Netwrix Auditor + - Netwrix Data Classification +products: + - auditor + - data-classification +sidebar_label: Set Up Direct Send for Netwrix Auditor and Netwrix +tags: [] +title: "Set Up Direct Send for Netwrix Auditor and Netwrix Data Classification" +knowledge_article_id: kA04u00000110ycCAA +--- + +# Set Up Direct Send for Netwrix Auditor and Netwrix Data Classification + +## Question + +How to set up direct send via Microsoft 365 or Office 365 for Netwrix Auditor or Netwrix Data Classification? + +## Answer + +### Prerequisites + +- Port `25` is required and must be unblocked in your network. +- A static IP address is recommended for an SPF record to be created for your domain. Learn more on SPF in [Set up SPF to Help Prevent Spoofing ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide). + +### Settings for Netwrix Auditor notifications + +In the main Netwrix Auditor menu, click **Settings**. In the left pane, select the **Notifications** tab. Click **Modify** under the **Default SMTP Settings** section. The following settings should be used for Netwrix Auditor to implement direct send in your environment: + +- Specify your MX endpoint in the **SMTP server** field. +- Specify port `25` in the **Port number** field. +- Specify any email address for one of your Microsoft 365 or Office 365 accepted domains in the **Sender address** field. This email does not need to have a mailbox. +- The use of SSL/TLS is optional. 
+ +![Netwrix Auditor SMTP settings](images/ka04u00000116zv_0EM4u000008Ll2v.png) + +> **NOTE:** When sending messages from a static IP, add the IP to your SPF record in your domain registrar's DNS settings to avoid having messages flagged as spam: +> +> ```text +> v=spf1 ip4:%Static IP Address%include:spf.protection.outlook.com ~all +> ``` + +### Settings for Netwrix Data Classification notifications + +In the main Netwrix Data Classification screen, click **Settings**. In the left pane, select the **Communication** tab, and click **Email Servers**. Click **Add** to create a separate email server configuration. The following settings should be used for Netwrix Data Classification to implement direct send in your environment: + +- Specify your MX endpoint in the **Host** field. +- Specify port `25` in the **Port number** field. +- Specify any email address for one of your Microsoft 365 or Office 365 accepted domains in the **Sender address** field. This email does not need to have a mailbox. +- The use of SSL is optional. + +![Netwrix Data Classification Email Server settings](images/ka04u00000116zv_0EM4u000008LlzE.png) + +> **NOTE:** Direct send does not support SMTP AUTH. You can enter any SMTP credentials to proceed. + +Learn more on direct send in [Send Email Using Microsoft 365 or Office 365 ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/Exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365?redirectSourcePath=%252fen-gb%252farticle%252fhow-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-365-69f58e99-c550-4274-ad18-c805d654b4c4#option-2-send-mail-directly-from-your-printer-or-application-to-microsoft-365-or-office-365-direct-send). 
diff --git a/docs/kb/auditor/set_up_secure_connection_between_auditor_and_ssrs_via_ssltls_channel.md b/docs/kb/auditor/set_up_secure_connection_between_auditor_and_ssrs_via_ssltls_channel.md new file mode 100644 index 0000000000..ea0108a555 --- /dev/null +++ b/docs/kb/auditor/set_up_secure_connection_between_auditor_and_ssrs_via_ssltls_channel.md 
@@ -0,0 +1,68 @@ +--- +description: >- + This article provides step-by-step instructions for setting up a secure connection between Netwrix Auditor and SQL Server Reporting Services (SSRS) using SSL/TLS. +keywords: + - Netwrix Auditor + - SSRS + - SSL + - TLS + - secure connection +sidebar_label: Set Up Secure Connection +tags: [] +title: "Set Up Secure Connection Between Auditor and SSRS via SSL/TLS Channel" +knowledge_article_id: kA00g000000PblFCAS +products: + - auditor +--- + +# Set Up Secure Connection Between Auditor and SSRS via SSL/TLS Channel + +## Overview + +Netwrix Auditor uses SQL Server Reporting Services (SSRS) to generate reports. In environments with Auditor and SSRS installed on different servers, it is recommended to use a secure communication channel. To ensure secure communication, you can set it up via HTTPS using SSL or TLS protocol. This will encrypt your data communicated between your SSRS server and Netwrix Auditor. + +## Instructions + +> **IMPORTANT:** Every certificate has a validity period. Auditor will stop generating reports once your certificate expires. If your self-signed certificate has expired, it will be reissued upon a reboot. + +### Configure SSRS to Use the Secure Channel + +1. Open **Report Server Configuration Manager**, specify the **Server Name** and **Report Server Instance**, and click **Connect**. +2. In the left pane, select **Web Service URL**. +3. In the **HTTPS Certificate** dropdown list, select the certificate you installed previously. Both **HTTPS Port** and **Report Server Web Services URL** fields will fill in automatically. + + > **NOTE:** For additional information on installing and using self-signed and authority-issued certificates, refer to the following articles: [Use Certificate Authority-issued Certificates in SSRS](/docs/kb/auditor/use-certificate-authority-issued-certificates-in-ssrs), [Generate Self-signed SSL Certificate for SSRS](/docs/kb/auditor/generate-self-signed-ssl-certificate-for-ssrs). 
+ +4. Click **Apply**. +5. Select the **Web Portal URL** tab in the left pane—the **Virtual Directory** field should fill in automatically. +6. In the **Web Portal URL** tab, click **Advanced**. Click **Add** under the **Multiple HTTPS Identities** section. +7. In the new pop-up window, select the **(All IPv4)** value in the **IP Address** field, specify the port (**443** by default for HTTPS), and select the certificate issued. Click **OK**. +8. Click **Add** under the **Multiple HTTPS Identities** section and create an additional HTTPS identity for the **(All IPv6)** IP address. Specify the port (**443** by default for HTTPS) and select the certificate issued. Click **OK** > **OK** > **Apply**. + +### Testing Connection With Auditor Server + +Refer to the following steps to test the connection via a secure channel: + +1. Launch a browser on your Auditor server and open the SSRS Web Portal URL. You can copy the target URL from the **Web Portal URL** tab in Report Server Configuration Manager. + + > **NOTE:** Verify the URL has the `https` prefix. + +2. Input the credentials to connect to the Web Portal. Use the account that has sufficient access rights for the SSRS portal. +3. The SSRS portal should open without any additional messages. If so, the certificate was published correctly. + +### Configure Auditor to Use SSL to Communicate With the SSRS Server + +Refer to the following steps to use SSL in Auditor and SSRS communication: + +1. In Report Server Configuration Manager, locate **Web Service URL** and **Web Portal URL** tabs. Review the lists of URLs and copy the latest values added—these should have the `https` prefix and the `443` port (depending on the HTTPS port used). +2. In the main Auditor menu, select **Settings** > **Audit Database**. +3. Click **Modify** under the **Audit Database Settings** section. Alternatively, click **Configure** if you are configuring the audit database settings for the first time. +4. 
Fill in, review, and verify the **Default SQL Server Settings** fields. Click **Next**. In the **SQL Server Reporting Services Settings** window, update the URL values. Specify the new **Web Portal URL** value in the **Report Manager URL** field. Specify the **Web Service URL** in the **Report Server URL** as mentioned in step #1. +5. Click **Finish** to save changes. + +The traffic between Auditor and SSRS is now encrypted. It is recommended to update the SQL Server password used to access the default SQL Server instance. + +## Related Articles + +- [Use Certificate Authority-issued Certificates in SSRS](/docs/kb/auditor/use-certificate-authority-issued-certificates-in-ssrs) +- [Generate Self-signed SSL Certificate for SSRS](/docs/kb/auditor/generate-self-signed-ssl-certificate-for-ssrs) \ No newline at end of file diff --git a/docs/kb/auditor/setting-up-account-lockout-alert.md b/docs/kb/auditor/setting-up-account-lockout-alert.md new file mode 100644 index 0000000000..47aaf81020 --- /dev/null +++ b/docs/kb/auditor/setting-up-account-lockout-alert.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Shows how to set up a real-time alert to detect account lockouts in Active + Directory using Netwrix Auditor. Includes steps to configure filters and + notification email. +keywords: + - account lockout + - alert + - Netwrix Auditor + - Active Directory + - real-time alert + - OU + - filter + - notification +products: + - auditor +visibility: public +sidebar_label: Setting up Account Lockout Alert +tags: [] +title: "Setting up Account Lockout Alert" +knowledge_article_id: kA00g000000H9YeCAK +--- + +# Setting up Account Lockout Alert + +## Overview +This article explains how to set up an account lockout alert in Netwrix Auditor for Active Directory. + +## Steps +1. Select **New Real-Time Alert** by clicking on **Real-Time Alert** and then right-clicking on **Real-Time Alert** + ![User-added image](images/ka04u000000HcRf_0EM70000000xMZN.png) + +2. Name the alert, then click **Next**. Click **Add** to add the alert filters needed. + ![User-added image](images/ka04u000000HcRf_0EM70000000xMZS.png) + +3. Here, if you would like to see lockouts for a specific OU, select the highlighted box. This can also be left as `*` for a wildcard to monitor all user account lockouts. + ![User-added image](images/ka04u000000HcRf_0EM70000000xMZc.png) + +4. Select the existing attribute filter that is added by default and select **Edit**. + ![User-added image](images/ka04u000000HcRf_0EM70000000xMZr.png) + +5. Place in the following attribute filters to see all account lockouts. + ![User-added image](images/ka04u000000HcRf_0EM70000000xMZw.png) + +6. Hit **OK** and follow the rest of the prompts for filling in the specified e-mail address the alert will go to. diff --git a/docs/kb/auditor/sharepoint-application-deployment-for-ndc.md b/docs/kb/auditor/sharepoint-application-deployment-for-ndc.md new file mode 100644 index 0000000000..c65a250c89 --- /dev/null +++ b/docs/kb/auditor/sharepoint-application-deployment-for-ndc.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Step-by-step instructions to deploy the Netwrix Data Classification SharePoint + app from the App Catalog to Site Collections, including how to add, trust, and + schedule deployment of the `conceptClassifierApp`. +keywords: + - SharePoint + - App Catalog + - Site Collection + - Netwrix Data Classification + - conceptClassifierApp + - deployment + - Site Contents +products: + - auditor + - data-classification +sidebar_label: SharePoint Application Deployment for NDC +tags: [] +title: "SharePoint Application Deployment for NDC" +knowledge_article_id: kA00g000000PbcqCAC +--- + +# SharePoint Application Deployment for NDC + +This is part two of the SharePoint app installation KB; it is assumed that you have already [installed the Netwrix Data Classification SharePoint app](https://kb.netwrix.com/5486). + +**Note:** To enable the app you will need to be a site collection administrator. +To enable the app you will need to add the app to the **App Catalog** then deploy the app to the required Site Collections. +**Note:** you cannot add the app directly to a Site Collection. + +1. Navigate to the **App Catalog** → **Site Contents** and ensure you are using the classic experience. +2. Click **Add an app** and select `conceptClassifierApp`. + +![User-added image](images/ka04u000000HcXd_0EM4u000002D96q.png) + +3. Click **Trust It** to accept the app permissions and allow the app to be installed into the App Catalog. + ![User-added image](images/ka04u000000HcXd_0EM4u000002D975.png) +4. Once the app has been added to the App Catalog, configure the deployment by hovering over the app then clicking on the ellipsis in the top right corner of the app and clicking **Deployment**. + ![User-added image](images/ka04u000000HcXd_0EM4u000002D97U.png) +5. Select how to deploy the app to a combination of specific Sire Collections, by pats, and by a template. Click **OK**. 
+ + **Note:** The default order of the page is to show the newest app first, so you should see the app as one of the first options (if you do not you can search for “conceptClassifierApp”): + +6. The app will then be scheduled for deployment to the chosen Site Collections. This can take a few minutes and on completion, `conceptClassifierApp` will appear in the Site Contents of these Site Collections. + +![User-added image](images/ka04u000000HcXd_0EM4u000002D97j.png) + +7. To complete the setup, navigate to the **Site Collection** → **Site Contents** and select `conceptClassifierApp`. This will complete the installation of the app on the Site Collection and allow you to configure the writing of classifications (if licensed). diff --git a/docs/kb/auditor/sharepoint-application-installation-for-netwrix-data-classification.md b/docs/kb/auditor/sharepoint-application-installation-for-netwrix-data-classification.md new file mode 100644 index 0000000000..b5cb2cc1db --- /dev/null +++ b/docs/kb/auditor/sharepoint-application-installation-for-netwrix-data-classification.md 
@@ -0,0 +1,124 @@ +--- +description: >- + Guide for deploying the SharePoint application required to enable write-back + for Netwrix Data Classification. Includes installer usage, app principal + registration, IIS HTTPS binding notes, and on-premises trust configuration. +keywords: + - SharePoint + - Netwrix Data Classification + - conceptClassifierApp + - app catalog + - conceptQS + - ACS + - S2S + - installer + - IIS +products: + - auditor + - data-classification +sidebar_label: SharePoint Application Installation for Netwrix Da +tags: [] +title: "SharePoint Application Installation for Netwrix Data Classification" +knowledge_article_id: kA00g000000PbcuCAC +--- + +# SharePoint Application Installation for Netwrix Data Classification + +This guide is for deploying the SharePoint application. This is the app needed for enabling write-back within SharePoint. + +The `conceptClassifierAppInstaller.exe` can be used to install or upgrade the `conceptClassifierApp`. [Download](https://www.netwrix.com/download/Netwrix_Data_Classification_for_SharePoint.zip) and copy this file to your local server: + +- `ConceptClassifierAppInstaller.zip` + +Extract the files and run `conceptClassifierAppInstaller.exe`. + +![User-added image](images/ka04u000000HcXh_0EM4u000002Qx7U.png) + +1. Click *next* after reading the wizard introduction and recommendations. + +Read and confirm that you accept the EULA and click *next*. + +![User-added image](images/ka04u000000HcXh_0EM4u000002Qx7Z.png) + +Specify connection details for your organization's app catalog (you may have more than one of these if you are working across multiple web applications; if so, you will need to run the installer once per app catalog). 
+ +![User-added image](images/ka04u000000HcXh_0EM4u000002Qx7t.png) + +Enter the location of the conceptSearching server (which must be installed onto a secure server with a secure (HTTPS) endpoint): in the case of SharePoint Online, the certificate used must be externally verifiable (from a trusted source). +Select the **Use SharePoint Online Login** checkbox if you want to use the new authentication method. + +![User-added image](images/ka04u000000HcXh_0EM4u000002Qx8I.png) + +Please also note, the HTTPS binding in IIS should have the host header specified — in the case of the above example the host header would be `secure.conceptsearching.com`. To do this please follow these steps: + +## Configure the IIS HTTPS binding host header + +Open Internet Information Services (IIS) Manager + +1. Open Internet Information Services (IIS) Manager +2. Edit the Site Bindings for the website you which to assign an SSL certificate (right-click, select **Edit Bindings**) +3. Select the HTTPS port and select **Edit** +4. Where possible edit the Host Name (Host Header field); if it is not possible please continue: +5. Launch the Microsoft Management Console (MMC) + - Select Start → Run + - Type in `MMC` and hit enter + - From the console, select **File → Add / Remove Snap-in** + - Select **Certificates** from the Add / Remove dialog + - Select **Computer Account** when prompted for which certificates the snap-in will manage + - Select **Local Computer** when prompted + - Click **OK** to add the Snap-in to the MMC +6. Locate your SSL certificate + - For self-signed (SELFSSL), look in **Personal** + - For installed / purchased, look in the appropriate folder the certificate was originally installed in +7. Right-click on the certificate and select **Properties** +8. Edit the **Friendly Name** field so the name starts with an `*` +9. Repeat steps #1 – 3 above + +Note that the Host Name (Host Header) field is now available for editing. 
+ +Assuming you have not completed any of the steps of the installation previously you will then be shown the following screen, otherwise (if this is an upgrade), the installer will indicate that you can skip this step. + +![User-added image](https://kb.netwrix.com/wp-content/uploads/2020/04/SP-app-install5.png) + +This screen provides the information required to configure the app principal registration information which allows the conceptSearching products to communicate with SharePoint. + +Please follow the link provided and enter the information as shown. You will be required to generate a "Client Secret"; this is required for Azure ACS enabled environments, and not for on-premise environments that wish to use a certificate trust configuration. Click the "Generate" button for the client secret and make a note of this in a secure location. Here is an example of the completed registration form: + +![User-added image](https://kb.netwrix.com/wp-content/uploads/2020/04/SP-app-install6.png) + +The app should then be ready for installation, click "Install" to proceed. + +The app will now be deployed to your app catalog and ready for installation on your site collections. + +--- + +### If you wish to use the conceptClassifierApp in an on-premise environment you will need to complete a few additional steps shown in step 1, otherwise, skip to step 2. + +#### 1. Building the trust relationship for an on-premise environment + +(A) To begin the app model should be enabled on the farm. By following the steps in the following link the SharePoint farm will be ready to make use of any SharePoint apps: + +http://technet.microsoft.com/en-us/library/fp161236(v=office.15).aspx + +(B) Next, it is necessary to build a trust relationship between the SharePoint server and the server that will be hosting the conceptQS; this is to allow the QS to make requests back to SharePoint (please note that this is still necessary even if the QS is hosted on the same server as the SharePoint site). 
Please now proceed through the following help guide: + +http://msdn.microsoft.com/en-us/library/office/fp179901(v=office.15).aspx + +#### 2. Configuring the services with the authentication configuration + +First, navigate to the following URL: + +`/conceptQS/Sources/SharePoint/AppConfiguration` + +Select the appropriate tab: + +- Azure Access Control Service (ACS) should be used for Office 365 +- Server-to-Server (S2S) should be used for an on-premise environment + +Please complete the necessary fields. If you are an Office 365 customer you will need your client secret; otherwise, you will need the values completed in step 1(B) above. + +--- + +### If you would like to continue with the deployment of the SharePoint Application: + +[Follow this article](https://kb.netwrix.com/5505) diff --git a/docs/kb/auditor/sharepoint-configuration-changes-are-reported-with-a-wrong-timestamp.md b/docs/kb/auditor/sharepoint-configuration-changes-are-reported-with-a-wrong-timestamp.md new file mode 100644 index 0000000000..bd16bfa7f7 --- /dev/null +++ b/docs/kb/auditor/sharepoint-configuration-changes-are-reported-with-a-wrong-timestamp.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Reports and Change Summaries for SharePoint configuration changes may display + the time when the daily Change Summary was generated rather than the exact + date and time the change occurred. This affects several SharePoint + configuration change types such as farm topology, web applications, site + collections, and customizations. +keywords: + - SharePoint + - timestamp + - Change Summary + - reports + - configuration changes + - daily summary + - Netwrix Auditor + - site collection + - web application +products: + - auditor +sidebar_label: SharePoint configuration changes are reported with +tags: [] +title: "SharePoint configuration changes are reported with a wrong timestamp" +knowledge_article_id: kA00g000000H9dLCAS +--- + +# SharePoint configuration changes are reported with a wrong timestamp + +The timestamp shown in the reports and Change Summaries for the SharePoint configuration changes may represent not the exact date and time when the change was made, but the time when the daily Change Summary was generated. The following configuration changes are affected: + +- Farm physical topology: addition and removal of servers, changes to service status +- Web application creation or deletion, changes to key web application settings +- Changes to web application security policies: anonymous access policy, user policy, security policy levels +- Creation and deletion of site collections, changes to key site collection settings +- Customizations: addition/removal and deployment of SharePoint solutions; addition/removal and activation/deactivation of farm-wide features diff --git a/docs/kb/auditor/sharepoint-core-service-deployment-failed.md b/docs/kb/auditor/sharepoint-core-service-deployment-failed.md new file mode 100644 index 0000000000..308b4c4e4d --- /dev/null +++ b/docs/kb/auditor/sharepoint-core-service-deployment-failed.md 
@@ -0,0 +1,64 @@ +--- +description: >- + Automatic or manual deployment of Netwrix Auditor for SharePoint Core Service + on Web Front-end (WFE) servers can fail due to insufficient service account + permissions. This article explains the cause and provides steps for manual + installation of the Core Service. +keywords: + - SharePoint + - Core Service + - deployment + - Netwrix Auditor + - WFE + - permissions + - Add-SPSolution + - Install-SPSolution + - .wsp +products: + - auditor +sidebar_label: SharePoint Core Service Deployment Failed +tags: [] +title: "SharePoint Core Service Deployment Failed" +knowledge_article_id: kA00g000000PcSXCA0 +--- + +# SharePoint Core Service Deployment Failed + +## Symptom + +Automatic or manual deployment of Netwrix Auditor for SharePoint Core Service in Web Front-end (WFE) servers fails. + +## Cause + +The service account used to upgrade or install Core Service has insufficient permissions. + +## Resolution + +Review the permissions granted to the service account. Refer to the following article for additional information on required permissions: /docs/auditor/10.6/auditor/configurationuration/sharepoint (SharePoint — Permissions for SharePoint Auditing · v10.6). + +### Manual Installation + +Refer to the following steps to manually install Core Service in all WFE servers: + +1. Extract the SharePoint solution package—locate the `.msi` file placed by default in `C:\Program Files (x86)\Netwrix Auditor\SharePoint Auditing\SharePointPackage` and extract the contents via 7-Zip. + +2. Once extracted, copy the `.wsp` file to each WFE server. Run the following lines in each WFE in elevated PowerShell to install the solution package: + +```powershell +Add-SPSolution -LiteralPath c:\Netwrix.SharePoint.Audit.wsp +Install-SPSolution -identity Netwrix.SharePoint.Audit.wsp -GACDeployment -Local -Force +``` + +**IMPORTANT:** Replace the placeholder `-LiteralPath` path with the actual path for the `.wsp` package. + +3. 
Confirm the deployment in each server by running the following line in PowerShell: + +```powershell +Get-SPSolution -Identity 'Netwrix.SharePoint.Audit.wsp' | FT +``` + +Verify that Core Service is installed globally. + +## Related Articles + +- /docs/auditor/10.6/auditor/configurationuration/sharepoint (SharePoint — Permissions for SharePoint Auditing · v10.6) diff --git a/docs/kb/auditor/sharepoint-term-set-tree-fails-to-load-or-unable-to-edit-a-clue-or-term.md b/docs/kb/auditor/sharepoint-term-set-tree-fails-to-load-or-unable-to-edit-a-clue-or-term.md new file mode 100644 index 0000000000..82d66c9b06 --- /dev/null +++ b/docs/kb/auditor/sharepoint-term-set-tree-fails-to-load-or-unable-to-edit-a-clue-or-term.md 
@@ -0,0 +1,60 @@ +--- +description: >- + When using Taxonomy Manager with a SharePoint Term Set, the tree may fail to + load or you may be unable to edit a clue or term. This article describes + likely causes and steps to verify connection credentials, credential + permissions, and the conceptClassifier solution for SharePoint 2010. +keywords: + - SharePoint + - Term Set + - Taxonomy Manager + - credentials + - '401' + - '403' + - '500' + - conceptClassifier +products: + - auditor + - data-classification +sidebar_label: SharePoint Term Set tree fails to load or unable t +tags: [] +title: "SharePoint Term Set tree fails to load or unable to edit a clue or term" +knowledge_article_id: kA00g000000H9dzCAC +--- + +# SharePoint Term Set tree fails to load or unable to edit a clue or term + +When using **Taxonomy Manager** with a **SharePoint Term Set** either the tree fails to load or you are unable to edit a clue/term. You will typically receive one of the following errors: + +- 401 Unauthorized +- 403 Access denied. You do not have permission to perform this action or access this resource +- 500 Internal Server Error + +This issue is typically related to: + +- **Invalid Credentials**, or +- The **SharePoint** solution not being correctly deployed (**SharePoint 2010**) + +## Verify Connection Credentials + +Each registered **SharePoint Term Set** has configured connection credentials allowing you to request/load the **Term Set data** from **SharePoint**. The **credentials** used for the **connection** can be viewed by: + +1. Open the **QS Administration Interface** +2. Select "**Taxonomies**" from the top navigation +3. Select "**Global Settings**" from the sub navigation +4. For each affected **Term Set** select: + 1. "**Test**" to confirm **connectivity** + 2. 
"**Edit**" to amend the **username**/**password** + +## Verify Credential Permissions + +To support amending the **Term Set** structure and editing clues the specified connection credentials must either be a: + +- **Term Group Manager**, or a +- **Term Store Administrator** + +You can confirm this via the **Term Store Manager** interface in **SharePoint** by selecting the appropriate level (**Group**/**Store**) and verifying that the **connection credentials** are specified in the **administrator** input. + +## Verify conceptClassifier Solution (SharePoint 2010 Only) + +When connecting to **SharePoint 2010 Term Sets** the **conceptClassifier** for **SharePoint farm solution** must be deployed. diff --git a/docs/kb/auditor/slow-examination.md b/docs/kb/auditor/slow-examination.md new file mode 100644 index 0000000000..a44fce8806 --- /dev/null +++ b/docs/kb/auditor/slow-examination.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Explains causes and troubleshooting steps when Account Lockout Examiner + examinations run for several hours without returning results. +keywords: + - Account Lockout Examiner + - lockout + - examination + - ALEService.exe + - slow + - performance + - troubleshooting + - firewall + - bandwidth +products: + - auditor +sidebar_label: Slow examination +tags: [] +title: "Slow examination" +knowledge_article_id: kA00g000000H9bRCAS +--- + +# Slow examination + +Examination of lockouts runs for several hours without returning any results. + +--- + +During examination Account Lockout Examiner service connects to the workstation where the lockout occurred and scans it. +Time of examination depends on several factors, e.g. +- Bandwidth of the connection to the workstation - for workstations located on other continents examination might run for a long time +- The Account Lockout Examiner service load - if there are a lot of events to process in your environment, the service might not have resources to perform the examination +- Permissions or connection issues. +- etc + +--- + +Ensure that: +1. Workstation is reachable from the Account Lockout Examiner server. +2. Connection is not blocked by the firewall. +3. CPU and Memory usage of Account Lockout Examiner (`ALEService.exe` process) is normal +4. The Account Lockout Examiner service account has local administrator permissions on the target workstation. +5. There is not a network bottleneck between the two endpoints (Account Lockout Examiner and target workstation). + +It is recommended to perform examination of workstations located in the same site with the Account Lockout Examiner host machine. Using separate installations of Account Lockout Examiner for other sites is recommended. 
+ +If all above factors are OK, please try to perform the steps from the following articles and re-run examination: + +- https://kb.netwrix.com/2763 +- https://kb.netwrix.com/1406 +- https://kb.netwrix.com/2777 diff --git a/docs/kb/auditor/some-accounts-were-not-moved-or-deleted-in-inactive-user-tracker-report.md b/docs/kb/auditor/some-accounts-were-not-moved-or-deleted-in-inactive-user-tracker-report.md new file mode 100644 index 0000000000..d59433663b --- /dev/null +++ b/docs/kb/auditor/some-accounts-were-not-moved-or-deleted-in-inactive-user-tracker-report.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Explains why some accounts in the Inactive User Tracker report were not moved + or deleted and provides troubleshooting steps to resolve statuses such as + `Cannot delete the account`. +keywords: + - Inactive User Tracker + - IUT + - Netwrix Auditor + - Cannot delete the account + - domain controller + - Delete account with all its subnodes + - Protect object from accidental deletion + - data collection account +products: + - auditor +sidebar_label: Some Accounts Were Not Moved or Deleted in Inactiv +tags: [] +title: "Some Accounts Were Not Moved or Deleted in Inactive User Tracker Report" +knowledge_article_id: kA04u000001111gCAA +--- + +# Some Accounts Were Not Moved or Deleted in Inactive User Tracker Report + +## Question + +Your report states some accounts were not moved or deleted. Why were they not affected? + +## Answer + +Since Inactive User Tracker (IUT) in Netwrix Auditor has the ability to make actual changes within your Active Directory, it has requirements to meet to introduce these changes. IUT requires all DCs to be operating, otherwise it cannot verify that a user is truly inactive. In case there are non-operable or decommissioned domain controllers in your network, you can omit them — refer to the following article for additional information: [Exclude Non-operable Domain Controllers from Monitoring](/docs/kb/auditor/how-to-exclude-non-operable-domain-controllers-from-monitoring-in-netwrix-auditor). + +If you still encounter reports showing the `Cannot delete the account` status for accounts after omitting the inoperable DCs, refer to the following steps: + +- This error might appear if the targeted computer account is not an end object but a container for other objects. IUT won't be able to remove those accounts unless the **Delete account with all its subnodes** checkbox is checked. 
+ + ![Delete account with all its subnodes checkbox](images/ka04u000001179H_0EM4u000008Lt2y.png) + + > **IMPORTANT:** This will lead to the deletion of the entire container considered as inactive by IUT. + +- The data collection account used by IUT does not have sufficient rights and permissions. Refer to the following article for additional information on roles, rights, and permissions required for Inactive User Tracker data collection account: Monitoring Plans — Data Collecting Account. + +- The account has the **Protect object from accidental deletion** checkbox checked in **Properties** > **Object**. This is a Windows Active Directory feature to prevent the deletion and moving of flagged objects without admin intervention. IUT cannot override this feature; you must manually edit the flag. diff --git a/docs/kb/auditor/some-sharepoint-events-may-be-lost-and-not-reflected-in-reports-and-change-summaries.md b/docs/kb/auditor/some-sharepoint-events-may-be-lost-and-not-reflected-in-reports-and-change-summaries.md new file mode 100644 index 0000000000..c2592d4c5d --- /dev/null +++ b/docs/kb/auditor/some-sharepoint-events-may-be-lost-and-not-reflected-in-reports-and-change-summaries.md 
@@ -0,0 +1,32 @@ +--- +description: >- + Netwrix Auditor may not reflect some SharePoint events in reports and Change + Summaries under certain conditions, such as manual trimming of the ContentDB, + restores within 30 minutes after backup, or deletion within 30 minutes of + changes. +keywords: + - SharePoint + - events + - reports + - Change Summaries + - ContentDB + - site collection + - backup + - restore + - deletion + - Netwrix Auditor +products: + - auditor +sidebar_label: Some SharePoint events may be lost and not reflect +tags: [] +title: "Some SharePoint events may be lost and not reflected in reports and Change Summaries" +knowledge_article_id: kA00g000000H9SRCA0 +--- + +# Some SharePoint events may be lost and not reflected in reports and Change Summaries + +Some SharePoint events may be lost and not reflected in reports and Change Summaries when: + +- The `ContentDB` database of the designated site collection was manually trimmed. +- The site collection was restored within 30 minutes after backup. The information on changes made within this period will be lost. +- The site collection was deleted. The information on changes made to the site collection within 30 minutes before its deletion will be lost. diff --git a/docs/kb/auditor/specified-logon-session-does-not-exist-error-in-netwrix-auditor.md b/docs/kb/auditor/specified-logon-session-does-not-exist-error-in-netwrix-auditor.md new file mode 100644 index 0000000000..37b4c49dbb --- /dev/null +++ b/docs/kb/auditor/specified-logon-session-does-not-exist-error-in-netwrix-auditor.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Explains how to resolve the "A specified logon session does not exist" error + when enabling the Leverage Integration API in Netwrix Auditor by assigning a + new SSL certificate. +keywords: + - Netwrix Auditor + - Integration API + - SSL certificate + - logon session + - error + - certificate store + - migration + - Settings + - Leverage Integration API +products: + - auditor +sidebar_label: Specified Logon Session Does Not Exist Error in Ne +tags: [] +title: "Specified Logon Session Does Not Exist Error in Netwrix Auditor" +knowledge_article_id: kA04u00000111HPCAY +--- + +# Specified Logon Session Does Not Exist Error in Netwrix Auditor + +## Symptom + +When you enable **Leverage Integration API** in the Netwrix Auditor **Settings** menu, the following error is prompted: + +```text +Cannot save the settings. +A specified logon session does not exist. It may already have been terminated. +``` + +The **Leverage Integration API** switch is turned off subsequently. + +## Causes + +- An SSL certificate required to run Integration API is missing. +- In case of a prior Netwrix Auditor migration, the previously used SSL certificate cannot be found in the certificate store of the new Netwrix Auditor server. + +## Resolution + +Assign a new SSL certificate to Integration API. Refer to the following article for additional information on commands: /docs/auditor/10.6/auditor/api (Integration API − Security ⸱ v10.6). + +### Related articles + +- Integration API − Security ⸱ v10.6: /docs/auditor/10.6/auditor/api diff --git a/docs/kb/auditor/specified-network-name-is-no-longer-available-error-in-logon-activity-monitoring-plan.md b/docs/kb/auditor/specified-network-name-is-no-longer-available-error-in-logon-activity-monitoring-plan.md new file mode 100644 index 0000000000..1a990ed90d --- /dev/null +++ b/docs/kb/auditor/specified-network-name-is-no-longer-available-error-in-logon-activity-monitoring-plan.md 
@@ -0,0 +1,108 @@ +--- +description: >- + This article explains the "The specified network name is no longer available" + error (Event ID 5037) that can appear in Health Log for a Logon Activity + monitoring plan in Netwrix Auditor and provides steps to diagnose and resolve + it, including commands to review and rename domain controller computer names + and update DFSR objects. +keywords: + - Netwrix Auditor + - Logon Activity + - Event ID 5037 + - specified network name is no longer available + - domain controller + - netdom + - DFSR + - SYSVOL + - audit policies +products: + - auditor +sidebar_label: Specified Network Name Is No Longer Available Erro +tags: [] +title: "Specified Network Name Is No Longer Available Error in Logon Activity Monitoring" +knowledge_article_id: kA00g000000H9eSCAS +--- + +# Specified Network Name Is No Longer Available Error in Logon Activity Monitoring + +## Symptom + +The following error is prompted in Health Log for your Logon Activity monitoring plan in Netwrix Auditor: + +``` +Source:Active Directory Logon Activity Audit Service +Event ID: 5037 +Description:Monitoring plan: %Logon_Activity_monitoring_plan_name%. +Domain: %domain%. +Unable to configure the Hub Service on the server '%DCName.Domain.local%'. Error: The specified network name is no longer available +``` + +## Causes + +The affected domain controller name cannot be resolved. Refer to the following list of possible causes: + +- Misconfigured ports for the Logon Activity monitoring. +- Misconfigured audit policies. +- Misconfigured data collecting account permissions. +- The name of the affected domain contoller has been changed. + +## Resolutions + +- Review the ports configured for the Logon Activity monitoring — refer to the following link for additional information: /docs/auditor/10.6/auditor/configurationuration/logonactivity (Logon Activity − Logon Activity Ports ⸱ v10.6). 
+- Review the audit policies set up in your environment — refer to the following links: + - /docs/auditor/10.6/auditor/configurationuration/logonactivity (Logon Activity − Configure Basic Domain Audit Policies ⸱ v10.6) + - /docs/auditor/10.6/auditor/configurationuration/logonactivity (Logon Activity − Configure Advanced Audit Policies ⸱ v10.6) +- Review the permissions for your Logon Activity data collecting account — refer to the following article for additional information on requirements: /docs/auditor/10.6/auditor/configurationuration/logonactivity (Logon Activity − Permissions for Logon Activity Auditing ⸱ v10.6). + +In case the error occurred after a recent domain controller name change, review the following steps: + +IMPORTANT: The affected domain controller name is provided in the error message. In the command samples provided below, the **DCName.Domain.local** name will be used. Make sure to replace it with the appropriate FQDN for your domain controller. + +1. Launch elevated Command Prompt. +2. To review computer names applied to a particular DC, run the following command: + +```bat +netdom computername DCName.Domain.local /enumerate +``` + +3. To select the primary name for your domain controller, run the following command: + +```bat +netdom computername DCName.Domain.local /makeprimary:%new_primary_DC_name% +``` + +4. To remove the old name, run the following command: + +```bat +netdom computername %new_primary_DC_name% /remove:DCName.Domain.local +``` + +5. To confirm the changes have been applied, run the following command: + +```bat +netdom computername %new_primary_DC_name% /enumerate +``` + +The domain controller should now have the appropriate computer name. Next, update the DFSR member object: + +1. Open **Active Directory Users and Computers**. +2. In the **View** menu, select **Advanced Features**. +3. If SYSVOL is replicated via DFSR, expand the **System** node > **DFSR-GlobalSettings** > **Domain System Volume** > **Topology**. +4. 
Right-click the object named after the old DC name, and select **Rename**. +5. Specify the new DC name, and save the new name. + +Once completed, this will ensure the renamed domain controller is able to replicate the SYSVOL contents. + +## Related articles + +- Logon Activity − Logon Activity Ports ⸱ v10.6 + /docs/auditor/10.6/auditor/configurationuration/logonactivity + +- Logon Activity − Configure Basic Domain Audit Policies ⸱ v10.6 + /docs/auditor/10.6/auditor/configurationuration/logonactivity + +- Logon Activity − Configure Advanced Audit Policies ⸱ v10.6 + /docs/auditor/10.6/auditor/configurationuration/logonactivity + +- Logon Activity − Permissions for Logon Activity Auditing ⸱ v10.6 + /docs/auditor/10.6/auditor/configurationuration/logonactivity diff --git a/docs/kb/auditor/specify-custom-sql-server-port-for-netwrix-auditor-audit-database.md b/docs/kb/auditor/specify-custom-sql-server-port-for-netwrix-auditor-audit-database.md new file mode 100644 index 0000000000..3ce7a40e95 --- /dev/null +++ b/docs/kb/auditor/specify-custom-sql-server-port-for-netwrix-auditor-audit-database.md 
@@ -0,0 +1,38 @@ +--- +description: >- + This article explains how to specify a custom SQL Server port for Netwrix + Auditor so it can communicate with the Audit Database. +keywords: + - Netwrix Auditor + - SQL Server + - custom port + - audit database + - SQL instance + - database connection + - port configuration + - SERVER-SQL +products: + - auditor +sidebar_label: Specify Custom SQL Server Port for Netwrix Auditor +tags: [] +title: "Specify Custom SQL Server Port for Netwrix Auditor Audit Database" +knowledge_article_id: kA04u00000110rCCAQ +--- + +# Specify Custom SQL Server Port for Netwrix Auditor Audit Database + +## Question + +How to specify a custom port for Netwrix Auditor to communicate with the SQL Server instance? + +## Answer + +1. In the main Netwrix Auditor menu, open **Settings**. +2. In the left pane, select **Audit Database** and click **Modify** under **Audit database settings**. +3. Specify your computer and instance name, followed by a comma, and the port in the **SQL Server instance** field: + +``` +SERVER-SQL\TEST-SQL,14337 +``` + +![Specify custom SQL Server port image](images/ka04u00000117sv_0EM4u000008LXSz.png) diff --git a/docs/kb/auditor/sql-server-express-database-size-reached-10gb.md b/docs/kb/auditor/sql-server-express-database-size-reached-10gb.md new file mode 100644 index 0000000000..3bc90ae0d4 --- /dev/null +++ b/docs/kb/auditor/sql-server-express-database-size-reached-10gb.md 
@@ -0,0 +1,77 @@ +--- +description: >- + Explains why SQL Server Express encounters a 10 GB limit with Netwrix Auditor + and provides step-by-step actions to recreate the database, stop/start + services, and optimize data collection to continue using Express edition. +keywords: + - SQL Server Express + - 10GB limit + - database size + - Netwrix Auditor + - monitoring plan + - Archive Service + - database deletion + - Database Statistics + - retention period +products: + - auditor + - SQL_Server +sidebar_label: SQL Server Express Database Size Reached 10GB +tags: [] +title: "SQL Server Express Database Size Reached 10GB" +knowledge_article_id: kA04u00000110wRCAQ +--- + +# SQL Server Express Database Size Reached 10GB + +## Question + +Database size reached 10GB − the following database state is prompted: + +``` +Failed to store data +``` + +``` +Unable to allocate additional space to save data to the Audit Database +``` + +Is it still possible to use SQL Server Express instead of the Standard or Enterprise editions? + +## Answer + +While it is highly recommended to implement either a SQL Server Standard or Enterprise edition in a production environment, you can still use SQL Server Express. Due to the 10GB database size limitation, you may encounter errors related to the inability to store data in the **Health Status** dashboard. Refer to the following steps to optimize the use of Express edition in your environment: + +- Recreate the database for the monitoring plan: + + > **IMPORTANT:** The monitoring plan data collected previously will be available in the Long-Term Archive. Refer to the following article for additional information on investigations: /docs/auditor/10.6/auditor/admin-guide/settings (Netwrix Auditor Settings − Investigations · v10.6). + + 1. Confirm the name of the affected database − it should be stated both in the error message and **Database Statistics**. The **Database Statistics** data will also include the affected monitoring plan name. + 2. 
Disable the data collection for the affected monitoring plan − in the main Netwrix Auditor screen, select **Monitoring Plans** > **%affected_monitoring_plan%** > **Edit** > **Edit data source** > switch the **Monitor this data source and collect activity data** switch off > click **Save & Close**. + + > **NOTE:** To confirm the affected database is used in the monitoring plan, click **Edit settings** under the **Monitoring Plan** section in the monitoring plan view, and click the **Audit Database** tab. + 3. In your Netwrix Auditor server, run the following line in elevated PowerShell to stop `Netwrix Auditor Archive Service`: + + ```powershell + Stop-Service -DisplayName "Netwrix Auditor Archive Service" + ``` + 4. In your SQL server, open **Microsoft SQL Server Management Studio**. Connect to your SQL instance and locate the **Databases** subfolder under the server node in the left pane. + 5. Locate the affected database, right-click it and select **Delete**. + 6. In the **Delete Object** window, check the **Close existing connections** checkbox, and click **OK**. + 7. In your Netwrix Auditor server, run the following lines in elevated PowerShell to start `Netwrix Auditor Archive Service` and restart `Netwrix Auditor Management Service`: + + ```powershell + Start-Service -DisplayName "Netwrix Auditor Archive Service" + Restart-Service -DisplayName "Netwrix Auditor Management Service" + ``` + 8. Enable the data collection − in the affected monitoring plan view, click **Edit data source** > in the **General** tab, switch the **Monitor this data source and collect activity data** switch on. Click **Save & Close**. + +- Split items in multiple monitoring plans to decrease the amount of data written to a single database. + +- Decrease the database retention period. Refer to the following article for additional information: /docs/kb/auditor/how_to_reduce_audit_database_size_for_netwrix_auditor (How to Reduce Audit Database Size for Netwrix Auditor). 
+ +## Related Articles + +- /docs/auditor/10.6/auditor/admin-guide/settings (Netwrix Auditor Settings − Investigations · v10.6) +- /docs/kb/auditor/how_to_reduce_audit_database_size_for_netwrix_auditor (How to Reduce Audit Database Size for Netwrix Auditor) +- /docs/kb/auditor/could_not_allocate_space_for_object_(objectname)_in_database_(databasename) (Could not allocate space for object (ObjectName) in database (DatabaseName)) diff --git a/docs/kb/auditor/ssl-exception-failed-to-deliver-netwrix-auditor-health-summary-email.md b/docs/kb/auditor/ssl-exception-failed-to-deliver-netwrix-auditor-health-summary-email.md new file mode 100644 index 0000000000..43f1c0bce0 --- /dev/null +++ b/docs/kb/auditor/ssl-exception-failed-to-deliver-netwrix-auditor-health-summary-email.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Explains why Netwrix Auditor health summary emails fail with an SSL Exception + and how to verify TLS/SSL certificate expiration. +keywords: + - ssl + - tls + - certificate + - health summary + - email + - Netwrix Auditor + - Event ID 5302 + - SSL Exception + - SSRS +products: + - auditor +sidebar_label: 'SSL Exception — Failed to Deliver Netwrix Auditor ' +tags: [] +title: "SSL Exception — Failed to Deliver Netwrix Auditor Health Summary Email" +knowledge_article_id: kA04u00000110qJCAQ +--- + +# SSL Exception — Failed to Deliver Netwrix Auditor Health Summary Email + +## Symptom and Cause + +Regular emailed reports are missing. Netwrix Auditor Health Log contains the following error: + +```text +Event ID: 5302 +Description:Netwrix Auditor was unable to deliver the health summary email for YYYY/MM/DD due to the following error: +'Failed to deliver the Netwrix Auditor health summary email. Reason: Cannot send an email: SSL Exception' +``` + +Your TLS\SSL certificate has expired — Netwrix Auditor stops generating reports on SSL\TLS certificate expiration. + +## Resolution + +To establish whether your certificate has expired, check the Microsoft Management Console (MMC) Certificates Snap-in (your certificate store). For additional information on setting up the SSL\TLS channel communication, refer to the following article: /docs/kb/auditor/set_up_secure_connection_between_auditor_and_ssrs_via_ssltls_channel (Set Up Secure Connection Between Netwrix Auditor and SSRS via SSL/TLS Channel). diff --git a/docs/kb/auditor/ssrs-tempdb-permanently-grows-large-and-occupies-disk-space.md b/docs/kb/auditor/ssrs-tempdb-permanently-grows-large-and-occupies-disk-space.md new file mode 100644 index 0000000000..7171c72dab --- /dev/null +++ b/docs/kb/auditor/ssrs-tempdb-permanently-grows-large-and-occupies-disk-space.md 
@@ -0,0 +1,47 @@ +--- +description: >- + The temporary SSRS database (TempDB) can grow continuously when you run + reports or investigations. This article explains the cause and shows how to + grant the required permissions to the SQL Server service account to allow + TempDB cleanup. +keywords: + - SSRS + - TempDB + - SQL Server + - permissions + - db_owner + - Netwrix Auditor + - audit database + - disk space +products: + - auditor +sidebar_label: SSRS TempDB Permanently Grows Large and Occupies D +tags: [] +title: "SSRS TempDB Permanently Grows Large and Occupies Disk Space" +knowledge_article_id: kA0Qk0000000PhZKAU +--- + +# SSRS TempDB Permanently Grows Large and Occupies Disk Space + +## Symptom + +The temporary SSRS database (TempDB) in your environment permanently grows large when you run reports or investigations. + +## Cause + +The SQL Server service account has insufficient permissions to clear the TempDB. + +## Resolution + +> **NOTE:** To establish the SQL Server service account, click **Settings** in the main **Netwrix Auditor** menu > **Audit Database** > **User name**. + +Grant the `db_owner` role to the SQL Server service account. + +1. Run Microsoft SQL Server Management Studio and connect to the SQL instance. +2. In **Object Explorer**, proceed to **Security** > **Logins** > right-click the affected SQL Server service account > **Properties**. +3. In the **User Mapping** tab, locate the TempDB, highlight it and review the roles assigned to the affected account in the **Database role membership** window. +4. Check the `db_owner` checkbox and click **OK** to save changes. + +## Related articles + +- Requirements − Requirements for SQL Server to Store Audit Data · v10.6 diff --git a/docs/kb/auditor/state-in-time-reports-do-not-show-gpo-settings-values.md b/docs/kb/auditor/state-in-time-reports-do-not-show-gpo-settings-values.md new file mode 100644 index 0000000000..a8a51f1cfe --- /dev/null 
+++ b/docs/kb/auditor/state-in-time-reports-do-not-show-gpo-settings-values.md 
@@ -0,0 +1,73 @@ +--- +description: >- + State-in-time (SIT) GPO reports in Netwrix Auditor may show only summary + information and omit most GPO settings when the Auditor VM is on a different + subnet and the data processing account uses NETBIOS domain\account format. + This article explains the affected environment, cause, and the resolution. +keywords: + - GPO + - state in time + - SIT + - GPO settings + - Netwrix Auditor + - NETBIOS + - FQDN + - data processing account + - subnet + - WINS +products: + - auditor +sidebar_label: State in time reports do not show GPO settings val +tags: [] +title: "State in time reports do not show GPO settings values" +knowledge_article_id: kA04u000000Pcy9CAC +--- + +# State in time reports do not show GPO settings values + +GPO SIT reports do not show GPO settings values. Only GPO summary information is present. +For example: “Empty Group Policy Objects” report lists Policies that actually contain some settings set. + +![User-added image](./images/ka04u000000HdEa_0EM4u000002CmYD.png) + +Another example: “Group Policy Objects by Policy Name” report lists only settings of the following sections: + +- General/Delegation +- General/Details +- General/Links +- General/Security Filtering + +![User-added image](./images/ka04u000000HdEa_0EM4u000002CmYI.png) + +All the other data is missing from the report: +![User-added image](./images/ka04u000000HdEa_0EM4u000002CmYN.png) + +## Affected environment + +The conditions below must take place altogether: + +1. Netwrix Auditor VM belongs to the different network subnet than the monitored active directory domain. + + Example: + Netwrix Auditor VM: + - IP address: `10.0.0.12` + - Subnet Mask: `255.255.0.0 / 16` + Domain Controller VM: + - IP address: `192.168.8.4` + - Subnet Mask: `255.255.252.0 / 22` + +2. You are not using any custom WINS servers for NETBIOS names resolution. + +3. 
Domain Item Data Processing Account in the Netwrix Auditor configuration setting for the monitored domain is set in a format of `NETBIOSDOMAINNAME\ACCOUNTSAMACCOUNTMANE` (e.g. `corp\administrator`). + +![User-added image](./images/ka04u000000HdEa_0EM4u000002CmYS.png) + +## Cause + +By default NetBios names cannot be resolved across different subnets using broadcasting. + +## Resolution + +Set the data processing account for the monitored domain item in a format of `FQDNDOMAINNAME\ACCOUNTSAMACCOUNTNAME` (e.g. `corp.local\administrator`) + +![User-added image](./images/ka04u000000HdEa_0EM4u000002CsNQ.png) diff --git a/docs/kb/auditor/subscription-attachments-exceeding-the-size-limit-are-missing-from-lostandfound.md b/docs/kb/auditor/subscription-attachments-exceeding-the-size-limit-are-missing-from-lostandfound.md new file mode 100644 index 0000000000..c8b9910811 --- /dev/null +++ b/docs/kb/auditor/subscription-attachments-exceeding-the-size-limit-are-missing-from-lostandfound.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Explains why subscription attachments larger than 50MB may not appear in the + LostAndFound folder and provides steps to resolve the issue. +keywords: + - subscription + - attachments + - LostAndFound + - Netwrix Auditor + - 50MB + - share permissions + - working folder + - mail server +products: + - auditor +sidebar_label: 'Subscription Attachments Exceeding the Size Limit ' +tags: [] +title: "Subscription Attachments Exceeding the Size Limit Are Missing from LostAndFound" +knowledge_article_id: kA04u00000111CUCAY +--- + +# Subscription Attachments Exceeding the Size Limit Are Missing from LostAndFound + +## Symptom + +Subscription attachments exceeding the 50MB size are missing from your `\\Netwrix_Auditor_Subscriptions$\LostAndFound` folder. + +## Causes + +- Misconfigured permissions for the service account. +- Misconfigured share path. +- Maximum attachment size limitation defined in your mail server conflicts with the maximum attachment size defined by Netwrix Auditor. + +## Resolutions + +- Review the share access permissions for the data collecting account. + +> **NOTE:** If you have multiple data collecting accounts set up, review the affected subscription to establish the corresponding monitoring plan and data collecting account. + +1. Open the **Computer Management** tool. +2. In the left pane, expand the **System Tools** tree. Expand the **Shared Folders** folder, and click **Shares**. +3. Select the **Netwrix_Auditor_Subscriptions$** share, right-click it, and select **Properties**. +4. In the **Share Permissions** tab, review the users added. Make sure the serivce account for the affected monitoring plan is included with **Full Control** permissions. +5. Apply the changes, and close the window. + +- Review the share folder path. 
+ +> **NOTE:** The location of your **Working Folder** can be established by following main Netwrix Auditor menu > **Health Status** > clicking **Open diagnostic logs folder** button under **Working Folder** tab > switching to the parent folder. + +1. Open the **Computer Management** tool. +2. In the left pane, expand the **System Tools** tree. Expand the **Shared Folders** folder, and click **Shares**. +3. Select the **Netwrix_Auditor_Subscriptions$** share, right-click it, and select **Properties**. +4. In the **General** tab, review the **Folder path** field. It should point to `%Working Folder%\Data\Subscriptions`. +5. Apply the changes, and close the window. + +- Review the maximum attachment size defined by your mail server. The maximum attachment size defined by Netwrix Auditor is 50MB. In case the maximum attachment size setting for your mail server is less than 50MB, your subscription reports may be rejected by the mail server with no reports saved to the share folder. + +## Related articles + +- Subscriptions — Create Subscriptions ⸱ v10.6 diff --git a/docs/kb/auditor/subscription-generation-fails-due-to-incorrect-date-from-value.md b/docs/kb/auditor/subscription-generation-fails-due-to-incorrect-date-from-value.md new file mode 100644 index 0000000000..68692bd00a --- /dev/null +++ b/docs/kb/auditor/subscription-generation-fails-due-to-incorrect-date-from-value.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Subscription generation fails for reports with date/time fields when a + non-English system locale is set; changing the system locale to English + (United States) resolves the error. +keywords: + - subscription + - Date_From + - system locale + - report parameter + - Netwrix Auditor + - subscription generation + - locale + - date + - time +products: + - auditor +sidebar_label: Subscription Generation Fails Due To Incorrect Dat +tags: [] +title: "Subscription Generation Fails Due To Incorrect Date_From Value" +knowledge_article_id: kA04u00000111KECAY +--- + +# Subscription Generation Fails Due To Incorrect Date_From Value + +## Symptom + +The subscription generation fails and the subscription history contains the following error: + +```text +The value provided for the report parameter 'Date_From' is not valid for its type. +``` + +## Cause + +The issue occurs for subscriptions based on reports with date and time fields when a non-English locale has been enabled in the OS on the computer that hosts Netwrix Auditor Server. + +## Resolution + +Change the system locale to English (United States). To do that: + +1. On the computer that hosts Netwrix Auditor Server, navigate to **Control Panel** > **Region** > **Administrative** tab. +2. Click the **Change system locale ...** button and select **English (United States)** in the *Current system locale:* field. +3. Change the system locale for the system accounts. To do that: + - Navigate to **Control Panel** > **Region** > **Administrative** tab. + - Click **Copy settings ...** and tick *Welcome screen and system accounts*. +4. Reboot Netwrix Auditor Server. diff --git a/docs/kb/auditor/subscription-reports-errors.md b/docs/kb/auditor/subscription-reports-errors.md new file mode 100644 index 0000000000..9336072bd6 --- /dev/null +++ b/docs/kb/auditor/subscription-reports-errors.md 
@@ -0,0 +1,72 @@ +--- +description: >- + Describes errors you may see when viewing subscription reports in Netwrix + Auditor and provides steps to resolve them, including restoring the Reports + folder and verifying SSRS authentication. +keywords: + - subscription reports + - SSRS authentication + - Reports folder + - Netwrix Auditor + - ReportID missing + - rsItemNotFound + - Reports.zip + - Netwrix Auditor Management Service +products: + - auditor +sidebar_label: Subscription Reports Errors +tags: [] +title: "Subscription Reports Errors" +knowledge_article_id: kA04u00000110sZCAQ +--- + +# Subscription Reports Errors + +## Symptoms + +Netwrix Auditor prompts one of the following errors when you're viewing a subscription report: + +``` +The report with ReportID %REPORT_UID% is missing on your server. +``` + +``` +Could not find a part of the path C:\ProgramData\Netwrix Auditor\Reports. +``` + +``` +The item '/Netwrix Auditor/%Report_name%' cannot be found.(rsItemNotFound) +``` + +## Causes + +1. Your SSRS instance limits the available authentication methods. +2. The content of your **Reports** folder has been corrupted. + +## Resolutions + +1. Verify that your SSRS instance allows all authentication methods (NTLM, Kerberos, Negotiate) in your environment—learn more in Configure Windows Authentication on the Report Server — Configure a Report Server to Use Windows Integrated Security · Microsoft: + https://learn.microsoft.com/en-us/sql/reporting-services/security/configure-windows-authentication-on-the-report-server?view=sql-server-ver16#configure-a-report-server-to-use-windows-integrated-security + +2. Recreate the **Reports** folder: + + > **NOTE:** If you have previously added a custom report, you must set it up again manually. + + 1. On the Auditor Server host, proceed to the following folder: + ``` + C:\ProgramData\Netwrix Auditor\Reports + ``` + 2. 
If none exists, locate the `Reports.zip` archive in the following folder: + ``` + C:\ProgramData\Netwrix Auditor\ + ``` + If the **Reports** folder exists, create a backup of the folder, delete the original folder and recreate it by following the provided steps. + 3. Create a **Reports** folder in `C:\ProgramData\Netwrix Auditor\`. Extract the contents of the `Reports.zip` archive to the **Reports** folder. Wait 10 minutes for the reports to rebuild. + + > **NOTE:** Alternatively, you can restart the `Netwrix Auditor Management Service`. + 4. Manually rerun the subscription—open the failed subscription and click **Try Again**. + +## Related Articles + +- Configure Windows Authentication on the Report Server — Configure a Report Server to Use Windows Integrated Security · Microsoft: + https://learn.microsoft.com/en-us/sql/reporting-services/security/configure-windows-authentication-on-the-report-server?view=sql-server-ver16#configure-a-report-server-to-use-windows-integrated-security diff --git a/docs/kb/auditor/supplied-object-has-not-been-initialized-for-investigations.md b/docs/kb/auditor/supplied-object-has-not-been-initialized-for-investigations.md new file mode 100644 index 0000000000..fdd818aa81 --- /dev/null +++ b/docs/kb/auditor/supplied-object-has-not-been-initialized-for-investigations.md 
@@ -0,0 +1,65 @@ +--- +description: >- + Explains causes and solutions for the "The Supplied object has not been + initialized" error when running investigations in Netwrix Auditor. Provides + steps to assign db_owner, verify investigation credentials, or rebuild the + Netwrix_ImportDB database. +keywords: + - error + - investigations + - Netwrix Auditor + - Netwrix_ImportDB + - db_owner + - SQL Server + - Investigations settings + - database corruption +products: + - auditor +sidebar_label: Supplied Object Has Not Been Initialized for Inves +tags: [] +title: "Supplied Object Has Not Been Initialized for Investigations" +knowledge_article_id: kA04u00000110vECAQ +--- + +# Supplied Object Has Not Been Initialized for Investigations + +## Symptom + +The following error appears when trying to complete an investigation: + +`The Supplied object has not been initialized` + +## Cause + +- The account used for investigations the SQL Server instance has insufficient rights. +- The password for the account used for investigations in incorrect. +- The database used to import data from Long-Term Archive is corrupt. + +## Solution + +- Assign the `db_owner` role to the account used for investigations. + + 1. On the computer where the SQL Server instance with `Netwrix_ImportDB` resides, navigate to **Start** > **All Programs** > **Microsoft SQL Server** > **SQL Server Management Studio**. + 2. Connect to the server using the credentials for the account with sufficient permissions to assign roles. + 3. In the left pane, expand the **Security** node. Expand the **Logins** node and select the login used for investigation. Right-click it and select **Properties**. + 4. In the left pane, select **User Mapping** and select the `Netwrix_ImportDB` database. + 5. In the **Database role membership** section, select **db_owner**. Click **OK** to save changes, and try running the investigation. + +- Verify the password provided in **Investigations** settings. + + 1. 
In the main Netwrix Auditor screen, click **Settings**. + 2. In the left pane, select the **Investigations** tab. + 3. Under the **SQL Server settings**, click **Modify**. + 4. Provide the credentials and proceed to save the changes. + 5. Try running the investigation. + +- Delete the `Netwrix_ImportDB` database and rebuild the database. + + 1. In Windows Services Manager on your Netwrix host, stop both Netwrix Auditor Archive Service and Netwrix Auditor Management Service. + 2. Run your SQL Management Studio instance and navigate to ` %SQL_Server_database_name%` > **Databases** > `Netwrix_ImportDB`. Right-click the database and select **Delete**. + 3. In the **Delete Object** window, check both option checkboxes: + - Delete backup and restore history information for databases. + - Close existing connections. + 4. Once the database has been deleted, restart Netwrix Auditor Archive Service and Netwrix Auditor Management Service. + 5. In the main Netwrix Auditor screen, click **Settings**. + 6. In the left pane, select the **Investigations** tab. Configure an investigation scope and run the investigation to recreate the `Netwrix_ImportDB` database. diff --git a/docs/kb/auditor/support-and-maintenance-contract-has-expired-for-account-lockout-examiner.md b/docs/kb/auditor/support-and-maintenance-contract-has-expired-for-account-lockout-examiner.md new file mode 100644 index 0000000000..09fc137f0d --- /dev/null +++ b/docs/kb/auditor/support-and-maintenance-contract-has-expired-for-account-lockout-examiner.md 
@@ -0,0 +1,33 @@ +--- +description: >- + Explains how to stop the "Support and Maintenance contract has expired" + message for NetWrix Account Lockout Examiner after the contract has been + renewed and a new license has been entered. +keywords: + - account lockout examiner + - license + - support contract + - maintenance expired + - users.dat + - services.msc + - NetWrix + - license renewal +products: + - auditor +sidebar_label: 'Support and Maintenance contract has expired" for ' +tags: [] +title: Support and Maintenance contract has expired" for Account Lockout Examiner +knowledge_article_id: kA00g000000PbdFCAS +--- + +# Support and Maintenance contract has expired" for Account Lockout Examiner + +The "Support and Maintenance contract has expired" message persists event after the contract has been renewed and a new license has been entered. + +Perform the following procedure to stop getting this message: + +1. Stop the **NetWrix Account Lockout Examiner service** (navigate to **Start** -> **Run** and type `services.msc`, locate the service, right-click it and select **Stop**). +2. Navigate to the NetWrix Account Lockout Examiner installation directory. +3. Locate the `users.dat` file and delete it. +4. Restart the **NetWrix Account Lockout Examiner service**. +5. Re-enter the license, if necessary. diff --git a/docs/kb/auditor/support-for-fine-grained-password-policies-in-netwrix-password-expiration-notifier.md b/docs/kb/auditor/support-for-fine-grained-password-policies-in-netwrix-password-expiration-notifier.md new file mode 100644 index 0000000000..3ecb923c5b --- /dev/null +++ b/docs/kb/auditor/support-for-fine-grained-password-policies-in-netwrix-password-expiration-notifier.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Explains how to configure Netwrix Password Reset to report only users who have + Fine-Grained Password Policies applied. Includes the steps to enable the + option in a monitoring plan's Advanced Options. +keywords: + - Fine-Grained Password Policies + - FGPP + - Netwrix Password Reset + - PEN + - Monitoring Plan + - Advanced Options + - password policies +products: + - auditor +sidebar_label: Support for Fine-Grained Password Policies in Netw +tags: [] +title: "Support for Fine-Grained Password Policies in Netwrix Password Reset" +knowledge_article_id: kA00g000000PbdGCAS +--- + +# Support for Fine-Grained Password Policies in Netwrix Password Reset + +## Question + +Does Netwrix Password Reset (PEN) support Fine-Grained Password Policies? + +## Answer + +Yes, PEN supports Fine-Grained Password Policies. To configure PEN to work only with Fine-Grained Password Policies, follow these steps: + +1. Launch **PEN**. +2. Select or create a **Monitoring Plan** that will apply Fine-Grained Password Policies. +3. Click the **Advanced Tab**. +4. At the bottom of the Advanced Options window, select the **Only report on users with Fine-Grained Password Policies** applied box. + ![Fine-grained password policies applied](images/ka0Qk0000006sTx_0EMQk000008Iaq1.png) +5. Click **Save**. diff --git a/docs/kb/auditor/symbolic-link-cannot-be-followed-error-in-file-server-monitoring-plan.md b/docs/kb/auditor/symbolic-link-cannot-be-followed-error-in-file-server-monitoring-plan.md new file mode 100644 index 0000000000..93ac510024 --- /dev/null +++ b/docs/kb/auditor/symbolic-link-cannot-be-followed-error-in-file-server-monitoring-plan.md 
@@ -0,0 +1,65 @@ +--- +description: >- + This article explains how to resolve the "The symbolic link cannot be + followed" (0x80049610) error that appears during State-in-Time data collection + for a File Server monitoring plan. It shows how to check and enable symbolic + link evaluation settings using fsutil on the Netwrix Auditor server. +keywords: + - symbolic link + - symlink + - fsutil + - SymlinkEvaluation + - Netwrix Auditor + - File Server monitoring + - State-in-Time + - 2147784208 + - Health Log +products: + - auditor +sidebar_label: Symbolic Link Cannot Be Followed Error in File Ser +tags: [] +title: "Symbolic Link Cannot Be Followed Error in File Server Monitoring Plan" +knowledge_article_id: kA04u0000011141CAA +--- + +# Symbolic Link Cannot Be Followed Error in File Server Monitoring Plan + +## Symptom + +You see the following error in the Health Log for your File Server monitoring plan: + +``` +Error: 0x80049610 +The symbolic link cannot be followed +Make sure the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations are enabled on the computer that hosts Netwrix Auditor Server. +``` + +The error shows only during State-in-Time data collection. + +## Cause + +Symbolic links (symlinks) are disabled or misconfigured. + +## Resolution + +Enable all symbolic link types. + +1. On your **Netwrix Auditor server**, open an elevated Command Prompt and run: + + ```text + fsutil behavior query SymlinkEvaluation + ``` + + Once executed, you'll see the settings for symbolic links (enabled or disabled). + + ![SymlinkEvaluation output](images/servlet_image_3823966b1661.png) + +2. To enable a symlink type, run the following command: + + ```text + fsutil behavior set SymlinkEvaluation R2L:1 + ``` + + The `R2L:1` stands for remote-to-local enabled. You can change `R` to `L` and vice versa to enable the disabled symlink. 
+ +Learn more about fsutil syntax in the Microsoft documentation: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior (fsutil behavior ⸱ Microsoft) diff --git a/docs/kb/auditor/system-cannot-find-the-path-specified-in-logon-activity-monitoring-plan.md b/docs/kb/auditor/system-cannot-find-the-path-specified-in-logon-activity-monitoring-plan.md new file mode 100644 index 0000000000..47b363dcfe --- /dev/null +++ b/docs/kb/auditor/system-cannot-find-the-path-specified-in-logon-activity-monitoring-plan.md 
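Review bot: in symbolic-link-cannot-be-followed-error-in-file-server-monitoring-plan.md, step 2 of the Resolution shows only `R2L:1`, although the section opens with "Enable all symbolic link types" and the quoted error names four evaluations (local-to-local, local-to-remote, remote-to-local, remote-to-remote). Leaving the reader to derive the rest from "change `R` to `L` and vice versa" invites mistakes; list the four tokens explicitly (`L2L`, `L2R`, `R2L`, `R2R`), say that only the ones reported as disabled in step 1 need changing, and add a final step that reruns the query from step 1 to confirm the result. The closing "Learn more" line puts the URL before its label in parentheses; use the `[label](url)` form that the other articles in this patch use.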
@@ -0,0 +1,53 @@ +--- +description: >- + A Logon Activity monitoring plan fails with Event ID 5004 and the error "The + system cannot find the path specified", preventing data collection. This + article explains the cause and provides steps to upgrade or repair Netwrix + Auditor to resolve the issue. +keywords: + - logon activity + - Event ID 5004 + - data collection failed + - The system cannot find the path specified + - Netwrix Auditor + - Logon Activity Audit Service + - repair installation + - upgrade +products: + - auditor +sidebar_label: System Cannot Find the Path Specified in Logon Act +tags: [] +title: "System Cannot Find the Path Specified in Logon Activity Monitoring Plan" +knowledge_article_id: kA04u00000111CeCAI +--- + +# System Cannot Find the Path Specified in Logon Activity Monitoring Plan + +## Symptoms + +- The following error is prompted in Health Log for the Logon Activity monitoring plan: + +``` +Source: Active Directory Logon Activity Audit Service +Event ID: 5004 +Monitoring plan: %monitoring_plan_name% +Data collection has failed. Error: The system cannot find the path specified +``` + +- No data is collected in your affected monitoring plan. + +## Causes + +Netwrix Auditor Logon Activity Audit Service is corrupted or cannot be found. + +## Resolutions + +- Upgrade your Netwrix Auditor instance to the latest version to repair the corrupted service. Refer to the following article for additional information: Installation — Upgrade to the Latest Version ⸱ v10.6. + +- If the latest Netwrix Auditor version is installed in your environment, you can repair your Netwrix Auditor instance. Refer to the following article for additional information: [How to Repair Netwrix Auditor Installation](/docs/kb/auditor/how-to-repair-netwrix-auditor-installation.md). + +### Related articles + +- Installation — Upgrade to the Latest Version ⸱ v10.6 + +- [How to Repair Netwrix Auditor Installation](/docs/kb/auditor/how-to-repair-netwrix-auditor-installation.md) 
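Review bot: the `### Related articles` heading at the end of this file is one level deeper than the `## Symptoms`, `## Causes` and `## Resolutions` headings beside it, so it renders as a subsection of Resolutions; make it `## Related articles`. The Health Log sample under Symptoms is in an untagged fence and sits at column 0 directly under a bullet, so it is not part of that list item; tag it `text` and indent it under the bullet. The upgrade article (v10.6) is referenced twice as plain text with no link target, while the repair article next to it is a proper link.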
diff --git a/docs/kb/auditor/system-changed-client-operating-system.md b/docs/kb/auditor/system-changed-client-operating-system.md new file mode 100644 index 0000000000..bebcbd9c71 --- /dev/null +++ b/docs/kb/auditor/system-changed-client-operating-system.md @@ -0,0 +1,37 @@ +--- +description: >- + Explains why Active Directory reports changes to Operating System attributes + as made by System and how client restarts affect reporting. +keywords: + - Active Directory + - System + - Operating System + - Operating System Version + - Service Pack + - Netwrix Auditor + - client restart + - computer account + - attribute updates +products: + - auditor +sidebar_label: System Changed Client Operating System +tags: [] +title: "System Changed Client Operating System" +knowledge_article_id: kA00g000000H9SaCAK +--- + +# System Changed Client Operating System + +## Question + +Why were changes to Operating System, Operating System Version or Operating System Service Pack attributes reported as made by System? + +## Answer + +This behavior is expected. Changes to the Operating System, Operating System Version and Operating System Service Pack attributes are reported as made by System due to the Active Directory architecture. Active Directory represented by System relies on individual computer accounts to update these attributes on each computer restart. + +- Active Directory receives the Operating System Version attribute data during the communication with a client. This data is then stored in the Active Directory client account. Once local changes occur, the client operating system relays new data to Active Directory. + +If these attributes were changed manually, Netwrix Auditor will report the corresponding user account that introduced these changes. + +> **NOTE:** Once you restart the client with changed attributes, Active Directory represented by System will modify these attributes to be reported by System. 
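Review bot: the closing NOTE in the Answer, "Active Directory represented by System will modify these attributes to be reported by System", is circular and does not tell the reader what they will see after a manual change. State the outcome directly: what the WHO field shows after the client restarts, and whether the earlier entry attributed to the user account remains in the report. The Answer also contains a one-item bullet list (the line starting "- Active Directory receives the Operating System Version attribute data"); fold it into the preceding paragraph.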
diff --git a/docs/kb/auditor/system-changed-directory-objects-for-foreign-security-principals.md b/docs/kb/auditor/system-changed-directory-objects-for-foreign-security-principals.md new file mode 100644 index 0000000000..4dabeee871 --- /dev/null +++ b/docs/kb/auditor/system-changed-directory-objects-for-foreign-security-principals.md 
@@ -0,0 +1,31 @@ +--- +description: >- + Explains why changes to Active Directory Foreign Security Principals appear as + made by the System account and confirms this behavior is expected. +keywords: + - Active Directory + - Foreign Security Principals + - System account + - security principals + - external trust + - Netwrix Auditor + - auditing +products: + - auditor +sidebar_label: System Changed Directory Objects for Foreign Secur +tags: [] +title: "System Changed Directory Objects for Foreign Security Principals" +knowledge_article_id: kA00g000000H9SoCAK +--- + +# System Changed Directory Objects for Foreign Security Principals + +## Question + +Why were changes to the directory objects for Foreign Security Principals reported as made by System? + +## Answer + +This behavior is expected. The Foreign Security Principals container in Active Directory represent security principals from trusted domains external to the forest. It allows foreign security principals to become members of groups within the domain. The Foreign Security Principals objects are created automatically by Active Directory represented by System. Changes of foreignSecurityPrincipal objects reported as made by System are reported as intended. + +For additional information on the Foreign Security Principals container and the Foreign Security Principals objects, refer to the following Microsoft articles: [When to Create an External Trust](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755427(v=ws.10)?redirectedfrom=MSDN) and [How Security Principals Work](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779144(v=ws.10)?redirectedfrom=MSDN). diff --git a/docs/kb/auditor/system-changed-object-path-after-account-name-change.md b/docs/kb/auditor/system-changed-object-path-after-account-name-change.md new file mode 100644 index 0000000000..552e88f409 --- /dev/null 
+++ b/docs/kb/auditor/system-changed-object-path-after-account-name-change.md @@ -0,0 +1,37 @@ +--- +description: >- + Explains why Netwrix Auditor shows System in the WHO field for an Object Path + change after an account name change and how the Canonical-Name attribute is + involved. +keywords: + - Active Directory + - Canonical-Name + - object path + - WHO field + - Netwrix Auditor + - account name change + - OU +products: + - auditor +sidebar_label: System Changed Object Path after Account Name Chan +tags: [] +title: "System Changed Object Path after Account Name Chan" +knowledge_article_id: kA00g000000H9SgCAK +--- + +# System Changed Object Path after Account Name Chan + +## Question + +Why did System stated in the WHO field change Object Path after the account name change? + +## Answer + +This behavior is expected. When an account name is modified, the Active Directory Activity Summary contains 2 changes: + +- The change indicating the name modification. +- The change indicating the modifications to the Object Path of the same account. + +When an account name is modified, Active Directory represented by System automatically changes the account attribute named Canonical-Name. Netwrix Auditor interprets changes to this attribute as object path changes as Canonical-Name attribute reflects the full path to the object in Active Directory. In addition to the name change, Netwrix Auditor creates a change entry with System in the WHO column to reflect the Object Path change details. For additional information on the attribute, refer to the following Microsoft article: https://learn.microsoft.com/en-us/windows/win32/adschema/a-canonicalname?redirectedfrom=MSDN. + +Netwrix Auditor reports the second change as Active Directory represented by System changes Object Path in the Canonical-Name attribute. The actual object path wasn't changed as the account is still in the OU. If you move an account to another OU, WHO field will contain the corresponding account name. 
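Review bot: `title:` and the H1 both end in "Account Name Chan", which matches the truncated `sidebar_label` rather than the filename `system-changed-object-path-after-account-name-change.md`; restore "Change" in both. The Question, "Why did System stated in the WHO field change Object Path after the account name change?", is hard to parse; wording closer to the description, such as "Why does the WHO field show System for an Object Path change after an account name change?", would read better. In the last paragraph, "the account is still in the OU" does not say which OU; "the same OU" would remove the ambiguity.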
diff --git a/docs/kb/auditor/system-changed-service-principle-name-attribute.md b/docs/kb/auditor/system-changed-service-principle-name-attribute.md new file mode 100644 index 0000000000..317c370cfb --- /dev/null +++ b/docs/kb/auditor/system-changed-service-principle-name-attribute.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Explains why changes to the Service Principle Name attribute may be reported + as made by System or a user account, and how to exclude this attribute from + auditing in Netwrix Auditor. +keywords: + - Service Principle Name + - SPN + - Active Directory + - System account + - Netwrix Auditor + - omitproplist + - unomitproplist + - Kerberos +products: + - auditor +sidebar_label: System Changed Service Principle Name Attribute +tags: [] +title: "System Changed Service Principle Name Attribute" +knowledge_article_id: kA00g000000H9SlCAK +--- + +# System Changed Service Principle Name Attribute + +## Question + +Why was a Service Principle Name attribute change reported as made by System or a user account? + +## Answer + +A Kerberos Service Principle Name attribute allows a service on a specific server to be associated with an account responsible for management of the service. Once associated, a mutual Kerberos authentication is permitted. Changes to this attribute are usually made by System in response to the operating system changes on a specific computer, e.g. installation of operating system updates, name changes, installation of SQL Server, etc. +The WHO field for changes related to the Service Principle Name attribute may contain the following: + +- Made by a computer account with $ prefix (**DOMAINXVISIO$**) — the Service Principle Name attribute was changed by a local system service of the computer. +- Made by a domain controller account with $ prefix (**DOMAINXPTDC$**) — the Service Principle Name attribute was changed by a local system service on the domain controller. +- Made by the **System** account — the Service Principle Name attribute was changed by Active Directory represented by System in response to the operating system changes on computer, but the corresponding security event wasn't generated for this system change. +- Made by an actual user account — the Service Principle Name attribute was modified manually. 
+ +Since the Service Principle Name attribute is changed only for system purpose, you can exclude this attribute from the monitoring scope: + +1. In ` %Netwrix Auditor installation folder%\Active Directory Auditing`, add the following line to the `omitproplist.txt` file: + +```text +*.ServicePrincipleName +``` + +2. In the same folder, remove the following line from the `unomitproplist.txt` file: + +```text +*.ServicePrincipleName +``` + +For additional information on Service Principal Name attribute, refer to the following articles: [Service-Principal-Name Attribute](https://learn.microsoft.com/en-us/windows/win32/adschema/a-serviceprincipalname?redirectedfrom=MSDN), [Service Principal Names](https://learn.microsoft.com/en-us/windows/win32/ad/service-principal-names?redirectedfrom=MSDN) and [Service Principal Names (previous documentation)](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961723(v=technet.10)?redirectedfrom=MSDN). diff --git a/docs/kb/auditor/target-computer-cannot-be-identified-in-user-activity-monitoring-plan.md b/docs/kb/auditor/target-computer-cannot-be-identified-in-user-activity-monitoring-plan.md new file mode 100644 index 0000000000..76a4fd9e0d --- /dev/null +++ b/docs/kb/auditor/target-computer-cannot-be-identified-in-user-activity-monitoring-plan.md 
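Review bot: in system-changed-service-principle-name-attribute.md, the entry `*.ServicePrincipleName` given for `omitproplist.txt` and `unomitproplist.txt` is spelled "Principle", while the Microsoft pages linked in the last paragraph name the attribute Service-Principal-Name (`a-serviceprincipalname`). Confirm the exact string the product expects in these files before merging; if entries are matched against the attribute name, a misspelled line would exclude nothing and the reader would get no indication of it. The same "Principle" spelling is used in the title, H1, keywords and filename, whereas the last paragraph uses "Principal"; pick one. The WHO examples `DOMAINXVISIO$` and `DOMAINXPTDC$` are described as having a `$` prefix but show it as a suffix, and it is worth checking whether a backslash after `DOMAIN` was lost.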
@@ -0,0 +1,61 @@ +--- +description: >- + You see "The target computer cannot be identified" for a User Activity + monitoring plan in Netwrix Auditor; this article lists possible causes and + step-by-step resolutions to restore connectivity. +keywords: + - User Activity + - Remote Registry + - SMBv2 + - SMBv3 + - ports + - antivirus exclusions + - User Activity Core Service + - Netwrix Auditor +products: + - auditor +sidebar_label: Target Computer Cannot Be Identified in User Activ +tags: [] +title: "Target Computer Cannot Be Identified in User Activity Monitoring Plan" +knowledge_article_id: kA04u000000wnknCAA +--- + +# Target Computer Cannot Be Identified in User Activity Monitoring Plan + +## Symptom + +You see the following error in the Health Log for your User Activity monitoring plan in Netwrix Auditor: + +```text +Source:User Activity Audit Service +The following error has occurred while processing '%monitored_client%': +The target computer cannot be identified. +Make sure that it is online and reachable, Remote Registry service is enabled. +``` + +## Causes + +- The Remote Registry service is disabled in the affected client. +- Ports required for User Activity monitoring are blocked. +- The antivirus suite used in your environment is blocking access to Netwrix-related folders. +- The SMB v2/v3 protocol is disabled in your environment. +- User Activity Core Service is not installed in the target server or does not match the Auditor server version. + +> IMPORTANT: While SMB v1 can be disabled in your environment, the SMB v2/v3 protocol is required to be enabled for Netwrix Auditor to be operating correctly. + +## Resolutions + +- Enable the Remote Registry service in the affected client — refer to the following article for additional information: Windows File Servers − Enable Remote Registry Service ⸱ v10.6. +- Review the allowed connections in the affected server in accordance with the following article guidelines: User Activity − User Activity Ports ⸱ v10.6. 
+- Exclude the Netwrix-related folders from the monitoring scope of your antivirus suite — refer to the following article for additional information: [Antivirus Exclusions for Netwrix Auditor](/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md). +- Enable the SMB v2/v3 protocol in both the client and server — learn more in [Detect, Enable and Disable SMBv1, SMBv2, and SMBv3 ⸱ Windows Learn](https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server#how-to-detect-status-enable-and-disable-smb-protocols). +- Review the list of apps installed in the affected server. If User Activity Core Service is either missing or is outdated, refer to the following articles for additional information: Installation − Install for User Activity Core Service · v10.6 and [Manually Update User Activity Core Service](/docs/kb/auditor/manually-update-user-activity-core-service.md). + +## Related articles + +- Windows File Servers − Enable Remote Registry Service ⸱ v10.6 +- User Activity − User Activity Ports ⸱ v10.6 +- [Antivirus Exclusions for Netwrix Auditor](/docs/kb/auditor/antivirus-exclusions-for-netwrix-auditor.md) +- [Detect, Enable and Disable SMBv1, SMBv2, and SMBv3 ⸱ Windows Learn](https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server#how-to-detect-status-enable-and-disable-smb-protocols) +- Installation − Install for User Activity Core Service · v10.6 +- [Manually Update User Activity Core Service](/docs/kb/auditor/manually-update-user-activity-core-service.md) diff --git a/docs/kb/auditor/the-account-lockout-examiner-service-account.md b/docs/kb/auditor/the-account-lockout-examiner-service-account.md new file mode 100644 index 0000000000..8dd4e35631 --- /dev/null +++ b/docs/kb/auditor/the-account-lockout-examiner-service-account.md 
@@ -0,0 +1,82 @@ +--- +description: >- + Instructions to create and configure a less-privileged service account for the + Account Lockout Examiner so you do not need to grant Domain Admin rights. + Covers Group Policy user rights, group membership, WMI, DCOM, and local + administrator privileges. +keywords: + - account lockout + - service account + - WMI + - DCOM + - Event Log Readers + - Account Operators + - Group Policy + - local administrator +products: + - auditor +sidebar_label: The Account Lockout Examiner service account +tags: [] +title: "The Account Lockout Examiner service account" +knowledge_article_id: kA00g000000H9dJCAS +--- + +# The Account Lockout Examiner service account + +If you do not want to grant Domain Admin rights to the service account, you can create a less-privileged one. To create an account that has all required rights, perform the following steps. + +On any Domain Controller that has Group Policy Management: + +## Step 1. Enable the Manage auditing and security log user right for this account +1. Run **Group Policy Management** +2. Navigate to the Group Policy Object applied to all Domain Controllers (for example, **Default Domain Controllers Policy**) +3. Right-click on it and select **Edit** +4. Expand **Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment** +5. Double-click the **Manage auditing and security log** policy +6. Click **Add user or group**, specify the Account Lockout Examiner **service account**, and click **OK** + +[![User-added image](images/ka04u000000HcW3_0EM700000004wqQ.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xdsb&feoid=00N700000032Pj2&refid=0EM700000004wqQ) + +## Step 2. Add the service account to the required security groups +1. Run **Active Directory Users and Computers** +2. Expand **`` - Built-in** +3. Click the **Account Operators** group and select **Properties** +4. 
Go to the **Members** tab and add the user account you want to use for the Account Lockout Examiner service to the list +5. For **Windows 2008 and above** Domain Controllers, add the service account to the **Event Log Readers** group + +[![User-added image](images/ka04u000000HcW3_0EM700000004wqL.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xdsb&feoid=00N700000032Pj2&refid=0EM700000004wqL) + +## Step 3. On every monitored Domain Controller, enable WMI access +1. Run **Computer Management** (Start -> Administrative Tools -> Computer Management) +2. Expand **Services and Applications -> WMI Control** +3. Right-click on it and select **Properties** +4. Go to the **Security** tab and expand **Root -> CIMV2** +5. Highlight **CIMV2** and click the **Security** button at the bottom of the window +6. Add the user account you want to use for the Account Lockout Examiner service to the list +7. Grant it the **Remote Enable** permission (put a check in the **Allow** checkbox) + +[![User-added image](images/ka04u000000HcW3_0EM700000004wqV.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xdsb&feoid=00N700000032Pj2&refid=0EM700000004wqV) + +## Step 4. Configure DCOM settings +1. Open **Component Services** (Start -> Programs -> Administrative Tools -> Component Services) +2. Navigate to **Component Services - Computers - My Computer**. Right-click it and select **Properties** +3. Go to the **COM Security** tab +4. Click the **Edit Limits** button in the **Launch and Activation Permissions** group box +5. Add the user account you want to use for the Account Lockout Examiner service to the top window +6. Set the **Allow** checkbox for the **Remote Activation** option + +[![User-added image](images/ka04u000000HcW3_0EM700000004wqa.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xdsb&feoid=00N700000032Pj2&refid=0EM700000004wqa) + +**NOTE:** Steps 3 and 4 might require a reboot to apply the new settings. 
+ +## Step 5. On the machine where NetWrix Account Lockout Examiner is installed, grant local administrator rights to the service account +1. Run **Computer Management** +2. Expand **System Tools -> Local Users and Groups -> Groups** +3. Right-click the **Administrators** group and select **Add to group** +4. Click **Add** and specify the service account. Click **OK** + +[![User-added image](images/ka04u000000HcW3_0EM700000004wqf.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xdsb&feoid=00N700000032Pj2&refid=0EM700000004wqf) + +## Step 6. On all machines that need to be examined by Account Lockout Examiner, grant local administrator rights to the service account +- Grant local administrator rights either manually or by Group Policy. +- Local admin rights are also necessary to find the root process causing invalid logons. diff --git a/docs/kb/auditor/the-best-way-to-find-the-attribute-name-when-configuring-real-time-alerts.md b/docs/kb/auditor/the-best-way-to-find-the-attribute-name-when-configuring-real-time-alerts.md new file mode 100644 index 0000000000..4e1c570122 --- /dev/null +++ b/docs/kb/auditor/the-best-way-to-find-the-attribute-name-when-configuring-real-time-alerts.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Shows how to find the exact attribute name (PropNameInt) for configuring Real + Time Alerts in Netwrix Auditor by querying the NetWrix Active Directory SQL + database. +keywords: + - netwrix auditor + - real time alerts + - attribute name + - PropNameInt + - PropChanges + - SQL + - Active Directory +products: + - auditor +visibility: public +sidebar_label: The best way to find the Attribute Name when confi +tags: [] +title: "The best way to find the Attribute Name when configuring Real Time Alerts" +knowledge_article_id: kA00g000000H9WFCA0 +--- + +# The best way to find the Attribute Name when configuring Real Time Alerts + +When configuring Real Time Alerts in Netwrix Auditor it can sometimes be difficult to ensure you have the proper attribute names selected. + +There are various methods for ensuring you get the proper attribute name; however, the best method if you have access to the Netwrix SQL databases is to simply run a query to find exactly what it is. + +1. Find a change in your Change Summary Reports that you want to create a real time alert for. +2. Note the bold text in the **Details** column. For purposes of this KB we will call this the **friendly attribute name**. +3. Log into **SQL Management Studio** and connect to the SQL Instance which contains your Netwrix Active Directory database. +4. Expand **Databases** and find the Netwrix Active Directory database. By default this is `NetWrix_AD_Change_Reporter`. +5. **Right click** the database and select **New Query**. +6. Run the following query against the database replacing the variables between the %. 
+ +```sql +Select * from dbo.PropChanges where PropName like '%friendly attribute name%' +``` + +For example, if you are wanting to create a real time alert for when someone gets locked out, the friendly attribute name would be `User Account Locked Out` and so you would run the following query against the database: + +```sql +Select * from dbo.PropChanges where PropName like 'User Account Locked Out' +``` + +7. In the query results you will see two columns **PropName** and **PropNameInt**. All `PropName` values should be exactly what you queried for and the resulting `PropNameInt` is the attribute name you will use in your real time alert. + +For the above example the `PropNameInt` for `User Account Locked Out` is `lockoutTime`. diff --git a/docs/kb/auditor/the-changes-are-reported-with-the-unknown-value-in-the-who-changed-column-for-sharepoint.md b/docs/kb/auditor/the-changes-are-reported-with-the-unknown-value-in-the-who-changed-column-for-sharepoint.md new file mode 100644 index 0000000000..ad8e7da619 --- /dev/null +++ b/docs/kb/auditor/the-changes-are-reported-with-the-unknown-value-in-the-who-changed-column-for-sharepoint.md 
@@ -0,0 +1,30 @@ +--- +description: >- + Certain SharePoint changes may be reported with the "Unknown" value in the + "Who Changed" column, for example automatic creation of SharePoint groups on + site creation and actions performed by the "Anonymous" user when permitted by + security policy. +keywords: + - SharePoint + - Unknown + - Who Changed + - Anonymous + - SharePoint groups + - permissions + - Netwrix Auditor +products: + - auditor +sidebar_label: 'The changes are reported with the "Unknown" value ' +tags: [] +title: >- + The changes are reported with the "Unknown" value in the "Who Changed" + column for SharePoint +knowledge_article_id: kA00g000000H9STCA0 +--- + +# The changes are reported with the `Unknown` value in the **Who Changed** column for SharePoint + +The following changes are reported with the `Unknown` value in the **Who Changed** column: + +- Automatic creation of SharePoint groups on site creation if it uses unique permissions instead of inheriting them +- All changes made by the `Anonymous` user if the security policy permits such changes diff --git a/docs/kb/auditor/the-changes-can-be-reported-with-the-not-applicable-value-in-the-workstation-field-for-sharepoint.md b/docs/kb/auditor/the-changes-can-be-reported-with-the-not-applicable-value-in-the-workstation-field-for-sharepoint.md new file mode 100644 index 0000000000..07e22f69f4 --- /dev/null +++ b/docs/kb/auditor/the-changes-can-be-reported-with-the-not-applicable-value-in-the-workstation-field-for-sharepoint.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Explains which SharePoint changes are reported with the "Not applicable" value + in the "Workstation" field and when the field is missing in Netwrix Auditor + audit reports. +keywords: + - SharePoint + - Workstation + - Change Summary + - audit reports + - Not applicable + - content security + - farm configuration + - Netwrix Auditor + - PowerShell + - Upload Multiple Files +products: + - auditor +sidebar_label: The changes can be reported with the "Not applicab +tags: [] +title: >- + The changes can be reported with the "Not applicable" value in the + "Workstation" field for SharePoint +knowledge_article_id: kA00g000000H9SZCA0 +--- + +# The changes can be reported with the "Not applicable" value in the "Workstation" field for SharePoint + +The following changes are reported with the "Not applicable" value in the "Workstation" field in the Change Summary + +emails (in audit reports the "Workstation" field will be missing for these changes): + +- **Content Security changes:** + - Assignment of permissions to SharePoint sites,lists, libraries, folders, documents or items + - Permission inheritance break or restore on any SharePoint object + - Creation and deletion of SharePoint groups, as well as changes to group membership + - Creation, deletion and modification of permission levels + +- **Farm configuration changes:** + - Changes to the Farm administrators group membership + - Addition and removal of servers, changes to service status + - Web application creation and deletion, changes to key web application settings + - Changes to the following web application security policies: anonymous access policy, user policy, security policy levels + - Site collection creation and deletion, changes to key site collection settings + - Addition, removal and deployment of SharePoint solutions + - Addition and removal, activation and deactivation of farm-wide features + +The **"Workstation"** field is not reported for content changes if 
they were made in one of the following ways: + +- Through PowerShell cmdlets +- Through the **Site settings --> Content and Structure** menu +- Through Microsoft Office applications integrated with SharePoint +- Through SharePoint workflows +- Through the **Upload Multiple Files** menu option +- Through the **Open With Explorer** menu option +- Through a shared folder +- Deletion of items through the context menu diff --git a/docs/kb/auditor/the-conceptqs-application-pool-crashes-on-startup.md b/docs/kb/auditor/the-conceptqs-application-pool-crashes-on-startup.md new file mode 100644 index 0000000000..01f93f7862 --- /dev/null +++ b/docs/kb/auditor/the-conceptqs-application-pool-crashes-on-startup.md 
@@ -0,0 +1,56 @@ +--- +description: >- + The conceptQS Application Pool may crash on startup due to a conflict with the + Microsoft Monitoring Agent. Uninstalling the Microsoft Monitoring Agent and + restarting the server typically resolves the issue. +keywords: + - conceptQS + - Application Pool + - Microsoft Monitoring Agent + - PerfMon64.dll + - w3wp.exe + - Event ID 1000 + - Application Error +products: + - auditor + - data-classification +sidebar_label: The conceptQS Application Pool crashes on startup +tags: [] +title: "The conceptQS Application Pool crashes on startup" +knowledge_article_id: kA00g000000H9eCCAS +--- + +# The conceptQS Application Pool crashes on startup + +The **conceptQS** **Application** **Pool** crashes on startup with multiple errors entered into the **Windows** → **Application** event logs. + +The error message may look like the below: + +```text +Log Name: Application +Source: Application Error +Date: XX.XX.XXXX XX:XX:XX +Event ID: 1000 +Task Category: (100) +Level: Error +Keywords: Classic +User: N/A +Computer: <COMPUTERNAME> +Description: +Faulting application name: w3wp.exe, version: 8.0.9200.16384, time stamp: 0x50108835 +Faulting module name: PerfMon64.dll, version: 8.0.10918.0, time stamp: 0x577fd168 +Exception code: 0xc0000409 +Fault offset: 0x0000000000149794 +Faulting process id: 0x2c38 +Faulting application start time: 0x01d24405d195eb6a +Faulting application path: c:windowssystem32inetsrvw3wp.exe +Faulting module path: C:Program FilesMicrosoft Monitoring AgentAgentAPMDOTNETAgentV8.0.10918.0PerfMon64.dll +``` + +This issue can occur when the **Microsoft Monitoring Agent** is installed on the server. In order to resolve this issue, follow the steps below: + +1. Open the **Control Panel** +2. Open **Programs and Features** +3. Select the " **Microsoft Monitoring Agent** " and select " **Remove** "/" **Uninstall** " +4. **Restart** the server +5. Test accessing the **conceptQS** application 
diff --git a/docs/kb/auditor/the-conceptserviceviewer-application-fails-to-show-the-current-service-statuses-after-installation.md b/docs/kb/auditor/the-conceptserviceviewer-application-fails-to-show-the-current-service-statuses-after-installation.md new file mode 100644 index 0000000000..b6d024e08f --- /dev/null +++ b/docs/kb/auditor/the-conceptserviceviewer-application-fails-to-show-the-current-service-statuses-after-installation.md 
@@ -0,0 +1,63 @@ +--- +description: >- + After installation, the conceptServiceViewer application may fail to display + current service statuses and log a WMI schema registration error. This article + describes the error and provides step-by-step remediation, including ensuring + service accounts are local administrators and repairing the installation. +keywords: + - conceptServiceViewer + - Concept Searching Event Viewer + - WMI schema + - local administrator + - services.msc + - conceptInstaller + - Server 2016 + - conceptCollector + - conceptIndexer + - conceptClassifier +products: + - auditor + - data-classification +sidebar_label: The conceptServiceViewer application fails to show +tags: [] +title: "The conceptServiceViewer application fails to show the current service statuses after installation" +knowledge_article_id: kA00g000000H9eICAS +--- + +# The conceptServiceViewer application fails to show the current service statuses after installation + +## Symptom + +Typically an **error** similar to the below is logged to the **Concept Searching** **Event Viewer** log: + +```text +Error: System.Exception: This schema for this assembly has not been registered with WMI. +at System.Management.Instrumentation.Instrumentation.Initialize(Assembly assembly) +at System.Management.Instrumentation.Instrumentation.GetInstrumentedAssembly(Assembly assembly) +at System.Management.Instrumentation.Instrumentation.GetFireFunction(Type type) +at System.Management.Instrumentation.BaseEvent.get_FireFunction() +at System.Management.Instrumentation.BaseEvent.Fire() +``` + +The specified **error** can occur when the initial **installation** is completed with an **account** that does not have **local administration** **rights**. + +## Resolution + +1. Ensure that the **account** specified to run each **Windows** **service** is configured as a **local** **administrator**: + 1. Open the **Run** window by clicking the **Start** button and then clicking **Run**. + 2. 
In the **Run** window, type `services.msc` and then click **OK**. + 3. Locate each **Windows** service (`conceptCollector`, `conceptIndexer`, and `conceptClassifier`). + 4. Ensure that each **user** specified as the `Log on as` value is a **local administrator**. +2. **Restart** the **Server**. +3. **Logon** as the specified service account (or another **local administrator**). +4. Re-run the **conceptInstaller application** and run a **"Repair"** operation. + +## Making the user a local administrator on Server 2016 computer + +1. Click **Start** > **Server Manager**. +2. On the upper-right corner of the **Server Manager** dashboard page, click **Tools** > **Computer Management**. +3. In the navigation pane of the **Computer Management** page, expand **Local Users and Groups**, and then click **Users**. +4. From the **Users** list, right-click the **user** to which you want to assign **administrator** rights, and click **Properties**. +5. Click the **Member Of** tab, and click **Add**. +6. On the **Select Group** page, type `Administrators`, and then click **OK**. +7. Click **Apply** and **OK**. diff --git a/docs/kb/auditor/the-disk-on-a-monitored-file-server-is-overfilled.md b/docs/kb/auditor/the-disk-on-a-monitored-file-server-is-overfilled.md new file mode 100644 index 0000000000..49b2ad46e7 --- /dev/null +++ b/docs/kb/auditor/the-disk-on-a-monitored-file-server-is-overfilled.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Describes causes and resolution steps when a monitored file server disk is + filled by Security event log auto archives. +keywords: + - security event log + - auto archives + - disk space + - CleanAutoBackupLogs + - ProcessBackupLogs + - Netwrix Auditor + - audit archives + - Event Viewer + - registry +products: + - auditor +sidebar_label: The disk on a monitored file server is overfilled +tags: [] +title: "The disk on a monitored file server is overfilled" +knowledge_article_id: kA00g000000H9ZcCAK +--- + +# The disk on a monitored file server is overfilled + +The disk on a monitored file server is overfilled with Security event log auto archives. + +## Possible causes + +Disk overfilling can be caused by the following reasons: + +- Removal of processed auto archives is not configured. +- The maximum size of the Security event log does not meet [Microsoft](http://support.microsoft.com/kb/957662) recommendations, so Netwrix Auditor cannot process auto archives and remove them. +- The disk where auto archives are stored is too small to contain all archives accumulated between two Netwrix Auditor data collections. + +## Resolution + +1. Check whether the automatic removal is configured. On the computer where Netwrix Auditor is installed, perform the following: + 1. Navigate to **Start -> Run** and type `regedit`. + 2. Expand `HKEY_LOCAL_MACHINE/SOFTWARE/(Wow6432Node)/Netwrix/File Server Change Reporter.` + 3. Make sure `ProcessBackupLogs` is set to `1`. + 4. Make sure `CleanAutoBackupLogs` is set to X - a positive integer number (the archive is removed when all events are older than `X` hours). + +Refer to [Netwrix Auditor Installation and Configuration Guide](http://www.netwrix.com/download/documents/Netwrix_Auditor_Installation_Configuration_Guide.pdf) for more information. + +2. If the automatic removal option is enabled, check the audit archives creation date. 
+ - If archives are stored longer than it is defined by the limiting `CleanAutoBackupLogs` parameter, make sure that `Security` event log can be reached by Netwrix Auditor, and the log"s size meets [Microsoft](http://support.microsoft.com/kb/957662) requirements. + - If archives are not stored longer than it is defined by the limiting `CleanAutoBackupLogs` parameter, and `Security` event log can be reached by Netwrix Auditor, and the log"s size meets [Microsoft](http://support.microsoft.com/kb/957662) requirements, it means that audit archives fill the free disk space before Netwrix Auditor removes them. To resolve this issue, do one of the following: + - Change location of the Event Viewer log files. Move them to a disk with more free space available. Audit archives will be accumulated on the disk and removed after the data collection. **Note**: For information on how to do this for Windows 2000 and Windows Server 2003, refer to the following [Microsoft technical article](http://support.microsoft.com/kb/315417). For Windows Server 2008 and above, log location can be changed under the log properties. It is recommended to reboot your server after this manipulations. + - Configure Netwrix Auditor to run data collection more frequently and decrease the value of the `CleanAutoBackupLogs` parameter. If the task runs frequently enough to prevent the Security event log from being overfilled, you can disable the automatic archiving option (the disk will not be overfilled, but this can lead to audit data loss). To adjust the data collection schedule, in Netwrix Auditor, navigate to **Settings -> Data Collection**, click **Modify** next to **Default data collection and Change Summary generation schedule.** In the **Modify Schedule** dialogue select **Advanced** and adjust the schedule as necessary. 
+ +**Note:** Before updating the `CleanAutoBackupLogs` parameter, make sure that Netwrix Auditor has enough time to process audit archives for other audited systems before the archives are removed. diff --git a/docs/kb/auditor/the-domain-param-parameter-is-missing-a-value.md b/docs/kb/auditor/the-domain-param-parameter-is-missing-a-value.md new file mode 100644 index 0000000000..8d0b4a9cd5 --- /dev/null +++ b/docs/kb/auditor/the-domain-param-parameter-is-missing-a-value.md @@ -0,0 +1,38 @@ +--- +description: >- + Explains how to resolve the warning that the Domain Param parameter is missing + a value during Active Directory snapshot report generation by enabling + snapshot reporting or importing snapshots into Netwrix Auditor. +keywords: + - Active Directory + - snapshot + - snapshot reporting + - Domain Param + - Netwrix Auditor + - State-in-Time Reports + - reports + - import snapshot + - warning +products: + - auditor +sidebar_label: The 'Domain Param' parameter is missing a value +tags: [] +title: The 'Domain Param' parameter is missing a value +knowledge_article_id: kA00g000000H9bECAS +--- + +# The 'Domain Param' parameter is missing a value + +You are getting the following warning during AD snapshot report generation: + +![User-added image](images/ka04u000000HcTz_0EM700000005AFx.png) + +--- + +It can happen if the snapshot reporting feature is disabled and/or no AD snapshots were uploaded to the database. + +--- + +In order to fix this issue please open the Netwrix Auditor and make sure that snapshot reporting feature is enabled under **Active Directory | Reports | Snapshot Reports (State-in-Time Reports)** tab. + +Otherwise, on the same page you can import the snapshot you want to report on to the database. In order to do this, transfer the snapshot from the **"All available snapshots"** to the **"SNapshots available for reporting"** column and then click the **"Apply"** button. 
diff --git a/docs/kb/auditor/the-email-address-column-in-the-enrollment-report.md b/docs/kb/auditor/the-email-address-column-in-the-enrollment-report.md new file mode 100644 index 0000000000..32babb6c7b --- /dev/null +++ b/docs/kb/auditor/the-email-address-column-in-the-enrollment-report.md 
@@ -0,0 +1,42 @@ +--- +description: >- + Explains why the Email Address column in the Enrollment report is blank and + how to enable Additional authentication using the user email so enrolled users + have email addresses populated for password reset. +keywords: + - Enrollment report + - Email Address column + - password reset + - Authentication Policy + - Additional authentication + - enrollment + - user email + - reset link + - enrolled users +products: + - auditor +sidebar_label: The Email Address column in the Enrollment report +tags: [] +title: "The Email Address column in the Enrollment report" +knowledge_article_id: kA00g000000H9U3CAK +--- + +# The Email Address column in the Enrollment report + +When you run the Enrollment report, the Email Address column fields are blank for all user accounts. What should this column show and what can you do to make this work? + +![User-added image](images/ka04u000000HcNo_0EM700000004xIo.png) + +--- + +The **Email Address** column returns the email address used for **Additional authentication using the user email** feature. + +An email with a unique link to the password reset page is sent to this address after the user answers secret questions. The user then should follow the link to complete password reset. The Email Address field contains data for the enrolled users only, because this email is specified during the enrollment procedure if the Authentication policy feature is enabled. + +![User-added image](images/ka04u000000HcNo_0EM700000004xIy.png) + +To enable this feature: + +1. On the **Administrative portal - Settings - Authentication Policy** tab, select the **Additional authentication using the user email** check box. + +![User-added image](images/ka04u000000HcNo_0EM700000004xIt.png) 
diff --git a/docs/kb/auditor/the-event-logs-reports-for-windows-server-does-not-contain-any-data.md b/docs/kb/auditor/the-event-logs-reports-for-windows-server-does-not-contain-any-data.md new file mode 100644 index 0000000000..416098f773 --- /dev/null +++ b/docs/kb/auditor/the-event-logs-reports-for-windows-server-does-not-contain-any-data.md 
@@ -0,0 +1,41 @@ +--- +description: >- + If you configured a Windows Servers monitoring plan in Netwrix Auditor but the + Windows Server → Event Log reports show no data, configure a monitoring plan + for Netwrix Auditor Event Log Manager and set Audit Archiving filters. This + article explains the steps to configure Event Log Manager, test changes, and + run reports. +keywords: + - event logs + - Windows Server + - Netwrix Auditor + - Event Log Manager + - Audit Archiving Filters + - monitoring plan + - reports + - troubleshooting +products: + - auditor +sidebar_label: The Event Logs reports for Windows Server does not +tags: [] +title: "The Event Logs reports for Windows Server does not contain any data" +knowledge_article_id: kA04u00000110yXCAQ +--- + +# The Event Logs reports for Windows Server does not contain any data + +## Symptom + +You have configured a **Windows Servers** monitoring plan in Netwrix Auditor, the data is being collected, however, the reports under **Windows Server** -> **Event Log** do not show any data. + +## Cause + +To review your data in these reports, you should configure a monitoring plan for Netwrix Auditor Event Log Manager. + +## Resolution + +1. On the computer that hosts Netwrix Auditor Server, run Netwrix Auditor Event Log Manager. +2. Navigate to Audit Archiving filters and configure them as described in Configure Audit Archiving Filters for Event Log. + ![User-added image](images/ka04u0000011776_0EM4u000008Ls7s.png) +3. Perform any test changes, for example, log in to a server for which you want to review data in reports. +4. Wait for 10 - 15 minutes for changes to take effect and run reports. diff --git a/docs/kb/auditor/the-following-error-occurred-during-the-sql-database-content-audit-configuration-could-not-obtain-in.md b/docs/kb/auditor/the-following-error-occurred-during-the-sql-database-content-audit-configuration-could-not-obtain-in.md new file mode 100644 index 0000000000..698b1934ac --- /dev/null 
+++ b/docs/kb/auditor/the-following-error-occurred-during-the-sql-database-content-audit-configuration-could-not-obtain-in.md @@ -0,0 +1,40 @@ +--- +description: >- + Explains how to resolve the SQL database content audit error "Could not obtain + information about Windows NT group/user '......', error code 0x5" by granting + the Netwrix Data Processing Account appropriate permissions on the SQL Server + and restarting services. +keywords: + - SQL error 0x5 + - Windows NT group + - Netwrix + - Data Processing Account + - sysadmin + - SQL Server Management Studio + - SQL Agent + - Reporting Services +products: + - auditor +sidebar_label: 'The following error occurred during the SQL database content audit configuration' +tags: [] +title: 'The following error occurred during the SQL database content audit configuration: Could not obtain information about Windows NT group/user "......", error code 0x5.' +knowledge_article_id: kA00g000000H9ZtCAK +--- + +# The following error occurred during the SQL database content audit configuration: Could not obtain information about Windows NT group/user ''......'', error code 0x5. + +You are getting the following error message in the summary reports and the product: "The following error occurred during the SQL database content audit configuration: Could not obtain information about Windows NT group/user '......', error code 0x5." + +--- + +There is a permission issue with the Netwrix Data Processing Account. + +--- + +In order to resolve the issue please perform the following steps: + +1. Run **SQL Server Management Studio**; +2. Connect to the target SQL server with `sa` or owner of the server account; +3. Under **Security -> Logins** find the the Netwrix Data processing account and open it's properties; +4. Open the **Server Roles** tab and select **sysadmin** role; +5. Restart the **SQL service**, **SQL Agent Service** and **Reporting** and **Analysis services** if installed. 
diff --git a/docs/kb/auditor/the-following-issues-have-been-detected-when-trying-to-configure-exchange-server-administrator-audit.md b/docs/kb/auditor/the-following-issues-have-been-detected-when-trying-to-configure-exchange-server-administrator-audit.md new file mode 100644 index 0000000000..e2df4d57ef --- /dev/null +++ b/docs/kb/auditor/the-following-issues-have-been-detected-when-trying-to-configure-exchange-server-administrator-audit.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains how to resolve the AdminAuditLogParameters error by setting + AdminAuditLogParameters to "*" and provides the exact Set-AdminAuditLogConfig + command to run in Exchange PowerShell. +keywords: + - Exchange + - AdminAuditLogParameters + - Set-AdminAuditLogConfig + - Administrator Audit Logging + - PowerShell + - AdminAuditLogCmdlets +products: + - auditor +sidebar_label: 'The following issues have been detected when trying to configure Exchange Server Administrator Audit Logging' +tags: [] +title: 'The following issues have been detected when trying to configure Exchange Server Administrator Audit Logging settings: Parameter "AdminAuditLogParameters" of cmdlet "Set-AdminAuditLogConfig" must be set to "*"' +knowledge_article_id: kA00g000000H9ZRCA0 +--- + +# The following issues have been detected when trying to configure Exchange Server Administrator Audit Logging settings: Parameter 'AdminAuditLogParameters' of cmdlet 'Set-AdminAuditLogConfig' must be set to '*' + +## Issue + +You receive the follow error: + +The following issues have been detected when trying to configure Exchange Server Administrator Audit Logging settings: Parameter 'AdminAuditLogParameters' of cmdlet 'Set-AdminAuditLogConfig' must be set to '*' + +--- + +The AdminAuditLogParameter needs to be set to * + +--- + +## Resolution + +1. Run the following command within your Exchange PowerShell environment: + +```powershell +Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit 30 -AdminAuditLogCmdlets * -AdminAuditLogParameters * +``` diff --git a/docs/kb/auditor/the-minimal-rights-for-the-netwrix-password-expiration-notifier-service-account.md b/docs/kb/auditor/the-minimal-rights-for-the-netwrix-password-expiration-notifier-service-account.md new file mode 100644 index 0000000000..205c43c88d --- /dev/null +++ b/docs/kb/auditor/the-minimal-rights-for-the-netwrix-password-expiration-notifier-service-account.md 
@@ -0,0 +1,31 @@ +--- +description: >- + Lists the minimal rights required for the Netwrix Password Reset service + account, including group membership, local administrative rights, and SMTP + send permissions. +keywords: + - password expiration + - service account + - permissions + - Domain Admins + - local administrators + - SMTP + - Netwrix Password Reset + - rights +products: + - auditor +sidebar_label: The minimal rights for the Netwrix Password Reset service account +tags: [] +title: "The minimal rights for the Netwrix Password Reset service account" +knowledge_article_id: kA00g000000Pbd0CAC +--- + +# The minimal rights for the Netwrix Password Reset service account + +What are the minimal rights required for the Netwrix Password Reset service account? + +--- + +- Member of Domain Admins +- Member of the local administrator group on the computer where Netwrix Password Reset is installed +- Granted permissions to send emails using the specified SMTP server. diff --git a/docs/kb/auditor/the-name-of-the-process-that-caused-an-account-lockout-does-not-appear-in-examination-results.md b/docs/kb/auditor/the-name-of-the-process-that-caused-an-account-lockout-does-not-appear-in-examination-results.md new file mode 100644 index 0000000000..6a46acc5ea --- /dev/null +++ b/docs/kb/auditor/the-name-of-the-process-that-caused-an-account-lockout-does-not-appear-in-examination-results.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Explains why the name of the process that caused an account lockout may not + appear in examination results and how to verify it by checking the Windows + Security log. +keywords: + - account lockout + - invalid logon + - event 4625 + - event 529 + - Kerberos + - Security log + - process name + - Account Lockout Examiner + - Netwrix +products: + - auditor +sidebar_label: The name of the process that caused an account loc +tags: [] +title: "The name of the process that caused an account lockout does not appear in examination results" +knowledge_article_id: kA00g000000H9dMCAS +--- + +# The name of the process that caused an account lockout does not appear in examination results + +Netwrix Account Lockout Examiner relies on the Windows audit system. + +The name of the process is logged in the invalid logon event (`4625` in Windows Vista/2008/7/2008R2, events `529-539` in older versions). + +[![User-added image](images/ka04u000000HcW6_0EM700000004wzN.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAcv&feoid=00N700000032Pj2&refid=0EM700000004wzN) + +**Account Lockout Examiner** will not show the name of the process if either there is no corresponding invalid logon event or the name of the process is not tracked by Windows Audit. + +This can occur due to several reasons, for example: + +1. Kerberos authentication that takes place before an actual account logon failed, so there is only an invalid Kerberos logon event but no account logon event tracked (the most common). +2. Windows XP invalid logon events (event `529`) do not contain the name of the process that caused this event. +3. Events logged due to entering invalid credentials in an RDP client window normally do not contain the name of the process that caused this event. + +There are a lot of other situations when the name of a process can be not logged. 
The easiest way to make sure that **Account Lockout Examiner** reflects all information correctly is to manually check the invalid logon event in the Security log. diff --git a/docs/kb/auditor/the-order-in-which-domains-appear-in-the-managed-domains-list.md b/docs/kb/auditor/the-order-in-which-domains-appear-in-the-managed-domains-list.md new file mode 100644 index 0000000000..59c544a3e3 --- /dev/null +++ b/docs/kb/auditor/the-order-in-which-domains-appear-in-the-managed-domains-list.md @@ -0,0 +1,29 @@ +--- +description: >- + Explains that the managed domains list on the Self-Service Portal is sorted + alphabetically and is case-sensitive, and how to place a domain at the top of + the list. +keywords: + - managed domains + - Self-Service Portal + - Administrative Portal + - domains list + - alphabetical + - case-sensitive + - uppercase + - domain order +products: + - auditor +sidebar_label: The order in which domains appear in the managed d +tags: [] +title: "The order in which domains appear in the managed d" +knowledge_article_id: kA00g000000H9dUCAS +--- + +# The order in which domains appear in the managed d + +The list of managed domains shown on the **Self-Service Portal** is sorted alphabetically and is case-sensitive. + +To sort domains, specify the domain name you want at the top in capital letters in the **Domains** section of the **Administrative Portal**. + +[![User-added image](images/ka04u000000HcWF_0EM700000004xUV.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xdsq&feoid=00N700000032Pj2&refid=0EM700000004xUV) diff --git a/docs/kb/auditor/the-product-does-not-report-on-changes-to-calendar.md b/docs/kb/auditor/the-product-does-not-report-on-changes-to-calendar.md new file mode 100644 index 0000000000..8f410299e0 --- /dev/null +++ b/docs/kb/auditor/the-product-does-not-report-on-changes-to-calendar.md 
@@ -0,0 +1,34 @@ +--- +description: >- + The Calendar folder is excluded from auditing by default to avoid reporting + shared calendars as unauthorized non-owner mailbox access. This article + explains how to include the Calendar folder in monitoring by editing the + exclusion file. +keywords: + - calendar + - mailbox + - non-owner access + - auditing + - Netwrix + - Exchange + - mailboxestoexclude.txt + - monitoring + - exclude + - Calendar folder +products: + - auditor +sidebar_label: The product does not report on changes to Calendar +tags: [] +title: "The product does not report on changes to Calendar" +knowledge_article_id: kA00g000000H9XyCAK +--- + +# The product does not report on changes to Calendar + +The **Calendar** folder is excluded from auditing by default, because users often share their calendars. Access to a shared mailbox folder by non-owners will be qualified as unauthorized non-owner access to the mailbox by the product. + +If you still want to monitor the **Calendar** folder, do the following: + +1. Navigate to the Netwrix Non-Owner Mailbox Access Reporter for Exchange installation directory. +2. Open the `mailboxestoexclude.txt` file and delete the `*/calendar*` line. +3. Save the changes. diff --git a/docs/kb/auditor/the-remote-procedure-call-failed-error-when-collecting-logs.md b/docs/kb/auditor/the-remote-procedure-call-failed-error-when-collecting-logs.md new file mode 100644 index 0000000000..f055a05941 --- /dev/null +++ b/docs/kb/auditor/the-remote-procedure-call-failed-error-when-collecting-logs.md 
@@ -0,0 +1,51 @@ +--- +description: >- + This article explains causes and resolutions for the "The remote procedure + call failed and did not execute" error that can occur when Netwrix Auditor + collects logs from target systems. It lists possible causes related to + firewall, permissions, and RPC server availability and provides links to + further guidance. +keywords: + - RPC + - The remote procedure call failed + - event logs + - firewall rules + - permissions + - Netwrix Auditor + - data collection + - RPC server unavailable +products: + - auditor +sidebar_label: The Remote Procedure Call Failed Error When Collec +tags: [] +title: "The Remote Procedure Call Failed Error When Collecting Logs" +knowledge_article_id: kA04u000001114LCAQ +--- + +# The Remote Procedure Call Failed Error When Collecting Logs + +## Symptom + +When trying to collect data from target systems with Netwrix Auditor, the following error appears: + +```text +The remote procedure call failed and did not execute. +``` + +## Causes + +Here are the possible causes for the issue: + +- Cause 1. Current Firewall configuration blocks access to event logs. +- Cause 2. Insufficient permissions for the account used for data collection. +- Cause 3. Issues with RPC server (RPC server is unavailable). + +## Resolutions + +Review the possible resolutions depending on you cause: + +- For cause 1. Make sure you configured Firewall rules. For additional information on the Firewall rules configuration, refer to the following article: /docs/auditor/10.6/auditor/requirements (Requirements – Protocols and Ports Required — v10.6). + +- For cause 2. Make sure you assigned all required rights and permissions to the account used for data collection. For additional information on the data collecting account configuration, refer to the following article: /docs/auditor/10.6/auditor/admin-guide/monitoringplans (Monitoring Plans – Data Collecting Account — v10.6). + +- For cause 3. 
For additional information on the data collecting account configuration, refer to the following article: /docs/kb/auditor/error_0x800706ba_−_rpc_server_is_unavailable (Error: The RPC server is unavailable). diff --git a/docs/kb/auditor/the-sharepoint-application-pools-are-stopped-after-the-netwrix-auditor-agent-for-sharepoint-installa.md b/docs/kb/auditor/the-sharepoint-application-pools-are-stopped-after-the-netwrix-auditor-agent-for-sharepoint-installa.md new file mode 100644 index 0000000000..9b474de16d --- /dev/null +++ b/docs/kb/auditor/the-sharepoint-application-pools-are-stopped-after-the-netwrix-auditor-agent-for-sharepoint-installa.md 
@@ -0,0 +1,36 @@ +--- +description: >- + If SharePoint application pools stop after installing or uninstalling the + Netwrix Auditor Core Service for SharePoint, follow the steps below to restart + them using IIS Manager. This article explains the scenario and provides the + exact steps to start the pools. +keywords: + - SharePoint + - application pools + - IIS + - Netwrix Auditor + - Timeout Expired + - installation + - reinstallation + - core service + - start application pools +products: + - auditor +sidebar_label: The SharePoint application pools are stopped after +tags: [] +title: "The SharePoint application pools are stopped after the Netwrix Auditor Agent for SharePoint installation/uninstallation." +knowledge_article_id: kA00g000000H9ZnCAK +--- + +# The SharePoint application pools are stopped after the Netwrix Auditor Agent for SharePoint installation/uninstallation. + +When trying to deploy Netwrix Auditor Core Service for SharePoint on large farms with more than 10 application pools, you may get the "Timeout Expired" error. + +After successful re-installation of the core service, the SharePoint application pools may appear stopped. + +To start your SharePoint application pools, perform the following steps: + +1. On your SharePoint servers, navigate to **Start → Control Panel → System and Security → Administrative Tools**. +2. Launch **Internet Information Services (IIS) Manager**. +3. In **Internet Information Services (IIS) Manager**, expand your server and navigate to the **Application Pools** node. +4. Select your SharePoint application pools and click **Start**. diff --git a/docs/kb/auditor/the-sharepoint-managed-object-has-unable-to-connect-to-netwrix-auditor-service-for-sharepoint-error-.md b/docs/kb/auditor/the-sharepoint-managed-object-has-unable-to-connect-to-netwrix-auditor-service-for-sharepoint-error-.md new file mode 100644 index 0000000000..991719e942 --- /dev/null 
+++ b/docs/kb/auditor/the-sharepoint-managed-object-has-unable-to-connect-to-netwrix-auditor-service-for-sharepoint-error-.md @@ -0,0 +1,41 @@ +--- +description: >- + After rebooting a computer with Netwrix Auditor installed, the SharePoint + Managed Object may show an "Unable to connect to Netwrix Auditor Service for + Sharepoint" error because required services stopped. This article explains how + to start the services and how to proceed if the issue recurs on every reboot. +keywords: + - Netwrix Auditor + - SharePoint + - Managed Object + - Unable to connect + - .Net TCP Port Sharing + - service timeout + - reboot + - Start service +products: + - auditor +sidebar_label: The SharePoint Managed Object has "Unable to conne +tags: [] +title: >- + The SharePoint Managed Object has "Unable to connect to Netwrix Auditor + Service for Sharepoint" error status +knowledge_article_id: kA00g000000H9ZeCAK +--- + +# The SharePoint Managed Object has "Unable to connect to Netwrix Auditor Service for Sharepoint" error status + +## Symptoms + +The SharePoint Managed Object has "Unable to connect to Netwrix Auditor Service for Sharepoint" error status after the computer with Netwrix Auditor installed has been rebooted. + +## Cause + +After the computer has been rebooted the **.Net TCP Port Sharing** and **Netwrix Auditor Service for SharePoint (your_server_name)** services are stopped. + +## Resolution + +1. In the **Netwrix Auditor** console, navigate to **Managed Objects → your_SharePoint_Managed_Object → SharePoint**. +2. In the right pane, click **Start**. + +**NOTE:** If this error occurs every time your computer is rebooted, you must increase the service time out period. Refer to Microsoft documentation for more information: http://technet.microsoft.com/en-us/library/cc756342(v=ws.10).aspx 
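Review bot: The Cause section names two stopped services, **.Net TCP Port Sharing** and **Netwrix Auditor Service for SharePoint (your_server_name)**, but the Resolution only says to click **Start** in the console and does not say whether that also starts .Net TCP Port Sharing or whether it has to be started separately. Suggest adding that step or stating that the console action starts both. The closing NOTE tells the reader to "increase the service time out period" without naming the setting and points to a plain `http://technet.microsoft.com` URL; name the setting and link the HTTPS documentation page. The product name is also spelled "Sharepoint" in the title, H1 and Symptoms but "SharePoint" in the Cause and Resolution.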
diff --git a/docs/kb/auditor/the-sharepoint-object-id-is-shown-in-the-what-column-instead-of-its-name.md b/docs/kb/auditor/the-sharepoint-object-id-is-shown-in-the-what-column-instead-of-its-name.md new file mode 100644 index 0000000000..bae84b5fad --- /dev/null +++ b/docs/kb/auditor/the-sharepoint-object-id-is-shown-in-the-what-column-instead-of-its-name.md @@ -0,0 +1,28 @@ +--- +description: >- + Explains why SharePoint group or permission level names may appear as object + IDs in the "What" column in Netwrix Auditor reports and Change Summaries, and + describes the condition that causes it. +keywords: + - SharePoint + - object ID + - What column + - cache + - group + - permission level + - Netwrix Auditor + - SharePoint Native Audit + - Editing Users and Permissions +products: + - auditor +sidebar_label: The SharePoint object ID is shown in the "What" co +tags: [] +title: The SharePoint object ID is shown in the "What" column instead of its name +knowledge_article_id: kA00g000000H9SeCAK +--- + +# The SharePoint object ID is shown in the "What" column instead of its name + +Netwrix Auditor saves group and permission level names in cache every 30 minutes to be able to retrieve it in case the object is deleted. Nevertheless, the name of the group or permission level will fail to be saved in cache in the following situation: + +If you create a group or role while **SharePoint Native Audit (Editing Users and Permissions)** is turned off and delete this object or change its settings later when it is on, the **"What"** column in the reports and Change Summaries will show the object ID instead of its name. diff --git a/docs/kb/auditor/the-sharepoint-object-value-is-shown-in-the-object-type-column-in-the-reports-instead-of-the-object-.md b/docs/kb/auditor/the-sharepoint-object-value-is-shown-in-the-object-type-column-in-the-reports-instead-of-the-object-.md new file mode 100644 index 0000000000..cd67d36e2b --- /dev/null 
+++ b/docs/kb/auditor/the-sharepoint-object-value-is-shown-in-the-object-type-column-in-the-reports-instead-of-the-object-.md @@ -0,0 +1,29 @@ +--- +description: >- + When Netwrix Auditor collects permission change data for SharePoint, it uses + the native SharePoint audit (SPaudit) to determine object types. If an object + is deleted within 30 minutes after its permissions were modified, the report + shows "SharePoint Object" in the "Object Type" column because the object ID is + unknown. +keywords: + - SharePoint + - SPaudit + - Object Type + - SharePoint Object + - permissions + - Netwrix Auditor + - audit + - deleted object +products: + - auditor +sidebar_label: The "SharePoint Object" value is shown in the "Obj +tags: [] +title: >- + The "SharePoint Object" value is shown in the "Object Type" column in the + reports instead of the object itself. +knowledge_article_id: kA00g000000H9SACA0 +--- + +# The "SharePoint Object" value is shown in the "Object Type" column in the reports instead of the object itself. + +When collecting data on permission changes, Netwrix Auditor employs the native SharePoint audit (`SPaudit`) to get the object type by its ID. If an object is deleted within 30 minutes after its permissions were modified, permission modifications will be reported with the "SharePoint Object" value in the **"Object Type"** column because the object ID is unknown. diff --git a/docs/kb/auditor/the-user-activity-video-reporter-agent-is-not-being-installed-on-monitored-server.md b/docs/kb/auditor/the-user-activity-video-reporter-agent-is-not-being-installed-on-monitored-server.md new file mode 100644 index 0000000000..5fdd3daffc --- /dev/null +++ b/docs/kb/auditor/the-user-activity-video-reporter-agent-is-not-being-installed-on-monitored-server.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Describes how to troubleshoot the " Installation failed" error when the User + Activity Video Reporter agent is not installed on a monitored server in + Netwrix Auditor. +keywords: + - user activity + - agent installation + - Installation failed + - remote registry + - RPC + - firewall + - Netwrix Auditor + - ports + - troubleshooting +products: + - auditor +sidebar_label: The User Activity Video Reporter Agent is not bein +tags: [] +title: "The User Activity Video Reporter Agent is not being installed on monitored server" +knowledge_article_id: kA00g000000H9awCAC +--- + +# The User Activity Video Reporter Agent is not being installed on monitored server + +The **" Installation failed"** error message is being listed for one of the monitored computers in the Netwrix Auditor UI (monitored computers list). + +--- + +## Cause + +This error indicates that the agent failed to be installed for one of the following reasons: + +1. RPC is not available on the target machine. +2. Firewall blocks product activity. +3. Remote Registry service is not available. +4. Target machine is not properly configured. + +--- + +## Resolution + +To troubleshoot the issue with agent installation, perform the following steps: + +1. Make sure that target computers are configured properly per the article: + - /docs/auditor/10.5/auditor/configurationuration/useractivity + +2. Make sure the following ports are opened on the local machine and target machine firewall settings: + - /docs/auditor/10.5/auditor/configurationuration/ports + Or disable the firewall for testing purposes to localize the problem. The agent status should be updated in `10 - 15 minutes`. + +3. Try to connect to the target machine from the local server through Remote Registry: + - http://technet.microsoft.com/en-us/library/cc785793(v=ws.10).aspx 
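Review bot: Both internal links in Resolution steps 1 and 2 contain the segment `configurationuration` (`/docs/auditor/10.5/auditor/configurationuration/useractivity` and `/docs/auditor/10.5/auditor/configurationuration/ports`), which looks like a search-and-replace accident and should be checked against the real paths. Step 2 suggests disabling the firewall "for testing purposes" but never says to turn it back on; add that instruction, or drop the suggestion in favour of the port list. The quoted error `" Installation failed"` starts with a space in both the description and the body, which suggests a prefix was lost, and the Remote Registry link in step 3 is a plain `http://` TechNet URL.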
diff --git a/docs/kb/auditor/the-windows-security-log-contains-multiple-events-5140-generated-by-netwrix-auditor-server.md b/docs/kb/auditor/the-windows-security-log-contains-multiple-events-5140-generated-by-netwrix-auditor-server.md new file mode 100644 index 0000000000..2400352cc6 --- /dev/null +++ b/docs/kb/auditor/the-windows-security-log-contains-multiple-events-5140-generated-by-netwrix-auditor-server.md @@ -0,0 +1,39 @@ +--- +description: >- + Explains why the Windows Security log on a server audited by Netwrix Auditor + contains multiple Event ID 5140 entries and how to interpret them. +keywords: + - Event ID 5140 + - Windows Security log + - network share + - Netwrix Auditor + - file share + - auditing + - Microsoft event 5140 +products: + - auditor +sidebar_label: The Windows Security Log Contains Multiple Events +tags: [] +title: "The Windows Security Log Contains Multiple Events 5140 Generated by Netwrix Auditor Auditor" +knowledge_article_id: kA04u0000011125CAA +--- + +# The Windows Security Log Contains Multiple Events 5140 Generated by Netwrix Auditor + +## Symptom + +The Windows Security log of the server audited by Netwrix Auditor contains multiple events with the Event ID 5140: + +```text +5140(S, F): A network share object was accessed. +``` + +## Cause + +You get these events from your Netwrix Auditor Server because during the data collection, Netwrix Auditor for File Servers or Windows Servers reads the list of shared objects which triggers events 5140. + +## Resolution + +This event is being generated for each attempt to access a file share within a network that is considered as normal behavior according to Microsoft. + +Learn more about this event in 5140(S, F): A network share object was accessed ⸱ Microsoft: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140 
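Review bot: The front-matter `title` ends in "Generated by Netwrix Auditor Auditor" with the product name doubled, while the H1 has it once; fix the title. The Resolution section contains no action, only the statement that the events are normal behavior, so suggest saying plainly that no change is required and stating which account the 5140 events are logged under, so that readers who alert on share access can recognise the collector's events. The last line gives the Microsoft reference as link text followed by a bare URL; make it a single Markdown link.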
diff --git a/docs/kb/auditor/this-shared-resource-does-not-exist-error-in-file-servers-monitoring-plan.md b/docs/kb/auditor/this-shared-resource-does-not-exist-error-in-file-servers-monitoring-plan.md new file mode 100644 index 0000000000..8f26b6f741 --- /dev/null +++ b/docs/kb/auditor/this-shared-resource-does-not-exist-error-in-file-servers-monitoring-plan.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Explains how to resolve the "This shared resource does not exist" (0x80070906) + error in a File Servers monitoring plan in Netwrix Auditor, including causes + and step-by-step resolutions. +keywords: + - shared resource does not exist + - 2147944710 + - file servers monitoring + - Netwrix Auditor + - snapshot processing + - permissions + - UNC path + - monitoring plan +products: + - auditor +sidebar_label: 'This Shared Resource Does Not Exist Error in File ' +tags: [] +title: "This Shared Resource Does Not Exist Error in File Servers Monitoring Plan" +knowledge_article_id: kA00g000000H9bHCAS +--- + +# This Shared Resource Does Not Exist Error in File Servers Monitoring Plan + +## Symptom + +The following message is prompted in Health Log for your File Servers monitoring plan in Netwrix Auditor: + +```text +Snapshot processing for the server %affected_server% completed with errors: +Object: %share%, Error: 0x80070906 This shared resource does not exist. +``` + +## Causes + +1. Misconfigured permissions for the Auditor data collecting account. +2. The affected share is specified incorrectly in the coresponding monitoring plan. + +## Resolutions + +1. Verify the permissions for the data collecting account used in the File Servers monitoring plan. Refer to the following article for additional information: Windows File Server − Permissions for Windows File Server Auditing · v10.6. +2. In the affected monitoring plan, select the affected item and click **Edit item** to verify the UNC path or file server name. + +## Related articles + +- Windows File Server − Permissions for Windows File Server Auditing · v10.6 diff --git a/docs/kb/auditor/timeout-expired-error-on-sharepoint-core-service-deployment.md b/docs/kb/auditor/timeout-expired-error-on-sharepoint-core-service-deployment.md new file mode 100644 index 0000000000..a82b5d75c5 --- /dev/null +++ b/docs/kb/auditor/timeout-expired-error-on-sharepoint-core-service-deployment.md 
@@ -0,0 +1,50 @@ +--- +description: >- + This article explains causes and resolutions for the `Timeout Expired` error + that occurs when deploying Netwrix Auditor for SharePoint Core Service. It + lists common causes and step-by-step actions to resolve the issue. +keywords: + - Timeout Expired + - SharePoint Core Service + - Netwrix Auditor + - SharePoint + - deployment + - SPAdminV4 + - timeout + - software requirements +products: + - auditor +sidebar_label: Timeout Expired Error on SharePoint Core Service D +tags: [] +title: "Timeout Expired Error on SharePoint Core Service D" +knowledge_article_id: kA00g000000H9YfCAK +--- + +# Timeout Expired Error on SharePoint Core Service D + +## Symptom + +The `Timeout Expired` error is prompted during the deployment of **Netwrix Auditor for SharePoint Core Service**. + +## Causes + +1. One or several servers are unreachable. +2. The SharePoint Administration (`SPAdminV4`) service is not started in any of the servers. +3. Your SharePoint farm exceeds the recommended capacity limits. +4. The .NET Framework instance installed in the SharePoint Central Administration host of the audited SharePoint farm is outdated. + +## Resolutions + +1. Make sure the servers within your SharePoint farm are available. +2. Enable SharePoint Administration Service in your SharePoint farm servers − refer to the following article for additional information: Configuration − SharePoint · v10.6. +3. Review the boundaries and limits applicable to the SharePoint instance set up in your environment − learn more in [Software Boundaries and Limits for SharePoint Servers 2016 and 2019 ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/sharepoint/install/software-boundaries-limits-2019). +4. Refer to the following article to learn more about software requirements for SharePoint monitoring: Requirements − Software Requirements · v10.6. 
+ +For additional information on manual deployment of SharePoint Core Service, refer to the following article: Installation − Install for SharePoint Core Service · v10.6. + +## Related articles + +- Configuration − SharePoint · v10.6 +- [Software Boundaries and Limits for SharePoint Servers 2016 and 2019 ⸱ Microsoft 🤝](https://learn.microsoft.com/en-us/sharepoint/install/software-boundaries-limits-2019) +- Requirements − Software Requirements · v10.6 +- Installation − Install for SharePoint Core Service · v10.6 diff --git a/docs/kb/auditor/tracing-was-disabled-in-sql-server-monitoring-plan.md b/docs/kb/auditor/tracing-was-disabled-in-sql-server-monitoring-plan.md new file mode 100644 index 0000000000..f36ab061aa --- /dev/null +++ b/docs/kb/auditor/tracing-was-disabled-in-sql-server-monitoring-plan.md 
@@ -0,0 +1,119 @@ +--- +description: >- + Explains why Netwrix Auditor logs indicate that SQL Server tracing was + disabled for a monitoring plan, and provides troubleshooting steps to restore + and preserve SQL tracing for accurate auditing. +keywords: + - SQL Server tracing + - Netwrix Auditor + - sqlcr_sp.sql + - sqlcr_startup.sql + - SQL trace logs + - antivirus exclusions + - monitoring plan +products: + - auditor +sidebar_label: Tracing Was Disabled in SQL Server Monitoring Plan +tags: [] +title: "Tracing Was Disabled in SQL Server Monitoring Plan" +knowledge_article_id: kA00g000000H9YKCA0 +--- + +# Tracing Was Disabled in SQL Server Monitoring Plan + +## Symptoms + +- Reports and Activity Summaries return the **System** value in the **Who** field. +- Activity Summaries and Health Log for the SQL Server monitoring plan contain the following errors: + +```text +Tracing was disabled on the %SQL_Server_name% server. +As a result, SQL Server logon activity data may be lost. +SQL Server change reports may show incorrect data in the 'Who' and 'When' fields. +``` + +```text +Tracing is required for successful change and logon activity auditing, and it has been automatically enabled. +``` + +```text +The Who Changed and When Changed fields in the change report may show incorrect data +because tracing was disabled on the %SQL_Server_name% during report generation. +Tracing is required for the change reporting process +and it has been automatically enabled for future reports. +``` + +## Causes + +- If logged once upon the first data collection, Netwrix Auditor automatically detected the default SQL Server log path and enabled the tracing via this path. This is a standard notification sent after the first data collection. These errors can be ignored. +- If logged repeatedly upon each data collection, SQL Server is misconfigured as it does not return the default SQL server log path. Netwrix Auditor cannot enable the audit tracing. 
+- If logged repeatedly upon every SQL server restart, SQL Server tracing stops on every reboot. +- If logged every day, the antivirus exclusions in your environment may be misconfigured. + +## Resolutions + +### Resolution 1 − Include the traces folder to AV exclusions + +Add the folder containing traces to exclusions of your antivirus suite. Refer to the following default path for traces storage: + +```text +C:\Program Files\Microsoft SQL Server\MSSQL%V%.MSSQLSERVER\MSSQL\Log +``` + +Learn more in Configure antivirus software to work with SQL Server ⸱ Microsoft 🡥: +https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/security/antivirus-and-sql-server + +### Resolution 2 − Specify the default path to SQL Server trace logs + +Refer to the following steps to specify the default path to SQL Server trace logs: + +- Locate the `pathtotracelogs.txt` file in %Netwrix_Auditor_installation_folder%\SQL Server Auditing. Refer to the following default path: + +```text +C:\Program Files (x86)\Netwrix Auditor\SQL Server Auditing +``` + +- Specify the UNC path to your SQL Server instance following the reference example: + +```text +SQLSRV01\MSSQL2016|C:\Logs\SQL trace logs\ +``` + +> **NOTE:** If you would like to specify trace logs locations for multiple instances of one SQL server, make sure the specified UNC paths are unique across these instances. + +### Resolution 3 − Manually enable SQL tracing + +Refer to the following prerequisites to comply with: + +- The user must be a member of the Domain Admins group. +- The SQL Server instance stores logs in the default path: + +```text +%Program Files%\Microsoft SQL Server\MSSQL\Log +``` + +To verify the path, refer to the following steps: + +1. Launch **SQL Server Management Studio**. +2. Right-click the server in **Object Explorer**, and select **Properties**. +3. In the left pane, select **Database Settings**, and review the **Log** location in the **Database default locations** section. 
+ +> **IMPORTANT:** In case the **Log** path in your SQL Server instance differs from ` %Program Files%\Microsoft SQL Server\MSSQL\Log`, edit the `sqlcr_sp.sql` file. Change the path stated in the `SET @pathtolog =` line to the **Log** path before running the script. + +Refer to the following steps to enable SQL tracing: + +1. In your Netwrix Auditor server, navigate to `C:\Program Files(x86)\Netwrix Auditor\SQL Server Auditing`. +2. Locate the `sqlcr_sp.sql` and `sqlcr_startup.sql` script files. + +> **IMPORTANT:** In case the **Log** path in your SQL Server instance differs from ` %Program Files%\Microsoft SQL Server\MSSQL\Log`, edit the `sqlcr_sp.sql` file. Change the path stated in the `SET @pathtolog =` line to the **Log** path before running the script. + +3. Connect to the affected SQL server. +4. Run the `sqlcr_sp.sql` script file in the affected server to store a procedure with special settings. +5. Run the `sqlcr_startup.sql` script file in the affected server to create a special stored procedure for SQL server reboot instances. +6. Once completed, the special tracing settings will be enabled automatically each time your SQL server restarts. +7. Wait for the next data collection or launch it manually. In the main Netwrix Auditor screen, select **Monitoring Plans** > select your SQL monitoring plan and click **Edit** > click **Update** in the right pane. + +## Related articles + +- Configure antivirus software to work with SQL Server ⸱ Microsoft 🡥 + https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/security/antivirus-and-sql-server diff --git a/docs/kb/auditor/transport-failed-to-connect-to-server.md b/docs/kb/auditor/transport-failed-to-connect-to-server.md new file mode 100644 index 0000000000..3b6407db1a --- /dev/null +++ b/docs/kb/auditor/transport-failed-to-connect-to-server.md 
@@ -0,0 +1,53 @@ +--- +description: >- + This article explains why the "The transport failed to connect to the server" + error appears when testing Notifications in Netwrix Password Reset and + provides step-by-step resolutions to restore email notifications. +keywords: + - transport failed to connect + - SMTP + - TLS 1.2 + - implicit SSL + - Netwrix Password Reset + - notifications + - monitoring plan + - SMTP port +products: + - auditor +sidebar_label: Transport Failed to Connect to Server +tags: [] +title: "Transport Failed to Connect to Server" +knowledge_article_id: kA0Qk0000000Jc9KAE +--- + +# Transport Failed to Connect to Server + +## Symptom + +When verifying **Notifications** settings in Netwrix Password Reset, the following error is prompted: + +```text +Test failed: The transport failed to connect to the server. +Exception has been thrown by the target of an invocation. +``` + +## Causes + +- `TLS 1.2` is misconfigured in the Netwrix server. +- The implicit SSL connection mode is enabled. +- SMTP settings are misconfigured. +- The monitoring plan is corrupted. + +## Resolution + +1. Review the TLS protocol versions enabled in your environment − refer to the following article for additional information: Сonnection Issue when TLS 1.2 Is Required. +2. Uncheck the **Use the Implicit SSL connection mode** checkbox in the **Notifications** tab in Netwrix Password Reset (PEN), and verify the SMTP settings. +3. Verify the SMTP settings − make sure the specified port corresponds to the server port. Learn more in [How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 ⸱ Microsoft 🫝](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365). +4. 
Review the list of ports and protocols required for Netwrix Password Reset (PEN) to operate − refer to the following article for additional information: Tools − Netwrix Password Reset ⸱ v10.6. +5. Recreate your Netwrix Password Reset (PEN) monitoring plan − it is required to perform the setup manually as there's no option to copy the existing plan automatically. + +## Related articles + +- Сonnection Issue when TLS 1.2 Is Required +- [How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 ⸱ Microsoft 🫝](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365) +- Tools − Netwrix Password Reset ⸱ v10.6 diff --git a/docs/kb/auditor/troubleshoot_sharepoint_serveron-premise_errors.md b/docs/kb/auditor/troubleshoot_sharepoint_serveron-premise_errors.md new file mode 100644 index 0000000000..78c6af21f6 --- /dev/null +++ b/docs/kb/auditor/troubleshoot_sharepoint_serveron-premise_errors.md 
@@ -0,0 +1,59 @@ +--- +description: >- + This article provides a reference list of articles for troubleshooting errors in SharePoint Server and On-premise monitoring plans. +keywords: + - SharePoint + - troubleshooting + - monitoring plans +sidebar_label: Troubleshoot SharePoint Errors +tags: [] +title: "Troubleshoot SharePoint Server and On-premise Errors" +knowledge_article_id: kA0Qk0000000NcXKAU +products: + - auditor +--- + +# Troubleshoot SharePoint Server and On-premise Errors + +## Overview + +This is a reference list of articles on troubleshooting errors in SharePoint Server and On-premise monitoring plans. + +### Related Articles + +- [SharePoint Core Service Deployment Failed](/docs/kb/auditor/sharepoint-core-service-deployment-failed) +- [Timeout Expired Error on SharePoint Core Service Deployment](/docs/kb/auditor/timeout-expired-error-on-sharepoint-core-service-deployment) +- [Event ID 1204 in Health Log](/docs/kb/auditor/event-id-1204-in-health-log) +- [Event ID 1205 in Health Log](/docs/kb/auditor/event-id-1205-in-health-log) +- [Event ID 1206 in Health Log](/docs/kb/auditor/error-event-id-1206-in-health-log) +- [Event ID 1208 in Health Log](/docs/kb/auditor/event-id-1208-in-health-log) +- [Event ID 1209 in Health Log](/docs/kb/auditor/event-id-1209-in-health-log) +- [Event ID 1210 in Health Log](/docs/kb/auditor/event-id-1210-in-health-log) +- [Event ID 1214 in Health Log](/docs/kb/auditor/event-id-1214-in-health-log) +- [Event ID 1223 in Health Log](/docs/kb/auditor/event-id-1223-in-health-log) +- [Event ID 1225 in Health Log](/docs/kb/auditor/event-id-1225-in-health-log) +- [Event ID 1236 in Health Log](/docs/kb/auditor/event-id-1236-in-health-log) +- [Event ID 1237/1238 in Health Log](/docs/kb/auditor/event_id_12371238_in_health_log) +- [Event ID 1239 in Health Log](/docs/kb/auditor/event-id-1239-in-health-log) +- [Event ID 1240 in Health Log](/docs/kb/auditor/event-id-1240-in-health-log) +- [Event ID 1241 in Health 
Log](/docs/kb/auditor/event-id-1241-in-health-log) +- [Event ID 1242 in Health Log](/docs/kb/auditor/event-id-1242-in-health-log) +- [Event ID 1243 in Health Log](/docs/kb/auditor/event-id-1243-in-health-log) +- [Event ID 1244 in Health Log](/docs/kb/auditor/event-id-1244-in-health-log) +- [Event ID 1245 in Health Log](/docs/kb/auditor/event-id-1245-in-health-log) +- [Event ID 1249 in Health Log](/docs/kb/auditor/event-id-1249-in-health-log) +- [Event ID 1250 in Health Log](/docs/kb/auditor/event-id-1250-in-health-log) +- [Event ID 1251 - 1254, 1256 - 1258 in Health Log](/docs/kb/auditor/event-id-1251-1254-1256-1258-in-health-log) +- [Event ID 1255 in Health Log](/docs/kb/auditor/event-id-1255-in-health-log) +- [Event ID 1259 in Health Log](/docs/kb/auditor/event-id-1259-in-health-log) +- [Event ID 1260 − 1266 in Health Log](/docs/kb/auditor/event-id-1260-1266-in-health-log) +- [Event ID 1267 − 1273 in Health Log](/docs/kb/auditor/event-id-1267-1273-in-health-log) +- [Event ID 1274 in Health Log](/docs/kb/auditor/event-id-1274-in-health-log) +- [Event ID 1275 in Health Log](/docs/kb/auditor/event-id-1275-in-health-log) +- [Event ID 1276 in Health Log](/docs/kb/auditor/event-id-1276-in-health-log) +- [Event ID 1280 in Health Log](/docs/kb/auditor/event-id-1280-in-health-log) +- [Event ID 1285 in Health Log](/docs/kb/auditor/event-id-1285-in-health-log) +- [Event ID 1286 in Health Log](/docs/kb/auditor/event-id-1286-in-health-log) +- [Event ID 1287 in Health Log](/docs/kb/auditor/event-id-1287-in-health-log) +- [Event ID 1288 in Health Log](/docs/kb/auditor/event-id-1288-in-health-log) +- [Event ID 1289 in Health Log](/docs/kb/auditor/event-id-1289-in-health-log) \ No newline at end of file diff --git a/docs/kb/auditor/ts-collection-failed-warning.md b/docs/kb/auditor/ts-collection-failed-warning.md new file mode 100644 index 0000000000..ead30d4cdc --- /dev/null +++ b/docs/kb/auditor/ts-collection-failed-warning.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Explains the "TS collection failed: Can't open output file" permission denied + warning for Windows Server 2008 domain controllers and provides steps to + resolve it for Netwrix Auditor. +keywords: + - TS collection failed + - permission denied + - .ts files + - UAC + - Windows Server 2008 + - Netwrix Auditor + - ADCR_Agent + - domain controller +products: + - auditor +sidebar_label: TS collection failed warning +tags: [] +title: "TS collection failed warning" +knowledge_article_id: kA00g000000H9baCAC +--- + +# TS collection failed warning + +Netwrix Auditor includes the "**Failed to process DC: %domain controller name% The error is: TS collection failed: Can't open output file: `C:WindowsADCR_Agent%domain contoller name%.ts.` Permission denied**" warning for Windows Server 2008 domain controllers in summary reports. + +--- + +*.ts files are being used by Netwrix Auditor to collect time stamps of when Active Directory objects were changed, these files are being created by the Netwrix Auditor agent, which is running under the Local System account but being collected by the main Netwrix Auditor process which is running under the specified service account. The error appear when User Account Control (UAC) (http://technet.microsoft.com/en-us/library/cc709691(v=ws.10).aspx) considers this difference as a potential security issue and blocks access to the *.ts file for the service account Netwrix Auditor is being run under. + +--- + +## Resolution + +To resolve this issue, you need to disable User Account Control (UAC) on the problematic domain controller and delete the *.ts file Netwrix Auditor was able to access: + +1. Log on the problematic domain controller +2. Disable User Account Control (UAC) + - Click **Start**, and then click **Control Panel**. + - In Control Panel, click **User Accounts**. + - In the User Accounts window, click **User Accounts**. 
+ - In the User Accounts tasks window, click **Turn User Account Control on or off**. + - If UAC is currently configured in Admin Approval Mode, then the User Account Control message appears. Click **Continue**. + - Clear the **Use User Account Control (UAC) to help protect your computer** check box, and then click **OK**. + - Restart domain controller +3. Once the domain controller is restarted, log onto it and delete the *.ts file Netwrix Auditor was able to access: + - Navigate to `C:WindowsADCR_Agent` + - Find the file listed in the error (`%domain contoller name%.ts`) and delete it + - Do not enable User Account Control (UAC) back. diff --git a/docs/kb/auditor/types-of-the-data-collection-for-file-servers-auditing.md b/docs/kb/auditor/types-of-the-data-collection-for-file-servers-auditing.md new file mode 100644 index 0000000000..3dfb46f07e --- /dev/null +++ b/docs/kb/auditor/types-of-the-data-collection-for-file-servers-auditing.md 
@@ -0,0 +1,29 @@ +--- +description: >- + Explains the two types of data collection for File Servers auditing in Netwrix + Auditor: the default Enhanced mode and the Basic mode (Large Server Support). +keywords: + - file servers + - data collection + - large server support + - file auditing + - Netwrix Auditor + - snapshot + - Windows Security event log + - file attributes + - permissions +products: + - auditor +sidebar_label: Types of the data collection for File Servers audi +tags: [] +title: "Types of the data collection for File Servers auditing" +knowledge_article_id: kA00g000000H9RzCAK +--- + +# Types of the data collection for File Servers auditing + +There are 2 types of the data collection for File Server auditing solution: + +1. Default - Enhanced mode, that processes extended information, such as file attributes and permissions in addition to native Windows audit events. During the data collection Netwrix Auditor creates a full snapshot of the file server shares and compare it to the snapshot collected during the previous data collection, this way it gets changes. Afterwards Netwrix Auditor uses the security event logs to get the Who/What/When/Where information. + +2. Basic mode (Large Server Support), that process only native audit events generated by the Windows Security event log. It is recommended to speed up data collection from file servers storing a large amount of data (`500 000` and more files). To access this option, expand the required **Managed Object** node in the left **Netwrix Auditor** console pane and select the **File Servers** node. The option’s box **Enable large server support** will be displayed on the settings page on the right. diff --git a/docs/kb/auditor/uavr-core-service-not-responding.md b/docs/kb/auditor/uavr-core-service-not-responding.md new file mode 100644 index 0000000000..acad9d9dab --- /dev/null +++ b/docs/kb/auditor/uavr-core-service-not-responding.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Describes troubleshooting steps when the User Activity Video Recording (UAVR) + Core Service shows "Not Responding" after installation, including firewall, + ports, required services, remote connection tests, and agent reinstallation. +keywords: + - UAVR + - User Activity Video Recording + - core service + - Not Responding + - UACoreSvcSetup.msi + - ports + - Windows Firewall + - WMI + - RPC + - Remote Registry + - agent reinstall +products: + - auditor +sidebar_label: UAVR Core Service not Responding +tags: [] +title: "UAVR Core Service not Responding" +knowledge_article_id: kA00g000000H9agCAC +--- + +# UAVR Core Service not Responding + +## Symptom + +User Activity Video Recording Core Service shows the following status: + +```text + Not Responding after install +``` + +## Cause + +This issue is often caused by the ports being blocked by Windows Firewall or some other software/hardware. + +## Resolution + +In order to troubleshoot the issue please perform the following steps: + +1. Disable Windows Firewall on local and target servers. +2. Make sure that the following ports are opened on the local and target server: User Activity Protocols and Ports ⸱ v10.6 +3. Make sure that the following services are started - *WMI, RPC, Remote Registry*. +4. Try to connect to services remotely while logged in as the service account (`services.msc`) + - This can be done by opening **Services** and right-clicking **Services (Local)** then select "Connect to Another Computer" +5. Try to re-install the agent on the target server with the `UACoreSvcSetup.msi` found in the install path on the Netwrix Host (default path: `C:\Program Files (x86)\Netwrix Auditor\User Activity Video Recording`) diff --git a/docs/kb/auditor/unable-to-audit-target-server-by-ip-address.md b/docs/kb/auditor/unable-to-audit-target-server-by-ip-address.md new file mode 100644 index 0000000000..d70651dc1b --- /dev/null 
+++ b/docs/kb/auditor/unable-to-audit-target-server-by-ip-address.md @@ -0,0 +1,41 @@ +--- +description: >- + You are unable to audit a target server by IP address or by using `localhost`, + and the Activity Records report shows an incorrect server name. This article + explains causes and provides steps to fix DNS cache and hosts-file issues so + you can audit by FQDN. +keywords: + - netwrix auditor + - IP address + - localhost + - hosts file + - DNS cache + - ipconfig + - flushdns + - Activity Records + - FQDN +products: + - auditor +sidebar_label: Unable to audit target server by IP address +tags: [] +title: "Unable to audit target server by IP address" +knowledge_article_id: kA00g000000H9axCAC +--- + +# Unable to audit target server by IP address + +## Symptoms +1. Unable to audit a target server by using `IP address`. +2. Unable to audit a host server by using `localhost`. +3. **Activity Records** summary report shows incorrect server name. + +## Cause +1. There is stale data in the `DNS cache` of the host and target machines. +2. There is incorrect data in the `hosts` file of the host and target machines. + +## Resolution +To resolve this issue, perform the following steps: + +1. On the target and the host machines, remove all records which contain the `IP address` of the host and the target machines from the following file: `C:\Windows\system32\drivers\etc\hosts` +2. Flush the `DNS cache` on the host and the target machines by executing the following command: `ipconfig /flushdns` +3. Use the FQDN-name of the target machine instead of `IP address` or `localhost` when adding it as an item in Netwrix Auditor. diff --git a/docs/kb/auditor/unable-to-configure-audit-policies-in-domain-controllers.md b/docs/kb/auditor/unable-to-configure-audit-policies-in-domain-controllers.md new file mode 100644 index 0000000000..4a17dc7dce --- /dev/null +++ b/docs/kb/auditor/unable-to-configure-audit-policies-in-domain-controllers.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Describes the error "Event ID:1016" that appears when creating a monitoring + plan for Domain Controllers and explains why it occurs and how to resolve it + by configuring audit policies via Group Policy. +keywords: + - audit policies + - domain controller + - Group Policy + - Windows Server + - Netwrix Auditor + - Event ID 1016 + - monitoring plan + - local policy +products: + - auditor +sidebar_label: Unable to Configure Audit Policies in Domain Contr +tags: [] +title: "Unable to Configure Audit Policies in Domain Controllers" +knowledge_article_id: kA04u0000011196CAA +--- + +# Unable to Configure Audit Policies in Domain Controllers + +## Symptom + +When trying to create a monitoring plan for Windows Servers explicitely for Domain Controllers, the following error appears: + +``` +Event ID:1016: Unable to configure the following audit policies on this computer because it is a domain controller. +``` + +## Cause + +Netwrix Auditor configures target servers for auditing by applying local audit policies that can be overwritten by domain (group) policies. Domain Controllers do not have local policies that makes it difficult for the product to configure audit automatically. + +## Resolution + +Open the **Group Policies** snap-in on the target Domain Controller and configure audit policies. + +For the full list of audit policies to be configured, refer to the following article: /docs/auditor/10.6/auditor/configurationuration/windowsserver (Windows Server Configuration — Configuration via Group Policy · v10.6) diff --git a/docs/kb/auditor/unable-to-connect-to-remote-server.md b/docs/kb/auditor/unable-to-connect-to-remote-server.md new file mode 100644 index 0000000000..bc690a366c --- /dev/null +++ b/docs/kb/auditor/unable-to-connect-to-remote-server.md 
@@ -0,0 +1,58 @@ +--- +description: >- + When you run reports in a web browser, you may see the "Unable to connect to + the remote server." error. This article lists possible causes and resolutions, + including SSRS service issues, failed SQL Server upgrades, and expired SSRS + evaluation licenses. +keywords: + - SSRS + - SQL Server Reporting Services + - unable to connect to the remote server + - reports + - subscriptions + - SQL Server + - evaluation license + - repair installation +products: + - auditor +sidebar_label: Unable to Connect to Remote Server +tags: [] +title: "Unable to Connect to Remote Server" +knowledge_article_id: kA04u00000111AdCAI +--- + +# Unable to Connect to Remote Server + +## Symptom + +When trying to run reports in web browser, the following error message appears: + +```text +Unable to connect to the remote server. +``` + +Subscriptions may also be affected by this error. + +## Causes + +- The **SQL Server Reporting Services** service has stopped in your SQL server. +- In case of the recent SQL Server upgrade, the SQL Server suite could be corrupted. +- The SSRS instance evaluation license has expired. + +## Resolutions + +In case the **SQL Server Reporting Services** service has stopped − enable the service and disable disable timeout for reports. Refer to the following articles for additional information: + +- Learn how to enable the **SQL Server Reporting Services** service in [Start and Stop the Report Server Service · Microsoft 🤝](https://learn.microsoft.com/en-us/sql/reporting-services/report-server/start-and-stop-the-report-server-service?view=sql-server-ver16). +- Learn more on timeouts in [Setting Time-out Values for Report and Shared Dataset Processing (SSRS) · Microsoft 🤝](https://learn.microsoft.com/en-us/sql/reporting-services/report-server/setting-time-out-values-for-report-and-shared-dataset-processing-ssrs?view=sql-server-ver16). + +In case of the failed SQL Server upgrade, repair your SQL Server installation. 
Learn more in [Repair a Failed SQL Server Installation · Microsoft 🤝](https://learn.microsoft.com/en-us/sql/database-engine/install-windows/repair-a-failed-sql-server-installation?view=sql-server-ver16). + +For additional information on expired evaluation license in SSRS, refer to the following article: [Error 503 − Reports and Subscriptions Not Working](/docs/kb/auditor/error-503-reports-and-subscriptions-not-working). + +## Related articles + +- [Error 503 − Reports and Subscriptions Not Working](/docs/kb/auditor/error-503-reports-and-subscriptions-not-working) +- [Start and Stop the Report Server Service · Microsoft 🤝](https://learn.microsoft.com/en-us/sql/reporting-services/report-server/start-and-stop-the-report-server-service?view=sql-server-ver16) +- [Setting Time-out Values for Report and Shared Dataset Processing (SSRS) · Microsoft 🤝](https://learn.microsoft.com/en-us/sql/reporting-services/report-server/setting-time-out-values-for-report-and-shared-dataset-processing-ssrs?view=sql-server-ver16) +- [Repair a Failed SQL Server Installation · Microsoft 🤝](https://learn.microsoft.com/en-us/sql/database-engine/install-windows/repair-a-failed-sql-server-installation?view=sql-server-ver16) diff --git a/docs/kb/auditor/unable-to-create-real-time-alerts.md b/docs/kb/auditor/unable-to-create-real-time-alerts.md new file mode 100644 index 0000000000..018a3f0eb5 --- /dev/null +++ b/docs/kb/auditor/unable-to-create-real-time-alerts.md 
@@ -0,0 +1,61 @@ +--- +description: >- + When creating real-time alerts, Kerberos UDP packets may be fragmented and + dropped, causing errors. This article explains how to force Kerberos to use + TCP by editing the registry to resolve the issue. +keywords: + - kerberos + - UDP + - TCP + - MaxPacketSize + - real-time alerts + - event viewer + - KerberosParameters + - registry + - fragmentation + - Netwrix Auditor +products: + - auditor +sidebar_label: Unable to create real-time alerts +tags: [] +title: "Unable to create real-time alerts" +knowledge_article_id: kA00g000000H9btCAC +--- + +# Unable to create real-time alerts + +The first time you create a real-time alert, you see the following errors: + +![Error 1](images/ka04u000000HcUe_0EM7000000050xL.png) + +![Error 2](images/ka04u000000HcUe_0EM7000000050xQ.png) + +Also in the event viewer System log you can find events like this: + +| Product: | Windows Operating System | +|---|---| +| ID: | 10 | +| Source: | Microsoft-Windows-Security-Kerberos | +| Version: | 6.0 | +| Symbolic Name: | KERBEVT_UDP_TIMEOUT | +| Message: | The kerberos subsystem is having problems fetching tickets from your domain controller using the UDP network protocol. This is typically due to network problems. Please contact your system administrator. | + +--- + +By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the network hardware configuration, these larger packets have to be fragmented when going through a network. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order. 
+ +--- + +According to the following [Microsoft TechNet Article](http://technet.microsoft.com/en-us/library/cc733891%28v=ws.10%29.aspx), please force Kerberos to use the TCP instead of the UDP network protocol, because TCP is connection oriented, it is a more reliable means of transport across the network. Even if the packets are dropped, the server will re-request the missing data packet. + +To do this, follow these steps: + +1. Start Registry Editor. +2. Locate and then click the following registry subkey: + `HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa KerberosParameters` + **Note:** If the **Parameters** key does not exist, create it now. +3. On the **Edit** menu, point to **New**, and then click **DWORD Value**. +4. Type `MaxPacketSize`, and then press ENTER. +5. Double-click `MaxPacketSize`, type `1` in the **Value data** box, click to select the **Decimal** option, and then click **OK**. +6. Quit Registry Editor. +7. Restart your computer. diff --git a/docs/kb/auditor/unable-to-generate-reports-after-migration.md b/docs/kb/auditor/unable-to-generate-reports-after-migration.md new file mode 100644 index 0000000000..db3515c8d5 --- /dev/null +++ b/docs/kb/auditor/unable-to-generate-reports-after-migration.md 
@@ -0,0 +1,44 @@ +--- +description: >- + After migration, some Netwrix Auditor reports may fail with the error: "Unable + to cast object of type 'System.Guid' to type 'System.String'". This article + explains the cause and provides step-by-step resolution to recreate the + reports folder and restore report generation. +keywords: + - Netwrix Auditor + - reports + - migration + - SSRS + - Report Manager + - System.Guid + - System.String + - Netwrix Auditor Management Service +products: + - auditor +sidebar_label: Unable to Generate Reports After Migration +tags: [] +title: "Unable to Generate Reports After Migration" +knowledge_article_id: kA0Qk0000000WsjKAE +--- + +# Unable to Generate Reports After Migration + +## Symptom + +After migration, some Netwrix Auditor reports are generating the following error: + +```text +Unable to cast object of type 'System.Guid' to type 'System.String' +``` + +## Cause + +Some files were corrupted in the **Reports** folder after migration. + +## Resolution + +1. In Netwrix Auditor, navigate to **Settings** > **Audit Database**. +2. Open the **Report Manager URL** to access the SQL Server Reporting Services (SSRS) site. +3. Remove the **Netwrix Auditor** root folder in SSRS. +4. On the computer that hosts the Auditor Server, open the **Services** snap-in. You can do this by searching for *Services*. +5. Restart the **Netwrix Auditor Management Service**. This will recreate the reports folder and resolve the error. The reports will take 5-10 minutes to re-upload. diff --git a/docs/kb/auditor/unable-to-launch-netwrix-auditor-user-activity-core-service.md b/docs/kb/auditor/unable-to-launch-netwrix-auditor-user-activity-core-service.md new file mode 100644 index 0000000000..20858bdd1b --- /dev/null +++ b/docs/kb/auditor/unable-to-launch-netwrix-auditor-user-activity-core-service.md 
@@ -0,0 +1,74 @@ +--- +description: >- + This article describes how to resolve the "Unable to launch the Netwrix + Auditor User Activity Core Service" error and how to manually install the User + Activity Core Service using the CLI or the MSI installer. +keywords: + - Netwrix Auditor + - User Activity Core Service + - UACoreSvcSetup + - msiexec + - E_ACCESSDENIED + - UAVR_SERVERNAME + - installation + - ports +products: + - auditor +sidebar_label: Unable to Launch Netwrix Auditor User Activity Cor +tags: [] +title: "Unable to Launch Netwrix Auditor User Activity Core Service" +knowledge_article_id: kA0Qk0000000L65KAE +--- + +# Unable to Launch Netwrix Auditor User Activity Core Service + +## Symptom + +When trying to deploy the Netwrix Auditor User Activity Core Service, the following error appears: + +``` +Unable to launch the Netwrix Auditor User Activity Core Service. +See the Netwrix Auditor System Health event log for more information. +Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) +``` + +## Cause + +The Remote procedure call failed error can have a number of root causes such as a closed port, Antivirus or EDR software, resource availability on the target system, etc. + +## Resolutions + +When, for some reasons, Netwrix Auditor cannot not install or upgrade the Netwrix Auditor User Activity Core Service automatically, you should install the service manually via CLI or from the .MSI file directly. + +### To install the service via CLI: + +1. Run command prompt on the computer that hosts your Auditor Server. +2. Execute the following commands: + +``` +cd C:\Program Files (x86)\Netwrix Auditor\User Activity Video Recording +``` + +``` +msiexec.exe /i "UACoreSvcSetup.msi" ALLUSERS=1 /qn /norestart /log output.log UAVR_SERVERNAME=yourservername UAVR_SERVERPORT=9004 +``` + +where `yourservername` is the name of your SMTP server in the FQDN format and `9004` is the required port number. + +### To run the service via the .MSI file: + +1. 
On the computer that hosts your Auditor Server, navigate to `C:\Program Files (x86)\Netwrix Auditor\User Activity Video Recording`. +2. Run the **UACoreSvcSetup.msi** file. +3. Follow the installation prompts up to the **Specify User Activity Video Reporter server and TCP port** step. +4. On this step, provide your SMTP server name in the FQDN format in the **Host server** field and provide the port number **9004**. + +![User-added image](images/ka0Qk0000001S2H_0EMQk000001wr0A.png) + +5. Complete the installation. + +> NOTE: In case User Activity Core Service is installed in target servers, make sure to check the Core Service version in **Apps & Features**. In case of version mismatch, refer to the following article for additional information: [Manually Update User Activity Core Service](/docs/kb/auditor/manually-update-user-activity-core-service.md). + +### Related articles + +- Configuration — User Activity — User Activity Ports — v10.6 +- [Manually Update User Activity Core Service](/docs/kb/auditor/manually-update-user-activity-core-service.md) diff --git a/docs/kb/auditor/unable-to-process-item-error-when-using-gmsa-in-netwrix-auditor.md b/docs/kb/auditor/unable-to-process-item-error-when-using-gmsa-in-netwrix-auditor.md new file mode 100644 index 0000000000..0e0e9ba3fe --- /dev/null +++ b/docs/kb/auditor/unable-to-process-item-error-when-using-gmsa-in-netwrix-auditor.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Explains logon/impersonation errors encountered when using group Managed + Service Accounts (gMSA) with Netwrix Auditor and provides causes and + upgrade-based solutions. +keywords: + - gMSA + - group managed service account + - Netwrix Auditor + - impersonation + - logon type + - KB5022291 + - upgrade + - Health Log + - pre-10.5.11041 +products: + - auditor +sidebar_label: Unable to Process Item Error when Using gMSA in Ne +tags: [] +title: "Unable to Process Item Error when Using gMSA in Netwrix Auditor" +knowledge_article_id: kA04u0000000GuNCAU +--- + +# Unable to Process Item Error when Using gMSA in Netwrix Auditor + +## Symptom + +You may get a variety of errors referring to the logon/impersonation issues, depending on the data collection scope affected. + +For instance, using gMSA for Netwrix Auditor for File Servers, you encounter the following error in the Health Log: + +```text +Unable to process item: A logon request contained an invalid logon type value. +``` + +## Causes + +On January 10th 2023 Microsoft has released a security update affecting the pre-10.5.11041 Netwrix Auditor versions ability to impersonate gMSA. Refer to the following article for additional information on the update: https://support.microsoft.com/en-us/topic/january-10-2023-kb5022291-os-build-20348-1487-38772acf-103f-463e-9d60-486174e806b2 (Update KB5022291). + +In Netwrix Auditor version 9.96 group managed service accounts can be used instead of regular service accounts in a limited number of cases. Refer to the following article for additional information: /docs/auditor/10.6/auditor/requirements (Requirements – Use Group Managed Service Account(gMSA) ⸱ v10.6). Permissions for gMSA are the same as for regular service accounts, refer to the following article for additional information: /docs/auditor/10.6/auditor/admin-guide/monitoringplans (Monitoring Plans – Data Collecting Account ⸱ v10.6). 
+ +## Solution + +For the pre-10.5.11041 Netwrix Auditor version, make sure to update your Netwrix Auditor instance — refer to the following articles for additional information: /docs/kb/auditor/how_to_upgrade_netwrix_auditor (How to Upgrade Netwrix Auditor) and /docs/kb/auditor/upgrade_increments_for_netwrix_auditor (Upgrade Increments for Netwrix Auditor). diff --git a/docs/kb/auditor/unable-to-run-reports-system-cannot-find-the-file-specified.md b/docs/kb/auditor/unable-to-run-reports-system-cannot-find-the-file-specified.md new file mode 100644 index 0000000000..5502f14bf3 --- /dev/null +++ b/docs/kb/auditor/unable-to-run-reports-system-cannot-find-the-file-specified.md 
@@ -0,0 +1,54 @@ +--- +description: >- + This article explains how to resolve the "System cannot find the file + specified" (0x80070002) rsInternalError when running reports in Netwrix + Auditor, typically caused by a missing report server database. It lists + symptoms, cause, and step-by-step resolution. +keywords: + - report server + - rsInternalError + - '0x80070002' + - Report Manager + - SSRS + - deploy report server database + - Netwrix Auditor + - Archive Service + - Management Service +products: + - auditor +sidebar_label: Unable to Run Reports — System Cannot Find the Fil +tags: [] +title: "Unable to Run Reports — System Cannot Find the File Specified" +knowledge_article_id: kA04u00000110zpCAA +--- + +# Unable to Run Reports — System Cannot Find the File Specified + +## Symptoms + +1. When trying to run a report via Netwrix Auditor, you encounter the following error: + +```text +An internal error occurred on the report server. See the error log for more details. (rsInternalError) +The system cannot find the file specified. (Exception from HRESULT: 0x80070002) +``` + +2. When trying to access the Report Manager via URL (specified in Netwrix Auditor **Settings** > **Audit Database**), you encounter the following error: + +```text +The service is not available. +The report server can't connect to its database. Make sure the database is running and accessible. +``` + +## Cause + +A report server database is missing. + +## Resolution + +Refer to the following steps to resolve the issue: + +1. In your Netwrix Auditor server, disable **Netwrix Auditor Archive Service** and **Netwrix Auditor Management Service** via **Services**. +2. Deploy the report server database — refer to the following article for in-depth instructions: /docs/kb/auditor/deploying_the_report_server_database (Deploying the Report Server Database). +3. Once you've configured the report server database, grant the roles to the SSRS service account the roles required. 
Refer to the following article for additional information: /docs/auditor/10.5/auditor/permissions/ssrsaccount (Configure SSRS Account). +4. Restart **Netwrix Auditor Archive Service** and **Netwrix Auditor Management Service** on your Netwrix Auditor server via **Services**. diff --git a/docs/kb/auditor/unable-to-save-reports-as-office-document-excel-word-or-powerpoint-with-ssrs-2019.md b/docs/kb/auditor/unable-to-save-reports-as-office-document-excel-word-or-powerpoint-with-ssrs-2019.md new file mode 100644 index 0000000000..18a374a89a --- /dev/null +++ b/docs/kb/auditor/unable-to-save-reports-as-office-document-excel-word-or-powerpoint-with-ssrs-2019.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Users cannot save reports as Excel, Word, or PowerPoint files with SSRS 2019 + due to a registry access error. This article describes the symptom, cause, and + steps to grant the required registry permission. +keywords: + - SSRS 2019 + - Avalon.Graphics + - registry + - rrRenderingError + - ReportingServicesService.exe + - Excel + - Word + - PowerPoint +products: + - auditor +sidebar_label: Unable to Save Reports as Office Document with SSRS 2019 +tags: [] +title: "Unable to Save Reports as Office Document (Excel, Word, or PowerPoint) with SSRS 2019" +knowledge_article_id: kA0Qk0000000WRJKA2 +--- + +# Unable to Save Reports as Office Document (Excel, Word, or PowerPoint) with SSRS 2019 + +## Symptom + +Users are unable to save any reports as Excel, Word, or PowerPoint files with SSRS 2019. PDFs and some other formats work, but the Office-specific ones fail with the following error: + +```text +An error occurred during rendering of the report. (rrRenderingError) +An error occurred during rendering of the report. +The type initializer for 'MS.Utility.EventTrace' threw an exception. +Requested registry access is not allowed. +``` + +## Cause + +The **ReportingServicesService.exe** process is getting an ACCESS DENIED error for the **Avalon.Graphics** (Microsoft) registry key. + +## Resolution + +To resolve the issue, you need to grant the the execution account (not the account that runs the service) **Read access** to the **Avalon.Graphics** registry key: + +1. On the computer that hosts your SQL Server instance, open **Registry Editor**. +2. Navigate to `HKEY_LOCAL_MACHINE\Software\Microsoft\Avalon.Graphics`. +3. Assign the **Read** permission to all occurrences of the **Avalon.Graphics** key in the registry. diff --git a/docs/kb/auditor/unable-to-save-subscription-file-to-a-shared-location.md b/docs/kb/auditor/unable-to-save-subscription-file-to-a-shared-location.md new file mode 100644 index 0000000000..f2f718cb1d 
--- /dev/null +++ b/docs/kb/auditor/unable-to-save-subscription-file-to-a-shared-location.md @@ -0,0 +1,49 @@ +--- +description: >- + When configuring subscriptions, the product is unable to upload the + subscription file to a shared file server location; the configuration + completes with the error "Could not find a part of the path." This article + describes the cause and steps to resolve the issue. +keywords: + - subscription + - shared location + - file share + - permissions + - domain admin + - monitoring plan + - Active Directory + - error + - Could not find a part of the path + - Netwrix Auditor +products: + - auditor +sidebar_label: Unable to Save Subscription File to a Shared Locat +tags: [] +title: "Unable to Save Subscription File to a Shared Location" +knowledge_article_id: kA0Qk0000000PKzKAM +--- + +# Unable to Save Subscription File to a Shared Location + +## Symptom + +When configuring subscriptions, the product is unable to upload the subscription file to a shared file server location. The configuration completes with the following error: + +``` +Could not find a part of the path. +``` + +## Cause + +Insufficient permissions for the account specified in the monitoring plan settings. + +## Resolution + +Perform the following steps to fix the error: + +1. Check the user specified for the problematic monitoring plan with your AD user via **Active Directory Users and Computers** (permission or membership). The account should be a **domain admin** account or member of the **domain admins** group. +2. Add this computer account to the target file share. + +### Related Article + +- Data Source Configuration — Permissions for Active Directory Auditing — v10.6 diff --git a/docs/kb/auditor/unable-to-update-netwrix-auditor-due-to-contract-or-subscription-expiration.md b/docs/kb/auditor/unable-to-update-netwrix-auditor-due-to-contract-or-subscription-expiration.md new file mode 100644 index 0000000000..e22efa0333 --- /dev/null 
+++ b/docs/kb/auditor/unable-to-update-netwrix-auditor-due-to-contract-or-subscription-expiration.md 
@@ -0,0 +1,55 @@ +--- +description: >- + When attempting to update Netwrix Auditor you may receive errors indicating a + maintenance contract or subscription expiration. This article explains the + cause and how to remove expired module licenses so you can update the product. +keywords: + - Netwrix Auditor + - update error + - expired license + - maintenance contract + - subscription expired + - upgrade increments + - licenses +products: + - auditor +sidebar_label: Unable to Update Netwrix Auditor Due to Contract o +tags: [] +title: "Unable to Update Netwrix Auditor Due to Contract or Subscription Expiration" +knowledge_article_id: kA00g000000H9cGCAS +--- + +# Unable to Update Netwrix Auditor Due to Contract or Subscription Expiration + +## Symptom + +Attempting to update Netwrix Auditor generates one of the following errors: + +``` +To be able to download and install the new version, renew your maintenance contract +``` + +``` +Your subscription plan for Netwrix Auditor has expired +``` + +![AboutNetwrixAuditor.png](images/ka0Qk0000002uxN_0EM4u000008LHag.png) + +## Cause + +At least one Netwrix Auditor module has an expired license. + +## Resolution + +Even if you have valid support and maintenance licenses, you might still have some expired licenses. You can delete them by following these steps: + +1. Open Netwrix Auditor and select **Settings**. +2. In the left pane, select **Licenses**. +3. Select any expired licenses and click **Remove**. + +If you would like to upgrade to the latest product version from a version that is no longer supported, refer to the following incremental upgrade guide: [Upgrade Increments for Netwrix Auditor](/docs/kb/auditor/upgrade-increments-for-netwrix-auditor.md). + +## Related articles + +- Installation — Upgrade to the Latest Version ⸱ v10.6 +- [Upgrade Increments for Netwrix Auditor](/docs/kb/auditor/upgrade-increments-for-netwrix-auditor.md) 
diff --git a/docs/kb/auditor/unable-to-update-the-compression-service.md b/docs/kb/auditor/unable-to-update-the-compression-service.md new file mode 100644 index 0000000000..1376b47d41 --- /dev/null +++ b/docs/kb/auditor/unable-to-update-the-compression-service.md 
@@ -0,0 +1,62 @@ +--- +description: >- + A monitoring plan shows the Take Action status and Netwrix Auditor logs + EventID 2009 indicating the Compression Service could not be updated on the + target server. This article explains causes and step-by-step resolutions, + including manually installing the Compression Service MSI. +keywords: + - compression service + - Windows Server + - monitoring plan + - EventID 2009 + - Data Collecting Account + - ports + - Netwrix Auditor + - Netwrix.WSA.CompressionService.Setup.msi + - installation + - Update +products: + - auditor +visibility: public +sidebar_label: Unable to Update the Compression Service +tags: [] +title: "Unable to Update the Compression Service" +knowledge_article_id: kA04u000001114BCAQ +--- + +# Unable to Update the Compression Service + +## Symptom + +A monitoring plan in Netwrix Auditor has the **Take Action** status, and the Netwrix Auditor Health Log contains `EventID 2009`: + +``` +The Compression Service has encountered an internal error: +Unable to update the Compression Service on the following server (%affected_server_name%). +``` + +## Causes + +One of the following causes may lead to this error: + +- The Windows Server Compression Service was not installed on the target server. +- The Windows Server Compression Service cannot be updated on the target server. + +## Resolutions + +- Verify the rights and permissions for the Data Collecting Account in the affected Windows Server monitoring plan. For additional information on the rights and permissions of Data Collecting Accounts, refer to the following article: /docs/auditor/10.6/auditor/configurationuration/windowsserver (Windows Server – Permissions for Windows Server Auditing ⸱ v10.6). + +- Verify that the ports required to audit the target server are open. 
For additional information on required ports and protocols, refer to the following article: /docs/auditor/10.6/auditor/configurationuration/windowsserver (Windows Server – Windows Server Ports ⸱ v10.6). + +- Install the Windows Server Compression Service manually on the affected server. Refer to the following steps: + + 1. On the Auditor server, navigate to `C:\Program Files (x86)\Netwrix Auditor\Windows Server Auditing`. + 2. Locate the `Netwrix.WSA.CompressionService.Setup.msi` installation file. + 3. Copy the file to the affected target server (the server referenced in the error message). + 4. Run the installation on the target server and follow the installation prompts. + 5. When done, click the **Update** button beside the required monitoring plan. + +## Related Articles + +- /docs/auditor/10.6/auditor/configurationuration/windowsserver (Windows Server – Permissions for Windows Server Auditing ⸱ v10.6) +- /docs/auditor/10.6/auditor/configurationuration/windowsserver (Windows Server – Windows Server Ports ⸱ v10.6) diff --git a/docs/kb/auditor/unable-to-upload-session-to-long-term-archive-access-to-state-in-time-folder-is-denied.md b/docs/kb/auditor/unable-to-upload-session-to-long-term-archive-access-to-state-in-time-folder-is-denied.md new file mode 100644 index 0000000000..c4b71ababe --- /dev/null +++ b/docs/kb/auditor/unable-to-upload-session-to-long-term-archive-access-to-state-in-time-folder-is-denied.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Explains how to resolve the "Access to the path ... is denied" error when + Netwrix Auditor cannot upload state-in-time sessions to the Long-Term Archive + by correcting service account permissions. +keywords: + - Long-Term Archive + - LTA + - state-in-time + - Health Log + - permissions + - Netwrix Auditor + - Short-Term Archive + - service account +products: + - auditor +sidebar_label: Unable to Upload Session to Long-Term Archive − Ac +tags: [] +title: "Unable to Upload Session to Long-Term Archive − Access to State-in-Time Folder Is Denied" +knowledge_article_id: kA0Qk0000000LSfKAM +--- + +# Unable to Upload Session to Long-Term Archive − Access to State-in-Time Folder Is Denied + +## Symptom + +The following error is prompted in **Health Log** for one of or multiple monitoring plans in Netwrix Auditor: + +``` +Description: Monitoring plan: %monitoring_plan% +The following error has occurred: +While processing the state-in-time data, Netwrix Auditor was unable to upload the session to the Long-Term Archive: +Access to the path '%Long-Term_Archive%\%monitoring_plan_SiT_folder%' is denied. +``` + +## Cause + +Misconfigured permissions for the Long-Term Archive (LTA) service account. + +## Resolution + +NOTE: You can establish the affected Long-Term Archive service account by following **Settings** > **Long-Term Archive** tab > **Modify** under the **Long-Term Archive** section. + +1. Allow **Full Control** permissions to the Long-Term Archive service account for the following 2 folders: + + - Long-term Archive − you can establish the location by following **Settings** > **Long-Term Archive** > **Write audit data to**. The default location is ` %PROGRAMDATA%\Netwrix Auditor\Data`. + - Short-Term Archive − you can establish the location by following **Health Status** > **Open diagnostic logs folder** under **Working folder** > parent folder of the **Logs** folder. 
The default location is `C:\ProgramData\Netwrix Auditor\ShortTerm`. + + NOTE: Alternatively, you can run the following line in Command Prompt in your Netwrix Auditor server to get the value of the `DataPathOverride` subkey entry. The output will contain the location of Short-Term Archive in your Netwrix Auditor server: + + ```powershell + reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\DataPathOverride" + ``` + +2. Grant the Long-Term Archive service account Local Administrators permissions in the Netwrix Auditor server. diff --git a/docs/kb/auditor/unable_to_determine_administrative_site_for_domain.sharepoint.com_error_accessing_remote_registry.md b/docs/kb/auditor/unable_to_determine_administrative_site_for_domain.sharepoint.com_error_accessing_remote_registry.md new file mode 100644 index 0000000000..648eed9ec4 --- /dev/null +++ b/docs/kb/auditor/unable_to_determine_administrative_site_for_domain.sharepoint.com_error_accessing_remote_registry.md 
@@ -0,0 +1,43 @@ +--- +description: >- + This article addresses the error encountered when attempting to run an SPAA/SPSEEK scan against a SharePoint Online host, detailing the symptoms, causes, and resolutions. +keywords: + - SharePoint Online + - SPAA + - SPSEEK + - remote registry error + - Netwrix Enterprise Auditor +sidebar_label: Unable to Determine Administrative Site Error +tags: [] +title: "Unable to Determine Administrative Site for Domain.sharepoint.com Error Accessing Remote Registry" +knowledge_article_id: kA0Qk0000001i2DKAQ +products: + - auditor +--- + +# Unable to Determine Administrative Site for Domain.sharepoint.com Error Accessing Remote Registry + +## Symptom + +When attempting to run an SPAA/SPSEEK scan against a SharePoint Online host, you receive the following error: + +``` +Unable to determine administrative site for domain.sharepoint.com error accessing remote registry: The network path was not found +``` + +## Cause + +This error appears when attempting to scan SharePoint Online with On-Prem/AD Credentials. + +## Resolutions + +Refer to the following options to resolve this error: + +1. Confirm that the SharePoint Online app has been configured for auditing by referring to the following link: SharePoint Online Access & Sensitive Data Auditing Configuration. + +2. Confirm that a connection profile has been created in **Netwrix Enterprise Auditor** for SharePoint Online auditing using the following link: SharePoint Custom Connection Profile & Host List. + +3. Configure the SPAA/SPSEEK jobs to scan the SharePoint Online host and use the SharePoint Online connection profile. For more information, please see the articles below: + - SharePoint Custom Connection Profile & Host List + - SharePoint Online Access & Sensitive Data Auditing Configuration + - SP_RegisterAzureAppAuth Job \ No newline at end of file 
diff --git a/docs/kb/auditor/unexpected-end-of-file-error-in-file-server-monitoring-plan.md b/docs/kb/auditor/unexpected-end-of-file-error-in-file-server-monitoring-plan.md new file mode 100644 index 0000000000..63cbc1ef8c --- /dev/null +++ b/docs/kb/auditor/unexpected-end-of-file-error-in-file-server-monitoring-plan.md 
@@ -0,0 +1,82 @@ +--- +description: >- + Explains how to resolve "Unexpected end of file" errors (EventIDs 2002 and + 2004) in Netwrix Auditor file server monitoring plans caused by missing + permissions on the Microsoft Link-Layer Discovery Protocol driver. +keywords: + - Netwrix Auditor + - MSLLDP + - EventID 2002 + - EventID 2004 + - sc sdset + - security descriptor + - file server monitoring + - ProgramData +products: + - auditor +sidebar_label: Unexpected End of File Error in File Server Monito +tags: [] +title: "Unexpected End of File Error in File Server Monitoring Plan" +knowledge_article_id: kA0Qk0000000ZCHKA2 +--- + +# Unexpected End of File Error in File Server Monitoring Plan + +## Symptom + +The Netwrix Auditor Health Log contains EventIDs 2002 and 2004: + +``` +Unexpected end of file has occurred. +The following elements are not closed refering to Netwrix .xml files in +the ProgramData directory of the Netwrix server specific to the monitoring plan. +``` + +## Cause + +This error is related to the link-layer protocol. It indicates that no service account has been granted permission to access the Microsoft Link-Layer Discovery Protocol (MSLLD) driver. + +## Resolution + +To address this issue, follow these steps: + +1. Run elevated Command Prompt to execute the following command: + + ```text + SC sdshow MSLLDPCopy + ``` + + The output should read similar to the following: + + ```text + D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) + (A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO) + (A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453) + S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) + ``` + +2. 
Execute the following command: + + ```text + SC sdshow MUPCopy + ``` + + The output should read similar to the following: + + ```text + D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) + (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU) + (A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) + ``` + +3. Locate the entry for `NT AUTHORITY\ SERVICE` represented as `(A;;CCLCSWLOCRRC;;;SU)`. Add it to the original MSLLDP security descriptor property, just before the last `S:(AU…` group. + +4. Apply the new security descriptor to the MSLLDP service using the following command. Delete the carriage return symbols when copying the command. + + ```text + sc sdset mslldp D: + (D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) + (A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO) + (A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU) + S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) + ``` diff --git a/docs/kb/auditor/uninstalling-user-activity-monitoring-agents.md b/docs/kb/auditor/uninstalling-user-activity-monitoring-agents.md new file mode 100644 index 0000000000..6189270240 --- /dev/null +++ b/docs/kb/auditor/uninstalling-user-activity-monitoring-agents.md 
@@ -0,0 +1,114 @@ +--- +description: >- + Provides PowerShell functions to remove User Activity monitoring agents + (Netwrix Auditor User Activity Core Service) that Netwrix Auditor could not + uninstall automatically. Includes parameter details, function descriptions, + and usage examples. +keywords: + - Uninstall + - User Activity + - UAVR + - PowerShell + - Netwrix Auditor + - ADV-2022-003 + - uninstall script + - agents + - CIDR + - LDAPQuery +products: + - auditor +sidebar_label: Uninstalling User Activity Monitoring Agents +tags: [] +title: "Uninstalling User Activity Monitoring Agents" +knowledge_article_id: kA04u000000TssMCAS +--- + +# Uninstalling User Activity Monitoring Agents + +The attached PowerShell functions assist customers with removing User Activity monitoring agents (Netwrix Auditor User Activity Core Service) that Netwrix Auditor could not automatically uninstall. You can download the script from our website: https://www.netwrix.com/download/products/KnowledgeBase/Uninstall-NetwrixProduct.ps1 + +## Prerequisites + +- Windows PowerShell 5.1 +- If using this script to remotely uninstall agents: + - You must be authenticated to the system you're running the script on with an account that has administrative privileges across all systems you wish to uninstall the agent from + - This account must also have the ability to read from Active Directory + +## Functions + +- `Uninstall-UAVRAgents` + Uninstalls all versions of the User Activity data source agent. + +- `Uninstall-ADV2022003UAVRAgents` + Uninstalls versions of the User Activity data source agent affected by the vulnerability detailed in security advisory ADV-2022-003 (https://security.netwrix.com/Advisories/ADV-2022-003). + +- `Uninstall-GenericProduct` + Uses built-in `PackageManager` features to uninstall a specified product. Used by the other helper functions. + +- `Get-IPRange` + An internal function to resolve CIDR notation to an enumeration of IP addresses. 
+ +## Parameters + +| Name | Description | Example | +|------|-------------|---------| +| **LDAPQuery** | - Used to query Active Directory for Computer Objects.
- When this is used the CIDR and ComputerNames parameters cannot be used | `(&(ObjectClass=computer)(OperatingSystem=*Windows Server*))` | +| **CIDR** | - Provide a CIDR range to uninstall agents from a range of IP addresses
- When this is used the LDAPQuery and ComputerNames parameters cannot be used | `10.0.0.0/24` | +| **ComputerNames** | - Provide a string array of computerNames or IP Addresses to uninstall agents from.
- When this is used the LDAPQuery and CIDR parameters cannot be used | `Server1, Server2, 10.0.0.15`

`(Get-Content C:\Temp\ComputerNames.txt)` | +| **Quiet** | Do not show the progress banner | `-Quiet` | +| **NoDNSResolution** | Do not attempt to resolve IP Addresses to DNS Names | `-NoDNSResolution` | +| **ProductName** | Input for a custom product name to be removed for the `Uninstall-GenericProduct` function. Get the name using the `Get-Package` cmdlet | `"Netwrix Auditor User Activity Core Service"` | +| **versionsBefore** | Only uninstall versions prior to the version mentioned | `"10.5"` | +| **DetectOnly** | Do not uninstall the product | `-DetectOnly` | +| **ProviderName** | Specifies a specific provider for packages for discovery and uninstallation | `msi` | + +# Examples + +### Uninstall agents affected by the vulnerability detailed in ADV-2022-003 on all Windows servers + +This example demonstrates how to uninstall versions of the `Netwrix Auditor User Activity Core Service` affected by the vulnerability detailed in ADV-2022-003 from all Windows servers in Active Directory. + +```powershell +. .\Uninstall-NetwrixProduct.ps1 +Uninstall-ADV2022003UAVRAgents -Verbose +``` + +### Uninstall agents affected by the vulnerability detailed in ADV-2022-003 from specific target hosts + +This example demonstrates how to uninstall vulnerable versions of the `Netwrix Auditor User Activity Core Service` from specified target hosts. In this example, to reduce errors, the IP Address specified (10.0.0.25) will be attempted to be resolved to a DNS before connecting. Resolution of IP addresses to DNS names can be disabled using the `NoDNSResolution` switch. + +```powershell +. .\Uninstall-NetwrixProduct.ps1 +Uninstall-ADV2022003UAVRAgents -ComputerNames 10.0.0.25, DC1, Server2, Server3 +``` + +### Uninstall from hosts in CIDR Range + +This example demonstrates how to uninstall all versions of the `Netwrix Auditor User Activity Core Service` from a CIDR range, and will attempt to resolve the DNS name of each IP address. + +```powershell +. 
.\Uninstall-NetwrixProduct.ps1 +Uninstall-UAVRAgents -CIDR 10.0.0.0/24 +``` + +### Uninstall on hosts retrieved from Active Directory with a custom LDAP query + +This example demonstrates the ability to use custom LDAP query to select computers from Active Directory to uninstall the `Netwrix Auditor User Activity Core Service` from. The following query will retrieve all computers which belong to the "Technology" department. + +```powershell +. .\Uninstall-NetwrixProduct.ps1 +Uninstall-UAVRAgents -LDAPQuery "(&(objectClass=computer)(Department=Technology)) +``` + +## Notes + +When using IP addresses, either with the CIDR or ComputerNames parameters, an attempt will be made to resolve them using DNS. This substantially reduces errors with remote command execution using PowerShell's `Invoke-Command` cmdlet, as the extra configuration required to enable `Invoke-Command` to work with IP addresses is rarely configured. + +To disable IP address to DNS name resolution, use the `-NoDNSResolution` switch. + +To export the results to a CSV file the `Export-CSV` command can be used. This can be done by piping the output of `Uninstall-ADV2022003UAVRAgents` or `Uninstall-UAVRAgents` to `Export-CSV`, examples of this are shown below. + +```powershell +Uninstall-ADV2022003UAVRAgents | Export-CSV C:\Temp\VulnerableUAVRAgents.csv +Uninstall-UAVRAgents | Export-CSV C:\Temp\UAVRAgents.csv +``` diff --git a/docs/kb/auditor/upgrade-increments-for-netwrix-auditor.md b/docs/kb/auditor/upgrade-increments-for-netwrix-auditor.md new file mode 100644 index 0000000000..594b1f0b68 --- /dev/null +++ b/docs/kb/auditor/upgrade-increments-for-netwrix-auditor.md 
@@ -0,0 +1,77 @@ +--- +description: >- + Describes the approved incremental upgrade paths for Netwrix Auditor up to + version 10.5 and provides recommendations and prerequisites for successful + upgrades. +keywords: + - Netwrix Auditor + - upgrade + - incremental upgrade + - database upgrade + - 10.5 + - 9.9 + - license +products: + - auditor +sidebar_label: Upgrade Increments for Netwrix Auditor +tags: [] +title: "Upgrade Increments for Netwrix Auditor" +knowledge_article_id: kA00g000000H9eJCAS +--- + +# Upgrade Increments for Netwrix Auditor + +## Overview + +When upgrading from old versions of Netwrix Auditor, you must do that **incrementally**. Below is the list of approved upgrade paths up to the version 10.5. + +## Before you start + +To successfully access the download packages, ensure you are logged in with your customer portal account at [Netwrix.com](https://www.netwrix.com/my_account.html). + +> **IMPORTANT:** Make sure the free disk space in your SQL server totals to at least 30% of the total size of all Netwrix Auditor-related databases. This will allow for the database growth during the upgrade. + +## Upgrade Recommendations + +### For versions older than 9.5 + +- **Upgrading from versions older than 9.5 is not recommended!** Incremental upgrades may cause error accumulation and cause issues with the product stability post-upgrade. Best practices recommend that you leave your Netwrix Auditor as is for historical reports and start a new server with the latest version installed. Proceed only if you absolutely have to. +- Make sure to wait at least 24 hours before upgrading to the next version, so that the product has enough time time upgrade your databases. +- Contact Technical Support for download links for Netwrix Auditor 8.5 and 9.5 +- Once 8.5 is installed, you will need to run the upgrade of your Audit Databases manually. 
To do this, launch Netwrix Auditor Administrator Console, navigate to **Audit Archive** > **Audit Database** and then click **Upgrade**. + +### For Versions 9.5 and Newer + +- Upgrading to Netwrix Auditor v10.6 requires .NET 4.8 on the Auditor server and on any servers included in a Windows Server or User Activity Monitoring Plan that have the Compression Service enabled. + +> **IMPORTANT:** Plan your upgrade carefully. .NET 4.8 requires Windows Server 2016 or later and may require a server reboot after installation. + +- Starting from the version 9.9 Netwrix implemented the new license format. To reissue the license: + - If you upgrade incrementally, just follow steps given in the **Upgrade Paths** table below, and your license will upgrade automatically. + - If you leave your Netwrix Auditor as is and start a new server with the latest version, contact your Account Manager and request the newly formatted license. +- Do not pause the upgrade chain in the middle for a long time as this may leave your system in a vulnerable state. The latest product version includes all functionality from the previous versions, adds new features and includes important security updates. +- After each incremental update, you must wait for the DBs to be upgraded. In large/busy environments, this may take up to 24 hours. Check the **Health Log** to see if database was upgraded successfully. Event IDs **4410** and **4405** indicate that upgrade was done successfully, any other 44XX Event IDs indicate that there was an error. +- If you have the capability to capture a snapshot of the server, we recommend doing so. Before we begin, launch a PowerShell session as Administrator and execute the following command: + +```powershell +Stop-Service -Displayname Netwrix* +``` + +This will stop all Netwrix Services and prevent complications during the upgrade. 
+ +## Upgrade Paths + +| Version | Can Upgrade To | Additional Info | +|----------------|----------------|-----------------| +| 8.0 | 8.5 | Not recommended! | +| 8.5 / 9.0 | 9.5 | Not recommended! | +| 9.5 | 9.7 | [Download](https://www.netwrix.com/my_products.html) | +| 9.7 / 9.8 | 9.9 | [Download](https://www.netwrix.com/my_products.html) | +| 9.9 | 9.96 | [Download](https://www.netwrix.com/my_products.html)
Refer to the following article for additional information:
How to upgrade to from 9.9 to 9.96 if I get the error “Your Netwrix Auditor version cannot be upgraded” ) | +| 9.96 / 10.0 | 10.5 | [Download](https://www.netwrix.com/my_products.html) | +| 10 / 10.5 | 10.6 | [Download](https://www.netwrix.com/my_products.html) | +| 10.5 / 10.6 | 10.7 | [Download](https://www.netwrix.com/my_products.html) | + +### Related articles + +[How To Upgrade Netwrix Auditor](/docs/kb/auditor/how-to-upgrade-netwrix-auditor.md) diff --git a/docs/kb/auditor/upgrade_from_9.9_to_9.96_with_your_netwrix_auditor_version_cannot_be_upgraded_error.md b/docs/kb/auditor/upgrade_from_9.9_to_9.96_with_your_netwrix_auditor_version_cannot_be_upgraded_error.md new file mode 100644 index 0000000000..bbe7055874 --- /dev/null +++ b/docs/kb/auditor/upgrade_from_9.9_to_9.96_with_your_netwrix_auditor_version_cannot_be_upgraded_error.md 
@@ -0,0 +1,39 @@ +--- +description: >- + This article provides step-by-step instructions on how to upgrade from Netwrix Auditor version 9.9 to 9.96 when encountering an upgrade error. +keywords: + - Netwrix Auditor + - upgrade + - error resolution +sidebar_label: Upgrade Netwrix Auditor +tags: [] +title: "Upgrade from 9.9 to 9.96 with Your Netwrix Auditor Version Cannot Be Upgraded Error" +knowledge_article_id: kA04u000000HDkzCAG +products: + - auditor +--- + +# Upgrade from 9.9 to 9.96 with Your Netwrix Auditor Version Cannot Be Upgraded Error + +## Question + +How to upgrade from 9.9 to 9.96 if I get the following error: + +``` +Your Netwrix Auditor version cannot be upgraded to 9.96. +Before you can upgrade to the latest version, install previous version of Netwrix Auditor, and then retry upgrade. +``` + +## Answer + +To upgrade to v9.96, contact Technical Support for download links for the latest builds of Netwrix Auditor 9.95 and 9.96. Then, upgrade sequentially right to version 9.96: + +## Instructions + +1. Upgrade from 9.9 to 9.95 +2. Upgrade from 9.95 to 9.96 + +## Related Articles + +- [Upgrade Increments for Netwrix Auditor](/docs/kb/auditor/upgrade-increments-for-netwrix-auditor) +- [How To Upgrade Netwrix Auditor](/docs/kb/auditor/how-to-upgrade-netwrix-auditor) \ No newline at end of file diff --git a/docs/kb/auditor/upgrading-sql-server-instance.md b/docs/kb/auditor/upgrading-sql-server-instance.md new file mode 100644 index 0000000000..ac5301cb96 --- /dev/null +++ b/docs/kb/auditor/upgrading-sql-server-instance.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Explains prerequisites and verification steps for upgrading a SQL Server + instance used by Netwrix Auditor, including stopping and starting services and + validating database and reporting settings. +keywords: + - SQL Server + - upgrade + - Netwrix Auditor + - Audit Database + - PowerShell + - SSRS + - Database Statistics + - Report Server +products: + - auditor + - SQL_Server +sidebar_label: Upgrading SQL Server Instance +tags: [] +title: "Upgrading SQL Server Instance" +knowledge_article_id: kA04u0000011154CAA +--- + +# Upgrading SQL Server Instance + +## Question + +SQL Server upgrade is required in our environment—are there any special requirements or prerequisites to comply with when upgrading a SQL Server instance? + +## Answer + +1. Prior to the upgrade, stop **Netwrix Auditor Archive Service** and **Netwrix Auditor Management Service** on your Netwrix Auditor server. Run the following commands in elevated PowerShell: +```powershell +Stop-Service -DisplayName "Netwrix Auditor Archive Service" +Stop-Service -DisplayName "Netwrix Auditor Management Service" +``` + +2. Once stopped, proceed with the upgrade procedure as recommended by Microsoft. + +3. After the upgrade is complete, start the previously stopped services on your Netwrix Auditor server. Use the following commands in elevated PowerShell: +```powershell +Start-Service -DisplayName "Netwrix Auditor Archive Service" +Start-Service -DisplayName "Netwrix Auditor Management Service" +``` + +Learn more about SQL Server upgrades in Upgrade SQL Server ⸱ Upgrade documentation ⸱ Microsoft: https://learn.microsoft.com/en-us/sql/database-engine/install-windows/upgrade-sql-server?view=sql-server-ver16#upgrade-documentation + +## Post-upgrade verification + +Refer to the following steps to verify Netwrix Auditor has detected the change after the SQL Server upgrade: + +1. 
In the main Netwrix Auditor menu, select **Health Status** > click **View details** under the **Database Statistics** pane. The top **SQL Server instance** line should reflect the server FQDN and the current SQL Server version. For additional information on the SQL Server setup, refer to the following article: Netwrix Auditor Settings − Audit Database · v10.7: /docs/auditor/10.7/auditor/admin-guide/settings + +2. Verify SQL Server Reporting Services operate as intended — in the main Netwrix Auditor menu, select **Settings** > **Audit Database** > verify both the **Report Server URL** and **Report Manager URL** are operational. For additional information on the SSRS setup, refer to the following article: Requirements − SQL Server Reporting Services · v10.7: /docs/auditor/10.7/auditor/requirements + +## Related articles + +- Netwrix Auditor Settings − Audit Database · v10.7: /docs/auditor/10.7/auditor/admin-guide/settings +- Requirements − SQL Server Reporting Services · v10.7: /docs/auditor/10.7/auditor/requirements +- Upgrade SQL Server ⸱ Upgrade documentation ⸱ Microsoft: https://learn.microsoft.com/en-us/sql/database-engine/install-windows/upgrade-sql-server?view=sql-server-ver16#upgrade-documentation diff --git a/docs/kb/auditor/use-certificate-authority-issued-certificates-in-ssrs.md b/docs/kb/auditor/use-certificate-authority-issued-certificates-in-ssrs.md new file mode 100644 index 0000000000..63f28b2de3 --- /dev/null +++ b/docs/kb/auditor/use-certificate-authority-issued-certificates-in-ssrs.md 
@@ -0,0 +1,58 @@ +--- +description: >- + Shows how to add a certificate issued by a third-party or internal Certificate + Authority (CA) to the SSRS server certificate store so Netwrix Auditor and + SSRS communicate securely across servers. +keywords: + - SSRS + - certificate + - Certificate Authority + - CA + - Netwrix Auditor + - certificate store + - MMC + - import certificate + - secure communication +products: + - auditor +sidebar_label: Use Certificate Authority-issued Certificates in S +tags: [] +title: "Use Certificate Authority-issued Certificates in SSRS" +knowledge_article_id: kA0Qk0000001HQDKA2 +--- + +# Use Certificate Authority-issued Certificates in SSRS + +## Overview + +Netwrix Auditor uses SQL Server Reporting Services (SSRS) to generate reports. In environments with Netwrix Auditor and SSRS installed on different servers, you should use a secure communication channel. This article covers the steps to implement a certificate issued by a third-party certification authority (CA) or your internal company CA to use in SSRS. + +## Instructions + +CA provides you with a certificate to add to the certificate store on the SSRS server. Ensure the root certificate of the CA is present in the certificate store. While global CA root certificates are updated automatically using Windows Update, publish the root certificate manually in case your company has its CA: + +- Publish the root certificate manually on the Netwrix Auditor server and client servers. +- Publish the root certificate manually on your SSRS server. + +Refer to the following steps to publish a root certificate in the certificate store on your SSRS server: + +### Using a Certificate From a Third-Party Certificate Authority + +CA provides you with a security certificate that should be added to the certificate repository on the SSRS server. Ensure that the root certificate of the CA is present in the certificate store. 
While global CA root certificates are updated automatically using Windows Update, publish the root certificate manually in case your company has its CA: + +1. On your SSRS server, start the Microsoft Management Console (MMC). You can start it by running `MMC` in the **Run** command window. +2. In the top menu bar, select **File** > **Add/Remove Snap-in**. +3. In the left window, select **Certificates** and click **Add** in the middle section. +4. In the pop-up window, select **Computer account** and click **Next**. +5. Select **Local computer** and click **Finish**. +6. Click **OK** to close the pop-up window. +7. Double-click **Certificates (Local Computer)** in the central pane. +8. Right-click the **Personal** folder and select **All Tasks** > **Import**. +9. Follow the Certificate Import Wizard to import your certificate: + 1. Browse the certificate file and enter the associated password when prompted. + 2. If desired, select the **Mark This Key as Exportable** option. + 3. When prompted, choose to automatically place the certificate in the certificate store based on the type of the certificate. + 4. Click **Finish** to close the wizard. +10. Close the MMC console. + +You have successfully imported the certificate to the certificate store on your SSRS server. diff --git a/docs/kb/auditor/user-activity-video-is-not-being-captured.md b/docs/kb/auditor/user-activity-video-is-not-being-captured.md new file mode 100644 index 0000000000..39002cec1b --- /dev/null +++ b/docs/kb/auditor/user-activity-video-is-not-being-captured.md 
@@ -0,0 +1,48 @@ +--- +description: >- + If User Activity monitoring shows no errors but you are not receiving video + recordings, verify that recording is enabled and follow the troubleshooting + steps to resolve common causes. +keywords: + - User Activity + - video recordings + - monitoring plan + - Data Collection Account + - Netwrix Auditor + - Health Log + - Local Administrator + - troubleshooting +products: + - auditor +sidebar_label: User Activity video is not being captured +tags: [] +title: "User Activity video is not being captured" +knowledge_article_id: kA00g000000PbczCAC +--- + +# User Activity video is not being captured + +If there are no errors listed for your User Activity monitoring plan and you are not receiving video recordings for your monitored computers, ensure you have the recording option **enabled**. + +## Verify recording is enabled + +1. Navigate to your User Activity monitoring plan(s). +2. Select **Edit Data Source**. + +![Edit Data Source](https://kb.netwrix.com/wp-content/uploads/2020/04/1-1-1024x328.png) + +3. Ensure the **Record video of user activity within sessions** option is enabled. + +![Record video of user activity within sessions](https://kb.netwrix.com/wp-content/uploads/2020/04/2-1024x326.png) + +## Troubleshooting + +If this option is enabled and videos are still not being captured, proceed with the following troubleshooting: + +- Ensure the Data Collection Account is a **Local Administrator** on **all** target servers. +- Validate Configuration Settings: + - See the Configuration Settings documentation: https://helpcenter.netwrix.com/Configure_IT_Infrastructure/User_Activity/UAVR_Data_Collection.html#Configur +- Review the Netwrix Auditor Health Log for any errors related to User Activity. + - The support team often encounters environmental errors, such as remote services becoming unavailable. +- Add the Netwrix Auditor Host Server as an item under your User Activity Monitoring Plan and attempt to capture video. 
+ - This may provide more insight on issues related to networking or configuration. diff --git a/docs/kb/auditor/user-and-workstation-do-not-match.md b/docs/kb/auditor/user-and-workstation-do-not-match.md new file mode 100644 index 0000000000..67d97dfaa3 --- /dev/null +++ b/docs/kb/auditor/user-and-workstation-do-not-match.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Explains why the Who (User) and Workstation fields may not match in file + server reports and how Logon ID mapping with event ID 4624 and subsequent + events cause this behavior. +keywords: + - Logon ID + - Workstation mismatch + - File Server + - Event ID 4624 + - Event ID 4663 + - Netwrix Auditor + - Source Network Address + - Logoff +products: + - auditor +sidebar_label: User and Workstation Do Not Match +tags: [] +title: "User and Workstation Do Not Match" +knowledge_article_id: kA04u000001110iCAA +--- + +# User and Workstation Do Not Match + +## Question + +The fields **Who** (User) and **Workstation** mismatch in File Server-related reports. The **Workstation** specified does not belong to the user in question. Should this be considered a malicious user activity? + +## Answer + +Netwrix Auditor for File Servers collects certain events to allow data audit. These events do not contain any information on originating workstations, but they have a distinct Logon ID field that can be matched to the Logon ID in local logon events (`4624`). These logon events include the Source Network Address for the originating workstation to be resolved to FQDN and be displayed in Netwrix Auditor. + +1. When a user logs on to the file server using a certain account via the machine **A**, the Logon ID **A** is assigned to the session **A**. + + > **NOTE:** The Logon ID along with the IP address of the machine are picked from the Event ID `4624`. + +2. If the user disconnects without logging off to close the Logon ID **A** session, no logoff event is created for the session **A**. + +3. Once another person logs on using the same account via the machine **B**, a new Logon ID **B** and another IP address (belonging to the machine **B**) are logged to a new logon event (`4624`). + +4. Since the session **A** was not closed and did not generate a logoff event, the session **B** is perceived to be the same session as session **A** by the OS. 
+ + > **NOTE:** If the second person makes any changes on the file server, the corresponding events `4663` and others will contain the initial Logon ID **A** to match the machine **A** logon. diff --git a/docs/kb/auditor/user-behavior-analytics-configuration.md b/docs/kb/auditor/user-behavior-analytics-configuration.md new file mode 100644 index 0000000000..b756a94e53 --- /dev/null +++ b/docs/kb/auditor/user-behavior-analytics-configuration.md 
@@ -0,0 +1,33 @@ +--- +description: >- + User Behavior Analytics (UBA) is a closed-enrollment feature for Netwrix + Auditor that uses the cloud-based Netwrix Behavior Anomaly Insight module to + detect behavior anomalies and help investigate suspicious activity. +keywords: + - User Behavior Analytics + - UBA + - Behavior Anomaly Insight + - Netwrix Auditor + - anomaly detection + - cloud-based module + - security incidents + - licensing +products: + - auditor +sidebar_label: User Behavior Analytics Configuration +tags: [] +title: "User Behavior Analytics Configuration" +knowledge_article_id: kA00g000000PbccCAC +--- + +# User Behavior Analytics Configuration + +## What is it? + +User Behavior Analytics (UBA) is a feature that is currently in a closed enrollment stage. Here is an excerpt taken from the Netwrix Auditor 9.9 Installation and Configuration Guide: + +"Netwrix Behavior Anomaly Insight is an advanced cloud-based module of Netwrix Auditor solution that enables you to detect behavior anomalies in your IT environment, such as activity surges or mass deletions of archived data. As you investigate suspicious activity and review incidents, you can identify intruders or in-house actors who keep violating your company's security policies. The behavior anomalies assessment provides both a high-level visualization and a detailed history of malicious user activity. It accumulates historical data over time and gives you a bird's eye view on the activity patterns. With Netwrix Behavior Anomaly Insight you can step beyond individual actions and investigate more complicated user behavior scenarios that might otherwise stay concealed for a long time." + +## How can I opt-in for UBA? + +To benefit from Netwrix Behavior Anomaly Insight functionality, you will need a special license. Contact your Netwrix sales representative for details. 
diff --git a/docs/kb/auditor/users-access-their-own-mailboxes.md b/docs/kb/auditor/users-access-their-own-mailboxes.md new file mode 100644 index 0000000000..81437b0a48 --- /dev/null +++ b/docs/kb/auditor/users-access-their-own-mailboxes.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Explains why the Non-owner Mailbox Access Reporter shows users accessing their + own mailboxes and how to omit those events by generating and copying a mailbox + omit list. +keywords: + - Non-owner Mailbox Access Reporter + - mailbox archive + - Microsoft Exchange + - Get-Mailbox + - usermailboxesomitlist + - Netwrix Auditor + - Outlook + - omit events +products: + - auditor +sidebar_label: Users access their own mailboxes +tags: [] +title: "Users access their own mailboxes" +knowledge_article_id: kA00g000000H9buCAC +--- + +# Users access their own mailboxes + +The Non-owner Mailbox Access Reporter shows that users access their own mailboxes. + +There is a Mailbox Archive option in Microsoft Exchange that creates a linked mailbox with the same name as the user's own mailbox. The user is not an owner of that linked archive mailbox. Each time the user runs Outlook, it reads the archive mailbox content, basically performing non-owner access. + +In order to omit such events perform the following steps: + +1. On the Exchange server, run the Exchange Management Shell and perform the following cmdlet (without quotes and replace the `%domain name%` with the NetBIOS name of your domain): + +```powershell +Get-Mailbox | %{$mailboxstring = ""; $mailboxstring += "%domain name%";$mailboxstring += "";$mailboxstring += $_.samaccountname; $mailboxstring += "="; $mailboxstring += $_.emailaddresses[0].addressstring; echo $mailboxstring >> C:\usermailboxesomitlist.txt} +``` + +2. 
Copy the `usermailboxesomitlist.txt` from the Exchange server to the Non-owner Mailbox Access Reporter installation folder; by default it is: +`C:\Program Files (x86)\Netwrix Auditor\Non-owner Mailbox Access Reporter for Exchange` + +**NOTE:** If you create a new user with mailbox, you should add it to the existing `usermailboxesomitlist.txt` file located at the Non-owner Mailbox Access Reporter home folder using the following format: `domainusername=mailbox` (E.g.: `CORPjsmith=jsmith@corp.com`). diff --git a/docs/kb/auditor/volume-shadow-copy-service-support-in-netwrix-auditor-for-file-servers.md b/docs/kb/auditor/volume-shadow-copy-service-support-in-netwrix-auditor-for-file-servers.md new file mode 100644 index 0000000000..3197a34604 --- /dev/null +++ b/docs/kb/auditor/volume-shadow-copy-service-support-in-netwrix-auditor-for-file-servers.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Explains how to enable Volume Shadow Copy Service (VSS) support in Netwrix + Auditor and where Shadow Copy data is stored. Shows the steps in the Netwrix + Auditor UI and clarifies that snapshot data is stored on the audited file + server. +keywords: + - VSS + - Volume Shadow Copy + - Shadow Copy + - Netwrix Auditor + - file server + - snapshot + - file versioning + - rollback +products: + - auditor +sidebar_label: Volume Shadow Copy Service support in Netwrix Audi +tags: [] +title: "Volume Shadow Copy Service support in Netwrix Auditor for File Servers" +knowledge_article_id: kA00g000000H9TiCAK +--- + +# Volume Shadow Copy Service support in Netwrix Auditor for File Servers + +How do you enable the **Volume Shadow Copy Service support** in **Netwrix Auditor**? Where will the **Shadow Copy** data be stored: on an audited file server or on a computer where **Netwrix Auditor** is installed? + +## Enable Volume Shadow Copy Service (VSS) support + +The **Volume Shadow Copy Service** (hereafter **VSS**) can be enabled via **Netwrix Auditor**. To do it, + +1. Navigate to **Managed Objects -> your_File_Servers_Managed_Object_name -> File Servers.** +2. Click **Configure** next to **Advanced Settings** and select the **Enable file versioning and rollback capabilities (based on Volume Shadow Copy).** + +![User-added image](images/ka04u000000HcNV_0EM700000007LkF.png) + +## Where Shadow Copy data is stored + +The **Shadow Copy** data is stored on the audited file server. **VSS** is a built-in **Windows** service, and when you enable the VSS support, **Netwrix Auditor** just triggers creation of a snapshot. If you have not configured **VSS**, you may want to turn it off (especially if you do not have enough space on that server). To know precisely where the **Shadow Copy** data is stored, refer to the **Shadow Copy** information on the drive volume. 
diff --git a/docs/kb/auditor/vserver-api-missing-vserver-parameter-error-when-auditing-netapp-cluster.md b/docs/kb/auditor/vserver-api-missing-vserver-parameter-error-when-auditing-netapp-cluster.md new file mode 100644 index 0000000000..5afb2de323 --- /dev/null +++ b/docs/kb/auditor/vserver-api-missing-vserver-parameter-error-when-auditing-netapp-cluster.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Explains how to resolve the "Vserver API missing vserver parameter" ONTAPI + error that prevents NetApp cluster auditing in Netwrix Auditor. +keywords: + - netapp + - ontapi + - vserver + - error + - auditing + - svm + - management-interface + - netwrix + - audit +products: + - auditor +sidebar_label: '"Vserver API missing vserver parameter" error when' +tags: [] +title: '"Vserver API missing vserver parameter" error when auditing NetApp Cluster' +knowledge_article_id: kA00g000000PcikCAC +--- + +# "Vserver API missing vserver parameter" error when auditing NetApp Cluster + +## Symptom +When you add NetApp for auditing and the collection fails immediately with the error below: + +`"Cannot start auditing the 'ServerName' server. +Failed to get file server information (0x8004959A ONTAPI error: Vserver API missing vserver parameter.)."` + +## Cause +The specified management interface is not the management interface of the CIFS SVM you are trying to audit. + +## Solution +1. Open the **Network Interfaces** setting in the Cluster management console. +2. Find the interface that has **Management Access** enabled and is assigned to the SVM you are trying to audit. +3. Remember its IP address and specify it in the properties of the NetApp item in Netwrix Auditor in the **ONTAPI** node. + +![Management_Interface_NetApp](images/ka04u000000HcZ5_0EM0g000002CGLg.png) + +Also make sure the account used to collect to ONTAPI is assigned a custom role on the SVM that has the following capabilities with access query levels: + +| Capability | Access level | +|-------------------------------------|--------------| +| Version | readonly | +| Volume | readonly | +| vserver audit | all | +| vserver audit rotate-log | all | +| vserver cifs | readonly | + +See [Creating Role on NetApp Clustered Data ONTAP 8 or ONTAP 9 and Enabling AD User Access](/docs/auditor/). 
diff --git a/docs/kb/auditor/warning-53-the-network-path-was-not-found.md b/docs/kb/auditor/warning-53-the-network-path-was-not-found.md new file mode 100644 index 0000000000..78b093f1a3 --- /dev/null +++ b/docs/kb/auditor/warning-53-the-network-path-was-not-found.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Shows how to resolve the "(53) The network path was not found" warning from + Netwrix Auditor by granting the local System account proper permissions or + ensuring the scheduled task account has required rights. +keywords: + - network path not found + - 53 + - network traffic compression + - SYSTEM account + - shared folder permissions + - Netwrix Auditor + - scheduled task +products: + - auditor +sidebar_label: 'Warning: "(53) The network path was not found"' +tags: [] +title: 'Warning: "(53) The network path was not found"' +knowledge_article_id: kA00g000000H9XtCAK +--- + +# Warning: "(53) The network path was not found" + +The audit report from Netwrix Auditor contains the following warning: "(53) The network path was not found. Path: `servershare`" + +If you have the `Network traffic compression` option enabled, grant the local System account the appropriate permissions: + +1. Select the required shared folder and right-click it. +2. In the pop-up menu, select **Properties** and open the **Security** tab. +3. On the **Security** tab, click the **Advanced** button. +4. In the **Advanced Security Settings for ``** dialog, select the `SYSTEM` permission entry and click **Change Permissions**. +5. In the next dialog, select the `SYSTEM` permission entry and click **Edit**. +6. In the **Permission Entry for ``** dialog, allow the following permissions: + - `Traverse folder / execute file` + - `Read attributes` + - `Read extended attributes` + - `Read permissions` + + In the **Advanced Security Settings for ``** dialog, open the **Effective Permissions** tab and check all the permissions for the `SYSTEM` service account. Click **OK**. +7. In the **`` Properties** dialog, open the **Sharing** tab and click **Share**. +8. In the **File Sharing** dialog, add the `SYSTEM` service account and select the `Read/Write` permission level for it. +9. To save the changes, click **Share** and then **Done**. 
+ +If you do not use the `Network traffic compression` option, make sure that the account configured to run the Netwrix Auditor scheduled task has the following rights and permissions on the monitored file server: + +- The local administrator rights +- Read access to the monitored shared folder + +If the steps provided do not resolve your issue, please [contact Netwrix Technical Support](https://www.netwrix.com/support_ticket.html). diff --git a/docs/kb/auditor/warning-the-following-error-occurred-when-trying-to-perform-automatic-audit-configuration.md b/docs/kb/auditor/warning-the-following-error-occurred-when-trying-to-perform-automatic-audit-configuration.md new file mode 100644 index 0000000000..73a4c4b1fe --- /dev/null +++ b/docs/kb/auditor/warning-the-following-error-occurred-when-trying-to-perform-automatic-audit-configuration.md 
@@ -0,0 +1,32 @@ +--- +description: >- + Explains how to resolve the "[WARNING] The following error occurred when + trying to perform automatic audit configuration" message in Netwrix Auditor + change summary emails and System Health logs, and provides two options to fix + the issue. +keywords: + - Netwrix Auditor + - automatic audit configuration + - DC collection warnings + - GPO + - System Health + - change summary emails + - audit settings +products: + - auditor +sidebar_label: '[WARNING] The following error occurred when trying' +tags: [] +title: "[WARNING] The following error occurred when trying to perform automatic audit configuration" +knowledge_article_id: kA00g000000H9ZwCAK +--- + +# [WARNING] The following error occurred when trying to perform automatic audit configuration + +Change summary emails and **Netwrix Auditor System Health** log show the error saying: **DC collection warnings:** ` %DCName%` The message is: **[WARNING] The following error occurred when trying to perform automatic audit configuration:** ` %Error details%` + +--- + +There are 2 options to fix the issue: + +1. Remove or reconfigure settings that are conflicting with automatic audit configuration. Details of the error message usually specify which GPO affects this +2. Disable automatic audit configuration and configure audit settings manually as per the guidance from the Help Center: /docs/auditor/10.5/auditor/configurationuration diff --git a/docs/kb/auditor/warning-the-netwrixsqlcraudit-database-with-audit-data-does-not-exist-or-cannot-be-accessed.md b/docs/kb/auditor/warning-the-netwrixsqlcraudit-database-with-audit-data-does-not-exist-or-cannot-be-accessed.md new file mode 100644 index 0000000000..75326e9690 --- /dev/null +++ b/docs/kb/auditor/warning-the-netwrixsqlcraudit-database-with-audit-data-does-not-exist-or-cannot-be-accessed.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Explains possible causes and solutions for the "Warning: The NetwrixSQLCRAudit + database with audit data does not exist or cannot be accessed" error when a + Change Summary contains incorrect or missing data. +keywords: + - Netwrix Auditor + - NetwrixSQLCRAudit + - Change Summary + - audit database + - SQL Server + - db_owner + - SQL Server Management Studio + - Compatibility level +products: + - auditor +sidebar_label: 'Warning: "The NetwrixSQLCRAudit database with audit data does not exist or cannot be accessed"' +tags: [] +title: 'Warning: "The NetwrixSQLCRAudit database with audit data does not exist or cannot be accessed"' +knowledge_article_id: kA00g000000H9ZjCAK +--- + +# Warning: "The NetwrixSQLCRAudit database with audit data does not exist or cannot be accessed" + +You received a Change Summary containing incorrect data or no data at all. You also see the following message: " **Warning: The NetwrixSQLCRAudit database with audit data does not exist or cannot be accessed** ". + +--- + +Review the possible causes of this issue: + +1. The database was not created and does not exist on the monitored server. +2. The default Data Processing Account used to collect data from the monitored SQL Servers was changed. +3. The database is in the recovery mode. +4. The account, which is assigned the database owner role of the monitored database, has no access to the **NetwrixSQLCRAudit** database. + +--- + +Depending on the issue cause, try one of the following solutions: + +1. Check if the **NetwrixSQLCRAudit** database exists on the monitored server. +2. Make sure that the account under which Netwrix Auditor is running has enough privileges on the SQL Server. Make sure it is assigned the **db_owner** role. +3. Grant all **db_owners** of the monitored databases rights to write into the **NetWrixSQLCRAudit** database. Alternatively, replace all **db_owner** accounts with the account under which Netwrix Auditor runs. +4. 
In SQL Server Management Studio, right-click the monitored database and select **Properties**, navigate to the **Options** tab. Make sure that the **Compatibility level** is set to the SQL Server version that is currently running. diff --git a/docs/kb/auditor/weak_password_job_errors_system.io.filenotfoundexception_could_not_load_file_or_assembly_dsinternals.md b/docs/kb/auditor/weak_password_job_errors_system.io.filenotfoundexception_could_not_load_file_or_assembly_dsinternals.md new file mode 100644 index 0000000000..d466d2e872 --- /dev/null +++ b/docs/kb/auditor/weak_password_job_errors_system.io.filenotfoundexception_could_not_load_file_or_assembly_dsinternals.md 
@@ -0,0 +1,36 @@ +--- +description: >- + This article addresses the error encountered when the Active Directory > 2.Users > AD_WeakPasswords job fails due to a missing assembly file. +keywords: + - Active Directory + - Weak Passwords + - System.IO.FileNotFoundException +sidebar_label: Weak Password Job Errors +tags: [] +title: "Weak Password Job Errors: System.IO.FileNotFoundException: Could Not Load File or Assembly: DSInternals.Replication.Interop.dll" +knowledge_article_id: kA0Qk0000001u09KAA +products: + - auditor +--- + +# Weak Password Job Errors: System.IO.FileNotFoundException: Could Not Load File or Assembly: DSInternals.Replication.Interop.dll + +## Symptom + +The **Active Directory > 2.Users > AD_WeakPasswords** job fails, and you receive the following error: + +``` +System.IO.FileNotFoundException: Could not load file or assembly 'DSInternals.Replication.Interop.dll' or one of its dependencies. The specified module could not be found. +``` + +## Cause + +The required Windows component **Microsoft Visual C++ Redistributable x86** is not installed. + +> **NOTE:** Netwrix Enterprise Auditor requires the x86 version of the C++ Redistributable. + +## Resolution + +Download and install **Microsoft Visual C++ Redistributable x86** onto the Netwrix Enterprise Auditor server. + +- [Download Microsoft Visual C++ Redistributable x86](https://aka.ms/vs/16/release/vc_redist.x86.exe) \ No newline at end of file diff --git a/docs/kb/auditor/what-are-netwrix-auditor-for-active-directory-bandwidth-requirements.md b/docs/kb/auditor/what-are-netwrix-auditor-for-active-directory-bandwidth-requirements.md new file mode 100644 index 0000000000..8010c47d87 --- /dev/null +++ b/docs/kb/auditor/what-are-netwrix-auditor-for-active-directory-bandwidth-requirements.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Explains how bandwidth usage for Netwrix Auditor collecting Active Directory + data depends on whether network traffic compression is enabled and shows how + to enable the compression option. +keywords: + - Netwrix Auditor + - Active Directory + - bandwidth + - compression + - domain controllers + - network traffic + - monitoring plan + - AD changes +products: + - auditor +sidebar_label: What are Netwrix Auditor for Active Directory band +tags: [] +title: "What are Netwrix Auditor for Active Directory bandwidth requirements?" +knowledge_article_id: kA00g000000H9dqCAC +--- + +# What are Netwrix Auditor for Active Directory bandwidth requirements? + +## Bandwidth overview + +Bandwidth requirements for Netwrix Auditor depend on whether or not the network traffic compression option is enabled to collect data from domain controllers. + +### Without the compression service + +- Bandwidth is calculated as a sum of the security logs for each monitored domain controller. + For example, if 7 domain controllers generate 50 MB of events per day, 350 MB will be transferred daily. + +### With the compression service + +- Network traffic compression service is used to optimize traffic usage. The service is a lightweight executable that runs on domain controllers, collects data, pre-filters it and sends to Netwrix Auditor in a highly compressed format. +- Compression service requires approximately `1 Kb per AD change`. Essentially, the bandwidth requirements depend on the amount of changes to the AD environment. For example, if 100 changes are done daily, `100 Kb` of data will be transferred across all domain controllers. + +## Enable network traffic compression + +To enable the traffic compression option, do the following: + +1. In the product console navigate to **Netwrix Auditor -> your Monitoring Plan**. +2. Select **Active Directory** data source. +3. Double-click it or click **Edit data source**. +4. 
Check **"Enable network traffic compression"** option. diff --git a/docs/kb/auditor/what-cmdlets-are-used-for-aal-changes-collection.md b/docs/kb/auditor/what-cmdlets-are-used-for-aal-changes-collection.md new file mode 100644 index 0000000000..0330b3e1ce --- /dev/null +++ b/docs/kb/auditor/what-cmdlets-are-used-for-aal-changes-collection.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Lists the Exchange cmdlets Netwrix Auditor uses to collect Administrator Audit + Logging (AAL) events and explains the required "Audit Logs" role assignment + and PowerShell commands to check, assign, and remove the role. +keywords: + - AAL + - Administrator audit logging + - Search-AdminAuditLog + - Audit Logs + - Get-AdminAuditLogConfig + - Get-ManagementRoleAssignment + - New-ManagementRoleAssignment +products: + - auditor +sidebar_label: What cmdlets are used for AAL changes collection? +tags: [] +title: "What cmdlets are used for AAL changes collection?" +knowledge_article_id: kA00g000000H9WVCA0 +--- + +# What cmdlets are used for AAL changes collection? + +I need to specify the service account permission to read AAL(Administrator audit logging), what cmdlets are being used to collect AAL data? Also you may see the following error in the daily summary report: + +*Connection with the Exchange server was interrupted: The term 'Search-AdminAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included verify that the path is correct and try again*. + +--- + +## Cmdlets used to collect AAL events + +In order to collect AAL events Netwrix Auditor uses the following cmdlets: + +- [Get-AdminAuditLogConfig](http://technet.microsoft.com/en-us/library/dd298077%28v=exchg.150%29.aspx) +- [Search-AdminAuditLog](http://technet.microsoft.com/en-us/library/ff459250%28v=exchg.150%29.aspx) + +## Required permissions + +In order to run these cmdlets the service account should have appropriate permissions (`Audit Logs` role assignment). 
In order to check the Audit logs role assignment use the following cmdlet: + +``` +Get-ManagementRoleAssignment -Role "Audit Logs" +``` + +In order to provide Audit logs role assignment to the service account please run the following cmdlet: + +- [New-ManagementRoleAssignment -Role "Audit Logs" -User ``](http://technet.microsoft.com/en-us/library/jj150497(v=exchg.150).aspx#auditinginecp) + +In order to remove the assigned Role please run: + +Command: +``` +Get-ManagementRoleAssignment -RoleAssignee USERNAME@Domain.onmicrosoft.com -Role "Audit Logs" -Delegating $false | Remove-ManagementRoleAssignment +``` + +Reference: https://docs.microsoft.com/en-us/exchange/remove-a-role-from-a-user-or-usg-exchange-2013-help diff --git a/docs/kb/auditor/what-does-automatic-audit-configuration-do-on-the-monitored-servers.md b/docs/kb/auditor/what-does-automatic-audit-configuration-do-on-the-monitored-servers.md new file mode 100644 index 0000000000..b6f27ba132 --- /dev/null +++ b/docs/kb/auditor/what-does-automatic-audit-configuration-do-on-the-monitored-servers.md 
@@ -0,0 +1,30 @@ +--- +description: >- + Explains what the automatic audit configuration feature does on monitored + servers and points you to the installation guide for a list of audit + configuration changes that are performed manually or automatically through the + Audit Configuration wizard. +keywords: + - automatic audit configuration + - audit configuration + - monitored servers + - Audit Configuration wizard + - Windows Server Configuration Change Reporter + - installation guide + - Netwrix +products: + - auditor +visibility: public +sidebar_label: 'What does automatic audit configuration do on the ' +tags: [] +title: "What does automatic audit configuration do on the monitored servers" +knowledge_article_id: kA00g000000H9U8CAK +--- + +# What does automatic audit configuration do on the monitored servers + +What exactly does **automatic audit configuration** do on the monitored servers? + +--- + +For a list of changes to audit configuration that must be performed manually or automatically through the **Audit Configuration** wizard, refer to **Section 5. CONFIGURING AUDIT SETTINGS ON TARGET SERVERS** of [NetWrix Windows Server Configuration Change Reporter Installations Guide](https://www.netwrix.com/download/documents/NetWrix_Windows_Server_Change_Reporter_Installation_Guide.pdf). diff --git a/docs/kb/auditor/what-is-sessionid-in-netwrix-auditor-for-file-servers.md b/docs/kb/auditor/what-is-sessionid-in-netwrix-auditor-for-file-servers.md new file mode 100644 index 0000000000..024cc54f99 --- /dev/null +++ b/docs/kb/auditor/what-is-sessionid-in-netwrix-auditor-for-file-servers.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Explains what the SessionID attribute represents in Netwrix Auditor for File + Servers and how it helps distinguish events and changes within a user's logon + session. +keywords: + - SessionID + - session id + - Netwrix Auditor + - file servers + - Statement ID + - logon ID + - activity record + - user session + - events +products: + - auditor +sidebar_label: What Is SessionID in Netwrix Auditor for File Serv +tags: [] +title: "What Is SessionID in Netwrix Auditor for File Servers?" +knowledge_article_id: kA0Qk0000000LndKAE +--- + +# What Is SessionID in Netwrix Auditor for File Servers? + +## Question + +What is SessionID in Netwrix Auditor for File Servers? + +## Answer + +This attribute is based on the user’s logon ID within the current session. Being unique for a user’s logon session, it usually helps to distinguish the events and changes that occurred within that session. + +Session IDs are used to identify changes made by users with unique logon ID's. Session IDs are a combination of both the logon ID itself and the current session associated with this logon ID, to help identifying who made the change. Thus, session ID can be changed due to the fact that Netwrix would count that as a separate activity record too. + +![User-added image](images/ka0Qk0000001OrV_0EMQk000002Tph8.png) + +In addition, Netwrix Auditor generates the following attribute besides Session ID, associated with the object and reserved for internal use: + +**Statement ID** — This attribute appears if an object was moved/renamed due to its root object modifications. + +Since the product associates Session IDs with the current session of the user, this is expected behavior to see the different session ID for the same user after that user was logged out. + +### Related Article + +- [How Does Merging Logon Activity Events Work?](/docs/kb/auditor/how-does-merging-logon-activity-events-work.md) 
diff --git a/docs/kb/auditor/what-is-tombstonelifetime-attribute-and-what-is-it-used-for.md b/docs/kb/auditor/what-is-tombstonelifetime-attribute-and-what-is-it-used-for.md new file mode 100644 index 0000000000..a5bb316235 --- /dev/null +++ b/docs/kb/auditor/what-is-tombstonelifetime-attribute-and-what-is-it-used-for.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Explains the Active Directory tombstoneLifetime attribute, how it affects + object restore, and how to change it using ADSI Edit. Also explains how to + align Netwrix Auditor Long-Term Archive retention with the tombstone lifetime. +keywords: + - tombstoneLifetime + - Active Directory + - AD tombstones + - object restore + - Long-Term Archive + - ADSI Edit + - Netwrix Auditor + - tombstone lifetime +products: + - auditor +sidebar_label: 'What is "tombstoneLifetime" attribute and what is ' +tags: [] +title: What is "tombstoneLifetime" attribute and what is it used for? +knowledge_article_id: kA00g000000H9UDCA0 +--- + +# What is "tombstoneLifetime" attribute and what is it used for? + +You can restore deleted Active Directory objects and their attributes using the **Netwrix Auditor Object Restore for Active Directory** tool integrated with Netwrix Auditor. The tool finds the information on deleted objects in the product snapshots (this data is stored in the **Long-Term Archive**, local file-based storage of audit data), and in **AD tombstones**. + +To be able to restore deleted AD objects, you must adjust the AD tombstone lifetime property (set by default to `60` days in Windows 2003 and to `180` in Windows 2008 and above). Netwrix recommends setting it to 2 years (`730` days). For example, if you change both values to `365` days, you will only be able to restore objects that were deleted within this period. You can specify any number of days, but a selected value should not exceed the Long-Term Archive retention period. Take into consideration that increasing `tombstone` lifetime may affect Active Directory performance and operability. + +## To adjust the `tombstoneLifetime` attribute, perform the following steps: + +NOTE: To perform this procedure, you will need the ADSI Edit utility. In Windows 2003 systems, this utility is a component of Windows Server Support Tools. 
If it has not been installed, download Windows Server Support Tools from the official website. On Windows 2008 systems and above, this component is installed together with the AD DS role. + +1. Navigate to **Start** -> **Programs** -> **Administrative Tools** -> **ADSI Edit**. +2. Right-click the **ADSI Edit** node and select the **Connect To** option. In the **Connection Settings** dialog, enable the **Select a well-known Naming Context** option and select **Configuration** from the drop-down list. +3. In the left pane, navigate to `Configuration ` -> `CN=Configuration` -> `CN=Services` -> `CN=Windows NT` -> `CN=Directory Service` node. Right-click it and select **Properties**. +4. In the **CN=Directory Service Properties** dialog, in the **Attribute Editor** tab, locate the `tombstoneLifetime` attribute. +5. Select this attribute and click the **Edit** button. +6. Set this attribute to any desired value (in days). + +## To modify the Long-Term Archive retention setting, perform the following steps: + +1. In Netwrix Auditor, navigate to the **Settings** node and select **Long-Term Archive**. +2. Under **Keep audit data for:** enter the value (in months) that corresponds to your tombstone lifetime attribute setting. + +> **NOTE:** All data older than the specified value will be deleted automatically on next data collection. diff --git a/docs/kb/auditor/what-load-does-sql-audit-generate-for-a-sql-server.md b/docs/kb/auditor/what-load-does-sql-audit-generate-for-a-sql-server.md new file mode 100644 index 0000000000..61eb310838 --- /dev/null +++ b/docs/kb/auditor/what-load-does-sql-audit-generate-for-a-sql-server.md 
@@ -0,0 +1,29 @@ +--- +description: >- + Explains the performance impact that SQL auditing by Netwrix Auditor can have + on SQL servers, especially during the initial data collection and scheduled + collections. +keywords: + - SQL audit + - performance + - SQL Server + - Netwrix Auditor + - data collection + - baseline + - maintenance + - scheduled collections +products: + - auditor +sidebar_label: What load does SQL audit generate for a SQL server +tags: [] +title: "What load does SQL audit generate for a SQL server?" +knowledge_article_id: kA00g000000H9UACA0 +--- + +# What load does SQL audit generate for a SQL server? + +## Impact on SQL servers + +The most noticeable impact on your SQL servers will be during the initial data collection. Netwrix Auditor runs several SQL scripts to build and store a ‘baseline’ of data against which it will compare future collections. However, even this initial collection will result in very little performance impact unless you are already running your servers at capacity. During subsequent data collections the impact will be even lower. + +With daily collections running at `03.00 AM` by default and SIT collections running at `4:00 AM`, there may be a conflict with maintenance tasks running at the same time. If you are planning to run heavy maintenance jobs on your SQL servers during off-hours, please consider doing that before `03:00 AM`. diff --git a/docs/kb/auditor/when-is-the-password-expiration-notification-sent.md b/docs/kb/auditor/when-is-the-password-expiration-notification-sent.md new file mode 100644 index 0000000000..1b561daa62 --- /dev/null +++ b/docs/kb/auditor/when-is-the-password-expiration-notification-sent.md 
@@ -0,0 +1,30 @@ +--- +description: >- + Explains when the password expiration notification is sent and shows the + calculation used by Netwrix Password Reset to determine the sending date. +keywords: + - password expiration + - notification + - PwdLastset + - maximum password age + - Active Directory + - Netwrix Password Reset + - expiration notification + - sending date +products: + - auditor +sidebar_label: When is the Password Expiration Notification sent? +tags: [] +title: "When is the Password Expiration Notification sent?" +knowledge_article_id: kA00g000000PbdACAS +--- + +# When is the Password Expiration Notification sent? + +When is the password expiration notification sent? + +--- + +**Netwrix Password Reset uses the following algorithm to calculate when to send a password expiration notification:** + +**Sending date** = *Last password change* (value of the account's `PwdLastset` attribute) + *Maximum password age* (`AD` value) – *Number of days before the upcoming password expiration* (Netwrix Password Reset value). diff --git a/docs/kb/auditor/where-does-netwrix-auditor-collect-security-logs.md b/docs/kb/auditor/where-does-netwrix-auditor-collect-security-logs.md new file mode 100644 index 0000000000..c6ea338275 --- /dev/null +++ b/docs/kb/auditor/where-does-netwrix-auditor-collect-security-logs.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Explains where Netwrix Auditor collects security logs and what the Lightweight + Agents do, including how to enable them and how to configure the agent.ini + file with an example. +keywords: + - security logs + - Lightweight Agents + - agent.ini + - domain controllers + - Netwrix Auditor + - log collection + - agent configuration +products: + - auditor +sidebar_label: Where does Netwrix Auditor collect security logs? +tags: [] +title: "Where does Netwrix Auditor collect security logs?" +knowledge_article_id: kA00g000000H9TUCA0 +--- + +# Where does Netwrix Auditor collect security logs? + +Where does Netwrix Auditor collect security logs? What are the Lightweight Agents designed for? + +Security logs are automatically collected from all domain controllers. The Agents can also be enabled to improve and speed up this process in highly loaded networks. An agent is a lightweight executable that runs on domain controllers, collects data, pre-filters it and then sends it to Netwrix Auditor in a highly compressed format. + +To enable Agents, navigate to **Netwrix Auditor -> `` -> Active Directory** and check **"Enable Lightweight Agents"** option. By default, this option will enable agents on all domain controllers. You can also enable agent during the Managed Object creation. + +The `agent.ini` file in the program installation folder provides for more specific and granular control over the agent behavior. This file can be used to specify the domain controllers to be processed by the agents with the following options: + +- `Remote`: process a domain controller without agent +- `Agent`: process a domain controller with agent +- `Skip`: do not process a domain controller + +**Example**: +You have 6 domain controllers; 5 of them are located in New York and 1 in Seattle. 
You do not need to use agents in the New York domain controllers since they have fast network connections while the one loocated in Seattle is slow due to its distance from the main office. You can enable Lightweight Agents in Netwrix Auditor, open `agent.ini` and specify the agent monitoring as follows: + +``` +[NY1.acme.com](http://NY1.acme.com)=remote +[NY2.acme.com](http://NY2.acme.com)=remote +[NY3.acme.com](http://NY3.acme.com)=remote +[NY4.acme.com](http://NY4.acme.com)=remote +[NY5.acme.com](http://NY5.acme.com)=remote +[Seattle.acme.com](http://Seattle.acme.com)=agent +``` diff --git a/docs/kb/auditor/which-applications-should-be-whitelisted-for-the-auditor-to-function-properly.md b/docs/kb/auditor/which-applications-should-be-whitelisted-for-the-auditor-to-function-properly.md new file mode 100644 index 0000000000..59fba06eeb --- /dev/null +++ b/docs/kb/auditor/which-applications-should-be-whitelisted-for-the-auditor-to-function-properly.md 
@@ -0,0 +1,36 @@ +--- +description: >- + If you use third-party application whitelisting on the Netwrix Auditor server + or the SQL Server host, some Auditor components can be blocked and cause + errors such as SSRS temp files being locked. This article explains what to + check and how to allow Netwrix Auditor components to run. +keywords: + - whitelisting + - application whitelisting + - Netwrix Auditor + - SSRS + - SQL Server + - Auditor components + - third-party software + - temp files +products: + - auditor +sidebar_label: Which Applications Should be Whitelisted for the Auditor to Function Properly? +tags: [] +title: "Which Applications Should be Whitelisted for the Auditor to Function Properly?" +knowledge_article_id: kA04u000000wnlMCAQ +--- + +# Which Applications Should be Whitelisted for the Auditor to Function Properly? + +## Question + +Which Applications Should be Whitelisted for the Auditor to Function Properly? + +## Answer + +If you have a third-party Application Whitelisting software installed in your infrastructure (the Netwrix Auditor Server or the computer where SQL Server resides), please consider that some Netwrix Auditor components can be blocked by this software and that might cause unexpected Netwrix Auditor errors and warnings. + +For example, Netwrix Auditor reports might fail because SSRS temp files were locked. + +In this scenario, refer to your Whitelisting software documentation for instructions on how to allow specific Netwrix Auditor components to run. diff --git a/docs/kb/auditor/while_auditing_from_external_domain_failed_4768_event_'a_kerberos_authentication_ticket_(tgt)_was_re.md b/docs/kb/auditor/while_auditing_from_external_domain_failed_4768_event_'a_kerberos_authentication_ticket_(tgt)_was_re.md new file mode 100644 index 0000000000..44cb8df6dc --- /dev/null +++ b/docs/kb/auditor/while_auditing_from_external_domain_failed_4768_event_'a_kerberos_authentication_ticket_(tgt)_was_re.md 
@@ -0,0 +1,65 @@ +--- +description: >- + This article discusses the failed 4768 events logged in the Security log when auditing from an external domain and provides insights into the causes and resolutions. +keywords: + - Kerberos + - Netwrix Auditor + - Event 4768 +products: + - auditor +sidebar_label: Failed 4768 Event Resolution +tags: [] +title: While Auditing From External Domain Failed 4768 Event 'A Kerberos Authentication Ticket (TGT) was Requested' Logged on DCs of That Domain +knowledge_article_id: kA0Qk0000002sVlKAI +--- + +# While Auditing From External Domain Failed 4768 Event 'A Kerberos Authentication Ticket (TGT) was Requested' Logged on DCs of That Domain + +## Symptom + +- Netwrix Auditor is installed on a computer in the **dom1.local** domain. +- Netwrix Auditor is configured to audit the **dom2.local** domain using appropriate credentials in UPN format (for example, **administrator@dom2.local**). +- Failed 4768 events are written in the Security log of the domain controller **dc1.dom1.local** in the **dom1.local** domain. +- The event has a **Result Code** of **0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN** ("The username does not exist"). +- Event 4768 (S, F): A Kerberos authentication ticket (TGT) was requested. + +## Cause + +Netwrix Auditor, running on a computer in **dom1.local**, uses the Microsoft `activeds.dll` to bind to Active Directory with the provided credentials. + +- Although the computer’s own domain controller (**dc1.dom1.local**) logs a failed Event 4768 (0x6), the bind to Active Directory succeeds and Netwrix Auditor works correctly. +- This behavior is due to the standard [RFC 6806: Kerberos Principal Name Canonicalization and Cross-Realm Referrals ⸱ IETF 🡥](https://datatracker.ietf.org/doc/html/rfc6806). According to RFC 6806, an Active Directory UPN is interpreted as an NT-ENTERPRISE Kerberos name type. 
+- With an NT-ENTERPRISE (UPN) name, the Windows Kerberos client sets the canonicalize bit and sends its first AS-REQ to canonicalize **administrator@dom2.local**. For example, "request may specify a client name of 'bob@EXAMPLE.COM' as an NT-ENTERPRISE name with the 'canonicalize' KDC option set" (RFC 6806 §6). +- You can verify that the failed 4768 event was caused by a canonicalize Kerberos ticket. The failed event’s **Ticket Options** field will have bit **0x00010000** set, which corresponds to the "canonicalize" bit 15 (big-endian style) in the Kerberos documentation (RFC 4120). +- Per RFC 6806 §7: "the client machine will send the AS-REQ to a convenient realm… for example, the realm of the client machine." +- Because **dc1.dom1.local** does not hold that user, it replies with error 6 and gives the client a referral ticket pointing at **dom2**. This exchange is part of the normal referral flow and is not a fatal error. + +## Resolution + +> **NOTE:** Netwrix Auditor continues to function correctly. The failed events described above do not cause any issues and are part of normal Kerberos operation for canonicalization and cross-realm referrals. + +### Workaround 1: Filter Security Log Events + +Filter the Security log for Event 4768 where **Status** is **0x6** and the **Ticket Options** field includes the canonicalize bit (**0x00010000** mask). + +### Workaround 2: Use NetBIOS Format for Username + +Use the username in the **NetBIOS domain name\username** format (for example, **DOMAIN\username**). + +### Why Is a Failed 4768 Event Not Generated When Using DOMAIN\username Format? + +The **NetBIOS domain name\username** format is not a Kerberos principal name; it is a NetBIOS identifier. Microsoft’s “User Name Formats” page distinguishes between the User Principal Name (**name@example.com**) and the Down-Level Logon Name (**DOMAIN\username**), which uses the NetBIOS domain. + +When a NetBIOS name is supplied, LSASS uses DC-Locator (DNS or NetBIOS locator). 
"When an application requests a DC but specifies a short NetBIOS-style domain name, DC location always tries to map that short domain name to a DNS domain name. If DC location can map the domain names successfully, it uses DNS-based discovery with the mapped DNS domain name" (Microsoft source). + +Before Kerberos can proceed, Windows first discovers which DNS realm owns the NetBIOS name (for example, **DOM2**). + +The `DsGetDcName` function is called with **DS_KDC_REQUIRED**, guaranteeing a KDC. The API that Netlogon uses can be told to return only controllers that are running the Kerberos service: "DS_KDC_REQUIRED – Requires that the returned domain controller be currently running the Kerberos Key Distribution Center service." (Microsoft source) + +Therefore, the function returns **dc2.dom2.local**, which is both a domain controller and a KDC. + +Because the client already has the target domain KDC’s address, it does not communicate with its own domain’s KDC, so no 4768 event is logged on **dc1.dom1.local**. + +## Related Link + +- [RFC 6806: Kerberos Principal Name Canonicalization and Cross-Realm Referrals ⸱ IETF 🡥](https://datatracker.ietf.org/doc/html/rfc6806) \ No newline at end of file diff --git a/docs/kb/auditor/who-changed-is-showing-system-in-netwrix-auditor-for-sql-server-reports.md b/docs/kb/auditor/who-changed-is-showing-system-in-netwrix-auditor-for-sql-server-reports.md new file mode 100644 index 0000000000..58582ce747 --- /dev/null +++ b/docs/kb/auditor/who-changed-is-showing-system-in-netwrix-auditor-for-sql-server-reports.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Netwrix Auditor for SQL Server may show "System" in the WHO field when it + cannot find the corresponding SQL Server native auditing event; this article + explains why that happens and how to verify the change in the SQL Server audit + logs. +keywords: + - Netwrix Auditor + - SQL Server + - WHO field + - System + - native auditing + - SQL Server Profiler + - audit log + - snapshot + - WHO CHANGED + - WHEN CHANGED +products: + - auditor +sidebar_label: WHO changed is showing "System" in Netwrix Auditor +tags: [] +title: WHO changed is showing "System" in Netwrix Auditor for SQL Server reports +knowledge_article_id: kA00g000000H9VyCAK +--- + +# WHO changed is showing "System" in Netwrix Auditor for SQL Server reports + +Netwrix Auditor for SQL Server changes have "System" reported in the WHO field. + +## Explanation + +Netwrix Auditor for SQL Server is using two sources of data for analysis: + +- [SQL Server native auditing](http://technet.microsoft.com/en-us/library/dd392015(v=sql.100).aspx) - used for retrieving change details +- SQL Server configuration snapshot - used for determining what has changed since the previous data collection + +For example: you have changed the column parameters. This action must be captured by SQL Server native auditing and logged into the auditing log on the SQL Server (with information on Who made the change and When the change was made). Netwrix Auditor for SQL Server will detect that change during the snapshot comparison (the column parameter has been changed) and then search the SQL Server native auditing logs for corresponding events to add WHO CHANGED and WHEN CHANGED information. If the corresponding event cannot be found, the product reports WHO as SYSTEM. + +You can always prove the system changes by reviewing the SQL Server native auditing logs. 
In order to do that please open the SQL Server Profiler application and open SQL traces from `C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log` + +Note: the path above may vary depending on the version of SQL Server you have installed. diff --git a/docs/kb/auditor/why-a-registry-key-is-missing-in-both-gpmc-and-local.md b/docs/kb/auditor/why-a-registry-key-is-missing-in-both-gpmc-and-local.md new file mode 100644 index 0000000000..7e07bc06af --- /dev/null +++ b/docs/kb/auditor/why-a-registry-key-is-missing-in-both-gpmc-and-local.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Registry audit settings are required for some data sources such as Logon + Activity Auditing. This article explains how to manually create missing + registry audit keys using the Group Policy Management Console so the settings + apply to affected computers. +keywords: + - registry + - GPMC + - Group Policy Management Console + - Local Audit Policies + - Logon Activity Auditing + - registry key + - GPO + - audit settings + - permissions +products: + - auditor +sidebar_label: 'Why A Registry Key is Missing in Both: GPMC and Lo' +tags: [] +title: 'Why A Registry Key is Missing in Both: GPMC and Local?' +knowledge_article_id: kA0Qk0000000Po1KAE +--- + +# Why A Registry Key is Missing in Both: GPMC and Local? + +## Question + +Why a registry key is missing in both: Group Policy Management Console and Local Audit Policies? + +## Answer + +Registry audit settings are required for some data sources, for example, for Logon Activity Auditing. In some cases, the required registry keys might be missing. Follow the steps below to create the key(s) manually via **Group Policy Management Console**: + +1. Open **Group Policy Management Console**. +2. Navigate to **Computer Configuration** -> **Policies** -> **Windows Settings** -> **Security Settings** -> **Registry**. +3. Click **Add key**. +4. Add the key you are trying to add permissions to, then click **OK**. +5. On this screen that pops up, add the required permissions. +6. On the next screen, you’ll be prompted to configure the key, then how you want the settings to be applied; or not allow permission to be replaced. +7. Manually add the path to the Registry Key in the **Selected Key** dialog. + ![User-added image](images/ka0Qk0000001VD3_0EMQk000002dT5q.png) + +This will apply the key settings to the GPO, and all computers affected by the GPO. 
diff --git a/docs/kb/auditor/why-do-i-get-multiple-events-on-password-changing-in-reports.md b/docs/kb/auditor/why-do-i-get-multiple-events-on-password-changing-in-reports.md new file mode 100644 index 0000000000..d5849b5924 --- /dev/null +++ b/docs/kb/auditor/why-do-i-get-multiple-events-on-password-changing-in-reports.md @@ -0,0 +1,44 @@ +--- +description: >- + Explains why repeated activity records show a computer account password change + in reports — automatic computer account password changes in Active Directory + and how domain controllers appear in audit logs. +keywords: + - active directory + - computer account + - password change + - audit events + - domain controller + - local user + - Netwrix Auditor +products: + - auditor +sidebar_label: 'Why Do I get Multiple Events on Password Changing ' +tags: [] +title: "Why Do I get Multiple Events on Password Changing in Reports?" +knowledge_article_id: kA04u000000wnt1CAA +--- + +# Why Do I get Multiple Events on Password Changing in Reports? + +## Question + +Why do I get multiple activity records of the following format? + +``` +Who:CORP\ITSQLTR$ +Action:Modified +Object type:Local User +What:System Information\Local Users\ITSQLARC$ +When:11/15/2023 4:25:09 AM +Where:DCD003.CORP.net +Data source:Windows Server +Monitoring plan:DC Monitoring Plan +Item: DCD003.CORP.net' (Computer) +RID:2023111500000000000000000000000000 +Details:Password changed +``` + +## Answer + +The event you are seeing is an automatic password change for a computer account in Active Directory, which occurs every 30 days by default. Since Domain Controllers are in the auditing scope, the domain computer account was picked up and interpreted as a local user for the DC. diff --git a/docs/kb/auditor/why-do-i-have-incomplete-information-on-failed-logons.md b/docs/kb/auditor/why-do-i-have-incomplete-information-on-failed-logons.md new file mode 100644 index 0000000000..df2b80587c --- /dev/null 
+++ b/docs/kb/auditor/why-do-i-have-incomplete-information-on-failed-logons.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Explains why failed logon entries in Search Results or Reports may lack + information in the What field. Describes how Windows event types for + workstations and domain controllers affect the available data and links to + investigation resources. +keywords: + - failed logon + - 4771 + - 4768 + - 4769 + - 4625 + - Event Log + - Kerberos + - Netwrix Auditor + - domain controller +products: + - auditor +sidebar_label: Why Do I Have Incomplete Information on Failed Log +tags: [] +title: "Why Do I Have Incomplete Information on Failed Logons?" +knowledge_article_id: kA04u0000000HNFCA2 +--- + +# Why Do I Have Incomplete Information on Failed Logons? + +## Situation +In Search Results or Reports there is no information in **What** (the destination point of a login) field. + +## Explanation +Netwrix Auditor Logon Activity uses native Windows tools to collect data. It uses Event log events to do so. Windows uses different types of events for failed logons on **Workstations** and **Domain Controllers**. + +Within a Domain, all the logons go through a **Domain Controller** using [KERBEROS](https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview) ticketing system for Authentication. When logon on a **Workstation** fails, three events will be created: [`4768`](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768), [`4769`](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769), [`4771`](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771). The first two are the informational events registering the request of KERBEROS authentication, the third one (`4771`) is the event that contains all the information about the authentication requester. 
+ +The problem here is that as a result of a **failed** logon, the request doesn't go **past** KERBEROS pre-authentication and therefore does not contain the information about the destination point of a logon request; consequently, the `4771` event does not contain such information and, as we rely only on native tools to gather information, we can't populate the **What** field of a failed logon. + +When logon on a **Domain Controller** fails, the process is simpler as it is considered a failed *local* logon attempt (event [`4625`](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625) will appear) and the data for the destination point will be present. + +If you would like to have information on how to investigate Failed Logons, check out these articles: + +- [Investigating Failed Logons](https://kb.netwrix.com/5198) +- [How to detect the root cause of multiple failed logons](https://kb.netwrix.com/3553) +- [How to Find Destination of Failed NTLM Logons?](/docs/kb/auditor/how-to-find-destination-of-failed-ntlm-logons.md) diff --git a/docs/kb/auditor/why-do-i-receive-my-sharepoint-online-audit-data-too-late-or-do-not-receive-at-all.md b/docs/kb/auditor/why-do-i-receive-my-sharepoint-online-audit-data-too-late-or-do-not-receive-at-all.md new file mode 100644 index 0000000000..21b613b879 --- /dev/null +++ b/docs/kb/auditor/why-do-i-receive-my-sharepoint-online-audit-data-too-late-or-do-not-receive-at-all.md 
@@ -0,0 +1,36 @@ +--- +description: >- + Explains why SharePoint Online audit data may be delayed or missing when + collected by Netwrix Auditor, including Microsoft Management Activity API + limitations, maintenance windows, and retention policies. Advises keeping the + Monitoring Plan active to ensure complete data collection. +keywords: + - SharePoint Online + - audit data + - Management Activity API + - Netwrix Auditor + - Monitoring Plan + - audit log + - Office 365 + - retention + - delay +products: + - auditor + - Azure_AD_and_Office_365 +sidebar_label: SharePoint Online Audit Data Delays or Missing +tags: [] +title: "Why do I receive my SharePoint Online audit data too late (or do not receive at all)?" +knowledge_article_id: kA00g000000H9V7CAK +--- + +# Why do I receive my SharePoint Online audit data too late (or do not receive at all)? + +## Explanation + +Due to Microsoft Management Activity API limitations, Netwrix Auditor may experience delays when collecting audit data. + +- It may take up to 12 hours since the **Monitoring Plan** creation to start collecting audit data. For more information, refer to the following Microsoft article: https://msdn.microsoft.com/office-365/office-365-management-activity-api-reference +- After initial configuration, it may take approximately 15 minutes for events to appear in the activity log after the change occurred. +- In case of Microsoft maintenance works, audit data may be unavailable for a few days. For more information, refer to the following Microsoft article: https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US + +Also, Microsoft automatically removes events that are older than 7 days—Netwrix Auditor will be unable to collect them. To ensure your audit data is always complete, make sure the **Monitoring Plan** is always active. 
diff --git a/docs/kb/auditor/why-does-risk-assessment-overview-dashboard-shows-unexpected-issues-for-windows-server.md b/docs/kb/auditor/why-does-risk-assessment-overview-dashboard-shows-unexpected-issues-for-windows-server.md new file mode 100644 index 0000000000..eed9ef47ac --- /dev/null +++ b/docs/kb/auditor/why-does-risk-assessment-overview-dashboard-shows-unexpected-issues-for-windows-server.md 
@@ -0,0 +1,36 @@ +--- +description: >- + When the Risk Assessment Overview dashboard shows unexpected infrastructure + issues but the linked reports return no results, verify data collection and + State-in-Time snapshots in Netwrix Auditor to resolve discrepancies. +keywords: + - Risk Assessment Overview + - dashboard + - Server Inventory Report + - State-in-Time snapshots + - Monitoring Plan + - unauthorized antivirus + - Windows Server + - Netwrix Auditor + - snapshot + - data refresh +products: + - auditor +sidebar_label: 'Why does Risk Assessment Overview Dashboard Shows ' +tags: [] +title: "Why does Risk Assessment Overview Dashboard Shows Unexpected Issues for Windows Server?" +knowledge_article_id: kA04u000000wns8CAA +--- + +# Why does Risk Assessment Overview Dashboard Shows Unexpected Issues for Windows Server? + +## Overview + +When you review the **Risk Assessment Overview** dashboard, some infrastructure items show incorrect values. For example, an unexpected number of **Servers with unauthorized antivirus software**. However, when you drill down to the linked report, it returns no results. Is this normal behavior for Netwrix Auditor? + +## Instructions + +1. First, you need to run the **Server Inventory Report** to validate that data was being retrieved. +2. If the report does not contain any data about the issues showed on the dashboard, you need to check an out-of-date State-in-Time snapshots for the Monitoring Plan in which those servers are listed. +3. For that, navigate to a problematic monitoring plan, click **Edit Data Source** -> **Manage State-in-Time Snapshots**. +4. The date of the current snapshot should be today's date. If not, wait a day or two for the data to update. 
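Review bot: Step 2 of the Instructions reads "you need to check an out-of-date State-in-Time snapshots", which does not tell the reader what to look for; reword it along the lines of "check whether the State-in-Time snapshot for the Monitoring Plan that lists those servers is out of date", and change "showed" to "shown". Step 4 tells the reader to wait "a day or two" but gives no next step if the snapshot date still does not move. In the front matter, `sidebar_label: 'Why does Risk Assessment Overview Dashboard Shows '` is cut off mid-phrase with a trailing space and should be replaced with a deliberate short label.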
diff --git a/docs/kb/auditor/why-does-the-netwrix-auditor-application-deployment-service-not-start-or-is-terminated-upon-launch.md b/docs/kb/auditor/why-does-the-netwrix-auditor-application-deployment-service-not-start-or-is-terminated-upon-launch.md new file mode 100644 index 0000000000..fea554e4f1 --- /dev/null +++ b/docs/kb/auditor/why-does-the-netwrix-auditor-application-deployment-service-not-start-or-is-terminated-upon-launch.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Explains why the Netwrix Auditor Application Deployment Service may not appear + in services.msc, may stop, or be terminated, and why this behavior is + expected. +keywords: + - Netwrix Auditor + - Application Deployment Service + - services.msc + - Windows File Server + - Logon Activity + - compression service + - service terminated +products: + - auditor +sidebar_label: Why Deployment Service Not Start or Terminated +tags: [] +title: "Why Does the Netwrix Auditor Application Deployment Service Not Start or Is Terminated upon Launch?" +knowledge_article_id: kA0Qk0000000Ne9KAE +--- + +# Why Does the Netwrix Auditor Application Deployment Service Not Start or Is Terminated upon Launch? + +## Question + +Why does the Netwrix Auditor Application Deployment Service not start or is terminated upon launch? + +## Answer + +There are some Netwrix services that are not shown in **services.msc** snap-in. They run as processes and disappear when finished. For example, the processes to audit **Windows File Server** and **Logon Activity**. + +A parent service called **Netwrix Auditor Application Deployment Service** manages them. When you enable a compression service, the Application Deployment service is installed on the target server. Then, the Application Deployment service helps deploying the compression services ("processes") and manages them. Once the Application Deployment service completes its tasks, such as installing the compression service on the target, it goes into idle mode. When needed again, it starts automatically. + +Therefore, you do not need to manually start this service or worry if the service gets stopped. diff --git a/docs/kb/auditor/why-does-the-when-field-disappear-in-subscriptions.md b/docs/kb/auditor/why-does-the-when-field-disappear-in-subscriptions.md new file mode 100644 index 0000000000..81a742df69 --- /dev/null +++ b/docs/kb/auditor/why-does-the-when-field-disappear-in-subscriptions.md 
@@ -0,0 +1,33 @@ +--- +description: >- + Explains why the WHEN field is not available for search-based subscriptions + and how delivery frequency is determined by the subscription schedule. +keywords: + - subscription + - WHEN field + - delivery frequency + - schedule + - YESTERDAY + - Netwrix Auditor + - search-based subscription +products: + - auditor +sidebar_label: Why Does the 'When' Field Disappear in Subscriptio +tags: [] +title: Why Does the 'When' Field Disappear in Subscriptions? +knowledge_article_id: kA04u000001118DCAQ +--- + +# Why Does the 'When' Field Disappear in Subscriptions? + +## Question + +When creating a search-based subscription, the **WHEN** field disappears in the list of available filters. Where can I configure subscription delivery frequency? + +## Answer + +This is normal behavior and Netwrix Auditor is working as expected. The **WHEN** of a subscription is based on the schedule of that subscription. + +For example, if you want the **WHEN** to equal **YESTERDAY**, then you would create your subscription with a **Schedule** of **Daily**. + +For additional information on how to create subscriptions, refer to the following article: Administration – Subscriptions. diff --git a/docs/kb/auditor/why-false-positive-read-access-attempts-are-reported-by-netwrix-auditor.md b/docs/kb/auditor/why-false-positive-read-access-attempts-are-reported-by-netwrix-auditor.md new file mode 100644 index 0000000000..829e0c944a --- /dev/null +++ b/docs/kb/auditor/why-false-positive-read-access-attempts-are-reported-by-netwrix-auditor.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains why Netwrix Auditor may report false positive Read access attempts + due to how Windows and other software browse files, and which audit events + Netwrix Auditor looks for. +keywords: + - Netwrix Auditor + - false positive + - Read access + - EventID 4656 + - EventID 4663 + - File Explorer + - auditing + - access attempts +products: + - auditor +sidebar_label: Why False Positive Read Access Attempts Are Report +tags: [] +title: "Why False Positive Read Access Attempts Are Reported by Netwrix Auditor?" +knowledge_article_id: kA04u000000wnoaCAA +--- + +# Why False Positive Read Access Attempts Are Reported by Netwrix Auditor? + +## Question + +When running a report, Netwrix Auditor lists files as Read even though the files were never opened. Why Netwrix reports false positive Read access attempts? + +## Answer + +Successful reads can be tricky and is prone to false positives. This is because of the way Windows and other software browse files. To trigger a "Read" event Netwrix Auditor is looking for two events in conjunction: + +``` + +EventID Audit Type Description Accesses Time ObjectName User +4656 Audit Success Handle request Read* time name user +4663 Audit Success Access Read* time name user +Read access type includes ReadData, ReadAttributes, ReadExtendedAttributes, ReadControl, Synchronize, AccessSystemSecurity +``` + +What this means is that in some circumstances, just browsing files or clicking through the folder the files are in can trigger reads. In Windows File Explorer, for example, just navigating to a file doesn't always trigger the read but clicking on a file or hovering the mouse over it long enough for the tool tip to pop up, can sometime report as a read. diff --git a/docs/kb/auditor/why-i-get-alerts-on-accounts-that-cannot-be-locked-out.md b/docs/kb/auditor/why-i-get-alerts-on-accounts-that-cannot-be-locked-out.md new file mode 100644 index 0000000000..1f6b4c1632 --- /dev/null 
+++ b/docs/kb/auditor/why-i-get-alerts-on-accounts-that-cannot-be-locked-out.md @@ -0,0 +1,39 @@ +--- +description: >- + Netwrix Auditor may generate alerts when Windows records lockout events even + if an account cannot actually be locked. This article explains why Event ID + 4740 triggers alerts and how to view the related activity record. +keywords: + - Event ID 4740 + - account lockout + - lockout alert + - Netwrix Auditor + - RID + - Windows auditing + - security event + - alert details +products: + - auditor +sidebar_label: Why I Get Alerts on Accounts That Cannot Be Locked +tags: [] +title: "Why I Get Alerts on Accounts That Cannot Be Locked Out?" +knowledge_article_id: kA04u00000111EBCAY +--- + +# Why I Get Alerts on Accounts That Cannot Be Locked Out? + +## Question + +Why Netwrix Auditor sends alerts on accounts that cannot be locked out? + +## Answer + +If an account was to be locked based on certain rules within Windows such as too many bad password attempts, even if it cannot be locked, Windows will still generate `Event ID 4740` despite the failure. + +Learn more about this event in [4740(S): A user account was locked out. ⸱ Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740) + +If you configured alerts triggered by lockout events, Netwrix Auditor reacts to these Events even in case of failed attempts and sends the corresponding alert. + +Alerts contain also an account RID, that is a unique ID within Netwrix that ties it to the alert that was fired off which would allow you to look into it more thoroughly. + +You can then select an alert that fired off and click **Show activity record in a new window** to the bottom right, which will show you the details of the event. diff --git a/docs/kb/auditor/why-netwrix-auditor-reads-ad-fs-dkm-key-and-is-it-normal.md b/docs/kb/auditor/why-netwrix-auditor-reads-ad-fs-dkm-key-and-is-it-normal.md new file mode 100644 index 0000000000..19a190d63c --- /dev/null 
+++ b/docs/kb/auditor/why-netwrix-auditor-reads-ad-fs-dkm-key-and-is-it-normal.md @@ -0,0 +1,41 @@ +--- +description: >- + Explains why Windows Defender flags the "Suspected AD FS DKM key read" alert + caused by Netwrix Auditor activity and shows how to exclude the AD FS DKM key + from auditing scope. +keywords: + - AD FS DKM + - DKM key + - Windows Defender + - Netwrix Auditor + - DirSync + - omitstorelist.txt + - thumbnailPhoto + - Active Directory auditing +products: + - auditor +sidebar_label: "Why Netwrix Auditor Reads AD FS DKM Key and Is It Normal?" +tags: [] +title: "Why Netwrix Auditor Reads AD FS DKM Key and Is It Normal?" +knowledge_article_id: kA04u000000wns3CAA +--- + +# Why Netwrix Auditor Reads AD FS DKM Key and Is It Normal? + +## Question + +Windows Defender generates the **Suspected AD FS DKM key read** alert due to activity from the Netwrix account. Is it a normal behavior for the product? + +## Answer + +Reading this key is expected behavior as part of enumerating all AD attributes during DirSync. + +Avoiding reading it entirely seems to be impossible because Netwrix Auditor has to enumerate all keys to determine what needs to be collected. However, you can fine-tune Netwrix Auditor to exclude the **AD FS DKM key** from the auditing scope. To do that: + +1. On the computer that hosts Netwrix Auditor Server, navigate to ` %Installation Path%\Active Directory Auditing\`. +2. Open the `omitstorelist.txt` file with any text editor, for example, with Notepad. +3. Add the following as a new line: + + `*.thumbnailPhoto` + +4. Save your edits. diff --git a/docs/kb/auditor/why-reports-reflect-folders-that-were-not-supposed-to-be-scanned.md b/docs/kb/auditor/why-reports-reflect-folders-that-were-not-supposed-to-be-scanned.md new file mode 100644 index 0000000000..955f2da77e --- /dev/null +++ b/docs/kb/auditor/why-reports-reflect-folders-that-were-not-supposed-to-be-scanned.md 
@@ -0,0 +1,29 @@ +--- +description: >- + Explains why Netwrix Auditor reports may include folders that were not + intended for scanning and how to exclude them using audit settings or the + omitstorelist.txt file. +keywords: + - netwrix auditor + - UNC path + - omitstorelist.txt + - Windows Security log + - Managed Items + - folder inheritance + - audit settings + - shared folder +products: + - auditor +sidebar_label: Why reports reflect folders that were not supposed +tags: [] +title: "Why reports reflect folders that were not supposed to be scanned?" +knowledge_article_id: kA00g000000H9WXCA0 +--- + +# Why reports reflect folders that were not supposed to be scanned? + +A few shares are enabled, but in the reports, you are seeing a folder that wasn't supposed to be scanned. + +--- + +For the most part, Netwrix Auditor collects events from the Windows Security log. If a UNC path is specified in **Managed Items** as `\server\share\folder`, but the actual share is `\server\share`, in your report you can get events related to `\server\share\folder2` which was not supposed to be scanned. Take a closer look at the reported folders' audit settings - it can be inherited from some of the root folders and make it appear in reports. Also, you can use the `omitstorelist.txt` file which is located in the Netwrix Auditor installation directory to exclude any folder or file from being reported. diff --git a/docs/kb/auditor/windows-server-inventory-report-shows-windows-defenders-as-the-only-antivirus-installed.md b/docs/kb/auditor/windows-server-inventory-report-shows-windows-defenders-as-the-only-antivirus-installed.md new file mode 100644 index 0000000000..2b3ac48fb8 --- /dev/null +++ b/docs/kb/auditor/windows-server-inventory-report-shows-windows-defenders-as-the-only-antivirus-installed.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Explains why the Windows Server Inventory Report in Netwrix Auditor lists + Windows Defender as the only antivirus on Windows Server 2016/2019 systems and + how to resolve it. +keywords: + - Windows Server Inventory + - Windows Defender + - SecurityCenter2 + - WMI + - antivirus detection + - Windows Server 2016 + - Windows Server 2019 + - Netwrix Auditor +products: + - auditor +sidebar_label: Windows Server Inventory Report shows Windows Defe +tags: [] +title: "Windows Server Inventory Report shows Windows Defenders as the only Antivirus installed" +knowledge_article_id: kA04u000000XmGgCAK +--- + +# Windows Server Inventory Report shows Windows Defenders as the only Antivirus installed + +## Scenario +When running the Windows Server Inventory Report in Netwrix Auditor, the results show Windows Defender as the only installed Antivirus. + +## Cause +This is due to the fact that Windows Server 2016 and 2019 are missing the WMI SecurityCenter2 namespace, resulting in the OS only recognizing Windows Defender. + +## Solution +Once a 3rd party software is installed, disable Windows Defender. The WMI SecurityCenter2 namespace will regenerate and identify the alternative Antivirus software. + +For more information, visit this Microsoft article: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility diff --git a/docs/kb/auditor/wmi-classes-data-provider-failed-service-cannot-be-started.md b/docs/kb/auditor/wmi-classes-data-provider-failed-service-cannot-be-started.md new file mode 100644 index 0000000000..982cb1ede9 --- /dev/null +++ b/docs/kb/auditor/wmi-classes-data-provider-failed-service-cannot-be-started.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Netwrix Auditor Health Log can show Event ID 1016 when the WMI Classes data + provider cannot query Win32_SystemSlot because the Windows Management + Instrumentation service is stopped. This article describes the cause and steps + to start the service to restore data collection. +keywords: + - WMI + - Windows Management Instrumentation + - Event ID 1016 + - Health Log + - Win32_SystemSlot + - '0x80070422' + - services.msc + - monitoring plan +products: + - auditor +sidebar_label: 'WMI Classes Data Provider Failed − Service Cannot ' +tags: [] +title: "WMI Classes Data Provider Failed − Service Cannot Be Started" +knowledge_article_id: kA04u000000wnjLCAQ +--- + +# WMI Classes Data Provider Failed − Service Cannot Be Started + +## Symptom + +The following error is prompted in Health Log for your Windows Server monitoring plan in Netwrix Auditor: + +``` +Source: Windows Server Audit Service +Event ID: 1016 +Description: Monitoring plan: %Windows_Server_monitoring_plan% +Item: %server_name% +The WMI Classes data provider failed to get information on Win32_SystemSlot due to the following error: +The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. +Exception from HRESULT: 0x80070422 +``` + +## Cause + +The Windows Management Instrumentation service has been stopped in the **Item** server. + +> **NOTE:** This could happen due to a recent OS update in the affected server. + +## Resolution + +Start the Windows Management Instrumentation service on the affected **Item** server: + +1. Search for **Services** in the search bar, or run `services.msc` in the Run command window. +2. Locate the **Windows Management Instrumentation** service, right-click it and click **Start**. + +Data collection should resume once the **Windows Management Instrumentation** service starts − you can update the affected Windows Server monitoring plan to check if the error was solved. 
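Review bot: The Resolution only tells the reader to right-click the service and click **Start**, but the error quoted under Symptom (`0x80070422`) says the service cannot be started "because it is disabled", so starting it will not work while the startup type is Disabled. Add a step to check **Startup type** and set it to **Automatic** first, as the Win32_Printer article in this same patch does for Print Spooler. The front-matter `sidebar_label: 'WMI Classes Data Provider Failed − Service Cannot '` is also truncated with a trailing space.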
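Review bot: In why-netwrix-auditor-reads-ad-fs-dkm-key-and-is-it-normal.md, step 3 has the reader add `*.thumbnailPhoto` to `omitstorelist.txt`, while the sentence introducing the steps says the goal is to exclude the **AD FS DKM key**, and nothing in the article explains how a `thumbnailPhoto` entry relates to that key. Either state the relationship or correct the entry. The Answer also says the read itself cannot be avoided, so it should state explicitly whether the Windows Defender alert from the Question is expected to keep firing after the change; as written a reader may assume the alert is resolved. Step 1 has a stray leading space inside the code span (` %Installation Path%`).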
diff --git a/docs/kb/auditor/wmi-classes-data-provider-failed-to-get-the-information-on-win32-printer-error.md b/docs/kb/auditor/wmi-classes-data-provider-failed-to-get-the-information-on-win32-printer-error.md new file mode 100644 index 0000000000..da279fe426 --- /dev/null +++ b/docs/kb/auditor/wmi-classes-data-provider-failed-to-get-the-information-on-win32-printer-error.md 
@@ -0,0 +1,80 @@ +--- +description: >- + Explains the cause and resolutions for Event ID 1016 where the WMI Classes + data provider cannot get Win32_Printer information; includes steps to start + the Print Spooler service and alternatives to omit printer monitoring. +keywords: + - Win32_Printer + - Print Spooler + - WMI + - Event ID 1016 + - omitcollectlist.txt + - omiterrors.txt + - Netwrix Auditor + - monitoring +products: + - auditor +sidebar_label: WMI Classes Data Provider Failed to Get the Inform +tags: [] +title: "WMI Classes Data Provider Failed to Get the Information on Win32_Printer Error" +knowledge_article_id: kA00g000000H9bkCAC +--- + +# WMI Classes Data Provider Failed to Get the Information on Win32_Printer Error + +## Symptom + +The Netwrix Auditor Health Log contains the following error: + +```text +Event ID 1016: : Error: The WMI Classes data provider failed to get the information on "Win32_Printer" due to the following error: 'Generic failure'" +``` + +## Cause + +The Print Spooler service is stopped or disabled on the monitored server. + +## Resolution + +1. Log on to the problematic server. +2. Start the **Services** snap-in (Click **Start** > **Run**, type `services.msc` and press Enter). +3. Locate the **Print Spooler** service and double-click it. +4. In the **General** tab, review the **Startup type** value − switch it to **Automatic** and click **Start**. +5. Click **Apply**. + +![User-added image](images/ka0Qk0000001f7Z_0EM4u000002CQsV.png) + +--- + +Both of the alternative resolutions are aimed at removing the error from reports. The downside is that the collector will not report any information regarding printers on omitted servers. Use the alternative resolutions if you would like to disable Print Spooler service monitoring on selected servers. + +### Alternative Resolution 1 + +You may choose to omit this error using the `omitcollectlist.txt` (for Activity Records) or `omitsitcollectlist.txt` (for State-in-Time data). 
+ +Use the following syntax: + +```text +monitoring plan name, server name, WIN32_PRINTER +``` + +Refer to the following article for additional information: /docs/auditor/10.6/auditor/configurationuration/windowsserver + +This method can be used to exclude the error by excluding the Print Spooler events from the monitoring scope. Refer to the following article for the full list of objects monitored on Windows Servers: /docs/auditor/10.6/auditor/configurationuration/windowsserver Scroll down to **Object type** > **Printing**. + +The **Printer Changes** report for Windows Server also will show only events collected before this resolution. + +### Alternative Resolution 2 + +You may omit the error itself from being displayed in the Netwrix Auditor Health Log using the `omiterrors.txt` file. + +Use the following syntax: + +```text +monitoring plan name, server name,*The WMI Classes data provider failed to get information on Win32_Printer due to the following error: Generic failure* +``` + +## Related articles + +- /docs/auditor/10.6/auditor/configurationuration/windowsserver +- /docs/auditor/10.6/auditor/configurationuration/windowsserver diff --git a/docs/kb/auditor/workstation-field-reported-as-unknown.md b/docs/kb/auditor/workstation-field-reported-as-unknown.md new file mode 100644 index 0000000000..146b716b0a --- /dev/null +++ b/docs/kb/auditor/workstation-field-reported-as-unknown.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Explains reasons why the Workstation field can be reported as unknown in + Activity Summary, reports, and search results for Active Directory, and points + to configuration and troubleshooting resources for Netwrix Auditor and Netwrix + OneSecutre. +keywords: + - Workstation + - unknown + - Activity Summary + - Active Directory + - Netwrix Auditor + - OneSecutre + - Security log + - monitoring plan + - data collecting account + - event log +products: + - auditor + - onesecure +sidebar_label: Workstation Field Reported as Unknown +tags: [] +title: "Workstation Field Reported as Unknown" +knowledge_article_id: kA00g000000H9VdCAK +--- + +# Workstation Field Reported as Unknown + +## Question + +Why is the **Workstation** field returned as **unknown** in Activity Summary, reports, and search results? + +## Answer + +> **NOTE:** This article only applies to Active Directory (AD). + +This could be caused by one of the following reasons: + +- The data collecting account used in the affected monitoring plan does not have access to the domain controller. This could be related to the format the account is specified in, or permissions granted to the account. For additional information on permissions, refer to the following article: Monitoring Plans − Data Collecting Account ⸱ v10.6. + +- Warnings for AD auditing are related to the Originating Workstation feature. Netwrix Auditor and Netwrix OneSecutre collect user logon and logoff events to identify the user session for the change as no data on a specific workstation to introduce a change to AD in Security events on domain controllers is usually indicated. This workflow can be inaccurate as there might be several open sessions on different workstations for a single user, or no recent logons or logoffs events on workstations registered. This warning is expected and doesn't affect general data collection—in this case it can be safely ignored. + +- Security log overwrites. 
For example, a user logged to the workstation from which a change was made before Netwrix Auditor or Netwrix OneSecutre was installed, and log overwrites occurred before the product ran the first data collection. For instructions on how to configure the Security event log size and retention policy to prevent log overwrites, refer to Active Directory – Adjust Security Event Log Size and Retention · v10.6. This cause is usually accompanied by corresponding errors in the Netwrix Auditor or Netwrix OneSecutre System Health log. + +- Audit policies are configured incorrectly. You can configure them automatically in Netwrix Auditor or Netwrix OneSecutre or manually. For instructions, refer to Configuration – Active Directory · v10.6. This cause is usually accompanied by corresponding errors in the Netwrix Auditor or Netwrix OneSecutre System Health log. + +- The change to the audited domain was made through the interface of Exchange Server installed in a different domain. + +- The change to the audited domain was made through Exchange Management Shell with the impersonation of another user's account. For example, a user logged to a workstation under their account and then opened a different session through Exchange Management Shell which enabled them to perform operations by using the permissions associated with another user's account. + +- Native Windows logon events lack the information on the IP address of the originating workstation. + +- The change was made under a computer account (e.g., computer password resets, account lockouts, changes to Service Principal names, etc.). This is the most popular reason. In order to confirm it, check the **Who** field of the corresponding change—if the account name ends with '$'—this is a computer account and the workstation is expected to be 'unknown'. + +## Related Articles + +- Monitoring Plans − Data Collecting Account ⸱ v10.6. 
+- Active Directory – Adjust Security Event Log Size and Retention · v10.6 +- Configuration – Active Directory · v10.6 diff --git a/docs/kb/auditor/workstation-name-is-not-shown.md b/docs/kb/auditor/workstation-name-is-not-shown.md new file mode 100644 index 0000000000..4c14f4eb4c --- /dev/null +++ b/docs/kb/auditor/workstation-name-is-not-shown.md @@ -0,0 +1,35 @@ +--- +description: >- + Explains why the Workstation field is empty in Account Lockout Examiner + reports and how this relates to the Caller Machine Name field in Windows + security event logs. +keywords: + - account lockout + - workstation + - Caller Machine Name + - event ID 4740 + - event ID 644 + - security logs + - domain controller + - Netwrix Auditor +products: + - auditor +sidebar_label: Workstation Name Is not Shown +tags: [] +title: "Workstation Name Is not Shown" +knowledge_article_id: kA00g000000H9dPCAS +--- + +# Workstation Name Is not Shown + +## Question + +Netwrix Account Lockout Examiner shows no data in the **Workstation** field, while the fields **Domain Controller** and **Lockout Time** are populated correctly. Why is it happening? + +## Answer + +Because Netwrix Account Lockout Examiner processes Windows security logs, it only gets the data that is present in those logs. This issue means that the Account locked out event (ID `644` for Windows XP/2003, ID `4740` for the later versions of Windows) contains an empty **Caller Machine Name** field. Here is an example of the Account locked out event `644` with the empty **Caller Machine Name** field: + +[![User-added image](images/ka04u00000118ES_0EM700000004udP.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g0000004KSJ&feoid=00N700000032Pj2&refid=0EM700000004udP) + +The field can be empty for events where a local computer account was locked out due to a local policy or as a result of computer synchronization with a mobile device. 
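Review bot: The screenshot in the Answer of workstation-name-is-not-shown.md is wrapped in a link to `https://netwrix.secure.force.com/kb/servlet/rtaImage?...` even though the image itself is committed under `images/`; drop the outer link so the page does not depend on the old KB host. The alt text "User-added image" should describe what is shown, for example the `644` event with an empty **Caller Machine Name** field. The body names the product "Netwrix Account Lockout Examiner" while the keywords and `products` list only mention Netwrix Auditor; confirm which product the article applies to.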
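Review bot: In wmi-classes-data-provider-failed-to-get-the-information-on-win32-printer-error.md, the `omiterrors.txt` pattern under Alternative Resolution 2 does not match the error quoted under Symptom: the symptom reads `failed to get the information on "Win32_Printer"` with `'Generic failure'` in quotes, while the pattern reads `failed to get information on Win32_Printer due to the following error: Generic failure`, without "the" and without the quotes. If the text between the wildcards is matched literally, the entry will not suppress the event, so copy the exact Health Log wording or shorten the pattern to a fragment both strings share. The links `/docs/auditor/10.6/auditor/configurationuration/windowsserver` contain a doubled "uration", and the same link is listed twice under Related articles.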
diff --git a/docs/kb/auditor/workstations-cloned-with-windows-server-auditing-service-pre-installed.md b/docs/kb/auditor/workstations-cloned-with-windows-server-auditing-service-pre-installed.md new file mode 100644 index 0000000000..5671a9ef6f --- /dev/null +++ b/docs/kb/auditor/workstations-cloned-with-windows-server-auditing-service-pre-installed.md 
@@ -0,0 +1,160 @@ +--- +description: >- + Describes symptoms, cause, and step-by-step resolution for duplicated AgentID + values on cloned virtual machines that cause monitoring data loss in Netwrix + Auditor. +keywords: + - cloned VMs + - AgentID + - Windows Server Change Reporter Agent + - Netwrix Auditor + - monitoring plans + - Windows Server Compression Service + - User Activity + - RemoteAgentState.xml +products: + - auditor +sidebar_label: Workstations Cloned with Windows Server Auditing S +tags: [] +title: "Workstations Cloned with Windows Server Auditing Service Pre-installed" +knowledge_article_id: kA04u00000110jcCAA +--- + +# Workstations Cloned with Windows Server Auditing Service Pre-installed + +## Symptoms + +- Multiple VM instances have the same `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix Auditor\Windows Server Change Reporter Agent\AgentID` registry key. +- Servers or events for specific VM servers are missing from reports. +- Events in VM server reports are replicated in reports for other irrelevant servers. + +## Cause + +When a newly created VM server template is monitored via Netwrix Auditor, it will have Windows Server Compression Service instance installed for monitoring and data collection purposes. Every instance of Windows Server Compression Service is supposed to have a unique AgentID to allow Netwrix Auditor to differentiate the collected data in terms of its source. + +In case a monitored VM template is duplicated, Agent IDs are duplicated as well. If Agent IDs match for two or more VMs, the collection process will be hindered — Netwrix Auditor will be satisfied with a single response instead of the actual number of responses it is supposed to get as in one response per machine. Subsequently, this leads to monitoring data losses and inconsistent monitoring data. + +## Affected servers + +To establish the affected servers, refer to the following steps: + +1. 
Choose a single server you suspect to be affected and navigate to the following registry key in Registry Editor: + + ```Registry + Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix Auditor\Windows Server Change Reporter Agent + ``` + + Copy the **AgentID** value. + + ![Registry AgentID screenshot](images/ka04u000001177u_0EM4u000008Lr6o.png) + +2. In your Netwrix Auditor host, navigate to the `C:\ProgramData\Netwrix Auditor\ShortTerm\WSA\Agents\` folder. Look for a folder named after **AgentID** (e.g.,52656fc3-d325-424d-9bef-fb68d14bc919). The **RemoteAgentState.xml** file contains a list of affected servers. + +## Resolution + +### Netwrix Auditor host + +1. Stop Netwrix Auditor for Windows Server Audit Service: + + 1. In the search bar, type **Services** and open the application. + You can also launch `Services.msc` via Run command window. + 2. Scroll down the **Services (Local)** list to find the Netwrix Auditor for Windows Server Audit Service. + 3. Right-click the service and select **Stop**. + +2. Stop Windows Server monitoring plans with affected servers: + + 1. Open your Netwrix Auditor application. + 2. In the main screen, open the **Monitoring Plans** menu. + 3. Select a Windows Server monitoring plan and click **Edit**. + 4. Select the appropriate data source and click **Edit data source** in the right pane. + 5. Switch the **Monitor this data source and collect activity data** switch to **Off**. + +3. Add the template server to exclusions: + + 1. In the main Netwrix Auditor screen, open the **Monitoring Plans** menu. + 2. Select a Windows Server monitoring plan and click **Edit**. + 3. Select the Active Directory container containing the template server and click **Edit item** in the right pane. + 4. In the left pane, select Containers and Computers and check the **Exclude these objects** checkbox. + 5. Click **Add Computer** to add your template server to exclusions. 
+ +### Affected servers + +> NOTE: These steps should be applied to the template VM as well. + +1. Uninstall Netwrix Auditor for Windows Server Compression Service on affected servers. + + 1. In your **Start** menu, open **Settings**. + 2. Open the **Apps** menu. + 3. Select Netwrix Auditor for Windows Server Compression Service application and click **Uninstall**. + +2. Remove the following folders from affected servers: + + - `C:\ProgramData\Netwrix Auditor\Windows Server Compression Service` + - `C:\Program Files (x86)\Netwrix Auditor\Windows Server Compression Service` + +3. Delete `HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix Auditor\Windows Server Change Reporter Agent` registry keys from affected servers. + +4. Launch Netwrix Auditor for Windows Server Audit Service in your Netwrix Auditor host. Refer to the prior steps for additional information. + +5. Start the previously disabled monitoring plans with affected servers. + +6. Netwrix Auditor for Windows Server Audit Service should automatically launch during the next data collection to reinstall Windows Server Compression Service applications. In case they won't, refer to the following steps: + + 1. Open the folder `C:\Program Files (x86)\Netwrix Auditor\Windows Server Auditing` in the Netwrix server. + 2. Copy the Netwrix.WSA.CompressionService.Setup.msi file to each affected server. + 3. Install it manually. + +> NOTE: User Activity service will be affected as well. Refer to the following steps for troubleshooting: + +### Netwrix Auditor host (User Activity) + +1. Stop Netwrix Auditor User Activity Core Service: + + 1. In the search bar, type **Services** and open the application. + You can also launch `Services.msc` via Run command window. + 2. Scroll down the **Serivces (Local)** list to find the Netwrix Auditor User Activity Core Service. + 3. Right-click the service and select **Stop**. + +2. Stop User Activity monitoring plans with affected servers: + + 1. Open your Netwrix Auditor application. 
+ 2. In the main screen, open the **Monitoring Plans** menu. + 3. Select the User Activity monitoring plan and click **Edit**. + 4. Select the data source and click **Edit data source** in the right pane. + 5. In the left pane, select the **General** tab, and toggle the **Monitor this data source and collect activity data** off. + +3. Remove the VM template from the monitoring plan. + + 1. Open your Netwrix Auditor application. + 2. In the main screen, open the Monitoring Plans menu. + 3. Select the User Activity monitoring plan and click Edit. + 4. Select the VM template item in the list and click **Remove item** in the right pane. + +4. Navigate to `C:\ProgramData\Netwrix Auditor`, back up and delete the **User Activity Video Reporter** folder. + +### Affected servers (User Activity) + +> NOTE: These steps should be applied to the template VM as well. + +1. Uninstall Netwrix Auditor User Activity Core Service on affected servers. + + 1. In your **Start** menu, open **Settings**. + 2. Open the **Apps** menu. + 3. Select Netwrix Auditor User Activity Core Service and click **Uninstall**. + +2. Delete the following folders from affected servers: + + - `C:\ProgramData\Netwrix Auditor\User Activity Core Service` + - `C:\Program Files (x86)\Netwrix Auditor\User Activity Core Service` + +3. Delete `HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix\User Activity Video Reporter Agent` from affected servers. + +4. Launch Netwrix Auditor User Activity Core Service in your Netwrix Auditor host. Refer to the prior steps for additional information. + +5. Start the previously disabled monitoring plans with affected servers. + +6. Netwrix Auditor User Activity Core Service should automatically launch during the next data collection to reinstall User Activity applications. In case it won't, refer to the following steps: + + 1. Open the folder `C:\Program Files (x86)\Netwrix Auditor\User Activity Video Recording` in the Netwrix server. + 2. 
Copy the **UACoreSvcSetup.msi** file to each cloned server. + 3. Install it manually. diff --git "a/docs/kb/auditor/\321\201onnection_issue_when_tls_1.2_is_required.md" "b/docs/kb/auditor/\321\201onnection_issue_when_tls_1.2_is_required.md" new file mode 100644 index 0000000000..510ed82fee --- /dev/null +++ "b/docs/kb/auditor/\321\201onnection_issue_when_tls_1.2_is_required.md" 
@@ -0,0 +1,131 @@ +--- +description: >- + This article provides guidance on setting up connections between internal environments and Microsoft 365 when facing TLS version mismatches and limited ciphers. +keywords: + - TLS 1.2 + - Microsoft 365 + - WinHTTP +sidebar_label: Connection Issue with TLS 1.2 +tags: [] +title: "Connection Issue When TLS 1.2 Is Required" +knowledge_article_id: kA00g000000H9eOCAS +products: + - auditor +--- + +# Connection Issue When TLS 1.2 Is Required + +## Question + +How to set up connections between the internal environment and Microsoft (Office) 365 with mismatched TLS versions and limited ciphers? + +## Answers + +### Option 1: For Up-to-Date Environments + +For up-to-date environments, refer to the following KB article for additional information: [Client and Server Cannot Communicate, Because They Do Not Possess a Common Algorithm](/docs/kb/auditor/client-and-server-cannot-communicate-because-they-do-not-possess-a-common-algorithm). You can also use this registry key to achieve the same results: [TLS Registry Key](https://netwrix.com/download/products/KnowledgeBase/TLSRegkey.reg). + +### Option 2: For Pre-Windows Server 2019 Environments and Earlier + +> **NOTE:** For additional information, refer to the following Microsoft articles: [How to enable TLS 1.2 on clients ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client) and [TLS best practices — Configuring security via the Windows Registry ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-security-via-the-windows-registry). + +#### Step 1: Update Windows and WinHTTP + +Earlier versions of Windows (e.g., Windows 7, Windows Server 2012, etc.) do not enable TLS 1.1 or TLS 1.2 by default for secure communications using WinHTTP. 
For earlier versions of Windows, install [Update 3140245 ⸱ Microsoft Support 🡥](https://support.microsoft.com/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392) to enable the registry value below, which can be set to add TLS 1.1 and TLS 1.2 to the default secure protocols list for WinHTTP. With the patch installed, create the following registry values: + +> **NOTE:** Enable these settings for all clients running earlier versions of Windows **before** enabling TLS 1.2 and disabling the older protocols in the Configuration Manager servers. Otherwise, you can inadvertently orphan them. + +Verify the value of the **DefaultSecureProtocols** registry setting: + +```Registry +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\ +DefaultSecureProtocols = (DWORD): 0xAA0 +HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\ +DefaultSecureProtocols = (DWORD): 0xAA0 +``` + +The Microsoft article [Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows ⸱ Microsoft 🡥](https://support.microsoft.com/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392) lists hexadecimal values for each protocol. By default in Windows, the value **0x0A0** is used to enable SSL 3.0 and TLS 1.0 for WinHTTP. The example provided above allows you to keep default values and enable TLS 1.1 and TLS 1.2 for WinHTTP. This configuration ensures the change doesn't affect any other application that might still rely on SSL 3.0 or TLS 1.0. You can use the **0xA00** value to only enable TLS 1.1 and TLS 1.2. Configuration Manager supports the most secure protocol supported by both Windows devices. + +> **NOTE:** If you change this value, make sure to reboot your computer to apply these changes. 
+ +#### Step 2: Ensure That TLS 1.2 Is Enabled as a Protocol for SChannel at the Operating System Level + +Verify the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols` registry subkey setting, as specified in the following article: [TLS best practices — Configuring security via the Windows Registry ⸱ Microsoft 🡥](https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-security-via-the-windows-registry). + +#### Step 3: Update and Configure the .NET Framework to Support TLS 1.2 + +##### Step 3.1: Install .NET Updates + +Install .NET updates to enable strong cryptography. Some versions of .NET Framework might require updates to enable strong cryptography; refer to the following guidelines: + +- .NET Framework 4.6.2 and later supports TLS 1.1 and TLS 1.2. Confirm the registry settings; no additional changes are required. + + > **NOTE:** Starting version 2107, Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site servers, specific site systems, clients, and the console. If possible in your environment, install the latest version of .NET version 4.8. + +- Update .NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For additional information, refer to the following article: [.NET Framework versions and dependencies ⸱ Microsoft 🡥](https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/versions-and-dependencies). + +- If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows Server 2012 R2, or Windows Server 2012, it is strongly recommended to install the latest security updates for .NET Framework 4.5.1 and 4.5.2 to ensure TLS 1.2 can be enabled. 
+ + > **NOTE:** TLS 1.2 was first introduced into .NET Framework 4.5.1 and 4.5.2 with the following hotfix rollups: + + - For Windows 8.1 and Server 2012 R2: [Hotfix rollup 3099842 ⸱ Microsoft 🡥](https://support.microsoft.com/topic/hotfix-rollup-3099842-for-the-net-framework-4-5-2-and-the-net-framework-4-5-1-on-windows-7b629c7e-bea4-4838-2512-e22e8bad368a). + + - For Windows Server 2012: [Hotfix rollup 3099844 ⸱ Microsoft 🡥](https://support.microsoft.com/topic/hotfix-rollup-3099844-for-the-net-framework-4-5-2-4-5-1-and-4-5-on-windows-ee48ac0d-79be-28f7-563d-e7bd46040dd3). + +##### Step 3.2: Configure for Strong Cryptography + +Configure .NET Framework to support strong cryptography. Set the **SchUseStrongCrypto** registry setting to **DWORD:00000001**. This value disables the RC4 stream cipher and requires a restart. For additional information on the setting, refer to the following article: [Microsoft Security Advisory 296038 ⸱ Microsoft 🡥](https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358). + +Make sure to set the following registry keys on any computer that communicates across the network with a TLS 1.2-enabled system. For example, Configuration Manager clients, remote site system roles not installed on the site server, and the site server itself. 
+ +For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that are running on 64-bit OSs, update the following subkey values: + +```Registry +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] + "SystemDefaultTlsVersions" = dword:00000001 + "SchUseStrongCrypto" = dword:00000001 +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] + "SystemDefaultTlsVersions" = dword:00000001 + "SchUseStrongCrypto" = dword:00000001 +``` + +For 32-bit applications that are running on 64-bit OSs, update the following subkey values: + +```Registry +[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] + "SystemDefaultTlsVersions" = dword:00000001 + "SchUseStrongCrypto" = dword:00000001 +[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] + "SystemDefaultTlsVersions" = dword:00000001 + "SchUseStrongCrypto" = dword:00000001 +``` + +> **NOTE:** The `SchUseStrongCrypto` setting allows .NET to use TLS 1.1 and TLS 1.2. The **SystemDefaultTlsVersions** setting allows .NET to use the OS configuration. For additional information, refer to the following article: [TLS best practices ⸱ Microsoft 🡥](https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls). 
+ +### Attached Files + +- [TLS Registry Key](https://netwrix.com/download/products/KnowledgeBase/TLSRegkey.reg) + +### Related Articles + +- [Client and Server Cannot Communicate, Because They Do Not Possess a Common Algorithm](/docs/kb/auditor/client-and-server-cannot-communicate-because-they-do-not-possess-a-common-algorithm) + +- [How to enable TLS 1.2 on clients ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client) + +- [TLS best practices — Configuring security via the Windows Registry ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-security-via-the-windows-registry) + +- [Update 3140245 ⸱ Microsoft Support 🡥](https://support.microsoft.com/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392) + +- [Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows ⸱ Microsoft 🡥](https://support.microsoft.com/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392) + +- [TLS best practices — Configuring security via the Windows Registry ⸱ Microsoft 🡥](https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-security-via-the-windows-registry) + +- [.NET Framework versions and dependencies ⸱ Microsoft 🡥](https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/versions-and-dependencies) + +- [Hotfix rollup 3099842 ⸱ Microsoft 🡥](https://support.microsoft.com/topic/hotfix-rollup-3099842-for-the-net-framework-4-5-2-and-the-net-framework-4-5-1-on-windows-7b629c7e-bea4-4838-2512-e22e8bad368a) + +- [Hotfix rollup 3099844 ⸱ Microsoft 🡥](https://support.microsoft.com/topic/hotfix-rollup-3099844-for-the-net-framework-4-5-2-4-5-1-and-4-5-on-windows-ee48ac0d-79be-28f7-563d-e7bd46040dd3) + +- [Microsoft Security Advisory 296038 ⸱ Microsoft 
🡥](https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358) + +- [TLS best practices ⸱ Microsoft 🡥](https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls) \ No newline at end of file diff --git a/docs/kb/dataclassification/503_service_unavailable_ndc_dashboard.md b/docs/kb/dataclassification/503_service_unavailable_ndc_dashboard.md new file mode 100644 index 0000000000..6b4aaaa7fa --- /dev/null +++ b/docs/kb/dataclassification/503_service_unavailable_ndc_dashboard.md 
@@ -0,0 +1,48 @@ +--- +description: >- + This article provides troubleshooting steps for resolving the "503 Service Unavailable" error encountered when loading the NDC Dashboard. +keywords: + - HTTP Error 503 + - NDC Dashboard + - IIS Application Pool +sidebar_label: 503 Service Unavailable +tags: [] +title: "Error: 503 Service Unavailable NDC Dashboard" +knowledge_article_id: kA00g000000PbcsCAC +products: + - data-classification +--- + +# Error: 503 Service Unavailable NDC Dashboard + +## Symptom + +When attempting to load the Dashboard, you receive the following error: + +``` +HTTP Error 503. The service is unavailable. +``` + +## Cause + +This error is caused by the **conceptQSAppPool** being stopped. + +## Resolution + +In most situations, you can resolve this by simply restarting the application pool in IIS and refreshing the QS page. + +If the error persists after the application pool has been restarted, then the issue is most likely tied to the application pool identity, which can be seen listed in the **Identity** column in the screenshot below. The **ConceptQSAppPool** needs local admin rights to prevent it from crashing. Granularly, the **ConceptQSAppPool** identity needs the **Logon as batch** and **Logon as service** user rights assignment applied. Either grant the existing identity local admin rights or change the identity to an existing account with local admin rights. + +For example: + +![NDC Dashboard Identity Settings](https://kb.netwrix.com/wp-content/uploads/2020/04/503-3-1024x541.png) + +To assign granularly: + +1. Right-click on the **conceptQSAppPool** and select **Advanced Settings...** +2. Scroll down to **Identity** and enter a new username in the **domain\username** format. +3. Click **OK** and start the application pool. + +The NDC dashboard will load in the browser. + +If none of the solutions above solve the issue, check **Windows Event Log** → **Applications** → **NDC** for errors. \ No newline at end of file 
diff --git a/docs/kb/dataclassification/_category_.json b/docs/kb/dataclassification/_category_.json new file mode 100644 index 0000000000..31ba0aed9c --- /dev/null +++ b/docs/kb/dataclassification/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Troubleshooting Articles", + "position": 999, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/dataclassification/antivirus-exclusions-for-netwrix-data-classification.md b/docs/kb/dataclassification/antivirus-exclusions-for-netwrix-data-classification.md new file mode 100644 index 0000000000..55d2cd2498 --- /dev/null +++ b/docs/kb/dataclassification/antivirus-exclusions-for-netwrix-data-classification.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Explains which antivirus exclusions to add for Netwrix Data Classification to + prevent slowdowns and locked index or temporary files. +keywords: + - antivirus + - exclusions + - Netwrix Data Classification + - CSE files + - index files + - collector + - indexer + - classifier +products: + - data-classification +sidebar_label: Antivirus Exclusions for Netwrix Data Classification +tags: [] +title: "Antivirus Exclusions for Netwrix Data Classification" +knowledge_article_id: kA04u000001111WCAQ +--- + +# Antivirus Exclusions for Netwrix Data Classification + +## Symptoms + +An antivirus suite can slow down or even prevent correct operation of Netwrix Data Classification: + +- Reduced speed of processing +- Locked index files or temporary collected files + +## Cause + +Netwrix Data Classification writes information to CSE files in small chunks at short intervals — an antivirus will attempt to read the entire file looking for threats after each writing session. + +This considerably slows down processes of the service, as each short writing session is expected to occur frequently, while a full read of a file might take a long time (especially in a larger environment). + +## Resolution + +Add the following exclusions for the antivirus: + +> **NOTE:** In Netwrix Data Classification v5.6, the first path to exclude is `C:\Program Files\Conceptseraching\Index` + +1. NDC Index databases: CSE files, located by default `C:\Program Files\Netwrix\Data Classification\Index` +2. Temp files: `C:\Users\SERVICEACCOUNTNAMEHERE\AppData\Local\Temp\Netwrix\Data Classification\Collector` + +During data collection, a collector uses a specific to store copies of the files it is currently collecting and then places them in the temp location until they have been processed and moved on to the **Indexer** and **Classifier** services. 
+ +## Related articles + +- [How to back up Netwrix Data Classification Index](/docs/kb/dataclassification/how-to-back-up-the-ndc-index.md) diff --git a/docs/kb/dataclassification/certificate-key-size-value-error-when-validating-sharepoint-online-source.md b/docs/kb/dataclassification/certificate-key-size-value-error-when-validating-sharepoint-online-source.md new file mode 100644 index 0000000000..26a978ddf4 --- /dev/null +++ b/docs/kb/dataclassification/certificate-key-size-value-error-when-validating-sharepoint-online-source.md @@ -0,0 +1,45 @@ +--- +description: >- + When validating a SharePoint Online source, you might encounter an error + indicating the certificate key size is too small. This article explains the + cause and resolution for the error. +keywords: + - SharePoint Online + - certificate + - Azure AD + - 2048 + - key size + - certificate authority + - Data Classification + - Azure app + - validation error + - helpcenter +products: + - data-classification +sidebar_label: Certificate Key Size Value Error When Validating S +tags: [] +title: "Certificate Key Size Value Error When Validating SharePoint Online Source" +knowledge_article_id: kA04u00000111KJCAY +--- + +# Certificate Key Size Value Error When Validating SharePoint Online Source + +## Symptom + +When validating a SharePoint Online source, the following error appears: + +```text +The certificate used must have a key size of at least 2048 bits. +``` + +## Cause + +The issue occurs when a third-party certificate authority has been used and the generated certificate for Azure app is only 1024 bit. + +## Resolution + +Create a new 2048 bit certificate using your certificate authority tool. + +Then import and upload it to to Azure for SharePoint Online app per normal configuration insctructions. + +For additional information on how to prepare the certificate for your Azure AD app, refer to the following article: Step 1: Prepare application certificate. 
diff --git a/docs/kb/dataclassification/classification-troubleshooting.md b/docs/kb/dataclassification/classification-troubleshooting.md new file mode 100644 index 0000000000..e4f10f1328 --- /dev/null +++ b/docs/kb/dataclassification/classification-troubleshooting.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Troubleshoot why a document is not classified as expected in Netwrix Data + Classification. Steps to check workflow logs, reindexing, OCR extraction, and + taxonomy debugging. +keywords: + - classification + - Netwrix Data Classification + - taxonomy + - OCR + - reindex + - workflow logs + - PageId + - collector tracing +products: + - data-classification +sidebar_label: Classification Troubleshooting +tags: [] +title: "Classification Troubleshooting" +knowledge_article_id: kA0Qk0000000Q0vKAE +--- + +# Classification Troubleshooting + +## Question + +Why is my document not classified as expected? + +## Answer + +Identify a document with incorrect classifications: + +### Step #1: Check the status of a document + +Go to the workflow logs (`https://[YourNDCServerName]/NDC/Workflows/Logs`) on your Netwrix Data Classification server and check the status: + +- If it's **negative**, then there was an error. Enable collector tracing and reindex the file, then view the event logs for details of the issue. You will usually see either the `PageID`, `PageURL`, or both in the logs to know which errors are related. +- If it's less than 400, it means that it is not classified and needs to finish processing first. Check codes in the `Netwrix Data Classification Page Status Codes` article: /docs/kb/data-classification/ndc_page_status_codes +- If the status is **Classified (400)** and the **ReindexStatus** is 3, then it means it hasn't been reindexed or reclassified. This means that a change was detected or the user manually requested reprocessing. Give Netwrix Data Classification time to reprocess the document. +- If the status is 400 and the reindex status is 0, check the **Text** and **Metadata** tabs. This is an easy way to confirm issues where Optical Character Recognition (OCR) has failed to extract the text you're looking for or if there was an issue processing text extraction for the document. 
If it doesn't match, enable collector tracing and reindex the document for details in the logs. + +### Step #2: Investigate content configuration + +If it has the expected text and metadata, investigate why the expected classification/term is not present on the document: + +1. Make a note of the **PageId**. +2. Navigate to **Taxonomies** and select the taxonomy you need to diagnose. +3. Click the **Search** tab and then select **Add custom filter**. +4. Select the **Include documents (PageIds)** filter type and type in the PageId of the document you wish to check and then click **Add** > **Search**. + +> **TIP:** The document should be shown. If it is not, then check to see if security trimming is enabled and hiding the document. + +5. Click on the calculator icon. This will confirm which clues matched and if any filters have been applied. +6. See if the details shown differ from what is expected. You should understand why you expect this document to be classified, so you will see certain matching clues. By comparing the expectations to the results in the classification debug, you can identify which clues are not matching as expected. You may also notice if a mandatory clue hasn't been matched and then adjust the clues accordingly. +7. If the document shows as classified in the calculations dialog but is not shown as classified in the page info dialog, then it's possible that the taxonomy clues have changed since the document was last classified. + + Select the document, select **Re-classify**, and then select **Reset Cache** > **Ok**. Then, observe whether the status of the document changes to **Reclassified**, and then recheck the page info **classifications** tab. diff --git a/docs/kb/dataclassification/documents-are-crawled-successfully-with-no-text-extracted.md b/docs/kb/dataclassification/documents-are-crawled-successfully-with-no-text-extracted.md new file mode 100644 index 0000000000..471c77e247 --- /dev/null 
+++ b/docs/kb/dataclassification/documents-are-crawled-successfully-with-no-text-extracted.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Explains why Netwrix Data Classification crawls documents but extracts no text + and provides steps to diagnose extraction failures, enable backup extraction + methods, and identify common causes. +keywords: + - text extraction + - OCR + - iFilter + - Netwrix Data Classification + - crawling + - re-index + - Collect Date Time + - Page Info + - logging +products: + - data-classification +sidebar_label: Documents Are Crawled Successfully with No Text Ex +tags: [] +title: "Documents Are Crawled Successfully with No Text Ex" +knowledge_article_id: kA00g000000H9eHCAS +--- + +# Documents Are Crawled Successfully with No Text Ex + +## Question + +Why is Netwrix Data Classification (NDC) crawling your documents successfully, but no text has been extracted? + +## Answer + +Issues with text extraction can have a range of causes. You can find a summary of text extraction errors in the **Stats** dashboard. Click **Details** to view a breakdown by type of error. + +![thumbnail_image.png](images/ka0Qk000000309x_0EMQk000004P1LC.png) + +### Steps to Diagnose Text Extraction Failure + +1. Enable Collector and OCR tracing and ensure that the log level is set to `Errors, Warnings & Info`. +2. Find a document that has failed text extraction and re-index it. +3. Wait for the **Collect Date Time** to be updated. This can be viewed from the **Page Info** screen. +4. Review the event logs for a detailed error message about the document's collection. + +### Intermittent Issues and Backup Extraction Method + +If you experience intermittent issues extracting a particular document type, you can enable a backup extraction method through the **Content Type Extraction Methods** screen in **Settings > Text Processing**. For example, enabling iFilter as a backup extraction method for Office OLE files may assist with extracting text from problematic documents. 
+ +### Common Issues + +- Missing iFilter: If the content type is configured to use iFilters, make sure that the correct iFilter pack is installed on all servers that NDC is installed on. +- Password Protected Documents: Opening password-protected documents is not currently supported. +- Corrupt Files: Try opening the file manually to verify it. Microsoft Office documents can sometimes be recovered by opening and resaving the file. diff --git a/docs/kb/dataclassification/error-certificate-for-the-source-is-due-to-expire.md b/docs/kb/dataclassification/error-certificate-for-the-source-is-due-to-expire.md new file mode 100644 index 0000000000..1d942f3e4b --- /dev/null +++ b/docs/kb/dataclassification/error-certificate-for-the-source-is-due-to-expire.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Netwrix Data Classification notifies you when the certificate used to + authenticate a Microsoft 365-based source is about to expire. Follow the steps + to update the certificate and avoid interruption in monitoring. +keywords: + - certificate expiration + - Microsoft 365 + - source certificate + - Netwrix Data Classification + - renew certificate + - Azure AD app + - modern authentication + - crawling + - classification +products: + - data-classification +sidebar_label: 'Error: Certificate for the Source Is Due to Expire' +tags: [] +title: 'Error: Certificate for the Source Is Due to Expire' +knowledge_article_id: kA0Qk0000001RSnKAM +--- + +# Error: Certificate for the Source Is Due to Expire + +## Symptom + +Netwrix Data Classification (NDC) prompts the following error for your Microsoft 365-based source: + +```text +Problem Details: + +Problem Type: Source Certificate Expiring +Problem Severity: Error +Problem Source: %M365_source% +Problem Description + +The certificate for the source: %M365_source% is due to expire on %datestamp%. +Configure a new certificate and update the credentials to maintain connectivity. +Current Certificate Name: %certificate_name%. +``` + +## Cause + +The certificate used to authenticate to your Microsoft 365-based source is due to expire. This is a warning to allow you to renew the certificate before it expires and avoid any interruption in monitoring the source. + +## Resolution + +Update your certificate. Keep the existing certificate in place until you deploy the new certificate to all NDC servers and update the configuration to avoid any interruption in monitoring. Refer to the following steps for additional information: /docs/data-classification/5.7/ndc/configurationuration/configurationinfrastructure (Configure Microsoft Exchange for Crawling and Classification — Create Azure AD app for Modern Authentication · v5.7). 
+ +## Related Articles + +- Configure Microsoft Exchange for Crawling and Classification — Create Azure AD app for Modern Authentication · v5.7: /docs/data-classification/5.7/ndc/configurationuration/configurationinfrastructure diff --git a/docs/kb/dataclassification/error-end-encrypted-private-key-not-found.md b/docs/kb/dataclassification/error-end-encrypted-private-key-not-found.md new file mode 100644 index 0000000000..c96fa68ba3 --- /dev/null +++ b/docs/kb/dataclassification/error-end-encrypted-private-key-not-found.md 
@@ -0,0 +1,82 @@ +--- +description: >- + When adding box.com as a source in Netwrix Data Classification, you may + receive the "END ENCRYPTED PRIVATE KEY not found" error due to incorrect + private key formatting in the JSON file. This article explains the cause and + shows how to fix the key by replacing `\n` sequences with actual line breaks. +keywords: + - encrypted private key + - box.com + - JSON + - Netwrix Data Classification + - private key formatting + - END ENCRYPTED PRIVATE KEY + - error + - keypair +products: + - data-classification +sidebar_label: 'Error: END ENCRYPTED PRIVATE KEY Not Found' +tags: [] +title: 'Error: END ENCRYPTED PRIVATE KEY Not Found' +knowledge_article_id: kA00g000000PbcrCAC +--- + +# Error: END ENCRYPTED PRIVATE KEY Not Found + +## Symptom + +When you add box.com as a source in Netwrix Data Classification, you generate a public/private keypair for your app. When you fill in all of the required fields and click **Save**, you receive the following error: + +```text +System.Exception: Error validating source: +-----END ENCRYPTED PRIVATE KEY not found ---> +System.IO.IOException: +-----END ENCRYPTED PRIVATE KEY not found +``` + +## Cause + +The formatting of the private key in the JSON file is incorrect. Refer to the following example: + +![private key example](images/ka0Qk0000005chN_0EMQk000007eSHh.png) + +The private key contains multiple `\n` entries that represent line breaks. + +## Resolution + +Replace the `\n` entries with carriage returns symbols. 
Refer to the code block below for an example: + +```text +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI/iZkymGz+4ECAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECD4Y7asdVSJXBIIEyOcarDTHINB9 +qmPZrv3W966rOBD1Cxi9+CnfvDNazkJsKcFYz51OM585smhKqTNLcC0WVuCPLUfj +xODTlJ2gotlK41vtGQpTaPdJYNHhR5NzkxJ1o1WbYQNicOkXJaRyyXcAzQQIdnvH +JEZJlMRBSzcFmEzZNemhWRyFbnXO0oqU5UcqUxsSXXzea6s6wAcNKSEYRBwvaDAZ +yBRYPv6v5Zw/jx3V6lAgylWMDUexPxy+gVoHv3hrtUfPMo+vxBC1UTE/XLaEtFPY +FxjPuR7+SoQ1uu4sBBWTSYwGRxlFktap58pOyeC8PL4jTP7q5Zpb8A+MtUD46jw0 +PFrFd2Pn+f5X6qoERfjkDNSPIk823Hb85MgjF87hqr8RTZlsRekwqIMtLIUutPIk +QbEscKp8zJ2/nsHr5XxrDv2jLmWlxdpTC4uj4vh1aiNUWMXvJBfMRWDZq4TVjo9G +9vIldfYjDdRTrKVuQK141EKiY6TKljMURVhRmkgdTtN8fN1gz6GWiDKG8jU8PFDj +uvFYqMdtKPgn06sxHvUCkKM93BKvvk9ASrnUEW2EhohHxFJS1xbzqWw8bPhvQz7J +DUMJw5mLU8hZWlOclh/xEG0pYM6QogmYGTbnqUHsbX4UF9vpzpJIx/ESF25T5kTK +S2BzDOksd6ZPELLksavJSLDevM1fK5iFWR8CBGP+o5MRBOhaNBR0wkIFE+K+uCim +N9IcvTLGWNeS6iNO6pnaRajt2GjCXU/gjMMkKeZ3ZFpUGHGzLwCWDCX3VCMWBndq +GhdbNlD5RXIA+DakIdXTKyZ4Ecm9unH8DfRcwgzaWByzyIEwhHPU/Kf7vSdRLVVi +4+GT+LH3XTZplWYFy2RhhgFci/vpDWINHl5bckzhrrtQp0Khak4+tkQkM1l/Cta3 +BFNoJCBqTLKies7AMqtgWvG0oc/RCWvQsEhKSJmVKzmO227NKBA7ZOmlTs8g5lx7 +/soEwm0HtFYWkzNBbaMT7U21LfSwGZ7afU3stj898eVh0xEA+IpH/WuaMpHtkdI4 +yAEJegf+VyZUfNHKo3sztvx8wmhSyrcfhludcVT26VH63LkhPfFd8Cvzs9903IH0 +S0cr9Nk6KACTpDbZpiQ8zgktKBau5nCwd7voa9UBaEMXXF/j50oWhMubrHEmlbmY +7ZkhjNv+1qKfCh0u5L/LF6s5qgAV9ooODCpr8fA5Jf1bOlJ8+8KwcXKeUyZVi1r/ +NWdAwifNUdLlr7nngwjP2uVe6mE5BoQL/Vr9pugKthcxcCMcZje4Sb1OWvdu8fve +fVSlXjer4+HTa1h8zT/QOywrQf00Pqm4CmM5baGdVwP7eVeG7kpAvATxhOOLSj0/ +Df2e6ybPusoDB4/NPg2x4Q5zK9JLHU8ZAMcE3N9FkZVP5c8FgSpJwJ3HGJ7shTwL +HR0gU4Bzob9AIK+EHARfL+JlR/l1qWPNur7JV69SJm2Vt09ixCTejLJEHqrOBp1B +RDKV0PyZWLKmKe4fMFrJX+ktsEWlRcvIqQ0yW2aN2sdYER+HiFv+NDIyERF8lXT3 +YKQfIMQfYsS7WbqzbDnK3KQnrc7v7zRH3efohP4xpJUzJv6mAxhZruAkpCRDVrwZ +Vqpu4Jo+HuQbz9moqbhWCQ== +-----END ENCRYPTED PRIVATE KEY----- +``` + + 
diff --git a/docs/kb/dataclassification/error-failed-to-load-classifier-data-cache.md b/docs/kb/dataclassification/error-failed-to-load-classifier-data-cache.md new file mode 100644 index 0000000000..cfc23cc290 --- /dev/null +++ b/docs/kb/dataclassification/error-failed-to-load-classifier-data-cache.md @@ -0,0 +1,39 @@ +--- +description: >- + Describes how to resolve the "Failed-to-load-Classifier-data-cache" error in + Netwrix Data Classification caused by a failed connection to a SharePoint + termset. +keywords: + - classifier + - cache + - SharePoint + - termset + - GlobalSettings + - Taxonomies + - Netwrix Data Classification + - Classifier Service + - credentials +products: + - data-classification +sidebar_label: 'Error: "Failed to load Classifier data cache"' +tags: [] +title: 'Error: "Failed to load Classifier data cache"' +knowledge_article_id: kA04u000000XmHACA0 +--- + +# Error: "Failed to load Classifier data cache" + +## Scenario + +The Netwrix Data Classification: Service Viewer displays the following error message for the Classifier Service: + +`Failed-to-load-Classifier-data-cache` + +![User-added image](images/ka04u000000HdG2_0EM4u000001rDFG.png) + +## Solution + +1. Open `http://hostname/conceptQS/Taxonomies/GlobalSettings`. +2. Confirm the status of each taxonomy. This error will be caused by a failed connection to a SharePoint termset. +3. Find the faulting termset and update the credentials and/or confirm account permissions for that termset. +4. Restart the classifier service. After restarting, the service should immediately begin processing documents pending classifications. diff --git a/docs/kb/dataclassification/error-unable-to-decrypt-encryption-key.md b/docs/kb/dataclassification/error-unable-to-decrypt-encryption-key.md new file mode 100644 index 0000000000..ce3a715a8e --- /dev/null +++ b/docs/kb/dataclassification/error-unable-to-decrypt-encryption-key.md 
@@ -0,0 +1,51 @@ +--- +description: >- + When Netwrix Data Classification displays "Unable to decrypt encryption key" + in the browser or Service Viewer, follow these checks to ensure the same + service account runs services across DQS servers or to correct DPAPI + configuration by upgrading to a fixed version. +keywords: + - data classification + - encryption key + - DPAPI + - DQS + - Netwrix Data Classification + - upgrade + - error + - decrypt +products: + - data-classification +sidebar_label: 'Error: Unable to Decrypt Encryption Key' +tags: [] +title: 'Error: Unable to Decrypt Encryption Key' +knowledge_article_id: kA04u00000110liCAA +--- + +# Error: Unable to Decrypt Encryption Key + +## Symptom + +Netwrix Data Classification (NDC) prompts the following error in the browser and NDC Service Viewer: + +```text +Unable to decrypt encryption key +``` + +## Causes + +One of the following causes is present in your environment: + +1. In a DQS environment, different service accounts run the NDC services in different DQS servers. +2. In a Netwrix Data Classification v5.7.0.58 environment, the Data Protection Application Programming Interface (DPAPI) used to share encryption keys between the application servers is misconfigured. Learn more about DPAPI in How to: Use Data Protection · Microsoft 🤝: https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection + +## Resolutions + +Refer to the corresponding resolution steps: + +1. In a DQS environment, verify that the same service account runs the Netwrix Data Classification services on all DQS servers. +2. Netwrix Data Classification v5.7.1.20 and later versions introduced a check to verify the correct setup of the DPAPI-related registry key. Upgrade your Netwrix Data Classification instance to v5.7.1.20 or later to resolve the issue. 
Download the new Netwrix Data Classification version in My Products · Netwrix: https://www.netwrix.com/my_products.html + +## Related Articles + +- How to: Use Data Protection · Microsoft 🤝: https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection +- My Products · Netwrix: https://www.netwrix.com/my_products.html diff --git a/docs/kb/dataclassification/export-not-available-for-dsar-searches.md b/docs/kb/dataclassification/export-not-available-for-dsar-searches.md new file mode 100644 index 0000000000..905413ee35 --- /dev/null +++ b/docs/kb/dataclassification/export-not-available-for-dsar-searches.md @@ -0,0 +1,39 @@ +--- +description: >- + If the Export button for a completed DSAR search is greyed out, specify an + output location in the DSAR settings to enable export. This article shows + where to configure the output location in Netwrix Data Classification. +keywords: + - DSAR + - export + - output location + - Data Analysis + - DSAR settings + - Netwrix Data Classification + - export greyed out +products: + - data-classification +sidebar_label: Export Not Available for DSAR Searches +tags: [] +title: "Export Not Available for DSAR Searches" +knowledge_article_id: kA04u00000110u6CAA +--- + +# Export Not Available for DSAR Searches + +## Symptom + +After you complete a DSAR search, the **Export** button is greyed out. + +## Cause + +Exporting DSAR reports requires that you specify an output location. + +## Answer + +1. In the administrative web console of **Netwrix Data Classification**, navigate to **Data Analysis** > **DSAR**. +2. On the **Settings** tab, specify the output location in the corresponding field. + +Refer to the following article for additional information on DSAR settings: DSAR Settings. + +![DSAR Settings screenshot](images/ka04u000001170U_0EM4u000008LceH.png) 
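Review bot: In "Error: Unable to Decrypt Encryption Key", resolution 2 says v5.7.1.20 "introduced a check to verify the correct setup of the DPAPI-related registry key" but never names the key or says what the administrator should do when that check fails, so cause 2 has no actionable fix beyond upgrading; either add that or state plainly that the upgrade corrects the setting. The link labels also carry a stray 🤝 emoji and are written as label, colon, URL rather than as markdown links.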
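Review bot: In "Export Not Available for DSAR Searches", the Answer closes with "Refer to the following article for additional information on DSAR settings: DSAR Settings." and no link target, so the reference goes nowhere; link the article or drop the sentence.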
diff --git a/docs/kb/dataclassification/export-term-sets-to-an-xml-file-using-concepttermstoremanager.md b/docs/kb/dataclassification/export-term-sets-to-an-xml-file-using-concepttermstoremanager.md new file mode 100644 index 0000000000..4a9858c356 --- /dev/null +++ b/docs/kb/dataclassification/export-term-sets-to-an-xml-file-using-concepttermstoremanager.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Shows how to export a SharePoint term set structure to an XML file using the + conceptTermStoreManager utility. The resulting XML contains the entire term + set structure and custom properties in the proprietary conceptSearching XML + format. +keywords: + - term sets + - conceptTermStoreManager + - conceptSearching + - XML export + - term store + - SharePoint + - taxonomy + - conceptQS + - export term sets +products: + - data-classification +sidebar_label: Export Term Sets to an XML File using conceptTermS +tags: [] +title: "Export Term Sets to an XML File using conceptTermStoreManager" +knowledge_article_id: kA04u000000XmGCCA0 +--- + +# Export Term Sets to an XML File using conceptTermStoreManager + +Export a term set structure to an XML file via the conceptTermStoreManager using the steps listed in this article. + +## Steps + +1. Navigate to `C:\inetpub\wwwroot\conceptQS\bin\conceptTermStoreManager.exe` +2. Run the `conceptTermStoreManager.exe` and observe the following screen: + + ![User-added image](images/ka04u000000HdFy_0EM4u000001rAT5.png) + +3. Click the **Export** box to export a term set structure to an XML file. +4. On the **Export Term Sets** page, enter the details of the site collection where the Term Store can be accessed using the credentials supplied. + + ![User-added image](images/ka04u000000HdFy_0EM4u000001rAV6.png) + +5. Click **Next**. +6. Select the term sets you wish to export by using the checkboxes on the right-hand side. + + ![User-added image](images/ka04u000000HdFy_0EM4u000001rAVB.png) + +7. Click either the **Selected** button to export the checked items or the **All** button to export all term sets found in the term store. +8. Name and save the XML file when the **Save As** window appears. + +The resulting XML file will contain the entire Term Set structure, including all custom properties, in the proprietary conceptSearching XML format. 
This file can be used to load the term set into another term store using the Import facility. diff --git a/docs/kb/dataclassification/how-to-apply-netwrix-data-classification-license.md b/docs/kb/dataclassification/how-to-apply-netwrix-data-classification-license.md new file mode 100644 index 0000000000..d49bf70d5f --- /dev/null +++ b/docs/kb/dataclassification/how-to-apply-netwrix-data-classification-license.md @@ -0,0 +1,47 @@ +--- +description: >- + Apply your Netwrix Data Classification license by uploading the license file + in the web interface. You need a Netwrix Data Classification account with a + Superuser role to complete the process. +keywords: + - Netwrix Data Classification + - license + - apply license + - NDC + - Superuser + - licensing + - upload license + - license file + - Settings + - Config +products: + - data-classification +sidebar_label: How to Apply Netwrix Data Classification License +tags: [] +title: "How to Apply Netwrix Data Classification License" +knowledge_article_id: kA04u0000000GtoCAE +--- + +# How to Apply Netwrix Data Classification License + +## Before you start + +- You must have a Netwrix Data Classification account with a Superuser role. + +## Instructions + +### Step 1. Obtain a license + +- Check an email from our licensing team or contact our licensing team by emailing licensing@netwrix.com. + +### Step 2. Apply the license + +1. Open the Netwrix Data Classification web interface. +2. Go to **Settings** > **Config** > **Licensing** (right pane). +3. Click **Add license** and upload the license file. + +## Related articles + +- Read about role types and how to apply a role in the DSAR Roles article: /docs/data-classification/5.7/ndc/admin-guide/dsar +- NDC Licensing ⸱ v5.6.2: /docs/data-classification/5.6.2/ndc/configurationuration +- NDC Licensing ⸱ v5.7: /docs/data-classification/5.7/ndc/configurationuration 
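Review bot: In "How to Apply Netwrix Data Classification License", both NDC Licensing links under Related articles end in `/ndc/configurationuration`, which looks like a search-and-replace applied twice to the same path segment; verify that the targets resolve and fix the segment. Step 1's "Check an email from our licensing team" should also read as an instruction, for example "Check your inbox for an email from our licensing team".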
diff --git a/docs/kb/dataclassification/how-to-back-up-the-ndc-index.md b/docs/kb/dataclassification/how-to-back-up-the-ndc-index.md new file mode 100644 index 0000000000..c43f8588a3 --- /dev/null +++ b/docs/kb/dataclassification/how-to-back-up-the-ndc-index.md 
@@ -0,0 +1,63 @@ +--- +description: >- + This article describes how to back up the Netwrix Data Classification index + (NDC) to provide a recovery point in case of index corruption and minimize + downtime. +keywords: + - NDC + - Netwrix Data Classification + - index backup + - CSE + - ConceptDB + - Indexer + - Collector + - Classifier + - SQL + - index corruption +products: + - data-classification +sidebar_label: How to back up the Netwrix Data Classification index +tags: [] +title: "How to back up the Netwrix Data Classification index" +knowledge_article_id: kA04u000000PcvZCAS +--- + +# How to back up the Netwrix Data Classification index + +This article details steps to back up the Netwrix Data Classification (NDC) index. You should back up the index to provide a safety net in case of index corruption. Maintaining a proper NDC index reduces the time lost if an index becomes corrupted. + +## What causes index corruption? + +Corruption within the index occurs when one of two situations happens: + +1. The Indexer process is terminated without being allowed to stop gracefully, for example by a power interruption or by using the “End Task” option in Task Manager. +2. The Indexer is prevented from editing the files by another utility (ransomware protection, anti-virus, etc.) during that same window, or the utility modifies those files itself. + +## How to prevent the index from corrupting? + +You can reduce the risk of index corruption by doing the following: + +1. Ensure that automatic restarts are disabled on the server. +2. Ensure that the CSE files are excluded from any running anti-virus. (Default CSE location: `C:\Program Files\ConceptSearching\ConceptDB\`) +3. Educate users of the Netwrix Data Classification product to avoid manually stopping the Indexer process. + +## My index has corrupted — can I perform a root cause analysis? + +Yes. Logs are generally the best method for root cause analysis, though it may be difficult if considerable time has passed. 
One option is to review the following SQL data: + +```sql +SELECT * FROM ApplicationLog WHERE Operation = 1 AND ModuleID = 2 ORDER BY LogDateTime DESC +``` + +If the service was improperly shut down, you would expect to see a **Started** entry without a corresponding **Shutdown** entry. + +## How to back up the index? + +Follow these steps to back up the index: + +1. Stop all services: **Collector**, **Indexer**, **Classifier**. If you are using a DQS (clustered NDC), stop all three services on each server in the cluster. +2. Take a backup of the CSE file folder on each server. (Default CSE location: `C:\Program Files\ConceptSearching\ConceptDB\`) +3. Take a backup of the SQL database. It is very important that the SQL database is in sync with the CSE files — stop the services first to ensure consistency. +4. Start all services. + +For best results, perform these steps weekly to ensure minimal data loss in the event of index corruption. diff --git a/docs/kb/dataclassification/how-to-change-the-default-iis-port-for-netwrix-data-classification-web-console.md b/docs/kb/dataclassification/how-to-change-the-default-iis-port-for-netwrix-data-classification-web-console.md new file mode 100644 index 0000000000..f744234574 --- /dev/null +++ b/docs/kb/dataclassification/how-to-change-the-default-iis-port-for-netwrix-data-classification-web-console.md 
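Review bot: In how-to-back-up-the-ndc-index.md, prevention item 2 tells readers to exclude the CSE files from "any running anti-virus" and item 1 to disable automatic restarts, both without any scoping; word them narrowly (exclude only the ConceptDB folder given as the default CSE location, and schedule restarts after a graceful service stop) so the article does not read as advice to switch protections off. In the intro, "Maintaining a proper NDC index reduces the time lost" presumably means maintaining a proper index backup.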
@@ -0,0 +1,43 @@ +--- +description: >- + Shows how to change the default IIS port used by the Netwrix Data + Classification Web Console by editing site bindings in IIS Manager. +keywords: + - Netwrix Data Classification + - IIS + - port + - site bindings + - web console + - IIS Manager + - binding + - port 80 + - change port +products: + - data-classification +sidebar_label: How to Change the Default IIS Port for Netwrix Dat +tags: [] +title: >- + How to Change the Default IIS Port for Netwrix Data Classification Web + Console? +knowledge_article_id: kA0Qk0000000MzpKAE +--- + +# How to Change the Default IIS Port for Netwrix Data Classification Web Console? + +## Question + +How to change the port 80 that comes with a default Netwrix Data Classification installation? + +## Answer + +The default IIS configuration of the Netwrix Data Classification is typically performed on the **Administration Web Application** step of the installation procedure. Learn more in Deployment — Install Netwrix Data Classification — v5.7 + +Follow the steps below to change the default IIS port for the web console: + +1. Start the **IIS Manager**: navigate to **Control Panel** **Administrative Tools** > **Internet Information Services (IIS) Manager**. +2. In the **Connections** menu on the left, expand **Sites** > **Default Website**. +3. Click the **Bindings** link under **Actions**. +4. In the **Site Binding** window, click **Edit**. +5. Modify the binding port, for example, `403`. + +The new port is now set. diff --git a/docs/kb/dataclassification/how-to-configure-granular-permissions-for-a-service-account.md b/docs/kb/dataclassification/how-to-configure-granular-permissions-for-a-service-account.md new file mode 100644 index 0000000000..f2e22713c4 --- /dev/null +++ b/docs/kb/dataclassification/how-to-configure-granular-permissions-for-a-service-account.md 
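Review bot: In how-to-change-the-default-iis-port-for-netwrix-data-classification-web-console.md, step 5's example port `403` is easy to misread as the HTTP 403 status code; pick an unambiguous example and say that the console URL must then include the new port. Step 1 is missing the `>` separator between **Control Panel** and **Administrative Tools**, and "Learn more in Deployment — Install Netwrix Data Classification — v5.7" has no link target.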
@@ -0,0 +1,47 @@ +--- +description: >- + Explains how to configure granular permissions for a service account so you + can implement the Principle of Least Privilege and avoid granting local + administrator rights when deploying Netwrix Data Classification. +keywords: + - Netwrix Data Classification + - service account + - granular permissions + - NTFS + - SQL Server + - Logon as a service + - Principle of Least Privilege + - index files +products: + - data-classification +sidebar_label: How to Configure Granular Permissions for a Servic +tags: [] +title: "How to Configure Granular Permissions for a Service Account" +knowledge_article_id: kA04u00000110j3CAA +--- + +# How to Configure Granular Permissions for a Service Account + +## Overview + +Granular permissions are needed to reduce the number of accounts with unnecessary administrative rights when implementing the Principle of Least Privilege (POLP). Using granular permissions, you can avoid granting local admin rights to the Netwrix Data Classification Service Account. + +## Instructions + +To configure granular permissions for a Service Account: + +1. Check if your Service Account has the following permissions: + - Permissions to run the Windows Services and IIS Application pool + - SQL Server DBO permissions to the Netwrix Data Classification SQL database (if using Windows Authentication to access SQL Server) + - The Logon as a service privilege + + Read more in the Accounts and Required Permissions article. + +2. Add Read permissions to the folder where Netwrix Data Classification is installed (NTFS Permissions). + +3. Add Write permissions to the index files' location (NTFS Permissions). 
+ The index files' location can be looked up in `conceptConfig.exe` in `C:\inetpub\wwwroot\NDC\bin`: + + ![index_files_location.png](images/ka0Qk0000005NaH_0EM4u000008LGlJ.png) + +> **TIP:** In some instances, the Netwrix Data Classification Service Viewer Utility won't work correctly if the service account is not a member of the Local Administrators group on the Netwrix Data Classification server. In this case, you should use the **Service Viewer** built into the web UI. diff --git a/docs/kb/dataclassification/how-to-configure-stopwords.md b/docs/kb/dataclassification/how-to-configure-stopwords.md new file mode 100644 index 0000000000..6edddfcdfe --- /dev/null +++ b/docs/kb/dataclassification/how-to-configure-stopwords.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Describes how to configure stopwords used by Netwrix Data Classification and + explains the two stoplist tables in the NDC SQL Database. +keywords: + - stopwords + - stoplists + - StoplistsExpand + - NDC SQL Database + - Netwrix Data Classification + - indexing + - diacritics + - SQL editor + - Query Analyser +products: + - data-classification +sidebar_label: How to configure stopwords +tags: [] +title: "How to configure stopwords" +knowledge_article_id: kA04u000000Pd4WCAS +--- + +# How to configure stopwords + +Netwrix Data Classification provides a pair of stoplists for each of the supported languages. + +These stoplists are contained in two tables in the NDC SQL Database: + +- Stoplists +- StoplistsExpand + +The first table contains a list of very common words (such as: “and”, “it” and “the” in English) that contribute very little to the searching process. These words are completely removed from the index reducing its size significantly. + +The second table contains fewer common words that need to be included in the index but is excluded from compound (i.e. multi-word) terms. This list typically includes common prepositions, conjunctions, and adverbs for each of the supported languages. + +The stoplists may be edited to suit particular application requirements with words being added or removed from either list. In general, a word removed from the Stoplist table should be moved into the StoplistExpand table. + +Note that all terms in these tables have a field that associates them with a particular language. Also, all stopwords should be entered with appropriate diacritics since all stopword processing is based on the extended ASCII character set. + +Currently, entries in the Stoplists tables must be managed directly using an appropriate SQL editor such as Microsoft’s Query Analyser. A future version of Netwrix Data Classification will provide a graphical front-end utility to manage all system configuration settings. 
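Review bot: In "How to configure stopwords", the tables are listed as Stoplists and StoplistsExpand, but the editing paragraph calls them "the Stoplist table" and "the StoplistExpand table"; readers edit these tables by name in SQL, so use the exact table names throughout. The sentence "The second table contains fewer common words that need to be included in the index but is excluded from compound ... terms" should read "less common words ... but are excluded".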
diff --git a/docs/kb/dataclassification/how-to-crawl-a-website-that-does-not-require-credentials.md b/docs/kb/dataclassification/how-to-crawl-a-website-that-does-not-require-credentials.md new file mode 100644 index 0000000000..5753ed7991 --- /dev/null +++ b/docs/kb/dataclassification/how-to-crawl-a-website-that-does-not-require-credentials.md 
@@ -0,0 +1,87 @@ +--- +description: >- + Describes how to resolve a 403 Forbidden error when crawling a website that + does not require credentials by setting a custom User-Agent in Netwrix Data + Classification. +keywords: + - Netwrix Data Classification + - crawler + - 403 Forbidden + - User-Agent + - Collector Using Agent + - collector + - web scanning + - site crawl +products: + - data-classification +sidebar_label: How to Crawl a Website That Does Not Require Crede +tags: [] +title: "How to Crawl a Website That Does Not Require Crede?" +knowledge_article_id: kA04u000000wnoVCAQ +--- + +# How to Crawl a Website That Does Not Require Crede? + +## Question + +When trying to scan a website that does not require credentials to access it, the following error appears: + +```text +Version: 5.7.0.58 + +Instance: abandc-test + +Component: Collector Service + +Level: Error + +Page ID: 443213 + +CollectorEnumerator.CollectPage + +Page Collection Exception + +Exception: Location: CollectorEnumerator.CollectPage + +A Web Exception 'Forbidden occured during processing -> The remote server returned an error: (403) Forbidden. + +Details: Error: AccessDeniedError (-403) + +Page Id: 443213 + +conceptCore.PageCollectionException: Location: CollectorEnumerator.CollectPage + +A Web Exception 'Forbidden occured during processing ---> System.Net.WebException: The remote server returned an error: (403) Forbidden. + + at System.Net.HttpWebRequest.GetResponse() + + at conceptHttp.Collection.HttpPageCollector.Get(Boolean forceCollect, Boolean& changedSinceLastCollection) + + at conceptEngine.ServiceFramework.Collection.CollectorEnumerator._() + + --- End of inner exception stack trace --- + + +Inner Exception: System.Net.WebException: The remote server returned an error: (403) Forbidden. 
+ + at System.Net.HttpWebRequest.GetResponse() + + at conceptHttp.Collection.HttpPageCollector.Get(Boolean forceCollect, Boolean& changedSinceLastCollection) + + at conceptEngine.ServiceFramework.Collection.CollectorEnumerator._() +``` + +How to past this error when the site doesn't require any credentials? + +## Answer + +This error is gone after adding a specific line in the **Collector Using Agent** field. For that: + +1. In **Netwrix Data Classification**, navigate to **Config** -> **Collector** -> **Advanced**. +2. Add the following line in the **Collector Using Agent** field: + +```text +Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Sa +``` + +![User-added image](images/ka0Qk000000DiGA_0EM4u000008pbhE.png) diff --git a/docs/kb/dataclassification/how-to-export-event-logs.md b/docs/kb/dataclassification/how-to-export-event-logs.md new file mode 100644 index 0000000000..a253d071da --- /dev/null +++ b/docs/kb/dataclassification/how-to-export-event-logs.md 
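Review bot: In how-to-crawl-a-website-that-does-not-require-credentials.md, the User-Agent value in step 2 stops at "Chrome/119.0.0.0 Sa" and the `title` and H1 stop at "Crede?", so both look cut off at a length limit; restore the full strings, since readers will paste the User-Agent exactly as written. The field is called **Collector Using Agent** here while the description talks about setting a custom User-Agent, so confirm the UI label. "How to past this error" should be "How to get past this error".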
@@ -0,0 +1,39 @@ +--- +description: >- + Steps to export Netwrix Data Classification event logs from Windows Event + Viewer so you can collect and share logs for troubleshooting. +keywords: + - Netwrix Data Classification + - event logs + - export + - Event Viewer + - NDC + - conceptSearching + - Save All Events As +products: + - data-classification +visibility: public +sidebar_label: How to Export Event Logs +tags: [] +title: "How to Export Event Logs" +knowledge_article_id: kA00g000000H9eECAS +--- + +# How to Export Event Logs + +## Question + +How To Export the Netwrix Data Classification Event Logs? + +## Answer + +1. Open **Event Viewer** (`eventvwr.msc`) on each of the affected server(s) (Run → `eventvwr.msc`). +2. Expand **Applications and Services Logs.** +3. Depending on a product version: + - For Netwrix Data Classification v5.7: Right-click the log named **NDC.** + - For Netwrix Data Classification older versions: Right-click the log named **conceptSearching.** +4. Select **Save All Events As.** +5. Enter a file name that includes the log type and the server it was exported from. + + For example, when exporting the Application event log from server named `SRV01`, enter `Application_SRV01`. +6. In **Save as type**, select **Event Files.** diff --git a/docs/kb/dataclassification/how-to-manually-uninstall-netwrix-data-classification.md b/docs/kb/dataclassification/how-to-manually-uninstall-netwrix-data-classification.md new file mode 100644 index 0000000000..c27d5d0166 --- /dev/null +++ b/docs/kb/dataclassification/how-to-manually-uninstall-netwrix-data-classification.md 
@@ -0,0 +1,44 @@ +--- +description: >- + This article describes how to manually uninstall Netwrix Data Classification + by removing the SQL database, uninstalling Windows services, and deleting + installation and index folders. +keywords: + - uninstall + - Netwrix Data Classification + - ConceptSearching + - InstallUtil + - SQL Server Management Studio + - services + - index + - '*.cse' + - SETUP +products: + - data-classification +sidebar_label: How to Manually Uninstall Netwrix Data Classificat +tags: [] +title: "How to Manually Uninstall Netwrix Data Classification" +knowledge_article_id: kA04u000000XmISCA0 +--- + +# How to Manually Uninstall Netwrix Data Classification + +## Overview + +To manually uninstall Netwrix Data Classification, follow the instructions below. + +## Instructions + +1. Delete the **SQL database** using SQL Server Management Studio. +2. Uninstall the three Windows services by issuing these commands from the command prompt: + +```text +C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil /u "C:\Program Files\ConceptSearching\Services\conceptCollectorService\conceptCollectorService.exe"" +C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil /u "C:\Program Files\ConceptSearching\Services\conceptIndexer\conceptIndexerService.exe" +C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil /u "C:\Program Files\ConceptSearching\Services\conceptIndexer\conceptClassifierService.exe" +``` + +> **NOTE:** You may need to adjust these commands to reflect the locations of your `Windows Folder`, the `version(s) of Microsoft.NET Runtime` installed, and the location of your `conceptSearching installation`. + +3. Delete the folder at `C:\Program Files\ConceptSearching`. +4. Delete the folder that contains the `conceptSearching index` ("*.cse") files. **Note** that this is included in the above folder location by default, but can be changed from within the SETUP utility. 
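Review bot: In the first InstallUtil command of step 2 the quoted path ends with two closing quotes (`conceptCollectorService.exe""`), which will break the command when pasted; drop the extra quote. The third command points at `Services\conceptIndexer\conceptClassifierService.exe`, so please confirm the Classifier service really is installed under the conceptIndexer folder rather than a folder of its own.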
diff --git a/docs/kb/dataclassification/how-to-migrate-netwrix-data-classification-to-another-server.md b/docs/kb/dataclassification/how-to-migrate-netwrix-data-classification-to-another-server.md new file mode 100644 index 0000000000..d8dc8e7e7a --- /dev/null +++ b/docs/kb/dataclassification/how-to-migrate-netwrix-data-classification-to-another-server.md 
@@ -0,0 +1,54 @@ +--- +description: >- + Explains how to change or replace the server hosting Netwrix Data + Classification, including stopping services, backing up the database and index + files, reinstalling the same version, and restoring services. +keywords: + - Netwrix Data Classification + - migration + - server replacement + - backup + - index files + - ConceptSearching + - Service Viewer + - SQL + - installation +products: + - data-classification +sidebar_label: How to Migrate Netwrix Data Classification to Anot +tags: [] +title: "How to Migrate Netwrix Data Classification to Another Server" +knowledge_article_id: kA04u0000000HMMCA2 +--- + +# How to Migrate Netwrix Data Classification to Another Server + +## Overview + +This article describes how to change or replace the server on which Netwrix Data Classification (NDC) is running. + +## Instructions + +1. Stop/disable **all NDC services** on the application server (**conceptClassifier, conceptIndexer, conceptCollector**). + + ![User-added image](images/ka0Qk0000007H0v_0EM4u000002Qwyh.png) + + > **NOTE:** You can also disable the NDC services using the **Service Viewer** located at: `C:\Program Files\ConceptSearching\ServiceViewer` (by default). + +2. Back up the **NDC database** and the files in the **NDC Index** at `C:\Program Files\ConceptSearching\ConceptDB` (by default). + +3. Prior to installation, ensure that the necessary software [pre-requisites](/docs/dataclassification/) are in place. + +4. Install the same version of NDC on the new server, pointing to the original database location with the same service account. The installer should detect an existing NDC schema. (You may refer to Install Netwrix Data Classification for instructions on NDC installation.) + + > **NOTE:** The account being used for the installation of NDC should ideally be the same service account used to connect with the SQL database, and this account will need local admin rights on the new server. + +5. 
During the install, ensure that the box to stop services on application start is **checked**. + +6. Copy the **backed-up Index files** from the old server to the new server's index location (`C:\Program Files\ConceptSearching\ConceptDB` by default). + +7. Start **all services** on the new server, and collection should resume as normal. The **conceptCollector/Indexer/Classifier** services should stay disabled on the **old server** to prevent re-connecting to the database. NDC can be uninstalled once the migration is successful. + +## Related Articles + +- Install Netwrix Data Classification diff --git a/docs/kb/dataclassification/how-to-migrate-the-netwrix-data-classification-database.md b/docs/kb/dataclassification/how-to-migrate-the-netwrix-data-classification-database.md new file mode 100644 index 0000000000..eac05700f5 --- /dev/null +++ b/docs/kb/dataclassification/how-to-migrate-the-netwrix-data-classification-database.md 
@@ -0,0 +1,81 @@ +--- +description: >- + Explains how to migrate the Netwrix Data Classification database to a target + SQL Server, including stopping and starting services, backing up and restoring + the database, and updating configuration. +keywords: + - Netwrix Data Classification + - database migration + - SQL Server + - backup + - restore + - conceptConfig.exe + - Service Viewer + - DQS + - database backup + - migration +products: + - data-classification +sidebar_label: How to Migrate the Netwrix Data Classification Dat +tags: [] +title: "How to Migrate the Netwrix Data Classification Database" +knowledge_article_id: kA04u0000000H6nCAE +--- + +# How to Migrate the Netwrix Data Classification Database + +## Question + +How can you migrate the Netwrix Data Classification database? + +## Answer + +> **NOTE:** In Netwrix Data Classification version 5.6 and earlier, refer to the following paths: +> +> ```text +> C:\Program Files\ConceptSearching\Services\ConceptCollectorService\conceptConfig.exe +> C:\inetpub\wwwroot\conceptQS\bin\conceptConfig.exe +> C:\Program Files\ConceptSearching\Services\conceptIndexer\conceptConfig.exe +> C:\inetpub\wwwroot\conceptQS\bin\conceptConfig.exe +> ``` + +Follow these steps to migrate the Netwrix Data Classification database: + +1. Open the **Service Viewer** and stop all three Netwrix Data Classification services. The default path is: + + ```text + C:\Program Files\Netwrix\Data Classification\ServiceViewer + ``` + + > **NOTE:** In a DQS environment, stop the Netwrix Data Classification services on all Netwrix Data Classification servers. + +2. Perform a full Netwrix Data Classification database backup. For details about the backup process, see: [Create a Full Database Backup ⸱ Microsoft](https://learn.microsoft.com/en-us/sql/relational-databases/backup-restore/create-a-full-database-backup-sql-server?view=sql-server-ver16#SSMSProcedure). + +3. 
Restore the Netwrix Data Classification database file from the device to the target SQL Server. For more information, see: [Restore a Database Backup Using SSMS ⸱ Microsoft](https://learn.microsoft.com/en-us/sql/relational-databases/backup-restore/restore-a-database-backup-using-ssms?view=sql-server-ver16#a-restore-a-full-database-backup). + +4. Go to the following folder to update the Netwrix Data Classification configuration: + + ```text + C:\inetpub\wwwroot\NDC\bin\conceptConfig.exe + ``` + + Review the server name and the credentials of the database account. The database name should remain the same unless you changed it during the migration process. + + > **NOTE:** In a DQS environment, apply the changes on each Netwrix Data Classification server in the DQS cluster. + + > **IMPORTANT:** If you are using the Windows Authentication method, verify that the user has the `db_owner` role assigned in the Netwrix Data Classification database. Alternatively, run `conceptConfig.exe` using the service account. + + ![conceptConfig.exe configuration window with database server and credentials fields visible](images/ka0Qk0000005157_0EMQk000006Wq6T.png) + +5. Open the **Service Viewer** and start all three Netwrix Data Classification services. The default path is: + + ```text + C:\Program Files\Netwrix\Data Classification\ServiceViewer + ``` + + > **NOTE:** In a DQS environment, start the Netwrix Data Classification services on all Netwrix Data Classification servers. + +## Related Articles + +- [Create a Full Database Backup ⸱ Microsoft](https://learn.microsoft.com/en-us/sql/relational-databases/backup-restore/create-a-full-database-backup-sql-server?view=sql-server-ver16#SSMSProcedure) +- [Restore a Database Backup Using SSMS ⸱ Microsoft](https://learn.microsoft.com/en-us/sql/relational-databases/backup-restore/restore-a-database-backup-using-ssms?view=sql-server-ver16#a-restore-a-full-database-backup) 
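Review bot: In the opening NOTE for version 5.6 and earlier, `C:\inetpub\wwwroot\conceptQS\bin\conceptConfig.exe` appears twice in the four-line path block; remove the duplicate or replace it with the path that was meant. Step 4 says "Go to the following folder" but the block shows the `conceptConfig.exe` executable, so say "Run" instead. In the IMPORTANT callout, name the account that needs `db_owner`, since "the user" is ambiguous next to the mention of the service account.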
diff --git a/docs/kb/dataclassification/how-to-move-indexed-files.md b/docs/kb/dataclassification/how-to-move-indexed-files.md new file mode 100644 index 0000000000..f6833ea8fa --- /dev/null +++ b/docs/kb/dataclassification/how-to-move-indexed-files.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Shows how to move indexed files (CSE files) used by Netwrix Data + Classification from one drive to another, including stopping services, copying + files, updating configuration, and restarting services. +keywords: + - Netwrix Data Classification + - CSE files + - ConceptDB + - conceptConfig.exe + - conceptServiceViewer.exe + - indexed files + - ConceptCollectorService + - conceptIndexer +products: + - data-classification +sidebar_label: How to Move Indexed Files +tags: [] +title: "How to Move Indexed Files" +knowledge_article_id: kA00g000000H9eTCAS +--- + +# How to Move Indexed Files + +## Question + +How can you move the indexed files created by Netwrix Data Classification? + +## Answer + +If indexed files need to be moved from one drive to another, refer to the following steps: + +1. Run the Netwrix Data Classification Service Viewer utility: + - if NDC has been upgraded to a newer version, its default location is ` %ProgramFiles%\ConceptSearching\ServiceViewer\conceptServiceViewer.exe` + - if NDC v5.6 has been installed for the first time, its default location is ` %Program Files%\Netwrix\Data Classification\ServiceViewer\conceptServiceViewer.exe` + +2. Stop the following Netwrix Data Classification services: + - Collector Service + - Indexer Service + - Classifier Service + +3. Copy all CSE files from the original folder (by default, located in either ` %ProgramFiles%/ConceptSearching/ConceptDB` or ` %Program Files%/Netwrix/Data Classification/ConceptDB`) to a new location. + +4. 
Run `conceptConfig.exe` from one of the locations below (default paths), enter the new directory path in the **Folder for CSE Files** field, and click **Save**: + + ``` + C:\inetpub\wwwroot\conceptQS\bin + %ProgramFiles%\ConceptSearching\Services\ConceptCollectorService + %ProgramFiles%\ConceptSearching\Services\conceptIndexer + ``` + + or + + ``` + C:\inetpub\wwwroot\conceptQS\bin + %Program Files%\Netwrix\Data Classification\Services\ConceptCollectorService + %Program Files%\Netwrix\Data Classification\Services\conceptIndexer + ``` + +5. Start Netwrix Data Classification services using Windows Services Manager. diff --git a/docs/kb/dataclassification/how-to-partially-rebuild-the-dqs-index.md b/docs/kb/dataclassification/how-to-partially-rebuild-the-dqs-index.md new file mode 100644 index 0000000000..0bc2c772f8 --- /dev/null +++ b/docs/kb/dataclassification/how-to-partially-rebuild-the-dqs-index.md 
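Review bot: in how-to-move-indexed-files.md, `%Program Files%` in steps 1, 3 and 4 is not a Windows environment variable (the variable is `%ProgramFiles%`, which the same steps use for the ConceptSearching paths), so the Netwrix paths will not expand if pasted. The inline paths also carry a leading space inside the backticks, and step 3 writes them with forward slashes while step 4 uses backslashes. Step 3 should state that the service account needs the same access on the new folder as on the original one, since the copy does not say anything about permissions. Step 5 restarts the services through Windows Services Manager although steps 1 and 2 stop them through the Service Viewer; pick one tool, and name the same three services in both places.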
@@ -0,0 +1,62 @@ +--- +description: >- + Describes how to rebuild corrupted indexes on a single Distributed Query + Server (DQS) by replacing CSE files and reindexing the affected content to + avoid rebuilding indexes on multiple servers. +keywords: + - DQS + - CSE + - ConceptDB.zip + - reindex + - NDC + - Lexicon + - IndexerChecksum + - DQSID +products: + - data-classification +sidebar_label: How to Partially Rebuild the DQS Index +tags: [] +title: "How to Partially Rebuild the DQS Index" +knowledge_article_id: kA04u000000wniXCAQ +--- + +# How to Partially Rebuild the DQS Index + +## Overview + +This article describes how to rebuild corrupted indexes on a single server. This process is designed to avoid the effort-intensive method of rebuilding indexes on multiple servers. + +## Instructions + +1. Stop services on the Distributed Query Server (DQS). +2. Download a blank copy of the CSE files (`ConceptDB.zip`). +3. Replace the CSE files on the DQS Server with the downloaded blank CSE files. + +> **NOTE:** `Text.CSE` is not in this download and should be left unchanged. + +4. Delete the following files and folders: + - Lexicon shards folder + - `Indexer.CSE` + - `LexiconCache.CSE` + - `LexiconCacheQS.CSE` + - `LexiconSizeDistribution.CSE` + - `PostingsDistribution.CSE` + - `IndexerChecksum.CSE` + +5. To reindex the affected content, run the following SQL statement: + +```sql +UPDATE Pages Set Status = 200 WHERE DQSID = X AND Status > 200 +``` + +where `X` is the value of your DQSID. + +> **IMPORTANT:** Find the correct DQSID from the NDC configuration. + +6. Start services on the DQS Server. + +## Attachments + +Use the following file to replace active NDC files (`.CSE`): + +- https://dl.netwrix.com/products/utilities/ConceptDB.zip 
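Review bot: in how-to-partially-rebuild-the-dqs-index.md, steps 3 to 5 overwrite and delete index files and then run an `UPDATE` against `Pages`, but no step tells the reader to back up the existing CSE files or the database first; add that before step 3. The statement in the `sql` fence contains the bare placeholder `X` (`WHERE DQSID = X`), which fails if pasted as is; mark it as a placeholder in the fence, and move the IMPORTANT callout about finding the DQSID above the statement rather than after it. The unindented NOTE between steps 3 and 4 and the unindented fence after step 5 can break the ordered list when rendered, so indent them under their steps. The Attachments section links `ConceptDB.zip` with no checksum, so the reader has no way to confirm the archive that replaces the active index files.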
diff --git a/docs/kb/dataclassification/how-to-set-up-single-sign-on-via-microsoft-entra-id-authentication.md b/docs/kb/dataclassification/how-to-set-up-single-sign-on-via-microsoft-entra-id-authentication.md new file mode 100644 index 0000000000..521ab40445 --- /dev/null +++ b/docs/kb/dataclassification/how-to-set-up-single-sign-on-via-microsoft-entra-id-authentication.md 
@@ -0,0 +1,111 @@ +--- +description: >- + Step-by-step instructions to configure single sign-on (SSO) for Netwrix Data + Classification using Microsoft Entra ID authentication, including app + registration, web.config updates, and using bearer tokens with REST APIs. +keywords: + - single sign-on + - SSO + - Microsoft Entra ID + - Netwrix Data Classification + - NDC + - App registration + - web.config + - Bearer token +products: + - data-classification +visibility: public +sidebar_label: How to Set Up Single Sign-On via Microsoft Entra I +tags: [] +title: "How to Set Up Single Sign-On via Microsoft Entra ID Authentication" +knowledge_article_id: kA00g000000H9e8CAC +--- + +# How to Set Up Single Sign-On via Microsoft Entra ID Authentication + +## Question + +How can you set up single sign-on (SSO) for Netwrix Data Classification (NDC) via Microsoft Entra ID authentication (formerly Azure AD)? + +> **IMPORTANT:** The Netwrix Data Classification and Netwrix Auditor integration (NDC Provider) currently does not support single sign-on (SSO). SSO needs to be disabled in Netwrix Data Classification for the account used by the NDC Provider to authenticate. For up-to-date information on the NDC Provider integration, refer to the following documentation article: /docs/auditor/10.6/auditor/admin-guide/settings (Sensitive Data Discovery — Permissions for Integration with Netwrix Data Classification · v10.6). + +## Answer + +### Register Netwrix Data Classification (NDC) in the Azure Portal + +1. Assign a certificate to the default website where NDC is hosted. +2. Make sure that the NDC Administration Console is accessible in your browser (for example, `https://classification.contoso.com/NDC`). +3. Add your Microsoft Entra account as a Superuser: + 1. On the main NDC screen, select **Settings**. + 2. Select the **Users** tab, and click **Add user**. + + > **NOTE:** Make sure to check the **Superuser** checkbox. 
+ + ![Add user Superuser screenshot](images/ka0Qk0000004LM1_0EMQk000005O4sP.png) + +4. Visit the App registrations menu in your Microsoft Azure Portal to register an application: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps + + 1. In the upper navigation bar, click **New registration**. + 2. In the **Redirect URI** section, select **Web** in the dropdown menu and enter the Administration Console URL in the corresponding field (for example, `https://classification.contoso.com/NDC`). + 3. Click **Register** to save your changes. + 4. Copy the **Application (Client) ID** of the newly created application. + 5. Select your application and open the **Authentication** tab in the left pane. + + ![Authentication tab screenshot](images/ka0Qk0000004LM1_0EMQk000005O4u1.png) + + 6. Check the **ID tokens (used for implicit and hybrid flows)** checkbox and click **Save**. + +5. Back up the `web.config` file in the NDC IIS folder (located in `C:\inetpub\wwwroot\NDC` by default). You can check your actual NDC IIS folder path by right-clicking the **NDC** node under **Default Web Site** in IIS and selecting **Explore**. +6. Edit the original `web.config` file from the NDC IIS folder to add the following lines to the `` node: + +```xml + + + +``` + +![web.config snippet screenshot](images/ka0Qk0000004LM1_0EMQk000005O4qo.png) + +> **NOTE:** Replace the **Application (Client) ID** with the one copied previously and the `tenantname.onmicrosoft.com` with your tenant's name. + +7. Close all your browser windows and then open the NDC Administration Console (for example, `https://classification.contoso.com/NDC`). +8. **NOTE:** In a DQS environment, steps 5 and 6 must be completed on each server NDC is installed on before proceeding to step 7. + +> **NOTE:** If you have previously configured the application to use ADFS, refer to the following steps: +> +> 1. On the main NDC screen, select **Settings**. +> 2. 
Select the **Users** tab, select all users, and select **Delete**. +> 3. Open the `web.config` file (located in `C:\inetpub\wwwroot\NDC` by default) and remove `appSettings` entries specific to ADFS: +> +> ``` +> ida:ADFSMetadata +> ida:Wtrealm +> ``` + +### Make a REST API call using Bearer Auth + +When using NDC REST APIs with Microsoft Entra authentication, the first step is to retrieve a bearer token. Each API call should include the bearer token as its method of authentication. The code snippet provided below (C#) uses RestSharp to connect to Microsoft Entra ID and retrieve a bearer token to be used with REST APIs: + +```csharp +var tenancy = "conceptsearching.com"; +var clientId = "NewAzureADClientID (GUID)"; +var clientSecret = ""; +var username = "developer%40conceptsearching.com"; +var password = ""; + +var client = new RestClient($"https://login.microsoftonline.com/{tenancy}/oauth2/token"); +var request = new RestRequest(Method.POST); +request.AddHeader("Cache-Control", "no-cache"); +request.AddHeader("Content-Type", "application/x-www-form-urlencoded"); +request.AddParameter("undefined", $"grant_type=password&username={username}&password={password}&client_id={clientId}&resource={clientId}&client_secret={clientSecret}", ParameterType.RequestBody); +IRestResponse response = client.Execute(request); +``` + +The `access_token` value from the response should be included in each subsequent request via REST APIs as a header variable in the following format: + +Key: `Authorization` +Value: `Bearer YOURTOKEN` + +## Related Articles + +- My Dashboard — App Registrations · Entra ID: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps diff --git a/docs/kb/dataclassification/how-to-update-service-account-password.md b/docs/kb/dataclassification/how-to-update-service-account-password.md new file mode 100644 index 0000000000..db2dd94c97 --- /dev/null +++ b/docs/kb/dataclassification/how-to-update-service-account-password.md 
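Review bot: in how-to-set-up-single-sign-on-via-microsoft-entra-id-authentication.md, step 6 cannot be followed as written: the node name is an empty pair of backticks ("to the `` node") and the `xml` fence that should hold the settings is blank, so the markup appears to have been stripped in conversion. The NOTE under it refers to an Application (Client) ID and `tenantname.onmicrosoft.com` that appear nowhere in the text; restore the snippet or escape it so it survives rendering. In the C# sample, the request uses `grant_type=password` with the user name, password and client secret held in string variables; the article should say where those values are expected to come from instead of showing them as literals, and state whether this flow is usable for accounts that have MFA enforced. The request body is built by string interpolation under a parameter named "undefined", with `username` encoded by hand (`%40`) and `password` and `clientSecret` not encoded at all, so a value containing `&` or `+` corrupts the request; adding each field as its own form parameter avoids that. The sample values use `conceptsearching.com` while the rest of the article uses `contoso.com` placeholders. Step 8 is a NOTE numbered as a step and says it must be done before step 7, so it belongs above step 7.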
@@ -0,0 +1,115 @@ +--- +description: >- + Instructions to update the service account password used by Netwrix Data + Classification services and IIS application pools, including notes about + service-name variations between upgraded and fresh v5.7 installations. +keywords: + - service account + - password + - Netwrix Data Classification + - IIS + - application pool + - ConceptIndexer + - ConceptConfig + - DQS + - services.msc +products: + - data-classification +sidebar_label: How to Update Service Account Password +tags: [] +title: "How to Update Service Account Password" +knowledge_article_id: kA04u00000110uzCAA +--- + +# How to Update Service Account Password + +## Before You Start + +> IMPORTANT: this article is made for versions **5.6** and **5.7.** Variation in the service name is very likely as between these two major versions they were changed. If you previously had 5.6 and upgraded to 5.7, you will retain old service names; if a fresh install, you get new service names. Keep it in mind if setting up Distributed Query Server (DQS) where one server was set up before the others in your environment (read more about applying DQS mode in Configuring NDC Servers Cluster and Load Balancing with DQS Mode ・ v 5.7: /docs/data-classification/5.7/ndc/requirements). + +### Check Your Netwrix Data Classification Version + +Check for the current Netwrix Data Classification version on any of the Netwrix Data Classification pages. + +### Check Service Names + +| 5.7 but upgraded from 5.6.x.x | Fresh install of 5.7.x.x | +|---|---| +| ConceptCollector | NDC Collector | +| ConceptIndexer | NDC Indexer | +| ConceptClassifier | NDC Classifier | + +## Instructions + +1. Login to your Netwrix Data Classification server(s). + +2. Stop the services: + 1. Press WIN + R on the keyboard. + 2. Enter `services.msc.` and click **OK**. + Result: the **Services** window appears. + 3. Right click a service with the **Running** status and select **Stop**. 
+ + > TIP: you can change startup type to **Manual**, so then they don’t startup on their own: + > ![User-added image](images/ka0Qk000000Codl_0EM4u000008Liup.png) + +3. In the **Services** window, scroll down to find the following services: + - NDC Classifier + - NDC Collector + - NDC Indexer + +4. For each service, do the following: + ![Picture2.png](images/ka0Qk000000Codl_0EM4u000008LhoR.png) + 1. Right click a service name, select **Properties** and go to the **Log on** tab. + 2. Enter new password. + 3. Click on **Apply**. + +5. Launch the Internet Information Services / Internet Information Services Manager (IIS) and do the following: + 1. Expand the server and head into **Application Pools**. + 2. Look for your corresponding application. + + > NOTE: there is a variation in name between versions: + > + > **V5.7 but upgraded from 5.6.x.x**: ConceptQSAppPool + > **Fresh install of v5.7.x.x**: NDCAppPool + + 3. Click on the application and then on the right pane, click on **Advanced Settings**. + ![Picture3.png](images/ka0Qk000000Codl_0EM4u000008LhrQ.png) + +6. Once you are in the **Advanced Settings**, go to **Process Model** > **Identity** > **...** + ![Picture4.png](images/ka0Qk000000Codl_0EM4u000008Lhog.png) + +7. In the **Application Pool Identity** window do the following: + 1. Click on **Set**. + 2. Enter new credentials (always enter your domain before the user as not doing so can cause problems later). + 3. Click on **OK**. + ![Picture5.png](images/ka0Qk000000Codl_0EM4u000008Lhol.png) + +8. Since you are in the IIS, head into your Netwrix Data Classification webpage by doing the following: + 1. Expand the **Sites** folder. + 2. Expand **Default Web Site** then click on **NDC2** or **ConceptQS**. + 3. Click on **Browse** on the right pane. 
+ ![Picture6.png](images/ka0Qk000000Codl_0EM4u000008LhrV.png) + Result: the Netwrix Data Classification's **System Dashboard** section appears: + ![Picture7.png](images/ka0Qk000000Codl_0EM4u000008Lhrk.png) + + > IMPORTANT: follow the steps below if only you have setup the same Service Account for more than just the services such as SQL Access or SQL Server Instance Services + +9. Go to your Netwrix Data Classification installation directory. The default directory varies depending on the version: + - **V5.7 but upgraded from 5.6.x.x**: `c:\Program Files\conceptsearching` + - **Fresh install of 5.7.x.x**: `c:\Program Files\Netwrix\Data Classification` + +10. Go to the **Services** folder and do the following: + 1. Open the `conceptindexer` folder. + 2. To sort documents, click **Type** once. + 3. Open the `ConceptConfig.exe` file. + ![Picture8.png](images/ka0Qk000000Codl_0EM4u000008Lhp0.png) + +11. In the **Netwrix Data Classification: Database Configuration** window, proceed as follows: + 1. Change user password. + 2. Click on **Test Connection** to have Netwrix Data Classification try to connect with your new credentials. + ![Picture9.png](images/ka0Qk000000Codl_0EM4u000008LhpP.png) + Result: a dialog window with the **Connection Test Succeeded** message appears. + +12. Repeat for the other service folder. + +13. Go to `c:\inetpub\wwwroot\NDC` (or ConceptQS) and repeat the same process as above (classify by type and launch `ConceptConfig.exe`). diff --git a/docs/kb/dataclassification/how-to-upgrade-a-dqs-deployment.md b/docs/kb/dataclassification/how-to-upgrade-a-dqs-deployment.md new file mode 100644 index 0000000000..147c170551 --- /dev/null +++ b/docs/kb/dataclassification/how-to-upgrade-a-dqs-deployment.md 
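Review bot: in how-to-update-service-account-password.md, step 2 stops the services and the TIP suggests switching them to **Manual** startup, but none of steps 3 to 13 starts them again or restores the startup type, so a reader who follows the article to the end is left with the collector, indexer and classifier stopped. Add a closing step for that. Step 3 lists only the fresh-install names (NDC Classifier, NDC Collector, NDC Indexer) although the table above says upgraded servers keep the Concept* names; list both or refer back to the table. In step 2 the command is written as `services.msc.` with the sentence period inside the code span. Step 8 refers to **NDC2** while step 13 and the other articles use `NDC`; confirm which is correct. The IMPORTANT callout before step 9 ("follow the steps below if only you have setup") reads ambiguously; state plainly that steps 9 to 13 apply only when the same account is also used for SQL access.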
@@ -0,0 +1,37 @@ +--- +description: >- + Describes prerequisites and step-by-step instructions to upgrade a DQS + deployment (NDC cluster), including preparing installation media, account + requirements, backups, and verifying the upgrade via the NDC dashboard. +keywords: + - DQS + - NDC + - upgrade + - cluster + - conceptQS + - conceptcollector + - snapshot + - SQL database +products: + - data-classification +sidebar_label: How to Upgrade a DQS Deployment +tags: [] +title: "How to Upgrade a DQS Deployment" +knowledge_article_id: kA00g000000PbcmCAC +--- + +# How to Upgrade a DQS Deployment + +**Before upgrading a DQS it is important to have a few things in place.** + +1. Make sure that the installation media is copied to each individual node in the cluster ahead of time, this will speed up the process. +2. Ensure that you are using an account that is a local admin on each server in the cluster, using the NDC service account is preferred. +3. Ensure that you take a snapshot of each node in the cluster and backup the NDC SQL database, this will provide a backup in case the upgrade runs into issues. Also, it is best practice to upgrade clients sequentially by version number (ie: 5.5.1 > 5.5.2 > 5.5.3). + +## Steps to Upgrade + +1. Stop all three NDC services on each node in the cluster (`conceptcollector`, `conceptindexer`, `conceptclassifier`) +2. On the primary node (the original NDC server, also referred to as DQS1), run the installer for the new version as an administrator. Select **Next** on each prompt until the installer completes. +3. To ensure that the upgrade was a success, open a browser and navigate to the NDC dashboard which is found here by default: (`http://localhost/conceptQS`). Ensure that the version and build correspond to the version that you were attempting to upgrade to, if that is the case then you have successfully upgraded the server. +4. 
Repeat steps 2 and 3 for all subsequent nodes in the cluster, upgrading one server at a time and confirming that the upgrade was a success via the browser. +5. Once all nodes in the cluster are showing the same version, you have completed the upgrade successfully. diff --git a/docs/kb/dataclassification/how_groups_and_types_are_classified.md b/docs/kb/dataclassification/how_groups_and_types_are_classified.md new file mode 100644 index 0000000000..b95d1e12b3 --- /dev/null +++ b/docs/kb/dataclassification/how_groups_and_types_are_classified.md 
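Review bot: in how-to-upgrade-a-dqs-deployment.md, step 1 stops the three services on every node, but no later step says whether the installer restarts them or tells the reader to confirm they are running once a node is upgraded; add that check to step 3. Step 1 names only `conceptcollector`, `conceptindexer` and `conceptclassifier`, and step 3 gives only `http://localhost/conceptQS`, while the service-account article in this same change says fresh 5.7 installs use the NDC names and the `NDC` site; mention both. In the prerequisites, item 3 mixes two separate requirements (snapshot and SQL backup, and upgrading sequentially by version number); split the second into its own item, and replace "clients" with the term used elsewhere (nodes or servers). The prerequisites list has no heading, unlike "Steps to Upgrade".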
@@ -0,0 +1,48 @@ +--- +description: >- + This article explains how Netwrix Directory Manager classifies groups into unmanaged and managed categories, detailing their features and security types. +keywords: + - Directory Manager + - group classification + - unmanaged groups + - managed groups + - security types +sidebar_label: Group Classification +tags: [] +title: "How Groups and Types Are Classified" +knowledge_article_id: kA0Qk0000002LrZKAU +products: + - data-classification +--- + +# How Groups and Types Are Classified + +## Applies To + +Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) classifies groups into two main categories: **Unmanaged** and **Managed**. Each category supports different group management features and security types. This article explains these classifications and the security types available for groups in Directory Manager. + +## Details + +### Unmanaged Groups + +An unmanaged group, also called a static group, is typically created directly in a directory, such as with the Users and Computers option in Active Directory. Although you can create unmanaged groups using the Directory Manager portal, Directory Manager does not support dynamic updates for these groups. Any changes to membership must be made manually. + +### Managed Groups (Smart Groups) + +A managed group, also known as a Smart Group, dynamically maintains its membership based on user-defined rules. These rules are applied through an LDAP query, which is scheduled for membership updates using a Smart Group Update job. When the job runs, it applies the rules to update group membership automatically. + +A dynasty is a collection of Smart Groups created based on the values of a defined attribute. These groups are governed by a parent group, called the "Parent" dynasty. When you update the Parent dynasty, its middle and leaf dynasties are automatically updated. 
This automated group management allows administrators to maintain large distribution lists and security groups without manual intervention. + +You can create and manage Smart Groups using the Directory Manager portal. + +### Security Types of Groups + +For both unmanaged and managed groups, Directory Manager classifies groups into three security types. These types define the access level for a group: + +- **Private groups:** Membership is determined solely by the group owner. The owner decides who can join or leave the group, and additional owners can also manage membership. Users cannot request to join or leave a private group. By default, unmanaged groups are classified as Private, but you can change their security type in Directory Manager. +- **Semi-private groups:** These groups have an owner who determines membership, but members can request to join or leave the group. +- **Public groups:** Open to all users. Users can join or leave a public group without owner permission. Administrators can configure email notifications to be sent to the group owner when a member joins or leaves the group. \ No newline at end of file diff --git a/docs/kb/dataclassification/images/ka04u000000HcZd_0EM4u000002PY09.png b/docs/kb/dataclassification/images/ka04u000000HcZd_0EM4u000002PY09.png new file mode 100644 index 0000000000..abb3ce000c Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HcZd_0EM4u000002PY09.png differ diff --git a/docs/kb/dataclassification/images/ka04u000000HdFy_0EM4u000001rAT5.png b/docs/kb/dataclassification/images/ka04u000000HdFy_0EM4u000001rAT5.png new file mode 100644 index 0000000000..b376c580ee Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdFy_0EM4u000001rAT5.png differ 
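Review bot: in how_groups_and_types_are_classified.md, the front matter sets `products: data-classification` and the file is added under docs/kb/dataclassification, but "Applies To" says Directory Manager 11 and the body is entirely about Netwrix Directory Manager groups; this looks misfiled and should move to the Directory Manager knowledge base with the matching product tag. The file name uses underscores while the sibling articles in this directory use hyphens, and the file ends without a trailing newline. In the Private groups bullet, "Membership is determined solely by the group owner" is followed by "additional owners can also manage membership"; reword so the two statements do not contradict each other.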
diff --git a/docs/kb/dataclassification/images/ka04u000000HdFy_0EM4u000001rAV6.png b/docs/kb/dataclassification/images/ka04u000000HdFy_0EM4u000001rAV6.png new file mode 100644 index 0000000000..edbd58fed8 Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdFy_0EM4u000001rAV6.png differ diff --git a/docs/kb/dataclassification/images/ka04u000000HdFy_0EM4u000001rAVB.png b/docs/kb/dataclassification/images/ka04u000000HdFy_0EM4u000001rAVB.png new file mode 100644 index 0000000000..12a05f9721 Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdFy_0EM4u000001rAVB.png differ diff --git a/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rATU.png b/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rATU.png new file mode 100644 index 0000000000..e164813b30 Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rATU.png differ diff --git a/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rAU8.png b/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rAU8.png new file mode 100644 index 0000000000..528c0a0907 Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rAU8.png differ diff --git a/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rAUS.png b/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rAUS.png new file mode 100644 index 0000000000..06ac9ecf7b Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rAUS.png differ diff --git a/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rAVQ.png b/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rAVQ.png new file mode 100644 index 0000000000..0d95581681 Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdFz_0EM4u000001rAVQ.png differ 
diff --git a/docs/kb/dataclassification/images/ka04u000000HdG0_0EM4u000001rAVf.png b/docs/kb/dataclassification/images/ka04u000000HdG0_0EM4u000001rAVf.png new file mode 100644 index 0000000000..638256bb35 Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdG0_0EM4u000001rAVf.png differ diff --git a/docs/kb/dataclassification/images/ka04u000000HdG0_0EM4u000001rAVp.png b/docs/kb/dataclassification/images/ka04u000000HdG0_0EM4u000001rAVp.png new file mode 100644 index 0000000000..6e0b345788 Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdG0_0EM4u000001rAVp.png differ diff --git a/docs/kb/dataclassification/images/ka04u000000HdG0_0EM4u000001rAW9.png b/docs/kb/dataclassification/images/ka04u000000HdG0_0EM4u000001rAW9.png new file mode 100644 index 0000000000..b5d232d0bf Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdG0_0EM4u000001rAW9.png differ diff --git a/docs/kb/dataclassification/images/ka04u000000HdG2_0EM4u000001rDFG.png b/docs/kb/dataclassification/images/ka04u000000HdG2_0EM4u000001rDFG.png new file mode 100644 index 0000000000..d733c35536 Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000000HdG2_0EM4u000001rDFG.png differ diff --git a/docs/kb/dataclassification/images/ka04u000001170U_0EM4u000008LceH.png b/docs/kb/dataclassification/images/ka04u000001170U_0EM4u000008LceH.png new file mode 100644 index 0000000000..c3b4ace6aa Binary files /dev/null and b/docs/kb/dataclassification/images/ka04u000001170U_0EM4u000008LceH.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk0000000wyT_0EM4u000004dBat.png b/docs/kb/dataclassification/images/ka0Qk0000000wyT_0EM4u000004dBat.png new file mode 100644 index 0000000000..870f8ecea4 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000000wyT_0EM4u000004dBat.png differ 
diff --git a/docs/kb/dataclassification/images/ka0Qk0000000wyT_0EM4u000004dBay.png b/docs/kb/dataclassification/images/ka0Qk0000000wyT_0EM4u000004dBay.png new file mode 100644 index 0000000000..985174c596 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000000wyT_0EM4u000004dBay.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk0000000wyT_0EM4u000004dBb3.png b/docs/kb/dataclassification/images/ka0Qk0000000wyT_0EM4u000004dBb3.png new file mode 100644 index 0000000000..21ae0bb039 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000000wyT_0EM4u000004dBb3.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk0000002ekX_0EM4u0000084eUX.png b/docs/kb/dataclassification/images/ka0Qk0000002ekX_0EM4u0000084eUX.png new file mode 100644 index 0000000000..64ce77631d Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000002ekX_0EM4u0000084eUX.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000309x_0EMQk000004P1LC.png b/docs/kb/dataclassification/images/ka0Qk000000309x_0EMQk000004P1LC.png new file mode 100644 index 0000000000..356e6316be Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000309x_0EMQk000004P1LC.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000455x_0EM4u000001rDFz.png b/docs/kb/dataclassification/images/ka0Qk000000455x_0EM4u000001rDFz.png new file mode 100644 index 0000000000..26a8e152c0 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000455x_0EM4u000001rDFz.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000455x_0EM4u000001rDGn.png b/docs/kb/dataclassification/images/ka0Qk000000455x_0EM4u000001rDGn.png new file mode 100644 index 0000000000..9917dba1f8 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000455x_0EM4u000001rDGn.png differ 
diff --git a/docs/kb/dataclassification/images/ka0Qk0000004LM1_0EMQk000005O4qo.png b/docs/kb/dataclassification/images/ka0Qk0000004LM1_0EMQk000005O4qo.png new file mode 100644 index 0000000000..0fe8b98be7 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000004LM1_0EMQk000005O4qo.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk0000004LM1_0EMQk000005O4sP.png b/docs/kb/dataclassification/images/ka0Qk0000004LM1_0EMQk000005O4sP.png new file mode 100644 index 0000000000..4b5534a847 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000004LM1_0EMQk000005O4sP.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk0000004LM1_0EMQk000005O4u1.png b/docs/kb/dataclassification/images/ka0Qk0000004LM1_0EMQk000005O4u1.png new file mode 100644 index 0000000000..86bb71f1dc Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000004LM1_0EMQk000005O4u1.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk0000005157_0EMQk000006Wq6T.png b/docs/kb/dataclassification/images/ka0Qk0000005157_0EMQk000006Wq6T.png new file mode 100644 index 0000000000..3e8b538f3b Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000005157_0EMQk000006Wq6T.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk0000005NaH_0EM4u000008LGlJ.png b/docs/kb/dataclassification/images/ka0Qk0000005NaH_0EM4u000008LGlJ.png new file mode 100644 index 0000000000..b12e6d12c6 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000005NaH_0EM4u000008LGlJ.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk0000005chN_0EMQk000007eSHh.png b/docs/kb/dataclassification/images/ka0Qk0000005chN_0EMQk000007eSHh.png new file mode 100644 index 0000000000..4802af25ee Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000005chN_0EMQk000007eSHh.png differ 
diff --git a/docs/kb/dataclassification/images/ka0Qk0000007H0v_0EM4u000002Qwyh.png b/docs/kb/dataclassification/images/ka0Qk0000007H0v_0EM4u000002Qwyh.png new file mode 100644 index 0000000000..25d9af2a55 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk0000007H0v_0EM4u000002Qwyh.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhoR.png b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhoR.png new file mode 100644 index 0000000000..5c2933457c Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhoR.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhog.png b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhog.png new file mode 100644 index 0000000000..b7135d2f03 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhog.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhol.png b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhol.png new file mode 100644 index 0000000000..047ed2c798 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhol.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhp0.png b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhp0.png new file mode 100644 index 0000000000..217d5f3f4f Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhp0.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhpP.png b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhpP.png new file mode 100644 index 0000000000..e7bb90e389 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhpP.png differ 
diff --git a/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhrQ.png b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhrQ.png new file mode 100644 index 0000000000..468dd19dbf Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhrQ.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhrV.png b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhrV.png new file mode 100644 index 0000000000..b78ea86241 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008LhrV.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhrk.png b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhrk.png new file mode 100644 index 0000000000..4b887eeba1 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Lhrk.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Liup.png b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Liup.png new file mode 100644 index 0000000000..ad54f93a1e Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000Codl_0EM4u000008Liup.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000DiGA_0EM4u000008pbhE.png b/docs/kb/dataclassification/images/ka0Qk000000DiGA_0EM4u000008pbhE.png new file mode 100644 index 0000000000..45ed29afb0 Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000DiGA_0EM4u000008pbhE.png differ diff --git a/docs/kb/dataclassification/images/ka0Qk000000FgmvIAC.jpeg b/docs/kb/dataclassification/images/ka0Qk000000FgmvIAC.jpeg new file mode 100644 index 0000000000..2b4a538b8f Binary files /dev/null and b/docs/kb/dataclassification/images/ka0Qk000000FgmvIAC.jpeg differ 
diff --git a/docs/kb/dataclassification/import-terms-sets-from-an-xml-file-using-concepttermstoremanager.md b/docs/kb/dataclassification/import-terms-sets-from-an-xml-file-using-concepttermstoremanager.md new file mode 100644 index 0000000000..e9e209b85d --- /dev/null +++ b/docs/kb/dataclassification/import-terms-sets-from-an-xml-file-using-concepttermstoremanager.md 
@@ -0,0 +1,52 @@ +--- +description: >- + Import a term set structure from an XML file using the + conceptTermStoreManager. This article provides step-by-step instructions to + import term sets, configure actions, and review import options and logs. +keywords: + - term set + - XML import + - conceptTermStoreManager + - term store + - Office 365 + - taxonomy + - conceptQS + - import + - Process Deletions + - Report Only +products: + - data-classification +sidebar_label: Import Terms Sets from an XML File using conceptTe +tags: [] +title: "Import Terms Sets from an XML File using conceptTermStoreManager" +knowledge_article_id: kA04u000000XmGHCA0 +--- + +# Import Terms Sets from an XML File using conceptTermStoreManager + +Import a term set structure from an XML file via the `conceptTermStoreManager` using the steps listed in this article. + +## Procedure + +1. Navigate to `C:\inetpub\wwwroot\conceptQS\bin\conceptTermStoreManager.exe`. +2. Run the `conceptTermStoreManager.exe` and observe the following screen: + ![User-added image](images/ka04u000000HdFz_0EM4u000001rATU.png) +3. Click the **Import** button to import a term set structure from an XML file. +4. Enter the location of the XML file and the destination term store: + ![User-added image](images/ka04u000000HdFz_0EM4u000001rAU8.png) + - This example uses an Office 365 destination. +5. Click **Next**. +6. Check the boxes of the term sets you wish to import. +7. For each term set, use the drop down list to select a desired **Action**: + ![User-added image](images/ka04u000000HdFz_0EM4u000001rAUS.png) + - In this example, the **Regions** term set will be merged with the existing term set in the **Taxonomies** term group. +8. Click **Next**. +9. Review the summary on the final page: + ![User-added image](images/ka04u000000HdFz_0EM4u000001rAVQ.png) + - If you wish to ensure terms not found in the source are removed from the destination (`Matching GUID`), check the **Process Deletions** box. 
+ - If you wish to prevent any changes from occurring in the destination, check the **Report Only** box. + - Any changes that would have been made to term sets will be logged to the individual term sets logs, which are visible by clicking the **View Log File** link. + - Optional advanced options can be found by clicking the **Advanced** button. +10. Click **Begin Import**. + +Imported term sets will now be available! diff --git a/docs/kb/dataclassification/keyset-does-not-exist-exception-from-hresult-0x80090016.md b/docs/kb/dataclassification/keyset-does-not-exist-exception-from-hresult-0x80090016.md new file mode 100644 index 0000000000..0445abd3fb --- /dev/null +++ b/docs/kb/dataclassification/keyset-does-not-exist-exception-from-hresult-0x80090016.md 
@@ -0,0 +1,62 @@ +--- +description: >- + Netwrix Data Classification may display a "Keyset does not exist ( exception + from HRESULT : 0x80090016)" error. This article explains how to regenerate the + machine keys without reinstalling IIS. +keywords: + - Keyset does not exist + - HRESULT 0x80090016 + - MachineKeys + - IIS + - applicationhost.config + - Netwrix Data Classification + - iissetup + - configProtectedData +products: + - data-classification +sidebar_label: 'Keyset does not exist ( exception from HRESULT : 0' +tags: [] +title: 'Keyset does not exist ( exception from HRESULT : 0x80090016)' +knowledge_article_id: kA04u000000XmHFCA0 +--- + +# Keyset does not exist ( exception from HRESULT : 0x80090016) + +## Scenario + +Netwrix Data Classification displays the following error: + +```text +Error: There was an error while performing this operation. +Details: +Keyset does not exist ( exception from HRESULT : 0x80090016) +``` + +## Solution + +You can regenerate these machine keys without reinstalling IIS completely. To do that follow the steps below: + +1. Rename the files listed below or move them to a different location from `C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\` + - `iisConfigurationKey 6de9cb26d2b98c01ec4e9e8b34824aa2_GUID` + - `NetFrameworkConfigurationKey d6d986f09a1ee04e24c949879fdb506c_GUID` + - `iisWasKey 76944fb33636aeddb9590521c2e8815a_GUID` + +2. Backup `applicationhost.config`, then delete everything inside the tags below in `applicationhost.config`. Delete the contents within the `configProtectedData` or `providers` sections: + +```xml + + + ... + + +``` + +3. Open a command prompt in admin mode and run the command below: + +```text +"%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries" +``` + +4. Keys should be recreated in the `C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\` folder. Now the IIS App pool user can be changed. 
+ +These steps, along with more information, can be found here as well: https://techcommunity.microsoft.com/t5/iis-support-blog/keyset-does-not-exist-exception-from-hresult-0x8009000d-or-or/ba-p/342955 diff --git a/docs/kb/dataclassification/missing-search-results.md b/docs/kb/dataclassification/missing-search-results.md new file mode 100644 index 0000000000..c16aff5d21 --- /dev/null +++ b/docs/kb/dataclassification/missing-search-results.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Explains why documents that are classified may not appear in Browse or Search + results due to security trimming, and shows how to confirm and address the + issue across supported repository types. +keywords: + - search + - security trimming + - SharePoint + - ACL + - QS Administration + - Microsoft Entra ID + - ADFS + - federated accounts + - repositories +products: + - data-classification +sidebar_label: Missing search results +tags: [] +title: "Missing search results" +knowledge_article_id: kA00g000000H9e5CAC +--- + +# Missing search results + +There can be a situation where documents are **classified** to a particular term but are not showing within the **Browse** results, or expected results are missing from **Search**. This article applies to content stored in the following repository types: + +- **SharePoint** (Including **SharePoint Online**) +- **File Shares** +- **Box** +- **Microsoft Exchange** +- **CMIS Repositories** +- **Google Drives** + +Missing documents are typically related to **security trimming** — particularly depending on the configured **authentication** mechanism. **Search** results are automatically trimmed based on source security. In the case of SharePoint this takes into account: + +- Explicitly defined user security (AD Users/Groups) +- SharePoint Groups + +At search time the system enumerates your access, identifying all applicable usernames (including alternate domains) and all application AD groups. These are then matched to the security (**ACLs**) of each document before returning the **trimmed** search results. There are two simple methods to confirm if trimming is the cause of missing results: + +1. Compare Security + A simple method is to confirm the two **ACL** lists, comparing the end-user's security list to that of the document itself: + 1. 
**User** — An end-user's security can be reviewed by requesting that they access the **QS Administration interface**, and navigate to the following URL: `/conceptQS/ShowUser` + 2. **Document** — Compare that to the document's security, which you can view by selecting the **i** within **Sources/Reports/Taxonomies** and viewing the **Properties** tab + +2. Disable Security Trimming + Security trimming can be disabled by following the steps below for all sources: + 1. Log into the **QS Administration Interface** and access the **Config** area + 2. Select the **Logging** tab + 3. Enable the **ACL** trace + +Most **sources** also support disabling security on a more granular basis by selecting the **Allow Anonymous Access** option on the source edit screen. While disabling security may be the most appropriate option, the problem may instead be related to federation of user accounts. This occurs when the environment is not on the same domain as the source system(s). To assist with this scenario the product supports two **SSO** methods, allowing the logged-in username to match the source system(s) security — as well as allowing for federated security groups to be passed through to conceptSearching: + +- **Microsoft Entra ID (formerly Azure AD)** — Instructions for a **Microsoft Entra ID** deployment can be found as a separate KB article +- **ADFS 3.0** — Instructions for an **ADFS** deployment can be found within the partners site in the **Documentation** section (**QS AD FS Configuration Guide**) diff --git a/docs/kb/dataclassification/netwrix-data-classification-collector-indexer-and-classifier-threads.md b/docs/kb/dataclassification/netwrix-data-classification-collector-indexer-and-classifier-threads.md new file mode 100644 index 0000000000..19e10d541a --- /dev/null +++ b/docs/kb/dataclassification/netwrix-data-classification-collector-indexer-and-classifier-threads.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Explains how to configure the Collector Threads slider in Netwrix Data + Classification, including defaults, recommended calculation for maximum + threads, and automatic (dynamic) allocation. Also covers where to set the + value and the restart requirement for services after changes. +keywords: + - Collector Threads + - threads + - NDC + - Indexer + - NDC Management Web Console + - hardware requirements + - CPU cores + - dynamic allocation + - Netwrix Data Classification +products: + - data-classification +sidebar_label: 'Netwrix Data Classification Collector, Indexer, an' +tags: [] +title: 'Netwrix Data Classification Collector, Indexer, and Classifier Threads' +knowledge_article_id: kA00g000000H9eKCAS +--- + +# Netwrix Data Classification Collector, Indexer, and Classifier Threads + +## Overview + +In this article you will learn how to configure the **Collector Threads** slider in Netwrix Data Classification. The **Collector Threads** slider determines the number of concurrent background processes (threads) that the server can use for data collection tasks. Proper configuration of this setting can optimize performance based on your server's hardware. + +## Instructions + +### Understanding the Collector Threads Slider + +The **Collector Threads** slider allows you to set the number of concurrent threads that Netwrix Data Classification can use. Each thread represents a background process that handles data collection. The optimal number of threads depends on your server's CPU resources. + +- **Default value:** **24**. This is suitable for many environments. +- **Recommended value:** Set the number of threads to match your server's capabilities. The general formula is: **Sockets × Processors × 2 = Maximum threads**. For example, a server with 2 sockets and 4 processors (cores) per socket has 8 cores; 8 × 2 = 16 threads. 
+- **Logical processors:** If Task Manager shows `Logical processors`, use that number as the maximum threads value. +- **Dynamic allocation:** Setting the slider to `0` enables automatic detection. Netwrix Data Classification will dynamically determine the optimal number of threads based on available resources. This is the recommended setting if you are unsure of the best value for your environment. + +You can set the Collector Threads value in the **NDC Management Web Console** at `http://localhost/conceptQS/Configuration`. + +![Collector Threads slider in the NDC Management Web Console configuration page](images/ka0Qk000000FgmvIAC.jpeg) + +> **NOTE:** If you notice a decrease in processing capacity, set the **Collector Threads** slider to `0` to enable dynamic allocation. + +### Automatic Threading + +When the **Collector Threads** slider is set to `0`, Netwrix Data Classification automatically detects the number of available CPU cores and allocates threads accordingly. This ensures optimal use of system resources without manual configuration. + +For more information on hardware requirements, see Netwrix Data Classification — Hardware Requirements: +/docs/data-classification/5.7/ndc/requirements + +> **NOTE:** After changing the **Collector Threads** value, restart the corresponding service in Windows Services Manager. For example, restart the NDC Indexer service if you change the number of Indexer threads. + +## Related Links + +- Netwrix Data Classification — Hardware Requirements: /docs/data-classification/5.7/ndc/requirements diff --git a/docs/kb/dataclassification/original-documents-attributes-updated-during-migration.md b/docs/kb/dataclassification/original-documents-attributes-updated-during-migration.md new file mode 100644 index 0000000000..8bf0907545 --- /dev/null +++ b/docs/kb/dataclassification/original-documents-attributes-updated-during-migration.md 
@@ -0,0 +1,38 @@ +--- +description: >- + When you use the Migration action for Workflows, migrated files may lose + original attributes such as creation and modification dates. This occurs when + the account used for migration lacks Full Control permissions on the + destination folder. +keywords: + - migration + - workflows + - original attributes + - creation date + - modification date + - Full Control + - permissions + - destination folder + - migrated documents + - data classification +products: + - data-classification +sidebar_label: Original Documents Attributes Updated During Migra +tags: [] +title: "Original Documents Attributes Updated During Migration" +knowledge_article_id: kA04u00000111AnCAI +--- + +# Original Documents Attributes Updated During Migration + +## Symptom + +The **Migration** action for Workflows does not work as expected. Instead of keeping original attributes of migrated files (like original creation and modification dates), it updates ones for all migrated documents. + +## Cause + +The account does not have the **Full Control** permissions to the destination folder (the folder where migrated files should be moved). + +## Resolution + +Grant the account used for migration the **Full Control** permissions to the migration destination folder. diff --git a/docs/kb/dataclassification/process-pending-deletes.md b/docs/kb/dataclassification/process-pending-deletes.md new file mode 100644 index 0000000000..9e192275b6 --- /dev/null +++ b/docs/kb/dataclassification/process-pending-deletes.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Explains why the Indexer service reports "process pending deletes" in the + Netwrix Data Classification service viewer and how to improve Pending Deletes + processing performance. +keywords: + - pending deletes + - indexer + - Netwrix Data Classification + - Collector Service + - Classifier Service + - indexing performance + - DB tables + - index files + - pending deletes processing +products: + - data-classification +sidebar_label: Process Pending Deletes +tags: [] +title: "Process Pending Deletes" +knowledge_article_id: kA04u0000000H6OCAU +--- + +# Process Pending Deletes + +## Situation + +The Indexer service is reporting a status of “process pending deletes” in the Netwrix Data Classification service viewer + +## Cause + +Pending Deletes is a complex operation of removing all data and references to a Document that has been removed or is no longer accessible to Netwrix Data Classification. + +Processing these pending deletes involves clearing up a number of Tables in the DB (about 10 queries per single Pending Delete) and Index files on Netwrix Data Classification Server(s). + +This is a normal process for Netwrix Data Classification and is typically not a cause for concern. However, if you are noticing the index service only showing this status and affecting overall indexing speed then please review the information below + +## Resolution + +You can improve Pending Deletes processing performance by stopping the **Collector Service** (Netwrix Data Classification will stop registering new Pending Deletes) and **Classifier Service**, which will free up some extra resources for Indexer Service. diff --git a/docs/kb/dataclassification/resolving-index-and-license-key-related-errors-in-windows-services.md b/docs/kb/dataclassification/resolving-index-and-license-key-related-errors-in-windows-services.md new file mode 100644 index 0000000000..1166f285a8 --- /dev/null 
+++ b/docs/kb/dataclassification/resolving-index-and-license-key-related-errors-in-windows-services.md 
@@ -0,0 +1,119 @@ +--- +description: >- + Learn how to resolve index and license key-related errors reported in Windows + Services and ConceptSearching event logs by validating configuration, + restarting services, and resetting key validation. +keywords: + - ConceptSearching + - license key + - index keys + - CSE + - Windows Services + - conceptConfig + - ConceptIndexer + - ConceptCollectorService + - SQL +products: + - data-classification +sidebar_label: 'Resolving Index and License Key-Related Errors in ' +tags: [] +title: "Resolving Index and License Key-Related Errors in Windows Services" +knowledge_article_id: kA00g000000H9dsCAC +--- + +# Resolving Index and License Key-Related Errors in Windows Services + +## Overview + +During the initial installation process or in case of configuration changes, you may encounter one of the following errors prompted in Windows Services indicating an invalid license key: + +``` +The registered license key is invalid. +``` + +``` +The index files key is invalid. +``` + +``` +Index keys do not match. +``` + +These errors may be accompanied by the following errors in ConceptSearching event logs: + +``` +The registered license key is invalid. +``` + +``` +The Index files (CSE) key does not match the connected SQL database identifier. +``` + +To troubleshoot the issue, refer to the following steps: + +1. Validate the configuration. +2. Restart the Windows Services. +3. Reset the key validation. + +## Instructions + +### Step 1 − Validate the configuration + +Validate the configuration is as expected for all services/applications: + +1. Open each of the service/application config locations. Refer to the following default locations: + +```text +C:\Program Files\ConceptSearching\Services\ConceptCollectorService +``` + +```text +C:\Program Files\ConceptSearching\Services\ConceptIndexer +``` + +```text +C:\inetpub\wwwroot\conceptQS\bin +``` + +2. Run `conceptConfig.exe` in each location. + +3. 
Verify and validate each location to point to the following items: + +- Correct CSE file location, located in `C:\Program Files\ConceptSearching\conceptDB` by default. In a DQS environment, the CSE file location might differ in each separate server. +- Correct SQL database. + +4. If you're using Windows Authentication, ensure the services and application pools are configured to run under the correct user. You can verify this via `services.msc` and `inetmgr` respectively. + +### Step 2 − Restart the Windows Services + +After validating the configuration, restart the related services and confirm if the issue is resolved. If not − proceed to the Step 3. + +### Step 3 − Reset the key validation check + +The key validation check should be reset in case CSE files were: + +- Manually replaced. +- Moved from another system. +- Updated manually. + +> IMPORTANT: The validation check should be reset only after you've confirmed the configuration is correct. While resetting the validation will allow the services to begin processing files, it may lead to the index corruption (if services are pointing to wrong files). + +Refer to the following steps: + +1. Stop all services. + +2. Run the following SQL statement: + +- In a single server (non-DQS) environment: + +```sql +Environment: UPDATE Config SET LicenseKey = NULL +``` + +- In a DQS environment: + +```sql +UPDATE DQS SET LicenseKey = NULL +``` + +3. Restart the services. diff --git a/docs/kb/dataclassification/rolling_log_fix_error_nnt.hub.serviceclient.hubadapter_-_hubadapter.authenticate()_error_authenticat.md b/docs/kb/dataclassification/rolling_log_fix_error_nnt.hub.serviceclient.hubadapter_-_hubadapter.authenticate()_error_authenticat.md new file mode 100644 index 0000000000..e9e3e45e4e --- /dev/null +++ b/docs/kb/dataclassification/rolling_log_fix_error_nnt.hub.serviceclient.hubadapter_-_hubadapter.authenticate()_error_authenticat.md 
@@ -0,0 +1,75 @@ +--- +description: >- + This article addresses the "ERROR NNT.Hub.ServiceClient.HubAdapter - HubAdapter.Authenticate()" issue, detailing its symptoms, causes, and resolutions for affected Linux devices. +keywords: + - TLS error + - Netwrix Agent + - Linux device connection +products: + - data-classification +sidebar_label: Rolling Log Fix +tags: [] +title: "Rolling Log Fix: ERROR NNT.Hub.ServiceClient.HubAdapter - HubAdapter.Authenticate() Error Authenticating to Hub" +knowledge_article_id: kA04u0000000JjwCAE +--- + +# Rolling Log Fix: "ERROR NNT.Hub.ServiceClient.HubAdapter - HubAdapter.Authenticate() Error Authenticating to Hub" + +## Symptoms + +``` +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # +# Example Message: # +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + +2018-07-31 13:03:22,240 [HubClient-PollHubThreadProcessing] ERROR NNT.Hub.ServiceClient.HubAdapter - +HubAdapter.Authenticate() Error authenticating to hub at https://example.ip/api/ - Error writing headers (Error +while sending TLS Alert (Fatal:InternalError): System.IO.IOException: The authentication or decryption has failed. ---> +System.IO.IOException: EndRead failure ---> System.Net.Sockets.SocketException: Connection reset by peer +``` + +## Cause + +If you have recently disabled TLS 1.0/1.1 on your Windows Hub, it is likely that a few of your Linux devices are offline and cannot connect to your Hub (mostly disabled for audit/compliance standards). + +If the Linux device is currently at Mono 4.5, you will receive this error if you disable TLS 1.0/1.1 on your Windows Hub. + +Since Mono 4.5 has compatibility issues with TLS 1.2, you will need to upgrade Mono to a later version (Mono 5.0.1.1). Instructions below on how to install/remedy this issue. 
+ +## Resolution + +If you are receiving this error, the Netwrix Agent is **NOT** reporting to your hub. This is a critical error, and for monitoring to continue, it must be resolved. To resolve this error: + +1. Stop the Netwrix Agent Service: + ``` + # service nntgen7agent stop + ``` + +2. Download the [nnt-mono-5.0.1.1-5.x86_64.rpm](https://dl.netwrix.com/products/utilities/ChangeTracker/nnt-mono-5.0.1.1-5.x86_64.rpm) package. + +3. Copy the download over to a directory on the Linux device (e.g., `/tmp` directory). + +4. Change directory to that folder: + ``` + # cd /tmp + ``` + +5. Next, upgrade to the downloaded mono package: + ``` + # rpm -Uvh nnt-mono-5.0.1.1-5.x86_64.rpm + ``` + +6. Start the Netwrix Agent Service: + ``` + # service nntgen7agent start + ``` + +This will need to be done to all Linux devices that have been disconnected and show this error. + +### Related Articles + +- [Hub Offline, connection retries exhausted (The remote server returned an error: (403) Forbidden)](https://kb.netwrix.com/8307) +- [ERROR HubDetails - Crypto error. Has the agent process account changed since the password data was entered?](https://kb.netwrix.com/8287) +- [ERROR NNT.Hub.ServiceClient.HubAdapter - HubAdapter.Authenticate() Error Authenticating to Hub at https://.../api/ - Error Writing Headers (Error While Sending TLS Alert (Fatal:InternalError):](https://kb.netwrix.com/8364) +- [Script Error Executing Line 6: ExecuteAndCaptureChunked - /NNT_FILEHASH_LINUX_X64: Permission Denied (AGENTLESS LINUX)](https://kb.netwrix.com/8253) +- [Hub Connection Failed (403 Server Message: IP Address Blocked: Login Failures)](https://kb.netwrix.com/8171) \ No newline at end of file diff --git a/docs/kb/dataclassification/search-logic-netwrix-data-classification.md b/docs/kb/dataclassification/search-logic-netwrix-data-classification.md new file mode 100644 index 0000000000..e02762d698 --- /dev/null +++ b/docs/kb/dataclassification/search-logic-netwrix-data-classification.md 
@@ -0,0 +1,58 @@ +--- +description: >- + How to restrict search results by using keywords, phrases, and operators in + Netwrix Data Classification. Explains required and excluded term syntax and + spacing rules, including Compound Term Processing behavior. +keywords: + - search + - keywords + - compound term processing + - operators + - required terms + - excluded terms + - Netwrix Data Classification +products: + - data-classification +sidebar_label: Search Logic - Netwrix Data Classification +tags: [] +title: "Search Logic - Netwrix Data Classification" +knowledge_article_id: kA04u000000XmDXCA0 +--- + +# Searching + +Restrict the search results by the specified keywords or phrases. When Compound Term Processing is enabled, enclosing multiple words in double quotes (") will perform a search for that phrase. + +--- + +## Required Terms + +The plus operator may be used to mark individual words and concepts as mandatory. For example: + +`tennis +Wimbledon` + +This example will search for the words “tennis” and “Wimbledon” but all documents returned would need to contain the second word. Quotation marks may be used to identify a mandatory concept. For example: + +`tennis +"Wimbledon Championships"` + +Here the concept “Wimbledon Championships” would be required in every document returned. When using the plus operator, there must be no spaces between the plus sign and the mandatory word (or concept). In the below example the plus sign is ignored. + +`tennis +Wimbledon` + +## Excluded Terms + +The minus operator may be used to mark individual words or concepts as excluded. For example: + +`tennis -Wimbledon` + +This example will search for the word “tennis”, but will exclude any document containing the word “Wimbledon”. Quotation marks may be used to identify an excluded concept. For example: + +`tennis -"Wimbledon Championships"` + +This example will search for the word “tennis”, but will exclude any document containing the concept “Wimbledon Championships”. 
When using the minus operator, there must be no spaces between the minus sign and the excluded word (or concept). In the below example the minus sign is ignored, because it is followed by a space. + +`tennis - Wimbledon` + +When using the minus operator, there must be a space preceding the minus sign (unless it is at the start of a new line). In the below example the minus sign is ignored, because it is not preceded by a space. + +`Wimbledon-fortnight` diff --git a/docs/kb/dataclassification/service-account-password-reset-for-netwrix-data-classification.md b/docs/kb/dataclassification/service-account-password-reset-for-netwrix-data-classification.md new file mode 100644 index 0000000000..b8d8595ee3 --- /dev/null +++ b/docs/kb/dataclassification/service-account-password-reset-for-netwrix-data-classification.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Shows where to update the service account password after resetting it for + Netwrix Data Classification, including Windows services, ConceptConfig + locations, IIS application pool, and taxonomy global settings. +keywords: + - service account + - password reset + - Netwrix Data Classification + - IIS + - ConceptConfig + - Application Pool + - taxonomy + - conceptQS +products: + - data-classification +sidebar_label: Service Account Password Reset for Netwrix Data Cl +tags: [] +title: "Service Account Password Reset for Netwrix Data Classification" +knowledge_article_id: kA04u000000XmHKCA0 +--- + +# Service Account Password Reset for Netwrix Data Classification + +## Overview + +After resetting the service account password for Netwrix Data Classification there are several locations within the product and IIS that you must update to reflect this change. This article shows where you need to supply the new password. + +## Services + +![User-added image](images/ka0Qk000000455x_0EM4u000001rDFz.png) + +Update the **Logon As** value for each of the services listed above to reflect the password change. + +## ConceptConfig + +Navigate to each of the locations below. These locations control the SQL database connection and the account used to make that connection. Update the account credentials for all three locations. + +1. `C:\Program Files\ConceptSearching\Services\ConceptCollectorService\conceptConfig.exe` +2. `C:\inetpub\wwwroot\conceptQS\bin\conceptConfig.exe` +3. `C:\Program Files\ConceptSearching\Services\conceptIndexer\conceptConfig.exe` + +## IIS + +Open IIS and click **Application Pools** on the left-hand pane. Right-click on the **conceptQSAppPool** and click **Advanced Settings**. + +Find the **Identity** and update the password to match the new password for the account, then restart the application pool. 
+ +![User-added image](images/ka0Qk000000455x_0EM4u000001rDGn.png) + +## Taxonomy Global Settings + +Navigate to `http://hostname/conceptQS/Taxonomies/GlobalSettings` and confirm the status of each taxonomy. Find the faulting termsets and update the credentials for each. diff --git a/docs/kb/dataclassification/synchronizing-term-sets-using-the-concepttermstoragemanager.md b/docs/kb/dataclassification/synchronizing-term-sets-using-the-concepttermstoragemanager.md new file mode 100644 index 0000000000..22a1d5af27 --- /dev/null +++ b/docs/kb/dataclassification/synchronizing-term-sets-using-the-concepttermstoragemanager.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Use the conceptTermStoreManager to synchronize term set structures between two + SharePoint instances. This article provides step-by-step instructions and + screenshots. +keywords: + - SharePoint + - term set + - term store + - conceptTermStoreManager + - synchronize + - taxonomy + - term group + - Process Deletions + - Report Only +products: + - data-classification +sidebar_label: Synchronizing Term Sets using the conceptTermStora +tags: [] +title: "Synchronizing Term Sets using the conceptTermStorageManager" +knowledge_article_id: kA04u000000XmGMCA0 +--- + +# Synchronizing Term Sets using the conceptTermStorageManager + +Synchronize term set structures between two SharePoint instances via the conceptTermStoreManager using the steps listed in this article + +--- + +## Procedure + +1. Navigate to `C:\inetpub\wwwroot\conceptQS\bin\conceptTermStoreManager.exe` +2. Run the `conceptTermStoreManager.exe` and observe the following screen: + - ![User-added image](images/ka04u000000HdG0_0EM4u000001rAVf.png) +3. Click the **Synchronise** box +4. Enter the **Source SharePoint farm** and **Destination SharePoint farm** URLs +5. Provide credentials that have access to the Term Store +6. Click **Next** +7. Check the boxes for each desired term set +8. Use the drop down box to select an action + - ![User-added image](images/ka04u000000HdG0_0EM4u000001rAVp.png) + - In this example, the **Regions** term set will be merged into the existing term sets in the **Taxonomies** term group +9. Click **Next** +10. 
Review the summary on the final page + - ![User-added image](images/ka04u000000HdG0_0EM4u000001rAW9.png) + - If you wish to ensure terms not found in the source are removed from the destination (Matching GUID), check the **Process Deletions** box + - If you wish to prevent any changes from occurring in the destination, check the **Report Only** box + - Any changes that would have been made to term sets will be logged to the individual term sets logs, which are visible by clicking the **View Log File** link. + - Optional advanced options can be found by clicking the **Advanced** button. +11. Click **Begin Synchronisation** diff --git a/docs/kb/dataclassification/text-not-being-extracted-from-zip-files.md b/docs/kb/dataclassification/text-not-being-extracted-from-zip-files.md new file mode 100644 index 0000000000..47f56a34ef --- /dev/null +++ b/docs/kb/dataclassification/text-not-being-extracted-from-zip-files.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Explains that `.zip` files are classified based on the combined content of + their documents and instructs you to install the Microsoft Filter Pack so + Netwrix Data Classification can extract text from ZIP archives. +keywords: + - zip + - .zip + - text extraction + - ifilters + - Filter Pack + - NDC server + - DQS cluster + - Netwrix Data Classification + - classification + - zip files +products: + - data-classification +sidebar_label: Text not being extracted from ZIP files +tags: [] +title: "Text not being extracted from ZIP files" +knowledge_article_id: kA04u0000000H69CAE +--- + +# Text not being extracted from ZIP files + +## Expected Behavior + +`*.zip` files should be classified based on the sum of their content. This means that the documents within are read as a single file and the `.zip` is classified as a whole. + +## Issue + +When you review `.zip` files in the Netwrix Data Classification interface you may realize that no text has been extracted from them and they are therefore not being classified based on their content. + +## Resolution + +To extract text from a `.zip` file Netwrix Data Classification uses **ifilters**. For `.zip` files, [this filter pack](https://download.microsoft.com/download/0/A/2/0A28BBFA-CBFA-4C03-A739-30CCA5E21659/FilterPack64bit.exe) must be installed on the NDC server (or each server in a DQS cluster). diff --git a/docs/kb/dataclassification/using-sharepoint-modern-authentication.md b/docs/kb/dataclassification/using-sharepoint-modern-authentication.md new file mode 100644 index 0000000000..adf464ac37 --- /dev/null +++ b/docs/kb/dataclassification/using-sharepoint-modern-authentication.md 
@@ -0,0 +1,92 @@ +--- +description: >- + This article describes how to configure Sharepoint modern authentication by + preparing an application certificate, registering an app in Microsoft Entra + ID, granting required permissions, uploading the certificate, and obtaining + the Tenant ID for use with Netwrix Data Classification. +keywords: + - Sharepoint + - Microsoft Entra ID + - certificate + - app registration + - Netwrix Data Classification + - Tenant ID + - Sites.FullControl.All + - TermStore.ReadWrite.All +products: + - data-classification +sidebar_label: Using Sharepoint Modern Authentication +tags: [] +title: "Using Sharepoint Modern Authentication" +knowledge_article_id: kA04u0000000K8wCAE +--- + +# Using Sharepoint Modern Authentication + +## Step 1: Preparing an Application Certificate + +Prepare the application certificate as follows: + +1. Create (or load) an IIS certificate on NDC Server (recommended). + **NOTE**: This certificate should be installed for the local machine so that it can be accessed by Netwrix Data Classification and other services. +2. Export the certificate (`.CER` file): + 1. Open the certificate in IIS management console. + 2. Go to the Details tab. + 3. Select Copy to File. + **NOTE**: Do not export private key. + 4. Set file type to DER-encoded `CER`. + +## Step 2: Creating and Registering a New App in Microsoft Entra ID (formerly Azure AD) + +To register a new application, do the following: + +1. Sign into the **Microsoft 365 Admin Center** (with your Global Administrator, Application Administrator or Cloud Application Administrator account). +2. Search for and select the **Microsoft Entra admin center**. +3. Under the Azure Directory select the **App registrations** section. +4. Select **New registration**. + ![Picture1.png](images/ka0Qk0000000wyT_0EM4u000004dBat.png) +5. In the **Name** field, enter the application name. +6. 
In the **Supported account types** select who can use this application – use the **Accounts in this organizational directory only** option. +7. Click the **Register** button. + ![Picture2.png](images/ka0Qk0000000wyT_0EM4u000004dBay.png) + **NOTE**: Application redirect URL is optional; you can leave it blank on this step. +8. Copy your application ID from the **Overview** section to a safe location. + +## Step 3: Granting Required Permissions + +Next, you need to grant your new application the required API permissions. Azure AD applications can be assigned *Delegated* or *Application* permissions: + +- Delegated permissions require a signed-in user present who consents to the permissions every time an API call is sent. +- Application permissions are consented by an administrator once granted. + +For the newly created app, you should use *Application* permissions. +**NOTE**: By default, a new application is granted one delegated permission for **Microsoft Graph API – User.Read.** It is not required and can be removed. + +Do the following: When found, click on the entry and proceed with adding the necessary permissions. The steps from here on remain the same, so in most cases you would need the Application permissions entry, and the relevant set of permissions therein. + +1. Select the relevant entries, then click **Add permissions**. +2. On the **Request API permissions → Microsoft APIs** pane, scroll down and select **SharePoint**. +3. Select **Application Permissions**. +4. Apply the following permissions: + 1. Graph – Application permissions (With admin consent granted) + - `Sites.FullControl.All` (Crawling) + 2. SharePoint – Application permissions (With admin consent granted) + - `Sites.FullControl.All` (Crawling) + - `TermStore.ReadWrite.All` (Term Set access) + **NOTE**: For taxonomy manager to fully operate you must also make the user `app@sharepoint` a taxonomy admin (or group admin) + ![Picture3.png](images/ka0Qk0000000wyT_0EM4u000004dBb3.png) +5. 
Click **Add permissions**. + +## Step 4: Configuring Certificates & Secrets + +Having configured the app, you can upload its application certificate. + +1. In the app settings, click **Certificates & secrets** and select **Upload certificate**. +2. Upload the `.CER` file you prepared in Step 1: Preparing an Application Certificate (see /docs/data-classification/5.6.2/ndc/configuration-infrastructure). +3. Copy the certificate thumbprint to a safe location. + +## Step 5: Obtaining Tenant ID + +1. Open **Microsoft Entra admin center**. +2. Select **Azure Active Directory > Overview** section for the required Exchange Online organization. +3. Locate the **Tenant ID** and copy it to a safe location. diff --git a/docs/kb/dataclassification/warning-indexer-service-has-been-improperly-shutdown.md b/docs/kb/dataclassification/warning-indexer-service-has-been-improperly-shutdown.md new file mode 100644 index 0000000000..c4386cd22a --- /dev/null +++ b/docs/kb/dataclassification/warning-indexer-service-has-been-improperly-shutdown.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Explains the cause and resolution for the "Indexer service has been improperly + shutdown." warning in Netwrix Data Classification, including steps to inspect + lock archive files and Windows Application logs to identify the root cause. +keywords: + - indexer + - lock archive + - Netwrix Data Classification + - indexer service + - shutdown + - warning + - lock files + - troubleshooting +products: + - data-classification +sidebar_label: 'Warning: Indexer Service Has Been Improperly Shutd' +tags: [] +title: 'Warning: Indexer Service Has Been Improperly Shutdown' +knowledge_article_id: kA04u000000wnpJCAQ +--- + +# Warning: Indexer Service Has Been Improperly Shutdown + +## Symptom + +The following warning appears in Netwrix Data Classification: + +```text +Indexer service has been improperly shutdown. +``` + +## Cause + +This message occurs if the Indexer service has been forcibly stopped, such as by **Task Manager** -> **End Task**, or via a machine restart. + +## Resolution + +To identify the root cause of the issue, open the lock files in the lock archive and check the date and time of the last recorded activity: + +1. On the computer that hosts Netwrix Data Classification, navigate to the lock archive location. + + The location of the lock archive should be called out in the warning message, but the default location is `C:\Program Files\Netwrix\Data Classification\Index\LockArchive`. + +2. Open the Lock Archive with a text editor, such as **Notepad**. + +3. Find the date and time of the last recorded activity. This will help you to understand when the indexer was shutdown improperly. + +4. Review the **Windows Application** logs to look for potential causes, such as a machine reboot, and speak to any users who were logged on to the machine at that time and may know what was happening. + +5. When the cause has been identified, you can resolve the issue. Use suspended services if your machine did automatic Windows updates. 
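Review bot: Resolution step 5 ends with "Use suspended services if your machine did automatic Windows updates." but nothing in the article says what a suspended service is or where it is configured, so the reader reaches the fix with no action to take. Spell out the steps or link to the page that documents the feature. Step 4 points only at the **Windows Application** logs for causes "such as a machine reboot", while Windows records restarts and unexpected shutdowns in the System log, so name that log as well. Step 2 says to open "the Lock Archive" in a text editor although step 1 gives it as a folder location; say which files inside it to open. The `sidebar_label` is also cut off at "Improperly Shutd".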
diff --git a/docs/kb/dataclassification/what-usage-and-license-data-is-sent-to-netwrix-by-netwrix-data-classification.md b/docs/kb/dataclassification/what-usage-and-license-data-is-sent-to-netwrix-by-netwrix-data-classification.md new file mode 100644 index 0000000000..5307cf03a9 --- /dev/null +++ b/docs/kb/dataclassification/what-usage-and-license-data-is-sent-to-netwrix-by-netwrix-data-classification.md @@ -0,0 +1,45 @@ +--- +description: >- + This article explains what usage and license data Netwrix Data Classification + sends to Netwrix. It confirms that collected sensitive data remains + on-premises and lists the specific telemetry counters transmitted. +keywords: + - usage + - license + - telemetry + - data-classification + - on-premises + - sensitive-data + - taxonomies + - sources +products: + - data-classification +sidebar_label: 'What usage and license data is sent to Netwrix by ' +tags: [] +title: "What usage and license data is sent to Netwrix by Netwrix Data Classification" +knowledge_article_id: kA04u0000000JvTCAU +--- + +# What usage and license data is sent to Netwrix by Netwrix Data Classification + +## Question + +I want to know if sensitive data is sent outside of my IT Infrastructure by Netwrix Data Classification. + +## Answer + +All collected data remains on-prem. The product does send usage statistics, however. This includes the following high level / counter information: + +### Top Level + +- Licence information (licensee, expiry date, features enabled) +- Number of custom taxonomies +- Number of sensitive data taxonomies (# of our predefined taxonomies that have been enabled) + +### Per Source Type + +- Number of sources +- Is tagging licenced? +- Number of documents in source +- GB of content in source +- Average text length of content in source 
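Review bot: the Answer section lists which counters are sent but not where they go, over what transport, or whether the transmission can be turned off. An administrator vetting outbound traffic needs exactly that, so add it or link to where it is documented. "All collected data remains on-prem." is followed directly by a list that includes the licensee and per-source document counts and sizes, so state plainly that "collected data" means document content and classification results rather than these counters. The `sidebar_label` is truncated after "by " and keeps a trailing space, and the body's "Licence" and "licenced" disagree with "license" in the title and description.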
diff --git a/docs/kb/dataclassification/workflow-isn-t-running-or-is-running-unexpectedly.md b/docs/kb/dataclassification/workflow-isn-t-running-or-is-running-unexpectedly.md new file mode 100644 index 0000000000..2daa604436 --- /dev/null +++ b/docs/kb/dataclassification/workflow-isn-t-running-or-is-running-unexpectedly.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Step-by-step guidance to troubleshoot workflows in Netwrix Data Classification + when they do not run, run unexpectedly, or when documents are misclassified. +keywords: + - workflow + - classification + - troubleshooting + - logs + - reclassify + - Windows Event Logs + - trace logging + - document migration +products: + - data-classification +sidebar_label: Workflow Isn't Running or Is Running Unexpectedly +tags: [] +title: Workflow Isn't Running or Is Running Unexpectedly +knowledge_article_id: kA0Qk0000000PpdKAE +--- + +# Workflow Isn't Running or Is Running Unexpectedly + +## Overview + +This article offers step-by-step guidance for resolving common workflow issues. Whether your workflow isn't working, runs unexpectedly, or documents are misclassified, the guide provides solutions for each scenario. + +## Instructions + +### Workflow isn't running + +1. Please make sure that the workflow is enabled. +2. Go to the **Log** section and check if there were attempts to run the workflow for the document. Depending on the result, follow one of the instructions below: + + - **There was a successful attempt to run the workflow** – Check the workflow action configuration. Then enable workflow trace logging and reclassify the document. Check the Windows Event Logs for details of any issues. (e.g., skipping redaction because the file type isn't supported). + + - **Failed to run the workflow** – A basic error message will be displayed that may assist you with troubleshooting the issue. If it doesn't give enough details, then enable workflow trace logging and reclassify the document. Check the Windows Event Logs for details of any issues. + + - **No attempts to run the workflow** – Check that the conditions are configured correctly for the workflow and workflow rule. If the workflow and workflow rules are configured correctly, then check the classifications of the document. 
If the classifications aren't as expected, then please reference the following documentation for the troubleshooting steps: /docs/kb/data-classification/classification_troubleshooting (Classification Troubleshooting). + +3. Filter the workflow logs and check if there are other workflows being run for the document. Workflows run in a priority order. If there is more than one migration action, then the second migration will fail as the document has already been moved. + +### Workflow is running unexpectedly + +This typically means that the document has a classification that isn't expected to have or that the conditions in the workflow rule are not configured correctly. + +1. Check the workflow rule conditions. Pay attention to the parameters. Learn more about rule configuration and description of classification rules: /docs/data-classification/5.7/ndc/admin-guide/workflows/advancedwindow (Configure a Workflow using Advanced dialog ⸱ v5.7) + +2. Check the document's classifications. If there is a classification that is not intended, then reference the following documentation for troubleshooting steps: /docs/kb/data-classification/classification_troubleshooting (Document isn't classified as expected) diff --git a/docs/kb/directorymanager/_category_.json b/docs/kb/directorymanager/_category_.json new file mode 100644 index 0000000000..209a45df71 --- /dev/null +++ b/docs/kb/directorymanager/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Troubleshooting Articles", + "position": 999, + "collapsed": true, + "collapsible": true +} \ No newline at end of file diff --git a/docs/kb/directorymanager/add-active-directory-attribute-to-replication-schema.md b/docs/kb/directorymanager/add-active-directory-attribute-to-replication-schema.md new file mode 100644 index 0000000000..6b22122b40 --- /dev/null +++ b/docs/kb/directorymanager/add-active-directory-attribute-to-replication-schema.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Add new or custom Active Directory (AD) attributes to the Netwrix Directory + Manager replication schema so they are included in replication to the + Elasticsearch repository. +keywords: + - directory manager + - replication schema + - active directory + - attributes + - Elasticsearch + - schema replication + - identity store + - Smart Group + - replication attributes +products: + - directory-manager +sidebar_label: Add Active Directory Attribute to Replication Sche +tags: [] +title: "Add Active Directory Attribute to Replication Sche" +knowledge_article_id: kA0Qk0000002EdBKAU +--- + +# Add Active Directory Attribute to Replication Sche + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +Add new or custom Active Directory (AD) attributes to the Netwrix Directory Manager (formerly GroupID) replication schema so they are included in replication to the Elasticsearch repository. + +## Instructions + +### When to Add a New Attribute + +- You have defined a new custom attribute in AD and want to use it with Netwrix Directory Manager. +- An attribute does not appear in the Smart Group criteria, roles, or filters. + +### Steps to Add a New AD Attribute to the Replication Schema + +1. Identify the custom or existing AD attribute that is missing from roles, filters, or Smart Group criteria in Netwrix Directory Manager. +2. Log in to the Netwrix Directory Manager Admin Centre. +3. In the navigation pane, select the **Identity Stores** tab. Click the three-dot icon next to the required identity store, and select **Edit**. + ![Options menu for Identity Store in Directory Manager 11](images/ka0Qk000000EMa9_0EMQk00000BZenT.png) +4. In the **Settings** pane, locate **Schedules**. Find the **Schema Replication** schedule, click the three-dot icon and select **Run**. + ![Running the Schema Replication schedule in Directory Manager 11](images/ka0Qk000000EMa9_0EMQk00000BZfd5.png) +5. 
Wait five to ten minutes for the schema replication to complete. +6. In the **Settings** pane, select the **Replication** tab. Click **Add Replication Attributes**. + ![Add Replication Attributes in Replication Settings in Directory Manager 11](images/ka0Qk000000EMa9_0EMQk00000BZgCY.png) +7. In the prompt, search for the new or missing attribute, select it, and click **Save**. + ![Searching for attributes in Replication Settings in Directory Manager 11](images/ka0Qk000000EMa9_0EMQk00000BZgUI.png) diff --git a/docs/kb/directorymanager/add_a_future_date_in_a_description_field.md b/docs/kb/directorymanager/add_a_future_date_in_a_description_field.md new file mode 100644 index 0000000000..a38fe3d6d5 --- /dev/null +++ b/docs/kb/directorymanager/add_a_future_date_in_a_description_field.md 
@@ -0,0 +1,49 @@ +--- +description: >- + This article explains how to automatically add a future date to the Description field of a user account in Netwrix Directory Manager, streamlining offboarding and account management processes. +keywords: + - future date + - Description field + - Netwrix Directory Manager +sidebar_label: Add Future Date to Description Field +tags: [] +title: "Add a Future Date in a Description Field" +knowledge_article_id: kA0Qk0000002bJdKAI +products: + - directory-manager +--- + +# Add a Future Date in a Description Field + +## Related Queries + +- "Add a future date in a Description field." +- "Is it possible to add the following text and a future date to the Description field: 'User Terminated – Delete On '" + +## Overview + +This article explains how to automatically add a future date to the **Description** field of a user account in **Netwrix Directory Manager** (formerly GroupID) Synchronize. This is useful for marking when a terminated employee's account should be deleted, streamlining offboarding and account management processes. + +## Instructions + +1. Open the **Synchronize** portal and click **All Jobs** in the left pane. +2. Select the Synchronize job you want to edit and click **Edit**. +3. On the **Map Fields** page, click the **Transform** button for the **Description** field. + + ![Map Fields page with Transform button for Description field highlighted](./images/servlet_image_9047bdcaeea4.png) + +4. In the **Transform** dialog box, select **Script** from the dropdown menu. + + ![Transform dialog box with Script option selected in dropdown menu](./images/servlet_image_abc59d241180.png) + +5. Copy and paste the following script into the Script Editor: + + ```vbnet + Dim newDate As DateTime = DateTime.Now.AddDays(30) + DTM.Result = "User Terminated – Delete On " & newDate.ToString("yyyy-MM-dd") + ``` + +6. Click the **Build** button at the top of the Script Editor to test the script. 
In the dialog box, click **Run Script** to verify the output. +7. Save your changes to the Synchronize job. + +> **NOTE:** You can adjust the number of days by changing the value in `AddDays(30)` to any desired period. \ No newline at end of file diff --git a/docs/kb/directorymanager/add_the_organizational_unit_field_to_the_my_groups_page.md b/docs/kb/directorymanager/add_the_organizational_unit_field_to_the_my_groups_page.md new file mode 100644 index 0000000000..5f8d5edd80 --- /dev/null +++ b/docs/kb/directorymanager/add_the_organizational_unit_field_to_the_my_groups_page.md 
@@ -0,0 +1,60 @@ +--- +description: >- + This article explains how to add the Organizational Unit (OU) field as a column on the My Groups page in Netwrix Directory Manager. +keywords: + - Organizational Unit + - Directory Manager + - My Groups page +sidebar_label: Add OU Field to My Groups Page +tags: [] +title: "Add the Organizational Unit Field to the My Groups Page" +knowledge_article_id: kA0Qk0000002Du1KAE +products: + - directory-manager +--- + +# Add the Organizational Unit Field to the My Groups Page + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows you to customize the portal to meet your organization's needs. You can add additional fields, such as the Organizational Unit (OU), to the My Groups page. The My Groups page displays the groups owned by the logged-in user and search results for group queries. This article explains how to add the Organizational Unit field as a column on the My Groups page. + +![Default My Groups page in Directory Manager portal](./images/servlet_image_c404394cf047.png) + +## Instructions + +### Add the Organizational Unit Column to the My Groups Page + +1. In the **Directory Manager Admin Console**, select **Application > Directory Manager Portals > [required portal]**. +2. Click the three-dot icon and go to **Settings > Design Settings**. +3. Select the identity store, then go to the **Search Forms** tab and select **Search Results**. +4. In the **Name** list, select **Groups** and click **Edit**. + + ![Editing Groups search results in Directory Manager portal](./images/servlet_image_f5da28b187d5.png) + +5. On the **Edit Search Results** dialog, click **Add Field**. + + ![Add Field dialog in Directory Manager portal](./images/servlet_image_19079df456f0.png) + +6. In the Add Field dialog box, enter the following: + - From the **Field** list, select *DistinguishedName*. + - In the **Display Name** box, enter *Organizational Unit* or *OU*. 
This text will appear as the field name in the portal. + - In the **Tooltip** box, keep the default text (for example, *WEB_Type_changes*). + - From the **Display Type** list, select *Text*. + +7. Click **OK**. + + ![Organizational Unit field added in Directory Manager portal](./images/servlet_image_018060635225.png) + +8. On the Edit Search Results dialog, drag the fields to change their order if needed and click **OK**. +9. Click **Save** in the design settings. + + ![Saving design settings in Directory Manager portal](./images/servlet_image_f80fc6a9eeb4.png) + +10. Refresh your Directory Manager portal page. The Organizational Unit column will now be displayed on the My Groups page. + + ![My Groups page with Organizational Unit column in Directory Manager portal](./images/servlet_image_05bf02c09996.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/adjust-heap-size-for-elasticsearch-service.md b/docs/kb/directorymanager/adjust-heap-size-for-elasticsearch-service.md new file mode 100644 index 0000000000..efc002a0dd --- /dev/null +++ b/docs/kb/directorymanager/adjust-heap-size-for-elasticsearch-service.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Shows how to increase the Java heap size for the Elasticsearch service in + Netwrix Directory Manager 11.1 by editing the registry values for `-Xms` and + `-Xmx` and restarting the service. +keywords: + - Elasticsearch + - heap size + - Xms + - Xmx + - registry + - GroupIDElasticSearchService11 + - Netwrix Directory Manager + - memory +products: + - directory-manager +sidebar_label: Adjust Heap Size for Elasticsearch Service +tags: [] +title: "Adjust Heap Size for Elasticsearch Service" +knowledge_article_id: kA0Qk0000002CRhKAM +--- + +# Adjust Heap Size for Elasticsearch Service + +## Applies To +Netwrix Directory Manager 11.1 + +## Overview +This article explains how to increase the Java heap size for the Elasticsearch service in Netwrix Directory Manager v11.1. Adjusting the heap size can improve search performance and help prevent memory-related issues. + +Elasticsearch relies on allocated heap memory for storing and processing data. If the heap size is too small, it can cause performance degradation or service instability. Allocating too much memory can also negatively affect system resources. + +Heap size settings are defined in the registry and control the minimum and maximum memory allocated to Elasticsearch: + +- `-Xms`: Initial heap size +- `-Xmx`: Maximum heap size + +It is recommended to set both values to the same amount to maintain performance consistency. + +## Instructions +1. Open the **Registry Editor** on the server running Elasticsearch. +2. Navigate to the following registry path: + `HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\GroupIDElasticSearchService11\Parameters\Java` +3. Locate the parameters for heap size: + - `-Xms` (Initial heap size) + - `-Xmx` (Maximum heap size) +4. Modify both values as needed. For example, to allocate 4 GB of memory: + - `-Xms4g` + - `-Xmx4g` + + > **NOTE:** Make sure both `Xms` and `Xmx` values are the same. + +5. 
![Registry Editor showing Xms and Xmx heap size parameters for Elasticsearch](images/ka0Qk000000Dv0T_0EMQk00000BSBWr.png) +6. Close the **Registry Editor** after saving the changes. +7. Restart the **GroupIDElasticSearchService11** service for the changes to take effect. + +> **NOTE:** To restart the service, open **Services** (`services.msc`), locate **GroupIDElasticSearchService11**, right-click it, and select **Restart**. diff --git a/docs/kb/directorymanager/allow_unauthenticated_users_to_send_email_to_a_distribution_list.md b/docs/kb/directorymanager/allow_unauthenticated_users_to_send_email_to_a_distribution_list.md new file mode 100644 index 0000000000..2c3f3d85ae --- /dev/null +++ b/docs/kb/directorymanager/allow_unauthenticated_users_to_send_email_to_a_distribution_list.md 
@@ -0,0 +1,59 @@ +--- +description: >- + This article explains how to allow unauthenticated users to send email to a distribution list in Netwrix Directory Manager by exposing the msExchRequireAuthToSendTo attribute. +keywords: + - unauthenticated users + - distribution list + - msExchRequireAuthToSendTo +sidebar_label: Allow Unauthenticated Users to Send Email +tags: [] +title: "Allow Unauthenticated Users to Send Email to a Distribution List" +knowledge_article_id: kA0Qk0000002Rs9KAE +products: + - directory-manager +--- + +# Allow Unauthenticated Users to Send Email to a Distribution List + +## Overview + +By default, Netwrix Directory Manager (formerly GroupID) and Active Directory require that only authenticated users can send email to a distribution group. However, you can allow unauthenticated users to send email by exposing the **msExchRequireAuthToSendTo** attribute as a checkbox in the New Group wizard or group properties in the User portal. Clearing this checkbox allows unauthenticated users to send email to the group. + +## Instructions + +### Expose the msExchRequireAuthToSendTo Attribute in the User Portal + +1. In the Admin Center, select **Applications**. +2. Under **Directory Manager Portal**, click the three-dot icon for your portal and select **Settings**. + + ![Accessing portal settings in Directory Manager Admin Center](./images/servlet_image_891532e4d16b.png) + +3. On the **Server Settings** tab, select your portal under **Design Settings**. + + ![Selecting portal under Design Settings](./images/servlet_image_a56a10d1994f.png) + +4. Select **Create Object**. From **Select Directory Object**, select **Group** and click the **+** icon. + + ![Create Object wizard in Directory Manager portal](./images/servlet_image_135aec2587e8.png) + +5. Give a name to the new category and select a visibility role for it. + + ![Naming new category and selecting visibility role](./images/servlet_image_796ef8c36739.png) + +6. 
Click **Add Field** and select the **msExchRequireAuthToSendTo** attribute in the **Field** list. Specify a display name for the field, such as *Requires that all senders are authenticated*. From the **Display Type** list, select **Check**. + + ![Adding msExchRequireAuthToSendTo field as a check box](./images/servlet_image_a910fcc95e21.png) + +7. Click **Advanced Options** and select the **Default value is checked** and **is Required** checkboxes. + + ![Advanced options for msExchRequireAuthToSendTo field](./images/servlet_image_3296dd82de6d.png) + +8. Click **OK** and save the configuration. + +### Test the Configuration + +1. Launch the User portal and create a distribution group. +2. You will see a new page in the wizard with the *Requires that all senders are authenticated* checkbox. +3. Clear this checkbox to allow unauthenticated users to send email to the distribution group. + + ![Requires that all senders are authenticated check box in New Group wizard](./images/servlet_image_c8b480052254.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/asset-export-utility-configuration.md b/docs/kb/directorymanager/asset-export-utility-configuration.md new file mode 100644 index 0000000000..9af2f540a7 --- /dev/null +++ b/docs/kb/directorymanager/asset-export-utility-configuration.md 
@@ -0,0 +1,80 @@ +--- +description: >- + Step-by-step instructions to migrate schedules and synchronize jobs from + Netwrix Directory Manager 10 to Netwrix Directory Manager 11 using the Asset + Export utility, including preparing the target server and copying required + folders. +keywords: + - Asset Export + - Directory Manager + - GroupID + - migrate schedules + - synchronize jobs + - ProgramData + - Reports + - encryption key +products: + - directory-manager +sidebar_label: Asset Export Utility Configuration +tags: [] +title: "Asset Export Utility Configuration" +knowledge_article_id: kA0Qk00000015thKAA +--- + +# Asset Export Utility Configuration + +## Overview + +This article provides step-by-step instructions for migrating schedules and synchronize jobs from Netwrix Directory Manager 10 to Netwrix Directory Manager 11 using the **Asset Export** utility. The process involves exporting assets from Directory Manager 10, preparing the Directory Manager 11 server, and importing the assets. + +## Instructions + +### Prepare the Directory Manager 11 Server + +- Ensure the Directory Manager 10 installation folder is present at the default location (`C:\Program Files\Imanami\GroupID10`) on the Directory Manager 11 server. +- Copy the Directory Manager 10 folder from `ProgramData` to the Directory Manager 11 server. + +### Export Assets from Directory Manager 10 + +1. Run the **Asset Export** utility on the Directory Manager 10 server. +2. Select the option **Directory Manager 10.0 to Directory Manager 11.0**. +3. Select the schedules and synchronize jobs to export. +4. Click **Export** and select a folder to save the exported assets. + +![Asset Export utility main screen on Directory Manager 10](images/ka0Qk0000004nIH_0EMQk000004nICn.png) ![Selecting schedules and synchronize jobs for export](images/ka0Qk0000004nIH_0EMQk000004nICo.png) ![Export folder selection dialog](images/ka0Qk0000004nIH_0EMQk000004nICp.png) + +### Provide the Encryption Key + +1. 
When prompted, enter the encryption key (passphrase) used for database encryption in Directory Manager 10. The key must match the one used in Directory Manager 10 SR 2. + +![Encryption key entry screen in Asset Export utility](images/ka0Qk0000004nIH_0EMQk000004nICq.png) + +### Copy Required Folders to Directory Manager 11 Server + +- Copy the default installation folder of Directory Manager 10 to the Directory Manager 11 server. + +![Default installation folder location for Directory Manager 10](images/ka0Qk0000004nIH_0EMQk000004nICr.png) + +- Copy the `ProgramData` location to the Directory Manager 11 server for synchronize jobs. + +![ProgramData folder for synchronize jobs](images/ka0Qk0000004nIH_0EMQk000004nICs.png) + +- Copy the `Reports` folder in ProgramData to the Directory Manager 11 server. + +![Reports folder in ProgramData on Directory Manager 11 server](images/ka0Qk0000004nIH_0EMQk000004nICt.png) + +> **NOTE:** The `schedules` and `synchronize job` folders should be empty (the Asset Export utility will import these files). However, for the `Reports` folder, copy reports from the Directory Manager 10 server for the respective schedules upgrade. + +### Import Assets into Directory Manager 11 + +1. Run the **Asset Export** utility on the Directory Manager 11 server. +2. Select **Directory Manager 10.0 to Directory Manager 11.0**. +3. Click **Browse**, select the exported file, and click **Import**. +4. The schedules and synchronize jobs will be imported into the respective folders on the Directory Manager 11 server. +5. After import, run the upgrade on the Directory Manager 11 server. 
+ +![Asset Export utility import screen on Directory Manager 11](images/ka0Qk0000004nIH_0EMQk000004nICu.png) ![Import progress screen](images/ka0Qk0000004nIH_0EMQk000004nICv.png) ![Imported schedules and synchronize jobs in Directory Manager 11](images/ka0Qk0000004nIH_0EMQk000004nICw.png) ![Upgrade process on Directory Manager 11 server](images/ka0Qk0000004nIH_0EMQk000004nICx.png) + +## Related Links + +- [How to Upgrade Directory Manager](/docs/directory-manager/latest/) diff --git a/docs/kb/directorymanager/best-practices-for-controlling-changes-to-group-membership.md b/docs/kb/directorymanager/best-practices-for-controlling-changes-to-group-membership.md new file mode 100644 index 0000000000..c3680b9102 --- /dev/null +++ b/docs/kb/directorymanager/best-practices-for-controlling-changes-to-group-membership.md 
@@ -0,0 +1,110 @@ +--- +description: >- + Describes best practices for controlling and monitoring changes to group + membership in Netwrix Directory Manager, including workflows, access controls, + Out of Bounds settings, and Management Shell restrictions. +keywords: + - group membership + - groups + - Netwrix Directory Manager + - Query Designer + - workflows + - access control + - Management Shell + - out of bounds + - self-service portal + - alerts +products: + - directory-manager +sidebar_label: Best Practices for Controlling Changes to Group Me +tags: [] +title: "Best Practices for Controlling Changes to Group Membership" +knowledge_article_id: kA0Qk0000000I4zKAE +--- + +# Best Practices for Controlling Changes to Group Membership + +## Applies To: + +- Netwrix Directory Manager 11 + +## Modules: + +- Netwrix Directory Manager Group Management +- Netwrix Directory Manager User Management +- Management Shell + +## Business Statement: + +Managing directory groups and using them to control access to resources is a critical job for IT administrators. Groups help manage mailing lists and enumerate permissions to resources. For these very reasons, groups should never be out of order and changes to group memberships must be tracked. + +In light of this, Netwrix Directory Manager offers some best practices that enable organizations to control changes to group memberships. + +## Netwrix Directory Manager Best Practices: + +Turns out, Netwrix Directory Manager is equipped with a host of features that allow IT administrators to keep a sharp eye on any changes that may occur in group membership. Controls can be applied at multiple levels, enabling administrators to view tentative membership changes before committing them. + +The following best practices act as preemptive and reactive measures to guard group membership: + +- Configure the Out of Bounds settings for an identity store. + + These settings enable you to specify the maximum number of members a group can have. 
+ + You can also set up a group membership update threshold, that compares the existing member count to the new member count in order to detect unusual and large changes to group membership. In the event of a threshold violation, Netwrix Directory Manager notifies the group owner or administrator via email, who can approve or deny the change. Click here for more: https://support.imanami.com/knowledgebase/article/KA-01200/en-us?how-to-prevent-massive-changes-to-group-membership + +- Define a workflow that is triggered when a user makes a change to the query of a Smart Group or Dynasty. + + In Netwrix Directory Manager, the Query Designer enables you to define membership update queries for Smart Groups and Dynasties. As a proactive measure, create a workflow for an identity store, that routes an approval request to an authorized approver when a user makes a change to this query in the Query Designer. The request must be approved for changes to take effect. Click here for more: https://imanami.microsoftcrmportals.com/knowledgebase/article/KA-01201/en-us + +- For a Netwrix Directory Manager portal, use the Visibility and Access controls to restrict user roles from viewing and updating Smart Group and Dynasty queries. + + Individual fields in a Self-Service portal are subject to the following controls: + + - **Visibility level** determines the security roles who can view a field in the portal. + - **Access level** determines the security roles that can update the value of a field using the portal. + + You can hide the Smart Group query and Dynasty query fields or render them as read-only in the portal for all except an authoritative user role. Click here for more: https://support.imanami.com/knowledgebase/article/KA-01199/en-us?how-to-control-access-and-visibility-on-the-group-query-in-the-self-service-portal + +- Allow selective security roles to access Netwrix Directory Manager Management Shell. 
+ + For a security role, you can choose to allow or deny access to a Netwrix Directory Manager client, such as Management Shell. Make sure only selective security roles have access to it for creating and updating groups. + +- Restrict access to the Netwrix Directory Manager server. + + To ensure that only authorized users log on to the Netwrix Directory Manager server, create a group with permissions on the Netwrix Directory Manager server and limit its membership to those users. + +These practices make use of workflows, access controls, and alerts to offer foolproof security for your groups, which in turn secure your organization. + +## References: + +- Netwrix Directory Manager Online Help topic: Workflows + /docs/directory-manager/11.0/groupid/admin-guidecenter/workflow + +- Netwrix Directory Manager Online Help topic: Query Designer dialog box + /docs/directory-manager/11.0/groupid/portal/group/querydesigner + +- Netwrix Directory Manager Online Help topic: Group Membership Settings + /docs/directory-manager/11.0/groupid/admin-guidecenter/identitystore/configurationure/directoryservice + +- Netwrix Directory Manager Online Help topic: Customize Object Properties + /docs/directory-manager/11.0/groupid/admin-guidecenter/mobileservice/design + +### Related Articles: + +- Walkthrough Search Policy - Define Scope and Filter Results + /docs/kb/directory-manager/walkthrough_search_policy_-_define_scope_and_filter_results + +- How To Enforce Users to Create Groups in a Specific OU + /docs/kb/directory-manager/how_to_enforce_users_to_create_groups_in_a_specific_ou + +- How To Import Members to a Group Using Self-Service Import Wizard + /docs/kb/directory-manager/how_to_import_members_to_a_group_using_self-service_import_wizard + +- How to Trigger a workflow When a User Сreates a Group + /docs/kb/directory-manager/how_to_trigger_a_workflow_when_a_user_сreates_a_group + +- How To Add Message Approvers in Group Properties in Self-Service + 
/docs/kb/directory-manager/how_to_add_message_approvers_in_group_properties_in_groupid_portal + +- Best Practices for Preventing Accidental Data Leakage + /docs/kb/directory-manager/best_practices_for_preventing_accidental_data_leakage diff --git a/docs/kb/directorymanager/best-practices-for-preventing-accidental-data-leakage.md b/docs/kb/directorymanager/best-practices-for-preventing-accidental-data-leakage.md new file mode 100644 index 0000000000..41a9f33dd8 --- /dev/null +++ b/docs/kb/directorymanager/best-practices-for-preventing-accidental-data-leakage.md 
@@ -0,0 +1,113 @@ +--- +description: >- + Best practices to prevent accidental internal and external data leakage when + using Netwrix Directory Manager, including role-based scope limits, group + creation controls, membership import methods, and mail-related safeguards. +keywords: + - directory-manager + - groups + - membership + - RBAC + - data-leak + - GAL + - security-roles + - bulk-import + - delivery-restrictions +products: + - directory-manager +sidebar_label: Best Practices for Preventing Accidental Data Leak +tags: [] +title: "Best Practices for Preventing Accidental Data Leakage" +knowledge_article_id: kA0Qk0000000IPxKAM +--- + +# Best Practices for Preventing Accidental Data Leakage + +## Applies To: +- Netwrix Directory Manager 10 or above + +## Business Scenario: +Our objective is to establish and enforce best practices to prevent external and internal data breaches while using Netwrix Directory Manager, ensuring the security and confidentiality of sensitive information. + +## Best Practices: +Following are some of the Best Practices to avoid any kind of external/internal Data breaches while using Netwrix Directory Manager. + +### Using Security Roles to Limit Scope of Search +Netwrix Directory Manager uses an RBAC model through which you can define Security Roles and delegate permissions to different users. You can set Netwrix Directory Manager search so that AD objects (for example, Groups, Users, Contacts) can only be searched within a specific OU and filtered based on Active Directory attributes. + +For more information on how to set up a limit on the search scope for a particular Security Role, visit the following KB article: + +- /docs/kb/directory-manager/walkthrough_search_policy_-_define_scope_and_filter_results (Walkthrough Search Policy - Define Scope and Filter Results) + +### Using Security Roles to Specify Specific Area Where Groups Can be Created or Have a Fixed and Hidden Path. 
+In Netwrix Directory Manager, you can apply policies to security roles so that role members use Netwrix Directory Manager in keeping with the policy restrictions. Netwrix Directory Manager’s New Object policy enables you to restrict role members to create new groups in a specific OU only. + +For more information on how to set up a New Object policy for specific security roles, visit the following KB article: + +- /docs/kb/directory-manager/how_to_enforce_users_to_create_groups_in_a_specific_ou (How To Enforce Users to Create Groups in a Specific OU) + +### Importing Membership via Netwrix Directory Manager Bulk Membership Import Feature for Groups +Many times, organizations create groups (Security and Distribution) in advance, i.e., before the actual usage of groups. To avoid any critical information being leaked out, it is recommended that such groups be created without populating membership upon creation. + +Instead, you can use the **Bulk Import Membership** feature of Netwrix Directory Manager to update groups with the correct memberships just before their actual usage starts. Bulk import allows for external source files like a CSV or an Excel sheet to import membership when it is needed. + +In Netwrix Directory Manager, bulk import of memberships is possible using the Import Wizard available in the Netwrix Directory Manager Portal. The following KB article provides step-by-step instructions to bulk import members into a group: + +- /docs/kb/directory-manager/how_to_import_members_to_a_group_using_self-service_import_wizard (How To Import Members to a Group Using Self-Service Import Wizard) + +### Creating Smart Group Without Updating Memberships +Another way to ensure that the group memberships do not update beforehand, if a group has been created in advance, is by just previewing the query results of a Smart group without updating the group memberships. + +A query-based dynamic *smart group* is one whose membership is determined by the supplied criteria. 
The results can be previewed but not acted upon until needed. Keeping out of the update schedule ensures that membership updates only occur when you manually trigger them. + +![User-added image](images/ka0Qk000000Dg6H_0EMQk000001iOqr.png) + +### Keep Group Hidden from GAL Until it is Ready to be Used +Keeping a group and its membership hidden from discoverability by external tools like Outlook can also help you comply with organizational policies for ensuring secrecy. + +Using the Netwrix Directory Manager Portal, if a mail-enabled group is created, you can hide the group and its membership from the Address Book and GAL in the following way: + +![User-added image](images/ka0Qk000000Dg6H_0EMQk000001iOsT.png) + +### Selecting Appropriate Security Type for Groups +During the creation of a group via the Netwrix Directory Manager Portal, you can designate the security type as Private, Semi-Private, or Public. This classification, serving as a pseudo attribute within Netwrix Directory Manager, governs the permission levels for joining the group. It is always recommended to choose Private as the Security Type for sensitive groups. + +- **Private** – A closed group where the group owner solely determines group membership. +- **Semi-Private** – The group owner approves users' requests to join or leave the group. +- **Public** – An open group that anyone can join or leave. + +### Setting up Delivery Restrictions on Mail-Enabled Groups +It is always recommended to ensure/limit the inflow of email messages received by critical groups in the production environment. Netwrix Directory Manager allows you to set Delivery Restrictions on such groups by leveraging the `AuthOrig` and `UnAuthOrig` attributes from Active Directory. Both Self-Service and Automate give Group Owners and Administrators the ability to set rules for accepting/rejecting emails from certain users for a particular group. 
+ +To set Delivery Restrictions via the Netwrix Directory Manager portal, simply search for the group and navigate to the **Delivery Restriction** tab in **Group Properties**. + +![User-added image](images/ka0Qk000000Dg6H_0EMQk000001iOu5.png) + +### Setting up Approver Workflows for the Creation of New Groups +One of the most efficient methods to effectively manage the number and quality of groups being created by end users is the implementation of a continuous monitoring process where admins can approve the group being created. + +Netwrix Directory Manager allows you to set up customized workflow approval processes with tailored filters to cater to use-case-specific triggering. This process ensures that whenever a group is created an approval request is sent to the concerned authorities for approval. + +For more information on implementing such workflows, visit the following KB article: + +- /docs/kb/directory-manager/how_to_trigger_a_workflow_when_a_user_сreates_a_group (How to Trigger a workflow When a User Сreates a Group) + +### Setting up Message Moderators for Mail-Enabled Groups +Another way to ensure that no unauthorized message is sent to critical groups is to set up moderator approval processes for Microsoft Exchange. Netwrix Directory Manager can be easily customized to provide the necessary attributes in the Group Properties visible on the portal to initiate a message approval process and assign moderators for certain critical distribution lists. + +For more information on customization to the portal, visit the following KB article: + +- /docs/kb/directory-manager/how_to_add_message_approvers_in_group_properties_in_groupid_portal (How To Add Message Approvers in Group Properties in Self-Service) + +### Other Best Practices to Improve Compliance. 
+In addition to the above-mentioned best practices for making sure the production environment is secure and compliant with company policy, visit the following KB article to learn about best practices for controlling changes to group memberships after creation: + +- /docs/kb/directory-manager/best_practices_for_controlling_changes_to_group_membership (Best Practices for Controlling Changes to Group Membership) + +## Related Articles: +- /docs/kb/directory-manager/walkthrough_search_policy_-_define_scope_and_filter_results (Walkthrough Search Policy - Define Scope and Filter Results) +- /docs/kb/directory-manager/how_to_enforce_users_to_create_groups_in_a_specific_ou (How To Enforce Users to Create Groups in a Specific OU) +- /docs/kb/directory-manager/how_to_import_members_to_a_group_using_self-service_import_wizard (How To Import Members to a Group Using Self-Service Import Wizard) +- /docs/kb/directory-manager/how_to_trigger_a_workflow_when_a_user_сreates_a_group (How to Trigger a workflow When a User Сreates a Group) +- /docs/kb/directory-manager/how_to_add_message_approvers_in_group_properties_in_groupid_portal (How To Add Message Approvers in Group Properties in Self-Service) +- /docs/kb/directory-manager/how_to_enforce_users_to_create_groups_in_a_specific_ou (Best Practices for Controlling Changes to Group Membership) diff --git a/docs/kb/directorymanager/bulk-export-and-sort-all-smart-groups-and-dynasties.md b/docs/kb/directorymanager/bulk-export-and-sort-all-smart-groups-and-dynasties.md new file mode 100644 index 0000000000..f301b8ce4e --- /dev/null +++ b/docs/kb/directorymanager/bulk-export-and-sort-all-smart-groups-and-dynasties.md 
@@ -0,0 +1,74 @@ +--- +description: >- + Learn how to export all managed groups and Dynasties from Netwrix Directory + Manager to a CSV file and sort them by group type using the Directory Manager + Management Shell. +keywords: + - Netwrix Directory Manager + - Smart Groups + - Dynasties + - Export CSV + - ManagedGroupType + - Get-SmartGroup + - PowerShell + - Directory Manager Management Shell +products: + - directory-manager +sidebar_label: Bulk Export and Sort All Smart Groups and Dynasties +tags: [] +title: "Bulk Export and Sort All Smart Groups and Dynasties" +knowledge_article_id: kA0Qk0000002CWXKA2 +--- + +# Bulk Export and Sort All Smart Groups and Dynasties + +## Applies To +Netwrix Directory Manager 11 + +## Overview +This article explains how you can export all managed groups and Dynasties from Netwrix Directory Manager to a CSV file and sort them by group type using the **Directory Manager Management Shell**. This process is useful for analyzing and managing large numbers of groups in your directory. + +The `ManagedGroupType` attribute identifies the type of each group and returns the following values: + +- `1` = Non-managed group +- `2` = Smart Group +- `3` = Parent Dynasty +- `4` = Middle Dynasty +- `5` = Leaf Dynasty +- `6` = Password Expiry SmartGroup + +## Instructions +1. Launch the **Directory Manager Management Shell**. +2. Log in to the Management Shell with your service account. +3. Run the following cmdlet to retrieve Smart Groups and Dynasties, sort them by `ManagedGroupType`, and export them to a CSV file: + +```powershell +Get-SmartGroup | select DisplayName, ManagedGroupType | Sort-Object ManagedGroupType | Export-CSV "C:\list.csv" –NoTypeInformation +``` + +4. The above cmdlet will: + - Retrieve all managed groups using `Get-SmartGroup`. + - Select the `DisplayName` and `ManagedGroupType` attributes. + - Sort the results in ascending order based on the `ManagedGroupType` attribute. 
+ - Export the sorted list to a CSV file named **list.csv** at `C:\list.csv`. + +> **NOTE:** You can change the export directory by updating the file path in the cmdlet (for example, `D:\exports\list.csv`). + +![Exported CSV file example](images/ka0Qk000000DvA9_0EMQk00000BSFdi.png) +![Directory Manager Management Shell output](images/ka0Qk000000DvA9_0EMQk00000BSG3V.png) + +5. To retrieve additional details, you can append more attributes to the cmdlet. Example attributes include: + - `smartGroupType` + - `expiration` + - `managedBy` + - `whenCreated` + - `UPN` + - `criteria` + - `SearchContainer` + - `SearchContainersScopeList` + - `Identity` + - `ShouldReturnCollection` + - `MaxItemsToDisplay` + - `ObjectType` + - `LdapFilter` + - `SmartFilter` diff --git a/docs/kb/directorymanager/bulk-update-smart-group-object-types.md b/docs/kb/directorymanager/bulk-update-smart-group-object-types.md new file mode 100644 index 0000000000..90efad2371 --- /dev/null +++ b/docs/kb/directorymanager/bulk-update-smart-group-object-types.md 
@@ -0,0 +1,65 @@ +--- +description: >- + Use the Directory Manager Management Shell in Netwrix Directory Manager to + bulk update Smart Group object types for multiple Smart Groups in an OU. + Includes the exact PowerShell cmdlet and a mapping table for object type + values. +keywords: + - smart group + - object types + - Set-SmartGroup + - Get-SmartGroup + - PowerShell + - OU + - IMSGManagedGroupType + - Netwrix Directory Manager +products: + - directory-manager +sidebar_label: Bulk Update Smart Group Object Types +tags: [] +title: "Bulk Update Smart Group Object Types" +knowledge_article_id: kA0Qk0000002JZdKAM +--- + +# Bulk Update Smart Group Object Types + +## Overview + +Use the Directory Manager Management Shell in Netwrix Directory Manager to bulk update the object types for multiple Smart Groups within a specific Organizational Unit (OU). This is useful when your business requirements change and you need to update membership criteria for many Smart Groups at once. + +## Instructions + +1. Launch the Directory Manager Management Shell. +2. Log in using your service account. +3. Run the following command to update object types for all Smart Groups in the specified OU: + +```powershell +Get-SmartGroup -SearchContainer "Distinguished Name of Organizational Unit" -SmartFilter "(IMSGManagedGroupType=2)" | Set-SmartGroup -ObjectTypes "1","2","3" +``` + +![PowerShell command to update Smart Group object types in Netwrix Directory Manager Management Shell](images/ka0Qk000000EZ5x_0EMQk00000Bu2Dh.png) + +4. This command updates all Smart Groups in the specified OU to include the following object types: + - Users with Mailboxes + - Users with External Email Addresses + - Contacts with External Email Addresses + +5. If your requirements differ, use the table below to identify the correct object type values. + +> **NOTE:** The cmdlet may take time to execute depending on the number of Smart Groups in the OU. 
It is recommended to first test it on a smaller OU to validate results before applying it in a production environment. + +## Object type values + +| Object Type | Value | +|-------------------------------------|:-----:| +| Users with Mailboxes | `1` | +| Users with External Email Addresses | `2` | +| Contacts with External Email Addresses | `3` | +| Mail-Enabled Groups | `4` | +| Mail-Enabled Public Folders | `5` | +| Users | `6` | +| Contacts | `7` | +| Groups | `8` | +| Workstations | `9` | +| Servers | `10` | +| Domain Controllers | `11` | diff --git a/docs/kb/directorymanager/change-log-level-from-error-to-debug-v11.md b/docs/kb/directorymanager/change-log-level-from-error-to-debug-v11.md new file mode 100644 index 0000000000..005d6f700a --- /dev/null +++ b/docs/kb/directorymanager/change-log-level-from-error-to-debug-v11.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Learn how to change the log level from Error to Debug in Netwrix Directory + Manager 11 to capture more detailed logging for troubleshooting and support. +keywords: + - Netwrix Directory Manager + - logging + - debug + - Admin Center + - troubleshooting + - log level + - services + - replication + - scheduler +products: + - directory-manager +sidebar_label: Change Log Level from Error to Debug v11 +tags: [] +title: "Change Log Level from Error to Debug v11" +knowledge_article_id: kA0Qk0000002F6DKAU +--- + +# Change Log Level from Error to Debug v11 + +## Applies To +Netwrix Directory Manager 11 + +## Overview +By default, Netwrix Directory Manager records only critical errors in its logs. If you need to investigate unexpected behavior, debug a failed process, or work with support, you can increase the log level to capture more detailed information. Setting the log level to **Debug** provides deeper insight into system operations and helps you identify and resolve issues more effectively. + +## Instructions + +### Change Log Level from Error to Debug +1. Go to the **Admin Center**. +2. Navigate to **Applications**. +3. Open the **Settings** for the application you want to modify. +4. Go to **Deployments**. +5. Select **Logging**. +6. Set both **File Logging** and **Windows Logging** to **Debug** using the dropdown lists. +7. Click **Save** to apply the changes. + ![Logging settings in Netwrix Directory Manager application](images/ka0Qk000000EPRZ_0EMQk00000BbJji.png) +8. Repeat these steps for each of the following applications: + - Replication Service + - Admin Center + - Data Service + - Security Service + - Email Service + - Mobile Service + - Scheduler Service + +![List of Netwrix Directory Manager services for log configuration](images/ka0Qk000000EPRZ_0EMQk00000BbINr.png) + +9. Once complete, Netwrix Directory Manager will capture detailed logs for better system monitoring and troubleshooting. 
diff --git a/docs/kb/directorymanager/change-self-service-portal-url-in-workflow-email-notifications.md b/docs/kb/directorymanager/change-self-service-portal-url-in-workflow-email-notifications.md new file mode 100644 index 0000000000..e8f1dbe622 --- /dev/null +++ b/docs/kb/directorymanager/change-self-service-portal-url-in-workflow-email-notifications.md 
@@ -0,0 +1,43 @@ +--- +description: >- + If you change the hostname for the Netwrix Directory Manager Self-Service + portal, update the portal URL in each workflow so workflow email notifications + include the correct address. +keywords: + - Netwrix Directory Manager + - self-service portal + - workflow + - email notifications + - portal URL + - group owners + - membership requests +products: + - directory-manager +sidebar_label: Change Self-Service Portal URL in Workflow Email N +tags: [] +title: "Change Self-Service Portal URL in Workflow Email Notifications" +knowledge_article_id: kA0Qk0000002ElFKAU +--- + +# Change Self-Service Portal URL in Workflow Email Notifications + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +If you change the hostname for the Netwrix Directory Manager (formerly GroupID) Self-Service portal, workflow email notifications may still include the old portal URL. Update the portal URL in each workflow to ensure notifications direct users to the correct address. + +## Instructions + +### Change the Self-Service Portal URL in Workflow Email Notifications + +1. In the Netwrix Directory Manager Admin portal, click the **Identity Stores** tab. +2. On the **Identity Stores** tab, click the three-dot icon next to the relevant identity store and select **Edit**. +3. Click the **Workflows** tab. Select the workflow for which you want to change the portal URL and click **Edit**. + To change the URL in email notifications that alert group owners to approve or deny membership requests, select **Workflow to Join a Group**. + ![Editing a workflow in Directory Manager 11](images/ka0Qk000000EMbl_0EMQk00000Ba629.png) +4. In the **Portal URL** box, select the portal URL you want to use. + ![Selecting the Portal URL in Directory Manager 11](images/ka0Qk000000EMbl_0EMQk00000Ba65N.png) +5. Click **Update Workflow** and save your changes. The email notifications for this workflow will now include the specified portal URL. 
Repeat these steps for each workflow as needed. diff --git a/docs/kb/directorymanager/change-the-default-dynasty-operator.md b/docs/kb/directorymanager/change-the-default-dynasty-operator.md new file mode 100644 index 0000000000..884881ae3d --- /dev/null +++ b/docs/kb/directorymanager/change-the-default-dynasty-operator.md 
@@ -0,0 +1,90 @@ +--- +description: >- + Explains how to change the default Dynasty grouping operator in Netwrix + Directory Manager so you can use Starts with or Ends with filters to group + users by partial Title values. +keywords: + - dynasty + - grouping + - Netwrix Directory Manager + - starts with + - ends with + - Group-By + - custom attribute + - titles +products: + - directory-manager +sidebar_label: Change the Default Dynasty Operator +tags: [] +title: "Change the Default Dynasty Operator" +knowledge_article_id: kA0Qk0000001qW1KAI +--- + +# Change the Default Dynasty Operator + +## Applies To + +Netwrix Directory Manager 10 Automate and Netwrix Directory Manager 11 Group Management + +## Overview + +In some organizations, the **Title** field may include multiple abbreviations (such as A1, B2, or C1) or a full job title with tiers (such as Systems and Network Engineer). In these cases, using the default **Is Exactly** operator when creating Dynasties may not produce the desired group structure. + +Instead, you can use the **Starts with** or **Ends with** operator to better match partial title values and group users accordingly. + +### Example: Using a Custom Attribute + +If the **Title** and **Tier** are separated—such as placing the title in **Custom Attribute 1**—you can group by that attribute to simplify results. + +**Attribute value:** `Custom Attribute 1 = SOC Analyst` + +**Sample group created:** Everyone who is SOC Analyst + +### Example: Using the Full Title Field + +If the **Title** field includes both the title and tier (e.g., SOC Analyst I, SOC Analyst II), Netwrix Directory Manager will create a group for each unique value. 
+ +**Attribute values:** +- **Title** = `SOC Analyst I` +- **Title** = `SOC Analyst II` + +**Sample groups created:** +- Everyone who is SOC Analyst I +- Everyone who is SOC Analyst II + +To avoid excessive group creation, use the **Group-By** filter to focus only on the desired portion of the value—for example, everyone who is **SOC Analyst**. + +## Instructions + +You can update the default Dynasty grouping behavior when creating a new Dynasty or editing an existing parent Dynasty. Follow the steps below based on your scenario. + +### Creating a New Dynasty + +1. When creating a new Dynasty, continue through the wizard until you reach the **Dynasty Options** window. +2. Select the attribute you want to group by and click **Edit**. In the **GroupBy settings** dialog, click **Filter**. + + ![Dynasty Options in Dynasty Creation Wizard - Netwrix Directory Manager 10](images/ka0Qk000000DUI2_0EMQk000009t78Z.png) + + ![Dynasty Options in Dynasty Creation Wizard - Netwrix Directory Manager 11](images/ka0Qk000000DUI2_0EMQk000009tEWb.png) + +3. To change the default operator, choose **Left** and enter the desired number of characters if using **Starts with**. Choose **Right** to switch to **Ends with**. + + ![Filter Options in Netwrix Directory Manager 10](images/ka0Qk000000DUI2_0EMQk000009tETN.png) + + ![Filter Options in Netwrix Directory Manager 11](images/ka0Qk000000DUI2_0EMQk000009tEUz.png) + +4. After saving your changes, the Dynasty will reflect the updated grouping behavior. + +### Editing an Existing Dynasty + +1. To configure an existing Dynasty using the same filter method, open the parent Dynasty’s properties. +2. Navigate to the **Netwrix Directory Manager** tab and click **Options**. +3. Follow steps 2 and 3 in the **Creating a New Dynasty** section above to configure and apply the GroupBy filter. 
+ + ![Dynasty Option in an existing parent dynasty in Netwrix Directory Manager 10](images/ka0Qk000000DUI2_0EMQk000009t4Na.png) + + ![Dynasty Option in an existing parent dynasty in Netwrix Directory Manager 11](images/ka0Qk000000DUI2_0EMQk000009tEI7.png) + +4. After saving your changes, the Dynasty will reflect the updated grouping behavior. + + ![Modified Attribute Filter Example](images/ka0Qk000000DUI2_0EMQk000009tEYD.png) diff --git a/docs/kb/directorymanager/change-the-default-naming-convention-for-dynasties.md b/docs/kb/directorymanager/change-the-default-naming-convention-for-dynasties.md new file mode 100644 index 0000000000..be3e79a5ac --- /dev/null +++ b/docs/kb/directorymanager/change-the-default-naming-convention-for-dynasties.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Learn how to change the default naming convention for Dynasties in Netwrix + Directory Manager so you can display attributes (for example, department) + before the Dynasty name. +keywords: + - dynasty + - naming convention + - display name template + - alias template + - groups + - dynasties + - directory-manager + - netwrix +products: + - directory-manager +visibility: public +sidebar_label: Change the Default Naming Convention for Dynasties +tags: [] +title: "Change the Default Naming Convention for Dynasties" +knowledge_article_id: kA0Qk0000001609KAA +--- + +# Change the Default Naming Convention for Dynasties + +## Overview + +This article explains how you change the default naming convention for Dynasties in Netwrix Directory Manager. You can customize the convention to fit organizational needs, such as displaying the department name before the Dynasty name. + +## Instructions + +1. In the Directory Manager Portal, navigate to **Groups** > **All Groups** > **Dynasties**. +2. Open the properties of the parent Dynasty you want to modify. +3. Go to the **Dynasty Options** tab. +4. In the **Display name template** and **Alias template** fields, adjust the naming pattern. +5. By default, the format is `DynastyName%GroupBy%`. To place the department name first, change the format to `%GroupBy%DynastyName`. +6. Click **Save** to apply the new naming convention. diff --git a/docs/kb/directorymanager/change-the-default-sort-attribute-for-search-results.md b/docs/kb/directorymanager/change-the-default-sort-attribute-for-search-results.md new file mode 100644 index 0000000000..c4b4e7847b --- /dev/null +++ b/docs/kb/directorymanager/change-the-default-sort-attribute-for-search-results.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Explain how to change the default sort attribute for search results in the + Netwrix Directory Manager User Portal; by default results sort by + `displayName` but you can choose another attribute such as `department`. +keywords: + - sort attribute + - search results + - displayName + - department + - Netwrix Directory Manager + - user portal + - Advanced Settings +products: + - directory-manager +sidebar_label: Change the Default Sort Attribute for Search Resul +tags: [] +title: "Change the Default Sort Attribute for Search Results" +knowledge_article_id: kA0Qk0000002CgDKAU +--- + +# Change the Default Sort Attribute for Search Results + +## Applies To +Netwrix Directory Manager 11 + +## Overview +This article explains how to configure the default sort attribute for search results in the Netwrix Directory Manager User Portal. By default, search results are sorted by the `displayName` attribute, but you can change this to another attribute, such as `department`, to better suit your business requirements. + +## Instructions +1. In the Netwrix Directory Manager Admin Center, go to **Applications**. For the application or portal where you want to change the setting, click the three dots and select **Settings**. + + ![Accessing portal settings in Directory Manager Admin Center](images/ka0Qk000000DvQH_0EMQk00000BSXab.png) + +2. Click **Advanced Settings**. In the right pane, find the **Sort Search** option and select your desired sort attribute from the drop-down menu. + + ![Selecting the default sort attribute in Advanced Settings](images/ka0Qk000000DvQH_0EMQk00000BSXfR.png) + +3. Scroll down and click **Save** to apply your changes. + +## Impact +This setting applies to listings on the All Groups, My Groups, and Users pages, as well as searches performed using Advanced Search and the Find dialog box. After applying the setting, results are sorted by the specified attribute in ascending order. 
+ +> **NOTE:** If the attribute you select for sorting is not available as a column header in the listing or search results, Netwrix Directory Manager will default to sorting by `displayName`. diff --git a/docs/kb/directorymanager/change-the-header-and-footer-logo-in-notifications.md b/docs/kb/directorymanager/change-the-header-and-footer-logo-in-notifications.md new file mode 100644 index 0000000000..03c32cc42e --- /dev/null +++ b/docs/kb/directorymanager/change-the-header-and-footer-logo-in-notifications.md 
@@ -0,0 +1,61 @@ +--- +description: >- + You can change the header and footer logos used in Netwrix Directory Manager + notification emails by updating the NotificationResources table in the + database. This article explains where the images are stored and provides the + SQL to replace them. +keywords: + - notification logo + - header logo + - footer logo + - Netwrix Directory Manager + - NotificationResources + - ResourceImage + - SQL + - OPENROWSET + - database + - replace image +products: + - directory-manager +sidebar_label: Change the Header and Footer Logo in Notifications +tags: [] +title: "Change the Header and Footer Logo in Notifications" +knowledge_article_id: kA0Qk00000015iPKAQ +--- + +# Change the Header and Footer Logo in Notifications + +## Question + +Can you change the logo in the header and footer of Netwrix Directory Manager notifications? + +![Notification Logo Screenshot](images/ka0Qk000000DSOH_0EMQk000004nEE1.png) + +## Answer + +Yes, it is possible to change the logos in the header and footer of notifications. However, you cannot do this through the Directory Manager Admin Center. Instead, you must update the image files directly in the database. + +### Before You Begin + +Notification logos are stored in the `GroupID.NotificationResources` database table as binary data. The relevant column is `ResourceImage`, which includes the following entries: + +- `ID 1` – Header logo +- `ID 2` – Footer logo +- `ID 3` – Title image + +The image ID located at the end of the query specifies which image will be replaced. + +### How to Replace an Image + +1. 
Run the SQL query below, updating `PathToUpdatedImage.jpg` and the `WHERE id =` value with the image and ID you want to replace: + +```sql +UPDATE [DB Name].[GroupID].[NotificationResources] +SET ResourceImage = ( + SELECT BulkColumn + FROM OPENROWSET(BULK 'PathToUpdatedImage.jpg', SINGLE_BLOB) AS x +) +WHERE id = 1; +``` + +After executing the query, all future notifications will display the updated image. diff --git a/docs/kb/directorymanager/change_the_display_name_format_to_first.last_in_the_portal.md b/docs/kb/directorymanager/change_the_display_name_format_to_first.last_in_the_portal.md new file mode 100644 index 0000000000..7952bc1ff7 --- /dev/null +++ b/docs/kb/directorymanager/change_the_display_name_format_to_first.last_in_the_portal.md 
@@ -0,0 +1,81 @@ +--- +description: >- + This article explains how to change the display name format in the Netwrix Directory Manager portal from Last, First to First.Last by modifying the portal's JavaScript file. +keywords: + - display name format + - Netwrix Directory Manager + - JavaScript customization +sidebar_label: Change Display Name Format +tags: [] +title: "Change the Display Name Format to First.Last in the Portal" +knowledge_article_id: kA0Qk0000002QKzKAM +products: + - directory-manager +--- + +# Change the Display Name Format to First.Last in the Portal + +## Applies To + +Directory Manager 11 + +## Overview + +By default, Netwrix Directory Manager (formerly GroupID) formats a user's display name as **Last, First** during user creation in the portal. Some organizations may require the **First.Last** format instead. You can change this by modifying the portal’s JavaScript file. This article explains how to make this customization. + +![Default display name format in Directory Manager portal](./images/servlet_image_0945c0342a68.png) + +## Instructions + +> **NOTE:** Test this change in a non-production environment first. Always back up original files before making any modifications. + +### Modify the Display Name Format in the Portal + +1. Navigate to the following directory on your Directory Manager server: + `C:\Program Files\Imanami\GroupID 11.0\GroupIDPortal\Inetpub\\Web\wwwroot\Scripts` + +2. Locate the following files: + - `CreateWizard.js` + - `CreateWizard.min.js` + +3. Rename `CreateWizard.min.js` to `CreateWizard.min.backup.js`. + +4. Open `CreateWizard.js` in **Notepad++** or another text editor. + +5. Search for the function named `getFullName`, or go directly to **line 392** in Notepad++. + +6. 
Replace the existing function: + ```javascript + function getFullName(firstNameText, lastNameText) { + var comma = ","; + if (firstNameText === "" || lastNameText === "") { + comma = ""; + } + return lastNameText + comma + firstNameText + } + ``` + with the following version: + ```javascript + function getFullName(firstNameText, lastNameText) { + var comma = "."; + if (firstNameText === "" || lastNameText === "") { + comma = ""; + } + return firstNameText + comma + lastNameText + } + ``` + + ![Editing getFullName function in CreateWizard.js](./images/servlet_image_5a9e2c271111.png) + +7. Save the file. + +8. Rename `CreateWizard.js` to `CreateWizard.min.js`. + +9. Open **Command Prompt** as Administrator and run the following command: + ```plaintext + iisreset + ``` + +10. After the IIS reset is complete, log in to the portal and create a new user. The **Display Name** will now appear in the **First.Last** format. + +![Display Name in First.Last format in Directory Manager portal](./images/servlet_image_f33ddc126856.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/collecting-all-log-files-in-v11.md b/docs/kb/directorymanager/collecting-all-log-files-in-v11.md new file mode 100644 index 0000000000..457cb9a222 --- /dev/null +++ b/docs/kb/directorymanager/collecting-all-log-files-in-v11.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Shows how to collect and save all Netwrix Directory Manager v11 log files + using the Logs Download feature in the Admin Center. +keywords: + - directory manager + - logs + - log files + - Logs Download + - Admin Center + - v11 + - troubleshooting + - Downloads + - logging +products: + - directory-manager +visibility: public +sidebar_label: Collecting All Log Files in v11 +tags: [] +title: "Collecting All Log Files in v11" +knowledge_article_id: kA0Qk0000002CbNKAU +--- + +# Collecting All Log Files in v11 + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) is a suite of applications that perform a wide range of identity and access management functions. To help track and troubleshoot anomalies, Directory Manager includes a comprehensive logging mechanism. If logging is enabled for the identity store, the application generates log files for its various modules and events and saves them in different locations on the file system. + +## Instructions + +Follow the steps below to use the **Logs Download** feature to collect and save all Directory Manager log files to a specific location, rather than locating each log file individually. + +1. From the Directory Manager v11 server, open the **Admin Center**. +2. Navigate to **Settings**. +3. Select the **Logs** option. +4. On the Logs screen: + - Select the **Select all** checkbox. This will select all logs from: + - Applications + - Tools & Management Shell + - Event Viewer +5. Click **Download**. +6. A zipped file containing the logs will be downloaded to your server's Downloads folder. + +![Logs Download screen in Directory Manager Admin Center](images/ka0Qk000000DvID_0EMQk00000BSOM1.png) diff --git a/docs/kb/directorymanager/configure-email-notifications-for-an-identity-store.md b/docs/kb/directorymanager/configure-email-notifications-for-an-identity-store.md new file mode 100644 index 0000000000..8b79d4bbab 
--- /dev/null +++ b/docs/kb/directorymanager/configure-email-notifications-for-an-identity-store.md 
@@ -0,0 +1,69 @@ +--- +description: >- + Learn how to configure email notifications for an identity store in Netwrix + Directory Manager, including SMTP settings, recipient options, lifecycle + notifications, and testing. +keywords: + - email notifications + - identity store + - SMTP + - notification settings + - Netwrix Directory Manager + - group membership + - password portal + - membership lifecycle + - Managed By + - test email +products: + - directory-manager +sidebar_label: Configure Email Notifications for an Identity Stor +tags: [] +title: "Configure Email Notifications for an Identity Store" +knowledge_article_id: kA0Qk0000002JmXKAU +--- + +# Configure Email Notifications for an Identity Store + +## Overview + +Email notifications in Netwrix Directory Manager (formerly GroupID) inform users, group owners, and managers when changes are made to directory objects, such as group membership updates or user profile modifications. To ensure notifications are generated and sent to the correct recipients, specific configurations must be set for the identity store. This article provides step-by-step instructions for configuring notifications. + +## Instructions + +1. In the **Netwrix Directory Manager Management Console**, click the **Identity Stores** node. +2. On the **Identity Stores** tab, double-click the required identity store to open its properties. +3. Select the **Configurations** tab, then click **Notification** in the left pane. + +![Notification configuration tab in Directory Manager identity store properties](images/ka0Qk000000EZCP_0EMQk00000BuMPJ.png) + +4. Configure the following notification settings: + +- **SMTP server:** Enter the IP address or FQDN of the SMTP server that will route notifications. +- **From email address:** Enter the sender address for notification emails (for example, `no-reply@domain.com` or `notification@demo.com`). 
+ ![From email address field in notification settings](images/ka0Qk000000EZCP_0EMQk00000BuMNh.png) +- **Port:** Enter the port number for the SMTP server. +- **Test:** After entering the email address and port, click **Test** to verify the server settings. Enter a destination address to send a test notification. If successful, a confirmation message appears and a test email is sent. +- **Use SMTP User Authentication:** By default, the credentials of the logged-in user are used. To use a different account, select **Use SMTP User Authentication** and enter the **Username** and **Password** for an authorized account. +- **SSL Enabled:** Select this check box if the SMTP server requires SSL. +- **Recipients - To and CC:** Enter the email addresses of recipients in the **To** and **CC** fields. + +5. Configure notification options as needed: + +- **Notify logged-in users about changes being made to objects:** Select to notify the logged-in user about changes they make to directory objects. Applies only to mail-enabled users. +- **Notify owner/manager:** Select to notify the primary owner and additional owners (for groups), and the manager (for users/contacts) about changes to their objects. +- **Notify object being modified:** Select to notify objects (group, user, contact) when they are modified. For groups, members are notified; for users or contacts, the individual is notified. +- **Notify public group owner of membership change:** Select to notify primary and additional owners of a public group when membership changes. Owners are notified whenever someone joins or leaves. +- **Notify newly added group members on addition:** Select to notify objects when they are added to a group. +- **Notify removed group member on removal:** Select to notify objects when they are removed from a group. +- **Password Portal URL:** Enter the URL of a Password Center portal. This URL is included in password expiry warning emails. 
+- **Membership Lifecycle Notification Options:** Membership lifecycle notifications are sent when the Membership Life Cycle job adds or removes users temporarily from a group. In the **Membership Lifecycle Notification Options** area, select your desired options: + - **User joins the group:** Notify users when they temporarily join a group. + - **User leaves the group:** Notify users when they temporarily leave a group. + - **X days before user leaves the group:** Select and specify the number of days (e.g., `2`) to notify users before they are removed from group membership. +- **Managed By Notification Options:** Set up notifications for objects when the Managed By lifecycle job adds or removes them as temporary additional owners for groups or managers for users. When a group is set or removed as a temporary additional owner, all its members are notified. In the **Managed By Notification Options** area, select your desired options: + - **Make options same as membership lifecycle:** Apply the membership lifecycle notification settings to the managed by lifecycle and disable the settings in the Managed By Notification Options area. + - **Object is added as additional owner/manager:** Notify when the Managed By lifecycle job adds an object as a temporary additional owner of a group or manager of a user. The primary owner or manager is also notified. + - **Object is removed as additional owner/manager:** Notify when the Managed By lifecycle job removes an object as a temporary additional owner of a group or manager of a user. The primary owner or manager is also notified. + - **X days before object is removed as additional owner/manager:** Select and specify the number of days (e.g., `2`) to notify temporary additional managers/owners before removal. + +6. Click **Apply** and then **OK** to save your changes. 
diff --git a/docs/kb/directorymanager/configure_a_default_container_for_creating_new_objects.md b/docs/kb/directorymanager/configure_a_default_container_for_creating_new_objects.md new file mode 100644 index 0000000000..e7d9459c68 --- /dev/null +++ b/docs/kb/directorymanager/configure_a_default_container_for_creating_new_objects.md 
@@ -0,0 +1,87 @@ +--- +description: >- + This article explains how to configure a default container for creating new objects in Netwrix Directory Manager, including options for user selection and enforcement of defaults. +keywords: + - default container + - Directory Manager + - object creation +sidebar_label: Configure Default Container +tags: [] +title: "Configure a Default Container for Creating New Objects" +knowledge_article_id: kA0Qk0000002Q9hKAE +products: + - directory-manager +--- + +# Configure a Default Container for Creating New Objects + +## Applies To + +Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows administrators to configure a default container for creating new objects, such as groups, users, contacts, and mailboxes. You can control whether users can select a different container, enforce the default container, or hide the container selection entirely. This flexibility helps ensure that new objects are created in the correct location according to your organization's policies. + +## Instructions + +### Access Portal Design Settings + +1. In the **Directory Manager Admin Center**, select **Applications**. +2. Under **Directory Manager Portal**, select the three-dot icon for your portal and click **Settings**. + + ![Accessing portal settings in Directory Manager Admin Center](./images/servlet_image_d426e93f625f.png) + +3. On the **Server Settings** tab, under **Design Settings**, select your portal. + + ![Selecting portal under Design Settings](./images/servlet_image_61b3d2b9e09a.png) + +4. Click the **Create Object** tab to customize the Object Creation wizard. +5. In the **Select Directory Object** drop-down list, select the object type for which you want to set a default container (for example, *Group*). +6. In the **Name** list, select **General** and click **Edit**. + + ![Editing General settings for object creation](./images/servlet_image_502dc35f432d.png) + +7. 
In the **Edit Category** dialog box, select **Container** in the **Fields** area and click **Edit**. + + ![Editing the Container field in Directory Manager](./images/servlet_image_9e904c20e782.png) + +8. In the **Edit Field** dialog box, click **Advanced options**. + + ![Advanced options in Edit Field dialog](./images/servlet_image_6e6ebdcead10.png) + +### Configure Default Container Options + +1. Specify a default container while allowing users to change it. +2. In the **Default Value** box, enter the distinguished name of the container you want to set as default. +3. Click **OK** and **Save** your changes. + + ![Setting a default container value](./images/servlet_image_68bd3ffb42de.png) + + Expected Result: On the **Create Group** wizard in the User portal, the specified container is selected by default, but users can click **Browse** to select another container. + + ![Default container selected in Create Group wizard](./images/servlet_image_5b375f305cc3.png) + +### Enforce a Default Container and Disable Container Selection + +1. In the **Edit Field** dialog box, specify a default container and select the **Is Read Only** check box. +2. Click **OK** and **Save** your changes. + + ![Enforcing default container and disabling selection](./images/servlet_image_f94cfcef3b0f.png) + + Expected Result: On the **Create Group** wizard, the specified container is displayed as the default, and the **Container** field is disabled. Users can only create new groups in the default container. + + ![Container field disabled in Create Group wizard](./images/servlet_image_b6c33ded2ece.png) + +### Enforce a Default Container and Hide Container Selection + +1. In the **Edit Field** dialog box, use the **Visibility Role** option to select which user roles can see the **Container** field. Only the selected role and roles with a higher priority value will see the field. All roles with a lower priority value will not see or change the default container. +2. 
Click **OK** to save your changes. + + ![Hiding container selection using Visibility Role](./images/servlet_image_354ef396a169.png) + + Expected Result: On the **Create Group** wizard in the Self-Service portal, the **Container** field is hidden, and users create groups without knowing the container being used. + + ![Container field hidden in Create Group wizard](./images/servlet_image_8bb1521513c5.png) + +> **NOTE:** If you hide the **Container** field for any role, you must provide a default value for this field. Otherwise, those roles will not be able to create groups. \ No newline at end of file diff --git a/docs/kb/directorymanager/configure_multi-valued_attributes_in_the_self-service_portal.md b/docs/kb/directorymanager/configure_multi-valued_attributes_in_the_self-service_portal.md new file mode 100644 index 0000000000..cca9324fed --- /dev/null +++ b/docs/kb/directorymanager/configure_multi-valued_attributes_in_the_self-service_portal.md 
@@ -0,0 +1,59 @@ +--- +description: >- + This article explains how to configure the Self-Service portal in Netwrix Directory Manager to support multi-valued attributes, using the carLicense attribute as an example. +keywords: + - Directory Manager + - multi-valued attributes + - self-service portal +sidebar_label: Configure Multi-Valued Attributes +tags: [] +title: "Configure Multi-Valued Attributes in the Self-Service Portal" +knowledge_article_id: kA0Qk0000002LmjKAE +products: + - directory-manager +--- + +# Configure Multi-Valued Attributes in the Self-Service Portal + +## Applies To + +Directory Manager 11 + +## Overview + +This article explains how to configure the Self-Service portal in Netwrix Directory Manager (formerly GroupID) to support multi-valued attributes, using `carLicense` as an example. + +Multi-valued attributes in Active Directory, such as `carLicense` or phone numbers, allow users to store multiple unique values in a single field. In contrast, single-valued attributes, such as names, can hold only one value. Active Directory does not create attributes with empty values, and each value in a multi-valued attribute must be unique. + +## Instructions + +1. In the Directory Manager Admin Center, go to **Applications**. On the application or portal where you want to add the attribute, click the three-dot icon and select **Settings**. + + ![Accessing portal settings in Directory Manager](./images/servlet_image_965115af01f6.png) + +2. Under **Design Settings**, expand your identity store’s name. + + ![Expanding identity store in Design Settings](./images/servlet_image_7e87b556674f.png) + +3. On the **Properties** tab, select *User* from the **Select Directory Object** list. +4. Select **General** in the **Name** list and click the edit symbol under **Actions**. + + ![Editing General properties in Directory Manager](./images/servlet_image_7bf69f003296.png) + +5. On the **Edit Design Category** page, click **Add Field**. 
+ + ![Adding a new field in Directory Manager](./images/servlet_image_adda9f41da45.png) + +6. Select the **carLicense** attribute in the **Field** list, enter the display name as *carLicense*, and set the display type to *MultiValue*. + + ![Configuring carLicense as a multi-valued attribute](./images/servlet_image_67916a8d7c9f.png) + +7. Click **OK**. Scroll down and click **Save**. +8. Launch the user portal. The **carLicense** multi-valued box appears on the General tab in user properties. +9. To add a license number, click **Add**, enter the license number, and click **OK**. You can add multiple license numbers to this field. + + ![Adding multiple values to carLicense in the user portal](./images/servlet_image_b2185e961102.png) + +10. View the license numbers added to the user's profile. + + ![Viewing multi-valued carLicense entries in the user profile](./images/servlet_image_030611c3b553.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/configuring_custom_fine-grained_permissions_for_entra_id_group_management.md b/docs/kb/directorymanager/configuring_custom_fine-grained_permissions_for_entra_id_group_management.md new file mode 100644 index 0000000000..e2ee90d6d3 --- /dev/null +++ b/docs/kb/directorymanager/configuring_custom_fine-grained_permissions_for_entra_id_group_management.md 
@@ -0,0 +1,106 @@ +--- +description: >- + This article explains how to configure fine-grained permissions for managing groups and distribution lists in Entra ID when integrating with Netwrix Directory Manager. +keywords: + - Entra ID + - RBAC roles + - PowerShell +sidebar_label: Configuring Custom Fine-Grained Permissions +tags: [] +title: "Configuring Custom Fine-Grained Permissions for Entra ID Group Management" +knowledge_article_id: kA0Qk0000002y6XKAQ +products: + - directory-manager +--- + +# Configuring Custom Fine-Grained Permissions for Entra ID Group Management + +## Overview + +This article explains how to configure fine-grained permissions for managing groups and distribution lists in Entra ID (formerly Azure AD) when integrating with Netwrix Directory Manager. By creating custom RBAC roles and assigning only the necessary permissions, you can minimize security exposure and avoid granting broad administrative rights. The article provides an overview and PowerShell steps for implementation. + +## Instructions + +1. Assign the required Microsoft Graph and Exchange Online permissions: + - `Directory.Read.All`: Allows reading users, groups, and directory information. + - `Group.ReadWrite.All`: Allows creating, modifying, and managing groups and memberships. + - `Exchange.ManageAsApp`: Enables app-only access to Exchange Online for managing distribution lists and mail settings. + + > **NOTE:** The **Exchange Administrator** role is not required for basic group management. Instead, assign custom RBAC roles for granular control. `Exchange.ManageAsApp` is required for app-only authentication to Exchange Online, but it does not grant rights until a role is attached. Actual permissions are determined by the RBAC roles you assign. + +2. 
Create custom Exchange Online RBAC roles using PowerShell: + + **Example: Custom role for distribution group management (`NDM_DL_Role`)** + - Base role: Distribution Groups + - Recommended cmdlets: + - `New-DistributionGroup` + - `Set-DistributionGroup` + - `Remove-DistributionGroup` + - `Add-DistributionGroupMember` + - `Remove-DistributionGroupMember` + - `Update-DistributionGroupMember` + - `Get-Group` + - `Get-DistributionGroup` + - `Get-DistributionGroupMember` + + **Example: Custom read-only role (`NDM_Mail_Read`)** + - Base role: Mail Recipients + - Recommended cmdlets: + - `Get-Mailbox` + - `Get-User` + - `Get-Recipient` + + **PowerShell example:** + ```powershell + $AppID = "0cd36e8d-697d-402c-87e3-de02b8bfafae" + $SpObject = "ebcd05c6-6543-4f2d-bbfc-6d8bc663bdf2" + $DLRole = "NDM_DL_Role" + $ReadRole = "NDM_Mail_Read" + + # DL management cmdlets + $DLKeep = @( + "New-DistributionGroup","Set-DistributionGroup","Remove-DistributionGroup", + "Add-DistributionGroupMember","Remove-DistributionGroupMember", + "Update-DistributionGroupMember","Get-Group","Get-DistributionGroup","Get-DistributionGroupMember" + ) + + # Mail-read cmdlets + $ReadKeep = @("Get-Mailbox","Get-Recipient","Get-User") + + # Create and prune the Distribution List Management Role + New-ManagementRole -Name $DLRole -Parent "Distribution Groups" + $allDLNames = (Get-ManagementRoleEntry -Identity "$DLRole*").Name + $toPruneDL = $allDLNames | Where-Object { $DLKeep -notcontains $_ } + foreach ($cmd in $toPruneDL) { + $entryId = "$DLRole\$cmd" + Write-Host "Pruning entry $entryId" + Remove-ManagementRoleEntry -Identity $entryId -Confirm:$false + } + Get-ManagementRoleEntry -Identity "$DLRole*" | Select-Object Name + + # Create and prune the Read-Only Mail Role + New-ManagementRole -Name $ReadRole -Parent "Mail Recipients" + $allRead = (Get-ManagementRoleEntry -Identity "$ReadRole*").Name + $toPruneRead = $allRead | Where-Object { $ReadKeep -notcontains $_ } + foreach ($cmd in $toPruneRead) { + 
$entryId = "$ReadRole\$cmd" + Write-Host "Pruning entry $entryId" + Remove-ManagementRoleEntry -Identity $entryId -Confirm:$false + } + Get-ManagementRoleEntry -Identity "$ReadRole*" | Select-Object Name + + # Assign custom roles to the service principal + New-ManagementRoleAssignment -Name "${DLRole}-SP" -Role $DLRole -App $AppId + New-ManagementRoleAssignment -Name "${ReadRole}-SP" -Role $ReadRole -App $AppId + + # Verify assignments + Get-ManagementRoleAssignment | Where-Object { $_.RoleAssigneeName -eq $SpObject } | Format-Table Name,Role,RoleAssigneeName + ``` + +3. Assign the custom RBAC roles directly to the Directory Manager application service principal in Exchange Online using the `New-ManagementRoleAssignment` cmdlet. + +4. Scope each role to specific groups as needed to further restrict access. + +5. Review and adjust as needed. If your use cases expand (for example, Teams channel management or mailbox permissions), update the custom roles to include additional cmdlets. + + > **IMPORTANT:** Always review the permissions included in each custom role to ensure you are granting only what is necessary. The `AppId` and `ObjectId` values must match your registered service principal. Use `Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"` to confirm. \ No newline at end of file diff --git a/docs/kb/directorymanager/convert-between-smart-groups-and-static-groups.md b/docs/kb/directorymanager/convert-between-smart-groups-and-static-groups.md new file mode 100644 index 0000000000..cd3230c275 --- /dev/null +++ b/docs/kb/directorymanager/convert-between-smart-groups-and-static-groups.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Shows how to convert a Smart Group to a static group and vice versa in Netwrix + Directory Manager by clearing or applying an LDAP query in the application + portal while preserving current membership. +keywords: + - Netwrix Directory Manager + - Smart Group + - static group + - LDAP query + - convert group + - group membership + - group management +products: + - directory-manager +sidebar_label: Convert Between Smart Groups and Static Groups +tags: [] +title: "Convert Between Smart Groups and Static Groups" +knowledge_article_id: kA0Qk0000002IKDKA2 +--- + +# Convert Between Smart Groups and Static Groups + +## Applies To +Netwrix Directory Manager 11 + +## Overview +In Netwrix Directory Manager, you can convert a Smart Group to a static group by clearing its LDAP query or convert a static group to a Smart Group by applying an LDAP query in the application portal. This functionality enables flexible management of group types based on organizational requirements. + +## Instructions + +### Convert a Smart Group to a Static Group +1. Log in to the application portal of Netwrix Directory Manager. +2. Open the properties of the Smart Group you want to convert to a static group. +3. On the properties page, navigate to the **Smart Group** tab. +4. Click the **Clear** button next to the Smart Group query. +5. When prompted, click **Clear query text** to confirm. The group will be converted to a static group, and the current membership will remain unchanged. + +![Clearing Smart Group query in Directory Manager](images/ka0Qk000000EYrR_0EMQk00000BpDeP.png) + +### Convert a Static Group to a Smart Group +1. Log in to the application portal of Netwrix Directory Manager. +2. Open the properties of the static group you want to convert to a Smart Group. +3. On the properties page, click the **Upgrade to** button. Two options will populate, select **Smart Group**. +4. When prompted, confirm the action. 
The query designer will open, allowing you to specify the LDAP query as required. +5. After confirming the query, the group will be converted to a Smart Group. + +![Upgrading a static group to a Smart Group in Directory Manager](images/ka0Qk000000EYrR_0EMQk00000BpDcn.png) diff --git a/docs/kb/directorymanager/copy-smart-group-query-criteria-using-import-and-export.md b/docs/kb/directorymanager/copy-smart-group-query-criteria-using-import-and-export.md new file mode 100644 index 0000000000..d51b9f52f9 --- /dev/null +++ b/docs/kb/directorymanager/copy-smart-group-query-criteria-using-import-and-export.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Shows how to export and import Smart Group query definitions in JSON format + using the Query Designer so you can copy complex criteria between Smart Groups + in Netwrix Directory Manager. +keywords: + - smart group + - query + - JSON + - export + - import + - Netwrix Directory Manager + - Query Designer + - group management +products: + - directory-manager +sidebar_label: Copy Smart Group Query Criteria Using Import and E +tags: [] +title: "Copy Smart Group Query Criteria Using Import and Export" +knowledge_article_id: kA0Qk0000002ILpKAM +--- + +# Copy Smart Group Query Criteria Using Import and Export + +## Applies To +Netwrix Directory Manager 11 + +## Overview +Netwrix Directory Manager supports exporting and importing Smart Group query definitions in JSON format through the Query Designer. This functionality allows you to replicate complex query criteria across multiple Smart Groups, ensuring consistency and reducing manual configuration. + +## Instructions + +### Copy Smart Group Query Criteria Using Import and Export + +1. In the application portal of Netwrix Directory Manager, click **Groups > All Groups > Smart Groups**. +2. Open the properties of the Smart Group whose criteria you want to copy. +3. Navigate to the **Smart Group** tab and open **Query Designer**. +4. In the Query Designer window, click the three-dot icon and select **Export query**. The JSON file will be downloaded to your default download location. + ![Exporting a Smart Group query in Directory Manager Query Designer](images/ka0Qk000000EYwH_0EMQk00000BpDrJ.png) +5. Open the properties of the Smart Group where you want to apply the copied criteria. +6. Navigate to the **Smart Group** tab and open **Query Designer**. +7. In the Query Designer window, click the three-dot icon and select **Import query** to upload the previously exported JSON file. 
+ ![Importing a Smart Group query in Directory Manager Query Designer](images/ka0Qk000000EYwH_0EMQk00000BpBfq.png) +8. Click **Preview** to confirm that the query returns the expected results. +9. Complete the remaining steps of the Smart Group wizard to save your changes. diff --git a/docs/kb/directorymanager/create_and_use_a_multi-valued_control_custom_display_type.md b/docs/kb/directorymanager/create_and_use_a_multi-valued_control_custom_display_type.md new file mode 100644 index 0000000000..ce9cefd658 --- /dev/null +++ b/docs/kb/directorymanager/create_and_use_a_multi-valued_control_custom_display_type.md 
@@ -0,0 +1,87 @@ +--- +description: >- + This article explains how to create and use a Multi-Valued Control custom display type in Netwrix Directory Manager, allowing users to select multiple predefined values for Active Directory attributes. +keywords: + - Multi-Valued Control + - Directory Manager + - Active Directory +sidebar_label: Multi-Valued Control Custom Display Type +tags: [] +title: "Create and Use a Multi-Valued Control Custom Display Type" +knowledge_article_id: kA0Qk0000002sM5KAI +products: + - directory-manager +--- + +# Create and Use a Multi-Valued Control Custom Display Type + +## Applies To + +Directory Manager 11 + +## Overview + +This article explains how to use the **Multi-Valued Control** custom display type in Netwrix Directory Manager (formerly GroupID). This control lets users select multiple predefined values for multi-valued Active Directory attributes, such as `otherTelephone`. It is designed for scenarios like assigning official contact numbers (for example, IT Helpdesk, HR, or Finance) to user profiles. The attribute you bind to this control must be multi-valued; single-valued attributes are not supported. + +## Instructions + +### Define a Multi-Valued Control Display Type + +1. In the Admin Center, select **Applications** from the left pane. On the **Directory Manager Portal** tab, locate the portal card. +2. Click the three-dot icon for a portal and select **Settings**. + + ![Portal settings menu showing ellipsis and Settings option](./images/servlet_image_838afdd9728e.png) + +3. Under **Design Settings**, select an identity store to define a custom display type. Each portal can have different identity store designs. + + ![Design Settings showing available identity stores](./images/servlet_image_fea3fbed856a.png) + +4. Click **Custom Display Types** in the left pane. +5. On the **Custom Display Types** page, click the **+** icon. + + ![Custom Display Types page with add icon](./images/servlet_image_afa10e0d547c.png) + +6. 
In the **New Display Type** pane, enter a name for the display type and select **Multi-Valued Control** in the **Type** drop-down list. + You cannot change the name after creation. + + ![New Display Type pane with Multi-Valued Control option](./images/servlet_image_01944865d03d.png) + +7. In the **Values** area, configure the options for the multi-valued drop-down list: + - Click **Add Value**. + - Enter a *Value* and a *Display Text*. The value is stored in the directory or database, while the display text appears in the portal. + - Use the **Visibility** drop-down list to specify which security roles can see the value. + - Use the **Accessibility** drop-down list to specify which roles can select the value. Users without access see the value greyed out. + - Click **OK** to add the value to the list. + + ![Values area showing multiple options for Multi-Valued Control](./images/servlet_image_be23d68c0d2d.png) + +8. Repeat step 7 to add more values. You can also edit or delete values as needed. + + ![Values list with edit and delete options](./images/servlet_image_3de32358d4ee.png) + +9. Optional: Select one or more values in the **Default Selection** list to set them as default. +10. Optional: In **Custom Value Edit Roles**, allow specific roles to enter new values directly in the portal. +11. Click **OK**, then **Save** on the **Custom Display Types** page. + +### Attach the Multi-Valued Control to an Attribute + +1. In the Admin Center, select **Applications** from the left pane. +2. Click the three-dot icon for a portal and select **Settings**. +3. Select an identity store under **Design Settings**. +4. Click **Properties** in the left pane. +5. On the **Properties** page, select **User** in the **Select Directory Object** list. + + ![Properties page showing directory object selection](./images/servlet_image_7bd539394c44.png) + +6. On the **User Properties** page, click **Edit** for the **Phone/Notes** tab. +7. 
On the **Edit Design Category** pane, edit the `otherTelephone` field. Under **Display Type**, select your custom multi-valued control. + + ![Linking otherTelephone field to Multi-Valued Control display type](./images/servlet_image_17dfc113b856.png) + +8. Click **OK** to close the panes, then click **Save** on the **Custom Display Types** page. + +Users will now see a drop-down list for the `otherTelephone` field, allowing them to select multiple values that update in Active Directory. + +![Portal UI showing otherTelephone field with multi-valued drop-down](./images/servlet_image_940193d7017a.png) + +![Multi-valued drop-down in action with multiple selections](./images/servlet_image_15e29be6b499.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/creating-and-managing-dynasties.md b/docs/kb/directorymanager/creating-and-managing-dynasties.md new file mode 100644 index 0000000000..229959ddf7 --- /dev/null +++ b/docs/kb/directorymanager/creating-and-managing-dynasties.md 
@@ -0,0 +1,69 @@ +--- +description: >- + Describes how to create and manage Dynasties—sets of groups automatically + created and managed based on Active Directory attributes—using Netwrix + Directory Manager. +keywords: + - dynasty + - groups + - Netwrix Directory Manager + - Active Directory + - group automation + - dynasty templates + - Organizational Dynasty + - Query Designer +products: + - directory-manager +sidebar_label: Creating and Managing Dynasties +tags: [] +title: "Creating and Managing Dynasties" +knowledge_article_id: kA0Qk0000002BQnKAM +--- + +# Creating and Managing Dynasties + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +A Dynasty is a set of groups automatically created and managed in Netwrix Directory Manager based on unique values of a selected Active Directory attribute (the **Group By** attribute). For example, if you group by **Department**, Netwrix Directory Manager creates a group for each department and adds users to the appropriate group according to their department value. + +You can also create nested Dynasties by grouping on multiple attributes, such as **Country** and **City**. In this case, city groups are nested within their respective country groups. + +Child groups are standard security groups or distribution lists. Netwrix Directory Manager Automate keeps group membership up to date: when a user’s attribute changes (for example, their department), they are automatically moved to the correct group. New groups are created as needed, and groups with no members can be deleted automatically (if configured). + +Child groups inherit properties from their parent Dynasty, including group type, security settings, expiry policy, owner, delivery restrictions, and message size limits. This automation saves significant time compared to manually creating and managing groups and their settings. 
+ +#### Dynasty Templates + +Netwrix Directory Manager offers three types of Dynasty templates to help you get started: + +- **Organizational Dynasty:** Creates a child group for each Company, Department, and Title. +- **Geographical Dynasty:** Creates a child group for each Country, State, and City. +- **Managerial Dynasty:** Creates a child group for the direct reports of each manager, including subordinates of the manager's direct reports. +- **Custom:** Creates a Dynasty by AD attributes of your choice. + +The three templates are configurable, whereas the custom Dynasty can fulfill numerous other requirements. + +## Instructions + +### Creating an Organizational Dynasty + +1. In Netwrix Directory Manager Portal, select **Create New** > **Organizational Dynasty** template and click **Next**. + ![Selecting Organizational Dynasty template](images/ka0Qk000000Du4P_0EMQk00000BS5BL.png) +2. On the **Group Options** page, enter the group name, select the container where the group will be created, and specify the group type, scope, and security settings. + ![Group Options page](images/ka0Qk000000Du4P_0EMQk00000BS8nW.png) +3. On the **Dynasty Options** page, review and modify the attributes that will be used to create child groups. For example, you can remove *Title* and add *Office* as needed. + ![Dynasty Options page](images/ka0Qk000000Du4P_0EMQk00000BS9zh.png) +4. On the **Query Options** page, review the current configuration of your Dynasty. You can click **Query Designer** to launch the Query Designer, where you can modify the query to filter the objects for group membership. For example, you may filter out disabled users or get a specific employee type. + ![Query Options page](images/ka0Qk000000Du4P_0EMQk00000BRwsy.png) +5. Once your query is complete, proceed to the **Update Options** page. The Dynasty can be updated manually or via an automated schedule. + ![Update Options page](images/ka0Qk000000Du4P_0EMQk00000BS4Gs.png) +6. 
On the **Owners** page, you can specify additional owners for the group. By default, Netwrix Directory Manager sets the logged-in user as the primary owner. The primary owner will be inherited by all child groups. You can add additional owners by clicking the **Add** button. Users, contacts, and even security groups can be set as additional owners. + ![Owners page](images/ka0Qk000000Du4P_0EMQk00000BS48q.png) +7. The **Completion** page gives a summary of the selected settings. Click **Finish**. +8. If you selected **Now** for your update options, a parent Dynasty will be created with the name provided on the **Group Options** page, and child groups will be created according to the configured template. + +> **NOTE:** The Dynasty created in this article is just an example; you can customize the naming template, separator, inheritance, and much more. diff --git a/docs/kb/directorymanager/customizing_notification_template_to_remove_footer_in_directory_manager_v11.1.1.md b/docs/kb/directorymanager/customizing_notification_template_to_remove_footer_in_directory_manager_v11.1.1.md new file mode 100644 index 0000000000..30c163dfdc --- /dev/null +++ b/docs/kb/directorymanager/customizing_notification_template_to_remove_footer_in_directory_manager_v11.1.1.md 
@@ -0,0 +1,68 @@ +--- +description: >- + This article provides step-by-step instructions on how to customize the notification template in Netwrix Directory Manager v11.1.1 to remove the default footer from notifications. +keywords: + - notification template + - Directory Manager + - customize footer +sidebar_label: Remove Footer from Notification Template +tags: [] +title: "Customizing Notification Template to Remove Footer in Directory Manager V11.1.1" +knowledge_article_id: kA0Qk0000002WAHKA2 +products: + - directory-manager +--- + +# Customizing Notification Template to Remove Footer in Directory Manager V11.1.1 + +## Overview + +This article provides step-by-step instructions on how to customize the notification template in Netwrix Directory Manager (formerly GroupID) v11.1.1 to remove the default footer from notifications. + +## Instructions + +1. Open the **Directory Manager Admin Center**. +2. Navigate to the **Notification Editor** and search for the notification template you want to customize. +3. Click on the **Edit** button to access the **Source Code** for the template. +4. In the **Source Code** tab, locate the following code. For ease, you can search for ``. This code is typically located towards the end of the source code: + + ```html +
+ + + + + + + + + + + +
Please do not reply to this email.
Thank you.Powerful Group Management
Tools for Active Directory.
The Messaging Team.
+ ``` + +5. Comment out the above code by adding `` to the last line. Alternatively, replace the code with the following commented-out version: + + ```html + + ``` + +6. Save the changes and exit the **Notification Editor**. +7. Test the notification to ensure the footer has been successfully removed. + +> **NOTE:** It is recommended to take a backup of the original source code before making any changes. \ No newline at end of file diff --git a/docs/kb/directorymanager/display-groups-with-additional-ownership-in-the-my-groups-tab.md b/docs/kb/directorymanager/display-groups-with-additional-ownership-in-the-my-groups-tab.md new file mode 100644 index 0000000000..e8b3d4b7e8 --- /dev/null +++ b/docs/kb/directorymanager/display-groups-with-additional-ownership-in-the-my-groups-tab.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Enable displaying groups where you are an additional owner in the My Groups + tab of Netwrix Directory Manager; an administrator can enable this globally, + or you can adjust it per account in the application portal. +keywords: + - Netwrix Directory Manager + - My Groups + - additional owner + - group ownership + - application portal + - listing displays + - admin settings +products: + - directory-manager +sidebar_label: Display Groups with Additional Ownership in the My +tags: [] +title: "Display Groups with Additional Ownership in the My Groups Tab" +knowledge_article_id: kA0Qk0000002JL7KAM +--- + +# Display Groups with Additional Ownership in the My Groups Tab + +## Overview + +Use these steps to configure the **My Groups** tab in Netwrix Directory Manager to display groups where the logged-in user is listed as an additional owner, in addition to groups where the user is the primary owner. An administrator can enable this behavior globally, or you can adjust it yourself in the application portal. + +## Instructions + +1. From the Admin portal, navigate to **Applications** > **your application portal**. +2. Click the three-dot icon and select **Settings**. + + ![Admin portal navigation to application portal settings](images/ka0Qk000000EZ4L_0EMQk00000Bsr2b.png) +3. In the settings menu, go to **Advanced Settings** > **Listing Displays**. + + ![Advanced settings and listing displays in admin portal](images/ka0Qk000000EZ4L_0EMQk00000Bsr4D.png) +4. Find the option for **Display Groups in My Groups** and toggle it to include groups where the user is an additional owner. + + ![Toggle for Display Groups in My Groups setting](images/ka0Qk000000EZ4L_0EMQk00000Bsr0z.png) +5. Click **Save** and then **OK** to apply the changes. +6. Log in to the application portal. The **My Groups** page will now display groups for which the logged-in user is an additional owner. +7. 
Individual users can adjust their own settings in the application portal to view groups they own as both primary and additional owner. After changing this setting, remember to click **Save**. + + ![User-level setting to display groups as primary and additional owner](images/ka0Qk000000EZ4L_0EMQk00000Bsr5p.png) diff --git a/docs/kb/directorymanager/displaying-moderators-for-exchange-distribution-lists-in-the-portal.md b/docs/kb/directorymanager/displaying-moderators-for-exchange-distribution-lists-in-the-portal.md new file mode 100644 index 0000000000..782fd667b0 --- /dev/null +++ b/docs/kb/directorymanager/displaying-moderators-for-exchange-distribution-lists-in-the-portal.md 
@@ -0,0 +1,90 @@ +--- +description: >- + Instructions to configure the Netwrix Directory Manager Portal to display + Exchange distribution list moderation settings by adding specific Active + Directory attributes and portal fields. +keywords: + - Netwrix Directory Manager + - Exchange + - distribution lists + - moderation + - msExchEnableModeration + - msExchModeratedByLink + - msExchBypassModerationLink + - portal + - identity store +products: + - directory-manager +sidebar_label: Displaying Moderators for Exchange Distribution Li +tags: [] +title: "Displaying Moderators for Exchange Distribution Li" +knowledge_article_id: kA0Qk0000002FivKAE +--- + +# Displaying Moderators for Exchange Distribution Li + +## Applies To + +Netwrix Directory Manager 11 or above + +## Overview + +This article outlines the process of modifying the Netwrix Directory Manager portal to show moderator settings for distribution lists configured in Microsoft Exchange, using specific Active Directory attributes. + +The following attributes are associated with message moderation for on-premise Microsoft Exchange: + +- `msExchEnableModeration`: Enables or disables message moderation for a distribution group. When enabled, messages sent to the group require moderator approval before delivery. +- `msExchModeratedByLink`: Associates a moderated recipient with a distribution list or security group whose members serve as moderators. +- `msExchBypassModerationLink`: Associates a moderated recipient with a distribution list or security group whose members are allowed to bypass message moderation. + +By utilizing these attributes, you can create a customized view in the Netwrix Directory Manager Portal to display the appropriate message approvers for distribution lists. This customization helps you manage message moderation effectively within your organization's Exchange environment. + +## Instructions + +Follow the instructions below to configure the Netwrix Directory Manager Portal: + +1. 
Open the **Identity Stores** tab in the **Netwrix Directory Manager Admin Center** and click **Edit** under the ellipses menu on the appropriate Identity Store card. + +2. On the **Replication** tab, click **Add Replication Attributes** and add the required attributes. + + ![Replication attribute screenshot](images/ka0Qk000000E76T_0EMQk00000BdPOP.png) + +3. Click **Settings**. A new page will appear. + + ![Portal settings screenshot](images/ka0Qk000000E76T_0EMQk00000BdNHn.png) + +4. Select the appropriate **Identity Store**. + + ![Identity Store selection screenshot](images/ka0Qk000000E76T_0EMQk00000BdPHx.png) + +5. Under the **Properties** tab, select **Group** from the **Select Directory Object** list. + +6. Select **Advanced** in the **Name** list and click the **Pencil** icon. + + ![Advanced group design](images/ka0Qk000000E76T_0EMQk00000BdPRd.png) + +7. On the Edit Design Category dialog box, click **Add Field**. + + ![Add Field screenshot](images/ka0Qk000000E76T_0EMQk00000BdPJZ.png) + +8. Select `mxExchEnableModeration` from the **Field** list, enter the display name as **Is Moderation Enabled** and set the display type to **Check**. + +9. Click **OK** and then click **Add Fields** again. + + ![ModeratedByLink field screenshot](images/ka0Qk000000E76T_0EMQk00000BdPLB.png) + +10. Select `mxExchModeratedByLink`, enter the display name as **Moderators**, and set the display type to **DNs**. + +11. Click **OK** and then click **Add Fields** again. + + ![A screenshot of adding attribute.](images/ka0Qk000000E76T_0EMQk00000BdDrv.png) + +12. Select `mxExchBypassModerationLink`, enter the display name as **Bypass Moderation**, and set the display type to **DNs**. + +13. Click **OK** and then click the **Save** icon at the top of the page. + + ![Bypass moderators field screenshot](images/ka0Qk000000E76T_0EMQk00000BdPMn.png) + +14. Launch the **Netwrix Directory Manager Portal**. The new attributes should appear under the **Groups** tab under **Advanced**. 
+ + ![Final portal attributes screenshot](images/ka0Qk000000E76T_0EMQk00000BdPQ1.png) diff --git a/docs/kb/directorymanager/enable-and-configure-workflow-approver-acceleration.md b/docs/kb/directorymanager/enable-and-configure-workflow-approver-acceleration.md new file mode 100644 index 0000000000..d2fe6e52c7 --- /dev/null +++ b/docs/kb/directorymanager/enable-and-configure-workflow-approver-acceleration.md 
@@ -0,0 +1,83 @@ +--- +description: >- + Shows how to enable, configure, and disable Workflow Approver Acceleration in + Netwrix Directory Manager 10 and 11, including rules and the scheduled + acceleration job. +keywords: + - workflow approver acceleration + - workflow escalation + - Netwrix Directory Manager + - identity store + - workflow route + - Workflow Acceleration job + - SMTP + - approval escalation +products: + - directory-manager +sidebar_label: Enable and Configure Workflow Approver Acceleratio +tags: [] +title: "Enable and Configure Workflow Approver Acceleration" +knowledge_article_id: kA0Qk0000002C3VKAU +--- + +# Enable and Configure Workflow Approver Acceleration + +## Applies To +Netwrix Directory Manager 10 and 11 + +## Overview +Netwrix Directory Manager workflows provide oversight and control for changes made to directory data, such as Active Directory. When a user initiates an action—like creating a group—a workflow request is generated and requires approval before proceeding. If the assigned approver is unavailable, requests can accumulate and delay business operations. + +To address this, Netwrix Directory Manager includes workflow approver acceleration. This feature automatically escalates pending requests to the next approver after a specified number of days, ensuring that no request remains unaddressed. Administrators can also review and act on any workflow request at any time from the **All Requests** node in the Netwrix Directory Manager Management Console. + +## Instructions + +### Enable Workflow Approver Acceleration for an Identity Store in Netwrix Directory Manager 10 +1. In the Netwrix Directory Manager Management Console, click the **Identity Stores** node. +2. On the **Identity Stores** tab, double-click an identity store to open its properties. +3. On the **Workflow** tab, click the **Advanced Options** link. + ![Workflows tab in Netwrix Directory Manager 10 Identity Properties](images/ka0Qk000000DunZ_0EMQk00000BZ9rj.png) +4. 
Select the **Enable Approver Acceleration** checkbox to apply the settings and rules to all workflow routes defined for the identity store. + ![Workflow Approver Acceleration in Workflow Options](images/ka0Qk000000DunZ_0EMQk00000BZFvX.png) +5. To disable approver acceleration for a route, see the "Disable Approver Acceleration for a Workflow Route" section. +6. In the **Maximum Levels** box, specify the maximum number of escalation levels (for example, `2`). Requests not approved or denied at the maximum level are routed to the default approver, as specified in group life cycle settings for the identity store. +7. In the **Repeat every days** box, specify the number of days (for example, `5`). If an approver does not act within this period, the request is escalated to the next approver in the chain. +8. Click **OK** to save your changes. + +### Enable Workflow Approver Acceleration for an Identity Store in Netwrix Directory Manager 11 +1. Log in to the Netwrix Directory Manager Admin Center, click the **Identity Stores** tab, and then edit the required identity store. + ![Identity Stores tab in Netwrix Directory Manager 11 Admin Center](images/ka0Qk000000DunZ_0EMQk00000BZdBR.png) +2. From the Settings pane, select **Workflows**, then select **Advanced Workflow Settings** on the card menu on the right. + ![Advanced Workflow Settings in Netwrix Directory Manager 11](images/ka0Qk000000DunZ_0EMQk00000BZbJK.png) +3. Toggle **Approver Acceleration** and configure the options as needed. Click **Save** at the bottom right of the screen. + +> **NOTE:** Approver acceleration requires that an SMTP server is configured for the identity store. + +For example, if User A (the approver) does not act on a request within the specified number of days, the request is escalated to User B (first escalation level). If User B does not act, it escalates to User C (second level), and so on, up to the maximum level. 
If still not approved or denied, the request is routed to the default approver. + +### Disable Approver Acceleration for a Workflow Route +Workflow approver acceleration settings apply to all workflow routes in an identity store, but you can disable it for individual routes. + +Follow the steps below for Netwrix Directory Manager 10: +1. In the Netwrix Directory Manager Management Console, click the **Identity Stores** node. +2. On the **Identity Stores** tab, double-click an identity store to open its properties. +3. On the **Workflow** tab, select a workflow to disable approver acceleration for, and click **Edit**. +4. In the **Workflow Route** dialog box, select the **Disable approver acceleration** checkbox to exempt this workflow route from approver acceleration. + +Follow the steps below for Netwrix Directory Manager 11: +1. Log in to the Netwrix Directory Manager Admin Center, then navigate to the **Identity Stores** tab from the navigation pane. +2. Click the options (three dots) for the required identity store and select **Edit**. +3. Click **Workflows** from the Settings tab. In the list of workflows, click the options (three dots) for the workflow you want to update, then select **Edit**. + ![Disable Approver Acceleration - Workflow Edit Menu - Netwrix Directory Manager 11](images/ka0Qk000000DunZ_0EMQk00000BZUPv.png) +4. Clear the **Approver Acceleration** option and click **Update Workflow**. Then scroll down and click **Save**. +5. This will exempt the workflow from approver acceleration. + +### Workflow Approver Acceleration Rules +If an approver does not act on a workflow request within the specified number of days, Netwrix Directory Manager applies the following rules to escalate the request: +- If the approver is a user and does not act, the request is escalated to the user’s primary manager. This continues up to the maximum escalation level. 
+- After the last escalation level, if the request is still not acted upon, it is escalated to the default approver (as specified in group life cycle settings). +- If the default approver does not act, the request remains in the system as static. +- If a group is an approver and no group member acts, the request is escalated to the group’s primary owner. + +### Workflow Acceleration Job +A scheduled job, **Workflow Acceleration**, is predefined in Netwrix Directory Manager for each identity store. By default, this job runs daily to escalate workflow requests according to the acceleration settings and rules. It also generates notifications to inform approvers about pending workflow requests. diff --git a/docs/kb/directorymanager/enable-group-owner-suggestion-for-orphan-groups.md b/docs/kb/directorymanager/enable-group-owner-suggestion-for-orphan-groups.md new file mode 100644 index 0000000000..560d992bd1 --- /dev/null +++ b/docs/kb/directorymanager/enable-group-owner-suggestion-for-orphan-groups.md 
@@ -0,0 +1,54 @@ +--- +description: >- + Shows how to enable and use the Group Owner Suggestion feature in Netwrix + Directory Manager to detect orphan groups and recommend owners based on group + membership. +keywords: + - orphan groups + - owner suggestion + - group owner + - Netwrix Directory Manager + - identity store + - self-service portal + - Admin Console +products: + - directory-manager +sidebar_label: Enable Group Owner Suggestion for Orphan Groups +tags: [] +title: "Enable Group Owner Suggestion for Orphan Groups" +knowledge_article_id: kA0Qk0000002I7JKAU +--- + +# Enable Group Owner Suggestion for Orphan Groups + +## Applies To +Netwrix Directory Manager 11 + +## Overview +Orphaned groups are directory groups that do not have an assigned owner. Over time, these groups can accumulate and complicate directory management. Manually identifying and assigning owners to orphaned groups is inefficient and prone to error, especially in dynamic environments. Netwrix Directory Manager provides automated functionality to detect orphaned groups and recommend suitable owners based on group membership data. This article describes how to configure and use the Group Owner Suggestion feature. + +## Instructions +There are two ways to address Orphan Groups: + +- **Orphan Group Update Job:** Define and schedule an Orphan Group Update job for an identity store. This job scans for orphan groups and automatically assigns an owner to each group. Configure this job in **Admin Console > Identity Store Properties > Schedules**. +- **Group Owner Suggestion:** Enable the Owner Suggestion feature in the Netwrix Directory Manager portal to dynamically suggest an owner for an orphan group. Unlike the Orphan Group Update job, this feature allows users to choose an owner from a list of suggested users, ranked by relevance based on group membership. + +## Configure Group Owner Suggestion +1. 
In the Netwrix Directory Manager Admin Console, select **Application > Directory Manager Portals > [required portal]**. +2. Click the three-dot icon and go to **Settings > Advanced Settings > Misc**. +3. Scroll down and enable the **Suggest Owner/Manager** setting. This setting enables the Self-Service portal to suggest owners for orphan groups and managers for users without managers. +4. Netwrix Directory Manager will suggest a primary owner for an orphan group on the **Owner** tab in group properties. The suggestion is based on group membership. Netwrix Directory Manager checks the managers of group members and suggests the user who appears most frequently as a manager, even if that user is not a group member. +5. Click the **Save** icon on the toolbar. + +![Suggest Owner/Manager setting in Directory Manager portal settings](images/ka0Qk000000EWsr_0EMQk00000Bo2pu.png) + +## Use Owner Suggestion in the Portal +1. Log in to the Netwrix Directory Manager portal. +2. Go to the properties page of an orphan group and click the **Owner** tab. + +![Owner tab in group properties showing suggested owner](images/ka0Qk000000EWsr_0EMQk00000BoBA3.png) + +3. Netwrix Directory Manager will display a suggested owner for the group. +4. Click **Make Owner** to set the suggested user as the group's primary owner. +5. To view more options before setting an owner, click **Show more options** to see a list of suggested owners. +6. After making your selection, click **Save** to apply the changes. diff --git a/docs/kb/directorymanager/enable_or_disable_user_login_via_smart_card_using_custom_display_types.md b/docs/kb/directorymanager/enable_or_disable_user_login_via_smart_card_using_custom_display_types.md new file mode 100644 index 0000000000..29b11e6383 --- /dev/null +++ b/docs/kb/directorymanager/enable_or_disable_user_login_via_smart_card_using_custom_display_types.md 
@@ -0,0 +1,55 @@ +--- +description: >- + This article explains how to enable or disable user login via Smart Card in Netwrix Directory Manager by adding a custom field to the portal. +keywords: + - Smart Card login + - userAccountControl + - Directory Manager +sidebar_label: Enable or Disable User Login via Smart Card +tags: [] +title: "Enable or Disable User Login via Smart Card Using Custom Display Types" +knowledge_article_id: kA0Qk0000002TE1KAM +products: + - directory-manager +--- + +# Enable or Disable User Login via Smart Card Using Custom Display Types + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows you to enable or disable user login via Smart Card by adding a custom field to the portal. Helpdesk users can use this field to control the **userAccountControl** attribute for each user. When the *Smart card is required for interactive logon* option is enabled, the **userAccountControl** attribute is set to `328192`; when disabled, it is set to `66048`. This article explains how to configure this functionality using custom display types. + +## Instructions + +### Create a Custom Display Type for Smart Card Login + +1. In the Admin Center, go to **Application > Portals > [Required portal] > Designs > [Required portal]**. +2. On the **Custom Display Types** tab, click **Add**. + ![Custom Display Types tab in Directory Manager Admin Center](./images/servlet_image_a71488556914.png) +3. In the **New Display Type** dialog box, provide a name for the display type and select its type (for example, *Dropdown List*). Click **Add Value**. + ![New Display Type dialog in Directory Manager](./images/servlet_image_7dc3b3aa07c2.png) +4. Create two values for the drop-down list: + - **Disabled**: Value `66048`, set visibility to Helpdesk. + - **Enabled**: Value `328192`, set visibility to Helpdesk. +5. Click **OK** and save the settings. + +### Add the Smart Card Field to the User Properties + +1. 
Go to the **Properties** tab and select **User** from the **Select Directory Object** list. Click **Add**. +2. In the **Name** field, enter a name for the new tab (for example, *Smart Card*). Select a visibility level and access level, then click **Add Fields**. + ![Adding a new Smart Card tab in Directory Manager](./images/servlet_image_b77e450ac65f.png) +3. Select the **userAccountControl** attribute from the **Field** list. Enter a display name and select the custom display type you created. Click **OK**. + ![Selecting userAccountControl attribute and custom display type](./images/servlet_image_fa32d45335a0.png) +4. Click **OK** and **Save** the changes. + ![Saving changes in Directory Manager Admin Center](./images/servlet_image_99702efd2852.png) + +### Test the Results + +1. Log in to the Directory Manager Portal and open the properties of a user object. +2. You will see a new tab named *Smart Card*. Use the **Smart Card** drop-down list to select *Enabled* or *Disabled*. +3. This sets the corresponding value for the **userAccountControl** attribute in Active Directory. + ![Smart Card tab in user properties in Directory Manager portal](./images/servlet_image_bdbdf11e3bd5.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/enforce_group_naming_convention_and_input_validation_with_regular_expressions.md b/docs/kb/directorymanager/enforce_group_naming_convention_and_input_validation_with_regular_expressions.md new file mode 100644 index 0000000000..1f82ae9099 --- /dev/null +++ b/docs/kb/directorymanager/enforce_group_naming_convention_and_input_validation_with_regular_expressions.md 
@@ -0,0 +1,100 @@ +--- +description: >- + This article explains how to enforce group naming conventions and input validation in Netwrix Directory Manager using regular expressions. It provides step-by-step instructions for creating and associating display types. +keywords: + - group naming conventions + - input validation + - regular expressions +sidebar_label: Enforce Group Naming Convention +tags: [] +title: "Enforce Group Naming Convention and Input Validation with Regular Expressions" +knowledge_article_id: kA0Qk0000002NN7KAM +products: + - directory-manager +--- + +# Enforce Group Naming Convention and Input Validation with Regular Expressions + +## Overview + +This article explains how to enforce group naming conventions and input validation in Netwrix Directory Manager (formerly GroupID) by using regular expressions. Administrators can define naming policies for groups created through the User portal by configuring regular expressions for input fields. + +Enforcing naming standards is especially important when users have access to Active Directory via the User portal. The process involves two main steps: + +- [Create a display type](#create-display-type) +- [Associate the display type with the desired field](#associate-display-type) + +## Instructions + +### Create a Display Type + +1. In the **Directory Manager Admin Panel**, select **Applications**. Click the three-dot icon on the desired portal/application and select **Settings**. + + ![Accessing application settings in GroupID Admin Panel](./images/servlet_image_677f21527b05.png) + +2. Under **Design Settings**, select your identity store’s name to expand it. + + ![Expanding identity store under Design Settings](./images/servlet_image_1a6e50068bb6.png) + +3. Select **Custom Display Types** and click **Add**. + + ![Adding a custom display type](./images/servlet_image_a1edb8bd189c.png) + +4. 
On the **New Display Type** page, enter a name for the display type in the **Name** box (for example, **Regular Expression Policy 1**). From the **Type** list, select **Textbox** and click **OK**. Complete the other options as described below: + + | **Field** | **Description** | + |----------------------|-----------------------------------------------------------------------------------------------------| + | *Default Value* | Specify a default value to display in the textbox. | + | *Regular Expression* | Enter a regular expression to validate the data entered in the textbox. | + | *Error Message* | Enter the error message to display when the input does not match the regular expression. | + + ![Configuring regular expression and error message for display type](./images/servlet_image_21d548cd380a.png) + +5. Click **OK** and then **Save** to save your changes. The new display type appears under **Custom Display Types**. + +### Associate the Display Type with a Field + +1. In the **Directory Manager Admin Panel**, select **Applications**. Click the three-dot icon on the desired portal/application and select **Settings**. +2. Under **Design Settings**, select your identity store’s name to expand it. +3. Scroll down and click **Create Object**. Under **Select Directory Object**, select **Group** from the drop-down list. +4. In the **Name** list, select **General** and click **Edit**. + + ![Editing general settings for group object](./images/servlet_image_96e97acfbe1a.png) + +5. On the **Edit Design Category** page, select **Group name** in the **Fields** area and click **Edit**. + + ![Editing group name field](./images/servlet_image_4909739e6c29.png) + +6. On the **Edit Field** page, select the display type you created (for example, *Regular Expression Policy 1*) from the **Display Type** drop-down list. + + ![Selecting display type for group name field](./images/servlet_image_43757b5dda2e.png) + +7. 
Click **OK** twice to close the dialog boxes, then scroll down and click **Save** to apply the changes. The display type is now linked to the **Group name** field in the **Create Group** wizard. + +## Result + +The naming convention defined by the regular expression ensures that group names meet your requirements. For example, if the policy allows only alphabetic characters, the portal will reject names with spaces or special characters and display the specified error message. + +![Error message for invalid group name input](./images/servlet_image_4739340f8812.png) + +### Regular Expression Examples + +- **Example 1:** Allow only alphabetic characters (A–Z, a–z) and digits (0–9), with a length of 1 to 25 characters. + ```plaintext + ^[A-Za-z0-9-]{1,25}$ + ``` + +- **Example 2:** Allow alphabetic characters, digits, underscores (_), hyphens (-), asterisks (*), commas (,), and spaces, with a length of 1 to 30 characters. + ```plaintext + ^[A-Za-z0-9-,_*\s]{1,30}$ + ``` + +- **Example 3:** Enforce North American phone number format: (555) 123-4567. + ```plaintext + ^\ (\d\d\d\) \d\d\d-\d\d\d\d$ + ``` + +- **Example 4:** Accept telephone numbers in the format: 1 555 555 5555. + ```plaintext + ^[01]?[- .]?(\([2-9]\d{2}\)|[2-9]\d{2})[- .]?\d{3}[- .]?\d{4}$ + ``` \ No newline at end of file diff --git a/docs/kb/directorymanager/entraid-application-proxy-configuration.md b/docs/kb/directorymanager/entraid-application-proxy-configuration.md new file mode 100644 index 0000000000..130a279f69 --- /dev/null +++ b/docs/kb/directorymanager/entraid-application-proxy-configuration.md 
@@ -0,0 +1,120 @@ +--- +description: >- + Step-by-step instructions to configure Entra Tenant Application Proxy for use + with Netwrix Directory Manager, including installing the outbound connector, + configuring the application proxy, updating URLs, and managing SSL + certificates. +keywords: + - EntraID + - Application Proxy + - Netwrix Directory Manager + - outbound connector + - SSL certificate + - svc.client + - web.config + - internal URL + - external URL + - App Registration +products: + - directory-manager +visibility: public +sidebar_label: EntraID Application Proxy Configuration +tags: [] +title: "EntraID Application Proxy Configuration" +knowledge_article_id: kA0Qk00000015gnKAA +--- + +# EntraID Application Proxy Configuration + +## Overview + +This article provides step-by-step instructions for configuring Entra Tenant Application Proxy for use with Netwrix Directory Manager. The process includes installing the outbound connector, configuring the application proxy, updating URLs, and managing SSL certificates. + +## Instructions + +### Configure Entra Tenant Application Proxy + +![Entra Tenant Application Proxy configuration screen with key fields visible](images/ka0Qk000000DUWX_0EMQk000004n3iR.png) + +### Install Outbound Connector on Directory Manager Machine + +![Outbound connector installation window on Directory Manager machine](images/ka0Qk000000DUWX_0EMQk000004n3iS.png) + +### Configure Outbound Proxy + +![Outbound proxy configuration screen](images/ka0Qk000000DUWX_0EMQk000004n3iT.png) + +![Additional outbound proxy configuration options](images/ka0Qk000000DUWX_0EMQk000004n3iU.png) + +### Configure the Application + +1. Click **Configure an App**. +2. Provide a suitable name for the application. +3. Copy the external application URL: + + - Visible URL (as shown in the portal): `https://GroupID10SSP-5l607h.msappproxy.net/GroupID/` + - HREF (link target provided by the portal): `https://GroupID10SSP-5l607h.msappproxy.net/Directory Manager/` + +4. 
Add the internal URL in the Application Proxy configuration: + + - Internal URL: `https://onenexx2:4443/` + - Link: https://onenexx2:4443/ + + ![Application proxy configuration with internal and external URLs](images/ka0Qk000000DUWX_0EMQk000004n3iV.png) + +### Register the Application and Assign Users + +1. Go to **App Registration** and open **All Applications**. + + ![App Registration screen showing all applications](images/ka0Qk000000DUWX_0EMQk000004n3iW.png) + +2. Assign users to this application. + + ![Assigning users to the application in App Registration](images/ka0Qk000000DUWX_0EMQk000004n3iX.png) + +### Create and Upload an SSL Certificate + +1. Create an SSL certificate. + + ![SSL certificate creation window](images/ka0Qk000000DUWX_0EMQk000004n3iY.png) + + ![SSL certificate details screen](images/ka0Qk000000DUWX_0EMQk000004n3iZ.png) + + ![SSL certificate management interface](images/ka0Qk000000DUWX_0EMQk000004n3ia.png) + +2. Upload the certificate. + + ![Upload certificate screen](images/ka0Qk000000DUWX_0EMQk000004n3ib.png) + +> **NOTE:** Self-signed certificates will not work. Add a public certificate instead. You can turn off SSL in the application proxy to test the configuration. + +### Update Portal URLs with External URLs (Application Proxy) + +1. Change the portal URLs to use the external URLs provided by the application proxy. + + ![Portal URL configuration screen](images/ka0Qk000000DUWX_0EMQk000004n3ic.png) + +2. Verify that the changes are reflected in the `svc.client` table and `web.config` file. + + The following `web.config` changes are required: + + - External URL (visible): `https://GroupID10SSP-5l607h.msappproxy.net/GroupID/` + - External URL (HREF/target provided by portal): `https://GroupID10SSP-5l607h.msappproxy.net/Directory Manager/` + + ![web.config file showing updated external URL](images/ka0Qk000000DUWX_0EMQk000004n3id.png) + +3. 
Edit the **Issuer** and **Realm** URLs as needed: + + ![Issuer and Realm URL configuration screen](images/ka0Qk000000DUWX_0EMQk000004n3ie.png) + +4. Update the `svc.client` table in the database with the return, error, and realm URLs. + +> **NOTE:** Paste all URLs with a forward slash at the end. For example: `https://groupid10ssp-5l607h.msappproxy.net/Directory Manager/` + +![svc.client table showing updated URLs](images/ka0Qk000000DUWX_0EMQk000004n3if.png) + +## Related Links + +- [External Application URL for Directory Manager](https://GroupID10SSP-5l607h.msappproxy.net/GroupID/) +- [Internal URL for Application Proxy](https://onenexx2:4443/) +- [Issuer and Realm URL Example](https://groupid10ssp-5l607h.msappproxy.net/GroupID/) diff --git a/docs/kb/directorymanager/error_cannot_connect_to_identity_store_when_using_gmsa.md b/docs/kb/directorymanager/error_cannot_connect_to_identity_store_when_using_gmsa.md new file mode 100644 index 0000000000..4478a87b89 --- /dev/null +++ b/docs/kb/directorymanager/error_cannot_connect_to_identity_store_when_using_gmsa.md 
@@ -0,0 +1,87 @@ +--- +description: >- + This article addresses the error "Cannot connect to identity store" when using Group Managed Service Accounts (gMSA) in Directory Manager, detailing the symptoms, causes, and resolutions. +keywords: + - gMSA + - Identity Store + - Directory Manager + - authentication error + - SQL Server +sidebar_label: Cannot Connect to Identity Store +tags: [] +title: "Error: Cannot Connect to Identity Store When Using gMSA" +knowledge_article_id: kA0Qk0000002djdKAA +products: + - directory-manager +--- + +# Error: Cannot Connect to Identity Store When Using gMSA + +## Related Queries + +- "Directory Manager 11 EntraID replication always runs from scratch" +- "Replication does not use stored timestamps to perform delta updates" +- "Getting delta Groups from server. ShouldGetObjectsFromScratch = True" + +## Symptom + +- Group Managed Service Account (gMSA) initially connects successfully to the Identity Store in Directory Manager, but shortly afterward a **Cannot connect to identity store** error appears. +- Identity store settings in the UI become greyed out and inaccessible. + +## Cause + +This issue is caused by improper handling of the password value in the database: + +- When using gMSA, Directory Manager erroneously stores a password string in the `SSPR_IdentityStoreValue` table. +- Since gMSAs do not use static passwords, this stored value causes authentication to fail. + +## Resolutions + +1. **Review the Database Table** + Open SQL Server Management Studio and run the following query: + + ```sql + SELECT * FROM SSPR_IdentityStoreValue WHERE AttributeID = ; + ``` + + Replace `` with the actual ID for the password field. + + Example record before fix: + + | AttributesValueID | IdentityStoreID | AttributeID | AttributeValue | + |--------------------|------------------|-------------|-----------------| + | 3 | 2 | 2 | 0AA##0PV7#ayMdKyDlK3yyacs=p/4xL3vHhY438M8BlHsVUyFR+... | + +2. 
**Clear the Stored Password** + Update the record to clear the encrypted password: + + ```sql + UPDATE SSPR_IdentityStoreValue + SET AttributeValue = NULL + WHERE AttributeID = ; + ``` + +3. **Reconfigure Identity Store to Use gMSA** + In the Directory Manager UI, update the Identity Store configuration to use the gMSA (for example, `gmsagroupid$`). + +4. **Restart Services** + - Recycle the **Directory Manager SecurityService**. + - Run `iisreset` from an elevated command prompt. + - (Optional) Restart the server to ensure a clean environment. + +5. **Re-enter Credentials Using Full Domain Format** + When prompted, use the full domain-qualified format: + + ```plaintext + DOMAIN\gmsaAccount$ + ``` + + > **NOTE:** Using only `gmsagroupid$` may fail. Specifying the full domain format is required after a reset. + +## Additional Notes + +- Regular service accounts may work without the domain prefix. +- gMSA accounts require the full format: `DOMAIN\account$`. +- Ensure any stored password in SQL is cleared. +- Use the full domain-qualified format for the gMSA account. +- Restart all relevant services after making changes. \ No newline at end of file diff --git a/docs/kb/directorymanager/error_entra_id_replication_always_runs_from_scratch_due_to_domain_case_sensitivity.md b/docs/kb/directorymanager/error_entra_id_replication_always_runs_from_scratch_due_to_domain_case_sensitivity.md new file mode 100644 index 0000000000..6ff00e4246 --- /dev/null +++ b/docs/kb/directorymanager/error_entra_id_replication_always_runs_from_scratch_due_to_domain_case_sensitivity.md 
@@ -0,0 +1,102 @@ +--- +description: >- + This article addresses the issue of Entra ID replication running from scratch due to domain case sensitivity, detailing symptoms, causes, and resolutions. +keywords: + - Entra ID + - replication + - domain case sensitivity +sidebar_label: Entra ID Replication Issue +tags: [] +title: "Error: Entra ID Replication Always Runs from Scratch Due to Domain Case Sensitivity" +knowledge_article_id: kA0Qk000000312nKAA +products: + - directorymanager +--- + +# Error: Entra ID Replication Always Runs from Scratch Due to Domain Case Sensitivity + +## Related Queries + +- "Directory Manager 11 EntraID replication always runs from scratch" +- "Replication does not use stored timestamps to perform delta updates" +- "Getting delta Groups from server. ShouldGetObjectsFromScratch = True" + +## Symptoms + +- Replication cycles against Microsoft Entra ID stores take many hours (for example, 19 hours for approximately 6,500 groups). +- Replication logs show `ShouldGetObjectsFromScratch = True` on every run. +- Replication does not use stored timestamps and always performs a full sync. + +## Cause + +This issue occurs due to a case sensitivity mismatch in the **SVC.IdentityStoreReplication** table: + +- The database stores the domain as `domain.org` (lowercase "d"). +- The replication engine expects `Domain.org` (uppercase "D"). + +Because the check is case-sensitive, the system fails to find the existing timestamp and assumes it must replicate from scratch. + +## Resolution + +1. Identify the affected Entra ID store(s): + + ```sql + SELECT is1.IdentityStoreId, is1.IdentityStoreName, st.StoreTypeName + FROM SVC.IdentityStore is1 + JOIN SVC.StoreType st ON is1.StoreTypeId = st.StoreTypeId + WHERE st.StoreTypeName LIKE '%Entra%' OR st.StoreTypeName LIKE '%Azure%'; + ``` + + Note the **IdentityStoreId** of the production Entra ID store. + +2. 
Verify current domain values: + + ```sql + SELECT isr.IdentityStoreId, + is1.IdentityStoreName, + isr.Domain, + isr.TimeStamps + FROM SVC.IdentityStoreReplication isr + JOIN SVC.IdentityStore is1 ON isr.IdentityStoreId = is1.IdentityStoreId + WHERE isr.IdentityStoreId = ; + ``` + + If you see `woodmenlife.org` (lowercase "w"), this confirms the mismatch. + + If the domain already matches the correct casing (`Woodmenlife.org`), no change is needed. + +3. Backup the table (precaution): + + ```sql + SELECT * + INTO dbo.IdentityStoreReplication_Backup_ + FROM SVC.IdentityStoreReplication + WHERE IdentityStoreId = ; + ``` + +4. Correct the domain casing: + + ```sql + UPDATE SVC.IdentityStoreReplication + SET Domain = 'Domain.org' + WHERE IdentityStoreId = + AND Domain = 'domain.org'; + ``` + +5. Re-run the verification query from Step 2. The domain should now be stored as `Woodmenlife.org`. + +6. On the next replication cycle, confirm in the logs: + + - `ShouldGetObjectsFromScratch = False` + - Replication runtime drops significantly (minutes instead of hours). + - Only changed groups are processed. + +## Risk and Rollback + +- Risk level: Low – the update changes only the casing of the domain value. +- Rollback: Restore from the backup table created in Step 3 if needed. + +## Additional Notes + +- This issue is environment-specific and not widespread. +- If Directory Manager 11 Entra ID replication always runs from scratch, check the domain casing in **SVC.IdentityStoreReplication**. Correcting a single character in the domain field (lowercase “d” → uppercase “D”) restores delta replication and reduces runtime from hours to minutes. \ No newline at end of file diff --git a/docs/kb/directorymanager/export-enrolled-user-reports-with-additional-fields.md b/docs/kb/directorymanager/export-enrolled-user-reports-with-additional-fields.md new file mode 100644 index 0000000000..4a679d8bcd --- /dev/null 
+++ b/docs/kb/directorymanager/export-enrolled-user-reports-with-additional-fields.md 
@@ -0,0 +1,104 @@ +--- +description: >- + Shows how to export enrolled user reports from Netwrix Directory Manager using + the management shell to include additional fields such as SamAccountName and + Email Address. +keywords: + - directory manager + - password center + - export + - enrolled users + - Get-ADUser + - PowerShell + - SamAccountName + - enrollment +products: + - directory-manager +sidebar_label: Export Enrolled User Reports with Additional Field +tags: [] +title: "Export Enrolled User Reports with Additional Fields" +knowledge_article_id: kA0Qk0000002GqHKAU +--- + +# Export Enrolled User Reports with Additional Fields + +## Applies To +Netwrix Directory Manager 10 + +## Overview +By default, the Netwrix Directory Manager (formerly GroupID) Password Center Help Desk Portal allows you to export a report of enrolled users with the following fields: + +- Display Name +- Identity Store +- Locked +- Last Password Set +- Password Expires On +- Enrolled With + +![Default enrolled users export fields in Directory Manager 10](images/ka0Qk000000EWo1_0EMQk00000Bh5ni.png) + +However, you cannot add additional fields to the exported file using the Password Center interface, as the design node is not available in the MMC for design changes. As a workaround, you can use the Netwrix Directory Manager management shell to export user data with additional fields such as `SamAccountName` and `Email Address`. + +## Instructions + +### Export Enrolled User Data with Additional Fields +1. Open the **Directory Manager Management Shell** and run it as an administrator. +2. Import the Active Directory module by running the following command: + ``` + import-module ActiveDirectory + ``` +3. To export all users with additional fields, run the command below. 
This will include fields such as `SamAccountName`, `DisplayName`, `PasswordLastSet`, `Mail`, `UserPrincipalName`, `ObjectGUID`, and `LockedOut`, and will export the results to a CSV file: + ```powershell + $a = Get-ADUser -Filter * -Properties Mail, SamAccountName, PasswordLastSet, UserPrincipalName, DisplayName, LockedOut, ObjectGUID | + Select-Object SamAccountName, UserPrincipalName, DisplayName, Mail, PasswordLastSet, LockedOut, ObjectGUID + + $results = foreach ($user in $a) { + # Retrieve enrollment info + $enrollment = Get-UserEnrollment -Identity $user.SamAccountName + + # Convert the array to a comma-separated string + $enrollmentString = $enrollment -join ', ' # Join array elements with a comma and space + + [PSCustomObject]@{ + DisplayName = $user.DisplayName + SamAccountName = $user.SamAccountName + EmailAddress = $user.mail + UserPrincipalName= $user.UserPrincipalName + ObjectGuid = $user.ObjectGuid + PasswordLastSet = $user.PasswordLastSet + LockedOut = $user.LockedOut + EnrollmentInfo = $enrollmentString + } + } + $results | Export-Csv -Path c:\UsersEnrollmentReport.csv -NoTypeInformation + ``` +4. To run the export for a single user, run the command below. 
Replace ` "enter the name of the user" ` with the actual username: + ```powershell + $a = Get-ADUser -Identity "enter the name of the user" -Properties Mail, SamAccountName, PasswordLastSet, UserPrincipalName, DisplayName, LockedOut, ObjectGUID | + Select-Object SamAccountName, UserPrincipalName, DisplayName, Mail, PasswordLastSet, LockedOut, ObjectGUID + + $results = foreach ($user in $a) { + # Retrieve enrollment info + $enrollment = Get-UserEnrollment -Identity $user.SamAccountName + + # Convert the array to a comma-separated string + $enrollmentString = $enrollment -join ', ' # Join array elements with a comma and space + + [PSCustomObject]@{ + DisplayName = $user.DisplayName + SamAccountName = $user.SamAccountName + EmailAddress = $user.mail + UserPrincipalName= $user.UserPrincipalName + ObjectGuid = $user.ObjectGuid + PasswordLastSet = $user.PasswordLastSet + LockedOut = $user.LockedOut + EnrollmentInfo = $enrollmentString + } + } + $results | Export-Csv -Path c:\UserEnrollmentReport.csv -NoTypeInformation + ``` +5. To view all available attributes for a user that can be exported, run the command below. This will list all attributes in Active Directory for the specified user: + ```powershell + get-aduser -identity "enter the name of user" -Properties * + ``` + You can copy any additional attributes you want to include and add them to the export commands above. diff --git a/docs/kb/directorymanager/export-owners-and-additional-owners-for-groups-using-management-shell.md b/docs/kb/directorymanager/export-owners-and-additional-owners-for-groups-using-management-shell.md new file mode 100644 index 0000000000..473cbc9edb --- /dev/null +++ b/docs/kb/directorymanager/export-owners-and-additional-owners-for-groups-using-management-shell.md 
@@ -0,0 +1,64 @@ +--- +description: >- + Shows how to use the Directory Manager Management Shell in Netwrix Directory + Manager to export a list of owners and additional owners for Smart Groups and + all group types, and how to include additional attributes in the export. +keywords: + - Netwrix Directory Manager + - export + - owners + - additional owners + - Smart Groups + - Management Shell + - PowerShell + - CSV +products: + - directory-manager +sidebar_label: Export Owners and Additional Owners for Groups Usi +tags: [] +title: "Export Owners and Additional Owners for Groups Using Management Shell" +knowledge_article_id: kA0Qk0000002JbFKAU +--- + +# Export Owners and Additional Owners for Groups Using Management Shell + +## Overview + +This article explains how to use the Directory Manager Management Shell in Netwrix Directory Manager to export a list of owners and additional owners for groups and dynasties. This process is useful for environments with a large number of groups, providing visibility and management of group ownership. + +## Instructions + +1. Launch the Directory Manager Management Shell. +2. Log in to the Management Shell with your service account. +3. Run the cmdlet below to export owner and additional owner information for all Smart Groups. The CSV file will be saved to the `C:\` directory with the name `smartgroups.csv`. + +```powershell +Get-SmartGroup | Select Name, @{Name="Owner"; Expression={ (Get-User -Identity $_.ManagedBy).Name }}, @{Name="AdditionalOwner"; Expression={ ($_.AdditionalOwner.split(",") | ForEach-Object { (Get-User -Identity $_).Name }) -join ", " }} | Export-Csv "C:\smartgroups.csv" -NoTypeInformation +``` + +> **NOTE:** To change the directory, replace `C:\smartgroups.csv` with the desired directory path. + +![Exporting Smart Group owners and additional owners in Directory Manager Management Shell](images/ka0Qk000000EZ7Z_0EMQk00000BuCxp.png) + +4. 
To export the owner and additional owner list for all types of groups (managed and unmanaged), run the command below. This cmdlet will provide the owner and additional owner information for all types of groups. + +```powershell +Get-Group | Select Name, @{Name="Owner"; Expression={ (Get-User -Identity $_.ManagedBy).Name }}, @{Name="AdditionalOwner"; Expression={ ($_.AdditionalOwner.split(",") | ForEach-Object { (Get-User -Identity $_).Name }) -join ", " }} | Export-Csv "C:\Groups.csv" -NoTypeInformation +``` + +5. If additional information is required, you can append the desired attributes to the cmdlet. Examples of additional attributes include: + +- `smartGroupType` +- `security` +- `expiration` +- `whencreated` +- `UPN` +- `criteria` +- `SearchContainer` +- `Identity` +- `MaxItemsToDisplay` +- `ObjectType` +- `LdapFilter` +- `SmartFilter` + +These attributes can be added to the `Select` statement in the cmdlet to gather more detailed information for each group. diff --git a/docs/kb/directorymanager/force_users_to_validate_their_directory_profiles.md b/docs/kb/directorymanager/force_users_to_validate_their_directory_profiles.md new file mode 100644 index 0000000000..6a3c7ea868 --- /dev/null +++ b/docs/kb/directorymanager/force_users_to_validate_their_directory_profiles.md 
@@ -0,0 +1,97 @@ +--- +description: >- + This article provides step-by-step instructions for configuring user profile validation in Netwrix Directory Manager, ensuring that directory profiles remain accurate and up-to-date. +keywords: + - Directory Manager + - Profile Validation + - User Management +sidebar_label: Validate Directory Profiles +tags: [] +title: "Force Users to Validate Their Directory Profiles" +knowledge_article_id: kA0Qk0000002OcXKAU +products: + - directory-manager +--- + +# Force Users to Validate Their Directory Profiles + +## Applies To + +Directory Manager 11 + +## Overview + +Organizations need accurate employee directory profiles, but manual updates are often inefficient and lead to outdated information. Netwrix Directory Manager (formerly GroupID) addresses this by enabling administrators to require users to regularly review and update their own directory profiles. The Profile Validation feature automates this process and helps keep user information current. + +## Instructions + +### Configure User Profile Validation for an Identity Store + +1. In the Admin Center, click the **Identity Stores** node. +2. On the **Identity Stores** tab, go to the settings of the required identity store. +3. On the **Configurations** tab, click the **Profile Validation** option in the left pane. +4. In the **Profile Criteria** area, specify a group to apply profile validation to. Members of this group must validate their profiles using the portal. +5. In the **User’s Profile Validation Life Cycle** box, set the profile validation life cycle period. The default is 100 days, meaning users must validate their profiles once every 100 days. When a user validates their profile, the current cycle closes and the next cycle begins for that user. +6. In the **Extension Period Settings** area, specify the number of days to grant as an extension period to expired users. +7. In the **Reminder Notification Settings** area, add or edit the email notification information. 
These notifications remind users to validate their profiles. +8. Click **OK**. + +![Profile Validation configuration screen in Directory Manager Admin Center](./images/servlet_image_2d039145ce56.png) + +### Define a User Life Cycle Job for the Identity Store + +The profile validation feature is monitored by the User Life Cycle job. This job checks the profile validation dates for users in the specified group, sends reminder notifications, and expires users who do not validate their profiles within the given period. + +1. In the Admin Center, click the identity store node and open the properties of the required identity store. +2. Click the **Schedules** node and create a new schedule for the **User Life Cycle Job**. +3. Provide a schedule name and portal URL. +4. Set the trigger time and authentication for the scheduled job. +5. Click **Create Schedule** and save the changes. + +![User Life Cycle job scheduling screen in Directory Manager](./images/servlet_image_91b42553a485.png) + +### Specify Schema Attributes for Validation + +1. In the Admin Center, click **Applications** and go to the settings of the portal. +2. Select an identity store to specify fields for profile validation. +3. Click the **Property Validation** tab. +4. From the **Select Directory Object** list, select **User**. All fields currently available for profile validation in the portal are listed under **Display Name**. +5. You can **add**, **edit**, or **remove** fields as needed. +6. To add a new field (schema attribute) for profile validation, click the **+** icon. +7. Use the **Field(s)** box to specify a schema attribute. +8. In the **Display Name** box, specify a name to display as the field’s label in the portal. +9. From the **Display Type** drop-down list, select a display type for rendering the attribute(s) in the portal. +10. From the **Visibility Role** drop-down list, select a security role. 
The field will be visible to users of the selected role and to roles with a higher priority value. +11. Use the **Exclude Role** option to exclude a higher priority role or roles from seeing the field. +12. Specify a tooltip for the field, the maximum number of characters the field can store, and other attributes as needed. +13. Click **OK** to close the dialog box. +14. Click **Save** to apply the changes. + +![Property Validation tab in Directory Manager portal settings](./images/servlet_image_5c02509b695c.png) +![Add new schema attribute dialog in Directory Manager](./images/servlet_image_2a6f33988aed.png) + +### Profile Validation in the Portal + +Directory Manager provides multiple alerts and reminder notifications to prompt users to validate their profiles by a certain date. The **My Profile** card on the portal dashboard changes color to indicate the warning level. + +1. Launch the Directory Manager portal. +2. Click the **My Profile** card on the dashboard to open the **Validate Profile Properties** window. +3. Update the attributes the administrator has exposed for profile validation. In the default portal template, you can: + - Update office information, such as address and contact numbers. + - Specify or change your primary manager. + - Transfer your direct reports to another manager. + - Terminate your direct reports. +4. After verifying and updating the information, click the **Validate Now** button. + +![Validate Profile Properties window in Directory Manager portal](./images/servlet_image_488a33f61b88.png) + +### Grant an Extension Period to Expired Users + +Directory Manager expires users who do not validate their profiles within the required time frame, disabling their accounts in the directory. Expired users can request the administrator or Helpdesk to temporarily unlock their accounts and grant an extension period. 
If users do not validate their profile information within the extension period, Directory Manager expires them again and notifies their managers by email. To reactivate these accounts, managers must send a request to Helpdesk. + +1. Log in to the Directory Manager portal. +2. Click **Users** in the left pane and select **My Direct Reports**. +3. Click the **Disabled Users** tab. +4. Select an expired user and click **Extend** on the toolbar. The user's account is temporarily unlocked for the duration specified in profile validation configurations. See Step 1 for configuration details. + +![Disabled Users tab and Extend option in Directory Manager portal](./images/servlet_image_b50d7c6bf441.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/gather-debug-logs-for-v10.md b/docs/kb/directorymanager/gather-debug-logs-for-v10.md new file mode 100644 index 0000000000..75e6eb5bca --- /dev/null +++ b/docs/kb/directorymanager/gather-debug-logs-for-v10.md 
@@ -0,0 +1,122 @@ +--- +description: >- + Instructions to enable Debug mode in Netwrix Directory Manager v10 and collect + log files from services, portals, and components for troubleshooting. +keywords: + - debug logs + - Netwrix Directory Manager + - GroupID 10 + - log collection + - Self-Service Portal + - Password Center + - IIS + - Elasticsearch + - replication +products: + - directory-manager +sidebar_label: Gather Debug Logs for v10 +tags: [] +title: "Gather Debug Logs for v10" +knowledge_article_id: kA0Qk0000001dtlKAA +--- + +# Gather Debug Logs for v10 + +## Applies To +Netwrix Directory Manager 10 + +## Overview +This article provides guidance for enabling Debug mode in Netwrix Directory Manager applications and collecting log files for troubleshooting purposes. The article outlines how to adjust logging levels and gather logs from various components. + +## Instructions + +### Enable Debug Mode for Identity Store +1. Open the **Netwrix Directory Manager Console** and navigate to the **Identity Stores** node. +2. Open the properties of the Identity Store where the issue is occurring. +3. In the Properties window, navigate to the **Configurations** tab then click on **Log Settings**. +4. Change **File Logging** from **Error** to **Debug**. +5. Click **Apply**, then **OK** to save the changes. +6. After enabling Debug mode, reproduce the issue, then continue with the steps below to dump the logs. + +### Dump Log Files to a Specific Location +1. Right-click **Netwrix Directory Manager [connected domain name]** in the left pane and select **Diagnostics > Logs Dump**. +2. The **Logs Dump** dialog box appears. +3. Select the Directory Manager version from the drop-down list. +4. If you select an uninstalled version, an error will be displayed. +5. In the **Dump logs of** area, select the desired modules or event types: + - **Event Viewer:** Expands the **Event Logs** list. Select the required logs maintained by Windows Event Viewer. 
+ - **IIS:** Expands the **Websites** list. Select the websites to include in the dump. +6. Click **Dump**. +7. In the **Choose dump file name** dialog box, specify a name, select the save location, and click **Save**. +8. The logs are saved as a ZIP file in the chosen location. + +### Manually Collect Logs by Service +You can manually collect logs from the following locations. `X` refers to the installation drive of Netwrix Directory Manager. + +- **Data Service** + `X:\Program Files\Imanami\GroupID 10.0\GroupIDDataService\Log` + File: `GroupID10-DataService` + +- **Security Service** + `X:\Program Files\Imanami\GroupID 10.0\GroupIDSecurityService\Log` + File: `GroupID10-STS` + +- **Replication Logs** + `C:\Users\[ServiceAccount]\AppData\Local\Temp` + File: `GroupID 10 Replication.log` + +- **Self-Service Portal Logs** + 1. In the Netwrix Directory Manager Console, go to **Self-service > Portals > [Portal name] > Server**. + 2. In **Server Settings**, go to the **Support** tab and change **File Logging** from **Error** to **Debug**. + 3. Click the floppy disk icon in the top-right corner to save. + 4. Edit `web.config` in `X:\Program Files\Imanami\GroupID 10.0\SelfService\Inetpub\[Portal Name]\Web` and ensure: + - `` + - `` + 5. Save the `web.config` file. + + Log location: `X:\Program Files\Imanami\GroupID 10.0\SelfService\Inetpub\[Portal Name]\log` + File: `GroupID10-SSP` + +- **Password Center User Portal Logs** + Follow the same steps as the Self-Service Portal to enable Debug mode. 
+ + `X:\Program Files\Imanami\GroupID 10.0\PasswordCenter\Inetpub\[Portal Name]\log` + File: `GroupID10-PasswordCenter` + +- **Directory Manager Management Console Logs** + `C:\Users\[LoggedInUser]\AppData\Local\Temp` + File: `GroupID10` + +- **Email Service Logs** + `C:\Windows\Temp\~GroupID10-EmailService` + +- **Management Shell Logs** + `C:\Windows\Temp\~GroupID10-Management.Log` + +- **Upgrade Summary Logs** + `C:\Windows\Temp\~GroupID10_Upgrade.Log` + +- **Password Center Helpdesk Portal Logs** + `X:\Program Files\Imanami\GroupID 10.0\PasswordCenter\Helpdesk\Inetpub\[Portal Name]\log` + File: `GroupID10-HelpDesk` + +- **Task Scheduler Logs** + `C:\Users\[ScheduleAccount]\AppData\Local\Temp` + File: `GroupID10-TaskScheduler` + +- **Reporting Logs** + `C:\Windows\Temp\~GroupID10-Reporting.Log` + +- **Synchronize Logs** + `C:\Windows\Temp\~GroupID10-Synchronize.Log` + Job file logs: + `C:\ProgramData\Imanami\GroupID 10.0\Synchronize\Jobs\[Job Name]\JobRun_xxx_xxxx_xxx.dtmlog` + +- **Configuration Tool Logs** + `C:\Users\[User]\AppData\Local\Temp` + File: `GroupIDConfigurationTool10` + +- **Elasticsearch Logs** + `C:\Program Files\Imanami\GroupID 10.0\ElasticSearch\elasticsearch-6.2.4\logs` + +Once logs have been collected, compress and send the full logs folder as a ZIP file. diff --git a/docs/kb/directorymanager/gather-debug-logs-for-v11.md b/docs/kb/directorymanager/gather-debug-logs-for-v11.md new file mode 100644 index 0000000000..f2f75a08d5 --- /dev/null +++ b/docs/kb/directorymanager/gather-debug-logs-for-v11.md 
@@ -0,0 +1,181 @@ +--- +description: >- + Shows how to enable Debug logging for Netwrix Directory Manager v11 components + and collect logs using the Admin Center portal or by locating log files on + disk. +keywords: + - Netwrix Directory Manager + - debug logs + - Admin Center + - GroupID + - elasticsearch + - log dump + - Data Service + - Scheduler Service +products: + - directory-manager +sidebar_label: Gather Debug Logs for v11 +tags: [] +title: "Gather Debug Logs for v11" +knowledge_article_id: kA0Qk0000001dvNKAQ +--- + +# Gather Debug Logs for v11 + +## Applies To +Netwrix Directory Manager 11 + +## Overview +By default, Netwrix Directory Manager application logs are set to **Error** mode for logging. To capture detailed logs, you must manually set each application to **Debug** mode before collecting the logs. + +Netwrix Directory Manager logging levels are configured per application, so you must enable Debug mode for each relevant component individually. + +This article covers the steps to: +- Dump log files to a specific location from the Admin Center portal +- Enable Debug mode for individual applications including: + - Admin Center + - Data Service + - Security Service + - Application Portal + - Email Service + - Scheduler Service + - Configuration Tool + - Elasticsearch + +## Instructions +Follow the steps in the sections below to enable Debug logging for individual applications and collect the relevant logs. + +### Enable Debug for Admin Center Logs +1. Log in to the Admin Center for the Identity Store where the issue is occurring. +2. Navigate to **Applications** then click on the **Admin Center** application. +3. Open the Admin Center application settings by clicking the three-dot icon on the application. +4. In the application settings, click **Deployment**. +5. In the Deployment settings, click on **Logging**. +6. Under **File Logging**, change **Log Events** to **Debug** and save. 
+ +Alternatively, you can manually capture this log from the following location: + +```text +X:\Program Files\Imanami\GroupID 11.0\AdminCenter\Inetpub\AdminCenter\Web\Logs +``` + +> **NOTE:** X refers to the installation directory of Netwrix Directory Manager. Locate the file named GroupID11-AdminCenter. + +### Enable Debug for Data Service Logs +1. Log in to the Admin Center for the Identity Store where the issue is occurring. +2. Navigate to **Applications** then click on the **Data Service** application. +3. Open the Data Service application settings by clicking the three-dot icon on the application. +4. In the application settings, click **Deployment**. +5. In the Deployment settings, click on **Logging**. +6. Under **File Logging**, change **Log Events** to **Debug** and save. + +Alternatively, you can manually capture this log from the following location: + +```text +X:\Program Files\Imanami\GroupID 11.0\GroupIDDataService\Inetpub\GroupIDDataService\Web\Logs +``` + +> **NOTE:** X refers to the installation directory of Netwrix Directory Manager. Locate the file named GroupID11-GroupID Data Service. + +### Enable Debug for Security Service Logs +1. Log in to the Admin Center for the Identity Store where the issue is occurring. +2. Navigate to **Applications** then click on the **Security Service** application. +3. Open the Security Service application settings by clicking the three-dot icon on the application. +4. In the application settings, click **Deployment**. +5. In the Deployment settings, click on **Logging**. +6. Under **File Logging**, change **Log Events** to **Debug** and save. + +Alternatively, you can manually capture this log from the following location: + +```text +X:\Program Files\Imanami\GroupID 11.0\GroupIDSecurityService\Inetpub\GroupIDSecurityService\Web\Logs +``` + +> **NOTE:** X refers to the installation directory of Netwrix Directory Manager. Locate the file named GroupID11-SecurityService. 
+ +### Enable Debug for Application Portal Logs +1. Log in to the Admin Center for the Identity Store where the issue is occurring. +2. Navigate to **Applications** then click on the **Application Portal** application. +3. Open the Application Portal application settings by clicking the three-dot icon on the application. +4. In the application settings, click **Deployment**. +5. In the Deployment settings, click on **Logging**. +6. Under **File Logging**, change **Log Events** to **Debug** and save. + +Alternatively, you can manually capture this log from the following location: + +```text +X:\Program Files\Imanami\GroupID 11.0\GroupIDPortal\Inetpub\[Application portal for which the logging level is changed]\Web\Logs +``` + +> **NOTE:** X refers to the installation directory of Netwrix Directory Manager. Locate the file named GroupID11-GroupID Portal. + +### Enable Debug for Email Service Logs +1. Log in to the Admin Center for the Identity Store where the issue is occurring. +2. Navigate to **Applications** then click on the **Email Service** application. +3. Open the Email Service application settings by clicking the three-dot icon on the application. +4. In the application settings, click **Deployment**. +5. In the Deployment settings, click on **Logging**. +6. Under **File Logging**, change **Log Events** to **Debug** and save. + +Alternatively, you can manually capture this log from the following location: + +```text +X:\Program Files\Imanami\GroupID 11.0\EmailService\Inetpub\GroupIDEmailService\Web\Logs +``` + +> **NOTE:** X refers to the installation directory of Netwrix Directory Manager. Locate the file named GroupID11-Email Service. + +### Enable Debug for Scheduler Service Logs +1. Log in to the Admin Center for the Identity Store where the issue is occurring. +2. Navigate to **Applications** then click on the **Scheduler Service** application. +3. Open the Scheduler Service application settings by clicking the three-dot icon on the application. +4. 
In the application settings, click **Deployment**. +5. In the Deployment settings, click on **Logging**. +6. Under **File Logging**, change **Log Events** to **Debug** and save. + +Alternatively, you can manually capture this log from the following location: + +```text +X:\Program Files\Imanami\GroupID 11.0\GroupIDSchedulerService\Inetpub\GroupIDSchedulerService\Web\Logs +``` + +> **NOTE:** X refers to the installation directory of Netwrix Directory Manager. Locate the file named GroupID11-Scheduler Service. + +### Replication Logs +The Replication Service runs in Debug mode by default, so no changes are required. You can capture the logs directly from the following location: + +```text +X:\Program Files\Imanami\GroupID 11.0\ReplicationService\Inetpub\GroupIDReplicationService\Web\Logs +``` + +> **NOTE:** X refers to the installation directory of Netwrix Directory Manager. Locate the file named GroupID11-Replication Service. + +### Configuration Tool logs +You can manually capture the Configuration Tool logs from the following location: + +```text +X:\ProgramData\Imanami\GroupID 11.0\Configuration Tool +``` + +> **NOTE:** X refers to the installation directory of Netwrix Directory Manager. Locate the file named GroupIDConfigurationTool11. + +### Elasticsearch Logs +You can manually capture the Elasticsearch logs from the following location: + +```text +X:\Program Files\Imanami\GroupID 11.0\elasticsearch\elasticsearch-8.0.0\logs +``` + +> **NOTE:** X refers to the installation directory of Netwrix Directory Manager. Compress the entire Logs folder. + +### Dump Log Files To a Specific Location +You can use the Logs Dump feature to collect and dump your required logs to a specific location. + +1. Log on to the Netwrix Directory Manager Admin Center portal. +2. Once you have set the chosen applications to **Debug mode**, you must replicate the issue for the logs to capture. +3. 
Once the issue has been reproduced, click the settings **Gear** icon on the Dashboard of the Admin Center portal. +4. In Netwrix Directory Manager settings, click **Logs**. +5. In the **Dump logs of** area, select the check boxes for the Netwrix Directory Manager modules or event sources you want to include. + - If you select **Event Viewer**, the **Event Logs** list becomes available. Expand the list and select the logs you want to capture. These correspond to logs maintained by Windows Event Viewer. + - If you select **IIS**, the **Websites** list becomes available. Expand it and select the websites for which you want to collect logs. +6. Click **Download**. Netwrix Directory Manager will generate a zip file with the selected application log files and download it to your web browser Downloads folder. diff --git a/docs/kb/directorymanager/generate-a-report-of-all-groups-in-the-domain.md b/docs/kb/directorymanager/generate-a-report-of-all-groups-in-the-domain.md new file mode 100644 index 0000000000..693d7dc9d2 --- /dev/null +++ b/docs/kb/directorymanager/generate-a-report-of-all-groups-in-the-domain.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Use the reporting feature in Netwrix Directory Manager to generate a list of + all groups in your domain, customize the report, and export it in PDF, Excel, + or HTML formats. +keywords: + - groups report + - all groups + - Netwrix Directory Manager + - LDAP filter + - report export + - report schedule + - Dashboard + - Group Reports +products: + - directory-manager +sidebar_label: Generate a Report of All Groups in the Domain +tags: [] +title: "Generate a Report of All Groups in the Domain" +knowledge_article_id: kA0Qk0000002DnZKAU +--- + +# Generate a Report of All Groups in the Domain + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +Use the reporting feature in Netwrix Directory Manager to create a list of all groups in your domain. You can customize the report title, apply filters, choose which fields to include, and export the results in PDF, Excel, or HTML format. + +## Instructions + +### Steps to Generate a Report of All Groups + +1. Open the Netwrix Directory Manager portal and go to the **Reports** options. + ![Reports options in Directory Manager portal](images/ka0Qk000000EMWv_0EMQk00000BX3X5.png) +2. Select **Group Reports** > **All Groups in the Domain**. +3. Click **Create Report**. This launches the **Create Report** wizard. + ![Create Report wizard in Directory Manager](images/ka0Qk000000EMWv_0EMQk00000BX9nl.png) +4. On the first page, enter a custom title for your report in the **Report Name** box. The default title is **All Groups in Domain**. +5. Click **Browse** to open the **Select Container** dialog box and select the required source container. The default selection is the Global Catalog. +6. Select the **Include sub-folders** check box to include sub-folders for the selected container in the report. +7. In the **Filter Criteria** section, modify the default LDAP filter as required. This filter is used to select items from the container to display in the report. 
To add additional filters, click **Add More Filters**. +8. Click **Next**. + ![Filter Criteria section in Create Report wizard](images/ka0Qk000000EMWv_0EMQk00000BXA77.png) +9. The **Fields** section displays the fields that will be included in the report. You can add or remove fields from the list, and you can move fields to change their order. +10. From the **Sort By** drop-down list, select the field by which you want to sort the results in the report. +11. From the **Schedule** drop-down list, select the schedule for the report. If you select a schedule, the report will run automatically at the specified time. +12. Click **Finish**. + ![Report results in Directory Manager](images/ka0Qk000000EMWv_0EMQk00000BXAK1.png) +13. The report is displayed based on the settings you configured in the portal. The report includes the following information: + - Connected identity store name + - Selected container + - Number of records fetched + - Date the report was created + - Filter applied while creating the report + - List of report results + + > **NOTE:** The report is listed on the template's page. You can create multiple reports from the same template. +14. To download the report, click **Download** and select the format for the report (PDF, Excel, or HTML). +15. You can also pin the report to the **Dashboard** by clicking **Pin Report**. diff --git a/docs/kb/directorymanager/generate_a_report_on_disabled_users_along_with_distribution_list_memberships.md b/docs/kb/directorymanager/generate_a_report_on_disabled_users_along_with_distribution_list_memberships.md new file mode 100644 index 0000000000..6ab759539f --- /dev/null +++ b/docs/kb/directorymanager/generate_a_report_on_disabled_users_along_with_distribution_list_memberships.md 
@@ -0,0 +1,58 @@ +--- +description: >- + This article explains how to generate a report on disabled users along with their distribution list memberships using Netwrix Directory Manager. +keywords: + - Directory Manager + - disabled users + - distribution list memberships +sidebar_label: Generate Report on Disabled Users +tags: [] +title: "Generate a Report on Disabled Users Along With Distribution List Memberships" +knowledge_article_id: kA0Qk0000002R7NKAU +products: + - directory-manager +--- + +# Generate a Report on Disabled Users Along With Distribution List Memberships + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows you to generate reports on disabled users along with their distribution list (DL) memberships. The Reports module is a free tool for running reports on Active Directory and Microsoft Exchange/Office 365. This article explains how to generate this report using the Reports portal. + +## Instructions + +### Generate a Report on Disabled Users and Their DL Memberships + +1. In the Directory Manager portal, select **Reports** from the left navigation bar. The Reports portal will open in a new browser tab. + ![Reports portal in Directory Manager](./images/servlet_image_451a4261ce2f.png) + +2. Click the **User Reports** button on the navigation bar. + +3. In the Users category, type **Users multiple DL memberships** in the search bar. + ![Searching for Users multiple DL memberships report](./images/servlet_image_c303f69db518.png) + +4. Click the report when it appears in the search results. A new window will open. + +5. Click **Create Report** to start the report creation wizard. + ![Create Report wizard in Directory Manager](./images/servlet_image_3adeec70e526.png) + +6. On the first page, provide a name for the report, then choose the search scope within the directory and provide a filter criterion. By default, the wizard searches the Global Catalog. 
To limit the scope to a particular container: + 1. Click **Browse** to launch the **Select Container** dialog box and select the required source container. + 2. Select the **Include sub-containers** check box to include sub-containers in the report. + 3. In the **Filter Criteria** box, modify the default LDAP filter. The default filter generates a list of all users in the domain along with their group memberships. + 4. Add the filters **UserAccountControl BitAnd 2** and **GroupType Is Not 2147483648** to fetch a list of all disabled users within the specified container, along with their DL memberships. + ![Filter criteria for disabled users and DL memberships](./images/servlet_image_761bfdbbeba6.png) + +7. Click **Next**. + ![Next step in report wizard](./images/servlet_image_504b5dea921c.png) + +8. The **Report Fields** page displays the fields that will be included in the report. To add more fields, click **Add**. To remove a field, select it and click the **Cross** button. You can change the order of fields using the double bar buttons. + +9. Click **Finish** to generate the report. + +10. The report will be generated. You can download the report in your desired format or pin the report to the Reports portal Dashboard. + ![Generated report on disabled users and DL memberships](./images/servlet_image_9a4475fa8080.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/generate_a_report_on_enabled_users_without_managers.md b/docs/kb/directorymanager/generate_a_report_on_enabled_users_without_managers.md new file mode 100644 index 0000000000..f93e208221 --- /dev/null +++ b/docs/kb/directorymanager/generate_a_report_on_enabled_users_without_managers.md 
@@ -0,0 +1,54 @@ +--- +description: >- + This article provides step-by-step instructions on generating a report for enabled users without managers in Netwrix Directory Manager. +keywords: + - Netwrix Directory Manager + - enabled users report + - Active Directory +sidebar_label: Generate Report on Enabled Users +tags: [] +title: "Generate a Report on Enabled Users Without Managers" +knowledge_article_id: kA0Qk0000002R5lKAE +products: + - directory-manager +--- + +# Generate a Report on Enabled Users Without Managers + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows you to generate reports on enabled users who do not have a manager in the domain. The Reports module is a free tool for running reports on Active Directory and Microsoft Exchange/Office 365. This article explains how to generate this report using the Reports portal. + +## Instructions + +### Generate a Report on Enabled Users Without Managers + +1. In the Directory Manager portal, select **Reports** from the left navigation bar. The Reports portal will open in a new browser tab. + ![Reports portal in Directory Manager](./images/servlet_image_b4288b973d3e.png) + +2. Click the **User Reports** button on the navigation bar. + +3. In the Users category, type **Enabled Users** in the search bar. + +4. Select the first report template in the list. + ![Selecting Enabled Users report template](./images/servlet_image_73a87e888ba6.png) + +5. Click **Create Report** to start the report creation wizard. + ![Create Report wizard in Directory Manager](./images/servlet_image_50ec1f1005eb.png) + +6. On the first page, provide a friendly name for the report, then choose the search scope within the directory and provide a filter criterion. By default, the wizard searches the Global Catalog. To limit the scope to a particular container: + 1. Click **Browse** to launch the **Select Container** dialog box and select the required source container. + 2. 
Select the **Include sub-containers** check box to include sub-containers in the report. + 3. In the **Filter Criteria** box, modify the default LDAP filter. The default filter generates a list of all users in the domain. + 4. Add a new clause, **manager Not Present**, to fetch a list of all enabled users without managers. + ![Filter criteria for enabled users without managers](./images/servlet_image_d7588ec323eb.png) + +7. Click **Next**. + +8. The **Report Fields** page displays the fields that will be included in the report. To add more fields, click **Add**. To remove a field, select it and click the **Cross** button. You can change the order of fields using the double bar buttons. + ![Report Fields page in Directory Manager](./images/servlet_image_79ee3f35bad1.png) + +9. Click **Finish** to generate the report. + +10. The report will be generated. You can download the report in your desired format or pin the report to the Reports portal Dashboard. + ![Generated report on enabled users without managers](./images/servlet_image_c1786baac3a4.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/generate_a_report_on_enabled_users_without_managers_along_with_distribution_list_memberships.md b/docs/kb/directorymanager/generate_a_report_on_enabled_users_without_managers_along_with_distribution_list_memberships.md new file mode 100644 index 0000000000..ee13ddb232 --- /dev/null +++ b/docs/kb/directorymanager/generate_a_report_on_enabled_users_without_managers_along_with_distribution_list_memberships.md 
@@ -0,0 +1,58 @@ +--- +description: >- + This article explains how to generate a report on enabled users who do not have a manager, along with their distribution list memberships using Netwrix Directory Manager. +keywords: + - Netwrix Directory Manager + - report generation + - Active Directory +sidebar_label: Generate Report on Users Without Managers +tags: [] +title: "Generate a Report on Enabled Users Without Managers Along with Distribution List Memberships" +knowledge_article_id: kA0Qk0000002R8zKAE +products: + - directory-manager +--- + +# Generate a Report on Enabled Users Without Managers Along with Distribution List Memberships + +## Applies To + +Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows you to generate reports on enabled users who do not have a manager, along with their distribution list (DL) memberships. The Reports module is a free tool for running reports on Active Directory and Microsoft Exchange/Office 365. This article explains how to generate this report using the Reports portal. + +## Instructions + +### Generate a Report on Enabled Users Without Managers and Their DL Memberships + +1. In the Directory Manager portal, select **Reports** from the left navigation bar. The Reports portal will open in a new browser tab. + ![Reports portal in Directory Manager](./images/servlet_image_7e38294b686d.png) + +2. Click the **User Reports** button on the navigation bar. + +3. In the Users category, type **Users multiple DL memberships** in the search bar. + ![Searching for Users multiple DL memberships report](./images/servlet_image_84e4d97f9492.png) + +4. Click the report when it appears in the search results. A new window will open. + +5. Click **Create Report** to start the report creation wizard. + ![Create Report wizard in Directory Manager](./images/servlet_image_ed2e03f398de.png) + +6. 
On the first page, provide a name for the report then choose the search scope within the directory and provide a filter criterion. By default, the wizard searches the Global Catalog. To limit the scope to a particular container: + 1. Click **Browse** to launch the **Select Container** dialog box and select the required source container. + 2. Select the **Include sub-containers** check box to include sub-containers in the report. + 3. In the **Filter Criteria** box, modify the default LDAP filter. The default filter generates a list of all users in the domain along with their group memberships. + 4. Add the filter **manager Not Present** to fetch a list of all enabled users without managers, along with DL memberships. + ![Filter criteria for enabled users without managers](./images/servlet_image_6278e144466d.png) + +7. Click **Next**. + ![Next step in report wizard](./images/servlet_image_e3be8f49fd6c.png) + +8. The **Edit Report Fields** page displays the fields that will be included in the report. To add more fields, click **Add**. To remove a field, select it and click **Remove**. You can change the order of fields using the double bar buttons. + +9. Click **Finish** to generate the report. + +10. The report will be generated. You can download the report in your desired format or pin the report to the Reports portal Dashboard. + ![Generated report on enabled users without managers and DL memberships](./images/servlet_image_0244ce7a37b7.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/generate_a_report_on_groups_without_members_or_owners.md b/docs/kb/directorymanager/generate_a_report_on_groups_without_members_or_owners.md new file mode 100644 index 0000000000..e46541cec1 --- /dev/null +++ b/docs/kb/directorymanager/generate_a_report_on_groups_without_members_or_owners.md 
@@ -0,0 +1,64 @@ +--- +description: >- + This article provides step-by-step instructions for generating a report on groups without members or owners in Netwrix Directory Manager. +keywords: + - Netwrix Directory Manager + - report generation + - Active Directory +sidebar_label: Generate Report on Groups +tags: [] +title: "Generate a Report on Groups Without Members or Owners" +knowledge_article_id: kA0Qk0000002R49KAE +products: + - directory-manager +--- + +# Generate a Report on Groups Without Members or Owners + +## Applies To + +Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows you to generate reports on groups that have no members and no owners or additional owners. The Reports module is a free tool for running reports on Active Directory and Microsoft Exchange/Office 365. This article explains how to generate this report using the Reports portal. + +## Instructions + +### Generate a Report on Groups Without Members or Owners + +1. In the Directory Manager portal, select **Reports** from the left navigation bar. The Reports portal will open in a new browser tab. + + ![Reports portal in Directory Manager](./images/servlet_image_01ac88513b47.png) + +2. Click the **Group Reports** button on the navigation bar. + +3. In the Groups category, type **Groups with no members** in the search bar. + +4. Select the first report template in the list. + + ![Selecting Groups with no members report template](./images/servlet_image_06aa583234f5.png) + +5. Click **Create Report** to start the report creation wizard. + + ![Create Report wizard in Directory Manager](./images/servlet_image_60f272e79bda.png) + +6. The report creation wizard prompts you to enter a name for the report. Choose the search scope within the directory and provide a filter criterion. By default, the wizard searches the Global Catalog. To limit the scope to a particular container: + 1. 
Click **Browse** to launch the **Select Container** dialog box and select the required source container. + 2. Select the **Include sub-containers** check box to include sub-containers in the report. + 3. In the **Filter Criteria** box, modify the default LDAP filter. The default filter generates a list of all groups in the domain. + 4. Add new clauses, **XAdditionalOwner Not Present** and **member Not Present**, to fetch a list of all groups without members and without owners or additional owners. + + ![Filter criteria for groups with no members and no owners](./images/servlet_image_369723a124a0.png) + +7. Click **Next**. + +8. The **Report Fields** page displays the fields that will be included in the report. To add more fields, click **Add**. To remove a field, select it and click the **X**. You can change the order of fields using the two lined icon. + + ![Report Fields page in Directory Manager](./images/servlet_image_c76c90a0473d.png) + +9. Click **Finish** to generate the report. + +10. The report will be generated. You can download the report in your desired format or pin the report to the Reports portal Dashboard. + + ![Generated report on groups with no members and no owners](./images/servlet_image_64c36725b5ca.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/generating-a-report-on-users-who-never-logged-on.md b/docs/kb/directorymanager/generating-a-report-on-users-who-never-logged-on.md new file mode 100644 index 0000000000..5f29c15005 --- /dev/null +++ b/docs/kb/directorymanager/generating-a-report-on-users-who-never-logged-on.md 
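Review bot: Sub-step 4 of step 6 adds only **XAdditionalOwner Not Present** and **member Not Present**, yet it claims the result is groups "without members and without owners or additional owners"; no clause for the primary owner is listed. Add the owner clause to the step, or state that the template's default filter already covers it. The title says "Without Members or Owners" while the Overview and the filter describe groups that have neither, so the title should say which is meant. The file ends without a trailing newline.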
@@ -0,0 +1,77 @@ +--- +description: >- + Step-by-step instructions to generate a report of Active Directory users who + have never logged on using the Netwrix Directory Manager Reports module. +keywords: + - users who never logged on + - inactive accounts + - Netwrix Directory Manager + - Active Directory report + - audit + - report generation + - lastLogonTimeStamp + - user reports +products: + - directory-manager +sidebar_label: Generating a Report on Users Who Never Logged On +tags: [] +title: "Generating a Report on Users Who Never Logged On" +knowledge_article_id: kA0Qk0000002CczKAE +--- + +# Generating a Report on Users Who Never Logged On + +## Applies To +Netwrix Directory Manager 11 + +## Overview +This article provides step-by-step instructions for generating a report on users who have never logged on using the Netwrix Directory Manager Reports module. This report is useful for auditing, cleaning up unused accounts, or ensuring compliance. + +## Instructions +1. Navigate to the **Application Portal** and click **Reports**. + ![Reports section in the Application Portal](images/ka0Qk000000Dtxx_0EMQk00000BSNt0.png) + +2. In the new tab that opens, click **User Reports**. + ![User Reports section](images/ka0Qk000000Dtxx_0EMQk00000BSOST.png) + +3. Sort the reports by clicking the **Title** column. Locate the report titled **Users Who Never Logged On** on the second page and click it. + ![Sorting and selecting the Users Who Never Logged On report](images/ka0Qk000000Dtxx_0EMQk00000BSOU5.png) + +4. Click **Create Report**. + ![Create Report button](images/ka0Qk000000Dtxx_0EMQk00000BSOQr.png) + +5. On the **Create Report** page, configure the following settings: + - **Report Name:** Enter a descriptive name, such as "Users Who Never Logged On."" + - **Container:** Select a specific container in Active Directory by clicking **Browse** to open the directory tree. 
+ - **Include Subfolders:** Enable this option to include all sub-containers within the selected directory. + - **Filter Criteria:** + - `objectCategory` – Starts With – `cn=Person`: Ensures only user objects classified as **Person** are included. + - `objectClass` – Is Exactly – `user`: Ensures the report only includes user objects. + - `lastLogonTimeStamp` – Not Present: Captures accounts that have never logged in. + + Use the **Add More Filters** option for additional criteria. + ![Create Report configuration page](images/ka0Qk000000Dtxx_0EMQk00000BSLmM.png) + +6. Customize the report output by selecting the fields to display: + - Use the **Add Field** button to add or remove fields. + - Available fields include: + - `cn (Common Name)` – Displayed as **Name** + - `company` – Displayed as **Company** + - `department` – Displayed as **Department** + - Adjust the **Search Type** (for example, Text) for data display preferences. + - Rearrange fields using the **Move** icon or remove them using the **X** button under **Actions**. + +7. Set the **Sort By** field to `cn` (Common Name) for sorting results. + +8. Optionally, schedule the report generation by selecting a predefined job from the dropdown menu in the **Scheduled Job** section. + +9. Click **Finish** to complete the report generation process. + ![Finish button to complete report generation](images/ka0Qk000000Dtxx_0EMQk00000BSKYY.png) + +## Viewing and Managing the Report +After clicking **Finish**, the report results will display all users who have never logged into their accounts. +![Report results showing users who never logged on](images/ka0Qk000000Dtxx_0EMQk00000BSLMa.png) + +Additional actions you can perform include: +- Pin Report: Pin the report for quick access on the dashboard. +- Download: Export the report in formats such as HTML, MS Excel, or PDF. 
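Review bot: The Report Name example in step 5 ends with a stray quotation mark (`"Users Who Never Logged On.""`); drop the extra quote. Step 3 tells the reader the template is "on the second page", which depends on how many templates are installed and how the list is sorted; use the search or refer to the title only. In step 6, "Use the **Add Field** button to add or remove fields" contradicts the later bullet that removes fields with the **X** button. The settings list in step 5 calls the option **Include Subfolders** while describing sub-containers; use the label exactly as it appears in the wizard.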
diff --git a/docs/kb/directorymanager/graph-api-permissions-required-for-directory-manager-v11-application-in-entra-id.md b/docs/kb/directorymanager/graph-api-permissions-required-for-directory-manager-v11-application-in-entra-id.md new file mode 100644 index 0000000000..285bfdf397 --- /dev/null +++ b/docs/kb/directorymanager/graph-api-permissions-required-for-directory-manager-v11-application-in-entra-id.md 
@@ -0,0 +1,111 @@ +--- +description: >- + Lists the Microsoft Graph API application permissions required for Netwrix + Directory Manager v11 in Microsoft Entra ID and maps each permission to the + Netwrix Directory Manager functionality it enables. +keywords: + - Graph API + - Entra ID + - permissions + - Netwrix Directory Manager + - Microsoft Graph + - Teams + - SharePoint + - Exchange + - roles +products: + - directory-manager +sidebar_label: Graph API Permissions Required for Directory Manag +tags: [] +title: >- + Graph API Permissions Required for Netwrix Directory Manager V11 Application + in Entra ID +knowledge_article_id: kA0Qk0000002jPFKAY +--- + +# Graph API Permissions Required for Netwrix Directory Manager V11 Application in Entra ID + +## Applies to +Netwrix Directory Manager 11 + +## Question +What is the list of Microsoft Graph API application permissions required for the Netwrix Directory Manager in Entra ID? What is the mapping of each permission to the specific Netwrix Directory Manager functionality it enables? 
+ +## Answer +Here is the list of all the Microsoft Graph API application permissions required for the Netwrix Directory Manager in Entra ID: + +### Microsoft Teams / Channels + +| Graph API Permission | Netwrix Directory Manager Feature | +|---|---| +| `Channel.Create` | Add Channel under Team Properties on DM Portal | +| `Channel.Delete.All` | Remove any channel under Team Properties on the DM Portal | +| `Channel.ReadBasic.All` | Retrieve Channel's Name, Description, and Privacy under Team Properties across the tenant on DM Portal | +| `ChannelMember.Read.All` | Retrieve the list of members in any Channel under Team Properties across the tenant on the DM Portal | +| `ChannelMember.ReadWrite.All` | Retrieve, Add, Update, and Remove members in/from any Channel under Team Properties across the tenant on DM Portal | + +### Directory and Group Management + +| Graph API Permission | Netwrix Directory Manager Feature | +|---|---| +| `Directory.Read.All` | Retrieve users, groups, roles, and directory settings across the tenant on DM Portal | +| `Directory.ReadWrite.All` | Retrieve and manage/modify users, groups, roles, and directory settings across the tenant on DM Portal | +| `Group.Create` | Create any type of group on DM Portal | +| `Group.Read.All` | Retrieve the properties and memberships of all groups across the tenant on DM Portal | +| `Group.ReadWrite.All` | Retrieve, create, update, and delete groups, manage group members and owners across the tenant on DM Portal | +| `GroupMember.Read.All` | Retrieve the group members and owners of all groups across the tenant on DM Portal | +| `GroupMember.ReadWrite.All` | Retrieve, add, update, and remove members and owners in/from any group on DM Portal | + +### Microsoft 365 Mail Access + +| Graph API Permission | Netwrix Directory Manager Feature | +|---|---| +| `Mail.Read` | Read the signed-in user's mail including subject, body, and attachments from Microsoft 365 (Outlook) mailboxes | +| `Mail.ReadBasic` | Read the 
signed-in user's mail including subject, from, to, cc, and received date from Microsoft 365 (Outlook) mailboxes | +| `Mail.ReadBasic.All` | Read all users' mail across the tenant including subject, from, to, cc, and received date from Microsoft 365 (Outlook) mailboxes | +| `Mail.ReadWrite` | Read and modify (edit, move, delete) emails in your mailbox from Microsoft 365 (Outlook) mailboxes | +| `Mail.Send` | Send emails as the signed-in user or on behalf of any user from Microsoft 365 (Outlook) mailboxes | + +### User Management + +| Graph API Permission | Netwrix Directory Manager Feature | +|---|---| +| `User.Read.All` | Retrieve all users' profile data across the tenant under User Profiles on DM Portal | +| `User.ReadBasic.All` | Retrieve all basic attributes of user profiles across the tenant under User Profiles on DM Portal | +| `User.ReadWrite.All` | Retrieve, create, update, and delete users across the tenant on DM Portal | +| `User.Invite.All` | Invite users from another Microsoft Entra ID tenant to the membership of any group in your domain | +| `User.DeleteRestore.All` | Delete users from DM Portal and access deleted items endpoints | +| `User.EnableDisableAccount.All` | Enable/disable accounts of all users from User Properties on DM Portal | +| `User.RevokeSessions.All` | Force sign-out users after password reset or role change on DM Portal | +| `User.ManageIdentities.All` | Retrieve, update, and delete identities that are associated with a user's account under Linked Mode of DM Portal | +| `User.Export.All` | Export user profile data from DM Portal | +| `User-PasswordProfile.ReadWrite.All` | Manage user's password profiles, change and reset password of all users on DM Portal | +| `User-Phone.ReadWrite.All` | Retrieve and update mobile phone of all users under User Properties on DM Portal | + +### Role Management + +| Graph API Permission | Netwrix Directory Manager Feature | +|---|---| +| `RoleManagement.Read.All` | Retrieve assigned roles of all users 
under Directory Role tab of User Properties across the tenant on DM Portal | +| `RoleManagement.Read.CloudPC` | Retrieve assigned roles of all users under Directory Role tab of User Properties across the tenant on DM Portal specific to Cloud PC (Windows 365) | +| `RoleManagement.Read.Directory` | Retrieve Microsoft Entra directory roles e.g. Global Administrator under Directory Role tab of User Properties across the tenant on DM Portal | +| `RoleManagement.Read.Exchange` | Retrieve assigned roles of all users across Exchange Online | +| `RoleManagement.ReadWrite.CloudPC` | Retrieve, add, and remove assignments of roles of all users under Directory Role tab of User Properties across the tenant on DM Portal specific to Cloud PC (Windows 365) | +| `RoleManagement.ReadWrite.Directory` | Retrieve, add, and remove assignments of roles of all users under Directory Role tab of User Properties across the tenant on DM Portal | +| `RoleManagement.ReadWrite.Exchange` | Retrieve, add, and remove assignments of roles of all users across Exchange Online | + +### Exchange Online (Application Permissions) + +| Exchange Permission | Netwrix Directory Manager Feature | +|---|---| +| `Exchange.ManageAsApp` | Retrieve, create, modify mailboxes, manage mailbox permissions on DM Portal or through PowerShell | + +### SharePoint Delegated Permissions + +| SharePoint Permission | Netwrix Directory Manager Feature | +|---|---| +| `AllSites.FullControl` | Access to all SharePoint Sites across the tenant, manage site settings and permissions from Entitlement Portal and Entitlement Section of Microsoft Entra ID Identity Store on Admin Portal | +| `AllSites.Manage` | Create/delete sites, manage site users and groups on Entitlement Portal | +| `AllSites.Read` | Retrieve the content of all SharePoint sites across the tenant under Entitlement Section of Microsoft Entra ID Identity Store on Admin Portal | +| `AllSites.Write` | Add, edit, and delete documents, list items, and pages of all sites 
across the tenant | + diff --git a/docs/kb/directorymanager/hide-distribution-lists-from-end-users-in-portal.md b/docs/kb/directorymanager/hide-distribution-lists-from-end-users-in-portal.md new file mode 100644 index 0000000000..f0b3c6568b --- /dev/null +++ b/docs/kb/directorymanager/hide-distribution-lists-from-end-users-in-portal.md 
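Review bot: The Answer in the Graph API permissions article introduces every row as an application permission, but the Microsoft 365 Mail Access table describes `Mail.Read`, `Mail.ReadBasic`, `Mail.ReadWrite` and `Mail.Send` in terms of "the signed-in user" and "your mailbox", which is delegated-permission wording, and the SharePoint table is headed "Delegated Permissions". Add a column, or split the tables, to state for each permission whether it is granted as application or delegated, since the scope an administrator consents to differs between the two. The Directory, Group, GroupMember, User and RoleManagement tables also list both the read-only and the ReadWrite form of the same permission without saying when the read-only one is sufficient; marking which rows are needed only for write features would let a tenant grant the smaller set. The `sidebar_label` is cut off at "Directory Manag".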
@@ -0,0 +1,46 @@ +--- +description: >- + Learn how to prevent end users from viewing distribution lists in the Netwrix + Directory Manager self-service portal by excluding specific sAMAccountType + values in the user security role LDAP filter. +keywords: + - distribution lists + - sAMAccountType + - LDAP filter + - Netwrix Directory Manager + - security role + - portal + - distribution groups + - Active Directory +products: + - directory-manager +sidebar_label: Hide Distribution Lists from End Users in Portal +tags: [] +title: "Hide Distribution Lists from End Users in Portal" +knowledge_article_id: kA0Qk0000002IDlKAM +--- + +# Hide Distribution Lists from End Users in Portal + +## Applies To +Netwrix Directory Manager 10 and above + +## Overview +In some environments, it may be necessary to prevent end users from viewing distribution lists in the Netwrix Directory Manager self-service portal. This can be accomplished by configuring LDAP filter criteria in the user security role. By excluding specific `sAMAccountType` values associated with distribution groups, you can ensure that these groups are not displayed to users in the portal. + +## Instructions + +### Hide Distribution Lists from End Users +1. In the Netwrix Directory Manager Management Console, open the properties of your identity store. +2. Click the **Security Roles** tab and edit the **User** security role. +3. Click the **Policies** tab then navigate to **Search**. +4. In the LDAP filter, apply the criteria below to exclude distribution lists. Use the **AND** operator between these two criteria. + - `sAMAccountType is Not 536870913` + - `sAMAccountType is Not 268435457` + +5. Save the settings in the security roles. +6. Sign out of the Netwrix Directory Manager portal and sign in again with an account that is part of the user security role to verify the change. 
+ +![LDAP filter settings in Netwrix Directory Manager security role](images/ka0Qk000000EYmb_0EMQk00000BoN3A.png) + +> **NOTE:** For Universal and Global distribution groups, the `sAMAccountType` value is **268435457**. For Domain local distribution groups, the value is **536870913**. diff --git a/docs/kb/directorymanager/hide-reports-entitlements-and-synchronize-tabs-in-the-user-portal.md b/docs/kb/directorymanager/hide-reports-entitlements-and-synchronize-tabs-in-the-user-portal.md new file mode 100644 index 0000000000..6a01853cce --- /dev/null +++ b/docs/kb/directorymanager/hide-reports-entitlements-and-synchronize-tabs-in-the-user-portal.md 
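Review bot: Step 1 of the hide-distribution-lists article sends the reader to the "Netwrix Directory Manager Management Console", yet Applies To says "10 and above" and the version 11 articles in this same patch configure the portal through the Admin Center; give the version 11 path as well or narrow Applies To. In step 4, "Use the **AND** operator between these two criteria" is easy to miss ahead of the bullets, and the NOTE that maps 268435457 and 536870913 to group scopes sits after the screenshot at the end; move it next to step 4 where the values are first used. It would also help to say that this is the Search policy filter on the User role, so readers do not take it as a permission change on the groups themselves.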
@@ -0,0 +1,57 @@ +--- +description: >- + Show how to hide the Synchronize, Reports, and Entitlements tabs in the + Netwrix Directory Manager User Portal by configuring access levels in the + Admin Center. +keywords: + - directory manager + - user portal + - navigation bar + - entitlements + - reports + - synchronize + - access level + - admin center + - portal settings +products: + - directory-manager +sidebar_label: 'Hide Reports, Entitlements, and Synchronize Tabs i' +tags: [] +title: 'Hide Reports, Entitlements, and Synchronize Tabs in the User Portal' +knowledge_article_id: kA0Qk0000002F2zKAE +--- + +# Hide Reports, Entitlements, and Synchronize Tabs in the User Portal + +## Applies To +Netwrix Directory Manager 11 + +## Overview +By default, the **Synchronize**, **Reports**, and **Entitlements** tabs appear on the navigation bar in the Netwrix Directory Manager User Portal. You can control which users see these tabs by adjusting their access level settings. Restricting access ensures that only users with the appropriate roles can view or use these options. + +![Navigation bar in Directory Manager User Portal showing Synchronize, Reports, and Entitlements tabs](images/ka0Qk000000EMez_0EMQk00000BbHoM.png) + +## Instructions + +### Hide the Reports, Entitlements, and Synchronize Tabs +1. Go to the **Admin Center**. +2. Navigate to **Applications**. +3. Open the **Settings** for the portal you want to apply the changes to. + ![Portal settings in Directory Manager Admin Center](images/ka0Qk000000EMez_0EMQk00000BbBHX.png) +4. Go to **Design Settings** and expand **Identity Store**. +5. Select **Navigation Bar**. +6. Click the **Dropdown List** and select **External Links**. + ![External Links dropdown in Navigation Bar settings](images/ka0Qk000000EMez_0EMQk00000BbIFm.png) +7. Edit **Entitlements**. +8. In the **Access Level** list, select a security role: + - The **Entitlements** link will be visible to users of this role and any roles with a higher priority. 
+ - To hide the link from all users, select **Never**. + - To allow only **Administrators** to see it, select **Administrator** (users in roles below Administrator will not have access). + ![Access Level settings for Entitlements tab](images/ka0Qk000000EMez_0EMQk00000BbH6o.png) +9. Click **OK** to save the changes. +10. Log in to the **Netwrix Directory Manager Portal** to verify the changes. + ![Portal view after hiding tabs](images/ka0Qk000000EMez_0EMQk00000BbJN7.png) +11. Repeat these steps for the **Reports** and **Synchronize** tabs. Edit each tab individually and set the **Access Level** as required. +12. Once configured, users without the required access level will no longer see the **Reports**, **Entitlements**, and **Synchronize** tabs in the portal. + +![Portal navigation bar with hidden tabs](images/ka0Qk000000EMez_0EMQk00000BbJYP.png) diff --git a/docs/kb/directorymanager/how-to-add-message-approvers-in-group-properties-in-groupid-portal.md b/docs/kb/directorymanager/how-to-add-message-approvers-in-group-properties-in-groupid-portal.md new file mode 100644 index 0000000000..ff113bb38d --- /dev/null +++ b/docs/kb/directorymanager/how-to-add-message-approvers-in-group-properties-in-groupid-portal.md 
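Review bot: The Overview of the hide-tabs article says that adjusting the access level "ensures that only users with the appropriate roles can view or use these options", but steps 7 to 11 only change the Access Level of a navigation-bar link under **External Links**. State whether that setting also blocks the Reports, Entitlements and Synchronize pages when they are opened by direct URL, or reword the Overview to say the tabs are hidden. Step 8 mixes "roles with a higher priority" with "roles below Administrator" without saying which direction priority runs, and step 12 describes the outcome rather than an action, so it reads better as a closing sentence after the list.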
@@ -0,0 +1,115 @@ +--- +description: >- + Shows how to customize the Netwrix Directory Manager portal to display message + approvers (moderators) for distribution lists by using Exchange message + moderation attributes in Active Directory. +keywords: + - message approvers + - distribution list + - message moderation + - Exchange + - msExchEnableModeration + - mxExchModeratedByLink + - Netwrix Directory Manager + - portal customization +products: + - directory-manager +sidebar_label: 'How To Add Message Approvers in Group Properties in Netwrix Directory Manager Portal' +tags: [] +title: >- + How To Add Message Approvers in Group Properties in Netwrix Directory Manager + Portal +knowledge_article_id: kA0Qk0000000HyXKAU +--- + +# How To Add Message Approvers in Group Properties in Netwrix Directory Manager Portal + +## Applies To: + +Netwrix Directory Manager 11 + +## Business Scenario: + +We have set up message approvers/moderators for various distribution lists in our Microsoft Exchange and we would like to view these settings in our Netwrix Directory Manager portal. Is there a way to customize the Netwrix Directory Manager portal to show such settings? + +## Solution: + +To enable Netwrix Directory Manager portal customization for displaying Message Approvers for Distribution Lists using Microsoft Exchange-based Active Directory attributes, you can utilize the following Active Directory attributes associated with Message Moderation for On-Premises MS Exchange: + +- **msExchEnableModeration** + This attribute is used in Microsoft Exchange to enable or disable message moderation for a specific distribution group. When this attribute is set to true, it indicates that messages sent to the distribution group will be subject to moderation, which means they will need approval from a moderator before being delivered to the group members. 
+ +- **msExchModeratedByLink** + This attribute is used to associate a distribution list or security group that contains the list of moderators for a moderated recipient. When this attribute is configured, it links the moderated recipient to the specified distribution list or security group, allowing the members of that group to act as moderators for the recipient. + +- **msExchBypassModerationLink** + This attribute is used to associate a distribution list or security group that contains the list of senders who can bypass the moderation process for a moderated recipient. When this attribute is set, it links the moderated recipient to the specified distribution list or security group, allowing the members of that group to send messages that bypass the moderation process. + +By leveraging these attributes, you can create a customized view in the Netwrix Directory Manager portal that shows the appropriate Message Approvers for the Distribution Lists. This customization enables you to manage message moderation effectively and efficiently within your organization's Exchange environment. + +## Steps: + +Follow the below-provided instructions to customize the portal: + +1. In the **Netwrix Directory Manager Admin Center Portal**, select **Self-Service** **GroupID Portals** **[required portal]** **Triple Dot button** **Settings**. + + ![User-added image](images/ka0Qk000000D2Dh_0EMQk000001gaph.png) + +2. Under the **Design Settings** tab, select the **Identity Store** you want to customize in the portal. + +3. On the **Properties** tab, select **Group** from the **Select Directory Object** list. + +4. Select **Advanced** in the **Name** list and click **Edit**. + + ![User-added image](images/ka0Qk000000D2Dh_0EMQk000001garJ.png) + +5. On the **Edit Design Category** dialog box, click **Add Field**. + + ![User-added image](images/ka0Qk000000D2Dh_0EMQk000001gasv.png) + +6. 
Select the `mxExchEnableModeration` attribute in the **Field** list, enter the display name as **Is Moderator Enabled** and set the display type to **Check**. + + ![User-added image](images/ka0Qk000000D2Dh_0EMQk000001gauX.png) + +7. Click **Add** on the dialog boxes and then click **Add Field** again on the **Edit Design Category**. + +8. Select the `mxExchModeratedByLink` attribute in the **Field** list, enter the display name as **Moderators**, and set the display type to **DNs**. + + ![User-added image](images/ka0Qk000000D2Dh_0EMQk000001gaxl.png) + +9. Click **Add** on the dialog boxes and then click **Add Fields** again on the **Edit Design Category**. + +10. Select the `mxExchBypassModerationLink` attribute in the **Field** list, enter the display name as **Bypass Moderators**, and set the display type to **DNs**. + + ![User-added image](images/ka0Qk000000D2Dh_0EMQk000001gazN.png) + +11. Click **Add** on the dialog boxes and then click the **Save** button to save the settings. + +12. Launch the **Netwrix Directory Manager** portal. You should be able to see the newly added attributes in the **Group’s Properties** under the **Advanced** tab. 
+ + ![User-added image](images/ka0Qk000000D2Dh_0EMQk000001gb0z.png) + +## Reference: + +- Admin Center — Applications — Customize Properties Pages — v11.0 + /docs/directory-manager/11.0/groupid/admin-guidecenter/portal/design + +## Related Articles: + +- Walkthrough Search Policy - Define Scope and Filter Results + /docs/kb/directory-manager/walkthrough_search_policy_-_define_scope_and_filter_results + +- How To Enforce Users to Create Groups in a Specific OU + /docs/kb/directory-manager/how_to_enforce_users_to_create_groups_in_a_specific_ou + +- How To Import Members to a Group Using Self-Service Import Wizard + /docs/kb/directory-manager/how_to_import_members_to_a_group_using_self-service_import_wizard + +- How to Trigger a workflow When a User Сreates a Group + /docs/kb/directory-manager/how_to_trigger_a_workflow_when_a_user_сreates_a_group + +- Best Practices for Controlling Changes to Group Membership + /docs/kb/directory-manager/how_to_enforce_users_to_create_groups_in_a_specific_ou + +- Best Practices for Preventing Accidental Data Leakage + /docs/kb/directory-manager/best_practices_for_preventing_accidental_data_leakage diff --git a/docs/kb/directorymanager/how-to-allow-users-to-create-specific-objects-in-user-portal.md b/docs/kb/directorymanager/how-to-allow-users-to-create-specific-objects-in-user-portal.md new file mode 100644 index 0000000000..dbaccfcfcd --- /dev/null +++ b/docs/kb/directorymanager/how-to-allow-users-to-create-specific-objects-in-user-portal.md 
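Review bot: Steps 6, 8 and 10 of the message-approvers article tell the reader to select `mxExchEnableModeration`, `mxExchModeratedByLink` and `mxExchBypassModerationLink`, while the Solution section names the attributes `msExchEnableModeration`, `msExchModeratedByLink` and `msExchBypassModerationLink`; the front-matter keyword `mxExchModeratedByLink` has the same `mx` spelling. Use one spelling throughout, matching the Solution section, so the names agree with what the reader will look for in the **Field** list. In Related Articles, "Best Practices for Controlling Changes to Group Membership" points to the same path as "How To Enforce Users to Create Groups in a Specific OU", and the "How to Trigger a workflow When a User Сreates a Group" entry contains a Cyrillic "С" in both its title and its path. Step 1 lists the menu path with no separators between items, steps 7 and 9 alternate between **Add Field** and **Add Fields**, and every screenshot carries the alt text "User-added image".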
@@ -0,0 +1,59 @@ +--- +description: >- + Shows how to configure a security role in Netwrix Directory Manager 11 to + allow users to create only group and contact object types through the User + portal. Follow the steps to modify the role permissions and prevent creation + of other object types. +keywords: + - Netwrix Directory Manager + - security role + - user portal + - create objects + - groups + - contacts + - identity store + - permissions +products: + - directory-manager +sidebar_label: How to Allow Users to Create Specific Objects in U +tags: [] +title: "How to Allow Users to Create Specific Objects in User Portal" +knowledge_article_id: kA0Qk0000002CebKAE +--- + +# How to Allow Users to Create Specific Objects in User Portal + +## Applies To: +Netwrix Directory Manager 11 + +## Overview +This article provides instructions for configuring a security role in Netwrix Directory Manager 11 to allow users to create only *group* and *contact* object types through the User portal. By modifying the role’s permissions, you can prevent users from creating other object types, such as users and mailboxes, to align with your organization’s security and management policies. + +## Instructions +To grant or deny permission to create specific objects in the Netwrix Directory Manager User portal, follow these steps: + +1. Open the Netwrix Directory Manager Admin Portal at `https://servername/AdminCenter/`. Navigate to **Identity Stores**. Under an identity store's name, click the three dots (**...**) to edit it. + + ![Identity Stores list with edit option highlighted in Directory Manager Admin Portal](images/ka0Qk000000CuJN_0EMQk00000BSXU9.png) + +2. In the identity store's properties, click the **Security Roles** tab. Select the role you want to modify and click **Edit**. + + ![Security Roles tab and Edit button in Directory Manager Admin Portal](images/ka0Qk000000CuJN_0EMQk00000BSXPJ.png) + +3. On the **Role Properties** page, click the **Permissions** tab. 
+ + ![Permissions tab in Role Properties in Directory Manager Admin Portal](images/ka0Qk000000CuJN_0EMQk00000BSXNh.png) + +4. The **Create** permissions for the User portal are shown in the following images: + + ![Create permissions for object types in Directory Manager User portal](images/ka0Qk000000CuJN_0EMQk00000BSXQv.png) + + ![Additional create permissions for object types in Directory Manager User portal](images/ka0Qk000000CuJN_0EMQk00000BSXVl.png) + +5. Select the **Allow** option for **Group** and **Contact** object types to permit creation. Select the **Deny** option for all other object types to restrict creation. + +6. Click **OK** to save your changes. + +When you allow the role to create *groups* and *contacts* using the portal, the result will look like this: + +![User portal showing only group and contact creation options](images/ka0Qk000000CuJN_0EMQk00000BSXSX.png) diff --git a/docs/kb/directorymanager/how-to-allow-users-to-only-create-distribution-groups.md b/docs/kb/directorymanager/how-to-allow-users-to-only-create-distribution-groups.md new file mode 100644 index 0000000000..d27facdd64 --- /dev/null +++ b/docs/kb/directorymanager/how-to-allow-users-to-only-create-distribution-groups.md 
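Review bot: Step 4 of the create-specific-objects article conveys the available **Create** permissions only through two screenshots, so step 5's instruction to select **Deny** "for all other object types" cannot be followed or checked from the text. List the object types in step 4 (the Overview names users and mailboxes as examples) and say in step 5 whether a type left at neither **Allow** nor **Deny** can still be created, so readers know whether an explicit Deny is required. The `https://servername/AdminCenter/` URL in step 1 should be marked as a placeholder for the reader's own server name.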
@@ -0,0 +1,68 @@ +--- +description: >- + Shows how to configure the Netwrix Directory Manager portal so end users can + only create distribution groups while administrators can create both + distribution and security groups. +keywords: + - group creation + - distribution groups + - security groups + - Netwrix Directory Manager + - NDM Admin Center + - portal settings + - custom display types +products: + - directory-manager +sidebar_label: How To Allow users to only create distribution gro +tags: [] +title: "How To Allow users to only create distribution groups" +knowledge_article_id: kA0Qk0000002Z3JKAU +--- + +# How To Allow users to only create distribution groups + +## Applies To: +**Netwrix Directory Manager 11** + +## Business Use Case: +You want end users to be able to create distribution groups only, and not be able to create security groups. + +## More Information: +By default, users can create both distribution and security groups using the Netwrix Directory Manager (NDM) portal. In this article, you will configure the portal so end users can only create distribution groups, while people in the **Administrator** role can still create both distribution and security groups. + +## Steps: +1. In the NDM Admin Center, select **Applications >** Under **Netwrix Directory Manager Portal**, select the **three dots** button on your portal > Click **Settings**. + ![NDM Admin Center - Portal Settings](images/ka0Qk000000EECn_0EMQk00000CtNBZ.png) + +2. On the **Server Settings** tab, under **Design Settings**, select your identity store. + +3. Click the **Create Object** tab > Under **Select Directory Object**, select **Group**. In the **Name** list, select **General** and click **Edit**. + ![Create Object - Group General](images/ka0Qk000000EECn_0EMQk00000CtNDB.png) + +4. On the **Edit Category** dialog box, select **Group Type** in the **Fields** area and click **Edit**. + ![Edit Category - Group Type](images/ka0Qk000000EECn_0EMQk00000CtN9x.png) + +5. 
On the **Edit Field** dialog box, click **Advanced options**. + +6. Make sure that under **Default Value**, nothing is selected. If there is already a value, clear it out. + ![Edit Field - Advanced Options and Default Value](images/ka0Qk000000EECn_0EMQk00000CtN8L.png) + +7. Also, make sure that the checkbox named **Is Read Only** is unchecked / not selected > Click **OK** > Scroll down and **Save** your changes. + +8. Again, in the NDM Admin Center, select **Applications >** Under **Netwrix Directory Manager Portal**, select the **three dots** button on your portal > Click **Settings**. + +9. On the **Server Settings** tab, under **Design Settings**, select your portal. + +10. Select **Custom Display Types** > Then under **Custom Display Types**, select **groupType** from the list and click the **Edit** button. + ![Custom Display Types - groupType](images/ka0Qk000000EECn_0EMQk00000CtNEn.png) + +11. A new dialog box named **Edit Radio Display Type** will open. + ![Edit Radio Display Type dialog](images/ka0Qk000000EECn_0EMQk00000CtNGP.png) + +12. Under the **Edit Radio Display Type** dialog box, edit the option named **Security** > Change its **Visibility** to **Administrator** > Then edit the option named **Distribution** and make sure its **Visibility** is set to **User** (this will be the default value here). + ![Edit Radio Display Type - Visibility Settings](images/ka0Qk000000EECn_0EMQk00000CtLOI.png) + +13. If you see any other option in this mini window besides **Security** and **Distribution**, edit them and set their **Visibility** to **Never**. Scroll down and **Save** your changes. + +## Expected Results: +After these changes, when an end user tries to create a new group, they will only be able to create a distribution group. When an administrator tries to create a group, they will be able to create both distribution and security groups. 
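Review bot: Step 9 of the distribution-groups-only article says to select "your portal" under **Design Settings**, whereas step 2 reaches the same **Design Settings** list and selects "your identity store"; confirm which item **Custom Display Types** sits under and use the same wording in both steps. Steps 6 and 7 ask the reader to clear **Default Value** and uncheck **Is Read Only** for **Group Type** without saying why; one sentence on how a preset or read-only value would interact with the Visibility change in step 12 would help. The article also does not say whether **Visibility** only hides the radio option in the portal form or also prevents a member of the User role from creating a security group by other means; state which, since the business use case is a restriction. Step 13 calls the dialog a "mini window" where step 11 names it **Edit Radio Display Type**.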
diff --git a/docs/kb/directorymanager/how-to-apply-real-time-data-validation.md b/docs/kb/directorymanager/how-to-apply-real-time-data-validation.md new file mode 100644 index 0000000000..43fc97dff2 --- /dev/null +++ b/docs/kb/directorymanager/how-to-apply-real-time-data-validation.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Shows how to configure real-time data validation for portal fields in Netwrix + Directory Manager, including default values, regular expressions, uniqueness + checks, and external validation. +keywords: + - real-time validation + - regular expression + - portal fields + - unique value + - Netwrix Directory Manager + - external validation + - data validation +products: + - directory-manager +visibility: public +sidebar_label: How to Apply Real-time Data Validation +tags: [] +title: "How to Apply Real-time Data Validation" +knowledge_article_id: kA0Qk0000002KYvKAM +--- + +# How to Apply Real-time Data Validation + +## Applies To +Netwrix Directory Manager 11 + +## Overview +Netwrix Directory Manager (formerly GroupID) supports real-time data validation in portal fields. In traditional systems, users only see validation errors after completing all data entry and clicking **Save**. This process can be frustrating, as users must revisit and correct errors after filling out multiple pages. With Netwrix Directory Manager, the portal validates each field as users enter data, providing immediate feedback and allowing users to correct errors on the spot. This real-time validation improves accuracy and streamlines the data entry process. + +Netwrix Directory Manager validates data according to rules for uniqueness and syntax, displaying a message as soon as a user enters invalid data. As an administrator, you can add input fields to a portal and apply the following checks: + +- Specify a default value for a field. +- Use a regular expression to validate the data entered in a field. +- Require users to enter a unique value for a field. + +## Instructions +1. In the Netwrix Directory Manager Management Console, select **Applications > Netwrix Directory Manager Portals**. +2. Open the settings for the desired portal. +3. Go to the Design settings of your identity store to apply real-time data validation. +4. 
On the **Custom Display Types** tab, click **Add (+)** to create a new display type. +5. Enter a name for the display type in the **Name** box. +6. From the **Type** list, select *Textbox* and click **OK**. + +![Creating a textbox display type with real-time validation in Netwrix Directory Manager](images/ka0Qk000000FE97_0EMQk00000BxDMI.png) + +7. Enter a value in the **Default Value** box to set it as the default for the text box. Users can modify this value in the portal. +8. In the **Regular Expression** box, type a regular expression to validate data entered in the text box. Leave this box blank if you do not want to apply a validation rule. +9. In the **Error Message** box, type the text to display when a user enters data that does not conform to the regular expression. +10. Click **Test** to check if the regular expression is valid. In the **Regular Expression Example** box, type an example that satisfies the regular expression and click **Test**. +11. To require users to enter a unique value for the field, select the **Unique** check box. Netwrix Directory Manager checks for uniqueness in the directory or an external data source. The portal prevents users from proceeding unless they provide a unique value. You can also use an external data source, such as an Excel file, to validate uniqueness in real time. Select the **External Validation URL** check box and enter the API URL in the box below. +12. Click **OK** to close the **Text Display Type** dialog box. +13. On the toolbar, click **Save**. + +## Applying the Textbox Display Type to a Portal Field +Apply the textbox display type to a field, such as the *group name* field in the group creation wizard. When a user enters a group name, the portal validates it according to the regular expression and checks for uniqueness in the directory or external data source. The portal displays an error message in real time if the entry does not pass these checks. 
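Review bot: step 11 of how-to-apply-real-time-data-validation introduces **External Validation URL** without documenting what the endpoint must accept and return, whether it has to be HTTPS, or how the portal authenticates to it. The step also names an Excel file as the external data source and then asks for an API URL, with nothing connecting the two. Suggest splitting step 11 into a **Unique** step and an external validation step, and stating the request and response contract. Step 8 would benefit from one sample pattern and a note on whether the expression must match the whole value. The Overview should say whether the same checks are enforced again on save or only while the user types. Step 1 refers to the "Management Console", while Applies To is Directory Manager 11 and the other version 11 articles in this patch use "Admin Center".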
diff --git a/docs/kb/directorymanager/how-to-change-a-user-s-membership-type.md b/docs/kb/directorymanager/how-to-change-a-user-s-membership-type.md new file mode 100644 index 0000000000..6dc9774103 --- /dev/null +++ b/docs/kb/directorymanager/how-to-change-a-user-s-membership-type.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Step-by-step instructions for changing a user's membership type in Netwrix + Directory Manager, including how to assign temporary membership with automatic + removal after a specified period. +keywords: + - membership + - temporary membership + - group membership + - Active Directory + - Netwrix Directory Manager + - membership lifecycle + - Addition Pending + - Removal Pending + - Temporary Removed +products: + - directory-manager +sidebar_label: How to Change a User's Membership Type +tags: [] +title: How to Change a User's Membership Type +knowledge_article_id: kA0Qk0000002MNpKAM +--- + +# How to Change a User's Membership Type + +## Overview + +This article explains how to change a user's membership type in Netwrix Directory Manager, including how to assign temporary membership with automatic removal after a specified period. + +Netwrix Directory Manager allows you to add users to Active Directory groups as temporary members and specify start and end dates for their membership. The Membership Life Cycle job runs in the background to add or remove temporary group members on the specified dates. This enables scenarios such as granting external users access for a limited time without affecting permanent group members. + +## Membership Types + +| Membership Type | Description | +| --- | --- | +| Perpetual | The object is a permanent member of the group. | +| Temporary Member | The object is a member of the group for the period specified in the **Beginning** and **Ending** fields. At the end of the period, the object is removed from group membership. | +| Addition Pending | The object will become a temporary member of the group for a future period. Use the **Beginning** and **Ending** fields to set the period. Before the beginning date, the membership type is displayed as "Addition Pending." On the beginning date, the membership type changes to "Temporary Member." 
**Example:** If you add Smith as a temporary member to Group A for May 20–30, Smith appears as "Addition Pending" until May 20. On May 20, Smith becomes a "Temporary Member." After May 30, Smith is removed from the group. | +| Removal Pending | The object will be temporarily removed from group membership for a future period. Use the **Beginning** and **Ending** fields to set the period. Before the beginning date, the membership type is "Removal Pending." On the beginning date, the membership type changes to "Temporary Removed." **Example:** If you remove Smith from Group A for May 20–30, Smith appears as "Removal Pending" until May 20. On May 20, Smith's membership type changes to "Temporary Removed." After May 30, Smith is added back as a permanent member. | +| Temporary Removed | The object is temporarily removed from group membership for the specified period. At the end of the period, the object is added back as a permanent member. | + +## Instructions + +1. In the Directory Manager Portal, search for the group whose member's membership type you want to change. +2. Select the group on the **Search Results** page and click **Properties** on the toolbar. The **Members** tab in group properties lists the group members. +3. To change a member's membership type, click anywhere in the respective row to make it editable. Select **Temporary Member** from the **Membership** column then specify the membership period using the **Beginning** and **Ending** fields. Other membership options are described in the table above. + +![Editing membership type and period for a group member in Directory Manager](images/ka0Qk000000FGZ7_0EMQk00000C65MH.png) + +4. Save the changes. diff --git a/docs/kb/directorymanager/how-to-change-the-user-session-timeout-for-portals.md b/docs/kb/directorymanager/how-to-change-the-user-session-timeout-for-portals.md new file mode 100644 index 0000000000..535b0f31c3 --- /dev/null 
+++ b/docs/kb/directorymanager/how-to-change-the-user-session-timeout-for-portals.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Instructions to change the session timeout for Self-Service and Password + Center portals by editing the web.config file. Includes file locations and the + exact appSettings key to modify. +keywords: + - session timeout + - web.config + - sessiontimeout + - Netwrix Directory Manager + - Self-Service portal + - Password Center + - portal settings +products: + - directory-manager +sidebar_label: How to Change the User Session Timeout for Portals +tags: [] +title: "How to Change the User Session Timeout for Portals" +knowledge_article_id: kA0Qk0000002Bk9KAE +--- + +# How to Change the User Session Timeout for Portals + +## Applies To +- Netwrix Directory Manager 10 – Self-Service and Password Center portals + +## Overview +By default, a session in the Self-Service or Password Center portal ends after 20 minutes of inactivity. When this occurs, users are redirected to the **Login** page and must re-enter their credentials to continue. You can adjust the session timeout value to balance convenience and security. Increasing the timeout makes it easier for users to stay logged in, but may reduce security. Decreasing the timeout enhances security, but may require users to log in more frequently. + +## Instructions +You can change the `sessiontimeout` value key in the `web.config` file of a portal. If you have multiple portals, remember to change the value in each portal's respective `web.config` file. + +The file is available at the following locations for the respective portals: + +### Self-Service Portal +- `C:\Program Files\Imanami\\SelfService\Inetpub\\Web` + +### Password Center User Portal +- `C:\Program Files\Imanami\\PasswordCenter\Inetpub\\Web` + +### Password Center HelpDesk Portal +- `C:\Program Files\Imanami\\PasswordCenter\HelpDesk\Inetpub\\Web` + +1. Open the `web.config` file with a text editor. +2. Search for `` and look for the following line: + ```xml + + ``` +3. Set the value in minutes as needed. 
If the key does not exist, add the line and save the changes. + +![web.config file showing sessiontimeout key under appSettings section](images/ka0Qk000000CsUT_0EMQk00000BP4Jp.png) diff --git a/docs/kb/directorymanager/how-to-copy-the-design-of-portal-via-sql-query.md b/docs/kb/directorymanager/how-to-copy-the-design-of-portal-via-sql-query.md new file mode 100644 index 0000000000..68445a3319 --- /dev/null +++ b/docs/kb/directorymanager/how-to-copy-the-design-of-portal-via-sql-query.md 
@@ -0,0 +1,128 @@ +--- +description: >- + Shows how to copy a portal design between environments using SQL queries. + Covers copying within the same server and database, between different + databases on the same server, and between different SQL servers using linked + servers. +keywords: + - portal design + - SQL + - PortalDesigns + - linked server + - Netwrix Directory Manager + - SSPR + - SQL Server Management Studio + - copy design +products: + - directory-manager +sidebar_label: How to Copy the Design of Portal via SQL Query +tags: [] +title: "How to Copy the Design of Portal via SQL Query" +knowledge_article_id: kA0Qk000000161lKAA +--- + +# How to Copy the Design of Portal via SQL Query + +## Overview + +This article provides step-by-step instructions for copying a portal design between environments using SQL queries. The process covers scenarios for the same SQL server and database, different databases on the same server, and different SQL servers. + +## Instructions + +### Copy the Design Within the Same SQL Server and Database + +1. Go to the database used with the test server. +2. Select the database and create a new query. + ![SQL Server Management Studio new query window with database selected](images/ka0Qk000000DSzN_0EMQk000004n9O2.png) +3. Enter the following query: + +```sql +DECLARE @fromClient AS int = n +DECLARE @fromStore AS int = n +DECLARE @toClient AS int = n +DECLARE @tostore AS int = n + +UPDATE [SSPR].[PortalDesigns] +SET Design = (SELECT Design FROM [SSPR].[PortalDesigns] WHERE ClientId = @fromClient AND IdentityStoreId = @fromStore) +WHERE ClientId = @toClient AND IdentityStoreId = @tostore +``` + +4. In `@fromClient`, enter the Client ID of the portal you want to copy. For example, to copy the design of Portal 1, use Client ID 11. + ![PortalDesigns table showing Client ID and Identity Store ID values](images/ka0Qk000000DSzN_0EMQk000004nLdh.png) +5. In `@fromStore`, enter the Identity Store ID. For example, use 2. 
+ ![Identity Store ID value in PortalDesigns table](images/ka0Qk000000DSzN_0EMQk000004nH3t.png) +6. In `@toClient` and `@toStore`, enter the Client ID and Identity Store ID for the target portal. For example, Client ID 13 and Store ID 2. +7. Run the query. +8. The following screenshot shows the executed query: + ![Screenshot of executed SQL query](images/ka0Qk000000DSzN_0EMQk000004nLfJ.png) + +### Copy the Design with the Same SQL Server and Different Databases + +Environment: Test instance configured with **SQLTestServer-DB1**, production instance configured with **SQLTestServer-DB2**. + +1. Go to SQL Server and create a new query. +2. Enter the following query: + +```sql +DECLARE @fromClient AS int = n +DECLARE @fromStore AS int = n +DECLARE @toClient AS int = n +DECLARE @tostore AS int = n + +UPDATE [toDB].[SSPR].[PortalDesigns] +SET Design = (SELECT Design FROM [fromDB].[SSPR].[PortalDesigns] WHERE ClientId = @fromClient AND IdentityStoreId = @fromStore) +WHERE ClientId = @toClient AND IdentityStoreId = @tostore +``` + +3. In `@fromClient`, `@fromStore`, `@toClient`, and `@toStore`, enter the appropriate Client ID and Store ID values as described above. +4. In `[toDB]`, enter the database name of the production portal. + ![Screenshot of SQL query for copying design between databases](images/ka0Qk000000DSzN_0EMQk000004nLgv.png) +5. In `[fromDB]`, enter the database name of the test portal. +6. Run the query. +7. The following screenshot shows the executed query: + ![Screenshot of executed SQL query for different databases](images/ka0Qk000000DSzN_0EMQk000004nLiX.png) + +### Copy the Design with Different SQL Servers and Databases + +Environment: Test server configured with **DB1**, production server configured with **DB2**. + +1. On the test server, connect to the SQL Server instance where you want to create the linked server. +2. In Object Explorer, go to **Server Objects** and click **Linked Servers**. +3. Create a new linked server. +4. 
In the **New Linked Server** window, enter the name of the server you want to link. +5. Select **Server type** as **SQL Server**. + ![Linked server properties window](images/ka0Qk000000DSzN_0EMQk000004nIXn.png) +6. Select **Security** from the left pane, choose the appropriate login option, and enter the server credentials. +7. Click **OK**. The linked server will appear in the list. + ![Linked server security settings](images/ka0Qk000000DSzN_0EMQk000004nIXo.png) + +![Linked server shown in SQL Server Management Studio](images/ka0Qk000000DSzN_0EMQk000004nIXp.png) + +8. Go to the Netwrix Directory Manager portal of the test server and make the required changes to the portal design. +9. Return to SQL Server. +10. Right-click the server and select **New Query**. + ![SQL Server Management Studio new query window for linked server](images/ka0Qk000000DSzN_0EMQk000004nIXq.png) +11. Enter the following query: + +```sql +DECLARE @fromClient AS int = n +DECLARE @fromStore AS int = n +DECLARE @toClient AS int = n +DECLARE @tostore AS int = n + +UPDATE [toSourceServer].[toDB].[SSPR].[PortalDesigns] +SET Design = ( + SELECT Design FROM [fromSourceServer].[fromDB].[SSPR].[PortalDesigns] + WHERE ClientId = @fromClient AND IdentityStoreId = @fromStore +) +WHERE ClientId = @toClient AND IdentityStoreId = @tostore +``` + +12. In `@fromClient`, `@fromStore`, `@toClient`, and `@toStore`, enter the appropriate Client ID and Store ID values as described above. +13. In `[toSourceServer]`, enter the server name of the production server. + ![Linked server name entry in SQL query](images/ka0Qk000000DSzN_0EMQk000004nIXr.png) +14. In `[fromSourceServer]`, enter the server name of the test server. +15. In `[fromDB]` and `[toDB]`, enter the database names as described above. +16. Execute the query. + +![Screenshot of executed SQL query for linked server](images/ka0Qk000000DSzN_0EMQk000004nIXs.png) 
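Review bot: all three UPDATE statements in how-to-copy-the-design-of-portal-via-sql-query overwrite the target `Design` with whatever the scalar subquery returns, and none of the three procedures includes a backup or a check first. If the `@fromClient` and `@fromStore` pair matches no row, the subquery yields NULL and the production design is replaced with NULL. Suggest a preceding step that runs the SELECT on its own to confirm exactly one source row, a step that saves the current target `Design` value, and wrapping the UPDATE in a transaction so the affected row count can be checked before commit. The `= n` placeholders are not valid T-SQL as written, so the text should say to replace them before running. The variable is declared as `@tostore` while the steps call it `@toStore`. In the linked-server section, step 6 ("choose the appropriate login option, and enter the server credentials") should name the minimum rights the login needs on `[SSPR].[PortalDesigns]`, and the procedure should end with a step to remove the linked server once the copy is done.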
diff --git a/docs/kb/directorymanager/how-to-delegate-password-reset-privileges-in-self-service-portal.md b/docs/kb/directorymanager/how-to-delegate-password-reset-privileges-in-self-service-portal.md new file mode 100644 index 0000000000..28b84f8011 --- /dev/null +++ b/docs/kb/directorymanager/how-to-delegate-password-reset-privileges-in-self-service-portal.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Shows how to delegate the password reset privilege to non-administrators in + the Netwrix Directory Manager Self-Service portal by assigning an access level + to a security role. +keywords: + - Netwrix Directory Manager + - password reset + - self-service portal + - delegate + - security role + - access level + - admin center + - Reset Password +products: + - directory-manager +sidebar_label: How to Delegate Password Reset Privileges in Self- +tags: [] +title: "How to Delegate Password Reset Privileges in Self-Service Portal" +knowledge_article_id: kA0Qk0000002AhdKAE +--- + +# How to Delegate Password Reset Privileges in Self-Service Portal + +## Applies To +Netwrix Directory Manager 11 + +## Overview +This article explains how to delegate the password reset function to users in the Netwrix Directory Manager Self-Service portal. By default, only administrators have this privilege, but you can assign it to any security role as needed. + +## Instructions +1. Access the **Netwrix Directory Manager Admin Center** at `https://servername/AdminCenter/dashboard`. +2. Select **Applications > Portal Name > Settings**. +3. Select **Design Settings** and then select **Identity Store**. +4. Click the **Navigation bar** tab. +5. In the **Tab** list, select *Users* and click **Edit**. +6. On the **Edit Tab** dialog box, select **Reset Password** in the **Links** section and click **Edit**. + ![Edit Tab dialog with Reset Password link highlighted](images/ka0Qk000000DtrV_0EMQk00000BSBJx.png) +7. From the **Access Level** list on the **Edit Link** dialog box, select a security role. This role and any roles with a higher priority value can reset the passwords of other users through the Self-Service portal. +8. Click **OK** to close the dialog boxes and then save the changes. 
+ +## Impact on the Self-Service Portal +In the Self-Service portal, the **Reset Password** node will be visible to the selected role and to roles with a higher priority value. diff --git a/docs/kb/directorymanager/how-to-display-nested-group-ownership-in-the-my-groups-page.md b/docs/kb/directorymanager/how-to-display-nested-group-ownership-in-the-my-groups-page.md new file mode 100644 index 0000000000..6158fa1575 --- /dev/null +++ b/docs/kb/directorymanager/how-to-display-nested-group-ownership-in-the-my-groups-page.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Show how to enable nested (transitive) group ownership on the My Groups page + in Netwrix Directory Manager 11 so members of owner groups see owned groups + via nested membership. +keywords: + - nested group ownership + - My Groups + - Self-Service Portal + - transitive ownership + - Netwrix Directory Manager + - Active Directory + - Admin Center + - Advanced Settings + - Display Nested Ownership +products: + - directory-manager +sidebar_label: How to Display Nested Group Ownership in the My Gr +tags: [] +title: "How to Display Nested Group Ownership in the My Groups Page" +knowledge_article_id: kA0Qk0000002EN3KAM +--- + +# How to Display Nested Group Ownership in the My Groups Page + +## Applies To +Netwrix Directory Manager 11 + +## Overview +This article explains how to display nested (transitive) group ownership on the **My Groups** page in Netwrix Directory Manager 11. By default, nested ownership is not shown in the Self-Service Portal, but you can enable this feature using an advanced setting. + +Some groups in Active Directory are owned by a security group. You may want members of the owner group to see their owned groups on the **My Groups** page. For example, if User A is a member of Group A, and Group A is the owner of Group B, then User A is considered the owner of Group B through nested (transitive) ownership. + +## Instructions +1. In the Directory Manager Admin Center, select **Applications**. Under **Directory Manager Portal**, select the **three dots** button for your portal, then click **Settings**. + + ![Directory Manager Admin Center with Settings option highlighted under Directory Manager Portal](images/ka0Qk000000Dxjp_0EMQk00000BYF1V.png) + +2. On the **Server Settings** tab, click **Advanced Settings**. Select **Listings Display**, then enable the **Display Nested Ownership** option. 
+ + ![Advanced Settings in Server Settings tab with Display Nested Ownership option enabled](images/ka0Qk000000Dxjp_0EMQk00000BYEzt.png) + +3. Scroll to the bottom of the page and click **Save** to apply your changes. + + ![Save button at the bottom of the settings page in Directory Manager Admin Center](images/ka0Qk000000Dxjp_0EMQk00000BYEyH.png) diff --git a/docs/kb/directorymanager/how-to-enforce-group-type-as-distribution-or-security-v10.md b/docs/kb/directorymanager/how-to-enforce-group-type-as-distribution-or-security-v10.md new file mode 100644 index 0000000000..e2e6936687 --- /dev/null +++ b/docs/kb/directorymanager/how-to-enforce-group-type-as-distribution-or-security-v10.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Shows how you can enforce the Group Type as `Distribution` in the Self-Service + portal of Netwrix Directory Manager by customizing the Create Group wizard and + field visibility settings. +keywords: + - directory-manager + - group type + - distribution group + - self-service portal + - create wizard + - visibility role + - Admin Center + - portal settings +products: + - directory-manager +sidebar_label: How to Enforce Group Type as Distribution or Secur +tags: [] +title: "How to Enforce Group Type as Distribution or Security v10" +knowledge_article_id: kA0Qk00000015vJKAQ +--- + +# How to Enforce Group Type as Distribution or Security v10 + +## Applies To +- Netwrix Directory Manager 10 + +## Overview +This article explains how you can enforce the Group Type as `Distribution` in the Self-Service portal of Netwrix Directory Manager. Netwrix Directory Manager allows you to configure object creation settings, including customizing the Create wizard, defining default values, and setting visibility rules based on user roles. By customizing the Create Group wizard, you can restrict users to creating only distribution groups, ensuring consistent group types across the directory. + +## Instructions +1. In the Directory Manager Admin Center, go to **Applications** > **Directory Manager Portals** and locate the required portal. +2. Once you have chosen the required portal, click the three-dot icon on the portal then click **Settings**. + ![Steps 1-2](images/ka0Qk000000DusP_0EMQk00000C19C1.png) +3. Under **Application Settings**, select an identity store from the **Design Settings** section. + ![Step 3](images/ka0Qk000000DusP_0EMQk00000C13Mk.png) +4. Click the **Create Object** tab. +5. In the **Select Directory Object** list, choose **Group**. +6. In the **Name** list, select **General** and click **Edit**. +7. In the **Edit Category** dialog box, select **Group Type** from the Fields list and click **Edit**. +8. 
In the **Edit Field** dialog box, click **Advanced Options**. +9. From the **Default Value** dropdown, select `Distribution`. +10. To restrict changes to this setting, do one of the following: + - Select the **Is Read Only** checkbox. + - Or set the **Visibility Role** to `Never`. +11. To enforce the setting for a specific role (for example, `Role C`), set the visibility level to a role with a higher priority than `Role C`. Roles with equal or lower priority will not be able to change the group type. +12. Click **OK** to close the dialog boxes and save your changes. + +After saving your changes, the Group Type field will default to `Distribution` in the Self-Service portal, and users will not be able to change it. This ensures that all newly created groups are distribution lists only. diff --git a/docs/kb/directorymanager/how-to-enforce-group-type-as-distribution-or-security-v11.md b/docs/kb/directorymanager/how-to-enforce-group-type-as-distribution-or-security-v11.md new file mode 100644 index 0000000000..1d23d09fa7 --- /dev/null +++ b/docs/kb/directorymanager/how-to-enforce-group-type-as-distribution-or-security-v11.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Use Netwrix Directory Manager to force the Create Group wizard to set the + Group Type to `Distribution`, ensuring users can create distribution lists + only. This article shows how to customize the Create Object form, set a + default value, and restrict editing by role. +keywords: + - directory manager + - group type + - distribution + - create group + - self-service portal + - design settings + - role visibility + - read only +products: + - directory-manager +sidebar_label: How to Enforce Group Type as Distribution or Secur +tags: [] +title: "How to Enforce Group Type as Distribution or Security v11" +knowledge_article_id: kA0Qk0000002CQ5KAM +--- + +# How to Enforce Group Type as Distribution or Security v11 + +## Applies To +Netwrix Directory Manager 11 + +## Overview +This article explains how to restrict users to creating distribution groups only in the Self-Service portal of Netwrix Directory Manager. By customizing the Create Group wizard, you can enforce the group type as **Group Type** = `Distribution`, ensuring that all new groups are created as distribution lists. + +Netwrix Directory Manager allows you to customize the Create wizard for directory objects, including which fields are displayed, which are required, and which are editable. You can also set default values and control field visibility based on user roles. + +## Instructions +1. Access the **Directory Manager Admin Center** at https://Servername/AdminCenter/dashboard. +2. Go to **Applications**, select your **Portal Name**, then click **Settings > Design Settings**. +3. Select the identity store you want to customize. +4. Click the **Create Object** tab. +5. In the **Select Directory Object** list, select *Group*. +6. In the **Name** list, select *General* and click **Edit**. +7. In the **Edit Category** dialog box, select **Group Type** in the **Fields** area and click **Edit**. +8. In the **Edit Field** dialog box, click **Advanced Options**. +9. 
In the **Default Value** list, select `Distribution` to set it as the default group type. +10. To prevent users from changing the default selection, do one of the following: + - Select the **Is Read Only** checkbox. + - Or set the **Visibility Role** to `Never`. + + ![Set Group Type as Distribution and restrict editing](images/ka0Qk000000Duu1_0EMQk00000BS90Q.png) + +11. To enforce the `Distribution` group type for a specific role (for example, Role C), set the visibility level to a role with a higher priority than Role C. Only users with the selected role or higher can modify the group type. Users with Role C or lower will not be able to change the default selection. +12. Click **OK** to close the dialog boxes and save your changes. + +## Expected Results +In the Create Group wizard in the Directory Manager portal, the **Group Type** field will be set to `Distribution` by default. Users will not be able to change the group type, so all new groups will be created as distribution lists only. + +![Create Group wizard with Group Type set to Distribution](images/ka0Qk000000Duu1_0EMQk00000BS31S.png) diff --git a/docs/kb/directorymanager/how-to-enforce-users-to-create-groups-in-a-specific-ou.md b/docs/kb/directorymanager/how-to-enforce-users-to-create-groups-in-a-specific-ou.md new file mode 100644 index 0000000000..fcf084949e --- /dev/null +++ b/docs/kb/directorymanager/how-to-enforce-users-to-create-groups-in-a-specific-ou.md 
@@ -0,0 +1,70 @@ +--- +description: >- + Shows how to restrict role members so they can create groups only within a + specified OU by using Netwrix Directory Manager’s New Object policy in the + Admin Center. +keywords: + - Netwrix Directory Manager + - New Object policy + - OU + - groups + - security role + - Identity Stores + - Admin Center + - group creation +products: + - directory-manager +sidebar_label: How To Enforce Users to Create Groups in a Specifi +tags: [] +title: "How To Enforce Users to Create Groups in a Specific OU" +knowledge_article_id: kA0Qk0000000HiPKAU +--- + +# How To Enforce Users to Create Groups in a Specific OU + +## Applies To: +Netwrix Directory Manager 11 + +## Business Requirement: +Using the Netwrix Directory Manager portal, users can create groups in any OU in the directory. Is there a way to limit users to create groups in a specific OU? + +## Solution: +In Netwrix Directory Manager, you can apply policies to security roles, so that role members can use Netwrix Directory Manager in keeping with the policy restrictions. + +Netwrix Directory Manager’s **New Object** policy enables you to restrict role members to create new groups in a specific OU only. + +## Steps: +1. In the Netwrix Directory Manager Admin Center portal, click the **Identity Stores** tab. +2. On the **Identity Stores** tab, click on the **Triple Dot** button and then click **Edit** to open its properties. +3. On the **Security Roles** tab, select the security role you would like to apply the **New Object** policy to (for example, **User**). +4. On the **Policies** tab, click **New Object** in the left pane. +5. Select **Groups** and click **Add**. +6. On the **Select Container** dialog box, select the container in which role members can create groups (this will be the default OU when creating groups). + + The selected OU appears below the **Groups** option. 
+ + ![User-added image](images/ka0Qk000000Dg4f_0EMQk000001f3Kk.png) + + ![User-added image](images/ka0Qk000000Dg4f_0EMQk000001f68v.png) +7. Click **OK**. +8. Click **Update Security Role** and then **Save**. + +Now when members of the security role try to create groups, they will be created in the default OU that you specified in the **New Object** policy. + +## Reference: +- Admin Center — Security Roles — New Object Policy for Security Roles — v11.0 + /docs/directory-manager/11.0/groupid/admin-guidecenter/securityrole/policy + +## Related Articles: +- Walkthrough Search Policy - Define Scope and Filter Results + /docs/kb/directory-manager/walkthrough_search_policy_-_define_scope_and_filter_results +- How To Import Members to a Group Using Self-Service Import Wizard + /docs/kb/directory-manager/how_to_import_members_to_a_group_using_self-service_import_wizard +- How to Trigger a workflow When a User Сreates a Group + /docs/kb/directory-manager/how_to_trigger_a_workflow_when_a_user_сreates_a_group +- How To Add Message Approvers in Group Properties in Self-Service + /docs/kb/directory-manager/how_to_add_message_approvers_in_group_properties_in_groupid_portal +- Best Practices for Controlling Changes to Group Membership + /docs/kb/directory-manager/how_to_enforce_users_to_create_groups_in_a_specific_ou +- Best Practices for Preventing Accidental Data Leakage + /docs/kb/directory-manager/best_practices_for_preventing_accidental_data_leakage diff --git a/docs/kb/directorymanager/how-to-generate-a-report-on-all-groups-with-report-to-originator-set-to-false-or-true.md b/docs/kb/directorymanager/how-to-generate-a-report-on-all-groups-with-report-to-originator-set-to-false-or-true.md new file mode 100644 index 0000000000..8cb8fc9ecd --- /dev/null +++ b/docs/kb/directorymanager/how-to-generate-a-report-on-all-groups-with-report-to-originator-set-to-false-or-true.md 
@@ -0,0 +1,91 @@ +--- +description: >- + Shows how to generate reports that list all distribution groups with the + Report To Originator attribute set to false or true using the Reports module + in Netwrix Directory Manager. +keywords: + - directory manager + - group reports + - reportToOriginator + - delivery report + - Active Directory + - LDAP + - Netwrix Directory Manager + - Reports +products: + - directory-manager +sidebar_label: 'How to Generate a Report on All Groups with Report to Originator Set to False or True' +tags: [] +title: >- + How to Generate a Report on All Groups with Report to Originator Set to False + or True +knowledge_article_id: kA0Qk0000002KdlKAE +--- + +# How to Generate a Report on All Groups with Report to Originator Set to False or True + +## Applies To +Netwrix Directory Manager – [Reports ⸱ Imanami 🖽](https://www.imanami.com/reports/) + +## Overview +Netwrix Directory Manager (formerly GroupID) allows you to generate reports on all groups with the **Report To Originator** attribute set to either **false** or **true**. The `reportToOriginator` parameter determines whether a delivery report is sent to the user (originator) who sends an email to a distribution group. This article explains how to generate these reports using the **Reports** module. The **Reports** module is a free tool for running reports on Active Directory and Microsoft Exchange/Office 365. + +> **NOTE:** The values of `reportToManager` and `reportToOriginator` cannot both be set to `$true` at the same time. If one is set to `$true`, the other must be set to `$false`; otherwise, all delivery status messages will be suppressed. + +## Instructions + +### Generate a Report for All Groups with Report to Originator Set to False +1. Open the Netwrix Directory Manager Portal and go to the **Reports** options. +2. Select **Group Reports** > **All groups with report to originator set to False**. 
+ ![Group Reports section in Directory Manager Reports module](images/ka0Qk000000FXID_0EMQk00000BxOMY.png) +3. Click **Create Report** to launch the **Create Report** wizard. +4. On the first page, specify a custom title for your report in the **Report Name** box if desired. The default title is **All Groups with Report to Originator Set to False**. + ![Create Report wizard in Directory Manager](images/ka0Qk000000FXID_0EMQk00000BxQsz.png) +5. Click **Browse** to open the **Select Container** dialog box and select the required source container. The default selection is the **Global Catalog**. +6. Select the **Include sub containers** check box to include sub-containers for the selected container. +7. In the **Filter Criteria** section, modify the default LDAP filter as required. To add additional filters, click **Add More Filters**. +8. Click **Next**. +9. In the **Fields** section, add or remove fields as needed and adjust their order. + ![Fields section in Create Report wizard](images/ka0Qk000000FXID_0EMQk00000BxIu1.png) +10. From the **Sort By** drop-down list, select the field by which to sort the report results. +11. From the **Schedule** drop-down list, select a schedule for the report if desired. The report will run automatically at the specified time. +12. Click **Finish**. +13. The report is generated and displayed. The report includes: + - Connected identity store name + - Selected container + - Number of records fetched + - Date the report was created + - Filter applied + - List of report results + ![Sample report output in Directory Manager](images/ka0Qk000000FXID_0EMQk00000BxR5t.png) +14. The report is listed in the template's page. You can create multiple reports from the same template. +15. To download the report, click **Download** and select the format (PDF, Excel, or HTML). +16. You can also pin the report to the Dashboard by clicking **Pin Report**. + +### Generate a Report for All Groups with Report to Originator Set to True +1. 
Open the Netwrix Directory Manager Portal and go to the **Reports** options. +2. Select **Group Reports** > **All groups with report to originator set to True**. + ![Group Reports section for report to originator set to True](images/ka0Qk000000FXID_0EMQk00000BxHL4.png) +3. Click **Create Report** to launch the **Create Report** wizard. +4. On the first page, specify a custom title for your report in the **Report Name** box if desired. The default title is **All Groups with Report to Originator Set to True**. + ![Create Report wizard for report to originator set to True](images/ka0Qk000000FXID_0EMQk00000BxMhJ.png) +5. Click **Browse** to open the **Select Container** dialog box and select the required source container. The default selection is the **Global Catalog**. +6. Select the **Include sub containers** check box to include sub-containers for the selected container. +7. In the **Filter Criteria** section, modify the default LDAP filter as required. To add additional filters, click **Add More Filters**. +8. Click **Next**. +9. In the **Fields** section, add or remove fields as needed and adjust their order. + ![Fields section in Create Report wizard for report to originator set to True](images/ka0Qk000000FXID_0EMQk00000BxMpN.png) +10. From the **Sort By** drop-down list, select the field by which to sort the report results. +11. From the **Schedule** drop-down list, select a schedule for the report if desired. The report will run automatically at the specified time. +12. Click **Finish**. +13. The report is generated and displayed. The report includes: + - Connected identity store name + - Selected container + - Number of records fetched + - Date the report was created + - Filter applied + - List of report results + ![Sample report output for report to originator set to True](images/ka0Qk000000FXID_0EMQk00000BxMuD.png) +14. The report is listed in the template's page. You can create multiple reports from the same template. +15. 
To download the report, click **Download** and select the format (PDF, Excel, or HTML). +16. You can also pin the report to the Dashboard by clicking **Pin Report**. diff --git a/docs/kb/directorymanager/how-to-identify-groups-without-owners.md b/docs/kb/directorymanager/how-to-identify-groups-without-owners.md new file mode 100644 index 0000000000..7c7cdda613 --- /dev/null +++ b/docs/kb/directorymanager/how-to-identify-groups-without-owners.md 
@@ -0,0 +1,51 @@ +--- +description: >- + This article shows how to use the Reports module in Netwrix Directory Manager + 11 to identify groups that lack a primary owner, additional owners, or any + owners. +keywords: + - Netwrix Directory Manager + - groups + - owners + - reports + - LDAP + - Group Reports + - Groups with no owner + - Groups without additional owners +products: + - directory-manager +sidebar_label: How to Identify Groups Without Owners +tags: [] +title: "How to Identify Groups Without Owners" +knowledge_article_id: kA0Qk0000002CjRKAU +--- + +# How to Identify Groups Without Owners + +## Overview + +This article shows how to use the Reports module in Netwrix Directory Manager 11 to identify groups that lack a primary owner, additional owners, or any owners. + +## Instructions + +1. In the Directory Manager application portal, click the **Reports** tab on the left side of the dashboard page. + + ![Directory Manager application portal with Reports tab highlighted on the dashboard](images/ka0Qk000000Dxof_0EMQk00000BSZAz.png) + +2. When the Reports module opens, click the **Group Reports** tab on the left side of the page. + + ![Group Reports tab selected in the Reports module](images/ka0Qk000000Dxof_0EMQk00000BSZ69.png) + +3. To find groups without a primary owner, run the report titled **Groups with no owner**. + + ![Groups with no owner report selected in Group Reports](images/ka0Qk000000Dxof_0EMQk00000BSZ9N.png) + +4. To find groups without additional owners, run the report titled **Groups without additional owners**. + + ![Groups without additional owners report selected in Group Reports](images/ka0Qk000000Dxof_0EMQk00000BSZ7l.png) + +5. To find groups without both primary and additional owners, run either of the above reports. In the **Report Generation** wizard, replace the LDAP query with your custom query as needed. + + ![Report Generation wizard with LDAP query field](images/ka0Qk000000Dxof_0EMQk00000BSXh5.png) + +6. Complete the wizard. 
The generated report will show groups that do not have a primary owner or additional owners. diff --git a/docs/kb/directorymanager/how-to-import-members-to-a-group-using-self-service-import-wizard.md b/docs/kb/directorymanager/how-to-import-members-to-a-group-using-self-service-import-wizard.md new file mode 100644 index 0000000000..c340e0c5b7 --- /dev/null +++ b/docs/kb/directorymanager/how-to-import-members-to-a-group-using-self-service-import-wizard.md 
@@ -0,0 +1,99 @@ +--- +description: >- + Shows how to import members to a group from an external data source using the + Netwrix Directory Manager self-service Import Group Membership wizard. +keywords: + - import members + - group membership + - CSV import + - Active Directory + - Import Wizard + - Netwrix Directory Manager + - self-service + - data source + - membership lifecycle +products: + - directory-manager +sidebar_label: How To Import Members to a Group Using Self-Servic +tags: [] +title: "How To Import Members to a Group Using Self-Service Import Wizard" +knowledge_article_id: kA0Qk0000000HthKAE +--- + +# How To Import Members to a Group Using Self-Service Import Wizard + +## Applies To: +Netwrix Directory Manager 11 + +## Business Scenario: +You want to import members to a group from an external data source using the Netwrix Directory Manager portal. + +## More Information: +To import the membership for a group from an external data source, such as a CSV, TXT, XLSX, XLS, or XML file, Netwrix Directory Manager offers the Import Group Membership wizard. The members you are looking to import must exist in Active Directory and can be resolved using a unique identifier. This is different from a database group where the connection to the external data source is persistent. A use case for a database group is when you have sensitive information in your database that you do not want to bring into your Active Directory, but you still want to build a criterion based on the information. + +## Steps: +You must specify an external data source; the Import Group Membership wizard gets the list of members from it and imports them from the Active Directory into the group. For example, you have a list of Employee-IDs in a text file, and you want to add all Active Directory users with matched IDs to the membership of the group. + +The process to import members is discussed in these steps: + +1. 
Launch the Netwrix Directory Manager portal and search for the Group you would like to import members into. +2. Navigate to the **Members** tab and click on the **Import** button to launch the Import Wizard. + + ![User-added image](images/ka0Qk000000Dfzp_0EMQk000001fbhN.png) + +3. On the **Membership Lifecycle** page, specify whether the imported members will remain in the group permanently or temporarily. Provide the following information and click **Next**. + + Select the Import member perpetually option to import the membership for the group permanently. + + OR + + Select the Import Members temporarily option to import the membership for the group temporarily. In case of temporary membership, select the membership duration from the Duration list: + + - **7 Days**: to import the membership for 7 days starting today. + - **30 Days** to import the membership for 30 days starting today. + - **90 Days** to import the membership for 90 days starting today. + - **Custom** to import the membership for the period indicated in the From and To boxes. + + Members are added to the group on the date in the From box. + + ![User-added image](images/ka0Qk000000Dfzp_0EMQk000001fbkb.png) + +4. On the **Data Source** page, select and configure the data source that contains the objects to import to the group. You can choose between a **Local File** such as TXT, CSV, XLS, XLSX, and XML or an **External Data Source** such as SQL DB, ODBC, SCIM providers, etc. + + ![User-added image](images/ka0Qk000000Dfzp_0EMQk000001fYTO.png) + + - For an **External Data Source**, provide LDAP Criteria and an External Source in the Query Designer. + + ![User-added image](images/ka0Qk000000Dfzp_0EMQk000001fbpR.png) + + Click on the **Query Designer** button and provide the Data Source from where you would like to import the Membership. + + ![User-added image](images/ka0Qk000000Dfzp_0EMQk000001fc5Z.png) + + - For the **Local File**, simply upload the relevant file. 
+ + ![User-added image](images/ka0Qk000000Dfzp_0EMQk000001fc8n.png) + +5. Click **Next**. + ![User-added image](images/ka0Qk000000Dfzp_0EMQk000001fcDd.png) + +6. On the **Import Options** step, select the search option and map the data source fields to the corresponding Active Directory fields. The wizard matches the values of the mapped fields to determine the objects to import. + +7. On the **Map Field** step, provide the following: + + - From the **Source** field list, select the name of the field in the external data source to map to its equivalent Active Directory field. + - From the **Destination** field list, select the name of the Active Directory field to map to the selected source field. The wizard imports memberships where values for both fields match. + +8. Click **Next** to preview the objects returned for adding as group members. + + ![User-added image](images/ka0Qk000000Dfzp_0EMQk000001fVfD.png) + +9. Click **Finish**. + +### Related Articles: +- [Walkthrough Search Policy - Define Scope and Filter Results](/docs/kb/directorymanager/walkthrough-search-policy-define-scope-and-filter-results) +- [How To Enforce Users to Create Groups in a Specific OU](/docs/kb/directorymanager/how-to-enforce-users-to-create-groups-in-a-specific-ou.md) +- How to Trigger a workflow When a User Сreates a Group +- [How To Add Message Approvers in Group Properties in Self-Service](/docs/kb/directorymanager/how-to-add-message-approvers-in-group-properties-in-groupid-portal.md) +- [Best Practices for Controlling Changes to Group Membership](/docs/kb/directorymanager/how-to-enforce-users-to-create-groups-in-a-specific-ou.md) +- [Best Practices for Preventing Accidental Data Leakage](/docs/kb/directorymanager/best-practices-for-preventing-accidental-data-leakage.md) 
diff --git a/docs/kb/directorymanager/how-to-limit-searchable-object-types-in-user-portals.md b/docs/kb/directorymanager/how-to-limit-searchable-object-types-in-user-portals.md new file mode 100644 index 0000000000..4191e1e0c8 --- /dev/null +++ b/docs/kb/directorymanager/how-to-limit-searchable-object-types-in-user-portals.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Learn how to configure the Netwrix Directory Manager portal so the Find dialog + searches only user objects. This article shows where to change the Portal & + Search setting to disable Contacts and Groups. +keywords: + - directory manager + - user portal + - find dialog + - search + - object types + - users + - contacts + - groups + - portal settings +products: + - directory-manager +sidebar_label: How to Limit Searchable Object Types in User Porta +tags: [] +title: "How to Limit Searchable Object Types in User Portals" +knowledge_article_id: kA0Qk0000002EQHKA2 +--- + +# How to Limit Searchable Object Types in User Portals + +## Applies To: +Netwrix Directory Manager 11 + +## Overview +By default, the **Find** dialog box in Netwrix Directory Manager 11 portals allows users to search for all object types, including users, contacts, and groups. You can configure the portal settings to restrict the **Find** dialog box so that users can search only for user objects. This article explains how to update the settings to limit search results to user objects only. + +## Instructions +1. In the **Netwrix Directory Manager Admin Center**, go to **Applications**. For the application or portal where you want to implement this setting, click the three dots (**...**) and select **Settings**. + + ![Applications page in Netwrix Directory Manager Admin Center with settings option highlighted](images/ka0Qk000000CzVx_0EMQk00000BYFKr.png) + +2. On the next page, click **Advanced Settings**. Under the **Portal & Search** tab on the right, find the option named **Find Dialogue / Look For**. Uncheck **Groups** and **Contacts** to limit searches to user objects only. + + ![Advanced Settings with Find Dialogue / Look For options in Netwrix Directory Manager](images/ka0Qk000000CzVx_0EMQk00000BYFJF.png) + +3. Scroll down and click the **Save** button to apply your changes. 
+ +## Impact +Before making this change, the **Find** dialog box allows searches for *Users*, *Contacts*, and *Groups*: + +![Find dialog box showing all object types: Users, Contacts, and Groups](images/ka0Qk000000CzVx_0EMQk00000BYFMT.png) + +After updating the settings to allow only **Users**, the **Find** dialog box will display only the *User* object type in searches: + +![Find dialog box showing only User object type](images/ka0Qk000000CzVx_0EMQk00000BYFHd.png) diff --git a/docs/kb/directorymanager/how-to-limit-users-to-search-only-for-user-objects.md b/docs/kb/directorymanager/how-to-limit-users-to-search-only-for-user-objects.md new file mode 100644 index 0000000000..8340eb061d --- /dev/null +++ b/docs/kb/directorymanager/how-to-limit-users-to-search-only-for-user-objects.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Shows how to configure Netwrix Directory Manager so users can search only for + User objects in the User portal's Find dialog box. +keywords: + - Netwrix Directory Manager + - Find dialog + - user portal + - search settings + - portal settings + - advanced settings + - user objects +products: + - directory-manager +visibility: public +sidebar_label: How to Limit Users to Search Only for User Objects +tags: [] +title: "How to Limit Users to Search Only for User Objects" +knowledge_article_id: kA0Qk0000002NOjKAM +--- + +# How to Limit Users to Search Only for User Objects + +## Overview + +This article explains how to configure Netwrix Directory Manager so that users can search only for User objects in the User portal's **Find** dialog box. + +By default, the **Find** dialog box allows users to search for all object types, including users, contacts, and groups. You can restrict this feature to specific object types by adjusting the portal settings. + +## Instructions + +1. In the **Directory Manager Admin Center**, go to **Applications**. Locate the desired application/portal and click the three-dot icon to select **Settings**. + + ![Accessing application settings in Netwrix Directory Manager Admin Center](images/ka0Qk000000FGyv_0EMQk00000CAMWb.png) + +2. Click **Advanced Settings**. Under the **Portal & Search** tab on the right, locate the **Find Dialogue / Look For** option. Uncheck **Groups** and **Contacts** to limit searches to User objects only. + + ![Configuring Find Dialogue object types in Advanced Settings](images/ka0Qk000000FGyv_0EMQk00000CAMYD.png) + +3. Scroll down and click **Save** to apply your changes. + +## Result + +By default, the **Find** dialog box allows searches for *Users*, *Contacts*, and *Groups*. 
+ +![Default Find dialog box showing all object types](images/ka0Qk000000FGyv_0EMQk00000CAMUz.png) + +After applying the configuration, the **Find** dialog box will display only the **User** object type in searches. + +![Find dialog box limited to User object type](images/ka0Qk000000FGyv_0EMQk00000CALUk.png) diff --git a/docs/kb/directorymanager/how-to-modify-expiring-group-email-template.md b/docs/kb/directorymanager/how-to-modify-expiring-group-email-template.md new file mode 100644 index 0000000000..d5fe5433ff --- /dev/null +++ b/docs/kb/directorymanager/how-to-modify-expiring-group-email-template.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Shows how to edit the static text in the group expiry notification email for + Netwrix Directory Manager 11 so you can include custom messages about + distribution lists, security groups, or other impacts. +keywords: + - Netwrix Directory Manager + - GLMExpiredNotify + - notification editor + - expiring group email + - group lifecycle + - email template + - distribution list + - security group + - notification +products: + - directory-manager +sidebar_label: How To Modify Expiring Group Email Template +tags: [] +title: "How To Modify Expiring Group Email Template" +knowledge_article_id: kA0Qk0000002IQfKAM +--- + +# How To Modify Expiring Group Email Template + +## Applies To +Netwrix Directory Manager 11 + +## Overview +By default, the Group Lifecycle notification email in Netwrix Directory Manager 11 only explains the consequence of not renewing distribution lists. You can customize the email body to include additional information, such as the impact of not renewing security groups or any other custom text. This article explains how to edit the static text in the group expiry notification email. + +## Instructions +1. In the Netwrix Directory Manager Admin Center, select **Notifications** then **Notification Editor**. + ![Notification Editor in Directory Manager Admin Center](images/ka0Qk000000D8m9_0EMQk00000BpGZ3.png) + +2. On the next page, you will see a list of all notifications in Netwrix Directory Manager. Search for the notification named `GLMExpiredNotify`. Under **Actions**, click **Edit**. + ![List of notifications with Edit option in Directory Manager](images/ka0Qk000000D8m9_0EMQk00000BpGXR.png) + +3. Select the **Source Code** tab and go to line 44. This line contains the consequence of not renewing a group. Edit the text as needed to include your custom message. + ![Source Code tab with editable email body in Directory Manager](images/ka0Qk000000D8m9_0EMQk00000BpGaf.png) + +4. 
After making your changes, go to the **Interactive** tab to preview the results in a clean, easy-to-read format. + ![Interactive tab showing email preview in Directory Manager](images/ka0Qk000000D8m9_0EMQk00000BpGcH.png) + +5. If you are satisfied with the output, return to the **Source Code** tab and click **Save**. Confirm your changes by clicking **Save** again. + ![Save button in Source Code tab in Directory Manager](images/ka0Qk000000D8m9_0EMQk00000BpCs2.png) + ![Confirmation of saved changes in Directory Manager](images/ka0Qk000000D8m9_0EMQk00000BpGdt.png) diff --git a/docs/kb/directorymanager/how-to-notify-objects-when-a-profile-is-modified.md b/docs/kb/directorymanager/how-to-notify-objects-when-a-profile-is-modified.md new file mode 100644 index 0000000000..76a957cde4 --- /dev/null +++ b/docs/kb/directorymanager/how-to-notify-objects-when-a-profile-is-modified.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Shows how to enable the Object being modified notification in Netwrix + Directory Manager 11 so groups, users, or contacts receive an email when their + profile is changed. +keywords: + - Netwrix Directory Manager + - Directory Manager 11 + - identity store + - notifications + - email notification + - Object being modified + - profile modification +products: + - directory-manager +sidebar_label: How to Notify Objects When a Profile is Modified +tags: [] +title: "How to Notify Objects When a Profile is Modified" +knowledge_article_id: kA0Qk0000002IP3KAM +--- + +# How to Notify Objects When a Profile is Modified + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +You can configure Netwrix Directory Manager 11 to automatically send an email notification to a group, user, or contact whenever their profile is modified through the portal. To enable this feature, update the notification settings in the identity store. + +When the **Object being modified** option is enabled, the following occurs: + +- For a group, group members are notified of changes. +- For a user or contact, the individual is notified about changes to their profile. + +Notifications are generated for events such as group renewal, expiry policy changes, membership changes, property or attribute modifications, and updates made by scheduled jobs. + +> **NOTE:** An SMTP server must be configured for the identity store for notifications to be sent. + +## Instructions + +1. In Netwrix Directory Manager Admin Center, select **Identity Stores**. For your identity store, click the three dots (**...**) and select **Edit**. + ![Identity Stores list with edit option highlighted in Directory Manager Admin Center](images/ka0Qk000000D8kX_0EMQk00000BpFwM.png) +2. On the next page, click **Configurations**. + ![Configurations button in Directory Manager Admin Center](images/ka0Qk000000D8kX_0EMQk00000BpG9G.png) +3. Click **Notifications**. 
+ ![Notifications button in Directory Manager Admin Center](images/ka0Qk000000D8kX_0EMQk00000BpGCT.png) +4. Under the **Also Notify** option, select the checkbox for **Object being modified**. + ![Also Notify option with Object being modified checkbox selected](images/ka0Qk000000D8kX_0EMQk00000BpG9H.png) +5. Scroll down and click the **Save** button. + +## Impact + +For example, if an administrator changes the **Notes** field of a user account in Active Directory, the user whose account was modified will receive an email notification about the change. + +![Sample email notification sent to user after profile modification in Directory Manager](images/ka0Qk000000D8kX_0EMQk00000BpGAr.png) diff --git a/docs/kb/directorymanager/how-to-prepare-for-installation.md b/docs/kb/directorymanager/how-to-prepare-for-installation.md new file mode 100644 index 0000000000..bee9e5e6d6 --- /dev/null +++ b/docs/kb/directorymanager/how-to-prepare-for-installation.md 
@@ -0,0 +1,68 @@ +--- +description: >- + Explains considerations and required steps when installing a new Netwrix + Directory Manager server or adding an additional server to an existing + infrastructure, including prerequisites and configuration notes. +keywords: + - Netwrix Directory Manager + - installation + - prerequisites + - .NET Framework + - Java 8 + - ODBC + - Elastic + - IIS + - certificate + - NDM +products: + - directory-manager +sidebar_label: How to Prepare for Installation +tags: [] +title: "How to Prepare for Installation" +knowledge_article_id: kA0Qk00000024dpKAA +--- + +# How to Prepare for Installation + +## Applies To + +Netwrix Directory Manager 10 + +## Overview + +This article explains the considerations and required steps when installing a new Netwrix Directory Manager (formerly GroupID) server in a new environment or adding an additional server to an existing infrastructure. + +## Instructions + +### Install Netwrix Directory Manager on a New Server + +1. Add the service account to the local administrator's group on the server then grant it full control over the Netwrix Directory Manager installation directory. + +> **NOTE:** The installation directory is `X:\Program Files\Imanami\GroupID 10.0`. By default, `X` is `C`, but it may be another drive if you selected a different location during installation. + +2. Install Netwrix Directory Manager 10, which includes .NET Framework 4.7.2 as a prerequisite. Do not upgrade the .NET Framework version to 4.8. +3. Ensure Java 8 Update 171 is installed. Do not upgrade Java from version 8 to any other version. +4. Ensure that the drive you are installing Netwrix Directory Manager on always has more than 20 percent free disk space. +5. After installing Netwrix Directory Manager and completing the configuration tool, remove or rename the Netwrix Directory Manager zip files. +6. 
After all steps above are complete, replace the generic security service certificate with a new, unique certificate by following the process described in the advisory below. + +[Security Advisory ADV-2025-004 ⸱ Netwrix 🡥](https://security.netwrix.com/Advisories/ADV-2025-004) + +7. After following Step 5, please follow the steps given below in the Advisory 2025-013 to apply IP restrictions on the NDM site in IIS:- + +[Security Advisory ADV-2025-013](https://community.netwrix.com/t/adv-2025-013-hard-coded-password-in-netwrix-directory-manager-formerly-imanami-groupid-v10-and-earlier/13945) + +### Adding a Netwrix Directory Manager Server to an Existing Infrastructure + +In addition to the steps above, consider the following points when adding another Netwrix Directory Manager server to an existing infrastructure: + +- If you are using Automate or Synchronize modules, create the same ODBC connections on the new server as on your existing server(s), if needed. +- If you already have or will have more than two Netwrix Directory Manager servers as part of the same cluster, adjust the number of replicas for Elastic with assistance from the support team. +- Apply all Netwrix Directory Manager patches that are already applied on the existing server(s) to the new server. +- If preferred domain controllers are being used, add them to the new server as well. +- Ensure the HTTPS port and alias for the Netwrix Directory Manager site are the same as those on the existing server. + +## Related Articles + +- [Security Advisory ADV-2025-004 ⸱ Netwrix 🡥](https://security.netwrix.com/Advisories/ADV-2025-004) +- [Security Advisory ADV-2025-013](https://community.netwrix.com/t/adv-2025-013-hard-coded-password-in-netwrix-directory-manager-formerly-imanami-groupid-v10-and-earlier/13945) diff --git a/docs/kb/directorymanager/how-to-replace-logo-on-landing-page.md b/docs/kb/directorymanager/how-to-replace-logo-on-landing-page.md new file mode 100644 index 0000000000..2197f1305d 
--- /dev/null +++ b/docs/kb/directorymanager/how-to-replace-logo-on-landing-page.md 
@@ -0,0 +1,65 @@ +--- +description: >- + Shows how to replace the logo and landing page image for Netwrix Directory + Manager portal by replacing specific image files in the portal Content\Images + directory. +keywords: + - Netwrix Directory Manager + - logo + - landing page + - GroupID + - portal + - replace image + - Imanami + - Content Images +products: + - directory-manager +sidebar_label: How to Replace Logo on Landing Page +tags: [] +title: "How to Replace Logo on Landing Page" +knowledge_article_id: kA0Qk00000015wvKAA +--- + +# How to Replace Logo on Landing Page + +## Applies To + +Netwrix Directory Manager 11 – Directory Manager Portal + +## Question + +Can you replace the logo and picture on the landing page of the Netwrix Directory Manager portal? + +![Directory Manager portal landing page with default logo and image](images/ka0Qk000000De4T_0EMQk00000BO0Jt.png) + +## Answer + +Yes, you are able to replace the logo and picture. This can be acheived by following the steps below. + +### Replace the Logo + +1. Go to the following directory: + `C:\Program Files\Imanami\GroupID 11.0\GroupIDPortal\Inetpub\Select your portal\Web\wwwroot\Content\Images` +2. Replace the file named `imanami-logos-master-1@3x.webp`. + **IMPORTANT:** The new file must have the same name, size, and extension as the original. + +![Directory showing imanami-logos-master-1@3x.webp file](images/ka0Qk000000De4T_0EMQk00000BNz9K.png) + +> **IMPORTANT:** Take a backup of the original file before replacing it. + +### Replace the Landing Page Image + +1. Go to the following directory: + `C:\Program Files\Imanami\GroupID 11.0\GroupIDPortal\Inetpub\Select your portal\Web\wwwroot\Content\Images` +2. Replace the file named `groupid-3x.webp`. + **IMPORTANT:** The new file must have the same name, size, and extension as the original. + +![Directory showing groupid-3x.webp file](images/ka0Qk000000De4T_0EMQk00000BO3JN.png) + +> **IMPORTANT:** Take a backup of the original file before replacing it. 
+ +### Verify the Changes + +1. Open the landing page of the Directory Manager portal in incognito mode to verify that the logo and image have been updated. + +![Directory Manager portal landing page with updated logo and image](images/ka0Qk000000De4T_0EMQk00000BNzAx.png) diff --git a/docs/kb/directorymanager/how-to-replace-logo-on-sign-in-page.md b/docs/kb/directorymanager/how-to-replace-logo-on-sign-in-page.md new file mode 100644 index 0000000000..96d0b1d8a8 --- /dev/null +++ b/docs/kb/directorymanager/how-to-replace-logo-on-sign-in-page.md @@ -0,0 +1,40 @@ +--- +description: >- + Shows how to replace the logo on the Netwrix Directory Manager sign-in page by + replacing the image file in the product folder. +keywords: + - logo + - sign-in + - vector-smart-object.png + - Directory Manager + - GroupID + - images + - Netwrix +products: + - directory-manager +sidebar_label: How to Replace Logo on Sign-in Page +tags: [] +title: "How to Replace Logo on Sign-in Page" +knowledge_article_id: kA0Qk00000015yXKAQ +--- + +# How to Replace Logo on Sign-in Page + +## Question + +Can you replace the logo on the sign-in page of the Netwrix Directory Manager (formerly Netwrix GroupID) portal? + +![Sign-in Page Screenshot](images/ka0Qk000000DGa1_0EMQk000004nK9l.png) + +## Answer + +Yes, this can be done by replacing the image file in the Netwrix Directory Manager 11 folder. Follow the steps below to complete this: + +1. Navigate to `C:\Program Files\Imanami\GroupID 11.0\GroupIDSecurityService\Inetpub\GroupIDSecurityService\Web\wwwroot\Content\Images` +2. Replace the image file named `vector-smart-object.png`, ensuring the file name, size, and extension remain the same. + +![Replacement Image Screenshot](images/ka0Qk000000DGa1_0EMQk000004nK9m.png) + +> **NOTE:** Take a backup of the original file. + +![Final Result Screenshot](images/ka0Qk000000DGa1_0EMQk000004nK9n.png) 
diff --git a/docs/kb/directorymanager/how-to-replace-the-password-center-portal-logo.md b/docs/kb/directorymanager/how-to-replace-the-password-center-portal-logo.md new file mode 100644 index 0000000000..e78caab65f --- /dev/null +++ b/docs/kb/directorymanager/how-to-replace-the-password-center-portal-logo.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Shows how to replace the Password Center portal logo in Netwrix Directory + Manager by replacing the PCFullLogoTransaprent.svg file in the portal content + folder. +keywords: + - password center + - logo + - SVG + - Netwrix Directory Manager + - GroupID + - portal + - PCFullLogoTransaprent + - replace logo + - instructions +products: + - directory-manager +sidebar_label: How to Replace the Password Center Portal Logo +tags: [] +title: "How to Replace the Password Center Portal Logo" +knowledge_article_id: kA0Qk00000025GXKAY +--- + +# How to Replace the Password Center Portal Logo + +## Applies To +Netwrix Directory Manager 11.1 – Directory Manager Portal + +## Question +Can you replace the logo on the Password Center portal in Netwrix Directory Manager (formerly GroupID)? + +![Password Center portal with default logo](images/ka0Qk000000CapJ_0EMQk00000Az6M6.png) + +## Answer +Yes, you can replace the Password Center logo. Follow the steps below. + +### Replace the Logo on the Password Center Portal +1. Go to the following directory: + `C:\Program Files\Imanami\GroupID 11.0\GroupIDPortal\Inetpub\\Web\wwwroot\Content\Images\vector` +2. Locate the file named `PCFullLogoTransaprent.svg`. This file is used to render the logo on the portal. + + ![Directory showing PCFullLogoTransaprent.svg file](images/ka0Qk000000CapJ_0EMQk00000AzEMr.png) + +3. Convert your logo to the `.svg` format and copy it to the same directory. +4. Rename the existing `PCFullLogoTransaprent.svg` file to `PCFullLogoTransaprentbackup.svg` for backup purposes. +5. Rename your new logo file to `PCFullLogoTransaprent.svg`. +6. Open the Password Center portal in incognito mode to verify that the new logo appears. + +![Password Center portal with updated logo](images/ka0Qk000000CapJ_0EMQk00000Az8kU.png) + +> **NOTE:** Adjust the dimensions of your logo as needed to fit the portal layout. 
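Review bot: The directory in step 1 reads `...\GroupIDPortal\Inetpub\\Web\wwwroot\Content\Images\vector`, with an empty segment between `Inetpub` and `Web` where the portal name belongs; the placeholder appears to have been lost. Restore it in a form that survives Markdown rendering, for example the `Select your portal` wording used in the landing-page article. Separately, Applies To says 11.1 while the path uses `GroupID 11.0`; confirm the folder name is unchanged on 11.1 and say so in the step.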
diff --git a/docs/kb/directorymanager/how-to-replace-the-security-service-certificate.md b/docs/kb/directorymanager/how-to-replace-the-security-service-certificate.md new file mode 100644 index 0000000000..a56ca7abff --- /dev/null +++ b/docs/kb/directorymanager/how-to-replace-the-security-service-certificate.md 
@@ -0,0 +1,136 @@ +--- +description: >- + Step-by-step instructions to replace the Netwrix Directory Manager Security + Service SSL certificate that expires on January 15, 2025, including patch + download, certificate replacement, scheduled job updates, and an automation + PowerShell script. +keywords: + - Netwrix Directory Manager + - security service + - certificate replacement + - SSL + - scheduled jobs + - IISRESET + - PowerShell + - 370874 +products: + - directory-manager +sidebar_label: How to Replace the Security Service Certificate +tags: [] +title: "How to Replace the Security Service Certificate" +knowledge_article_id: kA0Qk0000001rWvKAI +--- + +# How to Replace the Security Service Certificate + +## Applies To + +Netwrix Directory Manager 10SR2 + +## Overview + +The Netwrix Directory Manager Security Service relies on an SSL certificate to function properly. This certificate, which expires on January 15, 2025, is essential for secure operations such as user authentication, authorization, and encryption of data between clients and the SQL Server database. This article provides step-by-step instructions for replacing the certificate when it expires. + +## Instructions + +### Replace the Security Service Certificate + +Follow the steps below to replace the Security Service certificate: + +1. Open the **Directory Manager Updates** tool then click on **Settings**. +2. Select Version as `10.2` and download patch #`370874`, but DO NOT apply it yet. +3. If you do not have the Directory Manager Updates tool, you can download it from https://www.netwrix.com/my_products.html. + +![](images/ka0Qk000000DSRV_0EMQk00000A0EV5.png) + +![](images/ka0Qk000000DSRV_0EMQk00000A2mh7.png) + +![](images/ka0Qk000000DSRV_0EMQk00000A0P5V.png) + +4. Once downloaded, navigate to the patch download folder. Rename the file `370874.gpb` to `370874.zip`. +5. Once renamed, right-click the zip file and click **Properties**. In the **General** tab, uncheck **Unblock** and apply the changes. 
+ +![](images/ka0Qk000000DSRV_0EMQk00000A0IX3.png) + +6. After the zip file is unblocked, extract the contents of the ZIP file to access the utility. Run the `GroupIDSecurityServiceCertificateUpdate.exe` as an **Administrator**. + +![](images/ka0Qk000000DSRV_0EMQk00000A0ISD.png) + +7. Verify that the **DataService** path and **Service Account** are correct. +8. Enter the information for the **Service Account** (e.g., Domain\Account_Name). +9. Click **Replace Security Service**. This action assigns the necessary permissions to the new certificate, replaces the existing one, and updates the thumbprints across all integrated applications. + +![](images/ka0Qk000000DSRV_0EMQk00000A0ITp.png) + +10. Perform an `IISRESET` by launching Windows PowerShell/Command Prompt as an Administrator and typing `IISRESET`. +11. Verify the expiry date for the Security Service certificate by launching **IIS Manager Home** then clicking **Server Certificates**. The new expiration date should show **1/13/2045**. + +![](images/ka0Qk000000DSRV_0EMQk00000A0IYf.png) + +### Update or Recreate Scheduled Jobs + +Once the Directory Manager Security Service Certificate has been updated, you have two options for handling scheduled jobs. + +- Recreate Existing Schedules (Recommended): Existing schedules will need to be recreated to ensure proper functionality after the certificate update. New schedules created after the certificate update will not require any changes. +- Update Existing Schedules (Advanced): If you prefer to update the existing schedules instead of recreating them, follow the steps below: + +1. Create a backup of the Directory Manager Scheduled Job task files located at `\Program Files\Imanami\GroupID 10.0\Schedules`. +2. Create a new scheduled job in the Directory Manager Management Console. Any job type is acceptable, but the SmartGroup Update Job is recommended. + +![](images/ka0Qk000000DSRV_0EMQk00000A2A0j.png) + +3. 
Navigate to `\Program Files\Imanami\GroupID 10.0\Schedules` and open the newly created task file. Sort by **Modified Date** to identify it. +4. Open the task file in Notepad. +5. Click at the beginning of the first line and press **CTRL + F**. +6. Search for `<#!#>`. On the second occurrence, copy everything afterward to the end of the file. + +![](images/ka0Qk000000DSRV_0EMQk00000A25Yw.png) + +![](images/ka0Qk000000DSRV_0EMQk00000A21Os.png) + +7. Open another Notepad file and save the copied information. You will use this in the next step. +8. Open each remaining task file in the same directory and replace the content after the second occurrence of `<#!#>` with the copied token. +9. Save and close each updated task file. +10. Open each schedule in the Directory Manager Management Console and reauthenticate. + +### Automating Steps (3–9) Using PowerShell + +Instead of manually completing steps 3–9, you can use the PowerShell script below to automate the process. This script extracts the token from the most recently modified task file and applies it to all other task files in the directory. + +```powershell +# Define the folder containing the schedule files +$folderPath = "C:\Program Files\Imanami\GroupID 10.0\Schedules" + +# Get the list of task files, sorted by Last Write Time (newest first) +$txtFiles = Get-ChildItem -Path $folderPath -Filter "*.txt" | Sort-Object LastWriteTime -Descending + +# Get the content of the newest task file +$latestFile = $txtFiles[0] +$latestContent = Get-Content -Path $latestFile.FullName -Raw + +# Split content to locate the token +$splitContent = $latestContent -split "<#!#>" + +# Verify token structure +if ($splitContent.Count -ge 3) { + $replacementContent = $splitContent[2] +} else { + Write-Host "The latest file does not contain two '<#!#>' markers." 
+ exit +} + +# Apply the token to other task files +foreach ($file in $txtFiles[1..($txtFiles.Count - 1)]) { + $content = Get-Content -Path $file.FullName -Raw + $parts = $content -split "<#!#>" + if ($parts.Count -ge 3) { + $newContent = $parts[0] + "<#!#>" + $parts[1] + "<#!#>" + $replacementContent + Set-Content -Path $file.FullName -Value $newContent -NoNewline + Write-Host "Updated file: $($file.Name)" + } else { + Write-Host "Skipped file (less than two '<#!#>' markers): $($file.Name)" + } +} +``` + +> **NOTE:** In a primary–secondary server environment, the above process must be implemented first on the primary server and then on the secondary servers. diff --git a/docs/kb/directorymanager/how-to-set-semi-private-as-the-default-security-type-in-v10.md b/docs/kb/directorymanager/how-to-set-semi-private-as-the-default-security-type-in-v10.md new file mode 100644 index 0000000000..268926639f --- /dev/null +++ b/docs/kb/directorymanager/how-to-set-semi-private-as-the-default-security-type-in-v10.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Shows how to set "Semi-Private" as the default security type in Netwrix + Directory Manager 10 Self-Service so users see it by default or so you can + enforce or hide it per role. +keywords: + - semi-private + - security type + - create group + - self-service + - netwrix directory manager + - default value + - visibility role + - is read-only + - group creation +products: + - directory-manager +sidebar_label: 'How to Set ''Semi-Private'' as the Default Security ' +tags: [] +title: How to Set 'Semi-Private' as the Default Security Type in v10 +knowledge_article_id: kA0Qk0000002BgvKAE +--- + +# How to Set 'Semi-Private' as the Default Security Type in v10 + +## Applies To + +Netwrix Directory Manager 10 – Self-Service + +## Overview + +By default, users can select from multiple security types when creating a group in the Self-Service portal. You may want to set `Semi Private: Owner Must Approve` as the default security type in the **Create Group** wizard, while still allowing users to choose another option or enforce the default for all users. + +## Instructions + +1. In the Directory Manager Management Console, navigate to **Self-Service > Portals > [Required portal] > Designs > [Required identity store]**. +2. On the **Create Object** tab, select **Group** from the **Select Directory Object** drop-down list. +3. In the **Name** list, select **General** and click **Edit**. +4. In the **Edit Design Category** dialog box, select **Security** and click **Edit**. + + ![Edit Design Category dialog box with Security field selected](images/ka0Qk000000CsRF_0EMQk00000BP1x3.png) + +5. In the **Edit Field** dialog box, click the **Advanced options** link. + + ![Edit Field dialog box with Advanced options link](images/ka0Qk000000CsRF_0EMQk00000BP23V.png) + +6. Select `Semi Private: Owner Must Approve` from the **Default Value** drop-down list. 
+ + ![Default Value drop-down list with Semi Private selected](images/ka0Qk000000CsRF_0EMQk00000BP21t.png) + +7. Optional: To enforce the semi-private security type, select the **Is Read-Only** check box. This will disable the **Security** drop-down list in the **Create Group** wizard, displaying only the default value. + + ![Is Read-Only check box selected in Edit Field dialog box](images/ka0Qk000000CsRF_0EMQk00000BP1yf.png) + +8. Optional: To hide the **Security** drop-down list from a specific role, select the desired role (such as **Administrator** or **Helpdesk**) from the **Visibility Role** drop-down list. The **Security** drop-down list will be visible to users of the selected role and roles with a higher priority value, and hidden from all roles with a lower priority value. + + ![Visibility Role drop-down list in Edit Field dialog box](images/ka0Qk000000CsRF_0EMQk00000BP20H.png) + +9. Click **OK** to close the dialog boxes and save your changes. diff --git a/docs/kb/directorymanager/how-to-set-semi-private-as-the-default-security-type-in-v11.md b/docs/kb/directorymanager/how-to-set-semi-private-as-the-default-security-type-in-v11.md new file mode 100644 index 0000000000..110098088a --- /dev/null +++ b/docs/kb/directorymanager/how-to-set-semi-private-as-the-default-security-type-in-v11.md 
@@ -0,0 +1,62 @@ +--- +description: >- + Shows how to set the default group security type to Semi_Private in the + Netwrix Directory Manager 11 user portal and how to enforce or control its + visibility by role. +keywords: + - Netwrix Directory Manager + - group security + - semi-private + - Create Group + - default value + - Admin Portal + - Design Settings + - Visibility Role +products: + - directory-manager +sidebar_label: 'How to Set ''Semi-Private'' as the Default Security ' +tags: [] +title: How to Set 'Semi-Private' as the Default Security Type in v11 +knowledge_article_id: kA0Qk0000002BiXKAU +--- + +# How to Set 'Semi-Private' as the Default Security Type in v11 + +## Applies To +Netwrix Directory Manager 11 + +## Overview +By default, users can choose from several security types when creating a group in the Netwrix Directory Manager 11 user portal. You can configure the portal to set *semi-private* as the default security type in the **Create Group** wizard. You also have the option to allow users to select a different security type or to enforce the default for all users. + +## Instructions +1. Open the Directory Manager Admin Portal at `https://servername/AdminCenter/`. Navigate to **Applications**, select your desired portal, and click the three dots (**...**) to edit it. + ![Applications page in Netwrix Directory Manager Admin Portal with edit option highlighted](images/ka0Qk000000CsSr_0EMQk00000BP3cH.png) + +2. Click **Settings**. + ![Settings option in Netwrix Directory Manager Admin Portal](images/ka0Qk000000CsSr_0EMQk00000BP3fV.png) + +3. Under **Design Settings**, click your identity store’s name. + ![Design Settings section in Netwrix Directory Manager Admin Portal](images/ka0Qk000000CsSr_0EMQk00000BP3af.png) + +4. On the **Create Object** tab, select **Group** from the **Select Directory Object** drop-down list. + ![Create Object tab with Group selected](images/ka0Qk000000CsSr_0EMQk00000BP3dt.png) + +5. 
In the **Name** list, select *General* and click **Edit**. + +6. In the **Edit Design Category** dialog box, select **Security** and click **Edit**. + ![Edit Design Category dialog box with Security field selected](images/ka0Qk000000CsSr_0EMQk00000BP3kL.png) + +7. In the **Edit Field** dialog box, click the **Advanced options** link. + ![Edit Field dialog box with Advanced options link](images/ka0Qk000000CsSr_0EMQk00000BP3lx.png) + +8. Select `Semi_Private` from the **Default Value** drop-down list. + ![Default Value drop-down list with Semi_Private selected](images/ka0Qk000000CsSr_0EMQk00000BP3nZ.png) + +9. Optional: To enforce the semi-private security type, select the **Is Read-Only** check box. This action disables the **Security** drop-down list in the **Create Group** wizard and displays only the default value. + ![Is Read-Only check box selected in Edit Field dialog box](images/ka0Qk000000CsSr_0EMQk00000BP3ij.png) + ![Create Group wizard with Security drop-down list disabled](images/ka0Qk000000CsSr_0EMQk00000BP3qn.png) + +10. Optional: To hide the **Security** drop-down list from a specific role, select the desired role (such as **Administrator** or **Helpdesk**) from the **Visibility Role** drop-down list. The **Security** drop-down list is visible to users of the selected role and to roles with a higher priority value, but hidden from all roles with a lower priority value. + ![Visibility Role drop-down list in Edit Field dialog box](images/ka0Qk000000CsSr_0EMQk00000BP3pB.png) + +11. Click **OK** to close the dialog boxes then save your changes. diff --git a/docs/kb/directorymanager/how-to-trigger-a-workflow-when-a-user-creates-a-group.md b/docs/kb/directorymanager/how-to-trigger-a-workflow-when-a-user-creates-a-group.md new file mode 100644 index 0000000000..859a36f57b --- /dev/null +++ b/docs/kb/directorymanager/how-to-trigger-a-workflow-when-a-user-creates-a-group.md 
@@ -0,0 +1,75 @@ +--- +description: >- + This article explains how to configure a workflow approval process for group + creation in Netwrix Directory Manager so that groups created via the + Self-Service portal require approver approval before being committed to Active + Directory. +keywords: + - Netwrix Directory Manager + - workflow + - group creation + - approval + - Self-Service + - identity store + - approver + - filters +products: + - directory-manager +sidebar_label: How to Trigger a Workflow When a User Creates a Gr +tags: [] +title: "How to Trigger a Workflow When a User Creates a Group" +knowledge_article_id: kA0Qk0000002FhJKAU +--- + +# How to Trigger a Workflow When a User Creates a Group + +## Applies To + +Netwrix Directory Manager 11 or above + +## Overview + +This article explains how to implement a workflow approval process for group creation using Netwrix Directory Manager (formerly GroupID). By configuring workflow routes, you can ensure that all new groups created via the Self-Service portal are subject to approval before being committed to Active Directory. + +The workflow route consists of the following components: + +- The object the workflow applies to (e.g., group) +- The event that initiates the workflow (e.g., create) +- A filter condition that defines when the workflow is triggered (e.g., user role) +- The approver(s) responsible for reviewing and approving the request + +If the workflow conditions are met, a request is generated and sent to the approvers. Once approved, the group creation takes effect in Active Directory. + +> **NOTE:** You must configure notifications for an identity store for workflows to work. + +## Instructions + +1. In the **Netwrix Directory Manager Admin Center**, click the **Identity Stores** node from the Navigation Bar. +2. On the **Identity Stores** tab, click the three-dot icon and click the **Edit** button of an identity store to open its properties. 
+ ![Identity Store Edit Screenshot](images/ka0Qk000000DGYP_0EMQk00000BdOqX.png) +3. Click the **Workflow** tab. + ![Workflow Tab Screenshot](images/ka0Qk000000DGYP_0EMQk00000BdOs9.png) +4. Click **Add Workflow**. +5. In the **Object(s)** list, select *Group*. +6. Enter a name for the workflow in the **Name** box. For example, `Group Creation`. +7. In the **Events** drop-down list, select *Create*. +8. Make sure the **Enabled** check box is selected for the workflow to apply. +9. Select the **Enable mail approval** check box to enable the approver to approve or deny a workflow request from within the workflow email notification. +10. The **Enable approver acceleration** check box applies if approver acceleration has been enabled for the identity store. To exempt this workflow route from approver acceleration, clear this check box. +11. In the **Description** box, enter a brief description of the workflow. For example, `This workflow tracks creation of groups by people from User Security Role.` +12. In the **Portal URL** drop-down list, select a Self-Service portal URL to include in the workflow email notifications. The URL would redirect the recipients to the portal for acting on the respective request, such as approve or deny it. + ![Add Workflow Screenshot](images/ka0Qk000000DGYP_0EMQk00000BdOtl.png) +13. Use the **Filters** area to define a condition that must be met for the workflow to trigger. Leave the filter blank to apply the workflow to all users. If a condition is set and not met, the workflow will not initiate. For example, the following filter targets users in the User security role: + + | Field | Condition | Value | + |---|---|---| + | Role | Equals | `User` | + + With this filter, when a user from the User role creates a group via the Self-Service portal, the workflow is triggered and the changes are held for approval. Users outside this role can create groups without triggering the workflow. +14. In the **Approvers** area, click **Add**. 
+ ![Add Approver Screenshot](images/ka0Qk000000DGYP_0EMQk00000BdOov.png) +15. Select the user or group responsible for approving requests generated by this workflow. For best results, assign an administrator or helpdesk member rather than group owners. +16. Click **OK** to save the approver configuration. +17. Click **OK** on the **Workflow Route** dialog box and then on the **Workflow** tab to finalize the configuration. + +Once these steps are complete, this configuration ensures that group creation requests submitted via Netwrix Directory Manager by User security role members are subject to approval before being finalized. diff --git a/docs/kb/directorymanager/how-to-uninstall-directory-manager.md b/docs/kb/directorymanager/how-to-uninstall-directory-manager.md new file mode 100644 index 0000000000..a85f0c27a3 --- /dev/null +++ b/docs/kb/directorymanager/how-to-uninstall-directory-manager.md 
@@ -0,0 +1,111 @@ +--- +description: >- + This article explains how to uninstall previous versions of Netwrix Directory + Manager to upgrade to the latest version and how to completely remove Netwrix + Directory Manager from a machine. +keywords: + - uninstall + - Netwrix Directory Manager + - Directory Manager + - GroupID + - Imanami + - IIS + - registry + - DLL + - application pool +products: + - directory-manager +sidebar_label: How to Uninstall Directory Manager +tags: [] +title: "How to Uninstall Directory Manager" +knowledge_article_id: kA0Qk00000015orKAA +--- + +# How to Uninstall Directory Manager + +## Overview + +This article explains how to uninstall previous versions of Netwrix Directory Manager (formerly GroupID) to upgrade to the latest version. It also provides instructions for completely removing Directory Manager from your machine. + +## Instructions + +The steps below guide you through uninstalling Netwrix Directory Manager for an upgrade and completely removing it from your machine. + +> **NOTE:** Before you uninstall Directory Manager, ensure that the logged-in user is a member of the local Administrators group on the machine. Make sure the Directory Manager portal is fully closed before you begin the uninstall process. + +### Uninstall Netwrix Directory Manager to Upgrade to a Newer Version + +1. Double-click the **setup.exe** file in the Directory Manager installation package to launch the Directory Manager Installer. + ![Directory Manager Installer main screen with Uninstall Directory Manager option](images/ka0Qk0000006YdJ_0EMQk000004nD8J.png) +2. Click **Uninstall Directory Manager** to remove the application files via **Programs & Features** in Control Panel. +3. Proceed with the upgrade to the newer version of Directory Manager. +4. Click the **Install Directory Manager** link on the Directory Manager Installer to install the latest version. +5. 
After installation, run the Upgrade wizard to make earlier version data compatible with the new version. + +### Completely Uninstall Directory Manager from the Machine + +1. Click **Uninstall Directory Manager** on the Directory Manager Installer to uninstall the application files from your computer. +2. Remove the following components to ensure complete uninstallation: + - Directory Manager installation directory + - Other relevant directories + - Directory Manager DLLs + - Registry keys + - Services files + - Directory Manager application pool + - Directory Manager certificates + +### Remove the Directory Manager Installation Directory + +1. On the Directory Manager machine, navigate to `X:\Program Files\Imanami` (where X represents the installation drive). +2. Delete the directory named **Directory Manager [version]** (for example, Directory Manager 11). + +### Remove Other Relevant Directories + +1. On the Directory Manager machine, right-click the Windows button and select **Run**. +2. When the dialog box populates, type `%ALLUSERSPROFILE%\Imanami` and press Enter. +3. From the location referenced in the command, delete the **Directory Manager** folder. + +### Remove Directory Manager DLLs + +1. On the Directory Manager machine, navigate to `C:\Windows`. +2. Search for all DLL files with names starting with **Netwrix**. You can find the files by typing `Netwrix*.dll` in the Windows Explorer Search box. +3. Delete these files. + +### Remove Registry Keys + +1. On the Directory Manager machine, open **Registry Editor**. +2. Delete the following registry key (for Directory Manager 11.0): + +```text +HKEY_LOCAL_MACHINE\SOFTWARE\Imanami\GroupID\Version 11.0 +``` + +### Remove Directory Manager Services Files + +1. On the Directory Manager machine, navigate to `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files`. +2. Delete the **root** folder. + +### Remove Portal Files + +1. 
Open the Internet Information Services (IIS) console by typing `inetmgr` in the Windows **Run** dialog box. +2. Under the **GroupIDSite** node in the console tree, locate the portals you have created using the portal names. +3. Delete each portal by right-clicking it and selecting **Remove** from the shortcut menu. +4. After removing the portals, navigate to `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files`. +5. Delete each portal folder one by one. + +### Remove the Directory Manager Application Pool + +1. Open the Internet Information Services (IIS) console by typing `inetmgr` in the Windows **Run** dialog box. +2. Expand the **\** node in the console tree and click **Application Pools**. +3. On the Application Pools page, delete **Directory Manager App Pool 11** and all other pools that start with **GroupID11_GroupIDSite11** prefixes. + ![IIS Application Pools page with Directory Manager App Pool 11 selected](images/ka0Qk0000006YdJ_0EMQk000004nD8S.png) + +### Remove Directory Manager Certificates + +1. Open the Internet Information Services (IIS) console by typing `inetmgr` in the Windows **Run** dialog box. +2. Click the **\** node in the console tree. On the **Features View** tab, select **Server Certificates** in the **IIS** section. +3. Delete these certificates bound to **GroupIDSite** (the site deploying Directory Manager Data Service): + - GroupIDSecurityService + - Netwrix Directory Manager Certificate + +> **NOTE:** Do not remove these certificates if another Directory Manager version is installed on the machine. diff --git a/docs/kb/directorymanager/how-to-view-roles-assigned-to-a-user-v10.md b/docs/kb/directorymanager/how-to-view-roles-assigned-to-a-user-v10.md new file mode 100644 index 0000000000..2e8bd1ff57 --- /dev/null +++ b/docs/kb/directorymanager/how-to-view-roles-assigned-to-a-user-v10.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Shows how to view a user’s assigned security roles in an identity store for + any Netwrix Directory Manager client. Covers Management Console steps to find + a user’s role per client or portal. +keywords: + - Netwrix Directory Manager + - roles + - security roles + - identity store + - Management Console + - find user + - client role + - Self-Service +products: + - directory-manager +sidebar_label: How to View Roles Assigned to a User v10 +tags: [] +title: "How to View Roles Assigned to a User v10" +knowledge_article_id: kA0Qk0000002C1tKAE +--- + +# How to View Roles Assigned to a User v10 + +## Applies To +Netwrix Directory Manager 10 + +## Overview +Netwrix Directory Manager allows you to assign security roles to users in an identity store, controlling their access and permissions. Knowing which roles are assigned to each user is important for effective access management and security. + +This article explains how to quickly view a user's assigned security roles in an identity store for any Netwrix Directory Manager client. + +### Directory Manager Clients +You can check a user's security role assignment for the following Netwrix Directory Manager clients: + +- Automate +- Management Shell +- Netwrix Directory Manager Mobile app +- All Self-Service and Password Centre portals created using Netwrix Directory Manager + +## Instructions +1. In the Netwrix Directory Manager Management Console, click the **Identity Stores** node. +2. On the **Identity Stores** tab, double-click an identity store to open its properties. +3. On the **Security Roles** tab, click **Get Security Roles** to view the roles assigned to a user in the selected Netwrix Directory Manager client. + ![Security Roles tab in Identity Store properties](images/ka0Qk000000Du9F_0EMQk00000BQXBk.png) +4. Click the **Find User** button to specify the user you want to check the role for. +5. 
The **Find** dialog box is displayed, where you can search for and select the required user. You can use the **Delete** icon to remove the selected user and specify another one. + ![Find dialog box for selecting a user](images/ka0Qk000000Du9F_0EMQk00000BQZYT.png) +6. In the **Client Name** list, select a Netwrix Directory Manager client to view the user’s role for that client. To see the user’s role in a specific portal, select the relevant Self-Service portal. To view the user’s highest privileged role in Netwrix Directory Manager, select `None`. + ![Client Name list for selecting Directory Manager client](images/ka0Qk000000Du9F_0EMQk00000BQZmz.png) +7. Click the **Get Role** button. The **Applied Role** area shows the user role for the selected client along with role priority. For `None`, the highest privileged role of the user is displayed, regardless of any client. diff --git a/docs/kb/directorymanager/how-to-view-roles-assigned-to-a-user-v11.md b/docs/kb/directorymanager/how-to-view-roles-assigned-to-a-user-v11.md new file mode 100644 index 0000000000..c66bf95495 --- /dev/null +++ b/docs/kb/directorymanager/how-to-view-roles-assigned-to-a-user-v11.md 
@@ -0,0 +1,60 @@ +--- +description: >- + Shows how to view the security roles assigned to a user in an identity store + within Netwrix Directory Manager, including steps to check roles for deployed + clients and view the user's highest privileged role. +keywords: + - Netwrix Directory Manager + - security roles + - identity store + - user roles + - admin center + - Check Security Roles + - roles priority + - Helpdesk + - Administrator + - User +products: + - directory-manager +sidebar_label: How to View Roles Assigned to a User v11 +tags: [] +title: "How to View Roles Assigned to a User v11" +knowledge_article_id: kA0Qk00000015qTKAQ +--- + +# How to View Roles Assigned to a User v11 + +## Applies To +Netwrix Directory Manager 11 + +## Overview +This article explains how to view the security roles assigned to a user in an identity store within Netwrix Directory Manager. Security roles control the access and permissions users have across different Netwrix Directory Manager clients, such as portals, the admin center, and mobile apps. Understanding role assignments helps you verify user privileges and troubleshoot permission-related issues. + +Netwrix Directory Manager includes built-in roles such as: + +- **Administrator:** Full permissions in the identity store. +- **Helpdesk:** Can reset passwords and unlock accounts (not available for Microsoft Entra ID stores). +- **User:** Can manage groups, update directory profiles, and handle direct reports. + +These roles can be customized or extended with additional custom roles as needed. + +> **NOTE:** Roles are only shown for deployed clients. For example, if the mobile app is not deployed for the selected identity store, it will not appear in the **Client name** list. + +## Instructions +1. Log in to the **Netwrix Directory Admin Center**. +2. Click **Identity Stores** in the left pane. +3. Click the three-dot icon next to the relevant identity store and select **Edit**. 
+ ![Three-dot icon and Edit option for identity store](images/ka0Qk000000Du7d_0EMQk00000BN8mX.png) +4. Click **Security Roles** under the **Settings** section. + ![Security Roles option in identity store settings](images/ka0Qk000000Du7d_0EMQk00000BN8pl.png) +5. Click **Check Security Roles** and the dialog box opens. + ![Check Security Roles button in Security Roles section](images/ka0Qk000000Du7d_0EMQk00000BN8ub.png) +6. From the **Client name** drop-down list, select one of the following Netwrix Directory Manager clients: + - Select a deployed client (e.g., portal) to view the user's role in that client. + - Select **None** to view the user's highest privileged role across the entire identity store. + ![Client name drop-down and user search in Check Security Roles dialog](images/ka0Qk000000Du7d_0EMQk00000BN8zR.png) +7. Search for a user using one of the following methods: + - Enter a search string and press **Enter** to filter users by username. + - Click **Advanced** to search by additional fields such as name, department, company, or email. Click **Search** and select the desired user. +8. Once a user is selected, their highest-ranked role for the chosen client is displayed, including the role’s priority number. +9. Click **Close** to exit the dialog box. diff --git a/docs/kb/directorymanager/how_to_add_attributes_to_the_export_list_in_the_application_portal.md b/docs/kb/directorymanager/how_to_add_attributes_to_the_export_list_in_the_application_portal.md new file mode 100644 index 0000000000..26c3fa3f27 --- /dev/null +++ b/docs/kb/directorymanager/how_to_add_attributes_to_the_export_list_in_the_application_portal.md 
@@ -0,0 +1,47 @@ +--- +description: >- + This article explains how to add additional attributes to the exportable fields in the Application portal of Netwrix Directory Manager. +keywords: + - export attributes + - Application portal + - Netwrix Directory Manager +sidebar_label: Add Attributes to Export List +tags: [] +title: "How to Add Attributes to the Export List in the Application Portal" +knowledge_article_id: kA0Qk0000002NQLKA2 +products: + - directory-manager +--- + +# How to Add Attributes to the Export List in the Application Portal + +## Overview + +This article explains how to add additional attributes to the list of exportable fields in the Export option of the Application portal in **Netwrix Directory Manager** (formerly GroupID). By default, only a standard set of attributes is available for export. You can customize this list to include other attributes, such as **Common Name (CN)**. + +To add more attributes to the Export list, you must update the portal's design settings. + +![Default export attributes in the Application portal](./images/servlet_image_fcd2d3f5505b.png) + +## Instructions + +1. Log in to the **Directory Manager Admin** portal and navigate to the **Applications** tab. + + ![Applications tab in the Admin portal](./images/servlet_image_4a2ca5fd6383.png) + +2. Open the settings for the application where you want to add the attribute, and click the identity store name. + + ![Selecting the identity store in application settings](./images/servlet_image_05a15540dbe3.png) + ![Identity store settings page](./images/servlet_image_6be283cbacf3.png) + +3. Navigate to the **Import/Export** tab. + + ![Import/Export tab in identity store settings](./images/servlet_image_b3b231c5084a.png) + +4. Click the **(+)** button. Select the field you want to add and provide a display name for it. + + ![Adding a new attribute to the export list](./images/servlet_image_e3c8f74e9668.png) + +5. Save your changes. 
The new field will now be available in the Export wizard of the Application portal. + + ![New attribute visible in the Export wizard](./images/servlet_image_8105d4d50a18.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_add_attributes_to_the_export_list_in_the_portal.md b/docs/kb/directorymanager/how_to_add_attributes_to_the_export_list_in_the_portal.md new file mode 100644 index 0000000000..9194706052 --- /dev/null +++ b/docs/kb/directorymanager/how_to_add_attributes_to_the_export_list_in_the_portal.md 
@@ -0,0 +1,39 @@ +--- +description: >- + This article explains how to add additional attributes to the exportable fields in the Netwrix Directory Manager Portal. +keywords: + - Directory Manager + - export attributes + - customization +sidebar_label: Add Attributes to Export List +tags: [] +title: "How to Add Attributes to the Export List in the Portal" +knowledge_article_id: kA0Qk0000002bczKAA +products: + - directory-manager +--- + +# How to Add Attributes to the Export List in the Portal + +## Overview + +This article explains how to add additional attributes to the list of exportable fields in the Export option of the **Netwrix Directory Manager** (formerly **GroupID**) Portal. By default, only a standard set of attributes is available for export. You can customize the portal design to include other attributes, such as **Common Name (CN)**, in the export list. + +> **NOTE:** Before making any changes to your environment, create a backup, snapshot, or checkpoint of the Directory Manager server. + +![Default export attributes in Directory Manager Portal](./images/servlet_image_7d1f6155fe29.png) + +## Instructions + +1. In **Directory Manager Admin Center**, go to **Application** from the navigation bar and click the three-dot icon for the portal you want to customize. +2. Click the **Settings** button. A new page will appear. + ![Portal settings in Directory Manager Admin Center](./images/servlet_image_4f1e1f462fa9.png) +3. Select the **Identity Store** you want to customize the design for. +4. Click **Import/Export**, then click the **+** icon to add a new attribute field. + ![Add new attribute in Import/Export](./images/servlet_image_00836791c183.png) +5. On the **Import/Export Attribute** dialog, select an attribute from the **Schema Attribute** dropdown and provide a name. + ![Import/Export Attribute dialog](./images/servlet_image_fbce595e5d1b.png) +6. After making changes, click **Save**. +7. Refresh or relaunch the Directory Manager Portal. 
In the **Members** tab of any group, when you export the list of members, the newly added attribute will appear in the list of attributes to export. + +![Export list with added attribute](./images/servlet_image_f34d9d36e6d5.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_collect_and_compress_logs_in_v11.md b/docs/kb/directorymanager/how_to_collect_and_compress_logs_in_v11.md new file mode 100644 index 0000000000..2916323910 --- /dev/null +++ b/docs/kb/directorymanager/how_to_collect_and_compress_logs_in_v11.md 
@@ -0,0 +1,214 @@ +--- +description: >- + This article provides a step-by-step guide on how to collect and compress logs from Netwrix Directory Manager, including relevant service logs and Elasticsearch logs. +keywords: + - Netwrix Directory Manager + - log collection + - PowerShell script +sidebar_label: Collect and Compress Logs +tags: [] +title: "How to Collect and Compress Logs in V11" +knowledge_article_id: kA0Qk0000002o5ZKAQ +products: + - directory-manager +--- + +# How to Collect and Compress Logs in V11 + +## Overview + +To help troubleshoot issues, follow this procedure to collect all relevant **Netwrix Directory Manager** (formerly **GroupID**) logs from your machine, including: + +- Non-portal service logs (**AdminCenter**, **EmailService**, **DataService**, **Scheduler**, **Security**, **Replication**). +- All **Directory Manager Portal** logs (auto-discovered). +- Complete **Elasticsearch** logs folders under `...\elasticsearch\*` (version-agnostic; copies all file types: .log, .json, .zip, .gz, .tar, etc.). +- Additional **ProgramData** folders you specify. + +> **NOTE:** Netwrix Directory Manager is used as the product name in this article. The product is historically known as **GroupID**; the folder and log names in the script retain the original "GroupID" names to preserve accuracy for file paths and registry keys." + +The script preserves the folder structure and compresses all files into a single, timestamped ZIP file named with the machine’s hostname to streamline handoff in support cases. + +## Instructions + +### Variables to Prepare + +- **$extraDataFolders** — Additional **ProgramData** folders to include, should be left to default unless changed manually: + +```powershell +@( + "C:\ProgramData\Imanami\GroupID 11.0\Configuration Tool", + "C:\ProgramData\Imanami\GroupID 11.0\Upgrade Tool" +) +``` + +- **$tempLogDir** — Staging directory for collected logs (e.g., `C:\Temp\GroupID_Collected_Logs`). 
+ +The script automatically discovers any logs directory under `...\elasticsearch\*` beneath **$rootPath**, e.g. `C:\Program Files\Imanami\GroupID 11.0\elasticsearch\elasticsearch-8.0.0\logs`. + +### PowerShell Script + +```powershell +# --- Discover GroupID install path from Registry (Version 11.0) --- +function Get-GroupIDRootPath { + $subkey = "SOFTWARE\Imanami\GroupID\Version 11.0" + $views = @( + [Microsoft.Win32.RegistryView]::Registry64, + [Microsoft.Win32.RegistryView]::Registry32 + ) + + foreach ($view in $views) { + try { + $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view) + $key = $base.OpenSubKey($subkey) + if ($key) { + $val = $key.GetValue("Path", $null) + if ($val) { + # Normalize: remove trailing backslash + return ($val.TrimEnd('\')) + } + } + } catch { } + } + return $null +} + +$rootPath = Get-GroupIDRootPath +if (-not $rootPath) { + Write-Warning "GroupID install path not found in registry. Falling back to default." 
+ $rootPath = "C:\Program Files\Imanami\GroupID 11.0" +} + +# --- Settings you may customize --- +$extraDataFolders = @( + "C:\ProgramData\Imanami\GroupID 11.0\Configuration Tool", + "C:\ProgramData\Imanami\GroupID 11.0\Upgrade Tool" +) +$tempLogDir = "C:\Temp\GroupID_Collected_Logs" + +# Fresh staging directory +if (Test-Path $tempLogDir) { Remove-Item -Path $tempLogDir -Recurse -Force } +New-Item -Path $tempLogDir -ItemType Directory | Out-Null + +# Non-Portal log subdirectories (relative to $rootPath) +$nonPortalLogFolders = @( + "AdminCenter\Inetpub\AdminCenter\Web\Logs", + "EmailService\Inetpub\GroupIDEmailService\Web\Logs", + "GroupIDDataService\Inetpub\GroupIDDataService\Web\Logs", + "GroupIDSchedulerService\Inetpub\GroupIDSchedulerService\Web\Logs", + "GroupIDSecurityService\Inetpub\GroupIDSecurityService\Web\Logs", + "ReplicationService\Inetpub\GroupIDReplicationService\Web\Logs" +) + +# Copy *.log from non-portal folders +foreach ($subfolder in $nonPortalLogFolders) { + $sourceFolder = Join-Path $rootPath $subfolder + if (Test-Path $sourceFolder) { + $folderName = Split-Path $subfolder -Leaf + $destFolder = Join-Path $tempLogDir $folderName + New-Item -Path $destFolder -ItemType Directory -Force | Out-Null + Get-ChildItem -Path $sourceFolder -Filter *.log -File -ErrorAction SilentlyContinue | ForEach-Object { + Copy-Item -Path $_.FullName -Destination $destFolder -Force -ErrorAction SilentlyContinue + } + } +} + +# Portal logs: auto-discover portals under GroupIDPortal\Inetpub +$portalRoot = Join-Path $rootPath "GroupIDPortal\Inetpub" +if (Test-Path $portalRoot) { + Get-ChildItem -Path $portalRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object { + $portalName = $_.Name + $logsFolder = Join-Path $_.FullName "Web\Logs" + if (Test-Path $logsFolder) { + $destFolder = Join-Path $tempLogDir ("Portal_" + $portalName) + New-Item -Path $destFolder -ItemType Directory -Force | Out-Null + Get-ChildItem -Path $logsFolder -Filter *.log -File -ErrorAction 
SilentlyContinue | ForEach-Object { + Copy-Item -Path $_.FullName -Destination $destFolder -Force -ErrorAction SilentlyContinue + } + } + } +} + +# Copy Additional ProgramData Folders (all contents) +foreach ($extraFolder in $extraDataFolders) { + if (Test-Path $extraFolder) { + $folderName = Split-Path $extraFolder -Leaf + $destFolder = Join-Path $tempLogDir $folderName + Copy-Item -Path $extraFolder -Destination $destFolder -Recurse -Force -ErrorAction SilentlyContinue + } +} + +# Collect Elasticsearch logs (entire folders; any file type) +$esDumpRoot = Join-Path $tempLogDir "ElasticsearchLogs" +New-Item -Path $esDumpRoot -ItemType Directory -Force | Out-Null + +try { + if (Test-Path $rootPath) { + $esRoots = Get-ChildItem -Path $rootPath -Directory -Recurse -ErrorAction SilentlyContinue | + Where-Object { $_.Name -like 'elasticsearch*' } + + foreach ($esRoot in $esRoots) { + $logsDirs = Get-ChildItem -Path $esRoot.FullName -Directory -Recurse -ErrorAction SilentlyContinue | + Where-Object { $_.Name -eq 'logs' } + + foreach ($ld in $logsDirs) { + $instanceName = Split-Path $ld.Parent.FullName -Leaf + if ([string]::IsNullOrWhiteSpace($instanceName)) { $instanceName = "elasticsearch_logs" } + + $destInstanceRoot = Join-Path $esDumpRoot $instanceName + New-Item -Path $destInstanceRoot -ItemType Directory -Force | Out-Null + + # Preserve entire logs directory (includes .log, .json, .zip, .gz, .tar, etc.) 
+ Copy-Item -Path $ld.FullName -Destination $destInstanceRoot -Recurse -Force -ErrorAction SilentlyContinue + } + } + } +} +catch { + Write-Warning "Failed to collect Elasticsearch logs: $($_.Exception.Message)" +} + +# Create timestamped ZIP with hostname +$timestamp = Get-Date -Format "yyyyMMdd_HHmmss" +$hostname = $env:COMPUTERNAME +$zipPath = "C:\Temp\GroupID_Logs_${hostname}_$timestamp.zip" +Compress-Archive -Path "$tempLogDir\*" -DestinationPath $zipPath -Force + +Write-Output "Logs compressed to $zipPath" +``` + +### Result + +- Non-portal logs: All *.log files under standard **GroupID** service log paths are copied into corresponding subfolders in **$tempLogDir** (e.g., **AdminCenter**, **GroupIDDataService**, etc.). +- Portal logs: Each portal instance under `GroupIDPortal\Inetpub` becomes a folder like `Portal_` containing its *.log files. +- Elasticsearch logs: A top-level folder `ElasticsearchLogs\\logs\...` is created under **$tempLogDir** for each discovered instance. The entire logs directory is copied, preserving structure and including all file types (.log, .json, .zip, .gz, .tar, etc.). +- Extra data folders: Every path in **$extraDataFolders** is copied recursively with structure preserved. +- ZIP output: A single archive is created at `C:\Temp\GroupID_Logs__.zip` and the script prints the full path. + +### Additional Information + +- Uses `-Force` to overwrite existing files when staging and compressing. +- Preserves structure for Elasticsearch and extra data folders to retain context for troubleshooting. +- Hostname and timestamp in the ZIP name prevent collisions and identify the source system. +- `-ErrorAction SilentlyContinue` avoids noisy output in restricted environments while still completing the collection. + +### Uploading Logs + +1. Log in to [Netwrix Support Portal](https://www.netwrix.com/support?utm_source=chatgpt.com). +2. Navigate to **My Tickets** and locate your ticket number. +3. 
Click **Add Attachments** and upload the ZIP file that was created at `C:\Temp\GroupID_Logs__.zip`. + +For additional resources or information, visit the [Technical Support Resource Hub](https://www.netwrix.com/support?utm_source=chatgpt.com). + +### Troubleshooting Tips + +- **Access denied:** Run PowerShell as Administrator to ensure access to **Program Files** and **ProgramData** paths. +- **Long paths / locked files:** If compression fails, re-run after services are stopped or consider excluding very large archives temporarily. +- **Different install root:** If **GroupID** is installed elsewhere, update **$rootPath** accordingly—the Elasticsearch discovery remains version-agnostic. + +### Security & Privacy of Customer Data + +Customer data provided to **Netwrix** through the customer support portal is **encrypted in transit and at rest**. + +**Netwrix** follows a security framework such as **NIST-800-53** and requires all devices that handle confidential information be encrypted and maintain up-to-date security solutions per the Information Security policies. + +Customer-provided data is retained no longer than **30 days post ticket closure**. \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_configure_custom_fine-grained_permissions_for_entra_id_group_management.md b/docs/kb/directorymanager/how_to_configure_custom_fine-grained_permissions_for_entra_id_group_management.md new file mode 100644 index 0000000000..799f556436 --- /dev/null +++ b/docs/kb/directorymanager/how_to_configure_custom_fine-grained_permissions_for_entra_id_group_management.md 
@@ -0,0 +1,63 @@ +--- +description: >- + This article explains how to configure custom, fine-grained permissions for group and distribution list management in Entra ID when integrating with Netwrix Directory Manager. +keywords: + - Entra ID + - fine-grained permissions + - Netwrix Directory Manager + - RBAC roles + - Exchange Online +sidebar_label: Configure Custom Permissions +tags: [] +title: "How to Configure Custom Fine-Grained Permissions for Entra ID Group Management" +knowledge_article_id: kA0Qk0000002y4vKAA +products: + - directorymanager +--- + +# How to Configure Custom Fine-Grained Permissions for Entra ID Group Management + +## Overview + +This article explains how to configure custom, fine-grained permissions for group and distribution list management in Entra ID (formerly Azure AD) when integrating with Netwrix Directory Manager. By creating custom RBAC roles and assigning only the necessary permissions, you can minimize security exposure and avoid granting broad administrative rights. + +## Instructions + +1. **Identify Required Permissions** + - For basic group and distribution list management, the following Microsoft Graph and Exchange Online permissions are required: + - **Directory.Read.All**: Allows reading users, groups, and directory information. + - **Group.ReadWrite.All**: Allows creating, modifying, and managing groups and group memberships. + - **Exchange.ManageAsApp**: Enables secure app-only access to Exchange Online for managing distribution lists and mail settings. + - > **NOTE:** The **Exchange Administrator** role is not required for basic group management and can be replaced with custom RBAC roles for more granular control. + +2. **Create Custom Exchange Online RBAC Roles** + - Use Exchange Online PowerShell to create custom roles with only the required cmdlets for your use case. 
+ - **Example: Custom Role for Distribution Group Management (NDM_DL_Role)** + - Base role: Distribution Groups + - Recommended cmdlets to include: + - `Get-Group` + - `Add-DistributionGroupMember` + - `Get-DistributionGroupMember` + - `New-DistributionGroup` + - `Remove-DistributionGroup` + - `Remove-DistributionGroupMember` + - `Update-DistributionGroupMember` + - `Set-DistributionGroup` + - `Get-DistributionGroup` + - **Example: Custom Read-Only Role (NDM_Read_Role)** + - Base role: Mail Recipients + - Recommended cmdlets to include: + - `Get-Mailbox` + - `Get-User` + - `Get-Recipient` + +3. **Assign Custom Roles to the Application Service Principal** + - Assign the custom RBAC roles directly to your Netwrix Directory Manager application service principal in Exchange Online. + - Scope each role to specific groups as needed to further restrict access. + +4. **Review and Adjust as Needed** + - If your use cases expand (e.g., Teams channel management, mailbox permission changes), update the custom roles to include additional cmdlets as required. + +> **NOTE:** **Exchange.ManageAsApp** is required for app-only authentication to Exchange Online, but does not grant any rights until a role is attached. The actual permissions are determined by the RBAC roles you assign. + +> **IMPORTANT:** Always review the permissions included in each custom role to ensure you are granting only what is necessary for your operational needs. \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_create_an_orphan_group_update_schedule.md b/docs/kb/directorymanager/how_to_create_an_orphan_group_update_schedule.md new file mode 100644 index 0000000000..44eeffeb37 --- /dev/null +++ b/docs/kb/directorymanager/how_to_create_an_orphan_group_update_schedule.md 
@@ -0,0 +1,46 @@ +--- +description: >- + This article explains how to create and schedule an Orphan Group Update job in Netwrix Directory Manager to automatically assign a primary owner to groups that do not have one. +keywords: + - Orphan Group Update + - Netwrix Directory Manager + - Active Directory +sidebar_label: Create Orphan Group Update Schedule +tags: [] +title: "How to Create an Orphan Group Update Schedule" +knowledge_article_id: kA0Qk0000002LoLKAU +products: + - directory-manager +--- + +# How to Create an Orphan Group Update Schedule + +## Overview + +This article explains how to create and schedule an Orphan Group Update job in **Netwrix Directory Manager** (formerly **GroupID**) to automatically assign a primary owner to groups that do not have one. + +Groups may lose their primary owner if the owner is removed manually or if the owner's Active Directory account is deleted. These groups, known as orphan groups, have no primary owner but retain at least one additional owner. The Orphan Group Update job promotes the first additional owner (user, contact, or security group) to primary owner and sends a notification to the promoted owner. If a security group is promoted, all members of that group receive the notification. This process ensures that orphan groups are automatically assigned a new primary owner. + +## Instructions + +1. In the **Directory Manager Admin Center**, select **Identity Stores**. +2. On your target identity store, click the three-dot icon to edit it. + + ![Editing an identity store in GroupID Admin Center](./images/servlet_image_f8caf3dfb1cd.png) + +3. Scroll down on the next page and select **Schedules**. +4. Click **Add Schedule** and select **Orphan Group Update Job**. + + ![Adding an Orphan Group Update Job schedule](./images/servlet_image_726f9a6cd53c.png) + +5. Under **Schedule Name**, enter a unique name for the schedule. +6. 
In **Targets**, click **Add Container** and select the organizational unit (OU) where the job should run. +7. In the **Portal URL** drop-down list, select a Directory Manager portal URL to include in notifications. Users will be redirected to this portal to perform any necessary actions. +8. In the **Scheduler Service Name** drop-down list, select the Scheduler service responsible for triggering this schedule. The number of services displayed depends on the number of Elasticsearch clusters in the environment. +9. In the **Triggers** area, click **Add Triggers** to specify a triggering criterion for the schedule. +10. In the **Authentication** area, click **Add Authentication** to specify an account for running the schedule in the identity store. +11. Click **Create Schedule**. + + ![Configuring schedule details for Orphan Group Update Job](./images/servlet_image_10e331322e68.png) + +12. When the schedule runs, it searches for groups in the specified OU that do not have a primary owner but have additional owners and promotes the first additional owner to primary owner. \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_customize_notifications.md b/docs/kb/directorymanager/how_to_customize_notifications.md new file mode 100644 index 0000000000..8a4d85b9cf --- /dev/null +++ b/docs/kb/directorymanager/how_to_customize_notifications.md 
@@ -0,0 +1,49 @@ +--- +description: >- + This article explains how to customize notification templates in Netwrix Directory Manager, including modifying logos, subject lines, and message content. +keywords: + - notification templates + - Netwrix Directory Manager + - customize notifications +sidebar_label: Customize Notifications +tags: [] +title: "How to Customize Notifications" +knowledge_article_id: kA0Qk0000002NRxKAM +products: + - directory-manager +--- + +# How to Customize Notifications + +## Overview + +This article explains how to customize notification templates in **Netwrix Directory Manager** (formerly GroupID). **Directory Manager** generates notifications for events such as group management, workflows, and profile validation. These notifications are sent to administrators, object owners, and other specified recipients. + +Email notification templates are predefined and can be customized for the following elements: + +- Logo +- Subject line +- Message content and formatting + +## Instructions + +1. Log in to the **Directory Manager Admin** portal and click **Notification Editor**. The editor displays a list of all notifications generated by **Directory Manager**. + + ![Notification Editor in Directory Manager Admin portal](./images/servlet_image_ec5344a64c08.png) + +2. Select an event from the **Category** list to view related notifications. You can also enter a search string and click **Search** to filter notification names. + +3. Double-click a notification template to open it for editing. + +4. Click the **HTML** or **Source** tiles in the ribbon to edit the template in the WYSIWYG or HTML editor. + +5. Customize the template as needed: + + - Change the logo: Remove the current logo and insert a new one. + - Change the subject line: Click the **Title** tile. In the **Edit Title** dialog box, update the subject line and click **OK**. 
+ - Format the notification content: Use formatting options to apply heading styles, change font and size, adjust alignment, and more. + - Modify the notification content: Edit the message as needed. You can replace tags with other relevant tags. Tags display attribute values in the notification and are formatted as ` %ATTRIBUTE_NAME% `. For example, ` %TARGETOBJECT_DisplayName% ` displays the display name of the target object, and ` %REQUESTOR_mail% ` shows the requestor's email address. Click the **Dictionary** tile to view available tags. + +6. Click **Save** to apply your changes. + + ![Editing and saving a notification template in Directory Manager](./images/servlet_image_db2c962d57bb.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_display_common_name_instead_of_display_name_in_the_member_of_tab.md b/docs/kb/directorymanager/how_to_display_common_name_instead_of_display_name_in_the_member_of_tab.md new file mode 100644 index 0000000000..a92fbbd718 --- /dev/null +++ b/docs/kb/directorymanager/how_to_display_common_name_instead_of_display_name_in_the_member_of_tab.md 
@@ -0,0 +1,47 @@ +--- +description: >- + This article provides step-by-step instructions on how to display the Common Name (CN) instead of the Display Name in the Member Of tab within the Directory Manager portal. +keywords: + - Directory Manager + - Common Name + - Display Name +sidebar_label: Display Common Name in Member Of Tab +tags: [] +title: "How to Display Common Name Instead of Display Name in the Member Of Tab" +knowledge_article_id: kA0Qk0000002bWXKAY +products: + - directory-manager +--- + +# How to Display Common Name Instead of Display Name in the Member Of Tab + +## Applies To + +Directory Manager 11 + +## Overview + +In the Directory Manager portal, the **Member Of** tab shows the **Display Name** of the groups a user is a member of. This can cause sorting issues if some groups do not have the **DisplayName** attribute populated. You can resolve this issue by displaying the **Common Name (CN)** instead of **DisplayName** in the **Member Of** tab. + +> **NOTE:** Before making any changes to your environment, create a backup, snapshot, or checkpoint of the Directory Manager server. + +## Instructions + +1. In **Directory Manager Admin Center**, go to **Application** from the navigation bar and click the three-dot icon for the portal you want to customize. +2. Click the **Settings** button. A new page will appear. +3. Select the **Identity Store** you want to customize the design for. +4. Navigate to **Custom Display Types** and look for **userMembersOfGrid**. + + ![Custom Display Types - userMembersOfGrid](./images/servlet_image_6436205e3d96.png) + +5. Click the pencil icon to **Edit**. The **Edit Grid Display Type** window will appear. +6. Select **WEB_Display_Name** from the list under **Fields** and click **Edit**. The **Grid Column** window will appear. + + ![Edit Grid Column for Display Name](./images/servlet_image_7007481a5d12.png) + +7. Select **CN** in the **Field** dropdown box and provide a suitable name in the **Display Name** textbox. 
Click **OK**. + + ![Set CN as Display Name in Grid Column](./images/servlet_image_1736a7d682a3.png) + +8. After making changes, click **Save**. +9. Relaunch the Directory Manager Portal. In the **Member Of** tab of any user, you can now sort the list of groups alphabetically by **Common Name (CN)**, even if the **Display Name** is not available. \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_generate_a_report_on_groups_without_members_and_with_owners.md b/docs/kb/directorymanager/how_to_generate_a_report_on_groups_without_members_and_with_owners.md new file mode 100644 index 0000000000..945c43976f --- /dev/null +++ b/docs/kb/directorymanager/how_to_generate_a_report_on_groups_without_members_and_with_owners.md 
@@ -0,0 +1,64 @@ +--- +description: >- + This article explains how to generate a report in Netwrix Directory Manager to view all groups that have no members but at least one owner or additional owner. +keywords: + - Netwrix Directory Manager + - report generation + - Active Directory +sidebar_label: Generate Report on Groups Without Members +tags: [] +title: "How to Generate a Report on Groups Without Members and with Owners" +knowledge_article_id: kA0Qk0000002bY9KAI +products: + - directory-manager +--- + +# How to Generate a Report on Groups Without Members and with Owners + +## Applies To + +Directory Manager 11 + +## Overview + +This article explains how to generate a report in **Netwrix Directory Manager** (formerly GroupID) to view all groups that have no members but at least one owner or additional owner. The **Directory Manager Reports** module is a free reporting tool designed to run reports on Active Directory and Microsoft Exchange/Office 365. + +## Instructions + +1. In the **Directory Manager** portal, select **Reports** from the left navigation bar. The Reports portal will open in a new browser tab. + + ![Reports portal in Directory Manager](./images/servlet_image_d0599b0659d9.png) + +2. Click the **Group Reports** button on the navigation bar. + +3. In the Groups category, type **Groups with no members** in the search bar. + +4. Select the first report template in the list. + + ![Selecting Groups with no members report template](./images/servlet_image_4fe9472d99b5.png) + +5. Click **Create Report** to initiate the report creation wizard. + + ![Create Report wizard in Directory Manager](./images/servlet_image_f6521717eb4e.png) + +6. On the first page, enter a name for the report, select the search scope within the directory, and specify a filter criterion. By default, the wizard searches the Global Catalog. + + To limit the scope to a particular container: + 1. 
Click **Browse** to launch the **Select Container** dialog box and select the required source container. + 2. Select the **Include sub-containers** checkbox if you want to include its sub-containers when reporting. + 3. In the **Filter Criteria** box, modify the default LDAP filter. The default filter generates a list of all users in the domain along with their group memberships. + 4. Add new clauses, **XAdditionalOwner Present** and **Member Not Present**, with an **OR** condition between **XAdditionalOwner** and **ManagedBy** clauses to fetch a list of all groups without members but at least one owner or additional owner. + + ![Filter criteria for groups with no members but at least one owner](./images/servlet_image_1eb116ff6215.png) + +7. Click **Next**. + +8. The **Report Fields** page displays the fields that will be included in the report. To add more fields, click **Add**. To remove a field, select it and click the **X** icon. You can change the order of these fields by using the double bar buttons. + + ![Report Fields page in Directory Manager](./images/servlet_image_a3ec24f5f973.png) + +9. Click **Finish**. + +10. The report will be generated. You can download the report in your desired format or pin the report to the Reports portal Dashboard. + + ![Generated report on groups with no members but at least one owner](./images/servlet_image_016adaeb1887.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_generate_a_report_on_mail-enabled_groups.md b/docs/kb/directorymanager/how_to_generate_a_report_on_mail-enabled_groups.md new file mode 100644 index 0000000000..b74950319a --- /dev/null +++ b/docs/kb/directorymanager/how_to_generate_a_report_on_mail-enabled_groups.md 
@@ -0,0 +1,59 @@ +--- +description: >- + This article explains how to generate a report in Netwrix Directory Manager to view all mail-enabled groups and the time they were last used. +keywords: + - report generation + - mail-enabled groups + - Netwrix Directory Manager +sidebar_label: Generate Report on Mail-Enabled Groups +tags: [] +title: "How to Generate a Report on Mail-Enabled Groups" +knowledge_article_id: kA0Qk0000002bZlKAI +products: + - directory-manager +--- + +# How to Generate a Report on Mail-Enabled Groups + +## Overview + +This article explains how to generate a report in **Netwrix Directory Manager** (formerly GroupID) to view all mail-enabled groups and the time they were last used. The Directory Manager Reports module is a free reporting tool designed to run reports on Active Directory and Microsoft Exchange/Office 365. + +## Instructions + +1. In the **Directory Manager** portal, select **Reports** from the left navigation bar. The Reports portal will open in a new browser tab. + + ![Reports portal in Directory Manager](./images/servlet_image_e903c0799efe.png) + +2. Click the **Group Reports** button on the navigation bar. + +3. In the Groups category, type **Mail-enabled groups and the time they were last used (Exchange)** in the search bar. + +4. Select the first report template in the list. + + ![Selecting mail-enabled groups report template](./images/servlet_image_b00de8ab7e53.png) + +5. Click **Create Report** to initiate the report creation wizard. + + ![Create Report wizard in Directory Manager](./images/servlet_image_e9f53029c2da.png) + +6. On the first page, enter a name for the report, select the search scope within the directory, and specify a filter criterion. By default, the wizard searches the Global Catalog. + + To limit the scope to a particular container: + 1. Click **Browse** to launch the **Select Container** dialog box and select the required source container. + 2. 
Select the **Include sub-containers** checkbox if you want to include its sub-containers when reporting. + 3. In the **Filter Criteria** box, modify the default LDAP filter. The default filter generates a list of all mail-enabled groups along with the time they were last used. + + ![Filter criteria for mail-enabled groups and last used time](./images/servlet_image_fe3a35826be4.png) + +7. Click **Next**. + +8. The **Report Fields** page displays the fields that will be included in the report. To add more fields, click **Add**. To remove a field, select it and click the **X** icon. You can change the order of these fields by using the double bar icons. + + ![Report Fields page in Directory Manager](./images/servlet_image_9ff27edc1467.png) + +9. Click **Finish**. + +10. The report will be generated. You can download the report in your desired format or pin the report to the Reports portal Dashboard. + + ![Generated report on mail-enabled groups and last used time](./images/servlet_image_9f107e1beec8.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_limit_the_scope_of_a_smartgroup_query_to_specific_ous.md b/docs/kb/directorymanager/how_to_limit_the_scope_of_a_smartgroup_query_to_specific_ous.md new file mode 100644 index 0000000000..288ed0ac63 --- /dev/null +++ b/docs/kb/directorymanager/how_to_limit_the_scope_of_a_smartgroup_query_to_specific_ous.md 
@@ -0,0 +1,46 @@ +--- +description: >- + This article explains how to limit the scope of a SmartGroup query to specific organizational units (OUs) in Netwrix Directory Manager. +keywords: + - SmartGroup + - Directory Manager + - organizational units +sidebar_label: Limit SmartGroup Query Scope +tags: [] +title: "How to Limit the Scope of a SmartGroup Query to Specific OUs" +knowledge_article_id: kA0Qk0000002bbNKAQ +products: + - directory-manager +--- + +# How to Limit the Scope of a SmartGroup Query to Specific OUs + +## Overview + +This article explains how to limit the scope of a SmartGroup query to specific organizational units (OUs) in Netwrix Directory Manager (formerly GroupID). You can use the **Start in** option in the SmartGroup query designer to restrict the search scope to selected OUs. + +## Instructions + +1. Log in to the **Directory Manager Portal** with an account that has administrative rights. +2. Click **Groups** and then **All Groups**. +3. Click the **SmartGroups** tab and open the SmartGroup properties for which you want to restrict the query scope. + + ![SmartGroup properties in Directory Manager](./images/servlet_image_15ff42326dc1.png) + +4. In the SmartGroup Properties, click the **SmartGroup** tab. +5. Click **Query Designer**. The Query Designer window will appear. + + ![Query Designer window](./images/servlet_image_13f57e9fa2ba.png) + +6. Click the **Browse** button for **Start in**. A new window with the list of all OUs in Active Directory will appear. + + ![Browse for Start in OU](./images/servlet_image_b8596528bf6f.png) + +7. Select the desired OUs to which you want to limit the scope of the query. + + ![Select OUs for query scope](./images/servlet_image_2deec5a8b27b.png) + +8. Click **OK** after selecting the desired OUs. +9. Click **Preview** to verify the results. +10. After verifying that **Preview** provides the correct result, click **OK**. +11. Click **Save**. \ No newline at end of file 
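Review bot: Step 3 reads "open the SmartGroup properties for which you want to restrict the query scope", which attaches the clause to the properties rather than to the group; suggest "open the properties of the SmartGroup whose query scope you want to restrict". This article also has no "Applies To" section, while sibling articles in this patch state "Directory Manager 11"; add one so readers know which version the Query Designer steps were written for.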
diff --git a/docs/kb/directorymanager/how_to_remove_spaces_from_attributes_when_creating_dynasties.md b/docs/kb/directorymanager/how_to_remove_spaces_from_attributes_when_creating_dynasties.md new file mode 100644 index 0000000000..1ca79780bd --- /dev/null +++ b/docs/kb/directorymanager/how_to_remove_spaces_from_attributes_when_creating_dynasties.md 
@@ -0,0 +1,39 @@ +--- +description: >- + This article provides step-by-step instructions on how to remove spaces from attributes when creating dynasties in Netwrix Directory Manager. +keywords: + - Netwrix Directory Manager + - remove spaces + - custom script +sidebar_label: Remove Spaces from Attributes +tags: [] +title: "How to Remove Spaces from Attributes When Creating Dynasties" +knowledge_article_id: kA0Qk0000002bgDKAQ +products: + - directory-manager +--- + +# How to Remove Spaces from Attributes When Creating Dynasties + +## Applies To + +Directory Manager 11 + +## Overview + +You can remove spaces (or other special characters) from group names when creating dynasties in **Netwrix Directory Manager** (formerly GroupID) by using a custom script for the relevant attribute (such as **Department**). This ensures that leaf dynasty names do not include spaces from the source attribute. + +> **NOTE:** Before making any changes to your environment, create a backup, snapshot, or checkpoint of the Directory Manager server. + +## Instructions + +1. Log in to the **Directory Manager Portal** and navigate to the **Parent Dynasty Properties** for which you want to make the changes. +2. Once the Parent Dynasty properties are open, click the **Dynasty Options** tab. +3. In the **Attributes** field, select the attribute for which you want to omit the spaces. +4. Click the **Edit** button. A new window will appear. + ![Edit attribute in Dynasty Options](./images/servlet_image_8d7ae7d88783.png) +5. Click the **Edit Script** button. The script editor will open. + ![Open script editor for attribute](./images/servlet_image_51f97ae10a3e.png) +6. Edit the script as shown in the picture below and click **Build**. + ![Script to remove spaces from attribute](./images/servlet_image_bf59e4f45fbe.png) +7. Manually update the Parent Dynasty and verify the changes in the group names. \ No newline at end of file 
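Review bot: Step 6 gives the script only as a screenshot ("Edit the script as shown in the picture below"), so the one piece of content the reader has to type cannot be copied, searched or read by a screen reader. Add the script as text in a fenced code block under step 6 and keep the image as a supplement. The Overview also says the approach covers "other special characters", but no step shows how; either show that variant or drop the parenthetical.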
diff --git a/docs/kb/directorymanager/how_to_run_replication_for_a_specific_object_type.md b/docs/kb/directorymanager/how_to_run_replication_for_a_specific_object_type.md new file mode 100644 index 0000000000..8ac3be7c40 --- /dev/null +++ b/docs/kb/directorymanager/how_to_run_replication_for_a_specific_object_type.md 
@@ -0,0 +1,58 @@ +--- +description: >- + This article explains how to force a full replication from scratch in Netwrix Directory Manager if the server has been unavailable for more than an hour. +keywords: + - Netwrix Directory Manager + - full replication + - Active Directory +sidebar_label: Run Replication for Specific Object Type +tags: [] +title: "How to Run Replication for a Specific Object Type" +knowledge_article_id: kA0Qk0000002qKHKAY +products: + - directory-manager +--- + +# How to Run Replication for a Specific Object Type + +## Applies To + +Directory Manager 11 + +## Overview + +This article explains how to force a full replication from scratch in **Netwrix Directory Manager** (formerly GroupID) if the server has been unavailable for more than an hour. A full replication resynchronizes all Active Directory objects without deleting existing data. + +When you create a new identity store, **Netwrix Directory Manager** replicates all Active Directory objects (users, groups, organizational units) during the first cycle. After that, it performs only delta replications. If the server is down for an extended period—for example, due to Windows updates, network issues, or planned maintenance—some changes may be missed. In that case, run a full replication as described below. + +> **NOTE:** This process does not delete existing data. It only forces **Directory Manager** to replicate objects again, so you can safely perform this activity on production servers. + +## Prerequisites + +- Access to the SQL database used by **Netwrix Directory Manager**. +- Permissions to edit the **SVC.IdentityStoreReplication** table. + +## Instructions + +1. Open the SQL database that **Directory Manager** uses and go to the table named **SVC.IdentityStoreReplication**. +2. Right-click the table and select **Edit Top 200 Rows**. 
+ + ![SQL Server Management Studio showing Edit Top 200 Rows option for the SVC.IdentityStoreReplication table](./images/servlet_image_8d96cfd05aa6.png) + +3. Expand the column named **TimeStamps**. The content will look similar to the following: + + ![TimeStamps column with values for multiple object types](./images/servlet_image_20358dd58f8b.png) + +4. The **TimeStamps** column contains a long string of values. To force replication for users, find the entry labeled **User** and change its value to **0**. In the example above, the **User** entry shows a long number before modification. + +5. After replacing the value with **0**, the entry should look similar to the following: + + ![TimeStamps column after User value replaced with 0](./images/servlet_image_f0713f2e8798.png) + +6. If you want to replicate other object types from scratch, repeat this process for each relevant value. + +7. Once finished, click **Save All**. + + ![SQL Server Management Studio showing Save All button highlighted](./images/servlet_image_7ef0789252e7.png) + +8. Go to the **Admin Panel** of **Directory Manager**. Navigate to the **Replication** node and click **Force Replicate Now**. Wait for the replication to complete. \ No newline at end of file diff --git "a/docs/kb/directorymanager/how_to_trigger_a_workflow_when_a_user_\321\201reates_a_group.md" "b/docs/kb/directorymanager/how_to_trigger_a_workflow_when_a_user_\321\201reates_a_group.md" new file mode 100644 index 0000000000..dae2f4743f --- /dev/null +++ "b/docs/kb/directorymanager/how_to_trigger_a_workflow_when_a_user_\321\201reates_a_group.md" 
@@ -0,0 +1,93 @@ +--- +description: >- + This article provides step-by-step instructions on how to trigger a workflow when a user creates a group in Directory Manager, ensuring an approval process is in place. +keywords: + - workflow + - group creation + - Directory Manager +sidebar_label: Trigger Workflow for Group Creation +tags: [] +title: "How to Trigger a Workflow When a User Creates a Group" +knowledge_article_id: kA0Qk0000000HwvKAE +products: + - directory-manager +--- + +# How to Trigger a Workflow When a User Creates a Group + +## Applies To + +- Directory Manager 11 + +## Business Scenario + +While delegating directory group creation to end users reduces Helpdesk load, it is always necessary to have some approval or monitoring process on the creation of new groups by end users. Is there a way to set up a workflow approval process for group creation? + +## Solution + +A workflow route can be defined for an identity store to track any new group creation and send out approval requests to concerned approvers. When a user creates a group via **Directory Manager Self-Service**, it will trigger the workflow and an approval request will be generated. In this way, group creation, which would subsequently take effect in Active Directory, is immediately brought to notice. A workflow route to control group creation involves: + +- The object (group) the workflow applies to +- The event (create) +- The filter (security role) to specify a condition that must be met for the workflow to trigger +- The approver(s) to send the workflow request for approval + +This implies that when a user meeting a certain workflow triggering condition creates a group via the self-service portal, a workflow request is sent to the approver(s). Changes are applied after the request is approved. + +> **IMPORTANT:** You must configure notifications for an identity store for workflows to work. + +## Steps + +1. In the **Directory Manager Admin Center** portal, click the **Identity Stores** node. 
+2. Click on the **Triple Dot** button on the identity store and then click on **Edit** to open its properties. +3. Click the **Workflow** tab. + + ![Workflow Tab in Directory Manager](./images/servlet_image_a379d546d249.png) + +4. Click **Add Workflow**. A new window will appear. + + ![Add Workflow Window](./images/servlet_image_18e10f2b3bb5.png) + +5. Make sure the **Enabled** check box is selected for the workflow to apply. +6. In the **Object(s)** list, select *Group*. +7. Enter a name for the workflow in the **Name** box—for example, *Group Creation*. +8. In the **Events** drop-down list, select *Create*. +9. Select the **Enable mail approval** check box to enable the approver to approve or deny a workflow request from within the workflow email notification. +10. The **Enable approver acceleration** check box applies if approver acceleration has been enabled for the identity store. To exempt this workflow route from approver acceleration, clear this check box. +11. In the **Description** box, enter a brief description of the workflow. For example, *This workflow tracks the creation of groups by people from the User Security Role*. +12. In the **Portal URL** drop-down list, select a **Self-Service portal URL** to include in the workflow email notifications. The URL would redirect the recipients to the portal for acting on the respective request, such as approve or deny it. +13. Use the Filters area to specify a criterion that must be met for the workflow to trigger. In other words, when this filter criterion is not met, the workflow will not trigger. Do not apply a filter if you want the workflow to apply to all users. + + For example, if you apply the following filter: + + | Field | Condition | Value | + |-------|-----------|-------| + | Role | Equals | User | + + It implies that when a user from the User security role creates a group via the Self-Service portal, the change isn’t effective immediately and this workflow gets triggered. 
When a person from any other security role creates a group, it won’t trigger the workflow. + +14. The final step is to add a workflow approver: + + - Click **Add Approvers** in the **Approvers** area. + + ![Add Approvers](./images/servlet_image_db963bd15765.png) + + - Select the user/group to approve the requests generated for this workflow. It is safer to specify an administrator/helpdesk as the approver rather than the group owners. + - Click **Add**. + +15. Click **OK** on the **Workflow Route** dialog box and then on the **Workflow** tab. + +Now, any group creation made through **GroupID** by users from the User security role will trigger a workflow request. + +## Reference + +Admin Center — Workflows — Overview — v11.0 + +### Related Articles + +- [Walkthrough Search Policy - Define Scope and Filter Results](/docs/kb/directorymanager/walkthrough-search-policy-define-scope-and-filter-results). +- [How To Enforce Users to Create Groups in a Specific OU](/docs/kb/directorymanager/how-to-enforce-users-to-create-groups-in-a-specific-ou). +- [How To Import Members to a Group Using Self-Service Import Wizard](/docs/kb/directorymanager/how-to-import-members-to-a-group-using-self-service-import-wizard). +- [How To Add Message Approvers in Group Properties in Self-Service](/docs/kb/directorymanager/how-to-add-message-approvers-in-group-properties-in-groupid-portal). +- [Best Practices for Controlling Changes to Group Membership](/docs/kb/directorymanager/how-to-enforce-users-to-create-groups-in-a-specific-ou). +- [Best Practices for Preventing Accidental Data Leakage](/docs/kb/directorymanager/best-practices-for-preventing-accidental-data-leakage). \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_update_the_service_account_password_in_v10.md b/docs/kb/directorymanager/how_to_update_the_service_account_password_in_v10.md new file mode 100644 index 0000000000..c68513ad20 --- /dev/null 
+++ b/docs/kb/directorymanager/how_to_update_the_service_account_password_in_v10.md 
@@ -0,0 +1,91 @@ +--- +description: >- + This article provides a step-by-step guide on how to update the password for the GroupID service account in Netwrix Directory Manager, ensuring all relevant components are properly configured. +keywords: + - GroupID + - service account + - password reset + - Netwrix Directory Manager + - configuration +sidebar_label: Update GroupID Service Account Password +tags: [] +title: "How to Update the Service Account Password in V10" +knowledge_article_id: kA0Qk0000002whRKAQ +products: + - directory-manager +--- + +# How to Update the Service Account Password in V10 + +## Related Queries + +- "Password reset for the GroupID service account" +- "I need to reset the password for the GroupID service account. Could you provide a comprehensive list of all the locations where the new password must be updated after the reset? Additionally, please let me know if there are any other steps I should take to ensure everything is properly validated after the password change." + +## Overview + +Resetting the password for the GroupID service account in **Netwrix Directory Manager** (formerly **GroupID**) 10 SR2 requires updating the credentials in multiple locations to ensure uninterrupted operation of all GroupID services. This article provides a step-by-step guide to updating the password across all relevant components and validating the configuration. + +## Instructions + +1. Use **Active Directory Users and Computers** to reset the password for the GroupID service account. +2. Identify all GroupID components using the service account: + - **GroupID Data Service** + - **GroupID Mobile Service** + - **GroupID Security Service** + - **GroupID Services** + - **GroupID Insights** + - **GroupID Password Center** + - **GroupID Self Service** +3. 
Before re-running the Configuration Tool, rename the following ZIP files to `*.old.zip`: + - `C:\Program Files\Imanami\GroupID 10.0\GroupIDDataService\DataServiceZip.zip` + - `C:\Program Files\Imanami\GroupID 10.0\GroupIDMobileService\GroupIDMobileServiceZip.zip` + - `C:\Program Files\Imanami\GroupID 10.0\GroupIDSecurityService\SecurityServiceZip.zip` + - `C:\Program Files\Imanami\GroupID 10.0\GroupIDServices\GroupIDServicesZip.zip` + - `C:\Program Files\Imanami\GroupID 10.0\Insights\Insights.zip` + - `C:\Program Files\Imanami\GroupID 10.0\PasswordCenter\PasswordCenterZip.zip` + - `C:\Program Files\Imanami\GroupID 10.0\SelfService\SelfServiceZip.zip` +4. You can use the following PowerShell script to automate the previous step: + + ```powershell + $locations = @( + "C:\Program Files\Imanami\GroupID 10.0\GroupIDDataService\DataServiceZip.zip", + "C:\Program Files\Imanami\GroupID 10.0\GroupIDMobileService\GroupIDMobileServiceZip.zip", + "C:\Program Files\Imanami\GroupID 10.0\GroupIDSecurityService\SecurityServiceZip.zip", + "C:\Program Files\Imanami\GroupID 10.0\GroupIDServices\GroupIDServicesZip.zip", + "C:\Program Files\Imanami\GroupID 10.0\Insights\Insights.zip", + "C:\Program Files\Imanami\GroupID 10.0\PasswordCenter\PasswordCenterZip.zip", + "C:\Program Files\Imanami\GroupID 10.0\SelfService\SelfServiceZip.zip" + ) + foreach ($location in $locations) { + if (Test-Path $location) { + $newName = $location -replace '\.zip$', 'old.zip' + Rename-Item -Path $location -NewName $newName -Force + } else { + Write-Host "File not found: $location" + } + } + ``` + +5. In **IIS Manager**, remove the GroupID site and its application pool to ensure a clean reconfiguration. +6. Delete all files from `C:\Windows\Microsoft.NET\Framework64\v4.x\Temporary ASP.NET Files\`. +7. Launch the GroupID Configuration Tool with administrative privileges. +8. Update the service account credentials wherever prompted. +9. Apply and save the configuration. +10. 
If you encounter errors such as “Failed to save the Security Service Configuration,” ensure all previous steps are complete and try again. +11. Use the **Signing Key Utility** to generate a new SSL certificate for GroupID if prompted: + - [Download the Signing Key Utility](https://releases.netwrix.com/products/groupid/10.0/groupid-V10-Signing-Key-Utility-10.0.0.zip) + - [Signing Key Utility Documentation](/docs/directorymanager/) +12. To update the password in the identity store properties, open the **GroupID MMC**. +13. Navigate to the **Identity Stores** tab from the left pane. +14. Open the properties of the on-prem **AD Identity Store**. +15. Update the password of the service account. +16. Ensure all GroupID services are running. +17. Verify that web interfaces and scheduled tasks are operational. +18. Check event logs and application logs for errors. + +> **IMPORTANT:** Failure to update the password in all required locations may result in service outages or authentication errors. Always run the Configuration Tool as Administrator and validate all services after making changes. + +## Related Articles + +- [GroupID 10.0 Signing Key Utility Documentation](/docs/directorymanager/) \ No newline at end of file diff --git a/docs/kb/directorymanager/how_to_view_a_list_of_objects_owned_by_a_user_in_the_portal.md b/docs/kb/directorymanager/how_to_view_a_list_of_objects_owned_by_a_user_in_the_portal.md new file mode 100644 index 0000000000..fc973c2e66 --- /dev/null +++ b/docs/kb/directorymanager/how_to_view_a_list_of_objects_owned_by_a_user_in_the_portal.md 
@@ -0,0 +1,57 @@ +--- +description: >- + This article explains how to view all groups owned by a specific user in the Netwrix Directory Manager portal by configuring the user properties. +keywords: + - Directory Manager + - user properties + - managedObjects +sidebar_label: View Objects Owned by User +tags: [] +title: "How to View a List of Objects Owned by a User in the Portal" +knowledge_article_id: kA0Qk0000002R0vKAE +products: + - directory-manager +--- + +# How to View a List of Objects Owned by a User in the Portal + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows you to view all groups owned by a specific user in the portal. By adding a new field mapped to the **managedObjects** attribute in the user properties, you can display a list of groups that a user owns. This article explains how to configure the portal to show this information. + +> **NOTE:** Before making any changes to your environment, it is highly recommended to create a backup, snapshot, or checkpoint of the Directory Manager server. + +The default properties page for users does not display owned groups: + +![Default user properties page in Directory Manager portal](./images/servlet_image_dfe447cf1c8d.png) + +## Instructions + +### Add the Owned Objects Field to User Properties + +1. In the **Directory Manager Admin Center**, go to the **Applications** tab in the left navigation bar. +2. Click the three-dot icon for the portal you want to modify, then click **Settings**. + + ![Accessing portal settings in Directory Manager Admin Center](./images/servlet_image_4c6b4d284195.png) + +3. In the portal settings, click the identity store name under **Design Settings** for which you want to make design changes. + + ![Selecting identity store under Design Settings](./images/servlet_image_7513da8840d6.png) + +4. Click the **Properties** button and select **User** from the **Select Directory Object** drop-down list. +5. 
Click the **Plus** button to create a new category on the User Properties page. + + ![Adding a new category to User Properties](./images/servlet_image_bea9d9e7e94f.png) + +6. Provide a name for the new category and click **Add Field**. + + ![Adding a field to the new category](./images/servlet_image_b130add9b1b8.png) + +7. Select **managedObjects** from the **Field** drop-down list, then provide a display name for the new field and select **Display Type** as **MultiValue**. + + ![Configuring managedObjects field as MultiValue](./images/servlet_image_578dd5e5f5df.png) + +8. Click **OK** to save the changes. +9. Refresh or relaunch the Directory Manager Portal. In the properties of any user, you will now see a new tab (for example, **Owned Objects**) listing all groups owned by the user. + + ![Owned Objects tab in User Properties showing groups owned by the user](./images/servlet_image_a5bc912f4356.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/identify-similar-groups-in-the-directory.md b/docs/kb/directorymanager/identify-similar-groups-in-the-directory.md new file mode 100644 index 0000000000..89599250da --- /dev/null +++ b/docs/kb/directorymanager/identify-similar-groups-in-the-directory.md 
@@ -0,0 +1,54 @@ +--- +description: >- + Learn how to find and view groups that are similar or duplicate in Netwrix + Directory Manager by comparing group type and membership. The article explains + how to use the product UI to view similarity details and interpret similarity + rankings. +keywords: + - Netwrix Directory Manager + - similar groups + - duplicate groups + - group membership + - group type + - self-service portal + - directory cleanup +products: + - directory-manager +visibility: public +sidebar_label: Identify Similar Groups in the Directory +tags: [] +title: "Identify Similar Groups in the Directory" +knowledge_article_id: kA0Qk0000002DlxKAE +--- + +# Identify Similar Groups in the Directory + +## Applies To +Netwrix Directory Manager 11 + +## Overview +As your organization grows, your directory may contain multiple groups that serve the same or similar purposes. These duplicate or overlapping groups can create unnecessary complexity and make directory management more difficult. Identifying similar groups helps you reduce redundancy and maintain a clean, well-organized directory. + +## Instructions +Netwrix Directory Manager enables you to compare groups for similarity based on the following criteria: + +- Group type +- Membership + +For example, if you have a distribution group (Group A) with three members (A1, A2, and A3), Directory Manager compares the membership of all distribution groups in the directory to find those with the same members as Group A. The Self-Service portal displays these similar groups. The more members two groups share, the stronger the similarity match. + +### Steps to View Similar Groups +1. Log in to the Directory Manager application. +2. Click **Groups** in the left pane. +3. On the **My Groups** page, click the display name of a group to view which groups in the directory are similar to it. +4. On the group properties page, click the **Similar Groups** tab. +5. 
Directory Manager displays up to six groups that are most similar to the selected group. Similarity is determined by both **group type** and **membership**. + +> **NOTE:** Netwrix Directory Manager only displays up to six similar groups, even if more exist in the directory. The similarity ranking is based on group type and the number of shared members. + +![Similar Groups tab in Directory Manager group properties page](images/ka0Qk000000EMTh_0EMQk00000BWvT4.png) + +6. Click a bar for a group to view similarity details. +7. The **Similarity Details** dialog box displays the common type and common members that both groups have. + +![Similarity Details dialog box showing common type and members](images/ka0Qk000000EMTh_0EMQk00000BX24j.png) diff --git a/docs/kb/directorymanager/images/ka0Qk0000001Q0T_0EMQk000002TgcF.png b/docs/kb/directorymanager/images/ka0Qk0000001Q0T_0EMQk000002TgcF.png new file mode 100644 index 0000000000..55f481d560 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000001Q0T_0EMQk000002TgcF.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICn.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICn.png new file mode 100644 index 0000000000..1a8b24792e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICn.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICo.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICo.png new file mode 100644 index 0000000000..f5aa37709c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICo.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICp.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICp.png new file mode 100644 index 0000000000..905578051d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICp.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICq.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICq.png new file mode 100644 index 0000000000..ad320f2fc3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICq.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICr.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICr.png new file mode 100644 index 0000000000..b3bc3287e5 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICr.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICs.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICs.png new file mode 100644 index 0000000000..d12ab47c0f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICs.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICt.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICt.png new file mode 100644 index 0000000000..c0fc97bac1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICt.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICu.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICu.png new file mode 100644 index 0000000000..ef29e7185b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICu.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICv.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICv.png new file mode 100644 index 0000000000..9b316bd1e4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICv.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICw.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICw.png new file mode 100644 index 0000000000..27dcc6f93d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICw.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICx.png b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICx.png new file mode 100644 index 0000000000..db0efb6908 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000004nIH_0EMQk000004nICx.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000006YdJ_0EMQk000004nD8J.png b/docs/kb/directorymanager/images/ka0Qk0000006YdJ_0EMQk000004nD8J.png new file mode 100644 index 0000000000..1f3a6c0e58 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000006YdJ_0EMQk000004nD8J.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk0000006YdJ_0EMQk000004nD8S.png b/docs/kb/directorymanager/images/ka0Qk0000006YdJ_0EMQk000004nD8S.png new file mode 100644 index 0000000000..8bd26a897a Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk0000006YdJ_0EMQk000004nD8S.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAfKI.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAfKI.png new file mode 100644 index 0000000000..775707e2d0 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAfKI.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAfow.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAfow.png new file mode 100644 index 0000000000..91136c569c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAfow.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAgZi.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAgZi.png new file mode 100644 index 0000000000..f991d7e57d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAgZi.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAkS2.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAkS2.png new file mode 100644 index 0000000000..2c7396efe9 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAkS2.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAl4j.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAl4j.png new file mode 100644 index 0000000000..92551ae39d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAl4j.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAl7x.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAl7x.png new file mode 100644 index 0000000000..5faded096a Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAl7x.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAl9Z.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAl9Z.png new file mode 100644 index 0000000000..7b9489d3db Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAl9Z.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlBB.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlBB.png new file mode 100644 index 0000000000..b2b4db9050 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlBB.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlEP.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlEP.png new file mode 100644 index 0000000000..e972396ff5 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlEP.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlO5.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlO5.png new file mode 100644 index 0000000000..2f170a62f0 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlO5.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlUX.png b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlUX.png new file mode 100644 index 0000000000..eb7a39e4a4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Bt1B_0EMQk00000AAlUX.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CapJ_0EMQk00000Az6M6.png b/docs/kb/directorymanager/images/ka0Qk000000CapJ_0EMQk00000Az6M6.png new file mode 100644 index 0000000000..76ced973bd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CapJ_0EMQk00000Az6M6.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CapJ_0EMQk00000Az8kU.png b/docs/kb/directorymanager/images/ka0Qk000000CapJ_0EMQk00000Az8kU.png new file mode 100644 index 0000000000..055df177d7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CapJ_0EMQk00000Az8kU.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CapJ_0EMQk00000AzEMr.png b/docs/kb/directorymanager/images/ka0Qk000000CapJ_0EMQk00000AzEMr.png new file mode 100644 index 0000000000..df3709aefc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CapJ_0EMQk00000AzEMr.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP1x3.png b/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP1x3.png new file mode 100644 index 0000000000..78f525be1d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP1x3.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP1yf.png b/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP1yf.png new file mode 100644 index 0000000000..4ed7ac5bbf Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP1yf.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP20H.png b/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP20H.png new file mode 100644 index 0000000000..9269a4607b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP20H.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP21t.png b/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP21t.png new file mode 100644 index 0000000000..e0a689595f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP21t.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP23V.png b/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP23V.png new file mode 100644 index 0000000000..5ec3c34158 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsRF_0EMQk00000BP23V.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3af.png b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3af.png new file mode 100644 index 0000000000..ed4ab80ac5 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3af.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3cH.png b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3cH.png new file mode 100644 index 0000000000..f7504aae63 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3cH.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3dt.png b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3dt.png new file mode 100644 index 0000000000..effb9f9ff8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3dt.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3fV.png b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3fV.png new file mode 100644 index 0000000000..4ef4086cc0 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3fV.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3ij.png b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3ij.png new file mode 100644 index 0000000000..abeea803a1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3ij.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3kL.png b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3kL.png new file mode 100644 index 0000000000..3d6a7bd0dc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3kL.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3lx.png b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3lx.png new file mode 100644 index 0000000000..8d7dd1e3cd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3lx.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3nZ.png b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3nZ.png new file mode 100644 index 0000000000..b34e9db6f8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3nZ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3pB.png b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3pB.png new file mode 100644 index 0000000000..5d2fc9429c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3pB.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3qn.png b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3qn.png new file mode 100644 index 0000000000..78a296aae6 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsSr_0EMQk00000BP3qn.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CsUT_0EMQk00000BP4Jp.png b/docs/kb/directorymanager/images/ka0Qk000000CsUT_0EMQk00000BP4Jp.png new file mode 100644 index 0000000000..09e992dfc8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CsUT_0EMQk00000BP4Jp.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CtIT_0EMQk00000BQXA7.png b/docs/kb/directorymanager/images/ka0Qk000000CtIT_0EMQk00000BQXA7.png new file mode 100644 index 0000000000..2f5d986bcf Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CtIT_0EMQk00000BQXA7.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CtIT_0EMQk00000BQYMJ.png b/docs/kb/directorymanager/images/ka0Qk000000CtIT_0EMQk00000BQYMJ.png new file mode 100644 index 0000000000..680507fc5e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CtIT_0EMQk00000BQYMJ.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000CtIT_0EMQk00000BQZgZ.png b/docs/kb/directorymanager/images/ka0Qk000000CtIT_0EMQk00000BQZgZ.png new file mode 100644 index 0000000000..cfbea6a1bc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CtIT_0EMQk00000BQZgZ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXNh.png b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXNh.png new file mode 100644 index 0000000000..45a1160ae3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXNh.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXPJ.png b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXPJ.png new file mode 100644 index 0000000000..25a4406565 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXPJ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXQv.png b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXQv.png new file mode 100644 index 0000000000..0532f51d59 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXQv.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXSX.png b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXSX.png new file mode 100644 index 0000000000..5562e7c39f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXSX.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXU9.png b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXU9.png new file mode 100644 index 0000000000..925152e3b1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXU9.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXVl.png b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXVl.png new file mode 100644 index 0000000000..f98f39a29e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CuJN_0EMQk00000BSXVl.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFHd.png b/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFHd.png new file mode 100644 index 0000000000..4cccddd642 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFHd.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFJF.png b/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFJF.png new file mode 100644 index 0000000000..59091d41ff Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFJF.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFKr.png b/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFKr.png new file mode 100644 index 0000000000..4e1e6b783d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFKr.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFMT.png b/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFMT.png new file mode 100644 index 0000000000..e1e5390ecc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000CzVx_0EMQk00000BYFMT.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gaph.png b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gaph.png new file mode 100644 index 0000000000..76fedeeafd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gaph.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001garJ.png b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001garJ.png new file mode 100644 index 0000000000..efccc666a0 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001garJ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gasv.png b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gasv.png new file mode 100644 index 0000000000..6415d48f4f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gasv.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gauX.png b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gauX.png new file mode 100644 index 0000000000..9af76a3950 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gauX.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gaxl.png b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gaxl.png new file mode 100644 index 0000000000..b00be24924 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gaxl.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gazN.png b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gazN.png new file mode 100644 index 0000000000..f33142e729 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gazN.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gb0z.png b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gb0z.png new file mode 100644 index 0000000000..f6f5778310 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D2Dh_0EMQk000001gb0z.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFmf.png b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFmf.png new file mode 100644 index 0000000000..6557ea33a4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFmf.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFoH.png b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFoH.png new file mode 100644 index 0000000000..0365524cc8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFoH.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFpt.png b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFpt.png new file mode 100644 index 0000000000..37e28d89a8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFpt.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFrV.png b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFrV.png new file mode 100644 index 0000000000..16615d7162 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFrV.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFt7.png b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFt7.png new file mode 100644 index 0000000000..488eb63cd8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFt7.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFuj.png b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFuj.png new file mode 100644 index 0000000000..b4ee0b777c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8iv_0EMQk00000BpFuj.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpFwM.png b/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpFwM.png new file mode 100644 index 0000000000..30c48874a7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpFwM.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpG9G.png b/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpG9G.png new file mode 100644 index 0000000000..b90a859f5c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpG9G.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpG9H.png b/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpG9H.png new file mode 100644 index 0000000000..e640deeb80 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpG9H.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpGAr.png b/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpGAr.png new file mode 100644 index 0000000000..390c57dff9 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpGAr.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpGCT.png b/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpGCT.png new file mode 100644 index 0000000000..0bdabc2aef Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8kX_0EMQk00000BpGCT.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpCs2.png b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpCs2.png new file mode 100644 index 0000000000..e6d4f967ba Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpCs2.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGXR.png b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGXR.png new file mode 100644 index 0000000000..e92b3ed717 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGXR.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGZ3.png b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGZ3.png new file mode 100644 index 0000000000..d85943ce91 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGZ3.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGaf.png b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGaf.png new file mode 100644 index 0000000000..c6a6b6b259 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGaf.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGcH.png b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGcH.png new file mode 100644 index 0000000000..20287e8718 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGcH.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGdt.png b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGdt.png new file mode 100644 index 0000000000..90cc0eb026 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000D8m9_0EMQk00000BpGdt.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOov.png b/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOov.png new file mode 100644 index 0000000000..57a4fe1a32 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOov.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOqX.png b/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOqX.png new file mode 100644 index 0000000000..07041eeead Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOqX.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOs9.png b/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOs9.png new file mode 100644 index 0000000000..1050b17a47 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOs9.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOtl.png b/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOtl.png new file mode 100644 index 0000000000..ffbd3ab6f7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DGYP_0EMQk00000BdOtl.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DGa1_0EMQk000004nK9l.png b/docs/kb/directorymanager/images/ka0Qk000000DGa1_0EMQk000004nK9l.png new file mode 100644 index 0000000000..a0ec28c07e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DGa1_0EMQk000004nK9l.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DGa1_0EMQk000004nK9m.png b/docs/kb/directorymanager/images/ka0Qk000000DGa1_0EMQk000004nK9m.png new file mode 100644 index 0000000000..741341e187 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DGa1_0EMQk000004nK9m.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DGa1_0EMQk000004nK9n.png b/docs/kb/directorymanager/images/ka0Qk000000DGa1_0EMQk000004nK9n.png new file mode 100644 index 0000000000..f8e0a34e01 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DGa1_0EMQk000004nK9n.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DKlh_0EMQk00000C5cIh.png b/docs/kb/directorymanager/images/ka0Qk000000DKlh_0EMQk00000C5cIh.png new file mode 100644 index 0000000000..815ed0bc10 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DKlh_0EMQk00000C5cIh.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DS6X_0EMQk000004nFgL.png b/docs/kb/directorymanager/images/ka0Qk000000DS6X_0EMQk000004nFgL.png new file mode 100644 index 0000000000..c391451e2f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DS6X_0EMQk000004nFgL.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DS6X_0EMQk000004nFgM.png b/docs/kb/directorymanager/images/ka0Qk000000DS6X_0EMQk000004nFgM.png new file mode 100644 index 0000000000..0edda869f1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DS6X_0EMQk000004nFgM.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSHp_0EMQk00000C1GiC.png b/docs/kb/directorymanager/images/ka0Qk000000DSHp_0EMQk00000C1GiC.png new file mode 100644 index 0000000000..5b46fdd365 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSHp_0EMQk00000C1GiC.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSHp_0EMQk00000C1NoU.png b/docs/kb/directorymanager/images/ka0Qk000000DSHp_0EMQk00000C1NoU.png new file mode 100644 index 0000000000..c6794797e4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSHp_0EMQk00000C1NoU.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSHp_0EMQk00000C1Nq7.png b/docs/kb/directorymanager/images/ka0Qk000000DSHp_0EMQk00000C1Nq7.png new file mode 100644 index 0000000000..86f3c2f466 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSHp_0EMQk00000C1Nq7.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSL3_0EMQk000004nGNu.png b/docs/kb/directorymanager/images/ka0Qk000000DSL3_0EMQk000004nGNu.png new file mode 100644 index 0000000000..1282ffceb3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSL3_0EMQk000004nGNu.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSL3_0EMQk00000C1KQo.png b/docs/kb/directorymanager/images/ka0Qk000000DSL3_0EMQk00000C1KQo.png new file mode 100644 index 0000000000..249cedc081 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSL3_0EMQk00000C1KQo.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSL3_0EMQk00000C1M61.png b/docs/kb/directorymanager/images/ka0Qk000000DSL3_0EMQk00000C1M61.png new file mode 100644 index 0000000000..eb10b118bc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSL3_0EMQk00000C1M61.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSOH_0EMQk000004nEE1.png b/docs/kb/directorymanager/images/ka0Qk000000DSOH_0EMQk000004nEE1.png new file mode 100644 index 0000000000..5fe1be1d8a Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSOH_0EMQk000004nEE1.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSPt_0EMQk00000C0zmA.png b/docs/kb/directorymanager/images/ka0Qk000000DSPt_0EMQk00000C0zmA.png new file mode 100644 index 0000000000..0a2e20394c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSPt_0EMQk00000C0zmA.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSPt_0EMQk00000C15Bd.png b/docs/kb/directorymanager/images/ka0Qk000000DSPt_0EMQk00000C15Bd.png new file mode 100644 index 0000000000..13ce9df189 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSPt_0EMQk00000C15Bd.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0EV5.png b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0EV5.png new file mode 100644 index 0000000000..242d22fe05 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0EV5.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0ISD.png b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0ISD.png new file mode 100644 index 0000000000..7685f2ebcd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0ISD.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0ITp.png b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0ITp.png new file mode 100644 index 0000000000..5f77beb2c1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0ITp.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0IX3.png b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0IX3.png new file mode 100644 index 0000000000..bae496a07a Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0IX3.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0IYf.png b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0IYf.png new file mode 100644 index 0000000000..d683f5486d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0IYf.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0P5V.png b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0P5V.png new file mode 100644 index 0000000000..735999e123 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A0P5V.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A21Os.png b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A21Os.png new file mode 100644 index 0000000000..a09dd55757 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A21Os.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A25Yw.png b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A25Yw.png new file mode 100644 index 0000000000..7ac8af49cb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A25Yw.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A2A0j.png b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A2A0j.png new file mode 100644 index 0000000000..43fd80f7ee Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A2A0j.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A2mh7.png b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A2mh7.png new file mode 100644 index 0000000000..5c349be0a2 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSRV_0EMQk00000A2mh7.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004n9O2.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004n9O2.png new file mode 100644 index 0000000000..a9259537ba Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004n9O2.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nH3t.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nH3t.png new file mode 100644 index 0000000000..e25c77c207 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nH3t.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXn.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXn.png new file mode 100644 index 0000000000..b54bcd85dc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXn.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXo.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXo.png new file mode 100644 index 0000000000..999a4c8efb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXo.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXp.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXp.png new file mode 100644 index 0000000000..8c774a2e44 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXp.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXq.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXq.png new file mode 100644 index 0000000000..cd370cb4aa Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXq.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXr.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXr.png new file mode 100644 index 0000000000..03163a7251 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXr.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXs.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXs.png new file mode 100644 index 0000000000..b214eecd3e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nIXs.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLdh.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLdh.png new file mode 100644 index 0000000000..65564ef687 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLdh.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLfJ.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLfJ.png new file mode 100644 index 0000000000..bdcd2371a7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLfJ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLgv.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLgv.png new file mode 100644 index 0000000000..c221635aa7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLgv.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLiX.png b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLiX.png new file mode 100644 index 0000000000..fd1d2af945 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DSzN_0EMQk000004nLiX.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009t4Na.png b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009t4Na.png new file mode 100644 index 0000000000..6ccff299e8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009t4Na.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009t78Z.png b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009t78Z.png new file mode 100644 index 0000000000..90ee187862 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009t78Z.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEI7.png b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEI7.png new file mode 100644 index 0000000000..30c536ddd9 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEI7.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tETN.png b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tETN.png new file mode 100644 index 0000000000..8a0ca8ac4c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tETN.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEUz.png b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEUz.png new file mode 100644 index 0000000000..5edda72f71 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEUz.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEWb.png b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEWb.png new file mode 100644 index 0000000000..020254a00d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEWb.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEYD.png b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEYD.png new file mode 100644 index 0000000000..3e3a318dfe Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUI2_0EMQk000009tEYD.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iR.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iR.png new file mode 100644 index 0000000000..887adf52ed Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iR.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iS.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iS.png new file mode 100644 index 0000000000..3881b5e8c8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iS.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iT.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iT.png new file mode 100644 index 0000000000..79d6eb5be2 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iT.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iU.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iU.png new file mode 100644 index 0000000000..da3e2ef90c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iU.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iV.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iV.png new file mode 100644 index 0000000000..c5ae393d11 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iV.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iW.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iW.png new file mode 100644 index 0000000000..911e88d309 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iW.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iX.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iX.png new file mode 100644 index 0000000000..e16d0d5372 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iX.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iY.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iY.png new file mode 100644 index 0000000000..d81838e630 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iY.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iZ.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iZ.png new file mode 100644 index 0000000000..04acf49630 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3iZ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ia.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ia.png new file mode 100644 index 0000000000..ea56d0c8d4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ia.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ib.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ib.png new file mode 100644 index 0000000000..2991a70680 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ib.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ic.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ic.png new file mode 100644 index 0000000000..62d3858f20 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ic.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3id.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3id.png new file mode 100644 index 0000000000..1915868ca0 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3id.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ie.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ie.png new file mode 100644 index 0000000000..4062940762 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3ie.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3if.png b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3if.png new file mode 100644 index 0000000000..2c31ae51f5 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DUWX_0EMQk000004n3if.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BNz9K.png b/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BNz9K.png new file mode 100644 index 0000000000..3d8720875e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BNz9K.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BNzAx.png b/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BNzAx.png new file mode 100644 index 0000000000..83d4acd655 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BNzAx.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BO0Jt.png b/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BO0Jt.png new file mode 100644 index 0000000000..58ab7cf22d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BO0Jt.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BO3JN.png b/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BO3JN.png new file mode 100644 index 0000000000..ea9bc26603 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000De4T_0EMQk00000BO3JN.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fVfD.png b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fVfD.png new file mode 100644 index 0000000000..12d80ac2b1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fVfD.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fYTO.png b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fYTO.png new file mode 100644 index 0000000000..5d6ed28ab7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fYTO.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fbhN.png b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fbhN.png new file mode 100644 index 0000000000..7320093c02 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fbhN.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fbkb.png b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fbkb.png new file mode 100644 index 0000000000..a8382d4688 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fbkb.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fbpR.png b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fbpR.png new file mode 100644 index 0000000000..bd3902c216 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fbpR.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fc5Z.png b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fc5Z.png new file mode 100644 index 0000000000..d86ae28288 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fc5Z.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fc8n.png b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fc8n.png new file mode 100644 index 0000000000..0914169a34 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fc8n.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fcDd.png b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fcDd.png new file mode 100644 index 0000000000..b3e35a3d0b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dfzp_0EMQk000001fcDd.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001eu1K.png b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001eu1K.png new file mode 100644 index 0000000000..2ac470a975 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001eu1K.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001evqG.png b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001evqG.png new file mode 100644 index 0000000000..11ca3d452e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001evqG.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001exAU.png b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001exAU.png new file mode 100644 index 0000000000..4b13c70865 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001exAU.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001ezDu.png b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001ezDu.png new file mode 100644 index 0000000000..70c1c8b601 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001ezDu.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001ezqc.png b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001ezqc.png new file mode 100644 index 0000000000..578a56fe49 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001ezqc.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001f0gD.png b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001f0gD.png new file mode 100644 index 0000000000..56a8225e20 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001f0gD.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001f0pt.png b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001f0pt.png new file mode 100644 index 0000000000..db8bbd91ff Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001f0pt.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001f1KX.png b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001f1KX.png new file mode 100644 index 0000000000..537b617bf7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg1R_0EMQk000001f1KX.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg33_0EMQk000001gaRV.png b/docs/kb/directorymanager/images/ka0Qk000000Dg33_0EMQk000001gaRV.png new file mode 100644 index 0000000000..a37dba8211 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg33_0EMQk000001gaRV.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg33_0EMQk000001gaT7.png b/docs/kb/directorymanager/images/ka0Qk000000Dg33_0EMQk000001gaT7.png new file mode 100644 index 0000000000..ab18271dbd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg33_0EMQk000001gaT7.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg33_0EMQk000001gaUj.png b/docs/kb/directorymanager/images/ka0Qk000000Dg33_0EMQk000001gaUj.png new file mode 100644 index 0000000000..acaabd9601 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg33_0EMQk000001gaUj.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg4f_0EMQk000001f3Kk.png b/docs/kb/directorymanager/images/ka0Qk000000Dg4f_0EMQk000001f3Kk.png new file mode 100644 index 0000000000..e63267f8a1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg4f_0EMQk000001f3Kk.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg4f_0EMQk000001f68v.png b/docs/kb/directorymanager/images/ka0Qk000000Dg4f_0EMQk000001f68v.png new file mode 100644 index 0000000000..123db38f08 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg4f_0EMQk000001f68v.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg6H_0EMQk000001iOqr.png b/docs/kb/directorymanager/images/ka0Qk000000Dg6H_0EMQk000001iOqr.png new file mode 100644 index 0000000000..38e859b1a1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg6H_0EMQk000001iOqr.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg6H_0EMQk000001iOsT.png b/docs/kb/directorymanager/images/ka0Qk000000Dg6H_0EMQk000001iOsT.png new file mode 100644 index 0000000000..bc824ba693 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg6H_0EMQk000001iOsT.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dg6H_0EMQk000001iOu5.png b/docs/kb/directorymanager/images/ka0Qk000000Dg6H_0EMQk000001iOu5.png new file mode 100644 index 0000000000..60064aee33 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dg6H_0EMQk000001iOu5.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DtrV_0EMQk00000BSBJx.png b/docs/kb/directorymanager/images/ka0Qk000000DtrV_0EMQk00000BSBJx.png new file mode 100644 index 0000000000..c411a0441d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DtrV_0EMQk00000BSBJx.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSKYY.png b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSKYY.png new file mode 100644 index 0000000000..337819672e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSKYY.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSLMa.png b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSLMa.png new file mode 100644 index 0000000000..512f452424 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSLMa.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSLmM.png b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSLmM.png new file mode 100644 index 0000000000..988daabf06 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSLmM.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSNt0.png b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSNt0.png new file mode 100644 index 0000000000..dd304e9d89 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSNt0.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSOQr.png b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSOQr.png new file mode 100644 index 0000000000..2bd6b54978 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSOQr.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSOST.png b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSOST.png new file mode 100644 index 0000000000..1b61d85625 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSOST.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSOU5.png b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSOU5.png new file mode 100644 index 0000000000..653eb3ecdd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dtxx_0EMQk00000BSOU5.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BRwsy.png b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BRwsy.png new file mode 100644 index 0000000000..08d4307bcc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BRwsy.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS48q.png b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS48q.png new file mode 100644 index 0000000000..0e79152a38 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS48q.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS4Gs.png b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS4Gs.png new file mode 100644 index 0000000000..981234bfba Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS4Gs.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS5BL.png b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS5BL.png new file mode 100644 index 0000000000..507c338933 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS5BL.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS8nW.png b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS8nW.png new file mode 100644 index 0000000000..723cd5e4ad Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS8nW.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS9zh.png b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS9zh.png new file mode 100644 index 0000000000..70655f7eaf Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du4P_0EMQk00000BS9zh.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8mX.png b/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8mX.png new file mode 100644 index 0000000000..63ea8b973e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8mX.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8pl.png b/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8pl.png new file mode 100644 index 0000000000..3ec88f8bc5 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8pl.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8ub.png b/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8ub.png new file mode 100644 index 0000000000..f8527c15f3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8ub.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8zR.png b/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8zR.png new file mode 100644 index 0000000000..58085207e6 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du7d_0EMQk00000BN8zR.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du9F_0EMQk00000BQXBk.png b/docs/kb/directorymanager/images/ka0Qk000000Du9F_0EMQk00000BQXBk.png new file mode 100644 index 0000000000..497edf7e42 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du9F_0EMQk00000BQXBk.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du9F_0EMQk00000BQZYT.png b/docs/kb/directorymanager/images/ka0Qk000000Du9F_0EMQk00000BQZYT.png new file mode 100644 index 0000000000..68f02c4b98 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du9F_0EMQk00000BQZYT.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Du9F_0EMQk00000BQZmz.png b/docs/kb/directorymanager/images/ka0Qk000000Du9F_0EMQk00000BQZmz.png new file mode 100644 index 0000000000..a74ab321c4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Du9F_0EMQk00000BQZmz.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZ9rj.png b/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZ9rj.png new file mode 100644 index 0000000000..27345ce344 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZ9rj.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZFvX.png b/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZFvX.png new file mode 100644 index 0000000000..73936a07f2 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZFvX.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZUPv.png b/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZUPv.png new file mode 100644 index 0000000000..6379d1ab2c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZUPv.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZbJK.png b/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZbJK.png new file mode 100644 index 0000000000..4f2c0748f8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZbJK.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZdBR.png b/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZdBR.png new file mode 100644 index 0000000000..a5686efa51 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DunZ_0EMQk00000BZdBR.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DusP_0EMQk00000C13Mk.png b/docs/kb/directorymanager/images/ka0Qk000000DusP_0EMQk00000C13Mk.png new file mode 100644 index 0000000000..026acae5fb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DusP_0EMQk00000C13Mk.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DusP_0EMQk00000C19C1.png b/docs/kb/directorymanager/images/ka0Qk000000DusP_0EMQk00000C19C1.png new file mode 100644 index 0000000000..516ce5b7f4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DusP_0EMQk00000C19C1.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Duu1_0EMQk00000BS31S.png b/docs/kb/directorymanager/images/ka0Qk000000Duu1_0EMQk00000BS31S.png new file mode 100644 index 0000000000..e9ecadf9b3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Duu1_0EMQk00000BS31S.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Duu1_0EMQk00000BS90Q.png b/docs/kb/directorymanager/images/ka0Qk000000Duu1_0EMQk00000BS90Q.png new file mode 100644 index 0000000000..8ef26d945a Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Duu1_0EMQk00000BS90Q.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dv0T_0EMQk00000BSBWr.png b/docs/kb/directorymanager/images/ka0Qk000000Dv0T_0EMQk00000BSBWr.png new file mode 100644 index 0000000000..fe97dcc21f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dv0T_0EMQk00000BSBWr.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvA9_0EMQk00000BSFdi.png b/docs/kb/directorymanager/images/ka0Qk000000DvA9_0EMQk00000BSFdi.png new file mode 100644 index 0000000000..0185d97d6f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvA9_0EMQk00000BSFdi.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvA9_0EMQk00000BSG3V.png b/docs/kb/directorymanager/images/ka0Qk000000DvA9_0EMQk00000BSG3V.png new file mode 100644 index 0000000000..d474fbae84 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvA9_0EMQk00000BSG3V.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvID_0EMQk00000BSOM1.png b/docs/kb/directorymanager/images/ka0Qk000000DvID_0EMQk00000BSOM1.png new file mode 100644 index 0000000000..54f3fba904 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvID_0EMQk00000BSOM1.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvQH_0EMQk00000BSXab.png b/docs/kb/directorymanager/images/ka0Qk000000DvQH_0EMQk00000BSXab.png new file mode 100644 index 0000000000..4e1e6b783d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvQH_0EMQk00000BSXab.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvQH_0EMQk00000BSXfR.png b/docs/kb/directorymanager/images/ka0Qk000000DvQH_0EMQk00000BSXfR.png new file mode 100644 index 0000000000..f95dfe1d7c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvQH_0EMQk00000BSXfR.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br2be.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br2be.png new file mode 100644 index 0000000000..a776d55755 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br2be.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3B7.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3B7.png new file mode 100644 index 0000000000..c45adccee4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3B7.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Cj.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Cj.png new file mode 100644 index 0000000000..9d59f6dd42 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Cj.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3EL.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3EL.png new file mode 100644 index 0000000000..8d8be96abb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3EL.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Fx.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Fx.png new file mode 100644 index 0000000000..df276014e4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Fx.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3JB.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3JB.png new file mode 100644 index 0000000000..c45adccee4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3JB.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3MP.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3MP.png new file mode 100644 index 0000000000..8d8be96abb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3MP.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3O1.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3O1.png new file mode 100644 index 0000000000..d2ba74e87c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3O1.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Pd.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Pd.png new file mode 100644 index 0000000000..7c5c5e7f29 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Pd.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3RF.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3RF.png new file mode 100644 index 0000000000..d553f482f7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3RF.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Sr.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Sr.png new file mode 100644 index 0000000000..e76ff941c8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3Sr.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3UT.png b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3UT.png new file mode 100644 index 0000000000..2c0fc1f682 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvYL_0EMQk00000Br3UT.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSWjO.png b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSWjO.png new file mode 100644 index 0000000000..ad2542a95c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSWjO.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYlB.png b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYlB.png new file mode 100644 index 0000000000..c67eae54e5 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYlB.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYmn.png b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYmn.png new file mode 100644 index 0000000000..7a7860a355 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYmn.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYoP.png b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYoP.png new file mode 100644 index 0000000000..4a4ab243d7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYoP.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYq1.png b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYq1.png new file mode 100644 index 0000000000..e17e72c2c3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYq1.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYrd.png b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYrd.png new file mode 100644 index 0000000000..fc889e5dc4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYrd.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYtF.png b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYtF.png new file mode 100644 index 0000000000..92ea6699a8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYtF.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYwT.png b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYwT.png new file mode 100644 index 0000000000..7ef8126024 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000DvbZ_0EMQk00000BSYwT.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dxjp_0EMQk00000BYEyH.png b/docs/kb/directorymanager/images/ka0Qk000000Dxjp_0EMQk00000BYEyH.png new file mode 100644 index 0000000000..0b3d2dd9e4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dxjp_0EMQk00000BYEyH.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dxjp_0EMQk00000BYEzt.png b/docs/kb/directorymanager/images/ka0Qk000000Dxjp_0EMQk00000BYEzt.png new file mode 100644 index 0000000000..a096c50233 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dxjp_0EMQk00000BYEzt.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dxjp_0EMQk00000BYF1V.png b/docs/kb/directorymanager/images/ka0Qk000000Dxjp_0EMQk00000BYF1V.png new file mode 100644 index 0000000000..8d8be96abb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dxjp_0EMQk00000BYF1V.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSXh5.png b/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSXh5.png new file mode 100644 index 0000000000..1a290ea833 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSXh5.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZ69.png b/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZ69.png new file mode 100644 index 0000000000..b7c53fe8d2 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZ69.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZ7l.png b/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZ7l.png new file mode 100644 index 0000000000..00eb834648 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZ7l.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZ9N.png b/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZ9N.png new file mode 100644 index 0000000000..12fc4ec60d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZ9N.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZAz.png b/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZAz.png new file mode 100644 index 0000000000..26b2ee881a Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000Dxof_0EMQk00000BSZAz.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdDrv.png b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdDrv.png new file mode 100644 index 0000000000..bf3048f58d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdDrv.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdNHn.png b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdNHn.png new file mode 100644 index 0000000000..eaa70eed62 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdNHn.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPHx.png b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPHx.png new file mode 100644 index 0000000000..a78d8822d6 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPHx.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPJZ.png b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPJZ.png new file mode 100644 index 0000000000..e889684fb8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPJZ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPLB.png b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPLB.png new file mode 100644 index 0000000000..1121d1974c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPLB.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPMn.png b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPMn.png new file mode 100644 index 0000000000..95b6e00528 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPMn.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPOP.png b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPOP.png new file mode 100644 index 0000000000..7b1105e7b4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPOP.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPQ1.png b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPQ1.png new file mode 100644 index 0000000000..c3737b2cb0 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPQ1.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPRd.png b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPRd.png new file mode 100644 index 0000000000..dfd0bc5a0a Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000E76T_0EMQk00000BdPRd.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtLOI.png b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtLOI.png new file mode 100644 index 0000000000..7c09bc1797 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtLOI.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtN8L.png b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtN8L.png new file mode 100644 index 0000000000..049c2fc43c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtN8L.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtN9x.png b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtN9x.png new file mode 100644 index 0000000000..0a8c14a6c4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtN9x.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNBZ.png b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNBZ.png new file mode 100644 index 0000000000..cd89b5d3e6 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNBZ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNDB.png b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNDB.png new file mode 100644 index 0000000000..2ed5f41e30 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNDB.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNEn.png b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNEn.png new file mode 100644 index 0000000000..f6a09fc320 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNEn.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNGP.png b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNGP.png new file mode 100644 index 0000000000..de74e3cd4f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EECn_0EMQk00000CtNGP.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMTh_0EMQk00000BWvT4.png b/docs/kb/directorymanager/images/ka0Qk000000EMTh_0EMQk00000BWvT4.png new file mode 100644 index 0000000000..298a0360cb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMTh_0EMQk00000BWvT4.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMTh_0EMQk00000BX24j.png b/docs/kb/directorymanager/images/ka0Qk000000EMTh_0EMQk00000BX24j.png new file mode 100644 index 0000000000..8295fe8bf7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMTh_0EMQk00000BX24j.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BX3X5.png b/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BX3X5.png new file mode 100644 index 0000000000..b29c4085a9 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BX3X5.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BX9nl.png b/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BX9nl.png new file mode 100644 index 0000000000..12613720d3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BX9nl.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BXA77.png b/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BXA77.png new file mode 100644 index 0000000000..c28c344071 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BXA77.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BXAK1.png b/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BXAK1.png new file mode 100644 index 0000000000..c6571f44b6 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMWv_0EMQk00000BXAK1.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZenT.png b/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZenT.png new file mode 100644 index 0000000000..a5686efa51 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZenT.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZfd5.png b/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZfd5.png new file mode 100644 index 0000000000..8a747b5461 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZfd5.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZgCY.png b/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZgCY.png new file mode 100644 index 0000000000..20f979b05d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZgCY.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZgUI.png b/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZgUI.png new file mode 100644 index 0000000000..4ac3652ec4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMa9_0EMQk00000BZgUI.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMbl_0EMQk00000Ba629.png b/docs/kb/directorymanager/images/ka0Qk000000EMbl_0EMQk00000Ba629.png new file mode 100644 index 0000000000..9750538d4b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMbl_0EMQk00000Ba629.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMbl_0EMQk00000Ba65N.png b/docs/kb/directorymanager/images/ka0Qk000000EMbl_0EMQk00000Ba65N.png new file mode 100644 index 0000000000..ece3ffb2ec Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMbl_0EMQk00000Ba65N.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMdN_0EMQk00000Ba6Gf.png b/docs/kb/directorymanager/images/ka0Qk000000EMdN_0EMQk00000Ba6Gf.png new file mode 100644 index 0000000000..a2c5aa1a09 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMdN_0EMQk00000Ba6Gf.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMdN_0EMQk00000Ba6IH.png b/docs/kb/directorymanager/images/ka0Qk000000EMdN_0EMQk00000Ba6IH.png new file mode 100644 index 0000000000..a919ec142e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMdN_0EMQk00000Ba6IH.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMdN_0EMQk00000Ba6Jt.png b/docs/kb/directorymanager/images/ka0Qk000000EMdN_0EMQk00000Ba6Jt.png new file mode 100644 index 0000000000..f6f549d659 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMdN_0EMQk00000Ba6Jt.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbBHX.png b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbBHX.png new file mode 100644 index 0000000000..93db8a6da2 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbBHX.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbH6o.png b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbH6o.png new file mode 100644 index 0000000000..7b31f489f4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbH6o.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbHoM.png b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbHoM.png new file mode 100644 index 0000000000..607205ba07 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbHoM.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbIFm.png b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbIFm.png new file mode 100644 index 0000000000..bee3098a1b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbIFm.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbJN7.png b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbJN7.png new file mode 100644 index 0000000000..d2fba5490b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbJN7.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbJYP.png b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbJYP.png new file mode 100644 index 0000000000..6df40fa226 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EMez_0EMQk00000BbJYP.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EPRZ_0EMQk00000BbINr.png b/docs/kb/directorymanager/images/ka0Qk000000EPRZ_0EMQk00000BbINr.png new file mode 100644 index 0000000000..d293da20d8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EPRZ_0EMQk00000BbINr.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000EPRZ_0EMQk00000BbJji.png b/docs/kb/directorymanager/images/ka0Qk000000EPRZ_0EMQk00000BbJji.png new file mode 100644 index 0000000000..e5e80a54cb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EPRZ_0EMQk00000BbJji.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EWo1_0EMQk00000Bh5ni.png b/docs/kb/directorymanager/images/ka0Qk000000EWo1_0EMQk00000Bh5ni.png new file mode 100644 index 0000000000..4ee4fb8047 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EWo1_0EMQk00000Bh5ni.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EWsr_0EMQk00000Bo2pu.png b/docs/kb/directorymanager/images/ka0Qk000000EWsr_0EMQk00000Bo2pu.png new file mode 100644 index 0000000000..51e28b5f4a Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EWsr_0EMQk00000Bo2pu.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EWsr_0EMQk00000BoBA3.png b/docs/kb/directorymanager/images/ka0Qk000000EWsr_0EMQk00000BoBA3.png new file mode 100644 index 0000000000..7c38ffb5e6 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EWsr_0EMQk00000BoBA3.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EWuT_0EMQk00000BoNUY.png b/docs/kb/directorymanager/images/ka0Qk000000EWuT_0EMQk00000BoNUY.png new file mode 100644 index 0000000000..82726a5588 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EWuT_0EMQk00000BoNUY.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EYmb_0EMQk00000BoN3A.png b/docs/kb/directorymanager/images/ka0Qk000000EYmb_0EMQk00000BoN3A.png new file mode 100644 index 0000000000..0070e410d7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EYmb_0EMQk00000BoN3A.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDEb.png b/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDEb.png new file mode 100644 index 0000000000..790ac29a2c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDEb.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDGD.png b/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDGD.png new file mode 100644 index 0000000000..b214a5952c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDGD.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDHp.png b/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDHp.png new file mode 100644 index 0000000000..f6f549d659 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDHp.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDJR.png b/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDJR.png new file mode 100644 index 0000000000..842d9c36bd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDJR.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDL3.png b/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDL3.png new file mode 100644 index 0000000000..b214a5952c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EYoD_0EMQk00000BpDL3.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EYrR_0EMQk00000BpDcn.png b/docs/kb/directorymanager/images/ka0Qk000000EYrR_0EMQk00000BpDcn.png new file mode 100644 index 0000000000..18055d8abb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EYrR_0EMQk00000BpDcn.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000EYrR_0EMQk00000BpDeP.png b/docs/kb/directorymanager/images/ka0Qk000000EYrR_0EMQk00000BpDeP.png new file mode 100644 index 0000000000..f8295e4aa0 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EYrR_0EMQk00000BpDeP.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EYwH_0EMQk00000BpBfq.png b/docs/kb/directorymanager/images/ka0Qk000000EYwH_0EMQk00000BpBfq.png new file mode 100644 index 0000000000..0e53e43907 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EYwH_0EMQk00000BpBfq.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EYwH_0EMQk00000BpDrJ.png b/docs/kb/directorymanager/images/ka0Qk000000EYwH_0EMQk00000BpDrJ.png new file mode 100644 index 0000000000..1c475ee17e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EYwH_0EMQk00000BpDrJ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZ2j_0EMQk00000BoBWe.png b/docs/kb/directorymanager/images/ka0Qk000000EZ2j_0EMQk00000BoBWe.png new file mode 100644 index 0000000000..55492b93bd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZ2j_0EMQk00000BoBWe.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr0z.png b/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr0z.png new file mode 100644 index 0000000000..19fdc8f59f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr0z.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr2b.png b/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr2b.png new file mode 100644 index 0000000000..62325fc62e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr2b.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr4D.png b/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr4D.png new file mode 100644 index 0000000000..8dd266aa73 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr4D.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr5p.png b/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr5p.png new file mode 100644 index 0000000000..788afef0c9 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZ4L_0EMQk00000Bsr5p.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZ5x_0EMQk00000Bu2Dh.png b/docs/kb/directorymanager/images/ka0Qk000000EZ5x_0EMQk00000Bu2Dh.png new file mode 100644 index 0000000000..f19735f1bc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZ5x_0EMQk00000Bu2Dh.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZ7Z_0EMQk00000BuCxp.png b/docs/kb/directorymanager/images/ka0Qk000000EZ7Z_0EMQk00000BuCxp.png new file mode 100644 index 0000000000..8a501f91b0 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZ7Z_0EMQk00000BuCxp.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZCP_0EMQk00000BuMNh.png b/docs/kb/directorymanager/images/ka0Qk000000EZCP_0EMQk00000BuMNh.png new file mode 100644 index 0000000000..1b96729425 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZCP_0EMQk00000BuMNh.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZCP_0EMQk00000BuMPJ.png b/docs/kb/directorymanager/images/ka0Qk000000EZCP_0EMQk00000BuMPJ.png new file mode 100644 index 0000000000..3a3311735a Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZCP_0EMQk00000BuMPJ.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMYz.png b/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMYz.png new file mode 100644 index 0000000000..14cb1bf0c2 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMYz.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMab.png b/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMab.png new file mode 100644 index 0000000000..52330d2101 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMab.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMcD.png b/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMcD.png new file mode 100644 index 0000000000..25a627afd3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMcD.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMdp.png b/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMdp.png new file mode 100644 index 0000000000..690239b960 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZFd_0EMQk00000BuMdp.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000EZIr_0EMQk00000BuNWf.png b/docs/kb/directorymanager/images/ka0Qk000000EZIr_0EMQk00000BuNWf.png new file mode 100644 index 0000000000..a6ce7c4df1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000EZIr_0EMQk00000BuNWf.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngEj.png b/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngEj.png new file mode 100644 index 0000000000..20b7f8fc22 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngEj.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngGL.png b/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngGL.png new file mode 100644 index 0000000000..d794e7f540 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngGL.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngHx.png b/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngHx.png new file mode 100644 index 0000000000..4dcac30049 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngHx.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngJZ.png b/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngJZ.png new file mode 100644 index 0000000000..0a526d7f39 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000F7h7_0EMQk00000DngJZ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FE97_0EMQk00000BxDMI.png b/docs/kb/directorymanager/images/ka0Qk000000FE97_0EMQk00000BxDMI.png new file mode 100644 index 0000000000..e16a8330cd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FE97_0EMQk00000BxDMI.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R1Z.png b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R1Z.png new file mode 100644 index 0000000000..18798442e1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R1Z.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R3B.png b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R3B.png new file mode 100644 index 0000000000..faa9f49b03 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R3B.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R4n.png b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R4n.png new file mode 100644 index 0000000000..3add277963 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R4n.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R6P.png b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R6P.png new file mode 100644 index 0000000000..c0d5553944 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R6P.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R81.png b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R81.png new file mode 100644 index 0000000000..ee93e14019 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R81.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R9d.png b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R9d.png new file mode 100644 index 0000000000..d4bcfc0ed6 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3R9d.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3RBF.png b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3RBF.png new file mode 100644 index 0000000000..2bc9c2d730 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEHB_0EMQk00000C3RBF.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfMD.png b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfMD.png new file mode 100644 index 0000000000..f0977c36cd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfMD.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfNp.png b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfNp.png new file mode 100644 index 0000000000..a2a14f8be3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfNp.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfPR.png b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfPR.png new file mode 100644 index 0000000000..c9841dcb62 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfPR.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfR3.png b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfR3.png new file mode 100644 index 0000000000..69569553a2 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfR3.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfSf.png b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfSf.png new file mode 100644 index 0000000000..e2c5d72151 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfSf.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfUH.png b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfUH.png new file mode 100644 index 0000000000..0266219080 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfUH.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfVt.png b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfVt.png new file mode 100644 index 0000000000..6de35d3dc4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfVt.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfXV.png b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfXV.png new file mode 100644 index 0000000000..c94558d7ba Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfXV.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfZ7.png b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfZ7.png new file mode 100644 index 0000000000..734f56a854 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000DxfZ7.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000Dxfaj.png b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000Dxfaj.png new file mode 100644 index 0000000000..be782508b7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FEaX_0EMQk00000Dxfaj.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGSf_0EMQk00000C3RET.png b/docs/kb/directorymanager/images/ka0Qk000000FGSf_0EMQk00000C3RET.png new file mode 100644 index 0000000000..8167eb3c35 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGSf_0EMQk00000C3RET.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGSf_0EMQk00000C3RG5.png b/docs/kb/directorymanager/images/ka0Qk000000FGSf_0EMQk00000C3RG5.png new file mode 100644 index 0000000000..46918936d8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGSf_0EMQk00000C3RG5.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGSf_0EMQk00000C3RHh.png b/docs/kb/directorymanager/images/ka0Qk000000FGSf_0EMQk00000C3RHh.png new file mode 100644 index 0000000000..d78a0b38d7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGSf_0EMQk00000C3RHh.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGVt_0EMQk00000C3SdZ.png b/docs/kb/directorymanager/images/ka0Qk000000FGVt_0EMQk00000C3SdZ.png new file mode 100644 index 0000000000..cf77a18dc6 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGVt_0EMQk00000C3SdZ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGVt_0EMQk00000C3SfB.png b/docs/kb/directorymanager/images/ka0Qk000000FGVt_0EMQk00000C3SfB.png new file mode 100644 index 0000000000..3f9e965bbf Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGVt_0EMQk00000C3SfB.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGZ7_0EMQk00000C65MH.png b/docs/kb/directorymanager/images/ka0Qk000000FGZ7_0EMQk00000C65MH.png new file mode 100644 index 0000000000..0762390a88 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGZ7_0EMQk00000C65MH.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAKTC.png b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAKTC.png new file mode 100644 index 0000000000..78c7d6aa98 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAKTC.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAM6o.png b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAM6o.png new file mode 100644 index 0000000000..104085b024 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAM6o.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMJh.png b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMJh.png new file mode 100644 index 0000000000..fd2e88f51b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMJh.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMLJ.png b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMLJ.png new file mode 100644 index 0000000000..95fd9ee857 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMLJ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMMv.png b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMMv.png new file mode 100644 index 0000000000..0e25ecbf48 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMMv.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMQ9.png b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMQ9.png new file mode 100644 index 0000000000..faa351afc8 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMQ9.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMRl.png b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMRl.png new file mode 100644 index 0000000000..a7ac318322 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMRl.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMTN.png b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMTN.png new file mode 100644 index 0000000000..ace6348d4d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGaj_0EMQk00000CAMTN.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CALUk.png b/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CALUk.png new file mode 100644 index 0000000000..4cccddd642 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CALUk.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CAMUz.png b/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CAMUz.png new file mode 100644 index 0000000000..e1e5390ecc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CAMUz.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CAMWb.png b/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CAMWb.png new file mode 100644 index 0000000000..4e1e6b783d Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CAMWb.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CAMYD.png b/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CAMYD.png new file mode 100644 index 0000000000..59091d41ff Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FGyv_0EMQk00000CAMYD.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CANdy.png b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CANdy.png new file mode 100644 index 0000000000..22743ea2bc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CANdy.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAP1R.png b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAP1R.png new file mode 100644 index 0000000000..c6e8f76226 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAP1R.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPFx.png b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPFx.png new file mode 100644 index 0000000000..ab5e14fb66 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPFx.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPPd.png b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPPd.png new file mode 100644 index 0000000000..45ca96a4a1 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPPd.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPRF.png b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPRF.png new file mode 100644 index 0000000000..6ed3810378 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPRF.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPUT.png b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPUT.png new file mode 100644 index 0000000000..0d3b01e957 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPUT.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPXh.png b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPXh.png new file mode 100644 index 0000000000..0f726777d7 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FH0X_0EMQk00000CAPXh.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FH29_0EMQk00000CAPnp.png b/docs/kb/directorymanager/images/ka0Qk000000FH29_0EMQk00000CAPnp.png new file mode 100644 index 0000000000..2992e0dd93 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FH29_0EMQk00000CAPnp.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FH29_0EMQk00000CAPr3.png b/docs/kb/directorymanager/images/ka0Qk000000FH29_0EMQk00000CAPr3.png new file mode 100644 index 0000000000..e97edf04cc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FH29_0EMQk00000CAPr3.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CF5F2.png b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CF5F2.png new file mode 100644 index 0000000000..049af317df Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CF5F2.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFDqr.png b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFDqr.png new file mode 100644 index 0000000000..292d8b37ea Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFDqr.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFFMR.png b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFFMR.png new file mode 100644 index 0000000000..cb8a8bd2e9 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFFMR.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFGrx.png b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFGrx.png new file mode 100644 index 0000000000..5d3bd0319a Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFGrx.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFHeM.png b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFHeM.png new file mode 100644 index 0000000000..937e7c61cd Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFHeM.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFJt3.png b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFJt3.png new file mode 100644 index 0000000000..88f5a86654 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWsP_0EMQk00000CFJt3.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFJt4.png b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFJt4.png new file mode 100644 index 0000000000..e193d287c2 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFJt4.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFKxE.png b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFKxE.png new file mode 100644 index 0000000000..2154b72125 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFKxE.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFMJ4.png b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFMJ4.png new file mode 100644 index 0000000000..01dd3b51d5 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFMJ4.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFMhH.png b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFMhH.png new file mode 100644 index 0000000000..78e157750c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFMhH.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFXMX.png b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFXMX.png new file mode 100644 index 0000000000..6544961ce3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFXMX.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFXrB.png b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFXrB.png new file mode 100644 index 0000000000..c8653b0bad Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWu1_0EMQk00000CFXrB.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLapa.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLapa.png new file mode 100644 index 0000000000..355659268b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLapa.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbk1.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbk1.png new file mode 100644 index 0000000000..c45adccee4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbk1.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbld.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbld.png new file mode 100644 index 0000000000..60a2f8fb01 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbld.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbnG.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbnG.png new file mode 100644 index 0000000000..fa5142a5aa Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbnG.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbor.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbor.png new file mode 100644 index 0000000000..8d8be96abb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbor.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbqT.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbqT.png new file mode 100644 index 0000000000..5399279b15 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbqT.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbs5.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbs5.png new file mode 100644 index 0000000000..e7dcf5ba63 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbs5.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbth.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbth.png new file mode 100644 index 0000000000..521d963112 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbth.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbvJ.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbvJ.png new file mode 100644 index 0000000000..1a86b5b443 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbvJ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbwv.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbwv.png new file mode 100644 index 0000000000..ff29859e8e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbwv.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbyX.png b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbyX.png new file mode 100644 index 0000000000..78d85fed7b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FWvd_0EMQk00000CLbyX.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FX3h_0EMQk00000CMSQA.png b/docs/kb/directorymanager/images/ka0Qk000000FX3h_0EMQk00000CMSQA.png new file mode 100644 index 0000000000..34cd7b62a0 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FX3h_0EMQk00000CMSQA.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FX3h_0EMQk00000CMbrd.png b/docs/kb/directorymanager/images/ka0Qk000000FX3h_0EMQk00000CMbrd.png new file mode 100644 index 0000000000..deb89d8234 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FX3h_0EMQk00000CMbrd.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FX3h_0EMQk00000CMby5.png b/docs/kb/directorymanager/images/ka0Qk000000FX3h_0EMQk00000CMby5.png new file mode 100644 index 0000000000..8c42954d29 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FX3h_0EMQk00000CMby5.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FX8X_0EMQk00000CMgGD.png b/docs/kb/directorymanager/images/ka0Qk000000FX8X_0EMQk00000CMgGD.png new file mode 100644 index 0000000000..c14e72d574 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FX8X_0EMQk00000CMgGD.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FX8X_0EMQk00000CMhAf.png b/docs/kb/directorymanager/images/ka0Qk000000FX8X_0EMQk00000CMhAf.png new file mode 100644 index 0000000000..90a8275d30 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FX8X_0EMQk00000CMhAf.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FXDN_0EMQk00000CMxfF.png b/docs/kb/directorymanager/images/ka0Qk000000FXDN_0EMQk00000CMxfF.png new file mode 100644 index 0000000000..68af3f0a46 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FXDN_0EMQk00000CMxfF.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FXDN_0EMQk00000CMxk5.png b/docs/kb/directorymanager/images/ka0Qk000000FXDN_0EMQk00000CMxk5.png new file mode 100644 index 0000000000..45386f922c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FXDN_0EMQk00000CMxk5.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxHL4.png b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxHL4.png new file mode 100644 index 0000000000..b29c4085a9 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxHL4.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxIu1.png b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxIu1.png new file mode 100644 index 0000000000..78b41545d3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxIu1.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxMhJ.png b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxMhJ.png new file mode 100644 index 0000000000..58dd68b329 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxMhJ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxMpN.png b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxMpN.png new file mode 100644 index 0000000000..0a083420d3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxMpN.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxMuD.png b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxMuD.png new file mode 100644 index 0000000000..9b1393d19f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxMuD.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxOMY.png b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxOMY.png new file mode 100644 index 0000000000..b29c4085a9 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxOMY.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxQsz.png b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxQsz.png new file mode 100644 index 0000000000..f582148a0b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxQsz.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxR5t.png b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxR5t.png new file mode 100644 index 0000000000..17535f4dd0 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FXID_0EMQk00000BxR5t.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXDVr.png b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXDVr.png new file mode 100644 index 0000000000..f25a50df4e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXDVr.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXERv.png b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXERv.png new file mode 100644 index 0000000000..32dd7b2d09 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXERv.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXJRa.png b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXJRa.png new file mode 100644 index 0000000000..07c5a2a5b9 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXJRa.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXJoA.png b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXJoA.png new file mode 100644 index 0000000000..448b7313e6 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXJoA.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXMm1.png b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXMm1.png new file mode 100644 index 0000000000..fd84e6a02c Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXMm1.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXOhQ.png b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXOhQ.png new file mode 100644 index 0000000000..15aafd7477 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FYxR_0EMQk00000CXOhQ.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR6ws.png b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR6ws.png new file mode 100644 index 0000000000..8215ffbbe3 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR6ws.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR7bC.png b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR7bC.png new file mode 100644 index 0000000000..5a9e50f320 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR7bC.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR7mU.png b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR7mU.png new file mode 100644 index 0000000000..8d8be96abb Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR7mU.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8Dt.png b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8Dt.png new file mode 100644 index 0000000000..c45adccee4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8Dt.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8Du.png b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8Du.png new file mode 100644 index 0000000000..e75e3bb73e Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8Du.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8FV.png b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8FV.png new file mode 100644 index 0000000000..254c52a803 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8FV.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8H7.png b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8H7.png new file mode 100644 index 0000000000..50af85774f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ0f_0EMQk00000CR8H7.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPAWk.png b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPAWk.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPAWk.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPB4c.png b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPB4c.png new file mode 100644 index 0000000000..56f571f5cf Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPB4c.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPB7p.png b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPB7p.png new file mode 100644 index 0000000000..d8b685f425 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPB7p.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPB9R.png b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPB9R.png new file mode 100644 index 0000000000..799aa07d56 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPB9R.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPBB3.png b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPBB3.png new file mode 100644 index 0000000000..77d5ffed16 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPBB3.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPBCf.png b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPBCf.png new file mode 100644 index 0000000000..f67de93530 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ2H_0EMQk00000CPBCf.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPAba.png b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPAba.png new file mode 100644 index 0000000000..cea8c0b123 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPAba.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPAzl.png b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPAzl.png new file mode 100644 index 0000000000..799aa07d56 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPAzl.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB1N.png b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB1N.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB1N.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB2z.png b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB2z.png new file mode 100644 index 0000000000..0799bccf84 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB2z.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB4b.png b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB4b.png new file mode 100644 index 0000000000..d3084a81fc Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB4b.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB6D.png b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB6D.png new file mode 100644 index 0000000000..d8b685f425 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZ3t_0EMQk00000CPB6D.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAlF.png b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAlF.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAlF.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAmr.png b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAmr.png new file mode 100644 index 0000000000..6ad6167a2b Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAmr.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAoT.png b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAoT.png new file mode 100644 index 0000000000..4f9e782ec4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAoT.png differ 
diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAq5.png b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAq5.png new file mode 100644 index 0000000000..df6072fb71 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAq5.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPArh.png b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPArh.png new file mode 100644 index 0000000000..6d92fcb593 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPArh.png differ diff --git a/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAtJ.png b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAtJ.png new file mode 100644 index 0000000000..28e78439e4 Binary files /dev/null and b/docs/kb/directorymanager/images/ka0Qk000000FZNF_0EMQk00000CPAtJ.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_00836791c183.png b/docs/kb/directorymanager/images/servlet_image_00836791c183.png new file mode 100644 index 0000000000..d9dbddcc7f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_00836791c183.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_016adaeb1887.png b/docs/kb/directorymanager/images/servlet_image_016adaeb1887.png new file mode 100644 index 0000000000..370becb960 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_016adaeb1887.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_018060635225.png b/docs/kb/directorymanager/images/servlet_image_018060635225.png new file mode 100644 index 0000000000..73d9386bf6 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_018060635225.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_01944865d03d.png b/docs/kb/directorymanager/images/servlet_image_01944865d03d.png new file mode 100644 index 0000000000..c9841dcb62 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_01944865d03d.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_01ac88513b47.png b/docs/kb/directorymanager/images/servlet_image_01ac88513b47.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_01ac88513b47.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_0244ce7a37b7.png b/docs/kb/directorymanager/images/servlet_image_0244ce7a37b7.png new file mode 100644 index 0000000000..f67de93530 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_0244ce7a37b7.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_030611c3b553.png b/docs/kb/directorymanager/images/servlet_image_030611c3b553.png new file mode 100644 index 0000000000..d4bcfc0ed6 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_030611c3b553.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_05a15540dbe3.png b/docs/kb/directorymanager/images/servlet_image_05a15540dbe3.png new file mode 100644 index 0000000000..45ca96a4a1 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_05a15540dbe3.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_05bf02c09996.png b/docs/kb/directorymanager/images/servlet_image_05bf02c09996.png new file mode 100644 index 0000000000..d96efc3164 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_05bf02c09996.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_06aa583234f5.png b/docs/kb/directorymanager/images/servlet_image_06aa583234f5.png new file mode 100644 index 0000000000..4ada9f9ef3 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_06aa583234f5.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_0945c0342a68.png b/docs/kb/directorymanager/images/servlet_image_0945c0342a68.png new file mode 100644 index 0000000000..34cd7b62a0 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_0945c0342a68.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_10e331322e68.png b/docs/kb/directorymanager/images/servlet_image_10e331322e68.png new file mode 100644 index 0000000000..8167eb3c35 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_10e331322e68.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_122aab207b28.png b/docs/kb/directorymanager/images/servlet_image_122aab207b28.png new file mode 100644 index 0000000000..e1818aec4e Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_122aab207b28.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_135aec2587e8.png b/docs/kb/directorymanager/images/servlet_image_135aec2587e8.png new file mode 100644 index 0000000000..50af85774f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_135aec2587e8.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_13f57e9fa2ba.png b/docs/kb/directorymanager/images/servlet_image_13f57e9fa2ba.png new file mode 100644 index 0000000000..129325fdf2 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_13f57e9fa2ba.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_15e29be6b499.png b/docs/kb/directorymanager/images/servlet_image_15e29be6b499.png new file mode 100644 index 0000000000..734f56a854 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_15e29be6b499.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_15ff42326dc1.png b/docs/kb/directorymanager/images/servlet_image_15ff42326dc1.png new file mode 100644 index 0000000000..119c293e17 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_15ff42326dc1.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_1736a7d682a3.png b/docs/kb/directorymanager/images/servlet_image_1736a7d682a3.png new file mode 100644 index 0000000000..6b8f62bc6c Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_1736a7d682a3.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_17dfc113b856.png b/docs/kb/directorymanager/images/servlet_image_17dfc113b856.png new file mode 100644 index 0000000000..0266219080 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_17dfc113b856.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_18e10f2b3bb5.png b/docs/kb/directorymanager/images/servlet_image_18e10f2b3bb5.png new file mode 100644 index 0000000000..ab18271dbd Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_18e10f2b3bb5.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_19079df456f0.png b/docs/kb/directorymanager/images/servlet_image_19079df456f0.png new file mode 100644 index 0000000000..41b6ffa282 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_19079df456f0.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_1a6e50068bb6.png b/docs/kb/directorymanager/images/servlet_image_1a6e50068bb6.png new file mode 100644 index 0000000000..fd2e88f51b Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_1a6e50068bb6.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_1e1d75e54dc3.png b/docs/kb/directorymanager/images/servlet_image_1e1d75e54dc3.png new file mode 100644 index 0000000000..3fa7a43555 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_1e1d75e54dc3.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_1eb116ff6215.png b/docs/kb/directorymanager/images/servlet_image_1eb116ff6215.png new file mode 100644 index 0000000000..9e948779d2 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_1eb116ff6215.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_20358dd58f8b.png b/docs/kb/directorymanager/images/servlet_image_20358dd58f8b.png new file mode 100644 index 0000000000..d794e7f540 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_20358dd58f8b.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_21d548cd380a.png b/docs/kb/directorymanager/images/servlet_image_21d548cd380a.png new file mode 100644 index 0000000000..78c7d6aa98 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_21d548cd380a.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_25e6aebec8f5.png b/docs/kb/directorymanager/images/servlet_image_25e6aebec8f5.png new file mode 100644 index 0000000000..7b82fddf91 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_25e6aebec8f5.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_295917ddc060.png b/docs/kb/directorymanager/images/servlet_image_295917ddc060.png new file mode 100644 index 0000000000..bd052471aa Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_295917ddc060.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_2a6f33988aed.png b/docs/kb/directorymanager/images/servlet_image_2a6f33988aed.png new file mode 100644 index 0000000000..cb8a8bd2e9 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_2a6f33988aed.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_2b77f7b59d6c.png b/docs/kb/directorymanager/images/servlet_image_2b77f7b59d6c.png new file mode 100644 index 0000000000..e841c34ec5 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_2b77f7b59d6c.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_2c7093a91eb6.png b/docs/kb/directorymanager/images/servlet_image_2c7093a91eb6.png new file mode 100644 index 0000000000..cd426b7d00 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_2c7093a91eb6.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_2d039145ce56.png b/docs/kb/directorymanager/images/servlet_image_2d039145ce56.png new file mode 100644 index 0000000000..292d8b37ea Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_2d039145ce56.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_2deec5a8b27b.png b/docs/kb/directorymanager/images/servlet_image_2deec5a8b27b.png new file mode 100644 index 0000000000..4acbe382d7 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_2deec5a8b27b.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_300ae206ce3f.png b/docs/kb/directorymanager/images/servlet_image_300ae206ce3f.png new file mode 100644 index 0000000000..1e19f087c2 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_300ae206ce3f.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_3044fdaa3692.png b/docs/kb/directorymanager/images/servlet_image_3044fdaa3692.png new file mode 100644 index 0000000000..7b4c0fd7b8 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_3044fdaa3692.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_3296dd82de6d.png b/docs/kb/directorymanager/images/servlet_image_3296dd82de6d.png new file mode 100644 index 0000000000..e75e3bb73e Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_3296dd82de6d.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_354ef396a169.png b/docs/kb/directorymanager/images/servlet_image_354ef396a169.png new file mode 100644 index 0000000000..e7dcf5ba63 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_354ef396a169.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_369723a124a0.png b/docs/kb/directorymanager/images/servlet_image_369723a124a0.png new file mode 100644 index 0000000000..9e753cbe6a Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_369723a124a0.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_36b8c524e094.png b/docs/kb/directorymanager/images/servlet_image_36b8c524e094.png new file mode 100644 index 0000000000..4e9572ba04 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_36b8c524e094.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_3adeec70e526.png b/docs/kb/directorymanager/images/servlet_image_3adeec70e526.png new file mode 100644 index 0000000000..d8b685f425 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_3adeec70e526.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_3de32358d4ee.png b/docs/kb/directorymanager/images/servlet_image_3de32358d4ee.png new file mode 100644 index 0000000000..69569553a2 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_3de32358d4ee.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_43757b5dda2e.png b/docs/kb/directorymanager/images/servlet_image_43757b5dda2e.png new file mode 100644 index 0000000000..a7ac318322 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_43757b5dda2e.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_451a4261ce2f.png b/docs/kb/directorymanager/images/servlet_image_451a4261ce2f.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_451a4261ce2f.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_4739340f8812.png b/docs/kb/directorymanager/images/servlet_image_4739340f8812.png new file mode 100644 index 0000000000..faa351afc8 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_4739340f8812.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_488a33f61b88.png b/docs/kb/directorymanager/images/servlet_image_488a33f61b88.png new file mode 100644 index 0000000000..937e7c61cd Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_488a33f61b88.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_4909739e6c29.png b/docs/kb/directorymanager/images/servlet_image_4909739e6c29.png new file mode 100644 index 0000000000..104085b024 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_4909739e6c29.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_49eb4179d182.png b/docs/kb/directorymanager/images/servlet_image_49eb4179d182.png new file mode 100644 index 0000000000..7409e3f340 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_49eb4179d182.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_4a2ca5fd6383.png b/docs/kb/directorymanager/images/servlet_image_4a2ca5fd6383.png new file mode 100644 index 0000000000..ab5e14fb66 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_4a2ca5fd6383.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_4ab58c61f5f2.png b/docs/kb/directorymanager/images/servlet_image_4ab58c61f5f2.png new file mode 100644 index 0000000000..46e920935d Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_4ab58c61f5f2.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_4c6b4d284195.png b/docs/kb/directorymanager/images/servlet_image_4c6b4d284195.png new file mode 100644 index 0000000000..50a5d20f88 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_4c6b4d284195.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_4f1e1f462fa9.png b/docs/kb/directorymanager/images/servlet_image_4f1e1f462fa9.png new file mode 100644 index 0000000000..eaa70eed62 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_4f1e1f462fa9.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_4fe9472d99b5.png b/docs/kb/directorymanager/images/servlet_image_4fe9472d99b5.png new file mode 100644 index 0000000000..4ada9f9ef3 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_4fe9472d99b5.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_4fff323ed49a.png b/docs/kb/directorymanager/images/servlet_image_4fff323ed49a.png new file mode 100644 index 0000000000..815ed0bc10 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_4fff323ed49a.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_500ece5f2fd0.png b/docs/kb/directorymanager/images/servlet_image_500ece5f2fd0.png new file mode 100644 index 0000000000..5c084e5ea6 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_500ece5f2fd0.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_502dc35f432d.png b/docs/kb/directorymanager/images/servlet_image_502dc35f432d.png new file mode 100644 index 0000000000..60a2f8fb01 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_502dc35f432d.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_504b5dea921c.png b/docs/kb/directorymanager/images/servlet_image_504b5dea921c.png new file mode 100644 index 0000000000..0799bccf84 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_504b5dea921c.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_50ec1f1005eb.png b/docs/kb/directorymanager/images/servlet_image_50ec1f1005eb.png new file mode 100644 index 0000000000..4f9e782ec4 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_50ec1f1005eb.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_51f97ae10a3e.png b/docs/kb/directorymanager/images/servlet_image_51f97ae10a3e.png new file mode 100644 index 0000000000..54277ffc94 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_51f97ae10a3e.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_578dd5e5f5df.png b/docs/kb/directorymanager/images/servlet_image_578dd5e5f5df.png new file mode 100644 index 0000000000..7dd7998e4b Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_578dd5e5f5df.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_5a9e2c271111.png b/docs/kb/directorymanager/images/servlet_image_5a9e2c271111.png new file mode 100644 index 0000000000..deb89d8234 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_5a9e2c271111.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_5b375f305cc3.png b/docs/kb/directorymanager/images/servlet_image_5b375f305cc3.png new file mode 100644 index 0000000000..78d85fed7b Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_5b375f305cc3.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_5bbc9191a63e.png b/docs/kb/directorymanager/images/servlet_image_5bbc9191a63e.png new file mode 100644 index 0000000000..93d436b5a4 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_5bbc9191a63e.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_5c02509b695c.png b/docs/kb/directorymanager/images/servlet_image_5c02509b695c.png new file mode 100644 index 0000000000..5d3bd0319a Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_5c02509b695c.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_60f272e79bda.png b/docs/kb/directorymanager/images/servlet_image_60f272e79bda.png new file mode 100644 index 0000000000..5c6eb7c989 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_60f272e79bda.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_61b3d2b9e09a.png b/docs/kb/directorymanager/images/servlet_image_61b3d2b9e09a.png new file mode 100644 index 0000000000..c45adccee4 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_61b3d2b9e09a.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_6278e144466d.png b/docs/kb/directorymanager/images/servlet_image_6278e144466d.png new file mode 100644 index 0000000000..77d5ffed16 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_6278e144466d.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_6436205e3d96.png b/docs/kb/directorymanager/images/servlet_image_6436205e3d96.png new file mode 100644 index 0000000000..87d8c4cb8c Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_6436205e3d96.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_64c36725b5ca.png b/docs/kb/directorymanager/images/servlet_image_64c36725b5ca.png new file mode 100644 index 0000000000..6f5a4ee347 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_64c36725b5ca.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_64daa26f7e8f.png b/docs/kb/directorymanager/images/servlet_image_64daa26f7e8f.png new file mode 100644 index 0000000000..489bf6b9a1 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_64daa26f7e8f.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_677f21527b05.png b/docs/kb/directorymanager/images/servlet_image_677f21527b05.png new file mode 100644 index 0000000000..0e25ecbf48 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_677f21527b05.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_67916a8d7c9f.png b/docs/kb/directorymanager/images/servlet_image_67916a8d7c9f.png new file mode 100644 index 0000000000..18798442e1 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_67916a8d7c9f.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_68bd3ffb42de.png b/docs/kb/directorymanager/images/servlet_image_68bd3ffb42de.png new file mode 100644 index 0000000000..521d963112 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_68bd3ffb42de.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_6be283cbacf3.png b/docs/kb/directorymanager/images/servlet_image_6be283cbacf3.png new file mode 100644 index 0000000000..6ed3810378 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_6be283cbacf3.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_6e6ebdcead10.png b/docs/kb/directorymanager/images/servlet_image_6e6ebdcead10.png new file mode 100644 index 0000000000..355659268b Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_6e6ebdcead10.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_7007481a5d12.png b/docs/kb/directorymanager/images/servlet_image_7007481a5d12.png new file mode 100644 index 0000000000..559f87cf45 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_7007481a5d12.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_726f9a6cd53c.png b/docs/kb/directorymanager/images/servlet_image_726f9a6cd53c.png new file mode 100644 index 0000000000..46918936d8 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_726f9a6cd53c.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_73a87e888ba6.png b/docs/kb/directorymanager/images/servlet_image_73a87e888ba6.png new file mode 100644 index 0000000000..28e78439e4 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_73a87e888ba6.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_7513da8840d6.png b/docs/kb/directorymanager/images/servlet_image_7513da8840d6.png new file mode 100644 index 0000000000..489bf6b9a1 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_7513da8840d6.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_761bfdbbeba6.png b/docs/kb/directorymanager/images/servlet_image_761bfdbbeba6.png new file mode 100644 index 0000000000..cea8c0b123 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_761bfdbbeba6.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_796ef8c36739.png b/docs/kb/directorymanager/images/servlet_image_796ef8c36739.png new file mode 100644 index 0000000000..254c52a803 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_796ef8c36739.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_79ee3f35bad1.png b/docs/kb/directorymanager/images/servlet_image_79ee3f35bad1.png new file mode 100644 index 0000000000..df6072fb71 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_79ee3f35bad1.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_7bd539394c44.png b/docs/kb/directorymanager/images/servlet_image_7bd539394c44.png new file mode 100644 index 0000000000..6de35d3dc4 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_7bd539394c44.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_7bf69f003296.png b/docs/kb/directorymanager/images/servlet_image_7bf69f003296.png new file mode 100644 index 0000000000..2bc9c2d730 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_7bf69f003296.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_7d1f6155fe29.png b/docs/kb/directorymanager/images/servlet_image_7d1f6155fe29.png new file mode 100644 index 0000000000..d610b2e263 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_7d1f6155fe29.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_7dc3b3aa07c2.png b/docs/kb/directorymanager/images/servlet_image_7dc3b3aa07c2.png new file mode 100644 index 0000000000..f25a50df4e Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_7dc3b3aa07c2.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_7e38294b686d.png b/docs/kb/directorymanager/images/servlet_image_7e38294b686d.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_7e38294b686d.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_7e87b556674f.png b/docs/kb/directorymanager/images/servlet_image_7e87b556674f.png new file mode 100644 index 0000000000..ee93e14019 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_7e87b556674f.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_7ea6e2461c60.png b/docs/kb/directorymanager/images/servlet_image_7ea6e2461c60.png new file mode 100644 index 0000000000..18e706580e Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_7ea6e2461c60.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_7ef0789252e7.png b/docs/kb/directorymanager/images/servlet_image_7ef0789252e7.png new file mode 100644 index 0000000000..0a526d7f39 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_7ef0789252e7.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_8105d4d50a18.png b/docs/kb/directorymanager/images/servlet_image_8105d4d50a18.png new file mode 100644 index 0000000000..0f726777d7 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_8105d4d50a18.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_838afdd9728e.png b/docs/kb/directorymanager/images/servlet_image_838afdd9728e.png new file mode 100644 index 0000000000..e2c5d72151 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_838afdd9728e.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_8426237cde8a.png b/docs/kb/directorymanager/images/servlet_image_8426237cde8a.png new file mode 100644 index 0000000000..73bec0c67a Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_8426237cde8a.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_84e4d97f9492.png b/docs/kb/directorymanager/images/servlet_image_84e4d97f9492.png new file mode 100644 index 0000000000..799aa07d56 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_84e4d97f9492.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_891532e4d16b.png b/docs/kb/directorymanager/images/servlet_image_891532e4d16b.png new file mode 100644 index 0000000000..8d8be96abb Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_891532e4d16b.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_8bb1521513c5.png b/docs/kb/directorymanager/images/servlet_image_8bb1521513c5.png new file mode 100644 index 0000000000..fa5142a5aa Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_8bb1521513c5.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_8d67195abd0f.png b/docs/kb/directorymanager/images/servlet_image_8d67195abd0f.png new file mode 100644 index 0000000000..a60e0af55c Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_8d67195abd0f.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_8d7ae7d88783.png b/docs/kb/directorymanager/images/servlet_image_8d7ae7d88783.png new file mode 100644 index 0000000000..6f95bbe9cf Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_8d7ae7d88783.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_8d96cfd05aa6.png b/docs/kb/directorymanager/images/servlet_image_8d96cfd05aa6.png new file mode 100644 index 0000000000..4dcac30049 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_8d96cfd05aa6.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_8fb082a3afc1.png b/docs/kb/directorymanager/images/servlet_image_8fb082a3afc1.png new file mode 100644 index 0000000000..d3d8084233 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_8fb082a3afc1.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_9047bdcaeea4.png b/docs/kb/directorymanager/images/servlet_image_9047bdcaeea4.png new file mode 100644 index 0000000000..2fac20b0f2 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_9047bdcaeea4.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_91b42553a485.png b/docs/kb/directorymanager/images/servlet_image_91b42553a485.png new file mode 100644 index 0000000000..049af317df Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_91b42553a485.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_940193d7017a.png b/docs/kb/directorymanager/images/servlet_image_940193d7017a.png new file mode 100644 index 0000000000..be782508b7 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_940193d7017a.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_965115af01f6.png b/docs/kb/directorymanager/images/servlet_image_965115af01f6.png new file mode 100644 index 0000000000..3add277963 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_965115af01f6.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_96e97acfbe1a.png b/docs/kb/directorymanager/images/servlet_image_96e97acfbe1a.png new file mode 100644 index 0000000000..ace6348d4d Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_96e97acfbe1a.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_99702efd2852.png b/docs/kb/directorymanager/images/servlet_image_99702efd2852.png new file mode 100644 index 0000000000..32dd7b2d09 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_99702efd2852.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_9a4475fa8080.png b/docs/kb/directorymanager/images/servlet_image_9a4475fa8080.png new file mode 100644 index 0000000000..d3084a81fc Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_9a4475fa8080.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_9e904c20e782.png b/docs/kb/directorymanager/images/servlet_image_9e904c20e782.png new file mode 100644 index 0000000000..5399279b15 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_9e904c20e782.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_9f107e1beec8.png b/docs/kb/directorymanager/images/servlet_image_9f107e1beec8.png new file mode 100644 index 0000000000..7ca581494b Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_9f107e1beec8.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_9ff27edc1467.png b/docs/kb/directorymanager/images/servlet_image_9ff27edc1467.png new file mode 100644 index 0000000000..7cd727a426 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_9ff27edc1467.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_a1edb8bd189c.png b/docs/kb/directorymanager/images/servlet_image_a1edb8bd189c.png new file mode 100644 index 0000000000..95fd9ee857 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_a1edb8bd189c.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_a379d546d249.png b/docs/kb/directorymanager/images/servlet_image_a379d546d249.png new file mode 100644 index 0000000000..a37dba8211 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_a379d546d249.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_a3ec24f5f973.png b/docs/kb/directorymanager/images/servlet_image_a3ec24f5f973.png new file mode 100644 index 0000000000..fc92b62414 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_a3ec24f5f973.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_a56a10d1994f.png b/docs/kb/directorymanager/images/servlet_image_a56a10d1994f.png new file mode 100644 index 0000000000..c45adccee4 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_a56a10d1994f.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_a5bc912f4356.png b/docs/kb/directorymanager/images/servlet_image_a5bc912f4356.png new file mode 100644 index 0000000000..ccda712bf4 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_a5bc912f4356.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_a71427568143.png b/docs/kb/directorymanager/images/servlet_image_a71427568143.png new file mode 100644 index 0000000000..e89b3c5d2c Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_a71427568143.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_a71488556914.png b/docs/kb/directorymanager/images/servlet_image_a71488556914.png new file mode 100644 index 0000000000..448b7313e6 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_a71488556914.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_a910fcc95e21.png b/docs/kb/directorymanager/images/servlet_image_a910fcc95e21.png new file mode 100644 index 0000000000..5a9e50f320 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_a910fcc95e21.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_ab6741dc126d.png b/docs/kb/directorymanager/images/servlet_image_ab6741dc126d.png new file mode 100644 index 0000000000..2a7820463c Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_ab6741dc126d.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_abc59d241180.png b/docs/kb/directorymanager/images/servlet_image_abc59d241180.png new file mode 100644 index 0000000000..7c80898383 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_abc59d241180.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_adda9f41da45.png b/docs/kb/directorymanager/images/servlet_image_adda9f41da45.png new file mode 100644 index 0000000000..faa9f49b03 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_adda9f41da45.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_afa10e0d547c.png b/docs/kb/directorymanager/images/servlet_image_afa10e0d547c.png new file mode 100644 index 0000000000..a2a14f8be3 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_afa10e0d547c.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b00de8ab7e53.png b/docs/kb/directorymanager/images/servlet_image_b00de8ab7e53.png new file mode 100644 index 0000000000..8db24e8f8d Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b00de8ab7e53.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b130add9b1b8.png b/docs/kb/directorymanager/images/servlet_image_b130add9b1b8.png new file mode 100644 index 0000000000..0f476814bc Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b130add9b1b8.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_b2185e961102.png b/docs/kb/directorymanager/images/servlet_image_b2185e961102.png new file mode 100644 index 0000000000..c0d5553944 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b2185e961102.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b39297dbcafb.png b/docs/kb/directorymanager/images/servlet_image_b39297dbcafb.png new file mode 100644 index 0000000000..3bddaf1595 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b39297dbcafb.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b3b231c5084a.png b/docs/kb/directorymanager/images/servlet_image_b3b231c5084a.png new file mode 100644 index 0000000000..22743ea2bc Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b3b231c5084a.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b4288b973d3e.png b/docs/kb/directorymanager/images/servlet_image_b4288b973d3e.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b4288b973d3e.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b50d7c6bf441.png b/docs/kb/directorymanager/images/servlet_image_b50d7c6bf441.png new file mode 100644 index 0000000000..88f5a86654 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b50d7c6bf441.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b53acb02887b.png b/docs/kb/directorymanager/images/servlet_image_b53acb02887b.png new file mode 100644 index 0000000000..96885a78cc Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b53acb02887b.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_b6a9390d6813.png b/docs/kb/directorymanager/images/servlet_image_b6a9390d6813.png new file mode 100644 index 0000000000..459ff08513 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b6a9390d6813.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b6c33ded2ece.png b/docs/kb/directorymanager/images/servlet_image_b6c33ded2ece.png new file mode 100644 index 0000000000..1a86b5b443 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b6c33ded2ece.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b71a7e7e6175.png b/docs/kb/directorymanager/images/servlet_image_b71a7e7e6175.png new file mode 100644 index 0000000000..1cf15a7234 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b71a7e7e6175.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b77e450ac65f.png b/docs/kb/directorymanager/images/servlet_image_b77e450ac65f.png new file mode 100644 index 0000000000..fd84e6a02c Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b77e450ac65f.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_b8596528bf6f.png b/docs/kb/directorymanager/images/servlet_image_b8596528bf6f.png new file mode 100644 index 0000000000..87d057f7aa Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_b8596528bf6f.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_bdbdf11e3bd5.png b/docs/kb/directorymanager/images/servlet_image_bdbdf11e3bd5.png new file mode 100644 index 0000000000..07c5a2a5b9 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_bdbdf11e3bd5.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_be23d68c0d2d.png b/docs/kb/directorymanager/images/servlet_image_be23d68c0d2d.png new file mode 100644 index 0000000000..f0977c36cd Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_be23d68c0d2d.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_bea9d9e7e94f.png b/docs/kb/directorymanager/images/servlet_image_bea9d9e7e94f.png new file mode 100644 index 0000000000..27a29fd54f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_bea9d9e7e94f.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_bf59e4f45fbe.png b/docs/kb/directorymanager/images/servlet_image_bf59e4f45fbe.png new file mode 100644 index 0000000000..90dc440dfd Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_bf59e4f45fbe.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_c081b14fe448.png b/docs/kb/directorymanager/images/servlet_image_c081b14fe448.png new file mode 100644 index 0000000000..50a5d20f88 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_c081b14fe448.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_c1786baac3a4.png b/docs/kb/directorymanager/images/servlet_image_c1786baac3a4.png new file mode 100644 index 0000000000..6d92fcb593 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_c1786baac3a4.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_c303f69db518.png b/docs/kb/directorymanager/images/servlet_image_c303f69db518.png new file mode 100644 index 0000000000..799aa07d56 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_c303f69db518.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_c404394cf047.png b/docs/kb/directorymanager/images/servlet_image_c404394cf047.png new file mode 100644 index 0000000000..46b2500d6f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_c404394cf047.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_c6499369f442.png b/docs/kb/directorymanager/images/servlet_image_c6499369f442.png new file mode 100644 index 0000000000..ce670badf3 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_c6499369f442.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_c76c90a0473d.png b/docs/kb/directorymanager/images/servlet_image_c76c90a0473d.png new file mode 100644 index 0000000000..8a19824fcc Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_c76c90a0473d.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_c8b480052254.png b/docs/kb/directorymanager/images/servlet_image_c8b480052254.png new file mode 100644 index 0000000000..8215ffbbe3 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_c8b480052254.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_ce789c2367af.png b/docs/kb/directorymanager/images/servlet_image_ce789c2367af.png new file mode 100644 index 0000000000..bc1970c733 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_ce789c2367af.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_d0599b0659d9.png b/docs/kb/directorymanager/images/servlet_image_d0599b0659d9.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_d0599b0659d9.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_d426e93f625f.png b/docs/kb/directorymanager/images/servlet_image_d426e93f625f.png new file mode 100644 index 0000000000..8d8be96abb Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_d426e93f625f.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_d7588ec323eb.png b/docs/kb/directorymanager/images/servlet_image_d7588ec323eb.png new file mode 100644 index 0000000000..6ad6167a2b Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_d7588ec323eb.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_d9dc4fb1bb54.png b/docs/kb/directorymanager/images/servlet_image_d9dc4fb1bb54.png new file mode 100644 index 0000000000..bb59b37e60 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_d9dc4fb1bb54.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_db2c962d57bb.png b/docs/kb/directorymanager/images/servlet_image_db2c962d57bb.png new file mode 100644 index 0000000000..e97edf04cc Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_db2c962d57bb.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_db963bd15765.png b/docs/kb/directorymanager/images/servlet_image_db963bd15765.png new file mode 100644 index 0000000000..acaabd9601 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_db963bd15765.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_dfe447cf1c8d.png b/docs/kb/directorymanager/images/servlet_image_dfe447cf1c8d.png new file mode 100644 index 0000000000..2f99964537 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_dfe447cf1c8d.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_e19f8454e124.png b/docs/kb/directorymanager/images/servlet_image_e19f8454e124.png new file mode 100644 index 0000000000..a86f7aece6 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_e19f8454e124.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_e31014343ee8.png b/docs/kb/directorymanager/images/servlet_image_e31014343ee8.png new file mode 100644 index 0000000000..c3c88de16f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_e31014343ee8.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_e3be8f49fd6c.png b/docs/kb/directorymanager/images/servlet_image_e3be8f49fd6c.png new file mode 100644 index 0000000000..56f571f5cf Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_e3be8f49fd6c.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_e3c8f74e9668.png b/docs/kb/directorymanager/images/servlet_image_e3c8f74e9668.png new file mode 100644 index 0000000000..0d3b01e957 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_e3c8f74e9668.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_e903c0799efe.png b/docs/kb/directorymanager/images/servlet_image_e903c0799efe.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_e903c0799efe.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_e9f53029c2da.png b/docs/kb/directorymanager/images/servlet_image_e9f53029c2da.png new file mode 100644 index 0000000000..3928bdcb14 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_e9f53029c2da.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_eaba61cfe7f3.png b/docs/kb/directorymanager/images/servlet_image_eaba61cfe7f3.png new file mode 100644 index 0000000000..dad21c0cce Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_eaba61cfe7f3.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_ec5344a64c08.png b/docs/kb/directorymanager/images/servlet_image_ec5344a64c08.png new file mode 100644 index 0000000000..2992e0dd93 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_ec5344a64c08.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_ed2e03f398de.png b/docs/kb/directorymanager/images/servlet_image_ed2e03f398de.png new file mode 100644 index 0000000000..d8b685f425 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_ed2e03f398de.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_ee5a12572184.png b/docs/kb/directorymanager/images/servlet_image_ee5a12572184.png new file mode 100644 index 0000000000..f02996be4b Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_ee5a12572184.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_f0713f2e8798.png b/docs/kb/directorymanager/images/servlet_image_f0713f2e8798.png new file mode 100644 index 0000000000..20b7f8fc22 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_f0713f2e8798.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_f33ddc126856.png b/docs/kb/directorymanager/images/servlet_image_f33ddc126856.png new file mode 100644 index 0000000000..8c42954d29 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_f33ddc126856.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_f34d9d36e6d5.png b/docs/kb/directorymanager/images/servlet_image_f34d9d36e6d5.png new file mode 100644 index 0000000000..934645aae1 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_f34d9d36e6d5.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_f5da28b187d5.png b/docs/kb/directorymanager/images/servlet_image_f5da28b187d5.png new file mode 100644 index 0000000000..bfd2622ca8 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_f5da28b187d5.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_f6521717eb4e.png b/docs/kb/directorymanager/images/servlet_image_f6521717eb4e.png new file mode 100644 index 0000000000..5c6eb7c989 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_f6521717eb4e.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_f80fc6a9eeb4.png b/docs/kb/directorymanager/images/servlet_image_f80fc6a9eeb4.png new file mode 100644 index 0000000000..9c34c4b687 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_f80fc6a9eeb4.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_f8caf3dfb1cd.png b/docs/kb/directorymanager/images/servlet_image_f8caf3dfb1cd.png new file mode 100644 index 0000000000..d78a0b38d7 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_f8caf3dfb1cd.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_f94cfcef3b0f.png b/docs/kb/directorymanager/images/servlet_image_f94cfcef3b0f.png new file mode 100644 index 0000000000..ff29859e8e Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_f94cfcef3b0f.png differ 
diff --git a/docs/kb/directorymanager/images/servlet_image_fa32d45335a0.png b/docs/kb/directorymanager/images/servlet_image_fa32d45335a0.png new file mode 100644 index 0000000000..15aafd7477 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_fa32d45335a0.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_fa88114e05d0.png b/docs/kb/directorymanager/images/servlet_image_fa88114e05d0.png new file mode 100644 index 0000000000..e209a3af8d Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_fa88114e05d0.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_fbce595e5d1b.png b/docs/kb/directorymanager/images/servlet_image_fbce595e5d1b.png new file mode 100644 index 0000000000..44f1775d99 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_fbce595e5d1b.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_fcd2d3f5505b.png b/docs/kb/directorymanager/images/servlet_image_fcd2d3f5505b.png new file mode 100644 index 0000000000..c6e8f76226 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_fcd2d3f5505b.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_fe3a35826be4.png b/docs/kb/directorymanager/images/servlet_image_fe3a35826be4.png new file mode 100644 index 0000000000..d09bdf18a2 Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_fe3a35826be4.png differ diff --git a/docs/kb/directorymanager/images/servlet_image_fea3fbed856a.png b/docs/kb/directorymanager/images/servlet_image_fea3fbed856a.png new file mode 100644 index 0000000000..c94558d7ba Binary files /dev/null and b/docs/kb/directorymanager/images/servlet_image_fea3fbed856a.png differ diff --git a/docs/kb/directorymanager/increase_the_idle_timeout_duration_in_v11.md b/docs/kb/directorymanager/increase_the_idle_timeout_duration_in_v11.md new file mode 100644 index 0000000000..98917e155c --- /dev/null 
+++ b/docs/kb/directorymanager/increase_the_idle_timeout_duration_in_v11.md 
@@ -0,0 +1,50 @@ +--- +description: >- + This article explains how to update the session timeout settings for Netwrix Directory Manager Portal and Directory Manager Security Service by modifying the timeout parameter in the relevant appsettings.json files. +keywords: + - timeout settings + - Netwrix Directory Manager + - appsettings.json +sidebar_label: Increase Idle Timeout Duration +tags: [] +title: "Increase the Idle Timeout Duration in V11" +knowledge_article_id: kA0Qk0000002JjJKAU +products: + - directory-manager +--- + +# Increase the Idle Timeout Duration in V11 + +## Related Queries + +- "In order to update the portal timeout settings, change/update the timeout values in the following files:" +- "How to change Directory Manager portal timeout" + +## Overview + +This article explains how to update the session timeout settings for **Netwrix Directory Manager** (formerly **GroupID**) Portal and **Directory Manager Security Service** by modifying the `timeout` parameter in the relevant `appsettings.json` files. An IIS reset is required for the changes to take effect. + +## Instructions + +1. Open the following file in a text editor: + `X:\Program Files\Imanami\GroupID 11.0\GroupIDSecurityService\Inetpub\GroupIDSecurityService\Web\appsettings.json` + +2. Locate the **timeout** parameter. + +3. The value is in **seconds**. The default is **1200** (20 minutes). + +4. Update the value as needed. + +5. Open the following file in a text editor: + `X:\Program Files\Imanami\GroupID 11.0\GroupIDPortal\Inetpub\GroupIDPortal\Web\appsettings.json` + +6. Locate the **timeout** parameter. + +7. The value is in **minutes**. The default is **20**. + +8. Update the value as needed. + +9. After saving your changes, perform an IIS reset to apply the new timeout settings. + +> **IMPORTANT:** Always back up the `appsettings.json` files before making any changes. +> Here the X denotes the installation drive of **Directory Manager**. 
The timeout values in the two files use different units (seconds and minutes). Ensure you set the correct value in each file. \ No newline at end of file diff --git a/docs/kb/directorymanager/invoke-management-shell-from-powershell-7-in-v11.md b/docs/kb/directorymanager/invoke-management-shell-from-powershell-7-in-v11.md new file mode 100644 index 0000000000..6722e6d021 --- /dev/null +++ b/docs/kb/directorymanager/invoke-management-shell-from-powershell-7-in-v11.md 
@@ -0,0 +1,68 @@ +--- +description: >- + Shows how to remotely invoke the Management Shell from PowerShell 7 for + Netwrix Directory Manager v11 by establishing a remote session, importing + modules, and connecting to an Identity Store using credentials. +keywords: + - powershell7 + - management shell + - remote session + - netwrix directory manager + - identity store + - Connect-IdentityStore + - Import-PSSession + - New-PSSession +products: + - directory-manager +sidebar_label: Invoke Management Shell from PowerShell 7 in v11 +tags: [] +title: "Invoke Management Shell from PowerShell 7 in v11" +knowledge_article_id: kA0Qk00000015QfKAI +--- + +# Invoke Management Shell from PowerShell 7 in v11 + +## Applies To +Netwrix Directory Manager 11 + +## Overview +This article explains how to remotely invoke the Management Shell from PowerShell 7 in Netwrix Directory Manager version 11. It covers the process of establishing a remote session, importing the necessary modules, and connecting to an Identity Store using credentials. This method allows you to run Netwrix Directory Manager cmdlets in PowerShell 7 without directly signing into the Netwrix Directory Manager server. + +## Instructions +Follow the steps below to remotely connect to the Management Shell: + +1. Open **PowerShell 7** as an Administrator. +2. Enter the following cmdlet and update the placeholders with the correct values: + +- `DOMAIN\USERNAME` – Replace with the domain and username of your account. +- `USER-PASSWORD` – Replace with your actual password (in plain text). +- `YOUR MACHINE NAME HERE` – Replace with the name of the Directory Manager server. +- `IDENTITYSTOREID HERE` – Replace with the appropriate Identity Store ID. 
+ +```powershell +$username = "DOMAIN\USERNAME" +$pass = ConvertTo-SecureString "USER-PASSWORD" -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential ($username, $pass) +$s = New-PSSession -ComputerName "YOUR MACHINE NAME HERE" -Credential $Cred -ConfigurationName PowerShell.7 + +Invoke-Command -Session $s -ScriptBlock { + $srcu = [reflection.assembly]::LoadFrom('C:\Program Files\PowerShell\7\System.Windows.Forms.dll') + $OnAssemblyResolve = [System.ResolveEventHandler] { + param($sender, $e) + if ($e.Name -like "System.Windows.Forms, Version=*") { + return $srcu + } + return $null + } + [System.AppDomain]::CurrentDomain.add_AssemblyResolve($OnAssemblyResolve) + $reg = Get-ItemProperty -Path HKLM:SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\Imanami.Groups.Management.PowerShell.Admin11 + $appbase = $reg.ApplicationBase + Import-Module -Name "$appbase\GroupIDManagementShell\bin\Imanami.GroupID.Management.dll" + Set-ModulePath -ModulePath "$appbase\GroupIDManagementShell\bin" +} + +Import-PSSession -Session $s -Type cmdlet -AllowClobber +Connect-IdentityStore -mode "2" -IdentityStoreID "IDENTITYSTOREID HERE" -Credential $Cred +``` + +3. Once the script completes, a remote session will be established. This allows you to run Netwrix Directory Manager cmdlets in PowerShell 7 without logging directly into the Netwrix Directory Manager server. diff --git a/docs/kb/directorymanager/limit-users-to-create-new-objects-in-specified-containers.md b/docs/kb/directorymanager/limit-users-to-create-new-objects-in-specified-containers.md new file mode 100644 index 0000000000..a6f0624068 --- /dev/null +++ b/docs/kb/directorymanager/limit-users-to-create-new-objects-in-specified-containers.md 
@@ -0,0 +1,71 @@ +--- +description: >- + Shows how to limit users so they can create new directory objects only in + specified containers by applying the New Object policy to security roles in + Netwrix Directory Manager. Includes steps for configuring the policy and + expected results in Automate and Self-Service portals. +keywords: + - Netwrix Directory Manager + - New Object policy + - security roles + - containers + - organizational units + - create objects + - Automate + - Self-Service + - groups + - contacts +products: + - directory-manager +sidebar_label: Limit Users to Create New Objects in Specified Con +tags: [] +title: "Limit Users to Create New Objects in Specified Containers" +knowledge_article_id: kA0Qk0000002Jo9KAE +--- + +# Limit Users to Create New Objects in Specified Containers + +## Overview + +This article explains how to limit users to creating new objects only in specified containers in Netwrix Directory Manager. By applying the **New Object** policy to security roles, you can restrict where users are allowed to create groups, mailboxes, and other directory objects. + +## Instructions + +1. In the Directory Manager Management Console, click the **Identity Stores** node. +2. On the **Identity Stores** tab, double-click the required identity store to open its properties. +3. On the **Security Roles** tab, select a role to manage its policies and click **Edit**. +4. On the properties page, click the **Policies** tab then click **New Object** in the left pane. +5. Choose one of the following options: + + - **Limit role members to create objects only in their own containers:** + 1. Select the **Users can create objects only in their own containers** check box. + 2. The **Select Container** option will be disabled when role members create new objects. + + - **Specify a container for an object type:** + 1. Select the object type you want to specify a container for. The arrow for the selected object will point downward. + 2. Click **Add**. + 3. 
In the **Select Container** dialog box, select one or more containers where role members can create the selected object type. If the selected container is a parent, child containers are automatically selected; you can unselect child containers if needed. Role members will only see the selected containers when creating new objects and can choose the desired container. + 4. Click **OK**. + +6. Click **Apply** and then **OK** on the **New Object** page. + +![New Object policy configuration in Directory Manager](images/ka0Qk000000EZFd_0EMQk00000BuMdp.png) + +> **NOTE:** Removing all containers for an object type means the New Object policy no longer applies to that object type, and users can create the object in any OU in the identity store. + +## Expected Results + +With the New Object policy applied, role members can create new objects only in the specified containers. + +### In Automate + +- On the **Group Options** page of the **New Group** wizard, users can view and select only the specified OUs for new group creation. + ![OU selection in Automate New Group wizard](images/ka0Qk000000EZFd_0EMQk00000BuMYz.png) + +### In the Self-Service portal + +- On the **General** page of the **Create Group** wizard, users can view and select only the specified OUs for new group creation. + ![OU selection in Self-Service Create Group wizard](images/ka0Qk000000EZFd_0EMQk00000BuMab.png) + +- On the **Account** page of the **Create Contact** wizard, users can view and select only the specified OUs for new contact creation. + ![OU selection in Self-Service Create Contact wizard](images/ka0Qk000000EZFd_0EMQk00000BuMcD.png) diff --git a/docs/kb/directorymanager/linking-directory-manager-processes-with-microsoft-flow.md b/docs/kb/directorymanager/linking-directory-manager-processes-with-microsoft-flow.md new file mode 100644 index 0000000000..4d894e0ff5 --- /dev/null +++ b/docs/kb/directorymanager/linking-directory-manager-processes-with-microsoft-flow.md 
@@ -0,0 +1,69 @@ +--- +description: >- + Show how to trigger operations in Netwrix Directory Manager from Microsoft + Flow by creating a custom connector, retrieving client credentials, and + importing the GroupIDConnector.swagger.json file. +keywords: + - Netwrix Directory Manager + - Microsoft Flow + - custom connector + - GroupIDConnector.swagger.json + - client id + - client secret + - identity store + - automation +products: + - directory-manager +visibility: public +sidebar_label: Linking Directory Manager Processes with Microsoft +tags: [] +title: "Linking Directory Manager Processes with Microsoft" +knowledge_article_id: kA0Qk00000015k1KAA +--- + +# Linking Directory Manager Processes with Microsoft + +## Overview + +This article explains how you can trigger operations in Netwrix Directory Manager from Microsoft Flow (MS Flow). By linking Directory Manager operations to MS Flow, you can automate tasks and simplify business functions, ensuring they execute in a set order without manual intervention. + +Netwrix Directory Manager supports moving groups between organizational units (OUs) or domains within the identity store. By linking the **Disable_User_Accounts** flow in MS Flow to the **Move a Group to a Different Container** function in Directory Manager, groups with disabled owners can be automatically moved to a specified container when the flow runs. + +To achieve this, define a custom connector in MS Flow and use it within the **Disable_User_Accounts** flow. This connector enables the following operations in Directory Manager: + +- Create a user +- Create a group +- Expire a group +- Update a Smart Group or Dynasty +- Move a group to a different container +- Renew a group + +Once linked, the configured operation triggers automatically when the flow runs. 
+ +## Instructions + +### Step 1: Create a Custom Connector in Microsoft Flow + +Refer to the official Microsoft documentation to create a custom connector in MS Flow: [Create a Custom Connector from Scratch ⸱ Microsoft](https://docs.microsoft.com/en-us/connectors/custom-connectors/define-blank). + +During setup, you must enter the **Client ID** and **Client Secret** and import the `GroupIDConnector.swagger.json` file. + +![Security page showing fields for Client ID and Client Secret](images/ka0Qk000000DS6X_0EMQk000004nFgL.png) + +### Step 2: Retrieve the Client ID, Secret, and Swagger File + +1. In Directory Manager Management Console, click the **Identity Stores** node. +2. On the **Identity Stores** tab, double-click the identity store you want to link to MS Flow. +3. On the **Workflow** tab in identity store properties, click the **MS Flow** link. + +![Workflow tab showing Microsoft Flow link](images/ka0Qk000000DS6X_0EMQk000004nFgM.png) + +4. Click the copy button next to **MS Flow Client ID** to copy the client ID to the clipboard, then paste the ID in the **Client ID** box in MS Flow. +5. Click the copy button next to **MS Flow Client Secret** to copy the client secret (password) to the clipboard, then paste this password in the **Client Secret** box in MS Flow. +6. In addition, import the `GroupIDConnector.swagger.json` file from the Directory Manager installation directory, located at: + + ` [Directory Manager installation directory]\Imanami\GroupID 11.0\Automate\GroupIDConnector\` + + > **NOTE:** The default path is `C:\Program Files\Imanami\GroupID 11.0\Automate\GroupIDConnector\`. This path may vary depending on your environment. + +7. Complete the process to create the connector in MS Flow. diff --git a/docs/kb/directorymanager/manage-elastic-repository-on-a-separate-instance-with-v11.md b/docs/kb/directorymanager/manage-elastic-repository-on-a-separate-instance-with-v11.md new file mode 100644 index 0000000000..848e5308e3 --- /dev/null 
+++ b/docs/kb/directorymanager/manage-elastic-repository-on-a-separate-instance-with-v11.md 
@@ -0,0 +1,68 @@ +--- +description: >- + Shows how to install and configure Elasticsearch on a separate machine for use + with Netwrix Directory Manager 11, including installing it as a Windows + service and configuring the product to use the external instance. +keywords: + - elasticsearch + - elastic repository + - Netwrix Directory Manager + - GroupID + - install Elasticsearch + - elasticsearch-service + - elasticsearch-reset-password + - Windows service +products: + - directory-manager +sidebar_label: Manage Elastic Repository on a Separate Instance w +tags: [] +title: "Manage Elastic Repository on a Separate Instance with V11" +knowledge_article_id: kA0Qk00000015nFKAQ +--- + +# Manage Elastic Repository on a Separate Instance with V11 + +## Applies To +Netwrix Directory Manager 11 + +## Question +Is it possible to manage the Elastic repository on a separate instance in Netwrix Directory Manager (formerly GroupID) 11? + +## Answer +Yes, this is possible. To improve performance and manageability, you can install and configure Elasticsearch on a separate machine for use with Netwrix Directory Manager 11. Follow the steps below to complete the setup. + +### Prerequisites +- Ensure that **Java 11 or higher** is installed. You can verify this by running `java -version` in Command Prompt (CMD). +- If you're installing Elasticsearch version 8.12 or later, Java installation is not required. +- Install a separate box for Elasticsearch for elastic repository management. + +### Instructions +1. Install Elasticsearch on a separate machine by downloading the latest version from the official website. +2. Extract the package and open CMD. +3. Navigate to the `bin` directory and run `elasticsearch.bat`. + ![Steps 1-3 in CMD](images/ka0Qk000000DSPt_0EMQk00000C0zmA.png) +4. Take note of the **username** and **password** provided upon successful installation. 
You may keep the password provided, but if you would like to reset the password, run the command below: + +```bat +bin/elasticsearch-reset-password -u elastic +``` + +5. Access Elasticsearch via browser to confirm it is running. + +> **NOTE:** If you run `elasticsearch.bat` in CMD without installing it as a service, Elasticsearch will stop running when the CMD window is closed. To keep it running independently, follow the next steps to install Elasticsearch as a Windows service. + +1. To install Elasticsearch as a Windows service, run: + +```bat +elasticsearch-service.bat install +``` + +in CMD. Let the installation complete. +2. Open `services.msc`, find **elasticsearch-service-x64**, set **Startup Type** to **Automatic**, and start the service. +3. Verify Elasticsearch is running by navigating to the service URL in your browser. +4. On the Netwrix Directory Manager server, open the **Netwrix Directory Manager Configuration Tool**. When prompted, select **I will install and manage Elastic myself**. +5. Enter the **URL** and **credentials** for the separate Elasticsearch machine. + ![GroupID Config Tool](images/ka0Qk000000DSPt_0EMQk00000C15Bd.png) +6. Complete the remaining configuration steps to finalize the setup. + +Once completed, Netwrix Directory Manager 11 will be successfully configured to use an external Elasticsearch instance for its repository. diff --git a/docs/kb/directorymanager/notify-logged-in-users-about-changes-made-to-directory-objects.md b/docs/kb/directorymanager/notify-logged-in-users-about-changes-made-to-directory-objects.md new file mode 100644 index 0000000000..98ebec5d44 --- /dev/null +++ b/docs/kb/directorymanager/notify-logged-in-users-about-changes-made-to-directory-objects.md 
@@ -0,0 +1,54 @@ +--- +description: >- + Shows how to enable email notifications in Netwrix Directory Manager 11 so + logged-in users receive emails for changes they make to directory objects via + the user portal. +keywords: + - Netwrix Directory Manager + - notifications + - email notification + - identity store + - user portal + - logged-in users + - directory objects + - mail-enabled users +products: + - directory-manager +sidebar_label: Notify Logged-In Users About Changes Made to Direc +tags: [] +title: "Notify Logged-In Users About Changes Made to Directory Objects" +knowledge_article_id: kA0Qk0000002INRKA2 +--- + +# Notify Logged-In Users About Changes Made to Directory Objects + +## Applies To +Netwrix Directory Manager 11 + +## Overview +You can configure Netwrix Directory Manager 11 (formerly GroupID) to send users an email notification whenever they make changes to directory objects through the user portal. To enable this feature, update the notification settings in the identity store. + +## Instructions +1. In Directory Manager Admin Center, click the **Identity Stores** node. +2. For your identity store, click the three dots (**...**) button and select **Edit**. + ![Identity Stores list with edit option highlighted in Directory Manager Admin Center](images/ka0Qk000000D8iv_0EMQk00000BpFrV.png) +3. On the next page, click the **Configurations** button. + ![Configurations button in Directory Manager Admin Center](images/ka0Qk000000D8iv_0EMQk00000BpFoH.png) +4. Click the **Notifications** button. + ![Notifications button in Directory Manager Admin Center](images/ka0Qk000000D8iv_0EMQk00000BpFmf.png) +5. Under the **Also Notify** option, select the checkbox labeled **Logged in users for their actions**. + ![Also Notify option with Logged in users for their actions checkbox selected](images/ka0Qk000000D8iv_0EMQk00000BpFuj.png) +6. Scroll down and click the **Save** button. 
+ +With this notification setting enabled, email notifications will be sent to the logged-in user for changes they make to directory objects using the portal. + +> **NOTE:** This setting applies to mail-enabled users only. + +## Impact +In the example below, an end user changes the **Description** field of a group. + +![User editing the Description field of a group in Directory Manager user portal](images/ka0Qk000000D8iv_0EMQk00000BpFt7.png) + +The user will receive an email notification for the changes they made. + +![Sample email notification sent to user after making changes in Directory Manager user portal](images/ka0Qk000000D8iv_0EMQk00000BpFpt.png) diff --git a/docs/kb/directorymanager/office-365-service-account-requirements-for-identity-store-configuration.md b/docs/kb/directorymanager/office-365-service-account-requirements-for-identity-store-configuration.md new file mode 100644 index 0000000000..4c198df3a3 --- /dev/null +++ b/docs/kb/directorymanager/office-365-service-account-requirements-for-identity-store-configuration.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Lists the service account permission requirements to configure Office 365 as a + messaging provider for Netwrix Directory Manager Identity Store. Covers the + required administrator roles and their capabilities. +keywords: + - Office 365 + - service account + - identity store + - messaging provider + - Netwrix Directory Manager + - Global Administrator + - Exchange Administrator + - User Administrator +products: + - directory-manager +sidebar_label: Office 365 Service Account Requirements for Identi +tags: [] +title: "Office 365 Service Account Requirements for Identity Store Configuration" +knowledge_article_id: kA0Qk0000002JeTKAU +--- + +# Office 365 Service Account Requirements for Identity Store Configuration + +## Overview + +This article contains the service account requirements for configuring Office 365 as a messaging provider in Netwrix Directory Manager Identity Store. Netwrix Directory Manager enables you to create an identity store on an identity provider and perform group and user management tasks, such as creating groups, scheduling group updates, expiring groups, creating users and mailboxes, and managing user directory profiles. + +If you want to use Office 365 as a messaging provider for creating mail-enabled objects, Netwrix Directory Manager provides a built-in feature to help you set up Office 365 as a messaging provider. + +## Instructions + +A service account with one of the following permission configurations is required to connect to Office 365. + +- **Global Administrator** +- **Exchange Administrator:** Can manage all aspects of the Exchange product. +- **User Administrators:** (User Account Administrator) Can manage all aspects of users and groups, including resetting passwords for limited administrators. 
diff --git a/docs/kb/directorymanager/phoneid-authentication-option-discontinued.md b/docs/kb/directorymanager/phoneid-authentication-option-discontinued.md new file mode 100644 index 0000000000..82ca82c95f --- /dev/null +++ b/docs/kb/directorymanager/phoneid-authentication-option-discontinued.md 
@@ -0,0 +1,89 @@ +--- +description: >- + Imanami PhoneID service is deprecated as of January 31, 2025. This article + explains the impact on Netwrix Directory Manager, recommended replacement + options using FIDO2/WebAuthn passkeys, and step-by-step enrollment guidance + (including YubiKey support). +keywords: + - Imanami PhoneID + - PhoneID deprecated + - passkey + - WebAuthn + - YubiKey + - Netwrix Directory Manager + - FIDO2 + - enrollment +products: + - directory-manager +visibility: public +sidebar_label: PhoneID Authentication Option Discontinued +tags: [] +title: "PhoneID Authentication Option Discontinued" +knowledge_article_id: kA0Qk0000001tC9KAI +--- + +# PhoneID Authentication Option Discontinued + +Netwrix Directory Manager - Imanami PhoneID Authentication Option Discontinued + +## What is happening with Imanami PhoneID? + +On January 31, 2025, the Imanami PhoneID service will be deprecated. At that time, the following activities using PhoneID will no longer function. An example of activities impacted: + +- Requests to authenticate an identity using an already enrolled phone with this application will fail. +- Enrollment requests from the PhoneID mobile application will fail to send SMS notifications. +- Netwrix Directory Manager deployments will fail to register as a client to the PhoneID service. + +## What will happen in the future? + +As Netwrix Directory Manager will no longer support the Imanami PhoneID service, the user interface for enrollment and selection as an authentication service will be removed from the admin and user experiences with the release of Netwrix Directory Manager version 11.1. + +## What are the viable replacement options available? + +Netwrix recommends using Netwrix Directory Manager in conjunction with a FIDO2-based passkey token, utilizing Netwrix Directory Manager's support for WebAuthn. Below is an example of how to achieve this: + +1. 
Enable YubiKey support in the configuration, even if you do not plan on using YubiKey hardware tokens. + + ![A screenshot of a computerDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAgZi.png) + + ![A screenshot of a phoneDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAfKI.png) + + ![A screenshot of a phoneDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAfow.png) + + ![A screenshot of a computer screenDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAl4j.png) + +2. From the user portal, users should enroll their account and select YubiKey from the available options. + + ![A screenshot of a phoneDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAkS2.png) + + ![A screenshot of a computer screenDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAl7x.png) + +3. Give your passkey-enabled device an appropriate name. + + ![A screenshot of a computerDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAl9Z.png) + +4. You will be prompted to choose a location to save your passkey. + + ![A screenshot of a computerDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAlBB.png) + +5. You will receive a notification on your device or be prompted to insert a USB token, depending on the chosen method. + + ![A screenshot of a computer error messageDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAlEP.png) + +6. If using a mobile phone, you should be prompted to create a key for the web portal enrollment. + + ![A screenshot of a phoneDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAlO5.png) + +7. After completion, you will receive confirmation on both the mobile device and the portal. + + ![A white sign with black textDescription automatically generated](images/ka0Qk000000Bt1B_0EMQk00000AAlUX.png) + +## What is a Passkey, and why do we recommend using it? 
+ +According to the FIDO Alliance, passkeys are a replacement for passwords that provide a faster, easier, and more secure user login experience. Passkey-based user authentication is immune to phishing risks because it does not rely on a shared secret, as traditional passwords do. + +Technically, a passkey is a discoverable FIDO credential linked to a user account and a specific website or application. As a FIDO credential, a passkey consists of a key pair that employs standard public key cryptography to verify a user's identity without sharing any secrets. This method aligns with WebAuthn authentication. + +A passkey is associated with both a user account and a website running Netwrix Directory Manager. When a new passkey is created, it is automatically linked to the user ID and the Relying Party ID — in the case of a website hosting Netwrix Directory Manager. + +Passkeys are discoverable, meaning they can be automatically detected and utilized by clients for user authentication. When a user initiates the authentication process, the authenticator does not need to know the user's ID. Instead, it uses the Relying Party ID to locate the correct passkey for authenticating against that website. This process eliminates the need for the user to enter their user ID and ensures that a malicious actor cannot trick them into signing in to a fraudulent website. diff --git a/docs/kb/directorymanager/remove-the-displayname-requirement-for-groups-created-in-active-directory.md b/docs/kb/directorymanager/remove-the-displayname-requirement-for-groups-created-in-active-directory.md new file mode 100644 index 0000000000..4397f8ef16 --- /dev/null +++ b/docs/kb/directorymanager/remove-the-displayname-requirement-for-groups-created-in-active-directory.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Make the displayName attribute optional in the Self‑Service Portal so you can + save changes to groups that were created directly in Active Directory without + a displayName. +keywords: + - displayName + - Active Directory + - groups + - Self-Service Portal + - Netwrix Directory Manager + - design settings + - Smart Groups +products: + - directory-manager +sidebar_label: Remove the DisplayName Requirement for Groups Crea +tags: [] +title: "Remove the DisplayName Requirement for Groups Created in Active Directory" +knowledge_article_id: kA0Qk0000002ChpKAE +--- + +# Remove the DisplayName Requirement for Groups Created in Active Directory + +## Applies To +- Netwrix Directory Manager 11 + +## Overview +When you integrate Netwrix Directory Manager with an existing Active Directory environment, some groups may have been created directly in Active Directory. These groups might not have the **displayName** attribute populated, since it is not required by Active Directory. + +Netwrix Directory Manager, however, requires the **displayName** attribute because it uses this value to populate other fields, such as Alias and CN. If you try to save changes to one of these groups in the **Self‑Service Portal (SSP)** and **displayName** is missing, you will receive an error. You cannot save changes until **displayName** is populated or the requirement is removed. + +This article describes a workaround that allows you to save changes to these groups by making the **displayName** attribute optional in the portal design. + +![Error message displayed in Self-Service Portal when displayName is missing](images/ka0Qk000000DvbZ_0EMQk00000BSYlB.png) ![Error details dialog showing missing displayName attribute](images/ka0Qk000000DvbZ_0EMQk00000BSWjO.png) + +## Instructions +1. In the Netwrix Directory Manager Admin Center, go to the **Applications** tab. 
Open the settings for the application where you want to remove the **displayName** requirement by clicking the **Settings** button (top right corner of the application card). + + ![Open application settings in Directory Manager Admin Center](images/ka0Qk000000DvbZ_0EMQk00000BSYmn.png) + +2. Under **Design Settings**, click the domain name. + + ![Select domain under Design Settings](images/ka0Qk000000DvbZ_0EMQk00000BSYoP.png) + +3. Go to the **Properties** tab and set the **Directory Object** to **Groups**. + + ![Set Directory Object to Groups](images/ka0Qk000000DvbZ_0EMQk00000BSYq1.png) + +4. Edit the **General** field by clicking the pencil icon. + + ![Edit General field](images/ka0Qk000000DvbZ_0EMQk00000BSYrd.png) + +5. Edit the **DisplayName** field by clicking the pencil icon in the Design category window. + + ![Edit DisplayName field](images/ka0Qk000000DvbZ_0EMQk00000BSYtF.png) + +6. Expand **Advanced Options** and uncheck the **Is Required** box. + + ![Uncheck Is Required for DisplayName](images/ka0Qk000000DvbZ_0EMQk00000BSYwT.png) + +7. Click all **OK** buttons to save your changes, then log in to your portal. You should now be able to save changes to a group even if the **displayName** attribute is not populated. + +8. To apply this change to Smart Groups, set the **Directory Object** to **SmartGroup** in step 3 then complete the remainder of the steps. diff --git a/docs/kb/directorymanager/remove_the_delete_option_from_the_portal.md b/docs/kb/directorymanager/remove_the_delete_option_from_the_portal.md new file mode 100644 index 0000000000..ba722f8082 --- /dev/null +++ b/docs/kb/directorymanager/remove_the_delete_option_from_the_portal.md 
@@ -0,0 +1,44 @@ +--- +description: >- + This article explains how to remove or hide the Delete option from the Netwrix Directory Manager portal for non-administrative users to prevent accidental deletion of critical groups. +keywords: + - Directory Manager + - Delete option + - user permissions +sidebar_label: Remove Delete Option +tags: [] +title: "Remove the Delete Option from the Portal" +knowledge_article_id: kA0Qk0000002QzJKAU +products: + - directory-manager +--- + +# Remove the Delete Option from the Portal + +## Applies To + +Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows you to control which users can delete groups in the portal. To prevent accidental deletion of critical groups, you can restrict the Delete option so that only administrators have permission to delete groups. This article explains how to remove or hide the Delete option from the portal for non-administrative users. + +## Instructions + +### Restrict the Delete Option in the Directory Manager Portal + +1. In the **Directory Manager Admin Center**, go to the **Applications** tab in the left navigation bar. +2. Click the three-dot icon for the portal you want to modify, then click **Settings**. + ![Accessing portal settings in Directory Manager Admin Center](./images/servlet_image_c081b14fe448.png) +3. In the portal settings, click the identity store name under **Design Settings** for which you want to make design changes. + ![Selecting identity store under Design Settings](./images/servlet_image_64daa26f7e8f.png) +4. Click the **Toolbars** button and select **Groups** from the **Select Toolbar Type** drop-down list. +5. Select **Delete** from the list for the selected toolbar and click the **Pencil** icon to edit. + ![Editing Delete option in Groups toolbar](./images/servlet_image_b53acb02887b.png) +6. In the new window, locate the **Visibility Role** drop-down list and change the value from **Users** to **Administrator**. 
When **Users** is selected, the button is visible to all roles with a higher priority than Users. To hide the Delete button from everyone, select **Never**. + ![Setting Visibility Role for Delete option](./images/servlet_image_5bbc9191a63e.png) +7. After making changes, click the **Save** icon in the Designs tab to save your changes. + ![Saving design changes in Directory Manager](./images/servlet_image_2c7093a91eb6.png) +8. Refresh or relaunch the Directory Manager Portal and verify by opening the properties of any group. The Delete option will no longer be available in the toolbar for non-administrative users. + +To hide the Delete option from the **Group Search** or **My Groups** toolbars, select the **Groups Search** toolbar type in step 4 and repeat steps 5 to 7. \ No newline at end of file diff --git a/docs/kb/directorymanager/replicating-custom-ad-attributes-to-elasticsearch.md b/docs/kb/directorymanager/replicating-custom-ad-attributes-to-elasticsearch.md new file mode 100644 index 0000000000..5ac9f062f4 --- /dev/null +++ b/docs/kb/directorymanager/replicating-custom-ad-attributes-to-elasticsearch.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Shows how to add a custom Active Directory attribute and configure Netwrix + Directory Manager 10 to replicate it to the Elasticsearch repository, + including forcing a full user replication via the registry. +keywords: + - Active Directory + - Elasticsearch + - replication + - custom attribute + - Netwrix Directory Manager + - Schema Replication + - registry + - Replicate Now +products: + - directory-manager +sidebar_label: Replicating Custom AD Attributes to Elasticsearch +tags: [] +title: "Replicating Custom AD Attributes to Elasticsearch" +knowledge_article_id: kA0Qk0000002C57KAE +--- + +# Replicating Custom AD Attributes to Elasticsearch + +## Applies To +Netwrix Directory Manager 10 + +## Overview +Netwrix Directory Manager 10 allows you to replicate custom Active Directory (AD) attributes to the Elasticsearch repository. This article provides instructions for adding a custom attribute to the AD schema and configuring Netwrix Directory Manager to include it in replication. + +## Instructions +1. Create the custom attribute in the Active Directory schema. For example, to add `campusName` for users, define the attribute in the AD schema and assign it to user objects. Once completed, the attribute will appear in the attribute list for users in AD. + +2. On the Netwrix Directory Manager machine, open **Task Scheduler** and run the task named **Schema Replication**. + ![Task Scheduler with Schema Replication task highlighted](images/ka0Qk000000CtIT_0EMQk00000BQYMJ.png) + +3. After the **Schema Replication** task completes, open the Netwrix Directory Manager Management Console and click the **Identity Stores** node. + +4. On the **Identity Stores** tab, double-click the required identity store to open its properties. + +5. On the **Replication** tab, add the custom attribute you created. + ![Replication tab in Identity Store properties with custom attribute added](images/ka0Qk000000CtIT_0EMQk00000BQZgZ.png) + +6. 
Once complete, open **Services** and restart the **Elasticsearch** service and the **Netwrix Replication** service. + +7. Open `regedit.msc` and navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Imanami\GroupID\Version 10.0\Replication`. + +8. Expand the **Replication** registry key to view your identity stores. Select your domain’s identity store, and in the `users` value, delete the existing value data. Click **OK** to save your changes. This action forces a full replication of user objects, ensuring the new attribute is included in Elasticsearch. + ![Registry editor showing Replication key and users value](images/ka0Qk000000CtIT_0EMQk00000BQXA7.png) + +9. In the Netwrix Directory Manager Management Console, go to the **Replication** tab for the identity store and click **Replicate Now** in the Replication Service area. This starts users-only replication for your domain. Once complete, your custom attribute will be included in Elasticsearch. diff --git a/docs/kb/directorymanager/require-unique-group-display-names-in-portal.md b/docs/kb/directorymanager/require-unique-group-display-names-in-portal.md new file mode 100644 index 0000000000..2a4ca1405d --- /dev/null +++ b/docs/kb/directorymanager/require-unique-group-display-names-in-portal.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Explains how to configure Netwrix Directory Manager to require unique group + `displayName` values in the Application portal so users cannot create groups + with duplicate display names. +keywords: + - Netwrix Directory Manager + - unique display name + - displayName + - group display names + - portal settings + - Admin Center + - UniqueText + - Self-Service portal +products: + - directory-manager +sidebar_label: Require Unique Group Display Names in Portal +tags: [] +title: "Require Unique Group Display Names in Portal" +knowledge_article_id: kA0Qk0000002IIbKAM +--- + +# Require Unique Group Display Names in Portal + +## Applies To +Netwrix Directory Manager 11 + +## Overview +To prevent duplicate group names, you can configure Netwrix Directory Manager to require that each group’s `displayName` attribute is unique. Directory Manager contains a setting in the Application portal that enforces this uniqueness. When enabled, users will not be able to create a new group if the display name matches an existing group. This article explains how to configure this setting in the portal to require unique group display names. + +## Instructions + +### Configure the Portal to Require Unique Group Display Names +1. In the Netwrix Directory Manager Admin Center, navigate to **Applications > [Your Portal] > Settings**. + ![Portal settings in Directory Manager Admin Center](images/ka0Qk000000EYoD_0EMQk00000BpDHp.png) +2. Click the identity store name under the **Design Settings** section. + ![Identity store selection in Design Settings](images/ka0Qk000000EYoD_0EMQk00000BpDEb.png) +3. On the **Properties** tab, select **Group** as the directory object then select **General** and click **Edit**. + ![Editing group properties in Directory Manager](images/ka0Qk000000EYoD_0EMQk00000BpDGD.png) +4. In the **Edit Design Category** box, select **Display name** and click **Edit**. 
+ ![Edit Design Category dialog in Directory Manager](images/ka0Qk000000EYoD_0EMQk00000BpDL3.png) +5. In the **Edit Field** dialog box, ensure `displayName` is selected in the **Field** box. For **Display Type**, select `UniqueText`. + ![Edit Field dialog in Directory Manager](images/ka0Qk000000EYoD_0EMQk00000BpDJR.png) +6. Click **OK** then click **Save** in the outer window. +7. If you want to apply this setting to Smart Groups, select **Smart Group** as the directory object in step 3 and repeat the same steps. +8. After this configuration, when a user tries to create a group from the Self-Service portal with a display name that already exists, the portal will not allow it. + +> **NOTE:** If you have multiple portals, you must configure the unique display name setting separately for each portal. diff --git a/docs/kb/directorymanager/restrict-users-from-accessing-the-admin-portal.md b/docs/kb/directorymanager/restrict-users-from-accessing-the-admin-portal.md new file mode 100644 index 0000000000..6b82855104 --- /dev/null +++ b/docs/kb/directorymanager/restrict-users-from-accessing-the-admin-portal.md 
@@ -0,0 +1,42 @@ +--- +description: >- + Shows how to restrict end users from accessing the Netwrix Directory Manager + Admin Center by modifying a security role’s Identity Store criteria. +keywords: + - Netwrix Directory Manager + - Admin Center + - Admin Portal + - restrict access + - security role + - Identity Store + - Add Criteria + - Show Advanced +products: + - directory-manager +sidebar_label: Restrict Users from Accessing the Admin Portal +tags: [] +title: "Restrict Users from Accessing the Admin Portal" +knowledge_article_id: kA0Qk00000018A1KAI +--- + +# Restrict Users from Accessing the Admin Portal + +## Question +Is it possible to restrict end users from accessing the Netwrix Directory Manager Admin Portal/Center? + +## Answer +Yes, you can limit access to the Admin Portal/Center. To prevent end users from accessing the Admin Center and reduce the risk of unauthorized access, follow the steps below: + +1. Log in to the **Netwrix Directory Manager Admin Center** and navigate to the **Identity Store** tab. +2. Open the settings for the Identity Store and go to the **Security Roles** section. +3. Edit the security role for which you want to restrict access. +4. Click the **Add Criteria** button then the **Show Advanced** button to display advanced filtering options. +5. Click **Add Criteria** again and configure the following: + +| Field | Condition | Value | +|-------------|-----------|-------| +| Client Name | is not | `Admin Center` | + +6. Click **Save** 3 times to apply your changes. + +After completing these steps, users assigned to that security role will no longer be able to access the Admin Center. diff --git a/docs/kb/directorymanager/restrict_users_from_creating_contacts_with_target_addresses_of_trusted_inbound_domains.md b/docs/kb/directorymanager/restrict_users_from_creating_contacts_with_target_addresses_of_trusted_inbound_domains.md new file mode 100644 index 0000000000..181faadb9f --- /dev/null 
+++ b/docs/kb/directorymanager/restrict_users_from_creating_contacts_with_target_addresses_of_trusted_inbound_domains.md 
@@ -0,0 +1,58 @@ +--- +description: >- + This article explains how to restrict users from creating contacts with target addresses belonging to specific trusted inbound domains in Netwrix Directory Manager. +keywords: + - Directory Manager + - contact creation + - trusted inbound domains +sidebar_label: Restrict Users from Creating Contacts +tags: [] +title: "Restrict Users from Creating Contacts with Target Addresses of Trusted Inbound Domains" +knowledge_article_id: kA0Qk0000002lMDKAY +products: + - directory-manager +--- + +# Restrict Users from Creating Contacts with Target Addresses of Trusted Inbound Domains + +## Overview + +This article explains how to restrict users from creating contacts with target addresses belonging to specific trusted inbound domains in Netwrix Directory Manager (formerly GroupID). This is achieved by creating a custom display type with a regular expression to enforce the restriction. + +## Instructions + +1. Log in to the admin center of Directory Manager 11 and click **Applications**. +2. Go to the settings of your application portal and click **Design settings**. +3. Click the **Custom Display Type** tab and create a new custom display type. +4. For the new custom display type, set the type as **Textbox** and set the default value to empty. +5. In the regular expression field, use the following pattern: + + ```plaintext + ^(?!.*@(?:mytest2\.com|mytest3\.com|mytest4\.com|mytest5\.com|mytest6\.com|mytest7\.com)$)([a-zA-Z0-9_\-\.]+)@((\[[0-9]+\.[0-9]+\.[0-9]+\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]+|[0-9]+)(\]?)$ + ``` + +6. You can also set an error message, for example, "Please use the correct target address". + + ![Custom display type configuration with regex restriction](./images/servlet_image_eaba61cfe7f3.png) + +7. Save the settings for the custom display type. +8. While in the design node of the application portal, click the **Create Object** tab. +9. 
On the **Create Object** tab, click the drop-down for **Select Directory Object** and select **Contact**. + + ![Selecting Contact object in Create Object tab](./images/servlet_image_500ece5f2fd0.png) + +10. Edit the **Exchange** category. + + ![Editing Exchange category](./images/servlet_image_e19f8454e124.png) + +11. In the Edit Design category of Exchange, edit **EmailAddress**. +12. Change the display type for **EmailAddress**. + + ![Setting EmailAddress field to custom display type](./images/servlet_image_a71427568143.png) + +13. Save the changes in the design node. +14. Reset IIS and refresh your application portal. Now when you create a contact, the new contact cannot be created with any of the specified target addresses. + + ![Validation error when using restricted target address](./images/servlet_image_49eb4179d182.png) + +> **NOTE:** Contact Name can be any name for the newly created contact. \ No newline at end of file diff --git a/docs/kb/directorymanager/restricting-expiration-policy-options-by-role.md b/docs/kb/directorymanager/restricting-expiration-policy-options-by-role.md new file mode 100644 index 0000000000..1fde6e9102 --- /dev/null +++ b/docs/kb/directorymanager/restricting-expiration-policy-options-by-role.md 
@@ -0,0 +1,96 @@ +--- +description: >- + Shows how to restrict which Expiration Policy options are visible or make the + Expiration Policy field read-only or hidden for specific roles in the Netwrix + Directory Manager portal. +keywords: + - expiration policy + - roles + - Netwrix Directory Manager + - portal settings + - lstExpirationPolicy + - read-only + - design settings + - Admin Center +products: + - directory-manager +sidebar_label: Restricting Expiration Policy Options by Role +tags: [] +title: "Restricting Expiration Policy Options by Role" +knowledge_article_id: kA0Qk0000002Is5KAE +--- + +# Restricting Expiration Policy Options by Role + +## Applies To +Netwrix Directory Manager 11 + +## Overview +By default, all expiration policy options are available in the **Expiration Policy** drop-down list for group properties in Netwrix Directory Manager 11. You can customize which options are visible or make the drop-down list read-only or hidden for specific roles. This article explains how to configure these settings in the portal. + +## Instructions + +### Show Specific Options in the Expiration Policy List +1. In Netwrix Directory Manager Admin Center, go to **Applications**. Under **Directory Manager Portal**, click the three dots (**...**) next to your portal and select **Settings**. + + ![Applications page in Directory Manager Admin Center with settings option highlighted](images/ka0Qk000000DvYL_0EMQk00000Br3EL.png) + +2. On the **Server Settings** tab, under **Design Settings**, select your portal. + + ![Design Settings section in Directory Manager Admin Center](images/ka0Qk000000DvYL_0EMQk00000Br3B7.png) + +3. On the **Custom Display Types** tab, select `lstExpirationPolicy` and click **Edit**. + + ![Custom Display Types tab with lstExpirationPolicy selected](images/ka0Qk000000DvYL_0EMQk00000Br3Fx.png) + +4. In the **Edit Dropdown List Display Type** window, select a value in the **Values** area and click **Edit**. 
The **Values** area displays all values defined for the Expiration Policy drop-down list. + + ![Edit Dropdown List Display Type window in Directory Manager](images/ka0Qk000000DvYL_0EMQk00000Br2be.png) + +5. In the **Combo Value** dialog box, select a visibility level for the value: + - Select a role to make the value visible to users of that role and roles with a higher priority value. + - Select `Never` to hide the value from all users. + + ![Combo Value dialog box for setting visibility in Directory Manager](images/ka0Qk000000DvYL_0EMQk00000Br3Cj.png) + +6. Click **OK** to close the **Combo Value** and **Edit Design Type** dialog boxes. Then click the **Save** icon at the bottom to save your changes. + +You can set the visibility level for all required values in the **Expiration Policy** drop-down list. + +By default, or if no visibility settings are configured, all expiry options are available in the **Expiration Policy** drop-down list: + +![Expiration Policy drop-down list showing all options](images/ka0Qk000000DvYL_0EMQk00000Br3Sr.png) + +After applying visibility settings, only the selected values will be available. For example, if you set `Never` for all but two values, only those two will appear in the list: + +![Expiration Policy drop-down list showing limited options](images/ka0Qk000000DvYL_0EMQk00000Br3RF.png) + +> **NOTE:** You can also completely hide the **Expiration Policy** drop-down list or make it read-only. + +### Make the Expiration Policy Drop-Down List Read-Only +1. In Netwrix Directory Manager Admin Center, go to **Applications**. Under **Directory Manager Portal**, click the three dots (**...**) next to your portal and select **Settings**. + + ![Applications page in Directory Manager Admin Center with settings option highlighted](images/ka0Qk000000DvYL_0EMQk00000Br3MP.png) + +2. On the **Server Settings** tab, under **Design Settings**, select your portal. 
+ + ![Design Settings section in Directory Manager Admin Center](images/ka0Qk000000DvYL_0EMQk00000Br3JB.png) + +3. On the **Properties** tab, select `Group` in the **Select Directory Object** list. Then select the **General** option and click **Edit**. + + ![Properties tab with Group selected in Directory Manager](images/ka0Qk000000DvYL_0EMQk00000Br3O1.png) + +4. In the **Edit Design Category** dialog box, select the **Expiration Policy** option in the **Fields** section and click **Edit**. + + ![Edit Design Category dialog box with Expiration Policy field selected](images/ka0Qk000000DvYL_0EMQk00000Br3UT.png) + +5. In the **Edit Field** dialog box, select a role in the **Access Role** list. The access level determines whether a user can change the value in the **Expiration Policy** drop-down list. + - Select a role to allow users of that role and roles with a higher priority value to change the value. + - Select `Never` to make the **Expiration Policy** drop-down list read-only for all users. + - Alternatively, select the **Is Read Only** check box to disable the list for all users, so they can view its value but cannot change it. + +6. Click **OK** to close the **Edit Field** and **Edit Design Category** dialog boxes. Then click the **Save** icon at the bottom of the page. + +The disabled **Expiration Policy** drop-down list will be displayed in the portal as shown below. The **Expiration Date** field is also read-only and displays the group's expiry date, as calculated based on the expiry policy. + +![Expiration Policy drop-down list and Expiration Date field shown as read-only](images/ka0Qk000000DvYL_0EMQk00000Br3Pd.png) diff --git a/docs/kb/directorymanager/retrieve_the_history_corresponding_to_a_specific_timestamp_from_the_sql_database_in_v10.md b/docs/kb/directorymanager/retrieve_the_history_corresponding_to_a_specific_timestamp_from_the_sql_database_in_v10.md new file mode 100644 index 0000000000..f012fe0211 --- /dev/null 
+++ b/docs/kb/directorymanager/retrieve_the_history_corresponding_to_a_specific_timestamp_from_the_sql_database_in_v10.md 
@@ -0,0 +1,78 @@ +--- +description: >- + This article explains how to retrieve a list of all modifications made by Netwrix Directory Manager between January 1, 2024, and December 31, 2024, by running a SQL query against the Directory Manager database. +keywords: + - SQL query + - Directory Manager + - historical changes +sidebar_label: Retrieve History from SQL Database +tags: [] +title: "Retrieve the History Corresponding to a Specific Timestamp from the SQL Database in v10" +knowledge_article_id: kA0Qk0000002MKbKAM +products: + - directory-manager +--- + +# Retrieve the History Corresponding to a Specific Timestamp from the SQL Database in v10 + +## Overview + +This article explains how to retrieve a list of all modifications made by **Netwrix Directory Manager** (formerly **GroupID**) between January 1, 2024, and December 31, 2024, by running a SQL query against the Directory Manager database. This process allows you to view historical changes for auditing or troubleshooting purposes. + +## Instructions + +### Retrieve History for a Specific Date Range Using SQL + +1. Open **SQL Management Studio**, right-click the Directory Manager database, and select **New Query**. +2. 
Paste the following SQL query into the query window: + + ```sql + Select id, + IdentityStoreID, + JSON_Value(JsonData,'$.EventID') as EventID, + JSON_Value(JsonData,'$.IdentityStoreID') as IdentityStoreID, + JSON_Value(JsonData,'$.ObjectGUID') as ObjectGUID, + JSON_Value(JsonData,'$.ObjectClass') as ObjectClass, + JSON_Value(JsonData,'$.ObjectName') as ObjectName, + JSON_Value(JsonData,'$.AttributeName') as AttributeName, + JSON_Value(JsonData,'$.Action') as Action, + ActionName, + JSON_Value(JsonData,'$.DateTimeDetected') as DateTimeDetected, + JSON_Value(JsonData,'$.DateTimeLogged') as DateTimeLogged, + JSON_Value(JsonData,'$.UserAccount') as UserAccount, + JSON_Value(JsonData,'$.MachineName') as MachineName, + JSON_Value(JsonData,'$.ClientMachineName') as ClientMachineName, + JSON_Value(JsonData,'$.UserDN') as UserDN, + JSON_Value(JsonData,'$.UserGUID') as UserGUID, + JSON_Value(JsonData,'$.NewValue') as NewValue, + JSON_Value(JsonData,'$.NewValueResolved') as NewValueResolved, + JSON_Value(JsonData,'$.OldValue') as OldValue, + JSON_Value(JsonData,'$.OldValueResolved') as OldValueResolved, + JSON_Value(JsonData,'$.NewMembers') as NewMembers, + JSON_Value(JsonData,'$.OldMembers') as OldMembers, + JSON_Value(JsonData,'$.Comments') as Comments, + JSON_Value(JsonData,'$.ChangeMadeBy') as ChangeMadeBy, + SVC.Client.Name, + JSON_Value(JsonData,'$.RequestedAction') as RequestedAction, + JSON_Value(JsonData,'$.WorkflowRequester') as WorkflowRequester, + JSON_Value(JsonData,'$.WorkflowRequesterGUID') as WorkflowRequesterGUID, + JSON_Query(JsonData,'$.HistoryDetails') as HistoryDetails, + JSON_Value(JsonData,'$.DisplayName') as DisplayName, + JSON_Value(JsonData,'$.HistoryObjectAttributes') as HistoryObjectAttributes, + JSON_Value(JsonData,'$.DescriptiveData') as DescriptiveData, + JSON_Value(JsonData,'$.HasDetails') as HasDetails, + JSON_Value(JsonData,'$.listOfAttributes') as listOfAttributes, + JSON_Value(JsonData,'$.UserDisplayName') as UserDisplayName, + 
JSON_Value(JsonData,'$.TicDateTime') as TicDateTime, + JSON_Value(JsonData,'$.ClientType') as ClientType, + JSON_Value(JsonData,'$.NewImageValue') as NewImageValue, + JSON_Value(JsonData,'$.OldImageValue') as OldImageValue + from svc.BackUpHistory, Event.Action, SVC.Client + where ActionID = JSON_Value(JsonData,'$.Action') + AND Secret = JSON_Value(JsonData,'$.ChangeMadeBy') + AND cast(JSON_Value(JsonData,'$.DateTimeLogged') as date) BETWEEN '2024-01-1' AND '2024-12-31'; + ``` + +3. Execute the query to retrieve all history events between January 1, 2024, and December 31, 2024. + +![Query results showing history events in SQL Management Studio](./images/servlet_image_4fff323ed49a.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/search-history-by-specific-user-through-password-center-helpdesk-portal-returns-no-results.md b/docs/kb/directorymanager/search-history-by-specific-user-through-password-center-helpdesk-portal-returns-no-results.md new file mode 100644 index 0000000000..005ed5afb6 --- /dev/null +++ b/docs/kb/directorymanager/search-history-by-specific-user-through-password-center-helpdesk-portal-returns-no-results.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Explains how to resolve an issue where searching the History for a specific + user in the Netwrix Password Reset Helpdesk Portal returns no results. +keywords: + - Netwrix Password Reset + - Helpdesk Portal + - History + - Performed By + - End User + - user search + - User Name + - audit +products: + - directory-manager +sidebar_label: Search History by Specific User Through Password C +tags: [] +title: "Search History by Specific User Through Password C No Results" +knowledge_article_id: kA0Qk0000000N1RKAU +--- + +# Search History by Specific User Through Password C No Results + +## Symptom + +This article addresses the issue you encounter when you attempt to search for the history of a specific user through the Netwrix Password Reset Helpdesk Portal. The **History** feature of the portal enables Helpdesk users to audit and analyze the functions performed by end users. + +In the **History** section of the Netwrix Password Reset Helpdesk Portal, when you search for the history of any individual user, no records are displayed. + +## Cause + +The default setting for the **Performed By** field is `Any` instead of `End User`. + +## Resolution + +1. Select `End User` in the **Performed By** field. +2. Search for the user by typing their display name in the **User Name** field. + +![User-added image](images/ka0Qk0000001Q0T_0EMQk000002TgcF.png) diff --git a/docs/kb/directorymanager/set_delivery_restrictions_on_dynasty_groups.md b/docs/kb/directorymanager/set_delivery_restrictions_on_dynasty_groups.md new file mode 100644 index 0000000000..885c89811c --- /dev/null +++ b/docs/kb/directorymanager/set_delivery_restrictions_on_dynasty_groups.md 
@@ -0,0 +1,56 @@ +--- +description: >- + This article provides step-by-step instructions on setting delivery restrictions on Dynasty groups in Netwrix Directory Manager. +keywords: + - delivery restrictions + - Dynasty groups + - Netwrix Directory Manager +sidebar_label: Set Delivery Restrictions +tags: [] +title: "Set Delivery Restrictions on Dynasty Groups" +knowledge_article_id: kA0Qk0000002QknKAE +products: + - directory-manager +--- + +# Set Delivery Restrictions on Dynasty Groups + +## Applies To + +Directory Manager 11 + +## Overview + +Netwrix Directory Manager (formerly GroupID) allows you to set delivery restrictions on Dynasty groups, which are Smart Groups that create and manage other Smart Groups using directory information. Dynasties help manage large distribution lists by creating hierarchical group structures. You can restrict or allow specific users or groups to send emails to a Dynasty by configuring delivery restrictions in the group properties. + +## Instructions + +### Prerequisite Settings to Enable + +1. On the Dynasty **Properties**, click the **Dynasty Options** tab. +2. In **Dynasty Options**, make sure the **Always Inherit** option is selected. + + ![Always Inherit option in Dynasty Options tab](./images/servlet_image_7ea6e2461c60.png) + +3. Go to the Admin Center and open the settings of the identity store. +4. Click the **Configurations** tab, then click the **Dynasties** tab. +5. Make sure **authOrig** and **unauthOrig** are present under **Selected Attributes**. These attributes control authentication and are required to apply restrictions or rules to Dynasties. + + ![Selected Attributes for Dynasties in Directory Manager](./images/servlet_image_122aab207b28.png) + +### Set Delivery Restrictions on a Dynasty Group + +1. In the Directory Manager application, expand **Groups > All Groups > Dynasties**. + + ![Dynasties section in Directory Manager](./images/servlet_image_3044fdaa3692.png) + +2. 
Select the Dynasty group you want to set delivery restrictions for (for example, "Direct Reports of Abbey.Crawford") and go to its **Properties**. +3. Click the **Delivery Restriction** tab. You will see three types of filters that control who can and cannot send email messages to the group: + - Quick Filter (default filter) + - Accept Messages (to allow all or specific users/groups to send emails to the Dynasty) + - Reject Messages (to restrict specific users/groups from sending emails to the Dynasty) +4. In the **Accept Messages** section, click **Add** and add any user or group who should be allowed to send emails to the Dynasty. + + ![Accept Messages filter in Delivery Restriction tab](./images/servlet_image_ce789c2367af.png) + +5. After adding the user or group, click **Save**. \ No newline at end of file diff --git a/docs/kb/directorymanager/setting-expiration-policy-for-groups-in-bulk-using-management-shell.md b/docs/kb/directorymanager/setting-expiration-policy-for-groups-in-bulk-using-management-shell.md new file mode 100644 index 0000000000..fc98adc946 --- /dev/null +++ b/docs/kb/directorymanager/setting-expiration-policy-for-groups-in-bulk-using-management-shell.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Shows how to use the Netwrix Directory Manager Management Shell to set a group + expiration policy in bulk by exporting groups to CSV and applying the policy + with cmdlets. +keywords: + - Netwrix Directory Manager + - group expiration + - bulk + - Management Shell + - PowerShell + - Export-CSV + - Set-Group + - expiration policy +products: + - directory-manager +sidebar_label: Setting Expiration Policy for Groups in Bulk Using +tags: [] +title: "Setting Expiration Policy for Groups in Bulk Using Management Shell" +knowledge_article_id: kA0Qk0000002FkXKAU +--- + +# Setting Expiration Policy for Groups in Bulk Using Management Shell + +## Applies To +Netwrix Directory Manager 11 + +## Overview +This article explains how to use the Netwrix Directory Manager Management Shell to set the expiration policy for groups in bulk. Follow the steps below to complete this task. + +> **NOTE:** Before making any changes to your environment, create a backup or snapshot of the Netwrix Directory Manager server. Additionally, test the provided method on a small number of groups first. Once confirmed successful, apply it to the remaining groups in bulk. + +## Instructions +1. Launch the **Netwrix Directory Manager Management Shell**. + +2. Use the following cmdlet to export the Common Names of all groups for which you want to apply the bulk expiration policy into a CSV file: + +```powershell +Get-group | Select CN | Export-csv "PATH TO EXPORT FILE" -NoTypeInformation +``` + +3. To limit the export to a specific organizational unit (OU), use the following cmdlet instead: + +```powershell +Get-group -SearchContainer "DISTINGUISH_NAME OF THE OU" | Select CN | Export-CSV "PATH TO EXPORT FILE" -NoTypeInformation +``` + +4. 
Import the data from the exported CSV file and apply the expiration policy using the following cmdlet: + +```powershell +$Data = Import-CSV "PATH OF THE EXPORTED FILE" +Foreach($d in $data) {Set-Group -Identity $d.Cn -ExpirationPolicy "120" -ExtendGroupLife} +``` + +The value `120` represents the number of days before expiration and can be adjusted as needed. + +> **NOTE:** For additional assistance, contact Netwrix Technical Support. diff --git a/docs/kb/directorymanager/shorten_the_dynasty_naming_convention_for_child_dynasties.md b/docs/kb/directorymanager/shorten_the_dynasty_naming_convention_for_child_dynasties.md new file mode 100644 index 0000000000..5bd7862450 --- /dev/null +++ b/docs/kb/directorymanager/shorten_the_dynasty_naming_convention_for_child_dynasties.md 
@@ -0,0 +1,120 @@ +--- +description: >- + This article explains how to use a CSV file and custom scripts in Netwrix Directory Manager to shorten the naming convention for child dynasties. +keywords: + - Directory Manager + - CSV file + - naming convention + - child dynasties + - custom scripts +sidebar_label: Shorten Dynasty Naming Convention +tags: [] +title: "Shorten the Dynasty Naming Convention for Child Dynasties" +knowledge_article_id: kA0Qk0000002frtKAA +products: + - directory-manager +--- + +# Shorten the Dynasty Naming Convention for Child Dynasties + +## Applies To + +Directory Manager 10 + +## Overview + +This article explains how to use a CSV file and custom scripts in **Netwrix Directory Manager** (formerly GroupID) to shorten the naming convention for child dynasties. + +## Instructions + +1. Create a CSV file with a column for full department names and another column for their corresponding shortened forms. + + ![CSV file with full and short department names](./images/servlet_image_300ae206ce3f.png) + +2. Name the columns exactly as `Column1` and `Column2` if there is only one attribute. For multiple attributes, add additional pairs of columns (e.g., `Column3`/`Column4` for job title). + +3. Place the CSV file at a convenient location on the Directory Manager server. + +4. Create your required dynasty using the dynasty creation wizard. The dynasties will be created with the original attribute values. + +5. After creation, open the properties of the parent dynasty and navigate to the **Directory Manager** tab, then click **Modify**. + + ![Modify parent dynasty in GroupID tab](./images/servlet_image_b6a9390d6813.png) + +6. In the query designer window, navigate to the **Smart script** tab and click **Edit script**. + + ![Edit script in Smart script tab](./images/servlet_image_4ab58c61f5f2.png) + +7. In the Group script editor, click **Tools** and **Add reference**. + + ![Add reference in script editor](./images/servlet_image_b39297dbcafb.png) + +8. 
In the Add Reference window, click **Browse** and select **Imanami.Automate.ExcelTool.dll** from `C:\Program Files\Imanami\GroupID 10.0\Automate\PowerTools`. + + ![Selecting ExcelTool.dll](./images/servlet_image_36b8c524e094.png) + +9. Click **Open** and ensure the file appears as selected in the Add Reference window. + + ![ExcelTool.dll selected in Add Reference window](./images/servlet_image_2b77f7b59d6c.png) + +10. Click **OK**. In the Script editor window, replace the code between line 28 and 33 with the following: + + ```vb + #Region " User-definable code " + public tblData = new System.Data.DataTable + Sub ATM_Startup(ByVal atmsource As Object, ByVal args As EventArgs) Handles ATM.Startup + ' User-definable script goes here ----------------- + tblData = ExcelTool.ImportWorkSheet("C:\new.csv", 0) + ' ------------------------------------------------- + End Sub + ``` + + ![Script editor with code for importing CSV](./images/servlet_image_25e6aebec8f5.png) + + > **NOTE:** Replace `C:\new.csv` with the actual path to your CSV file. + +11. Click **Compile script** under the Build button at the top. Ensure compilation completes without errors. + + ![Successful script compilation](./images/servlet_image_8fb082a3afc1.png) + +12. Exit the Script editor and save changes. + +13. Click **Preview** in the query designer to verify members. + +14. Click **OK** and update the Parent dynasty. Commit changes if prompted. + + ![Preview and update Parent dynasty](./images/servlet_image_8d67195abd0f.png) + +15. To make the CSV file readable for Directory Manager, navigate to the properties of the Parent dynasty and click on the **Directory Manager** tab. + +16. Click **Options**. In the options window, click **Edit script**. + + ![Edit script in Dynasty options](./images/servlet_image_1e1d75e54dc3.png) + +17. The Dynasty option script editor should open and point to the first group by attribute. + +18. Uncomment Line 7 by removing the single quote. 
Remove the code from line 11 onward and paste the following code: + + ```vb + 'Warning: Do not alter method name + Function GroupByFilter(Byval value as string) As string + dim rows = tblData.Select("Column1 like '" & value & "'") + if rows.Length > 0 then + return rows(0)("Column2") + else + Return value + end if + End Function + ``` + + ![GroupByFilter function in script editor](./images/servlet_image_c6499369f442.png) + + > **NOTE:** If you are using multiple group by attributes, update the column names in the code for each attribute as needed. For example, for a title attribute, use `Column5` and `Column6` as appropriate. + +19. Click **Compile script** at the top and ensure it compiles without errors. + + ![Successful compilation of Dynasty option script](./images/servlet_image_e31014343ee8.png) + +20. Exit the script editor, apply changes, and update the Parent dynasty. The child dynasties should now use the shortened names from the CSV. To add more departments, update the CSV file as needed. + + ![Child dynasties with shortened names](./images/servlet_image_ee5a12572184.png) \ No newline at end of file diff --git a/docs/kb/directorymanager/triggering-microsoft-flow-from-directory-manager-workflows.md b/docs/kb/directorymanager/triggering-microsoft-flow-from-directory-manager-workflows.md new file mode 100644 index 0000000000..bc3c4d2c64 --- /dev/null +++ b/docs/kb/directorymanager/triggering-microsoft-flow-from-directory-manager-workflows.md 
@@ -0,0 +1,69 @@ +--- +description: >- + Shows how to trigger a Microsoft Flow (MS Flow) from Netwrix Directory Manager + workflows to automate user provisioning and grant SharePoint access based on + department; when the MS Flow is approved the linked Directory Manager workflow + is approved automatically. +keywords: + - Microsoft Flow + - MS Flow + - Netwrix Directory Manager + - SharePoint + - workflow + - user provisioning + - Self-Service + - Azure + - request URL +products: + - directory-manager +sidebar_label: Triggering Microsoft Flow from Directory Manager W +tags: [] +title: "Triggering Microsoft Flow from Directory Manager Workflows" +knowledge_article_id: kA0Qk00000015ldKAA +--- + +# Triggering Microsoft Flow from Directory Manager Workflows + +## Overview + +This article explains how to trigger a Microsoft Flow (MS Flow) from Netwrix Directory Manager (formerly GroupID). The goal is to automate user provisioning by linking user creation in Directory Manager to a corresponding SharePoint site access flow based on department information. + +By integrating Directory Manager workflows with MS Flow, you ensure that when a user is created and assigned a department, a flow automatically triggers to grant them access to their department’s SharePoint site. When the MS Flow is approved, the linked Directory Manager workflow is also approved automatically. + +## Prerequisites + +The Directory Manager application in Azure must have the following permissions for MS Flow: + +![Directory Manager Azure permissions screenshot](images/ka0Qk000000DSL3_0EMQk000004nGNu.png) + +## Instructions + +Follow the steps below to link a MS Flow to a Directory Manager Workflow: + +1. In Netwrix Directory Manager Management Console, go to the **Identity Stores** node. +2. Double-click the required identity store to open its properties. +3. On the **Workflow** tab, click **Microsoft Flow** and configure the following: + - **Org Code:** The unique name for the MS Flow environment. 
+ - **Region:** The location of your MS Flow environment. + - **Directory Manager Server:** The name or IP of your Directory Manager server. + - **ClientID:** The application ID of the Directory Manager app registered in Azure. +4. Click **OK** to save changes. +5. Log into the MS Flow portal and open the flow you want to link. +6. Generate a request URL for the MS Flow. + ![Generate request URL screenshot](images/ka0Qk000000DSL3_0EMQk00000C1KQo.png) +7. In the Directory Manager Console, go back to the **Workflow** tab of the identity store properties. +8. Select the workflow to link (e.g., **Create User**) and click **Edit**. +9. In the **Edit Workflow Route** dialog box, paste the MS Flow request URL into the **Microsoft Flow Request URL** field. +10. Click **Authenticate** and provide identity store credentials. + ![Authenticate screenshot](images/ka0Qk000000DSL3_0EMQk00000C1M61.png) + +> **NOTE:** To quickly define a flow in MS Flow, click **Create Temp** to create a basic template and connect it. + +11. Click **OK** to finalize the link between the Directory Manager workflow and MS Flow. + +Now, when a user is created in Directory Manager Self-Service and assigned a department, it will trigger the Create User workflow. That workflow will trigger the MS Flow to grant access to the department’s SharePoint site. Approval of the MS Flow will automatically approve the Directory Manager workflow. + +## Validation Checklist + +- Confirm on the Self-Service portal that the user has been created. +- Navigate to SharePoint and verify that the user has access to the appropriate department site. diff --git a/docs/kb/directorymanager/unable-to-sort-groups-by-displayname.md b/docs/kb/directorymanager/unable-to-sort-groups-by-displayname.md new file mode 100644 index 0000000000..d6d0d71be1 --- /dev/null +++ b/docs/kb/directorymanager/unable-to-sort-groups-by-displayname.md 
@@ -0,0 +1,45 @@ +--- +description: >- + When you sort the My Groups listing by Display Name in Netwrix Directory + Manager 11, groups that lack the Display Name attribute can prevent correct + alphabetical sorting. This article explains the causes and steps to populate + Display Name so the portal sorts correctly. +keywords: + - Display Name + - groups + - sort + - Netwrix Directory Manager + - Active Directory + - My Groups + - Common Name + - attribute + - bulk update +products: + - directory-manager +sidebar_label: Unable to Sort Groups by DisplayName +tags: [] +title: "Unable to Sort Groups by DisplayName" +knowledge_article_id: kA0Qk0000002IC9KAM +--- + +# Unable to Sort Groups by DisplayName + +## Applies To +Netwrix Directory Manager 11 + +## Symptom +When you attempt to sort the **My Groups** listing in Netwrix Directory Manager (formerly GroupID) by the **Display Name** attribute, the groups do not sort in ascending (alphabetical) order as expected. The screen may display a “Loading” message, but the system fails to sort the listing. + +![Group listing in Directory Manager portal with Display Name column sorted in ascending order](images/ka0Qk000000EZ2j_0EMQk00000BoBWe.png) + +## Causes +- The **Display Name** attribute is not mandatory for groups created directly in Active Directory, so some groups may not have this attribute populated. +- When you sort by **Display Name** in Netwrix Directory Manager, the portal treats missing display names as null values and uses the **Common Name** instead. This can result in incorrect or failed sorting. +- Groups created using Netwrix Directory Manager always have a **Display Name** because it is a required attribute. + +## Resolutions +1. Verify which groups are missing the **Display Name** attribute by checking the attribute editor in Active Directory. +2. Populate the **Display Name** attribute for all groups that are missing it. +3. 
After all groups have a **Display Name**, the Netwrix Directory Manager portal will sort group listings correctly by this attribute. + +> **NOTE:** You may use bulk editing tools or scripts to update the **Display Name** attribute for multiple groups in Active Directory if needed. diff --git a/docs/kb/directorymanager/uninstall-or-fully-remove-directory-manager.md b/docs/kb/directorymanager/uninstall-or-fully-remove-directory-manager.md new file mode 100644 index 0000000000..9bc8156639 --- /dev/null +++ b/docs/kb/directorymanager/uninstall-or-fully-remove-directory-manager.md 
@@ -0,0 +1,121 @@ +--- +description: >- + This article explains how to uninstall Netwrix Directory Manager 9 or above, + either to upgrade to a newer version or to completely remove all components + from a machine. +keywords: + - Netwrix Directory Manager + - GroupID + - uninstall + - remove + - Imanami + - IIS + - registry + - DLL + - application pool +products: + - directory-manager +sidebar_label: Uninstall or Fully Remove Directory Manager +tags: [] +title: "Uninstall or Fully Remove Directory Manager" +knowledge_article_id: kA0Qk0000002JrNKAU +--- + +# Uninstall or Fully Remove Directory Manager + +## Applies To + +Netwrix Directory Manager 9 or above + +## Overview + +This article explains how to uninstall Netwrix Directory Manager (formerly GroupID) either to upgrade to a newer version or to completely remove all components from a machine. + +## Instructions + +> **NOTE:** Before you uninstall Netwrix Directory Manager, ensure the logged-in user is a member of the local Administrators group on the machine. Make sure Netwrix Directory Manager is fully closed before you begin the uninstall process. + +### Uninstall Directory Manager to Upgrade to a Newer Version + +1. Double-click the **`setup.exe`** file in the Directory Manager installation package to launch the installer. + ![Directory Manager installer main screen](images/ka0Qk000000EZIr_0EMQk00000BuNWf.png) +2. Click **Uninstall Directory Manager**. This removes the application files from **Programs & Features** in the **Control Panel**. + +### Upgrade to a newer version + +1. Click the **Install Directory Manager** link on the installer to install the latest version. +2. After installation, run the Upgrade wizard to make data from the earlier version compatible with the new version. + +### Completely Uninstall Directory Manager from the Machine + +1. Click **Uninstall Directory Manager** on the installer to remove the application files from your computer. +2. 
Remove the following components to completely uninstall Directory Manager: + +- [Directory Manager installation directory](#remove-the-directory-manager-installation-directory) +- [Other relevant directories](#remove-other-relevant-directories) +- [Directory Manager DLLs](#remove-directory-manager-dlls) +- [Registry keys](#remove-registry-keys) +- [Services files](#remove-directory-manager-services-files) +- [Self-Service and Password Center portal files](#remove-portal-files) +- [Directory Manager application pool](#remove-the-directory-manager-application-pool) +- [Directory Manager certificates](#remove-directory-manager-certificates) + +### Remove the Directory Manager Installation Directory + +1. Go to `X:\Program Files\Imanami` (where X is the installation drive). +2. Delete the directory named **GroupID [version]** (for example, GroupID 9.0). + +### Remove Other Relevant Directories + +1. On the Windows **Run** dialog box, type ` %ALLUSERSPROFILE%\Imanami`. +2. From the referenced location, delete the GroupID folder. + +### Remove Directory Manager DLLs + +1. Go to `C:\Windows`. +2. Search for all DLL files starting with **Imanami** (use `Imanami*.dll` in Windows Explorer). +3. Delete these files. + +### Remove Registry Keys + +1. Open the **Registry Editor** by typing `regedit` in the Windows **Run** dialog box. +2. Delete the following registry keys (for GroupID 9): + +- `HKEY_CURRENT_USER\Software\Imanami\GroupID\Version 9.0` +- `HKEY_LOCAL_MACHINE\Software\Imanami\GroupID\Version 9.0` + +### Remove Directory Manager Services Files + +To remove Directory Manager Data Service and Security Service files: + +1. Go to `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files`. +2. Delete the **groupiddataservice** and **groupidsecurityservice** folders. + +### Remove Portal Files + +To remove Directory Manager Self-Service and Password Center portal files: + +1. 
Open the Internet Information Services (IIS) console by typing `inetmgr` in the Windows **Run** dialog box. +2. Under the **GroupIDSite** node, locate the portals created using the Self-Service or Password Center module. +3. Delete each portal by right-clicking and selecting **Remove**. +4. After removing the portals, go to `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files`. +5. Delete each portal folder. + +> **NOTE:** If you have installed Password Center Client and want to uninstall it, refer to the Directory Manager Password Center Client Configuration Guide. + +### Remove the Directory Manager Application Pool + +1. Open the IIS console by typing `inetmgr` in the Windows **Run** dialog box. +2. Expand the `\` node and click **Application Pools**. +3. On the Application Pools page, delete **GroupID App Pool**. + +### Remove Directory Manager Certificates + +1. Open the IIS console by typing `inetmgr` in the Windows **Run** dialog box. +2. Click the `\` node. On the **Features View** tab, select **Server Certificates** in the **IIS** section. +3. Delete these certificates bound to **GroupIDSite** (the site deploying Directory Manager Data Service): + +- GroupIDSecurityService +- Imanami GroupID Certificate + +> **NOTE:** Do not remove these certificates if another Directory Manager version is installed on the machine. diff --git a/docs/kb/directorymanager/update-support-email-address-for-contact-link.md b/docs/kb/directorymanager/update-support-email-address-for-contact-link.md new file mode 100644 index 0000000000..6224ee147e --- /dev/null +++ b/docs/kb/directorymanager/update-support-email-address-for-contact-link.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Shows how to change the support email address used by the Contact link in the + Netwrix Directory Manager portal so users can route portal inquiries to your + local IT team. +keywords: + - support email + - contact link + - Directory Manager + - portal + - admin center + - helpdesk + - support address +products: + - directory-manager +sidebar_label: Update Support Email Address for Contact Link +tags: [] +title: "Update Support Email Address for Contact Link" +knowledge_article_id: kA0Qk0000002EmrKAE +--- + +# Update Support Email Address for Contact Link + +## Applies To +Netwrix Directory Manager 11 + +## Overview +The Netwrix Directory Manager application portal includes a **Contact** link at the bottom of each page. This link opens your default email application with a pre-filled support email address, allowing users to contact the admin or helpdesk for inquiries, support requests, or feedback. You may need to change this email address so users can contact your local IT team for portal-related issues. + +![Contact link at the bottom of Directory Manager portal page](images/ka0Qk000000EMdN_0EMQk00000Ba6Gf.png) + +## Instructions + +### Change the Support Email Address for the Contact Link +1. In the Directory Manager Admin Center, select **Application** > your required portal > **Settings**. + ![Portal settings in Directory Manager Admin Center](images/ka0Qk000000EMdN_0EMQk00000Ba6Jt.png) +2. Click the **Directory Manager Support** tab. +3. In the **Support group/administrator's email address** box, enter the email address for the group, user, or contact who will respond to requests or inquiries from portal users. + ![Support group/administrator's email address field in Directory Manager](images/ka0Qk000000EMdN_0EMQk00000Ba6IH.png) +4. Click **Save**. +5. Click the **Contact** link in the portal to verify that your specified email address appears in the 'To' box of your default email application. 
diff --git a/docs/kb/directorymanager/use_synchronize_to_deprovision_user_accounts_in_active_directory.md b/docs/kb/directorymanager/use_synchronize_to_deprovision_user_accounts_in_active_directory.md new file mode 100644 index 0000000000..a5f9d94792 --- /dev/null +++ b/docs/kb/directorymanager/use_synchronize_to_deprovision_user_accounts_in_active_directory.md 
@@ -0,0 +1,67 @@ +--- +description: >- + This article explains how to use Netwrix Directory Manager Synchronize to automatically deprovision user accounts in Active Directory when an employee's status is updated to Termed in the HR database. +keywords: + - Active Directory + - user accounts + - deprovisioning + - Netwrix Directory Manager + - Synchronize +sidebar_label: Use Synchronize to Deprovision User Accounts +tags: [] +title: "Use Synchronize to Deprovision User Accounts in Active Directory" +knowledge_article_id: kA0Qk0000002bLFKAY +products: + - directory-manager +--- + +# Use Synchronize to Deprovision User Accounts in Active Directory + +## Related Queries + +- "Use Directory Manager Synchronize to deprovision user accounts in Active Directory" +- "Is there any way to deprovision user accounts in Active Directory while stamping them with a time and date when they are disabled?" + +## Overview + +This article explains how to use **Netwrix Directory Manager** (formerly GroupID) **Synchronize** to automatically deprovision user accounts in **Active Directory** when an employee's status is updated to **Termed** in the HR database. The process also stamps the account with the date and time of deprovisioning in the **Description** field for audit and tracking purposes. + +## Instructions + +1. Open the **Synchronize** portal. +2. In the left pane, click the **Create New** button and select **Job**. +3. On the **Job Template** page, provide job details, select the **Blank Job** option, and click **Next**. +4. Select your source provider, then select **Active Directory** as the destination provider and click **Next**. +5. In the **Sync Object Options** section: + - Select the required object type (for example, **User**). + - Select the attribute that will serve as the primary key (for example, **EmployeeID**). + - Select **Description** and **Disable Account** (pseudo-attribute) as destination fields. 
+ + ![Sync Object Options section with object type, primary key, Description, and Disable Account fields selected](./images/servlet_image_d9dc4fb1bb54.png) + +6. On the **Map Fields** page, apply the following transformations: + - Set the destination field for **Description** to **Static** and enter: + ```plaintext + Disabled by GroupID %Now% + ``` + ![Map Fields page showing Description field set to Static with value 'Disabled by GroupID %Now%'](./images/servlet_image_b71a7e7e6175.png) + - Set the destination field for **Disable Account** to **Static** and enter: + ```plaintext + True + ``` + ![Map Fields page showing Disable Account field set to Static with value 'True'](./images/servlet_image_ab6741dc126d.png) + +7. Click **Next**, then use the **Advanced** option to filter user accounts in the HR database where **EmploymentStatus** is + ```plaintext + Termed + ``` + + ![Advanced filter option for EmploymentStatus set to 'Termed' in HR database](./images/servlet_image_8426237cde8a.png) + + ![Preview of filtered user accounts with EmploymentStatus 'Termed'](./images/servlet_image_fa88114e05d0.png) + +8. Complete the job wizard, then preview the job to verify the expected results. + + ![Job preview showing deprovisioned user accounts with Description and Disable Account fields updated](./images/servlet_image_295917ddc060.png) + +> **NOTE:** The **Disable Account** pseudo-attribute is available in **Synchronize** and accepts `True` or `False` as values. The `%Now%` variable in the **Description** field will insert the current date and time when the job runs. \ No newline at end of file diff --git a/docs/kb/directorymanager/view-and-manage-your-group-memberships.md b/docs/kb/directorymanager/view-and-manage-your-group-memberships.md new file mode 100644 index 0000000000..d99674a2ff --- /dev/null +++ b/docs/kb/directorymanager/view-and-manage-your-group-memberships.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Shows end users how to view and manage their group memberships through the + Netwrix Directory Manager portal, including how to view group properties and + perform actions based on assigned permissions. +keywords: + - group memberships + - Netwrix Directory Manager + - My Groups + - My Memberships + - Active Directory + - distribution lists + - security groups + - portal +products: + - directory-manager +sidebar_label: View and Manage Your Group Memberships +tags: [] +title: "View and Manage Your Group Memberships" +knowledge_article_id: kA0Qk0000002IAXKA2 +--- + +# View and Manage Your Group Memberships + +## Applies To + +Netwrix Directory Manager 11 + +## Overview + +End users typically do not have direct access to directory services, such as Active Directory, to review their group memberships. Netwrix Directory Manager provides a portal that allows users to view all directory groups—including distribution lists and security groups—of which they are members. Through the portal, users can review group properties, determine their current access, and manage their memberships according to their assigned permissions. + +## Instructions + +### View and Manage Your Group Memberships + +1. Log in to the Netwrix Directory Manager portal. +2. In the left pane, click **Groups > My Groups** then select the **My Memberships** tab. + +![My](images/servlet_image_761bfdbbeba6.png) + +3. This page lists all groups that the logged-in user is a member of. Click the display name of a group to view its properties. +4. The actions you can perform for a group depend on your rights and privileges in Netwrix Directory Manager. For example, your rights determine whether you can edit group properties or leave the group. diff --git a/docs/kb/directorymanager/viewing-and-managing-licenses.md b/docs/kb/directorymanager/viewing-and-managing-licenses.md new file mode 100644 index 0000000000..d12eb85f0d --- /dev/null 
+++ b/docs/kb/directorymanager/viewing-and-managing-licenses.md 
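Review bot: in view-and-manage-your-group-memberships.md the screenshot after step 2 has the alt text `![My]`, which looks truncated and tells a screen-reader user nothing; please describe the image (for example the My Memberships tab under My Groups). The image is also unindented between steps 2 and 3, unlike the indented images in the other articles in this patch, so check that the numbered list still renders as one list.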
@@ -0,0 +1,76 @@ +--- +description: >- + Provides details of the licensing model for Netwrix Directory Manager, + including license types, how to enter and view license information, and steps + to upgrade an evaluation license. +keywords: + - Netwrix Directory Manager + - licensing + - license key + - evaluation license + - module license + - license upgrade + - Configuration Tool + - Admin Center +products: + - directory-manager +sidebar_label: Viewing and Managing Licenses +tags: [] +title: "Viewing and Managing Licenses" +knowledge_article_id: kA0Qk00000015s5KAA +--- + +# Viewing and Managing Licenses + +## Overview + +This article outlines the licensing model for Netwrix Directory Manager, including license types, activation methods, and upgrade paths. + +### License Types + +- **Evaluation License:** Grants access to all modules for 30 days in a test environment. The **Reports** module is free and does not require a license. +- **Module License:** Grants access to specific modules. Available licenses for Netwrix Directory Manager 11 include: + - Automate Upgrade + - Complete + - Group Management + - Password Center Upgrade + - Password Management + - Self-Service Upgrade + - Suite Upgrade + - Synchronize Upgrade + - User Management + + **NOTE:** If any of the licenses above are applied, the **Reports** module is automatically included at no cost. +- **Full (Complete) License:** Provides unrestricted access to all modules. An evaluation license can be upgraded to a full license. + +## Instructions + +### Entering License Information + +1. During installation, on the **License** page of the Configuration Tool, enter a valid license number and license key. + ![Config Tool](images/ka0Qk000000DSHp_0EMQk00000C1NoU.png) +2. If the **Next** button remains disabled, retype your entry for accuracy. +3. If using module-based licensing, enter any one module license during setup. +4. 
To add more licenses later: + - Launch the **Netwrix Directory Manager Configuration Tool V11** from the Windows Start menu. + - Proceed to the **License** page and enter additional license information. + +### Upgrading from an Evaluation License + +1. Contact Netwrix Sales to obtain a full or module license number and key. +2. In the **Netwrix Directory Manager Admin Center**, click the **Settings** node. + ![Settings](images/ka0Qk000000DSHp_0EMQk00000C1GiC.png) +3. In the **Licensing Settings** dialog box, click **Edit**. +4. Enter the new license number and key provided by Netwrix. + ![Edit in License Settings](images/ka0Qk000000DSHp_0EMQk00000C1Nq7.png) +5. Click **Update** and relaunch Netwrix Directory Manager. + +### Viewing License Information + +On the **License** page in the Configuration Tool, you can view: + +- **Status:** Valid or expired. +- **Number:** The license number you entered. +- **Key:** The license key associated with the number. +- **Licenses:** Number of machines the license covers. +- **Module:** The licensed module(s). "All" appears if using a full license." diff --git a/docs/kb/directorymanager/walkthrough-search-policy-define-scope-and-filter-results.md b/docs/kb/directorymanager/walkthrough-search-policy-define-scope-and-filter-results.md new file mode 100644 index 0000000000..f79eb4b6e7 --- /dev/null +++ b/docs/kb/directorymanager/walkthrough-search-policy-define-scope-and-filter-results.md 
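Review bot: the last bullet under "Viewing License Information" in viewing-and-managing-licenses.md ends with a stray double quote (`if using a full license."`); remove it. The License Types list also names **Complete** as one of the module licenses and then describes a separate **Full (Complete) License**, so it is unclear whether these are the same thing; please state it once. Step 2 ("retype your entry for accuracy") would be clearer if it said the **Next** button stays disabled until the number and key validate.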
@@ -0,0 +1,115 @@ +--- +description: >- + Shows how to configure the Search Policy for security roles in Netwrix + Directory Manager to restrict search scope to a specific OU and filter results + by Active Directory attributes. +keywords: + - directory manager + - search policy + - LDAP filter + - OU + - Active Directory + - security roles + - search scope + - filters +products: + - directory-manager +sidebar_label: Walkthrough Search Policy - Define Scope and Filte +tags: [] +title: "Walkthrough Search Policy - Define Scope and Filter Results" +knowledge_article_id: kA0Qk0000000HQfKAM +--- + +# Walkthrough Search Policy - Define Scope and Filter Results + +## Applies To: +Netwrix Directory Manager 11 + +## Business Requirement: +Set Netwrix Directory Manager search in such a way that AD objects (e.g., *Groups, Users, Contacts*) can only be searched within a specific OU and filtered based on Active Directory attributes. + +## Solution: +This business requirement can be achieved by configuring the Search Policy for security roles in an identity store. + +## More Information: +Use the Search policy to: + +- Limit the search scope to a particular container for role members. +- Designate an LDAP criterion that uses AD attributes to add a search filter. + +Let's assume you specify a container and set the LDAP filter to (`Country=United States*`). When a role member performs a search, Netwrix Directory Manager looks up the container and displays objects that have the `United States` as a value for the `Country` attribute. + +Now consider these scenarios: + +- If you only specify a container, a search performed by role members returns all matching objects residing in that container. +- If you only specify an LDAP filter, a search performed by role members displays only those objects with the Country attribute set to the United States from all containers in the identity store. 
+ +By default, or in the absence of this policy, any search performed by role members returns objects from all containers in the identity store. + +## Apply the Search Policy: +1. In Netwrix Directory Manager Admin Center, click the **Identity Stores** node. +2. On the **Identity Stores** tab, click on the **Triple Dot** button, and then click on the **Edit** button to go to the properties of the required identity store. + + ![User-added image](images/ka0Qk000000Dg1R_0EMQk000001eu1K.png) + +3. On the **Security Roles** tab, select a role to define a search policy for it, and click **Edit**. + + ![User-added image](images/ka0Qk000000Dg1R_0EMQk000001f0gD.png) + +4. On the **Role Properties** page, click the **Policies** tab and then click **Search** in the left pane. + + ![User-added image](images/ka0Qk000000Dg1R_0EMQk000001ezqc.png) + +5. Click the **Plus** button and select a container. A search performed by role members would return objects that reside in this container. + + ![User-added image](images/ka0Qk000000Dg1R_0EMQk000001f0pt.png) + +### Choose a Search Filter: +When you apply an LDAP filter, a search performed by role members only shows objects that match the specified criterion. + +1. In the **Filter** area on the **Search** page, click on **+Add Filter**, and select a schema attribute from the drop-down list (for example, `Company`). +2. Select an operator from the second drop-down list (for example, *Is Exactly*). +3. Enter a value concerning the selected schema attribute in the third box. + + ![User-added image](images/ka0Qk000000Dg1R_0EMQk000001ezDu.png) + +You can define multiple queries by clicking on the **+Add More Filters** and using the **AND** or **OR** operator to group all rows that make up a query. + +A down arrow appears in the applied operator's icon. Click it to display the context menu with the following options: + +- **Select Group** to select all rows that make up the query. +- **Ungroup** to remove the operator and ungroup the rows. 
+- **Change** to change the AND operator to OR and vice versa. +- **Add Clause** to add a new row for specifying an additional clause for the query. +- **Delete** to delete the query with all its rows. + +## Some Useful Examples: +- To limit searches to mail-enabled distribution groups and all users: + + ![User-added image](images/ka0Qk000000Dg1R_0EMQk000001exAU.png) + +- Limit searches to all global security groups and all users: + + ![User-added image](images/ka0Qk000000Dg1R_0EMQk000001evqG.png) + +- Limit searches to mail-enabled groups and mail-enabled users: + + ![User-added image](images/ka0Qk000000Dg1R_0EMQk000001f1KX.png) + +## Reference: +Admin Center — Security Roles — Search Policy for Security Roles — v11.0 +/docs/directory-manager/11.0/groupid/admin-guidecenter/securityrole/policy + +### Related Articles: +- How To Enforce Users to Create Groups in a Specific OU. + /docs/kb/directory-manager/how_to_enforce_users_to_create_groups_in_a_specific_ou +- How To Import Members to a Group Using Self-Service Import Wizard. + /docs/kb/directory-manager/how_to_import_members_to_a_group_using_self-service_import_wizard +- How to Trigger a workflow When a User Сreates a Group. + /docs/kb/directory-manager/how_to_trigger_a_workflow_when_a_user_сreates_a_group +- How To Add Message Approvers in Group Properties in Self-Service. + /docs/kb/directory-manager/how_to_add_message_approvers_in_group_properties_in_groupid_portal +- Best Practices for Controlling Changes to Group Membership. + /docs/kb/directory-manager/how_to_enforce_users_to_create_groups_in_a_specific_ou +- Best Practices for Preventing Accidental Data Leakage. + /docs/kb/directory-manager/best_practices_for_preventing_accidental_data_leakage diff --git a/docs/kb/endpointpolicymanager/_category_.json b/docs/kb/endpointpolicymanager/_category_.json new file mode 100644 index 0000000000..bd0adf85a3 --- /dev/null +++ b/docs/kb/endpointpolicymanager/_category_.json 
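Review bot: in the Related Articles list of the search policy walkthrough, "Best Practices for Controlling Changes to Group Membership" links to `how_to_enforce_users_to_create_groups_in_a_specific_ou`, the same target as the first entry, so one of the two is wrong. The "How to Trigger a workflow When a User Сreates a Group" entry carries a non-Latin "С" in both the title and the path, and every link uses `/docs/kb/directory-manager/` while this file is added under `docs/kb/directorymanager/`; please confirm these resolve. In "More Information" the example filter is written with a trailing wildcard (`Country=United States*`) while the sentence after it describes an exact value, and the parentheses sit outside the code span. The `sidebar_label` is cut off at "Filte".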
@@ -0,0 +1,6 @@ +{ + "label": "Knowledge Base Articles", + "position": 999, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/endpointpolicymanager/administration/_category_.json b/docs/kb/endpointpolicymanager/administration/_category_.json new file mode 100644 index 0000000000..5a15299434 --- /dev/null +++ b/docs/kb/endpointpolicymanager/administration/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Administration", + "position": 8, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/endpointpolicymanager/administration/index.md b/docs/kb/endpointpolicymanager/administration/index.md new file mode 100644 index 0000000000..5c7b3b49d7 --- /dev/null +++ b/docs/kb/endpointpolicymanager/administration/index.md @@ -0,0 +1,16 @@ +--- +title: "Administration" +description: System administration and maintenance" +--- + +# Administration + +System administration and maintenance + +## Categories + +### [Elasticsearch](./elasticsearch/) +Manage Elasticsearch and replication + +### [Database](./database/) +Database management and queries diff --git a/docs/kb/endpointpolicymanager/configuration/_category_.json b/docs/kb/endpointpolicymanager/configuration/_category_.json new file mode 100644 index 0000000000..231704b45b --- /dev/null +++ b/docs/kb/endpointpolicymanager/configuration/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Configuration", + "position": 2, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/endpointpolicymanager/configuration/index.md b/docs/kb/endpointpolicymanager/configuration/index.md new file mode 100644 index 0000000000..b51ca88858 --- /dev/null +++ b/docs/kb/endpointpolicymanager/configuration/index.md 
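Review bot: the front matter of administration/index.md has `description: System administration and maintenance"` with a closing double quote and no opening one, so the quote becomes part of the description text. The same stray quote is in the `description` line of the configuration, group-management, integration, troubleshooting and top-level index.md files added in this patch; either quote the whole value or drop the trailing character in all of them.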
@@ -0,0 +1,29 @@ +--- +title: "Configuration" +description: Articles about configuring various product features" +--- + +# Configuration + +Articles about configuring various product features + +## Articles in This Section + +- [Configuring Policypak To Run Programs With Elevated Privileges Via Privilege Secure](./configuring-policypak-to-run-programs-with-elevated-privileges-via-privilege-secure) +- [Configuring Policypak To Run Programs With Elevated Privileges Via Privilege Secure](./configuring-policypak-to-run-programs-with-elevated-privileges-via-privilege-secure) + +## Categories + +### [Authentication & Security](./authentication/) +Configure authentication and security settings + +### [Portal Configuration](./portal/) +Customize portal appearance and behavior + +### [Email & Notifications](./notifications/) +Set up email notifications and templates + +## Related Documentation + +Configuration Guide +Admin Center diff --git a/docs/kb/endpointpolicymanager/configuring-policypak-to-run-programs-with-elevated-privileges-via-privilege-secure.md b/docs/kb/endpointpolicymanager/configuring-policypak-to-run-programs-with-elevated-privileges-via-privilege-secure.md new file mode 100644 index 0000000000..4fb75ce496 --- /dev/null +++ b/docs/kb/endpointpolicymanager/configuring-policypak-to-run-programs-with-elevated-privileges-via-privilege-secure.md 
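Review bot: under "Articles in This Section" in configuration/index.md the same entry is listed twice, and its relative link `./configuring-policypak-to-run-programs-with-elevated-privileges-via-privilege-secure` resolves inside `configuration/`, while the article itself is added one level up in `docs/kb/endpointpolicymanager/`. Remove the duplicate and fix the path (or move the article). The two lines under "Related Documentation" are plain text with no link targets.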
@@ -0,0 +1,49 @@ +--- +description: >- + This article describes how to configure Netwrix Endpoint Policy Manager to + integrate with Netwrix Privilege Secure so users can launch a specified + program with on-demand elevated privileges. The example uses dbeaver.exe but + you can configure any executable. +keywords: + - Netwrix Endpoint Policy Manager + - Netwrix Privilege Secure + - SbPAM + - elevated privileges + - GPO + - ADMX + - dbeaver + - executable policy + - launch policy +products: + - endpoint-policy-manager +sidebar_label: Configuring PolicyPak to Run Programs with Elevate +tags: [] +title: >- + Configuring Netwrix Endpoint Policy Manager to Run Programs with Elevated + Privileges via Privilege Secure +knowledge_article_id: kA04u000000PoLbCAK +--- + +# Configuring Netwrix Endpoint Policy Manager to Run Programs with Elevated Privileges via Privilege Secure + +## Summary + +This article outlines the process of configuring Netwrix Endpoint Policy Manager to integrate with Netwrix Privilege Secure. This integration allows Endpoint Policy Manager to be granted on-demand privilege elevation when launching a specified program from a server or workstation. It is assumed that Endpoint Policy Manager is already installed and configured. In this example we will configure the integration with `dbeaver.exe`, but the configured program can be anything. + +Additionally, the Netwrix Endpoint Policy Manager documentation offers two video demos that outline the NPS/Endpoint Policy Manager integration: https://kb.policypak.com/kb/section/429/ + +## Instructions + +1. On the Endpoint Policy Manager server, locate the Endpoint Policy Manager installer’s zip archive. This archive will contain a directory with the following name: + +``` +\PolicyPak ADMX (Troubleshooting)\PolicyDefinitions\ +``` + +2. Reference this PolicyPak video to decide how you want to implement the ADMX settings: https://kb.policypak.com/kb/article/505-troubleshooting-with-admx-files/ + +3. 
Create a domain-based GPO (`GPMC.MSC`) or a local Group Policy (`GPEDIT.MSC`), and ensure the endpoint machine(s) will be addressed. Navigate to the **Bypass SbPAM server SSL certificate verification** setting under the indicated path: + +![image.png](./images/ka04u00000116HU_0EM4u000007ci9R.png) + +12. You should now be able to launch the indicated program with elevated privileges by right-clicking and selecting the Netwrix Endpoint Policy Manager context menu entry. diff --git a/docs/kb/endpointpolicymanager/disabling_optional_connected_experiences_in_office_365_apps.md b/docs/kb/endpointpolicymanager/disabling_optional_connected_experiences_in_office_365_apps.md new file mode 100644 index 0000000000..447110225e --- /dev/null +++ b/docs/kb/endpointpolicymanager/disabling_optional_connected_experiences_in_office_365_apps.md 
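Review bot: the Instructions in the Privilege Secure integration article jump from step 3 to step 12, so steps 4 to 11 are missing and the procedure cannot be followed to the result step 12 describes. Step 3 also sends the reader to the **Bypass SbPAM server SSL certificate verification** setting without saying what state to set it to or what that implies, and "the indicated path" exists only in the screenshot. Please restore the missing steps, write the GPO path out in text, and state the intended value; if the article means to enable the bypass, say that this turns off verification of the server certificate and point to installing a trusted certificate as the alternative.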
@@ -0,0 +1,64 @@ +--- +description: >- + This article explains how to disable the Optional Connected Experiences feature in Office 365 apps such as Word and Excel using registry settings or PowerShell scripts. +keywords: + - Office 365 + - Optional Connected Experiences + - registry settings + - PowerShell + - Endpoint Policy Manager +sidebar_label: Disabling Optional Connected Experiences +tags: [] +title: "Disabling Optional Connected Experiences in Office 365 Apps" +knowledge_article_id: kA0Qk0000002WyHKAU +products: + - endpoint-policy-manager +--- + +# Disabling Optional Connected Experiences in Office 365 Apps + +## Related Queries + +- "How can I configure a policy to automatically uncheck the option for optional connected experiences in Office 365 apps?" +- "Disable Optional Connected Experiences in O365 apps" + +## Overview + +This article explains how to disable the **Optional Connected Experiences** feature in Office 365 apps such as Word and Excel by using registry settings or PowerShell scripts. This setting is located under **App** > **File** > **Options** > **Trust Center Settings** > **Privacy Options**. + +## Instructions + +### Using Registry Settings + +To disable the **Optional Connected Experiences** feature, you can manually set the required registry keys: + +```plaintext +Windows Registry Editor Version 5.00 + +[HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\common\privacy] +"disconnectedstate"=dword:00000002 +``` + +> **IMPORTANT:** Always test registry changes on a small number of machines before deploying them widely. 
+ +### Using a PowerShell Script + +Alternatively, you can use the following PowerShell script to set the registry keys: + +```powershell +if((Test-Path -LiteralPath "HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy") -ne $true) { + New-Item "HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy" -force -ea SilentlyContinue +}; +New-ItemProperty -LiteralPath 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy' -Name 'disconnectedstate' -Value 2 -PropertyType DWord -Force -ea SilentlyContinue; +``` + +> **NOTE:** Ensure the **`disconnectedstate`** value is set to **`2`** to properly disable the feature. + +### Using Endpoint Policy Manager + +If you are using **Netwrix Endpoint Policy Manager**, you can deploy the above PowerShell script as a policy using the **Scripts & Triggers** component. Refer to [How to create a shortcut under the Public Desktop using Endpoint Policy Scripts Manager](/docs/endpointpolicymanager/) to see an example of how to run PowerShell scripts via Scripts & Triggers Manager. + +## Related Links + +- [How to create a shortcut under the Public Desktop using Endpoint Policy Scripts Manager](/docs/endpointpolicymanager/) +- [Policy Setting for Optional Connected Experiences ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/manage-privacy-controls#policy-setting-for-optional-connected-experiences) \ No newline at end of file diff --git a/docs/kb/endpointpolicymanager/group-management/_category_.json b/docs/kb/endpointpolicymanager/group-management/_category_.json new file mode 100644 index 0000000000..17dae6c71a --- /dev/null +++ b/docs/kb/endpointpolicymanager/group-management/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Group Management", + "position": 3, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/endpointpolicymanager/group-management/index.md b/docs/kb/endpointpolicymanager/group-management/index.md new file mode 100644 index 0000000000..b969222824 --- /dev/null 
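Review bot: in the PowerShell block of the Optional Connected Experiences article, both `New-Item` and `New-ItemProperty` run with `-ea SilentlyContinue`, so if the script runs in a context that cannot write to `HKCU:\Software\Policies\...` it fails without any output and the policy looks deployed when it is not. Suggest dropping the silent error action, or reading the value back afterwards and exiting non-zero when it is not 2. Please also confirm against the linked Microsoft page that `disconnectedstate` is the value for the optional connected experiences setting named in the title rather than for a broader setting. Both links titled "How to create a shortcut under the Public Desktop..." point at `/docs/endpointpolicymanager/` rather than at an article.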
+++ b/docs/kb/endpointpolicymanager/group-management/index.md @@ -0,0 +1,24 @@ +--- +title: "Group Management" +description: Managing groups, smart groups, and dynasties" +--- + +# Group Management + +Managing groups, smart groups, and dynasties + +## Categories + +### [Smart Groups](./smart-groups/) +Configure and manage smart groups + +### [Dynasties](./dynasties/) +Set up and maintain group dynasties + +### [Group Policies](./policies/) +Group governance and compliance policies + +## Related Documentation + +Group Management Guide +Group APIs diff --git a/docs/kb/endpointpolicymanager/images/ka04u00000116HU_0EM4u000007ci9R.png b/docs/kb/endpointpolicymanager/images/ka04u00000116HU_0EM4u000007ci9R.png new file mode 100644 index 0000000000..338249c38f Binary files /dev/null and b/docs/kb/endpointpolicymanager/images/ka04u00000116HU_0EM4u000007ci9R.png differ diff --git a/docs/kb/endpointpolicymanager/index.md b/docs/kb/endpointpolicymanager/index.md new file mode 100644 index 0000000000..170684998f --- /dev/null +++ b/docs/kb/endpointpolicymanager/index.md 
@@ -0,0 +1,51 @@ +--- +title: "Knowledge Base" +description: Browse our knowledge base articles by category" +--- + +# Knowledge Base + +Welcome to the knowledge base. Browse articles by category below. + +## Categories + +### [Installation & Setup](./installation/) +Articles about installing, uninstalling, and setting up the product + +### [Configuration](./configuration/) +Articles about configuring various product features + +### [Group Management](./group-management/) +Managing groups, smart groups, and dynasties + +### [User Management](./user-management/) +Managing users and user profiles + +### [Reports & Analytics](./reporting/) +Generate reports and export data + +### [Troubleshooting](./troubleshooting/) +Resolve common issues and errors + +### [Integration](./integration/) +Integrate with external services and APIs + +### [Administration](./administration/) +System administration and maintenance + +### [Best Practices](./best-practices/) +Recommended practices and how-to guides + +## Quick Links + +- [Installation & Setup](./installation/) +- [Troubleshooting Guide](./troubleshooting/) +- [Best Practices](./best-practices/) +- [Integration Guide](./integration/) + +## Need Help? + +If you can't find what you're looking for, please: +1. Use the search function above +2. Check the main documentation +3. Contact [support](https://www.netwrix.com/support.html) diff --git a/docs/kb/endpointpolicymanager/integration/_category_.json b/docs/kb/endpointpolicymanager/integration/_category_.json new file mode 100644 index 0000000000..0808fc705a --- /dev/null +++ b/docs/kb/endpointpolicymanager/integration/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Integration", + "position": 7, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/endpointpolicymanager/integration/index.md b/docs/kb/endpointpolicymanager/integration/index.md new file mode 100644 index 0000000000..79cb68325b --- /dev/null +++ b/docs/kb/endpointpolicymanager/integration/index.md 
@@ -0,0 +1,21 @@ +--- +title: "Integration" +description: Integrate with external services and APIs" +--- + +# Integration + +Integrate with external services and APIs + +## Categories + +### [Microsoft Services](./microsoft/) +Microsoft Entra ID, Graph API, and Office 365 + +### [Workflows & Automation](./workflows/) +Workflow automation and triggers + +## Related Documentation + +APIs Reference +Microsoft Entra ID Configuration diff --git a/docs/kb/endpointpolicymanager/troubleshooting/_category_.json b/docs/kb/endpointpolicymanager/troubleshooting/_category_.json new file mode 100644 index 0000000000..229fa3fd02 --- /dev/null +++ b/docs/kb/endpointpolicymanager/troubleshooting/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Troubleshooting", + "position": 6, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/endpointpolicymanager/troubleshooting/index.md b/docs/kb/endpointpolicymanager/troubleshooting/index.md new file mode 100644 index 0000000000..6c6ef76077 --- /dev/null +++ b/docs/kb/endpointpolicymanager/troubleshooting/index.md @@ -0,0 +1,21 @@ +--- +title: "Troubleshooting" +description: Resolve common issues and errors" +--- + +# Troubleshooting + +Resolve common issues and errors + +## Categories + +### [Logs & Debugging](./logs/) +Working with logs and debugging + +### [Common Issues](./common-issues/) +Solutions for common problems + +## Related Documentation + +Installation Guide +Requirements diff --git a/docs/kb/endpointprotector/_category_.json b/docs/kb/endpointprotector/_category_.json new file mode 100644 index 0000000000..31ba0aed9c --- /dev/null +++ b/docs/kb/endpointprotector/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Troubleshooting Articles", + "position": 999, + "collapsed": true, + "collapsible": true +} 
diff --git a/docs/kb/endpointprotector/activating_the_mail_add-in_for_domain_allowlist_in_outlook_classic_for_windows.md b/docs/kb/endpointprotector/activating_the_mail_add-in_for_domain_allowlist_in_outlook_classic_for_windows.md new file mode 100644 index 0000000000..5b65c2a615 --- /dev/null +++ b/docs/kb/endpointprotector/activating_the_mail_add-in_for_domain_allowlist_in_outlook_classic_for_windows.md 
@@ -0,0 +1,42 @@ +--- +description: >- + This article explains how to activate the Endpoint Protector (EPP) Mail Add-in in Outlook Classic for Windows, which is required to use the Domain Allowlist feature for email. +keywords: + - Endpoint Protector + - Mail Add-in + - Domain Allowlist +sidebar_label: Activating EPP Mail Add-in +tags: [] +title: "Activating the Mail Add-in for Domain Allowlist in Outlook Classic for Windows" +knowledge_article_id: kA0Qk0000002B6LKAU +products: + - endpoint-protector +--- + +# Activating the Mail Add-in for Domain Allowlist in Outlook Classic for Windows + +## Overview + +This article explains how to activate the Endpoint Protector (EPP) Mail Add-in in Outlook Classic for Windows, which is required to use the Domain Allowlist feature for email. The add-in must be enabled for the allowlist to function correctly with Outlook. + +## Instructions + +1. In the EPP Console, ensure the Mail Add-in is included when downloading the client. + + ![EPP Mail Add-in included in client download](./images/servlet_image_5271b231d0a2.png) + +2. To verify that the EPP Mail Add-in is present in the list of active add-ins, open Outlook and navigate to **Outlook Options** > **Add-ins** > **Active Add-ins**. + +3. If the add-in is not active, activate it and restart Outlook to apply the new settings. + +4. To use the Domain Allowlist, ensure the email domains are added under **Denylists and Allowlists** > **Allowlists** > **Email Domain**. + +5. To verify that the email domains are selected in the relevant Content Aware Policy, navigate to the policy and edit. + +6. Expand the **Policy Allowlists** section. + +7. Go to **Email Domain** and select the appropriate email domain dictionary. + +8. Save the policy. + +> **NOTE:** On non-Windows endpoints, Deep Packet Inspection must be enabled to use the Email Domain Allowlist. \ No newline at end of file 
diff --git a/docs/kb/endpointprotector/ad_admins_not_able_to_log_in.md b/docs/kb/endpointprotector/ad_admins_not_able_to_log_in.md new file mode 100644 index 0000000000..b11cb50b1b --- /dev/null +++ b/docs/kb/endpointprotector/ad_admins_not_able_to_log_in.md @@ -0,0 +1,28 @@ +--- +description: >- + This article explains how to resolve issues where Active Directory (AD) administrators are unable to log in after setting up AD Authentication and importing new admin accounts in Endpoint Protector. +keywords: + - Active Directory + - AD Authentication + - Endpoint Protector +sidebar_label: AD Admin Login Issues +tags: [] +title: "AD Admins Not Able to Log In" +knowledge_article_id: kA0Qk0000002B31KAE +products: + - endpointprotector +--- + +# AD Admins Not Able to Log In + +## Overview + +This article explains how to resolve issues where Active Directory (AD) administrators are unable to log in after setting up **AD Authentication** and importing new admin accounts in Endpoint Protector. + +## Instructions + +1. Log in to the Endpoint Protector server with a non-AD admin account. + +2. Navigate to **System Configuration** > **System Security** to ensure they match the configuration shown below. + + ![Password settings in System Security section of Endpoint Protector](./images/servlet_image_40736f16d061.png) \ No newline at end of file diff --git a/docs/kb/endpointprotector/add_an_ssl_certificate.md b/docs/kb/endpointprotector/add_an_ssl_certificate.md new file mode 100644 index 0000000000..5731884f29 --- /dev/null +++ b/docs/kb/endpointprotector/add_an_ssl_certificate.md 
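Review bot: step 2 of ad_admins_not_able_to_log_in.md says to make sure the **System Security** settings "match the configuration shown below", but the required values exist only in the screenshot, and the procedure ends there without saying what to change or how to confirm that AD admins can log in again. Please list the settings and their expected values in text and add a verification step. The front matter uses `products: - endpointprotector`, while the neighbouring Endpoint Protector articles in this patch use `endpoint-protector`.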
@@ -0,0 +1,32 @@ +--- +description: >- + This article provides step-by-step instructions on how to add an SSL certificate to Endpoint Protector. +keywords: + - SSL certificate + - Endpoint Protector + - server maintenance +sidebar_label: Add SSL Certificate +tags: [] +title: "How to Add an SSL Certificate to Endpoint Protector" +knowledge_article_id: kA0Qk0000002B6wKAE +products: + - endpoint-protector +--- + +# How to Add an SSL Certificate to Endpoint Protector + +## Overview + +This article provides guidance on adding an SSL certificate to Endpoint Protector. An SSL certificate must be generated either on your side or by using a third-party application. + +## Instructions + +Follow the steps below to add an SSL certificate to Endpoint Protector: + +1. In the Endpoint Protector Console, navigate to **Appliance > Server Maintenance**. + ![Server Maintenance section in the UI](./images/servlet_image_9e6a518233f7.png) + +2. Once a `.pem` SSL certificate is generated (`certificate.pem` and `certificate.key`), paste their contents into the self-signing certificate fields and save the changes. + > **NOTE:** When copying the certificate and key, ensure you select the **BEGIN** and **END** lines. + +3. Allow 5–10 minutes for the changes to apply, then close and re-open the console completely. \ No newline at end of file diff --git a/docs/kb/endpointprotector/adv-2024-002_remote_code_execution_vulnerabilities_in_cososys_endpoint_protector.html b/docs/kb/endpointprotector/adv-2024-002_remote_code_execution_vulnerabilities_in_cososys_endpoint_protector.html new file mode 100644 index 0000000000..f446f93a4a --- /dev/null +++ b/docs/kb/endpointprotector/adv-2024-002_remote_code_execution_vulnerabilities_in_cososys_endpoint_protector.html 
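Review bot: step 2 of add_an_ssl_certificate.md describes `certificate.pem` and `certificate.key` together as "a `.pem` SSL certificate" and tells the reader to paste "their contents" into the "self-signing certificate fields", without saying which field takes the certificate and which takes the key. Since `certificate.key` is the private key, name the two fields explicitly and add a line about not leaving the key file in a shared location after the paste. The field name also reads oddly next to the Overview, which allows a certificate produced by a third-party application; clarify whether a CA-issued certificate goes in the same fields.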
@@ -0,0 +1,42 @@ +--- +title: "ADV-2024-002: Remote Code Execution Vulnerabilities in CoSoSys Endpoint Protector" +products: + - endpoint-protector +knowledge_article_id: "kA0Qk0000001E5lKAE" +--- + +# ADV-2024-002: Remote Code Execution Vulnerabilities in CoSoSys Endpoint Protector + +

Published: June 27, 2024

+ +

Executive Summary

+ +

Four vulnerabilities were discovered by a third-party security research team affecting CoSoSys Endpoint Protector and CoSoSys Unify. By exploiting these vulnerabilities, an attacker may be able to gain remote code execution on the Endpoint Protector and Unify server or agent, or to bypass data-loss prevention policy enforcement.

+ +

Acknowledgements

+ +

We thank Sangjun Song and Junwoo Byun from Theori for their coordinated disclosure of the vulnerabilities and their effort and partnership in improving the security of our products.

+ +

Vulnerability

+ +
TitleAffected ComponentAffected VersionsCVSS 4.0 ScoreCVSS 3.1 Score (Base / Temporal)Description
Insufficient input validation in file upload (CVE-2024-36072)CoSoSys Endpoint Protector
CoSoSys Unify
<= 5.9.3.0
<= 7.0.6
10.010.0 / 9.0A remote code execution vulnerability exists in the logging component of the Endpoint Protector and Unify server application which allows an unauthenticated remote attacker to send a malicious request, resulting in the ability to execute system commands with root privileges.
Insufficient input validation in shadow function (CVE-2024-36073)CoSoSys Endpoint Protector
CoSoSys Unify
<= 5.9.3.0
<= 7.0.6
8.59.1 / 8.2A remote code execution vulnerability exists in the shadowing component of the Endpoint Protector and Unify agent which allows an attacker with administrative access to the Endpoint Protector or Unify server to overwrite sensitive configuration and subsequently execute system commands with SYSTEM/root privileges on a chosen client endpoint.
Insufficient validation of third-party resource acquisition (CVE-2024-36074)CoSoSys Endpoint Protector
CoSoSys Unify
<= 5.9.3.0
<= 7.0.6
7.37.2 / 6.5A remote code execution vulnerability exists in the Endpoint Protector and Unify agent in the way that the EasyLock dependency is acquired from the server. An attacker with administrative access to the Endpoint Protector or Unify server can cause a client to acquire and execute a malicious file resulting in remote code execution.
Insufficient input validation in application configuration (CVE-2024-36075)CoSoSys Endpoint Protector
CoSoSys Unify
<= 5.9.3.0
<= 7.0.6
7.28.0 / 7.2The CoSoSys Endpoint Protector and Unify agent is susceptible to an arbitrary code execution vulnerability due to the way an archive obtained from the Endpoint Protector or Unify server is extracted on the endpoint. An attacker who is able to modify the archive on the server could obtain remote code execution as an administrator on an endpoint.
+ +

Exploitability

+ +

Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.

+ +
TitlePublicly known?Exploit available?Actively exploited?
Insufficient input validation in file upload (CVE-2024-36072)YesNoNo
Insufficient input validation in shadow function (CVE-2024-36073)YesNoNo
Insufficient validation of third-party resource acquisition (CVE-2024-36074)YesNoNo
Insufficient input validation in application configuration (CVE-2024-36075)YesNoNo
+ +

Solution

+ +

CoSoSys, now part of Netwrix, customers, prospects, and partners should review the complete security advisory for instructions on applying relevant hotfixes.

+ +

Revisions

+ +

Updates to this advisory may be made as necessary. Information about each change will be published in the table below.

+ +
RevisionDateDescription
1June 27, 2024First published
+ +

Disclaimer

+ +

The information and materials included in or linked to this Security Advisory are provided on an "as-is" basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.

\ No newline at end of file diff --git a/docs/kb/endpointprotector/allowing-chatgpt-access-via-deep-packet-inspection-allowlist.md b/docs/kb/endpointprotector/allowing-chatgpt-access-via-deep-packet-inspection-allowlist.md new file mode 100644 index 0000000000..aea831b408 --- /dev/null +++ b/docs/kb/endpointprotector/allowing-chatgpt-access-via-deep-packet-inspection-allowlist.md @@ -0,0 +1,39 @@ +--- +description: >- + Instructions to configure Endpoint Protector to allow ChatGPT by adding the + `openai.com` domain to a Deep Packet Inspection (DPI) allowlist and including + it in a Content Aware Policy. +keywords: + - chatgpt + - deep packet inspection + - DPI + - allowlist + - openai + - endpoint protector + - content aware policy + - denylists + - allowlists +products: + - endpoint-protector +sidebar_label: Allowing ChatGPT Access via Deep Packet Inspection +tags: [] +title: "Allowing ChatGPT Access via Deep Packet Inspection Allowlist" +knowledge_article_id: kA0Qk0000002B6PKAU +--- + +# Allowing ChatGPT Access via Deep Packet Inspection Allowlist + +## Overview + +This article explains how to configure Endpoint Protector to allow access to ChatGPT by adding the `openai.com` domain to a Deep Packet Inspection (DPI) allowlist. In environments where DPI is enabled, web-based AI services like ChatGPT may be blocked by default because security policies restrict access to certain domains. + +## Instructions + +1. In the Endpoint Protector Console, navigate to **Denylists and Allowlists** > **Allowlists** > **Deep Packet Inspection**. +2. Create a new allowlist dictionary for allowed domains and add the domain using wildcards: + `*openai.com*` +3. Once the allowlist dictionary is created, include it in the relevant Content Aware Policy. +4. Edit the Content Aware Policy. +5. Expand the **Policy Allowlist** section. +6. Navigate to **Deep Packet Inspection** and select the dictionary you created. +7. Save the policy. 
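Review bot: In "How to Add an SSL Certificate to Endpoint Protector", step 2 has the reader paste the contents of `certificate.key` (the private key) into the console but only calls the target "the self-signing certificate fields", without naming which field takes the certificate and which takes the key. Please name both fields as they appear under **Appliance > Server Maintenance**, and say whether a CA-issued certificate goes in the same "self-signing" fields, since the Overview allows a certificate generated "on your side or by using a third-party application". A verification step after step 3 (confirm the console now presents the new certificate) would also tell the reader whether the 5–10 minute wait succeeded.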
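Review bot: In the ADV-2024-002 file, the Solution paragraph sends readers to "the complete security advisory for instructions on applying relevant hotfixes", but the hunk contains no link to it and the vulnerability table lists only affected versions (`<= 5.9.3.0`, `<= 7.0.6`), not the first fixed version. For an advisory whose first entry is an unauthenticated issue scored 10.0, the page should carry the link and the fixed versions so a reader can act from this page alone. The wording "CoSoSys, now part of Netwrix, customers, prospects, and partners" also reads awkwardly. Separately, the file is added with an `.html` extension but opens with YAML front matter and a `#` Markdown heading, and its front matter lacks the `description`, `keywords` and `sidebar_label` keys the other KB files in this patch have; please confirm the docs build handles that as intended.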
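Review bot: In allowing-chatgpt-access-via-deep-packet-inspection-allowlist.md, step 2 adds `*openai.com*` with a wildcard on both sides, which is broader than the "`openai.com` domain" the description and Overview promise. If the DPI allowlist matches this as a substring, hosts that merely contain the string (a different registrable domain ending in `openai.com`, or `openai.com` used as a subdomain label of another domain) would be exempted from inspection too. Please either document the narrowest pattern the product supports for "this domain and its subdomains", or add a sentence explaining why both wildcards are required and what else the entry will match.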
diff --git a/docs/kb/endpointprotector/are_ios_devices_recognized_when_connected_to_a_windows_pc.md b/docs/kb/endpointprotector/are_ios_devices_recognized_when_connected_to_a_windows_pc.md new file mode 100644 index 0000000000..e18e15290f --- /dev/null +++ b/docs/kb/endpointprotector/are_ios_devices_recognized_when_connected_to_a_windows_pc.md @@ -0,0 +1,24 @@ +--- +description: >- + This article addresses whether Endpoint Protector recognizes iOS devices when connected to a Windows PC. +keywords: + - Endpoint Protector + - iOS devices + - Windows PC +sidebar_label: iOS Device Recognition +tags: [] +title: "Are iOS Devices Recognized When Connected to a Windows PC?" +knowledge_article_id: kA0Qk0000002B9HKAU +products: + - endpoint-protector +--- + +# Are iOS Devices Recognized When Connected to a Windows PC? + +## Question + +Will Endpoint Protector recognize my iPhone, iPad, or iPod Touch when connected to a Windows PC? + +## Answer + +Yes, **Endpoint Protector** individually recognizes iPhones, iPads, and iPod Touch devices, each as its own device category. If iDevices are allowed by your policy, you will be able to access them through **iTunes**. If they are not allowed, **Endpoint Protector** will block access to these devices. \ No newline at end of file diff --git a/docs/kb/endpointprotector/block-file-transfers-to-or-from-network-shares.md b/docs/kb/endpointprotector/block-file-transfers-to-or-from-network-shares.md new file mode 100644 index 0000000000..e2ccc30710 --- /dev/null +++ b/docs/kb/endpointprotector/block-file-transfers-to-or-from-network-shares.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Explains how to block file transfers to or from network shares by configuring + the Content Aware Protection policy. Includes step-by-step instructions and + examples for specifying network share paths. +keywords: + - network share + - denylist + - Content Aware Protection + - file transfer + - UNC path + - Endpoint Protector + - block file transfer + - denylist file location +products: + - endpoint-protector +sidebar_label: Block File Transfers to or from Network Shares +tags: [] +title: "Block File Transfers to or from Network Shares" +knowledge_article_id: kA0Qk0000002B6oKAE +--- + +# Block File Transfers to or from Network Shares + +## Overview + +This article explains how to block file transfers to or from network shares using the Content Aware Protection policy. + +## Instructions + +1. Ensure that **Network Share** is selected in the Content Aware Protection policy. +2. Navigate to **Denylists and Allowlists > Denylists**. +3. Select the **File Location** tab. +4. Click the **Add** button. +5. In the **Content** text box, add the network share path without the two leading backslashes (`\`): + - This is correct and will block file transfers: `192.168.10.10\test` + - This is incorrect and will not block file transfers: `\192.168.10.10\test` +6. In the **Groups** or **Computers** section, select the computers or groups that the denylist should be applied to. +7. Save the changes. diff --git a/docs/kb/endpointprotector/blocking-easylock-folder-access-on-machines-without-the-endpoint-protector-agent.md b/docs/kb/endpointprotector/blocking-easylock-folder-access-on-machines-without-the-endpoint-protector-agent.md new file mode 100644 index 0000000000..ef196efc1c --- /dev/null +++ b/docs/kb/endpointprotector/blocking-easylock-folder-access-on-machines-without-the-endpoint-protector-agent.md 
@@ -0,0 +1,33 @@ +--- +description: This article explains how you can prevent access to EasyLock-protected + folders from machines that do not have the Endpoint Protector agent installed, ensuring + only endpoints with the agent can open EasyLock folders. +keywords: + - EasyLock + - Endpoint Protector + - agent + - device control + - EasyLock settings + - client presence + - access control + - endpoint protection +products: + - endpoint-protector +sidebar_label: Blocking EasyLock Folder Access on Machines... +tags: [] +title: "Blocking EasyLock Folder Access on Machines Without the Endpoint Protector Agent" +knowledge_article_id: kA0Qk0000002B6iKAE +--- + +# Blocking EasyLock Folder Access on Machines Without the Endpoint Protector Agent + +## Overview + +This article explains how you can prevent access to EasyLock-protected folders from machines where the Endpoint Protector agent is not installed. Enabling this setting ensures that only endpoints with the agent present can open EasyLock folders. + +## Instructions + +1. Go to **Device Control** > **Global Settings** > **EasyLock Settings**. +2. Enable the **Endpoint Protector Client presence required** option. +3. Save the changes. + ![Endpoint](images/servlet_image_3f1c3b331cfe.png) diff --git a/docs/kb/endpointprotector/can-content-aware-protection-detect-sensitive-content-in-archived-files.md b/docs/kb/endpointprotector/can-content-aware-protection-detect-sensitive-content-in-archived-files.md new file mode 100644 index 0000000000..8927abd6af --- /dev/null +++ b/docs/kb/endpointprotector/can-content-aware-protection-detect-sensitive-content-in-archived-files.md 
@@ -0,0 +1,33 @@ +--- +description: >- + Explains whether Netwrix Endpoint Protector's Content Aware Protection can + detect sensitive content inside archived files and how password protection + affects scanning. +keywords: + - endpoint protector + - content aware + - archives + - password protected + - sensitive data + - credit card + - social security + - file type filter + - data leak +products: + - endpoint-protector +visibility: public +sidebar_label: Can Content Aware Protection Detect Sensitive Cont +tags: [] +title: "Can Content Aware Protection Detect Sensitive Content in Archived Files?" +knowledge_article_id: kA0Qk0000002BNeKAM +--- + +# Can Content Aware Protection Detect Sensitive Content in Archived Files? + +## Question +Will Netwrix Endpoint Protector's Content Aware Protection detect and block documents containing sensitive information, such as credit card numbers or Social Security numbers, when they are transferred as archives? + +## Answer +Netwrix Endpoint Protector's Content Aware agent will detect and block documents with sensitive content only if the archives are not password protected. If an archive is password protected, the agent cannot scan its contents. + +> **NOTE:** To help prevent leaks of sensitive data through archives, use the file type filter and select all archive types. diff --git a/docs/kb/endpointprotector/can-endpoint-protector-block-internal-card-readers-on-mac.md b/docs/kb/endpointprotector/can-endpoint-protector-block-internal-card-readers-on-mac.md new file mode 100644 index 0000000000..2c53e0006e --- /dev/null +++ b/docs/kb/endpointprotector/can-endpoint-protector-block-internal-card-readers-on-mac.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Yes. Endpoint Protector can block internal card readers on Mac by treating + them as the USB Storage Device device class; set the class rights to Deny to + block the reader. +keywords: + - endpoint protector + - Mac + - card reader + - internal card reader + - USB Storage Device + - block + - deny + - allow + - DLP +products: + - endpoint-protector +sidebar_label: Can Endpoint Protector Block Internal Card Readers +tags: [] +title: "Can Endpoint Protector Block Internal Card Readers on Mac?" +knowledge_article_id: kA0Qk0000002BCfKAM +--- + +# Can Endpoint Protector Block Internal Card Readers on Mac? + +## Question +Is it possible to block an internal card reader on Mac with Endpoint Protector? + +## Answer +Yes, Endpoint Protector can block internal card readers on Mac computers. In the Endpoint Protector interface, a card reader is recognized as a **USB Storage Device**. + +If the rights for the **USB Storage Device** class are set to **Allow**, internal card readers will also be allowed, and users will be able to access information from inserted cards. + +If the rights for the **USB Storage Device** class are set to **Deny**, the internal card reader will be blocked. diff --git a/docs/kb/endpointprotector/can-optical-character-recognition-be-enabled-for-file-inspection.md b/docs/kb/endpointprotector/can-optical-character-recognition-be-enabled-for-file-inspection.md new file mode 100644 index 0000000000..1a4bf87792 --- /dev/null +++ b/docs/kb/endpointprotector/can-optical-character-recognition-be-enabled-for-file-inspection.md 
@@ -0,0 +1,35 @@ +--- +description: >- + Explains how to enable Optical Character Recognition (OCR) for file content + inspection in Netwrix Endpoint Protector and lists supported file types and + where to enable the setting. +keywords: + - OCR + - optical character recognition + - file inspection + - Endpoint Protector + - MIME Type Allowlists + - image files + - JPEG + - TIFF +products: + - endpoint-protector +sidebar_label: Can Optical Character Recognition Be Enabled for F +tags: [] +title: "Can Optical Character Recognition Be Enabled for File Inspection?" +knowledge_article_id: kA0Qk0000002BDzKAM +--- + +# Can Optical Character Recognition Be Enabled for File Inspection? + +## Question +Can you enable Optical Character Recognition (OCR) for file content inspection? + +## Answer +Yes, OCR is the process that converts an image of text into a machine-readable text format. This feature is available for **Windows**, **macOS**, and **Linux** machines. + +You can enable OCR at the global, computer, user, or group level from the following location in the Endpoint Protector console: + +![OCR enablement settings page in the EPP console](images/ka0Qk000000DzFN_0EMQk00000C8zgv.png) + +Once enabled, the Endpoint Protector client can inspect the content of **JPEG**, **PNG**, **GIF**, **BMP**, and **TIFF** file types. Enabling this option will also update the global MIME Type Allowlists. diff --git a/docs/kb/endpointprotector/can-the-easylock-app-be-opened-without-the-endpoint-protector-agent-installed.md b/docs/kb/endpointprotector/can-the-easylock-app-be-opened-without-the-endpoint-protector-agent-installed.md new file mode 100644 index 0000000000..634ca16e31 --- /dev/null +++ b/docs/kb/endpointprotector/can-the-easylock-app-be-opened-without-the-endpoint-protector-agent-installed.md 
@@ -0,0 +1,32 @@ +--- +description: >- + Explains how to configure whether the EasyLock app requires the Netwrix + Endpoint Protector agent to be installed before it can be opened and where to + change the setting. +keywords: + - EasyLock + - Netwrix Endpoint Protector + - Endpoint Protector + - Device Control + - EasyLock Settings + - Endpoint Protector Client presence required + - agent presence +products: + - endpoint-protector +sidebar_label: Can the EasyLock App Be Opened Without the Endpoin +tags: [] +title: "Can the EasyLock App Be Opened Without the Endpoint Protector Agent Installed?" +knowledge_article_id: kA0Qk0000002B2bKAE +--- + +# Can the EasyLock App Be Opened Without the Endpoint Protector Agent Installed? + +## Question +Can the EasyLock app be opened on a computer without the Netwrix Endpoint Protector agent installed? + +## Answer +Yes, you can configure whether EasyLock can be opened only when the Netwrix Endpoint Protector agent is present or if it can be opened freely on any computer. + +To configure this option, navigate to **Device Control** > **Global Settings** > **EasyLock Settings** and toggle the switch next to **Endpoint Protector Client presence required**. + +![Endpoint Protector Client presence required setting in EasyLock Settings](./images/ka0Qk000000EaBh_0EMQk00000CD9g6.png) diff --git a/docs/kb/endpointprotector/can-you-block-an-internal-card-reader-on-mac.md b/docs/kb/endpointprotector/can-you-block-an-internal-card-reader-on-mac.md new file mode 100644 index 0000000000..96090129e8 --- /dev/null +++ b/docs/kb/endpointprotector/can-you-block-an-internal-card-reader-on-mac.md 
@@ -0,0 +1,30 @@ +--- +description: >- + Explains how to block an internal card reader on a Mac using Netwrix Endpoint + Protector (EPP) and how user remediation affects inserted SD cards. +keywords: + - internal card reader + - Mac + - SD card + - Netwrix Endpoint Protector + - EPP + - block device + - user remediation + - device control +products: + - endpoint-protector +sidebar_label: Can You Block an Internal Card Reader on Mac? +tags: [] +title: "Can You Block an Internal Card Reader on Mac?" +knowledge_article_id: kA0Qk0000002BHKKA2 +--- + +# Can You Block an Internal Card Reader on Mac? + +## Question +Is it possible to block an internal card reader on Mac with Netwrix Endpoint Protector (EPP)? + +## Answer +Yes, you can block internal card readers on Mac computers using Netwrix Endpoint Protector (EPP). The rights apply to the card reader itself, not to the inserted SD card. For example, if you set **Deny** rights to the internal card reader class, any inserted SD cards will be blocked. + +If user remediation is active, every SD card you insert into the internal card reader will be allowed. diff --git a/docs/kb/endpointprotector/check_the_client_version_installed_on_your_computer.md b/docs/kb/endpointprotector/check_the_client_version_installed_on_your_computer.md new file mode 100644 index 0000000000..ea336b82b2 --- /dev/null +++ b/docs/kb/endpointprotector/check_the_client_version_installed_on_your_computer.md 
@@ -0,0 +1,30 @@ +--- +description: >- + This article explains how to check the version of the client installed on your computer, either directly from your computer or through the management console. +keywords: + - client version + - management console + - Endpoint Protector +sidebar_label: Check Client Version +tags: [] +title: "Check the Client Version Installed on Your Computer" +knowledge_article_id: kA0Qk0000002BAuKAM +products: + - endpoint-protector +--- + +# Check the Client Version Installed on Your Computer + +## Overview + +This article explains how to check the version of the client installed on your computer. You can view the version directly from your computer or through the management console. + +## Instructions + +You can use either of the following options to check the installed client version: + +1. Click the client icon in the system tray to view the installed version directly on your computer. + ![Client icon in system tray showing installed version](./images/servlet_image_e95427bb0c8e.png) + +2. Open the **Endpoint Protector Management Console** and go to **Device Control > Computers**. Check the **Client Version** column to see the version installed on each computer. + ![Endpoint Protector Management Console showing Client Version](./images/servlet_image_01861a9421d2.png) \ No newline at end of file diff --git a/docs/kb/endpointprotector/client-modes-overview.md b/docs/kb/endpointprotector/client-modes-overview.md new file mode 100644 index 0000000000..ee78f451b1 --- /dev/null +++ b/docs/kb/endpointprotector/client-modes-overview.md 
@@ -0,0 +1,90 @@ +--- +description: >- + Describes the six client modes in Netwrix Endpoint Protector, their behavior, + and recommendations for when to use each mode. Explains differences between + Normal, Transparent, Stealth, Panic, Hidden Icon, and Silent modes and links + to additional documentation. +keywords: + - endpoint protector + - client modes + - Transparent mode + - Stealth mode + - Panic mode + - Hidden Icon + - Silent mode + - Device Control + - Content Aware Protection +products: + - endpoint-protector +sidebar_label: Client Modes Overview +tags: [] +title: "Client Modes Overview" +knowledge_article_id: kA0Qk0000002BCRKA2 +--- + +# Client Modes Overview + +## Overview + +The Netwrix Endpoint Protector Client offers several modes that define its behavior on an end user's system. There are six modes available, and you can change them at any time by a Netwrix Endpoint Protector administrator. The summary below describes each mode and its key characteristics. + +## Client Modes + +1. **Normal:** The default and recommended setting. Normal mode does not apply to Content Aware Protection; all other client modes, except Silent mode, are specific to Device Control. + + > **NOTE:** If Normal mode does not suit your needs, consider using Hidden Icon or Silent modes as alternatives. + +2. **Transparent:** Blocks all devices while keeping users unaware of restrictions or the presence of the Netwrix Endpoint Protector Client. Does not apply to Content Aware Protection. + - **System tray icon** is not displayed. + - **System tray notifications** are not displayed. + - All devices are blocked, except: + - Keyboards (blocked when a third is connected or after 48 hours). + - Wi-Fi connections (not blocked). + - Bluetooth devices (remain operational). + - USB modems (not blocked). + - Administrator receives alerts for all activities. + +3. **Stealth:** Discreetly monitors users and computers with a focus on Device Control and file tracing. 
Does not apply to Content Aware Protection. + + > **NOTE:** All activity is allowed, so there are no disruptions to daily user activities. + + - **System tray icon** is not displayed. + - **System tray notifications** are not displayed. + - All activity is allowed, regardless of authorization. + - File shadowing and file tracing are enabled to monitor all user activity. + - Administrator receives alerts for all activities. + +4. **Panic:** Should be used in extreme situations when malicious intent or activity is detected. Does not apply to Content Aware Protection. + + > **RECOMMENDED:** Use this mode for selected users, groups, or computers only, as it will block all devices and generate a high volume of logs. + + - **System tray icon** is displayed. + - **System tray notifications** are displayed. + - All devices are blocked, except: + - Keyboards (blocked when a third is connected or after 48 hours). + - Wi-Fi connections (not blocked). + - Bluetooth devices (remain operational). + - USB modems (not blocked). + - File shadowing and file tracing are enabled to monitor all user activity. + - Administrator receives alerts when computers enter or exit Panic mode. + +5. **Hidden Icon:** Similar to Normal mode, but the Netwrix Endpoint Protector Client is not visible to the user. Does not apply to Content Aware Protection. + - **System tray icon** is not displayed. + - **System tray notifications** are not displayed. + - All rights and settings are applied as configured. + +6. **Silent:** Similar to Normal mode, but pop-up notifications are not visible to the user. + - **System tray icon** is displayed. + - **System tray notifications** are not displayed. + - All rights and settings are applied as configured. + +For more information about Modes, please refer to this documentation: Netwrix Endpoint Protector Client Modes Documentation + +## Recommendations + +- Modes 1-3 cover most typical use cases. 
+- Contact the support department before setting agents to Transparent, Stealth, or Panic modes, as these are intended for very specific situations. + +## Related Links + +- Netwrix Endpoint Protector Client Modes Documentation diff --git a/docs/kb/endpointprotector/client_integrity_fail_events.md b/docs/kb/endpointprotector/client_integrity_fail_events.md new file mode 100644 index 0000000000..c0998374e5 --- /dev/null +++ b/docs/kb/endpointprotector/client_integrity_fail_events.md @@ -0,0 +1,32 @@ +--- +description: >- + This article explains the meaning of client integrity fail events and outlines their potential causes. +keywords: + - client integrity fail + - Endpoint Protector + - event causes +sidebar_label: Client Integrity Fail Events +tags: [] +title: "Client Integrity Fail Events" +knowledge_article_id: kA0Qk0000002B4GKAU +products: + - endpoint-protector +--- + +# Client Integrity Fail Events + +## Question + +What do client integrity fail events mean? + +## Answer + +A client integrity fail event indicates that the Endpoint Protector client has encountered an issue that affects its integrity or operation. This type of event can have multiple causes, including: + +- Full disk access is required but not granted. +- The certificate was not imported into Keychain. +- The user did not allow the network extension. +- An installation file is missing. +- Bluetooth permissions were not granted. + +To see more information about what caused a client integrity fail event, navigate to the **Endpoint Protector console > Reports and Analysis > Logs Reports**. Enable the **File Name** and **File Type** columns from the **Show/Hide columns** section. \ No newline at end of file diff --git a/docs/kb/endpointprotector/configure-session-timeout-in-the-administration-interface.md b/docs/kb/endpointprotector/configure-session-timeout-in-the-administration-interface.md new file mode 100644 index 0000000000..b0437c4503 --- /dev/null 
+++ b/docs/kb/endpointprotector/configure-session-timeout-in-the-administration-interface.md @@ -0,0 +1,35 @@ +--- +description: >- + Shows how to configure the session timeout for the Management User Interface + in Endpoint Protector. In versions before `5.7.0.0` the timeout is fixed at + `15 minutes`; in `5.7.0.0` and later you can set the timeout to any value + between `5` and `60` minutes. +keywords: + - endpoint protector + - session timeout + - Management User Interface + - Session Settings + - System Configuration + - Administration Interface + - timeout + - 5-60 minutes +products: + - endpoint-protector +sidebar_label: Configure Session Timeout in the Administration In +tags: [] +title: "Configure Session Timeout in the Administration Interface" +knowledge_article_id: kA0Qk0000002B7WKAU +--- + +# Configure Session Timeout in the Administration Interface + +## Overview + +This article explains how to configure the session timeout for the Management User Interface in Endpoint Protector. In earlier versions, the timeout is fixed at `15 minutes`. In version `5.7.0.0` and later, you can set the timeout to any value from `5` to `60` minutes. + +## Instructions + +1. Navigate to **System Configuration > System Settings** in the Administration Interface. +2. Scroll down to the **Session Settings** section. +3. Set the **Session Timeout (min)** to a value between `5` and `60`. +4. Click **Save** to apply the changes. diff --git a/docs/kb/endpointprotector/configure-session-timeout-settings-for-the-administration-interface.md b/docs/kb/endpointprotector/configure-session-timeout-settings-for-the-administration-interface.md new file mode 100644 index 0000000000..c2e46f6a2b --- /dev/null +++ b/docs/kb/endpointprotector/configure-session-timeout-settings-for-the-administration-interface.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Configure session timeout settings for the Netwrix Endpoint Protector + administration interface to control how long user sessions remain active and + to set the timeout warning behavior for inactive sessions. +keywords: + - session timeout + - Netwrix Endpoint Protector + - administration interface + - session settings + - timeout counter + - management console + - security + - idle logout +products: + - endpoint-protector +sidebar_label: Configure Session Timeout Settings for the Adminis +tags: [] +title: "Configure Session Timeout Settings for the Administration Interface" +knowledge_article_id: kA0Qk0000002BDxKAM +--- + +# Configure Session Timeout Settings for the Administration Interface + +## Overview + +Netwrix Endpoint Protector Server includes a session timeout feature for the Administration Interface to enhance security. You can configure session timeout settings to control how long a user session remains active during periods of inactivity. These settings help protect the management console from unauthorized access due to unattended sessions and complement other system security features, such as role-based access controls. + +## Instructions + +1. Go to **System Configuration** > **System Settings** > **Session Settings** in the Netwrix Endpoint Protector Management Console. + ![Session Settings in System Configuration of Endpoint Protector](./images/ka0Qk000000ESnd_0EMQk00000C7Bfn.png) + +2. Modify the session timeout settings as needed: + - **Session Timeout**: Set the amount of time (between `5` and `60` minutes) a user can be inactive before the session expires. + - **Timeout Counter**: Set the countdown duration (between `5` seconds and one minute less than the Session Timeout) for the session timeout warning. 
+ +> **NOTE:** If **Session Timeout** is set to `5` minutes and **Timeout Counter** is set to `60` seconds, after `4` minutes of inactivity a pop-up window will notify you that you will be logged out in `60` seconds. + +3. If no activity occurs during the countdown, Netwrix Endpoint Protector displays a message indicating the session will expire. You can choose to log out or continue your session, which resets the session timeout interval. + ![Session expiration warning in Endpoint Protector Management Console](./images/ka0Qk000000ESnd_0EMQk00000C7LTp.png) diff --git a/docs/kb/endpointprotector/configure_content_aware_policy_priorities.md b/docs/kb/endpointprotector/configure_content_aware_policy_priorities.md new file mode 100644 index 0000000000..0cb36d8aa8 --- /dev/null +++ b/docs/kb/endpointprotector/configure_content_aware_policy_priorities.md 
@@ -0,0 +1,36 @@ +--- +description: >- + This article explains how to configure priorities for content aware policies in Endpoint Protector, ensuring the correct enforcement of rules for sensitive content detection. +keywords: + - content aware policies + - Endpoint Protector + - file transfer management +sidebar_label: Configure Content Aware Policy Priorities +tags: [] +title: "Configure Content Aware Policy Priorities" +knowledge_article_id: kA0Qk0000002B4DKAU +products: + - endpointprotector +--- + +# Configure Content Aware Policy Priorities + +## Overview + +This article explains how to configure priorities for **content aware policies** (CAP) in Endpoint Protector. Content Aware Policies are sets of rules for sensitive content detection that enforce file transfer management on selected entities such as users, computers, groups, or departments. Prioritizing these policies helps determine which policy is enforced when multiple policies apply to the same file transfer event. + +## Instructions + +1. In the Endpoint Protector console, navigate to **Content Aware Protection** > **Content Aware Policies**. + +2. To change the priority of a policy, use the left and right arrows to move the policy in the list: + - The leftmost policy has the highest priority (Priority 1). + - The rightmost policy has the lowest priority. + - Click the left arrow to increase a policy's priority. + - Click the right arrow to decrease a policy's priority. + +3. You can also edit policy priority by double-clicking on a policy listed in the Priority column. + +> **NOTE:** One or more Content Aware Policies can be enforced on the same computer, user, group, or department. To avoid conflicts between applied rules, use prioritization to determine which policy is enforced when there is a conflict. In the current Endpoint Protector implementation, there is no guarantee in which order **Block** CAP policies will trigger. Policies are evaluated simultaneously (not sequentially) against a file. 
When a conflict is encountered (for example, one policy only reports a PII and another blocks the PII), Endpoint Protector will apply the policy with the higher priority. + +You can find more information in the [Policy Configuration and Application](/docs/endpointprotector/5.9.4.2/admin/contentawareprotection/cappolicies) documentation. \ No newline at end of file diff --git a/docs/kb/endpointprotector/configuring-rights-for-outside-hours-and-outside-network.md b/docs/kb/endpointprotector/configuring-rights-for-outside-hours-and-outside-network.md new file mode 100644 index 0000000000..7882313730 --- /dev/null +++ b/docs/kb/endpointprotector/configuring-rights-for-outside-hours-and-outside-network.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Step-by-step instructions to configure rights for Outside Hours and Outside + Network in Netwrix Endpoint Protector, including how to enable policies, set + working hours, define DNS settings, and configure fallback rights. +keywords: + - Outside Hours + - Outside Network + - Netwrix Endpoint Protector + - device control + - fallback policies + - DNS + - Content Aware Policies + - working hours +products: + - endpoint-protector +sidebar_label: Configuring Rights for Outside Hours and Outside N +tags: [] +title: "Configuring Rights for Outside Hours and Outside Network" +knowledge_article_id: kA0Qk0000002B6ZKAU +--- + +# Configuring Rights for Outside Hours and Outside Network + +## Overview +This article explains how you configure rights for Outside Hours and Outside Network in Netwrix Endpoint Protector. These settings allow you to define different device and content access rights based on time and network conditions. + +## Instructions +1. In the Netwrix Endpoint Protector Console, navigate to **Device Control** and select your configuration level: + - Global: **Global Settings** > **Outside Hours and Outside Network**. + - Computer, User, or Group: **Computer**/**User**/**Group Settings** > **Manage Settings**. +2. To configure the **Outside Hours policies**, enable the **Outside Hours** setting, then set the **Working Days**, **Business Hours Start Time**, and **End Time**. +3. To configure **Outside Network policies**, enable the **Outside Network** setting, then add the **DNS Fully Qualified Domain Name** and **DNS IP Addresses**. +4. Set fallback device type rights as needed by configuring fallback rights globally, or per group, user, or computer. +5. For **Content Aware Policies**, select the **Outside Network** and **Outside Hours** policy types as required. + +> **IMPORTANT:** When triggered, fallback policies supersede the standard device rights. 
For fallback policies, **Outside Network Policies** take precedence over **Outside Hours Policies**. diff --git a/docs/kb/endpointprotector/content-aware-policy-configuration.md b/docs/kb/endpointprotector/content-aware-policy-configuration.md new file mode 100644 index 0000000000..4de0842bba --- /dev/null +++ b/docs/kb/endpointprotector/content-aware-policy-configuration.md 
@@ -0,0 +1,78 @@ +--- +description: >- + Explains how to create and configure Content Aware Policies to detect + sensitive content, set thresholds, and control data exit points across + operating systems. +keywords: + - content aware + - policy + - data protection + - thresholds + - exit points + - file transfers + - DPI + - clipboard + - OneDrive + - printers +products: + - endpoint-protector +sidebar_label: Content Aware Policy Configuration +tags: [] +title: "Content Aware Policy Configuration" +knowledge_article_id: kA0Qk0000002BCYKA2 +--- + +# Content Aware Policy Configuration + +## Overview + +Content Aware Policies are rules for sensitive content detection that manage file transfers for users, computers, groups, or departments. You can create, edit, or delete policies, or apply predefined policies to address your organization’s data protection needs. Policies can be prioritized, and multiple policies can be enforced on the same entity. + +> **NOTE:** Content Aware Policies also apply to the File Allowlist. All files previously allowed will now be inspected for sensitive content and, depending on the policy configuration, either reported, blocked, or allowed. + +## Policy Information and Configuration + +When creating a Content Aware Policy, provide the following information: + +- **OS Type:** Select the operating system (Windows, macOS, or Linux). +- **Policy Name:** Enter a name for the policy. +- **Policy Description:** Enter a description for the policy. +- **Policy Action:** Choose one of the following: + - **Block & Report** – Deny and report sensitive content transfers. + - **Report only** – Allow transfers but report sensitive content. + - **Block only** – Deny transfers without reporting. + - **Block and Remediate** – Deny transfers but allow user remediation with justification. +- **Policy Type:** Standard, Outside Hours, or Outside Network. +- **Policy Template:** Select or create a custom notification template. 
+- **Policy Status:** Enable to activate the policy. +- **Client Notifications:** Enable to send notifications to clients. +- **Global Thresholds:** Enable or disable global thresholding. +- **Threat Threshold:** Set the maximum allowed content violations for a file transfer. +- **File Size Threshold:** Set the file size (in MB) for blocking or reporting transfers. + +> **NOTE:** If a File Size Threshold is set, it applies to the entire policy, regardless of file types or custom content. The value must be a positive, whole number. For best results, start with the **Report only** action to monitor data use without interrupting activity. To enforce Outside Hours or Outside Network options, enable the setting on the specific device after saving the policy. + +## Thresholds and Use Cases + +- **Regular Threshold:** Applies to individual content types (e.g., blocks four or more SSNs). +- **Global Threshold:** Applies to combined threats (e.g., blocks four or more threats of different types). +- **Best Practice:** Place **Block & Report** policies with thresholds at higher priority than **Report Only** policies. + +## Policy Exit Points + +Policy Exit Points allow you to monitor and control the transfer of sensitive data across various platforms and channels: + +- **Applications:** Web browsers, email clients, instant messaging, cloud/file sharing, social media, and others. +- **Storage Devices:** Monitor transfers to custom classes or all storage devices. For Windows, file transfers are monitored both to and from removable media. +- **Clipboard:** Monitor content captured through copy, cut, and paste operations. Applies to confidential content defined in the policy. Copy operations are always monitored; paste restrictions can be extended to specific applications. +- **Additional Exit Points:** Network shares, thin clients, print screen, and printers. 
+ +> **NOTE:** When printers are enabled as an exit point, also enable the **Advanced Printer** and **MTP Scanning** options in Settings (Global, Groups, Computers, etc.). + +## Limitations and Special Cases + +- **Universal Windows Platform applications** (e.g., Windows 10 Mail) run in isolated environments, limiting add-on use and blocking by Content Aware policies. +- **Linux:** Paste functionality is limited to Xorg GNOME sessions. On Wayland, content blocking occurs during copy operations. Snap-based applications may affect file event detection. +- **Adobe Flash:** Select Adobe Flash Player from the Web Browser category to block sites using Adobe Flash Active X. +- **OneDrive for Business:** Enable Deep Packet Inspection (DPI) to distinguish from OneDrive. +- **Block CD/DVD Burning:** Available only for Windows, for both built-in and third-party burning features. diff --git a/docs/kb/endpointprotector/content_aware_protection_tab_missing.md b/docs/kb/endpointprotector/content_aware_protection_tab_missing.md new file mode 100644 index 0000000000..a7d7fc7b69 --- /dev/null +++ b/docs/kb/endpointprotector/content_aware_protection_tab_missing.md 
@@ -0,0 +1,31 @@ +--- +description: >- + This article explains why the Content Aware Protection (CAP) tab may be missing from the Endpoint Protector Console and provides troubleshooting steps. +keywords: + - Content Aware Protection + - Endpoint Protector + - CAP tab +sidebar_label: CAP Tab Missing +tags: [] +title: "Content Aware Protection Tab Missing" +knowledge_article_id: kA0Qk0000002B70KAE +products: + - endpoint-protector +--- + +# Content Aware Protection Tab Missing + +## Question + +Why is the Content Aware Protection (CAP) tab missing from the Endpoint Protector Console? + +## Answer + +The CAP tab will be absent from the console if the machine or user is not assigned to any CAP policies. + +If the machine or user is assigned to at least one CAP policy but the CAP tab is still missing from the console, verify that the client can communicate with the server. For example, check the **Last Seen** field in the server user interface under **Device Control > Computers**. + +You can also check the client connection status from the agent's **Settings** tab by pressing the following keyboard shortcuts: + +- On Windows: **CTRL + ALT + I** +- On macOS: **Command + Option + I** \ No newline at end of file diff --git a/docs/kb/endpointprotector/create_a_system_backup_v2.md b/docs/kb/endpointprotector/create_a_system_backup_v2.md new file mode 100644 index 0000000000..b5c9221d7f --- /dev/null +++ b/docs/kb/endpointprotector/create_a_system_backup_v2.md 
@@ -0,0 +1,33 @@ +--- +description: >- + This article outlines the steps to create a backup of all settings, rights, policies, and integrations for disaster recovery or migration purposes. +keywords: + - system backup + - disaster recovery + - migration +sidebar_label: Create a System Backup +tags: [] +title: "Create a System Backup V2" +knowledge_article_id: kA0Qk0000002B6gKAE +products: + - endpoint-protector +--- + +# Create a System Backup V2 + +## Overview + +This article outlines how to create a backup of all settings, rights, policies, and integrations. Creating a system backup is recommended for disaster recovery or when migrating to a new appliance. + +## Instructions + +1. Open the **Endpoint Protector Console** and navigate to **System Maintenance > System Backup V2**. +2. Click **Create** to begin the backup process. +3. Enter a backup name and a description for the backup, then click **Save**. +4. After saving, a pop-up will display the backup key. Record and take note of this key because it is required for importing the backup. +5. The backup will appear in the list and begin running. Once complete, download the backup locally for safekeeping. + +## Related Links + +- [System Backup V2](/docs/endpointprotector/5.9.4.2/admin/systemmaintenance/backup) +- [How to Perform a Backup Restore](/docs/kb/endpointprotector/how_to_perform_a_backup_restore) \ No newline at end of file diff --git a/docs/kb/endpointprotector/create_exceptions_for_specific_file_extensions.md b/docs/kb/endpointprotector/create_exceptions_for_specific_file_extensions.md new file mode 100644 index 0000000000..1604db9715 --- /dev/null +++ b/docs/kb/endpointprotector/create_exceptions_for_specific_file_extensions.md 
@@ -0,0 +1,28 @@ +--- +description: >- + This article explains how to exclude specific file extensions from being traced, scanned, or shadowed in Endpoint Protector. +keywords: + - Endpoint Protector + - file extensions + - Device Control +sidebar_label: Create Exceptions for File Extensions +tags: [] +title: "Create Exceptions for Specific File Extensions" +knowledge_article_id: kA0Qk0000002B7FKAU +products: + - endpoint-protector +--- + +# Create Exceptions for Specific File Extensions + +## Overview + +This article explains how to exclude specific file extensions from being traced, scanned, or shadowed in Endpoint Protector. Creating exceptions for certain file types can help you manage which files are monitored by **Device Control** policies. + +## Instructions + +1. In the **Endpoint Protector Management Console**, go to **Device Control** > **Global Settings**. +2. Locate the **File Tracing and Shadowing** section. +3. For each action (tracing, scanning, or shadowing), find the **Exclude Extensions** field. +4. Enter the file extensions you want to exclude (for example, `.mp3;.exe;`) in the respective field. +5. Click **Save** to apply the changes. \ No newline at end of file diff --git a/docs/kb/endpointprotector/creating-ediscovery-policies-and-scans.md b/docs/kb/endpointprotector/creating-ediscovery-policies-and-scans.md new file mode 100644 index 0000000000..964983555c --- /dev/null +++ b/docs/kb/endpointprotector/creating-ediscovery-policies-and-scans.md 
@@ -0,0 +1,44 @@ +--- +description: >- + This article explains how to create custom eDiscovery policies and manage + scans in Netwrix Endpoint Protector, including how to define scan types, + configure scan intervals, and review scan results. +keywords: + - eDiscovery + - policies + - scans + - Netwrix Endpoint Protector + - agents + - scan interval + - manual scanning + - automatic scanning + - clean scan + - incremental scan +products: + - endpoint-protector +sidebar_label: Creating eDiscovery Policies and Scans +tags: [] +title: "Creating eDiscovery Policies and Scans" +knowledge_article_id: kA0Qk0000002BCiKAM +--- + +# Creating eDiscovery Policies and Scans + +## Overview + +This article explains how to create custom eDiscovery policies and manage scans in Netwrix Endpoint Protector. You can define scan types, configure scan intervals, and review scan results using the eDiscovery module. + +## Instructions + +1. In the Netwrix Endpoint Protector Console, navigate to **eDiscovery** > **Policies and Scans** and click the **Create Custom Policy** button. + ![Create Custom Policy button in eDiscovery Policies and Scans](./images/ka0Qk000000Eb9N_0EMQk00000CAPJB.png) + +2. Choose the OS type, provide a policy name, select items of focus and click **Save**. + +3. After agents are deployed, a section for defined scans will appear under **Policies and Scans**. + +4. Select a defined scan to configure scanning options: + - Choose **Manual Scanning** or **Automatic Scanning**. If **Automatic Scanning** is selected, configure the scan interval in the window that appears. + - Select either a **clean scan** for a full assessment or an **incremental scan** which is recommended after an initial clean scan. + +5. When scan results are available, choose the **Action** to **Inspect found items** or navigate to the **Scan Results and Actions** section within the eDiscovery expansion tree in the Management Console. 
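Review bot: Step 2 of creating-ediscovery-policies-and-scans.md tells the reader to "select items of focus" without saying what those items are or where they appear in the policy form; name the field or list the choices. Step 3 states a precondition ("After agents are deployed") in the middle of the procedure; move it to a prerequisites line before step 1, since the defined scans that step 4 depends on only appear once agents are deployed.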
diff --git a/docs/kb/endpointprotector/deploy-the-client-on-macos-through-intune-with-full-disk-access.md b/docs/kb/endpointprotector/deploy-the-client-on-macos-through-intune-with-full-disk-access.md new file mode 100644 index 0000000000..08361d60c8 --- /dev/null +++ b/docs/kb/endpointprotector/deploy-the-client-on-macos-through-intune-with-full-disk-access.md @@ -0,0 +1,40 @@ +--- +description: >- + This article explains how to deploy the Netwrix Endpoint Protector client on + macOS using Intune and how to configure full disk access for the client. +keywords: + - macOS + - Intune + - full disk access + - Netwrix Endpoint Protector + - system extension + - device restrictions + - privacy preferences + - MDM +products: + - endpoint-protector +sidebar_label: Deploy the Client on macOS Through Intune With Ful +tags: [] +title: "Deploy the Client on macOS Through Intune With Full Disk Access" +knowledge_article_id: kA0Qk0000002B2oKAE +--- + +# Deploy the Client on macOS Through Intune With Full Disk Access + +## Overview + +This article explains how to deploy the Netwrix Endpoint Protector client on macOS using Intune and configure full disk access for the client. + +## Instructions + +1. Refer to the official Intune documentation to ensure you are familiar with the deployment procedures and requirements. +2. Follow the steps in this documentation to deploy the client on macOS through Intune and enable full disk access: + + Deploying the Client on macOS Using Intune – Netwrix Help Center 🤝 + +3. To add the system extension in Intune, perform the following steps: + + I. Select **Devices** > **macOS** > **Configuration profiles** > **Create profile**. + II. Select the profile type as **Templates** and choose **Device restrictions** as the template name. + III. Complete the basics and go to configuration settings. + IV. Select **Privacy preferences** to configure full disk access. 
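Review bot: Step 2 of deploy-the-client-on-macos-through-intune-with-full-disk-access.md says to "Follow the steps in this documentation", but the line under it ("Deploying the Client on macOS Using Intune – Netwrix Help Center 🤝") is plain text with a stray emoji and no URL, so there is nothing to follow; make it a Markdown link. Step 3 is introduced as adding the system extension, yet sub-steps I to IV create a Device restrictions profile and configure Privacy preferences for full disk access, so either the lead-in or the sub-steps need correcting. The "I.", "II." markers are not Markdown list markers and will not render as a nested list; use a numbered sub-list. The `sidebar_label` is also cut off at "With Ful".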
diff --git a/docs/kb/endpointprotector/deploy_clients_via_group_policy.md b/docs/kb/endpointprotector/deploy_clients_via_group_policy.md new file mode 100644 index 0000000000..8d5442a3a7 --- /dev/null +++ b/docs/kb/endpointprotector/deploy_clients_via_group_policy.md 
@@ -0,0 +1,79 @@ +--- +description: >- + This article explains how to deploy Endpoint Protector client software to Windows computers using Active Directory Group Policy Objects (GPO). +keywords: + - Endpoint Protector + - Group Policy + - deployment +sidebar_label: Deploy Clients via GPO +tags: [] +title: "Deploy Clients via Group Policy" +knowledge_article_id: kA0Qk0000002B6KKAU +products: + - endpoint-protector +--- + +# Deploy Clients via Group Policy + +## Overview + +This article explains how to deploy Endpoint Protector client software to Windows computers using Active Directory Group Policy Objects (GPO). The Endpoint Protector client is provided as a Microsoft Installer (`.msi`) file, available in both 32-bit and 64-bit versions. You will create separate GPOs for each installer and use Windows Management Instrumentation (WMI) filters to target the correct operating system architecture. This method allows for automated, large-scale deployment across your organization. + +## Instructions + +### Prepare the Endpoint Protector Client Installers + +1. Obtain both the 32-bit and 64-bit Endpoint Protector client `.msi` installer files. +2. Place each installer in a network share that is accessible by all target computers in your Active Directory environment. + +### Create WMI Filters for OS Architecture + +1. Open the **Group Policy Management** console. +2. Expand **Domains** and your domain tree. +3. Right-click **WMI Filters** and select **New**. +4. In the New WMI Filter window, create two filters: + - **32-bit Operating System:** + ```sql + Select * from Win32_Processor where AddressWidth = '32' + ``` + - **64-bit Operating System:** + ```sql + Select * from Win32_Processor where AddressWidth = '64' + ``` +5. Optionally, add additional queries to target specific operating systems or computer types. 
For example: + - **Windows 10 Workstation:** + ```sql + SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10%" AND ProductType="1" + ``` + - **Windows Server 2019:** + ```sql + SELECT * FROM Win32_OperatingSystem WHERE BuildNumber >= 17763 AND (ProductType="3" OR ProductType="2") + ``` + +### Create Deployment GPOs + +1. In the **Group Policy Management** console, right-click **Group Policy Objects** and select **New**. +2. Name the first GPO (for example, **Endpoint Protector 32-bit**). +3. Right-click the new GPO and select **Edit**. +4. Expand **Computer Configuration** > **Software Settings**. +5. Right-click **Software Installation** and select **New** > **Package**. +6. Browse to the appropriate `.msi` file on your network share and select it. +7. Repeat these steps to create a second GPO for the 64-bit installer (for example, **Endpoint Protector 64-bit**). + +> **NOTE:** The `.msi` files must be located in a shared folder accessible by all target computers. + +### Link WMI Filters to GPOs + +1. In the **Group Policy Management** console, select the **Endpoint Protector 32-bit** GPO. +2. In the **WMI Filtering** section, select the 32-bit Windows filter you created earlier. +3. Repeat this process for the **Endpoint Protector 64-bit** GPO, selecting the 64-bit Windows filter. + +### Link GPOs to OUs + +1. Right-click the target OU and select **Link an Existing GPO**. +2. Select the **Endpoint Protector 32-bit** GPO and click **OK**. +3. Repeat for the **Endpoint Protector 64-bit** GPO. + +> **NOTE:** The new policies will be applied only after the target computers are rebooted. + +For more information, see the [Endpoint Protector User Manual](/docs/endpointprotector/5.9.4.2/admin/overview). \ No newline at end of file diff --git a/docs/kb/endpointprotector/deploying-endpoint-protector-agents.md b/docs/kb/endpointprotector/deploying-endpoint-protector-agents.md new file mode 100644 index 0000000000..3e70aa0d5f --- /dev/null 
+++ b/docs/kb/endpointprotector/deploying-endpoint-protector-agents.md @@ -0,0 +1,39 @@ +--- +description: >- + This article explains how to deploy Endpoint Protector agents to endpoint + systems and provides platform-specific steps, including macOS Full Disk Access + configuration. +keywords: + - endpoint protector + - agent deployment + - client software + - macOS Full Disk Access + - Windows add-ons + - management console + - blocking policy +products: + - endpoint-protector +sidebar_label: Deploying Endpoint Protector Agents +tags: [] +title: "Deploying Endpoint Protector Agents" +knowledge_article_id: kA0Qk0000002BCeKAM +--- + +# Deploying Endpoint Protector Agents + +## Overview + +This article explains how to deploy Endpoint Protector agents to endpoint systems. You should deploy agents before modifying policies to perform blocking. This approach allows you to identify any system variables that may require allowances and gives you an opportunity for end-user feedback. + +## Instructions + +1. Retrieve the Endpoint Protector Client package(s) from the Endpoint Protector Management Console under **System Configuration** > **Client Software**. + ![Client Software section in Endpoint Protector Management Console](./images/ka0Qk000000ESMD_0EMQk00000C8gT0.png) + +2. For Windows, select the add-ons that align with your blocking strategy. You can choose any combination of add-ons, or none at all. + +3. Download the package and begin deployment using your preferred deployment tool. + +4. For macOS installations, provide Full Disk Access after installation: + I. Navigate to **System Preferences** > **Security & Privacy** > **Privacy** tab > **Full Disk Access**. + II. Locate the **Endpoint Protector Client**, check the application, and save the changes. 
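Review bot: In step 4 of deploying-endpoint-protector-agents.md the sub-steps are marked "I." and "II.", which Markdown does not parse as list items, so they will run into the step 4 paragraph; use a nested `1.`/`2.` list. The path **System Preferences** > **Security & Privacy** also needs a version scope, because macOS 13 and later name this location System Settings > Privacy & Security. Since Full Disk Access is what lets the client inspect files, consider pointing to the Intune article added in this patch for fleets where the permission is granted by MDM profile rather than by hand.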
diff --git a/docs/kb/endpointprotector/destination_details_tab_is_missing_in_the_reports_and_analysis_section.md b/docs/kb/endpointprotector/destination_details_tab_is_missing_in_the_reports_and_analysis_section.md new file mode 100644 index 0000000000..24880b68a8 --- /dev/null +++ b/docs/kb/endpointprotector/destination_details_tab_is_missing_in_the_reports_and_analysis_section.md @@ -0,0 +1,34 @@ +--- +description: >- + This article explains why the Destination Details tab may be missing in the Reports and Analysis section of the Endpoint Protector Console and how to resolve the issue. +keywords: + - Destination Details tab + - Reports and Analysis + - Endpoint Protector Console +sidebar_label: Missing Destination Details Tab +tags: [] +title: "Destination Details Tab Is Missing in the Reports and Analysis Section" +knowledge_article_id: kA0Qk0000002B4HKAU +products: + - endpoint-protector +--- + +# Destination Details Tab Is Missing in the Reports and Analysis Section + +## Question + +Why is the Destination Details tab missing in the Reports and Analysis section? + +## Answer + +The **Destination Details** tab, which lists the website where a monitored file was uploaded, may be missing from the **Reports and Analysis** section in the **Endpoint Protector Console**. + +![Missing Destination Details tab](./images/servlet_image_1a8a53e40ad6.png) + +If the **Destination Details** tab is missing, enable the **Reporting V2** setting in **System Configuration** > **System Settings**. + +![Enable Reporting V2 setting](./images/servlet_image_055f8013da42.png) + +After enabling **Reporting V2**, the **Destination Details** field will be selectable and viewable in the Reports and Analysis section. + +> **NOTE:** The **Reporting V2** setting should always be enabled, as it provides enhanced features compared to Reporting V1. \ No newline at end of file 
diff --git a/docs/kb/endpointprotector/determine-the-recommended-number-of-endpoints-for-file-tracing-and-file-shadowing.md b/docs/kb/endpointprotector/determine-the-recommended-number-of-endpoints-for-file-tracing-and-file-shadowing.md new file mode 100644 index 0000000000..98d39645cf --- /dev/null +++ b/docs/kb/endpointprotector/determine-the-recommended-number-of-endpoints-for-file-tracing-and-file-shadowing.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Explains the recommended number of endpoints for enabling File Tracing and + File Shadowing and how to avoid appliance performance issues caused by + excessive log data. +keywords: + - File Tracing + - File Shadowing + - endpoints + - appliance performance + - endpoint capacity + - logs + - Netwrix Help Center +products: + - endpoint-protector +sidebar_label: "Determine the Recommended Number of Endpoints for File Tracing and File Shadowing" +tags: [] +title: "Determine the Recommended Number of Endpoints for File Tracing and File Shadowing" +knowledge_article_id: kA0Qk0000002BCVKA2 +--- + +# Determine the Recommended Number of Endpoints for File Tracing and File Shadowing + +## Question +How many computers can you enable File Tracing and File Shadowing for? + +## Answer +The maximum number of endpoints for which you can enable File Tracing and File Shadowing is not limited in the Administration Interface. However, enabling this feature for too many endpoints can significantly impact appliance performance due to the volume of logs generated. + +- You should enable File Tracing and File Shadowing for up to `15%` of your appliance’s total endpoint capacity to maintain optimal performance. +- Enabling these features for more than `15%` of endpoints, or for all endpoints, may cause your appliance to slow down or become unresponsive due to excessive log data. +- You can further optimize performance by adjusting settings such as the maximum file size for File Tracing and File Shadowing. + +If you have questions about optimizing this feature or experience performance issues, contact Netwrix Technical Support by opening a support ticket on the [Netwrix Help Center](https://www.netwrix.com/support.html). diff --git a/docs/kb/endpointprotector/device-control-sections-overview.md b/docs/kb/endpointprotector/device-control-sections-overview.md new file mode 100644 index 0000000000..a2550259d9 --- /dev/null 
+++ b/docs/kb/endpointprotector/device-control-sections-overview.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Describes the sections within the Device Control module of Netwrix Endpoint + Protector and explains how to manage devices, computers, users, groups, global + settings, and custom device classes. +keywords: + - device control + - Netwrix Endpoint Protector + - device management + - global settings + - custom classes + - computers + - users + - groups + - device inventory +products: + - endpoint-protector +sidebar_label: Device Control Sections Overview +tags: [] +title: "Device Control Sections Overview" +knowledge_article_id: kA0Qk0000002BCbKAM +--- + +# Device Control Sections Overview + +## Overview + +The Device Control module in Netwrix Endpoint Protector is organized into several sections, each providing specific management and monitoring capabilities for devices, computers, users, and groups within your environment. + +## Device Control Sections + +1. **Dashboard:** Offers an overview with graphics and charts related to Netwrix Endpoint Protector entities. You can select the start and end date for the data using the top-right calendars and view data in real time. + +2. **Devices:** View, sort, and export device lists in Excel, PDF, or CSV format. Use the **Actions** column to edit, manage rights, view device history, or delete a specific device. + +3. **Computers:** Filter, create, uninstall, or delete computers. Use the **Choose action** option to create a settings report, export a list of computers, or schedule an export. + +4. **Users:** Manage all users in the system. Users are defined as end-users logged on to computers with the Netwrix Endpoint Protector Client installed. New users are automatically added to the database for management. + +5. **Groups:** Manage all groups in the system. Grouping computers and users allows administrators to manage rights or settings for these entities more efficiently. + +6. 
**Global Rights:** Manage system-wide rights and settings that apply globally to all Netwrix Endpoint Protector entities. + +7. **Global Settings:** Apply settings globally to all Netwrix Endpoint Protector entities. + - If no granular settings are defined for a computer and it does not belong to a group, it will inherit these global settings. + - If the computer belongs to a group, it will inherit that group’s settings. + +8. **Custom Classes:** Create new classes of devices for easier management. This feature is especially useful for devices from the same vendor or product (same VID and/or PID). diff --git a/docs/kb/endpointprotector/does-endpoint-protector-inspect-content-sent-through-thunderbird.md b/docs/kb/endpointprotector/does-endpoint-protector-inspect-content-sent-through-thunderbird.md new file mode 100644 index 0000000000..f282ed140d --- /dev/null +++ b/docs/kb/endpointprotector/does-endpoint-protector-inspect-content-sent-through-thunderbird.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Explains whether Endpoint Protector can inspect email content sent through + Thunderbird and how Thunderbird version affects inspection capabilities. +keywords: + - endpoint-protector + - Thunderbird + - content inspection + - attachments + - Content Aware Protection + - email clients + - add-ons + - version 38.0 +products: + - endpoint-protector +sidebar_label: Does Endpoint Protector Inspect Content Sent Throu +tags: [] +title: "Does Endpoint Protector Inspect Content Sent Through Thunderbird?" +knowledge_article_id: kA0Qk0000002BCdKAM +--- + +# Does Endpoint Protector Inspect Content Sent Through Thunderbird? + +## Question +Does Endpoint Protector inspect content sent through Thunderbird? + +## Answer +For Thunderbird version `38.0` and earlier, you can inspect all email content, including the body, subject, sender, recipients, and attachments. For Thunderbird versions later than `38.0`, you can inspect file attachments only. + +Using the Content Aware Protection module, you can inspect content sent through various email clients, such as Outlook and Thunderbird. You can scan the email body, subject, sender, recipients, and create a file shadow of the body content, where supported. This functionality relies in part on email client add-ons. + +Thunderbird changed its add-on implementation policy after version `38.0`. As a result, you can only filter attachments in newer Thunderbird versions. + +> **NOTE:** To use the full content inspection features with Thunderbird, do not update beyond version `38.0`. diff --git a/docs/kb/endpointprotector/does_the_uninstall_attempt_event_confirm_agent_removal_from_the_client_machine.md b/docs/kb/endpointprotector/does_the_uninstall_attempt_event_confirm_agent_removal_from_the_client_machine.md new file mode 100644 index 0000000000..9bddd2a1eb --- /dev/null +++ b/docs/kb/endpointprotector/does_the_uninstall_attempt_event_confirm_agent_removal_from_the_client_machine.md 
@@ -0,0 +1,26 @@ +--- +description: >- + This article addresses whether the "Uninstall Attempt" event confirms the removal of the agent from the client machine. +keywords: + - Uninstall Attempt + - agent removal + - Endpoint Protector Server +products: + - endpoint-protector +sidebar_label: Uninstall Attempt Event Confirmation +tags: [] +title: Does the "Uninstall Attempt" Event Confirm Agent Removal from the Client Machine? +knowledge_article_id: kA0Qk0000002B2kKAE +--- + +# Does the "Uninstall Attempt" Event Confirm Agent Removal from the Client Machine? + +## Question + +Does the **Uninstall Attempt** event confirm that the agent was removed from the client machine? + +## Answer + +No, the **Uninstall Attempt** event does not confirm successful agent removal. There is no confirmation of the final result of an attempted agent removal because if the removal is successful, the agent is no longer present to communicate back to the Endpoint Protector Server. + +> **NOTE:** If the agent still "PINGs" the server after an **Uninstall Attempt** event, this indicates that the agent removal process failed. \ No newline at end of file diff --git a/docs/kb/endpointprotector/download-the-intune-mdm-deployment-guide.md b/docs/kb/endpointprotector/download-the-intune-mdm-deployment-guide.md new file mode 100644 index 0000000000..c5adcb4946 --- /dev/null +++ b/docs/kb/endpointprotector/download-the-intune-mdm-deployment-guide.md 
@@ -0,0 +1,38 @@ +--- +description: >- + Find and download the Intune MDM deployment guide for deploying Endpoint + Protector with Microsoft Intune. The guide provides detailed instructions and + a downloadable PDF. +keywords: + - Intune + - MDM + - deployment guide + - Endpoint Protector + - download + - PDF + - Netwrix Help Center + - Intune MDM +products: + - endpoint-protector +sidebar_label: Download the Intune MDM Deployment Guide +tags: [] +title: "Download the Intune MDM Deployment Guide" +knowledge_article_id: kA0Qk0000002B7QKAU +--- + +# Download the Intune MDM Deployment Guide + +## Question +Where can you download the Intune MDM deployment guide? + +## Answer +For detailed instructions on deploying with Intune MDM, refer to the following guide: + +Intune MDM Deployment Guide – Netwrix Help Center ✍🏽 + +To save the guide, follow these steps: + +1. Click the link above. +2. Click the **Save PDF** button on the right-hand side. + + diff --git a/docs/kb/endpointprotector/dpi-certificate-not-available-in-the-browser.md b/docs/kb/endpointprotector/dpi-certificate-not-available-in-the-browser.md new file mode 100644 index 0000000000..0f79404ecc --- /dev/null +++ b/docs/kb/endpointprotector/dpi-certificate-not-available-in-the-browser.md 
@@ -0,0 +1,39 @@ +--- +description: >- + The DPI certificate may not appear in the browser when no Content Aware + Policies (CAP) are applied. This article explains the cause and shows how to + configure CAP so the DPI certificate is deployed to monitored browsers and + applications. +keywords: + - DPI + - DPI certificate + - browser + - Content Aware Policies + - CAP + - Netwrix Endpoint Protector + - Device Control + - Content Aware Protection +products: + - endpoint-protector +sidebar_label: DPI Certificate Not Available in the Browser +tags: [] +title: "DPI Certificate Not Available in the Browser" +knowledge_article_id: kA0Qk0000002B60KAE +--- + +# DPI Certificate Not Available in the Browser + +## Symptom +The Deep Packet Inspection (DPI) certificate is not available in the web browser, even though DPI is enabled on the computer and no errors are reported. + +## Cause +This issue occurs when there are no Content Aware Policies (CAP) applied to the computer. The DPI certificate is only deployed and used if CAP policies are configured to monitor browsers or other applications controlled by DPI. + +## Resolution +1. Open the **Netwrix Endpoint Protector** management console. +2. In the left-side pane under **Device Control**, navigate to the **Content Aware Protection** section. +3. Review and configure your Content Aware Policies (CAP) as needed. + +For detailed information and step-by-step instructions on configuring Content Aware Policies (CAP), refer to the following documentation: + +- Configuring Content Aware Policies (CAP) diff --git a/docs/kb/endpointprotector/enable-deep-packet-inspection-for-instant-messaging-applications.md b/docs/kb/endpointprotector/enable-deep-packet-inspection-for-instant-messaging-applications.md new file mode 100644 index 0000000000..d2a56661f0 --- /dev/null +++ b/docs/kb/endpointprotector/enable-deep-packet-inspection-for-instant-messaging-applications.md 
@@ -0,0 +1,64 @@ +--- +description: >- + Learn how to enable Deep Packet Inspection (DPI) and configure text inspection + for instant messaging applications in Netwrix Endpoint Protector. +keywords: + - deep packet inspection + - DPI + - instant messaging + - text inspection + - Netwrix Endpoint Protector + - content aware protection + - Teams + - Slack +products: + - endpoint-protector +sidebar_label: Enable Deep Packet Inspection for Instant Messagin +tags: [] +title: "Enable Deep Packet Inspection for Instant Messaging Applications" +knowledge_article_id: kA0Qk0000002B2uKAE +--- + +# Enable Deep Packet Inspection for Instant Messaging Applications + +## Overview + +The Netwrix Endpoint Protector (EPP) Client can inspect text written in instant messaging applications by using Deep Packet Inspection (DPI). This article explains how to enable DPI and configure text inspection for supported instant messaging applications. + +## Instructions + +### Enable DPI Globally + +1. Go to **Device Control > Global Settings**. +2. Enable **Deep Packet Inspection**. +3. Save the setting. + +![Global Settings page with Deep Packet Inspection option highlighted](images/ka0Qk000000DzDl_0EMQk00000BuWJp.png) + +### Enable Text Inspection + +1. Go to **Content Aware Protection > Deep Packet Inspection**. +2. Enable **Text inspection**. +3. Save the setting. + +![Deep Packet Inspection settings with Text inspection enabled](images/ka0Qk000000DzDl_0EMQk00000BuWDN.png) + +### Enable DPI for Instant Messaging Applications + +1. Go to **Content Aware Protection > Deep Packet Inspection**. +2. Scroll to **Deep Packet Inspection Applications**. +3. Filter for the instant messaging applications you want to use with text inspection. Supported apps include Teams, Skype, Slack, Mattermost, and Google Chat. +4. Click the **Actions** button and select **Enable DPI** for each application. 
+ +![Deep Packet Inspection Applications list with Enable DPI action](images/ka0Qk000000DzDl_0EMQk00000BuWGb.png) + +> **NOTE:** You must enable DPI for each application on every operating system where the EPP Client is installed (Windows, macOS, Linux). + +### Configure Content Aware Policies for Instant Messaging Applications + +1. Go to **Content Aware Protection > Content Aware Policies**. +2. Create or edit a policy. +3. Select the instant messaging applications you want to monitor. +4. Save the policy. + +![Content Aware Policies configuration with instant messaging apps selected](images/ka0Qk000000DzDl_0EMQk00000BuWID.png) diff --git a/docs/kb/endpointprotector/enable-sensitive-data-protection.md b/docs/kb/endpointprotector/enable-sensitive-data-protection.md new file mode 100644 index 0000000000..678d8f83ea --- /dev/null +++ b/docs/kb/endpointprotector/enable-sensitive-data-protection.md 
@@ -0,0 +1,42 @@ +--- +description: >- + Learn how to enable Sensitive Data Protection on the Netwrix Endpoint + Protector (EPP) Server by setting an additional security password to protect + sensitive sections of the server. +keywords: + - sensitive data protection + - security password + - Endpoint Protector + - EPP + - system security + - reports protection + - system maintenance +products: + - endpoint-protector +sidebar_label: Enable Sensitive Data Protection +tags: [] +title: "Enable Sensitive Data Protection" +knowledge_article_id: kA0Qk0000002B5uKAE +--- + +# Enable Sensitive Data Protection + +## Overview + +This article explains how to enable sensitive data protection on the Netwrix Endpoint Protector (EPP) Server by setting a security password. This feature provides additional security for sensitive sections of the Netwrix Endpoint Protector (EPP). + +The security password protects the following sections of Netwrix Endpoint Protector (EPP): + +- **Reports and Analysis:** Logs Report, File Tracing, Content Aware Report, Admin Actions, Published Computers, Published Users, Published Devices, Statistics. +- **System Maintenance:** File Maintenance, System Backup. + +## Instructions + +Follow the steps below to complete this process: + +1. On the Netwrix Endpoint Protector (EPP) Server, navigate to **System Configuration** > **System Security**. +2. Under the section **Additional Security Password for Sensitive Data Protection**, enter a strong password in the **New Password** field. +3. Re-enter the chosen password in the **New Password (confirm)** field. +4. Click **Save** to apply the changes. + +![Screenshot showing the Additional Security Password for Sensitive Data Protection settings in Netwrix Endpoint Protector Server](./images/ka0Qk000000E7ZV_0EMQk00000C52IP.png) 
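Review bot: Step 2 of the Instructions tells the admin to "enter a strong password" in **New Password**, but the article never says what the server accepts or enforces, whether this password must differ from the administrator's login password, or how it is changed or recovered once set. Add a sentence for each, and say what happens to the listed **Reports and Analysis** and **System Maintenance** sections if the password is lost. The Overview also ends with "sensitive sections of the Netwrix Endpoint Protector (EPP)", which is missing its noun, and nothing states when the password is prompted for after **Save**.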
diff --git a/docs/kb/endpointprotector/enable_easylock_updates_and_file_shadowing_for_removable_drives.md b/docs/kb/endpointprotector/enable_easylock_updates_and_file_shadowing_for_removable_drives.md new file mode 100644 index 0000000000..1bf416b6ae --- /dev/null +++ b/docs/kb/endpointprotector/enable_easylock_updates_and_file_shadowing_for_removable_drives.md @@ -0,0 +1,34 @@ +--- +description: >- + This article explains how to enable EasyLock application updates and file shadowing for removable drives using the Endpoint Protector web console. +keywords: + - EasyLock + - Endpoint Protector + - file shadowing +sidebar_label: Enable EasyLock Updates +tags: [] +title: "Enable EasyLock Updates and File Shadowing for Removable Drives" +knowledge_article_id: kA0Qk0000002B11KAE +products: + - endpoint-protector +--- + +# Enable EasyLock Updates and File Shadowing for Removable Drives + +## Overview + +This article explains how to enable EasyLock application updates and file shadowing for removable drives using the Endpoint Protector web console. + +## Instructions + +### Enabling EasyLock Application Updates + +1. Open the **Endpoint Protector** web console. +2. Navigate to **Enforced Encryption** > **EasyLock**. +3. Under **Settings**, locate and enable the **Update** option. + +### Enabling File Shadowing for Removable Drives + +1. In the **Endpoint Protector** web console, navigate to **Device Control** > **Global Settings**. +2. Under **File Tracing and Shadowing**, enable both **File Tracing** and **File Shadowing**. +3. Go to **Enforced Encryption** > **EasyLock** and enable the **File Tracing** option. \ No newline at end of file diff --git a/docs/kb/endpointprotector/enable_full_disk_access_when_deploying_on_macos_using_kandji.md b/docs/kb/endpointprotector/enable_full_disk_access_when_deploying_on_macos_using_kandji.md new file mode 100644 index 0000000000..6550d6c404 --- /dev/null 
+++ b/docs/kb/endpointprotector/enable_full_disk_access_when_deploying_on_macos_using_kandji.md @@ -0,0 +1,32 @@ +--- +description: >- + This article explains how to resolve the issue where Full Disk Access is not enabled for Endpoint Protector after deploying the client on macOS using Kandji. +keywords: + - Full Disk Access + - Endpoint Protector + - Kandji +sidebar_label: Enable Full Disk Access on macOS +tags: [] +title: "Enable Full Disk Access When Deploying on macOS Using Kandji" +knowledge_article_id: kA0Qk0000002B16KAE +products: + - endpoint-protector +--- + +# Enable Full Disk Access When Deploying on macOS Using Kandji + +## Overview + +This article explains how to resolve the issue where Full Disk Access is not enabled for Endpoint Protector after deploying the client on macOS using Kandji. Incorrect configuration in the privacy settings, specifically in the Identifier and code requirements, can cause this issue. + +## Instructions + +1. After deploying Endpoint Protector through Kandji, check if Full Disk Access has been granted to Endpoint Protector on the target device. +2. If Full Disk Access is not granted, open Kandji and navigate to the **Privacy Settings** section for your Endpoint Protector deployment. +3. Review the configuration for the **Identifier** and **Code Requirements** fields. +4. Remove the identifier from the **Code Requirements** field. +5. Ensure that the code requirements match the deployment guide provided by Endpoint Protector. +6. Save your changes in Kandji. +7. Verify on the target device that Full Disk Access is now granted to Endpoint Protector. + +> **NOTE:** Deployment guides for other mobile device management (MDM) solutions are applicable to this deployment. For detailed instructions, refer to the [JAMF Deployment Guide](/docs/endpointprotector/5.9.4.2/install/agent/jamf/overview). \ No newline at end of file 
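Review bot: Steps 4 and 5 have the admin edit the **Code Requirements** field without showing the expected value. Step 4 says to remove the identifier from it and step 5 says to match "the deployment guide provided by Endpoint Protector", while the only link in the article is the JAMF guide in the closing NOTE. The code requirement is what ties the Full Disk Access grant to the signed client, so state the exact **Identifier** and **Code Requirements** values, or link straight to the section that lists them, rather than leaving it to trial and error. Steps 1 and 7 should also say where on the Mac to check the grant, the link hard-codes version `5.9.4.2` and will go stale, and the file lacks a trailing newline.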
diff --git a/docs/kb/endpointprotector/enable_two-factor_authentication_for_system_admins_with_google_authenticator_app.md b/docs/kb/endpointprotector/enable_two-factor_authentication_for_system_admins_with_google_authenticator_app.md new file mode 100644 index 0000000000..4d20cb97d5 --- /dev/null +++ b/docs/kb/endpointprotector/enable_two-factor_authentication_for_system_admins_with_google_authenticator_app.md 
@@ -0,0 +1,33 @@ +--- +description: >- + This article explains how to enable two-factor authentication (2FA) for system administrators using the Google Authenticator App in Endpoint Protector to enhance account security. +keywords: + - two-factor authentication + - Google Authenticator + - Endpoint Protector +sidebar_label: Enable 2FA for System Admins +tags: [] +title: "Enable Two-Factor Authentication for System Admins with Google Authenticator App" +knowledge_article_id: kA0Qk0000002B34KAE +products: + - endpoint-protector +--- + +# Enable Two-Factor Authentication for System Admins with Google Authenticator App + +## Overview + +This article explains how to enable two-factor authentication (2FA) for system administrators with the Google Authenticator App in Endpoint Protector to enhance account security. + +## Instructions + +1. Navigate to **System Configuration > System Administrators** in Endpoint Protector. +2. Find the system administrator and toggle the switch labeled **Two Factor Authenticator** to **On**. + +![Two Factor Authenticator toggle for system administrator in Endpoint Protector](./images/servlet_image_618265510504.png) + +3. Scan the **QR Code** with the **Google Authenticator app** or enter the provided code into the app to configure the authenticator app. +4. Enter the authentication code from the app into the **Google 2FA Validation** field in Endpoint Protector after importing the account. +5. Click **Validate** and then **Save** the changes for the system administrator. +6. Confirm the changes by locating the **Two-Factor Authentication activated successfully!** notification. The **2FA** column displays **Yes** to verify that the system administrator has two-factor authentication enabled. +7. Log out and log back in with the system administrator account for which you enabled two-factor authentication. After you enter the password, Endpoint Protector prompts for the authentication code before granting access to the server interface. 
\ No newline at end of file diff --git a/docs/kb/endpointprotector/enabling-advanced-printer-and-mtp-scanning.md b/docs/kb/endpointprotector/enabling-advanced-printer-and-mtp-scanning.md new file mode 100644 index 0000000000..34aae443e5 --- /dev/null +++ b/docs/kb/endpointprotector/enabling-advanced-printer-and-mtp-scanning.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Shows how to enable Advanced Printer and MTP Scanning in Netwrix Endpoint + Protector to improve Printer and MTP content-aware file tracing and shadowing, + reducing false positives for browser and application file transfers. +keywords: + - Advanced Printer and MTP Scanning + - File Tracing + - File Shadowing + - Netwrix Endpoint Protector + - MTP + - printers + - file transfers + - clients +products: + - endpoint-protector +visibility: public +sidebar_label: Enabling Advanced Printer and MTP Scanning +tags: [] +title: "Enabling Advanced Printer and MTP Scanning" +knowledge_article_id: kA0Qk0000002AxvKAE +--- + +# Enabling Advanced Printer and MTP Scanning + +## Overview + +Netwrix Endpoint Protector includes an improved method for Printer and MTP Content Aware Protection; File Tracing and File Shadowing has been added. This enhancement increases accuracy and reduces false positives for file transfers via browsers (Internet Explorer, Firefox, Chrome) and other applications. + +## Instructions + +1. In the Netwrix Endpoint Protector Console, navigate to **Device Control** > **Global Settings**, **Groups**, or **Computers** > **Manage Settings** > **File Tracing and Shadowing**. +2. Toggle the switch to enable **Advanced Printer and MTP Scanning**. +3. Click **Save** within the **File Tracing and Shadowing** section. + ![File Tracing and Shadowing settings with Advanced Printer and MTP Scanning option enabled](images/ka0Qk000000DsH7_0EMQk00000CB1Rh.png) +4. Save your changes and ensure the updated settings are deployed to Netwrix Endpoint Protector Clients by waiting for the clients to update their policies. +5. Restart the machines protected by Netwrix Endpoint Protector. + +> **NOTE:** This feature is only available for Windows. A computer restart is required each time this feature is enabled or disabled. 
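Review bot: Steps 3 and 4 both tell the reader to save ("Click **Save** within the **File Tracing and Shadowing** section", then "Save your changes and ensure the updated settings are deployed"). Merge them, and give step 4 a concrete way to confirm that clients have updated their policies, so the restart in step 5 is not done before the setting has arrived. The Overview sentence "...Content Aware Protection; File Tracing and File Shadowing has been added" does not parse and should say plainly what the feature adds. The Windows-only restriction in the closing NOTE belongs before step 1. `visibility: public` appears in this front matter but not in most of the neighbouring articles in this change; confirm it is intended.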
diff --git a/docs/kb/endpointprotector/enabling-deep-packet-inspection-and-intercepting-vpn-traffic-on-macos-clients.md b/docs/kb/endpointprotector/enabling-deep-packet-inspection-and-intercepting-vpn-traffic-on-macos-clients.md new file mode 100644 index 0000000000..035c657eb2 --- /dev/null +++ b/docs/kb/endpointprotector/enabling-deep-packet-inspection-and-intercepting-vpn-traffic-on-macos-clients.md 
@@ -0,0 +1,64 @@ +--- +description: >- + Describes how to enable Deep Packet Inspection and intercept VPN traffic on + macOS clients with Netwrix Endpoint Protector. Includes steps to install the + DPI certificate, allow the system extension, and configure VPN interception + settings. +keywords: + - deep packet inspection + - DPI + - VPN + - macOS + - Netwrix Endpoint Protector + - certificate + - Keychain Access + - system extension + - proxy configuration +products: + - endpoint-protector +sidebar_label: Enabling Deep Packet Inspection and Intercepting V +tags: [] +title: "Enabling Deep Packet Inspection and Intercepting VPN Traffic on macOS Clients" +knowledge_article_id: kA0Qk0000002BCQKA2 +--- + +# Enabling Deep Packet Inspection and Intercepting VPN Traffic on macOS Clients + +## Overview +This article describes how to enable Deep Packet Inspection and intercept VPN traffic on macOS clients. These instructions apply to Netwrix Endpoint Protector Server version 5.3.0.5 and later, and Netwrix Endpoint Protector Client version 2.2.1.5 and later. Ensure that you have installed the Netwrix Endpoint Protector Client and created the desired Content Aware Policy before proceeding. + +## Instructions +1. Open the **Netwrix Endpoint Protector Server** interface. In the **Device Control** section, select **User**, **Computer**, **Group**, or **Global Settings**. Click **Manage Settings**, then select **Netwrix Endpoint Protector Client** and enable **Deep Packet Inspection**. + ![Deep Packet Inspection settings in Netwrix Endpoint Protector Server interface](./images/ka0Qk000000EPcr_0EMQk00000C8gO9.png) + +2. Navigate to **System Configuration** > **System Settings** > **Deep Packet Inspection Certificate**. Download the CA certificate. + ![Download CA Certificate from Deep Packet Inspection Certificate section](./images/ka0Qk000000EPcr_0EMQk00000C8ekY.png) + +3. Open the **Keychain Access** application on your macOS device. In the sidebar, select **System**. + +4. 
Extract the contents of the downloaded `ClientCerts` file. + +5. Locate the `cacert.pem` file. Drag and drop it into **Keychain Access** under **System**. + +6. Find the newly added certificate, which displays an “x” icon. Double-click the certificate. + +7. In the **Trust** section, set **When using this certificate** to **Always Trust**. + +8. Click **Save** to apply your changes. + +9. In the **Netwrix Endpoint Protector** interface, enable **Intercept VPN Traffic**. When prompted, select one of the following behaviors for when the network extension is disabled: + - **Temporary Disable Deep Packet Inspection**: Temporarily disables Deep Packet Inspection. + - **Block Internet Access**: Blocks Internet access until the user approves the Netwrix Endpoint Protector Proxy Configuration. The user can allow it after restarting the computer. + - **Repeat VPN Notification**: Will repeat the network extension notification so that it can be allowed by the user. (This requires user interaction.) + +10. Click **Save** to confirm your settings. + +11. When prompted, review the pop-up message indicating that a system extension is blocked and must be allowed. + +12. Open **System Preferences**, then navigate to **Security and Privacy** > **General** and allow the Netwrix Endpoint Protector Client extension. + +13. When prompted, approve the Netwrix Endpoint Protector Proxy Configuration. + +14. Confirm that **Intercept VPN Traffic** is enabled. + +15. Disconnect and reconnect to the VPN to ensure all settings take effect in the Netwrix Endpoint Protector Client. diff --git a/docs/kb/endpointprotector/enabling-user-remediation-in-content-aware-protection-policies.md b/docs/kb/endpointprotector/enabling-user-remediation-in-content-aware-protection-policies.md new file mode 100644 index 0000000000..c51bc622cd --- /dev/null +++ b/docs/kb/endpointprotector/enabling-user-remediation-in-content-aware-protection-policies.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Shows how to enable User Remediation in Content Aware Protection policies so + end users can justify or remediate blocked actions when a policy triggers in + Netwrix Endpoint Protector. +keywords: + - user remediation + - content aware protection + - Netwrix Endpoint Protector + - block and remediate + - policy action + - data loss prevention + - endpoint remediation +products: + - endpoint-protector +sidebar_label: Enabling User Remediation in Content Aware Protect +tags: [] +title: "Enabling User Remediation in Content Aware Protection Policies" +knowledge_article_id: kA0Qk0000002BCLKA2 +--- + +# Enabling User Remediation in Content Aware Protection Policies + +## Overview + +User Remediation allows end users to justify or remediate blocked actions when a Content Aware Protection policy is triggered. It is recommended to enable User Remediation after configuring a blocking policy for Content Aware Protection in Netwrix Endpoint Protector. + +## Instructions + +1. In the Netwrix Endpoint Protector Console, navigate to the **Content Aware Protection Policy** where you want to enable User Remediation. +2. Edit the policy and locate the **Policy Action** field. +3. Select **Block and Remediate** from the available actions. + ![Block and Remediate option in Content Aware Protection Policy](./images/ka0Qk000000FKT3_0EMQk00000CAP34.png) +4. Click **Save** to confirm the changes. This will enable the User Remediation feature the next time the endpoint connects to the Netwrix Endpoint Protector Server. diff --git a/docs/kb/endpointprotector/error-cannot-execute-command-an-error-occurred.md b/docs/kb/endpointprotector/error-cannot-execute-command-an-error-occurred.md new file mode 100644 index 0000000000..a5620f7c9a --- /dev/null +++ b/docs/kb/endpointprotector/error-cannot-execute-command-an-error-occurred.md 
@@ -0,0 +1,32 @@ +--- +description: >- + This article explains why the notification "Cannot execute command! An error + occurred!" appears in the Endpoint Protector Server UI and how to resolve it. +keywords: + - Endpoint Protector + - session timeout + - UI error + - Cannot execute command + - server UI + - notification + - troubleshooting +products: + - endpoint-protector +sidebar_label: 'Error: "Cannot execute command! An error occurred!"' +tags: [] +title: 'Error: "Cannot execute command! An error occurred!"' +knowledge_article_id: kA0Qk0000002B73KAE +--- + +# Error: "Cannot execute command! An error occurred!" + +## Question +Why is the notification "Cannot execute command! An error occurred!" populating on the Endpoint Protector Server UI? + +## Answer +This notification appears because the **Endpoint Protector Server UI** session timed out, causing the operation to fail. + +To resolve this issue, refresh the server webpage and try to perform the same UI operation again. + +1. Refresh the server webpage. +2. Try to perform the same UI operation again. diff --git a/docs/kb/endpointprotector/error-computers-displayed-as-unlicensed-under-list-of-computers.md b/docs/kb/endpointprotector/error-computers-displayed-as-unlicensed-under-list-of-computers.md new file mode 100644 index 0000000000..4b4e64338c --- /dev/null +++ b/docs/kb/endpointprotector/error-computers-displayed-as-unlicensed-under-list-of-computers.md 
@@ -0,0 +1,46 @@ +--- +description: >- + Shows how to troubleshoot computers that appear as "Unlicensed" in the List of + Computers by verifying licenses, updating policies, checking client-server + connections, and reassigning licences or reinstalling clients. +keywords: + - endpoint protector + - unlicensed + - licenses + - EPP client + - release licenses + - update policies + - client connection + - reinstall +products: + - endpoint-protector +sidebar_label: 'Error: Computers Displayed as "Unlicensed" Under List of Computers' +tags: [] +title: 'Error: Computers Displayed as "Unlicensed" Under List of Computers' +knowledge_article_id: kA0Qk0000002B6HKAU +--- + +# Error: Computers Displayed as "Unlicensed" Under List of Computers + +## Symptom +Computers are displayed as "Unlicensed" under the List of Computers. + +## Cause +This issue may be due to insufficient licenses, incorrect client-server configurations, or issues with client deployment. + +## Resolutions +1. Verify Licenses + - Navigate to the **Netwrix Endpoint Protector Server (EPP) > System Configuration > System Licensing** and check if there are sufficient licenses available. + +2. Update Policies + - On the affected computer, click **Update Policies Now** and observe if the Netwrix Endpoint Protector Client (EPP Client) icon blinks a few times. + +3. Check Client Connection + - Ensure the Netwrix Endpoint Protector Client is correctly configured to connect with the Netwrix Endpoint Protector Server: + - Navigate to the **Settings** tab and press `CTRL + ALT + I`. + - Verify that the Server IP and Port are correct. + +4. Possible Solutions + - Restart the computer if the EPP Client was recently deployed. + - If restarting does not resolve the issue, reinstall the Netwrix Endpoint Protector Client on that machine. 
+ - If the issue persists, proceed to **Netwrix Endpoint Protector Server (EPP) > System Configuration > System Licensing > View Licenses** and use **Release Licenses** for the affected machines or all machines. This will prompt the EPP Server to reconnect with clients, reassign licenses, and generate a new set of certificates for them. diff --git a/docs/kb/endpointprotector/error-failed-to-initiate-usb-device.md b/docs/kb/endpointprotector/error-failed-to-initiate-usb-device.md new file mode 100644 index 0000000000..5bb013db42 --- /dev/null +++ b/docs/kb/endpointprotector/error-failed-to-initiate-usb-device.md 
@@ -0,0 +1,32 @@ +--- +description: >- + Explains why macOS shows "Failed to initiate USB device" when launching + EasyLock from Finder with read-only access enforced, and how to launch + EasyLock using the Netwrix Endpoint Protector Client or Notifier. +keywords: + - Failed to initiate USB device + - EasyLock + - macOS + - read-only + - TD1+ + - Netwrix Endpoint Protector + - USB + - Finder + - Notifier +products: + - endpoint-protector +sidebar_label: "Error: Failed to Initiate USB device" +tags: [] +title: 'Error: Failed to Initiate USB device' +knowledge_article_id: kA0Qk0000002BCHKA2 +--- + +# Error: Failed to Initiate USB device + +## Question +Why does the error message "Failed to initiate USB device" appear when attempting to start EasyLock from **Finder** with read-only access enforced on macOS? + +## Answer +You see this error on macOS when the **Allow Access if TD1+, otherwise Read Only** right is applied. Due to operating system limitations, you cannot launch applications from a device when read-only access is enforced. As a result, when you start EasyLock from **Finder**, you see the "Failed to initiate USB device" error. + +To launch EasyLock, use the **Netwrix Endpoint Protector Client** or **Notifier** and click the **mini USB icon**. This method allows Netwrix Endpoint Protector to grant the necessary access for EasyLock to run on the USB device. diff --git a/docs/kb/endpointprotector/error-secure-connection-failed-invalid-certificate-error-in-mozilla-firefox.md b/docs/kb/endpointprotector/error-secure-connection-failed-invalid-certificate-error-in-mozilla-firefox.md new file mode 100644 index 0000000000..07033fcb9b --- /dev/null +++ b/docs/kb/endpointprotector/error-secure-connection-failed-invalid-certificate-error-in-mozilla-firefox.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Describes how to fix the "Secure Connection Failed (Invalid Certificate)" + error in Mozilla Firefox when accessing Endpoint Protector by removing + certificate entries related to the appliance. Explains certificate-related + changes and provides steps to resolve the issue. +keywords: + - Endpoint Protector + - Mozilla Firefox + - certificate error + - Secure Connection Failed + - invalid certificate + - browser certificates + - fix +products: + - endpoint-protector +visibility: public +sidebar_label: "Error: Secure Connection Failed (Invalid Certificate) Error in Mozilla Firefox" +tags: [] +title: 'Error: Secure Connection Failed (Invalid Certificate) Error in Mozilla Firefox' +knowledge_article_id: kA0Qk0000002BCUKA2 +--- + +# Error: Secure Connection Failed (Invalid Certificate) Error in Mozilla Firefox + +## Question + +Why do I get a "Secure Connection Failed (Invalid Certificate)" error in Mozilla Firefox when accessing Endpoint Protector? + +## Answer + +In an earlier Endpoint Protector version, additional security measures have been implemented. These changes may cause certificate-related issues with the security features in the Mozilla Firefox browser, resulting in a "Secure Connection Failed (Invalid Certificate)" error. Endpoint Protector remains accessible and fully functional in other browsers, such as Chrome or Safari. + +To resolve this issue and continue using Mozilla Firefox to access the Endpoint Protector appliance, follow the steps below: + +1. Open the Mozilla Firefox browser. +2. Navigate to **Options** > **Advanced** > **Certificates** > **View Certificates**. +3. Delete all entries related to the Endpoint Protector Server IP address located in the **Servers**, **Authorities**, and **Others** tabs. +4. Close and reopen Mozilla Firefox. 
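Review bot: The Answer attributes the error to "additional security measures" implemented "in an earlier Endpoint Protector version" without naming the version or what changed in the certificate, so a reader cannot tell whether their appliance is affected; name both. Step 3 has the user delete every entry for the server IP from **Servers**, **Authorities**, and **Others**, but the steps stop at restarting Firefox. Say what the browser shows on the next connection and how to confirm that the certificate presented is the appliance's before it is trusted again. The menu path in step 2 (**Options** > **Advanced** > **Certificates**) should state the Firefox versions it applies to, and the title says "Error" twice.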
diff --git a/docs/kb/endpointprotector/error_devices_not_visible_in_list_of_devices.md b/docs/kb/endpointprotector/error_devices_not_visible_in_list_of_devices.md new file mode 100644 index 0000000000..972fb25af1 --- /dev/null +++ b/docs/kb/endpointprotector/error_devices_not_visible_in_list_of_devices.md 
@@ -0,0 +1,38 @@ +--- +description: >- + This article addresses the issue of new devices not appearing in the List of Devices on a protected computer and provides troubleshooting steps to resolve the problem. +keywords: + - devices not visible + - Endpoint Protector + - EPP Client +sidebar_label: Devices Not Visible +tags: [] +title: "Error: Devices Not Visible in List of Devices" +knowledge_article_id: kA0Qk0000002B6eKAE +products: + - endpoint-protector +--- + +# Error: Devices Not Visible in List of Devices + +## Symptom + +New devices connected to a protected computer are not visible in the system's **List of Devices**. + +## Cause + +This issue may occur if the **Endpoint Protector (EPP) Client** is not communicating with the **EPP Server**, or if the device has not been properly recognized or registered by the system. + +## Resolutions + +1. **Verify the device status:** + 1. Open the **EPP Client** notifier by double-clicking the **EPP Client** icon in the task bar. + 2. Check if the **EPP Client** is communicating with the **EPP Server** by reviewing the **Last Server Connection** status. + 3. On the **Settings** tab, press **Ctrl** + **Alt** + **I** (Windows) or **Command** + **Option** + **I** (macOS). Confirm that **YES** appears next to **Connected**. + 4. Check if the device is visible under the **Device Control** tab in the **EPP Client**. + +2. **Unplug the device and restart the computer.** After the restart, reconnect the device to the computer and update **EPP Client** policies. + +3. **Manually create a new device** by providing the device parameters and information under **List of Devices**: + 1. Navigate to **Device Control** > **Devices** > **Create**. + 2. Save the newly added device and retest. \ No newline at end of file 
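Review bot: Resolution 1 is verification only. Sub-steps 2 and 3 have the reader check **Last Server Connection** and whether **YES** appears next to **Connected**, but nothing says what to do when the client is not connected, which is the first cause the article itself lists. Add the follow-up action, or link to the client connection steps in the "Unlicensed" article added in this same change. Resolution 3 should name the "device parameters and information" required under **Create** and where to read them from the device. The shortcut is written as bold keys here but as `CTRL + ALT + I` in the "Unlicensed" article; pick one form. The file also lacks a trailing newline.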
diff --git a/docs/kb/endpointprotector/error_server_user_interface_only_accessible_with_safari_on_vm-hosted_servers.md b/docs/kb/endpointprotector/error_server_user_interface_only_accessible_with_safari_on_vm-hosted_servers.md new file mode 100644 index 0000000000..87cc2cdeff --- /dev/null +++ b/docs/kb/endpointprotector/error_server_user_interface_only_accessible_with_safari_on_vm-hosted_servers.md @@ -0,0 +1,29 @@ +--- +description: >- + This article explains how to resolve an issue where the Endpoint Protector Server user interface (UI) is only accessible using the Safari web browser when the server is hosted on a virtual machine (VM). +keywords: + - Endpoint Protector + - server user interface + - virtual machine +sidebar_label: Server UI Access Issue +tags: [] +title: "Error: Server User Interface Only Accessible with Safari on VM-Hosted Servers" +knowledge_article_id: kA0Qk0000002B2dKAE +products: + - endpoint-protector +--- + +# Error: Server User Interface Only Accessible with Safari on VM-Hosted Servers + +## Overview + +This article explains how to resolve an issue where the Endpoint Protector Server user interface (UI) is only accessible using the Safari web browser when the server is hosted on a virtual machine (VM). + +## Instructions + +1. Access the VM where the Endpoint Protector server is hosted. +2. Validate the networking settings are configured correctly. For detailed guidance, see the [Endpoint Protector Setup Wizard – Network Settings](/docs/endpointprotector/5.9.4.2/install/setupwizard) documentation. +3. Ensure that the gateway is configured and added. +4. Save the settings. + +After completing these steps, the Endpoint Protector UI should be accessible from any browser. \ No newline at end of file diff --git a/docs/kb/endpointprotector/export-event-logs-from-reports-and-analysis.md b/docs/kb/endpointprotector/export-event-logs-from-reports-and-analysis.md new file mode 100644 index 0000000000..3caa2e1d8e --- /dev/null 
+++ b/docs/kb/endpointprotector/export-event-logs-from-reports-and-analysis.md @@ -0,0 +1,37 @@ +--- +description: >- + Learn how to export selected event logs from the Reports and Analysis section + in Endpoint Protector for further analysis or record-keeping. +keywords: + - endpoint protector + - export + - event logs + - reports and analysis + - csv + - xlsx + - logs + - troubleshooting +products: + - endpoint-protector +sidebar_label: Export Event Logs from Reports and Analysis +tags: [] +title: "Export Event Logs from Reports and Analysis" +knowledge_article_id: kA0Qk0000002B13KAE +--- + +# Export Event Logs from Reports and Analysis + +## Overview + +This article explains how to export selected event logs from the **Reports and Analysis** section in Endpoint Protector. You can filter for specific events and export the results for further analysis or record-keeping. + +## Instructions + +1. On the Endpoint Protector server, navigate to **Reports and Analysis**. +2. Apply a filter for the desired event logs. + ![Applying filter for Blocked events in Reports and Analysis](./images/ka0Qk000000Ea6r_0EMQk00000CAcMt.png) +3. Click the **Create Export** button at the bottom of the list to generate an export file. +4. Download the generated `.csv` or `.xlsx` file from **View Export List**. + ![View Export List in Reports and Analysis](./images/ka0Qk000000Ea6r_0EMQk00000CAkDx.png) +5. Access and review the exported file as needed. + ![Example of exported event log file](./images/ka0Qk000000Ea6r_0EMQk00000CAivK.png) diff --git a/docs/kb/endpointprotector/file-shadow-format-for-documents-sent-to-printers.md b/docs/kb/endpointprotector/file-shadow-format-for-documents-sent-to-printers.md new file mode 100644 index 0000000000..b1ac44cf2e --- /dev/null +++ b/docs/kb/endpointprotector/file-shadow-format-for-documents-sent-to-printers.md 
@@ -0,0 +1,30 @@ +--- +description: >- + Explains the file shadow formats Endpoint Protector saves for printed + documents when Advanced Printer and MTP Scanning is enabled, including the + default ` .txt ` representation and possible original-format ` .pdf ` files. +keywords: + - endpoint protector + - file shadow + - printer + - advanced printer and MTP scanning + - .txt + - .pdf + - content aware protection + - device control policies +products: + - endpoint-protector +visibility: public +sidebar_label: File Shadow Format for Documents Sent to Printers +tags: [] +title: "File Shadow Format for Documents Sent to Printers" +knowledge_article_id: kA0Qk0000002B98KAE +--- + +# File Shadow Format for Documents Sent to Printers + +## Question +What is the file shadow format for documents sent to printers? + +## Answer +When you enable the **Advanced Printer and MTP Scanning** feature, Endpoint Protector typically saves file shadows of printed documents in ` .txt ` format. This is due to the variety of ways documents can be printed and the need to provide a textual representation for inspection of confidential data as defined in **Content Aware Protection** and **Device Control Policies**. In some cases, the transferred file may be saved in its original format, such as ` .pdf `. diff --git a/docs/kb/endpointprotector/global-rights-option-not-displayed-when-easylock-role-is-assigned-to-administrator.md b/docs/kb/endpointprotector/global-rights-option-not-displayed-when-easylock-role-is-assigned-to-administrator.md new file mode 100644 index 0000000000..435b595fd7 --- /dev/null +++ b/docs/kb/endpointprotector/global-rights-option-not-displayed-when-easylock-role-is-assigned-to-administrator.md 
@@ -0,0 +1,54 @@ +--- +description: >- + When an Easylock administrator role is assigned to an administrator group, the + Global rights option does not appear in the Device Control submenu. This + article explains the cause, confirms that this is expected behavior, and + provides steps to reproduce and options to request a change. +keywords: + - endpoint protector + - easylock + - global rights + - device control + - department + - system administrators + - enforced encryption + - USB + - access model +products: + - endpoint-protector +sidebar_label: Global Rights Option Not Displayed When Easylock R +tags: [] +title: "Global Rights Option Not Displayed When Easylock Role Is Assigned to Administrator" +knowledge_article_id: kA0Qk0000002j7VKAQ +--- + +# Global Rights Option Not Displayed When Easylock Role Is Assigned to Administrator + +## Symptom + +When an Easylock administrator role is assigned to an administrator group, the **Global rights** option does not appear in the **Device Control** submenu. + +## Cause + +This behavior is not a bug. It is the result of a feature request implemented in 2020 called **Add department for EL**. When an Easylock role is assigned to an administrator, the **Global rights** option is intentionally not displayed in the **Device Control** submenu. + +For additional context, administrators assigned to one department can access and perform actions on USB devices that belong to another department within the Easylock module. This behavior is inconsistent with other modules, such as **Report Logs** or **OTP**, where department-based access restrictions are enforced. + +## Resolution + +This is expected behavior by design. No action is required unless you want to change the current access model. If you need department-based access restrictions to be enforced in the Easylock module, contact Netwrix Support to submit a feature request. + +### Steps to Reproduce + +1. 
Log in to the Endpoint Protector console as the root administrator and use a client from your current department. +2. Connect a USB device and manually deploy Easylock on it. +3. Navigate to **System Configuration** > **System Departments** and create a new department. +4. Go to **System Configuration** > **System Administrators** and create a new admin under the newly created department with no AD authentication, but with rights extended from the Easylock administration group. +5. Log in to the Endpoint Protector console with the new admin. +6. Navigate to **Enforced Encryption** > **Easylock**. +7. Download a manually deployed Easylock from a device in your chosen department. +8. Send a message to a connected device from your chosen department. + +### Expected Result + +Access to devices and actions from other departments should be restricted unless explicitly extended, following the same behavior as in other modules (for example, **Report Logs** or **OTP**). diff --git a/docs/kb/endpointprotector/greyed-out-computer-in-the-client-software-upgrade.md b/docs/kb/endpointprotector/greyed-out-computer-in-the-client-software-upgrade.md new file mode 100644 index 0000000000..5fa60687ec --- /dev/null +++ b/docs/kb/endpointprotector/greyed-out-computer-in-the-client-software-upgrade.md 
@@ -0,0 +1,41 @@ +--- +description: >- + The affected computer appears greyed out and cannot be selected in the Netwrix + Endpoint Protector client software upgrade interface because it is already + assigned to another active upgrade job. This article explains how to identify + and resolve the issue so you can select the computer for a new upgrade job. +keywords: + - endpoint protector + - client upgrade + - software upgrade + - greyed out + - upgrade job + - troubleshooting + - agent update + - client software + - upgrade interface +products: + - endpoint-protector +sidebar_label: Greyed Out Computer in the Client Software Upgrade +tags: [] +title: "Greyed Out Computer in the Client Software Upgrade" +knowledge_article_id: kA0Qk0000002B5pKAE +--- + +# Greyed Out Computer in the Client Software Upgrade + +## Symptom + +The affected computer is displayed as greyed out and cannot be selected in the Netwrix Endpoint Protector client software upgrade or update interface. + +![Example](images/servlet_image_3f1c3b331cfe.png) + +## Cause + +This happens when the computer is already assigned to another active upgrade job in the system. + +## Resolution + +1. Review the list of existing upgrade jobs in the client software upgrade interface and identify any jobs that include the affected computer. +2. Remove or complete any active or pending upgrade jobs that contain the computer. +3. Create a new upgrade job and verify that the computer is now available for selection. diff --git a/docs/kb/endpointprotector/how-does-the-file-size-threshold-apply-to-uploads.md b/docs/kb/endpointprotector/how-does-the-file-size-threshold-apply-to-uploads.md new file mode 100644 index 0000000000..e27686210e --- /dev/null +++ b/docs/kb/endpointprotector/how-does-the-file-size-threshold-apply-to-uploads.md 
@@ -0,0 +1,38 @@ +--- +description: >- + Explains how the File Size Threshold controls individual file uploads in + Netwrix Endpoint Protector's Content Aware Policies and how it affects + multi-file uploads. +keywords: + - file size threshold + - upload limit + - content aware policies + - Netwrix Endpoint Protector + - multi-file upload + - DLP + - CAP + - file size +products: + - endpoint-protector +visibility: public +sidebar_label: How Does the File Size Threshold Apply to Uploads? +tags: [] +title: "How Does the File Size Threshold Apply to Uploads?" +knowledge_article_id: kA0Qk0000002BE0KAM +--- + +# How Does the File Size Threshold Apply to Uploads? + +## Question +How does the File Size Threshold apply to uploads? + +## Answer +The **File Size Threshold** setting limits uploads at the individual file level, not at the aggregate level. This approach provides more granular control when multiple files are uploaded through web-facing applications. + +To activate this option, do the following: +1. Go to **Content Aware Protection** > **Content Aware Policies**. +2. Select your CAP policy and enable the **File Size Threshold** option. + +![File Size Threshold option in Content Aware Policies settings](./images/ka0Qk000000ESKb_0EMQk00000C8iL7.png) + +> **NOTE:** If a File Size Threshold is set, it applies to the entire policy, regardless of which file types or custom contents are selected. The value must be a positive, whole number. For example, if the File Size Threshold is set to `1024 MB`, any file smaller than `1 GB` can be uploaded. If ten `200 MB` files are uploaded, all will be accepted. However, if one of the ten files is `1.5 GB`, the upload attempt will be blocked. diff --git a/docs/kb/endpointprotector/how-the-file-size-threshold-applies-to-uploads.md b/docs/kb/endpointprotector/how-the-file-size-threshold-applies-to-uploads.md new file mode 100644 index 0000000000..e3766b7315 --- /dev/null 
+++ b/docs/kb/endpointprotector/how-the-file-size-threshold-applies-to-uploads.md @@ -0,0 +1,30 @@ +--- +description: >- + Explains how the File size threshold setting limits uploads per individual + file rather than by aggregate, with an example showing allowed and blocked + uploads. +keywords: + - file size threshold + - upload limits + - file uploads + - endpoint protector + - per-file limit + - upload block + - web-facing applications +products: + - endpoint-protector +sidebar_label: How the File Size Threshold Applies to Uploads +tags: [] +title: "How the File Size Threshold Applies to Uploads" +knowledge_article_id: kA0Qk0000002Ay2KAE +--- + +# How the File Size Threshold Applies to Uploads + +## Question +How does the file size threshold apply to uploads? + +## Answer +The **File size threshold** setting is designed to limit uploads at the individual file level, rather than at the aggregate level. By managing limits at the individual level, you gain more granularity when multiple files are uploaded through web-facing applications. + +For example, if the file size threshold is set to `1024 MB`, any file smaller than `1 GB` is acceptable. If you upload ten files, each `200 MB`, there will be no restriction. However, if one of the ten files is `1.5 GB`, the upload attempt for that file will be blocked. diff --git a/docs/kb/endpointprotector/how-to-back-up-data-from-a-usb-drive-when-experiencing-easylock-issues.md b/docs/kb/endpointprotector/how-to-back-up-data-from-a-usb-drive-when-experiencing-easylock-issues.md new file mode 100644 index 0000000000..1ea7551be8 --- /dev/null +++ b/docs/kb/endpointprotector/how-to-back-up-data-from-a-usb-drive-when-experiencing-easylock-issues.md 
@@ -0,0 +1,39 @@ +--- +description: >- + If you are experiencing issues with Easylock, back up the data on your USB + drive using these step-by-step procedures to secure your files and restore + access. +keywords: + - Easylock + - USB backup + - USB drive + - backup procedure + - Enforce Encryption + - Manual Deployment + - Easylock.exe + - data recovery +products: + - endpoint-protector +visibility: public +sidebar_label: How to Back Up Data from a USB Drive When Experien +tags: [] +title: "How to Back Up Data from a USB Drive When Experiencing Easylock Issues" +knowledge_article_id: kA0Qk0000002B2sKAE +--- + +# How to Back Up Data from a USB Drive When Experiencing Easylock Issues + +## Overview + +If you are experiencing problems with Easylock, you can attempt to back up your data by following the step-by-step instructions below. These procedures are designed to help you secure your data and maintain access should issues arise. + +## Instructions + +1. Enable write access on the USB drive. +2. Copy all files from the root directory of the USB drive to a local folder as a backup. +3. Open the **Enforce Encryption** section, select **Manual Deployment**, and choose your USB device. +4. Download the Easylock software package. +5. Extract the Easylock client files to your local computer. +6. Replace the `Easylock.exe` file on the USB drive with the extracted version. + +After completing these steps, you may be able to restore access to Easylock and secure your data. diff --git a/docs/kb/endpointprotector/how-to-block-whatsapp-application-from-launching.md b/docs/kb/endpointprotector/how-to-block-whatsapp-application-from-launching.md new file mode 100644 index 0000000000..080915f108 --- /dev/null +++ b/docs/kb/endpointprotector/how-to-block-whatsapp-application-from-launching.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Learn how to block the WhatsApp application from launching on Windows and + macOS by configuring an Applications Denylist in the Content Aware Protection + policy of Netwrix Endpoint Protector. +keywords: + - WhatsApp block + - Applications Denylist + - Content Aware Protection + - Netwrix Endpoint Protector + - WhatsApp.exe + - WhatsAppDesktop + - block application + - denylist +products: + - endpoint-protector +sidebar_label: How to Block WhatsApp Application from Launching +tags: [] +title: "How to Block WhatsApp Application from Launching" +knowledge_article_id: kA0Qk0000002B12KAE +--- + +# How to Block WhatsApp Application from Launching + +## Overview + +This article explains how to block and prevent the WhatsApp application from opening on Windows and macOS computers by configuring an **Applications Denylist** in the Content Aware Protection policy of **Netwrix Endpoint Protector**. + +## Instructions + +1. Navigate to the **Applications Denylist** configuration page. +2. For Windows operating systems: + 1. In the **Application & CLI Command** box, enter `WhatsApp.exe`. + 2. In the **Parameters** box, enter `*`. + 3. Click **Add to Content**. + 4. Verify that `WhatsApp.exe *` appears in the **List of Application & CLI Command** box on the right. + ![Applications Denylist configuration for WhatsApp.exe on Windows](images/ka0Qk000000Dzor_0EMQk00000CAfxR.png) +3. For macOS operating systems: + 1. In the **Application & CLI Command** box, enter `WhatsAppDesktop`. + 2. In the **Parameters** box, enter `*`. + 3. Click **Add to Content**. + 4. Verify that `WhatsAppDesktop *` appears in the **List of Application & CLI Command** box on the right. + ![Applications Denylist configuration for WhatsAppDesktop on macOS](images/ka0Qk000000Dzor_0EMQk00000CAfxR.png) +4. Select all entries by checking their checkboxes, then click **Generate**. +5. The final result should display the denylist entries as shown below. 
+ ![Final Applications Denylist with WhatsApp entries](images/ka0Qk000000Dzor_0EMQk00000CAag4.png) +6. Under **Policy Denylists** > **Applications** in the Content Aware Protection policy, select the application list you created. +7. Save the policy and update the policies on the endpoint computers. Ensure you assign the policy to the target computers. + ![Assigning the Applications Denylist policy to target computers](images/ka0Qk000000Dzor_0EMQk00000CAgof.png) +8. Attempt to open the WhatsApp Desktop application to confirm it is blocked. diff --git a/docs/kb/endpointprotector/how-to-charge-an-iphone-on-a-computer-controlled-by-endpoint-protector.md b/docs/kb/endpointprotector/how-to-charge-an-iphone-on-a-computer-controlled-by-endpoint-protector.md new file mode 100644 index 0000000000..8b46e0fa65 --- /dev/null +++ b/docs/kb/endpointprotector/how-to-charge-an-iphone-on-a-computer-controlled-by-endpoint-protector.md @@ -0,0 +1,29 @@ +--- +description: >- + Explains whether you can charge an iPhone on a computer managed by Netwrix + Endpoint Protector and which device permissions allow charging. +keywords: + - iphone + - charging + - endpoint protector + - netwrix endpoint protector + - device control + - usb charging + - device rights + - deny access but allow charging +products: + - endpoint-protector +visibility: public +sidebar_label: How to Charge an iPhone on a Computer Controlled b +tags: [] +title: "How to Charge an iPhone on a Computer Controlled by Netwrix Endpoint Protector" +knowledge_article_id: kA0Qk0000002BHNKA2 +--- + +# How to Charge an iPhone on a Computer Controlled by Netwrix Endpoint Protector + +## Question +Can you charge an iPhone on a computer controlled by Netwrix Endpoint Protector? + +## Answer +You can charge your iPhone on a computer with Netwrix Endpoint Protector installed if you have either **Allow access** or **Deny access but allow charging** rights assigned to the device. 
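Review bot: The Answer in how-to-charge-an-iphone-on-a-computer-controlled-by-endpoint-protector.md offers **Deny access but allow charging** as a way to permit charging but leaves out the side effect documented in how-to-configure-deny-access-but-allow-charging-for-ios-devices.md in this same patch: the right prevents native sync and can carry over to other iOS device types. Link to that article from the Answer. The right is also capitalised differently in the two files (**Deny access but allow charging** here, **Deny Access but Allow Charging** there), and `sidebar_label` is cut off at "Controlled b".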
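Review bot: In how-to-block-whatsapp-application-from-launching.md, macOS sub-step 3.4 embeds the same image file as Windows sub-step 2.4 (`images/ka0Qk000000Dzor_0EMQk00000CAfxR.png`) although its alt text describes the `WhatsAppDesktop` entry; point it at the macOS screenshot or drop it. Step 1 gives no navigation path to the **Applications Denylist** page, unlike the other articles in this patch. Step 7 puts "Ensure you assign the policy to the target computers" after "update the policies on the endpoint computers"; assignment should come first.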
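Review bot: how-does-the-file-size-threshold-apply-to-uploads.md and how-the-file-size-threshold-applies-to-uploads.md answer the same question with nearly the same text under two different `knowledge_article_id` values (`kA0Qk0000002BE0KAM` and `kA0Qk0000002Ay2KAE`); keep one and redirect the other. The two copies already differ on the blocked case: one says "the upload attempt will be blocked", the other "the upload attempt for that file will be blocked", and for a ten-file upload those are different outcomes. Both examples also leave the boundary open: with a threshold of `1024 MB` they say files "smaller than `1 GB`" pass, but not what happens to a file of exactly `1024 MB`.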
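Review bot: In global-rights-option-not-displayed-when-easylock-role-is-assigned-to-administrator.md, the Steps to Reproduce do not reproduce the stated Symptom: none of the eight steps opens the **Device Control** submenu to show that **Global rights** is missing, and they instead walk through the cross-department access mentioned in the second Cause paragraph. The Expected Result ("should be restricted unless explicitly extended") then reads as a defect description, which conflicts with the Resolution's "expected behavior by design". Either scope the article to the missing menu option and end the steps there, or state the actual result next to the expected one and say plainly that cross-department access in the Easylock module is the current behavior. `sidebar_label` is also cut off at "Easylock R".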
diff --git a/docs/kb/endpointprotector/how-to-check-the-client-to-server-connection-status.md b/docs/kb/endpointprotector/how-to-check-the-client-to-server-connection-status.md new file mode 100644 index 0000000000..43af4e8d72 --- /dev/null +++ b/docs/kb/endpointprotector/how-to-check-the-client-to-server-connection-status.md 
@@ -0,0 +1,44 @@ +--- +description: >- + Use this article to verify the connection between the Netwrix Endpoint + Protector Client and the server. It explains how to view the last connection + time, server IP and port, connection status, and when policies were last + received. +keywords: + - Netwrix Endpoint Protector + - client connection + - server connection + - connection status + - last connection time + - server IP + - port + - policies +products: + - endpoint-protector +sidebar_label: How to Check the Client-to-Server Connection Statu +tags: [] +title: "How to Check the Client-to-Server Connection Status" +knowledge_article_id: kA0Qk0000002B14KAE +--- + +# How to Check the Client-to-Server Connection Status + +## Overview + +This article explains how to check the connection status between the Netwrix Endpoint Protector Client and the server. You can verify if the client is communicating with the Netwrix Endpoint Protector server and view details such as the last connection time, server IP and port, and the last time policies were received. + +## Instructions + +1. Open the **Netwrix Endpoint Protector Client** on the endpoint computer. +2. Go to the **Settings** tab. +3. Press the following key combination, depending on your operating system: + - Windows: `Control + Alt + I` + - macOS: `Option + Command + I` + - Linux: `Control + Alt + I` +4. If the client is communicating with the server, the following information will be displayed in the bottom right corner: + - The time and date of the last server connection + - The server IP and port + - The connection status + - The time and date when the policies were last received + + ![Netwrix Endpoint Protector Client Settings tab showing server connection status details](images/ka0Qk000000Dzs5_0EMQk00000CAOoZ.png) 
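Review bot: Step 4 describes only the success case ("If the client is communicating with the server, the following information will be displayed") and gives the reader no way to recognise a failed connection; say what the panel shows when the client is not connected, as error_devices_not_visible_in_list_of_devices.md does with "Confirm that **YES** appears next to **Connected**". The shortcut is also written differently in the two articles (`Control + Alt + I` and `Option + Command + I` here, **Ctrl** + **Alt** + **I** and **Command** + **Option** + **I** there), and `sidebar_label` is cut off at "Statu".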
diff --git a/docs/kb/endpointprotector/how-to-check-the-history-and-email-status-of-alerts.md b/docs/kb/endpointprotector/how-to-check-the-history-and-email-status-of-alerts.md new file mode 100644 index 0000000000..42873dc092 --- /dev/null +++ b/docs/kb/endpointprotector/how-to-check-the-history-and-email-status-of-alerts.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Use these steps to check alert history, view log and alert details, and verify + whether an email was successfully sent from the Netwrix Endpoint Protector + Server. +keywords: + - alerts + - alert history + - email status + - log details + - Netwrix Endpoint Protector + - Device Control + - Content Aware + - EasyLock +products: + - endpoint-protector +sidebar_label: How to Check the History and Email Status of Alert +tags: [] +title: "How to Check the History and Email Status of Alerts" +knowledge_article_id: kA0Qk0000002B15KAE +--- + +# How to Check the History and Email Status of Alerts + +## Overview + +This article explains how to check the alert history, log details, and the status of emails generated for specific alerts. You can use these steps to verify whether an email was successfully sent from the Netwrix Endpoint Protector Server. + +## Instructions + +1. Navigate to the desired alert category, such as **System Alerts**, **Device Control Alerts**, **Content Aware Alerts**, or **EasyLock Alerts**. +2. Click **View History** to see the list of generated alerts. The alerts are listed under **Alerts History**. Each alert listed in **Alerts History** is also sent via email. + ![Alerts History page showing list of generated alerts](images/ka0Qk000000Dzth_0EMQk00000CJ9iD.png) +3. In the **Actions** column for the desired alert, click the three-line menu, and then click **View**. + ![Actions column with View option highlighted](images/ka0Qk000000Dzth_0EMQk00000CJ1Co.png) +4. The **Log Details** and **Alert Details** will be displayed, along with the **E-mail Status**. Here, you can see if the email was sent successfully from the Netwrix Endpoint Protector Server. + ![Log Details and E-mail Status section showing email delivery status](images/ka0Qk000000Dzth_0EMQk00000CJA4n.png) 
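Review bot: Step 2 states that "Each alert listed in **Alerts History** is also sent via email", which contradicts the purpose of step 4, where **E-mail Status** exists to show whether the email was actually sent. Reword step 2 to say that an email is generated for each alert, and have step 4 name the status values the reader can expect and what to check when delivery failed. `sidebar_label` is cut off at "Alert".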
diff --git a/docs/kb/endpointprotector/how-to-collect-extended-deep-packet-inspection-logs-for-mac-os.md b/docs/kb/endpointprotector/how-to-collect-extended-deep-packet-inspection-logs-for-mac-os.md new file mode 100644 index 0000000000..9699701c7f --- /dev/null +++ b/docs/kb/endpointprotector/how-to-collect-extended-deep-packet-inspection-logs-for-mac-os.md @@ -0,0 +1,47 @@ +--- +description: >- + This article explains how to collect extended Deep Packet Inspection (DPI) + logs on MacOS to assist with troubleshooting and support requests. Use the + provided script to generate a tar archive that you can attach to your support + ticket. +keywords: + - DPI + - deep packet inspection + - macOS + - Endpoint Protector + - epp_collect_dpi_tool + - epp_dpi_logs.tar + - support + - logs + - troubleshooting +products: + - endpoint-protector +sidebar_label: How to Collect Extended Deep Packet Inspection Log +tags: [] +title: "How to Collect Extended Deep Packet Inspection Logs for Mac OS" +knowledge_article_id: kA0Qk0000002B2nKAE +--- + +# How to Collect Extended Deep Packet Inspection Logs for Mac OS + +## Overview + +This article explains how to collect extended Deep Packet Inspection (DPI) logs on MacOS to assist with troubleshooting and support requests. + +## Instructions + +Follow the steps below to collect the DPI logs: + +1. Download and extract the following zip file: + [epp_collect_dpi_tool.zip ⸱ Netwrix Endpoint Protector 🡥](https://download.endpointprotector.com/Support_files/epp_collect_dpi_tool.zip) + +2. Open a terminal and run the following commands: + +```bash +sudo chmod 0777 ./epp_collect_dpi_info_mac.sh +sudo ./epp_collect_dpi_info_mac.sh +``` + +3. The log file `epp_dpi_logs.tar` will generate on your desktop. + +4. Once collected, attach the `epp_dpi_logs.tar` file to your support ticket related to this issue. 
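Review bot: In step 2, `sudo chmod 0777 ./epp_collect_dpi_info_mac.sh` makes the script writable by every local user immediately before the next line runs it as root; use `chmod 0755` (or `chmod u+x`) instead, since only the execute bit is needed. Step 1 offers no checksum or signature for `epp_collect_dpi_tool.zip`, which is worth publishing for a file that is run with `sudo`. The page also mixes "MacOS", "Mac OS" and "macOS", and its `sidebar_label` is identical to the one in how-to-collect-extended-deep-packet-inspection-logs-for-windows.md, so the two sidebar entries cannot be told apart.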
diff --git a/docs/kb/endpointprotector/how-to-collect-extended-deep-packet-inspection-logs-for-windows.md b/docs/kb/endpointprotector/how-to-collect-extended-deep-packet-inspection-logs-for-windows.md new file mode 100644 index 0000000000..683ceadd7c --- /dev/null +++ b/docs/kb/endpointprotector/how-to-collect-extended-deep-packet-inspection-logs-for-windows.md @@ -0,0 +1,40 @@ +--- +description: >- + Instructions to collect extended Deep Packet Inspection (DPI) logs on Windows + for Netwrix Endpoint Protector using the official DPI log collection tool. +keywords: + - DPI + - Deep Packet Inspection + - logs + - Endpoint Protector + - Windows + - epp_collect_dpi_info.bat + - collect + - troubleshooting + - support +products: + - endpoint-protector +sidebar_label: How to Collect Extended Deep Packet Inspection Log +tags: [] +title: "How to Collect Extended Deep Packet Inspection Logs for Windows" +knowledge_article_id: kA0Qk0000002B74KAE +--- + +# How to Collect Extended Deep Packet Inspection Logs for Windows + +## Question +How can you collect extended Deep Packet Inspection (DPI) logs for Windows? + +## Answer +Follow the steps below to collect extended Deep Packet Inspection logs for Windows: + +1. Download the DPI log collection tool: + https://download.endpointprotector.com/Support_files/epp_collect_dpi_tool.zip + +2. Copy the `epp_collect_dpi_info.bat` script file to the computer where you are experiencing DPI issues and run it as Administrator. + +3. Wait until the script finishes executing. + +4. When the script completes, a Windows Explorer window will open showing the collected files. + +5. Archive the logs as a `.zip` file and attach them to your support ticket or thread regarding the issue. diff --git a/docs/kb/endpointprotector/how-to-configure-deny-access-but-allow-charging-for-ios-devices.md b/docs/kb/endpointprotector/how-to-configure-deny-access-but-allow-charging-for-ios-devices.md new file mode 100644 index 0000000000..1843545e2f --- /dev/null 
+++ b/docs/kb/endpointprotector/how-to-configure-deny-access-but-allow-charging-for-ios-devices.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Use the Deny Access but Allow Charging right to allow iOS devices to charge + while access is denied. This article shows where to configure this setting in + the Netwrix Endpoint Protector Console and provides important notes about its + behavior. +keywords: + - deny access + - allow charging + - iOS + - Netwrix Endpoint Protector + - device types + - Windows + - macOS + - native sync +products: + - endpoint-protector +sidebar_label: How to Configure Deny Access but Allow Charging fo +tags: [] +title: "How to Configure Deny Access but Allow Charging for iOS Devices" +knowledge_article_id: kA0Qk0000002BHDKA2 +--- + +# How to Configure Deny Access but Allow Charging for iOS Devices + +## Overview + +The **Deny Access** right typically prevents iOS devices from charging. To address this, the **Deny Access but Allow Charging** right was introduced. This setting allows iOS devices to charge while access is denied. This feature is currently available for Windows and macOS. + +## Instructions + +1. In the **Netwrix Endpoint Protector Console**, navigate to the **Global**, **Computer**, **User**, or **Group** level settings. +2. Locate the **Deny Access but Allow Charging** option under **Device Types**. + ![Deny Access but Allow Charging option under Device Types in Netwrix Endpoint Protector](./images/ka0Qk000000ESsT_0EMQk00000C77qh.png) +3. Select **Deny Access but Allow Charging** for the desired iOS devices. + +> **NOTE:** This right prevents native sync, a common process for all iOS devices. Setting **Deny Access but Allow Charging** for any iPhone, iPad, or iPod can affect other iOS devices in Netwrix Endpoint Protector. Applying this right to a device type (for example, iPhones) may also apply it to other device types (such as iPads or iPods), regardless of the rights set on those devices. 
For granular control (Groups, Computers, Devices, etc.), ensure this right is set for a specific device and not for an entire device type. diff --git a/docs/kb/endpointprotector/how-to-configure-user-remediation-for-device-control.md b/docs/kb/endpointprotector/how-to-configure-user-remediation-for-device-control.md new file mode 100644 index 0000000000..b7b963e6fb --- /dev/null +++ b/docs/kb/endpointprotector/how-to-configure-user-remediation-for-device-control.md 
@@ -0,0 +1,59 @@ +--- +description: >- + This article explains how to configure user remediation for Device Control in + Netwrix Endpoint Protector, including global, group, and device-level + settings. It also shows how to configure remediation pop-ups, justifications, + and device-specific rights. +keywords: + - Netwrix Endpoint Protector + - user remediation + - device control + - remediation pop-up + - justification list + - device rights + - client UI +products: + - endpoint-protector +sidebar_label: How to Configure User Remediation for Device Contr +tags: [] +title: "How to Configure User Remediation for Device Contr" +knowledge_article_id: kA0Qk0000002B2pKAE +--- + +# How to Configure User Remediation for Device Control + +## Overview + +This article explains how to configure user remediation for Device Control in Netwrix Endpoint Protector (EPP). Remediation can be set globally, at the group level, or at the computer/user level. You can also select specific devices for which remediation should be active. + +## Instructions + +### Enable User Remediation Globally + +1. In the Netwrix Endpoint Protector console, navigate to **System Parameters** > **User Remediation**, and set **Enable User Remediation** for **Device Control** to **On**. + + +### Configure User Remediation Settings (Optional) + +1. On the **User Remediation** page, you can: + - Add a custom logo and URL. + - Require end users to use their credentials for remediation. + - Modify the default and maximum time interval for remediation requests. +2. Under **Justification List**, review, add, edit, delete, disable, or enable justifications for remediation. + +### Set Device-Specific Rights and Notifications + +1. Go to **Device Control** > **Rights**. + - To set global rights, select **Global Rights**. + - To set rights for a specific group, computer, or user, select the appropriate target. + Set **User Remediation** to **On** for the desired devices. + +2. Go to **Device Control** > **Settings**. 
+ - To configure global settings, select **Global Settings**. + - To configure settings for a specific group, computer, or user, select the appropriate target. + Enable the **User Remediation Pop-up**. +3. Optional: Enable the **Enforce User Remediation Pop-up** setting. When this is enabled, end users cannot disable **User Remediation Pop-up** notifications. + +> **NOTE:** If the **User Remediation Pop-up** is set to **OFF**, end users can still self-remediate from the client UI using the dedicated button. + + diff --git a/docs/kb/endpointprotector/how-to-deploy-the-windows-endpoint-protector-agent.md b/docs/kb/endpointprotector/how-to-deploy-the-windows-endpoint-protector-agent.md new file mode 100644 index 0000000000..5cec0304ad --- /dev/null +++ b/docs/kb/endpointprotector/how-to-deploy-the-windows-endpoint-protector-agent.md 
@@ -0,0 +1,140 @@ +--- +description: >- + Describes how to deploy the Netwrix Endpoint Protector Windows agent manually, + silently, or via Group Policy, including installer filenames, MSI properties, + and example commands. +keywords: + - Netwrix Endpoint Protector + - agent deployment + - MSI + - silent install + - Group Policy + - WSIP + - PROXYSETTINGSRBGPROP + - DEPT_CODE +products: + - endpoint-protector +sidebar_label: How to Deploy the Windows Endpoint Protector Agent +tags: [] +title: "How to Deploy the Windows Endpoint Protector Agent" +knowledge_article_id: kA0Qk0000001FTFKA2 +--- + +# How to Deploy the Windows Endpoint Protector Agent + +## Manual Installation + +If installing the Netwrix Endpoint Protector Agent on a small number of clients or for testing, the agent can simply be installed by downloading the MSI Package from the Netwrix Endpoint Protector Console and executed. When downloaded from the console, the installer will have a name that follows the below convention, where `\` is replaced with the agent version and `\` is replaced with the Netwrix Endpoint Protector server IP or URL: + +`EPPClientSetup.._x86_64_[a=].msi` + +Example installer: + +`EPPClientSetup.6.2.2.1006_x86_64_[a=10.0.0.86].msi` + +Note: This does not apply to the Netwrix Endpoint Protector Hotfix, as agents were not included in the server patch. To download the agents, please go to the security advisory located at https://security.netwrix.com/Advisories/ADV-2024-002 and download the required agent(s). + +## Silent Installation + +You can install the Netwrix Endpoint Protector Windows agent silently by using `msiexec` and specifying the options required for your environment. + +## Examples + +In all the below examples, replace `EPPClient.msi` with the name of the MSI being used. 
+ +### Basic Installation + +To install the Netwrix Endpoint Protector Agent with the defaults and the EPP server located at `192.168.1.50`, use the following: + +```batch +msiexec /i "C:\EPPClient.msi" /qn WSIP=192.168.1.50 +``` + +### Installation with Non-Default Department + +Use the same as the basic installation and specify your department code using the `DEPT_CODE` property: + +```batch +msiexec /i "C:\EPPClient.msi" /qn WSIP=192.168.1.50 DEPT_CODE=depfin +``` + +### Installation with Agent-Specific Proxy Settings + +To install the agent with a proxy that doesn’t require authentication, use the `PROXYSETTINGSRBGPROP`, `PROXYIP`, and `PROXYPORT` options along with the basic installation. The following will set the agent's proxy to `10.0.0.10:8080`: + +```batch +msiexec /i "C:\EPPClient.msi" WSIP=192.168.1.50 PROXYSETTINGSRBGPROP=ManualProxy PROXYIP=10.0.0.10 PROXYPORT=8080 +``` + +Advanced Installations customers requiring further options should see the Appendix for the full list of properties that can be specified. + +## Deploying the Agent via Group Policy + +Deploying the agent via Group Policy requires editing the MSI either directly or via an MSI transform file to be created and the specific properties updated in the transform. To do this, follow the instructions below: + +1. Download the Orca MSI (or your preferred MSI editing software; these instructions use Orca). + 1. Orca can be installed from the Windows SDK and selecting the MSI options. + + ![image.png](images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lsoU.png) + +2. Right-click on the `EPPClientSetup` MSI and select **Edit with Orca**. + + ![image.png](images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lrve.png) + +3. Click on **Transform** > **New Transform**. +4. Add the required properties to the Property Table. + 1. Find and open the Property table. + 2. Right click in the table and select **Add Row**. + 3. 
In the popup box, input **WSIP** as the property, and then add your Netwrix Endpoint Protector Server IP Address or FQDN as the value. + 4. Click **Ok**. + 5. Optional: If there are more properties that need changing or adding, such as not using the default department code, refer to the Appendix for the list of properties and change them all in the Properties table. + + ![image.png](images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005ls6y.png) + + ![image.png](images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lxoA.png) + +5. Generate the Transform. + 1. Click on **Transform**. + 2. Click on **Generate Transform**. + 3. In the open box, save your transform. + 4. Ensure the packages are placed on a network share that is accessible to all clients that need to install it. + + ![image.png](images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3Ov.png) + +6. Deploy the MSI with the Transform file via Group Policy. + 1. Open Group Policy Management Console. + 2. Find or create a new group policy for the deployment. + 3. Right click on the group policy object and select **Edit…** + 4. Expand **Computer Configuration** / **Policies** / **Software Settings**. + 5. Right-click **Software Installation** and select **New** > **Package**. + 6. Select the Advanced option on the Deploy Software dialog box. + 7. Browse to the network share where the installer and transform were placed in step 5. + 8. Select the `EPPClientSetup` MSI file and click **Open**. + 9. In the new window, select the **Modifications** tab. + 10. Click **Add** and browse to your saved transform file on the network share. + 11. Select the transform file and click **Ok**. + 12. Click **Ok**. 
+ + ![image.png](images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3VN.png) + ![image.png](images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lwId.png) + ![image.png](images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3gf.png) + ![image.png](images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m13n.png) + ![image.png](images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lzGU.png) + +## Appendix + +A full list of properties that can be specified in the installer can be found in this table. + +| Property | Example Values | Description | +|---|---|---| +| **WSIP** | `EPPServer.domain.local` | The name or IP address of your Netwrix Endpoint Protector Server. If this is not specified, then the value of `[a=XXX]` from the name of the installer is used for new installations. For existing installations, the registry is used. | +| **WSPORT** | `443` | The port on which the Netwrix Endpoint Protector Server is listening for agents. Default value: 443 | +| **DEPT_CODE** | `Defdep` | The department code to assign the computers. Default value: defep | +| **PROXYSETTINGSRBGPROP** | `SystemProxy` | Whether to use the System settings for proxy or to use the agent's own proxy configuration. Default: SystemProxy Allowed values: ManualProxy, SystemProxy | +| **PROXYIP** | `192.168.1.200` | The IP Address of the proxy server. This is only used when **PROXYSETTINGSRBGPROP** is set to ManualProxy. | +| **PROXYPORT** | `8080` | The port to use for the proxy server. This is only used when **PROXYSETTINGSRBGPROP** is set to ManualProxy. | +| **AUTHCHECKBOXPROP** | `1` | Enable this to use Authentication on the proxy. Allowed values: 0 (Disabled), 1 (Enabled) | +| **AUTHUSER** | `ProxyUser` | The username for the user that will authenticate to the proxy. | +| **AUTHPASSWORD** | `P@ssw0rd123` | The password for the user that will authenticate to the proxy. | +| **INSTALL_NOTES_EXT** | `1` | Installs the Lotus Notes Add-on. 
Default value: 1 (Install) Allowed values: 1 (Install), 0 (Don't install) | +| **INSTALL_OUTLOOK_EXT** | `1` | Installs the Outlook Add-on. Default value: 1 (Install) Allowed values: 1 (Install), 0 (Don't install) | diff --git a/docs/kb/endpointprotector/how-to-generate-a-memory-dump.md b/docs/kb/endpointprotector/how-to-generate-a-memory-dump.md new file mode 100644 index 0000000000..d6f99739fc --- /dev/null +++ b/docs/kb/endpointprotector/how-to-generate-a-memory-dump.md @@ -0,0 +1,41 @@ +--- +description: >- + This article explains how to configure your system to generate a memory dump + file after a system crash. It shows the Windows settings you must set to + collect kernel or complete memory dumps. +keywords: + - memory dump + - crash dump + - kernel memory dump + - complete memory dump + - Startup and Recovery + - Windows troubleshooting + - dump file + - system crash + - debugging +products: + - endpoint-protector +sidebar_label: How to Generate a Memory Dump +tags: [] +title: "How to Generate a Memory Dump" +knowledge_article_id: kA0Qk0000002B6RKAU +--- + +# How to Generate a Memory Dump + +## Overview + +This article explains how to configure your system to generate a memory dump file after a system crash. + +## Instructions + +1. On the affected computer, open the **Control Panel**. +2. Navigate to **System and Security** > **System**. +3. Select **Advanced system settings**. +4. Go to the **Advanced** tab. +5. In the **Startup and Recovery** area, select **Settings**. +6. Under **Writing Debugging Information**, select either **Kernel memory dump** or **Complete memory dump**. +7. Click **OK** to save your changes. +8. Restart the computer. + +After a crash occurs, you can access the memory dump file at the default path or configure a specific path to collect the generated logs. 
diff --git a/docs/kb/endpointprotector/how-to-identify-and-remove-duplicate-computers.md b/docs/kb/endpointprotector/how-to-identify-and-remove-duplicate-computers.md new file mode 100644 index 0000000000..ddd4625624 --- /dev/null +++ b/docs/kb/endpointprotector/how-to-identify-and-remove-duplicate-computers.md @@ -0,0 +1,36 @@ +--- +description: >- + Learn how to identify and remove duplicate computers in Netwrix Endpoint + Protector to free up licenses. This article walks you through filtering for + duplicates and deleting unwanted entries. +keywords: + - endpoint-protector + - duplicate-computers + - licenses + - device-control + - computers + - filtering + - remove-duplicates + - offline +products: + - endpoint-protector +visibility: public +sidebar_label: How to Identify and Remove Duplicate Computers +tags: [] +title: "How to Identify and Remove Duplicate Computers" +knowledge_article_id: kA0Qk0000002B5xKAE +--- + +# How to Identify and Remove Duplicate Computers + +## Overview + +This article explains how to identify and remove duplicate computers in Netwrix Endpoint Protector. Duplicate endpoints can occupy additional licenses, removing them helps free up licenses for other systems. + +## Instructions + +1. In the Netwrix Endpoint Protector Console, navigate to the **Device Control** menu and select **Computers**. +2. In the Filters section, select **Duplicates** > **Yes** > **Apply**. + ![Filtering for duplicate computers in Netwrix Endpoint Protector](./images/ka0Qk000000ETN7_0EMQk00000C91kL.png) +3. Review the list of duplicate computers. You can further filter for **Licensed** and **Offline** computers. +4. Delete the unwanted duplicate entries to release the associated licenses. diff --git a/docs/kb/endpointprotector/how-to-install-client-without-user-interaction.md b/docs/kb/endpointprotector/how-to-install-client-without-user-interaction.md new file mode 100644 index 0000000000..8d513f7732 --- /dev/null 
+++ b/docs/kb/endpointprotector/how-to-install-client-without-user-interaction.md @@ -0,0 +1,37 @@ +--- +description: >- + Learn how to install the Netwrix Endpoint Protector client silently from the + command line without user interaction or a system restart. +keywords: + - endpoint protector + - Netwrix Endpoint Protector + - silent install + - msiexec + - MSI + - client installation + - /qn + - /norestart +products: + - endpoint-protector +sidebar_label: How to Install Client Without User Interaction +tags: [] +title: "How to Install Client Without User Interaction" +knowledge_article_id: kA0Qk0000002Ay3KAE +--- + +# How to Install Client Without User Interaction + +## Question +Can you install the Netwrix Endpoint Protector client, without user interaction? + +## Answer +Yes, you can install the Netwrix Endpoint Protector client via the command line interface with administrative privileges. This method installs the client without user interaction and does not require a system restart. + +Run the following command: + +```batch +msiexec /i "C:\Users\eppuser1\Desktop\EPP Client\EPPClientSetup.6.2.4.2000_x86_64_[a=192.168.43.115].msi" /norestart /qn /l*v "C:\EPP_inst.log" +``` + +- ` /qn` performs a silent installation. +- ` /norestart` prevents a computer restart after installation is complete. diff --git a/docs/kb/endpointprotector/how-to-install-the-client-on-macos-monterey.md b/docs/kb/endpointprotector/how-to-install-the-client-on-macos-monterey.md new file mode 100644 index 0000000000..3cc1dd4430 --- /dev/null +++ b/docs/kb/endpointprotector/how-to-install-the-client-on-macos-monterey.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Instructions to install the Netwrix Endpoint Protector (EPP) Client on macOS + Monterey, including required Full Disk Access and Accessibility permissions. +keywords: + - Netwrix Endpoint Protector + - macOS Monterey + - EPP Client + - Full Disk Access + - Accessibility + - EasyLock + - macOS installation + - client deployment +products: + - endpoint-protector +sidebar_label: How to Install the Client on macOS Monterey +tags: [] +title: "How to Install the Client on macOS Monterey" +knowledge_article_id: kA0Qk0000002BCJKA2 +--- + +# How to Install the Client on macOS Monterey + +## Question + +Can you install the Netwrix Endpoint Protector (EPP) Client on macOS Monterey? + +## Answer + +Yes, it is possible to install the Netwrix Endpoint Protector (EPP) Client on macOS Monterey. Follow the steps below to complete this process: + +1. Install the Netwrix Endpoint Protector Client using the standard installation process. +2. Go to the **Apple Menu** > **System Preferences**. +3. Select **Security & Privacy**. +4. Click the **Privacy** tab. +5. In the sidebar, select **Full Disk Access**. +6. Click the lock icon and enter the administrator password to make changes. +7. Add **Netwrix Endpoint Protector** to the list of applications with Full Disk Access. +8. Select **Accessibility** in the sidebar. +9. Check **EPP Notifier** to grant accessibility permissions. + +## Additional Information + +- If you are using EasyLock for USB encryption, add **EasyLock** to the **Files and Folders** section in **Security & Privacy**. +- These steps are suitable for evaluating the product or installing it on a small number of Mac devices. For larger deployments, use third-party tools for mass installation. diff --git a/docs/kb/endpointprotector/how-to-monitor-webmail-for-gmail-outlook-and-yahoo.md b/docs/kb/endpointprotector/how-to-monitor-webmail-for-gmail-outlook-and-yahoo.md new file mode 100644 index 0000000000..ea88306dcf --- /dev/null 
+++ b/docs/kb/endpointprotector/how-to-monitor-webmail-for-gmail-outlook-and-yahoo.md @@ -0,0 +1,36 @@ +--- +description: >- + Shows you how to enable the Monitor webmail setting in Netwrix Endpoint + Protector so the product can scan subject and body fields for Gmail, Outlook, + and Yahoo webmail accessed through browsers. +keywords: + - monitor webmail + - Gmail + - Outlook + - Yahoo + - deep packet inspection + - content aware protection + - webmail scanning + - endpoint protector +products: + - endpoint-protector +sidebar_label: "How to Monitor Webmail for Gmail, Outlook, and Yahoo" +tags: [] +title: 'How to Monitor Webmail for Gmail, Outlook, and Yahoo' +knowledge_article_id: kA0Qk0000002Ay4KAE +--- + +# How to Monitor Webmail for Gmail, Outlook, and Yahoo + +## Overview + +This article explains how you can enable the **Monitor webmail** setting in Netwrix Endpoint Protector, which allows subject and body scanning for Gmail, Outlook, and Yahoo webmail in browsers. + +## Instructions + +1. Navigate to **Content Aware Protection** > **Deep Packet Inspection**. +2. Toggle the switch to enable the **Monitor webmail** setting. + +When you enable this setting, it allows monitoring of the subject and body fields for Gmail, Outlook, and Yahoo webmail accessed through browsers. + +![Deep Packet Inspection settings page with Monitor webmail option highlighted](images/ka0Qk000000Drsv_0EMQk00000CB41O.png) diff --git a/docs/kb/endpointprotector/how-to-set-access-rights-for-an-iphone.md b/docs/kb/endpointprotector/how-to-set-access-rights-for-an-iphone.md new file mode 100644 index 0000000000..138905d73f --- /dev/null +++ b/docs/kb/endpointprotector/how-to-set-access-rights-for-an-iphone.md 
@@ -0,0 +1,33 @@ +--- +description: >- + Explains why the Read Only access right is unavailable for iPhone devices and + lists the supported access rights you can assign. +keywords: + - iPhone + - access rights + - Read Only + - Allow + - Deny + - charging + - endpoint protector + - mobile device management +products: + - endpoint-protector +visibility: public +sidebar_label: How to Set Access Rights for an iPhone +tags: [] +title: "How to Set Access Rights for an iPhone" +knowledge_article_id: kA0Qk0000002BHIKA2 +--- + +# How to Set Access Rights for an iPhone + +## Question +Why are **Read Only** rights not available for iPhone? + +## Answer +iPhones do not support the **Read Only** setting. You must set the device to one of the following rights: + +- **Allow** (for full access) +- **Deny** (for no access) +- **Deny access but allow charging** diff --git a/docs/kb/endpointprotector/how-to-set-an-uninstall-protection-password.md b/docs/kb/endpointprotector/how-to-set-an-uninstall-protection-password.md new file mode 100644 index 0000000000..4834df29f6 --- /dev/null +++ b/docs/kb/endpointprotector/how-to-set-an-uninstall-protection-password.md 
@@ -0,0 +1,37 @@ +--- +description: >- + This article explains how to configure an uninstall protection password in + Netwrix Endpoint Protector so that only authorized users can remove the client + from managed devices. +keywords: + - uninstall protection + - uninstall password + - Netwrix Endpoint Protector + - client uninstall + - endpoint security + - client management +products: + - endpoint-protector +visibility: public +sidebar_label: How to Set an Uninstall Protection Password +tags: [] +title: "How to Set an Uninstall Protection Password" +knowledge_article_id: kA0Qk0000002B2mKAE +--- + +# How to Set an Uninstall Protection Password + +## Overview + +This article explains how to configure an uninstall protection password in Netwrix Endpoint Protector. Enabling this setting ensures that only authorized users can remove the client from managed devices. + +## Instructions + +Follow the steps below to configure these settings: + +1. Access the **Netwrix Endpoint Protector Console**. +2. Navigate to **System Configuration** > **System Security**. +3. Enter the desired password in the designated field. + +4. Save the changes. +5. After Netwrix Endpoint Protector clients update their settings, users will be required to enter this password to uninstall the client. diff --git a/docs/kb/endpointprotector/how-to-set-fqdn-in-server-certificate-subject.md b/docs/kb/endpointprotector/how-to-set-fqdn-in-server-certificate-subject.md new file mode 100644 index 0000000000..b604c8f83f --- /dev/null +++ b/docs/kb/endpointprotector/how-to-set-fqdn-in-server-certificate-subject.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Shows how to configure the server certificate subject to use the Fully + Qualified Domain Name (FQDN) and how to regenerate the server certificate + stack so the new subject takes effect. +keywords: + - FQDN + - server certificate + - certificate regeneration + - DPI certificate + - MacOS + - Endpoint Protector + - certificate stack + - regenerate +products: + - endpoint-protector +sidebar_label: How to Set FQDN in Server Certificate Subject +tags: [] +title: "How to Set FQDN in Server Certificate Subject" +knowledge_article_id: kA0Qk0000002BB7KAM +--- + +# How to Set FQDN in Server Certificate Subject + +## Question + +Can you set the Fully Qualified Domain Name (FQDN) in the server certificate subject? + +## Answer + +Yes, this is possible. Follow these steps to set the FQDN in the server certificate subject: + +1. Go to **System Configuration > System Settings > Server Certificate Stack**. +2. Turn ON **Use FQDN in subject** (or **Generate Custom Server Certificate** if applicable). +3. Enter the desired FQDN in the appropriate field. +4. At the bottom of the page, click **Save** to apply the changes. +5. Verify that a confirmation message appears at the top of the page indicating the changes have been saved. +6. Click the **Regenerate** button in the **Regenerate Server Certificate Stack** section. +7. When prompted by the pop-up window, select **Yes** to confirm regeneration. +8. A green banner will appear at the top of the screen stating that the server certificate will be regenerated in a few minutes. You will be logged out from the user interface and will need to log in again. +9. Wait a few minutes until the certificate is regenerated. 
+ +![Server Certificate Stack configuration page with FQDN field highlighted](images/ka0Qk000000Dynx_0EMQk00000CKudS.png) + +### Important Notes + +- If you are using FQDN in the subject and a self-signed certificate, you must reimport the self-signed certificate after regenerating the server certificate stack. +- If the server certificate is regenerated, the DPI certificate will also be regenerated. The new DPI certificate must be reimported on all Mac machines. +- MacOS users must proceed with caution when performing these steps. If you regenerate the server certificate stack and do not upload the new DPI certificate, Mac machines may lose internet access. +- If you are still experiencing issues, please reach out to [Netwrix Support](https://www.netwrix.com/support.html). diff --git a/docs/kb/endpointprotector/how-to-update-endpoint-protector-or-unify-server.md b/docs/kb/endpointprotector/how-to-update-endpoint-protector-or-unify-server.md new file mode 100644 index 0000000000..4ef3b088e5 --- /dev/null +++ b/docs/kb/endpointprotector/how-to-update-endpoint-protector-or-unify-server.md 
@@ -0,0 +1,87 @@ +--- +description: >- + Instructions to find the current version and update Netwrix Endpoint Protector + or Unify Server using Live Update or the Offline Patch Uploader, and how to + verify applied updates. +keywords: + - Netwrix Endpoint Protector + - Unify + - update + - live update + - offline patch + - software update + - server version + - patch uploader +products: + - general +sidebar_label: How to Update Endpoint Protector or Unify Server +tags: [] +title: "How to Update Endpoint Protector or Unify Server" +knowledge_article_id: kA0Qk0000001EfFKAU +--- + +# How to Update Netwrix Endpoint Protector or Unify Server + +## Finding the Current Version + +Customers not using the live update server will need to know their version number to ensure the correct patch is installed. + +To find the version of the Netwrix Endpoint Protector server, follow the below steps: + +1. Navigate to the web interface of the console. +2. Log in. +3. View the bottom right of the screen to find the version information. + +![Netwrix Endpoint Protector version number](./images/ka0Qk0000004M3Z_0EMQk000005fb5Z.png) + +To find the version of the Unify server, follow the below steps: + +1. Log in to the Unify web console. +2. Check the top left for the version information. + +![Unify version number](./images/ka0Qk0000004M3Z_0EMQk000005fOGR.png) + +## Updating with Live Update + +Live Update is the recommended way to patch the Netwrix Endpoint Protector server. It uses the server's internet connection to check for and download updates for the Netwrix Endpoint Protector server. More information on the Live Update feature can be found here. If internet access is restricted on the Netwrix Endpoint Protector appliance, then follow the instructions for offline update. + +To install the latest updates with Live Update, follow the below steps: + +1. Log in to the Netwrix Endpoint Protector Web Console using an administrative account. +2. 
Under the **Dashboard** heading, select **Live Update.** +3. Click on **Check Now** to check for updates. +4. Check the box on the update(s) to be installed. +5. Select **Apply Updates.** + +![How to check Live Update](./images/ka0Qk0000004M3Z_0EMQk000005fTch.png) + +![How to configure Live Update](./images/ka0Qk0000004M3Z_0EMQk000005fbGr.png) + +## Updating Using the Offline Patch Uploader + +The offline patch uploader is the mechanism used to perform offline updates of the Netwrix Endpoint Protector server when no internet connection is available from the Netwrix Endpoint Protector server itself. + +To apply an offline update, follow the below steps: + +1. Download the offline patch. +2. Log in to the Netwrix Endpoint Protector Web Console using an administrative account. +3. Under the **Dashboard** heading, select **Live Update.** +4. Click on **Offline Patch Uploader.** +5. Browse to the downloaded update and select it. +6. Click **Ok.** +7. Wait for the system to apply the update. + +![The button to activate offline patching](./images/ka0Qk0000004M3Z_0EMQk000005fbNJ.png) + +## Verifying an Update Installed + +To verify an update was applied to the Netwrix Endpoint Protector server, follow the below instructions: + +1. Log in to the Netwrix Endpoint Protector web console using an administrative account. +2. Under the **Dashboard** heading, select **Live Update.** +3. Click on **View Applied EPP Software Updates.** +4. Look through the applied updates to see if the update was installed. + +![The button to open the view of all updates](./images/ka0Qk0000004M3Z_0EMQk000005fbTl.png) + +![The list of all updates](./images/ka0Qk0000004M3Z_0EMQk000005fbWz.png) diff --git a/docs/kb/endpointprotector/how-to-use-easylock-without-endpoint-protector-software.md b/docs/kb/endpointprotector/how-to-use-easylock-without-endpoint-protector-software.md new file mode 100644 index 0000000000..958cdf13f7 --- /dev/null 
+++ b/docs/kb/endpointprotector/how-to-use-easylock-without-endpoint-protector-software.md @@ -0,0 +1,36 @@ +--- +description: >- + Explains how EasyLock behaves on a computer that does not have Netwrix + Endpoint Protector or its client software, and how you can access encrypted + data using a password and AES-256 encryption. +keywords: + - EasyLock + - Endpoint Protector + - EPP + - AES-256 + - encryption + - removable storage + - password + - encrypted data + - client software +products: + - endpoint-protector +sidebar_label: How to Use EasyLock Without Endpoint Protector Sof +tags: [] +title: "How to Use EasyLock Without Endpoint Protector Software" +knowledge_article_id: kA0Qk0000002AxwKAE +--- + +# How to Use EasyLock Without Endpoint Protector Software + +## Question + +How does the EasyLock software behave on a computer without Netwrix Endpoint Protector or its client software? + +## Answer + +When the EasyLock software is used on a computer without Netwrix Endpoint Protector or its client software, you can still launch it manually from the storage device and access your encrypted data by entering your password. + +After you open EasyLock, the application will prompt you for a password. Any data you copy into the application will be encrypted using 256-bit AES software encryption. Only users with the correct password can access the encrypted data. + +![EasyLock password prompt on launch](images/ka0Qk000000DeHN_0EMQk00000CJ50H.png) diff --git a/docs/kb/endpointprotector/how-to-view-all-ediscovery-scan-results-when-the-number-exceeds-the-10-000-record-limit.md b/docs/kb/endpointprotector/how-to-view-all-ediscovery-scan-results-when-the-number-exceeds-the-10-000-record-limit.md new file mode 100644 index 0000000000..64ef82cbda --- /dev/null +++ b/docs/kb/endpointprotector/how-to-view-all-ediscovery-scan-results-when-the-number-exceeds-the-10-000-record-limit.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Netwrix Endpoint Protector limits report displays to 10,000 entries; this + article explains how you can view all eDiscovery scan results when the results + exceed that limit by using filters or creating an audit log backup. +keywords: + - eDiscovery + - Netwrix Endpoint Protector + - audit log backup + - filters + - '10,000 limit' + - CSV + - Scan Results and Actions + - EPP + - scan results +products: + - endpoint-protector +sidebar_label: 'How to View All eDiscovery Scan Results When the Number Exceeds the 10,000 Record Limit' +tags: [] +title: >- + How to View All eDiscovery Scan Results When the Number Exceeds the 10,000 + Record Limit +knowledge_article_id: kA0Qk0000002B30KAE +--- + +# How to View All eDiscovery Scan Results When the Number Exceeds the 10,000 Record Limit + +## Overview + +Netwrix Endpoint Protector allows a maximum of `10,000` entries to be displayed for each report. If the number of scan results exceeds this limit, you can still access all results using the methods below. + +## Instructions + +### Use filters to narrow down scan results + +1. Apply filters in the report view to reduce the number of displayed entries and locate specific results within the `10,000`-entry limit. + +### Create an Audit Log Backup for eDiscovery logs + +1. Go to **System Maintenance > Audit Log Backup**. +2. In the **Make Backup** section, select **Audit eDiscovery Log Backup**. +3. Check the option **Keep backed up logs** to preserve the scan results on the Netwrix Endpoint Protector (EPP) console. +4. Click **Start**. An archived CSV report with all results will be generated within a few minutes. + +As long as the eDiscovery logs are kept on the server, you can still perform actions, such as encrypting, decrypting, or deleting on target, on any identified items. To do this, go to the **Scan Results and Actions** page and use filters to locate the specific item. 
diff --git a/docs/kb/endpointprotector/how_easylock_software_works_with_the_endpoint_protector_server_and_client_software.md b/docs/kb/endpointprotector/how_easylock_software_works_with_the_endpoint_protector_server_and_client_software.md new file mode 100644 index 0000000000..7ed011955e --- /dev/null +++ b/docs/kb/endpointprotector/how_easylock_software_works_with_the_endpoint_protector_server_and_client_software.md 
@@ -0,0 +1,33 @@ +--- +description: >- + This article explains how EasyLock software integrates with the Endpoint Protector Server and Client software, detailing the steps to configure and use it effectively. +keywords: + - EasyLock + - Endpoint Protector + - Trusted Device +sidebar_label: How EasyLock Works with EPP +tags: [] +title: "How EasyLock Software Works with the Endpoint Protector Server and Client Software" +knowledge_article_id: kA0Qk0000002BE3KAM +products: + - endpoint-protector +--- + +# How EasyLock Software Works with the Endpoint Protector Server and Client Software + +## Question + +How does the EasyLock software work with the Endpoint Protector (EPP) Server and Client software? + +## Answer + +EasyLock, when installed on a USB storage device, designates the device as a **Trusted Device Level 1**. The EPP appliance must be configured to recognize this status by enabling the appropriate access right. All file transfers are then managed securely through EasyLock’s vault. If the device is granted general access, it can function as a standard USB device. + +Follow the steps below to complete this process: + +1. Install EasyLock on a USB storage device. +2. Once EasyLock is installed, the device is turned into a **Trusted Device Level 1 (TD1)**. +3. Configure the EPP appliance with the **Allow Access if device is TD Level 1** setting so that the appliance is made aware of the device status. + ![EPP appliance configuration screen showing Allow Access if device is TD Level 1 option](./images/servlet_image_2f2abfe498d8.png) +4. All file transfers on the device are managed through EasyLock's vault software, ensuring secure data handling. +5. Optional: You can allow regular device usage. If the EasyLock device has the **Allow Access** right, it can be used like a regular device. \ No newline at end of file 
diff --git a/docs/kb/endpointprotector/how_to_add_a_new_entry_to_the_justification_list.md b/docs/kb/endpointprotector/how_to_add_a_new_entry_to_the_justification_list.md new file mode 100644 index 0000000000..784efceee8 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_add_a_new_entry_to_the_justification_list.md 
@@ -0,0 +1,48 @@ +--- +description: >- + This article explains how to add a new entry to the Justification List in Endpoint Protector (EPP) and apply it to a Content Aware Protection policy for user remediation. +keywords: + - Justification List + - Endpoint Protector + - Content Aware Protection +sidebar_label: Add Entry to Justification List +tags: [] +title: "How to Add a New Entry to the Justification List" +knowledge_article_id: kA0Qk0000002B2lKAE +products: + - endpoint-protector +--- + +# How to Add a New Entry to the Justification List + +## Overview + +This article explains how to add a new entry to the Justification List in Endpoint Protector (EPP) and apply it to a Content Aware Protection policy for user remediation. + +## Instructions + +1. In the Endpoint Protector Console, navigate to **System Parameters** > **User Remediation**. + ![User Remediation section in System Parameters menu in Endpoint Protector](./images/servlet_image_263da6ad1bf4.png) + +2. Create a **Justification** list that will appear to the end user when an explanation is required to remediate a file: + - Click the **ADD** button. + - On the **Justification** tab, add a question (for example, "Why is the Print Screen required?"). + - Change the status to **Enable** and set the reason to **Yes**. + - Click **Save**. + +3. After saving the Justification list, navigate to the top of the console and select the **Content Aware Protection** menu. + +4. Create a policy to apply user remediation: + - Select the operating system (OS) and enter a name for the policy. + - At the policy action button, select **Block and Remediate** from the drop-down menu. + - In the **Policy Exit** points, check the box for **Print Screen**. + - Scroll down to **Policy Entities** and select the departments, groups, computers, or users to which you want to apply the policy. + - Click **Save** at the bottom of the page. + +5. On an endpoint where the policy is applied, open the EPP client and update the policies. 
+ +6. To test the policy, attempt to use the print screen function. The client should display a prompt as shown below: + ![User prompt when using Screenshot function in Endpoint Protector client](./images/servlet_image_72f774ab3bed.png) + +7. If the user clicks the **Self-Remediate** button, a new window will appear prompting them to fill in the reason for the action. + ![Justification entry window for self-remediation in Endpoint Protector client](./images/servlet_image_cc8577ae8f6b.png) \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_add_specific_devices_to_the_allow_list.md b/docs/kb/endpointprotector/how_to_add_specific_devices_to_the_allow_list.md new file mode 100644 index 0000000000..56bfb7c699 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_add_specific_devices_to_the_allow_list.md 
@@ -0,0 +1,36 @@ +--- +description: >- + This article explains how to add specific devices to the allow list using the web console interface. +keywords: + - allow list + - device control + - endpoint protector +sidebar_label: Add Devices to Allow List +tags: [] +title: "How to Add Specific Devices to the Allow List" +knowledge_article_id: kA0Qk0000002B4JKAU +products: + - endpoint-protector +--- + +# How to Add Specific Devices to the Allow List + +## Overview + +This article explains how to add specific devices to the allow list using the web console interface. + +## Instructions + +1. Open the **Endpoint Protector** web console and navigate to the **Device Control** menu. +2. Select the **Global Rights** sub-menu. +3. Scroll to the bottom of the page and click the **Add** button. + ![Add button in Global Rights section](./images/servlet_image_97c005a48040.png) +4. In the new window that appears, add the specific device to the allow list. + ![Add device to allow list window](./images/servlet_image_5843306691b5.png) +5. Fill in the requested details for your device and click **Next**. You will be prompted to add the device as a new device. + ![Add new device details](./images/servlet_image_18cc5d89ac43.png) +6. After filling in the device details, click **Save** and you should see the entry in the Allow list. + +## Related Links + +- [Set Rights for a Specific Device](/docs/kb/endpointprotector/set-rights-for-a-specific-device) \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_apply_an_offline_patch_or_upgrade.md b/docs/kb/endpointprotector/how_to_apply_an_offline_patch_or_upgrade.md new file mode 100644 index 0000000000..c525a6dffa --- /dev/null +++ b/docs/kb/endpointprotector/how_to_apply_an_offline_patch_or_upgrade.md 
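Review bot: In how_to_add_specific_devices_to_the_allow_list.md, the Related Links target `/docs/kb/endpointprotector/set-rights-for-a-specific-device` is written with hyphens, while the files added alongside it are named with underscores. Check that the link resolves after the build, or point it at the actual file name.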
@@ -0,0 +1,57 @@ +--- +description: >- + This article explains how to apply an offline patch or upgrade to Endpoint Protector (EPP) when the appliance does not have direct internet access or when you need to control the timing and process of software updates. +keywords: + - offline patch + - Endpoint Protector + - software upgrade +sidebar_label: Apply Offline Patch +tags: [] +title: "How to Apply an Offline Patch or Upgrade" +knowledge_article_id: kA0Qk0000002B7MKAU +products: + - endpoint-protector +--- + +# How to Apply an Offline Patch or Upgrade + +## Overview + +This article explains how to apply an offline patch or upgrade to **Endpoint Protector** (EPP) when the appliance does not have direct internet access or when you need to control the timing and process of software updates. The instructions include preparing your environment, safely applying the patch, and verifying the update. + +To stay informed about future version releases, visit the [Netwrix Community Endpoint Protector](https://community.netwrix.com/c/products/endpoint-protector/22) page and click the **Subscribe** button. + +## Instructions + +### Prepare for the Upgrade + +- Before applying any update, create a snapshot of your **Endpoint Protector Appliance** virtual machine (VM, AWS, Azure, or GCP) as a best practice. +- Confirm your current EPP server version. You can find the version in the lower right corner of the console interface. + +### Obtain the Offline Patch + +- **Download from the Console** + 1. In the **Endpoint Protector** console, navigate to the **Announcements** section and select the latest **Endpoint Protector** version release. + 2. On the release page, locate the banner labeled **Download Netwrix Endpoint Protector x.x.x.x here!** and double-click to download the offline upgrade installation package to your local directory. + +- **Request from Netwrix Technical Support** + 1. 
Open a support ticket and provide your current server version and the version you want to upgrade to. + 2. Netwrix Technical Support will provide you with the necessary offline patch files for the upgrade. + +### Apply the Offline Patch + +1. Open a web browser and access the **Endpoint Protector** console's web interface. +2. Log in with an account that has administrator privileges. +3. Navigate to **Dashboard** > **Live Update** > **Offline Patch Uploader**. + ![Offline Patch Uploader option in EPP Software Update section](./images/servlet_image_06bccc2709d5.png) +4. Select **Choose File**. Browse for the downloaded or provided offline patch file and click **Upload Patch**. + ![Upload Patch button in Offline Patch Uploader](./images/servlet_image_c1cc54905886.png) +5. Wait for a green confirmation message stating **Patch applied successfully!** to appear above the Offline Patch Uploader section. + ![Patch applied successfully banner in Offline Patch Uploader](./images/servlet_image_6bd0b54ef795.png) +6. Remain on the page and monitor the upgrade progress at **Dashboard** > **Live Update**. The progress bar should reach 100%, usually within 5–10 minutes, depending on your database size. + ![Upgrade progress bar in Live Update section](./images/servlet_image_65b2f6cd5406.png) +7. After the upgrade completes, refresh your browser and verify the updated server version in the bottom right corner of the console interface. + ![Endpoint Protector version number in the console interface](./images/servlet_image_138e8d943c1b.png) +8. If you need to apply additional offline patches, repeat steps 4–7. Offline patches are incremental, like the Live Update functionality. You must apply them one at a time to correctly upgrade the server and avoid issues. + +> **NOTE:** There may be a delay between a new general availability (GA) release and the availability of an offline patch for the new server version. \ No newline at end of file 
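Review bot: Neither path under "Obtain the Offline Patch" nor step 4 of "Apply the Offline Patch" has the admin verify the package before uploading it from an administrator session. If a checksum or signature is published for the offline package, add a step to compare it before **Upload Patch**; if none is published, say which download source is the one to trust. Two smaller points: "double-click to download" on the banner reads like a slip for a single click, and step 8 should say how to tell which patch comes next, since the patches must be applied in order.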
diff --git a/docs/kb/endpointprotector/how_to_apply_security_backend_updates.md b/docs/kb/endpointprotector/how_to_apply_security_backend_updates.md new file mode 100644 index 0000000000..cae44225ec --- /dev/null +++ b/docs/kb/endpointprotector/how_to_apply_security_backend_updates.md 
@@ -0,0 +1,39 @@ +--- +description: >- + This article explains how to use the Security Backend Updates section in Endpoint Protector to check for and apply security updates. +keywords: + - security updates + - Endpoint Protector + - system backup +sidebar_label: Apply Security Backend Updates +tags: [] +title: "How to Apply Security Backend Updates" +knowledge_article_id: kA0Qk0000002B2zKAE +products: + - endpoint-protector +--- + +# How to Apply Security Backend Updates + +## Overview + +This article explains how to use the Security Backend Updates section in **Endpoint Protector** to check for and apply security updates. You can view information on recent updates, see a list of available updates, and apply updates as needed. + +> **IMPORTANT:** Security update options are only available for customer-hosted instances (for example, AWS, Google Cloud, etc.), except for Operating System and Kernel upgrades. Updates are not tested beforehand but are pulled from the official Linux repository. + +### Prerequisites + +- Test the updates in a test environment first. +- Capture a virtual machine snapshot. +- Make a system backup from **System Maintenance** in the **System Backup v2** section. + +## Instructions + +1. In the **Endpoint Protector** console, navigate to **Dashboard** > **Live update**. +2. Select one of the available security update types and click **Check Updates**: + - **Security**: Updates all security-related packages (Critical and High). + - **Other**: Downloads and applies any update available to third-party libraries, kernel, OS packages, and MySQL database. + - **All Updates**: Downloads and applies Informational and Optional/Unclassified updates. +3. If updates are available, click **Apply Updates**. + +> **IMPORTANT:** Some updates may automatically restart the **Endpoint Protector** server or other sub-services in the background. If updates do not apply, create a ticket in the Support Portal for further investigation. \ No newline at end of file 
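Review bot: In step 2 the option descriptions contradict the flow around them. The step says to click **Check Updates** and step 3 says **Apply Updates**, yet **Other** and **All Updates** are described as "Downloads and applies", and **All Updates** lists only Informational and Optional/Unclassified updates rather than everything. Describe each option as a scope and make clear that nothing is installed until step 3. The first IMPORTANT callout is also ambiguous: "except for Operating System and Kernel upgrades" can be read either way, while **Other** lists kernel and OS packages. Since the callout says updates are not tested beforehand, the closing note should point back to the snapshot and backup from the prerequisites as the rollback path.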
diff --git a/docs/kb/endpointprotector/how_to_block_source_code_using_ocr.md b/docs/kb/endpointprotector/how_to_block_source_code_using_ocr.md new file mode 100644 index 0000000000..824aa548e4 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_block_source_code_using_ocr.md 
@@ -0,0 +1,45 @@ +--- +description: >- + This article explains how to block source code in images by enabling Optical Character Recognition (OCR) and configuring a Content Aware Protection policy. +keywords: + - Optical Character Recognition + - Content Aware Protection + - source code +sidebar_label: Block Source Code Using OCR +tags: [] +title: "How to Block Source Code Using OCR" +knowledge_article_id: kA0Qk0000002oAPKAY +products: + - endpoint-protector +--- + +# How to Block Source Code Using OCR + +## Overview + +This article explains how to block source code in images by enabling Optical Character Recognition (OCR) and configuring a Content Aware Protection policy. Use these steps to prevent the transfer or upload of images containing source code. + +## Instructions + +### Enabling OCR + +Follow these steps to enable OCR to allow the system to detect source code in images: + +1. In **Endpoint Protector**, navigate to **Device Control > Global Settings**. +2. Enable the OCR option. +3. Click **Save** to apply the settings. + +![OCR option in Global Settings](./images/servlet_image_8da7245d9529.png) + +### Creating a Content Aware Protection Policy for Source Code + +Follow these steps to create a custom policy to block or report source code detected in images: + +1. In **Endpoint Protector**, navigate to **Content Aware Protection**. +2. Select the operating system type, enter a policy name, and choose the action and type for the policy. +3. Choose all relevant exit points. +4. Select only the relevant source code types. + ![Selecting source code types in Content Aware Protection policy](./images/servlet_image_089dc363ae67.png) +5. Select the computers and/or users to which the policy should apply. +6. Click **Save** to create the policy. +7. The system will now block or report source code found in transferred or uploaded images according to the policy settings. \ No newline at end of file 
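Review bot: Step 2 of the policy section says "choose the action and type for the policy" without naming the values, so a reader cannot tell which selection blocks and which only reports; name the options as they appear in the console. Step 7 is an outcome rather than an action and would be more useful as a verification step, for example transferring a test image that contains code and confirming the block or report. The OCR screenshot sits after step 3 of "Enabling OCR"; it belongs under step 2, where the option is enabled.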
diff --git a/docs/kb/endpointprotector/how_to_block_specific_ip_addresses_from_accessing_the_console.md b/docs/kb/endpointprotector/how_to_block_specific_ip_addresses_from_accessing_the_console.md new file mode 100644 index 0000000000..115636414b --- /dev/null +++ b/docs/kb/endpointprotector/how_to_block_specific_ip_addresses_from_accessing_the_console.md @@ -0,0 +1,33 @@ +--- +description: >- + This article provides step-by-step instructions on how to block specific IP addresses from accessing the console by configuring login IP restrictions for the administrator account. +keywords: + - IP address blocking + - console access + - login IP restrictions +sidebar_label: Block Specific IP Addresses +tags: [] +title: "How to Block Specific IP Addresses from Accessing the Console" +knowledge_article_id: kA0Qk0000002B78KAE +products: + - endpoint-protector +--- + +# How to Block Specific IP Addresses from Accessing the Console + +## Overview + +This article provides step-by-step instructions on how to block specific IP addresses from accessing the console by configuring login IP restrictions for the administrator account. + +## Instructions + +To block specific IP addresses from accessing the console, configure login IP restrictions for the administrator account by following these steps: + +1. In the **Endpoint Protector Management Console**, go to **System Configuration** > **System Administrators**. +2. Right-click the administrator account you want to restrict and select **Edit**. +3. Turn on **Enforce login IP restrictions**. + + ![Dialog box for enforcing login IP restrictions with the option enabled](./images/servlet_image_1e592ef62413.png) + +4. Enter the IP addresses from which the user is not allowed to log in. +5. Click **Save** to apply the changes. \ No newline at end of file 
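Review bot: The title and overview promise blocking IP addresses "from accessing the console", but steps 2 to 4 set a restriction on a single administrator account, so as written other accounts are unaffected. Either retitle to match the per-account scope or add a step saying the setting must be repeated for each administrator. Step 4 should also state the accepted input format (single address, range or CIDR) and confirm that the field is a deny list, since "Enforce login IP restrictions" can just as easily be read as an allow list.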
diff --git a/docs/kb/endpointprotector/how_to_control_idevices_on_endpoint_protector_for_mac.md b/docs/kb/endpointprotector/how_to_control_idevices_on_endpoint_protector_for_mac.md new file mode 100644 index 0000000000..c6fe2e7cec --- /dev/null +++ b/docs/kb/endpointprotector/how_to_control_idevices_on_endpoint_protector_for_mac.md @@ -0,0 +1,30 @@ +--- +description: >- + This article provides step-by-step instructions on how to control iDevices such as iPhones, iPads, and iPods Touch within Endpoint Protector on Mac computers. +keywords: + - iDevices + - Endpoint Protector + - Mac +sidebar_label: Control iDevices on Endpoint Protector +tags: [] +title: "How to Control iDevices on Endpoint Protector for Mac" +knowledge_article_id: kA0Qk0000002B7eKAE +products: + - endpoint-protector +--- + +# How to Control iDevices on Endpoint Protector for Mac + +## Overview + +On Mac computers, iDevices such as iPhones, iPads, and iPods Touch can be controlled separately within Endpoint Protector. + +## Instructions + +Follow these steps to configure settings for devices: + +1. In the Endpoint Protector Console, navigate to **Device Control > Global Rights**. +2. Alternatively, set the device rights at the group, computer, or user level. +3. Ensure these settings align with your requirements for managing iPhones, iPads, and iPods Touch. + +![Device Control Global Rights configuration for iDevices on Mac in Endpoint Protector](./images/servlet_image_d669c51c8b7d.png) \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_deploy_the_client_using_sccm_or_msiexec.md b/docs/kb/endpointprotector/how_to_deploy_the_client_using_sccm_or_msiexec.md new file mode 100644 index 0000000000..5d78671af3 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_deploy_the_client_using_sccm_or_msiexec.md 
@@ -0,0 +1,42 @@ +--- +description: >- + This article explains how to deploy the Endpoint Protector client to Windows endpoints using Microsoft System Center Configuration Manager (SCCM) or the msiexec command-line tool. +keywords: + - Endpoint Protector + - SCCM + - msiexec +sidebar_label: Deploy Client Using SCCM +tags: [] +title: "How to Deploy the Client Using SCCM or msiexec" +knowledge_article_id: kA0Qk0000002B7IKAU +products: + - endpoint-protector +--- + +# How to Deploy the Client Using SCCM or msiexec + +## Overview + +This article explains how to deploy the Endpoint Protector client to Windows endpoints using Microsoft System Center Configuration Manager (SCCM) or the `msiexec` command-line tool. It provides the required command syntax, examples for both IP address and Fully Qualified Domain Name (FQDN) configurations, and important notes for a successful deployment. + +## Instructions + +1. Use the following command structure: + + ```plaintext + msiexec.exe /i "msiPath" WSIP="EPP_server_IP" WSPORT="443" /qn /norestart + ``` + + - Replace `“msiPath”` with the full path to the Endpoint Protector client MSI installer. + - Replace `“EPP_server_IP”` with the IP address or FQDN of the Endpoint Protector server the client will connect to. + + > **NOTE:** `/norestart` is optional. + +2. If you are using a Fully Qualified Domain Name (FQDN), adapt the template as follows: + + ```plaintext + msiexec.exe /i "EPPClientSetup.5.6.1.1_x86_64.msi" /qn /l*v "c:\temp\EPP_inst.log" WSIP="mycompany.endpointprotector.server.com" WSPORT="443" + ``` + + - Replace `“EPPClientSetup.5.6.1.1_x86_64.msi”` with the name of your installer. If the installer name contains an IP, remove the IP from the name. + - Replace `“mycompany.endpointprotector.server.com”` with the IP address or FQDN of your Endpoint Protector server. \ No newline at end of file 
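Review bot: The replacement bullets under both commands wrap the placeholders in curly quotes (`“msiPath”`, `“EPP_server_IP”`), while the commands themselves use straight quotes, so text copied from the bullets does not match the command. Use straight quotes or drop them. The two examples also differ without explanation: only the second has `/l*v "c:\temp\EPP_inst.log"` and only the first has `/norestart`. In step 2 the last bullet says to replace the FQDN with "the IP address or FQDN", which blurs the reason for a separate FQDN example. The overview mentions SCCM, but no step covers it.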
diff --git a/docs/kb/endpointprotector/how_to_display_the_destination_url_in_content_aware_reports.md b/docs/kb/endpointprotector/how_to_display_the_destination_url_in_content_aware_reports.md new file mode 100644 index 0000000000..91c607bd33 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_display_the_destination_url_in_content_aware_reports.md @@ -0,0 +1,30 @@ +--- +description: >- + This article explains how to display the Destination URL in Content Aware Reports in Endpoint Protector. +keywords: + - Endpoint Protector + - Content Aware Reports + - Destination URL +sidebar_label: Display Destination URL in Reports +tags: [] +title: "How to Display the Destination URL in Content Aware Reports" +knowledge_article_id: kA0Qk0000002B66KAE +products: + - endpoint-protector +--- + +# How to Display the Destination URL in Content Aware Reports + +## Overview + +This article explains how to display the **Destination URL** in Content Aware Reports in Endpoint Protector. Starting with Endpoint Protector Server version 5700, **Reporting V2** must be enabled to access this feature. + +## Instructions + +1. To enable **Reporting V2**, navigate to the **Endpoint Protector Management Console** > **System Configuration** > **System Settings**. +2. Enable the **Reporting V2** option. +3. Navigate to **Reports and Analysis** > **Content Aware Reports**. +4. Click the **Show/Hide Columns** button. +5. Select the **Destination** column to display the Destination URL in the report. + +![Show/Hide Columns option in Content Aware Reports](./images/servlet_image_744e12be3cff.png) \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_export_the_list_of_computers,_users,_or_devices.md b/docs/kb/endpointprotector/how_to_export_the_list_of_computers,_users,_or_devices.md new file mode 100644 index 0000000000..6ba8d89b1c --- /dev/null +++ b/docs/kb/endpointprotector/how_to_export_the_list_of_computers,_users,_or_devices.md 
@@ -0,0 +1,45 @@ +--- +description: >- + This article explains how to export the list of computers, users, or devices from the console, including both manual and scheduled export options. +keywords: + - export + - computers + - users + - devices + - Endpoint Protector +sidebar_label: Exporting Lists +tags: [] +title: "How to Export the List of Computers, Users, or Devices" +knowledge_article_id: kA0Qk0000002B6lKAE +products: + - endpoint-protector +--- + +# How to Export the List of Computers, Users, or Devices + +## Overview + +This article explains how to export the list of computers, users, or devices from the console. You can perform a manual export or schedule an export, and the exported lists are accessible from the **Exported Entities** section. + +## Instructions + +### Manual Export + +1. Open the Endpoint Protector console and navigate to the **Device Control** section. +2. Select **Computers**, **Users**, or **Devices**. +3. Click **Choose action** and select **Export list of**... + ![Export list action in Device Control](./images/servlet_image_df060b1c08ad.png) +4. A banner appears at the top of the page indicating where the export file can be found. +5. On the **List of exports** page, navigate to **System Maintenance** > **Exported Entities**. +6. In the **Actions** menu, you can download or delete the exported list. + +### Scheduled Export + +1. Open the Endpoint Protector console and navigate to the **Device Control** section. +2. Select **Computers**, **Users**, or **Devices**. +3. Click **Choose action** and select **Schedule export list**. + ![Schedule export action in Device Control](./images/servlet_image_7abe59223977.png) +4. Select the **frequency** and **start date** for the export. Click **Schedule**. +5. A banner appears at the top of the page confirming that the export has been scheduled. +6. On the **List of exports** page, navigate to **System Maintenance** > **Exported Entities**. +7. 
In the **Actions** menu, you can download or delete the exported list. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_find_the_cososys_team_id_and_bundle_id_for_client_deployment_on_macos.md b/docs/kb/endpointprotector/how_to_find_the_cososys_team_id_and_bundle_id_for_client_deployment_on_macos.md new file mode 100644 index 0000000000..f51c6fbdae --- /dev/null +++ b/docs/kb/endpointprotector/how_to_find_the_cososys_team_id_and_bundle_id_for_client_deployment_on_macos.md @@ -0,0 +1,34 @@ +--- +description: >- + This article provides guidance on locating the CoSoSys Team ID and Bundle ID necessary for deploying the Endpoint Protector Client on macOS. +keywords: + - CoSoSys + - Team ID + - Bundle ID + - Endpoint Protector + - macOS +sidebar_label: Find CoSoSys Team ID and Bundle ID +tags: [] +title: "How to Find the CoSoSys Team ID and Bundle ID for Client Deployment on macOS" +knowledge_article_id: kA0Qk0000002B7kKAE +products: + - endpoint-protector +--- + +# How to Find the CoSoSys Team ID and Bundle ID for Client Deployment on macOS + +## Question + +Where can the CoSoSys Team ID and Bundle ID for deploying the Endpoint Protector Client on macOS be located? + +## Answer + +When using third-party solutions to deploy the Endpoint Protector Client on macOS, you might be prompted for the Team ID and the Bundle IDs. + +Although there are several ways to retrieve them from the system, the information is provided below for convenience: + +- **Endpoint Protector Client Team ID:** TV3T7A76P4 +- **Endpoint Protector Client Bundle IDs:** + - `com.cososys.driver.EPPDeviceController` + - `com.cososys.eppclient.eppkauth` + - `com.cososys.kext.EPPUsbHelper` \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_handle_the_111.33.33.111_ip_address_on_the_server.md b/docs/kb/endpointprotector/how_to_handle_the_111.33.33.111_ip_address_on_the_server.md new file mode 100644 index 0000000000..e8a2297d0d --- /dev/null 
+++ b/docs/kb/endpointprotector/how_to_handle_the_111.33.33.111_ip_address_on_the_server.md 
@@ -0,0 +1,37 @@ +--- +description: >- + This article explains the purpose and handling of the 111.33.33.111 IP address configured on the Endpoint Protector (EPP) server, along with important considerations for firewall and routing settings. +keywords: + - IP address + - Endpoint Protector + - firewall settings +sidebar_label: Handle 111.33.33.111 IP Address +tags: [] +title: "How to Handle the 111.33.33.111 IP Address on the Server" +knowledge_article_id: kA0Qk0000002B4EKAU +products: + - endpoint-protector +--- + +# How to Handle the 111.33.33.111 IP Address on the Server + +## Overview + +This article explains the purpose and handling of the **111.33.33.111** IP address configured on the Endpoint Protector (EPP) server, as well as important considerations for firewall and routing settings. + +## Instructions + +- The IP address **111.33.33.111** is used for internal routing on the EPP server. Do not block this IP address, as doing so may affect server functionality. +- If the IP address is blocked in the firewall or by other means, a new IP address will be assigned via NAT. The EPP server may continue to work temporarily, but after a reboot, the user interface will not be accessible until the original IP is restored. + +### Technical Background + +- Duplicate IP addresses on the public internet are prevented by the Border Gateway Protocol (BGP) and the assignment of unique IP addresses by the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs). +- **IP Address Allocation:** IANA and RIRs allocate unique IP address blocks to organizations. Assigning a static public IP address to a device does not guarantee internet reachability. +- **BGP (Border Gateway Protocol):** BGP is the primary routing protocol on the internet. Routers use BGP to determine the best path to reach a particular IP address, relying on unique Autonomous System Numbers (ASNs) to distinguish networks. 
+- Internet Service Providers (ISPs) use BGP to exchange routing information. BGP routes are advertised based on IP prefixes associated with each ASN. +- Duplicate IP addresses can cause conflicts in BGP, and routers will not accept conflicting route advertisements. BGP routers are configured to filter and validate route announcements to prevent propagation of conflicting information. + +### Example Scenario + +If you manually configure a different IP address instead of **111.33.33.111** (for example, **8.8.8.8** or **216.58.194.174**), the EPP server will not be able to receive or intercept traffic intended for the legitimate owners of those IP addresses. BGP will drop such traffic, and any attempt to spoof those IPs will fail. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_increase_the_200_entries_display_limitation.md b/docs/kb/endpointprotector/how_to_increase_the_200_entries_display_limitation.md new file mode 100644 index 0000000000..df0e52ddbb --- /dev/null +++ b/docs/kb/endpointprotector/how_to_increase_the_200_entries_display_limitation.md 
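Review bot: In how_to_handle_the_111.33.33.111_ip_address_on_the_server.md, the Technical Background and Example Scenario do not support the instruction they follow. 111.33.33.111 is not in a private (RFC 1918) range, yet the hunk never says which interface it is bound to or whether packets carrying that address leave the appliance, which is what an admin needs in order to write the firewall exception. "BGP will drop such traffic" is also inaccurate: BGP exchanges routes and does not forward or drop packets. Replace the BGP bullets with a short statement of where the address lives and which rule must not block it, and explain what "a new IP address will be assigned via NAT" means in practice.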
@@ -0,0 +1,29 @@ +--- +description: >- + This article explains how to increase the maximum number of records displayed in report searches in Endpoint Protector. +keywords: + - Endpoint Protector + - display limit + - report searches +sidebar_label: Increase Display Limit +tags: [] +title: "How to Increase the 200 Entries Display Limitation" +knowledge_article_id: kA0Qk0000002B76KAE +products: + - endpoint-protector +--- + +# How to Increase the 200 Entries Display Limitation + +## Overview + +The default limit of 200 entries is set to improve Endpoint Protector server performance. This article explains how to increase the maximum number of records shown in report searches. + +## Instructions + +To increase the display limit, follow these steps: + +1. Log in to the **Endpoint Protector** console. +2. Navigate to **Device Control** > **Global Settings** > **Maximum no. of records returned in a report search**. +3. Increase this limit to your desired amount. + ![Maximum number of records returned in a report search setting in Endpoint Protector](./images/servlet_image_1ec78e31c389.png) \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_locate_and_change_the_default_credentials_for_the_console.md b/docs/kb/endpointprotector/how_to_locate_and_change_the_default_credentials_for_the_console.md new file mode 100644 index 0000000000..c0f6ac69c1 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_locate_and_change_the_default_credentials_for_the_console.md 
@@ -0,0 +1,38 @@ +--- +description: >- + This article explains the default credentials for the Endpoint Protector Reporting and Administration Tool and how to change them after initial setup. +keywords: + - Endpoint Protector + - default credentials + - security +sidebar_label: Change Default Credentials +tags: [] +title: "How to Locate and Change the Default Credentials for the Console" +knowledge_article_id: kA0Qk0000002B6cKAE +products: + - endpoint-protector +--- + +# How to Locate and Change the Default Credentials for the Console + +## Overview + +This article explains the default credentials for the Endpoint Protector Reporting and Administration Tool and how to change them after initial setup. + +## Instructions + +1. The default username and password for the Endpoint Protector Reporting and Administration Tool are: + - **Username:** `root` + - **Password:** `epp2011` + + > **IMPORTANT:** Change the default username and password immediately after system setup to maintain security. + +2. To modify the credentials, navigate to **System Configuration**. + +3. Select **System Administrators**. + +4. Edit the **root** administrator account. + +5. Update the username and password as needed. + +6. Click **Save** to apply the changes. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_manually_activate_debugging_logs_on_windows.md b/docs/kb/endpointprotector/how_to_manually_activate_debugging_logs_on_windows.md new file mode 100644 index 0000000000..682eedf3ff --- /dev/null +++ b/docs/kb/endpointprotector/how_to_manually_activate_debugging_logs_on_windows.md 
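Review bot: In how_to_locate_and_change_the_default_credentials_for_the_console.md, the article publishes the default `root` / `epp2011` login but words the change as optional: the IMPORTANT callout is nested inside step 1 and step 5 says "as needed". Make changing the password a required step, and add a final step confirming that the default password is rejected afterwards. Step 2 should start from logging in to the console so the procedure is complete.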
@@ -0,0 +1,31 @@ +--- +description: >- + This article provides step-by-step instructions for manually activating debugging logs on Windows for the Endpoint Protector Client. +keywords: + - debugging logs + - Endpoint Protector + - Windows +sidebar_label: Activate Debugging Logs +tags: [] +title: "How to Manually Activate Debugging Logs on Windows" +knowledge_article_id: kA0Qk0000002B7PKAU +products: + - endpoint-protector +--- + +# How to Manually Activate Debugging Logs on Windows + +## Overview + +If you are experiencing issues with the **Endpoint Protector Client** and cannot use the [UI Debug option](/docs/endpointprotector/5.9.4.2/admin/devicecontrol/globalsettings) or the SupportTool, you can manually activate debugging logs on Windows. Follow the instructions below to enable logging for troubleshooting purposes. + +## Instructions + +1. Open the **Command Prompt** as an administrator. +2. Navigate to the root of your **C:** drive. +3. Create the following log files in the root of the **C:** drive: + - `eppclient.log` + - `eppsslsplit.log` +4. Restart the Endpoint Protector process as an admin using **Services.msc**. +5. After completing these steps, reproduce the issue while debugging logs are active. Log information will be captured in the created files. +6. Share the log files with Netwrix Technical Support for further investigation. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_manually_generate_logs_for_mac_endpoint_protector_agents_via_terminal.md b/docs/kb/endpointprotector/how_to_manually_generate_logs_for_mac_endpoint_protector_agents_via_terminal.md new file mode 100644 index 0000000000..3fc3f38aee --- /dev/null +++ b/docs/kb/endpointprotector/how_to_manually_generate_logs_for_mac_endpoint_protector_agents_via_terminal.md 
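Review bot: In how_to_manually_activate_debugging_logs_on_windows.md, the procedure turns logging on but never turns it off. Add closing steps to delete `eppclient.log` and `eppsslsplit.log` from the root of **C:** and restart the service again once the files have been sent, so debug output is not left on the system drive indefinitely. Step 3 should give the command that creates the files, since step 1 has the reader open an elevated Command Prompt, and step 4 should name the service as it appears in **Services.msc**.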
@@ -0,0 +1,44 @@ +--- +description: >- + This article explains how to generate the log file and DPI log file for the Endpoint Protector (EPP) Mac Client using terminal commands. +keywords: + - Endpoint Protector + - Mac Client + - log generation +sidebar_label: Generate Logs for Mac EPP +tags: [] +title: "How to Manually Generate Logs for Mac Endpoint Protector Agents via Terminal" +knowledge_article_id: kA0Qk0000002B6VKAU +products: + - endpoint-protector +--- + +# How to Manually Generate Logs for Mac Endpoint Protector Agents via Terminal + +## Overview + +This article explains how to generate the log file and DPI log file for the Endpoint Protector (EPP) Mac Client using terminal commands. + +## Instructions + +Follow the steps below to complete this process: + +1. Terminate the EPP Client: + ```bash + sudo /bin/launchctl unload /Library/LaunchDaemons/com.cososys.eppclient.launchdaemon.plist + ``` + +2. Create the EPP Client log file: + ```bash + sudo touch /private/var/log/eppclient.log + ``` + +3. Create the DPI log file: + ```bash + sudo touch /private/var/log/eppsslsplit.log + ``` + +4. Restart the EPP Client: + ```bash + sudo /bin/launchctl load /Library/LaunchDaemons/com.cososys.eppclient.launchdaemon.plist + ``` \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_manually_uninstall_the_agent.md b/docs/kb/endpointprotector/how_to_manually_uninstall_the_agent.md new file mode 100644 index 0000000000..5cb15448d7 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_manually_uninstall_the_agent.md 
@@ -0,0 +1,48 @@ +--- +description: >- + This article provides step-by-step instructions for manually uninstalling the agent on various operating systems. +keywords: + - uninstall agent + - Windows + - macOS + - Linux + - Endpoint Protector +sidebar_label: Manually Uninstall the Agent +tags: [] +title: "How to Manually Uninstall the Agent" +knowledge_article_id: kA0Qk0000002B6xKAE +products: + - endpoint-protector +--- + +# How to Manually Uninstall the Agent + +## Overview + +This article provides step-by-step instructions for manually uninstalling the agent on various operating systems. + +## Instructions + +These steps vary depending on your OS. Follow the steps below based on your machine to complete this process: + +### Windows + +1. Navigate to **Control Panel**. +2. Select **Programs and Features**. +3. Select the agent from the list. +4. Select **Change (Uninstall)**. + +### macOS + +1. In the client installer package, locate the file named **remove-epp**. +2. Run this file in **Terminal**. + +### Linux + +1. In the client installer package, locate the file named **uninstall.sh**. +2. Run this file from the terminal (for example, `bash uninstall.sh`). + +You can also trigger an agent uninstall from the Endpoint Protector Console. + +1. Navigate to **Device Control > Computers**. +2. Select the computers then click the **Uninstall** button at the bottom of the page. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_perform_a_backup_restore.md b/docs/kb/endpointprotector/how_to_perform_a_backup_restore.md new file mode 100644 index 0000000000..f0f06ac316 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_perform_a_backup_restore.md 
@@ -0,0 +1,53 @@ +--- +description: >- + This article provides step-by-step instructions for performing a backup restore for Endpoint Protector, ensuring data security and system integrity. +keywords: + - backup restore + - Endpoint Protector + - data security +sidebar_label: Backup Restore +tags: [] +title: "How to Perform a Backup Restore" +knowledge_article_id: kA0Qk0000002BAfKAM +products: + - endpoint-protector +--- + +# How to Perform a Backup Restore + +## Overview + +Performing a backup restore for Endpoint Protector is essential for maintaining data security and system integrity, especially when using the eDiscovery module. This article outlines the steps and considerations for a successful backup and restore process. + +## Instructions + +### Backup Process + +1. On the Endpoint Protector Server, navigate to **System Maintenance** > **System Backup v2** > **System Backup Information**. +2. Click **Create** to access System Backup Information. +3. Provide a name and a brief description for the backup. +4. Click **Save** to initiate the backup process. +5. When prompted, securely store the System Backup Key displayed in the pop-up window. This key is required for importing and restoring the backup. +6. Confirm that you have saved the System Backup Key by selecting **Yes, I saved the System Backup Key**. +7. The system backup (excluding logs) will be created and listed in the **List of System Backups**. You can view, download, or delete the backup as needed. + +### Restore Process + +> **NOTE:** Before restoring, use the Audit Log Backup feature because logs will not be retained. Download any previous system backups, as only the backup you import and restore will remain. + +1. On the Endpoint Protector Server, navigate to **System Maintenance** > **System Backup v2** > **System Backup Information**. +2. Click **Import and Restore (Migrate)**. +3. From **Import**, choose **File...** and select the System Backup v2 file saved during the backup process. +4. 
Enter the System Backup Key in the provided field. +5. Click **Import** to begin the restore process. +6. Monitor the status in the **List of System Backups**. The status will display as "Generating" in red letters for the backup in progress. +7. When prompted, log back into the Endpoint Protector Console. +8. If necessary, use the Audit Log Backup feature to restore logs. +9. For eDiscovery module users: After restoring the backup, use the **re-read rights and settings for all computers** feature (**Dashboard** > **System Status** > **System Functionality**). This ensures accurate correlation between previously discovered items and actions (such as Encrypt, Decrypt, Delete, etc.) that can be performed on these files. + +By following these steps, you can successfully perform a backup and restore for Endpoint Protector, ensuring data accuracy and integrity throughout the process. + +## Related Links + +- [System Backup V2](/docs/endpointprotector/5.9.4.2/admin/systemmaintenance/backup) +- [Create a System Backup V2](/docs/kb/endpointprotector/create_a_system_backup_v2) \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_reassign_a_valid_enforced_encryption_license_to_a_usb_storage_device.md b/docs/kb/endpointprotector/how_to_reassign_a_valid_enforced_encryption_license_to_a_usb_storage_device.md new file mode 100644 index 0000000000..58ef918358 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_reassign_a_valid_enforced_encryption_license_to_a_usb_storage_device.md 
@@ -0,0 +1,33 @@ +--- +description: >- + This article provides step-by-step instructions on how to reassign a valid Enforced Encryption license from the server to a USB storage device. +keywords: + - Enforced Encryption + - EasyLock + - USB storage device +sidebar_label: Reassign Enforced Encryption License +tags: [] +title: "How to Reassign a Valid Enforced Encryption License to a USB Storage Device" +knowledge_article_id: kA0Qk0000002B7BKAU +products: + - endpoint-protector +--- + +# How to Reassign a Valid Enforced Encryption License to a USB Storage Device + +## Overview + +This article provides step-by-step instructions on how to reassign a valid Enforced Encryption (EasyLock) license from the server to a USB storage device. + +## Instructions + +Follow these steps to reassign a valid license to a USB storage device: + +1. To configure the USB device, navigate to **Device Control > Devices** in Endpoint Protector. +2. Right-click the device and select **Manage Rights**. Ensure the USB storage device is accessible and set the device to **Allow**. Alternatively, connect the USB storage device to a computer that does not have the client installed. +3. Navigate to the hidden folder **.EasyLock Settings** on the USB device and delete the file named **cs14c7el.data**. +4. Delete the executable file **EasyLock.exe** from the root of the USB storage device. +5. Download the EasyLock utility executable from [this link](https://download.endpointprotector.com/Support_files/EasyLock_util.zip). +6. Extract **EasyLock_util.exe** to the root of the USB storage device and run it. +7. Download the EasyLock package from the server and copy it to the root of the USB storage device. Extract all files and overwrite existing files. +8. Open **EasyLock.exe** from the USB storage device and enter the password. \ No newline at end of file 
diff --git a/docs/kb/endpointprotector/how_to_remotely_activate_and_collect_client_logs_from_the_server_interface.md b/docs/kb/endpointprotector/how_to_remotely_activate_and_collect_client_logs_from_the_server_interface.md new file mode 100644 index 0000000000..055e7fbb86 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_remotely_activate_and_collect_client_logs_from_the_server_interface.md 
@@ -0,0 +1,51 @@ +--- +description: >- + This article explains how to remotely enable debug logging on an endpoint machine and collect client logs from the server interface, without requiring input or knowledge from the endpoint user. +keywords: + - debug logging + - client logs + - endpoint management +sidebar_label: Remotely Activate and Collect Client Logs +tags: [] +title: "How to Remotely Activate and Collect Client Logs from the Server Interface" +knowledge_article_id: kA0Qk0000002B2cKAE +products: + - endpoint-protector +--- + +# How to Remotely Activate and Collect Client Logs from the Server Interface + +## Overview + +This article explains how to remotely enable debug logging on an endpoint machine and collect client logs from the server interface, without requiring input or knowledge from the endpoint user. + +## Instructions + +1. In the **Endpoint Protector Console**, navigate to **Device Control > Computers**, then select the target computer and click **Manage Settings**. + ![Manage Settings in Device Control > Computers](./images/servlet_image_8cfbf5692849.png) + +2. Scroll down to **Debug Logging**, then click the **Set Log Level** drop-down menu and select **Debug**. + ![Set Log Level to Debug](./images/servlet_image_5840481544b9.png) + +3. After selecting **Debug**, click **Save** and wait for the green notification confirming that the changes have been saved. + ![Changes have been saved notification](./images/servlet_image_baa2795f8fd3.png) + +4. On the computer, refresh the policies and reproduce the issue. + +5. Return to the computer listed under **Device Control > Computers** and click **Collect diagnostics**. + ![Collect diagnostics option](./images/servlet_image_60b30f91932d.png) + ![Diagnostics collection in progress](./images/servlet_image_96e38073d295.png) + +6. Logs will be sent to the server under **Reports and Analysis > Logs Report**. + ![Logs Report section](./images/servlet_image_9aa4123f77f5.png) + +7. 
Navigate to **Reports and Analysis > Logs Report**. + +8. Expand the filters. Click the **Event** drop-down menu, then select **Artifact Received** and click **Apply**. + ![Filter for Artifact Received event](./images/servlet_image_3f1c3b331cfe.png) + +9. Under the events, the uploaded artifact or client logs will be listed and available for download by the system administrator. + > **NOTE:** The artifact may not be available for immediate download and may display a "File not found" error. It can take 20–30 minutes before the file is ready to download." + ![Artifact or client logs available for download](./images/servlet_image_823648e31f8f.png) + +10. Once the client logs are downloaded, submit them to the support team as needed. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_resolve_reports_and_analysis_logs_not_loading.md b/docs/kb/endpointprotector/how_to_resolve_reports_and_analysis_logs_not_loading.md new file mode 100644 index 0000000000..3f85686b46 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_resolve_reports_and_analysis_logs_not_loading.md 
@@ -0,0 +1,29 @@ +--- +description: >- + This article provides step-by-step instructions to resolve issues with the Reports and Analysis logs not loading in Endpoint Protector by adjusting display settings. +keywords: + - Reports and Analysis + - Endpoint Protector + - display settings +sidebar_label: Resolve Reports and Analysis Logs +tags: [] +title: "How to Resolve Reports and Analysis Logs Not Loading" +knowledge_article_id: kA0Qk0000002B2rKAE +products: + - endpoint-protector +--- + +# How to Resolve Reports and Analysis Logs Not Loading + +## Overview + +When the **Reports and Analysis** logs section does not load, you can resolve the issue by adjusting the display settings in the server interface. This problem often occurs when the number of records per report page is set to **All** or to a very high value, which can prevent the logs from displaying properly. By selecting a lower value for the number of records per page, you ensure that the logs load efficiently and the section displays as expected. + +## Instructions + +1. Navigate to **Device Control > Global Settings** in Endpoint Protector. +2. Scroll to the bottom of the page and locate **Display Settings**. +3. Check the **No. of records per report page** setting. If it is set to **All** or a high value, select a lower value between 10 and 100. +4. Click **Save** to apply the changes. +5. Return to the **Reports and Analysis** logs section and verify that the logs now display correctly. +6. You can find the **Reports and Analysis** logs section in the Endpoint Protector user interface. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_select_multiple_computers_and_users_within_groups.md b/docs/kb/endpointprotector/how_to_select_multiple_computers_and_users_within_groups.md new file mode 100644 index 0000000000..3ced25b73c --- /dev/null +++ b/docs/kb/endpointprotector/how_to_select_multiple_computers_and_users_within_groups.md 
@@ -0,0 +1,31 @@ +--- +description: >- + This article explains how to select multiple computers and users within a group using the multi-selection feature in the Endpoint Protector console. +keywords: + - multi-selection + - Endpoint Protector + - group management +sidebar_label: Select Multiple Computers and Users +tags: [] +title: "How to Select Multiple Computers and Users Within Groups" +knowledge_article_id: kA0Qk0000002B6FKAU +products: + - endpoint-protector +--- + +# How to Select Multiple Computers and Users Within Groups + +## Overview + +This article explains how to select multiple computers and users within a group using the multi-selection feature. This method allows system administrators to select several computers or users at once, without scrolling and selecting each entity individually. + +## Instructions + +1. In the Endpoint Protector console, navigate to **Device Control** > **Groups**. +2. Create a new group or open an existing group in **Edit mode**. +3. To select multiple computers/users, copy and paste the desired list of computers/users in the highlighted box on the right-hand side of the **Group Information** page. + + ![Paste list of computers into left box for multiselection](./images/servlet_image_b9e7bd968d5d.png) + +4. Click **Select all matched Items** to select all computers listed in the left box. +5. Selected computers are highlighted with blue check marks, and a green notification on the right side of the page shows how many items were matched. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_set_up_active_directory_administrator_synchronization.md b/docs/kb/endpointprotector/how_to_set_up_active_directory_administrator_synchronization.md new file mode 100644 index 0000000000..113fc5aace --- /dev/null +++ b/docs/kb/endpointprotector/how_to_set_up_active_directory_administrator_synchronization.md 
@@ -0,0 +1,34 @@ +--- +description: >- + This article explains how to synchronize Active Directory (AD) administrator accounts using the AD Authentication feature, allowing for efficient management of administrator accounts. +keywords: + - Active Directory + - administrator synchronization + - AD Authentication +sidebar_label: Set Up AD Administrator Synchronization +tags: [] +title: "How to Set Up Active Directory Administrator Synchronization" +knowledge_article_id: kA0Qk0000002B77KAE +products: + - endpoint-protector +--- + +# How to Set Up Active Directory Administrator Synchronization + +## Overview + +This article explains how to synchronize Active Directory (AD) administrator accounts using the AD Authentication feature. Synchronizing AD administrators allows you to import and manage administrator accounts efficiently. + +## Instructions + +Follow these steps to set up AD administrator synchronization: + +1. Log in to the **Endpoint Protector** web console and go to **System Configuration > System Settings**. In the **Active Directory Authentication** section, fill in the required fields. +2. Ensure the **Enable Active Directory Authentication** feature is turned on. +3. Select the connection type based on your AD server settings. +4. Enter the IP address and port used by the server. +5. In the **Domain Name** field, add the domain controller without an OU (for example, `DC=domain,DC=local` for "domain.local"). +6. Enter the account suffix used by the administrator directory (for example, `@domain.local`). In some cases, you must include the domain before the username (for example, `DOMAIN\User`). +7. The AD Administrators Group can contain any other groups of users except for primary groups, which Microsoft restricts from this action. Only users in this AD group will be synced and imported as Super Administrators. You can create additional administrators with different access control levels manually from the **System Administrators** section. +8. 
Click **Save** to apply the changes. A banner at the top of the page will confirm success. +9. Return to the **Active Directory Authentication** section and test the connection. After confirming the connection works, click **Sync AD Administrators** to import the administrator accounts. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_set_up_e-mail_alerts.md b/docs/kb/endpointprotector/how_to_set_up_e-mail_alerts.md new file mode 100644 index 0000000000..fed7209d78 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_set_up_e-mail_alerts.md 
@@ -0,0 +1,38 @@ +--- +description: >- + This article explains how to configure e-mail alerts in Endpoint Protector, including setting up the e-mail server and creating alerts for various system events. +keywords: + - e-mail alerts + - Endpoint Protector + - system events +sidebar_label: Set Up E-mail Alerts +tags: [] +title: "How to Set Up E-mail Alerts" +knowledge_article_id: kA0Qk0000002B6UKAU +products: + - endpoint-protector +--- + +# How to Set Up E-mail Alerts + +## Overview + +E-mail alerts in **Endpoint Protector** allow you to send specific logs and notifications to administrator e-mail addresses. This article explains how to configure the e-mail server settings and create alerts for various system events. + +## Instructions + +1. To configure the e-mail server settings, navigate to the **Endpoint Protector Console** > **System Configuration** > **System Settings**. +2. Select the **E-mail Type**. +3. Enter the **Hostname** and **SMTP port**. +4. Check **Require SMTP Authentication**, then enter the e-mail address and password. +5. Select the **Encryption type** based on the port selected. +6. To test the configuration, check **Send test email to my account**. A test e-mail will be sent to the administrator when the settings are saved. +7. By default, the no-reply e-mail address is [noreply@endpointprotector.com](mailto:noreply@endpointprotector.com). You can change this to a custom address by switching the no-reply e-mail address from Default to Custom. +8. Create e-mail alerts by navigating to **Alerts** and selecting the desired alert type: + - **System Alerts**: for system events (e.g., server disk space, licenses, password expiration). + - **Device Control Alerts**: for device control events (e.g., device connected/disconnected, file copy, uninstall attempt). + - **Content Aware Alerts**: for content aware protection events (e.g., content threat detected, content threat blocked). 
+ - **EasyLock Alerts**: for EasyLock events (e.g., change user password, password login exceeded, password login failure). +9. Click **Create**. +10. Select the **Event**, then enter the **Alert name** and select the **Administrator** who should receive the alert. +11. Click **Save**. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_set_up_external_storage.md b/docs/kb/endpointprotector/how_to_set_up_external_storage.md new file mode 100644 index 0000000000..da01f55ba2 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_set_up_external_storage.md @@ -0,0 +1,28 @@ +--- +description: >- + This article outlines how to configure external storage to conserve hard drive space on the server by directing shadows and backups to a remote location. +keywords: + - external storage + - server performance + - storage management +sidebar_label: Set Up External Storage +tags: [] +title: "How to Set Up External Storage" +knowledge_article_id: kA0Qk0000002B7LKAU +products: + - endpoint-protector +--- + +# How to Set Up External Storage + +## Overview + +This article outlines how to configure external storage to conserve hard drive space on the server. By setting up external storage, you can direct shadows and backups to a remote location, helping to optimize server performance and storage management. + +## Instructions + +1. In the **Endpoint Protector Console**, navigate to **System Maintenance > External Storage**. +2. Select your desired **Storage Type** and complete the required fields. +3. Save your settings. +4. Wait a few minutes, then use the **Test** button to verify that the server can log into the external storage and copy or create files. +5. Successful access is confirmed by the creation of three folders and a .txt file in the external storage location. \ No newline at end of file 
diff --git a/docs/kb/endpointprotector/how_to_set_up_smtp_with_gmail.md b/docs/kb/endpointprotector/how_to_set_up_smtp_with_gmail.md new file mode 100644 index 0000000000..52d9d7c14d --- /dev/null +++ b/docs/kb/endpointprotector/how_to_set_up_smtp_with_gmail.md 
@@ -0,0 +1,57 @@ +--- +description: >- + This article explains how to configure SMTP settings in Endpoint Protector to use Gmail as your email provider, including required configuration values, steps for generating an app password, and instructions for sending a test email. +keywords: + - SMTP + - Gmail + - Endpoint Protector +sidebar_label: Set Up SMTP With Gmail +tags: [] +title: "How to Set Up SMTP With Gmail" +knowledge_article_id: kA0Qk0000002B4LKAU +products: + - endpoint-protector +--- + +# How to Set Up SMTP With Gmail + +## Overview + +This article explains how to configure SMTP settings in **Endpoint Protector** to use **Gmail** as your email provider. It includes the required configuration values, steps for generating an app password, and instructions for sending a test email. + +## Instructions + +### Configure SMTP Settings + +1. Open the **Endpoint Protector Web Console**. +2. Go to **System Configuration** > **System Settings**. +3. In the **Email Server Settings** section, select **SMTP** from the **Email Type** field. +4. Fill in the fields as follows: + - **Email Type:** SMTP + - **Hostname:** smtp.gmail.com + - **SMTP Port:** 587 + - **Require SMTP Authentication:** Enabled + - **Username:** Enter your Gmail email address + - **Password:** Enter the app password generated in your Google Account (see steps below) + - **Encryption Type:** TLS + - **Send test email to my account:** Enabled + - **No-reply email address:** Default + + ![SMTP configuration for Gmail in Endpoint Protector](./images/servlet_image_e9d389c827d7.png) + +5. To use a custom no-reply email address, select **Custom** and enter your preferred email address, or leave the default. + +> **IMPORTANT:** When using Gmail as your SMTP provider, you must use an app password instead of your account password. + +### Configure App Password + +1. Navigate to your [Google Account – App Passwords](https://security.google.com/settings/security/apppasswords). +2. Select **Security**. +3. 
Under the **Signing in to Google** section, select **2-Step Verification**. +4. At the bottom of the page, select **App passwords**. +5. Enter a name that corresponds with where you will use the app password. +6. Select **Generate**. +7. Follow the on-screen instructions to enter the app password. The app password is the 16-character code generated on your device. +8. Select **Done**. +9. Once all fields are complete, click **Save**. +10. Select **Send test email to my account** and click **Save** again. If the configuration is correct, a green banner will confirm that a test email was sent. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_stage_the_endpoint_protector_server.md b/docs/kb/endpointprotector/how_to_stage_the_endpoint_protector_server.md new file mode 100644 index 0000000000..c5f6e8aaee --- /dev/null +++ b/docs/kb/endpointprotector/how_to_stage_the_endpoint_protector_server.md 
@@ -0,0 +1,40 @@ +--- +description: >- + This article explains how to stage the Endpoint Protector Server before deploying the Endpoint Protector agent to endpoint systems. +keywords: + - Endpoint Protector + - server staging + - deployment +sidebar_label: Stage Endpoint Protector Server +tags: [] +title: "How to Stage the Endpoint Protector Server" +knowledge_article_id: kA0Qk0000002BAkKAM +products: + - endpoint-protector +--- + +# How to Stage the Endpoint Protector Server + +## Overview + +This article explains how to stage the Endpoint Protector Server before deploying the Endpoint Protector agent to endpoint systems. The server is where you configure all endpoint controls and behaviors. + +## Instructions + +Follow the steps below to complete this process: + +1. Choose a server management option: + - **Customer-Managed**: You can install the server either on-premises or in a hosted cloud environment. + - **Provider-Managed**: An instance of Endpoint Protector can be provisioned in an isolated cloud environment. For more details about the Provider-Managed option, contact your Netwrix Account Manager. + +2. Review deployment manuals: For detailed information about each deployment option, refer to the following resources: [Endpoint Protector Deployment Resources](/docs/endpointprotector/). + +3. Obtain and install a license key: To use the Endpoint Protector Server in a production environment, you must have a license key. After purchasing Endpoint Protector with the necessary module(s), your Account Manager will assign a license that can be installed within the Endpoint Protector Management Console. + +4. Access and configure the Management Console: Instructions for accessing and configuring the Management Console are available in the manuals referenced above. + +> **NOTE:** You must have a valid license key to use the Endpoint Protector Server in a production environment. 
+ +## Related Links + +- [Endpoint Protector Deployment Resources](/docs/endpointprotector/) \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_update_to_macos_12_(monterey)_while_using_endpoint_protector_client_and_deep_packet_inspectio.md b/docs/kb/endpointprotector/how_to_update_to_macos_12_(monterey)_while_using_endpoint_protector_client_and_deep_packet_inspectio.md new file mode 100644 index 0000000000..f56955531e --- /dev/null +++ b/docs/kb/endpointprotector/how_to_update_to_macos_12_(monterey)_while_using_endpoint_protector_client_and_deep_packet_inspectio.md 
@@ -0,0 +1,42 @@ +--- +description: >- + This article explains how to update to macOS 12 (Monterey) while using the Endpoint Protector client and Deep Packet Inspection, ensuring compatibility and proper certificate configuration. +keywords: + - macOS 12 + - Endpoint Protector + - Deep Packet Inspection +sidebar_label: Update to macOS 12 +tags: [] +title: "How to Update to macOS 12 (Monterey) While Using Endpoint Protector Client and Deep Packet Inspection" +knowledge_article_id: kA0Qk0000002B9UKAU +products: + - endpoint-protector +--- + +# How to Update to macOS 12 (Monterey) While Using Endpoint Protector Client and Deep Packet Inspection + +## Overview + +This article explains how to update to macOS 12 (Monterey) when using the Endpoint Protector client and Deep Packet Inspection. Follow these steps to ensure compatibility and proper certificate configuration. + +## Instructions + +1. Update the Endpoint Protector server to the latest version. +2. On the Endpoint Protector Server, navigate to **System Settings** > **Server Certificate Stack** > **Regenerate Server Certificate Stack** and click **Regenerate** to regenerate the server and client CA certificate. +3. To download the new CA certificate, navigate to **System Configuration** > **System Settings** > **Deep Packet Inspection Certificate**. +4. Toggle the option and confirm by selecting **Yes** in the pop-up window. +5. Click **Download Client CA Certificate**. The **ClientCerts** file will download to your local directory. +6. On your macOS device, open the **Keychain Access** application and go to **System**. +7. Unzip the downloaded **ClientCerts** file. +8. Select the **cacert.pem** file and move it into **System** in **Keychain Access**. + + ![Dragging cacert.pem into System in Keychain Access on macOS](./images/servlet_image_7fc401abe1e3.png) + +9. Double-click the newly added certificate. In the **Trust** section, select **Always Trust**. 
+ + ![Setting certificate to Always Trust in Keychain Access](./images/servlet_image_910151bbafe1.png) + +10. Save the changes. +11. Update the macOS Endpoint Protector client to the latest version. +12. Restart the computer. +13. Update to macOS 12 (Monterey). \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_upgrade_when_apply_updates_button_is_grayed_out.md b/docs/kb/endpointprotector/how_to_upgrade_when_apply_updates_button_is_grayed_out.md new file mode 100644 index 0000000000..11eb59ca73 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_upgrade_when_apply_updates_button_is_grayed_out.md 
@@ -0,0 +1,46 @@ +--- +description: >- + This article explains how to upgrade from Endpoint Protector Server v5.8.0.0 to v5.8.1.0 when the Apply Updates button is grayed out after selecting available Endpoint Protector (EPP) software updates. +keywords: + - Endpoint Protector + - software updates + - upgrade process +products: + - endpoint-protector +sidebar_label: Upgrade When Apply Updates Button Is Grayed Out +tags: [] +title: How to Upgrade When "Apply Updates" Button Is Grayed Out +knowledge_article_id: kA0Qk0000002BDvKAM +--- + +# How to Upgrade When "Apply Updates" Button Is Grayed Out + +## Overview + +This article explains how to upgrade from Endpoint Protector Server v5.8.0.0 to v5.8.1.0 when the **Apply Updates** button is grayed out after selecting available Endpoint Protector (EPP) software updates. + +## Instructions + +1. Select the available EPP software updates. If the **Apply Updates** button is grayed out, continue with the following steps. + ![Apply Updates button grayed out in Endpoint Protector update screen](https://www.endpointprotector.com//images/img/support/endpoint-protector-apply-updates-screenshot1.png) + +2. Uncheck the checkbox next to the patch update. + ![Unchecking the patch update checkbox](https://www.endpointprotector.com//images/img/support/endpoint-protector-apply-updates-screenshot2.png) + +3. Check the box again to activate the patch update. + ![Re-checking the patch update checkbox](https://www.endpointprotector.com//images/img/support/endpoint-protector-apply-updates-screenshot3.png) + +4. Click the checkbox directly to activate the **Apply Updates** button. + +5. If you are a hosted customer, use the **Apply All EPP Software Updates** button. + +6. Click **Apply Updates** to begin the download. + ![Apply Updates button enabled in Endpoint Protector update screen](https://www.endpointprotector.com//images/img/support/endpoint-protector-apply-updates-screenshot4.png) + +7. Refresh the page. 
The new version of the server will be displayed in the bottom right corner. + +> **NOTE:** Starting with version 5.9.4.2, all older Endpoint Protector servers can be upgraded with a cumulative patch. + +## Related Links + +- [5.9.4.2 Cumulative Upgrade Patch for Endpoint Protector Server 5.7.0.0 – 5.9.4.1 ⸱ Netwrix Community 🡥](https://community.netwrix.com/t/5-9-4-2-cumulative-upgrade-patch-for-endpoint-protector-server-5-7-0-0-5-9-4-1/9321) \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_use_the_content_detection_summary.md b/docs/kb/endpointprotector/how_to_use_the_content_detection_summary.md new file mode 100644 index 0000000000..d6164461a1 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_use_the_content_detection_summary.md 
@@ -0,0 +1,54 @@ +--- +description: >- + This article explains how to use the Content Detection Summary section in Endpoint Protector (EPP) to manage content detection rules effectively. +keywords: + - Content Detection Summary + - Endpoint Protector + - Content Aware Policy +sidebar_label: Use Content Detection Summary +tags: [] +title: "How to Use the Content Detection Summary" +knowledge_article_id: kA0Qk0000002BFWKA2 +products: + - endpointprotector +--- + +# How to Use the Content Detection Summary + +## Overview + +This article explains how to use the **Content Detection Summary** section in **Endpoint Protector** (EPP). The **Content Detection Summary** displays all predefined content, custom content, regular expressions, and HIPAA items that were checked in the **Content Aware Policy**. + +Customers with a Premium license can edit the policy and combine multiple criteria (predefined content, custom content, regular expressions, and HIPAA) using the **AND** operator in addition to the **OR** operator. + +You can apply the content detection rule only to specific files. Files selected in the **Restrict Content Detection** section cannot be checked in the **Policy Denylist > File Type** section and vice versa. + +## Instructions + +Follow the steps below to complete this process: + +1. Add a Premium license to your EPP Server. +2. Create the **Content Aware Policy** by navigating to the **Content Aware Policies** section in the EPP Console. +3. Select the content types: **Predefined Content**, **Custom Content**, **Regular Expression**, or **HIPAA**. +4. Navigate to the **Content Detection Summary** section and click **Edit**. + ![Content Detection Summary section with Edit button highlighted](https://www.endpointprotector.com//images/img/support/endpoint-protector-how-to-use-content-detection-summary-1.png) +5. Define the **Content Detection Rule** by using the **Add ()** or **Add item** button. 
+ ![Defining Content Detection Rule with Add and Add Item buttons](https://www.endpointprotector.com//images/img/support/endpoint-protector-how-to-use-content-detection-summary-4.png) +6. From the main **OR** defined operation, delete **Confidential Dictionary** and **HIPAA**. + ![Deleting items from OR operation in Content Detection Summary](https://www.endpointprotector.com//images/img/support/endpoint-protector-how-to-use-content-detection-summary-6.png) +7. Review the rule behavior; **HIPAA** items will be blocked only when combined with an item from the **Confidential Dictionary** or vice versa. For the rest of the **Credit Cards** checked in the policy, nothing changes; they will be blocked as usual. +8. Save the changes in the **Content Detection Summary** section. + ![Saving changes in Content Detection Summary](https://www.endpointprotector.com//images/img/support/endpoint-protector-how-to-use-content-detection-summary-5.png) +9. Optional: Limit content detection to specific file types by selecting the desired file types from the **Restrict Content Detection** section. + ![Restrict Content Detection section with file types selected](https://www.endpointprotector.com//images/img/support/endpoint-protector-how-to-use-content-detection-summary-2.png) +10. Save the **Content Aware Policy**. + +### Known Limitations When Using Content Detection Summary with AND Operator + +- If a contextual detection rule is defined for a **Predefined Content**, **Custom Content**, **Regular Expression**, or **HIPAA** item that is included in an operation with at least one **AND** operator, the contextual detection rule will be ignored. +- For **Content Aware Policies** that include at least one **AND** operator, no **Threat Threshold** can be set. +- If the **Content Aware Protection** policy includes at least one **AND** operator and also has a **File Size Threshold** set, the policy will only apply if the size threshold is met. 
+ +## Related Links + +- [Endpoint Protector Deployment Resources](/docs/endpointprotector/) \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_view_a_scanner_in_the_controlled_device_list.md b/docs/kb/endpointprotector/how_to_view_a_scanner_in_the_controlled_device_list.md new file mode 100644 index 0000000000..1fa85b2427 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_view_a_scanner_in_the_controlled_device_list.md @@ -0,0 +1,29 @@ +--- +description: >- + This article explains how to locate your scanner in the controlled device list within the Endpoint Protector Console. +keywords: + - scanner + - controlled device list + - Endpoint Protector +sidebar_label: View Scanner in Controlled Device List +tags: [] +title: "How to View a Scanner in the Controlled Device List" +knowledge_article_id: kA0Qk0000002BAxKAM +products: + - endpoint-protector +--- + +# How to View a Scanner in the Controlled Device List + +## Overview + +This article explains how to locate your scanner in the controlled device list. Use the management interface to view and manage all devices, including scanners, that are monitored by the system. + +## Instructions + +Follow these steps to find your scanner in the controlled device list: + +1. Log in to the **Endpoint Protector Console** using your credentials. +2. Click **Device Control** in the sidebar menu to expand its options. +3. Select **Devices** from the expanded Device Control menu. The **List of Devices** page displays all controlled devices. +4. Use the search or filter options in the device list to locate your scanner among the managed devices. \ No newline at end of file diff --git a/docs/kb/endpointprotector/how_to_whitelist_a_device_for_global_access.md b/docs/kb/endpointprotector/how_to_whitelist_a_device_for_global_access.md new file mode 100644 index 0000000000..fc52943666 --- /dev/null +++ b/docs/kb/endpointprotector/how_to_whitelist_a_device_for_global_access.md 
@@ -0,0 +1,68 @@ +--- +description: >- + This article explains how to globally whitelist a specific device in Endpoint Protector (EPP) by creating a custom class. You will learn how to identify devices using attributes and configure access permissions. +keywords: + - whitelisting + - Endpoint Protector + - device management +sidebar_label: Whitelisting a Device +tags: [] +title: "How to Whitelist a Device for Global Access" +knowledge_article_id: kA0Qk0000002BB8KAM +products: + - endpoint-protector +--- + +# How to Whitelist a Device for Global Access + +## Overview + +This article explains how to globally whitelist a specific device in **Endpoint Protector** (EPP) by creating a custom class. You will learn how to identify devices using attributes such as Device Type, Device Class (VID, PID), or Serial Number, and configure access permissions to allow the device across all endpoints. + +## Instructions + +Follow the steps below to complete this process: + +1. To access Custom Classes, navigate to **EPP Console** > **Device Control** > **Custom Classes** and click **Create**. +2. To configure the Custom Class, provide a name for your custom class and ensure the **Custom Class Status** is set to **ON**. +3. Add Device to Custom Class by clicking **Add** in the **Custom Class Device List**. +4. The Device Wizard window will populate. 
You must select a **Device Type** from the list provided, which includes the following devices: + - Unknown Device + - USB Storage Device + - Internal CD or DVD RW + - Internal Card Reader + - Internal Floppy Drive + - Local Printers + - Network Printers + - Windows Portable Device (Media Transfer Protocol) + - Digital Camera + - BlackBerry + - iPhone + - iPad + - Bluetooth (with subcategories like Radio, Keyboard, Mouse, Smartphone, Headphones) + - iPod + - VM USB Device + - Serial ATA Controller + - WiFi + - FireWire Bus + - Serial Port + - PCMCIA Device + - Card Reader Device (MTD, SCSI) + - ZIP Drive + - Teensy Board + - Thunderbolt + - Infrared Dongle + - Parallel Port (LPT) + - Thin Client Storage (RDP Storage) + - Additional Keyboard + - USB Modem + - Android Smartphone (Media Transfer Protocol) + - Chip Card Device + - Audio Device +5. For each device selected, choose **Allow Access** or **Deny Access**. +6. Choose the method for adding the device, then select **Next**. +7. To finalize the setup of the Device Wizard, follow the steps below for the device that applies: + - **Existing Device (Wizard):** Use the checkbox to select one or more device types, then click **Save**. + - **New Device (VID, PID, Serial Number):** Enter the VID, PID, Serial Number, and Description, then press **Save**. + - **Device Serial Number Range:** Enter the VID, PID, first serial number in range, last serial number in range, and Description, then press **Save**. + - **Bulk List of Devices:** Choose enrollment options, then insert/import content and press **Save**. \ No newline at end of file diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fOGR.png b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fOGR.png new file mode 100644 index 0000000000..84f0790873 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fOGR.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fTch.png b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fTch.png new file mode 100644 index 0000000000..e7c5955ff4 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fTch.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fb5Z.png b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fb5Z.png new file mode 100644 index 0000000000..7e0446b1ff Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fb5Z.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbGr.png b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbGr.png new file mode 100644 index 0000000000..a5beedb0eb Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbGr.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbNJ.png b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbNJ.png new file mode 100644 index 0000000000..2270de63d3 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbNJ.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbTl.png b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbTl.png new file mode 100644 index 0000000000..232922bdde Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbTl.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbWz.png b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbWz.png new file mode 100644 index 0000000000..962729a47b Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004M3Z_0EMQk000005fbWz.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lrve.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lrve.png new file mode 100644 index 0000000000..93c97438bc Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lrve.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005ls6y.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005ls6y.png new file mode 100644 index 0000000000..d29e5a9ef0 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005ls6y.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lsoU.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lsoU.png new file mode 100644 index 0000000000..64e2fb5fdd Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lsoU.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lwId.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lwId.png new file mode 100644 index 0000000000..834381c202 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lwId.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lxoA.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lxoA.png new file mode 100644 index 0000000000..0c72788941 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lxoA.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lzGU.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lzGU.png new file mode 100644 index 0000000000..fb56aa3503 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005lzGU.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m13n.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m13n.png new file mode 100644 index 0000000000..549eceda3d Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m13n.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3Ov.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3Ov.png new file mode 100644 index 0000000000..b14fb53585 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3Ov.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3VN.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3VN.png new file mode 100644 index 0000000000..93112b3319 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3VN.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3gf.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3gf.png new file mode 100644 index 0000000000..2b4cc89290 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_00N0g000004CA0p_0EMQk000005m3gf.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lrve.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lrve.png new file mode 100644 index 0000000000..93c97438bc Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lrve.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005ls6y.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005ls6y.png new file mode 100644 index 0000000000..d29e5a9ef0 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005ls6y.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lsoU.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lsoU.png new file mode 100644 index 0000000000..64e2fb5fdd Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lsoU.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lwId.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lwId.png new file mode 100644 index 0000000000..834381c202 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lwId.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lxoA.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lxoA.png new file mode 100644 index 0000000000..0c72788941 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lxoA.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lzGU.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lzGU.png new file mode 100644 index 0000000000..fb56aa3503 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005lzGU.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m13n.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m13n.png new file mode 100644 index 0000000000..549eceda3d Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m13n.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m3Ov.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m3Ov.png new file mode 100644 index 0000000000..b14fb53585 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m3Ov.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m3VN.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m3VN.png new file mode 100644 index 0000000000..93112b3319 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m3VN.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m3gf.png b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m3gf.png new file mode 100644 index 0000000000..2b4cc89290 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk0000004Rkn_0EMQk000005m3gf.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000DeHN_0EMQk00000CJ50H.png b/docs/kb/endpointprotector/images/ka0Qk000000DeHN_0EMQk00000CJ50H.png new file mode 100644 index 0000000000..fc440d1492 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000DeHN_0EMQk00000CJ50H.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Dein_0EMQk00000CV0zJ.png b/docs/kb/endpointprotector/images/ka0Qk000000Dein_0EMQk00000CV0zJ.png new file mode 100644 index 0000000000..9d1b1a8de2 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Dein_0EMQk00000CV0zJ.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Drsv_0EMQk00000CB41O.png b/docs/kb/endpointprotector/images/ka0Qk000000Drsv_0EMQk00000CB41O.png new file mode 100644 index 0000000000..cb035e0ecc Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Drsv_0EMQk00000CB41O.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000DsH7_0EMQk00000CB1Rh.png b/docs/kb/endpointprotector/images/ka0Qk000000DsH7_0EMQk00000CB1Rh.png new file mode 100644 index 0000000000..afb2043a48 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000DsH7_0EMQk00000CB1Rh.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Dynx_0EMQk00000CKudS.png b/docs/kb/endpointprotector/images/ka0Qk000000Dynx_0EMQk00000CKudS.png new file mode 100644 index 0000000000..158c4dce59 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Dynx_0EMQk00000CKudS.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWDN.png b/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWDN.png new file mode 100644 index 0000000000..0458c70630 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWDN.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWGb.png b/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWGb.png new file mode 100644 index 0000000000..a9ee4e51e3 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWGb.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWID.png b/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWID.png new file mode 100644 index 0000000000..a2a0d16211 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWID.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWJp.png b/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWJp.png new file mode 100644 index 0000000000..c27d4fdf51 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000DzDl_0EMQk00000BuWJp.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000DzFN_0EMQk00000C8zgv.png b/docs/kb/endpointprotector/images/ka0Qk000000DzFN_0EMQk00000C8zgv.png new file mode 100644 index 0000000000..9dda23d5d9 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000DzFN_0EMQk00000C8zgv.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000DzNR_0EMQk00000BmNLl.png b/docs/kb/endpointprotector/images/ka0Qk000000DzNR_0EMQk00000BmNLl.png new file mode 100644 index 0000000000..1c161c55f3 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000DzNR_0EMQk00000BmNLl.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Dzor_0EMQk00000CAag4.png b/docs/kb/endpointprotector/images/ka0Qk000000Dzor_0EMQk00000CAag4.png new file mode 100644 index 0000000000..2ad545156c Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Dzor_0EMQk00000CAag4.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Dzor_0EMQk00000CAfxR.png b/docs/kb/endpointprotector/images/ka0Qk000000Dzor_0EMQk00000CAfxR.png new file mode 100644 index 0000000000..f63aea590f Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Dzor_0EMQk00000CAfxR.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Dzor_0EMQk00000CAgof.png b/docs/kb/endpointprotector/images/ka0Qk000000Dzor_0EMQk00000CAgof.png new file mode 100644 index 0000000000..9facb3d30b Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Dzor_0EMQk00000CAgof.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Dzs5_0EMQk00000CAOoZ.png b/docs/kb/endpointprotector/images/ka0Qk000000Dzs5_0EMQk00000CAOoZ.png new file mode 100644 index 0000000000..026ecb0d42 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Dzs5_0EMQk00000CAOoZ.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Dzth_0EMQk00000CJ1Co.png b/docs/kb/endpointprotector/images/ka0Qk000000Dzth_0EMQk00000CJ1Co.png new file mode 100644 index 0000000000..dd25eada8a Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Dzth_0EMQk00000CJ1Co.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Dzth_0EMQk00000CJ9iD.png b/docs/kb/endpointprotector/images/ka0Qk000000Dzth_0EMQk00000CJ9iD.png new file mode 100644 index 0000000000..02674292ce Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Dzth_0EMQk00000CJ9iD.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Dzth_0EMQk00000CJA4n.png b/docs/kb/endpointprotector/images/ka0Qk000000Dzth_0EMQk00000CJA4n.png new file mode 100644 index 0000000000..946bfc80b5 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Dzth_0EMQk00000CJA4n.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000E5mD_0EMQk00000CnKbO.png b/docs/kb/endpointprotector/images/ka0Qk000000E5mD_0EMQk00000CnKbO.png new file mode 100644 index 0000000000..5a62c73a0c Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000E5mD_0EMQk00000CnKbO.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000E7Pp_0EMQk00000C51uD.png b/docs/kb/endpointprotector/images/ka0Qk000000E7Pp_0EMQk00000C51uD.png new file mode 100644 index 0000000000..d4b9901865 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000E7Pp_0EMQk00000C51uD.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk000000E7ZV_0EMQk00000C52IP.png b/docs/kb/endpointprotector/images/ka0Qk000000E7ZV_0EMQk00000C52IP.png new file mode 100644 index 0000000000..54a78ea8be Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000E7ZV_0EMQk00000C52IP.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000E7fx_0EMQk00000C51as.png b/docs/kb/endpointprotector/images/ka0Qk000000E7fx_0EMQk00000C51as.png new file mode 100644 index 0000000000..1ffac6bf79 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000E7fx_0EMQk00000C51as.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000E7fx_0EMQk00000C51pO.png b/docs/kb/endpointprotector/images/ka0Qk000000E7fx_0EMQk00000C51pO.png new file mode 100644 index 0000000000..82afafbb34 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000E7fx_0EMQk00000C51pO.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000EPcr_0EMQk00000C8ekY.png b/docs/kb/endpointprotector/images/ka0Qk000000EPcr_0EMQk00000C8ekY.png new file mode 100644 index 0000000000..148be668a8 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000EPcr_0EMQk00000C8ekY.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000EPcr_0EMQk00000C8gO9.png b/docs/kb/endpointprotector/images/ka0Qk000000EPcr_0EMQk00000C8gO9.png new file mode 100644 index 0000000000..33793b5e8e Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000EPcr_0EMQk00000C8gO9.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ES65_0EMQk00000C528j.png b/docs/kb/endpointprotector/images/ka0Qk000000ES65_0EMQk00000C528j.png new file mode 100644 index 0000000000..1314e6f13a Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ES65_0EMQk00000C528j.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ES65_0EMQk00000C52DZ.png b/docs/kb/endpointprotector/images/ka0Qk000000ES65_0EMQk00000C52DZ.png new file mode 100644 index 0000000000..1ecf3c99ef Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ES65_0EMQk00000C52DZ.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ES7h_0EMQk00000Cp0a9.png b/docs/kb/endpointprotector/images/ka0Qk000000ES7h_0EMQk00000Cp0a9.png new file mode 100644 index 0000000000..49ae15d127 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ES7h_0EMQk00000Cp0a9.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ES7h_0EMQk00000Cp0ez.png b/docs/kb/endpointprotector/images/ka0Qk000000ES7h_0EMQk00000Cp0ez.png new file mode 100644 index 0000000000..778fed8468 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ES7h_0EMQk00000Cp0ez.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ESKb_0EMQk00000C8iL7.png b/docs/kb/endpointprotector/images/ka0Qk000000ESKb_0EMQk00000C8iL7.png new file mode 100644 index 0000000000..d50323b900 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ESKb_0EMQk00000C8iL7.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ESMD_0EMQk00000C8gT0.png b/docs/kb/endpointprotector/images/ka0Qk000000ESMD_0EMQk00000C8gT0.png new file mode 100644 index 0000000000..0eb8423e90 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ESMD_0EMQk00000C8gT0.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ESkP_0EMQk00000C7Jbh.png b/docs/kb/endpointprotector/images/ka0Qk000000ESkP_0EMQk00000C7Jbh.png new file mode 100644 index 0000000000..0ba0b0c9e0 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ESkP_0EMQk00000C7Jbh.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ESnd_0EMQk00000C7Bfn.png b/docs/kb/endpointprotector/images/ka0Qk000000ESnd_0EMQk00000C7Bfn.png new file mode 100644 index 0000000000..f3ffd7fdb0 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ESnd_0EMQk00000C7Bfn.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ESnd_0EMQk00000C7LTp.png b/docs/kb/endpointprotector/images/ka0Qk000000ESnd_0EMQk00000C7LTp.png new file mode 100644 index 0000000000..f8d3f0c819 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ESnd_0EMQk00000C7LTp.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ESsT_0EMQk00000C77qh.png b/docs/kb/endpointprotector/images/ka0Qk000000ESsT_0EMQk00000C77qh.png new file mode 100644 index 0000000000..60f09cb123 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ESsT_0EMQk00000C77qh.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ETF3_0EMQk00000C8rLD.png b/docs/kb/endpointprotector/images/ka0Qk000000ETF3_0EMQk00000C8rLD.png new file mode 100644 index 0000000000..35c69dce60 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ETF3_0EMQk00000C8rLD.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ETF3_0EMQk00000C8rxt.png b/docs/kb/endpointprotector/images/ka0Qk000000ETF3_0EMQk00000C8rxt.png new file mode 100644 index 0000000000..9c2361be96 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ETF3_0EMQk00000C8rxt.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ETJt_0EMQk00000C8uB1.png b/docs/kb/endpointprotector/images/ka0Qk000000ETJt_0EMQk00000C8uB1.png new file mode 100644 index 0000000000..2438debfe9 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ETJt_0EMQk00000C8uB1.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ETJt_0EMQk00000C8uNt.png b/docs/kb/endpointprotector/images/ka0Qk000000ETJt_0EMQk00000C8uNt.png new file mode 100644 index 0000000000..683cb328c7 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ETJt_0EMQk00000C8uNt.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000ETN7_0EMQk00000C91kL.png b/docs/kb/endpointprotector/images/ka0Qk000000ETN7_0EMQk00000C91kL.png new file mode 100644 index 0000000000..5073765e9e Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000ETN7_0EMQk00000C91kL.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Ea6r_0EMQk00000CAcMt.png b/docs/kb/endpointprotector/images/ka0Qk000000Ea6r_0EMQk00000CAcMt.png new file mode 100644 index 0000000000..193be0fb2e Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Ea6r_0EMQk00000CAcMt.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Ea6r_0EMQk00000CAivK.png b/docs/kb/endpointprotector/images/ka0Qk000000Ea6r_0EMQk00000CAivK.png new file mode 100644 index 0000000000..0ac205abe0 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Ea6r_0EMQk00000CAivK.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Ea6r_0EMQk00000CAkDx.png b/docs/kb/endpointprotector/images/ka0Qk000000Ea6r_0EMQk00000CAkDx.png new file mode 100644 index 0000000000..4c8eaa5f77 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Ea6r_0EMQk00000CAkDx.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000EaBh_0EMQk00000CD9g6.png b/docs/kb/endpointprotector/images/ka0Qk000000EaBh_0EMQk00000CD9g6.png new file mode 100644 index 0000000000..deeafda765 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000EaBh_0EMQk00000CD9g6.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk000000EaoP_0EMQk00000BmIKT.png b/docs/kb/endpointprotector/images/ka0Qk000000EaoP_0EMQk00000BmIKT.png new file mode 100644 index 0000000000..3f07ec0e90 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000EaoP_0EMQk00000BmIKT.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOF3.png b/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOF3.png new file mode 100644 index 0000000000..d9dc827380 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOF3.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOGf.png b/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOGf.png new file mode 100644 index 0000000000..bb1e7408a5 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOGf.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOIH.png b/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOIH.png new file mode 100644 index 0000000000..f14bc14c48 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOIH.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOJt.png b/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOJt.png new file mode 100644 index 0000000000..328f335a21 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAOJt.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAON7.png b/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAON7.png new file mode 100644 index 0000000000..715c2b47ef Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Eb4X_0EMQk00000CAON7.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk000000Eb9N_0EMQk00000CAPJB.png b/docs/kb/endpointprotector/images/ka0Qk000000Eb9N_0EMQk00000CAPJB.png new file mode 100644 index 0000000000..5bb5f5cbcb Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000Eb9N_0EMQk00000CAPJB.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000EbSj_0EMQk00000CAaeP.png b/docs/kb/endpointprotector/images/ka0Qk000000EbSj_0EMQk00000CAaeP.png new file mode 100644 index 0000000000..024ef89690 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000EbSj_0EMQk00000CAaeP.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000EbSj_0EMQk00000CAmm2.png b/docs/kb/endpointprotector/images/ka0Qk000000EbSj_0EMQk00000CAmm2.png new file mode 100644 index 0000000000..57b1505a37 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000EbSj_0EMQk00000CAmm2.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000EcJx_0EMQk00000C91kM.png b/docs/kb/endpointprotector/images/ka0Qk000000EcJx_0EMQk00000C91kM.png new file mode 100644 index 0000000000..0cfa4a93ac Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000EcJx_0EMQk00000C91kM.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000FAYX_0EMQk00000CAOoY.png b/docs/kb/endpointprotector/images/ka0Qk000000FAYX_0EMQk00000CAOoY.png new file mode 100644 index 0000000000..134490a92a Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000FAYX_0EMQk00000CAOoY.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000FAYX_0EMQk00000CAPiz.png b/docs/kb/endpointprotector/images/ka0Qk000000FAYX_0EMQk00000CAPiz.png new file mode 100644 index 0000000000..52f67110b4 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000FAYX_0EMQk00000CAPiz.png differ 
diff --git a/docs/kb/endpointprotector/images/ka0Qk000000FAYX_0EMQk00000DgyY9.png b/docs/kb/endpointprotector/images/ka0Qk000000FAYX_0EMQk00000DgyY9.png new file mode 100644 index 0000000000..721864904b Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000FAYX_0EMQk00000DgyY9.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000FAdN_0EMQk00000Dgxc5.png b/docs/kb/endpointprotector/images/ka0Qk000000FAdN_0EMQk00000Dgxc5.png new file mode 100644 index 0000000000..1c9e350b73 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000FAdN_0EMQk00000Dgxc5.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000FFRl_0EMQk00000C7FeY.png b/docs/kb/endpointprotector/images/ka0Qk000000FFRl_0EMQk00000C7FeY.png new file mode 100644 index 0000000000..d67276b3fd Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000FFRl_0EMQk00000C7FeY.png differ diff --git a/docs/kb/endpointprotector/images/ka0Qk000000FKT3_0EMQk00000CAP34.png b/docs/kb/endpointprotector/images/ka0Qk000000FKT3_0EMQk00000CAP34.png new file mode 100644 index 0000000000..8bc58fcdc9 Binary files /dev/null and b/docs/kb/endpointprotector/images/ka0Qk000000FKT3_0EMQk00000CAP34.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_01861a9421d2.png b/docs/kb/endpointprotector/images/servlet_image_01861a9421d2.png new file mode 100644 index 0000000000..f6b8ffea2a Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_01861a9421d2.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_055f8013da42.png b/docs/kb/endpointprotector/images/servlet_image_055f8013da42.png new file mode 100644 index 0000000000..baa25045b3 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_055f8013da42.png differ 
diff --git a/docs/kb/endpointprotector/images/servlet_image_06bccc2709d5.png b/docs/kb/endpointprotector/images/servlet_image_06bccc2709d5.png new file mode 100644 index 0000000000..2270de63d3 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_06bccc2709d5.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_089dc363ae67.png b/docs/kb/endpointprotector/images/servlet_image_089dc363ae67.png new file mode 100644 index 0000000000..5ca71f3ab3 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_089dc363ae67.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_13588715e752.png b/docs/kb/endpointprotector/images/servlet_image_13588715e752.png new file mode 100644 index 0000000000..5314ad62b0 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_13588715e752.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_138e8d943c1b.png b/docs/kb/endpointprotector/images/servlet_image_138e8d943c1b.png new file mode 100644 index 0000000000..46606c5301 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_138e8d943c1b.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_18cc5d89ac43.png b/docs/kb/endpointprotector/images/servlet_image_18cc5d89ac43.png new file mode 100644 index 0000000000..8d220596e6 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_18cc5d89ac43.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_1a8a53e40ad6.png b/docs/kb/endpointprotector/images/servlet_image_1a8a53e40ad6.png new file mode 100644 index 0000000000..7c4687e28b Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_1a8a53e40ad6.png differ 
diff --git a/docs/kb/endpointprotector/images/servlet_image_1e592ef62413.png b/docs/kb/endpointprotector/images/servlet_image_1e592ef62413.png new file mode 100644 index 0000000000..6029b6aca5 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_1e592ef62413.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_1ec78e31c389.png b/docs/kb/endpointprotector/images/servlet_image_1ec78e31c389.png new file mode 100644 index 0000000000..2cc34f00f3 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_1ec78e31c389.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_263da6ad1bf4.png b/docs/kb/endpointprotector/images/servlet_image_263da6ad1bf4.png new file mode 100644 index 0000000000..a7c6708047 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_263da6ad1bf4.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_2ab25cdeee54.png b/docs/kb/endpointprotector/images/servlet_image_2ab25cdeee54.png new file mode 100644 index 0000000000..7b172d58c0 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_2ab25cdeee54.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_2f2abfe498d8.png b/docs/kb/endpointprotector/images/servlet_image_2f2abfe498d8.png new file mode 100644 index 0000000000..687c7be480 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_2f2abfe498d8.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_3f1c3b331cfe.png b/docs/kb/endpointprotector/images/servlet_image_3f1c3b331cfe.png new file mode 100644 index 0000000000..ac39f4e815 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_3f1c3b331cfe.png differ 
diff --git a/docs/kb/endpointprotector/images/servlet_image_40736f16d061.png b/docs/kb/endpointprotector/images/servlet_image_40736f16d061.png new file mode 100644 index 0000000000..da0b4f7c1c Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_40736f16d061.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_5271b231d0a2.png b/docs/kb/endpointprotector/images/servlet_image_5271b231d0a2.png new file mode 100644 index 0000000000..e68a52bd1d Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_5271b231d0a2.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_5840481544b9.png b/docs/kb/endpointprotector/images/servlet_image_5840481544b9.png new file mode 100644 index 0000000000..5c411d53e9 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_5840481544b9.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_5843306691b5.png b/docs/kb/endpointprotector/images/servlet_image_5843306691b5.png new file mode 100644 index 0000000000..a39738e713 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_5843306691b5.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_60b30f91932d.png b/docs/kb/endpointprotector/images/servlet_image_60b30f91932d.png new file mode 100644 index 0000000000..9f98689200 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_60b30f91932d.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_618265510504.png b/docs/kb/endpointprotector/images/servlet_image_618265510504.png new file mode 100644 index 0000000000..1fec050b91 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_618265510504.png differ 
diff --git a/docs/kb/endpointprotector/images/servlet_image_65b2f6cd5406.png b/docs/kb/endpointprotector/images/servlet_image_65b2f6cd5406.png new file mode 100644 index 0000000000..a97cb40c2b Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_65b2f6cd5406.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_6bd0b54ef795.png b/docs/kb/endpointprotector/images/servlet_image_6bd0b54ef795.png new file mode 100644 index 0000000000..fc1e0bd287 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_6bd0b54ef795.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_72f774ab3bed.png b/docs/kb/endpointprotector/images/servlet_image_72f774ab3bed.png new file mode 100644 index 0000000000..9b4005efdd Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_72f774ab3bed.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_744e12be3cff.png b/docs/kb/endpointprotector/images/servlet_image_744e12be3cff.png new file mode 100644 index 0000000000..636fa5190f Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_744e12be3cff.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_7abe59223977.png b/docs/kb/endpointprotector/images/servlet_image_7abe59223977.png new file mode 100644 index 0000000000..7bea5493ed Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_7abe59223977.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_7fc401abe1e3.png b/docs/kb/endpointprotector/images/servlet_image_7fc401abe1e3.png new file mode 100644 index 0000000000..2db6348a3a Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_7fc401abe1e3.png differ 
diff --git a/docs/kb/endpointprotector/images/servlet_image_823648e31f8f.png b/docs/kb/endpointprotector/images/servlet_image_823648e31f8f.png new file mode 100644 index 0000000000..767440e438 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_823648e31f8f.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_8cfbf5692849.png b/docs/kb/endpointprotector/images/servlet_image_8cfbf5692849.png new file mode 100644 index 0000000000..d714075180 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_8cfbf5692849.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_8da7245d9529.png b/docs/kb/endpointprotector/images/servlet_image_8da7245d9529.png new file mode 100644 index 0000000000..008c567c43 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_8da7245d9529.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_910151bbafe1.png b/docs/kb/endpointprotector/images/servlet_image_910151bbafe1.png new file mode 100644 index 0000000000..250f16e7e6 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_910151bbafe1.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_96e38073d295.png b/docs/kb/endpointprotector/images/servlet_image_96e38073d295.png new file mode 100644 index 0000000000..f40f20afc3 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_96e38073d295.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_97c005a48040.png b/docs/kb/endpointprotector/images/servlet_image_97c005a48040.png new file mode 100644 index 0000000000..4c26cd339c Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_97c005a48040.png differ 
diff --git a/docs/kb/endpointprotector/images/servlet_image_9aa4123f77f5.png b/docs/kb/endpointprotector/images/servlet_image_9aa4123f77f5.png new file mode 100644 index 0000000000..49a8a18072 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_9aa4123f77f5.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_9e6a518233f7.png b/docs/kb/endpointprotector/images/servlet_image_9e6a518233f7.png new file mode 100644 index 0000000000..300ccbd78b Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_9e6a518233f7.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_a0bcad6af822.png b/docs/kb/endpointprotector/images/servlet_image_a0bcad6af822.png new file mode 100644 index 0000000000..5a62c73a0c Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_a0bcad6af822.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_b9e7bd968d5d.png b/docs/kb/endpointprotector/images/servlet_image_b9e7bd968d5d.png new file mode 100644 index 0000000000..f5b94d4059 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_b9e7bd968d5d.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_baa2795f8fd3.png b/docs/kb/endpointprotector/images/servlet_image_baa2795f8fd3.png new file mode 100644 index 0000000000..5d0ae71adb Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_baa2795f8fd3.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_bd860b27c3ec.png b/docs/kb/endpointprotector/images/servlet_image_bd860b27c3ec.png new file mode 100644 index 0000000000..da0b4f7c1c Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_bd860b27c3ec.png differ 
diff --git a/docs/kb/endpointprotector/images/servlet_image_c1cc54905886.png b/docs/kb/endpointprotector/images/servlet_image_c1cc54905886.png new file mode 100644 index 0000000000..7bf5f8f1cf Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_c1cc54905886.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_cc8577ae8f6b.png b/docs/kb/endpointprotector/images/servlet_image_cc8577ae8f6b.png new file mode 100644 index 0000000000..993a5b36cf Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_cc8577ae8f6b.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_d1e926f5d4e6.png b/docs/kb/endpointprotector/images/servlet_image_d1e926f5d4e6.png new file mode 100644 index 0000000000..4bd6d7f9c2 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_d1e926f5d4e6.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_d669c51c8b7d.png b/docs/kb/endpointprotector/images/servlet_image_d669c51c8b7d.png new file mode 100644 index 0000000000..78c0f0c86b Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_d669c51c8b7d.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_df060b1c08ad.png b/docs/kb/endpointprotector/images/servlet_image_df060b1c08ad.png new file mode 100644 index 0000000000..7bea5493ed Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_df060b1c08ad.png differ diff --git a/docs/kb/endpointprotector/images/servlet_image_e95427bb0c8e.png b/docs/kb/endpointprotector/images/servlet_image_e95427bb0c8e.png new file mode 100644 index 0000000000..4fb0aa96bd Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_e95427bb0c8e.png differ 
diff --git a/docs/kb/endpointprotector/images/servlet_image_e9d389c827d7.png b/docs/kb/endpointprotector/images/servlet_image_e9d389c827d7.png new file mode 100644 index 0000000000..b910b3fe24 Binary files /dev/null and b/docs/kb/endpointprotector/images/servlet_image_e9d389c827d7.png differ diff --git a/docs/kb/endpointprotector/impact-of-spectre-and-meltdown-on-endpoint-protector-deployments.md b/docs/kb/endpointprotector/impact-of-spectre-and-meltdown-on-endpoint-protector-deployments.md new file mode 100644 index 0000000000..c433d35f48 --- /dev/null +++ b/docs/kb/endpointprotector/impact-of-spectre-and-meltdown-on-endpoint-protector-deployments.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Explains how the Spectre and Meltdown processor vulnerabilities affect Netwrix + Endpoint Protector deployments and provides guidance for appliances, virtual + appliances, and endpoints. +keywords: + - Spectre + - Meltdown + - CVE-2017-5753 + - CVE-2017-5754 + - Ubuntu + - VMware ESXi + - patches + - Endpoint Protector + - hypervisor +products: + - endpoint-protector +visibility: public +sidebar_label: Impact of Spectre and Meltdown on Endpoint Protect +tags: [] +title: "Impact of Spectre and Meltdown on Endpoint Protector Deployments" +knowledge_article_id: kA0Qk0000002B93KAE +--- + +# Impact of Spectre and Meltdown on Endpoint Protector Deployments + +## Overview + +Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) are processor vulnerabilities that can be exploited by malicious applications running locally on affected systems. As of February 9, 2018, there have been no reported cases of these vulnerabilities being exploited in the wild. + +As a Netwrix Endpoint Protector user, you may be indirectly affected by Spectre and Meltdown. The Netwrix Endpoint Protector server typically runs as a Virtual Appliance or as a Hardware Appliance. + +## Instructions + +- Netwrix Endpoint Protector Hardware Appliance: Contact Netwrix Support to apply the latest patches to the Ubuntu operating system. +- Netwrix Endpoint Protector Virtual Appliance: Patch your hypervisor (such as VMware ESXi) to address these vulnerabilities. +- Endpoints running the Netwrix Endpoint Protector Agent/Client: Follow the update procedures provided by your operating system vendor to address these vulnerabilities. + +Operating systems like Ubuntu have released and continue to release patches to address these vulnerabilities. 
For more information on how Ubuntu is addressing Spectre and Meltdown, see: + +Meltdown, Spectre and Ubuntu: What You Need to Know ⸱ Ubuntu — https://ubuntu.com/blog/meltdown-spectre-and-ubuntu-what-you-need-to-know + +New Netwrix Endpoint Protector Hardware Appliances ship with the latest patches. For older appliances, please contact Netwrix Support for assistance. diff --git a/docs/kb/endpointprotector/install-globalsign-and-digicert-root-certificates-on-windows.md b/docs/kb/endpointprotector/install-globalsign-and-digicert-root-certificates-on-windows.md new file mode 100644 index 0000000000..cd7008c8ad --- /dev/null +++ b/docs/kb/endpointprotector/install-globalsign-and-digicert-root-certificates-on-windows.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Shows how to install GlobalSign and DigiCert root certificates on Windows to + resolve digital signature errors when installing the Netwrix Endpoint + Protector Client and components. +keywords: + - GlobalSign + - DigiCert + - root certificates + - Windows + - digital signature + - Netwrix Endpoint Protector + - EPPNotifier.exe + - Trusted Root Certification Authorities +products: + - endpoint-protector +sidebar_label: "Install GlobalSign and DigiCert Root Certificates on Windows" +tags: [] +title: "Install GlobalSign and DigiCert Root Certificates on Windows" +knowledge_article_id: kA0Qk0000002BFZKA2 +--- + +# Install GlobalSign and DigiCert Root Certificates on Windows + +## Overview + +This article explains how to install GlobalSign and DigiCert root certificates on Windows. These certificates may be required if you encounter digital signature errors when installing the Netwrix Endpoint Protector Client. The following error messages may populate: + +- "A digitally signed driver is required" +- "Microsoft Defender SmartScreen prevented an unrecognized app from starting" + +Installing the correct root certificates ensures that Windows recognizes the digital signatures used by Netwrix Endpoint Protector components. + +## Instructions + +1. To verify if the required GlobalSign root certificate is present, navigate to `Program Files\Cososys\EPPNotifier.exe`. +2. Right-click **EPPNotifier.exe** and select **Properties**. +3. Navigate to the **Digital Signatures** tab and select the certificate then click **Details**. + ![Viewing digital signature details for EPPNotifier.exe](./images/ka0Qk000000ETF3_0EMQk00000C8rxt.png) +4. If the GlobalSign root certificate is missing, download it from the official GlobalSign website: + GlobalSign Root Certificates ⸱ GlobalSign ↗️ + https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates +5. 
Search for the certificate named **GlobalSign Root R3** then download and install it in the **Trusted Root Certification Authorities** store. +6. If required, check for the **GlobalSign Code Signing Root R45** certificate in the certificate store: + ![Checking for GlobalSign Code Signing Root R45 in certificate store](./images/ka0Qk000000ETF3_0EMQk00000C8rLD.png) +7. For digital signature time-stamping, ensure the **DigiCert Assured ID Root CA** certificate (valid until 10 November 2031) is trusted. Download it from: + DigiCert Root Certificates ⸱ DigiCert ↗️ + https://www.digicert.com/kb/digicert-root-certificates.htm + +## Related Links + +- GlobalSign Root Certificates ⸱ GlobalSign ↗️ + https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates +- DigiCert Root Certificates ⸱ DigiCert ↗️ + https://www.digicert.com/kb/digicert-root-certificates.htm diff --git a/docs/kb/endpointprotector/install_client_on_macos_with_deep_packet_inspection_and_vpn_traffic_intercept.md b/docs/kb/endpointprotector/install_client_on_macos_with_deep_packet_inspection_and_vpn_traffic_intercept.md new file mode 100644 index 0000000000..50f7580ed1 --- /dev/null +++ b/docs/kb/endpointprotector/install_client_on_macos_with_deep_packet_inspection_and_vpn_traffic_intercept.md 
@@ -0,0 +1,75 @@ +--- +description: >- + This article explains how to ensure all prerequisites are in place and how to install the Endpoint Protector (EPP) Client on macOS endpoints with Deep Packet Inspection (DPI) and VPN Traffic Intercept active. +keywords: + - Endpoint Protector + - macOS installation + - Deep Packet Inspection + - VPN Traffic Intercept + - client software +sidebar_label: Install EPP Client on macOS +tags: [] +title: "Install Client on macOS with Deep Packet Inspection and VPN Traffic Intercept" +knowledge_article_id: kA0Qk0000002B64KAE +products: + - endpoint-protector +--- + +# Install Client on macOS with Deep Packet Inspection and VPN Traffic Intercept + +## Overview + +This article explains how to ensure all prerequisites are in place and how to install the Endpoint Protector (EPP) Client on macOS endpoints with Deep Packet Inspection (DPI) and VPN Traffic Intercept active. + +## Instructions + +1. In the Endpoint Protector console, navigate to **System Configuration** > **Client Software** and download the macOS **Endpoint Protector Agent**. + ![Installation on macOS with Deep Packet Inspection and VPN Traffic Intercept Active](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Admin/SystemConfiguration/ClientInstallationiOS.png?_LANG=enus) + +2. Unzip the downloaded file. + +3. Open the **.pkg** file. + +4. Follow the installation steps and grant the requested permissions. + +5. After installation, go to **System Preferences** > **Security & Privacy** > **Privacy** tab > **Full Disk Access**. Search for **Endpoint Protector Client**. Select the checkbox and then save the changes. + ![Grant permission to the Endpoint Protector Client](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Requirements/EPPAgentPermisions.png?_LANG=enus) + +6. 
In the Endpoint Protector console, navigate to **Device Control** > **Users/Computer/Group/Global Settings** > **Manage Settings** > **Endpoint Protector Client** > **Deep Packet Inspection** to enable DPI. + ![Activating Deep Packet Inspection](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Admin/DeviceControl/DPIon.png?_LANG=enus) + +7. Once enabled, go to **System Configuration** > **System Settings** > **Deep Packet Inspection Certificate** and download the **CA Certificate**. + ![Download the Client CA Certificates](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Admin/SystemConfiguration/DPIcertificate.png?_LANG=enus) + +8. Open the **Keychain Access** application on your macOS and select **System**. + ![Open the Keychain Access application from your macOS and select System](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Requirements/KeychainAccess.png?_LANG=enus) + +9. Unzip the downloaded **ClientCerts** file. + +10. Select the `cacert.pem` file and drag then drop it into **Keychain Access > System**. + ![Select cacert.pem file and drag and drop it on Keychain Access, System](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Requirements/ClientCerts.png?_LANG=enus) + +11. Double-click the newly added certificate and select **Always Trust**. + ![On the newly added certificate and on the Trust section, select Always Trust.](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Requirements/KeychainAccessTwo.png?_LANG=enus) + +12. **Save** the changes. + +13. In **Device Control > Global Settings**, enable **Intercept VPN Traffic**. 
+ ![Activate Intercept VPN Traffic](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Admin/DeviceControl/InterceptVPNTraffic.png?_LANG=enus) + +14. Select one option for **EPP behavior when network extension is disabled**: + - **Temporarily Disable Deep Packet Inspection** – This option will temporarily disable Deep Packet Inspection. + - **Block Internet Access** – This option will end the Internet connection until the end user approves the **Endpoint Protector Proxy Configuration** once the computer is rebooted. + +15. **Save** the changes. + +16. A pop-up will be displayed informing the end user that a System Extension is blocked and needs to be allowed. + ![System Extension is blocked and needs to be allowed](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Requirements/SystemExtensionBlocked.png?_LANG=enus) + +17. Go to **System Preferences** > **Security and Privacy** > **General** tab and **allow** the **Endpoint Protector Client Extension**. + ![Select the General tab and allow the Endpoint Protector Client Extension](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Requirements/GeneralTabIOS.png?_LANG=enus) + +18. **Allow** the **Endpoint Protector Proxy Configuration** from the pop-up window. + ![Allow the Endpoint Protector Proxy Configuration from the pop-up window](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4/page/Content/Resources/Images/EndpointProtector/Requirements/ProxyPop-up.png?_LANG=enus) + +> **NOTE:** If EPPNotifier is not visible or notifications do not display after the installation or upgrade of the Endpoint Protector Client on macOS, restart your machine. If the Endpoint Protector Client is installed and then uninstalled on macOS, you may still see EPPNotifier in the Notification settings. 
To remove it from the list, right-click and select "Reset notifications."" \ No newline at end of file diff --git a/docs/kb/endpointprotector/install_the_linux_client.md b/docs/kb/endpointprotector/install_the_linux_client.md new file mode 100644 index 0000000000..ead54b7d28 --- /dev/null +++ b/docs/kb/endpointprotector/install_the_linux_client.md @@ -0,0 +1,41 @@ +--- +description: >- + This article provides step-by-step instructions for installing the Endpoint Protector Linux client. +keywords: + - Endpoint Protector + - Linux client + - installation +sidebar_label: Install Linux Client +tags: [] +title: "How to Install the Endpoint Protector Linux Client" +knowledge_article_id: kA0Qk0000002B6vKAE +products: + - endpoint-protector +--- + +# How to Install the Endpoint Protector Linux Client + +## Overview + +This article provides step-by-step instructions for installing the Endpoint Protector Linux client. + +## Instructions + +To install the Endpoint Protector Linux Client, follow the steps below: + +1. Request the Linux client by raising a ticket in the [Support Portal](https://www.netwrix.com/support.html). Specify the required Linux distribution. +2. After downloading and extracting the client, edit the **options.sh** file. +3. Remove the `#` character from the following six lines: + + ```plaintext + #EPPCLIENT_WS_SERVER=set.this.to.the.endpointprotector.server.com + #export EPPCLIENT_WS_SERVER + #EPPCLIENT_WS_PORT=443 + #export EPPCLIENT_WS_PORT + #EPPCLIENT_DEPARTMENT_CODE=defdep + #export EPPCLIENT_DEPARTMENT_CODE + ``` + +4. Additionally, replace `set.this.to.the.endpointprotector.server.com` with the Endpoint Protector Server IP address or FQDN/DNS. +5. Save the modified **options.sh** file. +6. Install the client by running the **install.sh** file. \ No newline at end of file 
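Review bot: in install_the_linux_client.md, step 6 runs install.sh from a package received through a support ticket, and nothing in steps 1 to 6 checks the package first or confirms the result afterwards. Consider adding a step before step 6 that verifies the archive against a checksum or signature, if Support supplies one with the ticket. A closing step should confirm the endpoint appears in the console, as the proxy-install articles in this patch do with **Device Control** > **Computers**. Step 4 ("Additionally, replace ...") reads better folded into step 3, because the placeholder is on the first of the six lines being uncommented. The steps should also say whether EPPCLIENT_DEPARTMENT_CODE=defdep is meant to be left as is. The file ends without a trailing newline.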
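Review bot: in install_client_on_macos_with_deep_packet_inspection_and_vpn_traffic_intercept.md, steps 10 and 11 add cacert.pem to the System keychain and set it to **Always Trust** without saying what that trust is for or how to confirm the file is the one downloaded in step 7. Suggest one sentence stating that this is the Deep Packet Inspection CA from **System Configuration** > **System Settings**, plus a check of the certificate details before trusting it. Smaller points: the closing NOTE ends with a stray quote ("Reset notifications.""), step 5 writes **Security & Privacy** while step 17 writes **Security and Privacy**, every screenshot is hotlinked to the helpcenter-be.netwrix.com EndpointProtector_5.9.4 bundle while the other articles in this patch use local ./images/ files, and the file ends without a trailing newline.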
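Review bot: in install-globalsign-and-digicert-root-certificates-on-windows.md, steps 4, 5 and 7 have the reader download root certificates and install them into **Trusted Root Certification Authorities** with no step that confirms the downloaded file is genuine. Suggest adding a check of the certificate's thumbprint against the value the vendor publishes on the linked page before it is installed, since anything placed in that store is trusted system-wide. Step 7 names the DigiCert certificate but, unlike step 5, not the store it goes into. Step 6 says "If required" without saying when it is required. Step 1 says to "navigate to" `Program Files\Cososys\EPPNotifier.exe`, which is a file rather than a folder. "may populate" in the Overview should be "may appear", and the Related Links section repeats the two URLs already given in steps 4 and 7.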
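Review bot: in impact-of-spectre-and-meltdown-on-endpoint-protector-deployments.md, the Overview names CVE-2017-5715 but the keywords list only CVE-2017-5753 and CVE-2017-5754; add the third so all three are listed. The sentence "As of February 9, 2018, there have been no reported cases ..." is a dated claim inside a newly added file, so either give the article an explicit original publication date or drop the sentence. The sidebar_label is cut off ("Impact of Spectre and Meltdown on Endpoint Protect"). The Ubuntu link in the Instructions section is bare text with a URL after it, where the other articles in this patch use Markdown links.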
diff --git a/docs/kb/endpointprotector/installing-a-monitoring-agent-on-the-virtual-appliance.md b/docs/kb/endpointprotector/installing-a-monitoring-agent-on-the-virtual-appliance.md new file mode 100644 index 0000000000..798f3e91f1 --- /dev/null +++ b/docs/kb/endpointprotector/installing-a-monitoring-agent-on-the-virtual-appliance.md @@ -0,0 +1,34 @@ +--- +description: >- + This article explains what you need and what to expect when you install a + monitoring agent on the virtual appliance, including NDA and support + considerations. +keywords: + - monitoring agent + - virtual appliance + - NDA + - Support Portal + - third-party software + - Endpoint Protector + - Netwrix Support + - installation + - troubleshooting +products: + - endpoint-protector +sidebar_label: Installing a Monitoring Agent on the Virtual Appli +tags: [] +title: "Installing a Monitoring Agent on the Virtual Appliance" +knowledge_article_id: kA0Qk0000002B2vKAE +--- + +# Installing a Monitoring Agent on the Virtual Appliance + +## Overview + +This article explains what you need and what to expect when you install a monitoring agent on the virtual appliance. + +## Instructions + +- To install any software on the server, you must sign an additional non-disclosure agreement (NDA) disclaimer. To start the process, please reach out to Netwrix Support via the [Support Portal](https://www.netwrix.com/support.html). +- Third-party software is not officially supported on the server. If issues occur, you will receive best endeavor support only. +- If you experience a problem, you will be asked to uninstall any third-party software and verify whether the problem persists before Netwrix Technical Support begins any investigation. diff --git a/docs/kb/endpointprotector/installing-the-agent-with-proxy-settings-on-macos.md b/docs/kb/endpointprotector/installing-the-agent-with-proxy-settings-on-macos.md new file mode 100644 index 0000000000..e4389413e0 --- /dev/null 
+++ b/docs/kb/endpointprotector/installing-the-agent-with-proxy-settings-on-macos.md @@ -0,0 +1,41 @@ +--- +description: >- + This article explains how to install the Netwrix Endpoint Protector (EPP) + agent on macOS when you use a proxy server, and how to configure proxy + settings so the agent can communicate through your proxy environment. +keywords: + - Netwrix Endpoint Protector + - macOS + - proxy + - agent installation + - EPP + - proxy authentication + - Device Control + - Computers +products: + - endpoint-protector +sidebar_label: Installing the Agent with Proxy Settings on MacOS +tags: [] +title: "Installing the Agent with Proxy Settings on MacOS" +knowledge_article_id: kA0Qk0000002B5vKAE +--- + +# Installing the Agent with Proxy Settings on MacOS + +## Overview + +This article explains how to install the Netwrix Endpoint Protector (EPP) agent on macOS when you use a proxy server. Proper configuration ensures the agent can communicate through your proxy environment. + +## Instructions + +Follow the steps below to install the EPP agent with proxy settings on macOS: + +1. Download the installer from the **Netwrix Endpoint Protector Web Console**. +2. Run the package using an administrator account. Alternatively, you can start the installation from the Terminal using `sudo` rights. +3. During the installation process, when you reach the **Proxy Settings** section, select **Use Manual Settings** and fill in the required fields. +4. If your proxy requires authentication, enter valid credentials in the appropriate fields. +5. You can enter a proxy IP address, DNS name, or fully qualified domain name (FQDN) in the proxy IP field. + +![ ](images/ka0Qk000000Dein_0EMQk00000CV0zJ.png) + +6. After installation is complete, wait a few minutes for processing. Then, verify that the computer appears in the **Device Control** > **Computers** section of the **Netwrix Endpoint Protector Web Console**. 
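Review bot: in installing-the-agent-with-proxy-settings-on-macos.md, the screenshot between steps 5 and 6 has blank alt text (`![ ](images/ka0Qk000000Dein_0EMQk00000CV0zJ.png)`) and is not indented under a step, so it splits the numbered list in two. Give it descriptive alt text, indent it under the step it illustrates, and use the ./images/ prefix that the other articles in this patch use. Step 4 asks for proxy credentials during installation; it would help to state which fields are meant and whether the values can be changed after install. Step 2 mentions starting the installation from the Terminal with `sudo` but does not show the command. The title and sidebar_label write "MacOS" while the description and body write "macOS".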
diff --git a/docs/kb/endpointprotector/installing-the-agent-with-proxy-settings-on-windows.md b/docs/kb/endpointprotector/installing-the-agent-with-proxy-settings-on-windows.md new file mode 100644 index 0000000000..fe8474dceb --- /dev/null +++ b/docs/kb/endpointprotector/installing-the-agent-with-proxy-settings-on-windows.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Use this article to install the Netwrix Endpoint Protector agent on Windows in + environments that require a proxy. It explains the proxy settings to enter + during installation and how to verify the agent appears in the console. +keywords: + - endpoint protector + - proxy + - agent installation + - proxy authentication + - Windows + - EPP + - web console + - device control +products: + - endpoint-protector +sidebar_label: Installing the Agent with Proxy Settings on Window +tags: [] +title: "Installing the Agent with Proxy Settings on Windows" +knowledge_article_id: kA0Qk0000002B6OKAU +--- + +# Installing the Agent with Proxy Settings on Windows + +## Overview + +This article explains how to install the Netwrix Endpoint Protector (EPP) agent on Windows when using a proxy server. Proper configuration ensures the agent can communicate through your proxy environment. + +## Instructions + +Follow the steps below to install the EPP agent with proxy settings on Windows: + +1. Download the installer from the **Netwrix Endpoint Protector (EPP) Web Console**. +2. Run the setup with administrative rights. +3. During the installation process, when you reach the **Proxy Settings** section, select **Use Manual Settings** and fill in the required fields. +4. If your proxy requires authentication, enter valid credentials in the appropriate fields. +5. You can enter a proxy IP address, DNS name, or fully qualified domain name (`FQDN`) in the `proxy IP` field. + +6. After installation is complete, wait a few minutes for processing. Then, check the **Device Control** > **Computers** section in the Netwrix Endpoint Protector Web Console to verify that the computer has been added to the list. diff --git a/docs/kb/endpointprotector/installing_the_agent_with_proxy_settings_on_linux.md b/docs/kb/endpointprotector/installing_the_agent_with_proxy_settings_on_linux.md new file mode 100644 index 0000000000..0cefaf792c --- /dev/null 
+++ b/docs/kb/endpointprotector/installing_the_agent_with_proxy_settings_on_linux.md @@ -0,0 +1,29 @@ +--- +description: >- + This article explains how to install the Endpoint Protector agent on a Linux system that uses a proxy server. +keywords: + - Endpoint Protector + - Linux + - proxy settings +sidebar_label: Installing the Agent with Proxy Settings +tags: [] +title: "Installing the Agent with Proxy Settings on Linux" +knowledge_article_id: kA0Qk0000002B2iKAE +products: + - endpoint-protector +--- + +# Installing the Agent with Proxy Settings on Linux + +## Overview + +This article explains how to install the Endpoint Protector agent on a Linux system that uses a proxy server. Follow these steps to ensure the agent is configured to work with your proxy environment. + +## Instructions + +1. Download the installer provided by Netwrix Technical Support. +2. Unarchive the package and edit the `options.sh` file. +3. Locate the proxy settings section in `options.sh`. +4. Uncomment the last two lines and add your proxy settings as described in the first two comment lines. The proxy address can use a DNS name or Fully Qualified Domain Name (FQDN). +5. Run the `install.sh` script. +6. Once the installation is complete, open the applications menu and click **Endpoint Protector**. Wait a few minutes, then check the Endpoint Protector Web Console in **Device Control** > **Computers** to verify that the computer has been added to the list. \ No newline at end of file diff --git a/docs/kb/endpointprotector/locate-logs-in-content-aware-report-when-using-partitions.md b/docs/kb/endpointprotector/locate-logs-in-content-aware-report-when-using-partitions.md new file mode 100644 index 0000000000..f6743d7876 --- /dev/null +++ b/docs/kb/endpointprotector/locate-logs-in-content-aware-report-when-using-partitions.md 
@@ -0,0 +1,32 @@ +--- +description: >- + Learn how to locate logs in the Content Aware Report when partitions are used + so you can find results that may be stored on a different partition. +keywords: + - Content Aware Report + - partitions + - logs + - filter by date + - Endpoint Protector + - log partition + - report results +products: + - endpoint-protector +sidebar_label: Locate Logs in Content Aware Report When Using Par +tags: [] +title: "Locate Logs in Content Aware Report When Using Partitions" +knowledge_article_id: kA0Qk0000002B5wKAE +--- + +# Locate Logs in Content Aware Report When Using Partitions + +## Overview + +This article explains how to locate logs in the **Content Aware Report** when partitions are used. When you filter by specific dates, you may not see any results if the logs are stored on a different partition. + +## Instructions + +1. If no results are shown when filtering by date in the **Content Aware Report**, check which partition is currently selected. +2. Select the partition that corresponds to the time interval you are searching for to view the relevant logs. + +![Screenshot showing no results in Content Aware Report when filtering by date](./images/ka0Qk000000E7Pp_0EMQk00000C51uD.png) diff --git a/docs/kb/endpointprotector/locating-the-default-username-and-password-for-the-reporting-and-administration-tool.md b/docs/kb/endpointprotector/locating-the-default-username-and-password-for-the-reporting-and-administration-tool.md new file mode 100644 index 0000000000..9ea8ff38b9 --- /dev/null +++ b/docs/kb/endpointprotector/locating-the-default-username-and-password-for-the-reporting-and-administration-tool.md 
@@ -0,0 +1,32 @@ +--- +description: >- + This article provides the default username and password for the Reporting and + Administration Tool and recommends changing them immediately after setup. +keywords: + - default username + - default password + - reporting and administration tool + - credentials + - root + - epp2011 + - endpoint protector +products: + - endpoint-protector +sidebar_label: Locating the Default Username and Password for the +tags: [] +title: "Locating the Default Username and Password for the Reporting and Administration Tool" +knowledge_article_id: kA0Qk0000002BNcKAM +--- + +# Locating the Default Username and Password for the Reporting and Administration Tool + +## Question +What is the default username and password for the Reporting and Administration Tool? + +## Answer +The default username and password for the Reporting and Administration Tool after setup are: + +- **Username:** `root` +- **Password:** `epp2011` + +> **IMPORTANT:** We strongly recommend that you change the default username and password immediately after system setup. diff --git a/docs/kb/endpointprotector/managing-enforced-encryption-and-file-tracing-settings.md b/docs/kb/endpointprotector/managing-enforced-encryption-and-file-tracing-settings.md new file mode 100644 index 0000000000..be3496a5e9 --- /dev/null +++ b/docs/kb/endpointprotector/managing-enforced-encryption-and-file-tracing-settings.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Describes how to manage Enforced Encryption settings in Endpoint Protector, + including master password configuration, password complexity rules, and + Enforced Encryption file tracing (including Offline File Tracing and File + Shadowing). +keywords: + - endpoint-protector + - enforced-encryption + - file-tracing + - offline-file-tracing + - file-shadowing + - master-password + - EasyLock + - Device-Control + - Endpoint-Protector-Client + - auditing +products: + - endpoint-protector +sidebar_label: Managing Enforced Encryption and File Tracing Sett +tags: [] +title: "Managing Enforced Encryption and File Tracing Settings" +knowledge_article_id: kA0Qk0000002BCkKAM +--- + +# Managing Enforced Encryption and File Tracing Settings + +## Overview + +The **Enforced Encryption Settings** section in Endpoint Protector allows remote management of encrypted devices. Before you use these features, you must configure a master password. + +![Enforced Encryption Settings section in Endpoint Protector](./images/ka0Qk000000FAYX_0EMQk00000CAOoY.png) + +Within the **Settings** section, you can configure the master password, enable Enforced Encryption file tracing, and define whether Enforced Encryption can be installed and executed only on computers with the Endpoint Protector Client present. + +Complex password rules can be enforced for both the master password and user password. If enabled, you can set password length, minimum character requirements, validity period, password history, and other settings. + +![Password complexity settings for Enforced Encryption](./images/ka0Qk000000FAYX_0EMQk00000CAPiz.png) + +## File Tracing Settings + +Endpoint Protector allows tracing of files copied and encrypted on portable devices using Enforced Encryption. 
+ +You can activate this option from **Enforced Encryption** > **EasyLock** > **Settings** > **File Tracing/Offline File Tracing.** + +![File Tracing and Offline File Tracing settings in EasyLock](./images/ka0Qk000000FAYX_0EMQk00000DgyY9.png) + +By enabling the **File Tracing** option, all data transferred to and from devices using Enforced Encryption is recorded and logged for auditing. If the Endpoint Protector Client is present, the logged information is automatically sent to the Endpoint Protector Server. This occurs regardless of whether File Tracing is enabled for that specific computer in the **Device Control** module. + +If the Endpoint Protector Client is not present, the information is stored locally in an encrypted format on the device and will be sent later from any computer with the Endpoint Protector Client installed. + +The **Offline File Tracing** option extends this functionality by storing information directly on the device before it is sent to the Endpoint Protector Server. The list of copied files is sent the next time the device is plugged in and the Endpoint Protector Client is present and communicating with the server. + +Additionally, EasyLock performs file shadowing for files transferred if the Endpoint Protector Client is present and the **File Shadowing** option is enabled on the computer through the **Device Control** module. This is a real-time event, and no shadowing information is stored on the device. + +**NOTE:** Enabling global File Tracing does not automatically activate the File Tracing option on Enforced Encryption Trusted Device™ and vice versa. diff --git a/docs/kb/endpointprotector/managing-network-share-rights-in-device-control.md b/docs/kb/endpointprotector/managing-network-share-rights-in-device-control.md new file mode 100644 index 0000000000..150d066666 --- /dev/null +++ b/docs/kb/endpointprotector/managing-network-share-rights-in-device-control.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Learn how to locate and modify access rights for Network Shares in Endpoint + Protector Device Control. This article explains the permission model, priority + order, and specific restrictions that apply to Network Shares on Windows and + macOS. +keywords: + - network share + - device control + - Endpoint Protector + - network shares + - access rights + - permissions + - Windows + - macOS + - global settings + - manage rights +products: + - endpoint-protector +visibility: public +sidebar_label: Managing Network Share Rights in Device Control +tags: [] +title: "Managing Network Share Rights in Device Control" +knowledge_article_id: kA0Qk0000002BHBKA2 +--- + +# Managing Network Share Rights in Device Control + +## Overview + +Network Shares allow users to access shared folders and files over a network. In Endpoint Protector, you can manage access rights for Network Shares through the **Device Control** module, alongside other removable devices and peripheral ports. This feature is currently supported on Windows and macOS platforms. + +This article explains how to locate and modify rights for Network Shares at the global, group, computer, or user level. It also outlines the specific permissions and restrictions that apply to Network Shares, which differ from those for other device types. Use these instructions to help secure your organization’s data while providing appropriate access to shared network resources. + +## Instructions + +1. In the Endpoint Protector Console, navigate to **Device Control** > **Global**, **Group**, **Computer**, or **User Settings** > **Select Item** > **Manage Rights**. 
+ +If you configure device rights granularly for all entities, the priority order is as follows, starting with the highest: + +![Priority order for device rights in Endpoint Protector](./images/ka0Qk000000FAdN_0EMQk00000Dgxc5.png) + +If global rights indicate that no computer on the system has access to a specific device, and for one computer that device has been authorized, then that computer will have access to that device. + +## Network Share Behavior + +The intended behavior of a Network Share is slightly different from other devices with the same rights. Network Shares include the following permissions: + +- Files can be viewed on the Network Share. +- Files can be copied from the Network Share. +- Files cannot be deleted from the Network Share. +- Files cannot be renamed on the Network Share. +- Files cannot be copied to the Network Share. +- Files cannot be created on the Network Share. +- Files cannot be edited on the Network Share. diff --git a/docs/kb/endpointprotector/managing-system-administrators-and-administrator-groups.md b/docs/kb/endpointprotector/managing-system-administrators-and-administrator-groups.md new file mode 100644 index 0000000000..4f6f1fb2de --- /dev/null +++ b/docs/kb/endpointprotector/managing-system-administrators-and-administrator-groups.md 
@@ -0,0 +1,62 @@ +--- +description: >- + Shows how to view, create, and manage system administrators and administrator + groups in Netwrix Endpoint Protector, and how to configure related account + settings, roles, and two-factor authentication. +keywords: + - Netwrix Endpoint Protector + - system administrators + - administrator groups + - Super Administrator + - two-factor authentication + - roles and permissions + - Active Directory + - SSO +products: + - endpoint-protector +sidebar_label: Managing System Administrators and Administrator G +tags: [] +title: "Managing System Administrators and Administrator Groups" +knowledge_article_id: kA0Qk0000002BCTKA2 +--- + +# Managing System Administrators and Administrator Groups + +## Overview + +This article explains how to view, create, and manage system administrators and administrator groups in Netwrix Endpoint Protector. You can assign administrators different roles and permissions to control access to various modules and features. + +## Instructions + +### View or Manage Administrators + +1. In the Netwrix Endpoint Protector Console, navigate to **System Configuration** > **System Administrators**. + ![System Administrators section in Endpoint Protector](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4.2/page/Content/Resources/Images/EndpointProtector/Admin/SystemConfiguration/ClientUninstall.png?_LANG=enus) +2. To create a new administrator, click **Create** and provide the following details: + - Username and password + - Email address + - First and last name + - Phone number + - UI language +3. Configure account settings as needed: + - **Account is active:** Enable or disable the account. + - **Login Attempt Restrictions:** Set a timeout (5–10 minutes) after 5–10 unsuccessful login attempts. + - **Enforce login IP restrictions:** Restrict login attempts to specific IP addresses. + - **Require password change at next login:** Force the administrator to change their password at first login. 
+ +> **CAUTION:** The **Require password change at next login** setting is ignored if **Enforce All Administrator Password Security at Next Login** is enabled for Active Directory imported users or for SSO users (Azure and OKTA). + +4. Optional: Enable additional settings as needed: + - **Failed Login Alert:** Receive alerts for failed login attempts. + - **Schedule Exports Alert:** Receive alerts for scheduled exports. + - **Ignore AD Authentication:** Allow login using local EPP credentials. +5. To assign Super Administrator privileges, enable **Super Administrator**. This grants access to all departments and Netwrix Endpoint Protector sections. + ![Super Administrator Details](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4.2/page/Content/Resources/Images/EndpointProtector/Admin/SystemConfiguration/SuperAdministratorDetails.png?_LANG=enus) +6. To enforce two-factor authentication, enable **Two Factor Authentication** and configure Google Authenticator. +7. Assign the administrator to one or more departments or administrator groups as needed. +8. To manage administrator groups, go to **System Configuration** > **Administrators Groups**. + - Click **Create** to add a new group. + - Provide a group name, select roles, add a description, and assign administrators. + ![Administrators Groups](https://helpcenter-be.netwrix.com/bundle/EndpointProtector_5.9.4.2/page/Content/Resources/Images/EndpointProtector/Admin/SystemConfiguration/AdministratorsGroups.png?_LANG=enus) + +> **NOTE:** The **Read Only** role cannot be combined with any other roles. The **Support** section is always available to all administrators, regardless of assigned roles. diff --git a/docs/kb/endpointprotector/migrate_the_endpoint_protector_server_to_a_new_virtual_machine.md b/docs/kb/endpointprotector/migrate_the_endpoint_protector_server_to_a_new_virtual_machine.md new file mode 100644 index 0000000000..3dbbf9a62f --- /dev/null 
+++ b/docs/kb/endpointprotector/migrate_the_endpoint_protector_server_to_a_new_virtual_machine.md 
@@ -0,0 +1,50 @@ +--- +description: >- + This article explains how to migrate the Endpoint Protector Server to a new virtual machine (VM) while preserving your configuration and data. +keywords: + - Endpoint Protector + - migration + - virtual machine +sidebar_label: Migrate Endpoint Protector Server +tags: [] +title: "Migrate the Endpoint Protector Server to a New Virtual Machine" +knowledge_article_id: kA0Qk0000002B6DKAU +products: + - endpoint-protector +--- + +# Migrate the Endpoint Protector Server to a New Virtual Machine + +## Overview + +This article explains how to migrate the Endpoint Protector Server to a new virtual machine (VM). Follow these steps to ensure a smooth migration and preserve your configuration and data. + +## Instructions + +> **IMPORTANT:** Before updating, create a snapshot of the current VM. Additionally, if you require offline patches, provide your current version to Netwrix Technical Support to receive the necessary files. + +1. Download the new VM image from the following link: + [https://nwxcorp.sharepoint.com/sites/Netwrix-EPP-Product/SitePages/EPP-Server-Classic---image-downloand.aspx](https://nwxcorp.sharepoint.com/sites/Netwrix-EPP-Product/SitePages/EPP-Server-Classic---image-downloand.aspx) +2. Import the VM image into your environment. +3. In the Endpoint Protector web console, verify the current version in the lower right corner. +4. Activate the trial license on the new server. +5. Update both Endpoint Protector servers to match the version of the new server. You can use **Live Update** or offline patches. +6. On the old server, go to **System Maintenance** > **System backup V2**. +7. Click **Create**. +8. Name the backup and add a description. +9. Click **Save**. +10. Copy the **System Backup Key** to a notepad. +11. Click **Yes, I saved the System Backup Key**. +12. Allow the backup to finish. +13. Download the backup file. +14. On the new server, go to **System Maintenance** > **System backup V2**. +15. 
Click **Import and Restore (Migrate)**. +16. Click **Choose File** and select the backup created on the old server. +17. Add the **System Backup Key**. +18. Click **Import**. +19. Allow the import to finish. +20. Once the backup is imported, refresh the page and log in using your previous credentials. +21. Navigate to the **License** page to ensure your licenses are present. +22. After the import is complete, you can turn off the old VM and change the IP address of the new VM to match the old one. Perform this step from the VM console. + +If you need assistance during the migration process, raise a ticket with [Netwrix Technical Support](https://www.netwrix.com/support.html) for further guidance. \ No newline at end of file diff --git a/docs/kb/endpointprotector/missing-devices-in-the-client-list.md b/docs/kb/endpointprotector/missing-devices-in-the-client-list.md new file mode 100644 index 0000000000..5550556299 --- /dev/null +++ b/docs/kb/endpointprotector/missing-devices-in-the-client-list.md 
@@ -0,0 +1,36 @@ +--- +description: >- + Steps to diagnose and resolve issues where devices do not appear in the client + list for Netwrix Endpoint Protector by checking certificates and digital + signatures. +keywords: + - missing devices + - client list + - certificate + - GlobalSign + - certmgr.msc + - digital signature + - Netwrix Endpoint Protector + - troubleshooting + - support +products: + - endpoint-protector +sidebar_label: Missing Devices in the Client List +tags: [] +title: "Missing Devices in the Client List" +knowledge_article_id: kA0Qk0000002B4FKAU +--- + +# Missing Devices in the Client List + +## Overview + +This article outlines the steps to diagnose and resolve issues where devices do not appear in the client list for Netwrix Endpoint Protector. + +## Instructions + +1. Open Certificate Manager in Windows 10 by running `certmgr.msc` from the command prompt. +2. Under **Trusted Root Certification Authorities** > **Certificates**, check if GlobalSign certificates are present and take a screenshot. +3. If there is more than one GlobalSign certificate, right-click each one then **Properties**, and take a screenshot of the properties window. +4. Right-click the installer on the affected machine, select **Properties** then go to the **Digital Signatures** tab (if available), and take a screenshot. +5. Send all the above screenshots to Netwrix Technical Support (https://www.netwrix.com/support.html) and specify the client version running on the affected machines. diff --git a/docs/kb/endpointprotector/network-ports-for-endpoint-protector-server-and-client.md b/docs/kb/endpointprotector/network-ports-for-endpoint-protector-server-and-client.md new file mode 100644 index 0000000000..68709fc61c --- /dev/null +++ b/docs/kb/endpointprotector/network-ports-for-endpoint-protector-server-and-client.md 
@@ -0,0 +1,47 @@ +--- +description: >- + This article lists the network ports used by Netwrix Endpoint Protector Server + and Client and explains firewall configuration required to ensure proper + communication, updates, and Active Directory integration. +keywords: + - endpoint protector + - network ports + - firewall + - SSH + - LDAP + - HTTPS + - agent deployment + - client-server communication +products: + - endpoint-protector +sidebar_label: Network Ports for Endpoint Protector Server and Cl +tags: [] +title: "Network Ports for Endpoint Protector Server and Client" +knowledge_article_id: kA0Qk0000002BDyKAM +--- + +# Network Ports for Netwrix Endpoint Protector Server and Client + +## Overview + +This article summarizes the network ports used by Netwrix Endpoint Protector Server and Client. Ensuring these ports are open in your firewall is essential for proper communication, updates, and integration with other systems. + +> **NOTE:** The port for the user interface and the port for the Netwrix Endpoint Protector client can be separated. To configure this, you must contact Support and request a remote session to make the necessary changes in the backend. Please raise a ticket with [Netwrix Technical Support 🤝](https://www.netwrix.com/support.html). + +## Port Usage Details + +| Port | Purpose | Direction | Notes | +|------|---------|-----------|-------| +| `443` | HTTPS communication between Netwrix Endpoint Protector Server and Clients | Inbound to Server | Default port for client-server communication. Required for agent deployment and management. ![Default port 443 setting in Client Software download section](./images/ka0Qk000000FFRl_0EMQk00000C7FeY.png) | +| `22` | SSH (Support access) | Inbound to Server | Used by Netwrix Technical Support for remote intervention if required. Should be restricted to trusted sources. | +| `389` | Active Directory integration | Outbound from Server | Default port for LDAP communication with Active Directory. 
| + +## Firewall Configuration + +1. Ensure that ports `443`, `22`, and `389` are not blocked by your firewall as required for your deployment. +2. For remote or decentralized environments (e.g., server at a central site, remote employees), configure perimeter firewalls to allow traffic between the Netwrix Endpoint Protector Server and client networks. + +## Additional Information + +- SSH access (port `22`) should be enabled only when support intervention is required and restricted to trusted sources. +- All communication between Netwrix Endpoint Protector Server and Clients is encrypted over HTTPS (port `443`). diff --git a/docs/kb/endpointprotector/optical_character_recognition_(ocr)_not_working.md b/docs/kb/endpointprotector/optical_character_recognition_(ocr)_not_working.md new file mode 100644 index 0000000000..84088b7a40 --- /dev/null +++ b/docs/kb/endpointprotector/optical_character_recognition_(ocr)_not_working.md 
@@ -0,0 +1,30 @@ +--- +description: >- + This article explains why Optical Character Recognition (OCR) may not be functioning in Endpoint Protector and provides steps to resolve the issue. +keywords: + - Optical Character Recognition + - OCR issues + - Endpoint Protector +sidebar_label: OCR Not Working +tags: [] +title: "Optical Character Recognition (OCR) Not Working" +knowledge_article_id: kA0Qk0000002B2gKAE +products: + - endpoint-protector +--- + +# Optical Character Recognition (OCR) Not Working + +## Question + +Why is Optical Character Recognition (OCR) not working in Endpoint Protector? + +## Answer + +OCR may not be working in Endpoint Protector due to low image quality, insufficient resolution, poor contrast, or an outdated client version. + +To resolve OCR issues, follow the steps below: + +1. Ensure the image quality is high, with a recommended minimum of **150 dpi** (dots/pixels per inch). Good contrast in the image also improves OCR accuracy. +2. To check the dpi of an image on Windows, open the image in **Paint**, go to **File** > **Properties**, and review the **Resolution** field (in dpi). +3. Make sure you are using the latest version of the Endpoint Protector client. \ No newline at end of file diff --git a/docs/kb/endpointprotector/otp_device_code_compatibility.md b/docs/kb/endpointprotector/otp_device_code_compatibility.md new file mode 100644 index 0000000000..7b3097d7cc --- /dev/null +++ b/docs/kb/endpointprotector/otp_device_code_compatibility.md 
@@ -0,0 +1,41 @@ +--- +description: >- + This article outlines recent improvements to the Offline Temporary Password (OTP) feature and the implementation of 8-digit device codes, which facilitate multiple device usage per company. +keywords: + - OTP + - device codes + - Endpoint Protector + - security + - authentication +sidebar_label: OTP Device Code Compatibility +tags: [] +title: "OTP Device Code Compatibility" +knowledge_article_id: kA0Qk0000002B7ZKAU +products: + - endpoint-protector +--- + +# OTP Device Code Compatibility + +## Overview + +This article outlines recent improvements to the Offline Temporary Password (OTP) feature and the implementation of 8-digit device codes, which facilitate multiple device usage per company. + +## Availability + +The 8-digit device code feature is available with **Endpoint Protector** agents version 5.7.2.4 for Windows and 2.5.1.3 for macOS. + +## Behavior Based on Endpoint Protector Agent Version + +1. ### For Versions 5.7.2.4 (Windows) or 2.5.1.3 (macOS) and Newer: + - The user interface displays an 8-digit device code. + - OTP codes are generated based on the 8-digit device code. + +2. ### For Versions Older Than 5.7.2.4 (Windows) or 2.5.1.3 (macOS): + - The user interface displays a 4-digit device code. + - OTP codes are generated based on the 4-digit device code. + +## Compatibility + +- Codes generated from the user interface can be used with older versions. +- The **Endpoint Protector Server** re-computes the OTP device codes and displays them in the appropriate format according to the agent version. \ No newline at end of file diff --git a/docs/kb/endpointprotector/overview_of_remediation_actions_in_ediscovery.md b/docs/kb/endpointprotector/overview_of_remediation_actions_in_ediscovery.md new file mode 100644 index 0000000000..9c570d39a8 --- /dev/null +++ b/docs/kb/endpointprotector/overview_of_remediation_actions_in_ediscovery.md 
@@ -0,0 +1,32 @@ +--- +description: >- + This article describes the remediation options available after completing an eDiscovery scan in Endpoint Protector, helping to mitigate risks associated with sensitive data discovered on endpoints. +keywords: + - eDiscovery + - remediation actions + - sensitive data +sidebar_label: Overview of Remediation Actions +tags: [] +title: "Overview of Remediation Actions in eDiscovery" +knowledge_article_id: kA0Qk0000002B9DKAU +products: + - endpoint-protector +--- + +# Overview of Remediation Actions in eDiscovery + +## Overview + +This article describes the remediation options available after completing an eDiscovery scan in Endpoint Protector. These actions help mitigate risks associated with sensitive data discovered on endpoints. + +## Instructions + +After an eDiscovery scan is complete, you can perform the following remediation actions: + +- Encrypt on target +- Decrypt on target +- Delete on target + +These options are available under the **Actions** column in **eDiscovery** > **Scan Results and Actions** within the Endpoint Protector Management Console. + +Use these actions to address potential risks if sensitive data, such as customer PII, is found on user endpoints. For example, retaining customer PII on endpoints may violate privacy regulations such as GDPR. \ No newline at end of file diff --git a/docs/kb/endpointprotector/printing_jobs_not_being_blocked_or_reported.md b/docs/kb/endpointprotector/printing_jobs_not_being_blocked_or_reported.md new file mode 100644 index 0000000000..bdd44d8e91 --- /dev/null +++ b/docs/kb/endpointprotector/printing_jobs_not_being_blocked_or_reported.md 
@@ -0,0 +1,29 @@ +--- +description: >- + This article explains how to ensure that printing jobs are properly blocked or reported by the Endpoint Protector (EPP) agent. +keywords: + - Endpoint Protector + - printing jobs + - Device Control +sidebar_label: Printing Jobs Not Being Blocked or Reported +tags: [] +title: "Printing Jobs Not Being Blocked or Reported" +knowledge_article_id: kA0Qk0000002B7CKAU +products: + - endpoint-protector +--- + +# Printing Jobs Not Being Blocked or Reported + +## Overview + +This article explains how to ensure that printing jobs are properly blocked or reported by the Endpoint Protector (EPP) agent. The **Advanced Printer and MTP Scanning** option must be enabled in Device Control settings for this functionality to work. + +## Instructions + +1. In the Endpoint Protector Management Console, go to **Device Control** > **Global Settings**. +2. Enable the **Advanced Printer and MTP Scanning** option. +3. On the EPP client, click the **Update Policies Now** icon to apply the new settings. +4. Reboot the machine to complete the update process. + +If the problem persists after following these steps, raise a ticket with Netwrix Technical Support for further assistance. \ No newline at end of file diff --git a/docs/kb/endpointprotector/protect-the-client-from-unauthorized-uninstallation.md b/docs/kb/endpointprotector/protect-the-client-from-unauthorized-uninstallation.md new file mode 100644 index 0000000000..52dc8d35d7 --- /dev/null +++ b/docs/kb/endpointprotector/protect-the-client-from-unauthorized-uninstallation.md 
@@ -0,0 +1,50 @@ +--- +description: >- + This article explains how you can secure the Netwrix Endpoint Protector (EPP) + client on endpoint machines against unauthorized uninstallation by using an + uninstall password and Tamper Mode. +keywords: + - endpoint protector + - uninstall password + - tamper mode + - uninstall protection + - policy refresh interval + - endpoint security + - EPP agent +products: + - endpoint-protector +sidebar_label: Protect the Client from Unauthorized Uninstallatio +tags: [] +title: "Protect the Client from Unauthorized Uninstallation" +knowledge_article_id: kA0Qk0000002B5yKAE +--- + +# Protect the Client from Unauthorized Uninstallation + +## Overview + +This article explains how you can secure the Netwrix Endpoint Protector (EPP) client on endpoint machines against unauthorized uninstallation. To address this matter, there are two security measures available: + +- Set an Uninstall Password: Requires users to enter a password defined by the EPP system administrator before uninstalling the EPP client. This applies to Windows, Linux, and macOS endpoint machines. +- Enable Tamper Mode: Available starting with Netwrix Endpoint Protector Server version `5.8.0.0`, this feature safeguards agent integrity and prevents unauthorized termination or alteration of the Netwrix Endpoint Protector Agent. Tamper Mode is available for Windows endpoints only and can be enabled from the **Device Control > Global Settings** page. + +## Instructions + +### Set an Uninstall Password + +1. Navigate to **System Configuration** > **System Security**. +2. Enter a password under **Security Password for Uninstall Protection** and click **Save**. + +![Screenshot showing Security Password for Uninstall Protection settings in EPP client](./images/ka0Qk000000E7fx_0EMQk00000C51pO.png) + +3. After saving the changes, a notification will appear stating the uninstall password is set. +4. 
Update the policies on the endpoint manually or wait for the policies to be automatically updated based on the time set for **Policy Refresh Interval**. + +### Enable Tamper Mode + +1. Navigate to **Device Control** > **Global Settings** > **Tamper Mode** and toggle the switch to **On**. +2. Scroll down to the bottom of the subsection labeled **Endpoint Protector Client** and click **Save**. + +![Screenshot showing Tamper Mode settings in EPP client](./images/ka0Qk000000E7fx_0EMQk00000C51as.png) + +3. Update the policies on the endpoint manually or wait for the policies to be automatically updated based on the time set for **Policy Refresh Interval**. diff --git a/docs/kb/endpointprotector/read_only_access_not_working_after_rights_change.md b/docs/kb/endpointprotector/read_only_access_not_working_after_rights_change.md new file mode 100644 index 0000000000..011fb7146e --- /dev/null +++ b/docs/kb/endpointprotector/read_only_access_not_working_after_rights_change.md 
@@ -0,0 +1,28 @@ +--- +description: >- + This article explains why the Read Only access right may not function as expected after changing access rights and provides guidance on how to ensure the correct permissions are applied. +keywords: + - Read Only access + - access rights + - Endpoint Protector +sidebar_label: Read Only Access Issues +tags: [] +title: "Read Only Access Not Working After Rights Change" +knowledge_article_id: kA0Qk0000002BIqKAM +products: + - endpoint-protector +--- + +# Read Only Access Not Working After Rights Change + +## Question + +Why does the Read Only right not work as intended after changing access rights? + +## Answer + +The Read Only right may not work as intended immediately after changing access rights because the device or media must be reconnected for the new permissions to take effect. + +When you modify access rights for a device in **Endpoint Protector**, such as changing from **Allow Access** or **Deny Access** to **Read Only**, the system does not require a reboot. However, the updated rights are only enforced after the device is unplugged and reconnected. For optical drives, you must remove and re-insert the CD or DVD to trigger the rights update. + +In contrast, installing the **Endpoint Protector Client** or changing default rights during installation does require a system reboot for changes to apply. For all other access right modifications, simply re-plugging the device or media ensures the correct rights are assigned and resolves most issues with Read Only access not working as expected. \ No newline at end of file diff --git a/docs/kb/endpointprotector/recommendations_for_endpoint_protector_interaction_with_security_vendors,_proxies,_casbs,_and_browse.md b/docs/kb/endpointprotector/recommendations_for_endpoint_protector_interaction_with_security_vendors,_proxies,_casbs,_and_browse.md new file mode 100644 index 0000000000..2df0f13c97 --- /dev/null 
+++ b/docs/kb/endpointprotector/recommendations_for_endpoint_protector_interaction_with_security_vendors,_proxies,_casbs,_and_browse.md 
@@ -0,0 +1,65 @@ +--- +description: >- + This article provides recommendations for ensuring seamless interaction between Endpoint Protector and various security vendors, proxies, cloud access security brokers (CASBs), and web browsers. +keywords: + - Endpoint Protector + - security vendors + - proxies + - CASBs + - web browsers +sidebar_label: Recommendations for Endpoint Protector Interaction +tags: [] +title: "Recommendations for Endpoint Protector Interaction with Security Vendors, Proxies, CASBs, and Browsers" +knowledge_article_id: kA0Qk0000002B7HKAU +products: + - endpoint-protector +--- + +# Recommendations for Endpoint Protector Interaction with Security Vendors, Proxies, CASBs, and Browsers + +## Overview + +This article provides recommendations for ensuring seamless interaction between Endpoint Protector and various security vendors, proxies, cloud access security brokers (CASBs), and web browsers. + +## General Recommendations + +- **Network Configuration and SSL Inspection:** + - If network routing is properly configured and no SSL inspection occurs, client-server communication should work without issues. + +- **Peer Certificate Validation:** + - Disable peer certificate validation if other security vendors perform SSL inspection. + +## Specific Vendor Solutions + +### Zscaler and Cisco VPNs (AnyConnect and Umbrella) + +- **Issue:** Difficulties in making the Deep Packet Inspection (DPI) filter work due to Zscaler. +- **Resolution:** + - Add custom ports for the proxies used. + - Disable DPI peer certificate validation: + - In the Endpoint Protector UI, navigate to **CAP > Deep Packet Inspection**. + - Check **Custom Ports** to enable them, select **Proxy type**, and add the customer's proxy port. + - Set **Peer Certificate Validation** to OFF. + +### Netskope + +- **Issue:** Netskope logs show `sslsplit.exe` instead of the original application name under traffic tunneling. 
+- **Resolution:** Enable the "Stealthy DPI driver" globally, per group, or per user/computer. + +### Forcepoint + +- **Issue:** Websites are inaccessible on Firefox with the Forcepoint certificate present and DPI enabled. +- **Resolution:** + - Add custom ports for the Forcepoint proxies. + - Disable Peer Certificate Validation. + - Clear the browser cache. + +### Sophos + +- **Issue:** Deep Packet Inspection prevents the use of Sophos WebControl's URL Categories Blocking. +- **Action:** Establish collaboration with Sophos to address the issue. + +### Firefox on macOS + +- **Issue:** Firefox on macOS does not use system certificates for validation by default, but rather the local Firefox profile (pre-cached) certificates. +- **Resolution:** Set `security.enterprise_roots.enabled` to TRUE in Firefox settings to trust third-party certificates such as those used by Endpoint Protector. \ No newline at end of file diff --git a/docs/kb/endpointprotector/reduce-the-number-of-false-positives.md b/docs/kb/endpointprotector/reduce-the-number-of-false-positives.md new file mode 100644 index 0000000000..6233e12713 --- /dev/null +++ b/docs/kb/endpointprotector/reduce-the-number-of-false-positives.md 
@@ -0,0 +1,50 @@ +--- +description: >- + Explains how to reduce the number of false positives by enabling and + configuring global Contextual Detection in Netwrix Endpoint Protector. +keywords: + - contextual detection + - false positives + - Netwrix Endpoint Protector + - system parameters + - content aware detection + - PII + - DLP + - related dictionary +products: + - endpoint-protector +sidebar_label: Reduce the Number of False Positives +tags: [] +title: "Reduce the Number of False Positives" +knowledge_article_id: kA0Qk0000002B6nKAE +--- + +# Reduce the Number of False Positives + +## Overview + +This article explains how to reduce the number of false positives by enabling and configuring global Contextual Detection. + +## Instructions + +1. In the Netwrix Endpoint Protector Console, navigate to **System Parameters** > **Contextual Detection** then enable Contextual Detection for each category of predefined. +2. Click **Add** and configure the following options as needed: + - **Category and Type** – The content aware detection function. + - **Surrounding text** – The number of characters in the search interval to determine the context. + - **Related Dictionary** – A set of keywords related to the PII. + - **Related Regular Expression** – An additional way of adding a related rule that is not among the content aware detection functions. + - **Related File Type** – The related file type. + - **Related File Size (MB)** – The related file size, in megabytes. + - **Minimum Matches** – The minimum number of items to match to validate the detection rule. + - **Unrelated Dictionary** – A set of keywords not related to the PII. + - **Unrelated Regular Expression** – An additional way of adding a non-related rule that is not among the content aware detection functions. + - **Unrelated File Type** – The unrelated file type. + - **Unrelated File Size (MB)** – The unrelated file size, in megabytes. 
+ - **Maximum Matches** – The value above which the rule will not be validated (recommended value is 0). + +> **NOTE:** For more information, refer to the Contextual Detection section of the manual. + +## Related Links + +- /docs/endpoint-protector/5.9.3/endpointprotector/admin-guide/systemparameters — System Parameters Overview Documentation +- /docs/endpoint-protector/5.9.3/endpointprotector/admin-guide — Content Detection Summary Documentation diff --git a/docs/kb/endpointprotector/reinstalling-the-endpoint-protector-client-via-linux-terminal.md b/docs/kb/endpointprotector/reinstalling-the-endpoint-protector-client-via-linux-terminal.md new file mode 100644 index 0000000000..6e8f6ad6ec --- /dev/null +++ b/docs/kb/endpointprotector/reinstalling-the-endpoint-protector-client-via-linux-terminal.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Shows how to uninstall and reinstall the Netwrix Endpoint Protector client on + Linux using terminal commands, and how to resolve missing dependency errors. +keywords: + - endpoint protector + - linux + - reinstall + - uninstall + - dpkg + - apt + - dependencies + - client + - pkgs +products: + - endpoint-protector +sidebar_label: Reinstalling the Endpoint Protector Client via Lin +tags: [] +title: "Reinstalling the Endpoint Protector Client via Linux Terminal" +knowledge_article_id: kA0Qk0000002B6JKAU +--- + +# Reinstalling the Endpoint Protector Client via Linux Terminal + +## Overview + +This article describes how to reinstall the Netwrix Endpoint Protector Client on Linux using terminal commands. The process includes uninstalling the current client, updating the server IP configuration, and reinstalling the client. + +## Instructions + +### Uninstall and Reinstall the Netwrix Endpoint Protector Client + +1. On the Netwrix Endpoint Protector client, open the terminal. +2. To uninstall the existing client, run the command below: +```bash +sudo bash uninstall.sh +``` +3. Set the Netwrix Endpoint Protector server IP address: +```bash +sudo nano options.sh +``` +4. Edit the file to set the correct server IP address, then save and exit. +5. Reinstall the client: +```bash +sudo bash install.sh +``` + +### Resolving Missing Dependency Errors + +If you encounter missing dependency errors during installation, run the following commands: +```bash +sudo bash uninstall.sh +sudo apt update +sudo dpkg -i ./pkgs/*.deb +sudo apt update +sudo apt upgrade +``` + +The `sudo dpkg -i ./pkgs/*.deb` command will display any missing dependencies. Use `sudo apt update` and `sudo apt upgrade` to resolve them. diff --git a/docs/kb/endpointprotector/resetting-an-administrator-password.md b/docs/kb/endpointprotector/resetting-an-administrator-password.md new file mode 100644 index 0000000000..da1f8eb8bb --- /dev/null 
+++ b/docs/kb/endpointprotector/resetting-an-administrator-password.md 
@@ -0,0 +1,42 @@ +--- +description: >- + Shows how to reset an administrator password on the Netwrix Endpoint Protector + Server for local administrators; administrators imported from Active Directory + must have their passwords managed in Active Directory. +keywords: + - endpoint protector + - administrator password + - reset + - Netwrix Endpoint Protector + - admin account + - password change + - support ticket + - System Administrators +products: + - endpoint-protector +sidebar_label: Resetting an Administrator Password +tags: [] +title: "Resetting an Administrator Password" +knowledge_article_id: kA0Qk0000002B2eKAE +--- + +# Resetting an Administrator Password + +## Overview + +This article explains how to reset an administrator password on the Netwrix Endpoint Protector Server. These instructions apply to regular Netwrix Endpoint Protector administrators. For administrators imported from Active Directory, you must manage the password through Active Directory. + +## Instructions + +1. In the Netwrix Endpoint Protector Console, navigate to **System Configuration** > **System Administrators**. +2. Edit the administrator account that requires a password reset. +3. Enter the new password in the **Password** and **Confirm Password** fields. +4. Check **Require password change at next login** to allow the administrator to set a password of their choice upon their next login. +5. Save the modifications. + +![Edit administrator password fields in Endpoint Protector](./images/ka0Qk000000EbSj_0EMQk00000CAmm2.png) + +![Require password change at next login option in Endpoint Protector](./images/ka0Qk000000EbSj_0EMQk00000CAaeP.png) + +6. If you encounter any issues and are unable to reset the password, create a support ticket via the [Netwrix Support portal](https://www.netwrix.com/support.html) for assistance. +7. If the server is hosted on your end, the support team will contact you to schedule a remote session for resetting the password in the server's backend. 
diff --git a/docs/kb/endpointprotector/resolve-black-screen-issues-during-remote-access.md b/docs/kb/endpointprotector/resolve-black-screen-issues-during-remote-access.md new file mode 100644 index 0000000000..d356d9edb0 --- /dev/null +++ b/docs/kb/endpointprotector/resolve-black-screen-issues-during-remote-access.md @@ -0,0 +1,44 @@ +--- +description: >- + Learn how to prevent a black screen when accessing a machine remotely by + adjusting Content Aware Protection (CAP) policy settings in Netwrix Endpoint + Protector. +keywords: + - remote access + - black screen + - Content Aware Protection + - CAP + - print screen + - Advanced Printer and MTP Scanning + - endpoint protector + - screen sharing + - troubleshooting +products: + - endpoint-protector +sidebar_label: Resolve Black Screen Issues During Remote Access +tags: [] +title: "Resolve Black Screen Issues During Remote Access" +knowledge_article_id: kA0Qk0000002B62KAE +--- + +# Resolve Black Screen Issues During Remote Access + +## Overview + +This article explains how to prevent a black screen from appearing when accessing a machine remotely. This issue can occur if a Content Aware Protection (CAP) policy has **Print screen** blocking enabled along with the **Advanced Printer and MTP Scanning** setting checked. + +The **Print screen** blocking feature prevents capturing the content of windows on the screen when accessed remotely or during screen sharing in a meeting. + +## Instructions + +Follow the steps below to resolve this issue: + +1. Open the CAP policy settings by navigating to **Content Aware Policies** and **Edit** the policy. + + ![CAP policy settings screenshot](./images/ka0Qk000000ES7h_0EMQk00000Cp0a9.png) + +2. Disable the **Print screen** blocking option. + + ![Disable Print screen blocking screenshot](./images/ka0Qk000000ES7h_0EMQk00000Cp0ez.png) + +3. Save the changes to the policy. 
diff --git a/docs/kb/endpointprotector/resolve-wifi-connection-issues-when-rights-are-set-to-allow-access.md b/docs/kb/endpointprotector/resolve-wifi-connection-issues-when-rights-are-set-to-allow-access.md new file mode 100644 index 0000000000..891b9c6545 --- /dev/null +++ b/docs/kb/endpointprotector/resolve-wifi-connection-issues-when-rights-are-set-to-allow-access.md @@ -0,0 +1,28 @@ +--- +description: >- + Explains why setting WiFi rights to Allow Access does not immediately enable + WiFi on a computer running the Endpoint Protector client and what to do. +keywords: + - WiFi + - wireless + - Endpoint Protector + - Allow Access + - client + - connectivity + - network updates + - rights +products: + - endpoint-protector +sidebar_label: Resolve WiFi Connection Issues When Rights Are Set +tags: [] +title: "Resolve WiFi Connection Issues When Rights Are Set to Allow Access" +knowledge_article_id: kA0Qk0000002BB4KAM +--- + +# Resolve WiFi Connection Issues When Rights Are Set to Allow Access + +## Question +Why does the WiFi connection not work after the WiFi rights are set to **Allow Access** on a computer running the Endpoint Protector client? + +## Answer +If your computer does not have a local network or internet connection, changes to WiFi rights cannot be delivered from the Endpoint Protector server to the client. As a result, setting WiFi rights to **Allow Access** will not enable WiFi until the computer is reconnected to the network and can receive updates from the Endpoint Protector server. diff --git a/docs/kb/endpointprotector/resolve_hsts_web_browser_errors_when_accessing_websites.md b/docs/kb/endpointprotector/resolve_hsts_web_browser_errors_when_accessing_websites.md new file mode 100644 index 0000000000..0f425d91b6 --- /dev/null +++ b/docs/kb/endpointprotector/resolve_hsts_web_browser_errors_when_accessing_websites.md 
@@ -0,0 +1,27 @@ +--- +description: >- + This article explains how to resolve HTTP Strict Transport Security (HSTS) errors that may occur in web browsers when accessing websites. +keywords: + - HSTS + - web browser errors + - HTTP errors +sidebar_label: Resolve HSTS Errors +tags: [] +title: "Resolve HSTS Web Browser Errors When Accessing Websites" +knowledge_article_id: kA0Qk0000002B6dKAE +products: + - endpoint-protector +--- + +# Resolve HSTS Web Browser Errors When Accessing Websites + +## Overview + +This article explains how to resolve HTTP Strict Transport Security (HSTS) errors that may occur in web browsers when accessing websites. These errors can often be resolved by clearing the browser cache and restarting the browser. + +## Instructions + +1. Clear the cache in your web browser. +2. Restart the web browser. + +After completing these steps, the HSTS error should be resolved. However, if the Deep Packet Inspection (DPI) option is being switched on and off by an Endpoint Protector (EPP) administrator, the error may reappear. In this case, repeat the steps above to resolve the issue. \ No newline at end of file diff --git a/docs/kb/endpointprotector/restart_the_client_without_restarting_the_computer.md b/docs/kb/endpointprotector/restart_the_client_without_restarting_the_computer.md new file mode 100644 index 0000000000..517bf10cfa --- /dev/null +++ b/docs/kb/endpointprotector/restart_the_client_without_restarting_the_computer.md 
@@ -0,0 +1,45 @@ +--- +description: >- + This article explains how to restart the Endpoint Protector (EPP) client on Windows, macOS, and Linux without restarting the computer. +keywords: + - Endpoint Protector + - restart client + - Windows + - macOS + - Linux +sidebar_label: Restart EPP Client +tags: [] +title: "Restart the Client Without Restarting the Computer" +knowledge_article_id: kA0Qk0000002B6QKAU +products: + - endpoint-protector +--- + +# Restart the Client Without Restarting the Computer + +## Overview + +This article explains how to restart the **Endpoint Protector** (EPP) client on Windows, macOS, and Linux without restarting the computer. You can restart the relevant service or process for each operating system. + +## Instructions + +### Windows + +Restart the **Endpoint Protector** service from the Windows Task Manager. + +### macOS + +Restart the EPP process by running the following commands in a Terminal: + +```bash +sudo launchctl unload /Library/LaunchDaemons/com.cososys.eppclient.launchdaemon.plist +sudo launchctl load /Library/LaunchDaemons/com.cososys.eppclient.launchdaemon.plist +``` + +### Linux + +Restart the service by running the following command in a Terminal: + +```bash +sudo service epp-client-daemon restart +``` \ No newline at end of file diff --git a/docs/kb/endpointprotector/restrict-applications-or-cli-commands.md b/docs/kb/endpointprotector/restrict-applications-or-cli-commands.md new file mode 100644 index 0000000000..e54eab63a2 --- /dev/null +++ b/docs/kb/endpointprotector/restrict-applications-or-cli-commands.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Learn how to block or disable specific applications or CLI commands by + creating an Applications denylist in Netwrix Endpoint Protector policy + settings. +keywords: + - applications + - denylist + - CLI + - command line + - policy + - endpoint protector + - Denylists and Allowlists + - Add to content + - Generate + - content aware policy +products: + - endpoint-protector +sidebar_label: Restrict Applications or CLI Commands +tags: [] +title: "Restrict Applications or CLI Commands" +knowledge_article_id: kA0Qk0000002B69KAE +--- + +# Restrict Applications or CLI Commands + +## Overview + +This article explains how to block or disable specific applications or Command Line Interface (CLI) commands from running by creating an **Applications** denylist in the policy settings of Netwrix Endpoint Protector. + +## Instructions + +Follow the steps below to complete this process: + +1. Create an **Applications** denylist from **Denylists and Allowlists** > **Denylists** > **Applications**. +2. Enter the application name or CLI command you want to block. +3. Click the **Add to content** button. +4. Click the **Generate** button. + +![Screenshot showing how to add applications or CLI commands to the denylist](./images/ka0Qk000000ES65_0EMQk00000C528j.png) + +5. To include the newly created **Applications** denylist in a content aware policy, you must select the denylist in the policy settings. +6. Target the client machines where the policy should apply. + +![Screenshot showing how to include the denylist in a content aware policy and target client machines](./images/ka0Qk000000ES65_0EMQk00000C52DZ.png) diff --git a/docs/kb/endpointprotector/review_administrator_activity_in_the_console.md b/docs/kb/endpointprotector/review_administrator_activity_in_the_console.md new file mode 100644 index 0000000000..6979bf1bbc --- /dev/null +++ b/docs/kb/endpointprotector/review_administrator_activity_in_the_console.md 
@@ -0,0 +1,28 @@ +--- +description: >- + This article explains how to review the activity of administrators in the Endpoint Protector console using built-in reports. +keywords: + - administrator activity + - Endpoint Protector + - reports +sidebar_label: Review Admin Activity +tags: [] +title: "Review Administrator Activity in the Console" +knowledge_article_id: kA0Qk0000002B6hKAE +products: + - endpoint-protector +--- + +# Review Administrator Activity in the Console + +## Overview + +This article explains how to review the activity of administrators in the Endpoint Protector console. You can use the built-in reports to track actions performed by specific administrators. + +## Instructions + +1. Log in to the **Endpoint Protector** console. +2. Navigate to the **Reports and Analysis** section. +3. Select **Admin Actions**. +4. Review the logs related to administrator activity, such as adding custom rights for devices, performing Active Directory synchronizations, and creating or modifying groups. +5. Use the filters at the top of the page to search for a specific administrator, activity, operation, or UI section. \ No newline at end of file diff --git a/docs/kb/endpointprotector/secure_endpoint_protector_web_console_with_an_ssl_certificate.md b/docs/kb/endpointprotector/secure_endpoint_protector_web_console_with_an_ssl_certificate.md new file mode 100644 index 0000000000..636c84076b --- /dev/null +++ b/docs/kb/endpointprotector/secure_endpoint_protector_web_console_with_an_ssl_certificate.md 
@@ -0,0 +1,28 @@ +--- +description: >- + This article explains how to add an SSL certificate to Endpoint Protector using the web interface to secure communications between clients and the server. +keywords: + - SSL certificate + - Endpoint Protector + - secure communications +sidebar_label: Secure Endpoint Protector with SSL +tags: [] +title: "Secure Endpoint Protector Web Console with an SSL Certificate" +knowledge_article_id: kA0Qk0000002B6XKAU +products: + - endpoint-protector +--- + +# Secure Endpoint Protector Web Console with an SSL Certificate + +## Overview + +This article explains how to add an SSL certificate to **Endpoint Protector** using the web interface. Adding a valid SSL certificate helps secure communications between clients and the server. + +## Instructions + +1. Navigate to the **Endpoint Protector Console** > **Appliance** > **Server Maintenance**. +2. Copy and paste the content from your `.pem` certificate into the **Body** and **Key** text boxes. +3. Ensure you include the **BEGIN** and **END** directives for both the certificate body and private key. + ![SSL certificate entry fields in Endpoint Protector Server Maintenance](./images/servlet_image_2ab25cdeee54.png) +4. Save the changes. \ No newline at end of file diff --git a/docs/kb/endpointprotector/set-rights-for-a-specific-device.md b/docs/kb/endpointprotector/set-rights-for-a-specific-device.md new file mode 100644 index 0000000000..f9624acf83 --- /dev/null +++ b/docs/kb/endpointprotector/set-rights-for-a-specific-device.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Learn how to set or remove rights for a specific device in the Netwrix + Endpoint Protector console. Follow step-by-step instructions to assign or + revoke device rights for users, computers, or groups. +keywords: + - endpoint protector + - device control + - manage rights + - device rights + - Netwrix Endpoint Protector + - devices + - allow list + - permissions +products: + - endpoint-protector +sidebar_label: Set Rights for a Specific Device +tags: [] +title: "Set Rights for a Specific Device" +knowledge_article_id: kA0Qk0000002B6rKAE +--- + +# Set Rights for a Specific Device + +## Question +Is it possible to set rights for a specific device? + +## Answer +Yes, this is possible. Follow the steps below to set or remove rights for a specific device. + +### Set Rights for a Specific Device +1. In the Netwrix Endpoint Protector console, navigate to **Device Control > Devices**. +2. Filter for the device to manage, then click **Actions** and select **Manage rights**. +3. Click **Add**. +4. Select the entity for which to allow the device (**User**, **Computer**, or **Group**). +5. Select the desired right for the device. +6. Click **Next**. +7. From the list of users/computers/groups, select the entity to assign the new right. +8. Select the checkboxes on the left side of the entity and click **Save**. +9. To verify that the correct right is set, navigate to **Device Control > Devices**. +10. Filter for the device, then click **Actions** and select **Manage rights** again. + +### Remove Device Rights for a Specific Computer, User, or Group +1. In the Netwrix Endpoint Protector console, navigate to **Device Control > Devices**. +2. Filter for the device to manage, then click **Actions** and select **Manage rights**. +3. From the list of entities where the device was given a specific right, click the **Actions** button and remove the entities where the specific right is no longer needed. +4. 
To check if the right was removed, navigate to **Device Control > Devices**. +5. Filter for the device, then click **Actions** and select **Manage rights**. + +## Related Links +- How to Add Specific Devices to the Allow List: /docs/kb/endpoint-protector/[update]-_how_to_add_specific_devices_to_allow_list! diff --git a/docs/kb/endpointprotector/set-up-url-allowlists-and-denylists.md b/docs/kb/endpointprotector/set-up-url-allowlists-and-denylists.md new file mode 100644 index 0000000000..73c4a1f584 --- /dev/null +++ b/docs/kb/endpointprotector/set-up-url-allowlists-and-denylists.md 
@@ -0,0 +1,59 @@ +--- +description: >- + Learn how to set up URL allowlists and denylists in Netwrix Endpoint + Protector, and how to apply them to users and computers. This article covers + enabling Deep Packet Inspection and configuring Domain and URL lists for + blocking or allowing uploads. +keywords: + - URL allowlist + - URL denylist + - Deep Packet Inspection + - Endpoint Protector + - Content Aware Protection + - Domain and URL + - allowlist + - denylist + - policy exit points + - DPI +products: + - endpoint-protector +visibility: public +sidebar_label: Set Up URL Allowlists and Denylists +tags: [] +title: "Set Up URL Allowlists and Denylists" +knowledge_article_id: kA0Qk0000002B6qKAE +--- + +# Set Up URL Allowlists and Denylists + +## Question +Is it possible to set up URL allowlists and denylists? + +## Answer +Yes, this is possible. To set up URL allowlists and denylists, ensure that Deep Packet Inspection is enabled in **Device Control > Global Settings**. + +### Setting Up a URL Denylist +The URL denylist is used to block access to specific websites. + +1. In the Netwrix Endpoint Protector Console, navigate to **Denylists and Allowlists > Denylists > Domain and URL**. +2. Click **Add** to create a list of URLs to block. Set a name and description for the list, add the URLs, and click **Save**. + +> **NOTE:** You can use `*` as a wildcard to match anything before or after the domain. For example, `*example*` will block access to any website with "example" in the URL." + +### Apply Denylist to Users/Computers +1. In the Netwrix Endpoint Protector Console, navigate to **Content Aware Protection > Content Aware Policies** and edit the policy. +2. Ensure that the web browsers used by users are included in the **Policy Exit Points**. +3. Scroll to the policy denylists, click the **Domain and URL** tab, select the checkbox next to the denylist you want to use, and click **Save**. 
+ +### Setting Up a URL Allowlist +The URL allowlist is used to allow uploads to specific websites. + +1. In the Netwrix Endpoint Protector Console, navigate to **Denylists and Allowlists > Allowlist > Deep Packet Inspection**. +2. Click **Add** to create a list of URLs to allow uploads. Set a name and description for the list, add the URLs, and click **Save**. + +> **NOTE:** You can use `*` as a wildcard to match anything before or after the domain. For example, `*example*` will block access to any website with "example" in the URL. + +### Apply Allowlist to Users/Computers +1. In the Netwrix Endpoint Protector Console, navigate to **Content Aware Protection > Content Aware Policies** and edit the policy. +2. Ensure that the web browsers used by users are included in the **Policy Exit Points**. +3. Scroll to the policy allowlists, click the **Deep Packet Inspection** tab, select the checkbox next to the allowlist you want to use, and click **Save**. diff --git a/docs/kb/endpointprotector/set_password_validity_or_remove_password_expiration_for_administrators.md b/docs/kb/endpointprotector/set_password_validity_or_remove_password_expiration_for_administrators.md new file mode 100644 index 0000000000..4e3ece4b15 --- /dev/null +++ b/docs/kb/endpointprotector/set_password_validity_or_remove_password_expiration_for_administrators.md 
@@ -0,0 +1,29 @@ +--- +description: >- + This article explains how to change the validity period for administrator passwords or remove password expiration entirely. +keywords: + - password validity + - password expiration + - administrator accounts +sidebar_label: Set Password Validity +tags: [] +title: "Set Password Validity or Remove Password Expiration for Administrators" +knowledge_article_id: kA0Qk0000002B32KAE +products: + - endpoint-protector +--- + +# Set Password Validity or Remove Password Expiration for Administrators + +## Overview + +This article explains how to change the validity period for administrator passwords or remove password expiration entirely. + +## Instructions + +Follow these steps to set a custom password validity period or remove password expiration for administrator accounts: + +1. Navigate to **System Configuration > System Security** in Endpoint Protector. +2. In the **Advanced User Password Settings** section, select a custom validity period or choose to remove the expiry completely. + +![Advanced User Password Settings section in System Security](./images/servlet_image_bd860b27c3ec.png) \ No newline at end of file diff --git a/docs/kb/endpointprotector/set_up_a_report_only_content_aware_protection_policy.md b/docs/kb/endpointprotector/set_up_a_report_only_content_aware_protection_policy.md new file mode 100644 index 0000000000..1b39bb78db --- /dev/null +++ b/docs/kb/endpointprotector/set_up_a_report_only_content_aware_protection_policy.md 
@@ -0,0 +1,53 @@ +--- +description: >- + This article explains how to set up a Report Only Content Aware Protection (CAP) policy in Endpoint Protector, allowing you to monitor file movement across endpoints without enforcing restrictions. +keywords: + - Content Aware Protection + - Endpoint Protector + - Report Only Policy +products: + - endpoint-protector +sidebar_label: Set Up Report Only CAP Policy +tags: [] +title: Set Up a "Report Only" Content Aware Protection Policy +knowledge_article_id: kA0Qk0000002B9FKAU +--- + +# Set Up a "Report Only" Content Aware Protection Policy + +## Overview + +This article explains how to set up a **Report Only** Content Aware Protection (CAP) policy in **Endpoint Protector**. Creating a Report Only policy is recommended after configuring an Allow All Device Control Policy. This approach helps you understand file movement across endpoints without enforcing restrictions. + +> **IMPORTANT:** Report Only policies generate a large volume of logs and should be used on a limited number of computers. + +## Instructions + +### Configure Report Only Policy + +1. In the **Endpoint Protector Management Console**, navigate to **Content Aware Protection** > **Content Aware Policies**. +2. Click **Create Custom Policy**. +3. Define the policy settings: + - Select the **OS Type**. + - Enter a **Policy Name** (it is recommended to include "Reporting" or "Report Only" in the name or description). + - For the **Policy Action** field, select **Report Only**. +4. Click **Save** to create the policy. You will be returned to the Policies window. +5. If you manage multiple operating system types, repeat the above steps to create a policy framework for each platform. + +### Configure Exit Points and Denylist Items + +1. Select your policy and click the **Edit** icon on the right side of the policy window. +2. 
On the **Edit Policy** page, select the **Exit Points** of focus and the items you may later restrict: + - Use the **Applications** tab under Exit Points for common email clients and web browsers. + - Use the **Storage Devices** tab if you plan to restrict file transfers to storage media. +3. In the **Denylists** section, choose the objects to focus classification and determination on: + - Use the **File Type** tab to audit activity around specific file types. + - Use the **Predefined Content** tab for regulatory-bound content. + - Use the **Custom Content** tab for custom file entries, or the **Regular Expression** tab for logical operators. +4. Click **Save** for each Report Only policy you create. +5. After deploying agents, return to the policies and assign them to the target client systems. + +## Details + +- Report Only policies do not enforce restrictions, even if denylist items are configured. They are intended for auditing and monitoring purposes only. +- The CAP feature module focuses on in-motion objects and consumes minimal endpoint resources. Configure only the variables relevant to your environment to avoid unnecessary processing. \ No newline at end of file diff --git a/docs/kb/endpointprotector/set_up_a_siem_integration.md b/docs/kb/endpointprotector/set_up_a_siem_integration.md new file mode 100644 index 0000000000..6f64dbc121 --- /dev/null +++ b/docs/kb/endpointprotector/set_up_a_siem_integration.md 
@@ -0,0 +1,40 @@ +--- +description: >- + This article provides step-by-step instructions for setting up a SIEM integration with Endpoint Protector. +keywords: + - SIEM integration + - Endpoint Protector + - Syslog-ng +sidebar_label: Set Up SIEM Integration +tags: [] +title: "Set Up a SIEM Integration" +knowledge_article_id: kA0Qk0000002B75KAE +products: + - endpointprotector +--- + +# Set Up a SIEM Integration + +## Question + +Can you set up a SIEM integration? + +## Answer + +Yes, to integrate your SIEM server with **Endpoint Protector**, ensure the following requirements are met: + +- The SIEM server has a private IP address if it is on the same network as the **Endpoint Protector** server, or a public IP address or DNS if it is on a different network. +- The SIEM server can receive Syslog-ng type logs. + +Once the requirements are met, log in to the **Endpoint Protector** web console and follow these steps: + +1. Navigate to **Appliance > SIEM Integration**. +2. Click **Add New**. +3. In the New Server window, fill in all required information. You can use an IP address, DNS, or FQDN. +4. If you enable **Disable Server Logging**, logs are sent directly to the SIEM server and are not kept on the **Endpoint Protector** server. +5. The **Security Token** field is optional and is only required by some SIEM servers for a successful connection. +6. If you do not want to receive any header and only need the data, enable the **Exclude Headers** option. +7. Select all **Log Types** that you want to send to the SIEM server. +8. Click **Save** to complete the integration setup. The server will now redirect logs to your SIEM server. + +> **NOTE:** Previous logs will not be sent to the SIEM server. Only logs received after the integration is set up will be forwarded. \ No newline at end of file 
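Review bot: The front matter of set_up_a_siem_integration.md sets `products` to `endpointprotector`, while the other Endpoint Protector KB files added in this patch use `endpoint-protector`; align the slug so the article is grouped with the rest. In step 4, enabling **Disable Server Logging** means logs "are not kept on the Endpoint Protector server", and the closing NOTE says earlier logs are never forwarded, so the step should state that the SIEM then holds the only copy and say what happens to events while the SIEM is unreachable. Step 5 calls the **Security Token** optional without saying what it is used for; one sentence on when a SIEM requires it would help.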
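Review bot: In the "Set Up URL Allowlists and Denylists" article (the hunk ahead of set_password_validity_or_remove_password_expiration_for_administrators.md), the NOTE under "Setting Up a URL Allowlist" repeats the denylist wording, "`*example*` will block access to any website with "example" in the URL", although that section is about allowing uploads; reword it to describe the allow effect. Because the same NOTE says the wildcard matches anything before or after the domain, an allowlist entry such as `*example*` would permit uploads to any URL containing that string, so the allowlist example should use a pattern tied to a specific domain. The denylist NOTE also ends with a stray `"` after "URL.", and the navigation path uses "Allowlist" in the singular next to "Denylists"; check that against the console label.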
diff --git a/docs/kb/endpointprotector/set_up_automatic_license_release.md b/docs/kb/endpointprotector/set_up_automatic_license_release.md new file mode 100644 index 0000000000..c8a9155a78 --- /dev/null +++ b/docs/kb/endpointprotector/set_up_automatic_license_release.md @@ -0,0 +1,31 @@ +--- +description: >- + This article provides step-by-step instructions on setting up the Automatic License Release feature in Endpoint Protector to manage inactive licenses effectively. +keywords: + - Automatic License Release + - Endpoint Protector + - License Management +sidebar_label: Set Up Automatic License Release +tags: [] +title: "How to Set Up Automatic License Release" +knowledge_article_id: kA0Qk0000002B6yKAE +products: + - endpoint-protector +--- + +# How to Set Up Automatic License Release + +## Overview + +If you have licenses assigned to computers that are no longer active and want to ensure that licenses are not used unnecessarily, you can enable the Automatic License Release feature in Endpoint Protector. + +## Instructions + +To set up Automatic License Release, log in to the Endpoint Protector web console and follow these steps: + +1. In the Endpoint Protector console, navigate to **System Configuration** > **System Licensing**. +2. In the Licensing window, click **View Licenses**. +3. Click the **Automatic Release License** button in the **View Licenses** window. +4. Toggle the **Automatic Release License** option. In the **Last Online** drop-down, select either a predefined value or enter a custom value (between 1 and 360 days). + ![Automatic License Release configuration in Endpoint Protector](./images/servlet_image_d1e926f5d4e6.png) +5. Click the **Schedule** button. All computers that were last seen longer than the defined value will have their license released. \ No newline at end of file 
diff --git a/docs/kb/endpointprotector/supported_platforms_for_endpoint_protector_server_installation.md b/docs/kb/endpointprotector/supported_platforms_for_endpoint_protector_server_installation.md new file mode 100644 index 0000000000..2528c7c31b --- /dev/null +++ b/docs/kb/endpointprotector/supported_platforms_for_endpoint_protector_server_installation.md @@ -0,0 +1,33 @@ +--- +description: >- + This article outlines the platforms on which Endpoint Protector Server can be installed, including deployment methods and supported environments. +keywords: + - Endpoint Protector + - Virtual Appliance + - Cloud Platforms + - Active Directory Integration + - Deployment Methods +sidebar_label: Supported Platforms +tags: [] +title: "Supported Platforms for Endpoint Protector Server Installation" +knowledge_article_id: kA0Qk0000002B99KAE +products: + - endpoint-protector +--- + +# Supported Platforms for Endpoint Protector Server Installation + +## Question + +On which platforms can Endpoint Protector Server be installed? + +## Answer + +Endpoint Protector Server can be installed as a Virtual Appliance. For a complete list of supported server virtualization environments and client operating systems, see the official documentation: [Supported Platforms and Deployment Methods ⸱ Netwrix Help Center 🡥](/docs/endpointprotector/5.9.4.2/install/overview). + +Deployment methods include: + +- **Virtual Appliances**: Detailed instructions for configuration, deployment, and management. +- **Cloud Platforms**: Deployment strategies for AWS, GCP, and Azure, assuming existing cloud accounts and basic platform knowledge. +- **Active Directory Integration**: Leveraging Group Policy Objects for efficient client deployment. +- **Third-party Management Tools**: Utilizing JAMF and Microsoft Intune for streamlined deployment. \ No newline at end of file 
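Review bot: The link text in the Answer, "Supported Platforms and Deployment Methods ⸱ Netwrix Help Center 🡥", carries a copied page title with the site suffix and an external-link glyph; trim it to the page name. The target is pinned to `/docs/endpointprotector/5.9.4.2/install/overview`, while the 2FA troubleshooting article in this patch links to `/docs/endpointprotector/5.9.3/...`; pick one versioning convention for internal links. The question asks where the server can be installed, but the "Active Directory Integration" and "Third-party Management Tools" bullets describe client deployment, so either retitle the list or say which items apply to the server.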
diff --git a/docs/kb/endpointprotector/system-backup-v2-not-showing-in-the-endpoint-protector-console.md b/docs/kb/endpointprotector/system-backup-v2-not-showing-in-the-endpoint-protector-console.md new file mode 100644 index 0000000000..2ca0f70af2 --- /dev/null +++ b/docs/kb/endpointprotector/system-backup-v2-not-showing-in-the-endpoint-protector-console.md @@ -0,0 +1,34 @@ +--- +description: >- + Explains why System Backup V2 may not appear in the Netwrix Endpoint Protector + console for virtual appliances hosted on the Netwrix AWS platform and + instructs you to contact Netwrix Support for remediation. +keywords: + - endpoint protector + - System Backup V2 + - system backup + - console + - virtual appliance + - AWS + - Netwrix Support + - backup visibility +products: + - endpoint-protector +visibility: public +sidebar_label: System Backup V2 Not Showing in the Endpoint Prote +tags: [] +title: "System Backup V2 Not Showing in the Endpoint Protector Console" +knowledge_article_id: kA0Qk0000002B2jKAE +--- + +# System Backup V2 Not Showing in the Endpoint Protector Console + +## Question + +Why is System Backup V2 not showing up in the Netwrix Endpoint Protector console? + +## Answer + +This scenario applies to Netwrix Endpoint Protector virtual appliances hosted on the Netwrix AWS platform. If System Backup V2 is not visible in the console, you will need intervention from a Netwrix Support engineer. + +Please create a support ticket via the Netwrix Support portal for assistance: https://www.netwrix.com/support.html diff --git a/docs/kb/endpointprotector/troubleshoot_two-factor_authentication_issues.md b/docs/kb/endpointprotector/troubleshoot_two-factor_authentication_issues.md new file mode 100644 index 0000000000..50a4723635 --- /dev/null +++ b/docs/kb/endpointprotector/troubleshoot_two-factor_authentication_issues.md 
@@ -0,0 +1,36 @@ +--- +description: >- + This article provides troubleshooting steps for resolving issues with Two-Factor Authentication (2FA) in Endpoint Protector, focusing on time synchronization and alternative setup methods. +keywords: + - Two-Factor Authentication + - Endpoint Protector + - troubleshooting +sidebar_label: Troubleshoot 2FA Issues +tags: [] +title: "Troubleshoot Two-Factor Authentication Issues" +knowledge_article_id: kA0Qk0000002B61KAE +products: + - endpoint-protector +--- + +# Troubleshoot Two-Factor Authentication Issues + +## Overview + +This article provides troubleshooting steps for resolving issues with Two-Factor Authentication (2FA) in Endpoint Protector, focusing on time synchronization and alternative setup methods. + +## Instructions + +To troubleshoot issues with 2FA, try one or more of the following steps: + +1. Ensure that the **Endpoint Protector** server date/time matches exactly with the date/time on the phone used to scan the QR code. This can be checked by following these steps: + 1. In the **Endpoint Protector** console, go to **Appliance** > **Server Maintenance** and click **Synchronize time**. + 2. Check the date and time on the phone. +2. Disable Two-Factor Authentication (2FA) in **Endpoint Protector**, then re-enable it. For detailed steps on enabling or disabling 2FA, see [Enable Two-Factor Authentication](/docs/kb/endpointprotector/enable_two-factor_authentication_for_system_admins_with_google_authenticator_app). +3. Instead of scanning the QR code, manually enter the code in the **Google Authenticator** app. 
+ +## Related Links + +- [Enable Two-Factor Authentication](/docs/kb/endpointprotector/enable_two-factor_authentication_for_system_admins_with_google_authenticator_app) +- [Managing System Administrators and Administrator Groups](/docs/kb/endpointprotector/managing-system-administrators-and-administrator-groups) +- [Two-Factor Authentication Overview – Endpoint Protector Documentation](/docs/endpointprotector/5.9.3/admin/systemconfiguration/overview) \ No newline at end of file diff --git a/docs/kb/endpointprotector/understanding-the-rights-hierarchy-for-devices.md b/docs/kb/endpointprotector/understanding-the-rights-hierarchy-for-devices.md new file mode 100644 index 0000000000..20bad5687b --- /dev/null +++ b/docs/kb/endpointprotector/understanding-the-rights-hierarchy-for-devices.md 
@@ -0,0 +1,43 @@ +--- +description: >- + This article explains the rights hierarchy for devices in Netwrix Endpoint + Protector and how permissions are applied and overridden. It also shows how to + set precedence between Computer and User rights and explains Custom Classes. +keywords: + - netwrix endpoint protector + - rights hierarchy + - device rights + - global rights + - group rights + - computer rights + - user rights + - custom classes + - system settings +products: + - endpoint-protector +visibility: public +sidebar_label: Understanding the Rights Hierarchy for Devices +tags: [] +title: "Understanding the Rights Hierarchy for Devices" +knowledge_article_id: kA0Qk0000002B6SKAU +--- + +# Understanding the Rights Hierarchy for Devices + +## Overview + +This article explains the rights hierarchy for devices, which determines how permissions are applied and overridden in Netwrix Endpoint Protector. + +The rights hierarchy for devices, from lowest to highest, is as follows: + +1. Global Rights +2. Group Rights +3. Computer or User Rights (You can configure which takes precedence in **System Configuration > System Settings.**) +4. Devices + +## Instructions + +1. To set precedence between **Computer Rights** and **User Rights**, go to **System Configuration > System Settings** and select the desired option. + ![System Settings page showing precedence configuration for Computer or User Rights](images/ka0Qk000000DzNR_0EMQk00000BmNLl.png) + +2. **Custom Classes** have the highest priority and override all other rights. Use Custom Classes to globally set rights for a device or class of devices identified by VID, PID, and Serial Number. diff --git a/docs/kb/endpointprotector/uninstall-the-client-from-a-mac-computer.md b/docs/kb/endpointprotector/uninstall-the-client-from-a-mac-computer.md new file mode 100644 index 0000000000..8d1efac115 --- /dev/null +++ b/docs/kb/endpointprotector/uninstall-the-client-from-a-mac-computer.md 
@@ -0,0 +1,36 @@ +--- +description: >- + Use the provided uninstall script to remove the Netwrix Endpoint Protector + client from a Mac computer. The steps explain how to run the + `remove-epp.command` file and what to do if you don't have the installation + kit. +keywords: + - uninstall + - Mac + - remove-epp.command + - endpoint-protector + - Netwrix Endpoint Protector + - installation kit + - uninstall script + - client removal +products: + - endpoint-protector +sidebar_label: Uninstall the Client From a Mac Computer +tags: [] +title: "Uninstall the Client From a Mac Computer" +knowledge_article_id: kA0Qk0000002B7SKAU +--- + +# Uninstall the Client From a Mac Computer + +## Overview + +This article explains how you can uninstall the client from a Mac computer using the provided uninstall script. + +## Instructions + +1. Locate the installation kit for the client on your Mac computer. +2. Run the `remove-epp.command` file within the installation kit to uninstall the client. +3. Follow the on-screen prompts to complete the uninstallation. + +> **NOTE:** If you do not have the installation kit, contact your administrator or Netwrix Technical Support team to obtain it. diff --git a/docs/kb/endpointprotector/update-the-endpoint-protector-server-ip-address-on-a-windows-endpoint.md b/docs/kb/endpointprotector/update-the-endpoint-protector-server-ip-address-on-a-windows-endpoint.md new file mode 100644 index 0000000000..14741b1b70 --- /dev/null +++ b/docs/kb/endpointprotector/update-the-endpoint-protector-server-ip-address-on-a-windows-endpoint.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Learn how to review and change the Netwrix Endpoint Protector (EPP) server IP + address, communication port number, or department code on a Windows endpoint + without reinstalling the client. +keywords: + - endpoint protector + - set server ip + - EPPSetServer.exe + - SetServerIP.7z + - server IP + - communication port + - department code + - Windows endpoint +products: + - endpoint-protector +sidebar_label: Update the Endpoint Protector Server IP Address on +tags: [] +title: "Update the Endpoint Protector Server IP Address on a Windows Endpoint" +knowledge_article_id: kA0Qk0000002B6EKAU +--- + +# Update the Endpoint Protector Server IP Address on a Windows Endpoint + +## Overview + +This article explains how to review and change the Netwrix Endpoint Protector (EPP) server IP address, communication port number, or department code on a Windows endpoint machine without uninstalling and reinstalling the Netwrix Endpoint Protector Client. These steps allow you to redirect communication from an old EPP server to a new one or update connection details as needed. + +## Instructions + +### Configure Settings via EPP Console + +1. Download the Endpoint Protector Set Server IP application: + https://download.endpointprotector.com/Support_files/SetServerIP.7z +2. Extract the contents from the `SetServerIP.7z` archive into a new folder. +3. Check the current EPP Client details: + 1. Open the notifier. + 2. Click the **Settings** tab. + 3. Press `ALT + CTRL + I`. + + The current configuration details will be displayed as shown below. + + ![Current configuration details in Netwrix Endpoint Protector Notifier](./images/ka0Qk000000EcJx_0EMQk00000C91kM.png) + +4. Open the folder containing the `SetServerIP` application and run `EppSetServer.exe`. +5. Enter the new EPP server IP address, communication port number, or department code. +6. Click **Update** to apply the new settings. +7. 
Once a message populates stating the update was successful, restart the Windows endpoint machine for the changes to take effect. +8. Repeat step 3 to confirm that the new details have been applied to the Netwrix Endpoint Protector Client. + +### Configure Settings via Script + +1. Download the Endpoint Protector Set Server IP application: + https://download.endpointprotector.com/Support_files/SetServerIP.7z +2. Extract the contents from the `SetServerIP.7z` archive into a new folder. +3. Create a new note using Windows Notepad and save the file as `EPPSetServer.bat`. You must change the file extension from `.txt` to `.bat`. +4. Edit the batch file in Notepad and insert the following command, updating the details as needed: + +```bat +EPPSetServer.exe -ip 192.168.43.113 -port 443 -dept "ITDEP" +``` + +5. Run the script and then restart the Windows endpoint machine for the new details to be applied. diff --git a/docs/kb/endpointprotector/upgrade_linux_clients_without_uninstalling_and_reinstalling.md b/docs/kb/endpointprotector/upgrade_linux_clients_without_uninstalling_and_reinstalling.md new file mode 100644 index 0000000000..f1de0daeea --- /dev/null +++ b/docs/kb/endpointprotector/upgrade_linux_clients_without_uninstalling_and_reinstalling.md 
@@ -0,0 +1,46 @@ +--- +description: >- + This article explains how to upgrade the Endpoint Protector client on Linux without performing a full uninstall and reinstall, preserving configuration variables from the previous build. +keywords: + - Endpoint Protector + - Linux client upgrade + - configuration preservation +sidebar_label: Upgrade Linux Clients +tags: [] +title: "Upgrade Linux Clients Without Uninstalling and Reinstalling" +knowledge_article_id: kA0Qk0000002B6mKAE +products: + - endpoint-protector +--- + +# Upgrade Linux Clients Without Uninstalling and Reinstalling + +## Overview + +This article explains how to upgrade the Endpoint Protector client on Linux without performing a full uninstall and reinstall. The steps below allow you to upgrade the client while preserving configuration variables from the previous build. + +## Instructions + +1. Copy the new Endpoint Protector client installer to the Linux machine. +2. Open a Terminal window. +3. Export the variables from the `options.ini` file from the older build: + + ```plaintext + export EPPCLIENT_WS_SERVER=ip.of.the.server + export EPPCLIENT_WS_PORT=443 + export EPPCLIENT_DEPARTMENT_CODE=defdep + ``` + +4. Unpack the archive: + + ```plaintext + tar xvf [Filename.tar.xz] + ``` + +5. From the unpacked directory of the newer build, run: + + ```plaintext + sudo -E apt install ./pkgs/*.deb + ``` + +6. Open **Endpoint Protector Notifier** and confirm that the Endpoint Protector client was upgraded. \ No newline at end of file diff --git a/docs/kb/endpointprotector/upgrade_to_client_version_5.9.4.3.md b/docs/kb/endpointprotector/upgrade_to_client_version_5.9.4.3.md new file mode 100644 index 0000000000..e74645c3b0 --- /dev/null +++ b/docs/kb/endpointprotector/upgrade_to_client_version_5.9.4.3.md 
@@ -0,0 +1,90 @@ +--- +description: >- + This article provides step-by-step instructions for upgrading to Netwrix Endpoint Protector (EPP) client version 5.9.4.3, ensuring a smooth transition with minimal disruptions. +keywords: + - Netwrix Endpoint Protector + - EPP client upgrade + - software installation +sidebar_label: Upgrade to EPP Client 5.9.4.3 +tags: [] +title: "Upgrade to Client Version 5.9.4.3" +knowledge_article_id: kA0Qk0000002q5lKAA +products: + - endpoint-protector +--- + +# Upgrade to Client Version 5.9.4.3 + +## Overview + +This article provides instructions for upgrading to Netwrix Endpoint Protector (EPP) client version 5.9.4.3. Follow these procedures to ensure a smooth transition with minimal disruptions. + +> **IMPORTANT:** Before starting, capture a snapshot of the Endpoint Protector server. + +## Instructions + +### Upgrade the Endpoint Protector Server to 5.9.4.2 + +1. Download the EPP 5.9.4.2 package: [Download Link](https://download.endpointprotector.com/offline_patches/EPP500675942.tar.gz) +2. In the EPP console, navigate to **Dashboard** > **Live Update** > **Offline Patch Uploader**. +3. Select **Choose File** and upload the EPP 5.9.4.2 package. +4. Click **Back** and allow the upgrade to complete. +5. Verify the server displays version 5.9.4.2 in the bottom right corner of the console. Refresh the browser if necessary. 
+ +### Download the EPP 5.9.4.3 Client Package + +- Access the Netwrix Community to download the required offline patches: + - **Windows:** [Download Link](https://releases.netwrix.com/products/endpointprotector/625/endpointprotector-client-setup-v6251004.zip) + - **macOS:** [Download Link](https://releases.netwrix.com/products/endpointprotector/305/endpointprotector-client-mac-setup-v3051005.zip) + - **New Outlook Add-in:** [Download Link](https://releases.netwrix.com/products/endpointprotector/1.0/endpointprotector-outlook-addin-v1.0.0.0.zip) + - **Combined Package:** [Download Link](https://releases.netwrix.com/products/endpointprotector/5.9/endpointprotector-mp-hwa-epp4-u0162-m0162-5.9.4.3.tar.gz) + +> **NOTE:** For installation instructions for the New Outlook Integration, refer to the [release notes](https://community.netwrix.com/t/version-5-9-4-3-released-now-with-hotfix-1/15972#p-22373-microsoft-new-outlook-full-support-6) or the readme documentation within the download package to configure `manifest_template.xml`. + +### Upgrade the Endpoint Protector Client + +- Deploy EPP 5.9.4.3 to endpoints manually, via the EPP 5.9.4.2 console, or through your preferred deployment tools. +- Using the EPP 5.9.4.2 console: + 1. Navigate to **Dashboard** > **Live Update** > **Offline Patch Uploader**. + 2. Choose the file for Windows, macOS, or the combined package download. + 3. Complete the installation process and ensure it is successful. + +### Verify Installation Success + +1. Navigate to **System Configuration** > **Client Software** in the console. +2. Windows should display version 6.2.5.1 and macOS 3.0.5.1. +3. The EPP appliance should show version 5.9.4.2 at the bottom right. + +### Configure Client Software Upgrade + +1. Go to **System Configuration** > **Client Software Upgrade**. +2. Choose the operating system for agent deployment and select **Next**. +3. Select the relevant group or computer for EPP 5.9.4.3 agent deployment and proceed. +4. 
Confirm upgrade details, initiate the upgrade job, and allow time for completion. + +### Verify Agent Connectivity + +- From the client computer: + 1. Open the EPP agent via the system tray icon. + 2. Navigate to **Settings** and press `Ctrl + Alt + i` (Windows) or `Command + Option + i` (macOS). + + ![EPP agent settings and version check](./images/servlet_image_13588715e752.png) + +- From the EPP server 5.9.4.2 console: + 1. Navigate to **Device Control** > **Computers** > **List of Computers**. + 2. Use filters to locate the computer by name or username and select **Apply**. + 3. Ensure the computer displays the correct client version and status. + +### Troubleshooting + +- If agents fail to connect, uninstall and reinstall the EPP client software on affected endpoints. +- For discrepancies in computer listings: + - In **Device Control** > **Global Settings**, increase **Maximum no. of records returned** and **No. of records per page**. +- Verify that all endpoints report accurately and that device control policies are operating correctly. + +> **NOTE:** If you encounter client connectivity issues, a clean uninstall and reinstall of the EPP client has resolved such problems previously. Always confirm that you possess the correct upgrade files and follow official upgrade documentation. + +## Related Links + +- [Version 5.9.4.2 Release Notes](https://community.netwrix.com/t/version-5-9-4-2-released/3466) +- [Version 5.9.4.3 Release Notes](https://community.netwrix.com/t/version-5-9-4-3-released/15972) \ No newline at end of file diff --git a/docs/kb/endpointprotector/user_interface_performance_issues.md b/docs/kb/endpointprotector/user_interface_performance_issues.md new file mode 100644 index 0000000000..058888d88d --- /dev/null +++ b/docs/kb/endpointprotector/user_interface_performance_issues.md 
@@ -0,0 +1,58 @@ +--- +description: >- + This article addresses performance issues related to the Endpoint Protector Console/User Interface, detailing symptoms, causes, and resolutions. +keywords: + - Endpoint Protector + - performance issues + - troubleshooting +sidebar_label: User Interface Performance Issues +tags: [] +title: "User Interface Performance Issues" +knowledge_article_id: kA0Qk0000002B6GKAU +products: + - endpoint-protector +--- + +# User Interface Performance Issues + +## Symptom + +The Endpoint Protector Console/User Interface is experiencing issues and other performance concerns. + +## Causes + +1. **Large number of logs or file shadows on the Endpoint Protector server.** +2. **Backend services being affected or disrupted.** +3. **Insufficient disk space on the server.** +4. **Insufficient CPU cores and RAM allocated to the server.** +5. **Endpoint Protector Server upgrades or audit log backups running.** Performance can decrease during upgrades or backup operations. +6. **Running older Endpoint Protector Server and Client versions.** + +## Resolutions + +1. **Large Number of Logs or File Shadows** + 1. Check **Appliance > Server Information** for the number of logs and file shadows. + 2. Delete older or unnecessary logs or archive them using the Audit Log Backup functionality. + 3. Externalize logs using External Storage or SIEM integration functionality. + +2. **Backend Services Being Affected** + 1. Reboot the Endpoint Protector server from **Appliance > Server Maintenance > Reboot** or from your hosting platform (VM, AWS, Azure, GCP). + +3. **Disk Space Issues** + 1. Review **Appliance > Server Information** for disk space details. + 2. Remove unnecessary files and raise a support ticket for investigation if necessary. + 3. If hosted on your end (VM, AWS, Azure, GCP), allocate extra disk space and contact support for disk resizing. + +4. **Resource Issues** + 1. If hosted on your end (VM, AWS, Azure, GCP), add extra CPU cores and RAM. + 2. 
Contact support via a support ticket to allocate additional resources on the Endpoint Protector server. + +5. **Endpoint Protector Server Upgrades or Audit Log Backups Running** + 1. Expect temporary UI performance decrease during and shortly after these processes. + +6. **Running Older Endpoint Protector Server and Client Versions** + 1. Always use the latest Endpoint Protector server and client versions available as a best practice. + +## Related Links + +- [Endpoint Protector Deployment Resources](/docs/endpointprotector/) \ No newline at end of file diff --git a/docs/kb/endpointprotector/user_remediation_reporting.md b/docs/kb/endpointprotector/user_remediation_reporting.md new file mode 100644 index 0000000000..621602b075 --- /dev/null +++ b/docs/kb/endpointprotector/user_remediation_reporting.md 
@@ -0,0 +1,34 @@ +--- +description: >- + This article explains how to locate and review logs of end user responses to User Remediation interventions in Endpoint Protector. +keywords: + - User Remediation + - Endpoint Protector + - logs + - reports + - administration +sidebar_label: User Remediation Reporting +tags: [] +title: "User Remediation Reporting" +knowledge_article_id: kA0Qk0000002B94KAE +products: + - endpoint-protector +--- + +# User Remediation Reporting + +## Overview + +This article explains how to locate and review logs of end user responses to **User Remediation** interventions in Endpoint Protector. Reviewing these reports helps administrators track justifications and actions taken when users remediate blocked activities. + +## Instructions + +1. Log in to the **Endpoint Protector Management Console**. +2. Navigate to **Reports and Analysis** > **Content Aware Report**. +3. Locate the relevant event where **User Remediation** was used to authorize a bypass or transmission of sensitive content. +4. Review the **Justification** field to see any user-submitted messages or explanations provided during the remediation process. + +## Related Links + +- [How to Configure User Remediation for Device Control](/docs/kb/endpointprotector/how-to-configure-user-remediation-for-device-control) +- [Enabling User Remediation in Content Aware Protection Policies](/docs/kb/endpointprotector/enabling-user-remediation-in-content-aware-protection-policies) \ No newline at end of file diff --git a/docs/kb/endpointprotector/using-smart-groups-for-automatic-computer-and-user-assignment.md b/docs/kb/endpointprotector/using-smart-groups-for-automatic-computer-and-user-assignment.md new file mode 100644 index 0000000000..fff041db95 --- /dev/null +++ b/docs/kb/endpointprotector/using-smart-groups-for-automatic-computer-and-user-assignment.md 
@@ -0,0 +1,43 @@ +--- +description: >- + Use Smart Groups in Netwrix Endpoint Protector to automatically assign + computers and users to groups by name patterns. Configure wildcard include and + exclude rules to keep group membership current without manual intervention. +keywords: + - smart groups + - Netwrix Endpoint Protector + - endpoint protector + - device control + - groups + - wildcard + - automatic assignment + - computers + - users +products: + - endpoint-protector +sidebar_label: Using Smart Groups for Automatic Computer and User +tags: [] +title: "Using Smart Groups for Automatic Computer and User Assignment" +knowledge_article_id: kA0Qk0000002B6MKAU +--- + +# Using Smart Groups for Automatic Computer and User Assignment + +## Overview + +Smart Groups enable automatic assignment of computers or users to groups based on name patterns. By configuring wildcard rules, you can include or exclude entities from groups without manual intervention. + +## Instructions + +1. In the Netwrix Endpoint Protector Console, navigate to **System Configuration** > **System Settings** and enable **Smart Groups**. +2. Navigate to **Device Control** > **Groups**. +3. Mark the desired group as a smart group. +4. Name the group and select the department from which you want to add computers or users. +5. Select either **Computers** or **Users** to add to the group. +6. Specify which entities to include by typing a specific part of the entity name using wildcards: + - `XYZ*` — Name starts with XYZ + - `*XYZ*` — Name contains XYZ + - `*XYZ` — Name ends with XYZ +7. To exclude certain computers or users from the group, specify names or patterns to be excluded. +8. For example, all computers with names starting with **XYZ** will be included in the group, except those starting with **XYZA**. + ![Smart Group configuration example in Netwrix Endpoint Protector](./images/ka0Qk000000EaoP_0EMQk00000BmIKT.png) 
diff --git a/docs/kb/endpointprotector/utilize-the-monitor-webmail-setting-for-subject-and-body-scanning.md b/docs/kb/endpointprotector/utilize-the-monitor-webmail-setting-for-subject-and-body-scanning.md new file mode 100644 index 0000000000..d37781ac4a --- /dev/null +++ b/docs/kb/endpointprotector/utilize-the-monitor-webmail-setting-for-subject-and-body-scanning.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Explains how to enable the Monitor webmail setting in Netwrix Endpoint + Protector to scan the subject and body of web-based email messages and + describes behavior, considerations, and limitations. +keywords: + - monitor webmail + - webmail scanning + - deep packet inspection + - Gmail + - Yahoo + - Outlook + - Netwrix Endpoint Protector + - Content Aware Protection +products: + - endpoint-protector +sidebar_label: Utilize the Monitor Webmail Setting for Subject an +tags: [] +title: "Utilize the Monitor Webmail Setting for Subject and Body Scanning" +knowledge_article_id: kA0Qk0000002BFdKAM +--- + +# Utilize the Monitor Webmail Setting for Subject and Body Scanning + +## Overview + +The **Monitor webmail** setting in Netwrix Endpoint Protector enables subject and body scanning for web-based email services, including Gmail, Yahoo, and Outlook, when accessed through a browser. This article explains how to enable the Monitor webmail setting, describes its behavior, and highlights important considerations and limitations, especially when using Yahoo and Linux environments. + +> **NOTE:** When using Yahoo, the email recipients whitelist for attachments will work only if the attachment is uploaded after the recipients are added. If the recipients are modified after the attachment has been added, the file will not be scanned again or validated against the new recipients list. Inconsistent behavior may be experienced on Linux machines. + +## Instructions + +1. Activate the **Deep Packet Inspection** module if it is not already activated. +2. Go to **Content Aware Protection** > **Deep Packet Inspection** and check the **Monitor webmail for Gmail** setting. + + ![Creating a policy in Content Aware Protection](./images/ka0Qk000000ESkP_0EMQk00000C7Jbh.png) +3. Go to **Content Aware Protection** and create the desired policy. 
diff --git a/docs/kb/endpointprotector/verify-if-the-endpoint-protector-network-extension-is-enabled.md b/docs/kb/endpointprotector/verify-if-the-endpoint-protector-network-extension-is-enabled.md new file mode 100644 index 0000000000..09e20a2534 --- /dev/null +++ b/docs/kb/endpointprotector/verify-if-the-endpoint-protector-network-extension-is-enabled.md @@ -0,0 +1,47 @@ +--- +description: >- + Use this article to verify whether the Endpoint Protector network extension is + enabled. You can check the status via the command line or the Endpoint + Protector Console. +keywords: + - Endpoint Protector + - network extension + - systemextensionsctl + - network extension status + - Filters & Proxies + - console + - systemextensionsctl list + - verify +products: + - endpoint-protector +visibility: public +sidebar_label: Verify if the Endpoint Protector Network Extension +tags: [] +title: "Verify if the Endpoint Protector Network Extension Is Enabled" +knowledge_article_id: kA0Qk0000002B6TKAU +--- + +# Verify if the Endpoint Protector Network Extension Is Enabled + +## Overview + +This article describes how to verify whether the Endpoint Protector network extension is enabled. You can verify the status using either the command line interface or the Endpoint Protector Console. + +## Instructions + +### Verify Status via Command Line Interface + +1. Run the following command in the terminal: + +``` +```bash +systemextensionsctl list +``` +``` + +2. The Endpoint Protector network extension should display both **Enabled** and **activated** in the output. + +### Verify Status via Endpoint Protector Console + +1. In the console, navigate to **System Settings** > **Network** > **Filters** > **Filters & Proxies**. +2. Verify that the Endpoint Protector network extension is present and that the status shows **Enabled**. 
diff --git a/docs/kb/endpointprotector/what-do-the-colors-represent-in-endpoint-protector-server-and-client.md b/docs/kb/endpointprotector/what-do-the-colors-represent-in-endpoint-protector-server-and-client.md new file mode 100644 index 0000000000..21a538f330 --- /dev/null +++ b/docs/kb/endpointprotector/what-do-the-colors-represent-in-endpoint-protector-server-and-client.md @@ -0,0 +1,44 @@ +--- +description: >- + This article explains what the color indicators mean in the Endpoint Protector + Server and Client. It maps each color to the corresponding device right or + status so you can interpret device states at a glance. +keywords: + - endpoint protector + - colors + - trusted device + - device rights + - client + - server + - read-only + - allow charging +products: + - endpoint-protector +visibility: public +sidebar_label: What Do the Colors Represent in Endpoint Protector +tags: [] +title: "What Do the Colors Represent in Endpoint Protector Server and Client?" +knowledge_article_id: kA0Qk0000002B63KAE +--- + +# What Do the Colors Represent in Endpoint Protector Server and Client? + +## Question +What rights do the colors represent in the Endpoint Protector Server and Client? + +## Answer +Endpoint Protector uses color indicators to represent device rights and statuses in both the Server and Client interfaces. + +### Server Side +- **Red**: The device is blocked in the system. +- **Green**: The device is allowed on computers or users. +- **Yellow**: The device is allowed on some users or computers with restrictions. + +### Client Side +- **Red**: The device is blocked. +- **Green**: The device is allowed. +- **Yellow**: The device is set to Trusted Device Level 1; otherwise, it is read-only. +- **Orange**: The device is set to Read-Only. +- **Blue**: The device is set to TD 1, TD 2, TD 3, or TD 1+ (all Trusted Device levels). +- **Turquoise**: The iPhone is set to Allow Charging. +- **Grey**: The device was disconnected on macOS and Linux. 
diff --git a/docs/kb/endpointprotector/what_are_cryptographic_hashes.md b/docs/kb/endpointprotector/what_are_cryptographic_hashes.md new file mode 100644 index 0000000000..1d79edf799 --- /dev/null +++ b/docs/kb/endpointprotector/what_are_cryptographic_hashes.md 
@@ -0,0 +1,44 @@ +--- +description: >- + This article explains the purpose of cryptographic hashes and how to verify the integrity and authenticity of files downloaded from Endpoint Protector. +keywords: + - cryptographic hashes + - file integrity + - checksum verification +sidebar_label: Cryptographic Hashes Overview +tags: [] +title: "What Are Cryptographic Hashes?" +knowledge_article_id: kA0Qk0000002BM5KAM +products: + - endpointprotector +--- + +# What Are Cryptographic Hashes? + +## Overview + +This article explains the purpose of cryptographic hashes. Verifying cryptographic hashes ensures the integrity and authenticity of files downloaded from Endpoint Protector. + +## Instructions + +### Using Cryptographic Hashes + +As a data security vendor, Endpoint Protector provides cryptographic hashes on product download pages to help you verify that you have received unaltered files. Checksum algorithms, such as MD5 and SHA256, generate a unique fingerprint for each file, allowing you to detect errors or tampering that may have occurred during transmission or storage. + +To confirm file integrity, use the Terminal or a checksum utility to calculate the hash for files downloaded from the Endpoint Protector website. If the hash you calculate matches the one provided, you can be certain the file is intact. SHA and MD5 utilities are available for Windows, macOS, and Linux. + +### Calculating MD5 and SHA256 on Linux + +Most Linux distributions provide built-in commands for calculating MD5 and SHA256 message digests: + +![Terminal showing MD5 checksum calculation on Linux](https://www.endpointprotector.com/images/img/support/calculate-md5-linux.png) ![Terminal showing SHA256 checksum calculation on Linux](https://www.endpointprotector.com/images/img/support/calculate-sha256-linux.png) + +### Calculating MD5 and SHA256 on Windows + +Several tools are available for Windows. 
The **File Checksum Integrity Verifier (FCIV)** utility can be used to calculate MD5 and SHA256 checksums. For more information, see [File Checksum Integrity Verifier ⸱ Microsoft 🡥](https://support.microsoft.com/en-us/kb/841290). + +### Calculating MD5 and SHA256 on macOS + +macOS provides command-line utilities for calculating message digests. Depending on the OS version, some commands may vary. The following example shows the recommended method: + +![Terminal showing MD5 checksum calculation on macOS](https://www.endpointprotector.com/images/img/support/calculate-md5-mac.png) ![Terminal showing SHA256 checksum calculation on macOS](https://www.endpointprotector.com/images/img/support/calculate-sha256-mac.png) \ No newline at end of file diff --git a/docs/kb/endpointprotector/what_is_a_file_read-write_event.md b/docs/kb/endpointprotector/what_is_a_file_read-write_event.md new file mode 100644 index 0000000000..a310b219a6 --- /dev/null +++ b/docs/kb/endpointprotector/what_is_a_file_read-write_event.md 
@@ -0,0 +1,46 @@ +--- +description: >- + This article explains what a "File Read-Write" event is on the Endpoint Protector Server and provides instructions for setting up alerts and tracking existing alerts. +keywords: + - File Read-Write event + - Endpoint Protector + - alert setup +products: + - endpoint-protector +sidebar_label: File Read-Write Event Overview +tags: [] +title: What Is a "File Read-Write" Event? +knowledge_article_id: kA0Qk0000002BAiKAM +--- + +# What Is a "File Read-Write" Event? + +## Question + +What is a "File Read-Write" event on the Endpoint Protector Server? + +## Answer + +On the Endpoint Protector Server, a "File Read-Write" event monitors scenarios where files are accessed for both reading and writing, such as when editing a document. Administrators can set up alerts for these events to track and respond to such activities effectively. + +### Setting Up a "File Read-Write" Alert + +1. Navigate to **Device Control Alerts** in the Endpoint Protector console as root, Super Admin, or Device Control Admin. +2. Click **Create** to start setting up a new alert. +3. Configure the alert information: + - **Event:** Select **File Read-Write** from the drop-down menu. + - **Administrators:** Choose the administrators who should receive alert notifications. + - **Alert Name:** Provide a meaningful name for the alert. +4. Specify device types and devices: + - **Device Type:** Choose the type of device (for example, USB, external hard drive) where you want the alert to be active. + - **Device:** Select the specific device(s) to which the alert should apply. +5. Select monitored entities: + - Choose which groups, computers, or users should be monitored for this event. +6. Click **Save** to finalize the alert setup. + +### Tracking Existing Alerts + +1. Navigate to **Log Reports** within the **Reports and Analysis** section. +2. In **Log Reports**, go to **Filters** > **Events**. +3. Select **File Read-Write** from the drop-down menu. +4. 
Click **Apply** to view events that match your criteria. \ No newline at end of file diff --git a/docs/kb/endpointprotector/whitelist_or_exclude_endpoint_protector_processes_in_crowdstrike.md b/docs/kb/endpointprotector/whitelist_or_exclude_endpoint_protector_processes_in_crowdstrike.md new file mode 100644 index 0000000000..c1173b73ce --- /dev/null +++ b/docs/kb/endpointprotector/whitelist_or_exclude_endpoint_protector_processes_in_crowdstrike.md @@ -0,0 +1,36 @@ +--- +description: >- + This article explains how to whitelist or exclude Endpoint Protector (EPP) processes in CrowdStrike to ensure proper functionality without interference from security policies. +keywords: + - Endpoint Protector + - CrowdStrike + - whitelisting + - exclusion list + - security policies +sidebar_label: Whitelist or Exclude EPP Processes +tags: [] +title: "Whitelist or Exclude Endpoint Protector Processes in CrowdStrike" +knowledge_article_id: kA0Qk0000002B7GKAU +products: + - endpoint-protector +--- + +# Whitelist or Exclude Endpoint Protector Processes in CrowdStrike + +## Overview + +This article explains how to whitelist or exclude Endpoint Protector (EPP) processes in CrowdStrike. This ensures that Endpoint Protector functions correctly and is not blocked or interfered with by CrowdStrike security policies. + +## Instructions + +Follow these steps to add EPP processes to the CrowdStrike whitelist or exclusion list, based on your operating system: + +### For Windows + +- **Path:** `C:\Program Files\CoSoSys\Endpoint Protector\EPPService.exe` +- **Application:** `EPPService.exe` + +### For macOS + +- **Path:** `/Applications/EndpointProtectorClient.app/Contents/MacOS/EppClient` +- **Application:** `EndpointProtectorClient.app` \ No newline at end of file 
diff --git a/docs/kb/endpointprotector/whitelisting-authentication-servers-for-deep-packet-inspection.md b/docs/kb/endpointprotector/whitelisting-authentication-servers-for-deep-packet-inspection.md new file mode 100644 index 0000000000..decff464a0 --- /dev/null +++ b/docs/kb/endpointprotector/whitelisting-authentication-servers-for-deep-packet-inspection.md 
@@ -0,0 +1,48 @@ +--- +description: >- + Use these steps to whitelist authentication servers in Netwrix Endpoint + Protector so authentication succeeds when Deep Packet Inspection (DPI) is + enabled. +keywords: + - deep packet inspection + - DPI + - whitelist + - authentication servers + - ADFS + - Netwrix Endpoint Protector + - allowlists + - content aware policies +products: + - endpoint-protector +sidebar_label: Whitelisting Authentication Servers for Deep Packe +tags: [] +title: "Whitelisting Authentication Servers for Deep Packet Inspection" +knowledge_article_id: kA0Qk0000002BDuKAM +--- + +# Whitelisting Authentication Servers for Deep Packet Inspection + +## Overview + +When Deep Packet Inspection (DPI) is enabled in environments using an authentication server, you must whitelist authentication resources to prevent authentication timeouts or failures. Without these allowances, the authentication service may detect DPI as a "man in the middle" and block or delay authentication attempts. + +This article describes how to whitelist authentication servers in Netwrix Endpoint Protector to ensure successful authentication when DPI is enabled. + +## Instructions + +1. Log in to the Netwrix Endpoint Protector Console. +2. Go to **Denylists and Allowlists** and select **Allowlists**. + ![Allowlists section in Netwrix Endpoint Protector](./images/ka0Qk000000Eb4X_0EMQk00000CAOF3.png) +3. Select the **Deep Packet Inspection** tab and click **Add**. + ![Deep Packet Inspection tab in Allowlists](./images/ka0Qk000000Eb4X_0EMQk00000CAOGf.png) +4. Fill in all required fields to define your authentication resource(s) (e.g., ADFS), then click **Save**. + ![Defining authentication resource in DPI allowlist](./images/ka0Qk000000Eb4X_0EMQk00000CAOIH.png) +5. Go to **Content Aware Protection** > **Content Aware Policies** and select your policy then click **Edit**. +6. Navigate to the **Policy Allowlists** section and click the **Deep Packet Inspection** tab. +7. 
Select the entry defined in step 4 and verify the accuracy of your selected policy entities. + ![Selecting DPI allowlist entry in policy](./images/ka0Qk000000Eb4X_0EMQk00000CAOJt.png) +8. Click **Save**. +9. On the managed endpoint, right-click the System Tray or Menu Bar item for Netwrix Endpoint Protector and select **Update policies now**. + ![Update policies now in Netwrix Endpoint Protector client](./images/ka0Qk000000Eb4X_0EMQk00000CAON7.png) +10. Verify that authentication succeeds when DPI is enabled. + diff --git a/docs/kb/endpointprotector/why-do-various-linux-system-users-appear-in-the-endpoint-protector-user-interface.md b/docs/kb/endpointprotector/why-do-various-linux-system-users-appear-in-the-endpoint-protector-user-interface.md new file mode 100644 index 0000000000..dd056622b0 --- /dev/null +++ b/docs/kb/endpointprotector/why-do-various-linux-system-users-appear-in-the-endpoint-protector-user-interface.md 
@@ -0,0 +1,34 @@ +--- +description: >- + Explains why various Linux system users (for example, root, 65534, lightdm) + appear in the Endpoint Protector user interface and how the client determines + the active user. +keywords: + - endpoint protector + - linux + - system users + - active user + - root + - lightdm + - 65534 + - endpoint client + - ui +products: + - endpoint-protector +sidebar_label: Why Do Various Linux System Users Appear in the En +tags: [] +title: "Why Do Various Linux System Users Appear in the Endpoint Protector User Interface?" +knowledge_article_id: kA0Qk0000002BCgKAM +--- + +# Why Do Various Linux System Users Appear in the Endpoint Protector User Interface? + +## Question +Why do various Linux system users appear in the **Endpoint Protector UI**? + +## Answer +On Linux endpoints, you will see both standard and system users in the **Endpoint Protector UI**. System users such as `root`, `65534`, and `lightdm` are created by the operating system and may appear as active users depending on running processes. + +The Endpoint Protector client determines the active user by querying a system library, which returns the current user context. The UI reflects the user reported by this library at any given time. + +To ensure optimal accuracy and feature support, keep both the Endpoint Protector server and client updated to the latest versions. diff --git a/docs/kb/endpointprotector/why-is-a-printer-detected-as-an-usb-storage-device.md b/docs/kb/endpointprotector/why-is-a-printer-detected-as-an-usb-storage-device.md new file mode 100644 index 0000000000..9ce96a62b4 --- /dev/null +++ b/docs/kb/endpointprotector/why-is-a-printer-detected-as-an-usb-storage-device.md 
@@ -0,0 +1,32 @@ +--- +description: >- + Explains why Netwrix Endpoint Protector detects printers with internal storage + as USB storage devices and how device type information is reported by the + operating system. +keywords: + - endpoint protector + - printer + - usb storage + - internal storage + - device detection + - operating system + - data remanence +products: + - endpoint-protector +sidebar_label: Why Is a Printer Detected as an USB Storage Device +tags: [] +title: "Why Is a Printer Detected as an USB Storage Device?" +knowledge_article_id: kA0Qk0000002BLzKAM +--- + +# Why Is a Printer Detected as an USB Storage Device? + +## Question + +Why does Endpoint Protector detect the printer as a USB storage device? + +## Answer + +You should be aware that printers with internal storage are identified by the operating system as both printers and storage devices. This is because their ability to store, manage, and access files directly is similar to how traditional storage devices function. As a result, sensitive or confidential information may remain on the printer for extended periods. + +Endpoint Protector receives device type information from the operating system. The printing function is managed under the **Printers** device type, while the internal storage is managed under the **USB Storage Device** type. diff --git a/docs/kb/endpointprotector/why-smartphones-are-detected-as-multiple-device-types.md b/docs/kb/endpointprotector/why-smartphones-are-detected-as-multiple-device-types.md new file mode 100644 index 0000000000..d82744f259 --- /dev/null +++ b/docs/kb/endpointprotector/why-smartphones-are-detected-as-multiple-device-types.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Explains how Netwrix Endpoint Protector identifies smartphones and why a + single phone may be detected as multiple device types depending on + manufacturer and configuration. +keywords: + - endpoint protector + - smartphones + - MTP + - USB storage + - USB modem + - tethering + - device types + - mobile devices + - Android +products: + - endpoint-protector +sidebar_label: Why Smartphones Are Detected as Multiple Device Ty +tags: [] +title: "Why Smartphones Are Detected as Multiple Device Ty" +knowledge_article_id: kA0Qk0000002B96KAE +--- + +# Why Smartphones Are Detected as Multiple Device Ty + +## Question + +How does Netwrix Endpoint Protector identify smartphones, and why might multiple device types appear depending on manufacturer and configuration? + +## Answer + +Netwrix Endpoint Protector identifies smartphones based on how the operating system (OS) presents the device when it is connected. Modern smartphones function as full-featured computers with their own operating systems, and their connection behavior can vary by manufacturer and configuration. + +For example: + +- **Apple phones** typically appear as a single device type when connected. +- **Some Android phones** (such as Samsung devices) may appear as multiple device types. + +Depending on the phone’s features and settings, the OS and Netwrix Endpoint Protector may detect the following device types: + +- **MTP Device**: Most smartphones are detected as Media Transfer Protocol (MTP) devices in Device Manager. +- **USB Storage Device**: If the phone uses an SD card and is configured to appear as a storage device, Netwrix Endpoint Protector will detect it as a USB storage device. +- **USB Modem**: If internet sharing (tethering) is enabled, the device may also be detected as a USB modem. + +To manage access and apply the appropriate policies, review the device types detected in Netwrix Endpoint Protector for each scenario. 
diff --git a/docs/kb/endpointprotector/why_does_an_iphone_remain_blocked_despite_having_allow_access_rights.md b/docs/kb/endpointprotector/why_does_an_iphone_remain_blocked_despite_having_allow_access_rights.md new file mode 100644 index 0000000000..4752d2314d --- /dev/null +++ b/docs/kb/endpointprotector/why_does_an_iphone_remain_blocked_despite_having_allow_access_rights.md @@ -0,0 +1,24 @@ +--- +description: >- + This article explains why an iPhone may remain blocked by Endpoint Protector despite having Allow Access rights and provides guidance on how to resolve the issue. +keywords: + - iPhone + - Endpoint Protector + - Allow Access rights +sidebar_label: iPhone Blocked by Endpoint Protector +tags: [] +title: "Why Does an iPhone Remain Blocked Despite Having Allow Access Rights?" +knowledge_article_id: kA0Qk0000002B9JKAU +products: + - endpoint-protector +--- + +# Why Does an iPhone Remain Blocked Despite Having Allow Access Rights? + +## Question + +Why is an iPhone blocked by Endpoint Protector even if it has Allow Access rights? + +## Answer + +If you update the firmware on your iDevice (iPhone, iPad, or iPod Touch), Endpoint Protector will detect it as a new device and automatically block its access. Reassign **Allow Access** rights after each firmware update to ensure uninterrupted access. \ No newline at end of file diff --git a/docs/kb/endpointprotector/why_does_the_ediscovery_scanning_status_progress_bar_drop_to_a_lower_percentage.md b/docs/kb/endpointprotector/why_does_the_ediscovery_scanning_status_progress_bar_drop_to_a_lower_percentage.md new file mode 100644 index 0000000000..80fca45139 --- /dev/null +++ b/docs/kb/endpointprotector/why_does_the_ediscovery_scanning_status_progress_bar_drop_to_a_lower_percentage.md 
@@ -0,0 +1,32 @@ +--- +description: >- + This article explains why the eDiscovery Scanning Status progress bar may drop to a lower percentage during a scan and the factors affecting its recovery time. +keywords: + - eDiscovery + - scanning status + - Endpoint Protector Client +sidebar_label: eDiscovery Scanning Status Progress Bar +tags: [] +title: "Why Does the eDiscovery Scanning Status Progress Bar Drop to a Lower Percentage?" +knowledge_article_id: kA0Qk0000002BIlKAM +products: + - endpoint-protector +--- + +# Why Does the eDiscovery Scanning Status Progress Bar Drop to a Lower Percentage? + +## Question + +Why does the eDiscovery Scanning Status progress bar drop to a lower percentage? + +## Answer + +If the **Endpoint Protector Client** is updated during a running scan, the Scanning Status progress bar may drop to a very low percentage. It can take anywhere from a few minutes to several hours for the progress bar to return to normal. + +An inaccurate progress bar can also appear immediately after a computer is restarted while a scan is running. + +These situations occur because the **Endpoint Protector Client** requires time to recalculate and transmit an accurate status of the files already scanned, the confidential information discovered, and related data. + +The time required for the progress bar to return to normal depends on several factors, including the computer's processing power, the number of scanned files, the number of policy violations discovered, the total number of files, and available hard disk space. + +> **NOTE:** It is recommended to stop any active scans on a specific computer before performing an update of the **Endpoint Protector Client**. \ No newline at end of file diff --git a/docs/kb/endpointprotector/why_dpi_does_not_inspect_content_when_vpn_add-ons_are_installed_on_browsers.md b/docs/kb/endpointprotector/why_dpi_does_not_inspect_content_when_vpn_add-ons_are_installed_on_browsers.md new file mode 100644 index 0000000000..cb37d762e9 
--- /dev/null +++ b/docs/kb/endpointprotector/why_dpi_does_not_inspect_content_when_vpn_add-ons_are_installed_on_browsers.md 
@@ -0,0 +1,32 @@ +--- +description: >- + This article explains why Deep Packet Inspection (DPI) does not inspect content when VPN add-ons are installed on browsers and outlines the implications for endpoint data loss prevention. +keywords: + - Deep Packet Inspection + - VPN add-ons + - Data Loss Prevention + - Endpoint Protector + - content inspection +sidebar_label: DPI and VPN Add-ons +tags: [] +title: "Why DPI Does Not Inspect Content When VPN Add-ons Are Installed on Browsers" +knowledge_article_id: kA0Qk0000002B9TKAU +products: + - endpoint-protector +--- + +# Why DPI Does Not Inspect Content When VPN Add-ons Are Installed on Browsers + +## Question + +Why is Deep Packet Inspection (DPI) not inspecting content when VPN add-ons are installed on browsers? + +## Answer + +Endpoint Protector is an endpoint Data Loss Prevention (DLP) solution. Content inspection occurs on the endpoint when a monitored application accesses a file that is being monitored for content using custom content dictionaries, predefined content, regular expressions (regexes), and similar methods. + +With the introduction of Deep Packet Inspection (DPI) functionality, an additional content inspection mechanism is available that inspects packets sent to the network. As an enterprise solution, the DPI feature within Endpoint Protector is designed to work in scenarios where only corporate VPNs are used. Such VPN solutions provide various configuration options that can be utilized by a network administrator to align with the overall, company-wide security policy. + +End users are generally restricted from installing their own applications or deploying individual solutions such as VPN add-ons in browsers. This restriction is enforced by network administrators to ensure business continuity, limit exposure and risks, and ensure data security measures are effective. 
+ +The DPI feature within Endpoint Protector is not designed to cover scenarios where end users deploy their own browser-based VPN add-ons. In such cases, the Deep Packet Inspection functionality should be disabled, allowing the default method of confidential content inspection to operate. \ No newline at end of file diff --git a/docs/kb/endpointprotector/why_endpoint_protector_detects_cameras_as_digital_cameras_or_windows_portable_devices_(mtp).md b/docs/kb/endpointprotector/why_endpoint_protector_detects_cameras_as_digital_cameras_or_windows_portable_devices_(mtp).md new file mode 100644 index 0000000000..d00de45312 --- /dev/null +++ b/docs/kb/endpointprotector/why_endpoint_protector_detects_cameras_as_digital_cameras_or_windows_portable_devices_(mtp).md @@ -0,0 +1,30 @@ +--- +description: >- + This article explains why Endpoint Protector detects cameras as Digital Cameras on some computers and as Windows Portable Devices (MTP) on others. +keywords: + - Endpoint Protector + - Digital Cameras + - Windows Portable Devices +sidebar_label: Why Endpoint Protector Detects Cameras +tags: [] +title: "Why Endpoint Protector Detects Cameras as Digital Cameras or Windows Portable Devices (MTP)" +knowledge_article_id: kA0Qk0000002BE7KAM +products: + - endpoint-protector +--- + +# Why Endpoint Protector Detects Cameras as Digital Cameras or Windows Portable Devices (MTP) + +## Question + +Why does Endpoint Protector detect cameras as Digital Cameras on some computers and as Windows Portable Devices (MTP) on others? + +## Answer + +If drivers are installed for the camera, Endpoint Protector detects and displays the camera in the web interface as a **Digital camera**. + +If drivers are not installed, the camera is detected as a **Windows Portable Device (MTP)** because the operating system recognizes it through the Media Transfer Protocol. + +## Related Links + +- [Endpoint Protector Deployment Resources](/docs/endpointprotector/) \ No newline at end of file 
diff --git a/docs/kb/endpointprotector/why_is_the_serial_number_not_correctly_identified_for_my_iphone.md b/docs/kb/endpointprotector/why_is_the_serial_number_not_correctly_identified_for_my_iphone.md new file mode 100644 index 0000000000..7211d1a096 --- /dev/null +++ b/docs/kb/endpointprotector/why_is_the_serial_number_not_correctly_identified_for_my_iphone.md @@ -0,0 +1,30 @@ +--- +description: >- + This article explains why the serial number for an iPhone may not be correctly identified and the implications of Apple's security limitations on device identification. +keywords: + - iPhone + - serial number + - USB storage device +sidebar_label: iPhone Serial Number Identification +tags: [] +title: "Why Is the Serial Number Not Correctly Identified for My iPhone?" +knowledge_article_id: kA0Qk0000002BIoKAM +products: + - endpoint-protector +--- + +# Why Is the Serial Number Not Correctly Identified for My iPhone? + +## Question + +Why is the serial number not correctly identified for my iPhone? + +## Answer + +Devices such as iPhones can be connected and detected as various device types, depending on the computer operating system. An iPhone, in addition to being a smartphone, can also function as a USB storage device. + +Although USB devices are identified using Vendor ID (VID), Product ID (PID), and serial number, Apple prohibits access to the device identifying data that is visible in the iOS Settings app. + +These security limitations imposed by Apple are further extended, as the USB serial number is also used by iTunes to name the backup folder for an iPhone on the computer. + +As a result, the serial number displayed by Endpoint Protector will be the iPhone's USB storage device serial number, not the iPhone serial number shown in the phone's settings menu. \ No newline at end of file 
diff --git a/docs/kb/endpointprotector/will-content-aware-protection-block-sensitive-content-in-files-from-the-allowed-file-allowlist.md b/docs/kb/endpointprotector/will-content-aware-protection-block-sensitive-content-in-files-from-the-allowed-file-allowlist.md new file mode 100644 index 0000000000..921e157a89 --- /dev/null +++ b/docs/kb/endpointprotector/will-content-aware-protection-block-sensitive-content-in-files-from-the-allowed-file-allowlist.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Explains that Content Aware Protection does not block files included in the + Allowed File allowlist in Netwrix Endpoint Protector and shows where to + configure and assign the allowlist. +keywords: + - allowed file + - allowlist + - Content Aware Protection + - CAP + - Netwrix Endpoint Protector + - sensitive content + - eDiscovery + - Policy Allowlists +products: + - endpoint-protector +sidebar_label: Will Content Aware Protection Block Sensitive Cont +tags: [] +title: "Will Content Aware Protection Block Sensitive Content in Files from the Allowed File Allowlist?" +knowledge_article_id: kA0Qk0000002BE9KAM +--- + +# Will Content Aware Protection Block Sensitive Content in Files from the Allowed File Allowlist? + +## Question + +Will Content Aware Protection block sensitive content files from the "Allowed File" Allowlist? + +## Answer + +No, Content Aware Protection will not block sensitive content in files that are included in the "Allowed File" Allowlist. **Allowed Files** Allowlists are custom groups of files you exclude from Netwrix Endpoint Protector sensitive content detection. These allowlists are available for both the Content Aware Protection and eDiscovery modules. + +You can find the Allowed Files allowlist under **Denylists and Allowlists** > **Allowlists** > **Allowed File.** + +![Allowed File allowlist in Netwrix Endpoint Protector](./images/ka0Qk000000ETJt_0EMQk00000C8uNt.png) + +After creating the allowlist, add it to the Content Aware Protection (CAP) policy under **Policy Allowlists.** + +![Assigning Allowed File allowlist to a CAP policy](./images/ka0Qk000000ETJt_0EMQk00000C8uB1.png) + +Once the allowlist is assigned to the policy, the Content Aware Protection policy will inspect but ignore sensitive content in files included in the Allowed File list. Files on the allowlist are not blocked, even if they contain sensitive content. 
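Review bot: The closing paragraph says the policy "will inspect but ignore sensitive content" in allowlisted files, while the Answer section describes the same files as ones "you exclude from Netwrix Endpoint Protector sensitive content detection"; pick one description so an administrator knows whether allowlisted files are scanned at all. The article also never states how a file is matched against the Allowed File list, which a reader needs in order to judge how wide the exemption is, so add one sentence on the matching criterion. Minor: `sidebar_label` is cut off at "Block Sensitive Cont", and the Question line ("block sensitive content files from") drops the "in" that the title has.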
diff --git a/docs/kb/general/_category_.json b/docs/kb/general/_category_.json new file mode 100644 index 0000000000..bd0adf85a3 --- /dev/null +++ b/docs/kb/general/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Knowledge Base Articles", + "position": 999, + "collapsed": true, + "collapsible": true +} diff --git a/docs/kb/general/access-to-administrative-portal-in-non-domain-dmz.md b/docs/kb/general/access-to-administrative-portal-in-non-domain-dmz.md new file mode 100644 index 0000000000..fec90ec405 --- /dev/null +++ b/docs/kb/general/access-to-administrative-portal-in-non-domain-dmz.md 
@@ -0,0 +1,48 @@ +--- +description: >- + If you install Password Manager on a non-domain DMZ, users cannot log in to + the Help-Desk or Admin portals with domain credentials because the front-end + server authenticates using local accounts. This article explains two ways to + use domain accounts for these portals. +keywords: + - Password Manager + - DMZ + - non-domain + - Admin portal + - Help-Desk + - IIS + - back-end server + - local accounts + - authentication +products: + - general +sidebar_label: Access to Administrative portal in non-domain DMZ +tags: [] +title: "Access to Administrative portal in non-domain DMZ" +knowledge_article_id: kA00g000000H9bTCAS +--- + +# Access to Administrative portal in non-domain DMZ + +## Symptom +I installed Password Manager on a non-domain DMZ and cannot log to the **Help-Desk** or **Admin portal** using regular credentials. + +--- + +## Cause +The issue occurs because users are authenticated by the front-end server. Non-domain machine has only local accounts and cannot use domain accounts. + +--- + +## Resolution +There are two ways of using domain accounts to authenticate the **Admin** or **Help-Desk** portals installed on a non-domain DMZ: + +### Option 1. Configure the Password Manager Web application as follows: +1. Configure **Internet Information Services (IIS)** on your back-end server. +2. Install the **Password Manager Web application** on the back-end server. +3. Remove the **Help-Desk** and **Admin portals** from the front-end server. + +### Option 2. Create new local accounts with the same credentials on both front-end and back-end servers. +- The accounts must be assigned local administrators rights. +- Use these accounts to log on the **Admin** or **Help-Desk** portals on a non-domain DMZ. +- When logging on, enter user names without any domain prefix. 
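Review bot: Option 2 in the Resolution asks for local accounts "with the same credentials on both front-end and back-end servers" that hold local administrator rights, and the article gives no guidance on what that means for a host sitting in a DMZ. Say which of the two options is recommended, and for Option 2 state that the accounts should be dedicated to portal access and whether anything less than local administrator rights is sufficient. Wording in the same hunk: "cannot log to" should be "cannot log in to", "Non-domain machine has" needs an article, "local administrators rights" should be "local administrator rights", and "log on the" should be "log on to the".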
diff --git a/docs/kb/general/adjusting-event-log-size-and-retention-settings.md b/docs/kb/general/adjusting-event-log-size-and-retention-settings.md new file mode 100644 index 0000000000..5971d4d737 --- /dev/null +++ b/docs/kb/general/adjusting-event-log-size-and-retention-settings.md @@ -0,0 +1,27 @@ +--- +description: >- + Select the Netwrix Auditor product version to view instructions for adjusting + Windows Server event log size and retention settings. +keywords: + - event log + - Windows Server + - event log size + - retention + - Netwrix Auditor + - WS_Event_Log_Settings + - Auditor 10.0 + - Auditor 10.5 +products: + - general +sidebar_label: Adjusting Event Log Size and Retention Settings +tags: [] +title: "Adjusting Event Log Size and Retention Settings" +knowledge_article_id: kA04u000000LLiHCAW +--- + +# Adjusting Event Log Size and Retention Settings + +Select your product version of Netwrix Auditor: + +- 10.0 +- 10.5 diff --git a/docs/kb/general/all-users-are-able-to-access-all-password-manager-portals.md b/docs/kb/general/all-users-are-able-to-access-all-password-manager-portals.md new file mode 100644 index 0000000000..ee4d9b7290 --- /dev/null +++ b/docs/kb/general/all-users-are-able-to-access-all-password-manager-portals.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Users can access all Password Manager portals due to IIS authentication being + configured with a specific user for path credentials instead of pass-through + authentication. This article explains how to configure pass-through + authentication in IIS so the website uses the credentials of the visiting + user. +keywords: + - IIS + - Password Manager + - pass-through authentication + - Anonymous Authentication + - Default Web Site + - Connect as + - Application user + - Self Service Portal +products: + - general +sidebar_label: 'All users are able to access all Password Manager ' +tags: [] +title: "All users are able to access all Password Manager portals" +knowledge_article_id: kA00g000000H9ZyCAK +--- + +# All users are able to access all Password Manager portals + +All users are able to access all Password Manager portals, regardless of the roles assigned within Password Manager. + +--- + +A user has been specified for path credentials in IIS. You need to use pass-through authentication, so the credentials of the user using the website are passed through, instead of forcing a service account/specific user. + +--- + +## Resolution + +Perform the following steps in IIS on the Netwrix Password Manager Server: + +1. Open IIS +2. Click on **Default Web Site** or whatever site you put Netwrix Password Manager under +3. Click **Basic Settings** on the right +4. Click the **Connect as...** button +5. Select **Application user (pass-through authentication)** + +Note that the **Self Service Portal** uses **Anonymous Authentication** so any user should be able to access it but only users defined in the **Role** are allowed to perform actions on their accounts. + +See the image below for reference + +![User-added image](./images/ka04u00000116Ru_0EM700000005hyC.png) 
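Review bot: The symptom and cause paragraphs at the top of the body have no headings, only `---` separators, while the fix sits under `## Resolution`; add `## Symptom` and `## Cause` so the page matches the other KB articles in this patch. Since the problem is an access-control failure, the steps should end with a check: after selecting **Application user (pass-through authentication)**, sign in as a user without an Admin or Help-Desk role and confirm those portals are refused. Minor: `sidebar_label` is truncated and carries a trailing space ('All users are able to access all Password Manager '), "See the image below for reference" has no closing punctuation, and the image alt text is the generic "User-added image".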
diff --git a/docs/kb/general/are-netwrix-products-affected-by-log4j-vulnerability.md b/docs/kb/general/are-netwrix-products-affected-by-log4j-vulnerability.md new file mode 100644 index 0000000000..3c0c25e076 --- /dev/null +++ b/docs/kb/general/are-netwrix-products-affected-by-log4j-vulnerability.md @@ -0,0 +1,27 @@ +--- +description: >- + Netwrix products are not affected by the Apache Log4j CVE-2021-44228 + vulnerability. See the official Netwrix statement for full details and + guidance. +keywords: + - log4j + - CVE-2021-44228 + - Apache Log4j + - Netwrix + - vulnerability + - security bulletin + - statement + - mitigation +products: + - general +sidebar_label: Are Netwrix Products affected by log4j vulnerabili +tags: [] +title: "Are Netwrix Products affected by log4j vulnerability?" +knowledge_article_id: kA04u0000000HfsCAE +--- + +# Are Netwrix Products affected by log4j vulnerability? + +No. + +Read More: https://www.netwrix.com/netwrix_statement_on_cve_2021_44228_the_apache_log4j_vulnerability.html diff --git a/docs/kb/general/automatic-user-enrollment-failed-the-certificate-authority-is-invalid-or-incorrect.md b/docs/kb/general/automatic-user-enrollment-failed-the-certificate-authority-is-invalid-or-incorrect.md new file mode 100644 index 0000000000..83a0735ca2 --- /dev/null +++ b/docs/kb/general/automatic-user-enrollment-failed-the-certificate-authority-is-invalid-or-incorrect.md 
@@ -0,0 +1,63 @@ +--- +description: >- + Resolve "Automatic user enrollment failed: The certificate authority is + invalid or incorrect (Error code: 12045)" when using a self-signed SSL + certificate for the Self-Service portal by deploying the certificate to client + machines via Group Policy or using a third-party signed certificate. +keywords: + - automatic user enrollment + - certificate authority + - Error 12045 + - self-signed certificate + - Self-Service portal + - Group Policy + - Trusted Root Certification Authorities + - gpupdate +products: + - general +sidebar_label: 'Automatic user enrollment failed: The certificate ' +tags: [] +title: >- + Automatic user enrollment failed: The certificate authority is invalid or + incorrect (Error code: 12045) +knowledge_article_id: kA00g000000H9TOCA0 +--- + +# Automatic user enrollment failed: The certificate authority is invalid or incorrect (Error code: 12045) + +## Problem +On startup, the enrollment wizard does not start and returns the following error: + +"Automatic user enrollment failed: The certificate authority is invalid or incorrect (Error code: 12045)" + +## Cause +This issue occurs when you use a self-signed SSL certificate for the Self-Service portal. + +## Resolution +To resolve the issue, either obtain a signed third-party SSL certificate, or deploy the self-signed certificate to the root CA (certificate authority) store of all problematic workstations. + +## To deploy a self-signed certificate +1. Save the certificate to a file locally. To do this: + - Browse to the website you have assigned a certificate to. + - Click Agree to continue on the notification screen. + - In the address bar, find the certificate and open the certificate information (see screenshots – **View certificates** or **Certificate information**). + + ![User-added image](./images/ka04u00000116cj_0EM700000004yH3.png) + +2. Go to the **Details** tab and click **Copy to file…** (a wizard opens). +3. 
Select **Cryptographic Message Syntax Standard (PKCS #7)** and click **Next**. +4. Select a path to save the file and click **Next**, then click **Finish**. +5. Copy the file to the machine where Group Policy Manager is installed. +6. Start **Group Policy Manager** and edit **Default Domain Policy**. +7. In the Group Policy Object Editor, navigate to: + **Computer Configuration - Windows Settings – Security Settings - Public Key Policies - Trusted Root Certification Authorities**, right-click and select **Import**. +8. In the wizard, specify the file you created earlier and click **Next**. +9. Leave Certificate Store as default and click **Next**, then click **Finish**. +10. Run `gpupdate /force` or wait until the policy applies automatically. + +![User-added image](./images/ka04u00000116cj_0EM700000004yHD.png) + +## Additional notes +- Also make sure that the name of the server stored in the certificate matches the name you specified on the Password Manager client setup. + +More screenshots here: [Deploying a Self-Signed Root Certificate with Group Policy](http://unixwiz.net/techtips/deploy-webcert-gp.html) diff --git a/docs/kb/general/calculate-percentages-in-sql-properly.md b/docs/kb/general/calculate-percentages-in-sql-properly.md new file mode 100644 index 0000000000..d981ede1d8 --- /dev/null +++ b/docs/kb/general/calculate-percentages-in-sql-properly.md 
@@ -0,0 +1,68 @@ +--- +description: >- + Explains why integer division in T-SQL can produce 0 or 100 and shows how to + calculate percentages correctly using decimal casting and ROUND. +keywords: + - SQL + - T-SQL + - percentages + - integer division + - CAST + - ROUND + - decimal + - SQL Server +products: + - general +sidebar_label: calculate percentages in SQL properly +tags: [] +title: "calculate percentages in SQL properly" +knowledge_article_id: kA04u0000000IQqCAM +--- + +# calculate percentages in SQL properly + +## Summary +When working with TSQL percentages you see unexpected results where a percent will either be 0 or 100. + +## Issue +Number values tend to be `INTEGER (int)` type; when working with percentages SQL expects decimal. You can fix this by explicitly converting values to a decimal type or using decimal literals. The examples below show two options. + +## Instructions +In the following example, both data types are `int`, so the result of the operation is also an `int` instead of a decimal, which would be required to show the percentage value you are trying to generate. For example, the following calculation returns 0: + +```sql +SELECT 3/4 * 100 +GO +``` + +You actually expect the answer to be 75. But SQL Server sees you dividing the integer 3 by the integer 4. + +The examples below show how to get the expected result: + +```sql +SELECT 3.0/4.0 * 100 +GO +``` + +or + +```sql +SELECT cast(3 as decimal)/ cast(4 as decimal) * 100 +GO +``` + +These examples return the value you're looking for because you explicitly cast the integer values as decimals. The first example forces the integer to become a decimal by referencing the integer 3 as the decimal number `3.0`. The second example uses the `CAST()` function to do the same. + +Optionally, you can also produce a result with decimal precision. For example, to see 75.1% you can use the `ROUND()` function, which rounds a number to a specified number of decimal places. 
+ +Parameter: +`ROUND(number, decimals, operation)` + +Example: + +```sql +SELECT cast(Round(((3*100.0)/4)) as decimal(5,1)) +``` + +## Legacy Article ID +2300 diff --git a/docs/kb/general/cannot-access-licensing-page.md b/docs/kb/general/cannot-access-licensing-page.md new file mode 100644 index 0000000000..b7059d46d4 --- /dev/null +++ b/docs/kb/general/cannot-access-licensing-page.md 
@@ -0,0 +1,53 @@ +--- +description: >- + When you open the Licensing page in the Password manager Administration + console, you may see a server error caused by the service lacking permissions + to read the license information from the registry. This article explains the + cause and how to resolve it by granting the required permissions. +keywords: + - Password Manager + - licensing + - Administration console + - registry + - HKLM + - Wow6432Node + - permissions + - service account + - Netwrix Password Manager +products: + - general +sidebar_label: Cannot access Licensing page +tags: [] +title: "Cannot access Licensing page" +knowledge_article_id: kA00g000000H9byCAC +--- + +# Cannot access Licensing page + +## Symptoms + +I get the following error when trying to get to a License page in the Administration console of the Password manager. + +An error occurred on the server when processing the URL. Please contact the system administrator. +If you are the system administrator please click here to find out more about this error. + +--- + +## Cause + +The error occurs because Password Manager service fails to get information about current license form the registry. + +--- + +## Resolution + +To address the issue make sure that the Password Manager service account has Full control on the following: + +1. Password Manager installation directory +2. Registry key `HKLMSoftware[Wow6432Node]NetwrixPassword Manager (Wow6432Node only for x64 OS)` + +![User-added image](./images/ka04u00000116bt_0EM700000004yh6.png) +![User-added image](./images/ka04u00000116bt_0EM700000004yh1.png) + +Even if the service account is a member of local Administrators group, please try to grant Full control to the service account explicitly. +Restart the Netwrix Password Manager service after granting permissions. diff --git a/docs/kb/general/client-crash-runtime-error.md b/docs/kb/general/client-crash-runtime-error.md new file mode 100644 index 0000000000..6b6033bf93 --- /dev/null 
+++ b/docs/kb/general/client-crash-runtime-error.md @@ -0,0 +1,50 @@ +--- +description: >- + Explains how to resolve a runtime error that occurs when the Password Manager + client crashes at startup by checking deployment permissions and required + registry keys. +keywords: + - Password Manager + - client crash + - runtime error + - UAC + - registry + - NetWrixPasswordManager + - deployment + - local admin +products: + - general +sidebar_label: Client crash - Runtime Error! +tags: [] +title: "Client crash - Runtime Error!" +knowledge_article_id: kA00g000000H9bcCAC +--- + +# Client crash - Runtime Error! + +I deployed the Password Manager client on several machines and on some of them I receive the following error at startup + +![User-added image](./images/ka04u00000116ci_0EM7000000052dI.png) + +--- + +The application adds files to Program files and keys to the registry, also registers its components in registry. +The error above occurs because some of required components were not installed or registered. + +The most common reason is the lack of permissions granted to the account under which the client was installed. +Microsoft User Account Control (UAC) can also cause this. + +--- + +1. First of all make sure that the account used to deploy the client has full access to the local system (local admin permissions or local system account). +2. Try perform the deployment with UAC disabled. + +If the issue persists, please manually check that after deployment of the client the following registry keys exist. + +- `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\NetWrixPasswordManager` +- `HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\NetwrixPasswordManager` (this is only in 64-bit OS) + +![User-added image](./images/ka04u00000116ci_0EM7000000052dS.png) + +If the key does not exist you can create it manually. No values are necessary. +Change the deployment procedure to create this key. 
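Review bot: Step 2 ("Try perform the deployment with UAC disabled") leaves UAC off with no instruction to turn it back on, and step 1 already requires a local admin or local system account. Either drop step 2 in favour of running the installer elevated, or add an explicit "re-enable UAC after the deployment" line. The two registry keys are spelled differently (`NetWrixPasswordManager` and `NetwrixPasswordManager`); use one spelling. The body also lacks the Symptom, Cause and Resolution headings, and "Try perform" should be "Try to perform".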
diff --git a/docs/kb/general/cloud-permission-analyzer-configuring-dropbox-apps.md b/docs/kb/general/cloud-permission-analyzer-configuring-dropbox-apps.md new file mode 100644 index 0000000000..633a3bcd13 --- /dev/null +++ b/docs/kb/general/cloud-permission-analyzer-configuring-dropbox-apps.md 
@@ -0,0 +1,80 @@ +--- +description: >- + Instructions to configure Netwrix Cloud Permission Analyzer (CPA) to work with + Dropbox using Dropbox Apps, including Dropbox app creation, permissions, token + generation, and CPA configuration. +keywords: + - Dropbox + - Cloud Permission Analyzer + - CPA + - access token + - OAuth + - App key + - application permissions + - Dropbox Apps + - admin + - collection +products: + - general +sidebar_label: Cloud Permission Analyzer Configuring Dropbox Apps +tags: [] +title: "Cloud Permission Analyzer Configuring Dropbox Apps" +knowledge_article_id: kA04u000000PdBmCAK +--- + +# Cloud Permission Analyzer Configuring Dropbox Apps + +This article will cover the process of configuring Netwrix Cloud Permission Analyzer (CPA) to work with Dropbox using Dropbox Apps. This process is divided into two parts: Dropbox configuration and Cloud Permission Analyzer configuration. + +## Dropbox Configuration + +1. In your web browser, log in to Dropbox using an admin account (or TeamAdmin if you have an Advanced subscription with tiered admin permissions). +2. Go to the Dropbox developer page: https://www.dropbox.com/developers/apps + +3. Create a new app with these settings: + - Choose an API = Scoped Access + - Choose the type of access you need = Full Dropbox + - Name your app = `Netwrix Cloud Permission Analyzer for ` * + + ![User-added image](./images/ka04u000000HdEw_0EM4u000002DWQU.png) + ![User-added image](./images/ka04u000000HdEw_0EM4u000002DWQP.png) + + **NOTE**: Name of the App should be unique among all the Dropbox Apps. + +4. On the page with the created app do the following: + + 4.1. In the **Permissions** section, choose the following permissions: + - Individual: `files.metadata.read`, `sharing.read`, `files.content.read` + - Team: `team_info.read`, `team_data.member`, `members.read`, `groups.read` + + 4.2. 
In **Settings** section, generate the Access Key: + - set OAuth 2/Access Token Expiration = `No Expiration` + - generate access token in OAuth 2/Generated Access Token/[Generate] + + ![User-added image](./images/ka04u000000HdEw_0EM4u000002DWQj.png) + + 4.3. Check the setting responsible for the usage of the Apps outside the App Center. + - In Dropbox, go to **Admin console > Settings > Application permissions > Other apps** and check the status of **Default permission for apps not listed in App Center** + - If it is in **Block** state, there are 2 ways to make an app work. + - The simple one is to change **Block** state to **Allow**, but it will also allow all the other apps from outside of App Center. + - A more difficult, however more secure way is to add the App to the exception list. To do so: + + 1. In the **App Console**, on the **Settings tab**, copy the `App key`. + + ![User-added image](./images/ka04u000000HdEw_0EM4u000002DrWi.png) + + 2. In the **Admin console > Settings > Application permissions** on the Other apps tab: click **Add exception**, and in the window that appears, insert the `App key` from the previous step. + 3. Select the **Allow** option. + 4. After that, if everything is done right, the App should appear in the exceptions list. + + **NOTE**: By default the new app is created with the "Development" Status. It is recommended to leave the status as is, as changing it to production will yield no additional use for CPA." + **N.B.** It is possible to use Short-Lived tokens with CPA; however, you will not be able to obtain newly generated Tokens automatically. If you choose short-lived tokens, you will have to manually insert a new token every day inside CPA. + +## Cloud Permission Analyzer Configuration + +1. Before binding Cloud Permission Analyzer to Dropbox, configure the collection settings. +2. 
To bind Cloud Permission Analyzer to Dropbox, fill in the following fields in the settings: + - `Dropbox administrator account` = Dropbox Admin email + - `Dropbox Access Token` = Token, generated during step 4.2 of the Dropbox Configuration process + +3. Return to the overview page and wait for the Collection to finish. diff --git a/docs/kb/general/common-deployment-types.md b/docs/kb/general/common-deployment-types.md new file mode 100644 index 0000000000..59dc28e08b --- /dev/null +++ b/docs/kb/general/common-deployment-types.md 
@@ -0,0 +1,39 @@ +--- +description: >- + Describes four common Password Manager deployment types: single server, dual + server (web roles separate), dual server (self-service in DMZ only), and + cluster install. +keywords: + - password manager + - deployment + - single server + - dual server + - DMZ + - cluster + - load balancing + - failover + - web portal +products: + - general +sidebar_label: Common deployment types +tags: [] +title: "Common deployment types" +knowledge_article_id: kA00g000000H9djCAC +--- + +# Common deployment types + +There are four ways in which Password Manager can be deployed. Below is a short summary of common deployment types. + +1. Single Server Installation — All roles (the service and web-portals) located on a single server deployed internally only or both internally and externally with a NAT through the external firewall. This is the most common and easiest deployment type: +[![User-added image](./images/ka04u00000116dB_0EM700000004vJL.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g0000004KSE&feoid=00N700000032Pj2&refid=0EM700000004vJL) + +2. Dual server install, Web roles separate from Core server — The Core Password Manager Service is installed on the internal server (that does not have web portals) and the web portals are installed on a separate server within the DMZ. This allows all web roles to be accessed externally. This deployment scenario is described in detail in the Administrator's guide in paragraph 4.4 page 19: +http://www.netwrix.com/download/documents/NetWrix_Password_Manager_Administrator_Guide.pdf +[![User-added image](./images/ka04u00000116dB_0EM700000004vJQ.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g0000004KSE&feoid=00N700000032Pj2&refid=0EM700000004vJQ) + +3. Another type of dual server install is full Password Manager installation on the internal server (both the service and web portals) and the Self-service Web portal only installed on the DMZ server. 
This allows all web roles to be accessed internally and only the Self-service portal to be accessed from outside the network. It is the most secure deployment: +[![User-added image](./images/ka04u00000116dB_0EM700000004vJV.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g0000004KSE&feoid=00N700000032Pj2&refid=0EM700000004vJV) + +4. Cluster Install — Cluster of the Front and/or Back End servers. The Front End server can be clustered in an Active/Active role for Load-Balancing and the Back End server can be clustered in an Active/Passive mode only for Failover. Clustering of only Back-end or only Front-end is allowed. It is also possible to cluster a single-server installation. All this can be done by means of built-in Windows features. +[![User-added image](./images/ka04u00000116dB_0EM700000004vJa.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g0000004KSE&feoid=00N700000032Pj2&refid=0EM700000004vJa) diff --git a/docs/kb/general/common-issues-of-installation-in-dmz.md b/docs/kb/general/common-issues-of-installation-in-dmz.md new file mode 100644 index 0000000000..e36fea57a6 --- /dev/null +++ b/docs/kb/general/common-issues-of-installation-in-dmz.md 
@@ -0,0 +1,69 @@ +--- +description: >- + Lists common issues and solutions when installing Password Manager web-sites + in a DMZ, including portal load errors, Server.CreateObject errors, and + authentication failures. Includes references to related KB articles for each + scenario. +keywords: + - DMZ + - Password Manager + - portals + - Self Service + - Admin + - Helpdesk + - Server.CreateObject + - 401 Unauthorized + - troubleshooting + - KB +products: + - general +sidebar_label: Common issues of installation in DMZ +tags: [] +title: "Common issues of installation in DMZ" +knowledge_article_id: kA00g000000H9dgCAC +--- + +# Common issues of installation in DMZ + +Installation of Password Manager Web-sites in DMZ can cause several issues. **NOTE.** To troubleshoot a DMZ installation all 3 portals must be tested as there are several scenarios. + +### Issue 1: Portals never load — just stay blank in loading state + +[![User-added image](./images/ka04u00000116cw_0EM700000005OPr.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xe0L&feoid=00N700000032Pj2&refid=0EM700000005OPr) + +**Explanation:** Refer to the [KB1315](https://kb.netwrix.com/1315) +--------------- + +### Issue 2: Self Service portal does not load at all, Admin and Helpdesk portals return a Server.CreateObject Failed error + +[![User-added image](./images/ka04u00000116cw_0EM700000005OPh.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xe0L&feoid=00N700000032Pj2&refid=0EM700000005OPh) [![User-added image](./images/ka04u00000116cw_0EM700000005OPm.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xe0L&feoid=00N700000032Pj2&refid=0EM700000005OPm) + +**Explanation:** Refer to the [KB1314](https://kb.netwrix.com/1314). 
+--------------- + +### Issue 3: Self Service portal does not load at all, Admin and Helpdesk portals return a Server.CreateObject Access error + +[![User-added image](./images/ka04u00000116cw_0EM700000005OPh.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xe0L&feoid=00N700000032Pj2&refid=0EM700000005OPh) [![User-added image](./images/ka04u00000116cw_0EM700000005Wbv.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xe0L&feoid=00N700000032Pj2&refid=0EM700000005Wbv) + +**Explanation:** Refer to the [KB1308](https://kb.netwrix.com/1308). +--------------- + +### Issue 4: Self-Service portal works fine, while Admin and Helpdesk return the Server.CreateObject Access error + +[![User-added image](./images/ka04u00000116cw_0EM700000005Wc0.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xe0L&feoid=00N700000032Pj2&refid=0EM700000005Wc0) [![User-added image](./images/ka04u00000116cw_0EM700000005Wbv.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xe0L&feoid=00N700000032Pj2&refid=0EM700000005Wbv) + +**Explanation:** Specific for non-domain front-end server. Refer to the [KB1310](https://kb.netwrix.com/1310). +--------------- + +### Issue 5: Admin and Helpdesk portals work, but Self-service returns an error or does not load at all + +[![User-added image](./images/ka04u00000116cw_0EM700000005OPh.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xe0L&feoid=00N700000032Pj2&refid=0EM700000005OPh) + +**Explanation:** Refer to the [KB1303](https://kb.netwrix.com/1303). 
+--------------- + +### Issue 6: Self-Service portal works fine but you get a 401 - Unauthorized error on Admin and Helpdesk portals + +[![User-added image](./images/ka04u00000116cw_0EM700000005OQL.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000Xe0L&feoid=00N700000032Pj2&refid=0EM700000005OQL) + +**Explanation:** You need to use accounts that the front-end is aware of and which have appropriate rights on the front-end server. Refer to the [KB1368](https://kb.netwrix.com/1368) in case of a non-domain front-end. diff --git a/docs/kb/general/configure_the_audit_log_backup.md b/docs/kb/general/configure_the_audit_log_backup.md new file mode 100644 index 0000000000..c161203636 --- /dev/null +++ b/docs/kb/general/configure_the_audit_log_backup.md 
@@ -0,0 +1,58 @@ +--- +description: >- + This article provides step-by-step instructions on how to configure the Audit Log Backup in the system, including options for manual and scheduled backups. +keywords: + - audit log backup + - manual backup + - scheduled backup +sidebar_label: Configure Audit Log Backup +tags: [] +title: "Configure the Audit Log Backup" +knowledge_article_id: kA0Qk0000002B7DKAU +products: + - general +--- + +# Configure the Audit Log Backup + +## Question + +How can the Audit Log Backup be configured? + +## Answer + +The Audit Log Backup can be configured from the **System Maintenance** > **Audit Log Backup** menu, which includes two main options: **Manual Audit Log Backup** and **Scheduled Audit Log Backup**. + +Use the **Manual Audit Log Backup** option to perform a one-time backup of audit logs. Use the **Scheduled Audit Log Backup** option to create recurring backups at a frequency you choose. Both options allow you to select the type of logs to back up, set retention and packaging preferences, and choose whether to include file shadows. + +### Manual Audit Log Backup + +Use this option to perform a one-time backup of audit logs. + +![Manual Audit Log Backup section in Endpoint Protector](./images/servlet_image_5c836ce7f58d.png) + +### Scheduled Audit Log Backup + +Use this option to create a recurring audit log backup that runs at a frequency you choose (from a few days to several months). This is similar to the manual backup, but it runs automatically at the specified interval. + +![Scheduled Audit Log Backup section in Endpoint Protector](./images/servlet_image_d9422308ff4b.png) + +### Configure the Audit Log Backup + +1. Choose the type of logs you want to back up. + ![Select log types for backup in Endpoint Protector](./images/servlet_image_cfc48ae58743.png) + +2. 
If you intend to delete logs after backup to avoid filling up the server, leave the following option unchecked: + ![Option to keep logs after backup in Endpoint Protector](./images/servlet_image_43592b74bddb.png) + +3. Select which old logs to back up. All logs older than the specified number of days or months will be removed from the server and saved as backups. + ![Select old logs to backup in Endpoint Protector](./images/servlet_image_6d5dba18caac.png) + +4. Select the number of logs in one package; the default is 1 million. + +5. Select the backup file format. + +6. Choose whether to delete and back up Shadows as well. Including Shadows is recommended, as file shadows can occupy more space than logs and may be the main cause of increased server disk space usage. + +7. Once the Audit Log Backup has completed, the archived logs will appear at the bottom of this menu in the **Backup List**: + ![Backup List section in Endpoint Protector](./images/servlet_image_c59a8c7e74e8.png) \ No newline at end of file diff --git a/docs/kb/general/corrupt-errorevent-in-event-reports.md b/docs/kb/general/corrupt-errorevent-in-event-reports.md new file mode 100644 index 0000000000..409c3f9985 --- /dev/null +++ b/docs/kb/general/corrupt-errorevent-in-event-reports.md 
@@ -0,0 +1,66 @@ +--- +description: >- + If Netwrix Change Tracker events reports contain ErrorEvent entries labeled + "Corrupt", multiple conflicting agent configuration files may be present on + affected devices. This article explains how to identify affected agents and + perform an agent reset to resolve the issue. +keywords: + - Netwrix Change Tracker + - ErrorEvent + - Corrupt + - agent reset + - gen7agent + - rolling-log + - Hubdetails.xml + - Config-*.xml + - AgentID +products: + - general +sidebar_label: Corrupt ErrorEvent in Event Reports +tags: [] +title: "Corrupt ErrorEvent in Event Reports" +knowledge_article_id: kA0Qk0000000ahpKAA +--- + +# Corrupt ErrorEvent in Event Reports + +## Symptoms + +- The events report in Netwrix Change Tracker contains one or more `ErrorEvent` events. Their description states `Corrupt`. +- Agent logs located in `C:\ProgramData\NNT\gen7agent.service\rolling-log.txt` contain the following line: + +```text +[timestamp] ERROR AgentTaskRunner - task execution failed for task %#% - %task_name% [timestamp] +``` + +## Cause + +The agent directory on affected devices contains multiple conflicting `Config-*.xml` files. These files cause conflicts in device agent events. + +## Resolution + +> **NOTE:** You can establish the affected agents via the events report—review the **DeviceName** and **AgentID** column values. + +Perform an agent reset to reconfigure affected agents. Refer to the following steps: + +1. Stop the Netwrix Change Tracker Agent Service. Refer to the following Linux command: + +```bash +# service nntgen7agent stop +``` + +2. Navigate to the agent directory containing the Rolling-Log files. Refer to the following default path: + +```text +C:\ProgramData\NNT\gen7agent.service\ +``` + +3. Right-click the `Hubdetails.xml` file and select **Edit**. + +4. Replace the `` tag pair with the `` tag pair. Replace the contents with the current agent account password, as defined on your Netwrix Change Tracker Hub Server. 
Save the changes. + +5. Start the Agent Service. Refer to the following Linux command: + +```bash +# service nntgen7agent start +``` diff --git a/docs/kb/general/custom-branding-in-a-two-server-install-configuration.md b/docs/kb/general/custom-branding-in-a-two-server-install-configuration.md new file mode 100644 index 0000000000..e53b4fbf51 --- /dev/null +++ b/docs/kb/general/custom-branding-in-a-two-server-install-configuration.md @@ -0,0 +1,33 @@ +--- +description: >- + When you add a custom logo in the Branding tab of the Netwrix Password Reset + admin portal and the Admin and Self-Service portals are on different web + servers, the Self-Service portal may not display the new logo. Copy the logo + file to the Self-Service server Web_SSImages folder to resolve the issue. +keywords: + - custom branding + - logo + - Self-Service portal + - Admin portal + - Netwrix Password Reset + - Web_SSImages + - logo.gif + - two server install +products: + - general +sidebar_label: Custom Branding in a two server install configurat +tags: [] +title: "Custom Branding in a two server install configuration" +knowledge_article_id: kA00g000000H9aRCAS +--- + +# Custom Branding in a two server install configuration + +When you add a custom logo on the **Branding** tab in the Netwrix Password Reset admin portal, the Self-Service portal does not show this logo. + +When the Self-Service portal and the Admin portal are on two different web servers, the image does not exist in the Self-Service portal's web folder. + +### Resolution + +1. On the computer that hosts the Self-Service portal, navigate to ` %install drive%Program Files(x86)Netwrix Password ManagerWeb_SSImages ` and copy the logo into this folder to replace the existing `logo.gif`. +2. Refresh the Self-Service portal. After refreshing the Self-Service portal, the new logo should show up. 
diff --git a/docs/kb/general/desktop-client-error-messages.md b/docs/kb/general/desktop-client-error-messages.md new file mode 100644 index 0000000000..a8b63b041e --- /dev/null +++ b/docs/kb/general/desktop-client-error-messages.md @@ -0,0 +1,42 @@ +--- +description: >- + Describes how to suppress Password Manager client error messages when the + client cannot reach the server at startup by setting a registry value or + deploying a Group Policy template. +keywords: + - Password Manager + - Desktop Client + - suppress errors + - PRM_SuppressEnrollmentErrors + - registry + - netwrixprm.adm + - Group Policy +products: + - general +sidebar_label: Desktop Client Error Messages +tags: [] +title: "Desktop Client Error Messages" +knowledge_article_id: kA00g000000H9aTCAS +--- + +# Desktop Client Error Messages + +Error messages showing up for the Password Manager client that you would like to suppress. + +--- + +Password Manager client starts on machine startup and tries to connect to the Password Manager server. +If for some reasons it can not connect, an error is shown. + +It is expected if a machine is off the network and the server cannot be reached. For such situations there is an option to suppress error messages. + +--- + +If you are getting error messages on your Desktop Clients for Password Manager and need to suppress the error messages, do the following: + +1. Open Registry on the Desktop Client +2. Go to `HKLMSoftware[Wow6432Node]PoliciesNetwrixPasswordManager` +3. Create a DWORD value titled `PRM_SuppressEnrollmentErrors` and set the value to `1` + +This value can be distributed across multiple machines by means of `netwrixprm.adm` template for Group policy, located in the Password Manager installation directory. +The policy is called **Suppress Enrollment Errors** diff --git a/docs/kb/general/directory-name-is-invalid-error.md b/docs/kb/general/directory-name-is-invalid-error.md new file mode 100644 index 0000000000..25e8dd77f9 --- /dev/null 
+++ b/docs/kb/general/directory-name-is-invalid-error.md @@ -0,0 +1,46 @@ +--- +description: >- + Netwrix Data Classification reports "The directory name is invalid" when a + configured file share is unavailable or inaccessible. This article explains + the symptom, likely causes, and recommended resolutions. +keywords: + - Directory name is invalid + - file share + - network share + - Netwrix Data Classification + - Error refreshing source + - '%share_path%' + - FileSystemConfigManager.Refresh + - conceptCollector +products: + - general +sidebar_label: Directory Name Is Invalid Error +tags: [] +title: "Directory Name Is Invalid Error" +knowledge_article_id: kA0Qk0000000bIvKAI +--- + +# Directory Name Is Invalid Error + +## Symptom + +Netwrix Data Classification prompts the following error: + +```text +Component: conceptCollector +Level: Error +FileSystemConfigManager.Refresh() +Error refreshing source %share_path%: The directory name %share_path% is invalid. +``` + +## Cause + +A file share is unavailable. + +- The affected share does not exist or was removed. The source is still added in Netwrix Data Classification. +- The Netwrix Data Classification service account does not have permissions to access the source. + +## Resolutions + +- Review the path and verify the share is still available. If the affected share is not available, delete the source to stop the error. +- Review the path and verify the Netwrix Data Classification service account has Full Control permissions to access the shared folder. diff --git a/docs/kb/general/disconnected-mode-password-reset.md b/docs/kb/general/disconnected-mode-password-reset.md new file mode 100644 index 0000000000..7f410f8350 --- /dev/null +++ b/docs/kb/general/disconnected-mode-password-reset.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Explains how disconnected-mode password reset works for the Logon Prompt + Extension and how to configure registry keys to enforce or prohibit local + cached password resets. +keywords: + - disconnected-mode + - password reset + - cached password + - GINA + - Logon Prompt Extension + - PRM_SuppressLaterEnrollment + - PRM_ResetCredentialsCache + - Group Policy +products: + - general +sidebar_label: Disconnected-mode password reset +tags: [] +title: "Disconnected-mode password reset" +knowledge_article_id: kA00g000000H9dxCAC +--- + +# Disconnected-mode password reset + +## Overview +The disconnected-mode reset enables the GINA extension on the Windows logon screen to reset a user's cached password, even when the machine is not connected to the domain. + +Netwrix Password Manager is able to reset a password in a local cache if both of the following are true: + +## Requirements +1. The Password manager Logon Prompt Extension is installed +2. The user is enrolled through the local enrollment wizard, which is a part of the Logon Prompt Extension + +## Behavior +If the Password Manager server cannot be reached, the Password Manager client can reset the password locally (in the cache). That password applies only to the current machine and becomes invalid as soon as the machine reconnects to the domain. + +## Registry settings +To ensure all users enroll through the enrollment wizard, enable forced enrollment by creating the key `PRM_SuppressLaterEnrollment` with the value `1` in `HKLMSoftwareWow6432NodePoliciesNetWrixPassword Manager` (Wow6432Node only for x64 OS). + +If you want to prohibit the reset of the password in the local cache, create the DWORD `PRM_ResetCredentialsCache` with the value `0` in `HKLMSoftwareWow6432NodePoliciesNetWrixPassword Manager` (Wow6432Node only for x64 OS). + +All the above keys can be applied to all machines via Group Policy, using the template provided with Netwrix Password Manager. 
+ +## Reference +Refer to paragraph 3.3 procedure 4 of the Administrators guide for detailed information on applying the template: + +https://www.netwrix.com/download/documents/NetWrix_Password_Manager_Administrator_Guide.pdf diff --git a/docs/kb/general/disk_space_occupied_by_core._files_in_gen_7_agent_servers.md b/docs/kb/general/disk_space_occupied_by_core._files_in_gen_7_agent_servers.md new file mode 100644 index 0000000000..a28450ff61 --- /dev/null +++ b/docs/kb/general/disk_space_occupied_by_core._files_in_gen_7_agent_servers.md @@ -0,0 +1,28 @@ +--- +description: >- + This article explains the purpose of `core.*` files in Gen 7 Agent servers and whether they can be safely deleted to free up disk space. +keywords: + - core files + - Gen 7 Agent + - disk space +sidebar_label: Disk Space and Core Files +tags: [] +title: "Disk Space Occupied by Core.* Files in Gen 7 Agent Servers" +knowledge_article_id: kA0Qk0000000NuHKAU +products: + - general +--- + +# Disk Space Occupied by Core.* Files in Gen 7 Agent Servers + +## Questions + +The `opt/nnt/gen7agent/bin/` directory in Gen 7 Agent servers contains multiple `core.*` files. + +1. What are these files? +2. Is it safe to delete these files? + +## Answers + +1. The `core.*` files located in the `opt/nnt/gen7agent/bin/` directory are core dumps. These core dumps are generated upon a process crash or a fatal error—they contain a snapshot of the process memory at the time of the crash or error. +2. These core files can be safely deleted to free up disk space. \ No newline at end of file diff --git a/docs/kb/general/dmz-installation-portals-never-load.md b/docs/kb/general/dmz-installation-portals-never-load.md new file mode 100644 index 0000000000..dc08bc3533 --- /dev/null +++ b/docs/kb/general/dmz-installation-portals-never-load.md 
@@ -0,0 +1,41 @@ +--- +description: >- + Troubleshoot Password Manager portals in a DMZ that keep loading by verifying + frontend/backend connectivity, firewall rules, and antivirus settings. +keywords: + - DMZ + - portals + - Password Manager + - firewall + - antivirus + - connectivity + - ping + - KB2145 + - frontend + - backend +products: + - general +sidebar_label: 'DMZ installation: Portals never load' +tags: [] +title: 'DMZ installation: Portals never load' +knowledge_article_id: kA00g000000H9afCAC +--- + +# DMZ installation: Portals never load + +I installed Password Manager portals on a server in a DMZ and configured as per Administrator's guide, but I cannot get to any portal. +All 3 of them keep loading and do not show anything. + +![User-added](images/servlet_image_6d5dba18caac.png) + +--- + +Such behavior occurs when the frontend server cannot communicate to the backend because of the firewall or antivirus software blocking connection. + +--- + +## Troubleshooting steps + +1. Make sure that the frontend can `ping` the backend and vice versa. +2. Make sure that all required firewall rules are in place. Refer to the KB2145: https://kb.netwrix.com/2145 +3. If the above does not help, try temporarily disabling all firewalls and antivirus software to confirm whether they are blocking the connection. diff --git a/docs/kb/general/dmz-installation-self-service-portal-does-not-load-while-admin-and-helpdesk-portals-work-fine.md b/docs/kb/general/dmz-installation-self-service-portal-does-not-load-while-admin-and-helpdesk-portals-work-fine.md new file mode 100644 index 0000000000..3a30948595 --- /dev/null +++ b/docs/kb/general/dmz-installation-self-service-portal-does-not-load-while-admin-and-helpdesk-portals-work-fine.md 
@@ -0,0 +1,58 @@ +--- +description: >- + The Self-Service portal can return an error or fail to load when anonymous + authentication uses an IIS account that lacks COM permissions on the back-end + server. This article shows which COM settings to verify to resolve the issue. +keywords: + - Self-Service portal + - DMZ installation + - IIS + - Connect as + - COM Security + - Remote activation + - Netwrix Password Manager + - Admin portal + - Helpdesk portal + - permissions +products: + - general +sidebar_label: 'DMZ installation: Self-Service portal does not load while Admin and Helpdesk portals work fine' +tags: [] +title: >- + DMZ installation: Self-Service portal does not load while Admin and Helpdesk + portals work fine +knowledge_article_id: kA00g000000H9acCAC +--- + +# DMZ installation: Self-Service portal does not load while Admin and Helpdesk portals work fine + +## Symptoms +The Self-service portal returns an error or does not load at all. + +![User-added image](./images/ka04u00000116Nr_0EM700000005OPh.png) + +However Admin and Helpdesk portals work. + +![User-added image](./images/ka04u00000116Nr_0EM700000005ORT.png) + +--- + +## Cause +When you log in to the **Admin** or **Helpdesk** portal, the portal prompts for credentials and then uses those credentials to communicate with the back-end once authentication is complete. The Self-Service portal uses anonymous authentication and, as a result, uses the account specified in IIS at **Connect as**: + +![User-added image](./images/ka04u00000116Nr_0EM700000005ORY.png) + +The issue occurs when the account specified for anonymous authentication in **Connect as** does not have the required permissions on the back-end server. + +--- + +## Resolution +Make sure that COM settings on the back-end server are correct: + +1. Ensure **COM Security** properties for the **My Computer** node allow `Remote activation`. + + ![User-added image](./images/ka04u00000116Nr_0EM700000005ORn.png) + +2. 
Ensure properties of the Netwrix Password Manager COM object allow `Remote activation`. + + ![User-added image](./images/ka04u00000116Nr_0EM700000005ORx.png) diff --git a/docs/kb/general/does-the-password-manager-always-use-your-current-windows-user-to-authenticate.md b/docs/kb/general/does-the-password-manager-always-use-your-current-windows-user-to-authenticate.md new file mode 100644 index 0000000000..9435e3ed21 --- /dev/null +++ b/docs/kb/general/does-the-password-manager-always-use-your-current-windows-user-to-authenticate.md 
@@ -0,0 +1,40 @@ +--- +description: >- + Netwrix Password Manager uses Integrated Windows authentication by default. + This article shows two options to force prompting for credentials by changing + zone settings or disabling automatic authentication for the Local Intranet + zone. +keywords: + - Netwrix Password Manager + - Integrated Windows authentication + - Local Intranet + - Internet zone + - Helpdesk portal + - credentials + - automatic logon + - Internet Options +products: + - general +sidebar_label: 'Does the Password Manager always use your current Windows user to authenticate?' +tags: [] +title: >- + Does the Password Manager always use your current Windows user to + authenticate? +knowledge_article_id: kA00g000000H9dwCAC +--- + +# Does the Password Manager always use your current Windows user to authenticate? + +Netwrix Password Manager uses Integrated Windows authentication. By default for Local Intranet zone there is a setting to logon automatically using current credentials. + +There are two options to force prompting for credentials: + +1. Move Helpdesk portal to the Internet zone. + To do it, go to **Control panel - Internet options - Security** tab. Select Local Internet zone, click **Sites** and remove the Helpdesk portal URL. Click **Ok** and then disable Automatic detection of local intrnate sites. + + [![User-added image](./images/ka04u00000116d7_0EM700000004yI6.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAb4&feoid=00N700000032Pj2&refid=0EM700000004yI6) + +2. Disable automatic authentication for Local intrantet zone + To do it, go to **Control panel - Internet options - Security** tab. Select Local Intranet zone, click Custom level, in subwindows scroll to the very bottom and under **User Authentication - Logon** select **Prompt for user name and password**. 
+ + [![User-added image](./images/ka04u00000116d7_0EM700000004yHw.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAb4&feoid=00N700000032Pj2&refid=0EM700000004yHw) diff --git a/docs/kb/general/enable_encryption_option_missing_from_the_siem_integration_configuration.md b/docs/kb/general/enable_encryption_option_missing_from_the_siem_integration_configuration.md new file mode 100644 index 0000000000..422d1d5b1b --- /dev/null +++ b/docs/kb/general/enable_encryption_option_missing_from_the_siem_integration_configuration.md @@ -0,0 +1,27 @@ +--- +description: >- + This article explains why the Enable Encryption option may be missing from the SIEM Integration configuration and how to resolve the issue. +keywords: + - SIEM Integration + - Enable Encryption + - Ubuntu +sidebar_label: Enable Encryption Option Missing +tags: [] +title: "Enable Encryption Option Missing from the SIEM Integration Configuration" +knowledge_article_id: kA0Qk0000002B10KAE +products: + - general +--- + +# Enable Encryption Option Missing from the SIEM Integration Configuration + +## Overview + +This article explains why the **Enable Encryption** option may be missing from the SIEM Integration configuration. This option allows you to encrypt communication with SIEM servers using the TCP protocol. To enable encryption, you must upload the root CA (in `.pem` format) that was used to sign the SIEM server certificate. + +## Instructions + +If the **Enable Encryption** option is missing, determine your appliance's operating system version: + +- **Ubuntu 14.04 or older:** The appliance does not support SIEM encryption. You must install an appliance with a newer OS version. +- **Ubuntu 18.04 or 22.04:** The **syslog-ng** service may not be installed. Contact [Netwrix Technical Support](https://www.netwrix.com/support.html) to verify and install the required service on the server. \ No newline at end of file 
diff --git a/docs/kb/general/enrollment-failed-cannot-save-secret.md b/docs/kb/general/enrollment-failed-cannot-save-secret.md new file mode 100644 index 0000000000..03c04c41e4 --- /dev/null +++ b/docs/kb/general/enrollment-failed-cannot-save-secret.md @@ -0,0 +1,39 @@ +--- +description: >- + When you enroll a user, this error occurs if the Netwrix Password Secure + service account lacks write access to the installation directory. Grant + Modify/Write permissions or verify administrative membership to resolve the + issue. +keywords: + - Enrollment failed + - cannot save secret + - secrets.bin + - permissions + - service account + - Netwrix Password Secure + - installation directory + - Modify + - Write +products: + - general +sidebar_label: 'Enrollment failed: cannot save secret' +tags: [] +title: 'Enrollment failed: cannot save secret' +knowledge_article_id: kA00g000000H9bXCAS +--- + +# Enrollment failed: cannot save secret + +When enrolling a user, the following error occurs: + +`Enrollment failed: cannot save secret` + +## Cause + +Netwrix Password Secure is trying to create a `secrets.bin` file in the Netwrix Password Secure installation directory. The account used for the Netwrix Password Secure service does not have proper write access to the Netwrix Password Secure installation directory. + +## Resolution + +1. Provide the Netwrix Password Secure service account rights with `Modify` and/or `Write` to the Netwrix Password Secure installation directory. +2. Verify that the account is a domain admin and a local administrator on the Netwrix server where Netwrix Password Secure is installed. +3. Verify the Administrators group on the Netwrix server has `Modify`/`Write` access to the Netwrix Password Secure installation directory. diff --git a/docs/kb/general/enrollment-wizard-prompts-for-credentials.md b/docs/kb/general/enrollment-wizard-prompts-for-credentials.md new file mode 100644 index 0000000000..b6e9d4cd87 --- /dev/null 
+++ b/docs/kb/general/enrollment-wizard-prompts-for-credentials.md @@ -0,0 +1,25 @@ +--- +description: >- + When you install the Netwrix Password Manager client, the Enrollment wizard + prompts you to register and then to enter credentials to connect to + `gina_set_answers_anonymous.asp`. +keywords: + - Enrollment wizard + - credentials + - gina_set_answers_anonymous.asp + - Netwrix Password Manager + - registration + - username + - password + - client installation +products: + - general +sidebar_label: Enrollment wizard prompts for credentials +tags: [] +title: "Enrollment wizard prompts for credentials" +knowledge_article_id: kA00g000000PbdQCAS +--- + +# Enrollment wizard prompts for credentials + +When you install the Netwrix Password Manager client on your computer, you are prompted to register. After registration, you are prompted to enter a username and password to connect to `gina_set_answers_anonymous.asp`. diff --git a/docs/kb/general/error-401-in-the-enrollment-wizard.md b/docs/kb/general/error-401-in-the-enrollment-wizard.md new file mode 100644 index 0000000000..84441aba54 --- /dev/null +++ b/docs/kb/general/error-401-in-the-enrollment-wizard.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Resolve Error 401 (Not authorized) that appears when starting the Enrollment + wizard by adding the Password Manager Self-service portal URL to the Local + Intranet Zone or by configuring automatic logon settings. +keywords: + - Error 401 + - Enrollment wizard + - Password Manager + - Local Intranet Zone + - Internet Options + - Automatic logon + - Group Policy + - self-service portal +products: + - general +sidebar_label: Error 401 in the Enrollment wizard +tags: [] +title: "Error 401 in the Enrollment wizard" +knowledge_article_id: kA00g000000H9UUCA0 +--- + +# Error 401 in the Enrollment wizard + +You see the Error 401 (Not authorized) message when starting the Enrollment wizard. + +## Resolution + +To resolve the issue, add the Password Manager Self-service portal URL to the **Local Intranet Zone**. + +1. Launch **Internet Options** from **Control Panel** +2. Go to the **Security** tab +3. Select **Local intranet**, click **Sites** +4. Click **Advanced** +5. Type the URL and click **Add** +6. Click **Close**, then **Ok**, and again **Ok** + +![User-added image](./images/ka04u00000116cL_0EM700000004yGK.png) + +## Workaround: Force the browser to send credentials to the Internet zone + +As a workaround, you can force the browser to send credentials to the Internet zone. + +1. Launch **Internet Options** from **Control Panel** +2. Go to the **Security** tab +3. Select **Internet**, click **Custom level** +4. In the **Security Settings** window that opens, scroll to the bottom +5. Select **Automatic logon with current username and password** radio-button under **User authentication - Logon** +6. Click **Ok** then **Ok** again + +![User-added image](./images/ka04u00000116cL_0EM700000004yGP.png) + +These settings can also be applied via Group Policy. 
diff --git a/docs/kb/general/error-401-unauthorized-access-is-denied-due-to-invalid-credentials.md b/docs/kb/general/error-401-unauthorized-access-is-denied-due-to-invalid-credentials.md new file mode 100644 index 0000000000..b9c06af0db --- /dev/null +++ b/docs/kb/general/error-401-unauthorized-access-is-denied-due-to-invalid-credentials.md 
@@ -0,0 +1,68 @@ +--- +description: >- + Error 401 occurs when accessing the Administrative or Help-Desk portals due to + failed authentication in Internet Information Services (IIS). This article + explains causes and steps to verify IIS authentication settings, folder + permissions, and portal roles. +keywords: + - Error 401 + - Unauthorized + - IIS + - Administrative portal + - Help-Desk portal + - Self-Service portal + - authentication + - permissions + - Password Manager +products: + - general +sidebar_label: 'Error 401: Unauthorized: Access is denied due to i' +tags: [] +title: 'Error 401: Unauthorized: Access is denied due to invalid credentials' +knowledge_article_id: kA00g000000H9Y6CAK +--- + +# Error 401: Unauthorized: Access is denied due to invalid credentials + +Error 401 occurs when trying to access Administrative and Help-Desk Portals, while Self-Service Portal works fine. + +![User-added image](./images/ka04u00000116cs_0EM700000004xce.png) + +--- + +This error is returned by Internet Information Services (IIS). It occurs when the authentication to Admin or Helpdesk portal fails. Administrative and Helpdesk portals have similar authentication settings, Self-Service portal has different, that is why the Self-Service portal does not return this error. + +Authentication can fail because authentication settings are misconfigured or the account does not have read permissions to the physical folder on the server. + +--- + +To resolve the issue verify authentication settings and account permisions. + +1. Make sure all authentication types except **Windows authentication** or **Basic authentication** are disabled in Internet Information Services (IIS) Manager, and either **Windows** or **Basic** authentication is enabled. + + To ensure the required settings are enabled in IIS6, do the following: + + 1. In **IIS Manager** left pane, navigate to ` - Web Sites - Default Web Site - PM`. + 2. 
Right-click the **helpdesk** (or **admin**) virtual directory under **PM** folder and select **Properties**. + 3. In the **Properties** dialog, open the **Directory Security** tab, and select **Edit** for Authentication and access control. + 4. In the **Authentication Methods** dialog, enable either the **Integrated Windows authentication** box or **Basic authentication** (password is sent in clear text), and clear all other authentication options for Authentication access. + + ![User-added image](./images/ka04u00000116cs_0EM700000004xcF.png) + + To ensure the required settings are enabled in IIS7, do the following: + + 1. In **IIS Manager** left pane, navigate to ` - Web Sites - Default Web Site - PM - helpdesk` (or **admin**) + 2. In the Manager central pane, double-click the **Authentication** option under IIS block + 3. In the **Authentication** list, enable either **Windows Authentication** option or **Basic Authentication**, and disable all other authentication options. + + ![User-added image](./images/ka04u00000116cs_0EM700000004xcK.png) ![User-added image](./images/ka04u00000116cs_0EM700000004xcP.png) + +2. The account whose credentials are specified to access the portal has Read permisison to the Password Manager instalaltion directory. + + ![User-added image](./images/ka04u00000116cs_0EM700000004xcj.png) + +3. The account is granted the appropriate role: Administrators role to access Administrative portal and Help Desk Operators role to access Help Desk portal. + + ![User-added image](./images/ka04u00000116cs_0EM700000004xco.png) + +
diff --git a/docs/kb/general/error-updating-sql-schema-in-collector-service.md b/docs/kb/general/error-updating-sql-schema-in-collector-service.md new file mode 100644 index 0000000000..535d78e290 --- /dev/null +++ b/docs/kb/general/error-updating-sql-schema-in-collector-service.md 
@@ -0,0 +1,72 @@ +--- +description: >- + When Netwrix Data Classification (NDC) shows "Invalid Config Detected" and the + Collector Service reports "Error updating SQL schema", follow these steps to + verify the service account, SQL permissions, and database connectivity to + resolve the issue. +keywords: + - Netwrix Data Classification + - NDC + - Collector Service + - SQL schema + - db_owner + - service account + - Internal Server Error + - SQL Server + - Repair +products: + - general +sidebar_label: Error Updating SQL Schema in Collector Service +tags: [] +title: "Error Updating SQL Schema in Collector Service" +knowledge_article_id: kA0Qk0000000bKXKAY +--- + +# Error Updating SQL Schema in Collector Service + +## Symptoms + +- When you attempt to run Netwrix Data Classification (NDC), your browser prompts the following error: + +``` +Internal Server Error (500) — Invalid Config Detected +``` + +- The Collector Service in Service Viewer prompts the following error message: + +``` +Invalid configuration: Error updating SQL schema +``` + +## Causes + +1. NDC services use a local system or service account to run instead of a dedicated Netwrix service account. +2. The service account to connect to the dedicated SQL database does not have the `db_owner` role. +3. After a recent migration, your NDC instance cannot connect to the dedicated NDC SQL database. + +> NOTE: Refer to the following article to learn more about requirements for the NDC service account: /docs/data-classification/5.7/ndc/requirements (Requirements to Install Netwrix Data Classification − Accounts and Required Permissions · v5.7). + +## Resolutions + +1. Verify the account used to run NDC services is a Windows domain account. + + 1. In your NDC server, run **Services**. + 2. Locate the three NDC services in the list, NDC Classifier, NDC Collector, and NDC Indexer. Review the **Log On As** column for the services—verify a Windows domain account runs all services instead of local system or service. 
+ 3. If required, change the **Log On As** account—right-click the affected account and select **Properties**. + 4. In the **Log On** tab, specify the domain account you'd like to use. Once you specify it, click **Apply** to save changes. + 5. Restart the services and start NDC to verify the fix. + +2. Verify the service account has the `db_owner` role for the NDC database. Refer to the following steps: + + 1. In your SQL server, run **SQL Server Management Studio** and connect to your SQL Server instance. + 2. In the left pane, proceed to **Security** > **Logins** > **target_account**. Right-click the account and select **Properties**. + 3. In the left pane, select **User Mapping**. Locate the NDC database, highlight it, and verify the `db_owner` role is assigned. If not, assign the role. Save the changes. + +3. Verify the NDC database still exists in your SQL server. If none exists, you can create a new database to use instead. Refer to the following article for additional information on NDC database configuration: /docs/data-classification/5.7/ndc/requirements (Install Netwrix Data Classification − Configure NDC SQL Database · v5.7). + +> NOTE: To alter the server name in case of a recent SQL Server migration, run the NDC installer to select the **Repair** option. You can specify the new SQL Server instance there. + +## Related Articles + +- /docs/data-classification/5.7/ndc/requirements (Requirements to Install Netwrix Data Classification − Accounts and Required Permissions · v5.7) +- /docs/data-classification/5.7/ndc/requirements (Install Netwrix Data Classification − Configure NDC SQL Database · v5.7) diff --git a/docs/kb/general/error_c38_-_unable_to_connect_to_sharepoint_online.md b/docs/kb/general/error_c38_-_unable_to_connect_to_sharepoint_online.md new file mode 100644 index 0000000000..799532ccf5 --- /dev/null +++ b/docs/kb/general/error_c38_-_unable_to_connect_to_sharepoint_online.md 
@@ -0,0 +1,51 @@ +--- +description: >- + This article provides troubleshooting steps for resolving the "Error C:38 - Unable to Connect to SharePoint Online" issue encountered during SharePoint Job Group execution. +keywords: + - SharePoint Online + - Error C:38 + - PowerShell script +products: + - general +sidebar_label: "Error C:38 - Unable to Connect to SharePoint Online" +tags: [] +title: "Error C:38 - Unable to Connect to SharePoint Online" +knowledge_article_id: kA0Qk0000001hKfKAI +--- + +# Error C:38 - Unable to Connect to SharePoint Online + +## Symptoms + +When running the SharePoint Job Group and attempting a connection to SharePoint Online, the following issues appear: + +- There is a failure in the connection attempt. +- The system generates the following error message: + +``` +Error C:38 - Unable to Connect to SharePoint Online +``` + +## Cause + +The PowerShell (PS) script used in the `SP_RegisterAzureAppAuth` Job was not configured to use the password associated with the temporary connection profile. + +## Resolution + +To resolve this error, follow these steps: + +1. Replace the app password value within the PS script with the password associated with the Azure AD connection profile. + + ![PowerShell script showing app password replacement](./images/servlet_image_a57eed7fed62.png) + +2. After updating these lines within the PS script and the connection profile, run the `SP_RegisterAzureAppAuth` Job. This job generates a new connection profile and automatically opens a browser to confirm permissions. + + > **NOTE:** For more information about the `SP_RegisterAzureAppAuth` Job, refer to the following article: SP_RegisterAzureAppAuth Job. + +3. Once the new profile is created, add the **newly generated .pfx file** into the generated file path along with the password for the connection profile into the SharePoint connection profile. + +4. Apply the **newly generated connection profile** to the SPAA system scans job. 
This should successfully connect you to the SharePoint site. + +## Related Article + +- SP_RegisterAzureAppAuth Job \ No newline at end of file diff --git "a/docs/kb/general/error_\342\200\234collect_'exchange_mailbox'_information_warning_on_server.....md" "b/docs/kb/general/error_\342\200\234collect_'exchange_mailbox'_information_warning_on_server.....md" new file mode 100644 index 0000000000..142b634723 --- /dev/null +++ "b/docs/kb/general/error_\342\200\234collect_'exchange_mailbox'_information_warning_on_server.....md" 
@@ -0,0 +1,37 @@ +--- +description: >- + This article addresses the warning message related to collecting 'Exchange_Mailbox' information on the server and provides steps to resolve the issue. +keywords: + - Exchange_Mailbox + - Microsoft Exchange + - Information Store service +sidebar_label: Exchange Mailbox Warning Resolution +tags: [] +title: "Error: “Collect 'Exchange_Mailbox' Information Warning on Server”" +knowledge_article_id: kA00g000000H9SMCA0 +products: + - general +--- + +# Error: “Collect 'Exchange_Mailbox' Information Warning on Server” + +## Symptom + +The following error appears: + +*“Collect 'Exchange_Mailbox' information warning on server: %owa server name%. The action could not be completed because the Microsoft Exchange Information Store service is unavailable. Be sure the service is running and you have network connectivity to the Microsoft Exchange Server computer. ..... List of failed procedures Microsoft Exchange Management Last command: SELECT * FROM Exchange_Mailbox %Date%: Collect 'Exchange_PublicFolder' information warning on server: %owa server name% The HTTP service used by Public Folders is not available, possible causes are that Public stores are not mounted and the Information Store service is not running.”* + +## Cause + +This warning typically occurs when the Microsoft Exchange Information Store service is not running on the target OWA Server. + +## Resolution + +To resolve this issue, follow these steps: + +1. Ensure that the Microsoft Exchange Information Store service is running on the target OWA Server. +2. If the issue persists, exclude the required OWA Server from data collection by modifying the file called **omitserverlist_ecr.txt**. +3. The configuration file is stored in the **%Product installation folder%\Active Directory Auditing**. +4. Add one OWA Server name per line, for example: + - OWA-SERVER01 + - OWA-SERVER02 \ No newline at end of file 
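Review bot: The new file name for the Exchange_Mailbox article contains a left curly quote (the `\342\200\234` bytes), apostrophes and a run of dots before `.md`, which is why git has to quote the whole path; rename it to a plain ASCII slug in the style of the neighbouring files (for example `failed-to-grant-log-on-as-a-service-right.md`). In the Resolution, items 3 and 4 are not separate actions but details of step 2 (where `omitserverlist_ecr.txt` lives and what goes in it), so fold them into step 2. The sample entries `OWA-SERVER01` and `OWA-SERVER02` would be clearer as a fenced block than as bullets, since the file takes one server name per line.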
diff --git a/docs/kb/general/failed-to-grant-log-on-as-a-service-right.md b/docs/kb/general/failed-to-grant-log-on-as-a-service-right.md new file mode 100644 index 0000000000..476cca3771 --- /dev/null +++ b/docs/kb/general/failed-to-grant-log-on-as-a-service-right.md @@ -0,0 +1,48 @@ +--- +description: >- + Explains how to grant the "Log on as a service" right to the service account + when installation reports the error during product installation. +keywords: + - log on as a service + - service account + - secpol.msc + - local security policy + - Password Manager + - service rights + - Windows +products: + - general +sidebar_label: Failed to grant "Log on as a service" right +tags: [] +title: Failed to grant \"Log on as a service\" right +knowledge_article_id: kA00g000000H9ZuCAK +--- + +# Failed to grant "Log on as a service" right + +During product installation you are asked to specify credentials to run the software. + +But you receive the "Failed to grant the "Log on as a service" right to the service account" error. + +![User-added image](./images/ka04u00000116cm_0EM700000005joE.png) + +--- + +Password Manager is based on a service. + +The service should run under an account with appropriate rights to perform required operations. + +However the service account also should be allowed to run services. The right is called "Log on as a service" and can be granted via Local security policy. + +--- + +## Resolution + +To grant the "Log on as a service" rights please: + +1. Run `secpol.msc` +2. In the left pane navigate to **Security Settings - Local policies - User rights assignment** +3. Double-click the **Log on as a service** entry in the right pane and add the account you want the service to run under +4. Click **OK** to apply + +![User-added image](./images/ka04u00000116cm_0EM700000005jox.png) 
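Review bot: In failed-to-grant-log-on-as-a-service-right.md the front matter line `title: Failed to grant \"Log on as a service\" right` is an unquoted YAML scalar, where backslash escapes are not processed, so the backslashes will appear literally in the rendered title. Either drop the backslashes, as the `sidebar_label` line just above already does, or wrap the whole value in single quotes. In the body, "To grant the "Log on as a service" rights please:" should be singular ("right") to match the heading and step 3, and the two "User-added image" alt texts say nothing about what the screenshots show.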
diff --git a/docs/kb/general/faq-netwrix-password-manager-discontinued.md b/docs/kb/general/faq-netwrix-password-manager-discontinued.md new file mode 100644 index 0000000000..0a48d5b4ef --- /dev/null +++ b/docs/kb/general/faq-netwrix-password-manager-discontinued.md 
@@ -0,0 +1,50 @@ +--- +description: >- + This article explains the discontinuation schedule and support details for + Netwrix Password Manager, recommends an alternative solution, and provides + guidance for deployment assistance and the status of the Freeware edition. +keywords: + - netwrix + - password manager + - discontinued + - end of support + - directory manager + - migration + - freeware + - password management + - support case +products: + - general +sidebar_label: 'FAQ: Netwrix Password Manager Discontinued' +tags: [] +title: 'FAQ: Netwrix Password Manager Discontinued' +knowledge_article_id: kA04u00000111LqCAI +--- + +# FAQ: Netwrix Password Manager Discontinued + +## When will Netwrix Password Manager be discontinued? + +Netwrix Password Manager will be discontinued on October 17th, 2024. Sales and renewals have stopped since October 17th, 2023. + +## What is the level of support Netwrix will provide for Netwrix Password Manager until October 17th, 2024? + +Netwrix will provide technical support to customers using Netwrix Password Manager up to October 17th, 2024. Thereafter, technical support for Netwrix Password Manager will end. + +## What will happen after October 17th, 2024? + +After October 17th, 2024, Netwrix Password Manager will not receive any future quality or security updates. + +## What is the recommended solution for Netwrix Password Manager users? + +It is recommended to switch to Netwrix Directory Manager Password Management, an alternative solution that enhances your password management experience and ensures a smooth transition. Learn more about how Netwrix Directory Manager Password Management compares in [Discover Netwrix GroupID Password Management · Netwrix](https://try.netwrix.com/discover_netwrix_groupid). + +For additional information on available Netwrix password management products, visit [Netwrix Enterprise Password Security Solution · Netwrix](https://www.netwrix.com/enterprise-password-management-solution.html). 
+ +## How can I receive assistance when deploying Netwrix Directory Manager Password Management? + +You can initiate a support case in [My Tickets · Netwrix](https://www.netwrix.com/tickets.html#/tickets/open). Our team will guide you through the deployment process. + +## What about the Freeware Edition? + +Please note that the Freeware version of Netwrix Password Manager is no longer distributed and is now considered outdated and non-functional. diff --git a/docs/kb/general/faq-netwrix-password-manager.md b/docs/kb/general/faq-netwrix-password-manager.md new file mode 100644 index 0000000000..e3f1392c60 --- /dev/null +++ b/docs/kb/general/faq-netwrix-password-manager.md 
@@ -0,0 +1,100 @@ +--- +description: >- + Frequently asked questions about Netwrix Password Manager, covering + encryption, authentication, licensing, upgrades, troubleshooting, and known + issues. +keywords: + - Netwrix Password Manager + - FAQ + - password manager + - SSL + - PRMService + - Helpdesk portal + - Self-Service portal + - licensing + - enrollment +products: + - general +sidebar_label: FAQ Netwrix Password Manager +tags: [] +title: "FAQ Netwrix Password Manager" +knowledge_article_id: kA00g000000H9dkCAC +--- + +# FAQ Netwrix Password Manager + +> **IMPORTANT:** Netwrix Password Manager will be discontinued in October 2024, with no further updates or support available. For additional information, refer to the following article: FAQ: Netwrix Password Manager Discontinued. + +### Q1: Are the verification questions/security answers encrypted? + +A1: The verification questions are public, and they are stored in the plain text format. The secret answers are encrypted with the one-way MD5 hash function. + +### Q2: When logging into the Password Manager Helpdesk Portal, is there a way to input the AD user name without adding the domain name as a prefix? + +A2: Netwrix Password Manager Helpdesk Portal relies on Windows Authentication, which requires the domain name to be entered, not just the user name. + +### Q3: Does the licensing for Password Manager include the Microsoft Windows Logon GINA Extension? + +A3: The license for the Password Manager software includes the Windows Logon GINA extension. + +### Q4: Does Password Manager support 2048 bit encryption on SSL? + +A4: Yes, if your web browser and IIS server support it. The GINA extension uses the Microsoft Internet Explorer engine to communicate with the web server, so the support of 2048-bit encryption on SSL totally depends on the version of IE installed in the system. 
+ +### Q5: After applying a binding to the Password Manager site (or changing from http:// to https://), the shortcuts found in All Programs->Netwrix->Password Manager do not work. + +A5: By design, any changes to the **Admin**, **Helpdesk** and **Self-Service** shortcuts are disabled. Delete the old shortcuts and manually create new ones. + +### Q6: "This portal is temporarily unavailable, please contact your IT Helpdesk" error message comes up when trying to open the Self-Service Portal." + +A6: This message indicates that all options on the **User Options** tab of the **Settings** in the **Administrative Portal** are disabled. To resolve this issue, enable these options as necessary. + +### Q7: A user gets the following error message "Administrator restricted access to users of your domain" during any operation with the Self-Service portal. + +A7: Go to the **Administrative Portal** -> **Roles** and make sure that the **Self-Service Access** is granted to 'Everyone'. + +### Q8: Server CPU is running at 100% caused by the PRMService and web portals are non-operational. + +A8: This is a known issue that was addressed in the latest Netwrix Password Manager version. Contact Netwrix Technical Support to get the latest product version here: [Open a Ticket](https://www.netwrix.com/tickets.html#/open-a-ticket). + +### Q9: How do I upgrade Netwrix Password Manager to a newer version? + +A9: To upgrade Netwrix Password Manager to a newer product version, simply run the installer. It will upgrade all system files automatically. Note that the installer only updates the default files and folders, and ignores files and folders added manually. If you have a non-standard configuration (for example, you have two Self-Service Portals with a separate folder for the second portal which was created manually), you will have to update the files in the non-default folder by copying them manually. + +### Q10: How does Netwrix Password Manager handle expired accounts? 
Will the product reset or extend them? + +A10: The product does not do anything to expired accounts. Netwrix Password Manager will simply display a message that an account has expired. + +### Q11: When I enter the new license, the user counter is reset. Do I lose my previously counted users? + +A11: Netwrix Password Manager license counts active users (per username). When users perform any operation (enroll, reset password, unlock account) via Password Manager, they are counted. Your users were counted during the enroll procedure. When you enter the new license, the counter is reset. The users will be counted again, if they perform any action, so neither the users' nor enroll information is lost. + +### Q12: Can I save reports generated by Netwrix Password Manager locally on my computer? + +A12: Starting from Netwrix Password Manager version 6.2.676, there is an option to save reports in CSV format. To do this, in **Help-Desk portal**, click the **Download report** button next to **Generate Report**. + +### Q13: Is Netwrix Password Manager compliant with the PCI regulation? + +A13: Yes, Netwrix Password Manager is PCI Compliant. + +### Q14: Where can I find the version number? + +A14: The version number can be found in two ways: +1. On the Details tab of the Properties dialog of the `PRMServcie.exe` file located Password Manager installation directory. +2. On the **Updates** tab of **Settings** on the **Administrative portal**. Please note, the Current version field may be empty for older product versions. in this case, use the first method. + +### Q15: Is there a way for Netwrix Password Manager to automatically de-enroll users that no longer exist? When an employee leaves, we disable the account and then delete it. Will we also need to manually delete the profile from Netwrix Password Manager? 
+ +A15: Starting from the version 6.2.774 of Netwrix Password Manager, there is a similar functionality - non-existing users are marked in the Help Desk portal as "Not found". + +### Q16: After the Netwrix Password Manager client is installed, some of our users get a pop up asking to "Insert a Smart Card" when launching Microsoft Lync 2010 and/or Outlook 2010. + +A16: It is a known issue of some versions of Password Manager Self-Service client. Contact Netwrix Technical Support to get the latest product version here: [Open a Ticket](https://www.netwrix.com/tickets.html#/open-a-ticket). + +### Q17: Will changes to web-portal affect enrolled computers? + +A17: Computers do not get enrolled, users do. Data is stored locally on the Password Manager server and is not affected by web-site properties and configurations. You can easily change URL/bindings, or set up redirects, etc. + +### Q18: What about the Freeware Edition? + +A18: Please note that the Freeware version of Netwrix Password Manager is no longer distributed and is now considered outdated and non-functional. diff --git a/docs/kb/general/files_cannot_be_scanned_in_end-to-end_encrypted_applications.md b/docs/kb/general/files_cannot_be_scanned_in_end-to-end_encrypted_applications.md new file mode 100644 index 0000000000..d55b62bc71 --- /dev/null +++ b/docs/kb/general/files_cannot_be_scanned_in_end-to-end_encrypted_applications.md 
@@ -0,0 +1,28 @@ +--- +description: >- + This article explains why files cannot be scanned in end-to-end encrypted applications like WhatsApp Web and Telegram Web, and provides potential workarounds. +keywords: + - end-to-end encryption + - file scanning + - Deep Packet Inspection +sidebar_label: Files Not Scanned in Encrypted Apps +tags: [] +title: "Files Cannot Be Scanned in End-to-End Encrypted Applications" +knowledge_article_id: kA0Qk0000002B6jKAE +products: + - general +--- + +# Files Cannot Be Scanned in End-to-End Encrypted Applications + +## Question + +Why are files not scanned in end-to-end encrypted applications such as WhatsApp Web and Telegram Web? + +## Answer + +This is a known limitation. The client can intercept files uploaded through the web browser to WhatsApp Web and Telegram Web, but these files are encrypted. As a result, only the encrypted file can be scanned, and the original file content cannot be analyzed. + +Files can be scanned or intercepted if Deep Packet Inspection (DPI) is disabled. Another workaround is to block the domains `web.whatsapp.com` and `web.telegram.org`. + +As an alternative, use the desktop versions of these applications, which are not monitored via DPI. In this case, files can be blocked as expected. \ No newline at end of file diff --git a/docs/kb/general/firewall-rules-required-by-password-manager.md b/docs/kb/general/firewall-rules-required-by-password-manager.md new file mode 100644 index 0000000000..bae427bd2e --- /dev/null +++ b/docs/kb/general/firewall-rules-required-by-password-manager.md 
@@ -0,0 +1,76 @@ +--- +description: >- + Lists the firewall rules and required ports for DMZ, Backend, Domain + Controllers, DNS, and Mail servers used by Password Manager. +keywords: + - firewall + - ports + - RPC + - DCOM + - DMZ + - domain controllers + - DNS + - mail server + - Lsass + - Password Manager +products: + - general +sidebar_label: Firewall rules required by Password Manager +tags: [] +title: "Firewall rules required by Password Manager" +knowledge_article_id: kA00g000000H9cMCAS +--- + +# Firewall rules required by Password Manager + +The table below lists all necessary properties for the firewall rules: + +## On DMZ + +| Type | Local Ports | Remote ports | Remote machine | Protocol | Application | Action | +|---------|-------------|--------------|----------------|------------|-------------|--------| +| Inbound | `80,443` | Any | Any | TCP | Any | Allow | +| Inbound | `135` | RPC range* | Backend | TCP | Any | Allow | +| Outbound| `RPC range` | `135-139` | Backend, all DCs | TCP, UDP | Any | Allow | +| Outbound| `RPC range` | `88, 389,464`| All DCs | TCP, UDP | Any | Allow | +| Outbound| `RPC range` | DCOM range | Backend | TCP | Any | Allow | +| Outbound| `RPC range` | `53` | DNS | UDP | Any | Allow | + +## On Backend + +| Type | Local Ports | Remote ports | Remote machine | Protocol | Application | Action | +|---------|--------------|--------------|---------------------------|------------|-----------------|--------| +| Inbound | DCOM range | RPC range | DMZ | TCP | Any | Allow | +| Inbound | `135-139` | RPC range | DMZ | TCP, UDP | Any | Allow | +| Outbound| RPC range | `135-139` | DMZ, all DCs | TCP, UDP | Any | Allow | +| Outbound| RPC range | `88,389,464` | All DCs | TCP, UDP | Any | Allow | +| Outbound| RPC range | `53` | DNS | UDP | Any | Allow | +| Outbound| RPC range | RPC range | All DCs | TCP | `Lsass.exe**` | Allow | +| Outbound| RPC range | `25` | Mail server | TCP | Any | Allow | + +## On DCs + +| Type | Local ports | Remote ports | 
Remote machine | Protocol | Application | Action | +|---------|----------------|--------------|---------------------|------------|------------------|--------| +| Inbound | `88,389,464` | RPC range | DMZ, Backend | TCP, UDP | Any | Allow | +| Inbound | `135-139` | RPC range | Backend | TCP, UDP | Any | Allow | +| Inbound | RPC dynamics | RPC range | Backend | TCP | `Lsass.exe**` | Allow | + +## On DNS server + +| Type | Local ports | Remote ports | Remote machine | Protocol | Application | Action | +|---------|-------------|--------------|----------------|----------|-------------|--------| +| Inbound | `53` | Any | Any | UDP | Any | Allow | + +## On Mail server + +| Type | Local ports | Remote ports | Remote machine | Protocol | Application | Action | +|---------|-------------|--------------|----------------|----------|-------------|--------| +| Inbound | `25` | Any | Any | TCP | Any | Allow | + +* `RPC range` is `1024 – 65535` (Windows NT/XP/2003) or `49152 – 65535` (Windows Vista/2008/7/2k8r2) +RPC dynamic port allocation can be reconfigured. Refer the following Microsoft Knowledge Base article: [http://support.microsoft.com/kb/154596](http://support.microsoft.com/kb/154596) + +** `Lsass.exe is %systemroot%System32lsass.exe` + +Note: All Inbound and Outbound connections on all servers are blocked if they do not match the rules. diff --git a/docs/kb/general/helpdesk-operators-cannot-remove-accounts.md b/docs/kb/general/helpdesk-operators-cannot-remove-accounts.md new file mode 100644 index 0000000000..a5d3227921 --- /dev/null +++ b/docs/kb/general/helpdesk-operators-cannot-remove-accounts.md 
@@ -0,0 +1,44 @@ +--- +description: >- + HelpDesk operators cannot remove accounts by default and receive a + "Permissions denied" error. This article explains why and shows how to enable + the permission by adding a registry DWORD and restarting the service. +keywords: + - HelpDesk operators + - remove accounts + - Permissions denied + - AllowRemoveByHelpdesk + - registry + - regedit + - Netwrix Password Manager + - Services snap-in +products: + - general +sidebar_label: HelpDesk operators cannot remove accounts +tags: [] +title: "HelpDesk operators cannot remove accounts" +knowledge_article_id: kA00g000000H9XzCAK +--- + +# HelpDesk operators cannot remove accounts + +Helpdesk Operators cannot remove accounts from the list — when they attempt to remove an account, they receive an error message — `Permissions denied`. + +![User-added image](./images/ka04u00000116ex_0EM700000005jDw.png) + +--- + +It is by design — by default HelpDesk operators are not allowed to remove accounts. However this permission can be granted. + +--- + +## Resolution + +In order to grant the permission, perform the following steps: + +1. Run **Registry Editor** (Start - Run, `regedit`). +2. Go to `HKLMSoftware[Wow6432Node]NetwrixPassword Manager` (Wow6432Node only for x64 OS). +3. Create DWORD `AllowRemoveByHelpdesk` with value of `1`. +4. Restart the **Netwrix Password Manager** service via **Services snap-in**. + +![User-added image](./images/ka04u00000116ex_0EM700000004xLJ.png) diff --git a/docs/kb/general/how-to-add-attachments-to-netwrix-support-tickets.md b/docs/kb/general/how-to-add-attachments-to-netwrix-support-tickets.md new file mode 100644 index 0000000000..29704684dc --- /dev/null +++ b/docs/kb/general/how-to-add-attachments-to-netwrix-support-tickets.md 
@@ -0,0 +1,47 @@ +--- +description: >- + Learn how to upload files and other artifacts to a Netwrix Support ticket + using the Netwrix Customer Portal. This article shows how to add attachments + after ticket creation and during ticket submission. +keywords: + - Netwrix Support + - Customer Portal + - attachments + - upload files + - support ticket + - add attachments + - Netwrix +products: + - general +sidebar_label: How to Add Attachments to Netwrix Support Tickets +tags: [] +title: "How to Add Attachments to Netwrix Support Tickets" +knowledge_article_id: kA0Qk0000002A1hKAE +--- + +# How to Add Attachments to Netwrix Support Tickets + +## Question + +How can you add attachments (e.g., files) to a Netwrix Support ticket? + +## Answer + +Uploading artifacts to the ticket via the Netwrix Customer Portal is the most secure and recommended way to send files to Netwrix Support. To add attachments such as files to a Netwrix Support ticket, follow the steps below: + +1. Log in to the Netwrix Customer Portal at https://netwrix.com/my_account.html. + ![](./images/ka0Qk000000Cs7t_0EMQk00000BMJLp.png) + +2. Click the **My Tickets** tab. + ![](./images/ka0Qk000000Cs7t_0EMQk00000BMIhX.png) + +3. Locate the ticket for the artifacts and select **Add attachments** from the Actions column on the right. + ![](./images/ka0Qk000000Cs7t_0EMQk00000BMOgT.png) + +> **NOTE:** There is also the option to upload attachments immediately upon submitting a ticket once the **Browse** button is enabled using the below steps: +> +> 1. Click **Browse**, select your file(s), and click **Save**. +> ![](./images/ka0Qk000000Cs7t_0EMQk00000BMlOY.png) +> +> 2. Click **Back to My Tickets** to view your ticket. If needed, this is where you can upload any additional files via the **Add attachments** Action button of the ticket interface. +> ![](./images/ka0Qk000000Cs7t_0EMQk00000BMoHZ.png) 
diff --git a/docs/kb/general/how-to-apply-license-to-password-manager.md b/docs/kb/general/how-to-apply-license-to-password-manager.md new file mode 100644 index 0000000000..55da69b973 --- /dev/null +++ b/docs/kb/general/how-to-apply-license-to-password-manager.md @@ -0,0 +1,39 @@ +--- +description: >- + Shows how to apply or change a license code in Password Manager using the + Admin portal. Steps include navigating to the Admin portal, opening the + License dialog, and entering the new license code. +keywords: + - password manager + - license + - license code + - admin portal + - apply license + - change license + - pmserver + - copy paste +products: + - general +sidebar_label: How to apply license to Password Manager +tags: [] +title: "How to apply license to Password Manager" +knowledge_article_id: kA00g000000PbdMCAS +--- + +# How to apply license to Password Manager + +How to apply license code to Password manager? + +To enter a new license, do the following: + +1. In the browser navigate to the Admin portal of Password Manager (default URL is `http://%pmserver%/pm/admin`) +2. Click the **License** button + +![User-added image](./images/ka04u00000116S3_0EM700000005b8K.png) + +3. If there is a license applied already, click **Change license**. +4. Enter the new code and click **OK**. + +![User-added image](./images/ka04u00000116S3_0EM700000005b7r.png) + +**Note:** When entering the license code it is recommended to use copy/paste to input the license code. Also it is common if copying from an HTML document to also copy an extra space so ensure these are removed upon paste. diff --git a/docs/kb/general/how-to-change-the-text-of-email-notifications.md b/docs/kb/general/how-to-change-the-text-of-email-notifications.md new file mode 100644 index 0000000000..d582d8860d --- /dev/null +++ b/docs/kb/general/how-to-change-the-text-of-email-notifications.md 
@@ -0,0 +1,91 @@ +--- +description: >- + Explains how to customize the text of email notifications by editing the + template .txt files in the Templates subfolder of the Netwrix Password Reset + installation directory. +keywords: + - email templates + - notifications + - Netwrix Password Reset + - templates + - localization + - change_body_template + - enroll_template + - unlock_template +products: + - general +sidebar_label: How to change the text of email notifications +tags: [] +title: "How to change the text of email notifications" +knowledge_article_id: kA00g000000H9TICA0 +--- + +# How to change the text of email notifications + +Is there a way for me to change the text in these emails that come out when a users signs up to Netwrix Password Reset? + +There is a way to change the text of notifications. + +## Where templates are stored + +E-mail templates are stored in the **Templates** subfolder of the Netwrix Password Reset installation directory. There are a lot of text files for different languages there. + +## Some useful tips + +1. We use clear titles for template text files. For example, the file `change_body_template.txt` contains the body text of the email sent as a change password notification. +2. There are 2 files for each type of notification: one for the subject of an email and one for the body. +3. Files with `_adm` in the filename are templates for emails sent to administrators (specified on **Admin portal/Settings/Alerts**), while files without `_adm` are sent to the user(s). +4. Languages are specified as additional postfix (for example `_de`, `_fr`). 
+ +## Available languages + +| File | Language | +|--------|---------------------| +| cn.asp | Chinese | +| de.asp | German | +| en.asp | English | +| es.asp | Spanish | +| fr.asp | French | +| he.asp | Hebrew | +| it.asp | Italian | +| jp.asp | Japanese | +| ko.asp | Korean | +| pt.asp | Portuguese | +| ru.asp | Russian | +| sk.asp | Slovak | +| zh.asp | Traditional Chinese | + +However Netwrix Password Reset uses only files without postfix in the name (for example `action_body_template.txt`, not `action_body_template_ko.txt`) to send notification. Here is the full list of files used: + +- `action_body_template.txt` +- `action_subject_template.txt` +- `change_body_template.txt` +- `change_body_template_adm.txt` +- `change_subject_template.txt` +- `change_subject_template_adm.txt` +- `enroll_body_template.txt` +- `enroll_body_template_adm.txt` +- `enroll_subject_template.txt` +- `enroll_subject_template_adm.txt` +- `reset_body_template.txt` +- `reset_body_template_adm.txt` +- `reset_subject_template.txt` +- `reset_subject_template_adm.txt` +- `unlock_body_template.txt` +- `unlock_body_template_adm.txt` +- `unlock_subject_template.txt` +- `unlock_subject_template_adm.txt` +- `verification_body_template.txt` +- `verification_body_template_adm.txt` +- `verification_subject_template.txt` +- `verification_subject_template_adm.txt` + +## How to change language or edit templates + +- To change the language of a template, rename the respective localized template file to the default name. + + Example: to switch the text of the notification about a password change to German, rename `change_body_template_de.txt` to `change_body_template.txt`. + +- Alternatively, edit the existing default English templates. + +To do this, edit the `.txt` files located in the **Templates** subfolder of the Netwrix Password Reset installation directory. 
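Review bot: In how-to-change-the-text-of-email-notifications.md the "Available languages" table lists `cn.asp` through `zh.asp`, but the rest of the article is about `.txt` templates that carry a language postfix such as `_de`, `_fr` or `_ko`, and the article never says what the `.asp` files are. List the postfixes the reader needs for the rename, or explain how the `.asp` names map to them. The rename shown in "How to change language or edit templates" replaces the default `change_body_template.txt`, so add a sentence telling the reader to keep a copy of the original file first. The opening question also has "a users" and should be set off as a question, as the Question/Answer articles in this patch do.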
diff --git a/docs/kb/general/how-to-configure-google-drive-for-crawling.md b/docs/kb/general/how-to-configure-google-drive-for-crawling.md new file mode 100644 index 0000000000..6b02dc922c --- /dev/null +++ b/docs/kb/general/how-to-configure-google-drive-for-crawling.md 
@@ -0,0 +1,148 @@ +--- +description: >- + Step-by-step instructions to configure Google Drive for crawling by creating a + Google Cloud project, service account, service account key, enabling + domain-wide delegation, and enabling required APIs for use with Netwrix Cloud + Permission Analyzer. +keywords: + - Google Drive + - Google Workspace + - service account + - OAuth 2.0 + - domain-wide delegation + - Google Drive API + - Admin SDK + - Netwrix Cloud Permission Analyzer + - service account key +products: + - general +sidebar_label: How to configure Google Drive for Crawling +tags: [] +title: "How to configure Google Drive for Crawling" +knowledge_article_id: kA04u0000000H8tCAE +--- + +# How to configure Google Drive for Crawling + +To authenticate to your Google Workspace (formerly known as G Suite) domain to perform crawling, Netwrix uses the OAuth 2.0 protocol. Data in individual and shared Drives will be accessed using the Google Drive API. You will need to create a service account and authorize it to access data on behalf of the user. + +To configure Google Workspace for crawling, you should take the following steps (explained later in detail): + +In the Google Cloud Platform web console + +1. Create a new project. +2. Create a new service account. +3. Create a service account key (JSON, save a copy for the data source configuration). +4. Enable domain-wide delegation for the service account (write down the Client ID). +5. Enable the Google Drive API and the Admin SDK API. + +In the Google Workspace Admin Console + +1. 
Authorize service account to access the Google Drive API + +NOTE: Google administrative interfaces tend to change over time, so if you cannot configure Google Drive for crawling using as described in this article, refer to the following guide for instructions on creating OAuth 2.0 service accounts: [Using OAuth 2.0 for Server to Server Applications](https://developers.google.com/identity/protocols/oauth2/service-account) + +## Configure Google Workspace for crawling + +### Step 1. Create a new project + +1. Log in to the **Google Cloud Platform** web console: [https://console.cloud.google.com/](https://console.cloud.google.com/) as a Google Workspace administrator. +2. Click **Select a project**. In the **Select a project** dialog, click **New Project**: + +![User-added image](./images/ka04u000000HcZf_0EM4u000002D34F.png) + +3. In the dialog, specify the following: + - Project name — *NetwrixPermissionAnalyzer*. + - IMPORTANT! Provide a meaningful name for your project **without spaces**. Pay attention to the **Project ID** below and make sure it is identifiable for you since you cannot edit it later. + ![User-added image](./images/ka04u000000HcZf_0EM4u000002D3i0.png) + - Organization — provide your organization's domain. + - Location — provide your parent organization or folder. +4. Click **Create**. + +### Step 2. Create a new service account + +1. Click the **Google Cloud Platform** icon. +2. Navigate to **IAM & Admin** → **Service Accounts**. +3. Click **Create Service Account**: + +![User-added image](./images/ka04u000000HcZf_0EM4u000002D35r.png) + +4. In the **Create service account** dialog, provide the **Service account details**: + - Service account name — new service account name. For example, *Netwrix Permission Analyzer Service Account*. + - Service account ID — is set automatically. + - Service account description — description if needed. +5. Click **Done**. + +### Step 4. Create a service account key + +1. 
On the **Service accounts** page, click the newly created service account. +2. In your account configuration wizard, go to the **Keys** tab. +3. Expand the **Add Key** list and select **Create new key** option. +4. In the **Create private key for [Service account name]** dialog, select `JSON` format. +5. The key will be downloaded automatically. Save the file to a known location as it will be required later. + +NOTE: Your new public / private keypair is generated and downloaded to your machine. Store it securely. If you lose this keypair, you will need to generate a new one. + +### Step 5. Delegate domain-wide authority to the service account + +1. Go back to your service account **Details** tab. +2. Expand **Show Domain-Wide Delegation** and tick the **Enable G Suite Domain-wide Delegation** checkbox. +3. Provide a product name. For example, *NetwrixPermissionAnalyzer* (if you have already configured a service account, Google ignores this step). +4. Click **Save**. +5. Once completed, make sure that *Domain-wide delegation* is enabled for the account. +6. Click the **View Client ID** link. + +![User-added image](./images/ka04u000000HcZf_0EM4u000002D3i5.png) + +7. Copy the Client ID, you will need it later. + +### Step 6. Enable the Google Drive API and Admin SDK API + +1. Click the **Google Cloud Platform** icon to go back to the home page. +2. Navigate to **APIs & Services** on the left, and select the **Dashboard** menu. +3. Click **Enable APIs and Services** at the top. + +![User-added image](./images/ka04u000000HcZf_0EM4u000002Plj2.png) + +NOTE: If you already have any enabled APIs and/or Services in your project, skip this step and proceed with the instructions below. + +4. Search for **Google Drive API** and click **Enable** (or **Manage** if you have this API in your project). +5. 
If you are going to process large amounts of data, Netwrix recommends you set quotas for this API (OPTIONAL): + - On the **Google Drive API** page, select the **Quotas** menu on the left. + - Expand queries by clicking the expand icon on the right. + - Find the **Queries per 100 seconds per user** line and click the edit icon to edit. + - Set the quota limit to `"10,000"` and save your changes. + + ![User-added image](./images/ka04u000000HcZf_0EM4u000002Pljb.png) + +6. IMPORTANT! Go back to **APIs & Services** → **Dashboard** and repeat steps 2 - 3 to enable the **Admin SDK API**. If you have this API in your project, skip this step, and proceed. + +### Step 7. Configure domain-wide delegation to a new API client + +1. Switch to the Google Workspace Admin Console: [https://admin.google.com/](https://admin.google.com/) +2. Navigate to **Security** → **API Controls** → **Domain-wide delegation**. +3. On the **API controls** page, click **Manage domain-wide delegation** at the bottom. +4. Click **Add new** to add a new API client. +5. In the **Add a new client ID** dialog, provide the ID you copied earlier (see the corresponding step). +6. Then, specify necessary scopes in the **OAuth scopes** field. These can be: + +```text +https://www.googleapis.com/auth/drive.readonly, +https://www.googleapis.com/auth/admin.directory.domain.readonly, +https://www.googleapis.com/auth/admin.directory.user.readonly, +https://www.googleapis.com/auth/admin.directory.group.readonly +``` + +NOTE: For your convenience, the scopes are listed as comma-delimited. Google splits them accordingly, so you can paste the whole list to a field right from this article. + +7. Click **Authorize**. Wait for Google to recognize the scopes and then click **Authorize** again to apply. + +## What is next: + +1. Log in to Netwrix Cloud Permission Analyzer. +2. Read the **Get Started** section. Click **Continue**. +3. 
In the Google Drive connection settings, provide the Google Drive administrator account under which you logged in to the **Google Cloud Platform** web console. +4. Click **Import JSON file with Google service account settings** and select the file you downloaded on [step 4](#Key). +5. IMPORTANT! **Configure scope** – add your shared and/or personal Google Drives to the list. You can use a wildcard (`*`) if you want to crawl all drives in your Google Drive. + +NOTE: By default, Netwrix Cloud Permission Analyzer collects Google Drive data once a day. If you modify your Google Drive configuration and save your changes, the product initiates data collection automatically. diff --git a/docs/kb/general/how-to-configure-two-different-self-service-portals.md b/docs/kb/general/how-to-configure-two-different-self-service-portals.md new file mode 100644 index 0000000000..8914d60228 --- /dev/null +++ b/docs/kb/general/how-to-configure-two-different-self-service-portals.md 
@@ -0,0 +1,37 @@ +--- +description: >- + Shows how to create a second Self-Service portal instance by copying the + Web_SS folder and configuring a new IIS virtual directory to support separate + portals for different domains. +keywords: + - Self-Service portal + - Web_SS + - IIS + - virtual directory + - PM + - NetWrix Password Manager + - branding settings + - predefined domain +products: + - general +sidebar_label: How to configure two different Self-Service portal +tags: [] +title: "How to configure two different Self-Service portals" +knowledge_article_id: kA00g000000H9WpCAK +--- + +# How to configure two different Self-Service portals + +How to create the second instance of Self-Service portal? I have two domains and whant to have a separate portal for each domain. + +To create the second instance of Self-Service portal, do the following: + +1. In the NetWrix Password Manager installation directory, create a new folder. +2. Copy the entire content of `Web_SS` folder to the new folder. +3. Run Internet Information Services (IIS) Manager. +4. Create a new virtual directory in the same site, where the **PM** virtual directory is located (by default it is `%ComputerName%/Sites/Default Web Site/PM`). +5. In the **Add Virtual Directory** dialog, populate the **Physical path** field with the new folder full name, for example `C:Program files (x86)Netwrix Password ManagerWeb_SS_2`. Click **OK**. + +**NOTE**: In this case all the Branding settings (logo, support phone/link, prdefined domaine, etc) will be copied too. However changing of these settings via the Administrative portal will only affect the original Self-Service portal. + +Refer to the following KB for instructions on hiding domain list and setting predefined domain for portals: https://kb.netwrix.com/2062 
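Review bot: in how-to-configure-google-drive-for-crawling.md the step headings run "Step 1", "Step 2", "Step 4" … "Step 7" with no Step 3, while the summary list at the top numbers the same actions 1 to 5 plus 1, so the cross-references cannot be resolved. "the file you downloaded on [step 4](#Key)" links to an anchor `#Key` that no heading in the hunk defines, "provide the ID you copied earlier (see the corresponding step)" names no step, and "repeat steps 2 - 3" in Step 6 is ambiguous between list items and headings. Renumber the headings consecutively and link to them by heading anchor. Because Step 5 gives this service account domain-wide delegation, the Step 4 note "Store it securely" should become a concrete sentence on who may read the JSON key and what to do with the downloaded copy once it is imported. Also say whether all four scopes under "These can be:" are required or only a subset.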
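Review bot: in how-to-configure-two-different-self-service-portals.md, step 5 gives the physical path as `C:Program files (x86)Netwrix Password ManagerWeb_SS_2` with the path separators missing, so it cannot be pasted into the **Add Virtual Directory** dialog as written; restore the backslashes. In the same pass fix "whant" and "prdefined domaine", and align `sidebar_label` ("portal") with the title ("portals"). The NOTE says Administrative portal changes only affect the original portal, so add where the copied portal's branding settings are meant to be edited.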
diff --git a/docs/kb/general/how-to-create-a-redirection-for-the-password-manager-web-portal.md b/docs/kb/general/how-to-create-a-redirection-for-the-password-manager-web-portal.md new file mode 100644 index 0000000000..4de84dc4c1 --- /dev/null +++ b/docs/kb/general/how-to-create-a-redirection-for-the-password-manager-web-portal.md 
@@ -0,0 +1,91 @@ +--- +description: >- + Shows three methods to redirect the root URL to the Password Manager web + portal using IIS: modify the default iisstart.htm, enable HTTP Redirect, or + create a URL Rewrite rule. +keywords: + - Password Manager + - IIS + - redirect + - URL Rewrite + - HTTP Redirect + - iisstart.htm + - iisreset + - DNS alias +products: + - general +sidebar_label: How to create a redirection for the Password Manag +tags: [] +title: "How to create a redirection for the Password Manager web portal" +knowledge_article_id: kA00g000000PbdWCAS +--- + +# How to create a redirection for the Password Manager web portal + +## Question + +You want users to access Password Manager by browsing to the server root (for example, `http://`) instead of `http:///pm`. How can you redirect users to the Password Manager website? + +## Answer + +You can redirect users to the Password Manager self-service portal using one of these options: + +### Option 1. Modify the default `iisstart.htm` + +Change the `iisstart.htm` file in the root folder of the Default Web Site. Note that you will not be able to see the default IIS page after this change. + +1. Locate `iisstart.htm` (by default at `C:\inetpub\wwwroot`), right-click it and select **Edit**. +2. Replace the existing text in the file with the following HTML: +```html + +``` +3. Save changes to the file. + +### Option 2. Use the **HTTP Redirect** feature of IIS + +Refer to the IIS documentation for additional information: http://www.iis.net/configreference/system.webserver/httpredirect + +![httpredirect - Copy.png](./images/ka04u00000116bf_0EM4u0000084iLI.png) + +Perform the following steps: + +1. In the left pane of **IIS Manager** navigate to the website that contains the Password Manager virtual directory (by default “PM”). +2. In the central pane, double-click the **HTTP Redirect** icon under the **IIS** category. +3. 
Check the **Redirect requests to this destination** checkbox and enter the URL to redirect to (for example, `http://%servername%/pm`). +4. Check the **Redirect all requests to exact destination (instead of relative to destination)** checkbox. +5. Check the **Only redirect requests to content of this directory (not subdirectories)** checkbox. +6. Set **Status code** to **Found (302)**. +7. Click **Apply** in the right pane. + +![httpredirect_ex - Copy1.png](./images/ka04u00000116bf_0EM4u0000084iLS.png) + +### Option 3. Use **URL Rewrite** rules + +Download and install the URL Rewrite module from: http://www.iis.net/downloads/microsoft/url-rewrite + +![url_re.png](./images/ka04u00000116bf_0EM4u0000084iLX.png) + +After installing the URL Rewrite module, perform these steps: + +1. In the left pane of **IIS Manager** navigate to the website that contains the Password Manager virtual directory (by default “PM”). +2. In the central pane, double-click the **URL Rewrite** icon under the **IIS** category. +3. Click **Add rule(s)…** in the right pane. +4. Select **Blank rule** under **Inbound rules** and click **OK**. +5. Enter a **Name** for the rule. +6. In the **Match URL** area: + a. Select **Requested URL: Matches the pattern** and **Using: Regular expressions** in the dropdown lists. + b. Enter the following **Pattern:** `^$`. + c. Check the **Ignore case** checkbox. +7. In the **Action** area: + a. Select **Action: Redirect** from the dropdown list. + b. Enter the **Redirect URL** (for example, `http://%servername%/pm`). + c. Check the **Append query string** checkbox. + d. Select **Redirect type: Permanent (301)** from the dropdown list. +8. Click **Apply** and then click **Back to Rules**. The configured rule should now be listed. +9. Restart IIS by running the `iisreset` command in **Command Prompt** run as administrator. 
+ +![url_re_complete.png](./images/ka04u00000116bf_0EM4u0000084iLw.png) + +These steps allow the self-service portal to be accessible via the short URL `http://` instead of `http:///pm`. + +**NOTE:** If you want to make the self-service portal accessible from an external network, create a DNS alias (CNAME) for the Password Manager self-service portal address. See the Microsoft documentation for details: https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/create-an-alias-cname-record-in-dns-for-web1 diff --git a/docs/kb/general/how-to-create-failover-cluster-for-password-manager.md b/docs/kb/general/how-to-create-failover-cluster-for-password-manager.md new file mode 100644 index 0000000000..7fd201e032 --- /dev/null +++ b/docs/kb/general/how-to-create-failover-cluster-for-password-manager.md 
@@ -0,0 +1,68 @@ +--- +description: >- + This article describes how to create a Windows failover cluster and configure + Netwrix Password Manager for high availability. It covers prerequisites, + storage requirements, installation placement, cluster creation, and service + configuration. +keywords: + - failover cluster + - Netwrix Password Manager + - high availability + - Windows Server + - failover clustering + - cluster storage + - registry synchronization +products: + - general +sidebar_label: How to create Failover cluster for Password Manage +tags: [] +title: "How to create Failover cluster for Password Manager?" +knowledge_article_id: kA00g000000H9diCAC +--- + +# How to create Failover cluster for Password Manager? + +We recommend using Windows 2008 R2 or newer to build a failover cluster. Note that only Enterprise and Datacenter editions have the Failover cluster feature. Do the following: + +## 1. Enable the Failover cluster feature + +1. Run **Server Manager** snap-in. +2. In the left pane, right-click **Features**, select **Add feature**. A wizard opens. +3. Enable the **Failover clustering** check-box, click **Next**, then click **Install**. + +## 2. Create network storage + +Create a network storage as per the instructions linked below. The storage should include at least two disks (one active and another one "witness"). + +- http://blogs.technet.com/b/canitpro/archive/2011/04/12/creating-a-san-using-microsoft-iscsi-software-target-3-3.aspx + +NOTE: The machine that hosts storage drives should not be included to a cluster as a node. + +## 3. Install Netwrix Password Manager + +Install Netwrix Password Manager on all the machines that will be included into the cluster. The installation directory should be placed on the shared storage and be accessible from every node. + +- Every new installation will overwrite this directory. + +## 4. Create the failover cluster + +Create a failover cluster as per the instructions linked below. 
+ +- http://blogs.msdn.com/b/clustering/archive/2008/01/18/7151154.aspx + +## 5. Configure the Netwrix Password Manager service for high availability + +1. Run the **Failover Cluster Manager** snap-in. +2. In the left pane go to **Failover Cluster Manager - \ - Services and applications**. +3. Click **Configure a Service or Applications** in the right pane. A window opens. +4. Select **Generic service** from the list, click **Next**. +5. Select **Netwrix Password Manager** from the list, click **Next**. +6. Enter a name for the failover service and the IP address by which Password Manager will be available. Click **Next**. +7. Select the storage where the Password Manager installation directory is located from the list. Click **Next**. +8. Specify a registry key which should be synchronized between the cluster nodes. For Password Manager it is `HKLMSoftwareWow6432NodeNetwrixPassword Manager`. Click **Next**. +9. Verify all settings and confirm by clicking **Next**. +10. Wait until the failover service is configured. + +For more information and screenshots refer to: + +- http://technet.microsoft.com/en-us/library/cc731844(v=ws.10).aspx diff --git a/docs/kb/general/how-to-create-second-help-desk-portal.md b/docs/kb/general/how-to-create-second-help-desk-portal.md new file mode 100644 index 0000000000..d9c6b95d61 --- /dev/null +++ b/docs/kb/general/how-to-create-second-help-desk-portal.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Learn how to create a second Help-Desk portal for Netwrix Password Manager by + copying the web folder, creating an IIS virtual directory, and assigning + permissions to a security group. +keywords: + - Help-Desk portal + - Helpdesk2 + - IIS virtual directory + - Netwrix Password Manager + - Windows authentication + - Help Desk Operators + - security group + - PM site +products: + - general +sidebar_label: How to create second Help-Desk portal +tags: [] +title: "How to create second Help-Desk portal" +knowledge_article_id: kA00g000000H9WgCAK +--- + +# How to create second Help-Desk portal + +Is there a way to create separate Help-desk portal? Can we have certain users have certain permissions on the second Help-desk portal? + +To create another portal and assign permissions, do the following: + +1. Navigate to the Netwrix Password Manager installation directory, the default path: `C:Program Files (x86)Netwrix Password Manager`. +2. In the installation directory, create a copy of the **Web** folder and name it as **Helpdesk2**. + +![User-added image](./images/ka04u00000116eV_0EM700000004y52.png) + +3. Select the **Web** folder, right-click it and select **Properties**. +4. In the **Properties** dialog, navigate to the **Security** tab and change Windows security permissions: + - disable all inherited permissions + - leave full control for SYSTEM, CREATOR OWNER, Administrators + - create a group of users who should have access to the fully functional Help-desk portal, and grant this group full control. + +![User-added image](./images/ka04u00000116eV_0EM700000004y5C.png) + +5. Start the Internet Informational Services (IIS) Manager. +6. In the left pane, navigate to **%ComputerName%** - **Sites** - **Default Web Site** - **PM**, right-click the **PM** node and select **Add Virtual Directory**. +7. 
In the **Add Virtual Directory** dialog, specify **Alias** (for example, helpdesk2), and **Physical path** to the new directory created earlier: `C:Program Files (x86)Netwrix Password ManagerHelpdesk2`. + +![User-added image](./images/ka04u00000116eV_0EM700000004y5M.png) + +8. Make sure that only Windows authentication is enabled for this new virtual directory. +9. Open the **Administrative portal**, go to **Roles** and add the security group created in step 4 to the **Help Desk Operators** role. + +Now you have two Help-desk portals: + +1. [http://prmserver/pm/helpdesk2](http://prmserver/pm/helpdesk2) - can be accessed by all users, granted the Help Desk Operators role. +2. [http://prmserver/pm/helpdesk](http://prmserver/pm/helpdesk2) - can be accessed only by Administrators and the special security group you have created. + +If you want to add or remove some functionality from the second Help-desk portal, please [contact Netwrix Technical Support](https://www.netwrix.com/support_ticket.html). diff --git a/docs/kb/general/how-to-customize-text-in-the-password-manager-self-service-portal.md b/docs/kb/general/how-to-customize-text-in-the-password-manager-self-service-portal.md new file mode 100644 index 0000000000..58d8214bf3 --- /dev/null +++ b/docs/kb/general/how-to-customize-text-in-the-password-manager-self-service-portal.md 
@@ -0,0 +1,55 @@ +--- +description: >- + Shows how to customize text strings on the Password Manager Self-Service + portal by editing the language .asp files in the installation folder and + restarting IIS. +keywords: + - Password Manager + - Self-Service + - customize text + - Web_SSLocals + - en.asp + - iisreset + - localization +products: + - general +sidebar_label: How to customize text in the Password Manager Self +tags: [] +title: "How to customize text in the Password Manager Self-Service portal" +knowledge_article_id: kA00g000000H9UCCA0 +--- + +# How to customize text in the Password Manager Self-Service portal + +## Overview +All text on the Password Manager Self-Service Portal is determined by string values and can be changed. If you want to customize any string of text in the Self-Service portal, edit the appropriate language `.asp` file and restart IIS. + +## Procedure +1. Navigate to the Password Manager installation folder. +2. Locate the sub-folder called **Web_SSLocals**. +3. Locate the `.asp` file that corresponds with the language used on the Self-Service portal. By default - `en.asp`. Open it with Notepad. +4. Edit any string value in the file and save it. +5. Execute the `iisreset` command. + +Names of values are intuitive. If you want to remove a string of text completely, leave the value blank. + +For example, if you want to remove the copyright text, set `strCopyright=`. + +![User-added image](./images/ka04u00000116bQ_0EM700000004yGU.png) + +## Language files +| File | Language | +|--------|---------------------| +| `cn.asp` | Chinese | +| `de.asp` | German | +| `en.asp` | English | +| `es.asp` | Spanish | +| `fr.asp` | French | +| `he.asp` | Hebrew | +| `it.asp` | Italian | +| `jp.asp` | Japanese | +| `ko.asp` | Korean | +| `pt.asp` | Portuguese | +| `ru.asp` | Russian | +| `sk.asp` | Slovak | +| `zh.asp` | Traditional Chinese | 
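Review bot: in how-to-create-a-redirection-for-the-password-manager-web-portal.md, Option 1 step 2 says "Replace the existing text in the file with the following HTML" but the `html` fence that follows is empty, so the option cannot be followed; restore the snippet. The host placeholder also appears to be lost in `http://` and `http:///pm` (Question and closing paragraph). Option 2 sets **Found (302)** while Option 3 sets **Permanent (301)** with no reason given for the difference; pick one or explain it, since browsers cache a permanent redirect. Every example target is `http://%servername%/pm`; for a portal that handles password resets, show an `https://` target where the site is published over TLS.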
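Review bot: in how-to-create-failover-cluster-for-password-manager.md, section 5 step 8 gives the registry key to synchronize as `HKLMSoftwareWow6432NodeNetwrixPassword Manager` with no backslashes, which cannot be entered as written. Step 2 of the same section reads `Failover Cluster Manager - \ - Services and applications`, where a cluster-name placeholder seems to have dropped out. Restore both. In section 3, "Every new installation will overwrite this directory" stands as a lone bullet right after telling the reader to install on every node into the same shared directory; say whether that overwrite is expected and harmless or whether anything must be preserved between installs.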
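Review bot: in how-to-create-second-help-desk-portal.md, the second entry of the closing list displays `http://prmserver/pm/helpdesk` but its link target is `http://prmserver/pm/helpdesk2`, so the entry described as restricted to Administrators and the special group actually opens the portal described as available to all Help Desk Operators; fix the href. The paths in steps 1 and 7 have lost their backslashes (`C:Program Files (x86)Netwrix Password ManagerHelpdesk2`). Steps 3 and 4 tighten the ACL on the original **Web** folder rather than on the new copy; if that is intended, add one sentence stating which folder backs which URL, because it is easy to restrict the wrong one.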
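Review bot: in how-to-customize-text-in-the-password-manager-self-service-portal.md, Procedure step 2 names the sub-folder **Web_SSLocals** (also in the description and keywords). Another article in this patch calls the portal folder `Web_SS`, and several Windows paths in the patch have lost their backslashes, so please confirm whether this is meant to be a `Locals` folder inside `Web_SS`. Step 4 tells the reader to edit an `.asp` file that IIS executes; add a step to keep a copy of the original file before editing, and state the exact form of an empty value next to the `strCopyright=` example.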
diff --git a/docs/kb/general/how-to-deploy-password-manager-client-via-system-center-configuration-manager-2012-sp1.md b/docs/kb/general/how-to-deploy-password-manager-client-via-system-center-configuration-manager-2012-sp1.md new file mode 100644 index 0000000000..29f61aa5f7 --- /dev/null +++ b/docs/kb/general/how-to-deploy-password-manager-client-via-system-center-configuration-manager-2012-sp1.md 
@@ -0,0 +1,49 @@ +--- +description: >- + Shows how to deploy the Netwrix Password Reset client via System Center + Configuration Manager 2012 SP1 using the prm_client.msi and + gina_registry_settings.reg files. +keywords: + - Netwrix Password Reset + - SCCM + - System Center Configuration Manager + - prm_client.msi + - gina_registry_settings.reg + - deployment + - Wow6432Node + - client installation +products: + - general +sidebar_label: 'How to deploy Netwrix Password Reset client via System Center Configuration Manager 2012 SP1' +tags: [] +title: >- + How to deploy Netwrix Password Reset client via System Center Configuration + Manager 2012 SP1 +knowledge_article_id: kA00g000000PbdVCAS +--- + +# How to to deploy Netwrix Password Reset client via System Center Configuration Manager 2012 SP1? + +--- + +**NOTE**. If you do not need a detailed description on how to create a new package, program and advertisement in System Center Configuration Manager, refer to Step 2 point 7 to find the command line string parameter for the deployed program. + +To install Netwrix Password Reset Logon Prompt Extension via System Center Configuration Manager (simplest scenario) perform the following steps. + +## Step 1. Prepare files for deployment. Package should include `prm_client.msi` itself and `gina_registry_settings.reg` with settings. Draft `gina_registry_settings.reg` is attached to the article. + +1. Change the `prm_client.msi` default settings if needed, refer to [this article](https://kb.netwrix.com/2014) if you want to change this. + +2. Edit `gina_registry_settings.reg` file with Notepad to apply required settings. Un-comment the required values (remove #) and change them. Refer to [this article](https://kb.netwrix.com/2056) describing keys and values. + +**NOTE**. `PM_Server` is mandatory. + +**NOTE**. Remove the `Wow6432Node` registry key from the file if you are going to use the client on a 32-bit machine. + +3. 
Copy both files to your System Center Configuration Manager packages folder + +## Step 2. Create a new package in SCCM + +1. Launch **SCCM 2012 Configuration Manager** and choose **Software Library** node +2. Right-click on **Packages** and choose **Create package** + diff --git a/docs/kb/general/how-to-migrate-netwrix-password-manager-to-another-server.md b/docs/kb/general/how-to-migrate-netwrix-password-manager-to-another-server.md new file mode 100644 index 0000000000..c53cb38244 --- /dev/null +++ b/docs/kb/general/how-to-migrate-netwrix-password-manager-to-another-server.md 
@@ -0,0 +1,51 @@ +--- +description: >- + Describes how to migrate Netwrix Password Manager to a new server by copying + the installation files, transferring enrollment data, and updating client + settings and GPOs. +keywords: + - Netwrix Password Manager + - migrate + - server migration + - secrets.bin + - alinfo.bin + - PredefinedQuestions.txt + - Templates + - GPO + - Password Manager Server URL +products: + - general +sidebar_label: How to migrate Netwrix Password Manager to another +tags: [] +title: "How to migrate Netwrix Password Manager to another server" +knowledge_article_id: kA00g000000H9T5CAK +--- + +# How to migrate Netwrix Password Manager to another server? + +--- + +To migrate Netwrix Password Manager perfrom the following steps: + +1. Install Netwrix Password Manager on a new server. +2. Then, stop the product service on the new server. +3. Stop the Netwrix Password Manager service on the old server +4. Copy the following files from the Password Manager installation directory on the old server to the same location on the new server: + - `secrets.bin` + - `alinfo.bin` + - `PredefinedQuestions.txt` (if you changed predefined questions) + - `Templates` subfolder (if you cahnged notifications text) + +![User-added image](./images/ka04u00000116Rj_0EM700000004xV4.png) + +5. Start the Netwrix Password Manager service on the new server. +6. Wait for several minutes to allow the service read the users enrollment data. +7. Go to Administrative portal and apply license +8. Make sure firewall is configured corretly o the new server to accept connections + +**NOTE.** If you use the Password Manager clients, change the Password Manager server address in their settings.To do this, perform the following steps + +1. Navigate to **Start - -> Group Policy Management** Console snap-in. +2. Right-click the GPO created for Netwrix Password Manager and select **Edit** from the popup menu. +3. 
In the dialog that opens, navigate to **Computer Configuration - -> Administrative Templates - -> <Your_Password_Manager_Template>**. +4. In the right pane, specify the new server URL in the **Password Manager Server URL** entry field. diff --git a/docs/kb/general/how-to-modify-the-password-manager-service-account.md b/docs/kb/general/how-to-modify-the-password-manager-service-account.md new file mode 100644 index 0000000000..efc0403614 --- /dev/null +++ b/docs/kb/general/how-to-modify-the-password-manager-service-account.md @@ -0,0 +1,35 @@ +--- +description: >- + Explains how to modify the Windows service account used by the Netwrix + Password Manager service after installation. +keywords: + - Password Manager + - service account + - services.msc + - Windows Services + - Netwrix Password Manager + - modify service account +products: + - general +sidebar_label: How to modify the Password Manager Service account +tags: [] +title: "How to modify the Password Manager Service account" +knowledge_article_id: kA00g000000H9dnCAC +--- + +# How to modify the Password Manager Service account + +Password Manager runs as a service. The service account is the account you use to run the Netwrix Password Manager service. The Password Manager installer prompts you for the credentials of this account. + +## Modify the service account + +To modify this account after installation, do the following: + +1. Run the **Services** snap-in (navigate to **Start** -> **Run** and type `services.msc`). +2. Locate the **Netwrix Password Manager** service. +3. Right-click it and select **Properties**. +4. Navigate to the **Log on** tab. +5. Specify the account you want to use to run the service. +6. Click **OK** and restart the service. + +[![User-added image](./images/ka04u00000116Ro_0EM700000004xUu.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAd0&feoid=00N700000032Pj2&refid=0EM700000004xUu) 
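Review bot: in how-to-deploy-password-manager-client-via-system-center-configuration-manager-2012-sp1.md, the opening NOTE sends readers to "Step 2 point 7" for the command line string, but Step 2 stops after point 2 ("choose **Create package**"), so the one parameter the note promises is not in the file; restore the remaining steps. Step 1 says the draft `gina_registry_settings.reg` "is attached to the article" but nothing is linked. The H1 reads "How to to deploy", and the "Step 1" heading has a whole paragraph run into it; split the sentence after "Prepare files for deployment." into body text.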
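Review bot: in how-to-migrate-netwrix-password-manager-to-another-server.md, step 4 copies `secrets.bin` and `alinfo.bin` to the new server and step 6 refers to the users' enrollment data being read from them, yet nothing says how the copy should be protected in transit or what to do with the files left on the old server; add a sentence covering both. Step 8 ("Make sure firewall is configured corretly o the new server") should name the ports or link to the requirement. Also fix "perfrom", "cahnged", "settings.To", the `- ->` arrows, and the missing full stops on steps 3, 7 and 8.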
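Review bot: in how-to-modify-the-password-manager-service-account.md, step 5 ("Specify the account you want to use to run the service") gives no indication of the rights the replacement account needs, which leaves the reader to either break the service or fall back on an over-privileged account; state the required permissions or link to the installation requirements. The screenshot is wrapped in a link to `netwrix.secure.force.com/kb/servlet/rtaImage?...`, unlike the other images in these articles; drop the wrapper so the page does not depend on the old KB host.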
diff --git a/docs/kb/general/how-to-remove-enrollment-wizard-from-startup.md b/docs/kb/general/how-to-remove-enrollment-wizard-from-startup.md new file mode 100644 index 0000000000..82a54119b7 --- /dev/null +++ b/docs/kb/general/how-to-remove-enrollment-wizard-from-startup.md 
@@ -0,0 +1,45 @@ +--- +description: >- + Learn how to remove the Enrollment Wizard from startup after client deployment + by removing or modifying the startup registry value and using Group Policy for + multiple machines. +keywords: + - Enrollment Wizard + - startup + - registry + - Netwrix Password Manager + - Group Policy + - Run key + - deployment + - startup programs +products: + - general +sidebar_label: How to remove Enrollment Wizard from startup +tags: [] +title: "How to remove Enrollment Wizard from startup" +knowledge_article_id: kA00g000000H9VzCAK +--- + +# How to remove Enrollment Wizard from startup + +How can I remove Enrollment Wizard from startup after deployment of the client? + +Please see [KB2014](https://kb.netwrix.com/2014) if you are looking for a way to disable the client from adding itself to startup. During deployment the client adds a Reg_SZ value called `Netwrix Password Manager` to the startup registry key. + +![User-added image](./images/ka04u00000116Q2_0EM700000005b6s.png) + +## Registry keys + +- In 32-bit OS the key is `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` +- In 64bit OS the key is `HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run` + +## Remove or disable the Enrollment Wizard + +To prevent the Enrollment wizard from running on startup you need to remove the value, or alternatively change its value to point to a non-existing executable. The value can be removed or changed on several machines by means of Group Policy. + +- Open the registry key shown above on the target machine. +- Locate the `Reg_SZ` value named `Netwrix Password Manager`. +- Either: + 1. Delete the `Netwrix Password Manager` value to remove the startup entry, or + 2. Edit the value and change its data to point to a non-existing executable path to disable startup behavior without deleting the entry. 
+- To apply this change across multiple machines, use Group Policy to delete or modify the registry value remotely. diff --git a/docs/kb/general/how-to-remove-languages-from-the-self-service-portal.md b/docs/kb/general/how-to-remove-languages-from-the-self-service-portal.md new file mode 100644 index 0000000000..a5970f0cb1 --- /dev/null +++ b/docs/kb/general/how-to-remove-languages-from-the-self-service-portal.md 
@@ -0,0 +1,56 @@ +--- +description: >- + Shows how to remove languages from the list displayed on the Self-Service + Portal by renaming language files in the Web_SSLocals folder and restarting + IIS. +keywords: + - self-service portal + - languages + - Web_SSLocals + - iisreset + - password manager + - localization + - language files + - de.asp + - en.asp +products: + - general +sidebar_label: How to remove languages from the Self-Service Port +tags: [] +title: "How to remove languages from the Self-Service Portal" +knowledge_article_id: kA00g000000H9UICA0 +--- + +# How to remove languages from the Self-Service Portal + +How to remove certain languages from the list displayed on the Self-Service portal? + +In order to remove languages from the webpage, perform the following steps: + +1. Open the `Web_SSLocals` subfolder of the Password Manager installation directory. +2. Change the file extension for all languages that should not be displayed on the web portal. +3. Execute the `iisreset` command on the web-server. + +The following table lists the files and their corresponding languages: + +| File | Language | +|------|----------| +| `cn.asp` | Chinese | +| `de.asp` | German | +| `en.asp` | English | +| `es.asp` | Spanish | +| `fr.asp` | French | +| `he.asp` | Hebrew | +| `it.asp` | Italian | +| `jp.asp` | Japanese | +| `ko.asp` | Korean | +| `pt.asp` | Portuguese | +| `ru.asp` | Russian | +| `sk.asp` | Slovak | +| `zh.asp` | Traditional Chinese | + +EXAMPLE: to remove German, rename the `de.asp` file to `de.asp.old` + +![User-added image](./images/ka04u00000116cK_0EM700000004xIe.png) + +NOTE: English (`en.asp`) cannot be removed by design of the software diff --git a/docs/kb/general/how-to-save-and-zip-the-netwrix-cloud-agent-event-log.md b/docs/kb/general/how-to-save-and-zip-the-netwrix-cloud-agent-event-log.md new file mode 100644 index 0000000000..3bd4230754 --- /dev/null +++ b/docs/kb/general/how-to-save-and-zip-the-netwrix-cloud-agent-event-log.md 
@@ -0,0 +1,53 @@ +--- +description: >- + Instructions to export and compress the Netwrix Cloud Agent event log using + either the Command Prompt or Event Viewer. Includes a note to perform these + steps on the server where the Cloud Agent is installed. +keywords: + - Netwrix Cloud Agent + - event log + - wevtutil + - EVTX + - Event Viewer + - export + - zip + - desktop + - log export +products: + - onesecure +sidebar_label: 'How to Save and Zip the Netwrix Cloud Agent Event ' +tags: [] +title: "How to Save and Zip the Netwrix Cloud Agent Event Log" +knowledge_article_id: kA0Qk00000020QXKAY +--- + +# How to Save and Zip the Netwrix Cloud Agent Event Log + +## Question + +How can you export and compress the Netwrix Cloud Agent event log? + +## Answer + +You can save and zip the Netwrix Cloud Agent event log using either the Command Prompt or the Event Viewer. The following steps will guide you through each method: + +> **NOTE:** Perform these steps on the server where the Netwrix Cloud Agent is installed. + +### Export Cloud Agent event log via Command Prompt + +Execute the following command in an elevated Command Prompt line: + +```bat +wevtutil epl "Netwrix Cloud Agent" %userprofile%\desktop\NCA.evtx +``` + +The exported Cloud Agent event log will appear on your Desktop. + +### Export Cloud Agent event log via Event Viewer + +1. Open **Event Viewer**. +2. Expand the **Applications and Services Logs** folder in the left pane. + ![WINWORD_d4dzmyjY6t.png](./images/ka0Qk000000Cr3l_0EMQk00000AdKCR.png) +3. Right-click on **Netwrix Cloud Agent** and select **Save All Events As**. +4. Name the file and click **Save**. +5. Once the file is saved, right-click it and zip the file. diff --git a/docs/kb/general/how-to-tell-password-manager-to-use-a-specific-domain-controller.md b/docs/kb/general/how-to-tell-password-manager-to-use-a-specific-domain-controller.md new file mode 100644 index 0000000000..f8c5d82ad0 --- /dev/null 
+++ b/docs/kb/general/how-to-tell-password-manager-to-use-a-specific-domain-controller.md @@ -0,0 +1,36 @@ +--- +description: >- + Shows how to configure Password Manager to use a specific Domain Controller + for all account operations by adding a registry value, restarting the service, + and verifying the change in the ALService log. +keywords: + - password manager + - domain controller + - TargetDC + - registry + - HKLMSoftwareNetwrixPassword Manager + - ALService + - target_comp + - password reset + - service restart +products: + - general +sidebar_label: How to tell Password Manager to use a specific Dom +tags: [] +title: "How to tell Password Manager to use a specific Domain Controller" +knowledge_article_id: kA00g000000PbdICAS +--- + +# How to tell Password Manager to use a specific Domain Controller + +How to point Password Manager to use a specific Domain Controller for all account operations (password reset, password change etc..)? + +## Procedure + +1) On the server where the **Password Manager Service** runs, open the **registry** and navigate to `HKLMSoftwareNetwrixPassword Manager` (for 64-bit systems go to `HKLMSoftwareWow6432NodeNetwrixPassword Manager`). + +2) Create a new `String Value` named `TargetDC` and specify the **IP address** of the domain controller you want to use. + +3) **Restart** the **Password Manager service** after making this registry change to ensure the change is reflected in the next operation. + +4) To verify the change is being applied, navigate to the product install directory and find the **ALService** text file. You can then search for the string ` "target_comp" ` occurring at a time AFTER the registry modification was made. diff --git a/docs/kb/general/how-to-update-password-manager.md b/docs/kb/general/how-to-update-password-manager.md new file mode 100644 index 0000000000..3520ef8032 --- /dev/null +++ b/docs/kb/general/how-to-update-password-manager.md 
@@ -0,0 +1,61 @@ +--- +description: >- + Describes how to update Netwrix Password Secure in single-server and DMZ + (frontend/backend) setups, including pre-upgrade backups and DCOM settings + verification. +keywords: + - Netwrix Password Secure + - update + - upgrade + - PRMService.exe + - prm_setup.exe + - prm_client.msi + - DCOM + - DMZ + - backup +products: + - general +sidebar_label: How to update Password Manager +tags: [] +title: "How to update Password Manager" +knowledge_article_id: kA00g000000H9V1CAK +--- + +# How to update Password Manager + +## What is the procedure to update Netwrix Password Secure? + +Prior to upgrade backup the following files from the product installation directory (on backend in case of DMZ setup). This is done for emergency and normally these files will not be required later. + +- **alinfo.bin** +- **secrets.bin** +- **Predefined Questions.txt** +- **Templates folder** + +![User-added image](./images/ka04u00000116Oz_0EM7000000054kp.png) + +### I. Procedure for single server setup + +1. Run the installer and follow the instructions of the wizard. All settings will be saved so there is no additional configuration or re-configuration required. + +### II. Procedure for DMZ installation + +1. Run the installer on the backend server under an account with local admin permissions. Setup will update all product files but will not change any product settings (or IIS settings if it is installed on BE). +2. Run the installer on the frontend server under an account with local admin permissions. Setup will update all product files, including `PRMService.exe` (this file will be recreated if you removed it previously). +3. Make sure the Netwrix Password Secure service is still disabled on the frontend server. +4. Navigate to the product installation directory and rename `PRMService.exe` to `PRMService.exe.old`. +5. Run Task Manager and make sure there is no `PRMService.exe` process running on the frontend server. +6. 
Check that DCOM settings for Netwrix Password Secure didn't change: + + - Run Component Services configuration (**Start - Run** - `dcomcnfg`) + - Navigate to **Component Services - Computers - My Computer - DCOM Config - Netwrix Password Secure** + - Right click **Netwrix Password Secure** node and select **Properties** + - Go to **Location** tab and make sure that **Run application on this computer** checkbox is disabled and **Run application on the following computer** is enabled and points to the backend + +![User-added image](./images/ka04u00000116Oz_0EM7000000056MB.png) + +**NOTE.** For the update it is possible to use both the Identity Management installer or explicit installer `prm_setup.exe` that you may get from support. + +**NOTE.** Though all new versions of the server are backward compatible with older versions of clients, it is recommended to update Netwrix Password Secure clients on workstations as well. It can be done with help of `prm_client.msi` installer that can be either found in the product installation directory or received from support. + +**NOTE.** It may be required to restart the Netwrix Password Secure service upon completion of the upgrade. diff --git a/docs/kb/general/how_does_the_file_copy_event_work_on_linux_distributions.md b/docs/kb/general/how_does_the_file_copy_event_work_on_linux_distributions.md new file mode 100644 index 0000000000..1e9256a768 --- /dev/null +++ b/docs/kb/general/how_does_the_file_copy_event_work_on_linux_distributions.md 
@@ -0,0 +1,25 @@ +--- +description: >- + This article explains how the File Copy event functions on various Linux distributions, detailing its compatibility and logging specifics. +keywords: + - File Copy event + - Linux distributions + - file transfer +sidebar_label: File Copy Event on Linux +tags: [] +title: "How Does the File Copy Event Work on Linux Distributions?" +knowledge_article_id: kA0Qk0000002B7hKAE +products: + - general +--- + +# How Does the File Copy Event Work on Linux Distributions? + +## Overview + +Starting with client version 1.7.1.2, the File Copy event is supported on all Linux distributions that have available clients, such as Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, RHEL 8.1, and RHEL 8.3. This functionality works regardless of the kernel version used by the distribution; events will be created even if the kernel is lower or higher than 5.1. + +## Details + +- **Event Direction:** The File Copy event is recorded only when transferring files from a PC to a USB device. +- **Logging:** The logs will report only the file that was copied. The source and destination paths are not displayed. \ No newline at end of file diff --git a/docs/kb/general/how_to_capture_client_logs_manually_on_a_linux_machine.md b/docs/kb/general/how_to_capture_client_logs_manually_on_a_linux_machine.md new file mode 100644 index 0000000000..606987ce92 --- /dev/null +++ b/docs/kb/general/how_to_capture_client_logs_manually_on_a_linux_machine.md 
@@ -0,0 +1,68 @@ +--- +description: >- + This article provides step-by-step instructions on how to enable and capture client logs on a Linux machine. +keywords: + - client logs + - Linux + - troubleshooting +sidebar_label: Capture Client Logs on Linux +tags: [] +title: "How to Capture Client Logs Manually on a Linux Machine" +knowledge_article_id: kA0Qk0000002B6uKAE +products: + - general +--- + +# How to Capture Client Logs Manually on a Linux Machine + +## Overview + +This article provides step-by-step instructions on how to enable and capture client logs on a Linux machine. + +## Instructions + +### Capture Regular Client Logs + +1. Open a terminal on the client machine and run the following commands: + + ```bash + cd /var/log/epp-client/ + sudo touch /var/log/epp-client/epp_client_daemon.log + sudo touch /var/log/epp-client/eppsslsplit.log + sudo service epp-client-daemon restart + ``` + +2. Replicate the issue. + +3. Copy the log files to your desktop by executing the following commands: + + ```bash + cp /var/log/epp-client/epp_client_daemon.log /home/user/Desktop/ + cp /var/log/epp-client/eppsslsplit.log /home/user/Desktop/ + ``` + +4. Submit the log files to the support team. + +> **NOTE:** Restarting the system clears existing log entries. To retain log entries after a system restart, capture logs in append mode. + +### Capture Client Logs in Append Mode + +1. Open a terminal on the client machine and run the following commands: + + ```bash + cd /var/log/epp-client/ + sudo touch /var/log/epp-client/epp_client_daemon_append.log + sudo touch /var/log/epp-client/eppsslsplit.log + sudo service epp-client-daemon restart + ``` + +2. Replicate the issue or wait for the issue to occur. + +3. Copy the log files to your desktop by executing the commands: + + ```bash + cp /var/log/epp-client/epp_client_daemon_append.log /home/user/Desktop/ + cp /var/log/epp-client/eppsslsplit.log /home/user/Desktop/ + ``` + +4. Submit the log files to the support team. 
\ No newline at end of file diff --git a/docs/kb/general/how_to_collect_http_archive_logs_in_a_web_browser.md b/docs/kb/general/how_to_collect_http_archive_logs_in_a_web_browser.md new file mode 100644 index 0000000000..43dcdb24dc --- /dev/null +++ b/docs/kb/general/how_to_collect_http_archive_logs_in_a_web_browser.md @@ -0,0 +1,31 @@ +--- +description: >- + This article explains how to collect HTTP Archive (HAR) logs in a web browser, which are useful for troubleshooting web application issues by capturing network requests and responses. +keywords: + - HAR logs + - web browser + - troubleshooting +sidebar_label: Collect HTTP Archive Logs +tags: [] +title: "How to Collect HTTP Archive Logs in a Web Browser" +knowledge_article_id: kA0Qk0000002B18KAE +products: + - general +--- + +# How to Collect HTTP Archive Logs in a Web Browser + +## Overview + +This article explains how to collect HTTP Archive (HAR) logs in a web browser. HAR logs are useful for troubleshooting web application issues by capturing network requests and responses. + +## Instructions + +1. Open **Chrome**, **Edge**, or **Firefox** and navigate to the page where the issue is occurring. +2. Select the **Application Menu** button, then choose **More Tools** > **Developer Tools**. +3. Click the **Network** tab and keep it open. +4. Make sure the round **Record** button in the upper left is red. If it is gray, click it to start recording. Select the **Preserve log** checkbox, then click the **Clear** crossed circle button to remove previous logs. +5. Reproduce the issue so that all relevant network activity is captured. If required, repeat this step with and without DPI enabled. +6. Click the **Export HAR** button and save the file to your computer as **Save as HAR with Content**. + +![Dialog box for exporting HAR logs with the Export HAR button highlighted](./images/servlet_image_25a6a63e2d98.png) \ No newline at end of file 
diff --git a/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D34F.png b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D34F.png new file mode 100644 index 0000000000..81f65e48be Binary files /dev/null and b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D34F.png differ diff --git a/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D35r.png b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D35r.png new file mode 100644 index 0000000000..c5dbc4c2b8 Binary files /dev/null and b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D35r.png differ diff --git a/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D3i0.png b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D3i0.png new file mode 100644 index 0000000000..b057cb800e Binary files /dev/null and b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D3i0.png differ diff --git a/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D3i5.png b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D3i5.png new file mode 100644 index 0000000000..9a61f343a5 Binary files /dev/null and b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002D3i5.png differ diff --git a/docs/kb/general/images/ka04u000000HcZf_0EM4u000002Plj2.png b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002Plj2.png new file mode 100644 index 0000000000..ca10b711dc Binary files /dev/null and b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002Plj2.png differ diff --git a/docs/kb/general/images/ka04u000000HcZf_0EM4u000002Pljb.png b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002Pljb.png new file mode 100644 index 0000000000..ee56b8a29a Binary files /dev/null and b/docs/kb/general/images/ka04u000000HcZf_0EM4u000002Pljb.png differ diff --git a/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DWQP.png b/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DWQP.png new file mode 100644 index 0000000000..5d33be86e9 Binary files /dev/null and b/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DWQP.png differ 
diff --git a/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DWQU.png b/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DWQU.png new file mode 100644 index 0000000000..de9cddd2c9 Binary files /dev/null and b/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DWQU.png differ diff --git a/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DWQj.png b/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DWQj.png new file mode 100644 index 0000000000..fffeed8ce2 Binary files /dev/null and b/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DWQj.png differ diff --git a/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DrWi.png b/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DrWi.png new file mode 100644 index 0000000000..377142f858 Binary files /dev/null and b/docs/kb/general/images/ka04u000000HdEw_0EM4u000002DrWi.png differ diff --git a/docs/kb/general/images/ka04u000000ww3T_0EM700000005jlZ.png b/docs/kb/general/images/ka04u000000ww3T_0EM700000005jlZ.png new file mode 100644 index 0000000000..74a9f5d3ea Binary files /dev/null and b/docs/kb/general/images/ka04u000000ww3T_0EM700000005jlZ.png differ diff --git a/docs/kb/general/images/ka04u000000wwEl_0EM4u000004cBqK.png b/docs/kb/general/images/ka04u000000wwEl_0EM4u000004cBqK.png new file mode 100644 index 0000000000..7cff2ec2f2 Binary files /dev/null and b/docs/kb/general/images/ka04u000000wwEl_0EM4u000004cBqK.png differ diff --git a/docs/kb/general/images/ka04u00000116Nr_0EM700000005OPh.png b/docs/kb/general/images/ka04u00000116Nr_0EM700000005OPh.png new file mode 100644 index 0000000000..267c1b6f3c Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Nr_0EM700000005OPh.png differ diff --git a/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORT.png b/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORT.png new file mode 100644 index 0000000000..68c72ae609 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORT.png differ 
diff --git a/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORY.png b/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORY.png new file mode 100644 index 0000000000..572872bf08 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORY.png differ diff --git a/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORn.png b/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORn.png new file mode 100644 index 0000000000..d1b592ccfc Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORn.png differ diff --git a/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORx.png b/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORx.png new file mode 100644 index 0000000000..58bbd5eb8f Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Nr_0EM700000005ORx.png differ diff --git a/docs/kb/general/images/ka04u00000116O1_0EM700000005OQ1.png b/docs/kb/general/images/ka04u00000116O1_0EM700000005OQ1.png new file mode 100644 index 0000000000..f2322773c2 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116O1_0EM700000005OQ1.png differ diff --git a/docs/kb/general/images/ka04u00000116O1_0EM700000005OR9.png b/docs/kb/general/images/ka04u00000116O1_0EM700000005OR9.png new file mode 100644 index 0000000000..b1f0628ef7 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116O1_0EM700000005OR9.png differ diff --git a/docs/kb/general/images/ka04u00000116Oa_0EM700000004xFz.png b/docs/kb/general/images/ka04u00000116Oa_0EM700000004xFz.png new file mode 100644 index 0000000000..1468a037c0 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Oa_0EM700000004xFz.png differ diff --git a/docs/kb/general/images/ka04u00000116Oa_0EM700000004xkd.png b/docs/kb/general/images/ka04u00000116Oa_0EM700000004xkd.png new file mode 100644 index 0000000000..6297414bbf Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Oa_0EM700000004xkd.png differ 
diff --git a/docs/kb/general/images/ka04u00000116Oa_0EM700000004xki.png b/docs/kb/general/images/ka04u00000116Oa_0EM700000004xki.png new file mode 100644 index 0000000000..f402977959 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Oa_0EM700000004xki.png differ diff --git a/docs/kb/general/images/ka04u00000116Of_0EM7000000052QE.png b/docs/kb/general/images/ka04u00000116Of_0EM7000000052QE.png new file mode 100644 index 0000000000..bcc290cde0 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Of_0EM7000000052QE.png differ diff --git a/docs/kb/general/images/ka04u00000116Of_0EM7000000052QO.png b/docs/kb/general/images/ka04u00000116Of_0EM7000000052QO.png new file mode 100644 index 0000000000..b79cd62b3c Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Of_0EM7000000052QO.png differ diff --git a/docs/kb/general/images/ka04u00000116Of_0EM7000000052QT.png b/docs/kb/general/images/ka04u00000116Of_0EM7000000052QT.png new file mode 100644 index 0000000000..f402977959 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Of_0EM7000000052QT.png differ diff --git a/docs/kb/general/images/ka04u00000116Of_0EM7000000052QY.png b/docs/kb/general/images/ka04u00000116Of_0EM7000000052QY.png new file mode 100644 index 0000000000..68c72ae609 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Of_0EM7000000052QY.png differ diff --git a/docs/kb/general/images/ka04u00000116Of_0EM7000000052Qi.png b/docs/kb/general/images/ka04u00000116Of_0EM7000000052Qi.png new file mode 100644 index 0000000000..c45a9991e6 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Of_0EM7000000052Qi.png differ diff --git a/docs/kb/general/images/ka04u00000116Of_0EM7000000052Qn.png b/docs/kb/general/images/ka04u00000116Of_0EM7000000052Qn.png new file mode 100644 index 0000000000..f2322773c2 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Of_0EM7000000052Qn.png differ 
diff --git a/docs/kb/general/images/ka04u00000116Op_0EM700000004xkx.png b/docs/kb/general/images/ka04u00000116Op_0EM700000004xkx.png new file mode 100644 index 0000000000..38b24b9ae0 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Op_0EM700000004xkx.png differ diff --git a/docs/kb/general/images/ka04u00000116Op_0EM700000004xl2.png b/docs/kb/general/images/ka04u00000116Op_0EM700000004xl2.png new file mode 100644 index 0000000000..ae6588b595 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Op_0EM700000004xl2.png differ diff --git a/docs/kb/general/images/ka04u00000116Op_0EM700000005OBu.png b/docs/kb/general/images/ka04u00000116Op_0EM700000005OBu.png new file mode 100644 index 0000000000..52e395a70a Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Op_0EM700000005OBu.png differ diff --git a/docs/kb/general/images/ka04u00000116Oz_0EM7000000054kp.png b/docs/kb/general/images/ka04u00000116Oz_0EM7000000054kp.png new file mode 100644 index 0000000000..5329f5df15 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Oz_0EM7000000054kp.png differ diff --git a/docs/kb/general/images/ka04u00000116Oz_0EM7000000056MB.png b/docs/kb/general/images/ka04u00000116Oz_0EM7000000056MB.png new file mode 100644 index 0000000000..d19f4b61b4 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Oz_0EM7000000056MB.png differ diff --git a/docs/kb/general/images/ka04u00000116P4_0EM700000005ZT6.png b/docs/kb/general/images/ka04u00000116P4_0EM700000005ZT6.png new file mode 100644 index 0000000000..a0646eb031 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116P4_0EM700000005ZT6.png differ diff --git a/docs/kb/general/images/ka04u00000116P4_0EM700000005ZTB.png b/docs/kb/general/images/ka04u00000116P4_0EM700000005ZTB.png new file mode 100644 index 0000000000..67b7ab1aa2 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116P4_0EM700000005ZTB.png differ 
diff --git a/docs/kb/general/images/ka04u00000116Q2_0EM700000005b6s.png b/docs/kb/general/images/ka04u00000116Q2_0EM700000005b6s.png new file mode 100644 index 0000000000..2d91219cae Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Q2_0EM700000005b6s.png differ diff --git a/docs/kb/general/images/ka04u00000116Q7_0EM7000000058Xp.png b/docs/kb/general/images/ka04u00000116Q7_0EM7000000058Xp.png new file mode 100644 index 0000000000..b46e467e20 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Q7_0EM7000000058Xp.png differ diff --git a/docs/kb/general/images/ka04u00000116Q7_0EM7000000058Xu.png b/docs/kb/general/images/ka04u00000116Q7_0EM7000000058Xu.png new file mode 100644 index 0000000000..3954f1519b Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Q7_0EM7000000058Xu.png differ diff --git a/docs/kb/general/images/ka04u00000116Rj_0EM700000004xV4.png b/docs/kb/general/images/ka04u00000116Rj_0EM700000004xV4.png new file mode 100644 index 0000000000..5329f5df15 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Rj_0EM700000004xV4.png differ diff --git a/docs/kb/general/images/ka04u00000116Ro_0EM700000004xUu.png b/docs/kb/general/images/ka04u00000116Ro_0EM700000004xUu.png new file mode 100644 index 0000000000..5a221d3b88 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Ro_0EM700000004xUu.png differ diff --git a/docs/kb/general/images/ka04u00000116Ru_0EM700000005hyC.png b/docs/kb/general/images/ka04u00000116Ru_0EM700000005hyC.png new file mode 100644 index 0000000000..d56345e47f Binary files /dev/null and b/docs/kb/general/images/ka04u00000116Ru_0EM700000005hyC.png differ diff --git a/docs/kb/general/images/ka04u00000116S3_0EM700000005b7r.png b/docs/kb/general/images/ka04u00000116S3_0EM700000005b7r.png new file mode 100644 index 0000000000..91c1aacc74 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116S3_0EM700000005b7r.png differ 
diff --git a/docs/kb/general/images/ka04u00000116S3_0EM700000005b8K.png b/docs/kb/general/images/ka04u00000116S3_0EM700000005b8K.png new file mode 100644 index 0000000000..bb2ed53a9a Binary files /dev/null and b/docs/kb/general/images/ka04u00000116S3_0EM700000005b8K.png differ diff --git a/docs/kb/general/images/ka04u00000116bK_0EM700000004xaY.png b/docs/kb/general/images/ka04u00000116bK_0EM700000004xaY.png new file mode 100644 index 0000000000..d1acde88ef Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bK_0EM700000004xaY.png differ diff --git a/docs/kb/general/images/ka04u00000116bK_0EM700000004xan.png b/docs/kb/general/images/ka04u00000116bK_0EM700000004xan.png new file mode 100644 index 0000000000..dc6def4645 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bK_0EM700000004xan.png differ diff --git a/docs/kb/general/images/ka04u00000116bK_0EM700000004xas.png b/docs/kb/general/images/ka04u00000116bK_0EM700000004xas.png new file mode 100644 index 0000000000..07e91ed48e Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bK_0EM700000004xas.png differ diff --git a/docs/kb/general/images/ka04u00000116bK_0EM700000004xax.png b/docs/kb/general/images/ka04u00000116bK_0EM700000004xax.png new file mode 100644 index 0000000000..7cd4f813ae Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bK_0EM700000004xax.png differ diff --git a/docs/kb/general/images/ka04u00000116bK_0EM700000004xb2.png b/docs/kb/general/images/ka04u00000116bK_0EM700000004xb2.png new file mode 100644 index 0000000000..7587b9c05b Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bK_0EM700000004xb2.png differ diff --git a/docs/kb/general/images/ka04u00000116bK_0EM700000004xb7.png b/docs/kb/general/images/ka04u00000116bK_0EM700000004xb7.png new file mode 100644 index 0000000000..a8a9e37989 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bK_0EM700000004xb7.png differ 
diff --git a/docs/kb/general/images/ka04u00000116bK_0EM700000004xbC.png b/docs/kb/general/images/ka04u00000116bK_0EM700000004xbC.png new file mode 100644 index 0000000000..61554545b4 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bK_0EM700000004xbC.png differ diff --git a/docs/kb/general/images/ka04u00000116bK_0EM700000004xbH.png b/docs/kb/general/images/ka04u00000116bK_0EM700000004xbH.png new file mode 100644 index 0000000000..e615dce105 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bK_0EM700000004xbH.png differ diff --git a/docs/kb/general/images/ka04u00000116bQ_0EM700000004yGU.png b/docs/kb/general/images/ka04u00000116bQ_0EM700000004yGU.png new file mode 100644 index 0000000000..3b7e8c24a6 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bQ_0EM700000004yGU.png differ diff --git a/docs/kb/general/images/ka04u00000116bZ_0EM700000005OBz.png b/docs/kb/general/images/ka04u00000116bZ_0EM700000005OBz.png new file mode 100644 index 0000000000..86072c195d Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bZ_0EM700000005OBz.png differ diff --git a/docs/kb/general/images/ka04u00000116bZ_0EM700000005OC4.png b/docs/kb/general/images/ka04u00000116bZ_0EM700000005OC4.png new file mode 100644 index 0000000000..6c7ebb6b1f Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bZ_0EM700000005OC4.png differ diff --git a/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLI.png b/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLI.png new file mode 100644 index 0000000000..1f626c2f24 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLI.png differ diff --git a/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLS.png b/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLS.png new file mode 100644 index 0000000000..ca7ba3d137 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLS.png differ 
diff --git a/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLX.png b/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLX.png new file mode 100644 index 0000000000..ae3072aca1 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLX.png differ diff --git a/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLw.png b/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLw.png new file mode 100644 index 0000000000..1bd9d97c41 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bf_0EM4u0000084iLw.png differ diff --git a/docs/kb/general/images/ka04u00000116bt_0EM700000004yh1.png b/docs/kb/general/images/ka04u00000116bt_0EM700000004yh1.png new file mode 100644 index 0000000000..61554545b4 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bt_0EM700000004yh1.png differ diff --git a/docs/kb/general/images/ka04u00000116bt_0EM700000004yh6.png b/docs/kb/general/images/ka04u00000116bt_0EM700000004yh6.png new file mode 100644 index 0000000000..2f836c33a5 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116bt_0EM700000004yh6.png differ diff --git a/docs/kb/general/images/ka04u00000116cK_0EM700000004xIe.png b/docs/kb/general/images/ka04u00000116cK_0EM700000004xIe.png new file mode 100644 index 0000000000..7b9fe1ded1 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cK_0EM700000004xIe.png differ diff --git a/docs/kb/general/images/ka04u00000116cL_0EM700000004yGK.png b/docs/kb/general/images/ka04u00000116cL_0EM700000004yGK.png new file mode 100644 index 0000000000..91f8ce4f92 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cL_0EM700000004yGK.png differ diff --git a/docs/kb/general/images/ka04u00000116cL_0EM700000004yGP.png b/docs/kb/general/images/ka04u00000116cL_0EM700000004yGP.png new file mode 100644 index 0000000000..e082c9259d Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cL_0EM700000004yGP.png differ 
diff --git a/docs/kb/general/images/ka04u00000116cN_0EM7000000054QL.png b/docs/kb/general/images/ka04u00000116cN_0EM7000000054QL.png new file mode 100644 index 0000000000..2eaed77b12 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cN_0EM7000000054QL.png differ diff --git a/docs/kb/general/images/ka04u00000116cN_0EM7000000054QQ.png b/docs/kb/general/images/ka04u00000116cN_0EM7000000054QQ.png new file mode 100644 index 0000000000..f8b37d7c58 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cN_0EM7000000054QQ.png differ diff --git a/docs/kb/general/images/ka04u00000116ci_0EM7000000052dI.png b/docs/kb/general/images/ka04u00000116ci_0EM7000000052dI.png new file mode 100644 index 0000000000..1aad57daf4 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116ci_0EM7000000052dI.png differ diff --git a/docs/kb/general/images/ka04u00000116ci_0EM7000000052dS.png b/docs/kb/general/images/ka04u00000116ci_0EM7000000052dS.png new file mode 100644 index 0000000000..cc8bfd3ba6 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116ci_0EM7000000052dS.png differ diff --git a/docs/kb/general/images/ka04u00000116cj_0EM700000004yH3.png b/docs/kb/general/images/ka04u00000116cj_0EM700000004yH3.png new file mode 100644 index 0000000000..c249a0b631 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cj_0EM700000004yH3.png differ diff --git a/docs/kb/general/images/ka04u00000116cj_0EM700000004yHD.png b/docs/kb/general/images/ka04u00000116cj_0EM700000004yHD.png new file mode 100644 index 0000000000..98e7076f52 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cj_0EM700000004yHD.png differ diff --git a/docs/kb/general/images/ka04u00000116cm_0EM700000005joE.png b/docs/kb/general/images/ka04u00000116cm_0EM700000005joE.png new file mode 100644 index 0000000000..84fbcf3f59 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cm_0EM700000005joE.png differ 
diff --git a/docs/kb/general/images/ka04u00000116cm_0EM700000005jox.png b/docs/kb/general/images/ka04u00000116cm_0EM700000005jox.png new file mode 100644 index 0000000000..30bc7a6201 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cm_0EM700000005jox.png differ diff --git a/docs/kb/general/images/ka04u00000116cs_0EM700000004xcF.png b/docs/kb/general/images/ka04u00000116cs_0EM700000004xcF.png new file mode 100644 index 0000000000..a47decb86d Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cs_0EM700000004xcF.png differ diff --git a/docs/kb/general/images/ka04u00000116cs_0EM700000004xcK.png b/docs/kb/general/images/ka04u00000116cs_0EM700000004xcK.png new file mode 100644 index 0000000000..abd0749336 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cs_0EM700000004xcK.png differ diff --git a/docs/kb/general/images/ka04u00000116cs_0EM700000004xcP.png b/docs/kb/general/images/ka04u00000116cs_0EM700000004xcP.png new file mode 100644 index 0000000000..1b5e48535d Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cs_0EM700000004xcP.png differ diff --git a/docs/kb/general/images/ka04u00000116cs_0EM700000004xce.png b/docs/kb/general/images/ka04u00000116cs_0EM700000004xce.png new file mode 100644 index 0000000000..8d468fcba4 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cs_0EM700000004xce.png differ diff --git a/docs/kb/general/images/ka04u00000116cs_0EM700000004xcj.png b/docs/kb/general/images/ka04u00000116cs_0EM700000004xcj.png new file mode 100644 index 0000000000..0698392c56 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cs_0EM700000004xcj.png differ diff --git a/docs/kb/general/images/ka04u00000116cs_0EM700000004xco.png b/docs/kb/general/images/ka04u00000116cs_0EM700000004xco.png new file mode 100644 index 0000000000..974f4052c2 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cs_0EM700000004xco.png differ 
diff --git a/docs/kb/general/images/ka04u00000116cw_0EM700000005OPh.png b/docs/kb/general/images/ka04u00000116cw_0EM700000005OPh.png new file mode 100644 index 0000000000..267c1b6f3c Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cw_0EM700000005OPh.png differ diff --git a/docs/kb/general/images/ka04u00000116cw_0EM700000005OPm.png b/docs/kb/general/images/ka04u00000116cw_0EM700000005OPm.png new file mode 100644 index 0000000000..6297414bbf Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cw_0EM700000005OPm.png differ diff --git a/docs/kb/general/images/ka04u00000116cw_0EM700000005OPr.png b/docs/kb/general/images/ka04u00000116cw_0EM700000005OPr.png new file mode 100644 index 0000000000..20a67b76af Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cw_0EM700000005OPr.png differ diff --git a/docs/kb/general/images/ka04u00000116cw_0EM700000005OQL.png b/docs/kb/general/images/ka04u00000116cw_0EM700000005OQL.png new file mode 100644 index 0000000000..350c8c80a2 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cw_0EM700000005OQL.png differ diff --git a/docs/kb/general/images/ka04u00000116cw_0EM700000005Wbv.png b/docs/kb/general/images/ka04u00000116cw_0EM700000005Wbv.png new file mode 100644 index 0000000000..b1f0628ef7 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cw_0EM700000005Wbv.png differ diff --git a/docs/kb/general/images/ka04u00000116cw_0EM700000005Wc0.png b/docs/kb/general/images/ka04u00000116cw_0EM700000005Wc0.png new file mode 100644 index 0000000000..f2322773c2 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116cw_0EM700000005Wc0.png differ diff --git a/docs/kb/general/images/ka04u00000116d1_0EM700000004xbv.png b/docs/kb/general/images/ka04u00000116d1_0EM700000004xbv.png new file mode 100644 index 0000000000..48a7505beb Binary files /dev/null and b/docs/kb/general/images/ka04u00000116d1_0EM700000004xbv.png differ 
diff --git a/docs/kb/general/images/ka04u00000116d1_0EM700000004xc5.png b/docs/kb/general/images/ka04u00000116d1_0EM700000004xc5.png new file mode 100644 index 0000000000..974f4052c2 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116d1_0EM700000004xc5.png differ diff --git a/docs/kb/general/images/ka04u00000116d1_0EM700000004xcF.png b/docs/kb/general/images/ka04u00000116d1_0EM700000004xcF.png new file mode 100644 index 0000000000..a47decb86d Binary files /dev/null and b/docs/kb/general/images/ka04u00000116d1_0EM700000004xcF.png differ diff --git a/docs/kb/general/images/ka04u00000116d1_0EM700000004xcK.png b/docs/kb/general/images/ka04u00000116d1_0EM700000004xcK.png new file mode 100644 index 0000000000..abd0749336 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116d1_0EM700000004xcK.png differ diff --git a/docs/kb/general/images/ka04u00000116d1_0EM700000004xcP.png b/docs/kb/general/images/ka04u00000116d1_0EM700000004xcP.png new file mode 100644 index 0000000000..1b5e48535d Binary files /dev/null and b/docs/kb/general/images/ka04u00000116d1_0EM700000004xcP.png differ diff --git a/docs/kb/general/images/ka04u00000116d7_0EM700000004yHw.png b/docs/kb/general/images/ka04u00000116d7_0EM700000004yHw.png new file mode 100644 index 0000000000..72707cdc2a Binary files /dev/null and b/docs/kb/general/images/ka04u00000116d7_0EM700000004yHw.png differ diff --git a/docs/kb/general/images/ka04u00000116d7_0EM700000004yI6.png b/docs/kb/general/images/ka04u00000116d7_0EM700000004yI6.png new file mode 100644 index 0000000000..15b040a95d Binary files /dev/null and b/docs/kb/general/images/ka04u00000116d7_0EM700000004yI6.png differ diff --git a/docs/kb/general/images/ka04u00000116dB_0EM700000004vJL.png b/docs/kb/general/images/ka04u00000116dB_0EM700000004vJL.png new file mode 100644 index 0000000000..8aa75e69e3 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116dB_0EM700000004vJL.png differ 
diff --git a/docs/kb/general/images/ka04u00000116dB_0EM700000004vJQ.png b/docs/kb/general/images/ka04u00000116dB_0EM700000004vJQ.png new file mode 100644 index 0000000000..17c58a66c3 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116dB_0EM700000004vJQ.png differ diff --git a/docs/kb/general/images/ka04u00000116dB_0EM700000004vJV.png b/docs/kb/general/images/ka04u00000116dB_0EM700000004vJV.png new file mode 100644 index 0000000000..1eba11d5c9 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116dB_0EM700000004vJV.png differ diff --git a/docs/kb/general/images/ka04u00000116dB_0EM700000004vJa.png b/docs/kb/general/images/ka04u00000116dB_0EM700000004vJa.png new file mode 100644 index 0000000000..c90d337f6d Binary files /dev/null and b/docs/kb/general/images/ka04u00000116dB_0EM700000004vJa.png differ diff --git a/docs/kb/general/images/ka04u00000116eJ_0EM700000005OPS.png b/docs/kb/general/images/ka04u00000116eJ_0EM700000005OPS.png new file mode 100644 index 0000000000..6297414bbf Binary files /dev/null and b/docs/kb/general/images/ka04u00000116eJ_0EM700000005OPS.png differ diff --git a/docs/kb/general/images/ka04u00000116eJ_0EM700000005OPX.png b/docs/kb/general/images/ka04u00000116eJ_0EM700000005OPX.png new file mode 100644 index 0000000000..267c1b6f3c Binary files /dev/null and b/docs/kb/general/images/ka04u00000116eJ_0EM700000005OPX.png differ diff --git a/docs/kb/general/images/ka04u00000116eJ_0EM700000005OPc.png b/docs/kb/general/images/ka04u00000116eJ_0EM700000005OPc.png new file mode 100644 index 0000000000..d19f4b61b4 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116eJ_0EM700000005OPc.png differ diff --git a/docs/kb/general/images/ka04u00000116eV_0EM700000004y52.png b/docs/kb/general/images/ka04u00000116eV_0EM700000004y52.png new file mode 100644 index 0000000000..926cebe8a1 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116eV_0EM700000004y52.png differ 
diff --git a/docs/kb/general/images/ka04u00000116eV_0EM700000004y5C.png b/docs/kb/general/images/ka04u00000116eV_0EM700000004y5C.png new file mode 100644 index 0000000000..b3653791d8 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116eV_0EM700000004y5C.png differ diff --git a/docs/kb/general/images/ka04u00000116eV_0EM700000004y5M.png b/docs/kb/general/images/ka04u00000116eV_0EM700000004y5M.png new file mode 100644 index 0000000000..9bd2c3c9be Binary files /dev/null and b/docs/kb/general/images/ka04u00000116eV_0EM700000004y5M.png differ diff --git a/docs/kb/general/images/ka04u00000116ee_0EM700000005OPh.png b/docs/kb/general/images/ka04u00000116ee_0EM700000005OPh.png new file mode 100644 index 0000000000..267c1b6f3c Binary files /dev/null and b/docs/kb/general/images/ka04u00000116ee_0EM700000005OPh.png differ diff --git a/docs/kb/general/images/ka04u00000116ee_0EM700000005OPw.png b/docs/kb/general/images/ka04u00000116ee_0EM700000005OPw.png new file mode 100644 index 0000000000..b1f0628ef7 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116ee_0EM700000005OPw.png differ diff --git a/docs/kb/general/images/ka04u00000116ee_0EM700000005OQ6.png b/docs/kb/general/images/ka04u00000116ee_0EM700000005OQ6.png new file mode 100644 index 0000000000..5903cd141c Binary files /dev/null and b/docs/kb/general/images/ka04u00000116ee_0EM700000005OQ6.png differ diff --git a/docs/kb/general/images/ka04u00000116ee_0EM700000005OQB.png b/docs/kb/general/images/ka04u00000116ee_0EM700000005OQB.png new file mode 100644 index 0000000000..fbe422c7de Binary files /dev/null and b/docs/kb/general/images/ka04u00000116ee_0EM700000005OQB.png differ diff --git a/docs/kb/general/images/ka04u00000116ee_0EM700000005OQG.png b/docs/kb/general/images/ka04u00000116ee_0EM700000005OQG.png new file mode 100644 index 0000000000..572872bf08 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116ee_0EM700000005OQG.png differ 
diff --git a/docs/kb/general/images/ka04u00000116es_0EM700000004xUQ.png b/docs/kb/general/images/ka04u00000116es_0EM700000004xUQ.png new file mode 100644 index 0000000000..6bb225ab63 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116es_0EM700000004xUQ.png differ diff --git a/docs/kb/general/images/ka04u00000116ex_0EM700000004xLJ.png b/docs/kb/general/images/ka04u00000116ex_0EM700000004xLJ.png new file mode 100644 index 0000000000..c230eae7c0 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116ex_0EM700000004xLJ.png differ diff --git a/docs/kb/general/images/ka04u00000116ex_0EM700000005jDw.png b/docs/kb/general/images/ka04u00000116ex_0EM700000005jDw.png new file mode 100644 index 0000000000..95cdd98761 Binary files /dev/null and b/docs/kb/general/images/ka04u00000116ex_0EM700000005jDw.png differ diff --git a/docs/kb/general/images/ka04u00000117xM_0EM4u000002CKXg.png b/docs/kb/general/images/ka04u00000117xM_0EM4u000002CKXg.png new file mode 100644 index 0000000000..7f6f215f41 Binary files /dev/null and b/docs/kb/general/images/ka04u00000117xM_0EM4u000002CKXg.png differ diff --git a/docs/kb/general/images/ka04u00000117xM_0EM4u000007qlPA.png b/docs/kb/general/images/ka04u00000117xM_0EM4u000007qlPA.png new file mode 100644 index 0000000000..2d29d94817 Binary files /dev/null and b/docs/kb/general/images/ka04u00000117xM_0EM4u000007qlPA.png differ diff --git a/docs/kb/general/images/ka0Qk0000000zmf_0EM4u000008L7rd.png b/docs/kb/general/images/ka0Qk0000000zmf_0EM4u000008L7rd.png new file mode 100644 index 0000000000..34e6f0385c Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000000zmf_0EM4u000008L7rd.png differ diff --git a/docs/kb/general/images/ka0Qk0000000zmf_0EM4u000008L7s7.png b/docs/kb/general/images/ka0Qk0000000zmf_0EM4u000008L7s7.png new file mode 100644 index 0000000000..2ccb181dc6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000000zmf_0EM4u000008L7s7.png differ 
diff --git a/docs/kb/general/images/ka0Qk00000010xF_0EM4u000008M2t9.png b/docs/kb/general/images/ka0Qk00000010xF_0EM4u000008M2t9.png new file mode 100644 index 0000000000..b21c5810c5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk00000010xF_0EM4u000008M2t9.png differ diff --git a/docs/kb/general/images/ka0Qk0000001E8z_0EM4u000008M2t9.png b/docs/kb/general/images/ka0Qk0000001E8z_0EM4u000008M2t9.png new file mode 100644 index 0000000000..b21c5810c5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000001E8z_0EM4u000008M2t9.png differ diff --git a/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVg.png b/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVg.png new file mode 100644 index 0000000000..04f479efa9 Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVg.png differ diff --git a/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVq.png b/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVq.png new file mode 100644 index 0000000000..74e997e35a Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVq.png differ diff --git a/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVr.png b/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVr.png new file mode 100644 index 0000000000..985c909daf Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVr.png differ diff --git a/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVv.png b/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVv.png new file mode 100644 index 0000000000..2dec225990 Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000001LQb_0EM4u000004dDVv.png differ diff --git a/docs/kb/general/images/ka0Qk0000001LaH_0EM4u000008M5Wm.png b/docs/kb/general/images/ka0Qk0000001LaH_0EM4u000008M5Wm.png new file mode 100644 index 0000000000..2b91f31bdb Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000001LaH_0EM4u000008M5Wm.png differ 
diff --git a/docs/kb/general/images/ka0Qk0000002ekX_0EM4u0000084eUX.png b/docs/kb/general/images/ka0Qk0000002ekX_0EM4u0000084eUX.png new file mode 100644 index 0000000000..64ce77631d Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000002ekX_0EM4u0000084eUX.png differ diff --git a/docs/kb/general/images/ka0Qk0000002ldx_0EM4u000004biML.png b/docs/kb/general/images/ka0Qk0000002ldx_0EM4u000004biML.png new file mode 100644 index 0000000000..24ce5ec371 Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000002ldx_0EM4u000004biML.png differ diff --git a/docs/kb/general/images/ka0Qk0000002xX3_0EMQk000002m1YX.png b/docs/kb/general/images/ka0Qk0000002xX3_0EMQk000002m1YX.png new file mode 100644 index 0000000000..2b4bafe531 Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000002xX3_0EMQk000002m1YX.png differ diff --git a/docs/kb/general/images/ka0Qk0000002xX3_0EMQk000002m1a9.png b/docs/kb/general/images/ka0Qk0000002xX3_0EMQk000002m1a9.png new file mode 100644 index 0000000000..f57a767beb Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000002xX3_0EMQk000002m1a9.png differ diff --git a/docs/kb/general/images/ka0Qk00000053wX_0EM4u000008LzrT.png b/docs/kb/general/images/ka0Qk00000053wX_0EM4u000008LzrT.png new file mode 100644 index 0000000000..7c0dd9a3ba Binary files /dev/null and b/docs/kb/general/images/ka0Qk00000053wX_0EM4u000008LzrT.png differ diff --git a/docs/kb/general/images/ka0Qk0000006ihW_0EMQk00000E9IC9.png b/docs/kb/general/images/ka0Qk0000006ihW_0EMQk00000E9IC9.png new file mode 100644 index 0000000000..6513c97890 Binary files /dev/null and b/docs/kb/general/images/ka0Qk0000006ihW_0EMQk00000E9IC9.png differ diff --git a/docs/kb/general/images/ka0Qk00000077b3_0EMQk000008M3Qr.png b/docs/kb/general/images/ka0Qk00000077b3_0EMQk000008M3Qr.png new file mode 100644 index 0000000000..77c7d4d664 Binary files /dev/null and b/docs/kb/general/images/ka0Qk00000077b3_0EMQk000008M3Qr.png differ 
diff --git a/docs/kb/general/images/ka0Qk00000077b3_0EMQk000008M3U5.png b/docs/kb/general/images/ka0Qk00000077b3_0EMQk000008M3U5.png new file mode 100644 index 0000000000..a326577629 Binary files /dev/null and b/docs/kb/general/images/ka0Qk00000077b3_0EMQk000008M3U5.png differ diff --git a/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lrve.png b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lrve.png new file mode 100644 index 0000000000..93c97438bc Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lrve.png differ diff --git a/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005ls6y.png b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005ls6y.png new file mode 100644 index 0000000000..d29e5a9ef0 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005ls6y.png differ diff --git a/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lsoU.png b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lsoU.png new file mode 100644 index 0000000000..64e2fb5fdd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lsoU.png differ diff --git a/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lwId.png b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lwId.png new file mode 100644 index 0000000000..834381c202 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lwId.png differ diff --git a/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lxoA.png b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lxoA.png new file mode 100644 index 0000000000..0c72788941 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lxoA.png differ diff --git a/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lzGU.png b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lzGU.png new file mode 100644 index 0000000000..fb56aa3503 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005lzGU.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m13n.png b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m13n.png new file mode 100644 index 0000000000..549eceda3d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m13n.png differ diff --git a/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m3Ov.png b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m3Ov.png new file mode 100644 index 0000000000..b14fb53585 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m3Ov.png differ diff --git a/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m3VN.png b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m3VN.png new file mode 100644 index 0000000000..93112b3319 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m3VN.png differ diff --git a/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m3gf.png b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m3gf.png new file mode 100644 index 0000000000..2b4cc89290 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000B4l3_0EMQk000005m3gf.png differ diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009ApiQ.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009ApiQ.png new file mode 100644 index 0000000000..064757c52a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009ApiQ.png differ diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AqjL.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AqjL.png new file mode 100644 index 0000000000..976db0382a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AqjL.png differ diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AsTP.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AsTP.png new file mode 100644 index 0000000000..751d5c2f7e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AsTP.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AsTQ.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AsTQ.png new file mode 100644 index 0000000000..d2d1b59199 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AsTQ.png differ diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AvCk.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AvCk.png new file mode 100644 index 0000000000..0f857e4852 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AvCk.png differ diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AvKp.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AvKp.png new file mode 100644 index 0000000000..70cc7ad309 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AvKp.png differ diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AwFI.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AwFI.png new file mode 100644 index 0000000000..0c36359e6b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AwFI.png differ diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AxL1.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AxL1.png new file mode 100644 index 0000000000..0760b97523 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009AxL1.png differ diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009Ayow.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009Ayow.png new file mode 100644 index 0000000000..a1cb481e0c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009Ayow.png differ diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009B2Kf.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009B2Kf.png new file mode 100644 index 0000000000..450d6c3450 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009B2Kf.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009B2MH.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009B2MH.png new file mode 100644 index 0000000000..f88f52060a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009B2MH.png differ diff --git a/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009B2Nt.png b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009B2Nt.png new file mode 100644 index 0000000000..6500c9f782 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000BQ0n_0EMQk000009B2Nt.png differ diff --git a/docs/kb/general/images/ka0Qk000000Be8b_0EMQk00000AQtvx.png b/docs/kb/general/images/ka0Qk000000Be8b_0EMQk00000AQtvx.png new file mode 100644 index 0000000000..ab792e1358 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Be8b_0EMQk00000AQtvx.png differ diff --git a/docs/kb/general/images/ka0Qk000000Bq05_0EMQk00000A5Yg2.png b/docs/kb/general/images/ka0Qk000000Bq05_0EMQk00000A5Yg2.png new file mode 100644 index 0000000000..465e6b7685 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Bq05_0EMQk00000A5Yg2.png differ diff --git a/docs/kb/general/images/ka0Qk000000Cr3l_0EMQk00000AdKCR.png b/docs/kb/general/images/ka0Qk000000Cr3l_0EMQk00000AdKCR.png new file mode 100644 index 0000000000..415c79fe2d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Cr3l_0EMQk00000AdKCR.png differ diff --git a/docs/kb/general/images/ka0Qk000000Cr3l_0EMQk00000AdaQr.png b/docs/kb/general/images/ka0Qk000000Cr3l_0EMQk00000AdaQr.png new file mode 100644 index 0000000000..1823d46c38 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Cr3l_0EMQk00000AdaQr.png differ diff --git a/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMIhX.png b/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMIhX.png new file mode 100644 index 0000000000..0817157cca Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMIhX.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMJLp.png b/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMJLp.png new file mode 100644 index 0000000000..cda29655bb Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMJLp.png differ diff --git a/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMOgT.png b/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMOgT.png new file mode 100644 index 0000000000..c0ff37a85a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMOgT.png differ diff --git a/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMlOY.png b/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMlOY.png new file mode 100644 index 0000000000..eb5dab58f8 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMlOY.png differ diff --git a/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMoHZ.png b/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMoHZ.png new file mode 100644 index 0000000000..c4ab1b8814 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Cs7t_0EMQk00000BMoHZ.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ctn7_0EM4u000008LiI7.png b/docs/kb/general/images/ka0Qk000000Ctn7_0EM4u000008LiI7.png new file mode 100644 index 0000000000..8a8d6bcf15 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ctn7_0EM4u000008LiI7.png differ diff --git a/docs/kb/general/images/ka0Qk000000DG8b_0EMQk00000BprDf.png b/docs/kb/general/images/ka0Qk000000DG8b_0EMQk00000BprDf.png new file mode 100644 index 0000000000..a14d409526 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DG8b_0EMQk00000BprDf.png differ diff --git a/docs/kb/general/images/ka0Qk000000DKlh_0EMQk00000C5cIh.png b/docs/kb/general/images/ka0Qk000000DKlh_0EMQk00000C5cIh.png new file mode 100644 index 0000000000..815ed0bc10 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DKlh_0EMQk00000C5cIh.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000DMp7_0EMQk00000Bq4h7.png b/docs/kb/general/images/ka0Qk000000DMp7_0EMQk00000Bq4h7.png new file mode 100644 index 0000000000..a14d409526 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DMp7_0EMQk00000Bq4h7.png differ diff --git a/docs/kb/general/images/ka0Qk000000DMqk_0EMQk00000Bs0kh.png b/docs/kb/general/images/ka0Qk000000DMqk_0EMQk00000Bs0kh.png new file mode 100644 index 0000000000..a14d409526 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DMqk_0EMQk00000Bs0kh.png differ diff --git a/docs/kb/general/images/ka0Qk000000DNd7_0EMQk00000BsCU5.png b/docs/kb/general/images/ka0Qk000000DNd7_0EMQk00000BsCU5.png new file mode 100644 index 0000000000..a14d409526 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DNd7_0EMQk00000BsCU5.png differ diff --git a/docs/kb/general/images/ka0Qk000000DOPV_0EM4u000007cf5s.png b/docs/kb/general/images/ka0Qk000000DOPV_0EM4u000007cf5s.png new file mode 100644 index 0000000000..e4e318c4d7 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DOPV_0EM4u000007cf5s.png differ diff --git a/docs/kb/general/images/ka0Qk000000DOPV_0EM4u000007cf5t.png b/docs/kb/general/images/ka0Qk000000DOPV_0EM4u000007cf5t.png new file mode 100644 index 0000000000..f75c90e48a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DOPV_0EM4u000007cf5t.png differ diff --git a/docs/kb/general/images/ka0Qk000000DZWD_0EM4u000007cexF.png b/docs/kb/general/images/ka0Qk000000DZWD_0EM4u000007cexF.png new file mode 100644 index 0000000000..72e3092383 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DZWD_0EM4u000007cexF.png differ diff --git a/docs/kb/general/images/ka0Qk000000Deaj_0EMQk00000CUzaD.png b/docs/kb/general/images/ka0Qk000000Deaj_0EMQk00000CUzaD.png new file mode 100644 index 0000000000..ebf0cb1496 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Deaj_0EMQk00000CUzaD.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000DefZ_0EMQk00000CV1FR.png b/docs/kb/general/images/ka0Qk000000DefZ_0EMQk00000CV1FR.png new file mode 100644 index 0000000000..7325a293c0 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DefZ_0EMQk00000CV1FR.png differ diff --git a/docs/kb/general/images/ka0Qk000000Dg33_0EMQk000001gaRV.png b/docs/kb/general/images/ka0Qk000000Dg33_0EMQk000001gaRV.png new file mode 100644 index 0000000000..a37dba8211 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Dg33_0EMQk000001gaRV.png differ diff --git a/docs/kb/general/images/ka0Qk000000Dg33_0EMQk000001gaT7.png b/docs/kb/general/images/ka0Qk000000Dg33_0EMQk000001gaT7.png new file mode 100644 index 0000000000..ab18271dbd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Dg33_0EMQk000001gaT7.png differ diff --git a/docs/kb/general/images/ka0Qk000000Dg33_0EMQk000001gaUj.png b/docs/kb/general/images/ka0Qk000000Dg33_0EMQk000001gaUj.png new file mode 100644 index 0000000000..acaabd9601 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Dg33_0EMQk000001gaUj.png differ diff --git a/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccr9.png b/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccr9.png new file mode 100644 index 0000000000..816964d903 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccr9.png differ diff --git a/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrA.png b/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrA.png new file mode 100644 index 0000000000..816964d903 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrA.png differ diff --git a/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrB.png b/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrB.png new file mode 100644 index 0000000000..e41a0b5ced Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrB.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrC.png b/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrC.png new file mode 100644 index 0000000000..f60ee5d6db Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrC.png differ diff --git a/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrD.png b/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrD.png new file mode 100644 index 0000000000..0ab8e6100d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Dlab_0EM4u000007ccrD.png differ diff --git a/docs/kb/general/images/ka0Qk000000DsPB_0EMQk000009d2RO.png b/docs/kb/general/images/ka0Qk000000DsPB_0EMQk000009d2RO.png new file mode 100644 index 0000000000..f3441e114d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DsPB_0EMQk000009d2RO.png differ diff --git a/docs/kb/general/images/ka0Qk000000DsPB_0EMQk00000AGwf1.png b/docs/kb/general/images/ka0Qk000000DsPB_0EMQk00000AGwf1.png new file mode 100644 index 0000000000..b65b008cd4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000DsPB_0EMQk00000AGwf1.png differ diff --git a/docs/kb/general/images/ka0Qk000000E59V_0EM700000004xgW.png b/docs/kb/general/images/ka0Qk000000E59V_0EM700000004xgW.png new file mode 100644 index 0000000000..cadf846540 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E59V_0EM700000004xgW.png differ diff --git a/docs/kb/general/images/ka0Qk000000E59V_0EM700000004xgl.png b/docs/kb/general/images/ka0Qk000000E59V_0EM700000004xgl.png new file mode 100644 index 0000000000..39038f7601 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E59V_0EM700000004xgl.png differ diff --git a/docs/kb/general/images/ka0Qk000000E5pR_0EMQk00000C50Zx.png b/docs/kb/general/images/ka0Qk000000E5pR_0EMQk00000C50Zx.png new file mode 100644 index 0000000000..fa29117bd7 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E5pR_0EMQk00000C50Zx.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000E7BJ_0EMQk00000C8DVp.png b/docs/kb/general/images/ka0Qk000000E7BJ_0EMQk00000C8DVp.png new file mode 100644 index 0000000000..ba0aa7110a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E7BJ_0EMQk00000C8DVp.png differ diff --git a/docs/kb/general/images/ka0Qk000000E7G9_0EMQk000008ueUQ.png b/docs/kb/general/images/ka0Qk000000E7G9_0EMQk000008ueUQ.png new file mode 100644 index 0000000000..5feea4c71f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E7G9_0EMQk000008ueUQ.png differ diff --git a/docs/kb/general/images/ka0Qk000000E7Hl_0EMQk00000BprDf.png b/docs/kb/general/images/ka0Qk000000E7Hl_0EMQk00000BprDf.png new file mode 100644 index 0000000000..a14d409526 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E7Hl_0EMQk00000BprDf.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9Rd_0EMQk000008pRuP.png b/docs/kb/general/images/ka0Qk000000E9Rd_0EMQk000008pRuP.png new file mode 100644 index 0000000000..67a4ade3ca Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9Rd_0EMQk000008pRuP.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUk0.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUk0.png new file mode 100644 index 0000000000..b3ddc65b45 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUk0.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmF.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmF.png new file mode 100644 index 0000000000..4ceb4abf5b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmF.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmG.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmG.png new file mode 100644 index 0000000000..ca4f18dec2 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmG.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmK.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmK.png new file mode 100644 index 0000000000..e650b91b03 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmK.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmU.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmU.png new file mode 100644 index 0000000000..24aea70253 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmU.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmZ.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmZ.png new file mode 100644 index 0000000000..1149f9c85f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmZ.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUme.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUme.png new file mode 100644 index 0000000000..1d293ab073 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUme.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmj.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmj.png new file mode 100644 index 0000000000..12ffde6a4d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmj.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmo.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmo.png new file mode 100644 index 0000000000..55b566df5d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmo.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmt.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmt.png new file mode 100644 index 0000000000..cf9c2f4ed7 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmt.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmy.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmy.png new file mode 100644 index 0000000000..48554b7058 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUmy.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUn3.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUn3.png new file mode 100644 index 0000000000..6314042be6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUn3.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUn8.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUn8.png new file mode 100644 index 0000000000..caaf7e1825 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUn8.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnD.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnD.png new file mode 100644 index 0000000000..4eb35caaf1 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnD.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnI.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnI.png new file mode 100644 index 0000000000..5e629f43cb Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnI.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnN.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnN.png new file mode 100644 index 0000000000..35f212ee7b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnN.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnO.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnO.png new file mode 100644 index 0000000000..49e833d91b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnO.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnS.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnS.png new file mode 100644 index 0000000000..b94070c01e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnS.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnX.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnX.png new file mode 100644 index 0000000000..9f08679437 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnX.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnh.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnh.png new file mode 100644 index 0000000000..4367d07754 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnh.png differ diff --git a/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnr.png b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnr.png new file mode 100644 index 0000000000..ec4c1c0a75 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000E9zV_0EM4u000004bUnr.png differ diff --git a/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLClf.png b/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLClf.png new file mode 100644 index 0000000000..c772b66fc5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLClf.png differ diff --git a/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLFoN.png b/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLFoN.png new file mode 100644 index 0000000000..6ae6d4943a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLFoN.png differ diff --git a/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLJX0.png b/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLJX0.png new file mode 100644 index 0000000000..bf98c37dc3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLJX0.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLJtZ.png b/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLJtZ.png new file mode 100644 index 0000000000..3c97c2e880 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EFs1_0EMQk00000CLJtZ.png differ diff --git a/docs/kb/general/images/ka0Qk000000EHPB_0EM4u000008LA1V.png b/docs/kb/general/images/ka0Qk000000EHPB_0EM4u000008LA1V.png new file mode 100644 index 0000000000..4b1769c82e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EHPB_0EM4u000008LA1V.png differ diff --git a/docs/kb/general/images/ka0Qk000000EWxh_0EMQk00000D9prq.png b/docs/kb/general/images/ka0Qk000000EWxh_0EMQk00000D9prq.png new file mode 100644 index 0000000000..bb1dc02db5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EWxh_0EMQk00000D9prq.png differ diff --git a/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084oo1.png b/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084oo1.png new file mode 100644 index 0000000000..10f40a9da5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084oo1.png differ diff --git a/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084oo6.png b/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084oo6.png new file mode 100644 index 0000000000..4aefc2b9b7 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084oo6.png differ diff --git a/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084ooB.png b/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084ooB.png new file mode 100644 index 0000000000..78fdc8e867 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084ooB.png differ diff --git a/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084ooG.png b/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084ooG.png new file mode 100644 index 0000000000..272c9e5119 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EhgD_0EM4u0000084ooG.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Eo8D_0EMQk00000CAbyi.png b/docs/kb/general/images/ka0Qk000000Eo8D_0EMQk00000CAbyi.png new file mode 100644 index 0000000000..7b172d58c0 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Eo8D_0EMQk00000CAbyi.png differ diff --git a/docs/kb/general/images/ka0Qk000000Eosz_0EMQk00000BmSyC.png b/docs/kb/general/images/ka0Qk000000Eosz_0EMQk00000BmSyC.png new file mode 100644 index 0000000000..c1eb37f169 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Eosz_0EMQk00000BmSyC.png differ diff --git a/docs/kb/general/images/ka0Qk000000Et4f_0EMQk00000BlzZb.png b/docs/kb/general/images/ka0Qk000000Et4f_0EMQk00000BlzZb.png new file mode 100644 index 0000000000..e68a52bd1d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Et4f_0EMQk00000BlzZb.png differ diff --git a/docs/kb/general/images/ka0Qk000000EuIT_0EMQk00000BhAaT.png b/docs/kb/general/images/ka0Qk000000EuIT_0EMQk00000BhAaT.png new file mode 100644 index 0000000000..687c7be480 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EuIT_0EMQk00000BhAaT.png differ diff --git a/docs/kb/general/images/ka0Qk000000EwIf_0EMQk00000CM1t1.png b/docs/kb/general/images/ka0Qk000000EwIf_0EMQk00000CM1t1.png new file mode 100644 index 0000000000..2db6348a3a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EwIf_0EMQk00000CM1t1.png differ diff --git a/docs/kb/general/images/ka0Qk000000EwIf_0EMQk00000CM8RR.png b/docs/kb/general/images/ka0Qk000000EwIf_0EMQk00000CM8RR.png new file mode 100644 index 0000000000..250f16e7e6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000EwIf_0EMQk00000CM8RR.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ez21_0EMQk00000BYywH.png b/docs/kb/general/images/ka0Qk000000Ez21_0EMQk00000BYywH.png new file mode 100644 index 0000000000..300ccbd78b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ez21_0EMQk00000BYywH.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000F0hF_0EMQk00000CIy8V.png b/docs/kb/general/images/ka0Qk000000F0hF_0EMQk00000CIy8V.png new file mode 100644 index 0000000000..a3ba4b7ca3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0hF_0EMQk00000CIy8V.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0hF_0EMQk00000CJ38A.png b/docs/kb/general/images/ka0Qk000000F0hF_0EMQk00000CJ38A.png new file mode 100644 index 0000000000..bdc2979cc4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0hF_0EMQk00000CJ38A.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0hF_0EMQk00000CJ7YL.png b/docs/kb/general/images/ka0Qk000000F0hF_0EMQk00000CJ7YL.png new file mode 100644 index 0000000000..bbaa27a646 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0hF_0EMQk00000CJ7YL.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CCtme.png b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CCtme.png new file mode 100644 index 0000000000..9f98689200 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CCtme.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CCxTh.png b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CCxTh.png new file mode 100644 index 0000000000..ac39f4e815 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CCxTh.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD1KO.png b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD1KO.png new file mode 100644 index 0000000000..5d0ae71adb Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD1KO.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD1p0.png b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD1p0.png new file mode 100644 index 0000000000..5c411d53e9 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD1p0.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD4LU.png b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD4LU.png new file mode 100644 index 0000000000..49a8a18072 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD4LU.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD5So.png b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD5So.png new file mode 100644 index 0000000000..767440e438 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD5So.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD80t.png b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD80t.png new file mode 100644 index 0000000000..d714075180 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD80t.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD8NR.png b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD8NR.png new file mode 100644 index 0000000000..f40f20afc3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0kT_0EMQk00000CD8NR.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0pJ_0EMQk00000BhlyD.png b/docs/kb/general/images/ka0Qk000000F0pJ_0EMQk00000BhlyD.png new file mode 100644 index 0000000000..7c4687e28b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0pJ_0EMQk00000BhlyD.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0pJ_0EMQk00000BhmEL.png b/docs/kb/general/images/ka0Qk000000F0pJ_0EMQk00000BhmEL.png new file mode 100644 index 0000000000..baa25045b3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0pJ_0EMQk00000BhmEL.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0xN_0EMQk00000BuWLS.png b/docs/kb/general/images/ka0Qk000000F0xN_0EMQk00000BuWLS.png new file mode 100644 index 0000000000..a39738e713 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0xN_0EMQk00000BuWLS.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000F0xN_0EMQk00000BuWoT.png b/docs/kb/general/images/ka0Qk000000F0xN_0EMQk00000BuWoT.png new file mode 100644 index 0000000000..4c26cd339c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0xN_0EMQk00000BuWoT.png differ diff --git a/docs/kb/general/images/ka0Qk000000F0xN_0EMQk00000BuWuv.png b/docs/kb/general/images/ka0Qk000000F0xN_0EMQk00000BuWuv.png new file mode 100644 index 0000000000..8d220596e6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F0xN_0EMQk00000BuWuv.png differ diff --git a/docs/kb/general/images/ka0Qk000000F1VF_0EMQk000009tXe6.png b/docs/kb/general/images/ka0Qk000000F1VF_0EMQk000009tXe6.png new file mode 100644 index 0000000000..f0a6eae31e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F1VF_0EMQk000009tXe6.png differ diff --git a/docs/kb/general/images/ka0Qk000000F1VF_0EMQk000009taX7.png b/docs/kb/general/images/ka0Qk000000F1VF_0EMQk000009taX7.png new file mode 100644 index 0000000000..d0bb022db1 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F1VF_0EMQk000009taX7.png differ diff --git a/docs/kb/general/images/ka0Qk000000F1VF_0EMQk00000AqHwf.png b/docs/kb/general/images/ka0Qk000000F1VF_0EMQk00000AqHwf.png new file mode 100644 index 0000000000..9e7b1c32c1 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F1VF_0EMQk00000AqHwf.png differ diff --git a/docs/kb/general/images/ka0Qk000000F2nt_0EMQk000001mFc5.png b/docs/kb/general/images/ka0Qk000000F2nt_0EMQk000001mFc5.png new file mode 100644 index 0000000000..ce220dc21c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F2nt_0EMQk000001mFc5.png differ diff --git a/docs/kb/general/images/ka0Qk000000F2nt_0EMQk00000DifhX.png b/docs/kb/general/images/ka0Qk000000F2nt_0EMQk00000DifhX.png new file mode 100644 index 0000000000..8bf7c986dd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F2nt_0EMQk00000DifhX.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000F4JR_0EMQk00000BA4X4.png b/docs/kb/general/images/ka0Qk000000F4JR_0EMQk00000BA4X4.png new file mode 100644 index 0000000000..48d7d02f63 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F4JR_0EMQk00000BA4X4.png differ diff --git a/docs/kb/general/images/ka0Qk000000F4JR_0EMQk00000BABS5.png b/docs/kb/general/images/ka0Qk000000F4JR_0EMQk00000BABS5.png new file mode 100644 index 0000000000..a612684caf Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F4JR_0EMQk00000BABS5.png differ diff --git a/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzRON.png b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzRON.png new file mode 100644 index 0000000000..805c4ed1be Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzRON.png differ diff --git a/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzToN.png b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzToN.png new file mode 100644 index 0000000000..47f9d19cee Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzToN.png differ diff --git a/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzUfa.png b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzUfa.png new file mode 100644 index 0000000000..f61147ec70 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzUfa.png differ diff --git a/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzVYQ.png b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzVYQ.png new file mode 100644 index 0000000000..a20b991e78 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzVYQ.png differ diff --git a/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzWUU.png b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzWUU.png new file mode 100644 index 0000000000..87eb38bcb4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzWUU.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzWiz.png b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzWiz.png new file mode 100644 index 0000000000..ad4da13e70 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000F4L3_0EMQk00000BzWiz.png differ diff --git a/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tH7k.png b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tH7k.png new file mode 100644 index 0000000000..c06f802615 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tH7k.png differ diff --git a/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tL01.png b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tL01.png new file mode 100644 index 0000000000..977660c6c8 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tL01.png differ diff --git a/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tLo2.png b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tLo2.png new file mode 100644 index 0000000000..091f74c116 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tLo2.png differ diff --git a/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tMXD.png b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tMXD.png new file mode 100644 index 0000000000..f5ee0d4931 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tMXD.png differ diff --git a/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tOSX.png b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tOSX.png new file mode 100644 index 0000000000..ac41e5effd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tOSX.png differ diff --git a/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tPOb.png b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tPOb.png new file mode 100644 index 0000000000..39e7b9c4c3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tPOb.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tlXC.png b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tlXC.png new file mode 100644 index 0000000000..310c72d934 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FAGn_0EMQk000001tlXC.png differ diff --git a/docs/kb/general/images/ka0Qk000000FAgb_0EMQk00000DgBFh.png b/docs/kb/general/images/ka0Qk000000FAgb_0EMQk00000DgBFh.png new file mode 100644 index 0000000000..78c0f0c86b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FAgb_0EMQk00000DgBFh.png differ diff --git a/docs/kb/general/images/ka0Qk000000FB3B_0EMQk00000BhgDl.png b/docs/kb/general/images/ka0Qk000000FB3B_0EMQk00000BhgDl.png new file mode 100644 index 0000000000..a7c6708047 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FB3B_0EMQk00000BhgDl.png differ diff --git a/docs/kb/general/images/ka0Qk000000FB3B_0EMQk00000BhgIc.png b/docs/kb/general/images/ka0Qk000000FB3B_0EMQk00000BhgIc.png new file mode 100644 index 0000000000..993a5b36cf Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FB3B_0EMQk00000BhgIc.png differ diff --git a/docs/kb/general/images/ka0Qk000000FB3B_0EMQk00000Bhgld.png b/docs/kb/general/images/ka0Qk000000FB3B_0EMQk00000Bhgld.png new file mode 100644 index 0000000000..9b4005efdd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FB3B_0EMQk00000Bhgld.png differ diff --git a/docs/kb/general/images/ka0Qk000000FBhV_0EMQk00000BuXxR.png b/docs/kb/general/images/ka0Qk000000FBhV_0EMQk00000BuXxR.png new file mode 100644 index 0000000000..1fec050b91 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FBhV_0EMQk00000BuXxR.png differ diff --git a/docs/kb/general/images/ka0Qk000000FDHt_0EMQk00000ByG5B.png b/docs/kb/general/images/ka0Qk000000FDHt_0EMQk00000ByG5B.png new file mode 100644 index 0000000000..da0b4f7c1c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FDHt_0EMQk00000ByG5B.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FDeT_0EMQk00000Dw954.png b/docs/kb/general/images/ka0Qk000000FDeT_0EMQk00000Dw954.png new file mode 100644 index 0000000000..4fb0aa96bd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FDeT_0EMQk00000Dw954.png differ diff --git a/docs/kb/general/images/ka0Qk000000FDeT_0EMQk00000DwCJ4.png b/docs/kb/general/images/ka0Qk000000FDeT_0EMQk00000DwCJ4.png new file mode 100644 index 0000000000..f6b8ffea2a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FDeT_0EMQk00000DwCJ4.png differ diff --git a/docs/kb/general/images/ka0Qk000000FE13_0EMQk00000Dgxdi.png b/docs/kb/general/images/ka0Qk000000FE13_0EMQk00000Dgxdi.png new file mode 100644 index 0000000000..008c567c43 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FE13_0EMQk00000Dgxdi.png differ diff --git a/docs/kb/general/images/ka0Qk000000FE13_0EMQk00000DgzNl.png b/docs/kb/general/images/ka0Qk000000FE13_0EMQk00000DgzNl.png new file mode 100644 index 0000000000..5ca71f3ab3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FE13_0EMQk00000DgzNl.png differ diff --git a/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R1Z.png b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R1Z.png new file mode 100644 index 0000000000..18798442e1 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R1Z.png differ diff --git a/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R3B.png b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R3B.png new file mode 100644 index 0000000000..faa9f49b03 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R3B.png differ diff --git a/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R4n.png b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R4n.png new file mode 100644 index 0000000000..3add277963 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R4n.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R6P.png b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R6P.png new file mode 100644 index 0000000000..c0d5553944 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R6P.png differ diff --git a/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R81.png b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R81.png new file mode 100644 index 0000000000..ee93e14019 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R81.png differ diff --git a/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R9d.png b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R9d.png new file mode 100644 index 0000000000..d4bcfc0ed6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3R9d.png differ diff --git a/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3RBF.png b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3RBF.png new file mode 100644 index 0000000000..2bc9c2d730 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FEHB_0EMQk00000C3RBF.png differ diff --git a/docs/kb/general/images/ka0Qk000000FFLJ_0EMQk00000BhkNp.png b/docs/kb/general/images/ka0Qk000000FFLJ_0EMQk00000BhkNp.png new file mode 100644 index 0000000000..da0b4f7c1c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FFLJ_0EMQk00000BhkNp.png differ diff --git a/docs/kb/general/images/ka0Qk000000FFmj_0EMQk00000BYvqN.png b/docs/kb/general/images/ka0Qk000000FFmj_0EMQk00000BYvqN.png new file mode 100644 index 0000000000..4bd6d7f9c2 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FFmj_0EMQk00000BYvqN.png differ diff --git a/docs/kb/general/images/ka0Qk000000FFrZ_0EMQk00000BZhjh.png b/docs/kb/general/images/ka0Qk000000FFrZ_0EMQk00000BZhjh.png new file mode 100644 index 0000000000..2cc34f00f3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FFrZ_0EMQk00000BZhjh.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FGSf_0EMQk00000C3RET.png b/docs/kb/general/images/ka0Qk000000FGSf_0EMQk00000C3RET.png new file mode 100644 index 0000000000..8167eb3c35 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGSf_0EMQk00000C3RET.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGSf_0EMQk00000C3RG5.png b/docs/kb/general/images/ka0Qk000000FGSf_0EMQk00000C3RG5.png new file mode 100644 index 0000000000..46918936d8 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGSf_0EMQk00000C3RG5.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGSf_0EMQk00000C3RHh.png b/docs/kb/general/images/ka0Qk000000FGSf_0EMQk00000C3RHh.png new file mode 100644 index 0000000000..d78a0b38d7 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGSf_0EMQk00000C3RHh.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGVt_0EMQk00000C3SdZ.png b/docs/kb/general/images/ka0Qk000000FGVt_0EMQk00000C3SdZ.png new file mode 100644 index 0000000000..cf77a18dc6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGVt_0EMQk00000C3SdZ.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGVt_0EMQk00000C3SfB.png b/docs/kb/general/images/ka0Qk000000FGVt_0EMQk00000C3SfB.png new file mode 100644 index 0000000000..3f9e965bbf Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGVt_0EMQk00000C3SfB.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAKTC.png b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAKTC.png new file mode 100644 index 0000000000..78c7d6aa98 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAKTC.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAM6o.png b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAM6o.png new file mode 100644 index 0000000000..104085b024 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAM6o.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMJh.png b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMJh.png new file mode 100644 index 0000000000..fd2e88f51b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMJh.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMLJ.png b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMLJ.png new file mode 100644 index 0000000000..95fd9ee857 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMLJ.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMMv.png b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMMv.png new file mode 100644 index 0000000000..0e25ecbf48 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMMv.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMQ9.png b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMQ9.png new file mode 100644 index 0000000000..faa351afc8 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMQ9.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMRl.png b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMRl.png new file mode 100644 index 0000000000..a7ac318322 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMRl.png differ diff --git a/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMTN.png b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMTN.png new file mode 100644 index 0000000000..ace6348d4d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FGaj_0EMQk00000CAMTN.png differ diff --git a/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CANdy.png b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CANdy.png new file mode 100644 index 0000000000..22743ea2bc Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CANdy.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAP1R.png b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAP1R.png new file mode 100644 index 0000000000..c6e8f76226 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAP1R.png differ diff --git a/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPFx.png b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPFx.png new file mode 100644 index 0000000000..ab5e14fb66 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPFx.png differ diff --git a/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPPd.png b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPPd.png new file mode 100644 index 0000000000..45ca96a4a1 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPPd.png differ diff --git a/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPRF.png b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPRF.png new file mode 100644 index 0000000000..6ed3810378 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPRF.png differ diff --git a/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPUT.png b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPUT.png new file mode 100644 index 0000000000..0d3b01e957 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPUT.png differ diff --git a/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPXh.png b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPXh.png new file mode 100644 index 0000000000..0f726777d7 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FH0X_0EMQk00000CAPXh.png differ diff --git a/docs/kb/general/images/ka0Qk000000FH29_0EMQk00000CAPnp.png b/docs/kb/general/images/ka0Qk000000FH29_0EMQk00000CAPnp.png new file mode 100644 index 0000000000..2992e0dd93 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FH29_0EMQk00000CAPnp.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FH29_0EMQk00000CAPr3.png b/docs/kb/general/images/ka0Qk000000FH29_0EMQk00000CAPr3.png new file mode 100644 index 0000000000..e97edf04cc Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FH29_0EMQk00000CAPr3.png differ diff --git a/docs/kb/general/images/ka0Qk000000FIhN_0EMQk00000BuX4c.png b/docs/kb/general/images/ka0Qk000000FIhN_0EMQk00000BuX4c.png new file mode 100644 index 0000000000..b910b3fe24 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FIhN_0EMQk00000BuX4c.png differ diff --git a/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdBLU.png b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdBLU.png new file mode 100644 index 0000000000..8e4fede870 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdBLU.png differ diff --git a/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdJdy.png b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdJdy.png new file mode 100644 index 0000000000..dd96795449 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdJdy.png differ diff --git a/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdJsU.png b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdJsU.png new file mode 100644 index 0000000000..6637dcd7ed Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdJsU.png differ diff --git a/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdKYP.png b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdKYP.png new file mode 100644 index 0000000000..8208e73025 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdKYP.png differ diff --git a/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdKzp.png b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdKzp.png new file mode 100644 index 0000000000..d617b9e205 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdKzp.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdLHa.png b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdLHa.png new file mode 100644 index 0000000000..c571e77fba Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FImE_0EMQk00000BdLHa.png differ diff --git a/docs/kb/general/images/ka0Qk000000FKRR_0EMQk00000BuWV7.png b/docs/kb/general/images/ka0Qk000000FKRR_0EMQk00000BuWV7.png new file mode 100644 index 0000000000..4279d26e8d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FKRR_0EMQk00000BuWV7.png differ diff --git a/docs/kb/general/images/ka0Qk000000FKWH_0EMQk00000Bhh6b.png b/docs/kb/general/images/ka0Qk000000FKWH_0EMQk00000Bhh6b.png new file mode 100644 index 0000000000..8ea20442f4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FKWH_0EMQk00000Bhh6b.png differ diff --git a/docs/kb/general/images/ka0Qk000000FKWH_0EMQk00000CUuSU.png b/docs/kb/general/images/ka0Qk000000FKWH_0EMQk00000CUuSU.png new file mode 100644 index 0000000000..c89c789f4e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FKWH_0EMQk00000CUuSU.png differ diff --git a/docs/kb/general/images/ka0Qk000000FKWH_0EMQk00000CV0Xt.png b/docs/kb/general/images/ka0Qk000000FKWH_0EMQk00000CV0Xt.png new file mode 100644 index 0000000000..c82de86c96 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FKWH_0EMQk00000CV0Xt.png differ diff --git a/docs/kb/general/images/ka0Qk000000FKhZ_0EMQk00000CGmD3.png b/docs/kb/general/images/ka0Qk000000FKhZ_0EMQk00000CGmD3.png new file mode 100644 index 0000000000..636fa5190f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FKhZ_0EMQk00000CGmD3.png differ diff --git a/docs/kb/general/images/ka0Qk000000FKkn_0EMQk00000CGefK.png b/docs/kb/general/images/ka0Qk000000FKkn_0EMQk00000CGefK.png new file mode 100644 index 0000000000..f5b94d4059 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FKkn_0EMQk00000CGefK.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FMrR_0EMQk00000EA0t7.png b/docs/kb/general/images/ka0Qk000000FMrR_0EMQk00000EA0t7.png new file mode 100644 index 0000000000..61b0ff6192 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FMrR_0EMQk00000EA0t7.png differ diff --git a/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMbTR.png b/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMbTR.png new file mode 100644 index 0000000000..2270de63d3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMbTR.png differ diff --git a/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMibO.png b/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMibO.png new file mode 100644 index 0000000000..fc1e0bd287 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMibO.png differ diff --git a/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMj2n.png b/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMj2n.png new file mode 100644 index 0000000000..7bf5f8f1cf Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMj2n.png differ diff --git a/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMkTV.png b/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMkTV.png new file mode 100644 index 0000000000..46606c5301 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CMkTV.png differ diff --git a/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CinkU.png b/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CinkU.png new file mode 100644 index 0000000000..a97cb40c2b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FN7Z_0EMQk00000CinkU.png differ diff --git a/docs/kb/general/images/ka0Qk000000FNAn_0EMQk00000EA2lG.png b/docs/kb/general/images/ka0Qk000000FNAn_0EMQk00000EA2lG.png new file mode 100644 index 0000000000..7bea5493ed Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FNAn_0EMQk00000EA2lG.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FNAn_0EMQk00000EA3PZ.png b/docs/kb/general/images/ka0Qk000000FNAn_0EMQk00000EA3PZ.png new file mode 100644 index 0000000000..7bea5493ed Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FNAn_0EMQk00000EA3PZ.png differ diff --git a/docs/kb/general/images/ka0Qk000000FNE1_0EMQk00000Dn10H.png b/docs/kb/general/images/ka0Qk000000FNE1_0EMQk00000Dn10H.png new file mode 100644 index 0000000000..5314ad62b0 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FNE1_0EMQk00000Dn10H.png differ diff --git a/docs/kb/general/images/ka0Qk000000FO0P_0EMQk00000EA42H.png b/docs/kb/general/images/ka0Qk000000FO0P_0EMQk00000EA42H.png new file mode 100644 index 0000000000..6029b6aca5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FO0P_0EMQk00000EA42H.png differ diff --git a/docs/kb/general/images/ka0Qk000000FO8T_0EMQk00000EABet.png b/docs/kb/general/images/ka0Qk000000FO8T_0EMQk00000EABet.png new file mode 100644 index 0000000000..18804b5805 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FO8T_0EMQk00000EABet.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CF5F2.png b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CF5F2.png new file mode 100644 index 0000000000..049af317df Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CF5F2.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFDqr.png b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFDqr.png new file mode 100644 index 0000000000..292d8b37ea Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFDqr.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFFMR.png b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFFMR.png new file mode 100644 index 0000000000..cb8a8bd2e9 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFFMR.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFGrx.png b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFGrx.png new file mode 100644 index 0000000000..5d3bd0319a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFGrx.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFHeM.png b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFHeM.png new file mode 100644 index 0000000000..937e7c61cd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFHeM.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFJt3.png b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFJt3.png new file mode 100644 index 0000000000..88f5a86654 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWsP_0EMQk00000CFJt3.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFJt4.png b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFJt4.png new file mode 100644 index 0000000000..e193d287c2 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFJt4.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFKxE.png b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFKxE.png new file mode 100644 index 0000000000..2154b72125 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFKxE.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFMJ4.png b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFMJ4.png new file mode 100644 index 0000000000..01dd3b51d5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFMJ4.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFMhH.png b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFMhH.png new file mode 100644 index 0000000000..78e157750c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFMhH.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFXMX.png b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFXMX.png new file mode 100644 index 0000000000..6544961ce3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFXMX.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFXrB.png b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFXrB.png new file mode 100644 index 0000000000..c8653b0bad Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWu1_0EMQk00000CFXrB.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLapa.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLapa.png new file mode 100644 index 0000000000..355659268b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLapa.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbk1.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbk1.png new file mode 100644 index 0000000000..c45adccee4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbk1.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbld.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbld.png new file mode 100644 index 0000000000..60a2f8fb01 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbld.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbnG.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbnG.png new file mode 100644 index 0000000000..fa5142a5aa Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbnG.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbor.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbor.png new file mode 100644 index 0000000000..8d8be96abb Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbor.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbqT.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbqT.png new file mode 100644 index 0000000000..5399279b15 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbqT.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbs5.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbs5.png new file mode 100644 index 0000000000..e7dcf5ba63 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbs5.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbth.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbth.png new file mode 100644 index 0000000000..521d963112 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbth.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbvJ.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbvJ.png new file mode 100644 index 0000000000..1a86b5b443 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbvJ.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbwv.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbwv.png new file mode 100644 index 0000000000..ff29859e8e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbwv.png differ diff --git a/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbyX.png b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbyX.png new file mode 100644 index 0000000000..78d85fed7b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FWvd_0EMQk00000CLbyX.png differ diff --git a/docs/kb/general/images/ka0Qk000000FX3h_0EMQk00000CMSQA.png b/docs/kb/general/images/ka0Qk000000FX3h_0EMQk00000CMSQA.png new file mode 100644 index 0000000000..34cd7b62a0 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FX3h_0EMQk00000CMSQA.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FX3h_0EMQk00000CMbrd.png b/docs/kb/general/images/ka0Qk000000FX3h_0EMQk00000CMbrd.png new file mode 100644 index 0000000000..deb89d8234 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FX3h_0EMQk00000CMbrd.png differ diff --git a/docs/kb/general/images/ka0Qk000000FX3h_0EMQk00000CMby5.png b/docs/kb/general/images/ka0Qk000000FX3h_0EMQk00000CMby5.png new file mode 100644 index 0000000000..8c42954d29 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FX3h_0EMQk00000CMby5.png differ diff --git a/docs/kb/general/images/ka0Qk000000FX8X_0EMQk00000CMgGD.png b/docs/kb/general/images/ka0Qk000000FX8X_0EMQk00000CMgGD.png new file mode 100644 index 0000000000..c14e72d574 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FX8X_0EMQk00000CMgGD.png differ diff --git a/docs/kb/general/images/ka0Qk000000FX8X_0EMQk00000CMhAf.png b/docs/kb/general/images/ka0Qk000000FX8X_0EMQk00000CMhAf.png new file mode 100644 index 0000000000..90a8275d30 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FX8X_0EMQk00000CMhAf.png differ diff --git a/docs/kb/general/images/ka0Qk000000FXDN_0EMQk00000CMxfF.png b/docs/kb/general/images/ka0Qk000000FXDN_0EMQk00000CMxfF.png new file mode 100644 index 0000000000..68af3f0a46 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FXDN_0EMQk00000CMxfF.png differ diff --git a/docs/kb/general/images/ka0Qk000000FXDN_0EMQk00000CMxk5.png b/docs/kb/general/images/ka0Qk000000FXDN_0EMQk00000CMxk5.png new file mode 100644 index 0000000000..45386f922c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FXDN_0EMQk00000CMxk5.png differ diff --git a/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BX5tr.png b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BX5tr.png new file mode 100644 index 0000000000..41b6ffa282 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BX5tr.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BX5ts.png b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BX5ts.png new file mode 100644 index 0000000000..73d9386bf6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BX5ts.png differ diff --git a/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXD51.png b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXD51.png new file mode 100644 index 0000000000..46b2500d6f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXD51.png differ diff --git a/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXHBp.png b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXHBp.png new file mode 100644 index 0000000000..bfd2622ca8 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXHBp.png differ diff --git a/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXHi5.png b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXHi5.png new file mode 100644 index 0000000000..9c34c4b687 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXHi5.png differ diff --git a/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXHtN.png b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXHtN.png new file mode 100644 index 0000000000..d96efc3164 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FY4b_0EMQk00000BXHtN.png differ diff --git a/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXDVr.png b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXDVr.png new file mode 100644 index 0000000000..f25a50df4e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXDVr.png differ diff --git a/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXERv.png b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXERv.png new file mode 100644 index 0000000000..32dd7b2d09 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXERv.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXJRa.png b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXJRa.png new file mode 100644 index 0000000000..07c5a2a5b9 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXJRa.png differ diff --git a/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXJoA.png b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXJoA.png new file mode 100644 index 0000000000..448b7313e6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXJoA.png differ diff --git a/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXMm1.png b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXMm1.png new file mode 100644 index 0000000000..fd84e6a02c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXMm1.png differ diff --git a/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXOhQ.png b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXOhQ.png new file mode 100644 index 0000000000..15aafd7477 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FYxR_0EMQk00000CXOhQ.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR6ws.png b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR6ws.png new file mode 100644 index 0000000000..8215ffbbe3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR6ws.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR7bC.png b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR7bC.png new file mode 100644 index 0000000000..5a9e50f320 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR7bC.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR7mU.png b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR7mU.png new file mode 100644 index 0000000000..8d8be96abb Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR7mU.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8Dt.png b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8Dt.png new file mode 100644 index 0000000000..c45adccee4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8Dt.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8Du.png b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8Du.png new file mode 100644 index 0000000000..e75e3bb73e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8Du.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8FV.png b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8FV.png new file mode 100644 index 0000000000..254c52a803 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8FV.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8H7.png b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8H7.png new file mode 100644 index 0000000000..50af85774f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ0f_0EMQk00000CR8H7.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPAWk.png b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPAWk.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPAWk.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPB4c.png b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPB4c.png new file mode 100644 index 0000000000..56f571f5cf Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPB4c.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPB7p.png b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPB7p.png new file mode 100644 index 0000000000..d8b685f425 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPB7p.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPB9R.png b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPB9R.png new file mode 100644 index 0000000000..799aa07d56 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPB9R.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPBB3.png b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPBB3.png new file mode 100644 index 0000000000..77d5ffed16 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPBB3.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPBCf.png b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPBCf.png new file mode 100644 index 0000000000..f67de93530 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ2H_0EMQk00000CPBCf.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPAba.png b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPAba.png new file mode 100644 index 0000000000..cea8c0b123 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPAba.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPAzl.png b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPAzl.png new file mode 100644 index 0000000000..799aa07d56 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPAzl.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB1N.png b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB1N.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB1N.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB2z.png b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB2z.png new file mode 100644 index 0000000000..0799bccf84 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB2z.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB4b.png b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB4b.png new file mode 100644 index 0000000000..d3084a81fc Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB4b.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB6D.png b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB6D.png new file mode 100644 index 0000000000..d8b685f425 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZ3t_0EMQk00000CPB6D.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAlF.png b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAlF.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAlF.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAmr.png b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAmr.png new file mode 100644 index 0000000000..6ad6167a2b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAmr.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAoT.png b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAoT.png new file mode 100644 index 0000000000..4f9e782ec4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAoT.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAq5.png b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAq5.png new file mode 100644 index 0000000000..df6072fb71 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAq5.png differ diff --git a/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPArh.png b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPArh.png new file mode 100644 index 0000000000..6d92fcb593 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPArh.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAtJ.png b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAtJ.png new file mode 100644 index 0000000000..28e78439e4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FZNF_0EMQk00000CPAtJ.png differ diff --git a/docs/kb/general/images/ka0Qk000000FbYj_0EMQk00000ESYRi.png b/docs/kb/general/images/ka0Qk000000FbYj_0EMQk00000ESYRi.png new file mode 100644 index 0000000000..60e33057e5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FbYj_0EMQk00000ESYRi.png differ diff --git a/docs/kb/general/images/ka0Qk000000FbYj_0EMQk00000ESbW1.png b/docs/kb/general/images/ka0Qk000000FbYj_0EMQk00000ESbW1.png new file mode 100644 index 0000000000..6a70dc8833 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FbYj_0EMQk00000ESbW1.png differ diff --git a/docs/kb/general/images/ka0Qk000000FbYj_0EMQk00000ESeX7.png b/docs/kb/general/images/ka0Qk000000FbYj_0EMQk00000ESeX7.png new file mode 100644 index 0000000000..7e247ac4f0 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FbYj_0EMQk00000ESeX7.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fgmv_0EM4u000008LgxD.png b/docs/kb/general/images/ka0Qk000000Fgmv_0EM4u000008LgxD.png new file mode 100644 index 0000000000..2b4a538b8f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fgmv_0EM4u000008LgxD.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000CO06Q.png b/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000CO06Q.png new file mode 100644 index 0000000000..bc1970c733 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000CO06Q.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000CO5Fn.png b/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000CO5Fn.png new file mode 100644 index 0000000000..7b4c0fd7b8 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000CO5Fn.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000COAKH.png b/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000COAKH.png new file mode 100644 index 0000000000..18e706580e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000COAKH.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000COAnJ.png b/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000COAnJ.png new file mode 100644 index 0000000000..e1818aec4e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjJN_0EMQk00000COAnJ.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPA5J.png b/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPA5J.png new file mode 100644 index 0000000000..93d436b5a4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPA5J.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPA6v.png b/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPA6v.png new file mode 100644 index 0000000000..96885a78cc Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPA6v.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPA8X.png b/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPA8X.png new file mode 100644 index 0000000000..489bf6b9a1 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPA8X.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPAA9.png b/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPAA9.png new file mode 100644 index 0000000000..50a5d20f88 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPAA9.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPABl.png b/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPABl.png new file mode 100644 index 0000000000..cd426b7d00 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjKz_0EMQk00000CPABl.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAID.png b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAID.png new file mode 100644 index 0000000000..489bf6b9a1 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAID.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAJp.png b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAJp.png new file mode 100644 index 0000000000..0f476814bc Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAJp.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPALR.png b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPALR.png new file mode 100644 index 0000000000..7dd7998e4b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPALR.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAN3.png b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAN3.png new file mode 100644 index 0000000000..ccda712bf4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAN3.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAOf.png b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAOf.png new file mode 100644 index 0000000000..27a29fd54f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAOf.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAQH.png b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAQH.png new file mode 100644 index 0000000000..2f99964537 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPAQH.png differ diff --git a/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPARt.png b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPARt.png new file mode 100644 index 0000000000..50a5d20f88 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjMb_0EMQk00000CPARt.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FjOD_0EMQk00000CPAWj.png b/docs/kb/general/images/ka0Qk000000FjOD_0EMQk00000CPAWj.png new file mode 100644 index 0000000000..b054e3351e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FjOD_0EMQk00000CPAWj.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAOg.png b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAOg.png new file mode 100644 index 0000000000..5c6eb7c989 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAOg.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAZx.png b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAZx.png new file mode 100644 index 0000000000..4ada9f9ef3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAZx.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAbZ.png b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAbZ.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAbZ.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAdB.png b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAdB.png new file mode 100644 index 0000000000..8a19824fcc Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAdB.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAen.png b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAen.png new file mode 100644 index 0000000000..9e753cbe6a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAen.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAgP.png b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAgP.png new file mode 100644 index 0000000000..6f5a4ee347 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm4L_0EMQk00000CPAgP.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtKaI.png b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtKaI.png new file mode 100644 index 0000000000..0881537977 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtKaI.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtLxm.png b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtLxm.png new file mode 100644 index 0000000000..342e266cb4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtLxm.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtLzN.png b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtLzN.png new file mode 100644 index 0000000000..5c1f9c415f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtLzN.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtM2b.png b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtM2b.png new file mode 100644 index 0000000000..8d6213da51 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtM2b.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtM5p.png b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtM5p.png new file mode 100644 index 0000000000..c870b6570e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtM5p.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtM93.png b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtM93.png new file mode 100644 index 0000000000..c83a25cfc2 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtM93.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtMCH.png b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtMCH.png new file mode 100644 index 0000000000..bab0bb9012 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fm5x_0EMQk00000CtMCH.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtLOI.png b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtLOI.png new file mode 100644 index 0000000000..7c09bc1797 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtLOI.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtN8L.png b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtN8L.png new file mode 100644 index 0000000000..049c2fc43c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtN8L.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtN9x.png b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtN9x.png new file mode 100644 index 0000000000..0a8c14a6c4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtN9x.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNBZ.png b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNBZ.png new file mode 100644 index 0000000000..cd89b5d3e6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNBZ.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNDB.png b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNDB.png new file mode 100644 index 0000000000..2ed5f41e30 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNDB.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNEn.png b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNEn.png new file mode 100644 index 0000000000..f6a09fc320 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNEn.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNGP.png b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNGP.png new file mode 100644 index 0000000000..de74e3cd4f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp3p_0EMQk00000CtNGP.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Fp73_0EMQk00000Cyp0k.png b/docs/kb/general/images/ka0Qk000000Fp73_0EMQk00000Cyp0k.png new file mode 100644 index 0000000000..2fac20b0f2 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp73_0EMQk00000Cyp0k.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp73_0EMQk00000CypFF.png b/docs/kb/general/images/ka0Qk000000Fp73_0EMQk00000CypFF.png new file mode 100644 index 0000000000..7c80898383 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp73_0EMQk00000CypFF.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CydAs.png b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CydAs.png new file mode 100644 index 0000000000..73bec0c67a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CydAs.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CynBq.png b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CynBq.png new file mode 100644 index 0000000000..bb59b37e60 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CynBq.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CyouJ.png b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CyouJ.png new file mode 100644 index 0000000000..1cf15a7234 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CyouJ.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000Cyr0v.png b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000Cyr0v.png new file mode 100644 index 0000000000..2a7820463c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000Cyr0v.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000Cyr8z.png b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000Cyr8z.png new file mode 100644 index 0000000000..e209a3af8d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000Cyr8z.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CyrCD.png b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CyrCD.png new file mode 100644 index 0000000000..bd052471aa Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fp8f_0EMQk00000CyrCD.png differ diff --git a/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DSX83.png b/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DSX83.png new file mode 100644 index 0000000000..dad21c0cce Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DSX83.png differ diff --git a/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DScCY.png b/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DScCY.png new file mode 100644 index 0000000000..7409e3f340 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DScCY.png differ diff --git a/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DShc2.png b/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DShc2.png new file mode 100644 index 0000000000..5c084e5ea6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DShc2.png differ diff --git a/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DSjKT.png b/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DSjKT.png new file mode 100644 index 0000000000..a86f7aece6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DSjKT.png differ diff --git a/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DSjp7.png b/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DSjp7.png new file mode 100644 index 0000000000..e89b3c5d2c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FpDV_0EMQk00000DSjp7.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DA8ck.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DA8ck.png new file mode 100644 index 0000000000..3bddaf1595 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DA8ck.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DA9Yq.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DA9Yq.png new file mode 100644 index 0000000000..c3c88de16f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DA9Yq.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DABnX.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DABnX.png new file mode 100644 index 0000000000..a60e0af55c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DABnX.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DACA7.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DACA7.png new file mode 100644 index 0000000000..1e19f087c2 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DACA7.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAHGE.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAHGE.png new file mode 100644 index 0000000000..e841c34ec5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAHGE.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAHXx.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAHXx.png new file mode 100644 index 0000000000..459ff08513 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAHXx.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAHhd.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAHhd.png new file mode 100644 index 0000000000..46e920935d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAHhd.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAI93.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAI93.png new file mode 100644 index 0000000000..4e9572ba04 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAI93.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAIFV.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAIFV.png new file mode 100644 index 0000000000..7b82fddf91 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAIFV.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAIvR.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAIvR.png new file mode 100644 index 0000000000..3fa7a43555 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAIvR.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAJ57.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAJ57.png new file mode 100644 index 0000000000..ce670badf3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAJ57.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAJDB.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAJDB.png new file mode 100644 index 0000000000..f02996be4b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAJDB.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAKHJ.png b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAKHJ.png new file mode 100644 index 0000000000..d3d8084233 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fs6X_0EMQk00000DAKHJ.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftgv_0EMQk00000BSOM1.png b/docs/kb/general/images/ka0Qk000000Ftgv_0EMQk00000BSOM1.png new file mode 100644 index 0000000000..54f3fba904 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftgv_0EMQk00000BSOM1.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP1x3.png b/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP1x3.png new file mode 100644 index 0000000000..78f525be1d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP1x3.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP1yf.png b/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP1yf.png new file mode 100644 index 0000000000..4ed7ac5bbf Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP1yf.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP20H.png b/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP20H.png new file mode 100644 index 0000000000..9269a4607b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP20H.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP21t.png b/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP21t.png new file mode 100644 index 0000000000..e0a689595f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP21t.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP23V.png b/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP23V.png new file mode 100644 index 0000000000..5ec3c34158 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftk9_0EMQk00000BP23V.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3af.png b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3af.png new file mode 100644 index 0000000000..ed4ab80ac5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3af.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3cH.png b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3cH.png new file mode 100644 index 0000000000..f7504aae63 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3cH.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3dt.png b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3dt.png new file mode 100644 index 0000000000..effb9f9ff8 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3dt.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3fV.png b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3fV.png new file mode 100644 index 0000000000..4ef4086cc0 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3fV.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3ij.png b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3ij.png new file mode 100644 index 0000000000..abeea803a1 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3ij.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3kL.png b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3kL.png new file mode 100644 index 0000000000..3d6a7bd0dc Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3kL.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3lx.png b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3lx.png new file mode 100644 index 0000000000..8d7dd1e3cd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3lx.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3nZ.png b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3nZ.png new file mode 100644 index 0000000000..b34e9db6f8 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3nZ.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3pB.png b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3pB.png new file mode 100644 index 0000000000..5d2fc9429c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3pB.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3qn.png b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3qn.png new file mode 100644 index 0000000000..78a296aae6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftll_0EMQk00000BP3qn.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8mX.png b/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8mX.png new file mode 100644 index 0000000000..63ea8b973e Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8mX.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8pl.png b/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8pl.png new file mode 100644 index 0000000000..3ec88f8bc5 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8pl.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8ub.png b/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8ub.png new file mode 100644 index 0000000000..f8527c15f3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8ub.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8zR.png b/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8zR.png new file mode 100644 index 0000000000..58085207e6 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftqb_0EMQk00000BN8zR.png differ diff --git a/docs/kb/general/images/ka0Qk000000FtsD_0EMQk00000BQXBk.png b/docs/kb/general/images/ka0Qk000000FtsD_0EMQk00000BQXBk.png new file mode 100644 index 0000000000..497edf7e42 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FtsD_0EMQk00000BQXBk.png differ diff --git a/docs/kb/general/images/ka0Qk000000FtsD_0EMQk00000BQZYT.png b/docs/kb/general/images/ka0Qk000000FtsD_0EMQk00000BQZYT.png new file mode 100644 index 0000000000..68f02c4b98 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FtsD_0EMQk00000BQZYT.png differ diff --git a/docs/kb/general/images/ka0Qk000000FtsD_0EMQk00000BQZmz.png b/docs/kb/general/images/ka0Qk000000FtsD_0EMQk00000BQZmz.png new file mode 100644 index 0000000000..a74ab321c4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FtsD_0EMQk00000BQZmz.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Fttp_0EMQk00000C13Mk.png b/docs/kb/general/images/ka0Qk000000Fttp_0EMQk00000C13Mk.png new file mode 100644 index 0000000000..026acae5fb Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fttp_0EMQk00000C13Mk.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fttp_0EMQk00000C19C1.png b/docs/kb/general/images/ka0Qk000000Fttp_0EMQk00000C19C1.png new file mode 100644 index 0000000000..516ce5b7f4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fttp_0EMQk00000C19C1.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftx3_0EMQk00000Az6M6.png b/docs/kb/general/images/ka0Qk000000Ftx3_0EMQk00000Az6M6.png new file mode 100644 index 0000000000..76ced973bd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftx3_0EMQk00000Az6M6.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftx3_0EMQk00000Az8kU.png b/docs/kb/general/images/ka0Qk000000Ftx3_0EMQk00000Az8kU.png new file mode 100644 index 0000000000..055df177d7 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftx3_0EMQk00000Az8kU.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftx3_0EMQk00000AzEMr.png b/docs/kb/general/images/ka0Qk000000Ftx3_0EMQk00000AzEMr.png new file mode 100644 index 0000000000..df3709aefc Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftx3_0EMQk00000AzEMr.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftyf_0EMQk00000BS31S.png b/docs/kb/general/images/ka0Qk000000Ftyf_0EMQk00000BS31S.png new file mode 100644 index 0000000000..e9ecadf9b3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftyf_0EMQk00000BS31S.png differ diff --git a/docs/kb/general/images/ka0Qk000000Ftyf_0EMQk00000BS90Q.png b/docs/kb/general/images/ka0Qk000000Ftyf_0EMQk00000BS90Q.png new file mode 100644 index 0000000000..8ef26d945a Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Ftyf_0EMQk00000BS90Q.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEqL.png b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEqL.png new file mode 100644 index 0000000000..5c6eb7c989 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEqL.png differ diff --git a/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzErx.png b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzErx.png new file mode 100644 index 0000000000..9e948779d2 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzErx.png differ diff --git a/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEtZ.png b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEtZ.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEtZ.png differ diff --git a/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEvB.png b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEvB.png new file mode 100644 index 0000000000..4ada9f9ef3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEvB.png differ diff --git a/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEwn.png b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEwn.png new file mode 100644 index 0000000000..370becb960 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEwn.png differ diff --git a/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEyP.png b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEyP.png new file mode 100644 index 0000000000..fc92b62414 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FvcH_0EMQk00000CzEyP.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvdt_0EMQk00000CzEiH.png b/docs/kb/general/images/ka0Qk000000Fvdt_0EMQk00000CzEiH.png new file mode 100644 index 0000000000..6b8f62bc6c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvdt_0EMQk00000CzEiH.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Fvdt_0EMQk00000CzEjt.png b/docs/kb/general/images/ka0Qk000000Fvdt_0EMQk00000CzEjt.png new file mode 100644 index 0000000000..87d8c4cb8c Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvdt_0EMQk00000CzEjt.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvdt_0EMQk00000CzEn7.png b/docs/kb/general/images/ka0Qk000000Fvdt_0EMQk00000CzEn7.png new file mode 100644 index 0000000000..559f87cf45 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvdt_0EMQk00000CzEn7.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFJN.png b/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFJN.png new file mode 100644 index 0000000000..d610b2e263 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFJN.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFKz.png b/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFKz.png new file mode 100644 index 0000000000..44f1775d99 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFKz.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFMb.png b/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFMb.png new file mode 100644 index 0000000000..eaa70eed62 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFMb.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFOD.png b/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFOD.png new file mode 100644 index 0000000000..934645aae1 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFOD.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFPp.png b/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFPp.png new file mode 100644 index 0000000000..d9dbddcc7f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvh7_0EMQk00000CzFPp.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF3F.png b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF3F.png new file mode 100644 index 0000000000..7ca581494b Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF3F.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF4r.png b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF4r.png new file mode 100644 index 0000000000..d09bdf18a2 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF4r.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF6T.png b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF6T.png new file mode 100644 index 0000000000..b7d35d6f5f Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF6T.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF85.png b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF85.png new file mode 100644 index 0000000000..7cd727a426 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF85.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF9h.png b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF9h.png new file mode 100644 index 0000000000..8db24e8f8d Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzF9h.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzFBJ.png b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzFBJ.png new file mode 100644 index 0000000000..3928bdcb14 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvqn_0EMQk00000CzFBJ.png differ diff --git a/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFBK.png b/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFBK.png new file mode 100644 index 0000000000..4acbe382d7 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFBK.png differ 
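Review bot: Several PNGs added under docs/kb/general/images/ share the same blob hash, so the same file content is being committed more than once under different names: 5c6eb7c989 is added as both ka0Qk000000Fm4L_0EMQk00000CPAOg.png and ka0Qk000000FvcH_0EMQk00000CzEqL.png, 4ada9f9ef3 as both ka0Qk000000Fm4L_0EMQk00000CPAZx.png and ka0Qk000000FvcH_0EMQk00000CzEvB.png, and b7d35d6f5f three times (ka0Qk000000Fm4L_0EMQk00000CPAbZ.png, ka0Qk000000FvcH_0EMQk00000CzEtZ.png, ka0Qk000000Fvqn_0EMQk00000CzF6T.png). Consider keeping one copy of each and pointing the articles at it. The file names are opaque ids, and binary content cannot be reviewed in the diff, so confirm before merge that none of these images shows credentials, internal hostnames or customer data.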
diff --git a/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFEX.png b/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFEX.png new file mode 100644 index 0000000000..119c293e17 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFEX.png differ diff --git a/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFG9.png b/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFG9.png new file mode 100644 index 0000000000..129325fdf2 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFG9.png differ diff --git a/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFHl.png b/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFHl.png new file mode 100644 index 0000000000..87d057f7aa Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000FvsP_0EMQk00000CzFHl.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvvd_0EMQk00000CzDKo.png b/docs/kb/general/images/ka0Qk000000Fvvd_0EMQk00000CzDKo.png new file mode 100644 index 0000000000..82660a2115 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvvd_0EMQk00000CzDKo.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvvd_0EMQk00000CzFWH.png b/docs/kb/general/images/ka0Qk000000Fvvd_0EMQk00000CzFWH.png new file mode 100644 index 0000000000..fedb7fd6fa Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvvd_0EMQk00000CzFWH.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fvvd_0EMQk00000CzFXt.png b/docs/kb/general/images/ka0Qk000000Fvvd_0EMQk00000CzFXt.png new file mode 100644 index 0000000000..ae4bf04542 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fvvd_0EMQk00000CzFXt.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fw5J_0EMQk00000CzDaw.png b/docs/kb/general/images/ka0Qk000000Fw5J_0EMQk00000CzDaw.png new file mode 100644 index 0000000000..6f95bbe9cf Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fw5J_0EMQk00000CzDaw.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000Fw5J_0EMQk00000CzFcj.png b/docs/kb/general/images/ka0Qk000000Fw5J_0EMQk00000CzFcj.png new file mode 100644 index 0000000000..90dc440dfd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fw5J_0EMQk00000CzFcj.png differ diff --git a/docs/kb/general/images/ka0Qk000000Fw5J_0EMQk00000CzFeL.png b/docs/kb/general/images/ka0Qk000000Fw5J_0EMQk00000CzFeL.png new file mode 100644 index 0000000000..54277ffc94 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000Fw5J_0EMQk00000CzFeL.png differ diff --git a/docs/kb/general/images/ka0Qk000000G0AX_0EM4u000002PWPR.png b/docs/kb/general/images/ka0Qk000000G0AX_0EM4u000002PWPR.png new file mode 100644 index 0000000000..87ee6cdeb8 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G0AX_0EM4u000002PWPR.png differ diff --git a/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngEj.png b/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngEj.png new file mode 100644 index 0000000000..20b7f8fc22 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngEj.png differ diff --git a/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngGL.png b/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngGL.png new file mode 100644 index 0000000000..d794e7f540 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngGL.png differ diff --git a/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngHx.png b/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngHx.png new file mode 100644 index 0000000000..4dcac30049 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngHx.png differ diff --git a/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngJZ.png b/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngJZ.png new file mode 100644 index 0000000000..0a526d7f39 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G0FN_0EMQk00000DngJZ.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000G1TB_0EMQk00000F8mRq.png b/docs/kb/general/images/ka0Qk000000G1TB_0EMQk00000F8mRq.png new file mode 100644 index 0000000000..fdf5ef7f47 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G1TB_0EMQk00000F8mRq.png differ diff --git a/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfMD.png b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfMD.png new file mode 100644 index 0000000000..f0977c36cd Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfMD.png differ diff --git a/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfNp.png b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfNp.png new file mode 100644 index 0000000000..a2a14f8be3 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfNp.png differ diff --git a/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfPR.png b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfPR.png new file mode 100644 index 0000000000..c9841dcb62 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfPR.png differ diff --git a/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfR3.png b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfR3.png new file mode 100644 index 0000000000..69569553a2 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfR3.png differ diff --git a/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfSf.png b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfSf.png new file mode 100644 index 0000000000..e2c5d72151 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfSf.png differ diff --git a/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfUH.png b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfUH.png new file mode 100644 index 0000000000..0266219080 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfUH.png differ 
diff --git a/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfVt.png b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfVt.png new file mode 100644 index 0000000000..6de35d3dc4 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfVt.png differ diff --git a/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfXV.png b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfXV.png new file mode 100644 index 0000000000..c94558d7ba Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfXV.png differ diff --git a/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfZ7.png b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfZ7.png new file mode 100644 index 0000000000..734f56a854 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000DxfZ7.png differ diff --git a/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000Dxfaj.png b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000Dxfaj.png new file mode 100644 index 0000000000..be782508b7 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G4fZ_0EMQk00000Dxfaj.png differ diff --git a/docs/kb/general/images/ka0Qk000000G5Jt_0EM4u000008LXj2.png b/docs/kb/general/images/ka0Qk000000G5Jt_0EM4u000008LXj2.png new file mode 100644 index 0000000000..d6021013e8 Binary files /dev/null and b/docs/kb/general/images/ka0Qk000000G5Jt_0EM4u000008LXj2.png differ diff --git a/docs/kb/general/images/servlet_image_2583da6d156d.png b/docs/kb/general/images/servlet_image_2583da6d156d.png new file mode 100644 index 0000000000..2ccb181dc6 Binary files /dev/null and b/docs/kb/general/images/servlet_image_2583da6d156d.png differ diff --git a/docs/kb/general/images/servlet_image_25a6a63e2d98.png b/docs/kb/general/images/servlet_image_25a6a63e2d98.png new file mode 100644 index 0000000000..61b0ff6192 Binary files /dev/null and b/docs/kb/general/images/servlet_image_25a6a63e2d98.png differ 
diff --git a/docs/kb/general/images/servlet_image_2f7e50c41ebc.png b/docs/kb/general/images/servlet_image_2f7e50c41ebc.png new file mode 100644 index 0000000000..74a9f5d3ea Binary files /dev/null and b/docs/kb/general/images/servlet_image_2f7e50c41ebc.png differ diff --git a/docs/kb/general/images/servlet_image_43592b74bddb.png b/docs/kb/general/images/servlet_image_43592b74bddb.png new file mode 100644 index 0000000000..8e4fede870 Binary files /dev/null and b/docs/kb/general/images/servlet_image_43592b74bddb.png differ diff --git a/docs/kb/general/images/servlet_image_5c836ce7f58d.png b/docs/kb/general/images/servlet_image_5c836ce7f58d.png new file mode 100644 index 0000000000..8208e73025 Binary files /dev/null and b/docs/kb/general/images/servlet_image_5c836ce7f58d.png differ diff --git a/docs/kb/general/images/servlet_image_6d5dba18caac.png b/docs/kb/general/images/servlet_image_6d5dba18caac.png new file mode 100644 index 0000000000..dd96795449 Binary files /dev/null and b/docs/kb/general/images/servlet_image_6d5dba18caac.png differ diff --git a/docs/kb/general/images/servlet_image_a57eed7fed62.png b/docs/kb/general/images/servlet_image_a57eed7fed62.png new file mode 100644 index 0000000000..5feea4c71f Binary files /dev/null and b/docs/kb/general/images/servlet_image_a57eed7fed62.png differ diff --git a/docs/kb/general/images/servlet_image_bc580d43e371.png b/docs/kb/general/images/servlet_image_bc580d43e371.png new file mode 100644 index 0000000000..34e6f0385c Binary files /dev/null and b/docs/kb/general/images/servlet_image_bc580d43e371.png differ diff --git a/docs/kb/general/images/servlet_image_c59a8c7e74e8.png b/docs/kb/general/images/servlet_image_c59a8c7e74e8.png new file mode 100644 index 0000000000..c571e77fba Binary files /dev/null and b/docs/kb/general/images/servlet_image_c59a8c7e74e8.png differ 
diff --git a/docs/kb/general/images/servlet_image_cfc48ae58743.png b/docs/kb/general/images/servlet_image_cfc48ae58743.png new file mode 100644 index 0000000000..d617b9e205 Binary files /dev/null and b/docs/kb/general/images/servlet_image_cfc48ae58743.png differ diff --git a/docs/kb/general/images/servlet_image_d9422308ff4b.png b/docs/kb/general/images/servlet_image_d9422308ff4b.png new file mode 100644 index 0000000000..6637dcd7ed Binary files /dev/null and b/docs/kb/general/images/servlet_image_d9422308ff4b.png differ diff --git a/docs/kb/general/implications_of_targeting_computers_vs._user_groups_for_client_upgrades.md b/docs/kb/general/implications_of_targeting_computers_vs._user_groups_for_client_upgrades.md new file mode 100644 index 0000000000..76beb5b614 --- /dev/null +++ b/docs/kb/general/implications_of_targeting_computers_vs._user_groups_for_client_upgrades.md 
@@ -0,0 +1,42 @@ +--- +description: >- + This article discusses the implications of targeting computer groups versus user groups for client upgrades, highlighting the benefits and limitations of each approach. +keywords: + - client upgrades + - computer groups + - user groups +sidebar_label: Targeting Computers vs. User Groups +tags: [] +title: "Implications of Targeting Computers vs. User Groups for Client Upgrades" +knowledge_article_id: kA0Qk0000002Vm5KAE +products: + - general +--- + +# Implications of Targeting Computers vs. User Groups for Client Upgrades + +## Question + +What are the implications of targeting computer groups versus user groups for client upgrades? + +## Answer + +Targeting computers ensures that all devices within a specified group receive the upgrade, regardless of the user logged in. This approach is beneficial for maintaining consistent security across all endpoints. + +Targeting users allows for more personalized upgrades based on user roles or needs but may not cover all computers if users switch between multiple devices. + +### Targeting Computers + +- **Consistency Across Computers:** Upgrading by targeting computers ensures that every device within the specified group receives the upgrade. This is crucial for maintaining a uniform security posture across all endpoints, as every computer will have the latest protection features regardless of who is using it. +- **Simplified Management:** This method simplifies the management process, as administrators can apply upgrades to all devices in a network or group without needing to consider individual user settings or roles. +- **Applicability:** This approach is particularly useful in environments where computers are shared among multiple users, ensuring that security measures are consistently applied to all computers. 
+ +### Targeting Users + +- **Flexibility:** Targeting users provides flexibility in managing upgrades, as administrators can apply different policies or upgrades to different user groups based on their specific requirements. +- **Limitations:** This method may not ensure that all computers are upgraded if users frequently switch between multiple computers, potentially leaving some devices with outdated security measures. + +### Considerations + +- **Mixed Environments:** In environments with both shared and personal computers, a combination of both strategies might be necessary to ensure comprehensive coverage. +- **Policy Management:** Administrators should carefully plan and manage policies to ensure that the right upgrades are applied to the right targets, whether they are users or computers. \ No newline at end of file diff --git a/docs/kb/general/install_and_uninstall_the_windows_agent_from_the_command_line.md b/docs/kb/general/install_and_uninstall_the_windows_agent_from_the_command_line.md new file mode 100644 index 0000000000..8b597773bd --- /dev/null +++ b/docs/kb/general/install_and_uninstall_the_windows_agent_from_the_command_line.md 
@@ -0,0 +1,44 @@ +--- +description: >- + This article provides step-by-step instructions for installing and uninstalling the Windows agent from the command line. +keywords: + - Windows agent + - command line + - installation + - uninstallation + - msiexec +sidebar_label: Install and Uninstall Windows Agent +tags: [] +title: "Install and Uninstall the Windows Agent from the Command Line" +knowledge_article_id: kA0Qk0000002B71KAE +products: + - general +--- + +# Install and Uninstall the Windows Agent from the Command Line + +## Question + +Can you install and uninstall the Windows agent from the terminal/command line prompt? + +## Answer + +Yes, this is possible. Follow the steps below to complete this process: + +### Install the Agent from the Command Line + +Use the following command syntax to install the agent: + +```plaintext +msiexec.exe /i "path_to_msi" WSIP="EPP_server_IP" WSPORT="443" DEPT_CODE=defdep /q REBOOT=ReallySuppress +``` + +### Uninstall the Agent from the Command Line + +Use the following command syntax to uninstall the agent: + +```plaintext +msiexec.exe /x "path_to_msi" ADMIN_PASSWORD_0="your_uninstall_password" REBOOT=ReallySuppress REMOVE_PROP=1 /qn +``` + +> **NOTE:** Enter your uninstall password in the above command only if a password was previously configured in the server UI. Otherwise, you can remove the `ADMIN_PASSWORD_0` attribute. \ No newline at end of file diff --git a/docs/kb/general/installation-of-logon-prompt-extenstion-for-password-manager-via-command-prompt.md b/docs/kb/general/installation-of-logon-prompt-extenstion-for-password-manager-via-command-prompt.md new file mode 100644 index 0000000000..29e13e249a --- /dev/null +++ b/docs/kb/general/installation-of-logon-prompt-extenstion-for-password-manager-via-command-prompt.md 
@@ -0,0 +1,57 @@ +--- +description: >- + Shows how to install the Netwrix Password Manager Logon Prompt Extension using + msiexec from the command prompt and describes package-specific MSI options and + examples. +keywords: + - Netwrix Password Manager + - msiexec + - MSI installation + - logon prompt + - PM_URL + - PM_NOLPE + - PM_NOREBOOT + - ALLUSERS +products: + - general +sidebar_label: 'Installation of Logon Prompt Extenstion for Password Manager via command prompt' +tags: [] +title: >- + Installation of Logon Prompt Extenstion for Password Manager via command + prompt +knowledge_article_id: kA00g000000H9dRCAS +--- + +# Installation of Logon Prompt Extenstion for Password Manager via command prompt + +Netwrix Password Manager Logon Prompt Extension is an .msi package and there for can be installed via command prompt. +To install the client, use `msiexec` with any of its options enabled, for example: + +```bash +msiexec.exe /i prm_client.msi /quiet +``` + +**NOTE:** To check all available options, in command line type in `msiexec /?` and press ENTER. + +Except default `msiexec` options, Logon Prompt Extension package has its own options that can be set by the command parameters: + +- `PM_NOLPE` — can be `"true"` or `"false"`, quotes needed. If `true`, only enrollment wizard is installed, but logon prompt extensions, which helps you to reset password from logon screen, is not +- `PM_URL` — URL of the Password Manager server, usually it should be as follows: `http://%PRMservername%/pm`. If you do not specify this value, client will consider it as `https://localhost/pm` +- `ALLUSERS` — can be `"0"` or `"1"`, if `1` - enrollment wizard is installed for All users +- `PM_NOREBOOT` — can be `"true"` or `"false"`, quotes needed. If `true`, Windows XP/2003 machines will not reboot after installation + +To enable these options, add their names with the required value to the command prompt when installing the client. 
+ +The options should be added in the following format: `msiexec /i \.msi
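Review bot: In `install_and_uninstall_the_windows_agent_from_the_command_line.md`, the uninstall example passes the uninstall password as a clear-text MSI property on the command line (`ADMIN_PASSWORD_0="your_uninstall_password"`), and the NOTE below it only says when the property can be omitted. The password will be readable in any script or deployment job that wraps this command, and in process-creation auditing where command-line logging is enabled. Extend the NOTE to say so, and to recommend running the command from a context where the command line is not retained. Two smaller points in the same hunk: the install example uses `/q` while the uninstall example uses `/qn`, so pick one form for both; and `WSIP`, `WSPORT` and `DEPT_CODE=defdep` are shown without any explanation of what they mean or whether `defdep` is a literal value or a placeholder.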
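Review bot: In `installation-of-logon-prompt-extenstion-for-password-manager-via-command-prompt.md`, the `PM_URL` bullet gives `http://%PRMservername%/pm` as the usual value while stating that the client default is `https://localhost/pm`. This client is used for enrollment and for resetting passwords from the logon screen, so the example should use `https://` to match the default, or the text should state explicitly when plain HTTP is acceptable. Style points in the same hunk: "Extenstion" is misspelled in the file name, `sidebar_label`, `title` and the H1; "there for" should be "therefore"; and the `msiexec.exe` example is fenced as `bash` although it is a Windows command (the agent article in this patch uses `plaintext`).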