Empty list for Privileged Admin Groups under IDR Settings

We have noticed that in our IDR settings >> Admin Groups, the list is empty. When we try to Add Privileged Admin Group, no options are available. But if we check “Users and Accounts”, we do have several admin accounts. When digging further into each admin account, we can see the pop-up message below.

This user belongs to these privileged groups tracked by InsightIDR:

  • Schema Admins
  • Administrators
  • Enterprise Admins
  • Domain Admins

Users that belong to privileged groups are closely monitored by InsightIDR as they may pose a higher risk to your organization.

This user was directly collected from a directory service, such as Microsoft Active Directory.

Screenshot for reference

Need advice on whether this is normal or not.
@david_smith
@david_smith1

Hey Roy,

This relies on our LDAP event source pulling in groups successfully. Do you have a functional LDAP event source?

Perhaps it's not pulling in all groups because a BaseDN is defined that excludes groups?

David

Hi David,

We have several LDAP event sources, and all of them are working. We’re also using the root base DN below. I can also see several 4728 event codes in log search. So I’m not sure why the list is still empty when I’m trying to add a privileged admin group in the settings section.

DC=xxxx,DC=xxxx,DC=com,DC=au

We must not be pulling in group info from the LDAP. I’d recommend a support case so we can take a closer look.