How to Monitor Local Users

Scenario: I have two disconnected AD domains and a process on Domain A that must access a handful of computers on Domain A and on Domain B. That process is only smart enough to be able to use a single set of credentials.

At first glance, the obvious solution is a common Local User on each machine that needs to be accessed. The problem is, IDR doesn’t appear to see local users. Well, that’s one of the problems with this approach. Is there a way around this limitation? In a perfect world…well, I wouldn’t be in this situation…I’d add the user to Service Accounts so I could keep a close eye on it. Alternately, have I missed an obvious alternative to the local user?

Are you still dealing with this Bill, or did you find a solution outside of here?

Nope, my “What about Bob?” issue is still on the board looking for a clean solution, but we’re still pre-production. Plan B is to kill Bob and switch to domain-bound users in each domain, which checks my monitoring box but complicates the process that needs access to computers in each domain. Still looking for that win-win solution.

To clarify and make sure that I understand: The issue is that you can’t see local accounts on a machine that is disconnected from the domain.

In my Rapid7 environment I can see local users by searching for the asset name. Have you tried installing the agent on the machines? It’s a category called “Local Accounts” once you click the asset.
I believe the agent will collect this information for you.

Yes, there’s an agent on these machines, and yes, I see the local account on the asset, now that you mention it. At issue was that they don’t appear as a user within IDR’s Users and Accounts and I’ve assumed, perhaps incorrectly, that because they aren’t there, none of the usual user-based detection rules would apply.
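As an added example, not from this thread and not a Rapid7/IDR feature: until the local account is covered by the platform's user-based rules, one can get a basic picture of where a shared local user (the "Bob" above) is being used by reading each machine's own Security log. This hypothetical PowerShell script lists enabled local accounts and, for each, the successful logons (event 4624) in the last N days whose target domain is the computer name, which is how a local account logon appears. It assumes PowerShell 5.1 or later on Windows and rights to read the Security log; the `Days` parameter and the output field names are the example's own choices.

```powershell
# Added example (not from the thread): summarise recent logons for local accounts.
# Assumes Windows PowerShell 5.1+ and permission to read the Security event log.
param(
    [int]$Days = 7   # how far back to look; hypothetical parameter name
)

$computer   = $env:COMPUTERNAME
$localUsers = Get-LocalUser | Where-Object { $_.Enabled }

# Successful logons (4624) within the window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # A local account authenticates with TargetDomainName equal to the computer name,
    # so this filter keeps only local-account logons and drops domain accounts.
    if ($d['TargetDomainName'] -eq $computer) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']   # e.g. 2 interactive, 3 network, 10 RDP
            Source    = $d['IpAddress']
        }
    }
}

# One summary row per enabled local account
foreach ($u in $localUsers) {
    $hits = $logons | Where-Object { $_.User -eq $u.Name }
    [pscustomobject]@{
        Account     = $u.Name
        LastLogon   = $u.LastLogon
        LogonEvents = ($hits | Measure-Object).Count
        LogonTypes  = ($hits.LogonType | Sort-Object -Unique) -join ','
        Sources     = ($hits.Source | Sort-Object -Unique) -join ','
    }
}
```

Run it on each machine that holds the shared local account (for example through a scheduled task or remoting) and compare the `Sources` and `LogonTypes` columns against what the process is expected to do; a logon from an unexpected source address or an interactive logon type for an account that should only be used over the network is the kind of signal the platform rules would otherwise raise.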