Configuring Forced-Identification Users

Forced-Identification users are required to identify themselves by a secondary log on prompt when logging on to any ObserveIT-monitored endpoint. The secondary logon authentication process forces generic users (such as Administrators or root) to be authenticated against an Active Directory identification target or against Local ObserveIT Users.

This topic describes how to add new Forced-Identification users. (It also describes how to delete Forced-Identification users.)

Adding Forced-Identification users does NOT create any actual users and has no effect on user accounts. It just configures ObserveIT to request a secondary logon when any of these users log on to a monitored endpoint.

To configure Forced-Identification Users

Navigate to the Configuration > Security & Privacy > Identification page.
Click Create in the Forced-Identification Users section.

The Identification User Policy Templates window opens, where you can specify whether to apply identification policies to a specific user or to all users. Whenever the specified users log on to any of the servers that are linked to the selected policies, they will be required to provide secondary authentication credentials.
Select whether to apply the identification policies to All users or a specific User.
If you selected the User option, select the domain name for the relevant Forced-Identification user, and specify the user's name.
The Domain drop-down list displays all the domains in the Active Directory forest in which the ObserveIT Application Server is a member. You can select "*" to select all domains.

In order to use domain local groups, you must enable the "Allow LDAP local groups" option in the System Settings page of the Web Console.

When you configure a Forced-Identification user, that user account cannot be used in the secondary ObserveIT Windows logon screen/Unix prompt. This means that if a Forced-Identification user such as *\Administrator is created, and a user logs on to a server with the PROD\Administrator account, they will be required to log on to the secondary ObserveIT Windows logon screen/Unix prompt with another account, either from Active Directory or from the Local ObserveIT Identification Users database.
In the Apply to Server Policy Templates section, update the server policy templates by selecting the check boxes of all the server policies on which you want to configure the user(s). You must select at least one check box, but you can make changes to these settings later.
Note the following:
1. In order for Forced-Identification users to be prompted to enter their secondary credentials, Enforce Login must be turned on for the selected Server Configuration Policies. To enable Enforce Login, select the check box in the Identification Policy section in the Server Policies Template window accessed from the Configuration > Recording Policies page. For further details, see Identification Policy.
2. You can also configure a recording policy for Forced-Identification users which specifies which users and/or user groups to include/exclude from being recorded. For further details, see User Recording Policy.
Instead of using Server Recording Policies, you can add individual Servers (or Agents) that will enforce the identification of the selected users. To do this, in the server list in the Apply to Servers section of the Policy Templates for Identification User window, select the check boxes next to the required server names.
This option has additional administrative overhead, as you may need to manually add servers to the list. To manually add a server to the list, go to the Configuration > Endpoints page, select the required server name (which is currently linked to a default policy template), unlink the server from the server policy, and click Save. The server will be included in the list of servers in the Apply to Server Policies section.
If you want to define more users, click the Add button in the Identification Users Policy Templates window, and repeat the above steps.
When you have finished defining all your required Forced-Identification Users, click Close.

The Forced-Identification Users list displays the users that you configured to authenticate themselves when they log on to a monitored server.
The next step is to configure an LDAP (or Active Directory) Identification Target, or Local ObserveIT Identification users. A warning message is displayed if you do not configure at least one Active Directory Identification Target or at least one Local ObserveIT Identification user. For further details, see Configuring Active Directory Identification Targets and Configuring Local ObserveIT Identification Users.

After creating the Forced-Identification user, and adding it to at least one Server Configuration Policy or Server, in that policy or server, you will be able to see the Forced-Identification user in the Identification Policy section of the Server Policy Template.

Deleting Forced-Identification Users

Deleting a Forced-Identification user does not have any effect on the actual user object, either in Active Directory or on the Windows Local Users. However, these users will no longer be required to identify themselves when they log on to the ObserveIT-monitored servers.

You can delete Forced-Identification users either from the Forced-Identification Users list or from the Server Configuration Policy to which they were linked.

To delete users from the Forced-Identification Users list

In the Forced-Identification Users section of the Identification page, click the relevant Delete link in the list of users.

You will be prompted to acknowledge your action.
Click OK to proceed, or Cancel to abort the deletion.

To delete Forced-Identification Users from the Server Configuration Policy to which they were linked

In the Server Policies page, navigate to the relevant Server Configuration Policy.
In the Identification Policy section of the policy, select the check box next to the Forced-Identification users that you want to remove.
Click Remove.
Click Save to save the server configuration policy.