@tay-caliguiri
Contributor

New KB on account exclusions for multidomain environments when there is no domain trust relationship

@tay-caliguiri tay-caliguiri requested a review from a team as a code owner January 27, 2026 15:49
@tay-caliguiri tay-caliguiri added the docs:nam Activity Monitor Documentation Update/Addition/Change label Jan 27, 2026
@github-actions

This comment was marked as outdated.

Corrected warning admonition and related links header
@github-actions

This comment was marked as outdated.

@hilram7 hilram7 self-assigned this Jan 27, 2026
Took some suggestions from Claude and made minor improvements
@github-actions
Contributor

Pull Request Review: Account Exclusions KB Article

SUMMARY:
This PR adds a new KB article documenting how to manually exclude users from untrusted domains in Netwrix Activity Monitor by adding their SID to the agent configuration file. The article is well-structured and provides clear instructions.

STRENGTHS:

  1. Clear problem definition with Symptom and Cause sections
  2. Practical step-by-step solution with PowerShell commands
  3. Good use of admonitions for warnings and notes
  4. Consistent with repository KB article structure

DOCUMENTATION QUALITY ISSUES:

PowerShell Code Block at lines 42-49:

  • Extra blank line at the beginning
  • Typo in example: space before Server parameter
  • Comment says outputs just SID but command outputs entire user object
  • Recommend adding pipe to Select-Object -ExpandProperty SID to output only the SID value

Numbered List Formatting at lines 54-56:

  • Uses tabs for sub-bullets which may not render consistently in Markdown
  • Recommend using spaces instead of tabs for better compatibility

Configuration File Path:

  • Should clarify upfront that this file is on the agent server

Frontmatter:

  • Missing knowledge_article_id field that appears in other KB articles for consistency

SECURITY CONSIDERATIONS:
No security concerns identified. The article correctly recommends using SIDs and legitimate Active Directory queries.

TECHNICAL ACCURACY:
Verified that SID-based filtering is the correct approach, Windows API requirements are accurate, and delimiter parsing guidance is sound.

RECOMMENDATIONS SUMMARY:

High Priority:

  1. Fix PowerShell command typo at line 46
  2. Add pipe to Select-Object to output just the SID

Medium Priority:

  3. Replace tabs with spaces in list indentation
  4. Remove leading blank line in code block

Low Priority:

  5. Consider adding knowledge_article_id field
  6. Add PowerShell alternative for service restart
6. Add PowerShell alternative for service restart

APPROVAL STATUS:
Recommend approval with minor revisions. The identified issues are minor formatting and clarity improvements that would enhance documentation quality but do not block the PR. The article provides valuable troubleshooting information with clear instructions.

typo in powershell command
@github-actions
Contributor

PR Review: New KB on Account Exclusions

Thank you for this contribution! I've reviewed the new KB article on multi-domain account exclusions. Overall, this is a well-structured and helpful article that addresses a specific technical challenge. Below is my detailed feedback.


✅ Strengths

  1. Clear Problem Definition: The "Related Queries" and "Symptom" sections effectively capture the user's pain point
  2. Technical Accuracy: The SID-based workaround is the correct approach for untrusted domain scenarios
  3. Good Use of Admonitions: The warning about delimiter mixing is prominently placed and helpful
  4. Practical Examples: PowerShell command with example username makes it easy to follow
  5. Proper Structure: Follows the standard Symptom → Cause → Resolution format used in other KB articles

🔍 Issues Found

Critical: Missing Required Frontmatter Field

Issue: The article is missing the knowledge_article_id field that is present in all other KB articles in the repository.

Location: docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md:1-14

Current frontmatter:

```yaml
---
description: >-
products:
  - activitymonitor
sidebar_label: Account Exclusions Cannot Add User from Untrusted Domain
tags: []
title: "Netwrix Activity Monitor Account Exclusions Cannot Add User from Untrusted Domain"
---
```

Expected format (based on other articles in the same directory):

```yaml
---
description: >-
  This article explains...
keywords:
  - Netwrix Activity Monitor
  - Account
  - Exclusions
  - Multidomain
  - No Trust
products:
  - activitymonitor
sidebar_label: Account Exclusions Cannot Add User from Untrusted Domain
tags: []
title: "Netwrix Activity Monitor Account Exclusions Cannot Add User from Untrusted Domain"
knowledge_article_id: kA0Qk0000000000000
---
```

Action Required: Add the knowledge_article_id field with the appropriate Salesforce Knowledge article ID.


High Priority: Admonition Format Inconsistency

Issue: The article uses Docusaurus-style admonitions (:::warning, :::note) instead of the standard blockquote format used throughout the repository.

Location:

  • docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md:56-58
  • docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md:65-68

Current format:

```markdown
:::warning
**IMPORTANT**: If you mix commas and semicolons...
:::

:::note
The Activity Monitor filtering engine compares user SIDs directly...
:::
```

Expected format (based on latency_with_netapp.md:45 and other articles):

```markdown
> **IMPORTANT:** If you mix commas and semicolons, the system may fail to load the exclusion or treat part of it as an invalid string.

> **NOTE:** The Activity Monitor filtering engine compares user SIDs directly. No name resolution is required once the SID is loaded, which is why this method works even without domain trust.
```

Why this matters: Consistency across the documentation ensures proper rendering and maintains the established documentation style.


Medium Priority: Section Naming Convention

Issue: The section is titled "Related Links" (plural) but only contains one link.

Location: docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md:71

Current:

```markdown
## Related Links
[Security Identifiers (SIDs) · Microsoft Learn](https://learn.microsoft.com/...)
```

Recommendation: Change to "Related Link" (singular) or add more relevant links, such as:

  • Netwrix Activity Monitor documentation on account exclusions
  • Documentation on domain trusts in Activity Monitor
  • Best practices for multi-domain environments

Based on repository patterns: Articles with multiple links use "Related Articles" (e.g., latency_with_netapp.md:47), while those with a single link should use singular form.


Low Priority: Code Block Language Specification

Issue: The PowerShell code block uses the generic powershell tag, which is correct, but the second example/comment block could benefit from explicit formatting.

Location: docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md:41-47

Current format is acceptable, but consider adding more context:

```powershell
# Get the SID of a specific user from Domain2
Get-ADUser -Identity username -Server domain2 -Properties SID

# Example output:
# DistinguishedName : CN=Michael.Scott,OU=Users,DC=contoso2,DC=com
# SID               : S-1-5-21-3693812452-4124425045-3432912480-1163
```

This is a minor point and not required, but it would improve clarity.


Low Priority: Instructions Formatting

Issue: The numbered steps use a mix of formatting styles. Step 4 has sub-items with indentation inconsistency.

Location: docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md:50-54

Current:

```markdown
4. Edit the EXCSIDS line:
	- Use semicolon delimiters only...
	- Example (**correct** format): `EXCSIDS=...`
	- Example (**incorrect** format): `EXCSIDS=...`
```

Recommendation: Use consistent 3-space indentation for nested lists (standard across the repository):

```markdown
4. Edit the EXCSIDS line:
   - Use semicolon delimiters only. Mixed separators (e.g., comma + semicolon) will break parsing.
   - Example (**correct** format): `EXCSIDS=S-1-5-17;S-1-5-18;S-1-5-21-3693812452-4124425045-3432912480-1163`
   - Example (**incorrect** format): `EXCSIDS=S-1-5-17;S-1-5-18,S-1-5-21-3693812452-4124425045-3432912480-1163`
```

📋 Recommendations

Content Enhancements

  1. Add verification step: Consider adding a step to verify the exclusion is working (e.g., checking logs or testing file access)

  2. Clarify agent vs. monitored host: In step 2, you mention "the agent server for the monitored host" - it might be helpful to clarify whether this is the same system or a separate agent server

  3. Add troubleshooting section: Consider adding a brief troubleshooting section for common issues:

    • What to do if the SID still doesn't work
    • How to verify the SID was loaded correctly
    • What logs to check

Style Consistency

  1. Consistent terminology: The article uses both "Domain2" and "domain2" - ensure consistent capitalization when referring to domain names in examples

  2. Code path formatting: Consider using inline code formatting for the file path in step 2: `C:\ProgramData\Netwrix\Activity Monitor\Agent\SbtFileMon.ini`


🔒 Security Review

No security concerns identified

  • The article correctly uses SIDs rather than credentials
  • No hardcoded secrets or sensitive information
  • Proper permissions model (requires access to agent server)

🧪 Test Coverage

N/A - This is documentation, not code. However, consider:

  • Testing the instructions on a real multi-domain setup to ensure accuracy
  • Verifying the PowerShell command syntax
  • Confirming the service restart is necessary

📊 Summary

| Category | Status |
| --- | --- |
| Structure | ✅ Good |
| Content Quality | ✅ Good |
| Technical Accuracy | ✅ Good |
| Format Consistency | ⚠️ Needs fixes |
| Completeness | ⚠️ Missing required field |

Required Changes Before Merge:

  1. Add knowledge_article_id field to frontmatter
  2. Convert Docusaurus admonitions to blockquote format

Recommended Changes:

  1. Fix "Related Links" → "Related Link" or add more links
  2. Improve indentation consistency in step 4
  3. Consider content enhancements mentioned above

Overall Assessment: This is a valuable addition to the knowledge base. With the two critical fixes (knowledge_article_id and admonition format), this article will be ready to merge. Great work on providing a clear solution to a complex multi-domain scenario! 🎯

@jth-nw
Collaborator

jth-nw commented Jan 27, 2026

The document looks good! You can ignore the doc reviewer stuff - I made some comments suggesting some changes (I want the doc reviewer to do it this way in the future)

@github-actions
Contributor

Pull Request Review: New KB on Account Exclusions

Thank you for this contribution! I've reviewed the KB article and have the following feedback:

Overall Assessment

This is a well-structured KB article that provides clear, actionable guidance for a specific technical scenario. The content is technically sound and follows most repository conventions.


Strengths

  1. Clear Problem Definition: The article clearly describes the symptom and cause of the issue
  2. Actionable Resolution: Step-by-step instructions are detailed and easy to follow
  3. Good Use of Examples: PowerShell example and SID format examples are helpful
  4. Technical Accuracy: The explanation of SID-based filtering is correct
  5. Proper Warning Usage: Good use of admonitions (warning and note boxes)

Documentation Standards & Consistency Issues

1. Section Header Inconsistency (Minor)

Location: Lines 20-33, 35

Your article uses:

  • "Related Queries" (line 20)
  • "Symptom" (line 25)
  • "Cause" (line 29)
  • "Resolution" (line 35)

Based on other KB articles in the repository, the standard headers are:

  • "Symptom" or "Symptoms" ✓
  • "Cause" or "Causes" ✓
  • "Resolution" or "Resolutions" ✓

However, "Related Queries" is unique to this article. Other articles use:

  • "Summary:" (sfam-log-locations.md:23)
  • "Issue:" (sfam-log-locations.md:26)

Recommendation: Consider whether "Related Queries" should be "Summary" for consistency, or if this is an intentional new section type for this category of articles.

2. Missing Knowledge Article ID (Medium Priority)

Location: Frontmatter metadata

Your article is missing the knowledge_article_id field that other KB articles have:

```yaml
knowledge_article_id: kA04u0000000IxYCAU  # Example from other articles
```

Action Required: Add the knowledge article ID if one has been assigned in your tracking system.


Content & Technical Improvements

3. PowerShell Comment Could Be Clearer (Minor)

Location: Lines 45-47

Current:

```powershell
# Example
# Get-ADUser -Identity Michael.Scott -Server contoso2.com -Properties SID
# This will output just the SID, example: S-1-5-21-3693812452-4124425045-3432912480-1163
```

The comment says "This will output just the SID", but Get-ADUser -Properties SID actually outputs the full user object.

Recommendation: Clarify the comment or update the command:

```powershell
# Example - Get the SID from the output
# Get-ADUser -Identity Michael.Scott -Server contoso2.com | Select-Object -ExpandProperty SID
# Or view all properties including SID:
# Get-ADUser -Identity Michael.Scott -Server contoso2.com -Properties SID
```

4. File Path Reference (Minor Enhancement)

Location: Line 49

Current: C:\ProgramData\Netwrix\Activity Monitor\Agent\SbtFileMon.ini

Recommendation: Consider using the pattern from line 35 where you use code formatting for paths. Also, you might want to add a note about whether this path is consistent across all installations or if it could vary.

5. Restart Instructions Location (Minor)

Location: Lines 61-63

The restart instructions appear in the middle of the workflow (after saving the file but before checking the UI). Consider whether users need to restart before step 7, or if step 7 should come before the restart.

Current flow:

  1. Edit file
  2. Save file
  3. Restart service
  4. Open UI to verify

Consider: Does the UI verification require the restart, or could verification happen before restart?


Security Considerations

6. No Security Concerns

The article correctly:

  • Uses SIDs (not credentials)
  • Recommends proper file editing practices
  • Warns about configuration syntax errors
  • Does not expose sensitive information

Performance Considerations

7. No Performance Issues

The article addresses performance implicitly by:

  • Recommending direct SID comparison (efficient)
  • Warning against malformed entries that could cause parsing failures

Test Coverage

This is documentation, not code, so traditional test coverage doesn't apply. However:

8. Testing Scenarios (Enhancement Opportunity)

Recommendation: Consider adding a "Verification" or "Expected Results" section describing what users should see after completing these steps:

  • What should appear (or not appear) in the Account Exclusions UI
  • How to verify the exclusion is working (e.g., checking logs, confirming events are filtered)
  • Troubleshooting if it doesn't work

Style & Formatting

9. Consistent Use of Bold

Good use of bold for UI elements and important terms.

10. Code Block Formatting

PowerShell syntax highlighting is correctly specified.

11. List Formatting

The numbered steps are clear and properly formatted.


Additional Recommendations

12. Related Links Section (Enhancement)

Location: Lines 71-72

You have one related link. Consider adding:

  • Link to the Activity Monitor documentation about account exclusions
  • Link to documentation about the SbtFileMon.ini configuration file
  • Link to domain trust relationship concepts (if relevant)

Summary of Action Items

Must Fix (before merge):

  • Add knowledge_article_id to frontmatter if available
  • Verify section header "Related Queries" aligns with documentation standards

Should Fix (recommended):

  • Clarify PowerShell command output in comment
  • Add verification/testing steps to help users confirm success
  • Verify the workflow order for restart vs. UI verification

Nice to Have:

  • Add more related links for comprehensive reference
  • Consider adding a troubleshooting subsection

Conclusion

This is a high-quality KB article that provides valuable technical guidance. The issues identified are mostly minor consistency items and enhancements. The core technical content is accurate and well-presented.

Recommendation: Approve with minor revisions.

Great work on documenting this complex cross-domain scenario! 🎯
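
Added example, not part of the PR or of Netwrix's documentation: a PowerShell syntax check for the `EXCSIDS` line discussed in the reviews above (semicolon-only delimiters, every entry a SID), which also covers the suggested verification step as far as file syntax goes. `Test-ExcSidsLine` and its parameters are hypothetical names; the two sample lines are the correct and incorrect examples quoted in the review.

```powershell
# Added example; Test-ExcSidsLine is a hypothetical helper, not a Netwrix cmdlet.
function Test-ExcSidsLine {
    param(
        [Parameter(Mandatory)][string]$Line,
        [string]$ExpectedSid   # optional: the SID you meant to exclude
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $sids     = [System.Collections.Generic.List[string]]::new()
    # Syntactic shape only: S-1-<authority> plus 1 to 15 sub-authorities.
    $sidPattern = '^S-1-\d+(-\d+){1,15}$'

    if ($Line -match '^EXCSIDS=(?<value>.*)$') {
        $value = $Matches['value']
        if ($value.Contains(',')) {
            $problems.Add('Comma present: use semicolon delimiters only')
        }
        foreach ($token in ($value -split ';')) {
            $entry = $token.Trim()
            if ($entry -eq '') {
                # Flagged conservatively; agent behaviour here is not documented on the page.
                $problems.Add('Empty entry (doubled or trailing semicolon)')
            } elseif ($entry -match $sidPattern) {
                $sids.Add($entry)
            } else {
                $problems.Add("Not a SID: $entry")
            }
        }
    } else {
        $problems.Add('Line does not start with EXCSIDS=')
    }
    if ($ExpectedSid -and -not $sids.Contains($ExpectedSid)) {
        $problems.Add("Expected SID missing as a standalone entry: $ExpectedSid")
    }
    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Sids     = $sids.ToArray()
        Problems = $problems.ToArray()
    }
}

# Sample input: the correct and incorrect EXCSIDS lines quoted in the review.
$target = 'S-1-5-21-3693812452-4124425045-3432912480-1163'
$lines  = @(
    "EXCSIDS=S-1-5-17;S-1-5-18;$target",
    "EXCSIDS=S-1-5-17;S-1-5-18,$target"
)
foreach ($line in $lines) {
    $r = Test-ExcSidsLine -Line $line -ExpectedSid $target
    '{0}  Valid={1}  {2}' -f $line, $r.Valid, ($r.Problems -join ' | ')
}
```

On an agent server, pass it the `EXCSIDS` line read from `C:\ProgramData\Netwrix\Activity Monitor\Agent\SbtFileMon.ini`; it checks file syntax only, not whether the agent has loaded the entry.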
