From 9937be4f78164b23cc9af4130175bec25d31edaa Mon Sep 17 00:00:00 2001 From: tay caliguiri Date: Tue, 27 Jan 2026 10:49:03 -0500 Subject: [PATCH 1/5] New KB on account exclusions for multidomain environments when there is no domain trust relationship --- .../multi-domain-account-exclusions.md | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md diff --git a/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md b/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md new file mode 100644 index 0000000000..42868e9b5c --- /dev/null +++ b/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md @@ -0,0 +1,69 @@ +--- +description: >- +This article explains how to manually exclude a user from an untrusted domain in Netwrix Activity Monitor by adding their SID to the agent's configuration file. It addresses the limitation of the UI when no domain trust exists and highlights the importance of using correct delimiters. +keywords: + - Netwrix Activity Monitor + - Account + - Exclusions + - Multidomain + - No Trust +products: + - activitymonitor +sidebar_label: Account Exclusions Cannot Add User from Untrusted Domain +tags: [] +title: "Netwrix Activity Monitor Account Exclusions Cannot Add User from Untrusted Domain" +knowledge_article_id: kA04u000000LLQXCA4 +--- + + +# Netwrix Activity Monitor Account Exclusions Cannot Add User from Untrusted Domain + +## Related Query + +- "I cannot select Domain2 when I need to specify account in Netwrix Activity Monitor." +- "Trying to exclude a user from Domain2 but cannot browse the account in Activity Monitor." + +## Symptom + +When attempting to add an account exclusion in **Netwrix Activity Monitor**, users from Domain2 cannot be browsed or selected in the **Account Exclusions** tab. The monitored host is joined to Domain1, and Domain2 users do not appear in the account picker. + +## Cause + +The monitored host is not part of Domain2, and there is no trust relationship between Domain1 and Domain2. As a result, the Activity Monitor UI cannot resolve or validate users from Domain2. The system relies on Windows APIs for domain enumeration and account lookup, which fail without domain trust. + +Additionally, if the user attempts to bypass this by editing the configuration file (`SbtFileMon.ini`), misconfigured entries—such as mixed delimiters (semicolons and commas)—may prevent exclusions from loading correctly. + +## Resolution + +To exclude users from an untrusted domain, use their **Security Identifier (SID)** and manually add it to the configuration file on the **agent system** collecting data from the monitored host. This method avoids the need for name resolution and is fully supported by the Activity Monitor filtering engine. + +### Instructions + +1. **Get the SID of the Domain2 user** from a system that can query Domain2: + ```powershell + Get-ADUser -Identity username -Server domain2.local -Properties SID + ``` +2. On the agent server for the monitored host, open the following file: `C:\ProgramData\Netwrix\Activity Monitor\Agent\SbtFileMon.ini` +3. Find the [FILE_MONITOR] section corresponding to the monitored host (_e.g., HOST=FILE-SERVER01_). +4. Edit the EXCSIDS line: + - Use semicolon delimiters only. Mixed separators (e.g., comma + semicolon) will break parsing. + - Example (**correct** format): `EXCSIDS=S-1-5-17;S-1-5-18;S-1-5-21-3693812452-4124425045-3432912480-1163` + - Example (**incorrect** format): `EXCSIDS=S-1-5-17;S-1-5-18,S-1-5-21-3693812452-4124425045-3432912480-1163` + +:::warning +**IMPORTANT**: If you mix commas and semicolons, the system may fail to load the exclusion or treat part of it as an invalid string. +:::warning + +5. Save the file. +6. Restart the Activity Monitor Agent service: + 1. Open Services + 2. Restart **Netwrix Activity Monitor Agent** service +7. Open the Account Exclusions UI again. + - You may not see the friendly name for the SID (due to the trust issue), but it will still function correctly at runtime. + +:::note +The Activity Monitor filtering engine compares user SIDs directly. No name resolution is required once the SID is loaded, which is why this method works even without domain trust. +::: + +Related Links +[Security Identifiers (SIDs) · Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) \ No newline at end of file From f27ad174c63a87295343e2238c1741837590d7ce Mon Sep 17 00:00:00 2001 From: Tay Caliguiri Date: Tue, 27 Jan 2026 10:52:59 -0500 Subject: [PATCH 2/5] Update multi-domain-account-exclusions.md Corrected warning admonition and related links header --- .../multi-domain-account-exclusions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md b/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md index 42868e9b5c..de1eabf14f 100644 --- a/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md +++ b/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md @@ -52,7 +52,7 @@ To exclude users from an untrusted domain, use their **Security Identifier (SID) :::warning **IMPORTANT**: If you mix commas and semicolons, the system may fail to load the exclusion or treat part of it as an invalid string. -:::warning +::: 5. Save the file. 6. Restart the Activity Monitor Agent service: @@ -65,5 +65,5 @@ To exclude users from an untrusted domain, use their **Security Identifier (SID) The Activity Monitor filtering engine compares user SIDs directly. No name resolution is required once the SID is loaded, which is why this method works even without domain trust. ::: -Related Links -[Security Identifiers (SIDs) · Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) \ No newline at end of file +## Related Links +[Security Identifiers (SIDs) · Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) From 4f31a5429b9a4a8bf88232045b6b6097543b35f4 Mon Sep 17 00:00:00 2001 From: Tay Caliguiri Date: Tue, 27 Jan 2026 11:01:24 -0500 Subject: [PATCH 3/5] Update multi-domain-account-exclusions.md Took some suggestions from Claude and made minor improvements --- .../multi-domain-account-exclusions.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md b/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md index de1eabf14f..7a774c4271 100644 --- a/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md +++ b/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md @@ -12,13 +12,12 @@ products: sidebar_label: Account Exclusions Cannot Add User from Untrusted Domain tags: [] title: "Netwrix Activity Monitor Account Exclusions Cannot Add User from Untrusted Domain" -knowledge_article_id: kA04u000000LLQXCA4 --- # Netwrix Activity Monitor Account Exclusions Cannot Add User from Untrusted Domain -## Related Query +## Related Queries - "I cannot select Domain2 when I need to specify account in Netwrix Activity Monitor." - "Trying to exclude a user from Domain2 but cannot browse the account in Activity Monitor." @@ -41,10 +40,16 @@ To exclude users from an untrusted domain, use their **Security Identifier (SID) 1. **Get the SID of the Domain2 user** from a system that can query Domain2: ```powershell - Get-ADUser -Identity username -Server domain2.local -Properties SID + + Get-ADUser -Identity username -Server domain2 -Properties SID + + # Example + # Get-ADUser -Identity Michael.Scott - Server contoso2.com -Properties SID + # This will output just the SID, example: S-1-5-21-3693812452-4124425045-3432912480-1163 + ``` 2. On the agent server for the monitored host, open the following file: `C:\ProgramData\Netwrix\Activity Monitor\Agent\SbtFileMon.ini` -3. Find the [FILE_MONITOR] section corresponding to the monitored host (_e.g., HOST=FILE-SERVER01_). +3. Find the [FILE_MONITOR] section corresponding to the monitored host (*e.g., HOST=FILE-SERVER01*). 4. Edit the EXCSIDS line: - Use semicolon delimiters only. Mixed separators (e.g., comma + semicolon) will break parsing. - Example (**correct** format): `EXCSIDS=S-1-5-17;S-1-5-18;S-1-5-21-3693812452-4124425045-3432912480-1163` @@ -56,7 +61,7 @@ To exclude users from an untrusted domain, use their **Security Identifier (SID) 5. Save the file. 6. Restart the Activity Monitor Agent service: - 1. Open Services + 1. Open Services (services.msc) 2. Restart **Netwrix Activity Monitor Agent** service 7. Open the Account Exclusions UI again. - You may not see the friendly name for the SID (due to the trust issue), but it will still function correctly at runtime. @@ -66,4 +71,4 @@ The Activity Monitor filtering engine compares user SIDs directly. No name resol ::: ## Related Links -[Security Identifiers (SIDs) · Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) +[Security Identifiers (SIDs) · Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) From 4184ebe5d9f65656c6325f1250ba88d31fb4689c Mon Sep 17 00:00:00 2001 From: Tay Caliguiri Date: Tue, 27 Jan 2026 11:06:02 -0500 Subject: [PATCH 4/5] Update multi-domain-account-exclusions.md typo in powershell command --- .../multi-domain-account-exclusions.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md b/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md index 7a774c4271..58ed60e7c9 100644 --- a/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md +++ b/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md @@ -40,13 +40,11 @@ To exclude users from an untrusted domain, use their **Security Identifier (SID) 1. **Get the SID of the Domain2 user** from a system that can query Domain2: ```powershell - Get-ADUser -Identity username -Server domain2 -Properties SID # Example - # Get-ADUser -Identity Michael.Scott - Server contoso2.com -Properties SID + # Get-ADUser -Identity Michael.Scott -Server contoso2.com -Properties SID # This will output just the SID, example: S-1-5-21-3693812452-4124425045-3432912480-1163 - ``` 2. On the agent server for the monitored host, open the following file: `C:\ProgramData\Netwrix\Activity Monitor\Agent\SbtFileMon.ini` 3. Find the [FILE_MONITOR] section corresponding to the monitored host (*e.g., HOST=FILE-SERVER01*). From 56d37efe19c644693809964c25e3bd4ebb0b9c54 Mon Sep 17 00:00:00 2001 From: Hil-Ram-NWX Date: Tue, 27 Jan 2026 15:38:14 -0500 Subject: [PATCH 5/5] Update symptom description for Domain2 account exclusions Revised symptom phrasing --- .../multi-domain-account-exclusions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md b/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md index 58ed60e7c9..3d438a9d55 100644 --- a/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md +++ b/docs/kb/activitymonitor/monitoring-platforms-and-storage/multi-domain-account-exclusions.md @@ -24,7 +24,7 @@ title: "Netwrix Activity Monitor Account Exclusions Cannot Add User from Untrust ## Symptom -When attempting to add an account exclusion in **Netwrix Activity Monitor**, users from Domain2 cannot be browsed or selected in the **Account Exclusions** tab. The monitored host is joined to Domain1, and Domain2 users do not appear in the account picker. +When you attempt to add an account exclusion in **Netwrix Activity Monitor**, you cannot browse or select Domain2 users in the **Account Exclusions** tab. Domain1 and the monitored host are joined, and Domain2 users do not appear in the account picker. ## Cause