Tri Star Services uses KnowBe4 for User Security Awareness Training, Phishing, and Risk Assessment.
The URL is https://training.knowbe4.com/login
Users are loaded via Active Directory Sync Tool service which is running on Utility06.
** Note: AD accounts that SHOULD NOT be synchronized to KnowBe4, such as service accounts, should be added to the KnowBe4_Excluded group membership.
There are two files located on Utility06 in the Program Files (x86)/KnowBe4/ADIsync folder that control which AD OUs and/or Groups are synchronized to KnowBe4. These two files are ADISync.conf and TRISTAR.LAN.conf.
ADISync.conf contains information on where to upload AD data to, what logs are to be kept, sync token (provided by KnowBe4 in Account Settings), and what AD email attribute should be used.
There are minor modifications to the default config file:
post-url = "https://training.knowbe4.com/api/v1/ldap/user_upload"
log-level = "ERROR"
log-size = 5242880
log-max-kept = 5
sync-token = "0c509ADEA9473E345AA1224EDD0BF012" <-- token assigned to Tri Star
debug = false
sync-interval = "6h0m0s"
useMailAttrib = false
emailAttribute = "proxyAddresses"
primaryProxyOnly = true <-- changed from false
TRISTAR.LAN.conf was created when the KnowBe4 Active Directory Integration (KnowBe4_AD_Sync.msi) was installed. This configuration controls which LDAP attributes are retrieved (the ones listed are the only ones KnowBe4 supports), which User OUs should be included or excluded, and which Group OUs should be included or excluded.
Here's a dump of the TRISTAR.LAN.conf file with noted modifications:
[sync]
enabled = true
server = "DC01"
port = 636
use-ssl = true
root-ca-cert = ""
ssl-skip-verify = true
include-disabled-managers = false
basedn = "dc=TRISTAR,dc=LAN"
filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
filter_users_by_ou = "(&(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*))"
filter_users_by_name = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*)(|{DYNAMIC_CONTENT}))"
filter_users_by_group = "(&(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*)(|{DYNAMIC_CONTENT}))"
filter_users_by_token = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*)(primaryGroupID={DYNAMIC_CONTENT}))"
[sync.fields]
comment = ""
custom-date-1 = ""
custom-date-2 = ""
custom-field-1 = ""
custom-field-2 = ""
custom-field-3 = ""
custom-field-4 = ""
department = "department"
division = "division"
employee-number = "employeeNumber"
employee-start-date = "whenCreated"
first-name = "givenName"
last-name = "sn"
location = "physicalDeliveryOfficeName"
manager = "manager"
mobile-number = ""
organization = "o"
phone-number = "telephoneNumber"
title = "title"
[sync.users]
includedOUs = ["Store Operations","Support Center","Sudden Service"] <-- added these OUs for users to be pulled from
excludedOUs = [""]
includedGroups = [""]
excludedGroups = ["Store Management","IT_Adm Accounts","KnowBe4_Excluded"] <-- added these to exclude accounts that should not be enrolled in KnowBe4
includedUsers = [""]
excludedUsers = [""]
[sync.groups]
includedOUs = [""]
excludedOUs = [""]
includedGroups = [""]
excludedGroups = [""]
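Added check, not part of the KnowBe4 tool or of either file: a small Python lint that parses the flat key = value layout of ADISync.conf and TRISTAR.LAN.conf (dropping the "<--" notes used in the dump) and flags the settings a reviewer would question, chiefly ssl-skip-verify = true, which makes the LDAPS connection to DC01 accept any certificate. The embedded snippets are constructed from the values above with a placeholder in place of the real sync token.

```python
# Added lint for ADISync.conf and TRISTAR.LAN.conf (example code, not KnowBe4's tool).
import re
DISABLED_UAC = "(!userAccountControl:1.2.840.113556.1.4.803:=2)"

def parse_conf(text: str) -> dict:
    """Parse the flat 'key = value' / '[section]' layout of both files; trailing
    '<--' notes like those in the dump are dropped, top-level keys land under ''."""
    conf = {"": (cur := {})}
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1], {})
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if val.startswith("["):  # string array, empty entries dropped
            cur[key] = [v for v in re.findall(r'"([^"]*)"', val) if v]
        elif val in ("true", "false"):
            cur[key] = val == "true"
        elif val.lstrip("-").isdigit():
            cur[key] = int(val)
        else:
            cur[key] = val.strip('"')
    return conf

def lint(adisync: dict, domain: dict) -> list:
    top, sync, users = adisync[""], domain.get("sync", {}), domain.get("sync.users", {})
    findings = []
    if not top.get("post-url", "").startswith("https://"):
        findings.append("post-url must be HTTPS: the sync token rides on every upload")
    if sync.get("use-ssl") and sync.get("ssl-skip-verify"):
        findings.append(f"ssl-skip-verify=true: LDAPS to {sync.get('server')} accepts any certificate; set root-ca-cert to the internal CA instead")
    if DISABLED_UAC not in sync.get("filter", ""):
        findings.append("filter does not exclude disabled accounts (UAC bit 2)")
    if "KnowBe4_Excluded" not in users.get("excludedGroups", []):
        findings.append("KnowBe4_Excluded is missing from [sync.users] excludedGroups")
    return findings

# Constructed snippets of both files; the token is a placeholder, not the real one.
ADISYNC_SAMPLE = '''post-url = "https://training.knowbe4.com/api/v1/ldap/user_upload"
sync-token = "TOKEN-PLACEHOLDER" <-- real value stays on Utility06
primaryProxyOnly = true'''
DOMAIN_SAMPLE = '''[sync]
server = "DC01"
use-ssl = true
ssl-skip-verify = true
filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
[sync.users]
excludedGroups = ["Store Management","IT_Adm Accounts","KnowBe4_Excluded"]'''
```

Run lint(parse_conf(open(...).read()), ...) against the live files on Utility06 after any edit; an empty list means the settings above pass every check.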
To force an AD Sync:
- Log into Utility06 as an administrator
- Open Services
- Find Active Directory Integration Sync service and restart it
- This will kick off an AD Sync