Host Defender fails to install on a Windows Active Directory Server with the error "Group S-1-5-32-544 was not found"
Created On 07/07/24 20:48 PM - Last Modified 11/01/24 17:20 PM
Symptom
When running the defender installation script in Powershell, the following error is returned:
Get-LocalGroup : Group S-1-5-32-544 was not found.
At C:\Program Files\defender.ps1:214 char:14
+ $group = Get-LocalGroup -SID "S-1-5-32-544"
+              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (S-1-5-32-544:SecurityIdentifier) [Get-LocalGroup], GroupNotFoundException
    + FullyQualifiedErrorId : GroupNotFound,Microsoft.PowerShell.Commands.GetLocalGroupCommand
Environment
Prisma Cloud Compute Edition
Prisma Cloud Runtime Security (SaaS Enterprise Edition)
Windows Server with Active Directory
Cause
By default, the defender script resolves the name of the built-in Administrators group from its well-known SID "S-1-5-32-544" using Get-LocalGroup:
$group = Get-LocalGroup -SID "S-1-5-32-544"
However, servers that function as Active Directory domain controllers have no "Local Groups"; their built-in groups are "AD Groups" instead, so Get-LocalGroup cannot find the SID.
Resolution
1. Edit the defender.ps1 script. The script should still be present on your Windows VM after the previous failed install; it is located in 'C:/Program Files/Twistlock/scripts'.
2. Open the file in any text editor and locate the function "get-admin-group-name":
function get-admin-group-name {
    # Built-in SID for the Administrators group
    $group = Get-LocalGroup -SID "S-1-5-32-544"
    return $group.Name
}
3. Modify it to use Get-ADGroup instead (Get-ADGroup comes from the ActiveDirectory PowerShell module, which is installed on a domain controller). The modified function should look similar to:
function get-admin-group-name {
    # Built-in SID for the Administrators group
    # $group = Get-LocalGroup -SID "S-1-5-32-544"
    # On a domain controller the built-in group lives in the directory, so query AD by SID
    $group = Get-ADGroup -Identity S-1-5-32-544 -Properties member
    return $group.Name
}
4. Save the changes and install the defender manually. First make sure you are in the correct directory by running the following command in Powershell:
cd 'C:/Program Files/Twistlock/scripts'
Then run the following command:
.\defender.ps1 -type serverWindows -consoleCN xxxxx.cloud.twistlock.com -install
* Change the value of consoleCN to match your "Path to console" less your Customer ID (ex. us-east1.cloud.twistlock.com).
5. The host defender should install successfully.
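As an added example that is not part of the defender.ps1 script, here is one way to write the lookup so the same script works on both member servers and domain controllers: it checks the machine's domain role, uses Get-ADGroup on a domain controller and Get-LocalGroup elsewhere, and falls back to a .NET SID translation that needs no module. The function name Get-AdminGroupName and the DomainRole check are my own additions.

```powershell
# Added example, not the Prisma Cloud defender.ps1 code: resolve the name of the
# built-in Administrators group (well-known SID S-1-5-32-544) on any Windows role.
function Get-AdminGroupName {
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDomainController = ($role -ge 4)

    $name = $null
    try {
        if ($isDomainController) {
            # Domain controllers have no local SAM groups; BUILTIN\Administrators
            # is stored in the directory, so query it by SID with the AD module.
            Import-Module ActiveDirectory -ErrorAction Stop
            $name = (Get-ADGroup -Identity $sid.Value -ErrorAction Stop).Name
        } else {
            # Member server or standalone host: the local group exists.
            $name = (Get-LocalGroup -SID $sid -ErrorAction Stop).Name
        }
    } catch {
        # Fallback that works on every role without extra modules: ask the OS to
        # translate the SID; the result is "BUILTIN\Administrators" (localized name).
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $name = $account.Split('\')[-1]
    }

    if ([string]::IsNullOrWhiteSpace($name)) {
        throw "Could not resolve the Administrators group name for SID $($sid.Value)"
    }
    return $name
}

# Usage: prints the localized group name, e.g. "Administrators".
Get-AdminGroupName
```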