Active Directory

This document provides the steps required to configure the Active Directory Inspector.

👍

Quick Details

Recommended Agent: Self-Managed
Supported Agents: Self-Managed
Is Auto-Discovered By: Windows Server Inspector
Can Auto-Discover: N/A
Parent/Child Type Inspector: No
Inspection via: CLI
Data Summary: Here

Overview

See it in Action

❗️

Operating System Support

This Inspector has limited support when run against domain controllers running Windows Server 2012 R2 or older operating systems.

  • This Inspector does not support "local inspections" (i.e., when the Liongard Agent is installed on the domain controller itself) for pre-2016 OS versions.
  • "Remote inspections" where the Agent is installed on another server with a newer OS version are possible but require Active Directory Web Services on the target domain controller. ADWS was not included by default on older versions of Windows Server and must be installed separately and at your own discretion.
    For more information, please review this documentation.

📘

Windows Agent

These instructions assume that you already have a Windows Agent installed in the Environment (e.g., on the local network) containing at least one Active Directory controller.

If not, refer to our Agents documentation

Inspector Setup Preparation

🚧

Active Directory PowerShell Scripts

Upon activation, the Active Directory Inspector will run a series of PowerShell scripts to return data to Liongard.

Make sure these scripts are allowed to run by allowlisting the Agent in any application-control software in use, such as ThreatLocker.

Identify Target Active Directory Domain Controller

This Inspector setup requires entering the fully qualified name (e.g., dc01.contoso.com) of one of your domain controllers. If you have more than one domain controller, the Inspector only needs to be set up against one of them.

If you do not know the name of your domain controller server(s), use one of the options below. Which one applies depends on whether you are logged into the domain controller itself or are on a remote device that is joined to the domain.

Active Directory Users & Computers

In the Active Directory Users & Computers UI tool, navigate to (your domain) > Domain Controllers OU. Then, select Properties of your desired domain controller to view the fully qualified name.


Fully qualified hostname via Domain Controller Properties.

PowerShell

Run the following PowerShell command from a Windows computer with the addsadministration module installed.

Refer to Microsoft's documentation for further information.

Get-ADDomainController | Select-Object -ExpandProperty HostName

Verify Prerequisites

  • Active Directory Tools must be installed. To do so, run the command below from an Administrator PowerShell window (e.g., right-click and Run As Administrator) or see Amazon's documentation for installing via the GUI.
Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
  • If the Agent does not reside on the Domain Controller itself, other tools must also be installed on the Agent server:
Install-WindowsFeature -Name GPMC,RSAT-ADDS-Tools,RSAT-DNS-Server
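
The prerequisites above can be checked in one pass before the Inspector is created. The script below is an added example, not part of Liongard's documentation or tooling: the function name Test-ADInspectorPrereqs and its parameters are hypothetical, and it assumes it runs under an account that is allowed to query the domain. It confirms the listed Windows features are installed, that the domain controller's fully qualified name resolves, that Active Directory Web Services answers on its default port (TCP 9389), and that a query through ADWS succeeds.

```powershell
# Added example: pre-flight check for the prerequisites above. Run it in an
# elevated PowerShell window on the server that hosts the Agent.
function Test-ADInspectorPrereqs {
    param(
        [Parameter(Mandatory)][string]$DomainController,  # FQDN of the target DC
        [switch]$RemoteAgent                              # Agent is not on the DC itself
    )
    $features = @('RSAT-AD-PowerShell', 'RSAT-AD-AdminCenter')
    if ($RemoteAgent) { $features += 'GPMC', 'RSAT-ADDS-Tools', 'RSAT-DNS-Server' }

    # 1. Windows features named in the prerequisites
    foreach ($f in Get-WindowsFeature -Name $features) {
        [pscustomobject]@{ Check = "Feature $($f.Name)"; Passed = $f.Installed; Detail = "$($f.InstallState)" }
    }

    # 2. The FQDN entered in the Inspector must resolve from the Agent server
    try {
        $ip = (Resolve-DnsName -Name $DomainController -ErrorAction Stop |
               Where-Object IPAddress | Select-Object -First 1).IPAddress
        [pscustomobject]@{ Check = 'DNS resolution'; Passed = [bool]$ip; Detail = "$ip" }
    } catch {
        [pscustomobject]@{ Check = 'DNS resolution'; Passed = $false; Detail = $_.Exception.Message }
    }

    # 3. Active Directory Web Services listens on TCP 9389
    $tcp = Test-NetConnection -ComputerName $DomainController -Port 9389 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = 'ADWS TCP 9389'; Passed = $tcp.TcpTestSucceeded; Detail = "$($tcp.RemoteAddress)" }

    # 4. A real query through ADWS; also reports the DC's OS version
    try {
        $dc = Get-ADDomainController -Identity $DomainController -Server $DomainController -ErrorAction Stop
        [pscustomobject]@{ Check = 'AD query'; Passed = $true; Detail = "$($dc.HostName) ($($dc.OperatingSystem))" }
    } catch {
        [pscustomobject]@{ Check = 'AD query'; Passed = $false; Detail = $_.Exception.Message }
    }
}

# dc01.contoso.com is the sample name used on this page; substitute your own DC.
Test-ADInspectorPrereqs -DomainController 'dc01.contoso.com' -RemoteAgent | Format-Table -AutoSize
```

Omit -RemoteAgent when the Agent is installed on the domain controller itself. A failed "ADWS TCP 9389" row against an older domain controller points to the Active Directory Web Services requirement described under Operating System Support.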

Liongard Inspector Setup

Single Inspector Liongard Setup

🚧

Username/Password

If you are running the On-Premises Liongard Agent locally on a Domain Controller, then you may leave the Username and Password fields blank. They are only necessary if the Agent is running on a different system joined to the domain with access to the Domain Controller.

In Liongard, navigate to Admin > Inspectors > Inspector Types, open the Active Directory Inspector, and select Add System.

Fill in the following information:

  • Environment: Select the Environment this System should be associated with
  • Friendly Name: Suggested "Active Directory [Environment Name]"
  • Agent: Select the On-premises Agent installed for this Environment
  • Inspector Version: Latest
  • Active Directory Domain Controller (Optional): Name of the Domain Controller identified above.
    • Leave this field blank if the Agent is on the Domain Controller or if you are unsure.
  • Limit Search by Organizational Units (Optional): Specify a semi-colon separated list of OU distinguished names to limit the inspection.
    • Note: This will only affect items such as Computers, Users, and Groups.
    • Leave this field blank to search all of Active Directory.
  • Pause between Commands (Secs) (Optional): In most cases you do not need any pause between commands, but in certain cases, it may be required for resource constrained Domain Controllers.
  • Domain Admin Username (Optional): If necessary, provide the Domain Admin service account name
    • Leave this field blank if the Agent is on the Domain Controller or if you are unsure
  • Domain Admin Password (Optional): If necessary, provide the Domain Admin service account password
    • Leave this field blank if the Agent is on the Domain Controller or if you are unsure
  • Trimmed Inspector Payload (Optional): Leave this blank unless you have issues with payload size. By choosing a level 1-5, with 5 being the most trimmed Data Print, you will be opting into bringing back a trimmed Inspector payload. For more information, please review our documentation.
  • Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule.

Select Save. The Inspector will now be triggered to run within the minute.

Optional: Turn on Flexible Asset/Configuration Auto-Updating

If you would like this Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for this Inspector:

  • ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
  • IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled

Active Directory Inspector KB and FAQs

Inspector FAQs