HomeLiongardRequest a DemoKnowledge Base

Active Directory

This document provides the steps required to configure the Active Directory Inspector.

Suggest Edits

👍

Quick Details

Recommended Agent: Self-Managed
Supported Agents: Self-Managed
Is Auto-Discovered By: Windows Server Inspector
Can Auto-Discover: Windows Server Inspector
Parent/Child Type Inspector: No
Inspection via: CLI
Data Summary: Here

Overview

See it in Action

❗️

Operating System Support

This Inspector has limited support when run against domain controllers running Windows Server 2008 R2 or older operating systems.

  • This Inspector does not support "local inspections" (i.e., when the Liongard Agent is installed on the domain controller itself) for pre-2012 OS versions.
  • "Remote inspections" where the Agent is installed on another server with a newer OS version are possible but require Active Directory Web Services on the target domain controller. ADWS was not included by default on older versions of Windows Server and must be installed separately and at your own discretion.
    *For more information, please review this documentation.

📘

Windows Agent

These instructions assume that you already have a Windows Agent installed in the Environment (e.g., on the local network) containing at least one Active Directory controller.

If not, refer to our Agents documentation

Inspector Setup Preparation

🚧

Active Directory PowerShell Scripts

Upon activation, the Active Directory Inspector will run a series of PowerShell scripts to return data to Liongard.

Ensure your system accounts for these actions to take place by allowlisting the Agent within the applicable software, such as ThreatLocker.

Identify Target Active Directory Domain Controller

This Inspector setup requires entering the fully qualified name (e.g., dc01.contoso.com) of one of your domain controllers. If you have more than one domain controller, the Inspector only needs to be set up against one of them.

If you do not know the name of your domain controller server(s), you can identify the name by following the options below which depend on whether you are currently logged into the domain controller or if you're on a remote device that is on the domain.

Active Directory Users & Computers

In the Active Directory Users & Computers UI tool, navigate to (your domain) > Domain Controllers OU. Then, select Properties of your desired domain controller to view the fully qualified name.

918

Fully qualified hostname via Domain Controller Properties.

PowerShell

Run the following PowerShell command from a Windows computer with the addsadministration module installed.

Refer to Microsoft's documentation for further information.

Get-ADDomainController | Where-Object{ Write-Host $_.HostName }

Verify Prerequisites

  • Active Directory Tools must be installed. To do so, run the command below from an Administrator PowerShell Windows (e.g., right-click and Run As Administrator) or see Amazon's documentation for installing via the GUI. 
Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
  • If the Agent does not reside on the Domain Controller itself, other tools must also be installed on the Agent server:
Install-WindowsFeature -Name GPMC,RSAT-ADDS-Tools,RSAT-DNS-Server

Liongard Inspector Setup

Activating Auto-Discovered Inspectors

If you have activated the Windows Server Inspector for your Domain Controller, it will Auto-Discover your Active Directory Inspector. If you have not activated a Windows Server Inspector, you can follow the instructions for Single Inspector Setup. Follow the steps below to activate:

Navigate to Admin > Inspectors > Select Active Directory > Select the Discovered Systems tab

Here you can Activate your Discovered Active Directory Inspectors:

  • Select the checkbox to the left of the Inspector(s) that you would like to Activate
  • Select the Actions drop down menu above the Discovered Systems table
  • Select Activate Launchpoints

🚧

Active Directory Auto-Discovery

Liongard will auto-discover Windows servers with the following parameters:

  • Someone has logged into the server within the last 45 days
  • The operating system has the words “Windows Server” in the name. This allows us to discover launchpoints only for the Windows Servers and not the workstations.
  • The machine is currently "Enabled" in Active Directory

Single Inspector Liongard Setup

🚧

Username/Password

If you are running the On-Premises Liongard Agent locally on a Domain Controller, then you may leave the Username and Password fields blank. They are only necessary if the Agent is running on a different system joined to the domain with access to the Domain Controller.

In Liongard, navigate to Admin > Inspectors > Inspector Types > Navigate to the Active Directory Inspector > Select Add System.

Fill in the following information:

  • Environment: Select the Environment this System should be associated to
  • Friendly Name: Suggested "Active Directory [Environment Name]"
  • Agent: Select the On-premises Agent installed for this Environment
  • Inspector Version: Latest
  • Active Directory Domain Controller (Optional): Name of the Domain Controller identified above.
  • Leave this field blank if the Agent is on the Domain Controller or if you are unsure.
  • Limit Search by Organizational Units (Optional): Specify a semi-colon separated list of OU distinguished names to limit the inspection.
    • Note: This will only affect items such as Computers, Users, and Groups.
    • Leave this field blank to search all of Active Directory.
  • Pause between Commands (Secs) (Optional): In most cases you do not need any pause between commands, but in certain cases, it may be required for resource constrained Domain Controllers.
  • Domain Admin Username (Optional): If necessary, provide the Domain Admin service account name
    • Leave this field blank if the Agent is on the Domain Controller or if you are unsure
  • Domain Admin Password (Optional): If necessary, provide the Domain Admin service account password
    • Leave this field blank if the Agent is on the Domain Controller or if you are unsure
  • Trimmed Inspector Payload (Optional): Leave this blank unless you have issues with payload size. By choosing a level 1-5 with 5 being the most trimmed Data Print, you will be opting into bringing back a trimmed Inspector payload. Fore more information, please review our documentation.
  • Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule

Select Save. The Inspector will now be triggered to run within the minute

Optional: Turn on Flexible Asset/Configuration Auto-Updating

If you would like this Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for this Inspector:

  • ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
  • IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled

Auto-Discovery: Windows Server

The Windows Server Inspector Auto-Discovers Active Directory, Hyper-V, SQL Server, and Network Discovery Inspectors (if a Network Discovery Inspector isn't already present).

To set up an Auto-Discovered Windows Server Inspector(s), please see our Windows Server Inspector documentation.

Active Directory Inspector KB and FAQs

Active Directory Inspector KB and FAQs

Inspector FAQs

Updated 2 months ago