Microsoft Active Directory (AD)

Microsoft Active Directory (AD) is a directory service for Windows domain networks that authenticates and authorizes all users and computers.

Parameters

  1. DC Address (required) - The address of the Domain Controller (DC). Can be either an IP address or a valid DNS name that Axonius can reach via the Required Ports.
  2. User Name and Password (required) - A user with regular LDAP query rights and its password. The user name should be in the form DOMAIN\USERNAME. Please note that the DOMAIN prefix is case sensitive.
  3. DNS Address (optional, default: False) - By default, the DC server is assumed to also be a DNS server. If a different DNS server serves this Active Directory, specify its address here.
  4. Alternative DNS Suffix (optional, default: False) - Replaces the device's original DNS suffix when resolving DNS names. For example, if the device name is windows8.acme.corp and the Alternative DNS Suffix is 'acme-corp.lan', DNS resolution is done for windows8.acme-corp.lan.
  5. Use SSL for connection (optional, default: Unencrypted) - Use SLDAP (LDAP over SSL) instead of unencrypted LDAP.
  6. CA File (optional) - If you choose to use SLDAP (LDAP over SSL), add the CA certificate file (CA File) used to validate the DC's certificate to the credentials.
  7. Do Not Fetch Users (optional, default: False) - Select this option if you do not want to fetch users.
  8. Fetch Disabled Devices and Fetch Disabled Users (optional, default: False) - Select to fetch disabled devices or users. By default, Axonius fetches only enabled devices and users.
  9. Connect to Global Catalog (GC) (required, default: False) - Select this option if the configured DC has a Global Catalog role.
  10. Organizational units whitelist (optional) - Set one or more OUs so that Axonius fetches only entities that reside in the listed organizational units. Each item in the list should be the 'OU' value of the desired OU DN. For example, for the OU DN "OU=Ireland Office,DC=acme,DC=corp", specify 'Ireland Office'.
  11. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.
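The OU whitelist and the Alternative DNS Suffix both rewrite or filter names before any query is sent. The following Python is an added example, not Axonius code: it models those two parameters on constructed DN and hostname values. It assumes (as AD does) that OU names compare case-insensitively, and that the short host name is the leftmost DNS label; the DN parser honours backslash escapes so that a comma inside a value such as "Smith\, John" does not split the DN.

```python
"""DN parsing, OU whitelist matching and DNS-suffix replacement.

Added example, not Axonius code: it models the "Organizational units whitelist"
and "Alternative DNS Suffix" parameters described above. The DN values and
hostnames used are constructed for the demonstration.
"""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs, honouring backslash escapes
    so that a value such as "Smith\\, John" is not split at its comma."""
    parts: list[str] = []
    current: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:                 # previous char was '\': take this one literally
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma ends the RDN
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    rdns: list[tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        # attribute types are case-insensitive: normalise them, keep the value as-is
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def in_ou_whitelist(dn: str, whitelist: list[str] | None) -> bool:
    """True if the entry may be fetched: an empty whitelist means no OU filtering,
    otherwise at least one OU component of the DN must equal a listed value.
    Assumption: AD compares OU names case-insensitively, so both sides are casefolded."""
    if not whitelist:
        return True
    wanted = {w.casefold() for w in whitelist}
    return any(attr == "OU" and value.casefold() in wanted
               for attr, value in parse_dn(dn))


def resolve_name(hostname: str, alt_suffix: str | None = None) -> str:
    """Name handed to DNS: with no alternative suffix the original name is used;
    otherwise the short (leftmost) label is kept and the configured suffix
    replaces everything after it."""
    if not alt_suffix:
        return hostname
    short = hostname.split(".", 1)[0]
    return f"{short}.{alt_suffix.strip('.')}"


if __name__ == "__main__":
    whitelist = ["Ireland Office"]
    for dn in ("CN=WS01,OU=Ireland Office,DC=acme,DC=corp",
               "CN=WS02,OU=Paris Office,DC=acme,DC=corp"):
        print(dn, "->", "fetch" if in_ou_whitelist(dn, whitelist) else "skip")
    print(resolve_name("windows8.acme.corp", "acme-corp.lan"))
```

Run the file directly to see WS01 fetched, WS02 skipped, and the suffix rewrite applied; an empty whitelist disables OU filtering entirely rather than matching nothing, which is the behaviour the page describes for an unset optional parameter.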


Advanced Settings

  1. Enable IP Resolving (required, default: True)
    • If enabled, all connections for this adapter will try to find the IP of the fetched AD entities using three sources: the DNS configured on the machine, the DNS supplied in the credentials, and the AD DC itself.
    • If disabled, all connections for this adapter will try to find the IP of the fetched AD entities using only the AD DC itself.
  2. Max parallel DNS queries (optional, default: 1000) - This field limits the number of DNS queries issued in parallel.
  3. Show verbose notifications about connection failures (optional, default: False)
    • If enabled, all connections for this adapter will produce verbose notifications about authentication failures.
    • If disabled, all connections for this adapter will not produce verbose notifications about authentication failures.
  4. Fetch Users Image (required, default: True)
    • If enabled, all connections for this adapter will fetch user images.
    • If disabled, all connections for this adapter will not fetch user images.
  5. Get nested group membership for each user (required, default: True)
    • If enabled, all connections for this adapter will fetch the nested group membership for each user.
    • If disabled, all connections for this adapter will not fetch the nested group membership for each user.
  6. LDAP pagination (entries per page) (required, default: 900) - How many entries to fetch in each LDAP request.
  7. LDAP socket connection timeout (seconds) (required, default: 10) - The maximum socket connection timeout.
  8. LDAP socket receive timeout (seconds) (required, default: 120) - The maximum socket receive timeout.
  9. Devices to exclude by objectCategory (optional, default: empty) - This field lets you exclude devices that have a specific AD objectCategory.
    • If supplied, all connections for this adapter will exclude devices with the specified AD objectCategory.
    • If not supplied, all connections for this adapter will not exclude any devices.
  10. LDAP fields to exclude (optional, default: empty) - Specify a comma-separated list of one or more LDAP fields to exclude from the data. For example, "employeeID, givenName" excludes both of these fields from the raw and parsed data produced by the adapter.
    • If supplied, all connections for this adapter will not fetch the specified LDAP fields. The specified fields will not be part of the asset data in Axonius.
    • If not supplied, all connections for this adapter will fetch all asset LDAP fields.
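Three of these settings (objectCategory exclusion, LDAP field exclusion and nested group membership) are post-processing on the entries the adapter receives. The following Python is an added example, not Axonius code, that shows each of them on constructed sample entries and a constructed memberOf graph. The page does not state how Axonius matches objectCategory; this example compares the leading CN of the objectCategory DN, case-insensitively, as an assumption. The memberOf graph deliberately contains a cycle, because nested membership in AD can form one and the expansion must still terminate; effective rights (for example, an indirect path into a privileged built-in group) only become visible once nesting is expanded.

```python
"""Filters and nested-group expansion for fetched AD entries.

Added example, not Axonius code: it models three of the advanced settings
above ("Devices to exclude by objectCategory", "LDAP fields to exclude" and
"Get nested group membership for each user") on constructed sample data.
Assumption: objectCategory is matched on the leading CN of its DN.
"""
from __future__ import annotations
from collections import deque

# Constructed sample entries, shaped like raw LDAP results.
ENTRIES = [
    {"dn": "CN=WS01,OU=Ireland Office,DC=acme,DC=corp",
     "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=acme,DC=corp",
     "operatingSystem": "Windows 10 Enterprise"},
    {"dn": "CN=PRN01,OU=Ireland Office,DC=acme,DC=corp",
     "objectCategory": "CN=Print-Queue,CN=Schema,CN=Configuration,DC=acme,DC=corp"},
    {"dn": "CN=jdoe,OU=Ireland Office,DC=acme,DC=corp",
     "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=acme,DC=corp",
     "givenName": "Jane", "sn": "Doe", "employeeID": "E-1001"},
]

# Constructed memberOf graph: object DN -> DNs of the groups it is a direct member of.
# "Staff" is itself a member of "Helpdesk", so the graph contains a cycle.
MEMBER_OF = {
    "CN=jdoe,OU=Ireland Office,DC=acme,DC=corp": [
        "CN=Helpdesk,OU=Groups,DC=acme,DC=corp"],
    "CN=Helpdesk,OU=Groups,DC=acme,DC=corp": [
        "CN=Server Operators,CN=Builtin,DC=acme,DC=corp",
        "CN=Staff,OU=Groups,DC=acme,DC=corp"],
    "CN=Staff,OU=Groups,DC=acme,DC=corp": [
        "CN=Helpdesk,OU=Groups,DC=acme,DC=corp"],
}


def category_name(object_category: str) -> str:
    """Leading CN value of an objectCategory DN, e.g. 'Computer'."""
    first_rdn = object_category.split(",", 1)[0]
    return first_rdn.partition("=")[2].strip()


def exclude_by_object_category(entries, excluded: list[str]) -> list[dict]:
    """Drop entries whose objectCategory name is in the excluded list (case-insensitive)."""
    if not excluded:
        return list(entries)
    blocked = {name.casefold() for name in excluded}
    return [e for e in entries
            if category_name(e.get("objectCategory", "")).casefold() not in blocked]


def strip_excluded_fields(entry: dict, excluded_csv: str) -> dict:
    """Remove the comma-separated LDAP attributes from an entry before it is stored.
    LDAP attribute names are case-insensitive, so the comparison is casefolded."""
    blocked = {f.strip().casefold() for f in excluded_csv.split(",") if f.strip()}
    return {k: v for k, v in entry.items() if k.casefold() not in blocked}


def nested_groups(dn: str, member_of: dict[str, list[str]]) -> set[str]:
    """Transitive closure of memberOf: every group the object belongs to directly
    or through other groups. The visited set guarantees termination on cycles."""
    seen: set[str] = set()
    queue = deque(member_of.get(dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


if __name__ == "__main__":
    kept = exclude_by_object_category(ENTRIES, ["Print-Queue"])
    for entry in kept:
        print(strip_excluded_fields(entry, "employeeID, givenName"))
    user_dn = "CN=jdoe,OU=Ireland Office,DC=acme,DC=corp"
    for group in sorted(nested_groups(user_dn, MEMBER_OF)):
        print("member of", group)
```

With the print queue excluded and "employeeID, givenName" stripped, the user entry keeps only its DN, objectCategory and surname, and the nested expansion reports Helpdesk, Staff and Server Operators even though the user is a direct member of Helpdesk alone.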


Required Ports

Axonius must be able to communicate with the value supplied in DC Address via the following ports:
