Microsoft Active Directory (AD)
- Updated on 22 Dec 2022
- 7 Minutes to read
Microsoft Active Directory (AD) is a directory service for Windows domain networks that authenticates and authorizes all users and computers.
About Microsoft Active Directory
Microsoft Active Directory (AD) is a user and asset management system. Customers use it to provide authentication and authorization for users, and access control to systems.
Use cases the adapter solves
The adapter primarily enumerates users and devices from AD. This populates assets in Axonius and brings in valuable information about each asset, such as group and OU memberships, OS type, and OS distribution; these properties support informed decision-making. It also helps identify unmanaged Windows systems and, secondarily, qualifies other kinds of coverage, such as which Windows systems have agents deployed. You can also discover users with too many permissions, or users that have not logged in for a specified period.
Data retrieved by Microsoft Active Directory
The Microsoft Active Directory adapter fetches two distinct asset classes: devices and users. Device fields include Hostname, Domain, OU, Trusts, Site, and network information (interfaces, VLANs, IPs, MACs). User fields follow the same pattern and include account, password, and logon details (all AD attributes relating to the account).
Using Axonius to provide visibility and searchability into AD also brings the Enforcement Center into play: devices can be decommissioned or moved/segmented based on criteria other than configuration, and user accounts can be modified, enabled, or disabled.
Types of Assets Fetched
This adapter fetches the following types of assets:
- Devices
- Users
Parameters
To connect the adapter, supply the following parameters:
- DC Address (required) - The address of the Domain Controller (DC): either an IP address or a DNS name that Axonius can reach on the Required Ports. To use a custom LDAP port, enter the DC address and the port separated by a colon, in the form DC_NAME:PORT_NUMBER; the value after the colon is then used as the port instead of the default for the selected connection type.
- User Name and Password (required) - A user with regular LDAP query rights, and its password. The user name must be in the form DOMAIN\USERNAME; note that the DOMAIN prefix is case sensitive.
- DNS Address (optional) - By default, Axonius assumes that the DC is also a DNS server. If this Active Directory uses a different DNS server, specify it here.
- Alternative DNS Suffix (optional) - Replaces the device's original DNS suffix when resolving names. For example, if the device name is windows8.acme.corp and the Alternative DNS Suffix is acme-corp.lan, the name resolved is windows8.acme-corp.lan.
- Use SSL for connection (optional, default: unencrypted) - Use LDAPS (LDAP over SSL/TLS).
- CA File (PEM Format) (optional) - When using LDAPS, add the CA certificate (PEM format) that issued the DC's server certificate; it is used to verify the LDAPS connection.
- Do Not Fetch Users (optional, default: False) - Select this option if you do not want to fetch users.
- Fetch Disabled Devices and Fetch Disabled Users (optional) - Select to fetch disabled devices or users. By default, Axonius fetches only enabled devices and users.
- Connect to Global Catalog (GC) (optional) - Select this option if the configured DC also holds the Global Catalog role; queries are then sent to the GC port (3268, or 3269 with SSL).
- Organizational units include list (optional) - One or more OUs; Axonius then fetches only entities that reside in the listed organizational units. Each item is the 'OU' value from the desired OU's DN. For example, to fetch only the Ireland Office and New York Office OUs of acme.corp (DNs OU=Ireland Office,DC=acme,DC=corp and OU=New York Office,DC=acme,DC=corp), enter Ireland Office and New York Office.
- Organizational units to exclude (optional) - One or more OUs; Axonius then does not fetch entities that belong to the listed organizational units. Each item is the 'OU' value from the DN of the OU to exclude, specified in the same way as for the include list.
- To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
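The following Python is an added example, not Axonius code, showing what the connection parameters above mean at the LDAP level, so that the DC address and port, the LDAPS trust, the DOMAIN\USERNAME bind and the effective search filter and bases can be checked before the connection is saved. The class and function names, the use of the ldap3 library, and the assumed query forms (enabled-only via the userAccountControl bit, OU include as search bases, OU exclude applied to results) are this example's own; the page does not state how the adapter itself queries AD.

```python
"""Added example, not Axonius code: the LDAP-level meaning of the connection
parameters, for checking a connection before saving it.  Names and the assumed
query forms (see comments) are this example's own."""
import re
import ssl
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

UF_ACCOUNTDISABLE = 0x0002          # userAccountControl bit: account is disabled
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND extensible-match OID
# (use_ssl, global_catalog) -> port, as in the Required Ports list
DEFAULT_PORTS = {(False, False): 389, (True, False): 636,
                 (False, True): 3268, (True, True): 3269}

@dataclass
class AdConnection:
    dc_address: str                # "dc01.acme.corp" or "dc01.acme.corp:10636"
    user: str                      # DOMAIN\USERNAME, e.g. "ACME\\svc-axonius"
    password: str
    use_ssl: bool = False
    global_catalog: bool = False
    ca_file: Optional[str] = None  # PEM CA file; required when use_ssl is set
    fetch_disabled: bool = False
    ou_include: List[str] = field(default_factory=list)
    ou_exclude: List[str] = field(default_factory=list)
    exclude_object_categories: List[str] = field(default_factory=list)

def host_and_port(c: AdConnection) -> Tuple[str, int]:
    """DC_NAME:PORT overrides the port; otherwise the SSL/GC checkboxes pick it.
    A bare IPv6 address has colons but no port; write [addr]:port for that case."""
    a = c.dc_address.strip()
    if a.startswith("[") and "]:" in a:
        host, port = a[1:].split("]:", 1)
        return host, int(port)
    if a.count(":") == 1 and a.rpartition(":")[2].isdigit():
        host, _, port = a.rpartition(":")
        return host, int(port)
    return a, DEFAULT_PORTS[(c.use_ssl, c.global_catalog)]

def escape_filter(v: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return (v.replace("\\", "\\5c").replace("*", "\\2a")
             .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))

def escape_dn(v: str) -> str:
    """RFC 4514 escaping for an OU name used as an RDN value."""
    out = v.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    return out

def search_bases(c: AdConnection, domain_dn: str) -> List[str]:
    """'Organizational units include list' -> one search base per OU (assumed to
    sit directly under the domain root); an empty list means the whole domain."""
    if not c.ou_include:
        return [domain_dn]
    return [f"OU={escape_dn(ou)},{domain_dn}" for ou in c.ou_include]

def search_filter(c: AdConnection, kind: str) -> str:
    """Filter implied by 'Fetch Disabled ...' and 'Devices to exclude by objectCategory'."""
    terms = (["(objectCategory=computer)"] if kind == "device"
             else ["(objectCategory=person)", "(objectClass=user)"])
    if not c.fetch_disabled:   # default: enabled accounts only
        terms.append(f"(!(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE}))")
    if kind == "device":
        terms += [f"(!(objectCategory={escape_filter(x)}))" for x in c.exclude_object_categories]
    return terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"

def in_excluded_ou(dn: str, c: AdConnection) -> bool:
    """AD cannot filter on a DN suffix, so 'Organizational units to exclude' must be
    applied to results; a listed OU anywhere in the DN excludes the entry."""
    parts = {p.strip().lower() for p in re.split(r"(?<!\\),", dn)}  # split on unescaped commas
    return any(f"ou={escape_dn(ou).lower()}" in parts for ou in c.ou_exclude)

def bind(c: AdConnection):
    """Connect with the ldap3 library (imported lazily so the helpers above run
    without it).  Needs a reachable DC, so it is not exercised offline."""
    import ldap3
    host, port = host_and_port(c)
    tls = None
    if c.use_ssl:
        if not c.ca_file:
            raise ValueError("LDAPS selected but no CA file given: the DC certificate cannot be verified")
        tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=c.ca_file)
    server = ldap3.Server(host, port=port, use_ssl=c.use_ssl, tls=tls)
    return ldap3.Connection(server, user=c.user, password=c.password,
                            authentication=ldap3.NTLM, auto_bind=True)

def fetch(conn, c: AdConnection, domain_dn: str, kind: str, attrs: List[str],
          page_size: int = 900) -> Iterator[dict]:
    """Paged search over every include base, dropping excluded OUs client-side;
    page_size mirrors 'LDAP pagination (entries per page)'."""
    flt = search_filter(c, kind)
    for base in search_bases(c, domain_dn):
        for e in conn.extend.standard.paged_search(base, flt, attributes=attrs,
                                                   paged_size=page_size, generator=True):
            if e.get("type") == "searchResEntry" and not in_excluded_ou(e["dn"], c):
                yield e
```

The pure helpers run without a DC and show exactly which port, filter and bases a given set of settings produces; bind() and fetch() need a reachable DC and the ldap3 package. Two points worth checking against your own environment: a custom port in DC Address does not by itself enable TLS, the Use SSL checkbox still governs that, and bind() refuses LDAPS without a CA file rather than silently skipping certificate validation.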
Advanced Settings
From Version 4.6, advanced settings can apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection; refer to Advanced Configuration for Adapters.
- Enable IP Resolving (required, default: true)
  - If enabled, all connections for this adapter try to find the IP of each fetched AD entity using three sources: the DNS server configured on the Axonius machine, the DNS server supplied in the connection, and the AD DC itself.
  - If disabled, all connections for this adapter look up IPs using only the AD DC itself.
- Max parallel DNS queries (optional, default: 1000) - Limits the number of DNS queries run in parallel.
- Show verbose notifications about connection failures (optional)
  - If enabled, all connections for this adapter show verbose notifications about authentication failures.
  - If disabled, all connections for this adapter do not show verbose notifications about authentication failures.
- Fetch Users Image (required, default: true)
  - If enabled, all connections for this adapter fetch user images.
  - If disabled, all connections for this adapter do not fetch user images.
- Get nested group membership for each user (required, default: true)
  - If enabled, all connections for this adapter fetch the nested group membership of each user, including groups reached through membership in other groups.
  - If disabled, all connections for this adapter do not fetch the nested group membership of each user.
- Get the most recent lastLogin by connecting to all DCs (optional) - The LastLogon attribute is not replicated between Domain Controllers, so each DC holds only the logons it serviced. The replicated LastLogonTimestamp attribute is refreshed at most about once every 14 days by default, so it can lag the real last logon by up to two weeks. If this option is selected, Axonius connects to every domain controller, pulls the LastLogon value for each user, and shows the most recent one.
- LDAP pagination (entries per page) (required, default: 900) - How many entries to fetch in each LDAP request.
- LDAP socket connection timeout (seconds) (required, default: 10) - The maximum time to wait when opening the socket.
- LDAP socket receive timeout (seconds) (required, default: 120) - The maximum time to wait for data on the socket.
- Devices to exclude by objectCategory (optional) - One or more AD objectCategory values.
  - If supplied, all connections for this adapter exclude devices whose objectCategory matches one of the values.
  - If not supplied, all connections for this adapter exclude no devices.
- LDAP fields to exclude (optional) - A comma-separated list of one or more LDAP fields to exclude from the data, for example "employeeID, givenName". Both fields are then absent from the raw and the parsed data of the adapter.
  - If supplied, all connections for this adapter do not fetch the specified LDAP fields, and the fields are not part of the asset data in Axonius.
  - If not supplied, all connections for this adapter fetch all LDAP fields of each asset.
- Parse all LDAP attributes to basic view - Select to show all fields/values from the Advanced view in the Basic view on the Device Profile page.
- Fetch Specops password expiration date - Select to fetch, for systems whose passwords are managed by Specops, the number of days left until password expiration, and to calculate a password expiration date from it.
- Distinguish group managed service accounts as users (optional) - Select to treat group Managed Service Accounts as users. When cleared, group Managed Service Accounts are treated as devices.
When adding Domain Controllers (DCs) to the AD forest, do not update date values; otherwise data that Axonius previously ignored becomes active and is no longer ignored.
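The following Python is an added example, not Axonius code, illustrating the "Get the most recent lastLogin by connecting to all DCs" setting above: it merges per-DC LastLogon values with the replicated LastLogonTimestamp and takes the latest, tolerating a DC that could not be queried. The function names are this example's own, and the per-DC rows are constructed sample data in the shape an LDAP search for lastLogon/lastLogonTimestamp returns (Windows FILETIME integers); real rows would come from one search per DC.

```python
"""Added example, not Axonius code: what 'Get the most recent lastLogin by
connecting to all DCs' has to do, and why.  lastLogon is never replicated, so a
DC knows only the logons it handled itself; lastLogonTimestamp is replicated but
is refreshed only when its stored value is older than the sync interval (14 days
by default, minus a random 0-5 days), so it can lag by up to two weeks.  The
per-DC rows below are constructed sample data in the shape a search returning
lastLogon/lastLogonTimestamp produces (Windows FILETIME integers); real rows
would come from one paged search per DC."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # AD sentinels for "no value"

def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; sentinels become None."""
    return None if ft in NEVER else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def ft_from_iso(s: str) -> int:
    """Helper for building sample data from an ISO timestamp (UTC)."""
    return datetime_to_filetime(datetime.fromisoformat(s).replace(tzinfo=timezone.utc))

LogonInfo = Tuple[Optional[datetime], str]

def most_recent_logon(per_dc: Dict[str, Dict[str, Dict[str, int]]]) -> Dict[str, LogonInfo]:
    """per_dc: {dc: {sAMAccountName: {"lastLogon": int, "lastLogonTimestamp": int}}}.
    Returns {sAMAccountName: (latest logon or None, which DC or attribute supplied it)}.
    A DC that could not be reached is simply absent from per_dc: the maximum over
    the remaining DCs is still at least as good as any single DC's value, and the
    replicated lastLogonTimestamp is the floor when no DC reports a lastLogon."""
    best: Dict[str, LogonInfo] = {}
    for dc, users in per_dc.items():
        for sam, attrs in users.items():
            cur = best.get(sam, (None, "none"))
            for attr, source in (("lastLogon", dc), ("lastLogonTimestamp", "lastLogonTimestamp")):
                ts = filetime_to_datetime(attrs.get(attr, 0))
                if ts is not None and (cur[0] is None or ts > cur[0]):
                    cur = (ts, source)
            best[sam] = cur
    return best

# Constructed sample: alice's newest logon was serviced by dc02 only, and the
# replicated timestamp is two weeks stale; bob's logon DC was unreachable, so
# only the replicated attribute remains; svc has never logged on.
SAMPLE = {
    "dc01": {"alice": {"lastLogon": ft_from_iso("2022-12-01T08:00:00"),
                       "lastLogonTimestamp": ft_from_iso("2022-12-05T09:00:00")},
             "bob":   {"lastLogon": 0, "lastLogonTimestamp": ft_from_iso("2022-11-20T17:30:00")},
             "svc":   {"lastLogon": 0, "lastLogonTimestamp": 0}},
    "dc02": {"alice": {"lastLogon": ft_from_iso("2022-12-20T07:45:00"),
                       "lastLogonTimestamp": ft_from_iso("2022-12-05T09:00:00")},
             "bob":   {"lastLogon": 0, "lastLogonTimestamp": ft_from_iso("2022-11-20T17:30:00")},
             "svc":   {"lastLogon": 0, "lastLogonTimestamp": 0}},
}

if __name__ == "__main__":
    for sam, (ts, source) in most_recent_logon(SAMPLE).items():
        print(f"{sam:6} {ts.isoformat() if ts else 'never':26} via {source}")
```

Querying only one DC would report alice as last seen on 1 December, two and a half weeks early, which is the error the setting exists to remove; the sentinel handling matters because a value of 0 means "never", not 1601.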
Required Ports
Axonius must be able to reach the host given in DC Address on the following ports:
- TCP/UDP port 389.
- TCP port 636 - if the Use SSL for connection checkbox is enabled.
- TCP port 3268 - if the Connect to Global Catalog (GC) checkbox is enabled.
- TCP port 3269 - if both the Use SSL for connection and Connect to Global Catalog (GC) checkboxes are enabled.
- Custom port - if you set a custom port in DC Address, that port must be reachable instead.
Required Permissions
The account supplied in User Name must be a service account with read-only access to all device and user objects in the AD tree.
The View BitLocker Information permission is also required for Axonius to obtain the BitLocker data stored in Microsoft AD.