Microsoft Active Directory (AD)

Overview

Active Directory (AD) is Microsoft’s directory service that stores information about users, groups, devices, and other resources in a Windows domain. It is commonly used for authentication, authorization, and centralized management in enterprise environments.

The Microsoft Active Directory adapter connects Axonius to an AD domain. It retrieves user, group, device, and organizational information to support asset inventory, correlation, and security analysis. The adapter supports LDAP, LDAPS, and Kerberos connection methods.

Use cases the adapter solves

The adapter connects to Active Directory to identify users and devices, collecting data such as group memberships, organizational units, OS type, and distribution. This helps detect unmanaged Windows systems, verify agent coverage, analyze user access, and find over-privileged or inactive accounts.

Types of Assets Fetched

  • Devices
  • Users
  • Groups
  • Domains & URLs
  • Organizational Units
  • Compute Services
  • Networks
  • Accounts/Tenants
  • Permissions


Data Retrieved from Active Directory

  • Devices: hostname, domain, OU, trusts, site, network details (interfaces, VLANs, IPs, MACs)
  • Users: username/UPN, display name, email, group memberships, OU memberships, password & logon data, account state, computed “Is Admin”
  • Groups: group metadata, memberships, customized group attributes (optional)
  • Permissions: user and group permissions (when Fetch Permissions via WinRM is enabled)
  • Networks: AD sites and subnets (when Fetch Subnets from Sites is enabled)

Note:

'Is Admin':

Axonius computes an 'Is Admin' value for each Active Directory user. 'Is Admin' is set to 'Yes' if any of the following holds:

  • The user is a member of the "Domain Admins" group (the default domain-wide admin group in Active Directory).
  • The user is a member of any of the groups listed in the Admin Groups setting on the 'Advanced Configuration' screen.
  • The user is a member of the Administrators group.

'Last Seen in Domain':

Axonius shows a 'Last Seen in Domain' value for each asset. Axonius calculates it by gathering every timestamp that indicates activity on that asset (for instance 'last password change', 'last logon', 'last logoff' and more); the most recent of these timestamps is the value that populates the 'Last Seen in Domain' field.
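The two computations described in this note, 'Is Admin' and 'Last Seen in Domain', are shown below as an added Python example; it is not Axonius code and does not show how the adapter itself is implemented. It assumes LDAP entries in the shape a directory search returns (a `memberOf` list of group DNs plus FILETIME-valued timestamp attributes), maps "last password change", "last logon" and "last logoff" to the standard AD attributes `pwdLastSet`, `lastLogon`/`lastLogonTimestamp` and `lastLogoff`, and uses constructed sample entries (the group name `Tier0-Operators` stands in for a group configured in the Admin Groups setting). Which activity signals Axonius actually aggregates is not stated on this page, so the attribute list is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, Mapping, Optional

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Groups that always imply 'Is Admin' per the note above (direct membership only).
DEFAULT_ADMIN_GROUPS = ("Domain Admins", "Administrators")

# FILETIME attributes treated as evidence of activity. The exact set Axonius
# uses is not documented on this page; this selection is an assumption.
ACTIVITY_ATTRIBUTES = ("pwdLastSet", "lastLogon", "lastLogonTimestamp", "lastLogoff")


def filetime_to_datetime(value) -> Optional[datetime]:
    """Convert a FILETIME integer (or its string form) to an aware UTC datetime.
    AD stores 0 (and sometimes 2^63-1) for 'never'; both are treated as absent."""
    if value in (None, "", 0, "0"):
        return None
    ticks = int(value)
    if ticks <= 0 or ticks >= 0x7FFFFFFFFFFFFFFF:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((moment - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def group_cn(dn: str) -> str:
    """Return the CN of a group DN, e.g. 'Domain Admins' from
    'CN=Domain Admins,CN=Users,DC=corp,DC=example'. Splits on the first
    unescaped comma so a CN containing an escaped comma is kept intact."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    _attr, sep, value = first_rdn.partition("=")
    return (value if sep else first_rdn).replace("\\,", ",").strip()


def is_admin(member_of: Iterable[str], extra_admin_groups: Iterable[str] = ()) -> bool:
    """True ('Yes') if the object is a direct member of Domain Admins, Administrators,
    or any group name passed as a configured admin group (case-insensitive)."""
    admin_names = {name.lower() for name in DEFAULT_ADMIN_GROUPS}
    admin_names.update(name.lower() for name in extra_admin_groups)
    return any(group_cn(dn).lower() in admin_names for dn in member_of)


def last_seen_in_domain(entry: Mapping[str, object]) -> Optional[datetime]:
    """Most recent activity timestamp across ACTIVITY_ATTRIBUTES, or None when
    the object has never recorded any activity."""
    stamps = [filetime_to_datetime(entry.get(attr)) for attr in ACTIVITY_ATTRIBUTES]
    present = [s for s in stamps if s is not None]
    return max(present) if present else None


# Constructed sample entries in the shape an LDAP search would return.
SAMPLE_DOMAIN_ADMIN = {
    "sAMAccountName": "jdoe",
    "memberOf": [
        "CN=Helpdesk,OU=Groups,DC=corp,DC=example",
        "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    ],
    "pwdLastSet": datetime_to_filetime(datetime(2023, 11, 2, 9, 30, tzinfo=timezone.utc)),
    "lastLogonTimestamp": datetime_to_filetime(datetime(2024, 1, 15, tzinfo=timezone.utc)),
    "lastLogoff": 0,  # never recorded
}

SAMPLE_OPERATOR = {  # admin only if 'Tier0-Operators' is configured as an admin group
    "sAMAccountName": "asmith",
    "memberOf": ["CN=Tier0-Operators,OU=Groups,DC=corp,DC=example"],
    "pwdLastSet": datetime_to_filetime(datetime(2022, 6, 1, tzinfo=timezone.utc)),
    "lastLogon": datetime_to_filetime(datetime(2022, 6, 3, 8, 0, tzinfo=timezone.utc)),
}

SAMPLE_NEVER_USED = {"sAMAccountName": "svc-stale", "memberOf": [],
                     "pwdLastSet": 0, "lastLogonTimestamp": 0}

if __name__ == "__main__":
    for entry in (SAMPLE_DOMAIN_ADMIN, SAMPLE_OPERATOR, SAMPLE_NEVER_USED):
        print(entry["sAMAccountName"],
              "is_admin:", is_admin(entry["memberOf"], ["Tier0-Operators"]),
              "last_seen:", last_seen_in_domain(entry))
```

Two caveats matter when reproducing these values against a real domain: `lastLogon` is updated only on the domain controller that handled the logon and is not replicated, while `lastLogonTimestamp` is replicated but may lag the true last logon by up to the replication interval (14 days by default), so a single-DC query can undercount activity; and the membership test above is direct membership only, so an account that is an admin only through a nested group needs the group tree expanded before it is counted.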

Before You Begin

Authentication Methods

  • Service Account with username/password
  • Kerberos authentication (realm-based with SASL GSSAPI)

Required Permissions

The service account used by the adapter must meet the following requirements:

  • Read access to the domain
  • Membership in the Remote Management Users group
  • Membership in the Account Operators group
  • Interactive logon disabled

Related Enforcement Actions

Refer to the Active Directory Related Enforcement Actions.