Connect Microsoft Active Directory

This guide provides the required steps to connect Microsoft Active Directory to Cloud Control Center (Connector Version 3.0 and newer) as a data enrichment source for users and devices. For details on what data and events Elisity collects and how that data is used, please see our Microsoft Active Directory Integration Event Polling Details Article.

 

Installation Prerequisites

The Elisity AD Connector should be installed on a Windows machine that is a member of the root domain of the enterprise.

Supported Windows versions for hosting the AD Agent include:

  • Windows 10
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

 

It can also be installed directly on a Domain Controller running:

  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

 

This guide is for installing the Elisity Active Directory agent on any member server or domain controller.

 

PREREQUISITES:

  • Minimum requirements are:
    • Microsoft .Net Framework v4.7.2 or newer - Please use the link here for guidance on determining the framework version
    • 4GB RAM
    • 1 GB free disk space
  • Outbound Port 443 is required to send Event Logs to Elisity CCC.
  • A service account for the Elisity Connector Service

 

Create a Service Account for the Elisity AD Connector

  1. Create a new user in the appropriate domain to act as the Elisity AD Service Account
  2. Give the user a unique name to identify it as the Elisity AD Service Account
  3. Protect the user from accidental deletion
  4. Add the user to the group 'Event Log Readers'
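The four steps above, as an added PowerShell example; this is not Elisity's script, and the account name, OU and domain in it are placeholders. It runs from a host with the ActiveDirectory module as a user allowed to create accounts, and finishes by verifying that the account is protected from deletion, is in Event Log Readers, and has not ended up in any privileged group:

```powershell
# Added example (not Elisity's own script): creates the AD Connector service account as in
# steps 1-4 above and then verifies the result. $SamAccountName and $TargetOU are placeholders.
Import-Module ActiveDirectory

$SamAccountName = 'elisity_service'                        # placeholder
$TargetOU       = 'OU=Service Accounts,DC=example,DC=test' # placeholder
$Domain         = Get-ADDomain
$Password       = Read-Host -AsSecureString -Prompt 'Service account password'

# Steps 1-2: a dedicated user whose name and description identify its purpose
New-ADUser -Name 'Elisity AD Service Account' `
           -SamAccountName $SamAccountName `
           -UserPrincipalName "$SamAccountName@$($Domain.DNSRoot)" `
           -Description 'Elisity AD Connector service account' `
           -Path $TargetOU `
           -AccountPassword $Password `
           -Enabled $true

$user = Get-ADUser -Identity $SamAccountName

# Step 3: protect the object from accidental deletion
Set-ADObject -Identity $user.DistinguishedName -ProtectedFromAccidentalDeletion $true

# Step 4: Event Log Readers grants read access to event logs and nothing else
Add-ADGroupMember -Identity 'Event Log Readers' -Members $user

# Verification: the flag is set, the membership is present, and no privileged group crept in
$protected = (Get-ADObject -Identity $user.DistinguishedName `
                  -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion
$groups = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name

"Protected from deletion : $protected"
"Group membership        : $($groups -join ', ')"
if ($groups -notcontains 'Event Log Readers') { 'MISSING: Event Log Readers membership' }

$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Schema Admins')
$extra = $groups | Where-Object { $privileged -contains $_ }
if ($extra) { "WARNING: service account is also in privileged group(s): $($extra -join ', ')" }
```

The final check matters because the connector only needs to read event logs and query LDAP; a service account that is also a Domain Admin turns a compromised agent host into a domain compromise.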

Update Group Policy Settings

Go To: Server manager > Tools > Group Policy Management

  • Create a new GPO (applicable to all DCs) or edit the default Domain Controller GPO as follows (figure 1)


Figure 1

Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon

  • Enable Success (figure 2) for 'Kerberos Authentication Service'
  • Enable Success (figure 2) for Audit Kerberos Service Ticket Operations


Figure 2

Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management

Enable Success for Audit Computer Account Management, Audit Security Group Management, and Audit User Account Management (figure 3)


Figure 3

Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access

  • Enable Success for Audit Directory Service Changes (figure 4)


Figure 4

Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff

  • Enable Success for Audit Account Lockout, Audit Group Membership, and Audit Logon


Figure 5
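To confirm that the audit settings from the four Group Policy sections above actually took effect on a Domain Controller, the following PowerShell (an added example, not part of Elisity's documentation or agent) reads the effective policy with auditpol and reports any of the nine subcategories that do not audit Success. The names are the auditpol subcategory names for the settings listed above; run it in an elevated PowerShell on the DC after the GPO has applied.

```powershell
# Added example (not Elisity's own script): verifies the effective advanced audit policy
# on this Domain Controller against the subcategories the connector relies on.
$Required = @(
    'Kerberos Authentication Service',      # Account Logon
    'Kerberos Service Ticket Operations',   # Account Logon
    'Computer Account Management',          # Account Management
    'Security Group Management',            # Account Management
    'User Account Management',              # Account Management
    'Directory Service Changes',            # DS Access
    'Account Lockout',                      # Logon/Logoff
    'Group Membership',                     # Logon/Logoff
    'Logon'                                 # Logon/Logoff
)

# "auditpol /r" emits CSV with the columns:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$effective = auditpol /get /category:* /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv

$missing = foreach ($name in $Required) {
    $row = $effective | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) { "$name : subcategory not found in auditpol output"; continue }
    # Inclusion Setting is one of: No Auditing, Success, Failure, Success and Failure
    if ($row.'Inclusion Setting' -notmatch 'Success') {
        "$name : currently '$($row.'Inclusion Setting')'"
    }
}

if ($missing) {
    'Subcategories without Success auditing (GPO not applied, or overridden locally):'
    $missing | ForEach-Object { "  $_" }
} else {
    'All required subcategories audit Success on this Domain Controller.'
}
```

Check every Domain Controller you intend to monitor, not only the one you edited the GPO on, since the agent reads events from each of them.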

 

Modifying User Auditing Settings in ADSI Edit

Go To: Server Manager > Tools > ADSI Edit

  • In ADSI Edit, click Action > Connect to… > 'Default Naming Context'
  • Hit OK

Right Click Users and select Properties (figure 6)

Figure 6

Select Security tab > click Advanced > select Auditing tab (figure 7)


Figure 7

Click Add (figure 8) > click select principal (figure 9)


Figure 8


Figure 9

Check the full control box (figure 10), then deselect the following four checkboxes: Full control, List contents, Read all properties, Read permissions


Figure 10

Click OK and exit

 

The purpose of these permissions is to enable the system to audit all writes and modifications in the AD database for "Everyone." These permissions allow the Elisity Connector to audit user/group attribute changes in real time. It is critical that the system get attribute changes to maintain accurate identification of users and assets. Without the permissions above, Active Directory will not generate audit events for attribute changes. These permissions DO NOT give write access or permissions to perform any actions, they simply allow auditing of writing, creating, deleting, etc.
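An added PowerShell check (not Elisity's code) for the ADSI Edit change above: it reads the SACL of the Users container, assumed here to be CN=Users in the default naming context, lists the Success auditing entries for Everyone, and then confirms the point the paragraph makes, that the DACL did not pick up a write grant for Everyone. Reading a SACL requires the security privilege, so run it as a domain administrator.

```powershell
# Added example (not Elisity's own script): shows the auditing entries on CN=Users and
# checks that no write permission for Everyone was added by mistake.
Import-Module ActiveDirectory
$usersDn = "CN=Users,$((Get-ADDomain).DistinguishedName)"   # assumed container

# -Audit is needed to read the SACL (system ACL) in addition to the DACL
$acl = Get-Acl -Path "AD:\$usersDn" -Audit

$success = [System.Security.AccessControl.AuditFlags]::Success
$everyoneAudit = $acl.Audit | Where-Object {
    $_.IdentityReference.Value -eq 'Everyone' -and $_.AuditFlags.HasFlag($success)
}

if (-not $everyoneAudit) {
    "No Success auditing entry for Everyone found on $usersDn"
} else {
    "Success auditing entries for Everyone on $usersDn :"
    foreach ($ace in $everyoneAudit) {
        [pscustomobject]@{
            AuditFlags  = $ace.AuditFlags
            Rights      = $ace.ActiveDirectoryRights   # e.g. Write*, Create/Delete child, but not Full control
            InheritedTo = $ace.InheritanceType
            ObjectType  = $ace.ObjectType
        }
    }
}

# Auditing entries never grant access; make sure the DACL was not changed instead of the SACL
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$everyoneWrite = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'Everyone' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeMask) -ne 0)
}
if ($everyoneWrite) {
    'WARNING: Everyone holds write permissions on CN=Users. Remove the permission entry; only the auditing entry is required.'
} else {
    'OK: no write permissions granted to Everyone on CN=Users.'
}
```

If the auditing entry is missing, attribute changes will not produce event 5136-style Directory Service Changes records, and the connector will only learn about them at the next full sync.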

 

After completing everything above, go to the command prompt and execute the command:

gpupdate /force

This will update all the policy changes without needing any reboots.

 

Elisity AD Connector Installation instructions

If you are deploying an AD Agent in 15.6.0+, the location in Cloud Control Center is the Active Directory tab rather than the Connectors tab.

Downloading the Agent and Gathering Client/Secret from Cloud Control Center

To add an Active Directory agent in Cloud Control Center, navigate to Settings > Active Directory > Agents > + ADD AGENT



  • Click DOWNLOAD ELISITY AD AGENT
  • Save the agent zip file to your local laptop/desktop for later transfer, or directly on the machine where the Connector will be installed.

Here is where you can also view and copy the configuration information to onboard the agent.

  • Click VIEW CONFIGURATION INFORMATION
  • Copy and save both the Gateway Server URL and Gateway Credential
    • Note: You can click the Copy icon to save the Credential to Clipboard
    • These credentials are valid for 60 minutes after being generated.

 

AD Agent Installation

Installation Steps:

Open the Elisity AD Agent Installer. Click Next to begin configurations for the install.

 

1. Choose Destination Folder

    • In the second window of the installer, you can change the destination folder. However, the main configuration file and the folder containing logs will remain in C:\ProgramData\Elisity\ADAgent and cannot be changed.

 

2. Select Service User

  • Choose a Service User to run the service. This user will also communicate with Domain Controllers unless another user is configured during the "Configure Sync Domain Controller" step.
  • Supported formats for the Service User include:
    • Down-level logon name (e.g., QALAB\elisity_service)
    • User principal name (e.g., elisity_service@qalab.int)

 

The Service User requires permission to log on as a service.

Go to Local Security Policy > Local Policies > User Rights Assignment and add the created Elisity Service Account to the allowed list for "Log on as a service."

Use the "Test Access" button to validate the credentials either on the machine or in the domain. If validation succeeds in either case, the test passes. This test also checks for "Log on as a service" and will notify you if this configuration is missing.

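To check the "Log on as a service" right on the agent host outside the installer, here is an added PowerShell example (not Elisity's installer code). It exports the local user-rights assignment with secedit and looks for the service account in SeServiceLogonRight, comparing by SID so it does not matter whether secedit stored a SID or a name. The account name is a placeholder; run it from an elevated PowerShell on the machine where the agent will be installed.

```powershell
# Added example (not Elisity's installer code): confirms the service account holds the
# "Log on as a service" right (SeServiceLogonRight). $Account is a placeholder.
$Account = 'QALAB\elisity_service'

# secedit writes the right's holders as a comma list of *SIDs and/or account names
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
}

# Resolve the account to its SID for a robust comparison
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

$granted = $holders | Where-Object { $_ -eq "*$sid" -or $_ -eq $Account }
if ($granted) {
    "OK: $Account ($sid) holds Log on as a service"
} else {
    "MISSING: $Account is not listed in SeServiceLogonRight. Current holders: $($holders -join ', ')"
    'Add it under Local Security Policy > Local Policies > User Rights Assignment > Log on as a service.'
}
```

The check looks only at direct assignments; a right granted through a group that the account belongs to will show up as that group's SID in the holders list, not as the account itself.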
3. Provide Cloud Control Center Configuration Details

Enter the required CCC configuration details that can be gathered from the AD Agent Configuration Page in Cloud Control Center.

Use "Test Access" to verify connectivity using TLS 1.2 (the AD Agent supports both TLS 1.2 and 1.3, but the installer is limited to TLS 1.2).

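An added PowerShell example (not Elisity's installer code) that reproduces what this Test Access depends on: outbound TCP 443 to the Gateway Server host, as required in the prerequisites, and a TLS 1.2 handshake with a server certificate the host trusts. The hostname is a placeholder; use the host part of the Gateway Server URL copied from "View Configuration Information".

```powershell
# Added example (not Elisity's installer code): checks outbound 443 and a TLS 1.2 handshake
# to the Gateway Server host. $GatewayHost is a placeholder.
$GatewayHost = 'gateway.example.invalid'
$Port        = 443
$stage       = 'TCP connect'

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($GatewayHost, $Port)
    "TCP ${GatewayHost}:$Port reachable"

    $stage = 'TLS 1.2 handshake'
    # No certificate-validation callback is supplied, so the default chain check applies and
    # an untrusted interception certificate (egress proxy) fails here, as it would for the agent.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($GatewayHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $true)

    "Negotiated $($ssl.SslProtocol) with $($ssl.CipherAlgorithm) ($($ssl.CipherStrength)-bit)"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Server certificate: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
    $ssl.Dispose()
}
catch {
    "FAILED at $stage to ${GatewayHost}:$Port - $($_.Exception.GetBaseException().Message)"
    if ($stage -eq 'TCP connect') {
        'Check the outbound 443 rule on the host firewall and any egress proxy.'
    } else {
        'Check that TLS 1.2 is enabled on the host and that the server certificate chain is trusted.'
    }
}
finally { $tcp.Dispose() }
```

A successful TCP connect followed by a failed handshake usually points at a TLS-inspecting proxy or a host with TLS 1.2 disabled in SCHANNEL, rather than at a network block.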
4. Specify Domain Controller for Synchronization

"Sync Domain Controller" is the Domain Controller used for the Initial Sync Process. Provide the FQDN of a Domain Controller that the agent can send LDAP queries to for a full sync. This DC needs to have the performance and compute resources to handle LDAP queries during the sync process; typically this is one of your primary Domain Controllers.

Enter the FQDN of the Domain Controller to be used for initial synchronization.

 

Event Log Readers group.

 

Test Access to Domain Controller uses the optional credentials supplied here, otherwise the service user credentials, or otherwise the current user (the one who started the installer), to query Active Directory for a single record. If that succeeds, it returns the DC name and shows it in the dialog.

5. Specify Event Domain Controllers

Next, we need to configure which domain controllers we will use to collect data and monitor events. To do this, we need to modify a configuration file and insert the FQDN for each Domain Controller we wish to monitor.

This section of the installer allows us to configure which DCs we would like to monitor for events, or to choose No event collection to disable logon events entirely.

  • Options for specifying Event Domain Controllers include:
    • Use only Sync Domain Controller: Uses the previously specified Domain Controller. This means that the initial sync and the continuous event monitoring will use the same Domain Controller.
    • No event collection: The AD Agent will only perform an initial synchronization, and no logon events will be sent to CCC.
    • Use the following Domain Controllers: Allows you to list Domain Controllers, separated by commas (e.g., DC1,DC2,DC3). "Domain Controllers" is a list of domain controllers which we will use for regular monitoring. This list should be comprised of Domain Controllers where we are likely to see user authorization and attachments in environments where Elisity is deployed. There is a character limit of 512 for this line. If this is not enough to add all your monitored Domain Controllers, talk to your Elisity support engineer. 
    • You can monitor up to 20 additional servers with a single Elisity AD agent. 

 

 

Use "Test Access to Event Logs" with the same credentials to verify connectivity by reading the last event from the Security event log.

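The two installer checks described in steps 4 and 5, a single-record LDAP query against the Sync Domain Controller and a read of the newest Security event from each Event Domain Controller, as an added PowerShell example that is not Elisity's installer code. The DC FQDNs are placeholders; run it as the service user, or pass -Credential, so the result reflects the account the service will actually use.

```powershell
# Added example (not Elisity's installer code): reproduces the Sync DC LDAP test and the
# Event DC Security-log test. All FQDNs are placeholders.
param(
    [string]   $SyncDc   = 'dc1.example.invalid',
    [string[]] $EventDcs = @('dc1.example.invalid', 'dc2.example.invalid'),
    [System.Management.Automation.PSCredential] $Credential
)

# 1. LDAP: bind to the named DC and fetch one object, timing the round trip
$ldapPath = "LDAP://$SyncDc"
$root = if ($Credential) {
    New-Object System.DirectoryServices.DirectoryEntry(
        $ldapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password)
} else {
    New-Object System.DirectoryServices.DirectoryEntry($ldapPath)   # current user
}
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    $root, '(objectClass=user)', [string[]]@('distinguishedName'))
$searcher.SizeLimit = 1
try {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $result = $searcher.FindOne()
    $sw.Stop()
    if ($result) {
        "LDAP OK on $SyncDc ($($sw.ElapsedMilliseconds) ms): $($result.Properties['distinguishedname'][0])"
    } else {
        "LDAP on $SyncDc returned no record: check the bind account's read access"
    }
} catch {
    "LDAP FAILED on $SyncDc : $($_.Exception.GetBaseException().Message)"
}

# 2. Event logs: newest Security event from each Event DC (needs Event Log Readers and RPC access)
foreach ($dc in $EventDcs) {
    $params = @{ ComputerName = $dc; LogName = 'Security'; MaxEvents = 1; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    try {
        $ev = Get-WinEvent @params
        "Event log OK on $dc : latest Security event ID $($ev.Id) at $($ev.TimeCreated)"
    } catch {
        "Event log FAILED on $dc : $($_.Exception.Message) (check Event Log Readers membership and RPC reachability to the DC)"
    }
}
```

A DC that passes the LDAP test but fails the event-log test is the common case when the service account was created but not added to Event Log Readers, or when RPC to the DC is filtered.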
6. Final Installation

Complete the installation of the service. Once done, you will need to start the service.

Next, trigger a sync from Cloud Control Center when you are ready to start importing users and devices.

  • Domain Controllers will remain inactive until synchronization is complete.
  • Upon completing the initial sync, devices existing in Cloud Control Center are enriched with any existing data in Active Directory.

 

 

Domain Controller Status Indicators:

  • Active: AD Agent is actively polling events.
  • Inactive: AD Agent is not actively polling events (e.g., during sync or when the service is stopped) or the Domain Controller is unreachable.

Uninstall/Reinstall/Upgrade

If the C:\ProgramData\Elisity\ADAgent\Cache folder contains data, it will be used (e.g., agent.dat holds the nodeID of the AD Agent). If the agent is reinstalled and was removed from CCC, delete all files from the Cache folder while the service is stopped (or before installation). Registration will be triggered upon service start/reinstallation.

 

If a configuration file exists in C:\ProgramData\Elisity\ADAgent\Config, the installer will detect it during an upgrade or reinstallation. There are two options to proceed:

 

Option 1: Keep Existing Configuration

  1. Select "Keep existing configuration."
  2. Specify the service user account. Using a different account than previously (in case of an upgrade) should work.
  3. Click "Test Access" for the "Next" button to become active.
  4. Proceed with the installation.

 

Option 2: Overwrite Existing Configuration

1. Deselect "Keep existing configuration."

 

2. Specify the service user account. Using a different account than previously (in case of an upgrade) should work. Click "Test Access" for the "Next" button to become active.

 

3. Provide cloud credentials.

 

4. Provide the sync Domain Controller hostname and specify the user for Domain Controllers communication (service user credentials are used if username and password are left empty).

 

5. Specify event Domain Controllers.

 

6. Finish the installation by clicking "Install."

 

Viewing Connector Status and Initiating a Sync from Cloud Control Center

After you have installed the connector on all of the relevant member servers and domain controllers, select a single domain controller to initiate your first sync. The Sync process will pick up all users, groups and data from the entire domain regardless of where you trigger the Sync from. Therefore, you need to trigger a Sync for only ONE Active Directory Connector.

 

To initiate a sync process, go to Connectors, select the appropriate Active Directory Connector, and click [Sync]

Note: It will take a few minutes to pull all user and device data. Active Directory is used as an enrichment source for devices, so you should expect to see updates to device identity data, as well as new users populated into Cloud Control Center.

You can also view details about the AD connector agent, the agent host machine, and the status of all Domain Controllers monitored by the agent by clicking View Details. Check the status of your connector and when the last status change for the connector occurred. This gives customers a quick way to view important information about all Elisity AD connectors deployed throughout their network.

 

Locating and Managing Users After AD Connection

Once you have successfully connected Active Directory (AD) to your Cloud Control Center, navigating to and managing users is straightforward.

Finding the Users Page

To locate the Users page after connecting AD, follow these steps:

Step 1: Navigate to the Settings Menu: From the Elisity dashboard, click on the "Settings" tab located on the left-hand sidebar. This section allows you to configure and manage various aspects of the Elisity platform.

Step 2: Access the Active Directory Section: Within the Settings menu, click on the "Connectors" dropdown. Here, select "Active Directory" to view the AD-specific configurations and options.

Step 3: View Users: Under the Active Directory section, you will find the "Users" tab prominently displayed. Clicking on this tab will bring you to the Users page, which has been seamlessly integrated into the Elisity platform from AD.

 

Overview of the Users Page

The Users page is designed to provide a comprehensive overview of all users within the organization, directly pulled from Active Directory. Here's what you can expect.

 

User Information

The page lists essential details for each user, including Name, Account ID, Status (Active or Inactive), AD Membership (such as Users/Contractors, Users/Domain Users), Department, Company, IP Addresses, Title, and Last Activity date.

User Assets

You can see all assets associated with an Active Directory User by clicking the number of assets in the respective column. This is critical for quickly identifying which devices users are logged in to.

Status Indicators

Each user's current status is clearly indicated, allowing administrators to quickly ascertain which users are active or inactive within the system.

Search and Filter

A search bar is provided at the top of the page, enabling administrators to quickly locate specific users based on their name or account ID. This is particularly useful in larger organizations with many users.

Robust Analytics Data

Beyond simple user information, the Elisity platform offers robust analytics on user behavior, including insights into the devices associated with each user, the policies governing their access, and the policy groups (PGs) they are part of. This analytics data aids in identifying usage patterns, potential security vulnerabilities, and compliance with established policies.

Integration and Consistency

It's important to note that this page maintains all the functionalities of the original Users page, with the added benefit of being directly integrated with Active Directory. This ensures that user management is streamlined and efficient, leveraging the centralized user information from AD.
