
Active Directory Monitoring Solution

Purpose

This document describes the content available for monitoring an Active Directory domain environment. Review the implementation steps carefully, because much of this content depends on the Active Directory plugin.

This article covers multiple components. Import and implement only the components that are required.

Associated Content

Content

Content | Type | Function
Internal Monitor - Active Directory - Sync Out of Date | Internal Monitor | This monitor looks for AD servers that have been onboarded for more than 30 days and are experiencing a credential issue in the Active Directory Plugin.
Internal Monitor - Active Directory - Enabled Test Accounts | Internal Monitor | This monitor looks for any account with "Test" in the account name and flags that account if it is enabled on the domain.
Internal Monitor - Active Computers in AD with No Agent | Internal Monitor | This monitor set generates a client-level ticket containing details of domain-joined computers that are active within the domain, have been joined to the domain for at least 7 days, but do not have the Automate agent installed.
Internal Monitor - Active Directory - ADPluginUser - Create/Update | Internal Monitor | The purpose of this monitor set is to create an 'ADPluginUser' account for the domain controllers detected in the AD Plugin.
Remote Monitor - Active Directory Replication Anomaly Monitoring | Remote Monitor | This monitor set runs on the Primary Domain Controllers (Infrastructure Masters) of each domain and triggers a failure alert upon detecting any Active Directory replication failure.
Script - New Domain Admin Monitor - Create | Client Script | Creates remote monitors that ticket when a new domain admin is added and has not been excluded.
Active Directory Reporting Solution | Reporting Solution | Full reporting solution that pulls from the Active Directory Plugin.
Remote Monitor - Domain Admin Account Lockout | Remote Monitor | This remote monitor detects when a domain admin account is locked out. It checks every 15 minutes and creates a ticket with complete details for the partner to review.

Non-Stack Content

Content | Type | Function
Internal Monitor - Active Directory - User Last Logon > X Days | Internal Monitor | This monitor checks for users who have not logged in for more than X days and are not administrator accounts.
Internal Monitor - Active Computers in AD with No Agent | Internal Monitor | This monitor set generates a client-level ticket containing details of domain-joined computers that are active within the domain, have been joined to the domain for at least 7 days, but do not have the Automate agent installed.
GPO Audit | Audit Script | This audit script populates dataviews outlining the GPOs currently installed in the Active Directory environment.
Script - AD - Enable AD Recycle Bin | Script | This script enables the AD Recycle Bin on a Domain Controller.

Script

Content | Type | Function
Script - AD - Enable AD Recycle Bin | Script | This script enables the AD Recycle Bin (see the Microsoft TechNet article).
Script - Weak Passwords - AD Test | Script | This script tests the hashed credentials in AD against a known compromised or weak password list.
Script - Active Directory - Plugin User Account - Create/Update | Script | This script creates or updates a domain admin account with a random password to be used with the AD plugin.
Script - Group Policy - Audit | Script | This process executes PowerShell to gather GPO data.
AD - Create Views/Table/Schedule for AD Reporting Solution | Script | This creates all the items needed in the database for the Active Directory Reporting Solution to function correctly.
Script - ScreenConnect - RMM+ Autofix - AD Plugin - Sync Out of Date [Ticket] | Script | This script is intended to be used as an autofix for the CWM - Automate - Internal Monitor - Active Directory - Sync Out of Date monitor. It will not function if run manually.

Dataview

Content | Type | Function
Dataview - Active Directory - AD Users | Dataview | This dataview displays all users associated with a domain and general information about each user.
Dataview - Active Directory - Domain Groups and Members | Dataview | This dataview shows all domains, their respective groups, and the corresponding list of members.
Dataview - Windows - Group Policy Objects | Dataview | This dataview shows information about GPOs, their applied policies, where they are linked, and to which trustees they are applied.
Dataview - Windows - Group Policy Settings | Dataview | This dataview shows information about GPOs, their applied policies, and settings.
Dataview - Windows - Group Policy Object Links | Dataview | This dataview shows information about GPOs, their applied policies, and where they are linked.
Dataview - Windows - Group Policy Object Security Filtering | Dataview | This dataview displays information about Group Policy Objects in Active Directory, specifically their security filtering.

Reports

Content | Type | Function
Report - Active Directory User Assessment | Report | Displays an overall health view of the client's Active Directory along with a full user report.
Report - Active Directory User Groups - Detail | Report | Displays a complete user list with all groups each user is in, along with an overall view of which groups are used the most.
Report - Computers in Active Directory - No Agent | Report | Displays a list of all computers that are in Active Directory but not in Automate. Can be used to clean up client Active Directories.
SubPageHeaderLandscape | Subreport | Used as the template for the page header on these reports.

Deprecated Content

Content | Type | Function
Internal Monitor - Active Directory - New User Account Created | Internal Monitor | This monitor looks for new domain user accounts with a creation date within the past day. A ticket is created for each new account discovered.
Internal Monitor - Password Expires This Week [G] | Internal Monitor | Detects domain users whose password will expire within a week.
Internal Monitor - Account Disabled | Internal Monitor | This monitor looks for disabled accounts on Active Directory servers through the Active Directory plugin and creates a ticket for each one found.
Remote Monitor - Reset AD Users Password Age | Remote Monitor | This remote monitor checks each AD user's password age to see if it is set to unlimited; if so, it changes the user password from never-expire to expire and also changes the default domain policy password age to 90 days.
Remote Monitor - AD Account Lockout Detection | Remote Monitor | This remote monitor detects when any AD account is flagged as locked out. This can be noisy, so it has been deprecated.
Script - Active Directory - Alerting - Password Expires This Week [Global, Autofix]* | Script | This script sends an email to users whose password expires within 1 week. This already happens through Windows, so it has been deprecated.

Implementation (Plugin)

  1. The solutions presented in this section rely on the functionality provided by the Active Directory plugin. Therefore, verify that both the Active Directory and Active Directory Remote plugins are correctly installed and operational within the environment.

  2. Ensure that the RMM+ Plugin is correctly configured and operational within the environment, as this solution relies on the proper configuration of the CWM - Automate - RMM+ Plugin Configuration.

  3. Ensure the following content is imported to the environment as it is used in multiple solutions for ticketing:

    OR - If the partner does not have PSA Integration, the Email Creation Alert Templates can be used in place of the Ticket Creation ones:

    After importing, ensure the system property _sysTicketDefaultEmail is filled out with the email address specified by the consultant.

    Note: There is not currently an 'Email Creation - Client' script/alert template. If this is required, then a development ticket will need to be generated to get it created.

Reporting Solution

  1. Import the following content from the ProSync Plugin:

  2. Run the AD - Create Views/Table/Schedule for AD Reporting Solution script once, on any machine, to create the framework needed for the solution.

    • Delete the script afterward.
  3. Download the attached SQL file named 'Import_All_AD_Reports.sql'. Refer to the below document for the attachment:

  4. Import the file using System → General → Import → SQL File (the SQL file is too large for a remote monitor).

Sync Out of Date

  1. Import the following content using the ProSync plugin:

  2. Reload the system cache.

  3. Navigate to Automation → Monitors → Internal Monitors and configure the following:

Enabled Test Accounts

  1. Import the following using the ProSync Plugin:

  2. Reload the System Cache.

  3. Navigate to Automation → Monitors → Internal Monitors and configure the following:

PC Missing Automate

  1. Import the following content from the ProSync Plugin:

  2. Reload the System Cache.

  3. Navigate to Automation → Monitors → Internal Monitors and configure the following:

ADPluginUser - Create

  1. Import the following content using the ProSync Plugin:

  2. Run the script against any online computer with Set Environment parameter set to 1.

    • Set the required values for the rest of the user parameters (these should be specified by the consultant).
    • Note: There are default values for all the main parameters.
  3. Validate the system property values within the System Dashboard.

Last Login > X Days

  1. Import the following monitor using the ProSync Plugin:

  2. Reload the System Cache.

  3. Edit the monitor with the last login value specified by the consultant; if this has not been specified, reach out to the consultant to clarify.

  4. Navigate to Automation → Monitors → Internal Monitors and configure the following:

Implementation (No Plugin)

The solutions presented in this section do not rely on any plugin.

Group Policy Audit

  1. Import the following content from the ProSync Plugin:

  2. Reload the System Cache.

  3. Schedule the Script - Group Policy - Audit to run once per day against the Domain Controllers group.

  4. Only perform this step if requested by the consultant:

    • Navigate to Automation → Monitors → Internal Monitors and configure the following:
      • Find the Internal Monitor - GPO Modified.
        • Assign the △ Custom - Ticket Creation - Computer alert template.
        • OR
        • Assign the △ Custom - Email Creation - Computer alert template.

Enable AD Recycle Bin

  1. Import the following content from the ProSync Plugin:

  2. Import the Role - AD Domain Recycle Bin Feature.

  3. Import the CWM - Automate - Remote Monitor - AD Recycle Bin State Check using the following instructions outlined here: Import - Remote Monitor - AD Recycle Bin State Check.

  4. Reload the System Cache.

  5. Locate the EPM - User Management - Remote Monitor - Reset AD Users Password Age remote monitor.

    • By opening the Domain Controllers group.
      • Apply the △ Custom - Execute Script - AD - Enable AD Recycle Bin alert template to the group monitor.
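The check-then-enable logic that the Enable AD Recycle Bin step performs, written here as an added example (this is not the ProVal script or the ConnectWise alert template). It assumes the ActiveDirectory PowerShell module is present and runs with Enterprise Admin rights on a domain controller.

```powershell
# Added example: report the AD Recycle Bin state and enable it when it is off.
# Enabling the feature is forest-wide and cannot be undone, so the script
# checks first and is safe to re-run (idempotent).
Import-Module ActiveDirectory -ErrorAction Stop

function Test-AdRecycleBin {
    # $true when 'Recycle Bin Feature' is enabled in at least one scope.
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
    return ($null -ne $feature -and $feature.EnabledScopes.Count -gt 0)
}

function Enable-AdRecycleBin {
    if (Test-AdRecycleBin) { return 'Success: Recycle Bin already enabled' }

    $forest = Get-ADForest
    # The feature requires a forest functional level of 2008 R2 or higher.
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$minimum) {
        return "Failure: forest functional level $($forest.ForestMode) is below 2008 R2"
    }

    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
    return 'Success: Recycle Bin enabled'
}

# A remote monitor (such as the state check imported above) can match on the
# 'Success:' / 'Failure:' prefix of this single output line.
Write-Output (Enable-AdRecycleBin)
```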

Replication Anomaly

  1. Import the Remote Monitor - Active Directory Replication Anomaly Monitoring using the following instructions outlined here: Implement - Remote Monitor - Active Directory Replication Anomaly Monitoring.

  2. Reload the System Cache.

  3. Locate the RSM - Active Directory - Remote Monitor - Active Directory Replication Anomaly Monitoring remote monitor.

    • By opening the Domain Controllers group.
      • Apply the △ Custom - Ticket Creation Computer - Failures Only alert template to the group monitor.
      • OR
      • Apply the △ Custom - Email Creation Computer - Failures Only alert template to the group monitor.
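The kind of check the Replication Anomaly monitor relies on, shown as an added example rather than the RSM/ProVal monitor's own code. It assumes the ActiveDirectory module on the domain controller it runs on, and the 2-hour staleness threshold is an assumption chosen for illustration.

```powershell
# Added example: surface AD replication failures recorded on this DC plus
# inbound partners that have not replicated successfully for 2 hours.
# The first output line is what a failures-only alert template keys on.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ReplicationStatus {
    param([string]$Server = $env:COMPUTERNAME, [int]$StaleHours = 2)
    # Explicit failures this DC has logged for each inbound partner.
    $failures = @(Get-ADReplicationFailure -Target $Server -Scope Server -ErrorAction Stop)
    # Partners whose last successful inbound replication is older than the threshold.
    $cutoff = (Get-Date).AddHours(-$StaleHours)
    $stale = @(Get-ADReplicationPartnerMetadata -Target $Server -Scope Server |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff })
    [pscustomobject]@{
        Server        = $Server
        FailureCount  = [int](($failures | Measure-Object -Property FailureCount -Sum).Sum)
        Failures      = $failures
        StalePartners = $stale
    }
}

$status = Get-ReplicationStatus
if ($status.FailureCount -gt 0 -or $status.StalePartners.Count -gt 0) {
    Write-Output ("Failure: {0} replication failure(s), {1} stale partner(s) on {2}" -f
        $status.FailureCount, $status.StalePartners.Count, $status.Server)
    foreach ($f in $status.Failures) {
        Write-Output ("  {0} <- {1}: {2} ({3}) since {4}" -f
            $f.Server, $f.Partner, $f.LastError, $f.FailureType, $f.FirstFailureTime)
    }
    foreach ($p in $status.StalePartners) {
        Write-Output ("  {0}: last success {1}" -f $p.Partner, $p.LastReplicationSuccess)
    }
} else {
    Write-Output "Success: replication healthy on $($status.Server)"
}
```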

New Domain Admin

  1. Remove the existing ProVal - Production - New Domain Admin monitor set from the groups it's already applied to.

    • Execute this SQL query from a RAWSQL monitor set to get rid of the existing monitors:
      Delete From Groupagents where `Name` = 'ProVal - Production - New Domain Admin'
  2. Open the Server Status tool by navigating to Help → Server Status.

  3. Click the Do Group Refresh button to refresh and apply the changes made.

  4. Click OK on the popup message and wait a minute to allow the changes to take effect.

  5. Import the following script from the ProSync Plugin:

  6. Run/Debug the Script

    • Execute or debug the script against a single client with the Set_Environment parameter set to 1. This generates the system properties and Extra Data Fields (EDFs) needed for managing the remote monitors.
  7. Reload the System Cache.

  8. Configure System Properties and EDFs.

    • Navigate to the System Dashboard → Config → Configurations → Properties.
    • Find the properties beginning with NDA_Monitoring.
      • The consultant should have provided you with any customizations that are required. Please read through the detailed System Properties and EDF explanations to understand how to configure any customizations. You can find that here.
  9. Schedule the Script.

    • Schedule the script to run once per day, preferably around midnight, from the dashboard for optimal results.
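The detection behind the New Domain Admin monitor, as an added example (not the ProVal script, which keeps its baseline and exclusions in system properties and EDFs). It assumes the ActiveDirectory module, a baseline file path and an exclusion list, all of which are placeholders chosen here.

```powershell
# Added example: compare current Domain Admins membership with a saved
# baseline and report members that were added and are not excluded.
Import-Module ActiveDirectory -ErrorAction Stop

$BaselinePath = 'C:\ProgramData\AdMonitor\domain-admins.json'   # assumed location
$Excluded     = @('svc-adplugin', 'breakglass')                  # assumed exclusions

function Get-DomainAdminSet {
    # Recursive so accounts nested through other groups are included.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        ForEach-Object { $_.SamAccountName.ToLowerInvariant() } |
        Sort-Object -Unique
}

function Find-NewDomainAdmins {
    param([string[]]$Current, [string[]]$Baseline, [string[]]$Exclude)
    $ignore = @($Exclude | ForEach-Object { $_.ToLowerInvariant() })
    $Current | Where-Object { $_ -notin $Baseline -and $_ -notin $ignore }
}

$current = @(Get-DomainAdminSet)
if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline and report nothing.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    ConvertTo-Json -InputObject @($current) | Set-Content -Path $BaselinePath
    Write-Output "Success: baseline created with $($current.Count) member(s)"
    return
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$new = @(Find-NewDomainAdmins -Current $current -Baseline $baseline -Exclude $Excluded)
if ($new.Count -gt 0) {
    # Leave the baseline untouched so the ticket stays open until reviewed;
    # once a human approves the change, the next clean run re-saves it.
    Write-Output ('Failure: new Domain Admin(s): ' + ($new -join ', '))
} else {
    Write-Output 'Success: no new Domain Admins'
    ConvertTo-Json -InputObject @($current) | Set-Content -Path $BaselinePath
}
```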

Domain Admin Lockout

  1. Import the Remote Monitor - Domain Admin Account Lockout using the following implementation instructions:

  2. If the partner does not have any PSA integration, navigate to the Domain Controllers group:

    • Then adjust the alert template for this monitor to be:
      • Alert Template - △ Custom - Email Creation Computer - Failures Only
    • Otherwise, ensure the alert template is set to the following:
      • Alert Template - △ Custom - Ticket Creation Computer - Failures Only
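What the Domain Admin Lockout remote monitor checks every 15 minutes, written as an added example rather than the ProVal monitor's own command. It assumes the ActiveDirectory module on the domain controller and matches admins by SID so renamed accounts are still caught.

```powershell
# Added example: list locked-out accounts that belong to Domain Admins.
# The first output line uses the Success/Failure prefix a failures-only
# alert template can key on; the detail lines feed the ticket body.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-LockedDomainAdmins {
    # SIDs of user members of Domain Admins (recursive, computers excluded).
    $adminSids = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SID.Value })

    # Search-ADAccount enumerates every locked-out user in the domain; keep
    # only those whose SID is in the admin set, then pull lockout details.
    Search-ADAccount -LockedOut -UsersOnly |
        Where-Object { $_.SID.Value -in $adminSids } |
        ForEach-Object {
            Get-ADUser -Identity $_.SID -Properties AccountLockoutTime, BadLogonCount |
                Select-Object SamAccountName, AccountLockoutTime, BadLogonCount
        }
}

$locked = @(Get-LockedDomainAdmins)
if ($locked.Count -gt 0) {
    Write-Output ("Failure: {0} locked-out Domain Admin account(s)" -f $locked.Count)
    foreach ($acct in $locked) {
        Write-Output ("  {0} locked at {1} after {2} bad logon(s)" -f
            $acct.SamAccountName, $acct.AccountLockoutTime, $acct.BadLogonCount)
    }
} else {
    Write-Output 'Success: no Domain Admin accounts locked out'
}
```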