Recommended Configurations for the 3.Computers Job Group

The Active Directory > 3.Computers Job Group has been configured by default to run with the default settings. It can be run directly or scheduled.

Dependencies

The .Active Directory Inventory Job Group needs to be successfully executed prior to running this job group.

Target Host

This job group does not collect data. No target host is required.

Connection Profile

This job group does not collect data. No specific Connection Profile is required.

Schedule Frequency

The data analyzed by the 3.Computers Job Group jobs is collected by the .Active Directory Inventory Job Group. Therefore, it is recommended to schedule these jobs to run after the .Active Directory Inventory job group collection has completed. These jobs can be scheduled to run as desired.

Run at the Job Group Level

RECOMMENDED: Run the jobs in the 3.Computers Job Group together and in order by running the entire job group, instead of the individual jobs.

Analysis Configuration

The 3.Computers Job Group should be run with the default analysis configurations. Most of the analysis tasks are preconfigured for this Job Group.

Some analysis tasks have customizable parameters:

  • The Active Directory > 3.Computers > AD_StaleComputers Job defines stale users. The parameters can be customized.

Workflow

Step 1 – Prerequisite: Successful execution of the .Active Directory Inventory Job Group.

Step 2 – Schedule the 3.Computers Job Group to run as desired after the prerequisite job has completed.

Step 3 – Review the reports generated by the 3.Computers Job Group.

Recommended Configurations for the 5.Domains Job Group

The Active Directory > 5.Domains job group has been configured by default to run with the default settings. It can be run directly or scheduled.

Dependencies

This job group does not have dependencies.

Targeted Hosts

The AD_DomainControllers job has been configured to inherit its host from the 5.Domains > 0.Collection > Settings > Host List Assignment node. It is set to target the ONE DOMAIN CONTROLLER PER DOMAIN host list.

The host list assignments for the 0.Collection > AD_TimeSync and the 0.Collection > AD_DSRM jobs have been configured at each job’s Configure > Hosts node. They are set to run against the ALL DOMAIN CONTROLLERS host list.

The ONE DOMAIN CONTROLLER PER DOMAIN and ALL DOMAIN CONTROLLERS host lists are dynamic host lists based on the host inventory value in the isDomainController field in the Host Master Table.

The 5.Domains > AD_DomainInfo job needs to be set to run against the following:

  • Custom host list with one domain controller per forest

Connection Profile

A Connection Profile should be assigned at the 5.Domains > Settings > Connection node with Domain Administrator privileges.

Schedule Frequency

This job group can be scheduled to run as desired.

Run at the Job Group Level

RECOMMENDED: Run the jobs in the 5.Domains job group together and in order by running the entire job group, instead of the individual jobs.

Query Configuration

The 5.Domains > 0.Collection > AD_DomainControllers job should be run with the default query configurations. Most of these queries are preconfigured for this Job Group and should not be modified.

The following query can be modified to use a secure connection with TLS/SSL:

Workflow

Step 1 – Set the host on the AD_DomainInfo job.

Step 2 – Run a host discovery query to discover domain controllers.

Step 3 – Set a Connection Profile on the job group.

Step 4 – Schedule the 5.Domains job group to run as desired.

Step 5 – Review the reports generated by the 5.Domains job group.

Recommended Configurations for the 4.Group Policy Job Group

The Active Directory > 4.Group Policy Job Group has been configured to run with the default settings. It can be run directly or scheduled.

Dependencies

This job group does not have dependencies.

Targeted Hosts

The AD_GroupPolicy Job has been configured to inherit its host from the 4.Group Policy > Settings > Host List Assignment node. It is set to target the Default domain controller host list, which is the domain in which the Enterprise Auditor Console server resides.

The host list assignments for the AD_CPassword and AD_PasswordPolicies jobs have been configured at each job’s Configure > Hosts node. They are set to run against the ONE DOMAIN CONTROLLER PER DOMAIN host list.

The Default domain controller and ONE DOMAIN CONTROLLER PER DOMAIN host lists are dynamic host lists based on the host inventory value in the isDomainController field in the Host Master Table.

Connection Profile

A Connection Profile must be set directly on the collection jobs with Domain Administrator privileges.

Schedule Frequency

This job group can be scheduled to run as desired.

Run at the Job Group Level

RECOMMENDED: Run the jobs in the 4.Group Policy Job Group together and in order by running the entire job group, instead of the individual jobs. However, these jobs can be run independently, with the exception of the AD_OverlappingGPOs Job, which is dependent upon the AD_GroupPolicy Job for data collection.

Workflow

Step 1 – Run a host discovery query to discover domain controllers.

Step 2 – Set a Connection Profile on the jobs that run data collection.

Step 3 – Schedule the 4.Group Policy Job Group to run as desired.

Step 4 – Review the reports generated by the 4.Group Policy Job Group.

Recommended Configurations for the 1.Groups Job Group

The Active Directory > 1.Groups Job Group has been configured by default to run with the default settings. It can be run directly or scheduled.

Dependencies

The .Active Directory Inventory Job Group needs to be successfully executed prior to running this job group.

Target Host

This job group does not collect data. No target host is required.

Connection Profile

This job group does not collect data. No specific Connection Profile is required.

Schedule Frequency

The data analyzed by the 1.Groups Job Group jobs is collected by the .Active Directory Inventory Job Group. Therefore, it is recommended to schedule these jobs to run after the .Active Directory Inventory job group collection has completed. These jobs can be scheduled to run as desired.

Run at the Job Group Level

RECOMMENDED: Run the jobs in the 1.Groups Job Group together and in order by running the entire job group, instead of the individual jobs.

Analysis Configuration

The 1.Groups Job Group should be run with the default analysis configurations. Most of the analysis tasks are preconfigured for this job group.

Some analysis tasks have customizable parameters:

  • The .Active Directory Inventory Solution defines large groups, deeply nested groups, and stale users. These parameters can be customized.

    • Customize within .Active Directory Inventory > 3-AD_Exceptions Job analysis tasks

      NOTE: Changes to an exception’s definition will affect all jobs dependent upon that exception as well as all Access Information Center Exceptions reports.

Workflow

Step 1 – Prerequisite: Run the .Active Directory Inventory Job Group.

Step 2 – Schedule the 1.Groups Job Group to run as desired after the prerequisite job has completed.

Step 3 – Review the reports generated by the 1.Groups Job Group.

Recommended Configurations for the 2.Users Job Group

The Active Directory > 2.Users Job Group has been configured by default to run with the out-of-the-box settings. It can be run directly or scheduled.

Dependencies

  • The .Active Directory Inventory Job Group needs to be successfully executed prior to running this job group

    • For the AD_ServiceAccounts Job, the .Active Directory Inventory > 1-AD_Scan Job needs to be configured to collect servicePrincipalName as a Custom Attribute
  • For the AD_WeakPasswords Job:

    • Requires the DSInternals PowerShell Module, which is a third-party package. See the AD_WeakPasswords Job topic for additional information.
    • The AD_WeakPasswords Job depends on a dictionary file. See the PasswordSecurity: Dictionaries topic for additional information.

    RECOMMENDED: If this job is not to be used, disable the job to prevent execution when the job group is executed.

Targeted Host(s)

Only the AD_WeakPasswords Job requires a host list. The host list assignment has been configured under the 2.Users > AD_WeakPasswords > Configure > Hosts node. It is set to target the ONE DOMAIN CONTROLLER PER DOMAIN host list. This host list is a dynamic host list based on the host inventory value in the isDomainController field in the Host Master Table.

Connection Profile

Only the AD_WeakPasswords Job requires a Connection Profile. It must be set directly on the AD_WeakPasswords Job (through the Job Properties window) with Domain Administrator privileges.

NOTE: The AD_WeakPasswords Job can be executed with a least privilege credential. See the Active Directory Auditing Configuration topic for additional information.

Schedule Frequency

The data analyzed by the 2.Users Job Group jobs is collected by the .Active Directory Inventory Job Group. Therefore, it is recommended to schedule these jobs to run after the .Active Directory Inventory job group collection has completed. These jobs can be scheduled to run as desired.

Run at the Job Group Level

Run the jobs in the 2.Users Job Group together and in order by running the entire job group, instead of the individual jobs.

Remember, if the AD_WeakPasswords Job is not to be executed, it can be disabled.

Analysis Configuration

The 2.Users Job Group should be run with the default analysis configurations. Most of the analysis tasks are preconfigured for this Job Group.

Some analysis tasks have customizable parameters:

  • The .Active Directory Inventory Solution defines stale users. These parameters can be customized.

    • Customize within .Active Directory Inventory > 3-AD_Exceptions Job analysis tasks

      NOTE: Changes to an exception’s definition will affect all jobs dependent upon that exception as well as all Access Information Center Exceptions reports.

Workflow

Step 1 – Prerequisite: Ensure the .Active Directory Inventory Job Group has been successfully run.

Step 2 – For the AD_WeakPasswords Job: Run a host discovery query to discover domain controllers.

  • The AD_WeakPasswords Job has been set to run against the following default dynamic host list:

    • ONE DOMAIN CONTROLLER PER DOMAIN

    NOTE: Default dynamic host lists are populated from hosts in the Host Master Table that meet the host inventory criteria for the list. Ensure the appropriate host lists have been populated through host inventory results.

Step 3 – Set a Connection Profile on the job that runs the data collection.

Step 4 – Schedule the 2.Users Job Group to run as desired after the prerequisite job has completed.

Step 5 – Review the reports generated by the 2.Users Job Group.