Recommended Configurations for the .Active Directory Inventory Solution
The .Active Directory Inventory Solution has been configured by default to run with the out-of-the-box settings, but some settings can optionally be configured. It can be run directly or scheduled.
Dependencies
This job group does not have dependencies.
Targeted Hosts
The host list assignment has been configured under the .Active Directory Inventory > Settings > Host List Assignment node. It is set to target the Default domain controller host list, which is the domain in which the Access Analyzer Console server resides.
If targeting multiple domains, change the Host List Assignment to the ONE DOMAIN CONTROLLER PER DOMAIN host list.
The Default domain controller host list and ONE DOMAIN CONTROLLER PER DOMAIN host list are dynamic host lists based on the host inventory value in the isDomainController field in the Host Master Table.
Connection Profile
The Connection Profile has been configured under the .Active Directory Inventory > Settings > Connection node. It is set to Use the Default Profile, as configured at the global settings level.
If targeting multiple domains, ensure the assigned Connection Profile has the necessary permissions on all targeted domains.
History Retention
Not supported and should be turned off
Multi-Console Support
Not supported
Schedule Frequency
RECOMMENDED: Schedule the .Active Directory Inventory Job Group to run once a day.
If there are frequent AD changes within the target environment, the job group can be run more often. It is best to rerun it any time AD changes might have occurred.
Run at the Solution Level
The jobs in the .Active Directory Inventory Job Group should be run together and in order by running the entire solution, instead of the individual jobs.
Query Configuration
The solution is best run with the default query configuration. However, a possible modification might be to include configurations of the scan options or additional custom attributes within the 1-AD_Scan Job.
Analysis Configuration
The solution is best run with the default analysis configuration. However, possible modifications might be to:
- Enable notification analysis tasks within the 2-AD_Changes Job
- Customize exception analysis parameters within the 3-AD_Exceptions Job
Workflow
The .Active Directory Inventory Job Group has been set to run against the following default dynamic host list:
- Default domain controller
Default dynamic host lists are populated from hosts in the Host Master Table that meet the host inventory criteria for the list. Ensure the appropriate host lists have been populated through host inventory results.
Step 1 – (Optional) Run a host discovery query to discover domain controllers. This is needed when targeting multiple domains.
Step 2 – Set a Connection Profile.
Step 3 – Schedule the .Active Directory Inventory Job Group to run as desired.
Step 4 – Review the reports generated by the .Active Directory Inventory Job Group.