Recommended Configurations for AD Permissions Analyzer Solution
Dependencies
The following Access Analyzer job groups need to be successfully run:
- .Active Directory Inventory Job Group
The following jobs need to be run prior to running the AD_ShadowAccess Job:
- .Active Directory Inventory > 1-AD_Scan > ADInventory
- Active Directory > 1.Groups > AD_SensitiveSecurityGroups
- Active Directory Permissions Analyzer > 7.Containers > AD_AdminSDHolder
- Active Directory Permissions Analyzer > 8.Domains > AD_DomainReplication
- Active Directory Permissions Analyzer > 1.Users > AD_ResetPasswordPermissions
- Active Directory Permissions Analyzer > 2.Groups > AD_GroupMembershipPermissions
The following jobs can be optionally run to enhance reporting in the AD_ShadowAccess Job:
- Active Directory > 2.Users > AD_WeakPasswords
- FileSystem > 7.Sensitive Data > FS_DLPResults > FS_DLPResults
- Databases > 0.Collection > SQL > 2-SQL_SensitiveDataScan > SQLServer_SDD
- Windows > Privileged Accounts > Local Administrators > SG_Sessions
- Windows > Privileged Accounts > Local Administrators > SG_LocalAdmins
Targeted Hosts
The Active Directory Permissions Analyzer > 0.Collection Job Group has been set to run against the following default host list:
- One Domain Controller Per Domain
Connection Profile
At the Active Directory Permissions Analyzer > 0.Collection > Settings > Connection node, assign a Connection Profile that has local Administrator privileges on the target host, or Domain Administrator privileges if the target host is a domain controller.
See the Connection topic for additional information.
Schedule Frequency
This job group can be scheduled to run as desired.
Workflow
Step 1 – Prerequisite: Successful execution of the .Active Directory Inventory Job Group.
Step 2 – Schedule the Active Directory Permissions Analyzer Job Group to run as desired.
- Run sub-job groups individually if desired, but run the 0.Collection Job Group first.
Step 3 – Review the reports generated by the Active Directory Permissions Analyzer Job Group.