Active Directory Actions

Actions for Active Directory #

• Change Computer Group. Changes the AD group membership for one or more assets.

• Disable Computer. Disables one or more computer objects in AD. When a computer object is disabled in AD, domain accounts cannot log in to the computer.

• Enable Computer. Enables one or more computer objects in AD. When a computer object is enabled in AD, domain accounts can log in to the computer.

• Change Computer OU. Changes the AD OU (organizational unit) for one or more computers.

• Change User Group. Changes the AD group membership for one or more users.

• Disable User. Disables one or more user objects in AD. When a user object is disabled in AD, the user cannot log in to the domain.

• Enable User. Enables one or more user objects in AD. When a user object is enabled in AD, the user can log in to the domain.

• Change User OU. Changes the AD OU (organizational unit) for one or more users.

Use Cases #

Below are the possible use cases for these actions:

• Change Computer Group. For idle computers (for example, computers that have not logged into the domain for a specified number of days), the computers can be moved to a different “archiving” group

• Disable Computer/Enable Computer. If one or more computers have certain security risks (for example., malware infection or non-compliances), the computer can be disabled in AD and enabled later after the risks have been mitigated

• Change Computer OU. For newly purchased computers, the computers can be moved from an IT organization unit to a different organization unit when they are assigned to the employees

• Change User Group. For newly promoted employees, users can be added to a different user groups to give them more access and permissions

• Disable User/Enable User. Employees with security risks (for example, leaving the company soon or non-compliances) can be disabled in AD and enable later after the risks have been mitigated,

Prerequisites #

To execute Active Directory actions, you must

Configure a Microsoft Active Directory API connection beforehand. The required parameters are described in the instructions for creating a Microsoft Active Directory connector in Lucidum https://lucidum.io/docs/microsoft-active-directory.

Workflows #

• Creating a new Configuration and a new Action
• Cloning an Existing Action
• Creating a new Action from the Location Results page
• Editing a Configuration
• Editing an Action
• Viewing Information about an Action

Active Directory Configuration #

• Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.

• Host. The hostname or IP address of the LDAP server.

• Port. TCP/UDP port 389 or TCP port 636 if using an SSL connection.

• User Name. AD User name or email with read and write permission. For domain users, the user name should be in the form: DOMAIN\USERNAME (for example, LDAP\lucidum).

• Password. The password associated with User Name.

• User Base. Specify where in the AD hierarchy to start searching for user information. If you are unsure, specify the “root” base for Lucidum. For example, dc=ad,dc=lucidum,dc=com

• Computer Base. Specify where in the AD hierarchy to start searching for computer information. If you are unsure, specify the “root” base for Lucidum. For example, dc=ad,dc=lucidum,dc=com

• Verify SSL. For future use.

• Connection Timeout. Number of seconds to wait for a connection before timing out. Default value is 10

• Get Server Info. Tells the ldap3 library which server information to read from the LDAP server. This information allows the ldap3 library to convert retrieved data to the appropriate data format. The choices are:

  • get_info=SCHEMA (read the schema)

  • get_info=INFO (read the server information)

  • get_info=ALL (read the schema and the server information).

• Auto Bind. Toggle that specifies whether to automatically bind the new or updated records in Active Directory.

• Read Only. Specify if the connection to the Active Directory server is read-only.

• Check Names. When set as true, check attributes (field:value pairs) in assertions (“field operator value” statements) and filters against the schema. Note that to use this field, Get Server Info must be set to get_info=ALL or get_info=SCHEMA parameter. Search results will be formatted as specified in the schema.

• LDAP Version. LDAP version on the Active Directory server. Default value is “3”.

• Client Strategy. Communication strategy used by the client device. The default method is SYNC. Options are SYNC, ASYNC, LDIF, RESTARTABLE, REUSABLE, SAFE_SYNC, AND SAFE_RESTARTABLE. For details, see https://ldap3.readthedocs.io/en/latest/connection.html?highlight=client%20strategy#connection .

• Auto Referrals. A referral occurs when an active directory server does not contain the data required to complete a query but can point to another active directory server that might contain the required data. Default value is “off”.

• Authentication . Method to authenticate with the Active Directory server. Options are ANONYMOUS, SIMPLE, SASL or NTLM (uses NTMLv2). If the User Name and Password fields are empty, the default method is ANONYMOUS. If the User Name and Password fields are populated, the default method is SIMPLE.

• Page Size. Number of results per page, default is 1000.

• Mode. Specify how to resolve Active Directory servers with dual IPs in DNS. Options are: IP_SYSTEM_DEFAULT, IP_V4_ONLY, IP_V6_ONLY, IP_V4_PREFERRED, IP_V6_PREFERRED. For details, see https://ldap3.readthedocs.io/en/latest/server.html?highlight=dual%20ip#server-object .

• TLS Validation . The method to validate TLS. Options are CERT_NONE (certificates are ignored), CERT_OPTIONAL (not required, but validated if provided) and CERT_REQUIRED (required and validated). The default is “CERT_NONE”.

• TLS Version . Specify the TLS version for the active directory server. The default value is “PROTOCOL_TLSv1”.

• TLS Ciphers. TLS ciphers. The value default is ALL. The default option allows Lucidum to negotiate a matching cipher.

• Proxy. If you are using a proxy server with Lucidum, select from the list of already-configured proxy servers. To create a proxy server, see https://lucidum.io/docs/configuring-a-proxy-server/.

Create or Edit a New Action #

To create an action for Active Directory:

1. In the Create a New Action page, in the General step, enter:

   

   • Action Type. Select an action from the pulldown options.

   • Configuration Name. Select an action configuration from the pulldown options.
   • Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.
   • Description. Description of the action.

2. Click the Next (>) icon.

   

3. The Build a Query page appears.

   

4. In the Build a Query page, you define the query for the assets or users that the action will act upon.

5. Click Next.

6. In the Build a Current Query page, enter the fields, operators, and values for the query. For existing actions, the query is already loaded in this page.

   

7. For details on creating and editing queries in Lucidum, see the section on Building Queries.

   NOTE: To optimize performance, the default time range is Current. If you need to access historical data, contact Lucidum Custom Success for help on using historical data without affecting performance.

8. Click the Apply (page and pencil) icon.

9. Click the Next (>) icon.

10. In the Schedule step, enter:

    

    • Schedule Type. Define the schedule for the action. Choices are:

      • Recurrence. Specify a frequency for the recurring schedule.

      • After Data Ingestion. The action is executed after data ingestion, which happens at least once every 24 hours and can also be triggered manually.

    • Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action.

11. Click the Next (>) icon.

12. The Details step differs depending on the action you choose in the General page.

13. If you choose:

    • AD: Change Computer Group

    • AD: Change User Group

    in the Action Type field in the General page, the following fields appear in the Details page:

    

    • Output Fields. For the records selected with the Filters field, specify the columns to display. When creating or editing the query, you can select these fields in the Query Results page > Edit Column button.

    • Target Group. Specify the new AD group to assign.

14. If you choose:

    • AD: Disable Computer

    • AD: Enable Computer

    • AD: Disable User

    • AD: Enable User

    in the Action Type field in the General page, the following fields appear in the Details page:

    

    • Output Fields. For the records selected with the Filters field, specify the columns to display. When creating or editing the query, you can select these fields in the Query Results page > Edit Column button.

15. If you choose:

    • AD: Change Computer OU

    • AD: Change User OU

    in the Action Type field in the General page, the following fields appear in the Details page:

    

    • Output Fields. For the records selected with the Filters field, specify the columns to display. When creating or editing the query, you can select these fields in the Query Results page > Edit Column button.

    • Target OU (Organizational Unit) . Specify the new OU to assign.