
Active Directory Actions

Actions for Active Directory

  • Change Computer Group. Changes the AD group membership for one or more assets.

  • Disable Computer. Disables one or more computer objects in AD. When a computer object is disabled in AD, domain accounts cannot log in to the computer.

  • Enable Computer. Enables one or more computer objects in AD. When a computer object is enabled in AD, domain accounts can log in to the computer.

  • Change Computer OU. Changes the AD OU (organizational unit) for one or more computers.

  • Change User Group. Changes the AD group membership for one or more users.

  • Disable User. Disables one or more user objects in AD. When a user object is disabled in AD, the user cannot log in to the domain.

  • Enable User. Enables one or more user objects in AD. When a user object is enabled in AD, the user can log in to the domain.

  • Change User OU. Changes the AD OU (organizational unit) for one or more users.

Use Cases

Below are the possible use cases for these actions:

  • Change Computer Group. For idle computers (for example, computers that have not logged into the domain for a specified number of days), the computers can be moved to a different “archiving” group.

  • Disable Computer/Enable Computer. If one or more computers have certain security risks (for example, a malware infection or non-compliance), the computers can be disabled in AD and enabled later after the risks have been mitigated.

  • Change Computer OU. For newly purchased computers, the computers can be moved from an IT organizational unit to a different organizational unit when they are assigned to employees.

  • Change User Group. For newly promoted employees, users can be added to different user groups to give them more access and permissions.

  • Disable User/Enable User. Employees with security risks (for example, leaving the company soon or non-compliance) can be disabled in AD and enabled later after the risks have been mitigated.

Prerequisites

To execute Active Directory actions, you must

Configure a Microsoft Active Directory API connection beforehand. The required parameters are described in the instructions for creating a Microsoft Active Directory connector in Lucidum https://luciduminc.atlassian.net/wiki/spaces/ProdDocs/pages/1673887868/Microsoft+Active+Directory .

NOTE. The specified account should have read and write permissions.

Workflows

Active Directory Configuration

  • Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.

  • Host. The hostname or IP address of the LDAP server.

  • Port. TCP/UDP port 389 or TCP port 636 if using an SSL connection.

  • User Name. AD User name or email with read and write permission. For domain users, the user name should be in the form: DOMAIN\USERNAME (for example, LDAP\lucidum).

  • Password. The password associated with User Name.

  • User Base. Specify where in the AD hierarchy to start searching for user information. If you are unsure, specify the “root” base for Lucidum. For example, dc=ad,dc=lucidum,dc=com

  • Computer Base. Specify where in the AD hierarchy to start searching for computer information. If you are unsure, specify the “root” base for Lucidum. For example, dc=ad,dc=lucidum,dc=com

  • Verify SSL. For future use.

  • Connection Timeout. Number of seconds to wait for a connection before timing out. Default value is 10.

  • Get Server Info. Tells the ldap3 library which server information to read from the LDAP server. This information allows the ldap3 library to convert retrieved data to the appropriate data format. The choices are:

    • get_info=SCHEMA (read the schema)

    • get_info=INFO (read the server information)

    • get_info=ALL (read the schema and the server information).

  • Auto Bind. Toggle that specifies whether to automatically bind the new or updated records in Active Directory.

  • Read Only. Specify if the connection to the Active Directory server is read-only.

  • Check Names. When set to true, check attributes (field:value pairs) in assertions (“field operator value” statements) and filters against the schema. Note that to use this field, Get Server Info must be set to get_info=ALL or get_info=SCHEMA. Search results will be formatted as specified in the schema.

  • LDAP Version. LDAP version on the Active Directory server. Default value is “3”.

  • Client Strategy. Communication strategy used by the client device. The default method is SYNC. Options are SYNC, ASYNC, LDIF, RESTARTABLE, REUSABLE, SAFE_SYNC, and SAFE_RESTARTABLE. For details, see https://ldap3.readthedocs.io/en/latest/connection.html?highlight=client%20strategy#connection .

  • Auto Referrals. A referral occurs when an Active Directory server does not contain the data required to complete a query but can point to another Active Directory server that might contain the required data. Default value is “off”.

  • Authentication. Method to authenticate with the Active Directory server. Options are ANONYMOUS, SIMPLE, SASL or NTLM (uses NTLMv2). If the User Name and Password fields are empty, the default method is ANONYMOUS. If the User Name and Password fields are populated, the default method is SIMPLE.

  • Page Size. Number of results per page, default is 1000.

  • Mode. Specify how to resolve Active Directory servers with dual IPs in DNS. Options are: IP_SYSTEM_DEFAULT, IP_V4_ONLY, IP_V6_ONLY, IP_V4_PREFERRED, IP_V6_PREFERRED. For details, see https://ldap3.readthedocs.io/en/latest/server.html?highlight=dual%20ip#server-object .

  • TLS Validation. The method to validate TLS. Options are CERT_NONE (certificates are ignored), CERT_OPTIONAL (not required, but validated if provided) and CERT_REQUIRED (required and validated). The default is “CERT_NONE”.

  • TLS Version. Specify the TLS version for the Active Directory server. The default value is “PROTOCOL_TLSv1”.

  • TLS Ciphers. TLS ciphers. The default value is ALL. The default option allows Lucidum to negotiate a matching cipher.

  • Proxy. If you are using a proxy server with Lucidum, enter the IP address:port for the proxy server.
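As an added example (not Lucidum's own code), the block below maps the configuration fields above onto the ldap3 library the page references and shows the attribute changes behind the Disable/Enable and Change OU actions. It contrasts the shipped defaults (port 389, CERT_NONE, PROTOCOL_TLSv1) with a hardened LDAPS profile; the Change Group action is not shown, and host names, DNs and account names are constructed placeholders.

```python
import re
import ssl

ACCOUNTDISABLE = 0x0002  # userAccountControl flag behind Disable/Enable User and Computer

def set_account_disabled(uac: int, disabled: bool) -> int:
    """Set or clear the ACCOUNTDISABLE bit, keeping every other flag (e.g. 0x200
    NORMAL_ACCOUNT, 0x1000 WORKSTATION_TRUST_ACCOUNT) exactly as it was."""
    return uac | ACCOUNTDISABLE if disabled else uac & ~ACCOUNTDISABLE

def rdn_of(dn: str) -> str:
    """Leading RDN of a DN; a comma escaped as '\\,' inside a value is not a separator."""
    return re.split(r"(?<!\\),", dn, maxsplit=1)[0]

def tls_profile(hardened: bool) -> dict:
    """Port/TLS fields. hardened=False reproduces the defaults listed above (389, CERT_NONE,
    PROTOCOL_TLSv1): plaintext LDAP and no certificate check even where TLS is used.
    hardened=True is LDAPS on 636 with a validated certificate and TLS 1.2."""
    if hardened:
        return {"port": 636, "use_ssl": True, "validate": ssl.CERT_REQUIRED,
                "version": ssl.PROTOCOL_TLSv1_2}
    return {"port": 389, "use_ssl": False, "validate": ssl.CERT_NONE,
            "version": ssl.PROTOCOL_TLSv1}

def open_connection(host, user, password, hardened=True, timeout=10):
    """ldap3 Server/Connection built from the configuration fields above.
    ldap3 is imported here so the pure helpers work without it installed."""
    import ldap3
    p = tls_profile(hardened)
    tls = ldap3.Tls(validate=p["validate"], version=p["version"])  # TLS Validation / TLS Version
    server = ldap3.Server(host, port=p["port"], use_ssl=p["use_ssl"], tls=tls,
                          get_info=ldap3.ALL, connect_timeout=timeout,  # Get Server Info, Timeout
                          mode=ldap3.IP_SYSTEM_DEFAULT)                 # Mode
    return ldap3.Connection(server, user=user, password=password,  # user as DOMAIN\\USERNAME
                            authentication=ldap3.NTLM, client_strategy=ldap3.SYNC,
                            auto_bind=True, auto_referrals=False,       # Auto Bind, Auto Referrals
                            check_names=True, read_only=False)  # Check Names needs ALL/SCHEMA info

def set_disabled(conn, dn: str, disabled: bool = True) -> bool:
    """Disable/Enable action: read userAccountControl, flip the bit, write it back."""
    from ldap3 import BASE, MODIFY_REPLACE
    conn.search(dn, "(objectClass=*)", search_scope=BASE, attributes=["userAccountControl"])
    new_value = set_account_disabled(int(conn.entries[0].userAccountControl.value), disabled)
    return conn.modify(dn, {"userAccountControl": [(MODIFY_REPLACE, [new_value])]})

def move_to_ou(conn, dn: str, target_ou: str) -> bool:
    """Change User/Computer OU: ModifyDN keeps the RDN and changes only the parent."""
    return conn.modify_dn(dn, rdn_of(dn), new_superior=target_ou)
```

Because the default profile accepts any certificate, the hardened profile is the one to use for the connector account, which holds write access to user and computer objects.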

Create or Edit a New Action

To create an action for Active Directory:

  1. In the Create a New Action page, in the General step, enter:

    • Action Type. Select an action from the pulldown options.

    • Configuration Name. Select an action configuration from the pulldown options.

    • Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.

    • Description. Description of the action.

  2. Click the Next (>) icon.

  3. In the Filters page, click Configure Filters.

  4. The Configure Filters for Action page appears.

  5. In the Configure Filters for Action page, you define the query for the assets or users that the action will act upon. For existing actions, the query is already loaded in this page.

  6. For details on creating and editing queries in Lucidum, see the section on Building Queries.

    NOTE: To optimize performance, the default time range is Current. If you need to access historical data, contact Lucidum Customer Success for help on using historical data without affecting performance.

  7. Click the Apply (page and pencil) icon.

  8. Click the Next (>) icon.

  9. In the Schedule step, enter:

    • Schedule Type. Define the schedule for the action. Choices are:

      • Recurrence. Specify a frequency for the recurring schedule.

      • After Data Ingestion. The action is executed after data ingestion, which happens at least once every 24 hours and can also be triggered manually.

    • Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action.

  10. Click the Next (>) icon.

  11. In the Details step, enter the following:

    • Output Fields. For the records selected with the Filters field, specify the columns to display. When creating or editing the query, you can select these fields in the Query Results page > Edit Column button.

    • Target Group. If you select AD: Change Computer Group or AD: Change User Group in the Action Type field, specify the new group to assign.

    • Target OU (Organizational Unit). If you select AD: Change Computer OU or AD: Change User OU in the Action Type field, specify the new OU to assign.
