NeQter Labs Initial Setup Guide
Active Directory
IMPORTANT: SOHO users without an AD Domain can skip this section.
In order to populate the Active Directory dashboard, we must pull logs from the domain controller(s) with our Active Directory agent.
You can find out more information about installing our agents by visiting our Agent Manager Deployment How To Guide and our Agent Manager documentation for how to set up winlog collection.
We are now going to create a group policy so we can capture the correct information for our Active Directory Dashboard. In the start menu search for Group Policy Management and open the application.
In the left-hand menu, you should see your internal network underneath Forest > Domains > {Your domain}. Right-click your domain and select Create a GPO in this domain, and Link it here… You will now be prompted to give the GPO a name of your choosing.
NOTE: The name should quickly convey what this policy covers, such as NeQter Active Directory, or AD for short.
Once you have created the GPO, expand the Group Policy Objects folder in the left-hand menu and right-click the Active Directory group policy you have just created.
Click Import Settings…; the Import Settings Wizard will pop up. Click Next to continue.
Now you will see an option for Backup GPO. Do not back anything up here, since the GPO is empty and will be overwritten later; click Next.
You will now see Backup Location. Choose Browse and navigate to the NeQter_AD folder located in the Inventory and Agents folder. Select it as the backup location and click Next.
You will now see Source GPO. Select the GPO from the backup you just chose and click Next.
The screen will show that it is scanning the backup; once it finishes, click Next.
Click Finish on the Completing the Import Settings Wizard page.
You should now see GPO: NeQter AD …Succeeded. If you do not get this message, something went wrong and you will need to repeat the steps above.
Repeat the steps above for Active Directory monitoring on all of your Domain Controllers.
Now that the GPO configuration is complete, set up a Global Security Group to apply the GPO. Open Active Directory Users and Computers, find your domain in the left-hand menu and select it. On the right-hand side, find and take note of the User group you created previously; you will need it in the following step.
Right-click your User group and ensure that the Group Scope is set to Global and the Group Type is set to Security. This GPO will be used for Active Directory auditing.
At this point you should still be on the screen where you checked the scope and type in the step above. There are four tabs across the top, labeled General, Members, Member Of and Managed By. Select the Members tab and click the Add button at the bottom to start adding user computers to the group. Ensure that under Object Types the Computers option is selected. Once set up, close Active Directory Users and Computers and open the Group Policy Management application.
NOTE: The steps above can be skipped if all of your users are in a domain group you can select directly (e.g. by typing Domain Users or Domain Computers in the field).
Select your GPO in the left-hand menu and navigate to Scope, then click the Add button in the Security Filtering section on the right-hand pane. Ensure that under Object Types the Computers option is selected. Also type “domain computers” in the field and click Check Names to make sure this group ends up on the list as well. From here, add the User Global Security Group you created.
Once the desired groups are added, right-click the GPO on the left and select Enforced. Now all the systems or users listed in the Security Filtering section will be audited, and the information will be sent to the NeQter Compliance Engine once they have been restarted and the GPO has been applied. To apply the GPO without waiting for the next refresh, force a Group Policy update: open a command prompt on the target machine, type gpupdate /force and press Enter.
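The walk-through above, from creating and linking the GPO through Security Filtering, Enforced and the forced refresh, can also be scripted. This is an added example, not part of the NeQter guide; it uses the Microsoft GroupPolicy and ActiveDirectory modules (RSAT), and the group name, computer list and NeQter_AD folder path are placeholders you must adjust.

```powershell
# Added example (not NeQter's code): automates the GPO steps above with the
# GroupPolicy and ActiveDirectory modules. Run as a Domain Admin on a DC or RSAT host.
Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop

$GpoName    = 'NeQter AD'
$GroupName  = 'NeQter AD Computers'                 # assumed name for the Global Security group
$BackupPath = 'C:\Inventory and Agents\NeQter_AD'   # placeholder path to the NeQter_AD folder
$DomainDN   = (Get-ADDomain).DistinguishedName
$Computers  = @('DC01', 'WS01')                     # constructed sample; list the computers to audit

# 1. Create the GPO and link it at the domain root ("Create a GPO in this domain, and Link it here").
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'NeQter Active Directory auditing' }
$linked = (Get-GPInheritance -Target $DomainDN).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $DomainDN | Out-Null }

# 2. Import Settings: a GPO backup folder holds one {GUID} subfolder per backed-up GPO.
$backups = @(Get-ChildItem -Path $BackupPath -Directory | Where-Object Name -Match '^\{[0-9A-Fa-f-]{36}\}$')
if ($backups.Count -ne 1) { throw "Expected exactly one GPO backup under $BackupPath, found $($backups.Count)" }
Import-GPO -BackupId ([guid]$backups[0].Name) -Path $BackupPath -TargetName $GpoName | Out-Null

# 3. Global Security group (scope Global, type Security) holding the computers to audit.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path "CN=Users,$DomainDN"
}
Add-ADGroupMember -Identity $GroupName -Members ($Computers | ForEach-Object { Get-ADComputer $_ })

# 4. Security Filtering: apply to the new group and keep Domain Computers on the list, so
#    every domain member retains Read access to the GPO and can process it.
foreach ($trustee in @($GroupName, 'Domain Computers')) {
    Set-GPPermission -Name $GpoName -TargetName $trustee -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# 5. Enforce the link, then push a refresh to each computer (remote equivalent of gpupdate /force;
#    requires the remote scheduled-task/WinRM firewall rules to be open).
Set-GPLink -Name $GpoName -Target $DomainDN -Enforced Yes | Out-Null
foreach ($c in $Computers) { Invoke-GPUpdate -Computer $c -Force -RandomDelayInMinutes 0 }

# Verify: Security Filtering should list both groups with the Apply permission.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```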