
Incident Responder Documentation

Configure the Microsoft Active Directory (AD) (Latest) Service

Configure Microsoft on-premises Active Directory (AD) as a service to manage groups, accounts, and credentials, and run other Microsoft Active Directory (AD) (Latest) actions.

Prerequisites

Last updated: June 15, 2022

Ensure you have a Windows user account with the necessary permissions. Either use a user account in the Domain Admins security group, or delegate control on an organizational unit (OU) so that a user account receives the permissions, called administrative tasks, required for each action:

| Incident Responder action | Required administrative task |
|---|---|
| Get User Information | Read all user information |
| List User’s Groups | Read all user information |
| Add User to Group | Modify the membership of a group |
| Remove User From Group | Modify the membership of a group |
| Expire Password | Reset user passwords and force password change at next logon |
| Reset password | Reset user passwords and force password change at next logon |
| Set New Password | Create, delete and manage user accounts |
| Disable user account | Create, delete and manage user accounts |
| Enable user account | Create, delete and manage user accounts |
| Unlock User Account | Create, delete and manage user accounts |
| Set Host Attribute | Write All Properties |
| Change Host’s Organizational Unit | Write All Properties |

Create a Custom Administrative Task for the Set Host Attribute or Change Host's Organizational Units Action

For the Set Host Attribute and Change Host's Organizational Units actions, you must also create a custom administrative task that allows your account to rename a computer in a domain.

  1. Right-click the OU containing the user account, then select Delegate Control....

  2. In the Delegation of Control Wizard, click Next >.

  3. Select the user account, then click Next >.

  4. Select Create a custom task to delegate, then click Next >.

  5. Select Only the following objects in the folder, select Computer objects, then click Next >.

  6. Under Show these permissions:, select Property-specific; under Permissions:, select Write All Properties, Validated write to DNS host name, and Validated write to service principal name; then click Next >.

  7. Review the changes you made, then click Finish.
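To confirm that the delegation wrote only the three permissions selected in step 6, the OU's access control entries can be checked after the wizard finishes. The following is an added example, not Exabeam code or part of the original page; the function name, the account name EXAMPLE\svc-ir, and the sample ACEs are constructed for illustration, and the GUIDs are the standard Active Directory identifiers for the computer class and the two validated writes.

```powershell
# Added example: audit the ACEs the Delegation of Control Wizard should have written.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schema GUID of the computer class
$Expected = @(
    @{ Name = 'Write All Properties'; Rights = 'WriteProperty'; ObjectType = [guid]::Empty }
    @{ Name = 'Validated write to DNS host name'; Rights = 'Self'
       ObjectType = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd' }
    @{ Name = 'Validated write to service principal name'; Rights = 'Self'
       ObjectType = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1' }
)

function Test-DelegatedComputerRights {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,      # rows from (Get-Acl 'AD:\<OU DN>').Access
        [Parameter(Mandatory)] [string]   $Account   # delegated account, DOMAIN\name
    )
    # Only Allow ACEs granted to the delegated account are relevant.
    $mine = @($Ace | Where-Object {
        "$($_.IdentityReference)" -eq $Account -and "$($_.AccessControlType)" -eq 'Allow' })
    $matched = @()
    foreach ($e in $Expected) {
        $hit = @($mine | Where-Object {
            "$($_.ActiveDirectoryRights)" -match "\b$($e.Rights)\b" -and
            [guid]$_.ObjectType -eq $e.ObjectType -and
            [guid]$_.InheritedObjectType -eq $ComputerClass })
        $matched += $hit
        [pscustomobject]@{ Finding = $e.Name; Status = if ($hit) { 'present' } else { 'MISSING' } }
    }
    # Any other Allow ACE for the account is broader than what step 6 delegates.
    foreach ($a in ($mine | Where-Object { $matched -notcontains $_ })) {
        [pscustomobject]@{ Finding = "$($a.ActiveDirectoryRights) on $($a.InheritedObjectType)"; Status = 'EXTRA' }
    }
}

# Constructed sample ACEs, not from a real domain. Against a live OU, with RSAT installed:
#   Import-Module ActiveDirectory
#   $aces = (Get-Acl 'AD:\<distinguished name of the OU>').Access
$acct = 'EXAMPLE\svc-ir'   # hypothetical account name
$aces = @(
    [pscustomobject]@{ IdentityReference = $acct; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'WriteProperty'; ObjectType = [guid]::Empty
        InheritedObjectType = $ComputerClass }
    [pscustomobject]@{ IdentityReference = $acct; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'Self'; ObjectType = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
        InheritedObjectType = $ComputerClass }
    [pscustomobject]@{ IdentityReference = $acct; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'GenericAll'; ObjectType = [guid]::Empty
        InheritedObjectType = [guid]::Empty }
)
Test-DelegatedComputerRights -Ace $aces -Account $acct | Format-Table -AutoSize
```

With the constructed sample, the service principal name validated write is reported as MISSING and the GenericAll entry as EXTRA, which are the two conditions worth reviewing before the account's credentials are stored in the service.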

Configure the Service in Exabeam Incident Responder

  1. In the navigation bar, click the menu icon, select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new service.

    • To view all actions for a service, hover over a service, then click the information icon.

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Active Directory Latest.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service. 

    • Host – Enter the IP address or hostname of your Microsoft Azure AD endpoint.

    • Username – Enter the username of your Microsoft account.

    • Password – Enter the password to your Microsoft account.

    • Domain (One per line) – Enter the domains of the domain controllers running Microsoft Azure AD. Enter one domain per line.

    • TCP port – Enter the TCP port number you use to connect to your Microsoft Azure AD endpoint.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.