SmartProfiler for Active Directory is designed to mitigate security risks in Active Directory environments by performing an advanced assessment and by real-time monitoring that captures threats as they occur. Active Directory is the primary source of authentication and authorization for users and business applications. Microsoft doesn’t provide out-of-the-box tools for performing a health and risk assessment of an Active Directory environment. Executing an Active Directory Assessment with SmartProfiler-SecID assesses multiple AD forests and produces an assessment report that lists the issues found and recommendations to fix them. SmartProfiler for AVD Assessment, in contrast, is designed to find bottlenecks and issues in an existing AVD environment and to identify missing settings that Microsoft recommends for improving AVD performance. The AVD Assessment can also check whether the configuration is consistent across host pools.
The following PowerShell modules need to be installed on the SmartProfiler computer in order to execute all tests. Open a PowerShell window from an elevated prompt and then run the following commands:
On Windows Server:
On Windows 10 or Windows 11:
For a complete Active Directory Assessment, the SmartProfiler computer needs connectivity to the following Active Directory objects:
The following communication ports are required for basic AD communication from the SmartProfiler computer to all domain controllers:
SmartProfiler-SecID provides an AD Health Monitoring component that monitors Active Directory health and sends a notification when issues are found. The email template requires the following data to be filled in:
| Parameter | Value | Remark |
| --- | --- | --- |
| Email To | Support@YourDomain.com | Provide the email address to which the notification will be sent. |
| SMTP Server | smtp.office365.com | Provide the SMTP server address. |
| SMTP Port | 587 | Provide the SMTP port. |
| Use SSL | TRUE | Provide whether email is going to use SSL or not – True or False. |
| Sender Email | Alerts@domain.com | Provide the sender email address. |
| Sender Username | Alerts@domain.com | Provide the sender username. |
| Sender Password | Password1 | Provide the sender password. |
| Using Open Relay | No | Specify Yes if using an open relay. With an open relay the process does not need the sender password. |
| Subject | SmartProfiler-SecID Health Notification | Enter the email subject. |
| Email Body | SmartProfiler-SecID Health Notification | Enter the email body. The health results will be appended to the email body. |
Please note if your SMTP Server doesn’t require authentication then say “Yes” to “Using Open Relay” in Email Template.
SmartProfiler requires the following credentials for Active Directory:
| Technology/Target | Permissions Needed | Remark |
| --- | --- | --- |
| Active Directory Forest – AD Assessment | Domain Admin account if the Active Directory forest runs a single domain. Enterprise Admin account if the Active Directory forest runs multiple AD domains, in order to access all AD domains. | All domain controllers in each domain must be reachable to perform a complete assessment. Note: the Active Directory Assessment can be executed using a normal domain user account. In that case the 56 Domain Controller tests will not be executed. |
| Active Directory Forest – AD Assessment Scheduler | Domain Admin account if the Active Directory forest runs a single domain. Enterprise Admin account if the Active Directory forest runs multiple AD domains, in order to access all AD domains. | The AD Assessment Scheduler Service requires a service account that is a member of Domain Admins or Enterprise Admins. Note: the Active Directory Assessment Scheduler Service can be executed using a normal domain user account. In that case the 56 Domain Controller tests will not be executed. |
| Active Directory Forest – Real-Time Monitoring | SmartProfiler Active Directory Real-Time Monitoring requires a normal domain user account to execute and process all Active Directory Real-Time Alerts. | The Real-Time service account must be configured with the Password Never Expires attribute. |
| Active Directory Forest – Health Checker and Notifier | SmartProfiler Active Directory DC Health Checker and Notifier requires a Domain Admin or Enterprise Admin account. | The DC Health Checker service account must be configured with the Password Never Expires attribute. |
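As an added example (not SmartProfiler's own code), the following PowerShell checks that the accounts you intend to use meet the requirements in the table above: admin membership where the component needs it, a normal domain user where it does not, and Password Never Expires for the Real-Time and DC Health Checker service accounts. It assumes the ActiveDirectory RSAT module is installed; the account names at the bottom are placeholders.

```powershell
# Added example, not SmartProfiler's own code. Assumes the ActiveDirectory RSAT module;
# the account names at the bottom are placeholders.
Import-Module ActiveDirectory

function Test-SmartProfilerServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [switch] $RequiresAdmin,                 # AD Assessment, Scheduler, DC Health Checker
        [switch] $RequiresPasswordNeverExpires   # Real-Time Monitoring, DC Health Checker
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, Enabled
    # Direct group memberships only; nested membership is not resolved here
    $groups  = (Get-ADPrincipalGroupMembership -Identity $SamAccountName).Name
    $isAdmin = ($groups -contains 'Domain Admins') -or ($groups -contains 'Enterprise Admins')
    $findings = @()
    if (-not $user.Enabled) { $findings += 'Account is disabled' }
    if ($RequiresAdmin -and -not $isAdmin) {
        $findings += 'Not in Domain Admins or Enterprise Admins: the 56 Domain Controller tests will be skipped'
    }
    if (-not $RequiresAdmin -and $isAdmin) {
        $findings += 'Admin account used where a normal domain user is sufficient (least privilege)'
    }
    if ($RequiresPasswordNeverExpires -and -not $user.PasswordNeverExpires) {
        $findings += 'PasswordNeverExpires not set: the service stops working once the password expires'
    }
    [pscustomobject]@{
        Account              = $SamAccountName
        IsAdmin              = $isAdmin
        PasswordNeverExpires = $user.PasswordNeverExpires
        Compliant            = ($findings.Count -eq 0)
        Findings             = ($findings -join '; ')
    }
}

# Placeholder account names: one per SmartProfiler component from the table
Test-SmartProfilerServiceAccount -SamAccountName 'svc-sp-assess'   -RequiresAdmin
Test-SmartProfilerServiceAccount -SamAccountName 'svc-sp-realtime' -RequiresPasswordNeverExpires
Test-SmartProfilerServiceAccount -SamAccountName 'svc-sp-dchealth' -RequiresAdmin -RequiresPasswordNeverExpires
```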
Active Directory Assessment supports two connection methods: executing the assessment using locally logged-on credentials, and STORED-CRED.
Executing Assessment Using Locally Logged On Credentials
STORED-CRED
Configuring the Active Directory Agent is required. If you plan to use the Active Directory Health Check, Assessment Scheduler and AD Real-Time Monitoring features, you must provide AD credentials.
To configure the AD Agents, open the SmartProfiler Agent UI from Desktop:
You are required to provide the following inputs as part of Agent Configuration:
In the Active Directory Credentials tab,
Note that the credentials entered in the Active Directory tab are used by AD Assessment, Health Check Monitoring, the CIS/NIST analyzer, DHCP and other technologies.
Once you have provided credentials, click on “CONNECT AND SAVE” button to connect and save the credentials with SmartProfiler.
To register Active Directory Tenant with SmartProfiler-SecID, please expand Tenants and Settings Section in left pane and then click on “Add New Tenant” button as shown below:
Then in the “register a new tenant window”, select Active Directory in the list of available technologies and provide the Tenant details as below:
SmartProfiler requires the following inputs for ACTIVE DIRECTORY Tenants:
If you have purchased an Active Directory Assessment license, then click on Browse button to apply the license codes from the license file.
Once done, click on “Add Tenant” button to add tenant under the management of SmartProfiler.
Note that you need to create an assessment view before the assessment can be executed. To create an Assessment View, expand Tenants and Settings section in left pane and then click on “Manage Settings” button:
And then click on “Create View” button. In the Create a New View Window, provide the following inputs:
Once you have provided details for a new Assessment View, click on “Create View” button to create the view.
Once the Tenant has been registered with SmartProfiler and you have created an Assessment View, you can expand “Assessment Views” section in the left pane to see your view, expand the Assessment View and then click on “Assessment Console” to open the assessment console as shown below:
The first step in an Active Directory Assessment is to run AD Discovery, which collects objects from Active Directory and verifies that all domain controllers are reachable. To run the AD Discovery, click on “AD Discovery” under the assessment view.
Click on the “Run AD Discovery” button to start the discovery process. Once AD Discovery has finished, you will see the list of domains, sites and domain controllers discovered, together with the connectivity status of every domain controller.
Once AD Discovery is successful, the next step is to open the AD Assessment Dashboard for execution as shown below:
Opening the AD Assessment Dashboard screen shows the option to execute the AD Assessment:
Click on the Play Icon as marked in the red square in above screenshot to show the execution screen:
In the “Select Credential” dropdown, select the credential. We recommend using locally logged-on Domain Admin/Enterprise Admin credentials so that the assessment executes quickly.
Next, provide Assessment Run Name and select the Assessment Scope.
Click on “Execute Assessment” button to start the assessment. The Active Directory Assessment will start, and you will be able to see the status of execution on the screen.
Once the Assessment is completed, the AD Assessment Dashboard screen will refresh to show status of your Active Directory environment.
To generate a report for Active Directory Tenant, click on “AD Generate Report” tree view node under the Assessment view:
In the screen below, click on Browse button to select the report location.
Note that SmartProfiler for Active Directory can generate a Microsoft Word report, an Excel summary containing the list of affected objects, and a Business Executive presentation.
Please click on “Generate Report” button. The process will take some time, and progress will be shown on the screen.
SmartProfiler-SecID has been designed to enable Active Directory Health Monitoring for AD forests. The Health Monitoring component checks DCDiag and various other settings on the domain controllers and sends a notification when issues occur. To enable AD Health Monitoring, you need to create a Health Profile.
A Health Profile consists of the following components:
To create a Test Template, click on “Manage Settings” under the Tenants and Settings section in the left pane:
Once you click on “Create Template”, the Create New Template window opens. Provide the following inputs for creating a Test Template:
Once done, click on “Create Template” button to create the template.
To create an email Template, click on “Create Template” button and select “Email Template” in the Template Type drop down as shown in the screenshot below:
Next, load the Email Template from the list of available templates and provide the Email Settings described in the Email Template table earlier in this document:
Once you have created a Test Template and an Email Template, the next step is to create a Schedule. To create the Schedule, switch to the “Schedules” tab on the same screen and then click on the “Create Schedule” button.
The following inputs need to be provided for creating the schedule:
Once done, click on “Create/Update Schedule” button to create the schedule.
Once the schedules have been created, they will appear under the Health Check Profiles section in the left pane:
To start using the Health Check Profiles, expand a Health Check Profile in the “Health Check Profiles” left pane and then click on one of the menu items under “Manual_Refresh”:
A Health Check Profile can be executed manually to check the health of the Active Directory environment. Please note that Health Check profiles can only be executed from the Manual_Refresh schedule. Click on “Execution/Log” item to open the execution window for health profile as shown below:
When you click on the “Execute” button, the health profile items are executed and the results become available in the Objects Health window.
To see the status of all health items as part of Active Directory Health Check, please click on “Objects Health”:
In Objects Health you can see the DCDiag status of the domain controllers, DC event logs, services, disk space, time sync and other items.
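As an added example (not SmartProfiler's own code), the following PowerShell performs a minimal version of the checks the Objects Health view reports (DCDiag, DC services, disk space and time sync) and sends a notification built from the fields of the Email Template table. It assumes Windows PowerShell 5.1 with the ActiveDirectory RSAT module on a domain-joined host; the template values are the sample values from the table, not real settings, and the service list, 10% disk threshold and 5-minute skew threshold are assumptions.

```powershell
# Added example, not SmartProfiler's own code. Assumes Windows PowerShell 5.1 with the
# ActiveDirectory RSAT module; $EmailTemplate holds the sample values from the table.
Import-Module ActiveDirectory
$EmailTemplate = @{
    EmailTo = 'Support@YourDomain.com'; SmtpServer = 'smtp.office365.com'; SmtpPort = 587
    UseSsl  = $true; SenderEmail = 'Alerts@domain.com'; SenderUsername = 'Alerts@domain.com'
    UsingOpenRelay = 'No'; Subject = 'SmartProfiler-SecID Health Notification'
}
function Get-DcHealth {
    param([Parameter(Mandatory)] [string] $DcName)
    $issues = @()
    # DCDiag in quiet mode prints only failures, so any line mentioning "failed" is a finding
    $failed = @(dcdiag.exe /s:$DcName /q 2>&1 | Where-Object { $_ -match 'failed' })
    if ($failed) { $issues += "DCDiag: $($failed -join '; ')" }
    # Core services every writable DC must be running (assumed list)
    foreach ($svc in 'NTDS', 'DNS', 'Netlogon', 'Kdc', 'W32Time') {
        $s = Get-Service -ComputerName $DcName -Name $svc -ErrorAction SilentlyContinue
        if (-not $s -or $s.Status -ne 'Running') { $issues += "Service $svc not running" }
    }
    # System drive below 10% free space (assumed threshold)
    $disk = Get-CimInstance -ComputerName $DcName -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"
    if ($disk -and ($disk.FreeSpace / $disk.Size) -lt 0.10) { $issues += 'System drive below 10% free' }
    # Coarse time-sync check against this host: Kerberos tolerates 5 minutes of skew by default
    $os   = Get-CimInstance -ComputerName $DcName -ClassName Win32_OperatingSystem
    $skew = [math]::Abs(($os.LocalDateTime - (Get-Date)).TotalSeconds)
    if ($skew -gt 300) { $issues += "Clock skew of $([int]$skew)s against this host" }
    return $issues
}
function Send-HealthNotification {
    param([Parameter(Mandatory)] [string] $Body)
    $mail = @{
        To = $EmailTemplate.EmailTo; From = $EmailTemplate.SenderEmail; Subject = $EmailTemplate.Subject
        SmtpServer = $EmailTemplate.SmtpServer; Port = $EmailTemplate.SmtpPort; UseSsl = $EmailTemplate.UseSsl
        Body = $Body
    }
    # "Using Open Relay = No" means the SMTP server expects the sender to authenticate;
    # prompt for the sender password instead of embedding it in the script
    if ($EmailTemplate.UsingOpenRelay -ne 'Yes') {
        $mail.Credential = Get-Credential -UserName $EmailTemplate.SenderUsername -Message 'Sender password'
    }
    Send-MailMessage @mail
}
# Check every DC in the current domain and notify only when something is wrong
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $issues = Get-DcHealth -DcName $dc.HostName
    if ($issues) { "$($dc.HostName): $($issues -join '; ')" }
}
if ($report) { Send-HealthNotification -Body ("DC health issues found:`n" + ($report -join "`n")) }
```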
Try SmartProfiler, a unified tool to help with security evaluation across many Microsoft technologies.