Administration

Active Directory management and monitoring

Register AD forests, run inventory and health scans, detect stale accounts, monitor security events, and manage backups -- all dispatched through your existing SPOG agents.

Technical Manual
Status: Available

Prerequisites

  • At least one organization with an online host running the Go agent v1.7.0 or later
  • The probe host must be a domain-joined Windows server with RSAT tools installed (RSAT-AD-PowerShell, RSAT-AD-Tools)
  • The probe host must have repadmin available for replication health checks
  • Role with ad.view for read operations
  • Role with ad.manage for configuration and triggering scans
  • Role with ad.execute for ADGLP remediation and creating backups
  • Role with ad.restore for restoring from backup (highest privilege level)

RSAT installation command: if RSAT is missing on the probe host, install it via PowerShell:

    Install-WindowsFeature RSAT-AD-PowerShell, RSAT-AD-Tools
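Before registering a forest it is worth confirming that the candidate probe host satisfies every prerequisite listed above, since a host that fails any of them produces the "All AD jobs failing" symptom in the troubleshooting table. The following check script is an added example, not part of the SPOG manual or product; run it in an elevated PowerShell session on the Windows Server host you intend to use as the probe (the agent version itself is visible on the Hosts page and is not checked here).

```powershell
# Added example, not SPOG code: verify a candidate probe host meets the prerequisites.
function Test-ProbeHostPrerequisites {
    [CmdletBinding()]
    param()

    $checks = [ordered]@{}

    # The probe host must be domain-joined.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $checks['DomainJoined'] = [bool]$cs.PartOfDomain

    # Both RSAT features named in the prerequisites must be installed.
    # Get-WindowsFeature comes from the ServerManager module (Windows Server only).
    foreach ($feature in 'RSAT-AD-PowerShell', 'RSAT-AD-Tools') {
        $f = Get-WindowsFeature -Name $feature -ErrorAction SilentlyContinue
        $checks[$feature] = [bool]($f -and $f.Installed)
    }

    # The ActiveDirectory module must actually import, not merely be listed.
    $checks['ActiveDirectoryModule'] = [bool](Import-Module ActiveDirectory -PassThru -ErrorAction SilentlyContinue)

    # repadmin.exe must be resolvable on PATH for replication health checks.
    $checks['repadmin'] = [bool](Get-Command repadmin.exe -ErrorAction SilentlyContinue)

    # A domain controller must be reachable from this host, otherwise every AD job fails.
    $checks['DomainControllerReachable'] = [bool](Get-ADDomainController -Discover -ErrorAction SilentlyContinue)

    $checks['AllPrerequisitesMet'] = -not ($checks.Values -contains $false)
    [pscustomobject]$checks
}

Test-ProbeHostPrerequisites | Format-List
```

Any `False` in the output maps directly to a prerequisite bullet above; fix it on the host before registering the forest rather than after the first scan sits in "pending".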

Registering a forest

Each AD forest must be registered before SPOG can scan or manage it. One forest DNS name is allowed per organization.

  1. Identify a domain-joined Windows host in the target organization that has RSAT installed -- this becomes the probe host
  2. Navigate to Active Directory > Forests
  3. Click Register Forest
  4. Enter the Forest DNS Name -- this must be the FQDN of the forest root domain (e.g., corp.example.com)
  5. Select the Probe Host -- must belong to the same organization
  6. Set the Scan Interval (1-168 hours, default: 6)
  7. Click Save

Forest DNS Name: FQDN of the forest root domain. Must be unique per organization.
Probe Host: The host that executes AD scans. Must be in the same org as the forest.
Scan Interval (hours): Automatic inventory scan frequency (default: 6, range: 1-168). The scheduler checks every 30 minutes.
Active: Disable to pause all scheduled scans without deleting the forest.

Running inventory scans

Inventory scans enumerate users, computers, groups, OUs, GPOs, domain controllers, sites, subnets, and service accounts across the forest.

  1. Navigate to the forest detail page
  2. Click Run Inventory Scan (requires ad.manage)
  3. The system dispatches a job to the probe host. Status begins as pending.
  4. Once complete, view results on the Inventory tab

Scan results include

  • Denormalized counts: total users, computers, groups, OUs, GPOs, DCs
  • Domain controller details with OS versions
  • Sites and subnets topology
  • GPO summary
  • Server and client OS distribution breakdown
  • Group type distribution

Scheduled scans: Inventory scans also run automatically at the configured scan interval. The scheduler checks for due scans every 30 minutes. A scheduled scan is skipped if a previous scan is still running.

Stale account detection

Configure policies to identify dormant or unused user and computer accounts that may pose security risks.

  1. Navigate to the forest detail page > Stale Accounts tab
  2. Click Create Policy
  3. Select the object type: user or computer (one policy per type per forest)
  4. Configure detection thresholds
  5. Set the scan interval (1-168 hours, default: 24)
  6. Click Save

Stale Logon Threshold (days): Days since last logon before marking the account as stale (default: 90, range: 1-3650)
Never Logged On Threshold (days): Days since account creation with no logon before flagging (default: 30)
Stale Password Threshold (days): Days since last password change before flagging (default: 180)
Scan Interval (hours): How often to run the stale audit (default: 24, range: 1-168)

Viewing results

After a scan completes, the results page shows per-account details including DN, SAM account name, display name, last logon date, creation date, enabled status, and password last set date. Use this data to feed your deprovisioning or cleanup workflows.
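To see how the three thresholds above combine into a per-account verdict, and to reproduce the columns the results page shows, the following script is an added example (not SPOG's own scan code). It uses the RSAT ActiveDirectory module with the same default thresholds (90 / 30 / 180 days); the `-InputObject` parameter and the `Reasons` column are additions of this example, and the sample records at the bottom are constructed, not real directory data.

```powershell
# Added example, not SPOG code: stale-account classification with the manual's thresholds.
Import-Module ActiveDirectory

function Get-StaleAccountReport {
    [CmdletBinding()]
    param(
        [ValidateSet('user', 'computer')]
        [string]$ObjectType = 'user',
        # Thresholds mirror the policy fields (defaults 90 / 30 / 180 days).
        [ValidateRange(1, 3650)] [int]$StaleLogonDays = 90,
        [int]$NeverLoggedOnDays = 30,
        [int]$StalePasswordDays = 180,
        # Assumed parameter: pre-fetched objects (or constructed test data) instead of a live query.
        [object[]]$InputObject
    )

    $now = Get-Date
    $props = 'LastLogonDate', 'PasswordLastSet', 'whenCreated', 'Enabled',
             'DisplayName', 'SamAccountName', 'DistinguishedName'

    if (-not $InputObject) {
        # LastLogonDate derives from lastLogonTimestamp, which replicates but is only
        # refreshed every 9-14 days by default; treat it as approximate, not exact.
        $InputObject = switch ($ObjectType) {
            'user'     { Get-ADUser -Filter * -Properties $props }
            'computer' { Get-ADComputer -Filter * -Properties $props }
        }
    }

    foreach ($acct in $InputObject) {
        $reasons = @()
        if ($null -eq $acct.LastLogonDate) {
            # Never logged on: only flag once the account is older than the threshold.
            if (($now - $acct.whenCreated).TotalDays -gt $NeverLoggedOnDays) { $reasons += 'never_logged_on' }
        } elseif (($now - $acct.LastLogonDate).TotalDays -gt $StaleLogonDays) {
            $reasons += 'stale_logon'
        }
        if ($acct.PasswordLastSet -and ($now - $acct.PasswordLastSet).TotalDays -gt $StalePasswordDays) {
            $reasons += 'stale_password'
        }
        if ($reasons.Count -eq 0) { continue }

        # Same columns the results page shows, plus why the account was flagged.
        [pscustomobject]@{
            DN              = $acct.DistinguishedName
            SamAccountName  = $acct.SamAccountName
            DisplayName     = $acct.DisplayName
            LastLogonDate   = $acct.LastLogonDate
            Created         = $acct.whenCreated
            Enabled         = $acct.Enabled
            PasswordLastSet = $acct.PasswordLastSet
            Reasons         = $reasons -join ','
        }
    }
}

# Constructed sample (not real directory data) so the logic can be exercised without AD.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=alice,OU=Staff,DC=corp,DC=example,DC=com'; SamAccountName = 'alice'
                       DisplayName = 'Alice'; LastLogonDate = (Get-Date).AddDays(-3); PasswordLastSet = (Get-Date).AddDays(-20)
                       whenCreated = (Get-Date).AddYears(-2); Enabled = $true }
    [pscustomobject]@{ DistinguishedName = 'CN=bob,OU=Staff,DC=corp,DC=example,DC=com'; SamAccountName = 'bob'
                       DisplayName = 'Bob'; LastLogonDate = (Get-Date).AddDays(-120); PasswordLastSet = (Get-Date).AddDays(-400)
                       whenCreated = (Get-Date).AddYears(-3); Enabled = $true }
    [pscustomobject]@{ DistinguishedName = 'CN=svc-legacy,OU=Service,DC=corp,DC=example,DC=com'; SamAccountName = 'svc-legacy'
                       DisplayName = 'Legacy service'; LastLogonDate = $null; PasswordLastSet = (Get-Date).AddDays(-45)
                       whenCreated = (Get-Date).AddDays(-45); Enabled = $false }
)
Get-StaleAccountReport -InputObject $sample | Format-Table SamAccountName, Enabled, Reasons -AutoSize

# Live run: stale but still-enabled users are the exposure, so list those first.
# Get-StaleAccountReport -ObjectType user | Where-Object Enabled | Sort-Object LastLogonDate
```

The `Reasons` column is the useful addition for a cleanup workflow: an enabled account flagged only for `stale_password` needs a different action (rotate or convert to a managed service account) than one flagged `never_logged_on`, which is usually a provisioning leftover that can simply be disabled.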

On-demand scan

Trigger an immediate stale audit by clicking Scan Now on the stale accounts tab. Filter by user or computer.

Replication health monitoring

Monitor AD replication convergence and identify failing replication partnerships before they cause data inconsistency.

  1. Navigate to the forest detail page > Replication tab
  2. Click Run Replication Check (or wait for scheduled check)
  3. Review the results dashboard

Result fields

Convergence Time: Seconds for a change to replicate across all DCs
Partner Counts: Total, healthy, and failed replication partner counts
Partner Details: Per-partner replication status with last success/failure times
Failure Details: Specific replication failures with error codes and messages
Replication Summary: Parsed repadmin /replsummary output

Use the History tab to view replication trends over time and spot degrading partnerships.
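The partner counts and per-partner detail above can be reproduced directly on the probe host, which is useful when the dashboard reports failed partners and you want the raw error before the next scheduled check. The following is an added example, not SPOG code: the product parses repadmin /replsummary, whereas this script reads the same replication metadata through the RSAT cmdlets Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure, so the numbers should agree but the source differs.

```powershell
# Added example, not SPOG code: partner counts and failure detail via RSAT replication cmdlets.
Import-Module ActiveDirectory

function Get-ReplicationHealthSummary {
    [CmdletBinding()]
    param(
        # Defaults to every writable DC in the forest; pass hostnames to narrow the check.
        [string[]]$DomainController = (
            (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Identity $_).ReplicaDirectoryServers }
        )
    )

    $partners = foreach ($dc in $DomainController) {
        # -Scope Server returns one row per partner per partition for that DC.
        Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Both -ErrorAction Continue
    }
    $failures = foreach ($dc in $DomainController) {
        Get-ADReplicationFailure -Target $dc -Scope Server -ErrorAction Continue
    }

    $detail = foreach ($p in $partners) {
        [pscustomobject]@{
            Server      = $p.Server
            Partner     = $p.Partner                  # DN of the partner's NTDS Settings object
            Direction   = $p.PartnerType
            Partition   = $p.Partition
            LastSuccess = $p.LastReplicationSuccess
            LastAttempt = $p.LastReplicationAttempt
            ResultCode  = $p.LastReplicationResult    # 0 means the last attempt succeeded
            Consecutive = $p.ConsecutiveReplicationFailures
            Healthy     = ($p.LastReplicationResult -eq 0)
        }
    }

    [pscustomobject]@{
        TotalPartners   = @($detail).Count
        HealthyPartners = @($detail | Where-Object Healthy).Count
        FailedPartners  = @($detail | Where-Object { -not $_.Healthy }).Count
        PartnerDetails  = @($detail)
        # Error codes and messages, the equivalent of the Failure Details field.
        FailureDetails  = @($failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError)
    }
}

$summary = Get-ReplicationHealthSummary
$summary | Select-Object TotalPartners, HealthyPartners, FailedPartners
$summary.PartnerDetails | Where-Object { -not $_.Healthy } |
    Format-Table Server, Partner, Partition, LastSuccess, ResultCode, Consecutive -AutoSize
$summary.FailureDetails | Format-Table -AutoSize
```

A partner that shows a recent `LastAttempt` but an old `LastSuccess` with a climbing `Consecutive` count is the degrading partnership the History tab is meant to surface; a `LastSuccess` older than the tombstone lifetime means the partner must be checked before it is allowed to replicate again.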

Group analysis and ADGLP remediation

Analyze AD group structures for nesting violations, circular memberships, ADGLP policy violations, empty groups, and direct permission assignments.

  1. Navigate to the forest detail page > Groups tab
  2. Click Run Group Analysis
  3. Once complete, review violations and the recommended remediation plan

Executing ADGLP remediation

  1. Review the ADGLP remediation plan on the analysis detail page
  2. Click Execute Remediation (requires ad.execute)
  3. Confirm the list of modifications: each is an add_member or remove_member action with group DN and member DN
  4. The system creates a job with no automatic retries for safety
  5. Monitor the job on the Jobs page

No auto-retry: ADGLP remediation jobs intentionally have zero retries. If a modification fails, investigate the error before re-running manually. Group membership changes in production AD require careful handling.
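The analysis step and the remediation plan it feeds are easier to reason about with a concrete, reproducible instance. The following is an added example, not SPOG's analysis engine: it runs over constructed group data, detects circular nesting, empty groups, and one common ADGLP rule (accounts placed directly in Domain Local groups instead of reaching them through a Global group), and emits proposed modifications in the same add_member / remove_member shape described above. Which ADGLP rules the product enforces beyond this one is an assumption of this example; its output is review input for the confirmation step, not something to apply unreviewed.

```powershell
# Added example, not SPOG code: minimal group analysis producing an ADGLP remediation plan.
function Get-GroupAnalysis {
    param(
        # Objects with DistinguishedName, GroupScope, and Members (array of member DNs).
        [Parameter(Mandatory)] [object[]]$Groups,
        # DNs of user/computer accounts, so a member can be classified as account vs group.
        [string[]]$AccountDNs = @()
    )
    $byDn = @{}
    foreach ($g in $Groups) { $byDn[$g.DistinguishedName] = $g }

    $findings = [System.Collections.Generic.List[object]]::new()
    $plan     = [System.Collections.Generic.List[object]]::new()
    $seenCycles = [System.Collections.Generic.HashSet[string]]::new()

    # 1. Empty groups.
    foreach ($g in $Groups) {
        if (@($g.Members).Count -eq 0) {
            $findings.Add([pscustomobject]@{ Type = 'empty_group'; Group = $g.DistinguishedName; Member = $null })
        }
    }

    # 2. Circular membership: depth-first walk of the nesting graph, carrying the path.
    function Find-Cycles([string]$dn, [string[]]$path) {
        if ($path -contains $dn) {
            $start = [array]::IndexOf($path, $dn)
            $cycleNodes = $path[$start..($path.Count - 1)]
            $key = ($cycleNodes | Sort-Object) -join '|'          # dedupe the same cycle seen from another entry point
            if ($seenCycles.Add($key)) {
                $findings.Add([pscustomobject]@{ Type = 'circular_membership'; Group = (($cycleNodes + $dn) -join ' -> '); Member = $null })
            }
            return
        }
        $g = $byDn[$dn]
        if (-not $g) { return }
        foreach ($m in @($g.Members)) {
            if ($byDn.ContainsKey($m)) { Find-Cycles $m ($path + $dn) }
        }
    }
    foreach ($g in $Groups) { Find-Cycles $g.DistinguishedName @() }

    # 3. ADGLP: accounts should reach Domain Local groups through a Global group.
    foreach ($g in ($Groups | Where-Object GroupScope -eq 'DomainLocal')) {
        foreach ($m in @($g.Members)) {
            if ($m -in $AccountDNs) {
                $findings.Add([pscustomobject]@{ Type = 'adglp_direct_account_in_domain_local'; Group = $g.DistinguishedName; Member = $m })
                # Only the removal is proposed: choosing the Global group to add the account to
                # needs a human decision, which is why the plan is confirmed before execution.
                $plan.Add([pscustomobject]@{ action = 'remove_member'; group_dn = $g.DistinguishedName; member_dn = $m })
            }
        }
    }

    [pscustomobject]@{ Findings = $findings; RemediationPlan = $plan }
}

# Constructed sample data (not a real directory): a nesting loop, an empty group, and a
# user placed directly in a Domain Local resource group.
$base = 'DC=corp,DC=example,DC=com'
$groups = @(
    [pscustomobject]@{ DistinguishedName = "CN=Sales,OU=Groups,$base";       GroupScope = 'Global';      Members = @("CN=Sales-Leads,OU=Groups,$base", "CN=alice,OU=Staff,$base") }
    [pscustomobject]@{ DistinguishedName = "CN=Sales-Leads,OU=Groups,$base"; GroupScope = 'Global';      Members = @("CN=Sales,OU=Groups,$base") }
    [pscustomobject]@{ DistinguishedName = "CN=FS-Sales-RW,OU=Groups,$base"; GroupScope = 'DomainLocal'; Members = @("CN=Sales,OU=Groups,$base", "CN=bob,OU=Staff,$base") }
    [pscustomobject]@{ DistinguishedName = "CN=Orphans,OU=Groups,$base";     GroupScope = 'Global';      Members = @() }
)
$accounts = "CN=alice,OU=Staff,$base", "CN=bob,OU=Staff,$base"

$result = Get-GroupAnalysis -Groups $groups -AccountDNs $accounts
$result.Findings        | Format-Table -AutoSize
$result.RemediationPlan | Format-Table -AutoSize

# Live data in the same shape (read-only query):
# Get-ADGroup -Filter * -Properties member, GroupScope |
#     Select-Object DistinguishedName, GroupScope, @{ n = 'Members'; e = { @($_.member) } }
```

The design choice worth copying is that the plan contains only reversible, individually reviewable actions; combined with the zero-retry policy above, that means a failed modification leaves the directory in a known state that you can inspect before deciding whether to re-run.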

WEF event monitoring

Monitor security events from Windows Event Forwarding across your forest. Configure which event categories to collect and how frequently to poll.

  1. Navigate to the forest detail page > Events tab
  2. Click Configure Event Monitoring
  3. Toggle event categories on or off
  4. Optionally add watched group DNs for targeted group change monitoring
  5. Set the poll interval (60-86400 seconds, default: 300)
  6. Click Save

Event type mappings

Windows Event ID       | Event Type
4728, 4732, 4756       | group_member_added
4729, 4733, 4757       | group_member_removed
4624                   | logon_success
4625                   | logon_failure
4740                   | account_lockout
4768                   | kerberos_tgt_request
4769                   | kerberos_service_ticket
4771                   | kerberos_preauth_failure

Monitoring configuration toggles

Monitor Group Changes: Enable/disable collection of group membership events (4728, 4729, 4732, 4733, 4756, 4757)
Monitor Logon Events: Enable/disable collection of logon events (4624, 4625)
Monitor Account Lockouts: Enable/disable collection of account lockout events (4740)
Monitor Kerberos Events: Enable/disable collection of Kerberos authentication events (4768, 4769, 4771)
Watched Groups: Optional list of specific group DNs to watch for targeted group change monitoring
Poll Interval: Collection frequency (60-86400 seconds, default: 300)

View collected events at Events > Event Log. Filter by event type, date range, or use the summary view for aggregated counts over a configurable time window.
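The mapping table and the high-water-mark cursor named in the scan interval reference are straightforward to reproduce on a WEF collector, which helps when events appear to be missing and you want to confirm whether the subscription or the cursor is at fault. The following is an added example, not the SPOG agent's collector: the ForwardedEvents log name, the cursor file path, and matching watched groups on the group's sAMAccountName (what the event carries; the product's Watched Groups field takes DNs) are assumptions of this example.

```powershell
# Added example, not SPOG code: poll ForwardedEvents with a RecordId cursor and map event IDs
# to the event types in the table above.
$EventTypeMap = @{
    4728 = 'group_member_added';   4732 = 'group_member_added';      4756 = 'group_member_added'
    4729 = 'group_member_removed'; 4733 = 'group_member_removed';    4757 = 'group_member_removed'
    4624 = 'logon_success';        4625 = 'logon_failure';           4740 = 'account_lockout'
    4768 = 'kerberos_tgt_request'; 4769 = 'kerberos_service_ticket'; 4771 = 'kerberos_preauth_failure'
}

function Get-ForwardedSecurityEvents {
    param(
        # Highest RecordId already processed. Persist it between polls; setting it back to 0
        # is the "manual cursor reset" the troubleshooting table refers to.
        [long]$SinceRecordId = 0,
        [string]$LogName = 'ForwardedEvents',     # assumed WEF subscription target log
        [string[]]$WatchedGroupNames = @(),        # sAMAccountNames; empty means report all group events
        [int]$MaxEvents = 5000
    )
    # Filter in the query, not in PowerShell: EventRecordID is the cursor, and -Oldest makes the
    # batch ascending so a capped batch advances the cursor only as far as it actually read.
    $idClause = ($EventTypeMap.Keys | Sort-Object | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath = "*[System[($idClause) and EventRecordID > $SinceRecordId]]"
    $events = @(Get-WinEvent -LogName $LogName -FilterXPath $xpath -Oldest -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

    $newCursor = $SinceRecordId
    $records = foreach ($e in $events) {
        $newCursor = $e.RecordId                  # advance even for events filtered out below
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = $EventTypeMap[[int]$e.Id]
        # In the group events, TargetUserName is the group and MemberName is the member's DN.
        if ($type -like 'group_member_*' -and $WatchedGroupNames.Count -gt 0 -and
            ($data['TargetUserName'] -notin $WatchedGroupNames)) { continue }
        [pscustomobject]@{
            RecordId  = $e.RecordId
            Time      = $e.TimeCreated
            Computer  = $e.MachineName            # the forwarding DC, not the collector
            EventId   = $e.Id
            EventType = $type
            Subject   = $data['SubjectUserName']
            Target    = $data['TargetUserName']
            Member    = $data['MemberName']
            Status    = $data['Status']           # failure/status code on 4625, 4768, 4769, 4771
        }
    }
    [pscustomobject]@{ Events = @($records); NewCursor = $newCursor }
}

# Usage: load the cursor, poll, and persist the advanced cursor only after the batch is handled.
$cursorFile = "$env:ProgramData\spog-example\wef-cursor.txt"    # assumed path
$cursor = if (Test-Path $cursorFile) { [long](Get-Content $cursorFile) } else { 0 }
$batch = Get-ForwardedSecurityEvents -SinceRecordId $cursor -WatchedGroupNames 'Domain Admins', 'Enterprise Admins'
$batch.Events | Group-Object EventType | Select-Object Name, Count
New-Item -ItemType Directory -Path (Split-Path $cursorFile) -Force | Out-Null
Set-Content -Path $cursorFile -Value $batch.NewCursor
```

Two properties of this design matter for detection coverage: the cursor is written only after the batch has been processed, so a crash mid-batch re-reads rather than loses events, and the cursor is a RecordId rather than a timestamp, so events forwarded late by a DC that was offline are still picked up as long as they land in the log after the last read position. Events that arrive with a RecordId below the cursor (which can happen if the collector's log is cleared) are the case that needs the manual reset.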

Backup and restore

Creating a backup

  1. Navigate to the forest detail page > Backups tab
  2. Click Create Backup (requires ad.execute)
  3. Select the backup type: system_state, gpo, or dns_zone
  4. For GPO backups: enter the GPO name and GUID
  5. For DNS zone backups: enter the zone name
  6. Add an optional description
  7. Click Start Backup

Status flow: pending -> uploading -> completed (or failed)
Encryption: All backup files are encrypted at rest with AES-256-GCM using the organization's secret. This is transparent -- no user action required.
Integrity: A SHA-256 hash is stored and verified on every download.

Downloading a backup

  1. Navigate to the backup list and find the completed backup
  2. Click Download (requires ad.view)
  3. The file is decrypted on the fly and streamed to your browser
  4. The SHA-256 hash is verified after decryption for integrity
  5. The download is recorded in the audit log

Restoring from backup

  1. Find the completed backup on the Backups tab
  2. Click Restore (requires ad.restore -- highest privilege level)
  3. Confirm the restore operation
  4. The probe agent downloads the backup (decrypted on the fly by the server) and executes the restore
  5. Monitor the restore job on the Jobs page

Restore is a privileged operation: ad.restore is the highest AD permission level. Only grant it to senior administrators. Restore operations cannot be undone.

Deleting a backup

Click Delete on a backup record (requires ad.manage). This removes both the database record and the encrypted file from disk. There is no automated backup retention policy -- manage cleanup manually.

Cross-forest dashboard

The AD dashboard aggregates data across all active forests for a given organization, showing total counts of forests, domains, users, computers, groups, and domain controllers along with per-forest summaries from the latest completed inventory scans.

No counts showing? Dashboard data comes from completed inventory scans. If no scans have run yet, the dashboard will show zeroes. Run an inventory scan first.

Scan interval reference

Scan type            | Range               | Default      | Notes
Forest inventory     | 1-168 hours         | 6 hours      | Scheduler checks every 30 min
Stale account audit  | 1-168 hours         | 24 hours     | One policy per object type per forest
Event collection     | 60-86400 seconds    | 300 seconds  | Uses high-water mark cursor

Permissions reference

Permission  | Grants
ad.view     | List/view forests, domains, inventory, stale results, replication, groups, events, backups, download backups, dashboard
ad.manage   | Create/update/delete forests and stale policies. Configure event monitoring. Trigger inventory, stale, replication, and group scans. Delete backups.
ad.execute  | Execute ADGLP remediation (group modifications). Create backups.
ad.restore  | Restore from backup. Highest privilege level.

Troubleshooting

Symptom                      | Cause                                                         | Fix
No scans running             | Forest is disabled or no probe host assigned                  | Enable the forest and assign a probe host
Scan stuck in "pending"      | Probe host offline or agent not polling                       | Verify probe host status is "online" on the Hosts page
All AD jobs failing          | Probe host missing RSAT tools                                 | Install RSAT on the probe host (see prerequisites)
422 on forest create         | Probe host in different org                                   | Probe host must belong to the same organization as the forest
409 on forest create         | A forest with that DNS name already exists in the organization | Update or delete the existing forest first
409 on stale policy create   | Policy already exists for that object type                    | Update the existing policy or delete it first
422 on restore               | Backup not in "completed" status                              | Wait for backup to complete or choose a different backup
Missing events               | Event cursor not reset                                        | The event collection cursor may need a manual reset if events were missed while the agent was offline
Dashboard shows no counts    | No completed inventory scans                                  | Run an inventory scan first
Backup files accumulating    | No automated retention policy                                 | There is no automated backup cleanup. Delete old backups manually from the Backups tab.