AD scan setup

Prerequisites

The endpoint (workstation or server) used to run the scan must meet the following prerequisites:

  • Windows version

    • Windows 10 or later on a workstation

    • Windows Server 2012 R2 or later on a server

  • Internet access (outbound HTTPS to https://api.prod.ad-scan.cyber.stoik.io; see "PingCastle interruption" below)

  • Joined to the Active Directory domain, with network access to a domain controller

  • Logged in with a domain administrator account. Because the script runs with these rights, run it only from a trusted, up-to-date endpoint and only with a script you have just downloaded from the Stoïk platform.

  • Allow execution of unsigned scripts

    • First solution -> Run the following command: Set-ExecutionPolicy Unrestricted -Scope LocalMachine. This setting is persistent and applies to every user of the endpoint; revert it to its previous value after the scan (Get-ExecutionPolicy -List shows the current values).

    • Second solution -> Add the downloaded file to the exclusion list in Defender or a similar solution. Then change the execution policy for the current console only: Set-ExecutionPolicy Bypass -Scope Process, and run the script. This scope is discarded when the console is closed, so nothing persistent is changed.

  • Use a script downloaded within the last 24 hours

  • Have the latest version of PowerShell installed

    • Run the following command to check the current version: $PSVersionTable.PSVersion
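The following pre-flight script checks every prerequisite in the list above from one PowerShell console. It is an added example, not part of the Stoïk scan script: the function name, the version thresholds (Windows 10 / Server 2012 R2, Windows PowerShell 5.1) and the ports used for the connectivity checks (LDAP 389 to the domain controller, HTTPS 443 to the scan API) are assumptions derived from this page.

```powershell
# Added example: pre-flight checks for the AD scan prerequisites listed on this page.
# Not the Stoïk script itself; function name and thresholds are assumptions.
# Run it in the console you intend to start the scan from.

function Test-AdScanPrerequisites {
    [CmdletBinding()]
    param(
        # API endpoint named in the "PingCastle interruption" section; assumed to answer on TCP 443.
        [string]$ApiHost = 'api.prod.ad-scan.cyber.stoik.io'
    )

    $results = [ordered]@{}

    # 1. Windows version. ProductType 1 = workstation, 2 = domain controller, 3 = member server.
    #    Windows 10/11 and Server 2016+ report 10.0.x; Server 2012 R2 reports 6.3.x.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    $results['WindowsVersion'] = if ($os.ProductType -eq 1) { $ver -ge [version]'10.0' }
                                 else                       { $ver -ge [version]'6.3' }

    # 2. PowerShell version: 5.1 is the last Windows PowerShell release, so anything older is flagged.
    $results['PowerShellVersion'] = $PSVersionTable.PSVersion -ge [version]'5.1'

    # 3. Domain membership.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['DomainJoined'] = [bool]$cs.PartOfDomain

    # 4. Current user is a Domain Admin: that group's RID is always 512 (S-1-5-21-<domain>-512).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $results['DomainAdmin'] = [bool]($identity.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-512' })

    # 5. Elevated console: with UAC, a non-elevated token carries the admin groups as deny-only.
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $results['Elevated'] = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # 6. Effective execution policy for this process: Bypass or Unrestricted lets an unsigned script run.
    $results['ExecutionPolicy'] = (Get-ExecutionPolicy).ToString() -in @('Bypass', 'Unrestricted')

    # 7. Domain controller reachable over LDAP. LOGONSERVER is set to \\<DC> at logon.
    $dc = $env:LOGONSERVER -replace '^\\\\', ''
    $results['DomainControllerReachable'] = if ($dc) {
        (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    } else { $false }

    # 8. Outbound HTTPS to the scan API (covers both DNS resolution and a firewall block on 443).
    $results['ApiReachable'] = (Test-NetConnection -ComputerName $ApiHost -Port 443 `
                                -WarningAction SilentlyContinue).TcpTestSucceeded

    return $results
}

$checks = Test-AdScanPrerequisites
$checks.GetEnumerator() | Format-Table Name, Value -AutoSize
if ($checks.Values -contains $false) {
    Write-Warning 'At least one prerequisite is not met; fix it before running the scan.'
}
```

A FAIL on ApiReachable with DomainControllerReachable OK is the symptom described under "PingCastle interruption" below and points at an egress firewall or proxy rule rather than at the domain.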

Initial setup

  1. Click on Active Directory

  2. Download the script

If the AD scan script does not download, your security settings may be blocking it. Check whether the file appears in your browser's download list or in the Downloads folder. If the problem persists, adjust your security settings to allow the download.

  3. Run the script in a PowerShell console on an endpoint that meets the prerequisites above.

Re-run the scan

The AD scan is not scheduled: each new run must be started manually. The downloaded script is only valid for 24 hours; after that, download it again before running it.

The scan can be rerun as many times as necessary:

  • Under normal operation, we recommend running it monthly

  • During infrastructure security hardening phases, it can be run more frequently to verify that misconfigurations have been corrected.

The AD scan is automatically re-run daily for Stoïk MDR customers.

Debugging the AD scan

Console closes as soon as the script starts

This usually means that script execution is restricted by the execution policy of the console that opened it. Here's a three-step workaround that does not change the machine-wide policy:

  1. Download the script, open the Downloads folder in File Explorer, then type powershell -ep bypass in the address bar and press Enter.

  2. A PowerShell console opens in that folder. Type & followed by a space, then press Tab until the name of the downloaded script file is shown.

  3. Press Enter.
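An equivalent launcher, written as an added example rather than taken from the Stoïk page, that does the same from an already open console and also keeps the output when the window would otherwise close: it checks the 24-hour validity rule, starts an elevated child console with a process-scoped Bypass policy, leaves the window open and writes a transcript. The script file name (ad-scan.ps1), its location and the transcript path are assumptions.

```powershell
# Added example, not the Stoïk scan script: run the downloaded script with a bypass that is
# limited to one child process, keep the window open and capture a transcript of the run.
# File names and paths are assumptions; adjust them to the file you actually downloaded.
$scriptPath = Join-Path $env:USERPROFILE 'Downloads\ad-scan.ps1'            # assumed name
$logPath    = Join-Path $env:USERPROFILE 'Downloads\ad-scan-transcript.txt' # assumed name

if (-not (Test-Path -LiteralPath $scriptPath)) {
    throw "Script not found: $scriptPath (download it from the Stoïk platform first)."
}

# The page states that a downloaded script is only valid for 24 hours.
$age = (Get-Date) - (Get-Item -LiteralPath $scriptPath).CreationTime
if ($age.TotalHours -gt 24) {
    throw ("Script is {0:N0} hours old; download it again before running it." -f $age.TotalHours)
}

# -ExecutionPolicy Bypass applies only to this child process (no LocalMachine change to revert),
# -NoExit keeps the console open so an error stays readable, and Start-Transcript records the
# whole run to a file in case the window is closed anyway. -Verb RunAs requests elevation.
$inner = "Start-Transcript -Path '$logPath' -Append; & '$scriptPath'; Stop-Transcript"
Start-Process -FilePath 'powershell.exe' -Verb RunAs `
    -ArgumentList @('-NoExit', '-ExecutionPolicy', 'Bypass', '-Command', $inner)
```

If the new console still closes immediately, the transcript file contains the last error message, which is what support will ask for.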

PingCastle interruption

If the PingCastle phase of the scan stops before completing, check that both of these conditions are met:

  • The endpoint can reach a domain controller of its domain, and has internet access

  • Your firewall or proxy is not blocking outbound HTTPS to https://api.prod.ad-scan.cyber.stoik.io

Delete data after script execution

If you wish to delete the data after the script has run, you can execute the following command:
