On-premise ADI

The On-premise Active Directory Integration (OADI) lets you synchronize the Users and Groups of your Microsoft on-premise Active Directory to your Phish Insight account. This feature uses the AD Sync Tool to retrieve the information from your Active Directory and upload it securely. You can visit our Data Privacy Policy F.A.Q. article to learn more about how Phish Insight protects your data.


After the integration, you can use the synchronized Users and Groups' information in your phishing simulation and training campaigns.


How does the On-premise ADI Work?

  1. Download and configure the AD Sync Tool.

  2. Start the synchronization.

  3. The AD Sync Tool uses your configuration to access the Active Directory, retrieves the Users and Groups' information, and uploads this data to the Phish Insight servers.

  4. Phish Insight adds the Users and Groups' information to your account. Please note that each sync overwrites all previously synced AD information.


Things to prepare before using On-premise ADI

  1. Microsoft On-premise Active Directory
    Note: Confirm if your Active Directory is only reachable through a proxy. If yes, you will need to configure the proxy in your AD Sync Tool later.
    • It should be running version 2006 or higher.

  2. PC to run AD Sync Tool
    Note: You can run the AD Sync Tool on a PC that meets any of the following requirements.
    • Windows Desktop 7/Vista/8/10
    • Windows Server 2008/2012/2016/2019 (64 bit)
    • Any Windows OS with .NET Framework 3.xx or above

  3. Domain information
    Note: The AD Sync Tool supports multiple domains.
    • IP address or Server FQDN - the domain where the AD Sync Tool will query the information
    • Username/Password to query LDAP: An AD account that has permission to perform LDAP queries on your domain

  4. Group names, e.g. `All of Company Users` (if you want to sync only the users under specific groups)
    Note: Group names are case-insensitive, but they must be spelled exactly as they appear in Active Directory.


Important: Please note that only groups with a type equal to "Distribution" are synced. Groups with a type equal to "Security" will not be synced.
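Before running the tool, the domain, account and group names gathered above can be checked from the PC that will run the sync. This is an added example and not part of the Phish Insight tool; the server, account and group names are constructed placeholders, and it uses plain .NET LDAP calls so it needs no RSAT module.

```powershell
# Added pre-flight check (not Phish Insight's own code). Placeholders below are
# constructed examples: replace them with your own domain, account and groups.
$Server   = 'dc01.corp.example'        # AD server FQDN or IP the AD Sync Tool will query
$User     = 'CORP\adsync-svc'          # account that only needs permission to run LDAP queries
$Password = Read-Host "Password for $User" -AsSecureString
$Groups   = @('All of Company Users', 'Finance Team')   # names exactly as spelled in AD

$plain = (New-Object System.Management.Automation.PSCredential($User, $Password)).GetNetworkCredential().Password

# 1. Can this account bind to the domain at all? DirectoryEntry binds lazily, so
#    touching NativeObject forces the bind and surfaces a bad FQDN or credentials now
#    rather than as "Unable to connect to the domain" during the sync.
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server", $User, $plain)
try {
    $null = $root.NativeObject
    Write-Host "LDAP bind OK: $($root.distinguishedName)"
} catch {
    throw "Unable to bind to $Server as $User : $($_.Exception.Message)"
}

# 2. Does each group exist, and is it a Distribution group? Security groups are not
#    synced, so a Security group here would yield "No users or groups found".
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'groupType'))
foreach ($g in $Groups) {
    # Escape LDAP filter metacharacters (RFC 4515); backslash must be replaced first.
    $escaped = $g.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $searcher.Filter = "(&(objectCategory=group)(cn=$escaped))"
    $hit = $searcher.FindOne()
    if (-not $hit) { Write-Warning "Group not found (check spelling): '$g'"; continue }
    # groupType has bit 0x80000000 set for Security groups and clear for Distribution groups.
    $type = [int]$hit.Properties['grouptype'][0]
    if (($type -band 0x80000000) -ne 0) {
        Write-Warning "'$g' is a Security group and will NOT be synced"
    } else {
        Write-Host "'$g' is a Distribution group: OK"
    }
}
```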


Downloading and Configuring AD Sync Tool

  1. Log in to your Phish Insight account then go to Settings and click AD synchronization.


  2. Click On-premise AD.
  3. Click Set active data source so that you can see your users and groups after the sync.

  4. Click Download to download an AD sync tool.

  5. Click Download to confirm.

  6. Extract the downloaded file. Open a command prompt and go to the directory of the extracted folder.


    Tip: In File Explorer, open the extracted folder and type cmd in the address bar. A command prompt opens automatically in that folder.

  7. In the command prompt, execute this command: ADSyncTool.exe -c

  8. Start the configuration.
    1. Specify the Active Directory server FQDN or IP address.
    2. Specify the user name (domain\user name).
    3. Specify the password.
    4. Does your Active Directory server need a proxy to connect?
      1. If yes, press y then enter. You can now start adding proxy configuration.
        1. Specify the proxy server protocol (HTTP or SOCKS5).
        2. Specify the proxy server FQDN or IP address.
        3. Specify the proxy server port number.
        4. Does the proxy server require authentication?
          1. If yes, press y then enter. You can now start adding proxy server credentials.
            1. Specify the user name.
            2. Specify the password.
          2. If no, press n then enter.
    5. The AD Sync Tool then verifies your configuration. If the configuration is invalid, update it and try again.
    6. Specify the type of email you want to sync.
      1. p - Primary SMTP address is the primary email address of an Exchange recipient object. For example, SMTP:user@contoso.com.
      2. s - Secondary SMTP address is a secondary email address of an Exchange recipient object; an object can have multiple secondary email addresses. For example, smtp:user@contoso.com.
        References: Primary and Secondary SMTP Address Terminology
    7. Specify group names that you want to sync.
      1. Specify a group.
      2. Do you have another group to sync?
        1. If yes, press y then enter.
        2. If no, press n then enter.

          Tip: You can also edit the CustomGroupsFilter.config file directly to add the groups you wish to sync. Right-click the file, open it with Notepad, add your groups, and then save.

Synchronizing Active Directory (AD)

  1. In the command prompt, enter the command:
    ADSyncTool.exe -s
  2. The AD Sync Tool starts retrieving your AD information. Once the information is retrieved, the tool uploads it to your Phish Insight account.

    What to do when the synchronization is unsuccessful?

    • You must first configure Active Directory settings. Please execute [ADSyncTool.exe -c] before syncing.
      • Cause: You have not added any configuration to the agent that it can use to fetch data from your Active Directory.
      • Solution: Please follow the instructions for downloading and configuring the AD Sync Tool first. You can proceed to sync again afterward.
    • Active Directory data retrieval: unsuccessful
      • ERROR: Unable to connect to the domain. Kindly verify your configuration settings.
        • Cause: You may have entered an invalid server FQDN, username, or password in the AD Sync Tool configuration. The tool needs a valid configuration to authenticate and fetch any data from your Active Directory.
        • Solution: Configure the AD Sync Tool connection settings again and make sure that you enter a valid server FQDN, username, and password.
      • ERROR: No users or groups found. Kindly verify your configuration settings.
        • Cause: You may have added a non-existent group. The tool needs at least 1 valid group to fetch user and group data.
        • Solution: Configure the AD Sync Tool groups again and make sure that you add an existing, valid group.
          Note: You can do this without overwriting the Active Directory connection settings.
    • Active Directory data upload: unsuccessful
      • ERROR: This AD Sync Tool is not valid. Please verify the source of the application.
        • Cause: You are trying to sync with an AD Sync Tool that is not from Phish Insight.
        • Solution: Use the AD Sync Tool downloaded from Phish Insight.
      • ERROR: This AD Sync Tool is not active. Please sync from the active AD Sync Tool to upload.
        • Cause: You are trying to sync with an inactive AD Sync Tool. For security purposes, the system only allows a sync from the most recently downloaded AD Sync Tool.
        • Solution: Use the most recently downloaded AD Sync Tool. If you no longer have it, download a new one.


Setting up a Regular Sync for Windows 10 Users

Setting up a regular sync with the AD Sync Tool has two parts: creating the ADSync script and scheduling the task.


Creating the ADSync Script

  1. Open the folder of your AD Sync Tool.

  2. Click the empty part on the right of the address bar; this highlights the address of your AD Sync Tool folder. Right-click it and choose Copy.
    Tip: Once the address bar is selected, you can press Ctrl + C to copy the address of your AD Sync Tool folder.

  3. Once you have the AD Sync Tool address ready, open the Windows Start Menu.

  4. Search for Notepad and click it to open.

  5. In Notepad, type cd followed by a space. Then right-click and choose Paste.

  6. Press Enter to create a new line.

  7. Type the sync command:
    ADSyncTool.exe -s


  8. Click the File menu at the top of Notepad and select Save As.
  9. In the "Save as type" field, change the type from Text Documents (*.txt) to All Files.

  10. In the "File Name" field, type adsync.ps1 and then click Save.

You can proceed to scheduling the task after saving the ADSync script.

Scheduling the task

  1. Open Windows Start Menu.

  2. Search for Task Scheduler and click it to open.

  3. Click the "Task Scheduler Library" branch to make the folder active. Right-click the "Task Scheduler Library" branch and select the New Folder option.
  4. Type ADIntegration as the name for the folder.

  5. Click the OK button.

  6. Expand the "Task Scheduler Library" branch, and select the ADIntegration folder.

  7. Click the Action menu.

  8. Select the Create Basic Task option.
  9. In the "Name" field, type ADSync as a short descriptive name for the task.

  10. In the "Description" field, enter "This task is for syncing AD information to Phish Insight Account" as your task description.

  11. Click the Next button.

  12. Select the Weekly option.
    Depending on your requirements, you can select any recurrence you like. In this example, we select the option to run the sync every week.

  13. Click the Next button.

  14. Using the "Start" settings, specify the date the task should start running and, crucially, the time.
    In this example, we schedule the task to run at 9:00 AM every Monday, starting August 23, 2020.

  15. Click the Next button.

  16. Select the Start a program option to execute the script file.

  17. Click Browse.
  18. Go to the folder where the ADSync script is saved. Click the file, then click Open.

  19. Click Next.
  20. Click the Finish button.

Once you've completed the steps, the task will run automatically on the schedule you have specified.
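The same two parts (creating the script and scheduling the task) can be done from an elevated PowerShell prompt instead of Notepad and the Task Scheduler UI. This is an added example, not part of the Phish Insight tool or its documentation; the tool folder path is a constructed placeholder, and the task runs powershell.exe with -File explicitly so the .ps1 is executed rather than opened by its file association.

```powershell
# Added example (not Phish Insight's own code). Adjust $toolDir to where you
# extracted the AD Sync Tool; the path below is a constructed placeholder.
$toolDir = 'C:\Tools\ADSyncTool'
$script  = Join-Path $toolDir 'adsync.ps1'

# Part 1: write adsync.ps1. It runs the sync from the tool's own folder, appends the
# tool's output to a log, and returns the tool's exit code so that the task's
# "Last Run Result" column shows a failed sync instead of a silent success.
@'
Set-Location -Path $PSScriptRoot
$log = Join-Path $PSScriptRoot 'adsync.log'
"$(Get-Date -Format s) sync started" | Add-Content $log
# PowerShell only runs executables by explicit path, so the .exe is addressed directly.
& (Join-Path $PSScriptRoot 'ADSyncTool.exe') -s 2>&1 | Add-Content $log
"$(Get-Date -Format s) ADSyncTool exit code $LASTEXITCODE" | Add-Content $log
exit $LASTEXITCODE
'@ | Set-Content -Path $script -Encoding ASCII

# Part 2: register the task in the ADIntegration folder, weekly on Monday at 9:00 AM
# starting August 23, 2020, matching the schedule used in the steps above.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$script`"" `
    -WorkingDirectory $toolDir
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At ([datetime]'2020-08-23 09:00')
# S4U runs the task as the current user without storing a password; no elevation is needed.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType S4U -RunLevel Limited
Register-ScheduledTask -TaskName 'ADSync' -TaskPath '\ADIntegration\' `
    -Action $action -Trigger $trigger -Principal $principal `
    -Description 'This task is for syncing AD information to Phish Insight Account'
```

After registering, check adsync.log after the first scheduled run to confirm the exit code is 0.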

References:
How to create automated task using task scheduler windows 10
Ways To Start Task Scheduler Windows


Additional things to know about the AD Sync Tool

  1. Only the active AD Sync Tool is allowed to sync AD information. The active AD Sync Tool is the most recently downloaded agent from your Phish Insight account; all previously downloaded agents are obsolete.
  2. The AD Sync Tool does not support a regular sync on its own, but you can set one up using Task Scheduler.