Faddom has the ability to connect to your Active Directory servers and determine which users are accessing which servers, both via direct logon and remote logins, including RDP. Using this information, Faddom can show you information such as the top users connecting to a server and which servers individual users are connecting to.
Using the feature requires access to Active Directory and a Windows Proxy to perform the task. To install the proxy, follow How to Setup the Faddom Proxy. This needs to be done before setting up the Active Directory connection; however, if you already have a proxy set up, you do not need a second one for this task.
If Faddom is having issues completing the User Discovery, see the Troubleshooting User Discovery section below.
Setting Up Discovery
Go to Settings > User Discovery
Click Add Active Directory Domain
Add the required details. If you have multiple domains, you will need to do this per domain.
The user you wish to use needs to be a member of the Event Log Readers group, as the information is gathered from the Security event log on the domain controllers.
Detect DCs Automatically - Faddom will try to resolve the domain name to get a list of domain controllers. Alternatively, you can specify which domain controllers to connect to manually.
Enable Discovery - To populate this data, this should be toggled on.
Ports 135 and 445 need to be opened from the Faddom proxy to the domain controllers. For more information, see What ports need to be open for Faddom to function?
Once added, you will be presented with a list of the domain(s) added. You can use the Edit icon to amend the details or the Delete icon to remove the connection.
Viewing the Results
There are two ways to see the information. You can use the Search function to search by user. Performing this search will show which servers and applications a user has accessed, as well as when the login occurred.
You can also see the results of what Faddom has found by navigating to the Security tab in the Server Properties:
Click on a server from a map or search result, or click on the properties icon from any list view
Click to expand the properties
Click on the Security tab where you will be presented with the information
You will see the Security Dashboard
Troubleshooting User Discovery
If Faddom is not detecting users, you can test whether the account can read the event log on a remote computer (which is what user login discovery needs) by running the following command in PowerShell. Run it from the Windows Proxy for Linux installs, or from the Faddom server itself for Windows installs.
wevtutil qe Security /q:Event/System[EventID=4624] /c:10 /r:<ip-address> /u:<user-name>
Error Codes
After running the command you may get one of the following common errors:
Error Message | Likely Cause | Resolution Steps
The RPC server is unavailable | The traffic to the server is being blocked, most likely by a firewall rule | Check the required ports in the Firewall Rules section
Access is denied (Error Code: 0x80070005) | Remote access permissions | Either an incorrect user name or password, or the user does not have remote access through DCOM. See the Required Permissions section
Access is denied (Error Code: 0x80041003) | WMI permissions | The user managed to log in and access the server remotely, but does not have access to perform the WMI queries. See the Required Permissions section
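As an added example (not part of the Faddom documentation or its tooling), the following PowerShell script performs the same check as the wevtutil command against several domain controllers from the Windows proxy: it first verifies that TCP 135 and 445 are reachable, then reads the ten most recent logon events (4624) from the Security log, and maps any failure to the likely cause from the table above. The domain controller names and the credential prompt are placeholders you would replace with your own.

```powershell
# Added example (not Faddom's own code). Assumptions: $DomainControllers holds placeholder
# names; $Credential is the account that should be in the Event Log Readers group.
param(
    [string[]]$DomainControllers = @('dc01.example.local', 'dc02.example.local'),  # placeholders
    [pscredential]$Credential = (Get-Credential -Message 'Event Log Readers account')
)

function Test-LogonEventAccess {
    param([string]$Dc, [pscredential]$Cred)
    $result = [ordered]@{ DC = $Dc; Port135 = $false; Port445 = $false; EventsRead = 0; Error = $null }

    # Ports required from the proxy to the DC (RPC endpoint mapper and SMB)
    $result.Port135 = (Test-NetConnection -ComputerName $Dc -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
    $result.Port445 = (Test-NetConnection -ComputerName $Dc -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded

    try {
        # Same data the wevtutil check reads: ten most recent successful logons (4624) from Security
        $events = Get-WinEvent -ComputerName $Dc -Credential $Cred -MaxEvents 10 `
                    -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop
        $result.EventsRead = @($events).Count
    } catch {
        # Translate the raw message into the likely cause listed in the error table
        $msg = $_.Exception.Message
        $result.Error = switch -Regex ($msg) {
            'RPC server is unavailable' { 'Blocked by firewall: open TCP 135/445 from the proxy to the DC'; break }
            'Access is denied'          { 'Permissions: add the account to Event Log Readers / check DCOM remote access'; break }
            default                     { $msg }
        }
    }
    [pscustomobject]$result
}

$DomainControllers | ForEach-Object { Test-LogonEventAccess -Dc $_ -Cred $Credential } | Format-Table -AutoSize
```

A DC that shows both ports open but an Access is denied error points at account permissions rather than the network, which is the distinction the table above makes.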