Initial Setup & Requirements
This document outlines the initial setup and configuration steps required to deploy Activate Security Group Compliance Manager (SGCM) within an existing Activate environment.

Prerequisites

Before configuring SGCM, ensure the following requirements are met:

- Activate platform installed: the Activate server and web components must be installed and operational.
- Active Directory access: a service account with sufficient permissions to read and monitor Active Directory changes.
- Replicate Directory Changes permission: required to use the AD DirSync control for change detection.
- Network connectivity: the Activate Job Service must be able to communicate with the monitored domain controllers.
- Database capacity: the Activate database must have adequate storage for AD object data and compliance event history.

Required Permissions

The account used for synchronisation must have the Replicate Directory Changes permission on the monitored domain. By default, members of the Domain Admins group have this permission. To delegate the permission to a non-administrative account:

1. Open Active Directory Users and Computers.
2. Right-click the domain root and select Delegate Control.
3. Use the wizard to assign Replicate Directory Changes to the service account.

Alternatively, refer to Microsoft KB 303972, "How to grant the 'Replicating Directory Changes' permission for the Microsoft Metadirectory Services ADMA service account".

Initial Synchronisation

SGCM relies on an initial synchronisation of Active Directory data to establish the baseline for change detection. This process should be completed before enabling background polling.

To perform the initial synchronisation:

1. Open Activate Studio.
2. Navigate to Resources > Active Directory.
3. Select the subfolder for the target domain.
4. Create a new parameter named connector adserver and set its value to the fully qualified domain name (FQDN) of the domain controller to be used.
5. Right-click the domain resource and select Regenerate Schema.
6. Once the schema is generated, select Show Data to open the data view.
7. From the cog menu, choose Import Workflow to start the initial import.
8. Once the import completes, verify that objects and memberships have been populated correctly under the Data and Members tabs.

Changing the Domain Controller

If it becomes necessary to change the domain controller used for synchronisation:

1. Delete the parameter connector dirsynccookie from the domain resource.
2. Update the connector adserver parameter with the new domain controller name.
3. Re-run the Import Workflow to perform a full resynchronisation.

This ensures SGCM resets its baseline and aligns with the new domain controller's DirSync cookie; a DirSync cookie is only valid against the domain controller that issued it, so a cookie obtained from the previous controller cannot be reused.

Verifying Data Synchronisation

After the initial import, confirm successful synchronisation:

- Review object counts for users, groups, and computers.
- Validate that key AD attributes (displayName, sAMAccountName, department, etc.) appear correctly.
- Ensure that group membership lists are populated.

If synchronisation issues occur, check the Activate Job Service logs and confirm that the service account has the correct permissions.

Recommended Schedule

Following the initial import, SGCM should be configured for continuous polling to detect and process changes automatically. Use the fullworkflowwithgroups workflow for this purpose. Typical polling intervals range between 5 and 15 minutes, depending on organisational scale and performance considerations.

Summary

The initial setup establishes the foundation for real-time compliance monitoring by ensuring that:

- the correct domain controller and service account are configured;
- the schema and connector space are initialised;
- the initial Active Directory data import completes successfully.

Once verified, SGCM can begin automated monitoring and enforcement of security group compliance policies.
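As an added example (not part of the SGCM documentation), the following PowerShell check verifies the Replicate Directory Changes prerequisite described under Required Permissions, which is also the first thing to confirm when the verification step above fails. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain's security descriptor; the account name svc-sgcm is a placeholder.

```powershell
# Added example, not part of the SGCM documentation. Checks whether the SGCM
# synchronisation account holds the "Replicating Directory Changes" extended
# right on the domain root, which the AD DirSync control requires.
# Assumes the RSAT ActiveDirectory module is installed; 'svc-sgcm' is a placeholder.
Import-Module ActiveDirectory

# Well-known GUID of the DS-Replication-Get-Changes control access right.
$ReplicatingDirectoryChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ReplicatingDirectoryChanges {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user     = Get-ADUser -Identity $SamAccountName
    $domainDn = (Get-ADDomain).DistinguishedName

    # Resolve nested group membership (LDAP_MATCHING_RULE_IN_CHAIN) so that a
    # right granted to e.g. Domain Admins is attributed to the account as well.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $sids   = @($user.SID) + @($groups | ForEach-Object { $_.SID })

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $inheritOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # An ACE applies to the domain root itself if it is not inherit-only, carries
    # the ExtendedRight bit (GenericAll includes it) and names either this
    # specific right or all extended rights (empty GUID) for one of our SIDs.
    $relevant = (Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
        (($_.PropagationFlags -band $inheritOnly) -eq 0) -and
        (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        ($_.ObjectType -eq $ReplicatingDirectoryChanges -or $_.ObjectType -eq [Guid]::Empty) -and
        ($sids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]))
    }

    $allow = @($relevant | Where-Object AccessControlType -eq 'Allow')
    $deny  = @($relevant | Where-Object AccessControlType -eq 'Deny')

    # A matching Deny ACE overrides any Allow, so both are reported.
    [pscustomobject]@{
        Account       = $SamAccountName
        HasPermission = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        GrantedVia    = @($allow | ForEach-Object { $_.IdentityReference.Value })
        DeniedVia     = @($deny  | ForEach-Object { $_.IdentityReference.Value })
    }
}

# Placeholder account name: replace with the real SGCM service account.
Test-ReplicatingDirectoryChanges -SamAccountName 'svc-sgcm' | Format-List
```

GrantedVia names the principal on the ACE that confers the right, so an account that passes only because it is a Domain Admin is visible as such and can be moved to a delegated, non-administrative grant.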