Active Directory Integration

Support Team

August 14, 2021 03:46

Getting Ready with Active Directory (AD) Integration

LogMeOnce AD integration is based on locally installed agent in your environment to provide better security while maintaining a "zero knowledge" technology architecture. The communication between Agent and LogMeOnce server is a secure communication over Https protocol. LogMeOnce does not require any firewall changes by your administrator.

AD agent - AD Agent is installed on a Windows system which links your LogMeOnce main account with your Active Directory. For High Availability (HA), you can install multiple AD agents in your environment as need.

Prior to installing the AD Agent, please review the required account section and ensure all accounts prerequisites are met.

Supported Operating system

Windows 10 (For POC). Windows server 2012 R2, Windows Server 2016, or Windows Server 2019
.NET 4.5 or later.

Required prerequisites accounts

Windows account - This account is used to install the AD agent. During installation, it creates a new LogMeOnce Service Account or use your existing dedicated LogMeOnce service account. It is recommended that this windows account to be a member of the domain admins group and have local administrator privileges.
LogMeOnce service account - The service account is an AD domain service account which is used to run the service. This service account can be created by installer automatically, or by administrator manually. If it is created automatically by the installer, it is called LogmeOnceService and is member of the domain user group. If you create it manually, it should be member of the domain user group with "password set as never expires" and grant logon as a service to the domain user. If you get issues during installation due to service privileges', please check whether you have appropriate permissions, and if username and password are entered correctly.
LogMeOnce account - This is your LogMeOnce administrator or owner account that was used to create your LogMeOnce account. For audit trail, it is recommended to create a separate account for the agent integration for example adagent@YourCompany.com. This will help to segregate all agent operations separately and to effectively meet compliance requirements.

Account	Windows Privilege	Purpose
Windows Account	Member of the domain admins group Have local administrator privileges	This account is used to install the AD agent.
LogMeOnce service account	Member of the domain user group Password set as never expires Grant logon as a service	This account is used to run AD Agent Service.
LogMeOnce account	Is a LogMeOnce Super Administrator or Administrator Or any LogMeOnce user with Directory (Create, Update, View, Delete) permissions assigned to them. This could be the example adagent@yourcompany.com	This account is used to authenticate the LogMeOnce AD Agent with your LogMeOnce account.

Assigning a user account Logon as Service Rights

If you need to assign a user account Logon as Service rights, follow these steps:

Open Windows control panel. Open Administrative Tools.
Open Local Security Policy.
In the left pane, click Security Settings -> Local Policies -> User Rights Assignments.
In the right-hand pane, find the policy Log on as a service.
Right-click Logon as a service, and then click Properties.
In the Properties box, add the domain/serviceuser, and then click OK.

Active Directory Provisioning Groups

Create a Group in AD called "LogMeOnce". This group can be used to add users who need to be provisioned to LogMeOnce from AD.

Download AD Agent

Login to the LogMeOnce Account mentioned under required account and from "Smart Menu" go to "Directories". This will show a lot of all your directories installed, their status, number groups and users imported in real time. This is a Unified Directory solution, hence you can add as many directory services as you wish.

Click on Add Directory

Click on Download LogMeOnce Active Directory Agent (below image)

Installation Steps

Start the AD Agent setup agent_2.0.4.exe installation and Click on Next to start installation.

To proceed, you would need to agree with terms and click on Next

You have the option to allow LogMeOnce to create the service account used by AD Agent or use your existing service account. Please select and follow required privileges shown above at " Required prerequisites accounts" section, and then click on Next.

Enter LogMeOnce account information and click on Next.

Click on Next to continue. If you receive any error messages during the installation, please enter appropriate permission that is given for the required accounts.

After installation is completed. Click on Finish.

After installation is completed, please validate that LogMeOnce AD Agent is running.

Validate Agent is communicating with your LogMeOnce account. As shown the AD agent is installed and it is communicating the server, however it should be configured.

This completes your Active Directory installation task.

Related Articles:

AD Agent Configuration