/
dsRequester server installation and update requirements for GYTPOL 2.0

dsRequester server installation and update requirements for GYTPOL 2.0

Introduction

This document outlines the system requirements and prerequisites necessary for installing both the AD Domain Agent for GPO Validation and the GYTPOL dsRequester components.

The Policy Validation module within GYTPOL focuses on identifying and resolving gaps and issues associated with the implementation and enforcement of Group Policy Objects (GPOs). This includes detecting failures in applying Group Policy Preferences (GPPs), identifying inconsistencies in GPO settings, uncovering the presence of unmanaged local GPOs, locating orphaned GPO instances, and flagging settings that do not match intended configurations. By addressing these issues, organizations can ensure that their GPOs are correctly implemented, consistently applied across all endpoints, and aligned with organizational security and operational policies.

The GYTPOL dsRequester component facilitates retrieval of data from Active Directory and Group Policy sources. It plays a critical role in monitoring the health, maintenance, and security of the Active Directory environment, providing insights into the structure, configurations, and security status of Active Directory and GPO. This enables proactive identification of misconfigurations, stale objects, and security vulnerabilities, helping to maintain a resilient and compliant Active Directory and GPO infrastructure.

Checklist

Ensure that the following GYTPOL requirements are satisfied before initiating the installation of the GYTPOL Validator software:

  • Server sizing and OSVerify compatibility with GYTPOL server.

  • Users and GroupsValidate configurations in Active Directory and the GYTPOL dsRequester and Validator server for seamless integration.

  • PortsConfirm that the required ports are open on both the server and sensor sides to facilitate proper communication.

  • AntivirusTake precautions to prevent any interference from antivirus software that could impede the GYTPOL Validator's correct execution.

Server Sizing

A dedicated server is not mandatory; any existing domain-joined server can be utilized (and an installation on a Domain Controller isn’t necessary).

However, ensure that the selected server possesses a minimum of 4 cores and 8GB RAM for optimal performance.

dsRequester and Validator are installed once per domain. A single domain-joined server will run both components in each domain you wish to monitor.

OS

The GYTPOL Validator software is compatible with Windows Server 2016 Standard and later versions.

  • Windows Server language settings:

    • The Windows Server operating system must be set to use the English (United States) language.

    • The Windows Server language for non-Unicode programs must be set to use the English (United States) language.

Users and Groups

Create a domain user within your Active Directory and allocate the specified permissions as outlined in the table. Feel free to adopt your preferred naming convention; the names in the table are merely suggestions.

Ensure that the passwords for GYTPOL users exclude the characters ‘ “ ~ ; or spaces.

Permissions

Refer to the table to configure the permissions for both the user and the group (consult the hyperlinks for detailed instructions):

Type

Name

Permission set

AD User

GytpolSvc (or any other suitable naming convention)

Domain level:

  1. Member of Domain Group: “Performance Log Users”

  2. Active Directory delegation: “Generate Resultant Set of Policy (Planning)”

GYTPOL Server local settings:

  1. Local admin on GYTPOL dsRequester server

  2. Log on as a Batch Job

  3. Log on as a Service

Ports

From

To

Port number

Purpose

GYTPOL server

DC’s

389, 9389, 636, 135, 138-139, 445, 464, 53, 3268, 3269 +

Dynamic ports (49152-65535)

Group Policy PowerShell Queries and Group Policy Modeling Analysis

GYTPOL server

 

SaaS Customers:

The GYTPOL AWS Cloud instance details, including required firewall rules and URLs, are shared during onboarding and tenant creation.

If you're not familiar with these requirements or cannot locate them, please contact your GYTPOL TAM for assistance.

443

Self-Hosted Customers:

GYTPOL Services Server (Linux appliance)

443 + 8443

Antivirus

If whitelisting is required, ensure that the following paths and their subfolders and files are included:

  1. C:\Program Files\Gytpol (subfolders and files)

  2. C:\Program Files\WindowsPowershell\modules\gytpolServer (subfolders and files)

Detailed Configuration Instructions

How to Verify PowerShell Version and Review Restriction Mode

On the GYTPOL server, open the Start menu, type PowerShell into the search bar, and select Windows PowerShell from the results.

  1. Within the Windows PowerShell window, input the following command: $PSVersionTable.PSVersion

  2. Ensure that the Major version is set to 5 or above, and the Minor version is set to 1 or above by checking the output of the $PSVersionTable.PSVersion command.

  1. In the same PowerShell window, enter the following command: Get-ExecutionPolicy -List. Confirm that the PowerShell scripts are not set to "Restricted" in any of its categories. The desired results include "RemoteSigned", "AllSigned", or "Undefined" for the execution policies.

Adding a Local Administrator

  1. Log in to the server with an existing administrator account.

  2. Open Computer Management:

    • Press Windows Key + X, then select Computer Management,
      or

    • Press Windows Key + R, type compmgmt.msc, and press Enter.

  3. In Computer Management, expand:

    • System ToolsLocal Users and GroupsGroups.

  4. Click on the Administrators group.

  5. In the Administrators Properties window, click Add.

  6. In the Enter the object names to select box:

    • Type GYTPOSVC.

    • Click Check Names to validate.

    • If the name resolves correctly, click OK.

  7. Click Apply and then OK to save changes.

  8. Close Computer Management.

Log on as a Batch Job

  1. Log in to the server with an administrator account.

  2. Open Local Security Policy:

    • Press Windows Key + R, type secpol.msc, and press Enter.

  3. In Local Security Policy, navigate to:

    • Local PoliciesUser Rights Assignment.

  4. Find and double-click Log on as a batch job.

  5. In the properties window, click Add User or Group.

  6. In the Enter the object names to select box:

    • Type GYTPOSVC.

    • Click Check Names to validate.

    • Click OK.

  7. Click Apply and then OK to save changes.

  8. Close Local Security Policy.

image-20250429-142159.png

Log on as a Service

  1. Log in to the server with an administrator account.

  2. Open Local Security Policy:

    • Press Windows Key + R, type secpol.msc, and press Enter.

  3. In Local Security Policy, navigate to:

    • Local PoliciesUser Rights Assignment.

  4. Find and double-click Log on as a service.

  5. In the properties window, click Add User or Group.

  6. In the Enter the object names to select box:

    • Type GYTPOSVC.

    • Click Check Names to validate.

    • Click OK.

  7. Click Apply and then OK to save changes.

  8. Close Local Security Policy.

image-20250429-142211.png

  • If Group Policy (GPO) manages the "Log on as a batch job" and/or “Log on as a service” setting, any manual changes made locally will be overwritten at the next Group Policy refresh.

  • To make permanent changes when GPO controls this setting, you must update the appropriate GPO (typically via Group Policy Management Console on the domain controller).

Network access: Do not allow storage of passwords and credentials for network authentication

If there are no Group Policies imposing "Network access: Do not allow storage of passwords and credentials for network authentication" restrictions, you can leave the configuration unchanged.

  1. Log in to the server with an administrator account.

  2. Open Local Security Policy:

    • Press Windows Key + R, type secpol.msc, and press Enter.

  3. In the Local Group Policy Editor, navigate to:

    • Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options.

  4. Find and double-click Network access: Do not allow storage of passwords and credentials for network authentication.

  5. In the properties window:

    • Set the option to Disabled.

    • Click OK to apply the change.

  6. Close the Local Group Policy Editor.

image-20250429-141958.png

  • If Group Policy (GPO) manages the "Network access: Do not allow storage of passwords and credentials for network authentication" setting, any manual changes made locally will be overwritten at the next Group Policy refresh.

  • Modify the GPO to exclude the GYTPOL dsRequester server from this restriction.

How to Verify the Setting

  1. Open PowerShell as Administrator.

  2. Run the following command:

(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name disabledomaincreds -ErrorAction Stop).disabledomaincreds

This PowerShell command retrieves and displays the value of the "disableDomainCreds" registry key under the specified path. If the output is 0, it confirms that the setting is disabled.

Include the GYTPOL user in the Domain group "Performance Log Users"

  1. Log in to a computer that has Remote Server Administration Tools (RSAT) installed.

  2. Open Active Directory Users and Computers:

    • Press Windows Key, search for Active Directory Users and Computers, and select it from the results.

  3. In Active Directory Users and Computers:

    • In the left pane, expand the domain as needed.

    • Navigate to the Built-in container or wherever the Performance Log Users group is located.

  4. Locate and double-click the Performance Log Users group.

  5. In the group properties window:

    • Go to the Members tab.

    • Click Add.

  6. In the Enter the object names to select field:

    • Type the name of the GYTPOL user you created earlier.

    • Click Check Names to validate the entry.

    • Click OK.

  7. Confirm the changes by clicking Apply and then OK to close the group properties window.

image-20250429-142323.png

Delegate "Generate Resultant Set of Policy (Planning)" Permission

  1. Log in to a computer that has Remote Server Administration Tools (RSAT) installed.

  2. Open Active Directory Users and Computers:

    • Click the Start menu, search for Active Directory Users and Computers, and open it.

  3. In Active Directory Users and Computers:

    • In the left pane, right-click the domain where you want to assign the delegation.

    • Select Delegate Control.

  4. In the Delegation of Control Wizard:

    • Click Next on the welcome screen.

  5. On the Users or Groups page:

    • Click Add.

    • Enter the name of the GYTPOL user.

    • Click Check Names to validate.

    • Click OK, then Next.

  6. On the Tasks to Delegate page:

    • Select Delegate the following common tasks.

    • Check Generate Resultant Set of Policy (Planning).

    • Click Next.

  7. Click Finish to complete the wizard.

image-20250429-141839.png

Windows Features installation

Launch Server Manager on the GYTPOL server and follow these steps:

  1. Navigate to "Add Roles and Features."

  2. Click "Next" until you reach the "Features" tab.

  3. Check the following Features:

    1. Group Policy Management

    2. Remote Server Administration Tools

      • Role Administration Tools

        • Active Directory module for PowerShell

        • AD DS Tools

        • AD LDS Snap-Ins and Command-Line Tools

Ensure that the specified features are selected for installation.

image-20250627-124402.png
image-20250627-124423.png

 

Proceed by clicking "Next" and then "Install." Wait patiently until the installation process concludes.

Automatic pre-checker tool

Download the automatic pre-checker tool from the https://gytpol.com/dschecker and transfer it to the GYTPOL dsRequester server.

Next, right-click on the downloaded tool and choose "Run as Administrator" to launch the DS Checker tool.

Enter the GYTPOL user, i.e., DOMAIN\gytpolSvc, and click "Check" to initiate the validation process.

Allow the checks to run for approximately 1 minute. The checklist encompasses internal ports, DC communication ports, user permissions, and other essential features to ensure correct configurations.

Wait patiently for the results to be displayed.

Pay attention to the results:

  • Red X sign (error): Indicates a critical error that requires resolution before proceeding with the installation. Hover over the question mark (?) for guidance on the necessary actions.

  • Yellow Exclamation mark (warning): Represents a failed check that is not critical for immediate resolution. However, consider addressing warnings for optimal performance.

  • Defender icon: Denotes a successful check, confirming that the specific aspect has passed verification.

Review the results carefully, addressing any red X errors promptly, and considering improvements for yellow exclamation warnings. The presence of the Defender icon signifies successful checks.

Once all issues are addressed and resolved, click on "Export results" within the DS Checker tool. Proceed to email the generated log to the assigned GYTPOL engineer for further review and confirmation.

Click Exit once done.

Please restart the server before the installation.

 

Here’s a video that demonstrates the Checker running its tests during the check process.

If you cannot see the results screen at the end or if the Checker is "killed" during execution, please ensure there are no EDR restrictions or other interferences affecting the Checker’s flow.

2024-10-24_10-56-21.mp4

dsRequester installation / update

  1. You can obtain the dsRequester MSI file directly from the GYTPOL console. Navigate to Settings in the left pane, then select System Health (only UI2 Customers). Alternatively, feel free to contact the GYTPOL team for a direct download link.

  2. Place the downloaded MSI file on the server.

  3. Open an elevated Command Prompt:

    • Right-click on CMD.

    • Select "Run as Administrator."

Once the elevated Command Prompt is open:

  1. Navigate to the location of the MSI file you want to install.

  2. Hold down the left Shift key.

  3. Right-click on the MSI file.

  4. Click on "Copy as Path."

This action copies the full path of the MSI file to the clipboard, making it easier to reference in the command line.

In the elevated Command Prompt window:

  1. Right-click to paste the path of the MSI file that you copied as instructed.

  2. Press Enter.

This command executes the installation or update process for the dsRequester using the provided MSI file.

Throughout the installation process, you will be prompted to input the credentials for the GYTPOL account established during the setup process, as explained earlier.

Upon completion, the progress window will close automatically.

To confirm a successful installation, follow these steps:

  1. Open Task Scheduler.

  2. Navigate to the Task Scheduler Library.

  3. Look for tasks related to gytpolServer in the Task Scheduler Library.

The presence of gytpolServer tasks in the Task Scheduler Library indicates a successful installation.

Please note, that the tasks will run as the GYTPOLSVC user that was created earlier.