Requirements

For SpyCloud Active Directory Guardian.

This page outlines the software, hardware, permissions, and network configurations required to run Active Directory Guardian (ADG) 7.3 in your environment.


💻 Platform & Browser Compatibility

| Component | Requirement |
|---|---|
| Supported OS | Windows 10 (workstation); Windows Server 2012 and later |
| Browser | ✅ Google Chrome (v89+); ✅ Microsoft Edge (v91+); ❌ Internet Explorer is not supported |
| .NET Framework | 4.8 or higher (required) |

👤 Required Permissions

| Permission Type | Details |
|---|---|
| Local (for install) | Install software; Configure Windows service; Log on as a service permission |
| Active Directory | Reset user passwords; Force password change at next login; Read/write: lockoutTime, pwdLastSet, userAccountControl; Replicating Directory Changes; Replicating Directory Changes All |

Best practice: Assign these permissions to a group via Delegate Control, then assign your service account to that group.

⚠️ Note: If group policy overrides group permissions, grant them directly to the service account.
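Added example, not part of SpyCloud's documentation: a PowerShell check that lists every principal holding the two replication rights on the domain root and warns if the delegated group lacks either one. The group name CORP\ADG-Delegated is a hypothetical placeholder, and the script assumes a domain-joined host and an account that can read the domain object's ACL.

```powershell
# Added example (not SpyCloud code): audit who holds the replication rights
# that ADG requires, and confirm the delegated group has both.
param(
    # Hypothetical delegated group name; replace with the group you created.
    [string]$ExpectedGroup = 'CORP\ADG-Delegated'
)

# Control-access-right GUIDs defined by the AD schema. An empty ObjectType on
# an ExtendedRight ACE grants every extended right, replication included.
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

function Get-ReplicationRightHolder {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $domain   = [ADSI]"LDAP://$domainDn"
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ace in $domain.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }
        $name = $rights[$ace.ObjectType.ToString()]
        if (-not $name) { continue }
        # Resolve the SID to a name; keep the raw SID if it no longer resolves.
        try   { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.IdentityReference.Value }
        [pscustomobject]@{ Principal = $who; Right = $name; Inherited = $ace.IsInherited }
    }
}

$holders = @(Get-ReplicationRightHolder)
$holders | Sort-Object Right, Principal | Format-Table -AutoSize

# ADG needs both rights on the delegated group.
foreach ($needed in 'Replicating Directory Changes', 'Replicating Directory Changes All') {
    $ok = $holders | Where-Object { $_.Principal -eq $ExpectedGroup -and $_.Right -eq $needed }
    if (-not $ok) { Write-Warning "$ExpectedGroup lacks '$needed' on the domain root" }
}
```

Review any unexpected principal in the output: together these two rights allow reading replicated secrets such as password hashes, so the ADG service account and its group should be protected like other highly privileged identities.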


🧮 Hardware Specifications

| Component | Minimum Spec | Notes |
|---|---|---|
| Memory | 8 GB RAM | More is better for large banned password lists or fuzzy scans |
| Storage | 20 GB | For logs and hash cache |
| CPU | 2 GHz+ (multi-core) | More cores = faster scanning. ADG uses one thread per core |

🧠 If access to the domain controller or SpyCloud API is slow, ADG will limit to one CPU core for processing.

Definition of “Slow”:
When fetching one account from the DC takes longer than scanning it locally.


🌐 Network Access & Ports

ADG communicates with internal infrastructure and external APIs using specific ports. The following sections outline the necessary access requirements.

🔄 Internet Connectivity

🌐 External API Communication
  • Port 443 (HTTPS) is required for outbound access to the SpyCloud API
  • Make sure *.spycloud.com is reachable from the ADG host

🖥️ Active Directory Communication

🧩 Local AD Connectivity

ADG requires internal network access to your domain controllers on the following ports:

  • Port 389: LDAP
  • Port 135: MS-DRSR (Active Directory replication)

🧱 Proxy Environments

If your environment uses a proxy for outbound traffic:

  • Open your proxy's specific port for outbound HTTPS
  • Allow access to *.spycloud.com
  • Ensure DNS resolution is available for external domains

✉️ SMTP Configuration (If Using Email Alerts)

| Use Case | Common Ports |
|---|---|
| SMTP outbound | 25, 465, 587, 2525 |
| Admin Notes | Check with your SMTP administrator to confirm which port is used |
