This guide provides the required steps to connect Microsoft Active Directory to Cloud Control Center as a data enrichment source for users and devices. For details on what data and events Elisity collects and how that data is used, please see our Active Directory Integration Event Polling Details article.
This guide is for installing the Elisity Active Directory agent on any member server or domain controller using AD Agent 5.0.0+ with the latest available release of Cloud Control Center.
Installation Prerequisites
Outbound Port 443 is required to send Event Logs to Elisity CCC from the Elisity Agent.
A service account for the Elisity Connector Service with Logon as a Service enabled and Event Log Reader group membership. See steps below.
Minimum requirements for the agent host machine:
- Microsoft .NET Framework v4.7.2 or newer; see Microsoft's guidance on determining the installed framework version
- 4GB RAM
- 1 GB free disk space
The Elisity AD Connector should be installed on a Windows machine that is a member of the root domain of the enterprise.
Supported Windows versions for hosting the AD Agent include:
- Windows 10
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
It can also be installed directly on a Domain Controller running:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Host Operating System Considerations
Windows 10 and Windows Server 2016 can be used to host the AD Agent; however, these operating systems do not include native support for TLS 1.3, which provides enhanced encryption and performance benefits. In addition, Windows 10 has reached end of support from Microsoft. Customers with compliance or security requirements that specify newer TLS versions may prefer to deploy the AD Agent on Windows Server 2019 or later.
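A pre-flight check for a prospective agent host that covers the prerequisites above (example code added here, not Elisity's own tooling). It assumes an elevated PowerShell session, and `$GatewayHost` is a placeholder for the host portion of the Gateway Server URL shown in Cloud Control Center.

```powershell
# Added pre-flight check for an AD Agent host; example code, not Elisity's own tooling.
# Assumes an elevated PowerShell session. $GatewayHost is a placeholder for the host portion
# of the Gateway Server URL from Cloud Control Center.
function Test-AdAgentHostPrereqs {
    param([string]$GatewayHost = 'ccc-gateway.example.invalid')   # placeholder

    $checks = [ordered]@{}

    # .NET Framework 4.7.2 or newer is present when the v4 "Full" Release value is 461808 or higher
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $checks['.NET Framework >= 4.7.2'] = ($null -ne $ndp -and [int]$ndp.Release -ge 461808)

    # Host OS name and build, to compare against the supported-host list in this guide
    $os = Get-CimInstance Win32_OperatingSystem
    $checks['Operating system'] = "$($os.Caption) (build $($os.BuildNumber))"

    # 4 GB RAM: TotalVisibleMemorySize is reported in KB, and a nominal 4 GB host reports a little
    # less than 4 GB as visible, so allow a small margin
    $checks['RAM >= 4 GB'] = ($os.TotalVisibleMemorySize / 1MB) -ge 3.8

    # 1 GB free on the system drive, where C:\ProgramData\Elisity\ADAgent lives
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $checks['>= 1 GB free on system drive'] = ($disk.FreeSpace / 1GB) -ge 1

    # The connector host must be domain-joined (a member of the enterprise root domain)
    $cs = Get-CimInstance Win32_ComputerSystem
    $checks['Domain-joined'] = [bool]$cs.PartOfDomain
    $checks['Domain'] = $cs.Domain

    # Outbound TCP 443 to the Gateway Server, the path the agent uses to send event logs to CCC
    $tnc = Test-NetConnection -ComputerName $GatewayHost -Port 443 -WarningAction SilentlyContinue
    $checks['Outbound TCP 443 to gateway'] = [bool]$tnc.TcpTestSucceeded

    $checks.GetEnumerator() | ForEach-Object { '{0,-34} {1}' -f $_.Key, $_.Value }
}

Test-AdAgentHostPrereqs
```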
Configuration Steps are as follows:
- Create a Service Account
- Update GPO Settings
- Modify User Audit Settings (ADSI Edit)
- Install the Agent
Antivirus and Endpoint Protection Software Configuration
If your environment uses antivirus or endpoint protection software, configure exclusions for the Elisity AD Agent folders and processes before installation. Starting with AD Agent 5.0.0, the agent uses an automatic update mechanism that downloads and launches updated agent versions from a cache directory. Antivirus software may block these processes or quarantine files, preventing the agent from starting or updating properly.
Important: Failure to configure these exclusions may result in the AD Agent failing to start after automatic updates, requiring manual intervention to restore functionality.
Folders to Exclude from Antivirus Scanning
Configure your antivirus software to exclude the following folders from real-time scanning, monitoring, and quarantine:
- C:\Program Files\Elisity\ADAgent - Main agent installation directory containing the initially installed agent executable and components
- C:\ProgramData\Elisity\ADAgent - Agent data directory containing cache, logs, and configuration files
- C:\ProgramData\Elisity\ADAgent\Cache\Versions - Downloaded agent versions directory where updated agent executables are stored and launched from
Windows Services
The AD Agent installs two Windows services: The Elisity AD Agent Bootstrapper and the Elisity AD Agent. Both services must be allowed to operate without interference:
- Elisity AD Agent Bootstrapper - Locates the latest version of the agent executable and launches it with updater arguments. This service always runs from the Program Files installation directory and validates the digital signature of agent executables before launching. Runs as Local System to ensure it can configure other Windows services.
- Elisity AD Agent Service - Main agent service that handles Active Directory integration and communication with Cloud Control Center. Initially runs from Program Files, but after updates runs from the Cache\Versions directory. Runs as a service user with supplied credentials during install with specific permissions for Active Directory and Event Log Reading.
EventReader Processes: In addition to the two Windows services above, the AD Agent spawns a separate EventReader.exe process for each domain controller being monitored. These processes are responsible for reading and processing event logs from their respective domain controllers. You may observe multiple EventReader processes running simultaneously when monitoring multiple domain controllers - this is expected behavior.
Process Behavior and Antivirus Considerations
The AD Agent update mechanism works as follows:
- The Bootstrapper service launches Agent.exe with the -updater argument
- The updater process downloads new agent versions to C:\ProgramData\Elisity\ADAgent\Cache\Versions\{Revision}\Agent.exe
- The AD Agent Bootstrapper installs the Elisity AD Agent service and updates the service executable path to the cached version
- After the first update, both the updater and Agent service run from the Cache\Versions directory instead of Program Files
This architecture supports automatic rollbacks and fail-safes, but the dynamic executable paths may trigger antivirus heuristic detection or behavior monitoring. Ensure your antivirus software:
- Allows processes to be launched from the ProgramData\Elisity folder structure
- Does not block or quarantine executables downloaded to the Cache\Versions directory
- Permits Windows services to modify their own executable paths
- Allows the Bootstrapper to validate and launch signed executables
Configuration Guidance: Consult your antivirus software documentation for specific instructions on adding folder and process exclusions. These exclusions must be configured on all servers where the Elisity AD Agent will be installed. The Bootstrapper service validates the digital signature of all agent executables before launching them, providing security assurance even when excluded from antivirus scanning.
Tip: If you experience issues with the AD Agent not starting after an automatic update, check your antivirus logs for blocked processes or quarantined files in the C:\ProgramData\Elisity\ADAgent\Cache\Versions directory.
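The folder and process exclusions above, applied with Microsoft Defender as an added example (not Elisity's own script; it assumes Defender is the endpoint protection product, and other products need their own equivalent settings). It reads the preferences back afterwards so that an exclusion blocked by a managed policy is reported rather than assumed.

```powershell
# Added example, not Elisity's own script: Microsoft Defender exclusions for the AD Agent
# folders and processes listed in this guide. Assumes Defender is the endpoint protection
# product. Run from an elevated PowerShell on every host where the agent will be installed.
$folders = @(
    'C:\Program Files\Elisity\ADAgent',
    'C:\ProgramData\Elisity\ADAgent',
    'C:\ProgramData\Elisity\ADAgent\Cache\Versions'
)
# Process exclusions given by image name apply wherever that image runs, so the copies the
# updater launches from Cache\Versions\{Revision}\ are covered as well as the Program Files originals.
$processes = @('Agent.exe', 'EventReader.exe')

foreach ($f in $folders)   { Add-MpPreference -ExclusionPath $f }
foreach ($p in $processes) { Add-MpPreference -ExclusionProcess $p }

# Read the settings back and report anything that did not take (for example because a managed
# policy or tamper protection overrides local changes), rather than assuming success.
$pref = Get-MpPreference
$missing = @()
$missing += $folders   | Where-Object { $pref.ExclusionPath    -notcontains $_ } | ForEach-Object { "path:    $_" }
$missing += $processes | Where-Object { $pref.ExclusionProcess -notcontains $_ } | ForEach-Object { "process: $_" }

if ($missing.Count -gt 0) {
    Write-Warning ("Exclusions not applied:`n" + ($missing -join "`n"))
} else {
    Write-Output 'All Elisity AD Agent exclusions are present.'
}
```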
Create a Service Account for the Elisity AD Connector
- Create a new user in the appropriate domain which will be monitored for events by Elisity to act as the Elisity AD Service Account.
- Give the user a unique name to identify it as the Elisity AD Service Account.
- Protect the user from accidental deletion.
- Add the user to the group Event Log Readers.
The service user requires the right to log on as a service.
Go to: Local Security Policy > Local Policies > User Rights Assignment and add the created Elisity Service Account to the allowed list for Log on as a service.
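The account creation steps above as a script (added example, not Elisity's own). It assumes the ActiveDirectory RSAT module, a domain-joined host on which the agent will run, and domain-admin rights; the account name and OU are placeholders. The secedit step grants "Log on as a service" in the local policy of the host it runs on; if a GPO manages that right, add the account there instead.

```powershell
# Added example, not Elisity's own script: create the service account, protect it from
# accidental deletion, add it to Event Log Readers, and grant "Log on as a service" locally.
# Assumes the ActiveDirectory RSAT module and that this runs on the future agent host.
Import-Module ActiveDirectory

$Name = 'elisitysvc'                                  # placeholder
$Path = 'OU=Service Accounts,DC=mydomain,DC=local'    # placeholder
$Password = Read-Host -AsSecureString -Prompt "Password for $Name"

New-ADUser -Name $Name -SamAccountName $Name -Path $Path -AccountPassword $Password -Enabled $true `
    -Description 'Elisity AD Agent service account'
$user = Get-ADUser -Identity $Name
Set-ADObject -Identity $user.DistinguishedName -ProtectedFromAccidentalDeletion $true
Add-ADGroupMember -Identity 'Event Log Readers' -Members $user

# Grant SeServiceLogonRight via secedit: export the user-rights section, append the account's SID
# to the existing SeServiceLogonRight line (or create it under [Privilege Rights]), then re-import.
$sid  = $user.SID.Value
$base = Join-Path $env:TEMP 'elisity-svc-logon'
secedit /export /cfg "$base.inf" /areas USER_RIGHTS | Out-Null
$cfg = Get-Content "$base.inf"
$hasRight = [bool]($cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' })
$out = foreach ($line in $cfg) {
    if ($line -match '^SeServiceLogonRight\s*=') {
        if ($line -like "*[*]$sid*") { $line } else { "$line,*$sid" }   # keep existing grantees
    } elseif (-not $hasRight -and $line -match '^\[Privilege Rights\]') {
        $line; "SeServiceLogonRight = *$sid"
    } else { $line }
}
Set-Content -Path "$base.inf" -Value $out -Encoding Unicode
secedit /configure /db "$base.sdb" /cfg "$base.inf" /areas USER_RIGHTS | Out-Null
Remove-Item "$base.inf", "$base.sdb" -ErrorAction SilentlyContinue

# Confirm the group membership before handing the account to the agent
if (Get-ADGroupMember -Identity 'Event Log Readers' | Where-Object { $_.SamAccountName -eq $Name }) {
    Write-Output "$Name is a member of Event Log Readers"
} else {
    Write-Warning "$Name is NOT a member of Event Log Readers"
}
```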
Update Group Policy Settings
Go to: Server manager > Tools > Group Policy Management
- Create a new GPO (applicable to all DCs) or edit the default Domain Controller GPO as follows (figure 1)
Figure 1
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon
- Enable Success for Audit Kerberos Authentication Service (figure 2)
- Enable Success for Audit Kerberos Service Ticket Operations (figure 2)
Figure 2
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management
Enable Success for Audit Computer Account Management, Audit Security Group Management, and Audit User Account Management (figure 3)
Figure 3
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access
- Enable Success for Audit Directory Service Changes (figure 4)
Figure 4
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff
- Enable Success for Audit Account Lockout, Audit Group Membership, and Audit Logon
Figure 5
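A verification to run on a Domain Controller after the policy has applied, confirming that every subcategory enabled above is auditing Success (added example, not part of Elisity's documentation). It parses the CSV output of `auditpol /get /r`; run it elevated on the DC.

```powershell
# Added verification, not Elisity's own tooling: confirm on a Domain Controller that each audit
# subcategory this section enables is set to audit Success. Run from an elevated PowerShell on the DC.
function Test-ElisityAuditPolicy {
    # Subcategory names exactly as auditpol reports them
    $required = @(
        'Kerberos Authentication Service',      # Account Logon
        'Kerberos Service Ticket Operations',   # Account Logon
        'Computer Account Management',          # Account Management
        'Security Group Management',            # Account Management
        'User Account Management',              # Account Management
        'Directory Service Changes',            # DS Access
        'Account Lockout',                      # Logon/Logoff
        'Group Membership',                     # Logon/Logoff
        'Logon'                                 # Logon/Logoff
    )

    # /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv

    foreach ($name in $required) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting                     # "Success", "Success and Failure", "Failure", "No Auditing"
            Ok          = ($setting -match 'Success')
        }
    }
}

$result = Test-ElisityAuditPolicy
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more required subcategories are not auditing Success; re-check the GPO and run gpupdate /force.'
}
```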
Modifying User Auditing Settings in ADSI Edit
Go To: Server Manager > Tools > ADSI Edit
- In ADSI Edit, click Action > Connect to… > Default Naming Context.
- Click Ok.
Right click Users and select Properties (figure 6)
Figure 6
Select Security tab > click Advanced > select Auditing tab (figure 7)
Figure 7
Click Add (figure 8) > click select principal (figure 9)
Figure 8
Figure 9
Check the full control box (figure 10), then deselect the following four checkboxes: Full control, List contents, Read all properties, Read permissions
Figure 10
Click OK and exit
After completing everything above, go to the command prompt and execute the command:
gpupdate /force
This will update all the policy changes without needing any reboots.
Installing the Active Directory Agent
To add an Active Directory agent in Cloud Control Center, navigate to Settings > Active Directory > Agents > + Add Agent.
- Click DOWNLOAD ELISITY AD AGENT. If attempting to install an Active Directory Agent different than the version available for download in Cloud Control Center, contact your Elisity Engineer who can work with you to provide a specific version of the agent.
- Save the agent zip file to your local laptop/desktop for later transfer, or directly on the machine where the Connector will be installed.
Here is where you can also view and copy the configuration information to onboard the agent.
- Click VIEW CONFIGURATION INFORMATION.
- Copy and save both the Gateway Server URL and Gateway Credential
- Note: You can click the Copy icon to save the Credential to Clipboard
- These credentials are valid for 60 minutes after being generated.
AD Agent Installation
Follow the steps below to install the AD Agent on the local Domain Controller or Member Server.
1. Launch the Installer
Open the Elisity AD Agent Installer as an Administrator. Click Next to begin configurations for the install.
2. Choose Destination Folder
- In the second window of the installer, you can change the destination folder. However, the main configuration file and the folder containing logs will remain in C:\ProgramData\Elisity\ADAgent and cannot be changed.
3. Provide Cloud Control Center Configuration Details
Enter the required CCC configuration details that can be gathered from the AD Agent Configuration Page in Cloud Control Center. These are the credentials which were copied from Cloud Control Center in a previous step.
After entering the Gateway and Secret configurations, click Test access to verify access to Cloud Control Center. If outbound 443 is permitted and you have entered the correct credentials, you will see a Cloud Access Succeeded message. Errors with credentials or connectivity will result in a Cloud Access Failed message with appropriate error messages to assist in troubleshooting.
4. Final Installation
Complete the installation of the service by clicking Install.
Elisity AD Agent Bootstrapper Service
Once installation is complete, the Elisity AD Agent bootstrapper process will start and should maintain a running status until additional configurations are made in Cloud Control Center. The bootstrapper checks Cloud Control Center for configurations every 30 seconds until all configurations are submitted - at which point the Elisity AD Agent service will start and run in parallel with the bootstrapper service.
Final Configurations in Cloud Control Center
Now that the AD Agent has been installed and the bootstrapper process has started, service credentials and Sync/Event Domain Controllers must be configured in Cloud Control Center to complete the installation process.
Until these configurations are made, the AD Agent will remain in a degraded state with error messages viewable by hovering over the information icon next to the degraded status.
This is the expected state at this stage - the next two steps will provide configurations to remove the degraded status and finalize the configuration, resulting in an Active status.
Configuring the Elisity Service Account
To address the first degraded status message, we will set the service account credentials to be used by the agent. This account will also be used to communicate with configured Domain Controllers in the next step. Click on the Actions button to the right of the Agent details and select Set Credentials.
Enter the credentials for the service account created earlier. Note that for credentials to be accepted, the username must contain the SLD (second-level domain) followed by a backslash and the account name. In this example, the username is formatted as sld\username or mydomain\elisitysvc.
Select Use gMSA Account if the Elisity Agent will run using a Group Managed Service Account; leave it unchecked when using a standard Active Directory user account.
REMINDER: The service user requires the right to log on as a service and must be a member of the Event Log Readers AD group.
Configuring Event Collection Domain Controllers
After successfully configuring the service account credentials, the degraded status message will change to No configuration found, please configure the Domain Controllers.
To address this message, configure both the Domain Controller used for initial Sync processes and the Domain Controllers which will be monitored for events.
Go to Settings > Active Directory > Agents and click the Actions menu (⋮) on the newly onboarded agent, then select Configure Agent. The Configure Agent page opens as a full-page view with the Agent Name, Description, and the Domain Controllers configuration section below.
The Configure Agent page contains two tabs: Domain Controllers and Domain Controllers Filters. The Domain Controllers tab provides a field for the Domain Controller for Sync (LDAPS/LDAP) used for initial synchronization, and an Interface Mode selector with two radio buttons — Visual Mode and Text Mode — for entering the Event Polling Domain Controllers. Switching between modes preserves entered values.
Visual Mode
Visual Mode is the default entry method and displays a Domain Controllers table listing each configured Event Polling Domain Controller by DC Name / Hostname. Each row includes edit and delete action icons. Click + Add Domain Controller to add a new entry.
Text Mode
Text Mode provides a Configuration text area for entering Domain Controllers in bulk. Enter one Domain Controller per line. Text Mode is useful when copying a list of Domain Controllers from an existing source or when configuring a large number of Domain Controllers at once. Switching back to Visual Mode preserves the entries.
After entering the Sync Domain Controller and at least one Event Polling Domain Controller, click Save Changes.
Post-Configuration Checks
After a few moments, the status of the AD Agent should show Active and you will see the monitored Domain Controllers in the Details view for the AD Agent. You will also see the domain in which the host machine resides, and consequently the domain which is being monitored by the Agent.
- The Agents table includes Active DCs and Inactive DCs columns that display the count of monitored Domain Controllers in each state. A green indicator accompanies the Active DCs count and a red indicator accompanies the Inactive DCs count, providing an at-a-glance view of Domain Controller health.
- For any DCs with Inactive status, expand the agent row and hover over the status info icon for details on any errors that occurred. If errors have occurred after deployment, you can check the Status Changed On attribute (for insight on when the error occurred) to cross-reference with any logs on the DC.
- The general guidance is 50 monitored domain controllers per AD agent, but depending on the environment the supported domain controllers per AD agent could be higher or lower depending on various factors.
Domain Controller Status Indicators:
Active: AD Agent is actively polling events.
Inactive: AD Agent is not actively polling events (e.g., when the service is stopped) or the Domain Controller is unreachable.
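A host-side health check to pair with the status indicators above (added example, not Elisity's own tooling). It assumes the default paths from this guide, that the two service display names start with "Elisity AD Agent" (an assumption), and that Microsoft Defender is the AV for the quarantine check (skipped when it is not present); `$ExpectedDCs` is the list of Event Polling Domain Controllers you configured in CCC.

```powershell
# Added post-configuration health check; example code, not Elisity's own tooling.
# Assumes the default paths from this guide and service display names starting with
# "Elisity AD Agent" (assumption). Run from an elevated PowerShell on the agent host.
function Get-ElisityAdAgentHealth {
    param([string[]]$ExpectedDCs = @())   # Event Polling DCs configured in CCC

    # Both services should be running once credentials and DCs are configured in CCC
    $services = Get-Service -DisplayName 'Elisity AD Agent*' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Status, StartType

    # One EventReader.exe per monitored DC; fewer than expected points at a DC that shows Inactive
    $readers = @(Get-CimInstance Win32_Process -Filter "Name='EventReader.exe'")

    # After the first automatic update the agent runs from Cache\Versions. Those folders are excluded
    # from AV scanning, so independently confirm that every cached binary carries a valid signature.
    $cache = 'C:\ProgramData\Elisity\ADAgent\Cache\Versions'
    $binaries = @(Get-ChildItem $cache -Recurse -Include 'Agent.exe', 'EventReader.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        })

    # If Microsoft Defender quarantined something under the agent's folders, it shows up here
    $detections = @()
    if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
        $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
            Where-Object { ($_.Resources -join ' ') -match 'Elisity\\ADAgent' } |
            Select-Object InitialDetectionTime, ActionSuccess, Resources)
    }

    [pscustomobject]@{
        Services             = $services
        EventReaderProcesses = $readers.Count
        ExpectedDCs          = $ExpectedDCs.Count
        MissingReaders       = [Math]::Max(0, $ExpectedDCs.Count - $readers.Count)
        UnsignedBinaries     = @($binaries | Where-Object { $_.Signature -ne 'Valid' })
        CachedBinaries       = $binaries
        DefenderDetections   = $detections
    }
}

# Example call with a constructed DC list (placeholders)
Get-ElisityAdAgentHealth -ExpectedDCs @('dc01.mydomain.local', 'dc02.mydomain.local') | Format-List
```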
Trigger an Initial Sync
Next, trigger a sync from Cloud Control Center when you are ready to start importing users and devices. Upon completing the initial sync, devices existing in Cloud Control Center are enriched with any existing data in Active Directory.
All status and configuration changes for both Agents and Monitored Domain Controllers can be viewed in the Cloud Control Center Monitoring dashboard. Go to Monitoring > Events and optionally filter by Category: Active Directory. Specifics for all events can be viewed in the Details column in the Events view.
Locating and Managing Users After AD Connection
Once you have successfully connected Active Directory (AD) to your Cloud Control Center, navigating to and managing users is straightforward.
Navigate to Settings > Active Directory > Users. Under the Active Directory section, you will find the Users tab.
Overview of the Users Page
The Users page is designed to provide a comprehensive overview of all users within the organization, directly pulled from Active Directory. Here's what you can expect.
User Information
The page lists essential details for each user, including Name, Account ID, Status (Active or Inactive), AD Membership (such as Users/Contractors, Users/Domain Users), Department, Company, IP Addresses, Title, Last Activity date, and more.
User Assets
You can see all assets associated with an Active Directory User by clicking the number of assets in the respective column. This is critical for quickly identifying which devices users are logged in to.
Assets are dynamically updated with user associations as they log in and out of domain-joined machines throughout the network. This ensures that policy can be configured to follow user identity regardless of where a user signs in, if this is the desired behavior.
Status Indicators
Each user's current status is clearly indicated, allowing administrators to quickly ascertain which users are active or inactive within the system.
Search and Filter
A search bar is provided at the top of the page, enabling administrators to quickly locate specific users based on their name or account ID. This is particularly useful in larger organizations with many users.
Robust Analytics Data
Beyond simple user information, the Elisity platform offers robust analytics on user behavior, including insights into the devices associated with each user, the policies governing their access, and the policy groups (PGs) they are part of. This analytics data aids in identifying usage patterns, potential security vulnerabilities, and compliance with established policies.
Integration and Consistency
It's important to note that this page maintains all the functionalities of the original Users page, with the added benefit of being directly integrated with Active Directory. This ensures that user management is streamlined and efficient, leveraging the centralized user information from AD.
Configuring AD User Preemption
AD User Preemption is a setting that determines how the Active Directory Connector handles user logins detected on domain-joined computers. This setting affects how quickly user-to-device associations are updated in IdentityGraph, which in turn impacts policy enforcement based on user identity.
When AD User Preemption is enabled (the default behavior), Cloud Control Center will immediately associate a new Active Directory user login with a device, replacing the previous user identity if one exists. This ensures the most up-to-date user is always reflected in IdentityGraph, enabling identity-based policy to follow the actual user more accurately and in near real time.
When disabled, user identity for a device will only be updated after four (4) hours of inactivity by the previously associated user. This provides a grace period where short-duration or transient logins will not trigger a change in device ownership unless they persist.
Note: This feature is controlled globally and applies to all Active Directory Connectors within your environment. There is no per-agent configuration.
Enabling or Disabling AD User Preemption
Navigate to Settings > Active Directory > Advanced Settings in Cloud Control Center and toggle Enable User Preemption on or off.
Viewing Active Directory User Logons in Device Details
AD User Logons
The AD User Logons tab displays a historical list of Active Directory users who have logged into the selected device. This view helps track which users have accessed a machine over time.
Table Columns
User – Username of the logged-in AD user
IP Address – IP address used during the login
Login Time – Timestamp of the logon event
Table Features
Time range selector: Last 1 hour, 24 hours, 7 days, 30 days
Sortable and searchable columns
Save, export, and import filters
CSV export with full “Select All” support
Logon events are retained for 30 days. The tab is shown for all devices but will be empty unless AD logon data is available.
This view is especially useful when using AD group-based match criteria for user policy groups. It allows administrators to confirm which users—and by extension which policies—have applied to the device over time.
Upgrade or Uninstall Process
To upgrade or uninstall, run the latest version of the AD Agent installer. The installer will check the version of the currently installed Elisity agent and present the appropriate options to upgrade, repair/change configurations, or uninstall. If the currently installed version is the same as the installer version, running the installer will present the Change, repair, remove installation window.
If the installer version is newer than the currently installed version, the change/repair/remove wizard is skipped and the upgrade wizard is started immediately.
Upgrading the AD Agent
If using AD Agent 5.0.0+, upgrades happen automatically using the AD Agent bootstrapper process. If upgrading from a previous version, follow these steps:
If the C:\ProgramData\Elisity\ADAgent\Cache folder contains data, it will be used (e.g., agent.dat holds the nodeID of the AD Agent). If the agent is reinstalled and was removed from CCC, delete all files from the Cache folder while the service is stopped (or before installation). Registration will be triggered upon service start/reinstallation.
If a configuration file exists in C:\ProgramData\Elisity\ADAgent\Config, the installer will detect it during an upgrade or reinstallation. There are two options to proceed:
Option 1: Keep Existing Configuration
Option 2: Overwrite Existing Configuration
1. Deselect Keep existing configuration.
2. Provide cloud credentials.
3. Finish the installation by clicking Install.
Filtering and Exporting AD Agents and Monitored DCs
The Active Directory Agents page can be filtered, customized, and even exported as a CSV - consistent with all other tables in Cloud Control Center.
Exports can be performed in one of two ways:
Export All Data: This option ignores any applied filters and exports all available columns, even those hidden in the current view. However, the column order in the Cloud Control Center is retained, ensuring that the exported data aligns with your customized layout.
Export Filtered Data: Use this option to export only the DCs currently visible on the page. Any filters applied to the device page are preserved in the exported data, and hidden columns are excluded. Like the "Export All Data" option, the column order from Cloud Control Center is retained in the exported file.
Click the Export data icon in the AD Agent list view to generate a downloadable spreadsheet containing structured data about each agent and controller in the deployment.
Exported data includes the following fields:
| Field | Description |
|---|---|
| Agent Name | The hostname of the AD Agent. |
| Status | Indicates whether the Agent is ACTIVE or INACTIVE. |
| Inactivity Reason | Provides error context if the Agent is inactive (e.g., communication failure). |
| IP Address | The IP address assigned to the Agent. |
| Agent ID | The unique identifier of the Agent in the system. |
| Version | The installed version of the AD Agent. |
| Date Created | Timestamp of when the Agent was added to the system. |
In addition, each associated Domain Controller (DC) is listed with the following details:
| Field | Description |
|---|---|
| DC Host Name | The hostname of the Domain Controller. |
| Status | Active/inactive state of the DC from the Agent's perspective. |
| Inactivity Reason | Diagnostic message explaining the cause of any inactive state. |
| IP Addresses | IP address(es) assigned to the Domain Controller. |
| Status Changed On | Timestamp of the last status change event. |
Exported reports are helpful for:
Troubleshooting AD connectivity issues
Verifying deployment coverage
Reviewing AD Agent software versions and status trends
Active Directory Attributes Available as Match Criteria
Attributes sourced from Microsoft Active Directory can be used as Policy Group match criteria in a proactive manner through our Active Directory integration. Elisity queries the directory directly through the Active Directory Connector Service (ADCS), allowing you to define Policy Groups using directory data - even if no assets matching those attributes have yet been discovered or enriched in IdentityGraph.
Supported attributes include both device and user metadata, such as:
Device Attributes: Device Name, Operating System, Device Distinguished Name (DN), Group Membership
User Attributes: Account Name, Department, Title, Company, Employee Type, Group Membership, and more
This enables proactive segmentation strategies using identity-based criteria that are broadly defined across the organization. For more details, see the Active Directory Attributes in IdentityGraph or the Policy Groups article.