This guide provides the required steps to connect Microsoft Active Directory to Cloud Control Center (Connector Version 3.0 and newer) as a data enrichment source for users and devices. For details on what data and events Elisity collects and how that data is used, please see our Active Directory Integration Event Polling Details article.
This guide is for installing the Elisity Active Directory agent on any member server or domain controller using AD Agent 4.0.0+ with the latest available release of Cloud Control Center.
Installation Prerequisites
Outbound Port 443 is required to send Event Logs to Elisity CCC from the Elisity Agent.
A service account for the Elisity Connector Service with 'Logon as a Service' enabled and 'Event Log Reader' group membership. See steps below.
Minimum requirements for the agent host machine:
- Microsoft .NET Framework v4.7.2 or newer (see the linked guidance for determining the installed framework version)
- 4GB RAM
- 1 GB free disk space
The Elisity AD Connector should be installed on a Windows machine that is a member of the root domain of the enterprise.
Supported Windows versions for hosting the AD Agent include:
- Windows 10
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
It can also be installed directly on a Domain Controller running:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Configuration Steps are as follows:
- Create a Service Account
- Update GPO Settings
- Modify User Audit Settings (ADSI Edit)
- Install the Agent
Create a Service Account for the Elisity AD Connector
- Create a new user in the appropriate domain to act as the Elisity AD Service Account
- Give the user a unique name to identify it as the Elisity AD Service Account
- Protect the user from accidental deletion
- Add the user to the group 'Event Log Readers'
The service user requires the right to log on as a service.
Go to: Local Security Policy > Local Policies > User Rights Assignment and add the created Elisity Service Account to the allowed list for "Log on as a service."
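The account and rights described above can also be created from PowerShell. This is an added example, not Elisity's own tooling: it assumes the RSAT ActiveDirectory module is present, uses placeholder values for the account name and OU, and must run on the machine that will host the agent, because "Log on as a service" is a local right.

```powershell
# Added example (not from the Elisity documentation). Creates the AD service
# account, protects it from accidental deletion, adds it to 'Event Log Readers'
# and grants 'Log on as a service' (SeServiceLogonRight) on this host via secedit.
#Requires -Modules ActiveDirectory
#Requires -RunAsAdministrator
$Name   = 'svc-elisity-ad'                          # placeholder: choose a unique name
$OuPath = 'OU=Service Accounts,DC=corp,DC=example'  # placeholder OU
$Pwd    = Read-Host "Password for $Name" -AsSecureString

# 1. Create the account. Password options are typical service-account hygiene;
#    adjust them to your own password policy.
New-ADUser -Name $Name -SamAccountName $Name -Path $OuPath `
    -AccountPassword $Pwd -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Elisity AD Connector service account'
$User = Get-ADUser $Name

# 2. Protect from accidental deletion.
Set-ADObject -Identity $User.DistinguishedName -ProtectedFromAccidentalDeletion $true

# 3. Event Log Readers membership, needed to read the Security log on the DCs.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $User

# 4. Add the account's SID to SeServiceLogonRight in the local security policy.
#    If a GPO assigns this right, add the account there instead: the GPO value
#    replaces whatever is configured locally at the next policy refresh.
$sid = $User.SID.Value
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$found = $false
$content = foreach ($line in (Get-Content $cfg)) {
    if ($line -match '^SeServiceLogonRight\s*=\s*(.*)$') {
        $found = $true
        $existing = @($Matches[1] -split ',' | Where-Object { $_ })
        if ($existing -notcontains "*$sid") { $existing += "*$sid" }
        "SeServiceLogonRight = $($existing -join ',')"
    } else { $line }
}
if (-not $found) {   # right not yet defined: add it under the [Privilege Rights] section
    $content = $content -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
}
Set-Content -Path $cfg -Value $content -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'secpol.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg
```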
Update Group Policy Settings
Go to: Server manager > Tools > Group Policy Management
- Create a new GPO (applicable to all DCs) or edit the default Domain Controller GPO as follows (figure 1)
Figure 1
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon
- Enable Success for Audit Kerberos Authentication Service (figure 2)
- Enable Success for Audit Kerberos Service Ticket Operations (figure 2)
Figure 2
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management
- Enable Success for Audit Computer Account Management, Audit Security Group Management, and Audit User Account Management (figure 3)
Figure 3
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access
- Enable Success for Audit Directory Service Changes (figure 4)
Figure 4
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff
- Enable Success for Audit Account Lockout, Audit Group Membership, and Audit Logon (figure 5)
Figure 5
Modifying User Auditing Settings in ADSI Edit
Go To: Server Manager > Tools > ADSI Edit
- In ADSI Edit, click Action > Connect to… > 'Default Naming Context'
- Click OK
- Right-click Users and select Properties (figure 6)
Figure 6
- Select the Security tab > click Advanced > select the Auditing tab (figure 7)
Figure 7
- Click Add (figure 8), then click Select a principal (figure 9)
Figure 8
Figure 9
- Check the Full control box (figure 10) to select every permission, then clear the following four checkboxes: Full control, List contents, Read all properties, Read permissions
Figure 10
- Click OK and exit
After completing everything above, open a command prompt and run:
gpupdate /force
This applies the policy changes without requiring a reboot.
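As an added check (not part of Elisity's documentation), the following PowerShell, run on a domain controller after the policy refresh, confirms through auditpol that every subcategory enabled in the GPO steps above reports Success, and lists the Success audit entries on the Users container configured in ADSI Edit. It assumes the RSAT ActiveDirectory module is available for the AD: drive.

```powershell
# Added example (not Elisity's tooling): verify the audit configuration this
# guide asks for, rather than trusting that the GPO applied.
#Requires -Modules ActiveDirectory
#Requires -RunAsAdministrator

# Subcategories enabled for Success in the GPO steps (auditpol's own names).
$Required = @(
    'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',   # Account Logon
    'Computer Account Management', 'Security Group Management',                 # Account Management
    'User Account Management',
    'Directory Service Changes',                                                # DS Access
    'Account Lockout', 'Group Membership', 'Logon'                              # Logon/Logoff
)

# auditpol /r emits CSV; 'Inclusion Setting' is the effective setting per subcategory.
$Effective = auditpol /get /category:* /r | ConvertFrom-Csv
$Missing = foreach ($sub in $Required) {
    $row = $Effective | Where-Object { $_.Subcategory -eq $sub }
    if (-not $row) { "$sub (not found)"; continue }
    if ($row.'Inclusion Setting' -notmatch 'Success') { "$sub ($($row.'Inclusion Setting'))" }
}
if ($Missing) { Write-Warning "Success auditing missing for: $($Missing -join '; ')" }
else          { Write-Host 'All required audit subcategories report Success.' }

# SACL on CN=Users: the ADSI Edit step adds a Success audit entry for all rights
# except Full control, List contents, Read all properties and Read permissions.
# Show the Success entries so the principal and rights can be compared to figure 10.
$UsersDn = "CN=Users,$((Get-ADDomain).DistinguishedName)"
$acl = Get-Acl -Path "AD:\$UsersDn" -Audit
$acl.Audit |
    Where-Object { $_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, IsInherited |
    Format-Table -AutoSize
```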
Installing the Active Directory Agent
To add an Active Directory agent in Cloud Control Center, navigate to Settings > Active Directory > Agents > + ADD AGENT
- Click DOWNLOAD ELISITY AD AGENT
- Save the agent zip file to your local laptop/desktop for later transfer, or directly on the machine where the Connector will be installed.
Here is where you can also view and copy the configuration information to onboard the agent.
- Click VIEW CONFIGURATION INFORMATION
- Copy and save both the Gateway Server URL and Gateway Credential
- Note: You can click the Copy icon to copy the Credential to the clipboard.
- These credentials are valid for 60 minutes after being generated.
AD Agent Installation
Installation Steps:
Open the Elisity AD Agent Installer. Click Next to begin configurations for the install.
1. Choose Destination Folder
- In the second window of the installer, you can change the destination folder. However, the main configuration file and the folder containing logs remain in C:\ProgramData\Elisity\ADAgent and cannot be changed.
2. Select Service User
- Choose a Service User to run the service. This user will also communicate with Domain Controllers unless another user is configured during the "Configure Sync Domain Controller" step.
- With the checkbox "Add user to block list" selected, login events from the service account will be ignored.
- Supported formats for the Service User include:
  - Down-level logon name (e.g., QALAB\elisity_service)
  - User principal name (e.g., elisity_service@qalab.int)
Use the "Test Access" button to validate the credentials either on the machine or in the domain. If validation succeeds in either case, it will pass. This test also checks for "Log in as a service" and will notify the user if this configuration is missing.
REMINDER: The service user requires the right to log on as a service.
Go to Local Security Policy > Local Policies > User Rights Assignment and add the created Elisity Service Account to the allowed list for "Log on as a service."
3. Provide Cloud Control Center Configuration Details
Enter the required CCC configuration details that can be gathered from the AD Agent Configuration Page in Cloud Control Center.
Use "Test Access" to verify connectivity using TLSv1.2 (the AD Agent supports both TLS 1.2 and 1.3, but the installer is limited to TLS 1.2).
4. Configure Optional Domain Controller Credentials
Here you can optionally enter separate credentials for domain controller access. By default, the Elisity AD Agent uses the service account credentials entered earlier to authenticate to the domain controllers; if credentials are entered here, they are used instead. The account entered must be a member of the domain's Event Log Readers group. Sync Domain Controllers and Event Domain Controllers are configured in Cloud Control Center after installation, typically before the initial sync.
LDAP queries default to using ldaps:// over port 636 with SSL. However, since LDAPS is disabled by default on most domain controllers (DCs), the AD Agent will automatically fall back to standard LDAP (ldap:// over port 389) if LDAPS is unavailable.
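The fallback described above means a domain controller without working LDAPS is silently reached over unencrypted LDAP instead. As an added example (not Elisity's code), this PowerShell checks each DC in scope for LDAPS on port 636 and validates the presented certificate against the DC's host name and the trusted CA store, so a DC that would trigger the fallback can be fixed rather than tolerated. The DC names are constructed placeholders.

```powershell
# Added example (not from the Elisity documentation): report whether each DC
# offers a usable LDAPS endpoint before relying on the agent's ldap:// fallback.
$DomainControllers = @('DC-01.corp.example', 'DC-02.corp.example')   # placeholders

function Test-Ldaps {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ Host = $HostName; TcpOpen = $false; TlsOk = $false
                          Subject = $null; Expires = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded TCP connect so an unreachable DC does not hang the whole run.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to port $Port timed out" }
        $client.EndConnect($async)
        $result.TcpOpen = $true

        # Default validation callback: chain, expiry and host-name mismatches
        # surface as exceptions instead of being silently accepted.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)   # $true = check revocation
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsOk   = $ssl.IsAuthenticated
        $result.Subject = $cert.Subject
        $result.Expires = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message   # e.g. untrusted root, name mismatch, timeout
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$DomainControllers | ForEach-Object { Test-Ldaps -HostName $_ } | Format-Table -AutoSize
```

Any DC with TcpOpen false or TlsOk false is one the agent would reach over plain ldap:// on port 389.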
5. Final Installation
Complete the installation of the service by clicking Install.
Once done, ensure the Elisity AD Agent service has been started and maintains a Running status.
Configuring Event Collection Domain Controllers
After finishing the AD Agent configuration, go to Settings > Active Directory > Agents and click Edit Agent on the newly onboarded agent.
Type in the Sync Domain Controller and the Domain Controllers for Event Polling. At least one Domain Controller for Event Polling must be provided; this can be the same Domain Controller used for the initial sync. Click Save Changes.
Note: Domain Controllers for Event Polling can be pasted in as a comma separated string.
example:
DC-01.colo.elisity.net, DC-02.colo.elisity.net, DC-03.colo.elisity.net
After a few moments, you will see the monitored Domain Controllers in the Details view for the AD Agent. Check the status of each monitored Domain Controller: it should show Active if no errors occurred. For any DCs with Inactive status, hover over the status info icon for details on the errors to assist in troubleshooting. If errors occur after deployment, check the Status Changed On attribute (which shows when the error occurred) to cross-reference with any logs on the DC.
Domain Controller Status Indicators:
Active: AD Agent is actively polling events.
Inactive: AD Agent is not actively polling events (e.g., when the service is stopped) or the Domain Controller is unreachable.
Next, trigger a sync from Cloud Control Center when you are ready to start importing users and devices. Upon completing the initial sync, devices existing in Cloud Control Center are enriched with any existing data in Active Directory.
Locating and Managing Users After AD Connection
Once you have successfully connected Active Directory (AD) to your Cloud Control Center, navigating to and managing users is straightforward.
Navigate to Settings > Active Directory > Users: under the Active Directory section, you will find the "Users" tab.
Overview of the Users Page
The Users page is designed to provide a comprehensive overview of all users within the organization, directly pulled from Active Directory. Here's what you can expect.
User Information
The page lists essential details for each user, including Name, Account ID, Status (Active or Inactive), AD Membership (such as Users/Contractors, Users/Domain Users), Department, Company, IP Addresses, Title, Last Activity date, and more.
User Assets
You can see all assets associated with an Active Directory User by clicking the number of assets in the respective column. This is critical for quickly identifying which devices users are logged in to.
Assets are dynamically updated with user associations as they log in and out of domain-joined machines throughout the network. This ensures that policy can be configured to follow user identity regardless of where a user signs in, if this is the desired behavior.
Status Indicators
Each user's current status is clearly indicated, allowing administrators to quickly ascertain which users are active or inactive within the system.
Search and Filter
A search bar is provided at the top of the page, enabling administrators to quickly locate specific users based on their name or account ID. This is particularly useful in larger organizations with many users.
Robust Analytics Data
Beyond simple user information, the Elisity platform offers robust analytics on user behavior, including insights into the devices associated with each user, the policies governing their access, and the policy groups (PGs) they are part of. This analytics data aids in identifying usage patterns, potential security vulnerabilities, and compliance with established policies.
Integration and Consistency
It's important to note that this page maintains all the functionalities of the original Users page, with the added benefit of being directly integrated with Active Directory. This ensures that user management is streamlined and efficient, leveraging the centralized user information from AD.
Upgrade or Uninstall Process
To upgrade or uninstall, run the latest version of the AD Agent installer. The installer checks the version of the currently installed Elisity agent and presents the appropriate options to upgrade, repair/change configuration, or uninstall. If the currently installed version is the same as the installer version, running the installer presents the Change, Repair, Remove installation window.
If the installer version is newer than the currently installed version, the change/repair/remove wizard is skipped and the upgrade wizard is started immediately.
Upgrading the AD Agent
If the C:\ProgramData\Elisity\ADAgent\Cache folder contains data, it will be used (e.g., agent.dat holds the nodeID of the AD Agent). If the agent is reinstalled after having been removed from CCC, delete all files from the Cache folder while the service is stopped (or before installation). Registration is triggered upon service start/reinstallation.
If a configuration file exists in C:\ProgramData\Elisity\ADAgent\Config, the installer will detect it during an upgrade or reinstallation. There are two options to proceed:
Option 1: Keep Existing Configuration
- Select Keep existing configuration.
- Specify the service user account. Using a different account than previously (in case of an upgrade) should work. Click "Test Access" for the "Next" button to become active.
- Proceed with the installation.
Option 2: Overwrite Existing Configuration
1. Deselect Keep existing configuration.
2. Specify the service user account. Using a different account than previously (in case of an upgrade) should work. Click "Test Access" for the "Next" button to become active.
3. Provide cloud credentials.
4. Provide optional alternate user credentials for Domain Controllers communication (service user credentials are used if username and password are left empty).
5. Finish the installation by clicking "Install."
Filtering and Exporting AD Agents and Monitored DCs
The Active Directory Agents page can be filtered, customized, and even exported as a CSV - consistent with all other tables in Cloud Control Center.
Exports can be performed in one of two ways:
Export All Data: This option ignores any applied filters and exports all available columns, even those hidden in the current view. However, the column order in the Cloud Control Center is retained, ensuring that the exported data aligns with your customized layout.
Export Filtered Data: Use this option to export only the DCs currently visible on the page. Any filters applied to the device page are preserved in the exported data, and hidden columns are excluded. Like the "Export All Data" option, the column order from Cloud Control Center is retained in the exported file.
Click the Export data icon in the AD Agent list view to generate a downloadable spreadsheet containing structured data about each agent and controller in the deployment.
Exported data includes the following fields:
| Field | Description |
|---|---|
| Agent Name | The hostname of the AD Agent. |
| Status | Indicates whether the Agent is ACTIVE or INACTIVE. |
| Inactivity Reason | Provides error context if the Agent is inactive (e.g., communication failure). |
| IP Address | The IP address assigned to the Agent. |
| Agent ID | The unique identifier of the Agent in the system. |
| Version | The installed version of the AD Agent. |
| Date Created | Timestamp of when the Agent was added to the system. |
In addition, each associated Domain Controller (DC) is listed with the following details:
| Field | Description |
|---|---|
| DC Host Name | The hostname of the Domain Controller. |
| Status | Active/inactive state of the DC from the Agent's perspective. |
| Inactivity Reason | Diagnostic message explaining the cause of any inactive state. |
| IP Addresses | IP address(es) assigned to the Domain Controller. |
| Status Changed On | Timestamp of the last status change event. |
Exported reports are helpful for:
- Troubleshooting AD connectivity issues
- Verifying deployment coverage
- Reviewing AD Agent software versions and status trends
Active Directory Attributes Available as Match Criteria
Attributes sourced from Microsoft Active Directory can be used as Policy Group match criteria in a proactive manner through our Active Directory integration. Elisity queries the directory directly through the Active Directory Connector Service (ADCS), allowing you to define Policy Groups using directory data - even if no assets matching those attributes have yet been discovered or enriched in IdentityGraph.
Supported attributes include both device and user metadata, such as:
- Device Attributes: Device Name, Operating System, Device Distinguished Name (DN), Group Membership
- User Attributes: Account Name, Department, Title, Company, Employee Type, Group Membership, and more
This enables proactive segmentation strategies using identity-based criteria that are broadly defined across the organization. For more details, see the Policy Groups article.