Attributes sourced from Microsoft Active Directory can be used as Policy Group match criteria in a proactive manner through our Active Directory integration. Elisity queries the directory directly through the Active Directory Connector Service (ADCS), allowing you to define Policy Groups using directory data - even if no assets matching those attributes have yet been discovered or enriched in IdentityGraph.
Supported attributes include both device and user metadata, such as:
Device Attributes: Device Name, Operating System, Device Distinguished Name (DN), Group Membership
User Attributes: Account Name, Department, Title, Company, Employee Type, Group Membership, and more.
Note: Active Directory User Preemption (enabled by default) ensures that the latest user login for a domain-joined device is used for classification. Learn more in the Active Directory article.
Device Attributes

| Attribute Name | Description | Proactive Match Criteria |
| --- | --- | --- |
| Category | Elisity AI/ML derived classification of the device type or function | Yes |
| Device Account ID | The sAMAccountName or unique account name associated with the device in AD | Yes |
| Device DN | Distinguished Name of the device in AD; represents full AD path | No |
| Device Member Of | AD groups to which the device object belongs | Yes |
| FQDN | Fully Qualified Domain Name registered in AD for the device | No |
| Operating System | OS reported by AD (from the operatingSystem field of the device object) | Yes |

User Attributes

| Attribute Name | Description | Proactive Match Criteria |
| --- | --- | --- |
| User Account ID | The unique login name (usually sAMAccountName) of the user | Yes |
| User Account Name | The full display name (displayName) of the user in AD | Yes |
| User Company | The company field (company) of the user account in AD | No |
| User Department | The department field (department) of the user account in AD | Yes |
| User DN | Distinguished Name of the user object in AD | No |
| User Employee Type | Classification of user employment type (employeeType) | Yes |
| User Member Of | AD groups that the user is a member of | Yes |
| User Title | The title field (title) of the user account in AD | Yes |

Note: Only attributes that have been ingested via the Active Directory Connector Service (ADCS) for domain-joined devices can be used as match criteria.
This enables proactive segmentation strategies using identity-based criteria that are broadly defined across the organization. For more details, see the Policy Groups article.
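
Because an object with an empty attribute cannot match a criterion built on that attribute, it is worth measuring how consistently the directory is populated before defining Policy Groups on it. The following is an added example, not Elisity tooling: the function name `Get-AttributeCoverage` is hypothetical, the sample records are constructed, and using the LDAP attribute `memberOf` for the "Member Of" rows is an assumption (the other attribute names are the ones given in the tables above).

```powershell
# Added example (not Elisity code): counts how many directory objects carry a
# value for each attribute, so gaps are visible before a Policy Group relies on it.
function Get-AttributeCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Objects,
        [Parameter(Mandatory)] [string[]] $Attributes
    )
    foreach ($attr in $Attributes) {
        # Populated = at least one non-blank value. memberOf is multi-valued,
        # the other attributes are single strings; @() handles both.
        $populated = @($Objects | Where-Object {
            $values = @($_.$attr) | Where-Object { -not [string]::IsNullOrWhiteSpace([string]$_) }
            @($values).Count -gt 0
        }).Count
        [pscustomobject]@{
            Attribute   = $attr
            Populated   = $populated
            Missing     = $Objects.Count - $populated
            CoveragePct = if ($Objects.Count) { [math]::Round(100 * $populated / $Objects.Count, 1) } else { 0 }
        }
    }
}

# Constructed sample records standing in for directory query results.
$sampleUsers = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe'; displayName = 'Jane Doe'; department = 'Radiology'
                       title = 'Technician'; employeeType = 'Employee'
                       memberOf = @('CN=Imaging,OU=Groups,DC=example,DC=test') }
    [pscustomobject]@{ sAMAccountName = 'asmith'; displayName = 'Al Smith'; department = ''
                       title = 'Nurse'; employeeType = $null; memberOf = @() }
    [pscustomobject]@{ sAMAccountName = 'svc-bk'; displayName = $null; department = $null
                       title = $null; employeeType = 'Service'; memberOf = @() }
)
# User attributes marked "Yes" for Proactive Match Criteria in the table above.
$userAttrs = 'sAMAccountName', 'displayName', 'department', 'title', 'employeeType', 'memberOf'
Get-AttributeCoverage -Objects $sampleUsers -Attributes $userAttrs | Format-Table -AutoSize

# Against a live domain (requires the RSAT ActiveDirectory module):
#   $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $userAttrs
#   Get-AttributeCoverage -Objects $users -Attributes $userAttrs
#   $pcs = Get-ADComputer -Filter * -Properties operatingSystem, memberOf
#   Get-AttributeCoverage -Objects $pcs -Attributes 'sAMAccountName', 'operatingSystem', 'memberOf'
```

In Active Directory, `memberOf` does not list an object's primary group (typically Domain Users or Domain Computers), so an object reported as missing `memberOf` may still belong to that one group.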