AD Rapid Discovery Workload

This feature is currently available only to customers participating in a Public Preview. For details, see Preview Program.

AD Rapid Discovery accelerates and enhances the synchronization of account information from Active Directory (AD) into the Delinea Platform, compared to the standard sync process handled by the Delinea AD Connector. Its main job is to keep the Delinea Platform’s inventory of accounts up-to-date with what’s in Active Directory.

How AD Rapid Discovery Differs from the Standard Connector Sync

  • Delinea AD Connector: Traditionally, the Delinea AD Connector syncs information from AD to the platform, but this process is typically scheduled and may not reflect changes in AD immediately. There can be a delay between when an account is added/removed in AD and when it shows up in the Delinea Platform.

  • AD Rapid Discovery: This feature provides near real-time synchronization. It detects changes in AD and updates the Delinea Platform inventory much faster—by default, every 5 minutes, and you can make it even more frequent.

Why Use AD Rapid Discovery?

  • Faster Policy Deployment: You don’t have to wait for the next scheduled sync to apply security policies to new or changed accounts.

  • Up-to-Date Inventory: Your list of accounts in the Delinea Platform is always current, reducing security gaps.

  • Better Automation: Enables more responsive automation and security workflows.

The Windows Server Manager can be used to change computer properties within AD. For computers that have been added to a PCS Zone in Delinea Platform, any changes to those computers in AD trigger real-time synchronization through AD Rapid Discovery to the Server Suite Agent. Changes to the computer where AD Rapid Discovery is running appear in the Inventory page of the Delinea Platform after synchronization.

Deployment

The AD Rapid Discovery workload can be installed and run on any domain-joined machine. This page gives details about how to set up the workload.

Editing AD Rapid Discovery Settings

To execute the AD Rapid Discovery workload, a service account must be selected. Use the following steps to add the account. You will only see accounts for which you have permissions.

You can also use these steps to adjust the refresh interval.

  1. Open the Engine management page (use the Search bar to find it).

  2. Select a site.

  3. Click the Settings tab.

  4. In AD Rapid Discovery, click Edit.

  5. You can make the following settings:

    • AD Rapid Discovery Account: This account is used to run AD Rapid Discovery.

    • Synchronizes with AD: Type a new value for the frequency at which AD Rapid Discovery synchronizes with AD, and click Save.

| Setting | Description |
| --- | --- |
| AD Rapid Discovery Account | This account is used to run AD Rapid Discovery. You can use any domain account that has the permissions described later in this page, in Setting AD Rapid Discovery Account Permissions. |
| Synchronizes with AD | Time interval (in minutes) between times when the AD Rapid Discovery workload uploads any new data from AD to the platform. |

Setting AD Rapid Discovery Account Permissions

On the server where you will install the AD Rapid Discovery workload, define a service account for AD Rapid Discovery, then configure the account with local server permissions and domain permissions.

Local Server Permissions

With local permissions on the server where the AD Rapid Discovery workload will be installed, the AD Rapid Discovery service account can run the setup for AD Rapid Discovery.

The local server permissions must include the Log on as a batch job permission and the Log on as a service permission.

To assign the required logon permissions:

  1. Select Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  2. Select the Log on as a batch job permission and the Log on as a service permission.

  3. On the Local Security Setting tab, click Add User or Group.

  4. Navigate to and select the AD Rapid Discovery service account to apply the permissions.

Domain Permissions

The AD Rapid Discovery workload requires the AD permission Replicating Directory Changes. This permission must be granted to the AD Rapid Discovery service account on the root domain node.

In the Permissions section of the Windows Permission Entry dialog, select the checkbox for Replicating Directory Changes.
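
The following PowerShell audit is an added example, not Delinea's own code. It checks that the service account holds the two local logon rights and the Replicating Directory Changes right described above, and warns if the account also holds a broader replication right that this page does not call for. The account name is a placeholder, and the script only sees rights assigned to the account directly, not through group membership.

```powershell
# Added example, not Delinea code. Run elevated on the workload server
# with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory
$Account = 'CONTOSO\svc-adrd'   # placeholder service account name

# Control access right GUIDs defined in the AD schema.
$Rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$Required = 'Replicating Directory Changes'

# Domain permission: read the ACL on the root node of the current domain.
$DomainDN = (Get-ADDomain).DistinguishedName
$Granted = (Get-Acl -Path "AD:\$DomainDN").Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $Rights.ContainsKey($_.ObjectType.ToString())
} | ForEach-Object { $Rights[$_.ObjectType.ToString()] } | Sort-Object -Unique

if ($Granted -notcontains $Required) {
    Write-Warning "$Account is missing '$Required' on $DomainDN"
}
foreach ($Extra in ($Granted | Where-Object { $_ -ne $Required })) {
    Write-Warning "$Account also holds '$Extra' on $DomainDN, which is more than required"
}

# Local permissions: export user rights assignments and look for the account's SID.
$Sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$Inf = Join-Path $env:TEMP 'adrd-user-rights.inf'
secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null
$Exported = Get-Content -Path $Inf
foreach ($Right in 'SeBatchLogonRight', 'SeServiceLogonRight') {
    # SeBatchLogonRight = Log on as a batch job; SeServiceLogonRight = Log on as a service.
    $Line = $Exported | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $Line -or $Line -notmatch [regex]::Escape($Sid)) {
        Write-Warning "$Account does not hold $Right on $env:COMPUTERNAME"
    }
}
Remove-Item -Path $Inf -ErrorAction SilentlyContinue
```

No warnings means the account has exactly the direct assignments this page describes.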