ITP for Active Directory Workload
The ITP for Active Directory workload fetches identity data—users, groups, service accounts, memberships, and ACLs—from Windows Active Directory. It provides a complete view of accounts and permissions, identifies admins and shadow admins, and highlights misconfigurations that can lead to unsecured accounts. Use this workload to integrate AD data with these platform features:
Prerequisites

Before you begin
- Platform engine: Install one engine with the Active Directory workload.
- .NET 8: Must be installed on the engine host.
- Licensing: You need a Continuous Identity Discovery license.

For each AD domain
- Service account
  - Able to list users, groups, computers, and memberships.
  - Permissions: Read permissions, Read all properties (and optionally List contents).
- Network connectivity: The engine host must reach the domain controllers.
- Platform permissions: Rights to install engines and manage discovery sources and secrets.
Adding the ITP for Active Directory Workload
- Navigate to the Engine Management page.
- On the Engine Management page, select or create a Site.
- Select the Engines tab.
- Select or create an engine.
- Select the Capabilities tab.
- On the Capabilities page, select Add Capabilities.
- Select the box next to ITP for Active Directory.
- Click Add.
Configuring an Active Directory Source
- Navigate to the Sources page.
- Select Create source.
- Select Active Directory (type = Threat protection).
Assigning Permissions
Before you add domains, give your service account the necessary AD permissions.
- Option A: Administrators Group (quick setup)
  - Add the account to Domain Admins or Administrators.
  - Grants full read access, including SACLs.
  - Not recommended for production.
- Option B: Least Privilege (production best practice)
  - Open Active Directory Users and Computers (ADUC).
  - On the View menu, enable Advanced Features.
  - Right-click the target OU or object and choose Properties.
  - On the Security tab, select Advanced > Add, then select your service account.
  - Select Edit, then select these permissions:
    - Read permissions
    - Read all properties
    - (Optional) List contents
  - Set Apply to: This object and all descendant objects.
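Option B can also be applied from PowerShell instead of clicking through ADUC. The script below is an added example, not part of the product documentation; it assumes the RSAT ActiveDirectory module is installed, uses a placeholder OU distinguished name and service account name, and maps each ADUC checkbox to its ActiveDirectoryRights flag.

```powershell
# Added example (not from the product documentation): grant the ITP service
# account the Option B least-privilege read rights on one OU and its
# descendants. Run as a user allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDn           = 'OU=Corp,DC=example,DC=com'   # assumed placeholder: target OU
$serviceAccount = 'svc-itp-ad'                   # assumed placeholder: service account sAMAccountName

$sid = (Get-ADUser -Identity $serviceAccount).SID

# ADUC checkbox            -> ActiveDirectoryRights flag
#   Read permissions       -> ReadControl
#   Read all properties    -> ReadProperty
#   List contents (option) -> ListChildren
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadControl -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ListChildren

# "Apply to: This object and all descendant objects" -> inheritance All
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Read the current DACL through the AD: drive, add the ACE, write it back.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show only the ACEs granted to the service account on this OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$serviceAccount" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```

The verification output should list ReadProperty, ReadControl and ListChildren with InheritanceType All; anything broader on this account is a sign that Option A rights were granted by mistake.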
Adding a Domain
- In your source, select Add new.
- In the modal:
  - Domain name: Enter the DNS name (for example, sub.domain.com).
  - Friendly name: Enter a memorable label.
  - Site: Choose the engine site for data collection.
  - Credentials: Select the secret holding your service account.
Editing an Existing Source
- Open the source and select the Configuration tab.
- For each domain row, select the ellipsis (…) and choose Edit.
- Update settings as needed, then click Save.
Troubleshooting Authentication Issues
To verify common causes of authentication failures:
- Validate the following conditions:
  - Ensure the domain is entered in DNS format (for example, domain.example.com).
  - Confirm there is network connectivity between the workload machine and the Domain Controller.
  - Run the following command on the workload machine to validate connectivity and credentials. Substitute the appropriate username, password, and domain name.

    dsquery user -u UserName -p Password -s DomainName -limit 1

- Verify the user account password is not expired.
- Ensure the user account is not configured to require a password change at the next login.
- Check the sharing settings of the secrets to make sure the engine has access to the secret.