ITP for Active Directory Workload

The ITP for Active Directory workload fetches identity data—users, groups, service accounts, memberships, and ACLs—from Windows Active Directory. It provides a complete view of accounts and permissions, identifies admins and shadow admins, and highlights misconfigurations that can lead to unsecured accounts. Use this workload to integrate AD data with these platform features:

• Continuous Identity Discovery

• ITP and PCCE

Prerequisites

Before you begin

• Platform engine: Install one engine with the Active Directory workload.

• .NET 8: Must be installed on the engine host.

• Licensing: You need a Continuous Identity Discovery license.

For each AD domain

• Service account

  • Able to list users, groups, computers, memberships.

  • Permissions: Read permissions, Read all properties (and optionally List contents).

• Network connectivity: The engine host must reach the domain controllers.

• Platform permissions: Rights to install engines and manage discovery sources and secrets.

Adding the ITP for Active Directory Workload

1. From the left navigation menu click Settings, then click Engine Management.

2. On the Engine management page, select or create a Site.

3. Select the Engines tab.

4. Select or create an engine.

5. Select the Capabilities tab.

6. On the Capabilities page, select Add Capabilities.

7. Select the box next to ITP for Active Directory.
   

8. Click Add.

Configuring an Active Directory Source

1. From the left navigation menu select Discovery, then Sources.

2. Select Create source.

3. Select Active Directory (type = Threat protection).

Assigning Permissions

Before you add domains, give your service account the necessary AD permissions.

• Option A: Administrators Group (quick setup)

  • Add the account to Domain Admins or Administrators.

  • Grants full read access, including SACLs.

  • Not recommended for production.

• Option B: Least Privilege (production best practice)

  1. Open Active Directory Users and Computers (ADUC).

  2. On the View menu, enable Advanced Features.

  3. Right-click the target OU or object and choose Properties.

  4. On the Security tab, select Advanced > Add, then select your service account.

  5. Select Edit, then select these permissions:

     • Read permissions

     • Read all properties

     • (Optional) List contents

  6. Set Apply to: This object and all descendant objects.

Adding a Domain

1. In your source, select Add new.

2. In the modal:

   1. Domain name: Enter the DNS name (for example, sub.domain.com).

   2. Friendly name: Enter a memorable label.

   3. Site: Choose the engine site for data collection.

   4. Credentials: Select the secret holding your service account.

Editing an Existing Source

1. Open the source and select the Configuration tab.

2. For each domain row, select the ellipsis (…) and choose Edit.

3. Update settings as needed, then click Save.