ITP for Active Directory Workload

The ITP for Active Directory workload fetches identity data—users, groups, service accounts, memberships, and ACLs—from Windows Active Directory. It provides a complete view of accounts and permissions, identifies admins and shadow admins, and highlights misconfigurations that can lead to unsecured accounts. Use this workload to integrate AD data with these platform features:

Prerequisites

Before you begin

Platform engine: Install one engine with the Active Directory workload.
.NET 8: Must be installed on the engine host.
Licensing: You need a Continuous Identity Discovery license.

For each AD domain

Service account
- Able to list users, groups, computers, memberships.
- Permissions: Read permissions, Read all properties (and optionally List contents).
Network connectivity: The engine host must reach the domain controllers.
Platform permissions: Rights to install engines and manage discovery sources and secrets.

Adding the ITP for Active Directory Workload

Navigate to the Engine Management page.
On the Engine management page, select or create a Site.
Select the Engines tab.
Select or create an engine.
Select the Capabilities tab.
On the Capabilities page, select Add Capabilities.
Select the box next to ITP for Active Directory.
Click Add.

Configuring an Active Directory Source

Navigate to the Sources page.
Select Create source.
Select Active Directory (type = Threat protection).

Assigning Permissions

Before you add domains, give your service account the necessary AD permissions.

Option A: Administrators Group (quick setup)
- Add the account to Domain Admins or Administrators.
- Grants full read access, including SACLs.
- Not recommended for production.
Option B: Least Privilege (production best practice)
1. Open Active Directory Users and Computers (ADUC).
2. On the View menu, enable Advanced Features.
3. Right-click the target OU or object and choose Properties.
4. On the Security tab, select Advanced > Add, then select your service account.
5. Select Edit, then select these permissions:
  - Read permissions
  - Read all properties
  - (Optional) List contents
6. Set Apply to: This object and all descendant objects.

Adding a Domain

In your source, select Add new.
In the modal:
1. Domain name: Enter the DNS name (for example, sub.domain.com).
2. Friendly name: Enter a memorable label.
3. Site: Choose the engine site for data collection.
4. Credentials: Select the secret holding your service account.

Editing an Existing Source

Open the source and select the Configuration tab.
For each domain row, select the ellipsis (…) and choose Edit.
Update settings as needed, then click Save.

Active Directory Integration – Local Entities Scanning Requirements

The AD Integration feature for ITP provides the capability to scan local users and groups on both Windows and UNIX endpoints. This enables customers to:

Gain visibility into local users on each machine.
Identify what each user has access to.
Detect potential privilege escalation paths.

To perform these scans, specific permissions must be granted to the scanning accounts. This document outlines the required configuration and access settings for both UNIX and Windows systems.

UNIX Local Account Scanning

Required Permissions

To scan local users and groups on UNIX machines, a scanning account must be configured with access to system user and group files.

Configuration

Create a local user account on each UNIX endpoint or per domain.
Store the account credentials securely as a secret and associate it with the relevant domain in the ITP platform.

Required File Access

The scanning account must have read access to the following files:

```
/etc/passwd
```
```
/etc/group
```

Optional (Enhanced Visibility)

To retrieve extended user information such as password-related properties, grant passwordless sudo access to the scanning account.

Required for:

```
PasswordLastSet
```
```
FirstPasswordHashCharacter
```
```
AccountExpiresDate
```
```
MaximumPasswordAge
```

Ensure that the sudo configuration allows running the necessary commands without a password prompt.

Windows Local Account Scanning

Required Permissions

To scan local users and groups on Windows machines, the scanning account must be granted specific local permissions on each endpoint.

Access This Computer from the Network: This permission allows the scanning account to connect to the endpoint remotely.
Remote Access to SAM (if applicable): Some Windows versions require an additional setting to allow remote access to local SAM accounts.

Access This Computer from the Network

Access the windows command line and run gpedit.msc. The Local Group Policy Editor window opens.
Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Double-click the Access this computer from the network policy. The properties for the policy appear.
Select the Add User or Group button to add it.

Modifying this policy may overwrite or remove access to the device for remote processes. This policy is not usually configured by default, so any existing inherited permissions could be overwritten.

Remote Access to SAM

Some Windows versions require an additional setting to allow remote access to local SAM accounts.

Look at the following list of operating systems and updates to determine if any of them match your system:
- Windows 10, version 1607 and later
- Windows 10, version 1511 with KB 4103198 installed
- Windows 10, version 1507 with KB 4012606 installed
- Windows 8.1 with KB 4102219 installed
- Windows 7 with KB 4012218 installed
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2 with KB 4012219 installed
- Windows Server 2012 with KB 4012220 installed
- Windows Server 2008 R2 with KB 4012218 installed
If you find a match, do the following:
1. Open Local Group Policy Editor (gpedit.msc)
2. Navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
3. Double-click Network access: Restrict clients allowed to make remote calls to SAM.
4. Select Edit Security. The Security descriptor window opens.
5. Add the scanning account if not listed.
6. Select the account and ensure that the Remote Access permission is set to Allow.
7. Click OK to save changes.

LDAP Scanning Account Requirements

The same Windows scanning account used for LDAP integration per domain should also be assigned the above local permissions to enable local account scanning on Windows endpoints.

Final Steps

Once permissions are configured:

Log in to the platform.
Navigate to Source > Active Directory > Configurations section.
For each domain, locate the Local Entity Scanning setting.
Enable the checkbox to allow scanning of local users and groups.

Once enabled, ITP will automatically begin collecting local account data during scheduled AD scans.

Troubleshooting local users not appearing in scans

Verify file access on UNIX endpoints.
Ensure that the scanning account is not being blocked by local firewall rules.
Check Windows Event Logs for access denials.
Reconfirm policy changes were applied and replicated (if using Group Policy).

Troubleshooting Authentication Issues

To verify common causes of authentication failures:

Validate the following conditions:
- Ensure the domain is entered in DNS format (for example, domain.example.com).
- Confirm there is network connectivity between the workload machine and the Domain Controller.
- Run the following command on the workload machine to validate connectivity and credentials. Substitute the appropriate username, password, and domain name.
```
dsquery user -u UserName -p Password -s DomainName -limit 1
```
Verify the user account password is not expired.
Ensure the user account is not configured to require a password change at the next login.
Check the sharing settings of the secrets to make sure the engine has access to the secret.