This article summarizes how to install the Elisity Active Directory Agent directly on Domain Controllers.
The Elisity AD Connector should be installed on a Windows Server (Windows 10/Windows Server 2016/2019) that is a domain controller on the enterprise network.
- Minimum requirements are:
- Microsoft .NET Framework v4.7.1 (see Microsoft's guidance on determining which framework version is installed)
- 4GB RAM
- 1 GB free disk space
- Outbound Port 443 is required to send Event Logs to Elisity CCC.
- Must be installed with Administrator Privileges
- A service account for the Elisity Connector Service
NOTE: The following command enables the event source computer (in this case your domain controller) to respond affirmatively to source-initiated subscriptions. It runs the Windows Event Collector utility quick config; the /q switch runs it without prompting and allows source-initiated subscriptions.
wecutil qc /q
- Elisity Active Directory (AD) Connector is required for customers with an on-premise Active Directory (AD) environment. Elisity AD connector will keep the user login data synchronized with the Elisity Cloud Control Center (CCC) and provide the means of defining policies through User Identity.
- Go through this installation process on each domain controller you want to onboard, but you should only SYNC from ONE domain controller. More details are found in the following steps.
Passwords are never synced to the Elisity Cloud Control Center.
Create a Service Account for the Elisity AD Connector
- Create a new user in the appropriate domain to act as the Elisity AD Service Account
- Give the user a unique name to identify it as the Elisity AD Service Account
- Protect the user from accidental deletion
- Add the user to the group “Event Log Readers”
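The four steps above, carried out with the ActiveDirectory PowerShell module. This is an added example, not Elisity's own tooling; the account name, OU and domain are assumptions and should be replaced with your own values.

```powershell
# Added example (not Elisity's tooling): create the AD Connector service account.
# Account name, OU and UPN suffix below are assumptions for illustration.
Import-Module ActiveDirectory

$SamAccountName = 'svc-elisity-ad'                        # assumed name that identifies the purpose
$Ou             = 'OU=Service Accounts,DC=acme,DC=com'    # assumed OU
$UpnSuffix      = 'acme.com'                              # assumed domain

# Prompt for the password instead of embedding it in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $SamAccountName"

# Step 1 and 2: create the user with a name that marks it as the Elisity service account
New-ADUser -Name $SamAccountName `
    -SamAccountName $SamAccountName `
    -UserPrincipalName "$SamAccountName@$UpnSuffix" `
    -Description 'Elisity AD Connector service account' `
    -Path $Ou `
    -AccountPassword $Password `
    -Enabled $true

# Step 3: protect the object from accidental deletion
$dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $true

# Step 4: Event Log Readers is the only group membership the connector needs;
# the account is deliberately not made a Domain Admin.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $SamAccountName

# Verify the result
$user = Get-ADUser -Identity $SamAccountName -Properties ProtectedFromAccidentalDeletion, MemberOf
[pscustomobject]@{
    Account   = $user.SamAccountName
    Enabled   = $user.Enabled
    Protected = $user.ProtectedFromAccidentalDeletion
    Groups    = ($user.MemberOf | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' }) -join ', '
}
```

Run this from an elevated PowerShell session on a machine with the RSAT ActiveDirectory module, using an account allowed to create users in the chosen OU.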
Update Group Policy Settings
Go To: Server manager > Tools > Group Policy Management
- Create a new GPO (applicable to all DCs) or edit the default Domain Controller GPO as follows (figure 1)
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon
- Enable Success (figure 2) for Audit Kerberos Authentication Service
- Enable Success (figure 2) for Audit Kerberos Service Ticket Operations
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management
- Enable Success for Audit Computer Account Management, Audit Security Group Management, and Audit User Account Management (figure 3)
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access
- Enable Success for Audit Directory Service Changes (figure 4)
Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff
- Enable Success for Audit Account Lockout, Audit Group Membership, and Audit Logon
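A check that the audit settings from the four GPO sections above have actually taken effect on a domain controller. This is an added example, not part of Elisity's documentation; it reads the effective policy with auditpol (built into Windows) and flags any required subcategory that is not auditing Success.

```powershell
# Added example (not from Elisity's docs): verify the effective audit policy on a DC.
# Run in an elevated prompt after the GPO has been applied to this domain controller.
$Required = @(
    'Kerberos Authentication Service',    # Account Logon
    'Kerberos Service Ticket Operations', # Account Logon
    'Computer Account Management',        # Account Management
    'Security Group Management',          # Account Management
    'User Account Management',            # Account Management
    'Directory Service Changes',          # DS Access
    'Account Lockout',                    # Logon/Logoff
    'Group Membership',                   # Logon/Logoff
    'Logon'                               # Logon/Logoff
)

# "auditpol /r" emits CSV; the "Inclusion Setting" column holds the effective setting
$Effective = auditpol /get /category:* /r | ConvertFrom-Csv

$Report = foreach ($name in $Required) {
    $row = $Effective | Where-Object { $_.Subcategory -eq $name }
    [pscustomobject]@{
        Subcategory = $name
        Setting     = if ($row) { $row.'Inclusion Setting' } else { '<not found>' }
        # "Success" also matches "Success and Failure"
        Ok          = [bool]($row -and $row.'Inclusion Setting' -match 'Success')
    }
}

$Report | Format-Table -AutoSize
if ($Report.Ok -contains $false) {
    Write-Warning 'One or more required subcategories are not auditing Success; re-check the GPO scope and refresh policy on this DC.'
}
```

Because advanced audit policy overrides the legacy audit categories, a subcategory that shows "No Auditing" here is the usual reason the connector later sees no logon events even though the GPO looks correct.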
Modifying User Auditing Settings in ADSI Edit
Go To: Server Manager > Tools > ADSI Edit
- In ADSI Edit, click Action > Connect to… > “Default Naming Context”
- Hit OK
- Right click Users and select Properties (figure 6)
- Select the Security tab > click Advanced > select the Auditing tab (figure 7)
- Click Add (figure 8) > click Select a principal (figure 9)
- Check the Full control box (figure 10), then deselect the following four checkboxes: Full control, List contents, Read all properties, Read permissions
- Click OK and exit
After completing everything above, go to the command prompt and execute the command:
This will update all the policy changes without needing any reboots.
Elisity AD Connector Installation instructions
- Navigate to Elisity Cloud Control Center
- Navigate to the Connectors section in Cloud Control Center
- Click on +IDP/Connectors in the top right corner (figure 11)
- Click DOWNLOAD on the Active Directory connector
- Save the file to your local laptop/desktop or the machine where the Connector will be run.
- Copy the ElisityADConnectorInstaller.zip file into a TMP directory on the target machine (Windows 2016/2019 Server) that will host the Elisity AD Connector Service.
- Extract the files after copying them into the target machine.
- Run setup.exe as an administrator (figure 13). Leave all options as default.
The Connector is configured as a Windows Service running as LocalService and needs further configuration, which is done in a separate tabbed window, the “Elisity AD Connector Config App”.
At this point, you can click on [Close] to dispose of the installer window.
After successfully installing the Agent, open Windows Explorer, go to the installation folder, open the Security tab and grant Full Control to the Service Account user on the default folder “C:\Program Files\Elisity Inc”.
Optionally, you can provide access to the group: Event Log Readers
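The same folder permission grant done from PowerShell instead of the Explorer Security tab, so it can be scripted and reviewed. This is an added example, not Elisity's installer; the service account name is an assumption, and the listing at the end is there so an over-broad grant (for example to Everyone) is easy to spot.

```powershell
# Added example (not Elisity's installer): grant the service account Full Control
# on the install folder, inherited by all files and subfolders, then list the ACL.
$Folder  = 'C:\Program Files\Elisity Inc'
$Account = 'ACME\svc-elisity-ad'   # assumed service account (domain\user)

$acl  = Get-Acl -Path $Folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Review who has access now; only the service account (and optionally Event Log Readers)
# should have been added on top of the default SYSTEM/Administrators entries.
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it elevated; to grant the optional Event Log Readers access mentioned above, set $Account to 'BUILTIN\Event Log Readers' and run it again.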
Connecting the Elisity AD Connector Config App to CCC
- Go back to Cloud Control Center connectors page
- Click the view configuration button on the Active Directory connector
- Copy and save both the Gateway Server URL and Gateway Credential (figure 15)
- You can click the Copy icon to save the Credential to Clipboard
Figure 15
Paste these credentials into the Elisity AD Connector. Click on Register Software.
Now we will enter the credentials of the service account that we created earlier.
- Navigate to the Eada Service tab on the Elisity AD Connector Config App. Enter the service user credentials in the format domain\userid and enter the service user password. Click Save Service Config.
The Config App will now configure the Connector Service to run as the user you provided.
At this point the service status will still be “Stopped”.
Final Configurations and Sync Process
Go to the configuration file located at
- C:\Program Files\Elisity Inc\ElisityADConnector\ElisityConfGloba.json
Make sure that the DCHostGC field is set to your domain controller FQDN.
- Example: "DCHostGC": "ad1.acme.com"
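A quick pre-sync check of the DCHostGC setting in the file named above. This is an added example, not part of the Elisity connector: it reads the JSON, confirms that DCHostGC is a non-empty FQDN, and compares it with this host's own FQDN. The global catalog check is an assumption drawn from the field name, reported for information only.

```powershell
# Added example (not Elisity's code): validate DCHostGC before triggering the first sync.
Import-Module ActiveDirectory
$ConfigPath = 'C:\Program Files\Elisity Inc\ElisityADConnector\ElisityConfGloba.json'

$config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
$target = [string]$config.DCHostGC

if ([string]::IsNullOrWhiteSpace($target)) {
    throw "DCHostGC is empty in $ConfigPath"
}
if ($target -notmatch '\.') {
    Write-Warning "DCHostGC '$target' does not look like an FQDN (e.g. ad1.acme.com)"
}

# This machine's FQDN, for comparison with the configured value
$local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Resolve the configured name as a domain controller; fails if it is not a DC
$dc = Get-ADDomainController -Identity $target -ErrorAction Stop

[pscustomobject]@{
    ConfigFile      = $ConfigPath
    DCHostGC        = $target
    LocalFqdn       = $local
    IsThisHost      = ($target -ieq $local)
    IsGlobalCatalog = $dc.IsGlobalCatalog   # assumed relevant because of the "GC" in the field name
}
```

If IsThisHost is false, confirm that the value really should point at a different domain controller before you start the sync.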
After you have installed the connector on all of the relevant domain controllers, select a single domain controller to initiate your first sync. The Sync process picks up all users, groups and data from the entire domain regardless of which domain controller you trigger it from, so trigger a Sync from only ONE domain controller. To initiate the first full sync of the AD database with Elisity Cloud Control Center, click [Resync] to sync all the AD Users, Groups and Computers.
- After the Sync is complete, the Connector Windows Service will be started
- The status will show as “running” if the workflow is completed
- You can see the status of the Connector in the Elisity Cloud Control Center UI.
The connector onboarding is complete.