ScoutDNS supports policy enforcement by user groups synced from Active Directory. This is useful when admins want policy decisions to follow the user regardless of the device or device profile in use. This guide explains how ScoutDNS syncs with Active Directory and how policy decisions are applied.
Client Device Based Sync
ScoutDNS does not require direct access to any domain controllers, nor does it require a virtual machine or sync application. The ScoutDNS agents collect domain, user, and group information directly from each client device. This information is then used during the configuration of the Persona, which is the object used to set user- and group-based policy rules. This approach simplifies administration while also reducing risk.
Allow User Policies in Device Profiles
Since AD policies apply to roaming clients, we must first configure Device Profiles and deploy roaming clients to the users we want to manage policies for. If you have not yet deployed roaming clients, start here.
You will need to enable the User Policies switch, which allows ScoutDNS to collect AD information and ensures that group-based policies override the Device Profile policy. Keep in mind that the Device Profile default policy will apply to any user who is a member of a group that does not yet have an assigned policy via the Persona.

Create Persona
Now that we have configured device profiles to allow user-based policies, we need to create a Persona, which defines how ScoutDNS applies group-based policies.
New Persona
Navigate to the Users tab and select the Configure sub-tab. On the far right, select New Persona. You will need to name the persona in the Settings tab.
Bind Domain
Next, select the Active Directory sub-tab. This is where we will bind a domain to the Persona. A single Persona can only bind to one domain, and each domain can only be bound once to a single Persona. An account can have multiple Personas with different domains.
Define Group Policy and Priority
Once you have chosen the domain to bind, you can view all groups discovered by the roaming clients. For a group to be discovered, a user who is part of that group must have logged into a roaming client at least once. Choose all groups you wish to base policies on and add them to the right side of the column. Here, you can set a policy for any selected group.
In addition to setting a policy, you can define the order or priority of groups and policies in case a user is a member of multiple groups with different policies. A priority of 1 is considered the highest.
Simply save the Persona, and ScoutDNS will apply the policy accordingly.

Any security group can be selected to apply a policy to.
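The resolution rules described above can be modeled offline to check which policy each user would receive before a Persona is saved. This is an added example, not ScoutDNS code or its API; the class and function names, sample domains, groups and policy names are all hypothetical. It assumes that a user whose domain is not bound, or who is on a profile with the User Policies switch off, falls back to the Device Profile default.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class GroupRule:
    group: str      # AD security group selected in the Persona
    policy: str     # policy assigned to that group
    priority: int   # 1 is the highest priority

@dataclass
class Persona:
    name: str
    domain: str     # a Persona binds to exactly one domain
    rules: list = field(default_factory=list)

def duplicate_domains(personas):
    """Return domains bound by more than one Persona (each domain may be bound once)."""
    seen, dupes = set(), set()
    for p in personas:
        d = p.domain.lower()
        (dupes if d in seen else seen).add(d)
    return sorted(dupes)

def effective_policy(domain, groups, personas, profile_default, user_policies=True):
    """Return (policy, reason) for one user under the rules described above."""
    if not user_policies:  # assumption: switch off means the profile policy applies
        return profile_default, "User Policies switch is off"
    persona = next((p for p in personas if p.domain.lower() == domain.lower()), None)
    if persona is None:    # assumption: unbound domain falls back to the default
        return profile_default, "domain not bound to a Persona"
    member_of = {g.lower() for g in groups}
    matches = [r for r in persona.rules if r.group.lower() in member_of]
    if not matches:
        return profile_default, "no group with an assigned policy"
    best = min(matches, key=lambda r: r.priority)  # lowest number wins
    return best.policy, f"group {best.group!r}, priority {best.priority}"

# Constructed sample data: every name below is hypothetical.
PERSONAS = [Persona("HQ", "corp.example", [
    GroupRule("IT-Admins", "Unrestricted", 1),
    GroupRule("Finance", "Strict", 2),
    GroupRule("Staff", "Standard", 3)])]
USERS = {"alice": ("corp.example", ["Staff", "IT-Admins"]),
         "bob": ("corp.example", ["Staff", "Finance"]),
         "carol": ("corp.example", ["Contractors"]),
         "dave": ("lab.example", ["Staff"])}

if __name__ == "__main__":
    for user, (domain, groups) in USERS.items():
        print(user, *effective_policy(domain, groups, PERSONAS, "Profile-Default"))
```

Because the highest-priority matching group wins, placing a permissive group at priority 1 overrides any stricter policy a user would otherwise receive from another group, so the ordering is worth reviewing alongside the list of users who fall through to the default.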
Link Persona to Organization
For accounts with the Organization Management tab, you should link the Persona to the appropriate organization to ensure that the User tab and associated reporting data align correctly. This functions similarly to linking a Site (for network-based deployments) and Profiles (for roaming clients). Like the other objects mentioned, you can automatically link a Persona to any organization by creating the Persona from within a selected Organization view.

Don't forget to link the Persona to the correct organization.
If you want to assign policies based on Entra ID groups instead of Active Directory, note that Entra ID support is coming soon.