Configure AD (Active Directory) Policies

ScoutDNS supports policy enforcement by user groups synced from Active Directory. This is useful when admins want policy decisions to follow the user regardless of the device or device profile in use. This guide explains how ScoutDNS syncs with Active Directory and how policy decisions are applied.

If you wish to assign policy using Entra ID (formerly Azure AD), then use this guide for Entra ID Group Policies.

Client Device Based Sync

ScoutDNS does not require direct access to any domain controllers, nor does it require a virtual machine or sync application. The ScoutDNS agents collect domain, user, and group information directly from each client device. This information is then used during the configuration of the Persona, which is the object used to set user- and group-based policy rules. This approach simplifies administration while also reducing risk.

Allow User Policies in Device Profiles

Since AD policies apply to roaming clients, we must first configure Device Profiles and deploy roaming clients to the users we want to manage policies for. If you have not yet deployed roaming clients, start here.

You will need to enable the User Policies switch, which allows ScoutDNS to collect AD information and ensures that group-based policies override the Device Profile policy. Keep in mind that the Device Profile default policy will apply to any user who is a member of a group that does not yet have an assigned policy via the Persona.


Info
Keep in mind that the device profile default policy will be the primary policy for any user who is a member of a group that does not yet have an assigned policy via the Persona.


Create Persona

Now that we have configured device profiles to allow user-based policies, we need to create a Persona, which defines how ScoutDNS applies group-based policies.

New Persona

Navigate to the Users tab and select the Configure sub-tab. On the far right, select New Persona. You will need to name the persona in the Settings tab.

Bind Domain

Next, select the Active Directory sub-tab. This is where we will bind a domain to the Persona. A single Persona can only bind to one domain, and each domain can only be bound once to a single Persona. An account can have multiple Personas with different domains.

Define Group Policy and Priority

Once you have chosen the domain to bind, you can view all groups discovered by the roaming clients. For a group to be discovered, a user who is a member of that group must have logged into a roaming client at least once. Select every group you want to base policies on and move it to the right-hand column. There you can set a policy for each selected group.

In addition to setting a policy, you can define the order or priority of groups and policies in case a user is a member of multiple groups with different policies. A priority of 1 is considered the highest.

Simply save the Persona, and ScoutDNS will apply the policy accordingly.
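To make the rules in the steps above concrete, here is an added model of how a saved Persona resolves a user's policy. It is illustration code written for this page, not ScoutDNS code: the class and function names (DeviceProfile, Persona, AgentReport, resolve_policy) and the domain, user, group and policy names are assumptions constructed for the example. The behaviour it encodes is what the guide states: the User Policies switch must be on for group policies to apply, a Persona is bound to exactly one domain, priority 1 is the highest, and a user who matches no selected group receives the Device Profile default policy.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DeviceProfile:
    name: str
    default_policy: str
    user_policies_enabled: bool = False  # the "User Policies" switch on the profile


@dataclass
class Persona:
    name: str
    bound_domain: str  # a Persona binds to exactly one domain
    # group name -> (priority, policy); priority 1 is the highest
    group_policies: Dict[str, Tuple[int, str]] = field(default_factory=dict)

    def add_group(self, group: str, priority: int, policy: str) -> None:
        """Select a discovered group and give it a policy and a priority."""
        if priority < 1:
            raise ValueError("priority must be 1 or greater (1 is highest)")
        if any(prio == priority for prio, _ in self.group_policies.values()):
            raise ValueError(f"priority {priority} is already used in {self.name}")
        self.group_policies[group] = (priority, policy)


@dataclass
class AgentReport:
    """Domain, user and group membership as collected on a device (constructed sample)."""
    domain: str
    user: str
    groups: List[str]


def resolve_policy(profile: DeviceProfile, persona: Persona,
                   report: AgentReport) -> Tuple[str, str]:
    """Return (policy, reason) for one signed-in user on one device."""
    # With the switch off, group policies are never consulted.
    if not profile.user_policies_enabled:
        return profile.default_policy, "User Policies switch is off"
    # A Persona only applies to the domain it is bound to.
    if report.domain.casefold() != persona.bound_domain.casefold():
        return profile.default_policy, "user's domain is not bound to this Persona"
    # Every selected group the user belongs to, lowest priority number first.
    matches = sorted(
        (prio, group, policy)
        for group, (prio, policy) in persona.group_policies.items()
        if group in report.groups
    )
    if not matches:
        return profile.default_policy, "no selected group matched; profile default applies"
    prio, group, policy = matches[0]
    return policy, f"matched group '{group}' at priority {prio}"


def example_resolution() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: one profile, one Persona, four users."""
    laptops = DeviceProfile("Laptops", default_policy="Standard", user_policies_enabled=True)
    persona = Persona("Corp Users", bound_domain="corp.example.com")
    persona.add_group("Finance", priority=1, policy="Strict")
    persona.add_group("Engineering", priority=2, policy="Relaxed")

    reports = [
        # alice is in both selected groups; Finance wins on priority
        AgentReport("corp.example.com", "alice", ["Domain Users", "Engineering", "Finance"]),
        AgentReport("corp.example.com", "bob", ["Domain Users", "Engineering"]),
        # carol is in no selected group, so the profile default applies
        AgentReport("corp.example.com", "carol", ["Domain Users"]),
        # dave's domain is not the one bound to the Persona
        AgentReport("lab.example.com", "dave", ["Finance"]),
    ]
    results = {r.user: resolve_policy(laptops, persona, r) for r in reports}

    # Same user and Persona, but a profile where the switch was never enabled.
    kiosks = DeviceProfile("Kiosks", default_policy="Locked")
    results["alice@kiosk"] = resolve_policy(kiosks, persona, reports[0])
    return results


if __name__ == "__main__":
    for user, (policy, reason) in example_resolution().items():
        print(f"{user:12} -> {policy:9} ({reason})")
```

Running the block prints one line per user with the policy chosen and why; the reason string is the useful part when checking why a user landed on the profile default rather than a group policy.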

Notes
Any security group can be selected to apply a policy to.

For accounts with the Organization Management tab, you should link the Persona to the appropriate organization to ensure that the User tab and associated reporting data align correctly. This functions similarly to linking a Site (for network-based deployments) and Profiles (for roaming clients). Like the other objects mentioned, you can automatically link a Persona to any organization by creating the Persona from within a selected Organization view.

Alert
Don't forget to link the Persona to the correct organization.

If you want to assign policies based on Entra ID groups instead of Active Directory, note that Entra ID support is coming soon.
