Configure AD (Active Directory) Policies

ScoutDNS supports policy enforcement by user groups synced from Active Directory. This is useful when admins want policy decisions to follow the user regardless of the device or device profile in use. This guide explains how ScoutDNS syncs with Active Directory and how policy decisions are applied.

Client Device Based Sync

ScoutDNS does not require direct access to any domain controllers, nor does it require a virtual machine or sync application. The ScoutDNS agents collect domain, user, and group information directly from each client device. This information is then used during the configuration of the Persona, which is the object used to set user- and group-based policy rules. This approach simplifies administration while also reducing risk.

Allow User Policies in Device Profiles

Since AD policies apply to roaming clients, we must first configure Device Profiles and deploy roaming clients to the users we want to manage policies for. If you have not yet deployed roaming clients, start here.

You will need to enable the User Policies switch, which allows ScoutDNS to collect AD information and ensures that group-based policies override the Device Profile policy. Keep in mind that the Device Profile default policy will apply to any user who is a member of a group that does not yet have an assigned policy via the Persona.


Info
Keep in mind that the device profile default policy will be the primary policy for any user who is a member of a group that does not yet have an assigned policy via the Persona.


Create Persona

Now that we have configured device profiles to allow user-based policies, we need to create a Persona, which defines how ScoutDNS applies group-based policies.

New Persona

Navigate to the Users tab and select the Configure sub-tab. On the far right, select New Persona. You will need to name the persona in the Settings tab.



Bind Domain

Next, select the Active Directory sub-tab. This is where we will bind a domain to the Persona. A single Persona can only bind to one domain, and each domain can only be bound once to a single Persona. An account can have multiple Personas with different domains.



Define Group Policy and Priority

Once you have chosen the domain to bind, you can view all groups discovered by the roaming clients. For a group to be discovered, a user who is a member of that group must have logged into a roaming client at least once. Choose all groups you wish to base policies on and move them to the right-hand column. Here, you can set a policy for any selected group.

In addition to setting a policy, you can define the order or priority of groups and policies in case a user is a member of multiple groups with different policies. A priority of 1 is considered the highest.




Simply save the Persona, and ScoutDNS will apply the policy accordingly.
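The precedence rules described above (User Policies switch, one domain per Persona, highest-priority matching group, Device Profile default as fallback) modelled as a small resolver. This is an added illustrative example, not ScoutDNS code; the domain, group and policy names are constructed, and the exact matching and tie-breaking behaviour is an assumption based on this guide.

```python
from dataclasses import dataclass, field

@dataclass
class GroupRule:
    group: str      # AD security group name as discovered by the roaming client
    policy: str     # ScoutDNS policy assigned to that group in the Persona
    priority: int   # 1 is the highest priority

@dataclass
class Persona:
    domain: str                      # a Persona binds exactly one domain
    rules: list = field(default_factory=list)

@dataclass
class DeviceProfile:
    default_policy: str
    user_policies: bool = False      # the "User Policies" switch on the profile

def validate_personas(personas):
    """Each domain may be bound to only one Persona; raise if a domain repeats."""
    seen = set()
    for p in personas:
        d = p.domain.lower()
        if d in seen:
            raise ValueError(f"domain {p.domain} is bound to more than one Persona")
        seen.add(d)
    return True

def resolve_policy(profile, personas, user_domain, user_groups):
    """Return (policy, reason) for a user signed in on a roaming client."""
    if not profile.user_policies:
        return profile.default_policy, "User Policies switch is off"
    persona = next((p for p in personas if p.domain.lower() == user_domain.lower()), None)
    if persona is None:
        return profile.default_policy, "user's domain is not bound to a Persona"
    member = {g.lower() for g in user_groups}
    matches = [r for r in persona.rules if r.group.lower() in member]
    if not matches:
        return profile.default_policy, "none of the user's groups has an assigned policy"
    best = min(matches, key=lambda r: r.priority)   # lowest number wins
    return best.policy, f"group {best.group} (priority {best.priority})"

# Constructed sample data (hypothetical domain, groups and policy names).
PROFILE = DeviceProfile("Profile-Default", user_policies=True)
PERSONA = Persona("corp.example", [
    GroupRule("Finance", "Strict", 1),
    GroupRule("IT", "Relaxed", 2),
    GroupRule("Staff", "Standard", 3),
])
```

Calling resolve_policy(PROFILE, [PERSONA], "corp.example", ["Staff", "IT"]) returns the Relaxed policy because IT (priority 2) outranks Staff (priority 3).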

Notes
A policy can be applied to any security group.


For accounts with the Organization Management tab, you should link the Persona to the appropriate organization to ensure that the User tab and associated reporting data align correctly. This functions similarly to linking a Site (for network-based deployments) and Profiles (for roaming clients). Like the other objects mentioned, you can automatically link a Persona to any organization by creating the Persona from within a selected Organization view.





Alert
Don't forget to link the Persona to the correct organization.

If you want to assign policies based on Entra ID groups instead of Active Directory, note that Entra ID support is coming soon.

