Sync AD Policies: Automating Asset Discovery & Group Sync
Satyam
Last Update 2 months ago
Sync Policies are the automation engine of the Active Directory Integration. Instead of manually triggering scans, a policy runs on a defined schedule — discovering new computers, mirroring security groups, and optionally onboarding devices without any manual intervention.
This article covers how to create and manage sync policies, configure auto-onboarding, and interpret policy execution results.
Policy Types
SecOps Solution supports two types of sync policies. Choose the one that matches your operational goal.
| Policy Type | What It Does |
| Asset Discovery | Performs an LDAP scan of the selected domain and imports all computer accounts as unmanaged devices in the Devices tab. Use this type to build your device inventory from Active Directory. |
| Group Synchronization | Reads your AD security groups and mirrors them as asset groups in SecOps Solution. Computers within those groups are surfaced in the Devices tab for review and approval. |
Creating a AD Sync Policy
- Navigate to AD Integration and click the Sync Policies tab.
- Click Create Policy.
- You will be taken to the Create AD Sync Policy full-page form. Complete each section as described below.
Section 1: Policy Details
| Field | Description |
| Name | A descriptive name for the policy. Example: Weekly Asset Discovery – testlab.local |
| Domain | Select the AD domain this policy should run against. Only domains that have been added and validated will appear here. |
| Policy Type | Choose Asset Discovery or Group Synchronization. |
| Description | Optional. Use this field to document the policy's purpose, scope, or owner for future reference. |
Section 2: Auto-Onboard Configuration (Asset Discovery policies only)
This section appears only when Asset Discovery is selected as the policy type. It allows you to configure automatic onboarding of newly discovered devices without requiring manual approval in the Devices tab.
To enable auto-onboarding, toggle the Auto-onboard discovered devices switch to the on position. When enabled, every device discovered by this policy will be automatically approved and onboarded using the method and credentials configured below.
If you prefer to review and approve devices manually before they are onboarded, leave this toggle off. Discovered devices will appear in the Devices tab with a Pending status.Onboarding Method
| Method | Description |
| Agent-based (deploy via GPO) | The SecOps agent is deployed to the device through a Group Policy Object. Best suited for Windows domain-joined machines. |
| Agentless (SSH / WinRM) | SecOps connects directly to the device using WinRM (Windows) or SSH (Linux/Mac) to perform scans without installing an agent. Requires network access and valid credentials for each device. |
Common Settings (both methods)
| Field | Description |
| Asset Criticality | Assigns a criticality level (1–5) to all devices onboarded by this policy. Level 1 is the default; Level 5 is highest criticality. |
| Asset Groups | Assign onboarded devices to one or more asset groups. You can select existing groups or type a new name to create one. |
| Jump Host Agent | The agent that will handle communication to the devices during onboarding. |
| Timeout (hrs) | How long SecOps Solution will wait for an onboarding attempt to complete before marking the device as failed. Default is 12 hours. |
Agentless Credentials (Agentless method only)
When agentless onboarding is selected, you must provide credentials for SecOps to connect to devices. Credentials are stored encrypted and used only during the onboarding process.
Windows Credentials
| Field | Description |
| Username | A local or domain account with administrative access to the target device. Example: administrator or DOMAIN\svc_secops |
| Password | Password for the above account. |
| WinRM Port | The port WinRM is listening on. Options: 5985 (HTTP, default) or 5986 (HTTPS). |
Linux & Mac Credentials
| Field | Description |
| Credential Type | Choose the authentication method (see table below). |
| Username | The SSH user. Example: root or a privileged service account. |
| SSH Port | Port 22 (default) or a custom port if your environment uses a non-standard SSH port. |
| Enable Sudo | Toggle on if the SSH user requires sudo to run privileged commands on the target device. |
Linux Credential Types
Type | When to Use |
| Password | Standard username and password authentication over SSH. Simplest to configure. |
| Upload Private SSH Key | Authenticate using a private key file (.pem or .key). Upload the file and optionally provide a passphrase if the key is encrypted. Use this when password-based SSH authentication is disabled in your environment. |
| Whitelist Public Key | SecOps generates a key pair and provides you with its public key. Add the public key to the authorized_keys file on target devices. This is the most secure option as it does not require storing a password or private key in SecOps. |
Section 3: Schedule
The schedule determines when the policy runs. All times are interpreted in the timezone configured in your SecOps account. You can schedule the policy based on the options available or you can create your own custom recurrence
Managing Existing Policies
All created policies are listed in the Sync Policies tab. Each row gives you a full operational picture of a policy at a glance:
To act on a policy, click the menu at the end of its row:
All created policies are listed in the Sync Policies tab. Each row gives you a full operational picture of a policy at a glance:
- Name — The policy name and optional description.
- Type — Asset Discovery or Group Synchronization.
- Domain — The AD domain the policy runs against.
- Status — Active means the policy is scheduled and will run as configured. Inactive means it has been paused.
- Last Run — Timestamp of the most recent completed execution.
- Execution Status — Outcome of the last run: Awaiting Execution, In Progress, Completed, or Error.
- Repeat — The recurrence pattern configured for the policy.
- Upcoming — The date and time of the next scheduled run.
To act on a policy, click the menu at the end of its row:
- Edit — Opens the full-page form with all fields pre-filled. You can update the name, schedule, credentials, or any other setting.
- Run Now — Triggers an immediate execution outside of the normal schedule. Useful for on-demand discovery or verifying that a newly created policy is working correctly.
- Delete — Permanently removes the policy after a confirmation prompt. Devices already discovered or onboarded by the policy are not affected and remain in your inventory.