Synchronize ESET PROTECT Cloud with Active Directory

Use the ESET Active Directory Scanner to synchronize Active Directory computers with the ESET PROTECT Cloud Web Console.



Active Directory Scanner cannot synchronize Active Directory users. This functionality will be added later.


Run the Active Directory Scanner as an Active Directory user on a computer connected to Active Directory.

Supported operating systems (support for HTTP/2): Windows 10, Windows Server 2016 and later.

Download and install .NET Core Runtime.

Using the Active Directory Scanner

1.In the ESET PROTECT Cloud Web Console, create the Agent GPO deployment script.

2.Log in to a computer in your Active Directory with an Active Directory user account. Make sure it meets the prerequisites listed above.

3.Download the latest Active Directory Scanner to the computer.

4.Unzip the downloaded file.

5.Download the Agent GPO deployment script (created in step 1) and copy it to the ActiveDirectoryScanner folder (a folder containing all Active Directory Scanner files).

6.In the ESET PROTECT Cloud Web Console, go to Computers and select the Static Group where you want to synchronize the Active Directory structure.

7.Click the gear icon next to the selected Static Group, select icon_license_owner Active Directory Scanner and copy the generated access token.



Each Static Group has its own token. The token identifies the Static Group where the Active Directory will be synchronized.

To invalidate the current token for security reasons, click Regenerate to create a new token. If the Active Directory synchronization with ESET PROTECT Cloud is already running, the synchronization will stop after the change of security token. You must run the Active Directory Scanner with the new token to re-enable the Active Directory synchronization.

8.Run the Active Directory Scanner (replace token_string with the token you copied in the previous step).

ActiveDirectoryScanner.exe --token token_string




By default, the latest Active Directory Scanner does not synchronize disabled Active Directory computers. To synchronize disabled Active Directory computers, use the --disabled-computers parameter:

ActiveDirectoryScanner.exe --token token_string --disabled-computers

9.When requested, type the Active Directory user password.

10. After the Active Directory Scanner completes the synchronization, your Active Directory structure (organizational units with computers) will appear in Computers in the ESET PROTECT Cloud Web Console as Static Groups with computers.



The Active Directory Scanner creates an Active Directory Synchronization task in the Windows Task Scheduler with a trigger repeat interval set to 1 hour. You can adjust the Active Directory synchronization interval in the Task Scheduler based on your preference. Any future changes to your Active Directory structure will be reflected in the ESET PROTECT Cloud Web Console after the next synchronization.



Active Directory synchronization limitations:

oActive Directory Scanner synchronizes only Active Directory organizational units that contain computers with DNS names. Organizational units that do not contain any computers will not be synchronized.

oIf the organizational unit name changes in Active Directory, a new Static Group with the new name will be created in the ESET PROTECT Cloud Web Console after the next synchronization. The Static Group corresponding to the old organizational unit name will remain the ESET PROTECT Cloud Web Console and it will be empty (computers will move to the new Static Group with the new name).

oIf you delete an organizational unit in Active Directory, all computers in the unit will be removed from the corresponding Static Group in the ESET PROTECT Cloud Web Console.

oIf you delete a synchronized Active Directory computer from the ESET PROTECT Cloud Web Console, it will not re-appear after the next synchronization, even though it remains in the Active Directory.

To see the Active Directory Scanner help, use one of these parameters: -? -h --help.


For troubleshooting purposes, view the logs located in C:\ProgramData\ESET\ActiveDirectoryScanner\Logs.


hmtoggle_plus0Workaround solutions