Full AD Scanning on Any Platform — Native LDAP Collection in Sentinel v0.3.0

March 14, 2026 · GrantFlow Team

Until now, scanning Active Directory users, groups, and group memberships required a Windows machine with the Active Directory PowerShell module installed. Starting with GrantFlow Sentinel v0.3.0, all AD collection runs over native LDAP — so you can audit your entire directory from macOS, Linux, or Windows without any extra dependencies.

What Changed

Sentinel v0.3.0 replaces the PowerShell-based AD user and group collector with a native LDAP implementation. Every user attribute the scanner needs — account status, last logon timestamps, password age, group memberships, SID resolution — is now fetched directly over LDAP.

This means:

  • macOS and Linux can now run full AD scans, not just ADCS checks
  • Windows no longer requires the Active Directory PowerShell module
  • Collection is faster thanks to LDAP paged searches and a SID resolution cache that maps security identifiers to account names in a single pass

If you were already running ADCS scans from macOS or Linux with LDAP credentials configured, the same configuration now automatically collects users and groups too. No changes to your sentinel.yaml needed.
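To make concrete what a native collector has to do with the raw values LDAP returns (the PowerShell module hid this), here is an added example, not Sentinel's own code: it decodes an objectSid byte string and FILETIME timestamps, reads the disabled bit out of userAccountControl, builds the SID-to-name cache in one pass over all returned objects and uses it to resolve a user's primary group. The entries, SIDs and timestamps are constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002                       # userAccountControl flag bit
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def sid_to_str(raw: bytes) -> str:
    """Convert a binary objectSid to its textual S-1-... form."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)  # sub-authorities are little-endian
    return "S-%d-%d-" % (revision, authority) + "-".join(str(s) for s in subs)

def filetime_to_dt(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means never."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def build_sid_cache(entries):
    """Single pass over every returned object: SID string -> sAMAccountName."""
    return {sid_to_str(e["objectSid"]): e["sAMAccountName"] for e in entries}

def assess_user(e, sid_cache, now):
    """Derive the hygiene signals a collector needs from raw attribute values."""
    sid = sid_to_str(e["objectSid"])
    domain_sid = sid.rsplit("-", 1)[0]
    # primaryGroupID is only a RID; the group's SID is the domain SID plus that RID
    primary_group = sid_cache.get("%s-%d" % (domain_sid, e["primaryGroupID"]), "<unresolved>")
    disabled = bool(e["userAccountControl"] & ACCOUNTDISABLE)
    pwd_set = filetime_to_dt(e["pwdLastSet"])
    return {
        "sid": sid,
        "disabled": disabled,
        "last_logon": filetime_to_dt(e["lastLogonTimestamp"]),
        "password_age_days": None if pwd_set is None else (now - pwd_set).days,
        "primary_group": primary_group,
        "disabled_with_memberships": disabled and bool(e.get("memberOf")),
    }

def _sid(*rids):  # build a constructed binary SID under the NT authority (S-1-5-...)
    return b"\x01" + bytes([len(rids)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(rids), *rids)

FT_2025_01_01 = 133801632000000000            # constructed: 2025-01-01T00:00:00Z as FILETIME
SAMPLE_ENTRIES = [                            # constructed sample objects, not real directory data
    {"sAMAccountName": "Domain Users", "objectSid": _sid(21, 1111, 2222, 3333, 513)},
    {"sAMAccountName": "jdoe", "objectSid": _sid(21, 1111, 2222, 3333, 1105),
     "userAccountControl": 0x0202, "primaryGroupID": 513, "pwdLastSet": FT_2025_01_01,
     "lastLogonTimestamp": FT_2025_01_01, "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"]},
]

if __name__ == "__main__":
    cache = build_sid_cache(SAMPLE_ENTRIES)
    print(assess_user(SAMPLE_ENTRIES[1], cache, datetime(2025, 3, 2, tzinfo=timezone.utc)))
```

Running it flags jdoe as a disabled account that still holds a group membership, one of the signals the AD hygiene checks described further down correlate.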

Cross-Platform AD Scanning

Point Sentinel at your domain controller with LDAP credentials and run a full scan from any operating system:

```yaml
ldap_server: dc.example.com
ldap_tls: true
ldap_bind_dn: "CN=sentinel,OU=ServiceAccounts,DC=example,DC=com"
```

Pass the bind password via the LDAP_BIND_PASS environment variable, then run:

```bash
grantflow-sentinel ad
```

Sentinel collects users, groups, memberships, computer accounts, LAPS status, and certificate services data — all over LDAP. The resulting report is identical whether you scan from Windows, macOS, or Linux.

AI-Powered AD Hygiene Analysis

v0.3.0 also introduces SENT-ADHYG-100, a new AI-powered check that analyzes your entire AD hygiene posture holistically. Instead of checking individual signals in isolation, it correlates:

  • Stale user and computer accounts
  • Password policy gaps
  • LAPS deployment coverage
  • Disabled accounts that still retain group memberships
  • Service account exposure

The AI analysis produces a narrative assessment with prioritized remediation steps ranked by risk — helping you focus on the issues that matter most rather than working through a flat list of findings.

This check is optional and requires an AI endpoint configured in your scan profile. Without it, the check is skipped and all other AD hygiene checks still run normally.

Total Check Count

With the addition of SENT-ADHYG-100, Sentinel now includes 95 security checks across 15 domains.

Getting Started

If you are already running Sentinel with LDAP credentials, upgrade to v0.3.0 and your next scan will automatically collect users and groups over LDAP. No configuration changes required.

If you are new to Sentinel, see the Quick Start guide and the LDAP configuration options to get running on any platform.