Find and govern every Active Directory service account - including the ones from 2010

Outcome

Cloud-only NHI tools are blind to on-prem. Active Directory service accounts - some running since the early 2010s with non-rotating passwords and unconstrained Kerberos delegation - are the longest-lived, least-governed NHIs in most enterprises. Oleria surfaces them in the same graph as your cloud NHIs, making Active Directory Service Account Governance a continuous program rather than a periodic fire drill.

Why this is hard without Oleria

AD service accounts are the longest-lived NHIs in most enterprises. Some have authenticated continuously since the early 2010s. Most have non-rotating passwords by design. Many have Kerberos delegation set up "just in case." Cloud-only approaches to NHI security simply don't see them.

Covering AD requires an on-prem agent, and that's exactly what Oleria ships. The agent reads the service account inventory, last-logon timestamps, and password-not-required flags. NIST SP 800-63B and the CIS Benchmarks for Active Directory both identify service account credential hygiene as a foundational control - one that requires visibility into the on-prem environment to enforce.

What Oleria delivers

Hybrid-aware inventory - on-prem AD in the same graph as cloud NHIs.

The read-only on-prem agent surfaces service accounts, MSAs, and gMSAs alongside your cloud identities. One view, no coverage gaps.

Password-hygiene queue built automatically

Non-rotating passwords flagged by account, with last-password-set date - the cleanup list your AD admin has been meaning to build.

Full multi-domain forest coverage in a single connection

Cross-domain trust relationships become visible as scope, not just topology, so you see which accounts can move laterally across domains.

AT A GLANCE

AD service account inventory: Including legacy from 2010
Owner assignment: Supported
Hybrid graph: Cloud + on-prem unified

How it works

  1. Connect
    On-prem agent deployed via standard endpoint method. Read-only AD service account.
  2. Inventory
    Service accounts, MSAs, and gMSAs flow into the graph with attributes.
  3. Review
    Sort by password policy, delegation type, or last-logon.
  4. Act
    Rotate password, restrict delegation, migrate to MSA/gMSA, or decommission.

What good looks like

  • Before: Cloud NHI inventory is complete; on-prem AD is a blind spot with no owner list and no last-logon data. After: Hybrid inventory covers both, surfaced in one place.
  • Non-rotating-password service accounts decommissioned or migrated to MSA/gMSA on a quarterly cadence - not as a fire drill, as a routine.
  • Every 2010-era service account has a named owner and a review date - the accounts that have run unreviewed for 15 years finally enter the governance cycle.

Your 2010-era Active Directory service accounts still have no owners. Fix that.

Oleria brings every on-prem AD service account into the same governance cycle as your cloud NHIs — with owner assignment, password hygiene queues, and delegation risk surfaced automatically.

Frequently Asked Questions

What does the agent actually do?

Read-only LDAP queries against the service accounts you scope it to. No writes, no domain controller modifications, no policy changes.

Is the agent supported on Windows Server 2016+?

Yes. See the connector documentation for the specific supported versions.

How does this compare to using native AD tooling like ADUC or PowerShell Get-ADServiceAccount?

Native AD tools require domain admin access, return per-domain results, and produce no unified view across forests or cloud identities. Oleria uses a read-only agent, works across multi-domain forests in a single connection, and joins the AD inventory with your cloud NHIs.

Does this cover unconstrained Kerberos delegation, and why does that matter?

Yes. Accounts with unconstrained delegation are explicitly flagged. Unconstrained Kerberos delegation allows any service running under that account to impersonate any user to any other service in the domain - a common lateral movement path exploited in pass-the-ticket attacks.

How does this map to NIST, CIS, or SOC 2 compliance requirements?

AD service account findings map to NIST SP 800-53 AC-2 and IA-5, CIS Benchmarks for Active Directory, and SOC 2 CC6.1 (logical access controls).

How fresh is the inventory, and how does it handle accounts that are disabled but not deleted?

Inventory syncs on a scheduled cycle. Disabled accounts are included and clearly marked, because a disabled account with Kerberos delegation or group membership that gets re-enabled is a real risk pattern.
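The Review and Act steps above, the unconstrained-delegation FAQ, and the disabled-but-not-deleted FAQ all describe the same triage: read each account's attributes, flag the hygiene problems, and pick one of four actions. The script below is an added example, not Oleria's agent or any of its code. It assumes the agent (or any LDAP client) has already returned records with the real AD attribute names sAMAccountName, objectClass, userAccountControl, pwdLastSet and lastLogonTimestamp; the bit values and the FILETIME encoding are Microsoft's documented ones, while the account names, dates, thresholds (365-day password age, 90-day staleness) and the action priority order are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented by Microsoft (real values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000  # unconstrained Kerberos delegation

# Real AD schema classes for MSAs and gMSAs; their passwords rotate automatically.
MANAGED_CLASSES = {"msDS-ManagedServiceAccount", "msDS-GroupManagedServiceAccount"}

# AD stores pwdLastSet and lastLogonTimestamp as 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Decode an AD FILETIME integer; 0 means the attribute was never set."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (integer math), used here to build the sample."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def triage(acct, now, max_pw_age_days=365, stale_days=90):
    """Flag one account record and recommend one of the page's four actions."""
    uac = acct["userAccountControl"]
    managed = acct["objectClass"] in MANAGED_CLASSES
    pw_set = filetime_to_datetime(acct.get("pwdLastSet", 0))
    last_logon = filetime_to_datetime(acct.get("lastLogonTimestamp", 0))
    pw_age = (now - pw_set).days if pw_set else None

    findings = []
    if uac & ACCOUNTDISABLE:
        findings.append("disabled")  # kept in the queue and marked, never dropped
    if uac & PASSWD_NOTREQD:
        findings.append("password-not-required")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")
    if not managed and uac & DONT_EXPIRE_PASSWORD:
        findings.append("password-never-expires")
    if not managed and (pw_age is None or pw_age > max_pw_age_days):
        findings.append("password-not-rotated")
    if last_logon is None or (now - last_logon).days > stale_days:
        findings.append("stale")

    # Constructed priority: disabled accounts get reviewed (delegation and group
    # membership survive a re-enable), dead accounts are decommissioned, then
    # delegation is restricted, then credential hygiene is fixed.
    if "disabled" in findings:
        action = "review before re-enable"
    elif "stale" in findings:
        action = "decommission"
    elif "unconstrained-delegation" in findings:
        action = "restrict delegation"
    elif not managed and {"password-never-expires", "password-not-rotated"} & set(findings):
        action = "migrate to MSA/gMSA"
    elif "password-not-required" in findings:
        action = "rotate password"
    else:
        action = "no action"
    return {"sAMAccountName": acct["sAMAccountName"], "objectClass": acct["objectClass"],
            "password_age_days": pw_age, "findings": findings, "action": action}


ACTION_PRIORITY = {"restrict delegation": 0, "review before re-enable": 1, "decommission": 2,
                   "migrate to MSA/gMSA": 3, "rotate password": 4, "no action": 5}


def build_queue(accounts, now):
    """Triage every record; order by action severity, then oldest password first."""
    rows = [triage(a, now) for a in accounts]
    rows.sort(key=lambda r: (ACTION_PRIORITY[r["action"]], -(r["password_age_days"] or 10**6)))
    return rows


# Constructed sample: a fixed clock and synthetic records shaped like LDAP results.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


def _on(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-backup-2010", "objectClass": "user",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_FOR_DELEGATION,
     "pwdLastSet": _on(2010, 6, 15), "lastLogonTimestamp": _ago(2)},
    {"sAMAccountName": "svc-legacy-print", "objectClass": "user",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | PASSWD_NOTREQD,
     "pwdLastSet": _on(2012, 3, 1), "lastLogonTimestamp": _ago(400)},
    {"sAMAccountName": "svc-etl", "objectClass": "user",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | TRUSTED_FOR_DELEGATION,
     "pwdLastSet": _on(2015, 1, 1), "lastLogonTimestamp": _ago(200)},
    {"sAMAccountName": "svc-report", "objectClass": "user",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": _ago(900), "lastLogonTimestamp": _ago(5)},
    {"sAMAccountName": "gmsa-sql01$", "objectClass": "msDS-GroupManagedServiceAccount",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": _ago(10), "lastLogonTimestamp": _ago(1)},
]

if __name__ == "__main__":
    for row in build_queue(SAMPLE_ACCOUNTS, NOW):
        print(f"{row['sAMAccountName']:<18} {row['action']:<24} {row['findings']}")
```

Two design points worth noting. The gMSA is exempt from the password-age checks because its password is rotated by the domain, so a queue that flagged it would only add noise; and the disabled account stays in the queue with a "disabled" finding rather than being filtered out, because the delegation bit it still carries is exactly the re-enable risk the last FAQ describes.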