Installation
This page walks you through installing Authnull Agentless AD on your Domain Controller. The whole process takes under 10 minutes.
Step 1 — Download the Sensor
- Log in to the Authnull dashboard
- Go to Active Directory → Agentless AD
- Click Download Sensor — this downloads
AuthnullDCSensor.exe - On the same page, click Download Configuration — this downloads your pre-configured
sensor.yml
The
sensor.ymlcontains tenant-specific configuration and a secure bootstrap token used to establish trust with the Authnull backend. Do not share it or commit it to version control.
Copy both files to the Domain Controller. We recommend placing them at:
C:\Program Files\Authnull\AgentlessAD\AuthnullDCSensor.exe
C:\ProgramData\Authnull\sensor.yml
Step 2 — Service Account
The sensor service requires Local Administrator on the Domain Controller to read the Windows Security Event Log and manage WFP rules. It does not require Domain Admin privileges.
You can run the service under any of the following:
| Option | Notes |
|---|---|
| Local System | Simplest — no account setup required |
| Dedicated local account | Recommended for environments with strict service account policies |
| gMSA | Recommended for larger deployments — automatic password management |
Step 3 — Install as a Windows Service
Open PowerShell as Administrator on the DC and run:
sc.exe create AuthnullDCSensor `
binPath= "C:\Program Files\Authnull\AgentlessAD\AuthnullDCSensor.exe" `
start= auto `
DisplayName= "Authnull Agentless AD"
sc.exe description AuthnullDCSensor "Authnull Agentless AD — MFA enforcement for Active Directory"
sc.exe start AuthnullDCSensor
Step 4 — Verify It's Running
Check the service status:
sc.exe query AuthnullDCSensor
You should see:
STATE: 4 RUNNING
Then check the sensor log to confirm it connected to the backend successfully:
Get-WinEvent -LogName Application -MaxEvents 20 |
Where-Object Source -eq 'AuthnullDCSensor' |
Select-Object TimeCreated, Message | Format-List
Look for these lines — they confirm the sensor is active:
Authnull DC Sensor started (mode=monitor, fallback=allow)
Security Event Log monitor active — watching 6 event IDs
Step 5 — Confirm in the Dashboard
Go back to the Authnull dashboard → Active Directory → Agentless AD.
Your DC should appear as Connected within 30 seconds of the service starting. If it shows as Pending after a minute, refer to the Troubleshooting guide.
Step 6 — Test in Monitor Mode
Your sensor starts in monitor mode by default — it detects and logs authentication events without blocking any logins. This lets you verify coverage before enforcing.
Log in to any domain-joined machine using an AD account. In the Authnull dashboard you should see the authentication event appear under Active Directory → Recent Activity, along with the MFA result.
Once you're satisfied with the coverage, go to Active Directory → Agentless AD → Settings and switch the mode to Enforce.
Upgrading
sc.exe stop AuthnullDCSensor
# Replace AuthnullDCSensor.exe with the new binary
sc.exe start AuthnullDCSensor
Your sensor.yml does not need to change unless the dashboard prompts you to re-download it.
Uninstalling
sc.exe stop AuthnullDCSensor
sc.exe delete AuthnullDCSensor
Remove the files:
Remove-Item -Recurse "C:\Program Files\Authnull\AgentlessAD"
Remove-Item -Recurse "C:\ProgramData\Authnull"
Uninstalling has no impact on Active Directory — no residual configuration is left behind.