Flexera beginner

Inventory beacon collecting active directory data without any LDAP integration


Hi Team, We have recently deployed FNMS and integrated the same with SCCM and vCenter. Now when we are trying to create accounts for different users in FNMS and searching user id in the create account page, we are seeing all the Active Directory users are available for selection and we can log in to FNMS using AD credentials. We didn't integrate any domain controller with the beacon server, so how is Active Directory data still coming into FNMS?

Also we can see by default some Active Directory schedule import is running in the beacon server where the domain controller is showing as current domain with no user id/password. The account which we have used for beacon configuration shouldn't have access in the domain controller.

Thanks

Suman


Accepted Solutions
Frequent contributor

Re: Inventory beacon collecting active directory data without any LDAP integration


Hi Suman,

The AD queries that the beacon makes don't require privileged credentials to execute. Any domain user can normally run the same queries to "read" the same level of info the beacon collects. So, by default a standard install of the beacon will be primed to collect AD data from the domain it is connected to. If you don't want the beacon to collect AD data it would be best to remove the task, or make sure there is no active schedule for it.

-Murray
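
A quick way to check both points from this answer on the beacon server, as an added example that is not part of the original thread or of Flexera's tooling: it shows which account the beacon service runs as and whether a plain, unprivileged directory read succeeds. The `*Beacon Engine*` display-name filter is an assumption based on the service name mentioned in this thread.

```powershell
# Added example, not Flexera code. The display-name pattern is an assumption.
$serviceNamePattern = '*Beacon Engine*'

# 1. Which identity does the beacon service run as?
#    Note: LocalSystem on a domain-joined host authenticates to the network
#    as the computer account (HOSTNAME$), which is itself a domain principal.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $serviceNamePattern } |
    Select-Object Name, DisplayName, StartName, State |
    Format-Table -AutoSize

# 2. Is this host a domain member at all?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
'Domain joined: {0} (domain: {1})' -f $cs.PartOfDomain, $cs.Domain

# 3. Can the CURRENT identity read user objects with no explicit credentials?
#    An empty search root means "the domain of the current security context",
#    which is the same idea as a connection with no user id/password set.
if ($cs.PartOfDomain) {
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user))'
    $searcher.SizeLimit = 5                       # small sample only
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    try {
        $results = $searcher.FindAll()
        'Read test as {0}: {1} user object(s) returned' -f `
            [Security.Principal.WindowsIdentity]::GetCurrent().Name, $results.Count
        foreach ($r in $results) {
            '  ' + $r.Properties['samaccountname'][0]
        }
        $results.Dispose()
    }
    catch {
        'Read test failed: {0}' -f $_.Exception.Message
    }
    finally {
        $searcher.Dispose()
    }
}
else {
    'Host is not domain joined; no default domain to query.'
}
```

Step 3 runs as whoever launches the script, so run it in a session under the account shown in `StartName` to see what the service itself can read.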

Flexera beginner

Re: Inventory beacon collecting active directory data without any LDAP integration


Hi Murray, Thanks for your quick response. As you mentioned that a domain user can make normal queries in AD without any specific credential, along with that port 389 was already open from beacon to AD server and that's why the beacon started collecting data. In other products we had to explicitly configure these details to fetch AD info. That's why I was wondering how Active Directory data is getting synced automatically.

Thanks

Suman

Intrepid explorer

Re: Inventory beacon collecting active directory data without any LDAP integration


Hi Suman,

After installation, there is a default Active Directory connection configured in the Beacon UI. However, there are a number of prerequisites for any Beacon for collecting data from Active Directory:

  • The default AD connection on the Beacon is configured for "Current domain", which is an invalid Windows domain name. It needs to be updated manually to a valid domain name.
  • There is no user account configured for the default AD connection. This means the Beacon will use the Windows user account that the "Beacon Engine" Windows service is running under. In case you did not change this account manually, the Beacon service will be running using the local Windows SYSTEM user account. This account has no access to any Windows domain by default.
  • The default AD connection is not running on a schedule. You have to trigger it manually by selecting it and using the "Execute Now" button, or manually reconfigure it to run on a schedule.

Since you apparently did import data from SCCM successfully, could it potentially be that users have been imported from SCCM?

Flexera beginner

Re: Inventory beacon collecting active directory data without any LDAP integration


Hi Elindeman,

Thanks for your response.

We have not configured any valid domain name and it's running with "Current domain". Even the connection is running on a schedule and importing Active Directory data. Please refer to the attached screenshot.

Regarding SCCM import, I believe only asset users can be imported through this integration. Here I am able to log in to FNMS using these AD credentials, which is not possible if it's not connected to AD.

Thanks

Suman
