LDAP command used when the beacon runs an active directory import

Synopsis

The FNMS beacon calls ActiveDirectoryImport.exe, which uses a Windows system API to query AD. It first obtains a list of all organizational units (OUs). The search it then runs against each OU to obtain users is:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The attributes requested for each result are "cn", "distinguishedName", "sAMAccountName", "mail", "objectGUID", "objectSid" and "userAccountControl".

It then checks that each record has at least a cn, a distinguishedName and a userAccountControl. It also checks that the object is not a naming conflict by ensuring that the distinguishedName does not contain "CNF:".

Finally, it checks that the user is not a duplicate account or a trust account, and that it is a normal account.

Discussion

The following checks can be made for users that appear to be missing from a .actdir file:

1. Is the OU containing the user being reported? If not, none of the users in that OU will be reported.
   Are the missing users non-normal accounts, trust accounts or duplicate accounts?

2. If the OU is missing, investigate that further.
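As an added example (not the article's text and not the product's code), the following Python reproduces the selection rules described above and reports, for each of a few constructed sample records, the first reason the beacon would drop it. The userAccountControl bit values are the standard Microsoft ones; the record layout and the sample DNs are assumptions.

```python
# Added example (not the article's own code nor ActiveDirectoryImport.exe): a local
# re-implementation of the selection rules above, to show why an account is missing.

# Well-known userAccountControl bit flags (Microsoft-defined values).
ACCOUNTDISABLE = 0x0002
TEMP_DUPLICATE_ACCOUNT = 0x0100
NORMAL_ACCOUNT = 0x0200
TRUST_ACCOUNT = 0x0800 | 0x1000 | 0x2000  # interdomain, workstation, server trust
REQUIRED = ("cn", "distinguishedName", "userAccountControl")

def matches_ldap_filter(rec):
    """Local evaluation of the article's filter. The clause
    userAccountControl:1.2.840.113556.1.4.803:=2 uses the bitwise-AND matching
    rule, so the filter excludes accounts with the ACCOUNTDISABLE bit set."""
    uac = int(rec.get("userAccountControl") or 0)  # absent attribute: clause is false
    return (rec.get("objectCategory") == "person"
            and "user" in rec.get("objectClass", ())
            and not uac & ACCOUNTDISABLE)

def why_excluded(rec):
    """None if the record would be imported, else the first reason it is dropped."""
    if not matches_ldap_filter(rec):
        return "not matched by LDAP filter (not a person/user, or disabled)"
    for attr in REQUIRED:
        if rec.get(attr) is None:
            return f"missing required attribute {attr}"
    if "CNF:" in rec["distinguishedName"]:
        return "replication conflict object (CNF: in distinguishedName)"
    uac = int(rec["userAccountControl"])
    if uac & TEMP_DUPLICATE_ACCOUNT:
        return "duplicate account"
    if uac & TRUST_ACCOUNT:
        return "trust account"
    if not uac & NORMAL_ACCOUNT:
        return "not a normal account"
    return None

def user(cn, uac, dn=None):  # constructed sample record, not from a real domain
    return {"cn": cn, "distinguishedName": dn or f"CN={cn},OU=Staff,DC=example,DC=test",
            "objectCategory": "person", "objectClass": ["top", "person", "user"],
            "userAccountControl": uac}

SAMPLE = [user("alice", 0x200), user("bob", 0x202), user("svc", 0x300),
          user("dup", 0x200, "CN=dup\\0ACNF:00000000-0000-0000-0000-000000000000,OU=Staff,DC=example,DC=test"),
          user("wks", 0x1000)]

def report(records):
    """Map each cn to its exclusion reason (None means the account is imported)."""
    return {r["cn"]: why_excluded(r) for r in records}
```

Calling report(SAMPLE) shows only "alice" imported; the others are dropped as disabled, duplicate, conflict and trust accounts respectively.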