LDAP command used when the beacon runs an active directory import

Synopsis

The FNMS beacon calls ActiveDirectoryImport.exe, which queries AD through a Windows system API. It first obtains a list of all organizational units (OUs). The search it then runs against each OU to obtain that OU's users is:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The clause "userAccountControl:1.2.840.113556.1.4.803:=2" uses the LDAP_MATCHING_RULE_BIT_AND rule; bit 2 of userAccountControl is ACCOUNTDISABLE, so disabled accounts are excluded by the query itself rather than by a later check. The attributes requested for each result are "cn", "distinguishedName", "sAMAccountName", "mail", "objectGUID", "objectSid" and "userAccountControl".

It then checks that each record has at least a cn, a distinguishedName and a userAccountControl value. It also checks that the object is not a replication name conflict by ensuring that the distinguishedName does not contain "CNF:" (AD renames the losing object of a naming collision by appending CNF:<objectGUID> to its RDN).

Finally, it checks that the user is not a duplicate and not a trust account, and that it is a normal account.

Discussion

The following checks can be made for users that are missing from a .actdir file:

1. Is the OU containing the user being reported? If not, none of the users in that OU will be reported.
2. Are the missing users non-normal accounts, trust accounts or duplicate accounts?
3. If the OU is missing, that can be investigated further.
Comments

Is this information correct for a later version like 2018 R1? I don't understand the role the OU has in the import since I have not configured anything in FNMS to select an OU to use for Active Directory imports.

This article describes the query used to retrieve user information. A more complete set of LDAP queries used is as follows:

Queries to retrieve the following organizational structure properties: distinguishedName, objectGUID, gPOptions

(|(objectCategory=organizationalUnit)(objectCategory=container)(objectCategory=msExchConfigurationContainer)(objectCategory=lostAndFound))

(objectCategory=builtinDomain)

Query to retrieve the following user properties: cn, distinguishedName, sAMAccountName, mail, objectGUID, objectSid, userAccountControl

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Query to retrieve the following computer properties: cn, distinguishedName, objectGUID, objectSid

(&(objectCategory=computer)(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Query to retrieve the following group properties: distinguishedName, objectGUID, objectSid, sAMAccountName

(&(objectCategory=group))

Query to retrieve the following site properties: distinguishedName, cn

(objectCategory=site)

Query to retrieve the following subnet properties for each site returned from the previous query: distinguishedName, cn

(&(objectCategory=subnet)(siteObject=...))

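The following PowerShell script is an added example, not Flexera's code and not the beacon's implementation. It reproduces the container and per-OU user queries from the Synopsis and the additional object-type queries listed in the comment above with System.DirectoryServices, then applies the post-query checks the article describes and prints why a returned user would still be dropped, which is the practical way to work through the Discussion checklist. Assumptions the article does not state: the per-container user search uses OneLevel scope, the "normal"/"trust" checks correspond to the usual userAccountControl bits, and "duplicate" means an objectGUID already seen. The "..." in the subnet filter is filled with the DN of each site from the preceding query, as the comment describes.

```powershell
# Added example (not Flexera's code): replay the beacon's AD import queries and report
# why an enabled user would still be left out of the .actdir file.
# Run on a domain-joined host, ideally as the beacon's service account.
# Assumptions not in the article: OneLevel scope per container, the userAccountControl
# bits behind the normal/trust checks, and duplicate detection by objectGUID.
param(
    [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext,
    [string]$ConfigBase = ([ADSI]'LDAP://RootDSE').configurationNamingContext
)

# userAccountControl bits (ADS_USER_FLAG_ENUM); 2 is the bit the article's filter excludes.
$UF_ACCOUNTDISABLE            = 0x0002
$UF_NORMAL_ACCOUNT            = 0x0200
$UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
$UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
$UF_SERVER_TRUST_ACCOUNT      = 0x2000
$UF_ANY_TRUST = $UF_INTERDOMAIN_TRUST_ACCOUNT -bor $UF_WORKSTATION_TRUST_ACCOUNT -bor $UF_SERVER_TRUST_ACCOUNT

function Invoke-LdapQuery {
    param([string]$Base, [string]$Filter, [string[]]$Properties, [string]$Scope = 'Subtree')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Base", $Filter, $Properties)
    $searcher.SearchScope = $Scope
    $searcher.PageSize = 1000          # paged search; otherwise the DC truncates at 1000 entries
    $searcher.FindAll()
}

function Get-PropValue($Entry, [string]$Name) {
    $v = $Entry.Properties[$Name]
    if ($v -and $v.Count -gt 0) { $v[0] } else { $null }
}

# The post-query checks the article describes, in the same order; $null means "kept".
function Get-ExclusionReason($Entry, [System.Collections.Generic.HashSet[string]]$SeenGuids) {
    foreach ($required in 'cn', 'distinguishedName', 'userAccountControl') {
        if ($null -eq (Get-PropValue $Entry $required)) { return "missing $required" }
    }
    if ((Get-PropValue $Entry 'distinguishedName') -match 'CNF:') { return 'replication conflict object (CNF: in DN)' }
    $uac = [int](Get-PropValue $Entry 'userAccountControl')
    if ($uac -band $UF_ACCOUNTDISABLE)        { return 'disabled' }            # the filter already drops these
    if ($uac -band $UF_ANY_TRUST)             { return 'trust account (assumed UAC bits)' }
    if (-not ($uac -band $UF_NORMAL_ACCOUNT)) { return 'not a normal account (assumed UAC bit)' }
    $guid = [guid]::new([byte[]](Get-PropValue $Entry 'objectGUID'))
    if (-not $SeenGuids.Add($guid.ToString())) { return 'duplicate objectGUID (assumed check)' }
    return $null
}

# 1. Containers, using the two filters listed in the comment.
$containerFilter = '(|(objectCategory=organizationalUnit)(objectCategory=container)(objectCategory=msExchConfigurationContainer)(objectCategory=lostAndFound))'
$containerProps  = 'distinguishedName', 'objectGUID', 'gPOptions'
$containers = @(Invoke-LdapQuery -Base $SearchBase -Filter $containerFilter -Properties $containerProps) +
              @(Invoke-LdapQuery -Base $SearchBase -Filter '(objectCategory=builtinDomain)' -Properties $containerProps)

# 2. Users per container, with the article's filter and attribute list.
$userFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$userProps  = 'cn', 'distinguishedName', 'sAMAccountName', 'mail', 'objectGUID', 'objectSid', 'userAccountControl'
$seen   = New-Object 'System.Collections.Generic.HashSet[string]'
$report = foreach ($c in $containers) {
    $ouDn = [string](Get-PropValue $c 'distinguishedName')
    foreach ($u in Invoke-LdapQuery -Base $ouDn -Filter $userFilter -Properties $userProps -Scope OneLevel) {
        [pscustomobject]@{
            Container      = $ouDn
            sAMAccountName = [string](Get-PropValue $u 'sAMAccountName')
            Excluded       = Get-ExclusionReason $u $seen
        }
    }
}
"Containers: $($containers.Count); users returned: $($report.Count); kept: $(($report | Where-Object { -not $_.Excluded }).Count)"
$report | Where-Object Excluded | Format-Table -AutoSize

# 3. The other object types from the comment (counts only). Sites and subnets live in the configuration NC.
$computerFilter = '(&(objectCategory=computer)(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
"Computers: $((Invoke-LdapQuery -Base $SearchBase -Filter $computerFilter -Properties 'cn','distinguishedName','objectGUID','objectSid').Count)"
"Groups:    $((Invoke-LdapQuery -Base $SearchBase -Filter '(&(objectCategory=group))' -Properties 'distinguishedName','objectGUID','objectSid','sAMAccountName').Count)"
foreach ($site in Invoke-LdapQuery -Base "CN=Sites,$ConfigBase" -Filter '(objectCategory=site)' -Properties 'distinguishedName','cn') {
    $siteDn  = [string](Get-PropValue $site 'distinguishedName')   # a DN with ( ) * or \ would need RFC 4515 escaping here
    $subnets = Invoke-LdapQuery -Base "CN=Subnets,CN=Sites,$ConfigBase" -Filter "(&(objectCategory=subnet)(siteObject=$siteDn))" -Properties 'distinguishedName','cn'
    "Site $(Get-PropValue $site 'cn'): $($subnets.Count) subnet(s)"
}
```

Two points matter when comparing the output with a .actdir file. First, run the script under the same account the beacon uses: a user whose object the service account cannot read is simply absent from the query results, with no exclusion reason to show. Second, a user absent from both the "users returned" count and the exclusion table is most likely in a container that the first query did not return, which is the first item in the Discussion checklist; a user that appears in the table is being dropped by one of the post-query checks.
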
@ChrisG 
Will this also work after?

https://community.flexera.com/t5/FlexNet-Manager-Forum/March-2020-Updates-from-Microsoft-LDAP-specifically-and-the/m-p/135625/highlight/false#M5267


Version history: revision 1 of 1. Last update: Jun 02, 2018 01:02 PM.