What are the default Active Directory elements that are imported by FlexNet Manager Suite when using the out of the box importer?
When using the default Active Directory import with FlexNet Manager Suite, what are the elements that are imported and used?
The following user information is imported from Active Directory:
In addition the following infrastructure information is imported:
The default Active Directory import will not import information such as the user's manager, location etc. Properties such as these can be imported using a business adapter.
on Jan 30, 2019 02:36 AM - edited on Aug 28, 2022 11:42 PM by ChrisG
Hi,
Is it possible to add new elements in the standard Active Directory import because we would have the status about user and computer objects imported from AD to see it in FNMS?
Reason:
Compare only active computer from AD vs. computer from Inventory
Compare only active user from AD vs. FNMS operators who are active in FNMS
THX for some feedback ....
@heiko_fuchs2 - You can bring in additional attributes from Active Directory with a Business Adapter that connects to AD and extracts the additional attributes with an LDAP query. For example, the user 'Status' from AD can be imported with a Business Adapter to match to existing Users in FNMS to update the user 'Status'.
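The active-versus-inventory comparison asked for above depends on the `userAccountControl` attribute, whose `ACCOUNTDISABLE` bit (0x2) marks a disabled AD account. The sketch below is an added example, not code from this thread or from Flexera: the LDAP filters and attribute names are standard Active Directory ones, while the computer names and inventory list are constructed sample data, and wiring the filter into a Business Adapter is not shown.

```python
# Added example: reconcile enabled AD computer objects with inventory names.
ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on disabled accounts

# Filters using the LDAP bitwise-AND matching rule to skip disabled objects.
ACTIVE_USERS_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
ACTIVE_COMPUTERS_FILTER = ("(&(objectCategory=computer)"
                           "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

def is_enabled(entry):
    """True when the ACCOUNTDISABLE bit is clear (works for users and computers)."""
    return (int(entry["userAccountControl"]) & ACCOUNTDISABLE) == 0

def computer_name(entry):
    """Computer sAMAccountName values end in '$'; compare case-insensitively."""
    return entry["sAMAccountName"].rstrip("$").lower()

def reconcile(ad_computers, inventory_names):
    """Split the estate into the three lists worth reviewing."""
    inventory = {name.lower() for name in inventory_names}
    enabled = {computer_name(e) for e in ad_computers if is_enabled(e)}
    disabled = {computer_name(e) for e in ad_computers if not is_enabled(e)}
    return {
        # enabled in AD but no agent has reported: an inventory coverage gap
        "enabled_without_inventory": sorted(enabled - inventory),
        # still inventoried although the AD object is disabled: stale device
        "inventory_disabled_in_ad": sorted(inventory & disabled),
        # inventoried but unknown to this AD domain
        "inventory_not_in_ad": sorted(inventory - enabled - disabled),
    }

# Constructed sample data (4096 = enabled workstation, 4098 = disabled one).
SAMPLE_AD = [
    {"sAMAccountName": "WS-001$", "userAccountControl": "4096"},
    {"sAMAccountName": "WS-002$", "userAccountControl": "4098"},
    {"sAMAccountName": "SRV-DB01$", "userAccountControl": "4096"},
    {"sAMAccountName": "WS-003$", "userAccountControl": "4096"},
]
SAMPLE_INVENTORY = ["ws-001", "WS-002", "KIOSK-9"]

if __name__ == "__main__":
    for bucket, names in reconcile(SAMPLE_AD, SAMPLE_INVENTORY).items():
        print(bucket, names)
```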
@kclausen where is the computer information extracted from AD used within FNMS?
As per my understanding, the inventory tab only shows the information collected from agents from multiple sources FNMS, SCCM,.....
@kclausen I could not find ComplianceInventory in our DB. Would you please help me to navigate to find the DB?
Also, will any of this information extracted from AD be considered for inventory reconciliation or license reconciliations?
@raghuvaran_ram - The database name should be something like "FNMSInventory".
Information extracted from AD is not used in any license reconciliation activity as AD does not provide any details around Hardware or Software Inventory. You need agent-inventory for that to work (SCCM, BigFix, FNMS Agent, etc.)
@kclausen it will also not have any impact on the inventory (device) collected from an agent, is that right? In our estate the primary input is from SCCM and FNMS agent, so any new asset that is not part of these 2 agents will not be added to the inventory and it will not show up in the UI?
@raghuvaran_ram - You are correct. Until a computer receives the SCCM or the FNMS Agent, they will not appear within FlexNet Manager as an inventory device.
Hi, I have a quick question here,
Question 1: What is the purpose of computer data being imported into FNMS from AD? And again, AD data should be in FNMSCompliance DB, right? FNMSInventory should be for the Inventory data coming over Agents.
Question 2: Is there any configuration in FNMS so that if data (Computer) in SCCM is removed after some time, the same records in FNMS will be deleted?
Thanks in Advance,
Srikanth Mallampati
@srikanth_m - a key reason that computer details are imported from Active Directory is so that FlexNet Manager Suite can automatically delete old inventory data associated with any computer that is deleted/disabled in Active Directory.
Similarly, if a computer is deleted from an SCCM database that FlexNet Manager Suite is importing from then those computer details will be deleted from FlexNet Manager Suite as part of the next import process.
Hi,
The default SCCM importer will also only import the information referenced above and can also be customised to bring in additional attributes if required.
- What exactly do you mean by this statement? Are you saying that SCCM imports default user information into FNMS along with the Inventory information apart from AD? If yes, what other sources can import User information into FNMS, and what unique parameter do all those imports look at while creating a new user if not already present? How can we remove the duplicate users if already created, and how can we make sure duplicates won't be created in future? How can we check in the UI or backend (SQL) from which source a User was created?
Thanks in Advance!
Regards,
Srikanth,
@srikanth_m - yes: the default integration with SCCM imports user name, domain and SAM account name details for users that have been discovered by SCCM. This data is sourced from the user_disc table in the SCCM database. Other inventory sources also have user information which may be imported, although the details of what is available will vary by source.
Generally you shouldn't end up with duplicate user records if you import data from multiple sources and key properties on the user records match. However, if you are importing from multiple sources that logically contain data about the same user, but key properties for the user don't match, then you could end up with records that are logically duplicates of each other. For example, maybe one source identifies users by SAM account name and other sources identify them by email address - when importing the data the system wouldn't be able to match up the two data sets. In that situation you may need to review where you are getting user data from and ensure the sources can provide data that can be matched up to each other.
@winvarma - This cannot be changed.
Besides, even if you are only focused on the Data Center you have user-based licensing that must be tracked. For example, for Microsoft MSDN if there is a dedicated DEV server, you need to assign that server to an MSDN user so that the software installed is consumed against the MSDN license.
You also have CALs and other user-based access licensing that requires User Accounts to calculate license consumption.
Hi @kclausen ,
What if the customer doesn't have any user-based licensing products in the Data Center that require user data to be populated from AD? What is the use of importing user details from AD, and what functionality or feature will be missing if we somehow restrict the user data so it does not get populated in Flexera? The customer security team is very keen on what value and benefit is actually being added where there is no dependency on the users imported from AD and the authentication is via SSO.
We have a tough situation on why we can't restrict the user data when there is no use.
Your customer does not have Microsoft 365, Adobe Cloud, MSDN?
Many server products are licensed based on User access instead of processors/cores - such as Microsoft CALs or DB2 Authorized Users.
Even when using SSO, User data is needed to create "Accounts" within FNMS/ITAM that you assign Security Roles to. Those User Accounts would be tied back to the AD Accounts within SSO.
@dsalter - if a user record has been created in FlexNet Manager Suite only based on data imported from AD, then if/when the user is deleted or disabled in AD then it will typically be deleted from FlexNet Manager Suite too.
You may come across various situations where deletion won't happen however. For example, if the user record has also been imported from another source (such as SCCM) in addition to AD, then it will also need to be deleted from that source too before it will disappear from FlexNet Manager Suite.
@ChrisG What happens when importing from Microsoft or other publisher software usage for compliance, is it deleted or kept in the FNMSCompliance database?
@didiercottereau in the Microsoft365 case, the primary key for users is the email address. If an AD user record also has the email address added, then the 365 user info is merged with that AD record.
If the AD record with the email address is deleted from AD and FNMS, then the incoming user record from M365 will create a new record. Super annoying!
Again to Chris' last point, delete from the source and it will go away.
It's not uncommon across customers that the offboarding processes for users aren't as streamlined as the onboarding. Seeing these types of anomalies is a good indication of that issue, hence it's good to engage your security team to mandate to other platform teams to clean up user records in their systems.
j
@dsalter - two examples of situations that come to mind where there is no process built in that would automatically delete a user record (so the records would remain in the system indefinitely) are:
Hi @kclausen,
I'm getting two records of a user with the same Account name and it is not merging based on the combination of Domain name and Account name.
When I checked history, it is showing both records are for the same person and the name got changed.
Ex: Account name Domain name
Abhishek xy.companies
Abhishek xz.companies
Questions:
1. Why is it creating this duplicate record?
2. How can it be stopped?
Thank you
@abhishekg116, I have seen instances of FlexNet Manager Suite on premises where there are two user records with the same domain\username. Looking through the database, some of the users were created from a connection that no longer existed; in the ComplianceUserConnection table the ComplianceConnectionID for the associated User record was a value that no longer existed in the ComplianceConnection table.
These 'orphaned' users were just hanging around causing all sorts of issues. My solution was to delete all user records where the ComplianceConnectionID no longer existed.
If your implementation is FlexeraOne then you won't have access to the database, but I believe you could request some queries to be run to see exactly where those records are originating from.
The cause might not be this, but it could lead to understanding why they are not merging.
I hope that helps.
j
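A read-only way to find the dangling references described in the post above, written as an added example rather than code from the thread or from Flexera. The two table names and `ComplianceConnectionID` come from the post; the `ComplianceUserID` and `ConnectionName` columns and every row are assumptions, built in an in-memory SQLite database so the query runs offline.

```python
import sqlite3

# Table names and ComplianceConnectionID come from the post above; the
# ComplianceUserID and ConnectionName columns and all rows are assumptions.
SCHEMA_AND_ROWS = """
CREATE TABLE ComplianceConnection (
    ComplianceConnectionID INTEGER PRIMARY KEY, ConnectionName TEXT);
CREATE TABLE ComplianceUserConnection (
    ComplianceUserID INTEGER, ComplianceConnectionID INTEGER);
INSERT INTO ComplianceConnection VALUES (1, 'Active Directory'), (2, 'SCCM');
-- connection 7 was removed, but three user links still point at it
INSERT INTO ComplianceUserConnection VALUES
    (101, 1), (102, 7), (103, 2), (103, 7), (104, 7);
"""

# Read-only report; CASE keeps the statement valid on SQL Server as well.
ORPHAN_REPORT_SQL = """
SELECT uc.ComplianceUserID,
       SUM(CASE WHEN c.ComplianceConnectionID IS NULL THEN 1 ELSE 0 END),
       COUNT(*)
FROM ComplianceUserConnection AS uc
LEFT JOIN ComplianceConnection AS c
       ON c.ComplianceConnectionID = uc.ComplianceConnectionID
GROUP BY uc.ComplianceUserID
HAVING SUM(CASE WHEN c.ComplianceConnectionID IS NULL THEN 1 ELSE 0 END) > 0
ORDER BY uc.ComplianceUserID
"""

def sample_db():
    """Build the constructed in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA_AND_ROWS)
    return db

def orphan_report(db):
    """Return (user_id, orphaned_links, total_links) per affected user."""
    return db.execute(ORPHAN_REPORT_SQL).fetchall()

def only_orphaned(report):
    """Users whose every source link is dangling (no live connection left)."""
    return [user for user, orphaned, total in report if orphaned == total]

if __name__ == "__main__":
    report = orphan_report(sample_db())
    print(report)                 # users with at least one dangling link
    print(only_orphaned(report))  # users with no live source at all
```

Users that still have a live link alongside a dangling one (103 in the sample) are reported separately from users with no live source, since only the latter match the "orphaned" case the post describes.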
Hi ChrisG
You mentioned that " if a user record has been created in FlexNet Manager Suite only based data imported from AD, then if/when the user is deleted or disabled in AD then it will typically be deleted from FlexNet Manager Suite too.".
How can I disable the delete on the user with deleted/disabled status in AD? We want to keep those users in FNMS.
@Woo_Lam - I don't know of any easy way to stop this behavior from occurring: it is built in and not configurable.
If you think being able to configure this behavior to not happen would be useful, you may want to consider logging an idea in Flexera Ideas so that people can vote for it and the Flexera Product Managers can assess the level of interest.
Hi Chris and community,
I am a new user to Flexera but have many years of experience with other tools and the ITAM space. I am trying to understand the logic behind the removing of a user when they are removed from AD automatically. I am going through the attributes you can set on PO, Hardware Asset, Contract, License Allocations and, I am sure, other places. You can set multiple users (Ownership, Responsible) on those screens. As I am seeing it, those look-ups are pulling from the user record that AD created. If you choose the user and the user is removed from AD, you lose those values. You don't know who had it and how to recover HW when they leave. It would seem like lots of orphan records with no contact info. I could see a design where the AD import sets the User record to Inactive or something like that, but just removing the User record seems to go against asset tracking 101 for ITAM.
Am I missing something larger for how Flexera is designed or how we are to use it?
Thanks,
-Scott
@ScottB - I don't think you're missing anything. The current behavior is how the process has been designed and implemented, but as you have described there are other reasonable approaches that could be considered for dealing with these scenarios too. That's why I suggested in the previous comment on this article that somebody might like to log an idea in Flexera Ideas related to this if you have use cases that aren't covered well.