
Synopsis

The FNMS beacon calls ActiveDirectoryImport.exe, which uses a Windows system API to query AD. It first obtains a list of all the organizational units (OUs). The search it then runs against each OU to obtain users is:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

with the query results returned being "cn", "distinguishedName", "sAMAccountName", "mail", "objectGUID", "objectSid", "userAccountControl".

It then checks that each record has at least a cn, distinguishedName and userAccountControl. It also checks that the name is not a conflict by ensuring that the distinguishedName does not include "CNF:".

Finally, there is a check to make sure that the user is not a duplicate or a trust account and that they are a normal account.

Discussion

The following checks could be made for users that may be missing from a .actdir file:

1. Is the OU for the user being reported? If not, then none of the users in that OU will be reported.
Are the missing users non-normal accounts, trust accounts or duplicate accounts?

2. If the OU is missing, we could investigate that further.
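
The checks from the Synopsis and Discussion can be applied to an exported user record to see why it might be missing. This is an added troubleshooting example, not code from FNMS or ActiveDirectoryImport.exe: the function names, the `reported_ous` list and the mapping of "duplicate", "trust" and "normal" onto specific userAccountControl bits are assumptions, and the sample records are constructed.

```python
import re

# userAccountControl bit values as documented by Microsoft.
ACCOUNTDISABLE = 0x0002
TEMP_DUPLICATE_ACCOUNT = 0x0100
NORMAL_ACCOUNT = 0x0200
TRUST_FLAGS = {
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
}
REQUIRED = ("cn", "distinguishedName", "userAccountControl")


def parent_dn(dn):
    """Return the DN of the parent container (text after the first unescaped comma)."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""


def exclusion_reasons(record, reported_ous):
    """List why a user record would be absent from the import; [] means none found."""
    reasons = [f"missing {a}" for a in REQUIRED if record.get(a) in (None, "")]
    if reasons:
        return reasons
    dn, uac = record["distinguishedName"], int(record["userAccountControl"])
    if parent_dn(dn).lower() not in {ou.lower() for ou in reported_ous}:
        reasons.append("parent OU not reported")
    if "CNF:" in dn:
        reasons.append("conflict object (CNF:)")
    if uac & ACCOUNTDISABLE:  # what the :1.2.840.113556.1.4.803:=2 clause filters out
        reasons.append("disabled")
    if uac & TEMP_DUPLICATE_ACCOUNT:
        reasons.append("duplicate account")
    reasons += [f"trust account ({name})" for bit, name in TRUST_FLAGS.items() if uac & bit]
    if not uac & NORMAL_ACCOUNT:
        reasons.append("not a normal account")
    return reasons


# Constructed sample data (not from a real directory).
OUS = ["OU=Staff,DC=example,DC=com"]
SAMPLES = [
    {"cn": "Ann", "distinguishedName": "CN=Ann,OU=Staff,DC=example,DC=com", "userAccountControl": "512"},
    {"cn": "Bob", "distinguishedName": "CN=Bob,OU=Staff,DC=example,DC=com", "userAccountControl": "514"},
    {"cn": "Cy", "distinguishedName": "CN=Cy\\0ACNF:0f1e,OU=Staff,DC=example,DC=com", "userAccountControl": "512"},
    {"cn": "Dee", "distinguishedName": "CN=Dee,OU=Lab,DC=example,DC=com", "userAccountControl": "4096"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["cn"], exclusion_reasons(rec, OUS) or "no exclusion reason found")
```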
Comments
RobertH (Level 6)

Is this information correct for a later version like 2018 R1? I don't understand the role the OU has in the import since I have not configured anything in FNMS to select an OU to use for Active Directory imports.

ChrisG (Community Manager)

This article describes the query used to retrieve user information. A more complete set of the LDAP queries used is as follows:

Queries to retrieve the following organizational structure properties: distinguishedName, objectGUID, gPOptions

(|(objectCategory=organizationalUnit)(objectCategory=container)(objectCategory=msExchConfigurationContainer)(objectCategory=lostAndFound))

(objectCategory=builtinDomain)

Query to retrieve the following user properties: cn, distinguishedName, sAMAccountName, mail, objectGUID, objectSid, userAccountControl

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Query to retrieve the following computer properties: cn, distinguishedName, objectGUID, objectSid

(&(objectCategory=computer)(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Query to retrieve the following group properties: distinguishedName, objectGUID, objectSid, sAMAccountName

(&(objectCategory=group))

Query to retrieve the following site properties: distinguishedName, cn

(objectCategory=site)

Query to retrieve the following subnet properties for each site returned from the previous query: distinguishedName, cn

(&(objectCategory=subnet)(siteObject=...))

Tooling42 (Level 7)

@ChrisG 
Will this also work after?

https://community.flexera.com/t5/FlexNet-Manager-Forum/March-2020-Updates-from-Microsoft-LDAP-specifically-and-the/m-p/135625/highlight/false#M5267

 

Version history
Last update: Jun 02, 2018 01:02 PM