LDAP command used when the beacon runs an active directory import

The FNMS beacon calls ActiveDirectoryImport.exe, which uses a Windows system API to query AD. It first obtains a list of all the organizational units (OUs). The search then run against each OU to obtain users is:

( &(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)) )

The attributes returned by the query are "cn", "distinguishedName", "sAMAccountName", "mail", "objectGUID", "objectSid" and "userAccountControl".

It then checks that each record has at least a cn, a distinguishedName and a userAccountControl. It also checks that the name is not a conflict by ensuring that the distinguishedName does not include "CNF:".

Finally, there is a check to make sure that the user is not a duplicate or a trust account and that they are a normal account.


The following checks can be made for users that are missing from a .actdir file:

1. Is the OU for the user being reported? If not, then none of the users in that OU will be reported.
   Are the missing users non-normal accounts, trust accounts or duplicate accounts?

2. If the OU is missing, we could investigate that further.
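
To triage users missing from a .actdir file, the checks described in this article can be replayed over exported directory records. The Python sketch below is an added example, not Flexera's code. The mapping of "duplicate", "trust" and "normal" onto userAccountControl bits, the parent-container OU match and the sample records are assumptions.

```python
# Added example. Assumption: "duplicate", "trust" and "normal" map to these
# userAccountControl bits; the article does not name the bits it tests.
ACCOUNTDISABLE = 0x0002          # the bit the filter's :1.2.840.113556.1.4.803:=2 clause tests
TEMP_DUPLICATE_ACCOUNT = 0x0100
NORMAL_ACCOUNT = 0x0200
TRUST_ACCOUNTS = 0x0800 | 0x1000 | 0x2000   # interdomain, workstation, server trust
REQUIRED = ("cn", "distinguishedName", "userAccountControl")

def exclusion_reason(record, reported_ous):
    """Return why a record would be absent from the import, or None if it passes."""
    missing = [a for a in REQUIRED if record.get(a) in (None, "")]
    if missing:
        return "missing attribute: " + ", ".join(missing)
    dn, uac = record["distinguishedName"], int(record["userAccountControl"])
    # Assumption: a user is found only if its immediate parent is a reported OU.
    # Simplified DN handling: does not cope with escaped commas in the first RDN.
    parent = dn.split(",", 1)[1] if "," in dn else ""
    if parent.lower() not in {ou.lower() for ou in reported_ous}:
        return "OU not reported"
    if uac & ACCOUNTDISABLE:
        return "disabled (excluded by the LDAP filter)"
    if "CNF:" in dn:
        return "name conflict (CNF:)"
    if uac & TEMP_DUPLICATE_ACCOUNT:
        return "duplicate account"
    if uac & TRUST_ACCOUNTS:
        return "trust account"
    if not uac & NORMAL_ACCOUNT:
        return "not a normal account"
    return None

def triage(records, reported_ous):
    """Map each record's distinguishedName (or cn) to its exclusion reason."""
    return {r.get("distinguishedName") or r.get("cn"): exclusion_reason(r, reported_ous)
            for r in records}

# Constructed sample data, not taken from a real directory or .actdir file.
BASE = "OU=Staff,DC=example,DC=com"
REPORTED_OUS = [BASE]
SAMPLE = [
    {"cn": "alice", "distinguishedName": "CN=alice," + BASE, "userAccountControl": "512"},
    {"cn": "bob", "distinguishedName": "CN=bob," + BASE, "userAccountControl": "514"},
    {"cn": "carol", "distinguishedName": "CN=carol\\0ACNF:00000000-0000-0000-0000-000000000000," + BASE, "userAccountControl": "512"},
    {"cn": "dave", "distinguishedName": "CN=dave," + BASE, "userAccountControl": "256"},
    {"cn": "PC01", "distinguishedName": "CN=PC01," + BASE, "userAccountControl": "4096"},
    {"cn": "erin", "distinguishedName": "CN=erin,OU=Contractors,DC=example,DC=com", "userAccountControl": "512"},
    {"distinguishedName": "CN=frank," + BASE, "userAccountControl": "512"},
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE, REPORTED_OUS).items():
        print(f"{name}: {reason or 'imported'}")
```
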

Is this information correct for a later version like 2018 R1?  I don't understand the role the OU has in the import since I have not configured anything in FNMS to select an OU to use for Active Directory imports.

This article describes the query used to retrieve user information. A more complete set of LDAP queries used is as follows:

Queries to retrieve the following organizational structure properties: distinguishedName, objectGUID, gPOptions



Query to retrieve the following user properties: cn, distinguishedName, sAMAccountName, mail, objectGUID, objectSid, userAccountControl


Query to retrieve the following computer properties: cn, distinguishedName, objectGUID, objectSid


Query to retrieve the following group properties: distinguishedName, objectGUID, objectSid, sAMAccountName


Query to retrieve the following sites properties: distinguishedName, cn


Query to retrieve the following subnet properties for each site returned from the previous query: distinguishedName, cn


Will this also work after?


Last update: Jun 02, 2018 01:02 PM