Managing Active Directory Scanners

If your organization uses Microsoft Active Directory (AD), you can import users, groups, organizational units (OUs) and computers from multiple AD domains into the Endpoint Security Management Server. After the objects are imported, you can assign policies to them.

When you first log in to SandBlast Agent, the AD tree is empty. To populate the tree with computers from the Active Directory, you must configure the Directory Scanner.

The Directory Scanner scans the defined Active Directory and fills the AD table in the Computer Management tab, copying the existing Active Directory structure to the server database.

SandBlast Agent supports the use of multiple AD scanners per Active Directory domain, and multiple domains per service.

Required Permissions to Active Directory:

For the scan to succeed, the user account used by each Directory Scanner instance requires full read permissions to the items below. Read access is all the scanner needs, so use a dedicated account that holds only these permissions rather than an administrative one:

  • The Active Directory root.

  • All child containers and objects.

  • The deleted objects container.

An object deleted from the Active Directory is not immediately erased but moved to the Deleted Objects container.

Comparing objects in the AD with those in the Deleted objects container gives a clear picture of network resources (computers, servers, users, groups) that have changed since the last scan.

The Active Directory Scanner does not scan Groups of type "Distribution".

Organization Distributed Scan

Organization Distributed Scan is enabled by default. You can see its configured settings in the Endpoint Settings view > AD Scanners.

Each Endpoint client sends its own Active Directory path to the Security Management Server.

By default, each Endpoint client sends its path every 120 minutes. With this method, only devices that have SandBlast Agent installed report their paths; other devices do not report any information, so the AD tree only contains computers that already run the client.

Full Active Directory Sync

In the Full Active Directory Sync, one Endpoint client is defined as the Active Directory scanner; it collects the directory information and sends it to the Security Management Server.

To configure the AD scanner:

  1. In the Computer Management view, click Create Directory Scanner.

    The Scanner window opens.

  2. Fill in this information:
    1. Computer name - Select the computer that will act as your AD scanner.

    2. AD Login Details - Enter the user name and password of the account the scanner uses to read the Active Directory (the account with the read permissions listed above).

    3. Domain controller - Enter the name of the Domain Controller and the port for the scan. The port must match the SSL setting in the next step: by default LDAP over SSL uses port 636 and plain LDAP uses port 389.

    4. Use SSL communication (recommended) - Select this checkbox if you want the connection between the AD scanner and the Domain Controller to be over SSL. Without it, the LDAP session between the scanner and the Domain Controller, including the directory contents it returns, crosses the network unencrypted.

    5. LDAP path - The address of the scanned directory server.

    6. Sync AD every - Select the interval at which the scan is performed.
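The permissions list above and the scanner settings in this procedure can both be verified before you save the scanner. The following PowerShell check is an added example, not code from the Check Point documentation or product: it speaks LDAP directly through .NET's System.DirectoryServices.Protocols, so it exercises the same path a scanner takes (a user name and password bind to the Domain Controller port, optionally over SSL, followed by subtree reads), and reports what the account can see in the domain root, how many distribution groups would be skipped, and whether the Deleted Objects container is readable. The Domain Controller name, the account name and the default ports are assumptions for illustration.

```powershell
# Added example: pre-flight check for a Directory Scanner account (not part of the product).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-DirectoryScannerAccess {
    param(
        [Parameter(Mandatory)] [string] $Server,            # DC name as typed into the scanner, e.g. dc01.corp.example (assumed)
        [Parameter(Mandatory)] [pscredential] $Credential,  # the scanner's AD login, e.g. CORP\svc-adscan (assumed)
        [bool] $UseSsl = $true,
        [int]  $Port = 0                                    # 0 = 636 with SSL (LDAPS), 389 without
    )
    if ($Port -eq 0) { $Port = if ($UseSsl) { 636 } else { 389 } }
    if (-not $UseSsl) { Write-Warning 'Simple bind without SSL sends the scanner password in cleartext.' }

    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $Credential.GetNetworkCredential(),
                [System.DirectoryServices.Protocols.AuthType]::Basic)   # Basic = LDAP simple bind (user name + password)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    $conn.Bind()   # throws LdapException on bad credentials or an untrusted LDAPS certificate

    # Paged search that returns how many entries the account can see under $Base.
    # AD returns at most MaxPageSize (1000 by default) entries without paging, so a scanner must page as well.
    function Measure-Visible([string]$Base, [string]$Filter, $Scope, $ExtraControl) {
        $count = 0
        $page  = [System.DirectoryServices.Protocols.PageResultRequestControl]::new(500)
        do {
            $req = [System.DirectoryServices.Protocols.SearchRequest]::new($Base, $Filter, $Scope, [string[]]@('distinguishedName'))
            [void]$req.Controls.Add($page)
            if ($ExtraControl) { [void]$req.Controls.Add($ExtraControl) }
            $resp   = $conn.SendRequest($req)
            $count += $resp.Entries.Count
            $page.Cookie = ($resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
        } while ($page.Cookie -and $page.Cookie.Length -gt 0)
        return $count
    }

    try {
        # RootDSE gives the domain naming context, i.e. the "Active Directory root" the scanner must read.
        $rootDse = [System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)',
                       [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('defaultNamingContext'))
        $nc  = $conn.SendRequest($rootDse).Entries[0].Attributes['defaultNamingContext'][0]
        $sub = [System.DirectoryServices.Protocols.SearchScope]::Subtree

        # groupType bit 0x80000000 (2147483648) marks a security group; distribution groups have it clear
        # and the scanner does not import them, so they are counted only to show what will be skipped.
        $secFilter  = '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
        $distFilter = '(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))'
        $result = [ordered]@{
            Server                    = "${Server}:${Port} (SSL=$UseSsl)"
            DomainRoot                = $nc
            ComputersVisible          = (Measure-Visible $nc '(objectClass=computer)' $sub $null)
            UsersVisible              = (Measure-Visible $nc '(&(objectClass=user)(objectCategory=person))' $sub $null)
            SecurityGroupsVisible     = (Measure-Visible $nc $secFilter $sub $null)
            DistributionGroupsSkipped = (Measure-Visible $nc $distFilter $sub $null)
            DeletedObjectsReadable    = $false
            DeletedObjects            = 0
        }

        # Tombstones live under CN=Deleted Objects and are returned only with the LDAP_SERVER_SHOW_DELETED control.
        # By default only Domain Admins and SYSTEM may list that container; any other account gets noSuchObject.
        try {
            $one  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
            $show = [System.DirectoryServices.Protocols.ShowDeletedControl]::new()
            $result.DeletedObjects         = Measure-Visible "CN=Deleted Objects,$nc" '(isDeleted=TRUE)' $one $show
            $result.DeletedObjectsReadable = $true
        } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
            Write-Warning "Cannot list CN=Deleted Objects as $($Credential.UserName): $($_.Exception.Message)"
        }
        return [pscustomobject]$result
    } finally {
        $conn.Dispose()
    }
}

# Usage (interactive): prompt for the scanner account, then run the check against the DC you plan to enter.
# $cred = Get-Credential 'CORP\svc-adscan'
# Test-DirectoryScannerAccess -Server dc01.corp.example -Credential $cred | Format-List
```

If DeletedObjectsReadable comes back false for an otherwise working account, grant the account List Contents and Read Property on the container (for example with dsacls on "CN=Deleted Objects,<domain DN>", using /takeownership first and then /G DOMAIN\account:LCRP); do not work around it by making the scanner a Domain Admin. If the bind fails with SSL enabled, the Domain Controller is usually missing a server certificate that the scanner computer trusts; fix the certificate rather than falling back to plain LDAP.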

When you create a new AD scanner, the Organization Distributed Scan is automatically disabled.

To see information on your activated AD scanners, go to the Endpoint Settings view.

Note - You can also reach the scanner configuration form through the Endpoint Settings view > Setup full Active Directory sync.