Active Directory Scanner

If your organization uses Microsoft Active Directory (AD), you can import users, groups, Organizational units (OUs) and computers from multiple AD domains into the Endpoint Security Management Server. After the objects have been imported, you can assign policies.

When you first log in to SmartEndpoint, the Users and Computers tree is empty. To populate the tree with users from the Active Directory, you must configure the Directory Scanner.

The Directory Scanner scans the defined Active Directory and fills the Directories node in the Users and Computers tab, copying the existing Active Directory structure to the server database. For this to succeed, the user account related to each Directory Scanner instance requires read permissions to:

• The Active Directory path to be scanned.
• The deleted objects container.

  An object deleted from the Active Directory is not immediately erased but moved to the Deleted Objects container. Comparing objects in the AD with those in the Deleted objects container gives a clear picture of network resources (computers, servers, users, groups) that have changed since the last scan.

Note - When using multi-domain scanning, you must configure an Active Directory instance for each domain. A Directory Scanner instance has its own account, configured according to the requirements stated above.

Configuring a Directory Scanner Instance

A scanner instance defines which path of the Active Directory will be scanned and the scan frequency. One scanner instance can include the full Active Directory. You can configure multiple scanner instances to scan different domains or different OUs in the same domain.

Do not create a scanner instance for an OU that is already included in a different scan. If you try to create a scan that conflicts with a different scan, an error message shows.

If the domains use DNS servers, make sure that:

• The DNS server is configured on the Endpoint Security Management Server.
• The DNS server can supply a list of domain controllers in its domain. We recommend that you configure the DNS server to supply a list of the domain controllers for all domains that the Directory Scanner will scan.

To create a scanner instance:

1. In SmartEndpoint, open the Deployment tab > Organization Scanners.
2. Click Add Directory Scanner.
3. In the Active Directory Scanner Settings window:
   • Domain Name - Enter the Domain Name in FQDN format, for example, mycompany.com.
   • Username and Password - Enter the Username and Password of an administrator. The administrator must have read permissions to the scan path and the deleted objects container.
   • @ -The UPN suffix for the administrator is filled in automatically. Change it if it is different than the FQDN.
   • LDAP Path - The LDAP Path is filled in automatically if the domain controller was resolved by the DNS server. Click the browse button to select an OU. If you do not select an OU, the full domain is scanned.
4. In the Advanced area:
   • Domain Controller - Select a Domain Controller. If the domain has DNS, this is filled in automatically.
   • Connection - Choose the type of connection for the Directory Scanner communication.
     • GSS Enabled - Uses DNS to create Kerberos ticket requests. If DNS is not configured correctly on the Endpoint Security Management Server, the connection is not successful.
     • SSL Enabled - Uses SSL Tunneling. You must have an SSL certificate installed on the Domain Controller.
   • Port - The port over which the scan occurs.
   • Scan Interval - The Endpoint Security Management Server sends a request to the Domain Controller to see if changes were made to the domain. If changes were made, the Directory Scanner synchronizes Endpoint Security nodes in the Users and Computers tree with nodes in the Active Directory. The Scan Interval is the time, in minutes, between the requests.
5. Click OK.

   The scan shows in the Organization Scanner window.

Note - Scanning the Active Directory takes time. AD objects show in the sequence they are discovered.

The Organization Scanners Page

In the Deployment tab > Organization Scanners page, you can see all configured scans and their statuses. You can also do these operations:

• Add Directory Scan - Configure a scan of an Active Directory domain or OU.
• Edit - Edit a configured scan.
• Remove - Remove a scan from the list. It will not occur again.
• Rescan - Run a selected scan on demand.
• Start/Stop - Click the start or stop icon to start or stop a scan.
• Smart Card certificate scanning setting > Configure - Configure if all user certificates are scanned for Smart Card information during a scanner instance, or only those with the Smart Card Logon OID.

Directory Synchronization

At the specified interval of a scanner instance, the Directory Scanner synchronizes Endpoint Security nodes in the Users and Computers tree with nodes in the Active Directory. When synchronization occurs:

• New Active Directory objects are added to Endpoint Security and inherit a policy according to the Endpoint Security policy assignment.
• Deleted users are removed from the Users and Computers tree, but only if they had no encrypted removable media devices. Deleted users with encrypted removable media devices move to the Deleted Users/Computers folder. The user no longer exists in the Active Directory, but the server keeps the encryption keys for possible recovery.

  You can delete these users manually using SmartEndpoint.

• Computers deleted from the Active Directory that do not have Endpoint Security are deleted from Users and Computers.
• Computers deleted from the Active Directory that do have Endpoint Security move to the Deleted Users/Computers folder because they might require recovery. You can delete these computers manually from the Management Console.
• Objects updated in the Active Directory are also updated on the server.
• Unchanged records stay unchanged.