Targeting Active Directory DN
For each Active Directory domain or forest, add a target (Manage the system > Resources > Target systems):
Type is Active Directory DN, listed under "Network Operating Systems" in the drop-down list.
Address uses the syntax described in Table 1, “Active Directory DN address configuration”
When listing contacts, Custom LDAP search expression for filtering users should be set to filter contacts.
Administrator ID and Password are the credentials for the target system administrator you configured earlier.
It is recommended that you write the administrator ID in the format:
NETBIOS\userid
or
userid@domain.com
This is required in some cases, including where:
Bravura Security Fabric is installed on a Windows XP workstation
The plugin-winsvc plugin is configured to update service, scheduled task, and IIS directory credentials (Bravura Privilege)
The nrcifs program is configured to manage resources whose access is mediated by membership in Active Directory groups (Bravura Identity)
The List entire forest target address option is specified and Bravura Security Fabric will be acting on objects outside the domain specified in the Domain or domain controller target address option.
Set Program to generate a list of target systems to dcselect to accelerate password replication in Active Directory domains.
By default, all connectors run the Bravura Security Fabric processes on the Bravura Security Fabric server, as the local psadmin account. To enable the target system administrator to run those processes, select the Run as? checkbox.
The full list of target parameters is explained in Target System Options.
Option | Description |
---|---|
Domain or domain controller | The DNS domain name, the domain controller’s FQDN, a custom DNS name to target, or an IP address; for example: globaldomain.example.com, \\mydomaincontroller.example.com, \\mydomaincontroller or \\customdnsname. Use the IP address only if DNS is not resolving; otherwise avoid using the IP address of the domain controller. The DNS domain name or the FQDN should be specified. A custom DNS name should only be used if absolutely necessary. (key: server) |
Connection over SSL | Select to enforce SSL connections. (key: ssl) |
Custom LDAP search expression for filtering users | Restrict user listing by using LDAP search filters. (key: userFilter) |
Custom LDAP search expression for filtering groups | Restrict group listing by using LDAP search filters. (key: groupFilter) |
OUs to list users from | List only those users who exist in one or more containers. (key: listOUs) |
Groups to list users from | List only those users who exist in one or more groups. (key: listGroups) |
OUs to list groups from | List only those groups that exist in one or more containers. (key: listGroupOUs) |
Groups to list member groups from | List only those groups that exist in one or more groups. (key: listGroupGroups) |
OUs to list computers from | List only those computer objects that exist in one or more containers. (key: listComputerOUs) |
Groups to list computers from | List only those computer objects that exist in one or more groups. (key: listComputerGroups) |
OUs to exclude from listing | Exclude certain OUs to further restrict listing. (key: excludeOUs) |
List nested groups | Recursively list all users and computers contained within groups specified by the "Groups to list ..." options. (key: listNestedGrps) |
List members for nested groups | Recursively list users’ group membership for groups contained within groups specified by the Groups to list users from option. (key: listNestedNOSGrps) |
Abort listing when an invalid group is encountered | Return failure when a group list includes an invalid group. (key: listFailOnNonExistentGrp) |
Abort listing when an invalid OU is encountered | Return failure when an OU list includes an invalid OU. (key: listFailOnNonExistentOU) |
When listing group members and managers, list groups as their individual user members | Depending on the version of Bravura Security Fabric you have installed, you may need to list groups and group managers in flattened form if nested groups are not supported. Bravura Security Fabric versions 9.0.1 or earlier do not support nested groups. (key: listFlatGroups) |
List entire forest | List objects outside the domain specified in the Domain or domain controller target address option. (key: listForest) |
Delete users with sub objects | Delete users with leaf objects. In some environments, Active Directory accounts will have a leaf object created, for example Exchange with ActiveSync. By default these users will not be deleted. (key: deleteSubs) |
Create an OU when creating user if it does not already exist | If enabled, when an account is being created and a non-existing OU is specified, the OU will be created instead of giving an error. (key: createOU) |
List deleted users on supported systems | Choose whether to list only regular users (default), only deleted users, or both. Deleted users are listed in NT4 format. Active Directory moves deleted accounts to a "recycle bin". If enabled in Bravura Security Fabric, these accounts are restored. (key: listDeleted) |
Name format | Use NT4 format or fully qualified domain name (FQDN). (key: nameFormat) |
Group Name format | Use NT4 format or fully qualified domain name (FQDN). (key: groupNameFormat) |
Attribute specifying group owners | The attribute name that specifies the owner or list of owners for a group. The default value is managedBy. When set to a single valued attribute such as managedBy, the Target system supports multiple owners on groups target system option should be unchecked. Only one group owner is supported in this case. A multi-valued attribute may also be specified in order to support multiple group owners. In this case, the Target system supports multiple owners on groups target system option should be checked. (key: grpowner_attr) |
Persistent list search wait time (in seconds) | The interval time in seconds that the connector will wait to search for changes in the native target. The default value is 7,200 seconds (2 hours). If this value is set too small for a large native target, the connector may not be able to retrieve changes completely from the native target. Setting the value too small will also impose excess load on related services, which drags down system performance. (key: persistentSearchWait) |
Disable recursive searches of members in domain groups to improve nr performance | Recursively traverse all groups contained within groups when checking permissions in the network resources sub folder operation. Turning this option on is more precise for the checking of permissions, but it has a performance impact. Default is false. (key: nrIsMemberOfDomainGroupRecursive) Note: The option Disable recursive searches of members in domain groups to improve nr performance was added in Connector Pack 4.6.0. |
The Active Directory DN target system address syntax is as follows:
{server=(<DNS domain name> | \\<DC's FQDN or host name>);
 [userFilter=<LDAP search filter>;]
 [grpFilter=<LDAP search filter>;]
 [listOUs={<OU>;<OU>;...};]
 [listGroups={Bravura Group;Bravura Group;...};]
 [listGroupOUs={<OU>;<OU>;...};]
 [listGroupGroups={Bravura Group;Bravura Group;...};]
 [listComputerOUs={<OU>;<OU>;...};]
 [listComputerGroups={Bravura Group;Bravura Group;...};]
 [excludeOUs={<OU>;<OU>;...};]
 [listNestedGrps=<true|false>;]
 [listNestedNOSGrps=<true|false>;]
 [listFlatGroups=<true|false>;]
 [ssl=<true|false>;]
 [listFailOnNonExistentGrp=<true|false>;]
 [listFailOnNonExistentOU=<true|false>;]
 [listForest=<true|false>;]
 [deleteSubs=<true|false>;]
 [listDeleted=NODELETED|ONLYDELETED|BOTH;]
 [nameFormat=<NT4|DN>;]
 [groupNameFormat=<NT4|DN>;]
 [persistentSearchWait=<seconds>;]
 [nrIsMemberOfDomainGroupRecursive=<true|false>;]
}
Note: Options are an intersection of the two when used together.
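A typo in a target address (a misspelled key, `ssl=yes`, an unbalanced list) is only discovered when the connector fails to list, so it is worth checking the string before saving it. The following is an added example, not Bravura's own parser: it splits an address written in the syntax above into its options and rejects values that do not fit the shapes the syntax allows.

```python
# Added example, not Bravura's parser: it splits an Active Directory DN target
# address into its options following the syntax shown above. Key names and
# value shapes come from that syntax; the validation rules are this example's own.
BOOL_KEYS = {"listNestedGrps", "listNestedNOSGrps", "listFlatGroups", "ssl",
             "listFailOnNonExistentGrp", "listFailOnNonExistentOU",
             "listForest", "deleteSubs", "nrIsMemberOfDomainGroupRecursive"}
LIST_KEYS = {"listOUs", "listGroups", "listGroupOUs", "listGroupGroups",
             "listComputerOUs", "listComputerGroups", "excludeOUs"}
ENUM_KEYS = {"listDeleted": {"NODELETED", "ONLYDELETED", "BOTH"},
             "nameFormat": {"NT4", "DN"}, "groupNameFormat": {"NT4", "DN"}}
# The option table names the group filter key groupFilter while the syntax
# line spells it grpFilter, so both spellings are accepted here.
PLAIN_KEYS = {"server", "userFilter", "grpFilter", "groupFilter",
              "persistentSearchWait"}


def split_top_level(text, sep=";"):
    """Split on sep, ignoring separators nested inside {...} list values."""
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "{") - (ch == "}")
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_target_address(address):
    """Return {key: value}; list keys give lists, boolean keys give bool."""
    body = address.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("address must be wrapped in { }")
    options = {}
    for item in split_top_level(body[1:-1]):
        key, _, value = (p.strip() for p in item.partition("="))
        if key in LIST_KEYS:            # {OU;OU;...} -> list of strings
            options[key] = split_top_level(value.strip("{}"))
        elif key in BOOL_KEYS:
            if value not in ("true", "false"):
                raise ValueError(f"{key} must be true or false")
            options[key] = value == "true"
        elif key in ENUM_KEYS:
            if value not in ENUM_KEYS[key]:
                raise ValueError(f"{key} must be one of {sorted(ENUM_KEYS[key])}")
            options[key] = value
        elif key in PLAIN_KEYS:
            options[key] = value
        else:
            raise ValueError(f"unknown option {key!r}")
    if "server" not in options:
        raise ValueError("server is required")
    return options
```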
LDAP search filters
You can restrict user, contact and group listing by using LDAP search filters. On the Target system address configuration page, add a search filter; for example:
Custom LDAP search expression for filtering users
(&(objectCategory=person)(objectClass=user)(sAMAccountType=805306368))
Custom LDAP search expression for filtering contacts
(&(objectCategory=person)(objectClass=contact))
Custom LDAP search expression for filtering both users and contacts
(|(objectClass=user)(objectClass=contact))
Custom LDAP search expression for filtering groups
(&(objectClass=group))
Targeting a specific container or containers
You can restrict Bravura Security Fabric to list only those users, groups and computer objects that exist in one or more named containers; for example, if your Active Directory is divided into organizational units. To do this, on the Target system address configuration page, specify:
OUs to list users from
OUs to list groups from
OUs to list computers from
These fields allow multiple values. To fill in multiple values, select List from the drop-down list box displayed in front of these fields, and use the More button to add additional input boxes when more than one value is given. The value in each input box is treated as a single value, for example:
CN=myusers,DC=example,DC=com
*,OU=Groups,DC=example,DC=com
OU=people,OU=hr,DC=example,DC=com
CN=Computers,OU=it,DC=example,DC=com;CN=Computers,OU=hr,DC=example,DC=com
You can also exclude OUs to further restrict the listing of users. This option will remove all users that match the OU listed. To do this, specify OUs to exclude from listing. When the exclude OUs option and any of the list OUs options are used together, the listing process will list OUs first and then remove objects that match the exclude criteria.
If there are many OUs to list, you can include all OUs in a file. To use the file, select the File option from the drop-down list and specify the file name in the field.
These files must be located in the \<instance>\script\ directory and contain a list of OUs to list or exclude users from. They cannot be combined into one file and must be separate.
For listing users from OUs:
# KVGROUP-V2.0
listOUs = { "OU=people,OU=it,DC=example,DC=com"; "OU=people,OU=hr,DC=example,DC=com"; }
For listing groups from OUs:
# KVGROUP-V2.0
listGroupOUs = { "OU=Groups,OU=it,DC=example,DC=com"; "OU=Groups,OU=hr,DC=example,DC=com"; }
For listing computers from OUs:
# KVGROUP-V2.0
listComputerOUs = { "OU=ComputerOU,OU=it,DC=example,DC=com"; "OU=ComputerOU,OU=hr,DC=example,DC=com"; }
For excluding OUs:
# KVGROUP-V2.0
excludeOUs = { "OU=disabled,OU=it,DC=example,DC=com"; "OU=disabled,OU=hr,DC=example,DC=com"; }
Some default Active Directory OUs require a different notation when listing from them. If the OU is a "Container" type instead of an "Organizational Unit" type, use 'CN' instead of 'OU' before the name. For example, the default Computers and Users OUs are "Container" types. To list from these OUs, the KVGROUP entry would look like "CN=Users,OU=it,DC=example,DC=com";
The connector will not list any OU if an OU file is empty.
By default if an OU list includes invalid OUs the list will return success. You can cause the listing to abort when invalid OUs are detected by setting Abort listing when an invalid OU is encountered.
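The include-then-exclude rule, the CN notation for the default containers, and the empty-file case above are easy to get wrong when preparing these files. This added example (not the connector's own code) reads the KVGROUP-V2.0 files in the format shown, then applies the rule to a constructed set of user DNs; subtree matching below each listed container is this example's assumption.

```python
# Added example, not Bravura's connector code. It reads the KVGROUP-V2.0
# OU files shown above and applies the listing rule the text describes:
# list objects under the listOUs containers first, then drop those under an
# excludeOUs container. The sample files and user DNs below are constructed.
import re

SAMPLE_LIST_OUS = """# KVGROUP-V2.0
listOUs = {
    "OU=people,OU=it,DC=example,DC=com";
    "CN=Users,OU=it,DC=example,DC=com";
}
"""
SAMPLE_EXCLUDE_OUS = """# KVGROUP-V2.0
excludeOUs = {
    "OU=contractors,OU=people,OU=it,DC=example,DC=com";
}
"""
SAMPLE_USERS = [
    "CN=alice,OU=people,OU=it,DC=example,DC=com",
    "CN=bob,OU=contractors,OU=people,OU=it,DC=example,DC=com",
    "CN=carol,CN=Users,OU=it,DC=example,DC=com",      # default Users container
    "CN=dave,OU=people,OU=hr,DC=example,DC=com",       # not in any listed OU
]


def parse_kvgroup(text):
    """Return (key, [values]) from a KVGROUP-V2.0 file; an empty list is allowed,
    because the text says an empty OU file simply lists nothing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "# KVGROUP-V2.0":
        raise ValueError("missing '# KVGROUP-V2.0' header line")
    match = re.fullmatch(r"(\w+)\s*=\s*\{(.*)\}", " ".join(lines[1:]))
    if not match:
        raise ValueError('expected: key = { "value"; ... }')
    return match.group(1), re.findall(r'"([^"]*)"\s*;', match.group(2))


def _rdns(dn):
    # Assumption: no escaped commas in the DNs handled here.
    return [part.strip().lower() for part in dn.split(",")]


def dn_under(dn, container):
    """True if dn sits anywhere below container (subtree match, assumed here)."""
    d, c = _rdns(dn), _rdns(container)
    return len(d) > len(c) and d[-len(c):] == c


def scope_users(user_dns, list_ous, exclude_ous):
    """Apply the include-then-exclude rule; no listOUs means nothing is listed."""
    listed = [dn for dn in user_dns if any(dn_under(dn, ou) for ou in list_ous)]
    return [dn for dn in listed if not any(dn_under(dn, ou) for ou in exclude_ous)]
```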
Targeting groups
You can restrict Bravura Security Fabric to list only those users, groups and computer objects who exist in one or more named groups. To do this, on the Target system address configuration page, specify:
Groups to list users from
Groups to list member groups from
Groups to list computers from
These fields allow multiple values. To fill in multiple values, select List from the drop-down list box displayed in front of these fields, and use the More button to add additional input boxes when more than one value is given. The value in each input box is treated as a single value, for example:
CN=IT,OU=Groups,DC=domain,DC=local
OU=Groups,OU=IT,DC=domain,DC=local
OU=Computers,OU=IT,DC=domain,DC=local
If there are many groups to list, you can include all groups in a file. To use the file, select the File option from the drop-down list and specify the file name in the field.
These files must be located in the \<instance>\script\ directory and contain a list of groups to list from. They cannot be combined into one file and must be separate.
For listing users from groups:
# KVGROUP-V2.0
listGroups = { "CN=IT,OU=Groups,DC=domain,DC=local"; "CN=Sales,OU=Groups,DC=domain,DC=local"; "CN=Finance,OU=Groups,DC=domain,DC=local"; }
For listing member groups from groups:
# KVGROUP-V2.0
listGroupGroups = { "OU=Groups,OU=IT,DC=domain,DC=local"; "OU=Groups,OU=Sales,DC=domain,DC=local"; "OU=Groups,OU=Finance,DC=domain,DC=local"; }
For listing computers from groups:
# KVGROUP-V2.0
listComputerGroups = { "OU=Computers,OU=IT,DC=domain,DC=local"; "OU=Computers,OU=Sales,DC=domain,DC=local"; "OU=Computers,OU=Finance,DC=domain,DC=local"; }
The Active Directory DN connector will not list any group if the group file is empty.
By default if a group list includes invalid groups the list will return success. You can cause the listing to abort when invalid groups are detected by setting Abort listing when an invalid group is encountered.
Listing group membership recursively
You can recursively list all users and computers contained within groups specified by the "Groups to list ..." options.
To list user and computer objects recursively, select the List nested groups option.
If specified, the connector recursively searches for groups managed by the groups specified in the address, then constructs a user list search based on all groups.
If not specified, only immediate members of a specified group are listed.
Listing managed group membership recursively
You can recursively list users’ group membership for groups contained within groups specified by the Groups to list users from option. To list group membership recursively, select the List members for nested groups option.
If selected, the connector recursively searches for groups managed by the groups specified in the address, then constructs a user list search based on all managed groups.
If not selected, only immediate members of a specified group are listed.
Depending on the version of Bravura Security Fabric you have installed, you may need to list groups and group managers in flattened form if nested groups are not supported. Bravura Security Fabric versions 9.0.1 or earlier do not support nested groups.
To list nested groups recursively in flattened form, select When listing group members and managers, list groups as their individual user members.
If selected, the list of groups constructed will list all the immediate members of the specified group and all the members of the groups nested within the specified group.
Caution: If your Bravura Security Fabric version does support nested groups (9.0.2 or later), the use of the listFlatGroups option is strongly discouraged.
Selecting the long ID name format
You can specify the format of the user's long ID during listing. The default long ID listed is the NT4 domain name format.
You can select the fully qualified domain name (FQDN) name format as an alternative. To do this, select "DN" from the Name format list on the Target system address configuration page.
The fully qualified domain name (FQDN) long IDs have the potential to be longer than the 200 characters allowed by the Bravura Security Fabric.
Use the default NT4 name format when there are domain accounts that run a service, scheduled task, DCOM object, COM+ application, or IIS anonymous access on a managed target system.
Selecting the long ID group name format
You can specify the format of the group's long ID during listing. The default long ID listed is the fully qualified domain name (FQDN) name format.
Use the NT4 domain name format when there are nested domain groups within local groups of a member server. To do this, select "NT4" from the Group Name format list on the Target system address configuration page.
The fully qualified domain name (FQDN) long IDs have the potential to be longer than the 200 characters allowed by Bravura Security Fabric.
Using sub-hosts to replicate password changes
In a global, native-mode Active Directory domain, password resets may take a long time to replicate from the domain controller serving the Bravura Security Fabric server to domain controllers accessed by users.
Bravura Security Fabric can bypass this replication process by directly setting a user’s new password and account status flags (intruder lockout, change password flag and expiry time/date) on each DC that the user might access. This includes DCs in the site from which the user’s web browser connected to Bravura Security Fabric, DCs in the site housing the user’s home directory, and regional DCs accessed by mail, database or other systems that the user might access.
To accelerate password replication in this way, set the Program to generate a list of target systems option on the Target system information page for your Active Directory domain to dcselect.exe.
The sub-host plugin adds a list of DCs and sites to the help desk password reset screen, so that a help desk user can reset passwords on specific domain controllers. The plugin also automatically selects domain controllers for all self-service functions, based on the user’s web browser IP address and home directory server IP address.
To specify additional domain controllers for users of certain sites, edit the text file dc.man in the \<instance>\script\ directory. This file has the format:
domain domain-name
site site-name DC1 DC2
Site names may contain the wild cards ? (any single character) and * (any sequence of characters).
An example of dc.man follows:
domain example.com
# Every user should get a password reset on this central DC:
site * centraldc.example.com
# Users in Madrid should get a reset in London too:
site madrid.* londondc1.example.com londondc2.example.com
# Users in Hong Kong should get a reset in Tokyo:
site hk.example.com tokdc1.example.com tokdc1.example.com
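Because a password reset is pushed to every DC whose site rule matches, it helps to see exactly which DCs a given site resolves to before the file goes live. This added example (not the dcselect plugin itself) parses a dc.man file in the format above and returns the DC list for a site; the file contents are the page's sample, the rule that `?` and `*` match as described is implemented with fnmatch, and treating `#` as a comment to end of line is this example's assumption.

```python
# Added example, not Bravura's dcselect plugin: reads a dc.man file in the
# format shown above and selects the extra DCs for a user's site. The sample
# file below is constructed from the page's example.
import fnmatch  # '?' and '*' have exactly the meanings the text gives them

SAMPLE_DC_MAN = """domain example.com
# Every user should get a password reset on this central DC:
site * centraldc.example.com
# Users in Madrid should get a reset in London too:
site madrid.* londondc1.example.com londondc2.example.com
# Users in Hong Kong should get a reset in Tokyo:
site hk.example.com tokdc1.example.com tokdc1.example.com
"""


def parse_dc_man(text):
    """Return {domain: [(site_pattern, [dc, ...]), ...]} in file order."""
    rules, domain = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        words = line.split()
        if words[0] == "domain" and len(words) == 2:
            domain = words[1]
            rules.setdefault(domain, [])
        elif words[0] == "site" and len(words) >= 3 and domain:
            rules[domain].append((words[1], words[2:]))
        else:
            raise ValueError(f"unrecognized dc.man line: {raw!r}")
    return rules


def extra_dcs(rules, domain, site):
    """DCs to push a reset to for this site, deduplicated, in file order."""
    dcs = []
    for pattern, hosts in rules.get(domain, []):
        if fnmatch.fnmatchcase(site.lower(), pattern.lower()):
            for host in hosts:
                if host not in dcs:   # the sample repeats tokdc1; list it once
                    dcs.append(host)
    return dcs
```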