Targeting Active Directory DN

For each Active Directory domain or forest, add a target (Manage the system > Resources > Target systems):

  • Type is Active Directory DN, listed under "Network Operating Systems" in the drop-down list.

  • Address uses the syntax described in Table 1, “Active Directory DN address configuration”.

    When listing contacts, Custom LDAP search expression for filtering users should be set to filter contacts.

  • Administrator ID and Password are the credentials for the target system administrator you configured earlier.

    It is recommended that you write the administrator ID in the format:

    • NETBIOS\userid

      or

    • userid@domain.com

    This is required in some cases, including where:

    • Bravura Security Fabric is installed on a Windows XP workstation

    • The plugin-winsvc plugin is configured to update service, scheduled task, and IIS directory credentials (Bravura Privilege)

    • The nrcifs program is configured to manage resources whose access is mediated by membership in Active Directory groups (Bravura Identity)

    • The List entire forest target address option is specified and Bravura Security Fabric will be acting on objects outside the domain specified in the Domain or domain controller target address option.

  • Set Program to generate a list of target systems to dcselect to accelerate password replication in Active Directory domains.

  • By default, all connectors run the Bravura Security Fabric processes on the Bravura Security Fabric server, as the local psadmin account. To enable the target system administrator to run those processes, select the Run as? checkbox.

The full list of target parameters is explained in Target System Options.

Table 1. Active Directory DN address configuration

Option

Description

Options marked with * are required.

Domain or domain controller *

The DNS domain name, the domain controller’s FQDN, a custom DNS name to target or IP address; for example:

globaldomain.example.com or

\\mydomaincontroller.example.com or

\\mydomaincontroller or

\\customdnsname

Use the IP address only if DNS does not resolve; otherwise specify the DNS domain name or the FQDN rather than the IP address of the domain controller.

A custom DNS name should only be used if absolutely necessary. (key: server)

Connection over SSL

Select to enforce SSL connections.

(key: ssl)

Custom LDAP search expression for filtering users

Restrict user listing by using LDAP search filters.

(key: userFilter)

Custom LDAP search expression for filtering groups

Restrict group listing by using LDAP search filters.

(key: groupFilter)

OUs to list users from

List only those users who exist in one or more containers.

(key: listOUs)

Groups to list users from

List only those users who exist in one or more groups.

(key: listGroups)

OUs to list groups from

List only those groups that exist in one or more containers.

(key: listGroupOUs)

Groups to list member groups from

List only those groups that exist in one or more groups.

(key: listGroupGroups)

OUs to list computers from

List only those computer objects that exist in one or more containers.

(key: listComputerOUs)

Groups to list computers from

List only those computer objects that exist in one or more groups.

(key: listComputerGroups)

OUs to exclude from listing

Exclude certain OUs to further restrict listing.

(key: excludeOUs)

List nested groups

Recursively list all users and computers contained within groups specified by the "Groups to list ... from" options.

(key: listNestedGrps)

List members for nested groups

Recursively list users’ group membership for groups contained within groups specified by the Groups to list users from option.

(key: listNestedNOSGrps)

Abort listing when an invalid group is encountered

Return failure when a group list includes an invalid group.

(key: listFailOnNonExistentGrp)

Abort listing when an invalid OU is encountered

Return failure when an OU list includes an invalid OU.

(key: listFailOnNonExistentOU)

When listing group members and managers, list groups as their individual user members

Depending on the version of Bravura Security Fabric you have installed, you may need to list groups and group managers in flattened form if nested groups are not supported. Bravura Security Fabric versions 9.0.1 or earlier do not support nested groups.

(key: listFlatGroups)

List entire forest

List objects outside the domain specified in the Domain or domain controller target address option.

(key: listForest)

Delete users with sub objects

Delete users that have leaf objects. In some environments, Active Directory accounts have a leaf object created beneath them, for example by Exchange with ActiveSync. By default such users are not deleted.

(key: deleteSubs)

Create an OU when creating user if it does not already exist

If enabled, when an account is being created and a non-existent OU is specified, the OU is created instead of returning an error.

(key: createOU)

List deleted users on supported systems

Choose whether to list only regular users (default), only deleted users, or both. Deleted users are listed in NT4 format. Active Directory moves deleted accounts to a "recycle bin". If enabled in Bravura Security Fabric, these accounts are restored.

(key: listDeleted)

Name format

Use NT4 format or fully qualified domain name (FQDN).

(key: nameFormat)

Group Name format

Use NT4 format or fully qualified domain name (FQDN).

(key: groupNameFormat)

Attribute specifying group owners

The attribute name that specifies the owner or list of owners for a group. The default value is managedBy.

When set to a single valued attribute such as managedBy, the Target system supports multiple owners on groups target system option should be unchecked. Only one group owner is supported in this case.

A multi-valued attribute may also be specified in order to support multiple group owners. In this case, the Target system supports multiple owners on groups target system option should be checked.

(key: grpowner_attr)

Persistent list search wait time (in seconds)

The interval, in seconds, that the connector waits between searches for changes in the native target.

The default value is 7,200 seconds (2 hours).

If this value is set too small for a large native target, the connector may not be able to retrieve all changes in the native target. Setting the value too small also imposes excess load on related services, which degrades system performance.

(key: persistentSearchWait)

Disable recursive searches of members in domain groups to improve nr performance

Recursively traverse all groups contained within groups when checking permissions in the network resources sub-folder operation. Turning this option on makes permission checking more precise, but it has a performance impact.

Default is false.

(key: nrIsMemberOfDomainGroupRecursive)

Note

The option Disable recursive searches of members in domain groups to improve nr performance was added in Connector Pack 4.6.0.



The Active Directory DN target system address syntax is as follows:

{server=(<DNS domain name> | \\<DC's FQDN or host name>);
 [userFilter=<LDAP search filter>;]
 [grpFilter=<LDAP search filter>;]
 [listOUs={<OU>;<OU>;...};]
 [listGroups={Bravura Group;Bravura Group;...};]
 [listGroupOUs={<OU>;<OU>;...};]
 [listGroupGroups={Bravura Group;Bravura Group;...};]
 [listComputerOUs={<OU>;<OU>;...};]
 [listComputerGroups={Bravura Group;Bravura Group;...};]
 [excludeOUs={<OU>;<OU>;...};]
 [listNestedGrps=<true|false>;]
 [listNestedNOSGrps=<true|false>;]
 [listFlatGroups=<true|false>;]
 [ssl=<true|false>;]
 [listFailOnNonExistentGrp=<true|false>;]
 [listFailOnNonExistentOU=<true|false>;]
 [listForest=<true|false>;]
 [deleteSubs=<true|false>;]
 [listDeleted=NODELETED|ONLYDELETED|BOTH;]
 [nameFormat=<NT4|DN>;]
 [groupNameFormat=<NT4|DN>;]
 [persistentSearchWait=<seconds>;]
 [nrIsMemberOfDomainGroupRecursive=<true|false>;]
 }
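The following is an added example, not Bravura Security Fabric code, showing how the address syntax above can be parsed and then reviewed against the guidance in Table 1 (SSL enforcement, DNS name rather than IP address, administrator ID format when listing the whole forest, and the persistent search wait default). It assumes the grammar exactly as printed: top-level entries separated by semicolons, list values enclosed in braces, and the keys listed in the table. The key sets, the review checks in audit_target_address, and the sample address are this example's own constructions.

```python
"""Parser and review helper for the Active Directory DN target address syntax.
Added example: assumes the grammar {key=value; key={item;item}; ...} and the
keys from Table 1. Key sets and audit checks are this example's own."""
import re

BOOL_KEYS = {"ssl", "listNestedGrps", "listNestedNOSGrps", "listFlatGroups",
             "listFailOnNonExistentGrp", "listFailOnNonExistentOU", "listForest",
             "deleteSubs", "nrIsMemberOfDomainGroupRecursive"}
LIST_KEYS = {"listOUs", "listGroups", "listGroupOUs", "listGroupGroups",
             "listComputerOUs", "listComputerGroups", "excludeOUs"}
ENUM_KEYS = {"listDeleted": {"NODELETED", "ONLYDELETED", "BOTH"},
             "nameFormat": {"NT4", "DN"}, "groupNameFormat": {"NT4", "DN"}}
# The syntax block spells the group filter key grpFilter and the table says groupFilter; accept both.
STRING_KEYS = {"server", "userFilter", "grpFilter", "groupFilter"}
KNOWN_KEYS = BOOL_KEYS | LIST_KEYS | STRING_KEYS | set(ENUM_KEYS) | {"persistentSearchWait"}


def _split_top_level(text):
    """Split on ';' only at brace depth 0 so brace-enclosed list values stay intact.
    LDAP filters use parentheses, not braces, so they pass through unchanged."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_target_address(address):
    """Turn the address string into a dict of typed values; reject unknown keys and bad values."""
    text = address.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("address must be enclosed in braces")
    cfg = {}
    for entry in _split_top_level(text[1:-1]):
        key, sep, value = entry.partition("=")  # first '=' only: LDAP filters contain more
        key, value = key.strip(), value.strip()
        if not sep or key not in KNOWN_KEYS:
            raise ValueError(f"unknown or malformed entry: {entry!r}")
        if key in LIST_KEYS:
            if not (value.startswith("{") and value.endswith("}")):
                raise ValueError(f"{key} must be a brace-enclosed list")
            cfg[key] = _split_top_level(value[1:-1])
        elif key in BOOL_KEYS:
            if value.lower() not in ("true", "false"):
                raise ValueError(f"{key} must be true or false")
            cfg[key] = value.lower() == "true"
        elif key in ENUM_KEYS:
            if value not in ENUM_KEYS[key]:
                raise ValueError(f"{key} must be one of {sorted(ENUM_KEYS[key])}")
            cfg[key] = value
        elif key == "persistentSearchWait":
            cfg[key] = int(value)
        else:
            cfg[key] = value
    if "server" not in cfg:
        raise ValueError("server is required")
    return cfg


def audit_target_address(address):
    """Return review findings derived from the guidance in Table 1 (example checks)."""
    cfg = parse_target_address(address)
    findings = []
    if not cfg.get("ssl", False):
        findings.append("ssl is not set: connections to the domain controller are not forced over SSL")
    if re.fullmatch(r"(\\\\)?(\d{1,3}\.){3}\d{1,3}", cfg["server"]):
        findings.append("server is an IP address: use the DNS domain name or the DC's FQDN unless DNS does not resolve")
    if cfg.get("listForest"):
        findings.append("listForest is set: write the administrator ID as NETBIOS\\userid or userid@domain.com")
    if cfg.get("persistentSearchWait", 7200) < 7200:
        findings.append("persistentSearchWait is below the 7,200 s default: too small a value can miss changes and load related services")
    return findings


# Constructed sample address (not from a real deployment); the user filter excludes disabled accounts.
SAMPLE_ADDRESS = (
    "{server=globaldomain.example.com;"
    " ssl=true;"
    " userFilter=(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)));"
    " listOUs={OU=Staff,DC=example,DC=com;OU=Contractors,DC=example,DC=com};"
    " listNestedGrps=true; listDeleted=NODELETED; persistentSearchWait=7200;}"
)

if __name__ == "__main__":
    print(parse_target_address(SAMPLE_ADDRESS))
    print(audit_target_address("{server=\\\\10.0.0.5;}"))
```

Splitting on semicolons only at brace depth zero is what keeps the OU lists intact; the first `=` in each entry is the key separator, so LDAP filters such as the one in the sample, which contain further `=` and `:=` tokens, survive unchanged.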

Note

When two listing options are used together, the listed objects are the intersection of the two.
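As an added illustration (not connector code) of the listing options in Table 1 and of the note above, the model below applies listOUs, listGroups, excludeOUs, listNestedGrps and listFailOnNonExistentGrp to a small constructed directory. It assumes that an OU restriction matches the OU and everything beneath it, that OU and group restrictions used together intersect, and that nested group expansion must cope with two groups that contain each other; the directory contents, user names and group names are constructed.

```python
"""Model of the user-listing options (listOUs, listGroups, excludeOUs,
listNestedGrps, listFailOnNonExistentGrp). Added example with constructed data,
not the connector's own implementation."""

# Constructed sample directory: sAMAccountName -> distinguished name.
USERS = {
    "alice": "CN=Alice,OU=Staff,DC=example,DC=com",
    "bob": "CN=Bob,OU=Contractors,DC=example,DC=com",
    "carol": "CN=Carol,OU=Staff,DC=example,DC=com",
    "dave": "CN=Dave,OU=Service Accounts,OU=Staff,DC=example,DC=com",
}

# Constructed groups: name -> direct members; a member that names another group is a nested group.
# VPN-Users and VPN-Admins contain each other, which Active Directory permits, so expansion must not loop.
GROUPS = {
    "VPN-Users": ["alice", "bob", "VPN-Admins"],
    "VPN-Admins": ["carol", "VPN-Users"],
    "Service-Accounts": ["dave"],
}


def in_ou(dn, ou):
    """True if the DN is in the OU or in any OU beneath it (case-insensitive suffix match)."""
    return dn.lower().endswith("," + ou.lower())


def expand_group(groups, name, nested, fail_on_missing, _seen=None):
    """User members of a group. With nested=True, recurse into member groups; cycle-safe."""
    if name not in groups:
        if fail_on_missing:  # listFailOnNonExistentGrp behaviour
            raise LookupError(f"group does not exist: {name}")
        return set()
    seen = _seen if _seen is not None else set()
    if name in seen:  # already expanded on this path: stop the cycle
        return set()
    seen.add(name)
    users = set()
    for member in groups[name]:
        if member in groups:
            if nested:  # listNestedGrps: descend into the member group
                users |= expand_group(groups, member, nested, fail_on_missing, seen)
        else:
            users.add(member)
    return users


def list_users(users, groups, list_ous=(), list_groups=(), exclude_ous=(),
               nested=False, fail_on_missing=False):
    """Apply the listing options as described on the page and return sorted user names."""
    selected = set(users)
    if list_ous:
        selected &= {u for u, dn in users.items() if any(in_ou(dn, ou) for ou in list_ous)}
    if list_groups:
        from_groups = set()
        for g in list_groups:
            from_groups |= expand_group(groups, g, nested, fail_on_missing)
        selected &= from_groups  # OU and group restrictions together give their intersection
    if exclude_ous:
        selected -= {u for u in selected if any(in_ou(users[u], ou) for ou in exclude_ous)}
    return sorted(selected)


if __name__ == "__main__":
    staff = "OU=Staff,DC=example,DC=com"
    print(list_users(USERS, GROUPS, list_ous=[staff]))
    print(list_users(USERS, GROUPS, list_ous=[staff], list_groups=["VPN-Users"], nested=True))
```

Running it shows the effect of each option: the Staff OU alone yields alice, carol and dave (dave sits in a sub-OU), adding the VPN-Users group with nested expansion narrows that to alice and carol, and without nested expansion carol, who is only a member through VPN-Admins, drops out.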