Targeting a specific container or containers

You can restrict Bravura Security Fabric to list only those users, groups and computer objects that exist in one or more named containers; for example, if your Active Directory is divided into organizational units. To do this, on the Target system address configuration page, specify:

  • OUs to list users from

  • OUs to list groups from

  • OUs to list computers from

These fields allow multiple values. To enter multiple values, select List from the drop-down list box displayed in front of these fields, and use the More button to add input boxes when more than one value is given. The value in each input box is treated as a single value, for example:

  • CN=myusers,DC=example,DC=com

  • *,OU=Groups,DC=example,DC=com

  • OU=people,OU=hr,DC=example,DC=com

  • CN=Computers,OU=it,DC=example,DC=com;CN=Computers,OU=hr,DC=example,DC=com

You can also exclude OUs to further restrict the listing of users. This option will remove all users that match the OU listed. To do this, specify OUs to exclude from listing. When the exclude OUs option and any of the list OUs options are used together, the listing process will list OUs first and then remove objects that match the exclude criteria.

If there are many OUs to list, you can put all of the OUs in a file instead. To use the file, select the File option from the drop-down list and specify the file name in the field.

These files must be located in the \<instance>\script\ directory and contain a list of OUs to list or exclude users from. They cannot be combined into one file and must be separate.

For listing users from OUs:

# KVGROUP-V2.0
   listOUs = {
     "OU=people,OU=it,DC=example,DC=com";
     "OU=people,OU=hr,DC=example,DC=com";
   }

For listing groups from OUs:

# KVGROUP-V2.0
   listGroupOUs = {
     "OU=Groups,OU=it,DC=example,DC=com";
     "OU=Groups,OU=hr,DC=example,DC=com";
   }

For listing computers from OUs:

# KVGROUP-V2.0
   listComputerOUs = {
     "OU=ComputerOU,OU=it,DC=example,DC=com";
     "OU=ComputerOU,OU=hr,DC=example,DC=com";
   }

For excluding OUs:

# KVGROUP-V2.0
   excludeOUs = {
     "OU=disabled,OU=it,DC=example,DC=com";
     "OU=disabled,OU=hr,DC=example,DC=com";
   }

Some default Active Directory OUs require a different notation when listing from them. If the OU is a "Container" type instead of an "Organizational Unit" type, use 'CN' instead of 'OU' before the name. For example, the default Computers and Users OUs are "Container" types. To list from these OUs, the KVG entry would look like "CN=Users,OU=it,DC=example,DC=com";

The connector will not list any OU if an OU file is empty.

By default, if an OU list includes invalid OUs, the list will return success. You can cause the listing to abort when invalid OUs are detected by setting Abort listing when an invalid OU is encountered.
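
A pre-flight check for the OU files described above, as an added example that is not part of the product or its documentation: because an empty file lists nothing and invalid OUs return success by default, it flags problems before a listing runs. It assumes the file shape is exactly what the samples on this page show and accepts only plain CN=/OU=/DC= distinguished names; the function names are hypothetical.

```python
import re

# Block names shown on the page; each file holds exactly one of them.
KNOWN_KEYS = {"listOUs", "listGroupOUs", "listComputerOUs", "excludeOUs"}
RDN = re.compile(r"^(CN|OU|DC)=[^,=]+$", re.IGNORECASE)
# Default AD containers the page says take CN=, not OU=.
DEFAULT_CONTAINERS = {"ou=users", "ou=computers"}

def parse_ou_file(text):
    """Parse only the shape shown on the page: header, then key = { "dn"; ... }."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "# KVGROUP-V2.0":
        raise ValueError("missing '# KVGROUP-V2.0' header")
    body = " ".join(lines[1:])
    blocks = re.findall(r"(\w+)\s*=\s*\{(.*?)\}", body)
    return [(key, re.findall(r'"([^"]*)"\s*;', inner)) for key, inner in blocks]

def lint_ou_file(text):
    """Return findings as strings; an empty list means these checks passed."""
    if not text.strip():
        return ["file is empty: the connector will not list any OU"]
    try:
        blocks = parse_ou_file(text)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if len(blocks) != 1:
        findings.append(f"expected one block per file, found {len(blocks)}")
    for key, dns in blocks:
        if key not in KNOWN_KEYS:
            findings.append(f"unknown block name {key!r}")
        if not dns:
            findings.append(f"{key}: block has no entries")
        for dn in dns:
            # Simplification (assumption): split on every comma; escaped commas are not handled.
            rdns = [part.strip() for part in dn.split(",")]
            if not all(RDN.match(part) for part in rdns):
                findings.append(f"{key}: malformed DN {dn!r}")
            elif any(part.lower() in DEFAULT_CONTAINERS for part in rdns):
                findings.append(f"{key}: {dn!r} may be a Container, check CN= vs OU=")
    return findings

# Constructed sample: a default container written as OU= and a DN missing its attribute type.
SAMPLE = '''# KVGROUP-V2.0
listOUs = {
  "OU=Users,OU=it,DC=example,DC=com";
  "people,OU=hr,DC=example,DC=com";
}
'''
print("\n".join(lint_ou_file(SAMPLE)))
```

A clean result only means the file is well-formed; whether each OU actually exists in the directory is still decided by the target system.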