
ALTIRIS® CONNECTOR 6.0 FOR ACTIVE DIRECTORY HELP

Notice
Copyright © 1998-2004 Altiris Inc. All rights reserved.

Product Version: 6.0

Document Date: April 1, 2004

Bootworks U.S. Patent No. 5,764,593.

RapiDeploy U.S. Patent No. 6,144,992.

Due to the inherently complex nature of computer software, Altiris does not warrant that the Altiris
software is error-free, will operate without interruption, is compatible with all equipment and
software configurations, or will otherwise meet your needs.

The content of this documentation is furnished for informational use only, is subject to change
without notice, and should not be construed as a commitment by Altiris. Altiris Inc. assumes no
responsibility or liability for any errors or inaccuracies that may appear in this documentation. For
the latest documentation, visit our Web site at www.altiris.com.

Altiris, the Altiris logo, BootWorks, Inventory Solution, LabExpert, PC Transplant, RapiDeploy,
and RapidInstall are registered trademarks of Altiris, Inc. in the United States.

Carbon Copy is a registered trademark licensed to Altiris, Inc. in the United States and a trademark
of Altiris, Inc. in other countries.

Altiris eXpress, Altiris Vision, Application Management Solution, Application Metering Solution,
Asset Control Solution, Asset Management Suite, Client Management Suite, Compliance Toolkit,
Conflict Analysis Solution, Contract Management Solution, Deployment Server, Deployment
Solution, Education Management Suite, Helpdesk, Helpdesk Solution,
HP Client Manager Software, Lab Management Suite, Migration Toolkit, Mobile Client for SMS,
My IT Forum, Notification Server, Problem Management Suite, Server Management Suite,
Server Monitor Solution, Site Monitor Solution, Software Delivery Solution,
TCO Management Solution, Unix Client for SMS, Unix Inventory Solution, Unix Software Deliver
Solution, Web Admin for SMS, Web Reports and other product names are trademarks of Altiris, Inc.
in the United States and other countries.

Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft
Corporation in the United States and/or other countries.

HP is a registered trademark of the Hewlett-Packard Corporation.

Compaq is a registered trademark of the Hewlett-Packard Corporation.

Macintosh is a registered trademark of the Apple Computer Corporation.

All other brand names are trademarks or registered trademarks of their respective companies.

Altiris Connector for Active Directory Help 2


Contents

Notice
Chapter 1: Altiris Connector for Active Directory
    Installation
        Installing the Altiris Connector for Active Directory
        Uninstalling the Altiris Connector for Active Directory
    Using the Connector for Active Directory
        Domain / Directory Import
        Deleting Objects
        Active Directory Reports
        Monitoring Performance



Chapter 1: Altiris Connector for Active Directory


The Altiris Connector for Active Directory lets you import Active Directory objects such as
Organizational Units, Users, and Computers into your Notification Server Database. The Connector
for Active Directory also imports User Group information into the Notification Database from
Windows NT4/2000/2003 domains.

The Connector for Active Directory uses LDAP to provide one-way synchronization from Active
Directory to the Notification Server. You can specify which Domain Controller the AD data is
gathered from.

The Connector for Active Directory creates Notification Server collections based upon Active
Directory Organizational Units (OUs) as well as collections based upon user groups. These
collections can be used in policies across any solution. For example, suppose you want to distribute
software to all computers in an OU. A collection based upon an Active Directory OU can be used as
a target for a Software Delivery policy. As another example, suppose you want to schedule a
Deployment Solution event to all computers for people in the Sales User Group. You can do this
using a User Group collection created as part of this Connector.

Imports can either be scheduled or can be manually initiated.

Collections Added to Notification Server


After you import data from Active Directory OUs or User Groups, collections based on this data are
added to Notification Server.

Active Directory Import


There are many types of Active Directory objects that you can import:

• Organizational Units (OUs) - Collections can optionally be created for Organizational Units
  when resources are imported, by grouping them by Organizational Units. The collections that are
  created enable you to define policies from any solution and target Active Directory OUs.
• Users - The imported User data (from either Active Directory or Windows NT/2000/2003 User
  Groups) is used to populate the Contact information in Alert Manager, Helpdesk Solution, and
  other Solutions.
  Note: No policies can be sent to the Altiris Agent based on User objects, only based on Computer
  objects. User data can be used for creating contacts in Alert Manager and Helpdesk Solution and
  for generating reports. User data is also mapped to computers. Also note that policies are based
  on collections of computers with the Altiris Agent installed. Just importing computers from
  Active Directory does not ensure that the Altiris Agent is installed on them.
• Computers - Importing Computer objects has the following advantages:
  • It provides a list for Asset Control Solution of those computers that do not have the Altiris
    Agent.
  • It lets you know which computers in your environment do not have the Altiris Agent
    installed. You can then use this information to make sure the Altiris Agent is installed on all
    of your computers.
• Sites and Subnets – The imported Site and Subnet data is used to populate the Notification
  Server Site Maintenance configuration page. Site collections can optionally be created that
  contain all machines in that site.


Note: When you install Asset Control Solution, you can import more types of Active Directory
objects. For more information, see the Altiris Asset Control Solution User Guide.

During the import process, the computers from Active Directory are matched with known Altiris
enabled computers in the Notification Server Database (using the computer name and domain).
Note, however, that the import process imports all resources regardless of their Altiris Agent install
state. The Organizational Units then appear as folders and optionally as collections in the
Notification Server. The imported Organizational Unit folders appear in the Altiris Console on the
Resources tab view: Resource Management > Resources > Organizational Structures > Import Source
Domain

Import Source Domain is the Fully Qualified Domain Name of the domain from which the
Organizational Units were imported. Each Organizational Unit folder contains all the resources
that are in that OU. If an imported resource does not belong to any OU, it appears in the default
folder for that particular resource type.

The Organizational Units collections will appear in the Altiris Console on the Resources tab view:
Resource Management > Collections > Directory Collections > Import Source Domain > Organizational
Units

These collections are then available to all Altiris Solutions as targets for policies, reports, software
advertisements, etc. (only if the Altiris Agent is present).

At a peer level to the Import Source Domain folder, OUs can also appear in the Organizational Units
– Users to Machines folder. The collections in the Organizational Units – Users to Machines folder
contain computers mapped based upon the Users in the OU. They do NOT explicitly contain the
computers that are in fact in the OU.

These “users to machine” pairs are based on primary user data matched to computers.

For Example:

If you want your Policies to go to computers based on location of computers in the OU, select from
the OU collections in the Organizational Units folder. For example, if you have a North America\Sales
OU with 3 computers and 6 users and you want your policies to go to the 3 computers, you would
use the corresponding North America\Sales collection located in the Organizational Units folder.

If you want your Policies to go to users in an OU, select from the OU collections in the Organizational
Units – Users to Machines folder. For example, if you have a North America\Sales OU with 3
computers and 6 users and you want your policies to go to the computers that the 6 users use, you
would use the corresponding North America\Sales collection from the Organizational Units – Users
to Machines folder.
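
The difference between the two folders, worked through as an added example (not part of the Altiris documentation or product code). Only the North America\Sales OU with 3 computers and 6 users comes from the text; the computer names, user names, primary-user assignments and agent states are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Computer:
    name: str
    ou: str            # OU that holds the computer object in Active Directory
    primary_user: str  # primary user matched to the computer ("" if unknown)
    has_agent: bool    # True if the Altiris Agent is installed

# Constructed sample data (hypothetical names).
SALES = "North America\\Sales"
SALES_USERS = {"amy", "bob", "cho", "dev", "eli", "fay"}  # the 6 users in the OU
COMPUTERS = [
    Computer("SALES-PC1", SALES, "amy", True),
    Computer("SALES-PC2", SALES, "bob", True),
    Computer("SALES-KIOSK", SALES, "", False),                 # in the OU, no agent
    Computer("HQ-LAPTOP7", "North America\\HQ", "cho", True),  # Sales user, PC elsewhere
    Computer("HQ-LAPTOP9", "North America\\HQ", "dev", False),
    Computer("EU-PC3", "Europe\\Finance", "zoe", True),
]

def ou_collection(computers, ou):
    """Organizational Units folder: computers located in the OU."""
    return {c.name for c in computers if c.ou == ou}

def users_to_machines(computers, ou_users):
    """Users to Machines folder: computers whose primary user is in the OU."""
    return {c.name for c in computers if c.primary_user in ou_users}

def reachable(computers, collection):
    """Policies only reach collection members that have the Altiris Agent."""
    return collection & {c.name for c in computers if c.has_agent}

def compare(computers, ou, ou_users):
    """Show where the two collections for the same OU diverge."""
    by_location = ou_collection(computers, ou)
    by_user = users_to_machines(computers, ou_users)
    both = by_location | by_user
    return {
        "by_location": by_location,
        "by_user": by_user,
        # Computers a user-based policy reaches although they sit in another OU.
        "outside_ou_but_targeted": by_user - by_location,
        # Computers in the OU that a user-based policy never sees.
        "in_ou_but_missed": by_location - by_user,
        # Imported computers that no policy can reach until the agent is installed.
        "no_agent": both - reachable(computers, both),
    }

if __name__ == "__main__":
    for key, names in compare(COMPUTERS, SALES, SALES_USERS).items():
        print(f"{key:24} {sorted(names)}")
```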


User Group Import


Three types of User groups can be imported:

• Distribution Groups
• Security Groups
• Windows User Groups (only imports user id and domain name information using the WinNT
  provider).

The user group collections will appear in the Altiris Console on the Resources tab view: Resource
Management > Collections > Directory Collections > Import Source Domain > Group Type

Where Group Type is one of:

• Distribution Groups
• Security Groups
• User Groups

For example, if a Distribution Group called “All Managers” was imported, the following collection
would be created:
Resource Management > Collections > Directory Collections > Import Source Domain > Distribution Groups
> All Managers

At a peer level to the Import Source Domain folder, “Users to Machines” collections can also be
imported. The Users to Machines collections will appear in the Altiris Console on the Resources tab
view: Resource Management > Collections > Directory Collections > Import Source Domain > Group Type

Where Group Type is one of:

• Distribution Groups
• Security Groups
• User Groups

Each of these collections contains computers whose primary users are the users in the corresponding
user group collections - thus these are dynamic collections.

For Example:

If you want your Policies to use collections based on User Group data, they can only use collections
found in the “User Group Type - Users to Machines” folders.

Collections found in the “User Group Type” folders cannot be used by Policies.


See Also
• “Installation”
• “Using the Connector for Active Directory”
• “Monitoring Performance”

Installation
This section tells you how to install and uninstall the Connector for Active Directory.

Installing the Altiris Connector for Active Directory


1 Open the Altiris Console.
  • Click Start > Programs > Altiris > Altiris Console.
2 Select the Getting Started tab.
3 Click the link Install Altiris Solutions from the Solution Center under Install Solutions.
4 Scroll down the content pane to reach the Available Solutions tab.
5 Click Altiris Connector for Active Directory.
6 Click Start.

When the Connector for Active Directory has been installed, you will be able to see a new task when
you click the Altiris Console Configuration tab:
Server Settings > Notification Server Infrastructure > Active Directory Import.

Uninstalling the Altiris Connector for Active Directory

1 Open Add/Remove Programs from the Control Panel.
2 Remove Altiris Notification Server Directory Connector.

Using the Connector for Active Directory


This section tells you how to configure the Connector for Active Directory on your Notification
Server.

Domain / Directory Import


The Domain / Directory Import task lets you import AD objects including Computers, Users,
Organizational Units, User Groups and Sites from Windows NT4/2000/2003 Domains on a
schedule. The Domain Controller used can be a Windows NT4/2000/2003 Domain Controller.

To access this task


1 In the Altiris Console, select the Configuration tab.
2 In the treeview pane, select Server Settings > Notification Server Infrastructure > Active Directory
Import.

To add a new import rule


1 Click New Import Rule.
  A new rule appears in the Rules list.
2 Select a resource type.
  a Click specified resource type.
  b Select the desired Active Directory item from the drop-down list.
  c Click Apply.
3 Select the container type to group the imported resources.
  Note: User resources can be imported from the following container types:
  • Organizational Units
  • Distribution Groups
  • Security Groups
  • Windows User Groups (only imports user id and domain name information)
  Sites and Subnets do not belong to any container type. Any other resource type (including
  Computers) will be grouped using the Organizational Unit container.
4 Select the collection types that are to be created on import.
  Note: When importing OUs, OU folders are always created under the Resource Management >
  Resources > Organizational Structures folder.
  You must enable the collection creation checkboxes to have OU, User Group and Site collections
  created.
5 Enter the data source information.
  a Click Specified data source.
  b Enter the domain or server of the data source.
    If you enter the domain, LDAP may query any Domain Controller. This could cause
    unnecessary network traffic. To ensure a local Domain Controller is queried, specify the
    name of the Domain Controller.
    Examples:
    Mycompany.com
    Server1
  c Enter the user ID of a user who has administrative privileges for the domain.
    The user ID can be in the form domain\user. If no user ID is specified, you will be connected
    using the security context defined in the Notification Server > Application Identity configuration
    page.
    Note: This user only needs to have rights to enumerate. This user does not need to have
    modify/create rights.
  d Enter the password and confirm.
  e Click Apply.
6 Select the Organizational Unit from which importing will start (only if Organizational Units are
  used as the container type).
  a Click Root.
  b Select the desired Organizational Unit from the drop-down list.
  c Select whether or not to import items in all Organizational Units under the selected OU.
    This lets you import a portion of your Active Directory data. For example, suppose your
    Notification Server site contains data for all of your North America sites and you have a
    North America OU. You can then import only users/computers in North America.
  d Click Apply.
7 Select the user groups to import from (only if importing users from Distribution Groups, Security
  Groups or Windows User Groups).
  a Select one or more groups from the list of Available Groups that are found in the domain.
    Click Add or Remove to add or remove groups to/from the list of Selected Groups.
  b Click Apply.
8 Select the default column mapping (if “and using the specified column mapping” appears).
  a Click specified.
    Note: If you get an LDAP class enumeration error, retry clicking specified. This error means
    that you haven’t given the class enumeration time to authenticate.
  b Select the Class to import from.
  c Select the Column mappings you wish to use to import data. You can enable/disable specific
    groups or select different entries in the Data Source Column.
    Note: The out-of-the-box defaults should be sufficient for User or Computer. These fields are
    generally used for new asset types in conjunction with Asset Control Solution.
  d Click Apply.
9 Select the schedules you wish to use to import data.
  a Click specified schedules.
    1 Define and enable the schedules. A shared schedule can be selected from the drop-down list.
      If you select Custom Schedule from the drop-down list, a link appears which lets you create
      a custom schedule.
  b Click Apply.
10 Click the Enable check box to enable the import rule.
11 Click Apply to save the import rule.
Note: When importing occurs, NS message files are created in the Event Queue directory. If there
are errors, check the Notification Server status log (http://NSName/Altiris/NS/LogView.asp) for more
information.

Deleting Objects
If an object, such as a User, Computer or OU, is deleted from Active Directory and it has been
previously imported into the Notification Server, it will be deleted from the Notification Server when
the Directory Synchronization scheduled task runs.

This schedule will delete any imported items and resources that no longer exist in the directory. This
will occur if directory items are deleted, renamed or moved.

Active Directory Reports


Several reports are provided that list Active Directory information.

To access these reports


1 Open the Altiris Console.
• Click Start > Programs > Altiris > Altiris Console.
2 Click the Reports tab.
3 In the treeview pane, click Reports > Notification Server Infrastructure > Active Directory.

Monitoring Performance
The Directory Import in the Last 'N Days report can be used to see how the Notification Server is
performing Active Directory and User Group imports. The report is found under the Reports >
Notification Server Infrastructure > Active Directory > Directory Import in the Last 'N Days. This report
lists (in seconds) how long each Directory import took over the last N days. By drilling down into
this report, the details of all the successful, failed and stopped directory import tasks can be viewed.


These reports can help you decide the best time for importing Active Directory and User Group data.
For example, if you have 10,000 users, it might be best to perform the importing during the night or
only on weekends.
