ReportByEmail Microsoft Active Directory
Page 2 of 13

Content

Introduction to Microsoft Active Directory ... 2
Microsoft AD ... 3
Warning ... 3
Install a linked server into your SQL Server ... 4
Adjust amount of data returned by ADSI Server ... 6
Runtime error when opening SQL views ... 6
Create a ReportByEmail database to contain predefined Views ... 7
Create a scalar function to convert numbers into human-readable fields ... 7
Import ReportByEmail Views ... 9
Import the remaining views ... 10
Adjust Organizational Unit path in Microsoft AD Views ... 11
ODBC data-source ... 12
Excel sheets and ReportByEmail Notifications ... 12

Introduction to Microsoft Active Directory

This document describes the adjustments needed on your ReportByEmail server and on a Microsoft SQL Server, which acts as a kind of front-end for Microsoft Active Directory access. All files needed to build the application can be found on ftp://ftp.reportbyemail.com.

Current view:
The *.SQL files are views to import into Microsoft SQL Server. The *.xml documents are exported ReportByEmail templates, ready to be imported into your ReportByEmail application. The *.xlsx files are Microsoft Excel 2007 documents relating to the ReportByEmail notifications. Both *.XML and *.xlsx documents can be imported into ReportByEmail by right-clicking and choosing Import notification.

Microsoft AD

Connect to Microsoft AD through a SQL Server. This is a bit complicated, but it works fine and is a great way to cross-reference settings between AD and other systems, including systems handling employees and salaries, electronic door access systems etc.

Warning
If you have set up the linked server as shown below on one SQL Server, please don't attempt to copy the settings to another SQL Server: although the connection settings are the same (username and password), for some reason it does not work! Please follow this manual again if you need to set it up on a new SQL Server in your organization.

Install a linked server into your SQL Server

Install Microsoft AD into your SQL Server: open a query and paste the following text into it:

sp_addlinkedserver 'ADSI', 'Active Directory Service Interfaces', 'ADSDSOObject', 'adsdatasource'

Run it by pressing the Run button. An ADSI database is created in the structure Server Objects / Linked Servers.
Browse to this object and choose Properties on the ADSI object. Change to the Security tab. Choose "Be made using this security context" and insert an account with read access to the Microsoft AD, using the syntax:

<Netbiosdomainname>\<username>

and your password. We recommend using a dedicated username and password, so that this user can be maintained under the ReportByEmail AD container. A suggested username: RBEADSI. Test the connection by right-clicking the ADSI object and choosing Test connection. This is only supported on MS SQL Server 2008; on MS SQL Server 2005 you must be careful when entering the data!
Adjust amount of data returned by ADSI Server

An ADSI Server object returns LDAP objects from Microsoft Active Directory. In order not to overload AD controllers, Microsoft has limited the number of objects returned to 1000 by default. If you have a fairly large AD, you will only see a fraction of the users, computers etc. in the reports returned by ReportByEmail. Microsoft has released knowledge base articles about this limitation: http://support.microsoft.com/kb/299410 (please read the Limitations section at the end of the document) and about how to increase the limit: http://support.microsoft.com/kb/315071/

Please follow these guidelines and increase the limit to a suitable value for your Microsoft AD. Run all reports again and discover more users, computers etc.

NTDSUTIL:
LDAP Policies
Connect to DNS Server
Q
Show values
Set MaxPageSize to 10000
Commit changes
Q
Q

Runtime error when opening SQL views

After installing the views into a database, or using a fully featured database called RBEMICROSOFTAD, an error can occur when a view returns records from AD. The views will, for instance, return 901 records and then display an error. If that's the case, the MaxPageSize needs to be adjusted using NTDSUTIL as described in the previous section.
Create a ReportByEmail database to contain predefined Views

Create a new database:

Click Ok.

Create a scalar function to convert numbers into human-readable fields

Go to the Scalar functions:
Right-click and choose New scalar-valued function. Default code is entered by SQL Server Management Studio:

Select all the text and replace it with the code of the ConvertNSSince1601 function as found on ftp.reportbyemail.com.
Choose Execute in the menu. A new scalar function has been created.

Import ReportByEmail Views

Go to the View section of the database as shown above. Import the scripts supplied by ReportByEmail: go to the top of the database and choose New Query, then paste the *.SQL files from ftp.reportbyemail.com into this new query. The following is an example:

USE [RBEMicrosoftAD]
GO
/****** Object: View [dbo].[rbemicrosoftadcomputers] Script Date: 11/12/2008 16:57:13 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE VIEW [dbo].[rbemicrosoftadcomputers]
AS
SELECT distinguishedname, samaccountname, cn, modifytimestamp, createtimestamp,
       dbo.convertnssince1601(lastlogontimestamp) AS lastlogontimestampd,
       dnshostname, operatingsystemservicepack, operatingsystemversion, operatingsystem,
       logoncount, accountexpires,
       dbo.convertnssince1601(pwdlastset) AS pwdlastsetd,
       lastlogoff,
       dbo.convertnssince1601(lastlogon) AS lastlogond,
       whenchanged, whencreated, objectcategory, name, displayname
FROM OPENQUERY(ADSI,
    'SELECT sn, samaccountname, distinguishedname, displayname, cn, name, objectcategory,
            whencreated, whenchanged, lastlogon, lastlogoff, pwdlastset, accountexpires,
            logoncount, operatingsystem, operatingsystemversion, operatingsystemservicepack,
            dnshostname, lastlogontimestamp, createtimestamp, modifytimestamp
     FROM ''LDAP://cphad08''
     WHERE objectcategory = ''Computer'' AND objectclass = ''Computer''') AS derivedtbl_1
GO

Replace the following part of the text:

FROM ''LDAP://cphad08'' where objectcategory = ''Computer'' and objectclass = ''Computer''') AS derivedtbl_1

where you change //cphad08 into the LDAP server you're using. Typically a Microsoft AD server is running LDAP already and no further configuration needs to be done. Choose Execute.

Import the remaining views

Follow the procedure described above for all the Views supplied by ReportByEmail for this database.
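The conversion that the view above applies through dbo.convertnssince1601 to lastlogontimestamp, pwdlastset and lastlogon, written here as an added Python example; it is not the ConvertNSSince1601 function from ftp.reportbyemail.com, whose T-SQL body is not shown on this page. AD stores these attributes as 100-nanosecond intervals since 1601-01-01 UTC, with 0 and the int64 maximum meaning "never"; the stale_accounts helper, the 90-day threshold and the sample rows are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogon, lastLogonTimestamp, pwdLastSet and accountExpires as
# 64-bit counts of 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INTERVALS_PER_SECOND = 10_000_000
# Sentinels: 0 means "never set"; the int64 maximum means "never expires".
NEVER = (0, 0x7FFFFFFFFFFFFFFF)

def convert_ns_since_1601(value):
    """Convert an AD 100-ns timestamp to a UTC datetime; None for 'never'."""
    if value is None or int(value) in NEVER:
        return None
    seconds, remainder = divmod(int(value), INTERVALS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=remainder // 10)

def to_ns_since_1601(dt):
    """Inverse conversion, used here only to build the constructed sample rows."""
    delta = dt - FILETIME_EPOCH
    total_seconds = delta.days * 86400 + delta.seconds
    return total_seconds * INTERVALS_PER_SECOND + delta.microseconds * 10

def stale_accounts(rows, now, max_age_days=90):
    """Return samaccountnames whose last logon is older than max_age_days or never.
    lastLogonTimestamp is replicated between domain controllers but is only
    refreshed when the stored value is older than about 14 days, so this is a
    candidate list to verify, not a precise 'last seen' time.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for row in rows:
        last_seen = convert_ns_since_1601(row["lastlogontimestamp"])
        if last_seen is None or last_seen < cutoff:
            stale.append(row["samaccountname"])
    return stale

# Constructed sample rows shaped like the rbemicrosoftadcomputers view output.
NOW = datetime(2008, 11, 12, 17, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"samaccountname": "WS001$", "lastlogontimestamp": to_ns_since_1601(NOW - timedelta(days=3))},
    {"samaccountname": "WS002$", "lastlogontimestamp": to_ns_since_1601(NOW - timedelta(days=164))},
    {"samaccountname": "WS003$", "lastlogontimestamp": 0},  # never logged on
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["samaccountname"], convert_ns_since_1601(row["lastlogontimestamp"]))
    print("stale:", stale_accounts(SAMPLE_ROWS, NOW))
```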
Adjust Organizational Unit path in Microsoft AD Views

If you have a larger Microsoft AD organization of maybe 1000 users, you might have organized the users into different tree structures. Depending on what you want to do with the ReportByEmail reports, you might have to adjust the views. If you move disabled users to a separate root path in AD, you might normally not be interested in getting a report for those disabled users, but when you want to find disabled users in order to delete them, you would like a complete list of disabled users in the full AD. In order to support this, you need to adjust the additional views, which are basically copies of the views imported above, but with modified LDAP strings.

View [RBEMicrosoftADUsers]:

FROM ''LDAP://cphad08'' where objectcategory = ''Person'' and objectclass = ''User''') AS derivedtbl_1

will find all users in AD.

View [RBEMicrosoftADUsersRBETEST]:

FROM ''LDAP://cphad08/ou=RBETEST,ou=users,ou=pcsys,dc=cph,dc=pcsys,dc=dk'' where objectcategory = ''Person'' and objectclass = ''User''') AS derivedtbl_1

will find only users in the OU RBETEST, located at the full OU path specified above. Notice that all the other text is the same; only the FROM statement needs to be edited.
You now have two Views for users:

[RBEMicrosoftADUsers]
[RBEMicrosoftADUsersRBETEST]

Within the Excel sheets a reference to RBEMicrosoftADUsers is listed in MS Query. You need to copy the Excel sheet to another name and edit the MS Query source from RBEMicrosoftADUsers to RBEMicrosoftADUsersRBETEST, and now you'll see only users within the selected context.

ODBC data-source

Remember to create a data source to your SQL Server. Same procedure as described in other manuals. You need to install the ODBC data source on both the ReportByEmail server and all ReportByEmail client machines.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\RBEMicrosoftAD]
"Driver"="C:\\WINDOWS\\system32\\SQLSRV32.dll"
"Server"="cphsql08"
"Database"="RBEMicrosoftAD"
"LastUser"="david"
"Trusted_Connection"="Yes"

This works if your database is called RBEMicrosoftAD as suggested above. Notice that the ODBC connector is also called RBEMicrosoftAD. All the pre-generated reports listed in the next section only work if the database is named RBEMicrosoftAD.

Excel sheets and ReportByEmail Notifications

Visit ftp://ftp.reportbyemail.com/standardtemplates/microsoft AD/ and have a look at the many templates and notifications:
Copy all the files to a temporary location and use the ReportByEmail client to import all the reports into a new container. Right-click, choose Import Notification, point to the separate XML documents and import both a default schedule and recipient and the reports into the ReportByEmail server. Remember to adjust the recipients of the notifications and test that you receive them. You will probably need to adjust the frequency of the notifications, and due to all the inconsistencies you'll find, you'll need to run the notifications often initially!