ALTIRIS Integrated Component for Microsoft Active Directory 6.1 Help
Notice Altiris Integrated Component for Microsoft Active Directory 6.1 Help 1998-2006 Altiris, Inc. All rights reserved. Document Date: April 4, 2006 Protected by one or more of the following U.S. Patents: 5764593, 6144992, 5978805, 5778395, 5907672, 4701745, 5016009, 5126739, 5146221, 5414425, 5463390, 5506580. Other patents pending. Due to the inherently complex nature of computer software, Altiris does not warrant that the Altiris software is error-free, will operate without interruption, is compatible with all equipment and software configurations, or will otherwise meet your needs. The content of this documentation is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Altiris. Altiris, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation. For the latest documentation, visit our Web site at www.altiris.com. Altiris, the Altiris logo, BootWorks, Eality, ImageBlaster, Inventory Solution, PC Transplant, RapiDeploy, RapidInstall, and Vision are registered trademarks of Altiris, Inc. in the United States. Altiris, the Altiris Logo, and ManageFusion are registered trademarks of Altiris, Inc. in other countries. Altiris Connector, Altiris express, Altiris Protect, Application Management Solution, Application Metering Solution, Asset Control Solution, Asset Management Suite, Carbon Copy, Client Management Suite, Compliance Toolkit, Connector Solution, Contract Management Solution, Deployment Server, Deployment Solution, Energy Saver Toolkit, Education Management Suite, FSLogic, Handheld Management Suite, Helpdesk Solution, Lab Management Suite, ManageFusion, Migration Toolkit, Mobile Client for SMS, Monitor Solution, Network Discovery, Notification Server, Package Importer, Patch Management Solution, Problem Management Suite, Recovery Solution, Security Solution, Server Management Suite, Site Monitor Solution, Software Delivery Solution, SNMP Management, Software Delivery Suite, TCO Management Solution, UNIX Client for SMS, Web Administrator, Web Reports, and other product names are trademarks of Altiris, Inc. in the United States and other countries. AuditExpress, Scan on Detect, and SecurityExpressions are trademarks of Pedestal Software Inc. in the United States. Audit on Connect and Audit on Detect are trademarks of Pedestal Software inc. in the United States and other countries. WebLens and Guaranteeing Your Net Works are registered trademarks of Tonic Software Inc. in the United States. WebInsight and RUM are a trademarks of Tonic Software Inc. in the United States. Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the United States and/or other countries. HP and Compaq are registered trademarks of the Hewlett-Packard Corporation. Dell is a registered trademark of Dell Inc. Macintosh is a registered trademark of the Apple Computer Corporation. Palm OS is a registered trademark of Palm Computing, Inc. BlackBerry is a service mark and a trademark of Research In Motion Limited Corporation. RIM is a service mark and trademark of Research In Motion (RIM). Other company names, brands, or product names are or may be trademarks of their respective owners. Altiris Integrated Component for Microsoft Active Directory Help 2
Contents Chapter 1: Introduction.................................................. 4 Overview................................................................. 5 Understanding Import Rules................................................ 5 Understanding Resource Types.............................................. 6 How Import Rules and Resource Types Work Together............................... 6 Understanding the source of Imported Resources............................... 7 Understanding Filters.................................................. 8 Understanding the Import process............................................ 8 Resource Associations.................................................. 9 Collections Added to Notification Server.................................... 10 Understanding the Directory Synchronization Schedule............................. 10 Additional Resources..................................................... 10 Chapter 2: Getting Started............................................... 11 Importing Computers from the Domain........................................... 11 Creating a collection for a Software Delivery task.................................... 12 Importing department assets from Active Directory.................................. 14 Importing User s Managers and Direct Reports..................................... 15 Chapter 3: Installation.................................................. 17 Installing Altiris Integrated Component for Microsoft Active Directory.................... 17 Uninstalling Altiris Integrated Component for Microsoft Active Directory.............. 17 Chapter 4: Using Altiris Integrated Component for Microsoft Active Directory...... 18 Active Directory Import page.................................................. 18 Directory Synchronization Schedule.......................................... 21 Deleting Active Directory Objects............................................... 21 Active Directory Reports..................................................... 22 Active Directory Resources................................................... 22 Altiris Integrated Component for Microsoft Active Directory Help 3
Chapter 1 Introduction The Altiris Integrated Component for Microsoft Active Directory lets you import Active Directory objects, such as users, computers, sites and subnets, into Notification Server. This lets you leverage the data that already exists in Microsoft Active Directory without re-creating it. You can schedule regular imports, to keep your Notification Server populated with up-to-date resources, allowing better management of your environment. Component for Microsoft Active Directory supports Windows 2000 and 2003 domains and has limited support for Microsoft Windows NT 4.0. Terminology Active Directory (AD) - Microsoft s domain security and account database. Organizational Units (OUs) - A container for storing users, computers, and other objects in Active Directory. Domain Controller (DC) - A server on a Microsoft Windows or Windows NT network that allows host access to Windows domain resources. The domain controllers in your network are the centerpiece of your Active Directory directory service. It stores user account information, authenticates users, and enforces security policies for a Windows domain. Lightweight Directory Access Protocol (LDAP) - A set of protocols for accessing information directories. Key features Component for Microsoft Active Directory uses LDAP (Lightweight Directory Access Protocol) to provide one-way synchronization from Active Directory to the Notification Server. This is the same protocol used by standard Active Directory administration tools. Import resources according to rules you define. Specify which Domain Controller (DC) the Active Directory data is gathered from, giving you more control of your environment, or specify a domain and allow the component to select the DC. Create Notification Server collections (groups of related resources) based upon Active Directory Organizational Units (OUs) and collections based upon groups. These collections can be used in policies across any Altiris solution. Schedule or manually initiate resource imports. If you schedule an import rule to run periodically, any subsequent changes to Active Directory are reflected in the Notification Server. Altiris Integrated Component for Microsoft Active Directory Help 4
Overview This section gives an overview of the main functions of the Altiris Integrated Component for Microsoft Active Directory. Quick Links Understanding Import Rules (page 5) Understanding the Import process (page 8) Understanding Resource Types (page 6) Additional Resources (page 10) Understanding Import Rules Component for Microsoft Active Directory uses resource import rules, which you define, to import resources from Organizational Units, User Groups, Distribution Groups, or Security Groups in Active Directory. This lets you populate your Notification Server with useful information, providing dual-platform integration. By default, five import rules, one for each of the supported resource types (User, Computer, Print Queue, Site, and Subnet) are added to the Active Directory Import page after the component is installed. Each rule has a resource type, source, domain or server, and a schedule. Import Rules have two modes: Full Import - Imports all resources from the targeted DC or domain. Update Import - Imports only resources that have changed since the last time the rule ran. For this rule type, we recommend targeting a DC. You cannot import a Users Group through an Update Import as this method relies on features not available in Microsoft Windows NT 4.0 domains. An Update Import will become a Full Import if: The rule is run for the first time. You have changed the domain or server. The DC it previously imported from is no longer available. You can run these rules manually or on a schedule. Running these rules periodically ensures any changes to Active Directory are reflected in the Notification Server. You can define your import rule to target a specific DC or a domain. If you have a heavily loaded environment, targeting a DC can force the load of import rules to a dedicated, less loaded DC. Targeting a DC also makes Update Import rules more reliable because the mechanism that determines what resources have changed since the last time the rule ran relies on DC-specific information. If you run an Update Import rule and you target a domain, Component for Microsoft Active Directory may switch to a different DC. This may result in a Full Import being performed because what has changed since the last time the rule ran, may not be determined. However, specifying a domain provides some redundancy - if a DC is unavailable, Component for Microsoft Active Directory will automatically select another. CAUTION To ensure the correct domain or DC is targeted, we recommend using a Fully Qualified Domain Name (FQDN). Altiris Integrated Component for Microsoft Active Directory Help 5
Understanding Resource Types Component for Microsoft Active Directory supports the following resource types: Users - The imported User data (from Active Directory or Windows NT/2000/2003 Groups) populates the contact information in Altiris Alert Manager, Altiris Helpdesk Solution, and other solutions. Note InetOrgPerson objects can be imported but Contacts cannot. Also, Notification Server Policies (NSPs) can t be sent to the Altiris Agent based on User objects, only based on Computer objects. Computers - The list of computers in AD can be imported to the Resources tab and targetted, through collections, for software delivery tasks. You can use this information to ensure the Altiris Agent is installed on all computers. Importing computer objects also provides a list of computers without the Altiris Agent for Altiris Asset Control Solution. Note Notification Server Policies are based on computer collections with the Altiris Agent installed. Just importing computers from Active Directory does not ensure that the Altiris Agent is installed on them. Print Queues - The list of printers published into AD can be imported into the Notification Server and managed with Altiris Asset Management Solution. Sites The imported Site data populates the Notification Server Site Maintenance page. Site collections can optionally be created that contain all machines in that site. This data is used for configuring the Package Server infrastructure used by Altiris Software Delivery Solution. Subnets The imported Subnet data populates the Notification Server Site Maintenance page. This data is used for configuring the Package Server infrastructure used by Altiris Software Delivery Solution. How Import Rules and Resource Types Work Together When you use an import rule to import a resource, you can apply six import features. The following table lists each resource type you can import and the import features you can apply. The features are: Domain Type - Import resources from a specific domain type. Source - Import resources from an Active Directory source. Create collections - Create collections with the imported data on the Resources tab. The type of collections creates depends on the Source. Filter - Add basic or advanced filters for a defined import rule. Match Computers with primary users - Import users and match them to computers they are primary users of. Column Mappings - Import from classes and select columns mappings you want to use to import data. Altiris Integrated Component for Microsoft Active Directory Help 6
Resource Type Domain Type Source Create Collections Import Feature Match Resources Filters Column Mappings User Microsoft Windows 2000/2003 Microsoft Windows NT 4.0 OU User Groups Security Groups Distribution Groups OU Collections Windows Collections Security Collections Distribution Collections Match computers with primary users Enabled LDAP Filter Edit Column Mappings Computers Microsoft Windows 2000/2003 OU Security Groups Distribution Groups OU Collections Security Collections Distribution Collections N/A Enabled Active within last N days Operating System - Server Edit Column Mappings - Workstation LDAP Filter Print Queues Sites Subnets Microsoft Windows 2000/2003 Microsoft Windows 2000/2003 Microsoft Windows 2000/2003 N/A N/A OU Collections Site Collections N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Understanding the source of Imported Resources Component for Microsoft Active Directory allows you to import computer resources from the Microsoft Windows 2000/2003 or NT 4.0 domains. You can import computer resources from the following sources: Security Groups Distribution Groups Organizational Units Security Groups and Distribution Groups import all matching resources from security and distribution groups in the target domain. Component for Microsoft Active Directory will recurse all the groups within these groups (including Distribution Groups inside Security Groups, and vice versa). As the name suggests, Organizational Units targets OUs. Due to the way LDAP works, selecting the Organizational Units source is the fastest import mechanism. Altiris Integrated Component for Microsoft Active Directory Help 7
User resources can be imported from the same sources as computers and also from User Groups. You can only import users from User Groups if you select Microsoft Windows NT 4.0 as the domain type. If used against a Windows 2000/2003 domain, it works like the Security Group source, but slower. Note Component for Microsoft Active Directory doens t import computers from Microsoft Windows NT 4.0 domains, this is performed by Resource Discovery. For information, see Altiris Notification Server Help. Printer resources can be imported from Organizational Units but Sites and Subnets have no distinct Active Directory source. Understanding Filters Filters let you constrain imported resources based on something other than the OU or resource group. Filtering imported users When importing users, Component for Microsoft Active Directory supports the following filters: Enabled You can disable a user through Active Directory Users and Computers and other administration tools. A disabled user cannot log onto the domain. Many organizations disable users before deleting them. Using this filter ensures that invalid user accounts are no longer imported. LDAP Filter This is an arbitrary LDAP query that further constrains the imported resources. Example: if you want to exclude service accounts and all service accounts in your organization start with Service_, you can use (!(name=service_*)). For information, see www.microsoft.com. Filtering imported computers When importing computers, Component for Microsoft Active Directory supports Enabled and LDAP filters and the following filters: Active A computer added to a domain automatically changes its password periodically. Active computers are those computer accounts where the password has been changed within the specified number of days (by default, 30 days). Like the enabled filter, this prevents the import of unused or stale computers. This filter is based on the pwdlastsetattribute in Active Directory. Operating System Component for Microsoft Active Directory supports importing all computers that are servers or workstations. Example: if you use Altiris products to only manage servers, select the Server Operating System filter to prevent the importing of irrelevant computer records. Understanding the Import process During the import process, the computers from Active Directory are matched with managed computers in the Altiris Database (using the computer name and domain). However, the import process imports all resources regardless of their Altiris Agent install status. The Active Directory OUs then appear as folders and optionally as collections in the Notification Server. To view imported OU folders in the Altiris Console click the Altiris Integrated Component for Microsoft Active Directory Help 8
Resources tab and select Resource Management > Resources > Organizational Structures > Import Source Domain. Import Source Domain is the Full Qualified Domain Name of where the OUs were imported from. Each imported OU folder will contain all the resources in that particular Active Directory OU. If a resource is imported which does not belong to any OU it will appear in the default folder for that particular resource type. Example: resources imported through a resource association. You can view the default folders on the Resources tab, at Resource Management > Resources > Default. At a peer level to the Import Source Domain folder, OUs can also appear in the Organizational Units Users to Machines folder. The collections in this folder contain computers that are included based upon the Users in the OU. They do NOT explicitly contain the computers that are in fact in the OU. These users to machine pairs are based on primary user information returned by the Altiris Agent. If the Altiris Agent is not installed on these computers, the match will not be made and no computer will appear in this collection for the user. Resource Associations Microsoft Active Directory not only stores objects, it also stores relationships between objects. Component for Microsoft Active Directory can extract these relationships from Active Directory and create resource associations. Component for Microsoft Active Directory supports 4 resource associations for users and also one between subnets and sites. User Resource Associations If you import users, resources outside the import rule can be imported if any of the following resource associations are referenced. For information on configuring Resource Associations, see To create a new import rule (page 19). Company - Reference the company attribute in Active Directory to import the user s company details. Department - Reference the department attribute in Active Directory to import the user s department details. User- Reference the directreports attribute in Active Directory to import the list of users that directly report to the user. User - Reference the manager attribute in Active Directory to import the user s manager details. Importing these additional resources populates the Altiris database for use with Altiris solutions such as Altiris Asset Solution. A small company may use this method of gathering information instead of a dedicated but more expensive HR software application. Sites and Subnets Resource Associations You can also associate sites and subnets imported from Active Directory with each other. If you import subnets, their associated sites can be automatically imported, and vice versa. This makes setting up Package Server infrastructure for a software delivery task much easier. By default, these associations are enabled. Altiris Integrated Component for Microsoft Active Directory Help 9
Caution If you import Sites without importing associated subnets, and you create collections with the import rule, the collections will be created but will be empty. This happens because Site collections reference the Subnet table, which is empty as no Subnets are imported. Collections Added to Notification Server When you create an import rule and select Create Organizational Unit collections, collections are generated and made available to all Altiris solutions as targets for policies, reports, software advertisements, and so on (if the Altiris Agent is present). How you configured your import rule defines what type of collection is created. For information, see How Import Rules and Resource Types Work Together (page 6). The types of collection that can be created are: Organizational Unit collection Security Group collection Distribution Group collection Users Group collection If you create an Organizational Unit collection it will contain all the imported resources from the OU and all imported resources from all child and descendant OUs. To view the collections in the Altiris Console, click the Resources tab and select Resource Management > Collections > Directory Collections > Import Source Domain > Collection type. Understanding the Directory Synchronization Schedule This schedule removes any imported resources in the Notification Server that no longer exist in Active Directory. It also detects any resources, renamed or moved outside of the OU's they were intially imported from, and delete them. To ensure the Altiris database has the most recent snapshot of Active Directory, run this schedule manually and then run your import rules. To run it manually, click Start on your desktop, select Programs > Accessories > System Tools > Scheduled Tasks, and run NS.Directory Resync Update Schedule Item. Additional Resources If you need to import additional object types from Active Directory or you need more control over what you import, Altiris Connector Solution provides a much wider range of options for importing information from Active Directory. It also supports non- AD LDAP sources, such as OpenLDAP, Novell e-directory, Sun's iplanet, and so on. Altiris Integrated Component for Microsoft Active Directory Help 10
Chapter 2 Getting Started The Getting Started tasks guide you through some basic tasks of Altiris Integrated Component for Microsoft Active Directory. Getting Started tasks 1. Importing Computers from the Domain (page 11) 2. Creating a collection for a Software Delivery task (page 12) 3. Importing department assets from Active Directory (page 14) 4. Importing User s Managers and Direct Reports (page 15) Prerequisites for Getting Started tasks Notification Server 6.0 SP3, or later Component for Microsoft Active Directory 6.1 installed on the Notification Server. See Installation (page 17). Importing Computers from the Domain Scenario You are responsible for administering all the computers used by the Marketing Department. This means one of your first tasks is to transfer computer details into Notification Server. You could use Resource Discovery on the Configuration tab but neither of the methods offered allow you to just import computers in your department. The company IT staff have arranged their Active Directory OU structure such that all computers in the Marketing Department are under the Marketing OU and you can use the Component for Microsoft Active Directory to import these computers. 1. In the Altiris Console, click the Configuration tab. 2. In the left pane, select Server Settings > Notification Server Infrastructure > Active Directory Import. 3. In the right pane, click the button. This adds a new rule to the bottom of the Resource Import Rules list. 4. Select a resource type. a. In the new rule, click specified resource type. b. In the Resource Selection dialog, select Microsoft Windows 2000/2003 in the Domain Type drop-down list. c. In the Resource Type drop-down list, select Computers. 5. In the Source drop-down list, select Organizational Units. Altiris Integrated Component for Microsoft Active Directory Help 11
Note When importing OUs, OU folders are always created on the Resources tab in the Resource Management > Resources > Organizational Structures folder. 6. Enter the data source information. a. In the Domain or Server field, enter the data source domain. Example: CompanyA.com. b. If the Application ID for the Notification Server doesn t have read permission for the OUs, select Use these credentials, enter a User ID, enter the password and confirm. c. Click OK to save your changes and return to the Active Directory Import page. 7. Select the Organization Unit from which importing will start. a. In the new rule, click (none). b. In the Organizational Unit (OU) Picker dialog, select an OU. Example: Marketing Department. Note To import all OUs in a domain, select the root folder in the OU Selction dialog. c. Click OK to save your changes and return to the Active Directory Import page. 8. Click the button to run a full import and save the selected import rule. Note If you want to run this task periodically, click the Enable Schedule checkbox and select a time interval from the drop-down list. This ensures any subsequent changes to Active Directory will be reflected in the Notification Server. 9. (Optional) After you import computers from a domain, you can run the Resources Imported per Import Rule report to view the results. To access this report, click the Reports tab. In the left pane, select Reports > Notification Server Infrastructure > Active Directory. Creating a collection for a Software Delivery task Scenario You need to roll out a reporting and decision support software tool to management. To do this, you first need to setup your Package Server infrastructure. So, you need to define your sites and subnets and this information has already been entered into AD. Create two import rules that will add specific collections to your Resources tab. These collections are useful for Software Delivery tasks. The first rule imports a certain group from the Marketing Department, the second imports sites to populate the Notification Server with sites already defined in AD. To create the new rules 1. In the Altiris Console, click the Configuration tab. Altiris Integrated Component for Microsoft Active Directory Help 12
2. In the left pane, select Server Settings > Notification Server Infrastructure > Active Directory Import. 3. In the right pane, click the button. This adds a new rule to the bottom of the Resource Import Rules list. 4. Select a resource type. a. in the new rule, click specified resource type. b. In the Resource Selection dialog, select Microsoft Windows 2000/2003 in the Domain Type drop-down list. c. In the Resource Type drop-down list, select User. 5. Select Security Groups as the container type to import from. 6. Select the Match computers with primary users checkbox. 7. Enter the data source information. a. In the Domain or Server field, enter the data source domain. Example: CompanyA.com. b. If the Application ID for the Notification Server doesn t have read permission for the OUs, select Use these credentials, enter a User ID, enter the password, and confirm. c. Click OK to save your changes and return to the Active Directory Import page. 8. Select the Security Groups from which importing will start. a. Click (none). b. In the Security Groups Selection dialog, select the group you want. Example: Marketing Department Managers. Add them to the Selected Groups window and click OK. 9. Click the button to run a full import and save the selected import rule. 10. In the right pane, click the button. This adds another new rule to the bottom of the Resource Import Rules list. 11. Select a resource type. a. In the new rule, click specified resource type. b. In the Resource Selection dialog, select Microsoft Windows 2000/2003 in the Domain Type drop-down list. c. In the Resource Type drop-down list, select Site. 12. Enter the data source information. a. In the Domain or Server field, enter the data source domain. Example: CompanyA.com. b. If the Application ID for the Notification Server doesn t have read permission for the OUs, select Use these credentials, enter a User ID, enter the password, and confirm. c. Click OK to save your changes and return to the Active Directory Import page. Altiris Integrated Component for Microsoft Active Directory Help 13
13. Click the button to run a full import and save the selected import rule. To view the Security Group collection 1. In the Altiris Console, click the Resources tab. 2. In the left pane, select Collections > Directory Collections > Domain > Security Groups. This collection can be used as a target for a Software Delivery task. Example: if you want to install software solely on the Marketing Department manager s managed computers. To view the Site collection 1. In the Altiris Console, click the Resources tab. 2. In the left pane, select Collections > Directory Collections > Sites. Importing department assets from Active Directory Scenario The Accounts department has requested details on all printers in the company. You will need to import data from AD and run a report to present to the Accounts department. To create the new rule 1. In the Altiris Console, click the Configuration tab. 2. In the left pane, select Server Settings > Notification Server Infrastructure > Active Directory Import. 3. In the right pane, click the button. This adds a new rule to the bottom of the Resource Import Rules list. 4. Select a resource type. a. In the new rule, click specified resource type. b. In the Resource Selection dialog, select Microsoft Windows 2000/2003 in the Domain Type drop-down list. c. In the Resource Type drop-down list, select Site. 5. Select the Create organizational unit collections checkbox. 6. Enter the data source information. a. In the Domain or Server field, enter the data source domain. Example: CompanyA.com. b. If the Application ID for the Notification Server doesn t have read permission for the OUs, select Use these credentials, enter a User ID, enter the password, and confirm. c. Click OK to save your changes and return to the Active Directory Import page. 7. Click the button to run a full import and save the selected import rule. Altiris Integrated Component for Microsoft Active Directory Help 14
Run a report to view the imported information 1. In the Altiris Console, click the Reports tab. 2. In the left pane, select Reports > Notification Server Infrastructure Infrastructure > Server > Resource Reports. 3. Click All Print Queues. 4. In the right pane, click Run. Importing User s Managers and Direct Reports Scenario The Accounts department want information about users managers and subordinates so they can model cost center information more accurately. Create a new rule, with the necessary resource associations, to import users from the Marketing OU. 1. In the Altiris Console, click the Configuration tab. 2. In the left pane, select Server Settings > Notification Server Infrastructure > Active Directory Import. 3. In the right pane, click the button. This adds a new rule to the bottom of the Resource Import Rules list. 4. Select a resource type. a. In the new rule, click specified resource type. b. In the Resource Selection dialog, select Microsoft Windows 2000/2003 in the Domain Type drop-down list. c. In the Resource Type drop-down list, select Users. 5. In the Source drop-down list, select Organizational Units. 6. Enter the data source information. a. In the Domain or Server field, enter the data source domain. Example: CompanyA.com. b. If the Application ID for the Notification Server doesn t have read permission for the OUs, select Use these credentials, enter a User ID, enter the password and confirm. c. Click OK to save your changes and return to the Active Directory Import page. 7. Select the Organization Unit from which importing will start. a. In the new rule, click (none). b. In the Organizational Unit (OU) Picker dialog, select an OU. Example: Marketing Department. c. Click OK to save your changes and return to the Active Directory Import page. 8. Select the Resource Associations you want to create. a. In the Import Rule, click these resource associations. Altiris Integrated Component for Microsoft Active Directory Help 15
b. In the Enable Resource Associations dialog, enable the Direct Reports and Manager associations. c. Click OK to save your changes and return to the Active Directory Import page. 9. Click the button to run a full import and save the selected import rule. To view imported resource associations 1. In the Altiris Console, click the Resources tab. 2. In the left pane, select Resource Management > Resources > Organizational Structures > Imported OU. 3. Double-click any imported user, the Resource Manager console opens. 4. Click the Associations tab to view resource associations for the user. Altiris Integrated Component for Microsoft Active Directory Help 16
Chapter 3 Installation Installing Altiris Integrated Component for Microsoft Active Directory 1. In the Altiris Console, click the Getting Started tab. 2. Under Install Solutions, click Install Altiris Solutions from the Solution Center. 3. Click the Available Solutions tab and then the Segments button. 4. Expand the Components section and click Altiris Integrated Component for Microsoft Active Directory. 5. In the Solution Update dialog, click Start. 6. When the component is installed, you will be able to see a new the Active Directory Import page on the Configuration tab. In the left pane, select Server Settings > Notification Server Infrastructure > Active Directory Import. Uninstalling Altiris Integrated Component for Microsoft Active Directory To uninstall this component, in the Control Panel, open the Add/Remove Programs option, select the component, and click Remove. Altiris Integrated Component for Microsoft Active Directory Help 17
Chapter 4 Using Altiris Integrated Component for Microsoft Active Directory This section covers all Component for Microsoft Active Directory functionality on the various tabs of the Altiris Console. Quick Links Active Directory Import page (page 18) Deleting Active Directory Objects (page 21) Active Directory Reports (page 22) Active Directory Resources (page 22) Active Directory Import page The Active Directory Import page lets you import Active Directory objects including Computers, Users, Organizational Units, User Groups, and Sites from Windows NT4/ 2000/2003 Domains on a schedule. The Domain Controller used can be a Windows NT4/ 2000/2003 Domain Controller. Create a new import rule Delete Run the selected import rule now (Full Import) Refresh import rules Stop the selected rule Run the selected import rule now (Update Import) The clickable icons on the Active Directory Import toolbar are: Create a new import rule - click to add a new rule to the Resource Import Rules list. Delete - click to delete a selected rule. Run the selected import rule now (Full Import) - select a rule and click to import all resources from the targetted DC or domain. Run the selected import rule now (Update Import) - select a rule and click to only import resources that have changed since the last time the rule was run. Altiris Integrated Component for Microsoft Active Directory Help 18
To access this page 1. In the Altiris Console, click the Configuration tab. 2. In the left pane, select Server Settings > Notification Server Infrastructure > Active Directory Import. To create a new import rule 1. In the right pane, click the button. This adds a new rule to the bottom of the Resource Import Rules list. 2. Select a resource type. a. Click specified resource type in the new rule to open the Resource Selection dialog. b. In the Domain Type drop-down list, select Microsoft Windows 2000/2003 or Microsoft NT 4.0. c. In the Resource Type drop-down list, select the resource you want to import. 3. Select the source to import the resources from. User resources can be imported from: Organizational Units Distribution Groups Security Groups User Groups (only available if you selected the Microsoft Windows NT 4.0 domain type and only imports user ID and domain name information) Sites and Subnets are not imported from a source. Computers can be imported from OUs, Security Groups, and Distribution Groups. Print Queues can be imported from OUs. 4. If you want to create collections upon import, select the appropriate Create Collection checkbox. Note When importing OUs, OU resource folders are always created on the Resource tab, under the Resource Management > Resources > Organizational Structures folder. 5. Enter the data source information. a. In the Domain or Server field, enter the data source domain or a DC. To ensure the correct domain or DC is targeted, enter a Fully Qualified Domain Name (FQDN). b. If the Application ID for the Notification Server doesn t have read permission for the imported resources, OUs, or groups, select Use these credentials, enter a User ID, enter the password, and confirm. c. Click OK to save your changes and return to the Active Directory Import page. 6. Select the Organization Unit from which importing will start (if you selected Organizational Units in Step 3). a. Click (none) in the new rule. Altiris Integrated Component for Microsoft Active Directory Help 19
b. In the Organizational Unit (OU) Picker dialog, select an OU. Note Under the OU, you can select to import items in all OUs. c. Click OK to save your changes and return to Active Directory Import page. 7. Select the groups to import from (if you selected Distribution Groups, Security Groups or User Groups in Step 3). a. Click (none). b. In the pop-up dialog, select the group you want. Example: Marketing Department Managers. Add them to the Selected Groups window and click OK. 8. If the specified column mappings option appears in the Import Rule, click it to select classes to import from, and columns mappings you want to use to import data. This option will only appear if you are importing users or computers. a. In the Column Mappings dialog, select the class to import from. You can enable/disable specific groups or select different entries in the Data Source Column. The default settings should be sufficient for User or Computer. These mappings can be used to import additional attributes when the AD Schema has been extended. These fields are generally used for new asset types in conjunction with Altiris Asset Control Solution. b. Click OK to return to the Active Directory Import page. 9. Select the Resource Associations you want to create (only available if you are importing users, sites, or subnets). a. In the Import Rule, click these resource associations. b. In the Enable Resource Associations dialog, enable the associations you want from: Create a Company resource for the imported User based on its company attribute in Active Directory. Create a Department resource for the imported User based on its department attribute in Active Directory. Create a User resource for the imported User based on its directreports attribute in Active Directory. Create a User resource for the imported User based on its manager attribute in Active Directory. c. Click OK to return to the Active Directory Import page. 10. To run this task periodically. a. Click the Enable Schedule checkbox and select a time interval from the dropdown list. This ensures any subsequent changes to Active Directory will be reflected in the Notification Server. b. To apply the schedule to a rule, select the Enabled checkbox beside the rule. 11. Click Apply to save the import rule. Altiris Integrated Component for Microsoft Active Directory Help 20
Note Save the import rule by clicking Apply or by running the rule. See To run an import rule (page 21). If you erase an import rule by mistake, click Cancel to reinstate it. When importing occurs, Notification Server message files are created in the Event Queue directory. If there are errors, check the Notification Server status log (Start > Programs > Altiris > Diagnostics > Log Viewer), for information. To run an import rule 1. In the Altiris Console, click the Configuration tab. 2. In the left pane, select Server Settings > Notification Server Infrastructure > Active Directory Import. 3. Select the Import Rule you want to run (select the row the rule is in, not the checkbox next to the rule). 4. To run a full import of the selected import rule, click the button. 5. To run an update import of the selected import rule, click the button. Note You cannot import a User Group through an Update Import as this method relies on features not available in Microsoft Windows NT 4.0 domains. Running an import rule also saves the rule. Directory Synchronization Schedule On the Active Directory Import page, enable this schedule to delete any imported items and resources that no longer exist in Microsoft Active Directory. This will occur if directory items are deleted, renamed, or moved. For information, see Understanding the Directory Synchronization Schedule (page 10). To enable the schedule 1. In the Altiris Console, click the Configuration tab. 2. In the left pane, select Server Settings > Notification Server Infrastructure > Active Directory Import. 3. In the Resource Import Rules list, select the Enabled checkbox of the import rule you want to run to a schedule. 4. In the right pane, select the Enable Schedule checkbox and then select a time period in the drop-down list. 5. Click Apply to save your changes. Deleting Active Directory Objects The Directory Synchronization Schedule will delete any imported items and resources that no longer exist in Active Directory. This will occur if directory items are deleted, renamed, or moved. Altiris Integrated Component for Microsoft Active Directory Help 21
Caution If you move a computer from a domain to a workgroup you must delete the computer s record from Active Directory to avoid duplication in the database. This also applies if you re-image a computer to a Windows 9x operating system. Active Directory Reports The following reports list Active Directory information: Computers with Directory User Profiles Container Members by Operating System Directory Computers without the Altiris Agent Directory Import in the Last N Days Directory Import Rule Task Runs Directory Resources by Container Directory Users with Contact Detail Resources Imported per Import Rule Windows Computers not imported from Directory To access these reports 1. In the Altiris Console, click the Reports tab. 2. In the left pane, select Reports > Notification Server Infrastructure > Active Directory. These reports can help you decide the best time for importing Active Directory and User Group data. Example: if you have 10,000 users, it might be best to perform the importing during the night or only on weekends. Active Directory Resources Directory Collections When you create an Import Rule you can select collection types to be created on import. See the table, under How Import Rules and Resource Types Work Together (page 6), for information on the different collections you can create for different resource types. To access these reports 1. In the Altiris Console, click the Resources tab. 2. In the left pane, select Resource Management > Collections > Directory Collections. Directory Resources The Organizational Structures folder on the Resources tab contains all imported resources. A sub-folder is created for the domain or server the data was imported from that contains the data. For information, see Understanding the Import process (page 8). Altiris Integrated Component for Microsoft Active Directory Help 22
To access these resources 1. In the Altiris Console, click the Resources tab. 2. In the left pane, select Resource Management > Resources > Organizational Structures > Import Source Domain. Altiris Integrated Component for Microsoft Active Directory Help 23
Index A Active Filter 8 Active Directory definition 4 reports 22 resources 22 Active Directory Import page 18 Active Directory objects delete 21 Altiris Connector Solution 10 assets import 14 C collections added by import 10 Distribution Group 10 Organizational Unit 10 Security Group 10 Users Group 10 computers import from a domain 11 D data source information import rule 12 delete Active Directory objects 21 Direct Reports resopurce association import 15 Directory Synchronization Schedule 21 Distribution Group collections 10 Domain Controller 4 E Enabled filter 8 F Filter Active 8 Enabled 8 LDAP Filter 8 Operating System 8 I import assets 14 collections 10 computers from a domain 11 Direct Reports resource association 15 process 8 rule features 6 rule modes 5 rules 5 User s managers resource association 15 import rule create 19 data source information 12 resource type 11 run 21 Install Component for Active Directory 17 L LDAP defintion 4 filter 8 O Operating System filter 8 Organizational Unit collections 10 definition 4 R reports Active Directory 22 resource associations 9 resource type import rule 11 supported 6 resources Active Directory 22 S Security Group collections 10 U Uninstall Component for Active Directory 17 User s Managers resource association import 15 Users Group collections 10 Altiris Integrated Component for Microsoft Active Directory Help 24