Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Overview and System Design Guide


2.4.3 Linking with Active Directory

By linking with Active Directory, you can retrieve information about devices registered on an Active Directory server, and register those devices with JP1/IT Desktop Management 2. You can also obtain information like user names, telephone numbers, and email addresses that JP1/IT Desktop Management 2 cannot collect automatically.

By acquiring department and location information from Active Directory, you can also synchronize the group relationships of managed devices and asset information with the organizational units (OU) managed by Active Directory.

Device information available from Active Directory

The following table describes some of the features that become available when you link with Active Directory.

Feature                               | Description
Device registration                   | Discovers the computers managed by Active Directory and registers them as management targets in JP1/IT Desktop Management 2. System information can also be updated based on information provided by Active Directory.
Information retrieval                 | Retrieves, from the information managed by Active Directory, shared management items relating to device information and hardware asset information, and added management items relating to hardware asset information. Active Directory must be set as the data source for the item.
Retrieval of organizational hierarchy | Imports the hierarchy of organizational units (OU) managed by Active Directory and uses it to define the group configuration in JP1/IT Desktop Management 2.

The following table shows the device information you can acquire from Active Directory.

Type of device information               | Device registration | Information retrieval
Device type: PC (Windows)                | Y                   | Y
Device type: Server (Windows)            | Y                   | Y
System information: Computer information | Y                   | N
System information: OS information       | Y                   | N
System information: Network information  | Y                   | N
Shared management items                  | Y                   | Y
Added management items                   | Y                   | Y

Legend: Y: Can be acquired. N: Cannot be acquired.

For details about the device information you can acquire from Active Directory, see (3) Device information that can be acquired from Active Directory.

Timing of device information acquisition

If JP1/IT Desktop Management 2 is configured to link with Active Directory, it searches the Active Directory database daily at 23:00 and acquires the relevant device information. You can change the time and frequency of this search by setting a discovery schedule in the Active Directory view under Configurations in the Discovery area of the Settings module.


(1) Searching for devices in Active Directory

You can search for computers managed in Active Directory domains and root OUs and register them as management targets. We recommend that you use this method if your organization already uses Active Directory to manage computers.

The following figure shows an overview of searching Active Directory for devices.

[Figure]

Options for device discovery

You can use the following methods to search for devices registered in Active Directory.

Immediate

JP1/IT Desktop Management 2 connects to Active Directory and searches for devices, acquiring device information for the devices it discovers. Use this option when you first install JP1/IT Desktop Management 2 or when you want changes to Active Directory information to be reflected immediately in the JP1/IT Desktop Management 2 database. You can begin a search from the Active Directory link under Discovery Condition Configuration in the Device Discovery view in the Settings module.

Tip

If you cancel the search before it finishes, any computer information and group information that has been acquired to that point is incorporated into the database.

Scheduled

Regular searches take place according to the discovery settings specified for Active Directory. During this process, device information is acquired for discovered devices. The discovery schedule is determined by the values in Start At, Repeat Interval (daily, weekly, or monthly), and Repeat in the Settings module. By default, discovery takes place daily at 23:00.

Tip

If the search is interrupted or cannot take place at the scheduled time because the service is stopped, the system is shut down, or for some other reason, it will take place at the next scheduled start time.

If the search is interrupted, the process begins again for all computers the next time the service starts. Even if several search attempts have failed, this process takes place only once.

You can check the status of the search in the Last Discovery Log window accessed from the Discovery view in the Settings module. To notify the administrator by email when the process is finished, set a Notice of Discovery Completion in the Discovery view.

Removing managed devices

When you delete a computer from Active Directory, the corresponding information is not deleted from JP1/IT Desktop Management 2. To remove a computer that was discovered from Active Directory, remove it manually from the JP1/IT Desktop Management 2 database.

Discovery conflicts

The discovery of devices registered in Active Directory can sometimes conflict with other forms of discovery.

Conflicts with other Active Directory searches

If an Active Directory search is already in progress when a scheduled search is due to start, the scheduled search is canceled and next runs at the following scheduled start time.

Conflicts with network searches

If a network search is already in progress, the Active Directory search takes place as normal. If both processes discover the same device, the results of network discovery using administrative shares and SNMP take priority over the results of Active Directory discovery, and the results of Active Directory discovery take priority over the results of network discovery using ARP and ICMP.


(2) Setting connection destinations for Active Directory searches

Before you can use Active Directory to search for and discover devices, you need to specify the connection-target Active Directory server and the root OU of the domains you want to search.

You can specify multiple connection targets, each consisting of an Active Directory address and a root OU. Set a number of connection targets equivalent to the number of Active Directory servers and root OUs where you want to discover devices.

The following are examples of setting connection targets for Active Directory searches.

When connecting to one Active Directory server and discovering devices in multiple root OUs

Although the management server only connects to one Active Directory server, it searches for devices in multiple root OUs. This means that you need to create a number of connection destination settings equivalent to the number of root OUs.

[Figure]

When connecting to several Active Directory servers

When searching for devices on several Active Directory servers, you need to create a connection destination setting for each Active Directory server.

[Figure]

Important

When you search Active Directory, the user ID specified in the Active Directory window must be granted the Read permission for all objects that belong to the specified root OU and for all objects that those objects reference (for example, the User or InetOrgPerson object named in managedBy). If the user ID does not have the Read permission, device information and group information might not be obtained correctly when Active Directory is searched.

(3) Device information that can be acquired from Active Directory

The following table lists the device information you can obtain from an Active Directory server.

System information

Device information item                    | Object name (LDAP) | Attribute name (LDAP)      | Contents
Device type                                | computer           | operatingSystem            | PC is set for client-type OSs; Server is set for server-type OSs.
Computer information: Computer name        | computer           | sAMAccountName             | Acquires the computer name of the computer.
Computer information: Host name            | computer           | dNSHostName                | Acquires the DNS name of the computer if one is assigned.
Computer information: Host name            | computer           | sAMAccountName             | Acquires the computer name of the computer if no DNS name is assigned.
OS information: OS                         | computer           | operatingSystem            | Acquires the name of the OS.
OS information: OS service pack or version | computer           | operatingSystemServicePack | Acquires information about the OS service pack or version.
Network information: IP address            | --                 | --                         | Uses DNS to resolve an IP address from the host name.
Network information: MAC address           | --                 | --                         | Uses ARP to acquire a MAC address from the IP address.

Legend: --: This item is populated during Active Directory discovery, but it is not an attribute stored on the source Active Directory server.

You can also acquire the information in the following table:

Device information item           | Description
Registered Date/Time              | For a newly discovered device, the date and time when the device was discovered is acquired. When updating device information, the existing date and time is left unchanged.
Last Modified Date/Time           | If the device has been modified, the date and time when the device was modified is acquired. No date and time is acquired if the device information has not been modified.
Mode                              | If the Auto-Manage Discovered Nodes option is selected and the device has a product license, Managed is set. If the option is selected and the device does not have a product license, Discovered is set. If the option is not selected, Discovered is set.
Management Type                   | Agentless Management (Authentication Successful) is set.
Connection settings               | Unknown is set.
Device Status                     | Unknown is set.
Management Status                 | Agent not Installed is set.
Last Alive Confirmation Date/Time | The date and time when the server last connected to Active Directory and found the device.

Common management items

Shared management item | Object name (LDAP)      | Attribute name (LDAP) | Contents
Department             | computer                | distinguishedName#1   | Acquires the department with which the device is associated.
Location               | computer                | location              | Acquires the location of the device.
User Name              | User or InetOrgPerson#2 | displayName           | Acquires the user name of the device.
Account                | User or InetOrgPerson#2 | userPrincipalName     | Acquires the account name of the device.
E-mail                 | User or InetOrgPerson#2 | mail                  | Acquires the e-mail address of the user of the device.
Phone                  | User or InetOrgPerson#2 | telephoneNumber       | Acquires the telephone number of the user of the device.

#1: The organizational unit (OU) values in the attribute are converted before being registered in the common management item: the root OU comes first and the OUs are joined with slashes. For example, if the attribute value is CN=PC001,OU=2U,OU=Design1G,OU=DesignDivision,DC=domain,DC=local, then DesignDivision/Design1G/2U is registered as the department.

#2: The User or InetOrgPerson object referenced by the managedBy attribute of the computer object.

Added management items

You can use the following methods to relate information retrieved from Active Directory to added management items.

Item specification

A method that uses supplied templates to specify objects in the Active Directory database. For example: Name (Computer)

Customized

A method whereby the administrator specifies the object names managed by Active Directory and the LDAP attribute names.

Added management items are acquired as character string data.

The following table shows the objects you can acquire for each entity specified when acquiring information from Active Directory.

Specifiable entity       | Associated object      | Description
Computer                 | Computer               | Used to manage computer information.
Organizational unit (OU) | Organization Unit (OU) | Contains Computer, User, and other objects. This information is used to record the department and location of a device, and to acquire information about the organizational unit (OU) to which a computer belongs.
User                     | User                   | Used to acquire information about the administrator of a computer.
User                     | InetOrgPerson#         | A type of user. This object is used to acquire information about the administrator of a computer.

#: In Windows 2000, you must apply the InetOrgPerson Kit to use this object.

The following table lists the information that can be acquired from the Computer object.

Item name                | LDAP attribute name        | Template provided
Name (Computer)          | sAMAccountName             | Y
DNS Host Name            | dNSHostName                | Y
Description              | description                | Y
Name                     | operatingSystem            | N
Version                  | operatingSystemVersion     | N
Service Pack             | operatingSystemServicePack | N
Location                 | location                   | Y
Name (User)              | managedBy                  | Y
Office Location          | --#                        | N
Country                  | --#                        | N
State                    | --#                        | N
City                     | --#                        | N
Address                  | --#                        | N
Phone                    | --#                        | N
FAX                      | --#                        | N
Canonical name of object | distinguishedName          | N

Legend: Y: Template provided. N: No template provided.

#: Taken from the corresponding attribute of the User or InetOrgPerson object that Name (User) refers to. For the LDAP attribute names used to acquire this information, see the tables later in this section that show the information that can be acquired from the User and InetOrgPerson objects.

The following table lists the information that can be acquired from an Organization Unit (OU) object.

Property name               | LDAP attribute name | Template provided
Country                     | co                  | Y
Zip code                    | postalCode          | N
State                       | st                  | N
City                        | l                   | N
Address                     | street              | N
Description                 | description         | N
Name                        | managedBy           | Y
Link to group policy object | gPLink              | N

The following table lists the information that can be acquired from a User object.

Item name                            | LDAP attribute name       | Template provided
Last Name                            | sn                        | Y
First Name                           | givenName                 | Y
Initials                             | initials                  | Y
Display Name                         | displayName               | Y
Description                          | description               | Y
Office Location                      | physicalDeliveryOfficeName | Y
Phone                                | telephoneNumber           | Y
E-Mail                               | mail                      | Y
Web Page                             | wWWHomePage               | Y
Country                              | co                        | Y
Zip code                             | postalCode                | Y
State                                | st                        | Y
City                                 | l                         | Y
P. O. Box                            | postOfficeBox             | Y
Address                              | streetAddress             | Y
Logon name                           | userPrincipalName         | Y
Logon name (Windows 2000 or earlier) | sAMAccountName            | N
Log on to                            | userWorkstations          | N
User profile profile path            | profilePath               | N
User profile logon script            | scriptPath                | N
Home folder Local path               | homeDirectory             | N
Home folder Connect                  | homeDrive                 | N
Home phone                           | homePhone                 | Y
Pager                                | pager                     | Y
Mobile                               | mobile                    | Y
FAX                                  | facsimileTelephoneNumber  | Y
IP Phone                             | ipPhone                   | Y
Notes                                | info                      | Y
Company                              | company                   | Y
Department                           | department                | Y
Job title                            | title                     | Y
Manager Name                         | manager                   | Y
Report Direct                        | directReports             | Y

The following table lists the information that can be acquired from an InetOrgPerson object.

Item name                            | LDAP attribute name       | Template provided
Last Name                            | sn                        | Y
First Name                           | givenName                 | Y
Initials                             | initials                  | Y
Display Name                         | displayName               | Y
Description                          | description               | Y
Office Location                      | physicalDeliveryOfficeName | Y
Phone                                | telephoneNumber           | Y
Email                                | mail                      | Y
Web Page                             | wWWHomePage               | Y
Country                              | co                        | Y
Zip code                             | postalCode                | Y
State                                | st                        | Y
City                                 | l                         | Y
P. O. Box                            | postOfficeBox             | Y
Address                              | streetAddress             | Y
Logon name                           | userPrincipalName         | Y
Logon name (Windows 2000 or earlier) | sAMAccountName            | N
Log on to                            | userWorkstations          | N
User profile profile path            | profilePath               | N
User profile logon script            | scriptPath                | N
Home folder Local path               | homeDirectory             | N
Home folder Connect                  | homeDrive                 | N
Home Phone                           | homePhone                 | Y
Pager                                | pager                     | Y
Mobile                               | mobile                    | Y
FAX                                  | facsimileTelephoneNumber  | Y
IP Phone                             | ipPhone                   | Y
Notes                                | info                      | Y
Company                              | company                   | Y
Department                           | department                | Y
Job Title                            | title                     | Y
Manager Name                         | manager                   | Y
Report Direct                        | directReports             | Y

Important

Although you can specify attributes that acquire information from items not mentioned in these tables, operation is not guaranteed in these circumstances.


(4) Importing departmental group configurations from Active Directory

By importing information about the structure of organizational units (OU) from Active Directory, you can synchronize the department hierarchy maintained by JP1/IT Desktop Management 2 with the Active Directory OUs. By actively maintaining the department group configuration managed by Active Directory, you can centrally manage the configuration of managed devices.

JP1/IT Desktop Management 2 imports information about organizational units as part of the search process.

When you specify an organizational unit (root OU) that you want to import from Active Directory, the group configuration for its subordinate OUs is automatically created in the corresponding department group. To import information about department group hierarchies from Active Directory, select Get Department Hierarchy Information in the Active Directory view accessed from the General menu. When this check box is selected, the manager collects department group information when it accesses Active Directory to search for devices. For details on searching Active Directory for devices, see (1) Searching for devices in Active Directory.

The following table shows the effect that importing organizational units (OUs) from Active Directory has on the JP1/IT Desktop Management 2 group configuration.

Active Directory organizational unit (OU) | JP1/IT Desktop Management 2 department group: Present            | JP1/IT Desktop Management 2 department group: Not present
Present                                   | If the name is different, the group name is updated accordingly. | The group is added.
Not present                               | The group is removed.                                            | No action taken.

Note that changing the department group configuration in JP1/IT Desktop Management 2 does not affect the organizational units (OU) registered on the Active Directory server.

Important

After the import process, do not manually add, change, or remove any part of a department group configuration that is synchronized with Active Directory. Any such changes will be overwritten when organizational unit (OU) information is next imported.

If a managed device belongs to a group that is synchronized with an Active Directory OU, the group affiliation of the device changes in line with the Active Directory OU. If the group to which the device belongs is removed, the device is reassigned to the Unknown group.

Tip

If you specify an upper-level domain and its lower-level domain simultaneously in a domain name attribute, the manager imports information for the organizational unit (OU) of the upper-level domain, which includes the information for lower-level domains.

(5) Cautionary notes for Active Directory linkage

Note the following when linking with Active Directory:

Do not use the following symbols in OU names: !, ", %, ', *, /, : (colon), <, >, ?, @, \, |, +, =, , (comma), or ; (semicolon). The linkage function might not operate correctly if an OU name contains any of these characters.
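The distinguishedName-to-department conversion from footnote #1 of (3), the host name fallback and device type rules from the system information table, and the OU-name restriction above, worked through in an added Python example (not JP1/IT Desktop Management 2 code; the "server" substring test for the device type and the stripping of the trailing $ from sAMAccountName are this example's assumptions):

```python
# Characters the cautionary note says must not appear in OU names.
FORBIDDEN_OU_CHARS = set('!"%\'*/:<>?@\\|+=,;')

def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring RFC 4514 backslash
    escapes so an escaped comma inside a value does not split an RDN."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return [(a.strip().lower(), v) for a, _, v in (r.partition("=") for r in rdns)]

def department_from_dn(dn):
    """Root OU first, joined with '/', as footnote #1 describes:
    CN=PC001,OU=2U,OU=Design1G,OU=DesignDivision,DC=domain,DC=local
    -> DesignDivision/Design1G/2U"""
    return "/".join(reversed([v for a, v in split_dn(dn) if a == "ou"]))

def unsupported_ou_names(dn):
    """OU names in the DN containing a character the linkage does not support."""
    return [v for a, v in split_dn(dn)
            if a == "ou" and any(c in FORBIDDEN_OU_CHARS for c in v)]

def device_record(attrs):
    """Map computer-object attributes onto the device information items: type
    from operatingSystem (the 'server' substring test is this example's
    assumption), host name from dNSHostName falling back to sAMAccountName."""
    # Computer accounts carry a trailing '$' in sAMAccountName; strip it (assumption).
    name = attrs.get("sAMAccountName", "").rstrip("$")
    return {
        "deviceType": "Server" if "server" in attrs.get("operatingSystem", "").lower() else "PC",
        "computerName": name,
        "hostName": attrs.get("dNSHostName") or name,
        "department": department_from_dn(attrs["distinguishedName"]),
    }

# Constructed sample: a computer object as it might be read from AD.
SAMPLE = {
    "sAMAccountName": "PC001$",
    "dNSHostName": "pc001.domain.local",
    "operatingSystem": "Windows 10 Enterprise",
    "distinguishedName": "CN=PC001,OU=2U,OU=Design1G,OU=DesignDivision,DC=domain,DC=local",
}

if __name__ == "__main__":
    print(device_record(SAMPLE), unsupported_ou_names("CN=X,OU=Sales\\, EMEA,DC=d,DC=l"))
```

An OU whose name contains an escaped comma parses correctly here but is reported as unsupported, which is the case the cautionary note warns about.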