Integration to Active Directory

Modified: 2011/08/24 17:50 by pnarbonne - Categorized as: Implementation

The application ADSIReader (ESI.Octopus.ADSIReaderApp.exe) imports users, computers (workstations and servers) and printer queues from Active Directory. The user import can include the first name, the last name, the Windows username, the title, the department, the phone number (with the phone extension) and many other fields, while the computer import includes only the computer name. The application WMIUpdater (ESI.Octopus.WMIUpdaterApp.exe) is then used to obtain the technical configuration of each computer (operating system, memory, processor type, installed software, etc.).

We suggest excluding the printer queues at first, for 2 reasons: the imported name is not always meaningful and there can be more than one queue per printer.

The steps below describe how to properly import and use computers and users from Active Directory.


1. Create an Octopus system account

See article Octopus system account

2. Validate the information about the users to import

The correspondence between AD fields and Octopus fields is contained in the XML file named "ADSIReaderLDAPMappings.xml", located in the Octopus installation folder.

Here is the default content:

<?xml version="1.0" encoding="utf-8" ?>
<mappings>
  <mapping Name="Employee">
    <attribute LDAPAttribute="sAMAccountName" OctopusAttribute="Name"/>
    <attribute LDAPAttribute="GivenName" OctopusAttribute="FirstName"/>
    <attribute LDAPAttribute="sn" OctopusAttribute="LastName"/>
    <attribute LDAPAttribute="Mail" OctopusAttribute="EMailAddress"/>
    <attribute LDAPAttribute="Title" OctopusAttribute="Title"/>
    <attribute LDAPAttribute="TelephoneNumber" OctopusAttribute="TelephoneNumber" Index="0" Separator="x"/>
    <attribute LDAPAttribute="TelephoneNumber" OctopusAttribute="TelephoneNumberExtension" Index="1" Separator="x"/>
    <attribute LDAPAttribute="Mobile" OctopusAttribute="TelephoneMobile"/>
    <attribute LDAPAttribute="distinguishedName" OctopusAttribute="ActiveDirectoryKey"/>
    <attribute LDAPAttribute="Department" OctopusAttribute="Department"/>
    <attribute LDAPAttribute="EmployeeNumber" OctopusAttribute="EmployeeNumber"/>
    <attribute LDAPAttribute="Pager" OctopusAttribute="Pager"/>
    <attribute LDAPAttribute="physicalDeliveryOfficeName" OctopusAttribute="Local"/>
  </mapping>
  <mapping Name="Computer">
    <attribute LDAPAttribute="distinguishedName" OctopusAttribute="ActiveDirectoryKey"/>
    <attribute LDAPAttribute="Name" OctopusAttribute="Name"/>
  </mapping>
  <mapping Name="Printer">
    <attribute LDAPAttribute="distinguishedName" OctopusAttribute="ActiveDirectoryKey"/>
    <attribute LDAPAttribute="Name" OctopusAttribute="Name"/>
  </mapping>
</mappings>

You do not need to modify this file for the application to work.

Here are some examples of situations where you would need to modify the mapping file:

i. Some fields in AD contain invalid values


Delete fields that you do not want to import.
For example, if you do not wish to import the user title, delete the following line:
<attribute LDAPAttribute="Title" OctopusAttribute="Title"/>

ii. The letter "p" is used to indicate the phone extension


Replace the separator "x" with "p" in the following 2 lines:
<attribute LDAPAttribute="TelephoneNumber" OctopusAttribute="TelephoneNumber" Index="0" Separator="x"/>
<attribute LDAPAttribute="TelephoneNumber" OctopusAttribute="TelephoneNumberExtension" Index="1" Separator="x"/>

iii. The phone number only has the phone extension


Replace the next 2 lines:
<attribute LDAPAttribute="TelephoneNumber" OctopusAttribute="TelephoneNumber" Index="0" Separator="x"/>
<attribute LDAPAttribute="TelephoneNumber" OctopusAttribute="TelephoneNumberExtension" Index="1" Separator="x"/>
with:
<attribute LDAPAttribute="TelephoneNumber" OctopusAttribute="TelephoneNumberExtension"/>

iv. Import of department AND sub-department


You can add departments and sub-departments to represent your organizational structure. In the initial ADSIReaderLDAPMappings.xml file, the mapping for the department field is already in the list, but not the one for the sub-department. To add a mapping between Active Directory and Octopus for the sub-department, you must add the following line:
   <attribute LDAPAttribute="NameOfFieldAD" OctopusAttribute="SubDepartment"/>

You must replace the expression "NameOfFieldAD" by the field name that you use in AD to determine the sub-department.

If you have entered your department and sub-department in the department field of Active Directory (in the format: Department - Sub-department), you must modify the following 2 lines:
    <attribute LDAPAttribute="Department" OctopusAttribute="Department" Index="0" Separator="-"/>
    <attribute LDAPAttribute="Department" OctopusAttribute="SubDepartment" Index="1" Separator="-"/>

Note: Even if you have blank spaces in the AD field, you must not put any between the quotes of the "Separator" parameter.
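
A dry run of the mapping file, as an added example that is not part of the original article or of Octopus: the Python script below flags a Separator that contains blank spaces and previews which Octopus fields one AD record would produce. The split-then-trim behaviour, the sample record and the function names are assumptions; ADSIReader's own parsing is not documented on this page.

```python
import xml.etree.ElementTree as ET

# Constructed mapping fragment in the page's syntax (cases ii and iv combined).
MAPPING_XML = """<mappings>
  <mapping Name="Employee">
    <attribute LDAPAttribute="sAMAccountName" OctopusAttribute="Name"/>
    <attribute LDAPAttribute="TelephoneNumber" OctopusAttribute="TelephoneNumber" Index="0" Separator="p"/>
    <attribute LDAPAttribute="TelephoneNumber" OctopusAttribute="TelephoneNumberExtension" Index="1" Separator="p"/>
    <attribute LDAPAttribute="Department" OctopusAttribute="Department" Index="0" Separator="-"/>
    <attribute LDAPAttribute="Department" OctopusAttribute="SubDepartment" Index="1" Separator="-"/>
  </mapping>
</mappings>"""

# Constructed AD record (not real data); keys are LDAP attribute names.
SAMPLE_USER = {"sAMAccountName": "jdoe", "TelephoneNumber": "514 555 0100 p 234",
               "Department": "Finance - Payroll"}


def _attributes(xml_text, mapping_name):
    mapping = ET.fromstring(xml_text).find(f"mapping[@Name='{mapping_name}']")
    return [] if mapping is None else mapping.findall("attribute")


def lint_mapping(xml_text, mapping_name):
    """Return warnings for one <mapping> block (hypothetical helper)."""
    problems = []
    for attr in _attributes(xml_text, mapping_name):
        target = attr.get("OctopusAttribute")
        sep, index = attr.get("Separator"), attr.get("Index")
        if (sep is None) != (index is None):
            problems.append(f"{target}: has only one of Index/Separator")
        if sep is not None and sep != sep.strip():
            problems.append(f"{target}: Separator contains blank spaces")
    return problems


def preview(xml_text, mapping_name, record):
    """Map one record to Octopus fields; assumed semantics: split, then trim."""
    lowered = {k.lower(): v for k, v in record.items()}  # LDAP names ignore case
    result = {}
    for attr in _attributes(xml_text, mapping_name):
        value = lowered.get(attr.get("LDAPAttribute").lower(), "")
        sep = attr.get("Separator")
        if sep:
            parts = [p.strip() for p in value.split(sep)]
            index = int(attr.get("Index", "0"))
            value = parts[index] if index < len(parts) else ""
        result[attr.get("OctopusAttribute")] = value
    return result
```

Under the same assumed semantics, a department such as "Saint-Laurent - IT" split on "-" yields "Saint" and "Laurent", so preview a few real values before choosing a separator that can also occur inside a name.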

To manually manage your departments and sub-departments:

  • Go to Tools > Reference Data Management.
  • Open the main node
  • Locate the departments section
    • To add a department, right click on Departments section to obtain the Add option
    • To add a sub-department, right click on a department to obtain the Add option.

Note: During the import, if the departments or sub-departments do not exist, they will automatically be created by Octopus.


3. Automatic attribution of a site to users/computers part of an Organizational Unit (OU)

You can import your AD users from the menu "Tools > Update list of users and computers...". However, note that this action does not offer any additional options. It is preferable to use the application ESI.Octopus.ADSIReaderApp.exe and its numerous parameters.

One of the parameters is /Domain, which is mandatory and corresponds to your domain name. Since a domain can contain several Organizational Units (OU), you can decide to import one or several OUs, and not necessarily the main node of your domain.

To automatically assign the users and computers contained in an OU to a site, follow these steps:

  • Go to "Tools > Reference Data Management..."
  • Open the "General" node
  • Find and open the "Sites" section
    • Add a new site or select an existing one
    • Click on the network icon at the right of the text zone named "Groups in Active Directory" (a window with your AD structure will open)
    • Select an OU
    • Click on Ok
  • Save the modifications


At your next import, the users and computers of this OU will automatically be linked to their defined site.

In the following example, the known users in the OU OU=ST-LAURENT,DC=ESITECHNOLOGIES,DC=com will be linked to the site ESI Ville St-Laurent.





4. Automating data import from Active Directory to Octopus

Windows Scheduled Tasks

5. Remove "generic" or "system" accounts from your users list

The application ESI.Octopus.ADSIReaderApp imports all users defined in AD. To restrict the user import to specific OUs, please see this article: Integration to Active Directory for specific Organizational Units (OU)

During the AD import, all users with a first and last name are imported into Octopus. However, some of them are not actual users (generic accounts, resources, system accounts, etc.).

To remove them from your active users list, disable them as follows:

  • Go into "Users" module.
  • Click on the users list
  • Select a user to disable
  • Open the user file
  • In the right bottom corner, uncheck "Active".

To view inactive users, select the list "Inactive users" located in the drop-down field of additional lists.

Note: It is important to not delete these "false" users, as they would be imported once again during the next import.


6. Identifying laptop and server workstations

When computers are imported into Octopus, they all have the CI type "Workstation" by default. You need to make sure that the right type is assigned to the corresponding CIs:

  • Go into "Configurations" module
  • Click on Workstation
  • Select the computers that are in fact servers. It is possible to modify several CIs simultaneously (as long as CI type is the same for all the selected ones).
  • Click on Change CI in the list of actions, in the left panel.
  • Select Server in the Type list
  • Click on OK

Repeat the same steps for laptops.
