Microsoft Active Directory

Integrating with Active Directory

The integration allows GravityZone to import the computer inventory from Active Directory on-premises. This way, you can easily deploy and manage protection on Active Directory endpoints. Integration is performed through a managed endpoint called Active Directory Integrator.

To manage the Active Directory integration, you can do the following:

Set up the Active Directory Integrator

You can define multiple Active Directory integrators for the same domain, and also for each available domain.

Prerequisites

The Active Directory Integrator must meet the following conditions:

  • It runs Windows OS.

  • It is joined to an Active Directory domain.

  • It is protected by Bitdefender Endpoint Security Tools.

  • It is always online. If it is not, synchronization with Active Directory may be affected.

Important

If you have inherited policies that were assigned to folders before the Active Directory integration, all endpoints discovered in an Active Directory domain will be moved from their current folder to the Active Directory folder and will be assigned the policy that is set as default.

You will be able to assign a new policy after the Active Directory sync is complete.

Steps for setting an Active Directory Integrator

  1. Go to the Network page.

  2. Navigate through the network inventory to the group where your endpoint is and select it.

    Note

    If you want to define multiple integrators, you need to select one endpoint at a time.

  3. Click the Integrations button at the upper side of the table and choose Set as Active Directory Integrator.

  4. Click Yes to confirm your action.

    A new icon next to the endpoint indicates that it is an Active Directory Integrator. In a couple of minutes, you will be able to view the Active Directory tree next to Computers and Groups. For large Active Directory networks, the synchronization may take longer to complete. The endpoints joined to the same domain as the Active Directory Integrator will move from Computers and Groups to the Active Directory container.

Synchronizing with Active Directory

GravityZone synchronizes with Active Directory automatically only; the synchronization cannot be triggered manually. The process runs every hour.

GravityZone is unable to synchronize with an Active Directory domain in any of the following situations:

  • All Active Directory integrator roles have been removed.

  • The connection between the Active Directory integrators and GravityZone has been lost for at least 2 hours.

  • None of the Active Directory integrators from the same domain can communicate with the Domain Controller.

  • A domain-joined account is not logged into the endpoint that acts as AD integrator. Without having a domain user logged in, there are no cached credentials, and the queries to the AD server fail.

In any of these cases, an Active Directory issue will be triggered under the Notifications Area. For more information, refer to Notifications.
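The following script is an added example and not part of the GravityZone documentation. Run it from an elevated PowerShell session on the endpoint that holds the Active Directory Integrator role: it checks, read-only, the conditions listed above as prerequisites and as causes of a failed synchronization (domain membership, a logged-on domain account, reachability of a domain controller, connectivity to GravityZone, a running Bitdefender service) and returns one line per problem found. The GravityZone host name is a placeholder to replace with your console address, port 443 is assumed, and the Bitdefender service check is a heuristic match on the display name because the page does not document the service name.

```powershell
# Added example (not from the GravityZone documentation): read-only health check for an
# Active Directory Integrator endpoint. Requires an elevated session (Test-ComputerSecureChannel).
function Test-AdIntegratorHealth {
    param(
        # Placeholder; replace with the GravityZone console address used by your deployment.
        [string]$GravityZoneHost = 'gravityzone.example.invalid',
        [int]$GravityZonePort = 443   # assumed HTTPS port
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Prerequisite: the Integrator must be a domain-joined Windows host.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings.Add("Not domain-joined (workgroup '$($cs.Workgroup)'); the Integrator cannot query AD.")
        return $findings
    }

    # Failure cause: without a logged-on domain user there are no cached credentials for AD queries.
    $user = $cs.UserName   # DOMAIN\user of the console session, empty when nobody is logged on
    if ([string]::IsNullOrEmpty($user)) {
        $findings.Add('No interactive user is logged on.')
    } elseif ($user.Split('\')[0] -ieq $env:COMPUTERNAME) {
        $findings.Add("Logged-on account '$user' is a local account, not a domain account.")
    }

    # Failure cause: the Integrator cannot communicate with a domain controller.
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
        $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
        if (-not $ldap.TcpTestSucceeded) {
            $findings.Add("Domain controller $dc does not answer on LDAP port 389.")
        }
        if (-not (Test-ComputerSecureChannel)) {
            $findings.Add('Machine secure channel to the domain is broken.')
        }
    } catch {
        $findings.Add("Domain controller lookup failed: $($_.Exception.Message)")
    }

    # Failure cause: connection to GravityZone lost (2 hours or more stops synchronization).
    $gz = Test-NetConnection -ComputerName $GravityZoneHost -Port $GravityZonePort -WarningAction SilentlyContinue
    if (-not $gz.TcpTestSucceeded) {
        $findings.Add("Cannot reach $GravityZoneHost on port $GravityZonePort.")
    }

    # Prerequisite: protected by Bitdefender Endpoint Security Tools. Heuristic: the service
    # name is not documented on this page, so match on the display name.
    $bd = Get-Service | Where-Object { $_.DisplayName -like '*Bitdefender*' -and $_.Status -eq 'Running' }
    if (-not $bd) {
        $findings.Add('No running Bitdefender service found on this endpoint.')
    }

    return $findings
}

$result = @(Test-AdIntegratorHealth)
if ($result.Count -eq 0) { 'Integrator prerequisites look satisfied.' } else { $result }
```

Each finding maps to one item in the lists above, so an empty result means the endpoint satisfies every condition this page names; it does not prove that GravityZone has accepted the integrator, which you confirm from the Active Directory tree in the Network page.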

Entities reported by Active Directory Integrator

The Active Directory Integrator reports computers, organizational units, users, containers, and security groups.

In order for a computer to be discovered and reported by the Active Directory Integrator, the following attributes must be non-empty:

  • distinguishedName

  • dnshostname

  • objectGUID

  • name

  • samaccountname

  • objectSid

The details of a computer can be retrieved using the following PowerShell command executed from an elevated terminal, on the Domain Controller:

Get-ADComputer -Identity {machine_hostname} -Properties *

In order for a user to be discovered and reported by the Active Directory Integrator, the following attributes must be non-empty:

  • distinguishedName

  • name

  • objectGUID

  • objectClass

The details of a user can be retrieved using the following PowerShell command executed from an elevated terminal, on the Domain Controller:

Get-ADUser -Identity {username} -Properties *

Note

  • The list of reported entities does not contain disabled entities, such as disabled computers or users. If an entity that is already present in the reported entities list is disabled, it will no longer be reported on the next scheduled run.

  • When moving an entity (e.g. user, computer, security group) from an organizational unit to another one, the change will be reported by the Active Directory Integrator on the next scheduled run.

  • When moving an entity (e.g. user, computer) to/from a security group, the change will not be reported by the Active Directory Integrator since security group membership is not tracked. For users, such changes are tracked by the user-aware rules for policies. See Configuring user rules for more details.

  • When updating the details of a user (i.e. department, title, sn, givenName, mail, mailNickname), the change will be reported by the Active Directory Integrator on the next scheduled run.

  • A security group is reported regardless of whether it has members.
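The following script is an added example and not part of the GravityZone documentation. It turns the two attribute lists above and the note about disabled entities into a pre-sync audit: run on a domain controller (or any host with the ActiveDirectory RSAT module) from an elevated session, it lists every enabled computer and user that is missing one of the attributes the Integrator requires, i.e. the objects that will not appear in GravityZone after the next synchronization. It uses Get-ADObject with LDAP filters rather than the Get-ADComputer / Get-ADUser commands quoted above so that the returned properties carry exactly the attribute names listed on this page; the optional SearchBase parameter is this example's own.

```powershell
# Added example (not from the GravityZone documentation): find enabled AD objects that the
# Active Directory Integrator would skip because a required attribute is empty.
Import-Module ActiveDirectory

# Required attributes exactly as listed on this page.
$ComputerRequired = 'distinguishedName', 'dnshostname', 'objectGUID', 'name', 'samaccountname', 'objectSid'
$UserRequired     = 'distinguishedName', 'name', 'objectGUID', 'objectClass'

# Bit 2 of userAccountControl is ACCOUNTDISABLE; the matching rule OID is the LDAP bitwise AND.
# Disabled objects are excluded because the Integrator does not report them.
$NotDisabled = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

function Get-ObjectsMissingAttributes {
    param(
        [Parameter(Mandatory)][ValidateSet('Computer', 'User')][string]$Kind,
        [string]$SearchBase   # optional OU distinguished name to narrow the query
    )
    if ($Kind -eq 'Computer') {
        $required = $ComputerRequired
        $filter   = "(&(objectCategory=computer)$NotDisabled)"
    } else {
        $required = $UserRequired
        # objectCategory=person plus objectClass=user excludes computer accounts.
        $filter   = "(&(objectCategory=person)(objectClass=user)$NotDisabled)"
    }

    $query = @{ LDAPFilter = $filter; Properties = $required }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($obj in Get-ADObject @query) {
        # Property access is case-insensitive, so the page's spelling of each name works here.
        $missing = $required | Where-Object { [string]::IsNullOrEmpty([string]$obj.$_) }
        if ($missing) {
            [pscustomobject]@{
                Kind              = $Kind
                DistinguishedName = $obj.distinguishedName
                MissingAttributes = ($missing -join ', ')
            }
        }
    }
}

# Usage: report both object kinds for the whole domain.
$report = @(Get-ObjectsMissingAttributes -Kind Computer) + @(Get-ObjectsMissingAttributes -Kind User)
if ($report.Count -eq 0) {
    'Every enabled computer and user carries the attributes the Integrator requires.'
} else {
    $report | Format-Table -AutoSize
}
```

In practice the computer list is the one that turns up results: dnshostname is empty for machines that were pre-staged in AD but never joined, and such objects will be absent from the Active Directory tree in GravityZone until the account is actually used by a domain-joined host.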

Remove the Active Directory Integrator

To remove the role of Active Directory Integrator from an endpoint:

  1. Go to the Network page.

  2. Navigate through the network inventory to the group where the Active Directory Integrator is and select it.

    Note

    If you want to remove multiple integrators, you need to select one endpoint at a time.

  3. Click the Integrations button at the upper side of the table and choose Remove Active Directory Integrator.

  4. A confirmation message will appear.

    • If no other endpoint in the same domain has the Active Directory Integrator role, the confirmation message also warns that the domain will no longer be synchronized with GravityZone.

    • If the endpoint is offline, the Active Directory Integrator role will be removed once it comes back online.

You can check if any Active Directory integrator was removed from your managed network in the User Activity section, by filtering the user logs using the following criteria:

  • Area: Active Directory

  • Action: Removed AD Integrator

For more information, refer to User Activity Log.

Remove the Active Directory integration

You can choose to remove one or several domains from the Active Directory folder, as follows:

  1. Go to the Network page.

  2. Under the Network tree from the left pane, select the Active Directory folder.

  3. Go to the right pane and select the folder of the domain you want to remove.

  4. Click the Integrations button at the upper side of the table and choose Remove Active Directory Integration.

  5. A confirmation message will appear. An option available with this message lets you choose whether to delete the unmanaged endpoints from the Network Inventory. Be careful: this option is enabled by default. Click Confirm to proceed.

  6. All the endpoints under the selected domain will be placed under the Computers and Groups folder (or their original groups), and the Active Directory integrator role will be removed from the assigned endpoints of this domain.

  7. All the policies that were assigned to the Active Directory folders or endpoints will be unassigned.

  8. All endpoints will be moved to Computers and Groups, and the policy assigned to the folder into which they are moved will be assigned to them as well.

    Note

    If no policy is assigned to the folder, all endpoints will revert to the default policy.

Active Directory Integration vs Azure Active Directory Integration

Active Directory Integration allows GravityZone to import the computer inventory from on-premises Active Directory. Azure AD Integration cannot be used to import the computer inventory into the GravityZone security solution; it can be used only to sign in with Single Sign-On authentication.

Note

For additional information on how to configure GravityZone Cloud SSO with Azure AD visit this page.