13 Replies, latest reply on Oct 15, 2010 3:39 PM by kink80

    LDAP Sync with AD Showing Complete but No Users

    ecardanha

        I went through the quick setup guide that is provided within this area, and I have everything set up. I have 2 LDAP Servers defined within the Registered Servers, and ran the test connection, and they report back that they can successfully talk to the Domain Controllers. When I attempt to run an EE LDAP User/Group Sync, it tells me it completes without any issues, but when I look in the Encryption Users List, there are no users defined at all. Did I skip a step? What level of AD rights are needed on the account that is doing the sync? Currently I have Domain Users and that is it for rights, as I would prefer to keep it as low as possible. I am working with ePO 4.5 Patch 3, and EEPC 6.0 Patch 1; this is running on a Windows 2008 R2 box with all the latest updates, using SQL 2008 R2 Express.

        • 1. Re: LDAP Sync with AD Showing Complete but No Users
          kink80

          How are you adding users to the machines? Do you have Add Local Domain users enabled or are you just manually assigning users to machines?

          • 2. Re: LDAP Sync with AD Showing Complete but No Users
            ecardanha

            I haven't even gotten to that phase; I am still trying to populate my Encryption User List to even get to the point where I can start assigning users to machines.

            • 3. Re: LDAP Sync with AD Showing Complete but No Users
              kink80

              As far as I know it does not work that way. If you go to Menu > Data Protection > Encryption Users, select a machine from your tree, and then select Add Users, it will let you search your LDAP server for the users you want to add. If you want to add a whole group or OU of users to a system tree branch, you can do it the same way by highlighting the system tree branch, selecting the Group Users tab, and assigning the correct users or group of users by selecting them from your LDAP server.

              • 4. Re: LDAP Sync with AD Showing Complete but No Users
                ecardanha

                That may be the case. I'm working on getting 6.0 set up and am sort of a rookie at it compared to 5.0, which is where a lot of our machines are; we are trying to get everything moved over to 6.0. If that is how you select users to be assigned, on my Encryption Users tab I don't see users or machines, and the OU structure of AD isn't even present yet, which I know should appear. Just puzzled why the LDAP test passes and then the sync doesn't work. I assume I have to be missing something along the way.

                • 5. Re: LDAP Sync with AD Showing Complete but No Users
                  kink80

                  So when you look at Menu > Encryption Users you don't see anything in the left hand pane under System Tree? Like My Organization? See pic below.

                  • 6. Re: LDAP Sync with AD Showing Complete but No Users
                    ecardanha

                    Correct, I get My Org and Lost & Found and nothing else, which makes no sense. I would expect it blank if my LDAP connection test failed, but it passed as if everything was fine.

                    • 7. Re: LDAP Sync with AD Showing Complete but No Users
                      kink80

                      In Menu > Configuration > Registered Servers do you have your LDAP server entered here?

                      • 8. Re: LDAP Sync with AD Showing Complete but No Users
                        ecardanha

                        Correct, I defined one for each domain, as we have quite a few. I tried using 3268 and using a Global Catalog but found out that wasn't liked, so defaulted back to 389, and then it shows the Test Connection as a Pass, but never functions. I figured since it passes that the credentials have enough permissions to do what they need, as it looks to only pull a copy of the overall AD structure.

                        • 9. Re: LDAP Sync with AD Showing Complete but No Users

                          From Release Notes:

                          Domain users group does not appear in Encryption Users list (Encryption Users | Actions | Endpoint Encryption | View Users), however the expected users from the group appear in EE users query (Menu | Reporting | Queries | Shared Groups | Endpoint Encryption, then click Run in EE: Users).

                          So try to run that report.

                          More on this topic:

                          Registering Windows Active Directory

                          Use this option to register a Windows Active Directory. You must have a registered AD to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable automatic user account creation.

                          Task
                          1. Log on to the ePolicy Orchestrator server as an administrator.
                          2. Click Menu | Configuration | Registered Servers, then click New Server. The Registered Server Builder wizard opens.
                          3. From the Server type drop-down list on the Description page, select LDAP Server, specify a unique name (a user-friendly name) and any details, then click Next. The Details page appears.
                          4. Select Active Directory or Open LDAP from LDAP server type, then type the Domain name or the Server name.
                            NOTE: Use DNS-style domain name. While using DNS-style domain name, ensure that the system is configured with appropriate DNS setting and can resolve the DNS-style domain name of the Active Directory. The Server name is the name or IP address of the system where the Windows Active Directory is present.
                          5. Type the User name.
                            NOTE: User name should be of the format: domain\Username for Active Directory accounts.
                          6. Type the Password and confirm it.
                          7. Click Test Connection to ensure that the connection to the server works, then click Save.

                          Configuring automation task for LDAP synchronization

                          You can create many tasks that run at scheduled intervals to manage the ePO server and Endpoint software.

                          Task
                          1. Log on to the ePolicy Orchestrator server as an administrator.
                          2. Click Menu | Automation | Server Tasks. The Server Tasks page opens.
                          3. Click Actions | New Task. The Server Task Builder wizard opens.
                          4. On the Description page, name the task, type some notes about the task, and choose whether it is enabled, then click Next. The Actions page appears.
                          5. From the Actions drop-down list, select EE LDAP Server User/Group Synchronization and accept the default values.
                          6. Click Next. The Schedule page appears.
                          7. Schedule the task, then click Next. The Summary page appears.
                          8. Review the task details, then click Save.
                            NOTE: In addition to the task running at the scheduled time, you can run this task immediately by clicking Run next to the task on the Server Tasks page.
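The thread's sticking point is that Test Connection only proves the account can bind, while the sync needs to enumerate OUs and user objects. The following PowerShell script is an added diagnostic, not part of the thread or of McAfee's product, that runs the same bind as Test Connection and then counts what the same account can actually read over plain LDAP (389) or, with -Port 3268, over the Global Catalog. The DC name is a placeholder; it assumes a domain-joined Windows host with .NET System.DirectoryServices available.

```powershell
# Added diagnostic (not from the thread or from McAfee). Checks whether the
# account entered under Registered Servers can do more than bind: it must
# be able to list OUs and user objects for the EE sync to populate anything.
param(
    [string]$Server = "dc01.corp.example.com",   # placeholder DC name
    [int]$Port = 389                               # use 3268 to compare the Global Catalog
)
$cred = Get-Credential -Message "Account configured in Registered Servers (DOMAIN\user)"
$pw   = $cred.GetNetworkCredential().Password

# Step 1: bind, which is all ePO's Test Connection proves. Reading RootDSE forces
# the bind; if this line throws, the credentials are wrong, nothing more.
$rootDse = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
    -ArgumentList "LDAP://${Server}:${Port}/RootDSE", $cred.UserName, $pw
$baseDn = $rootDse.Properties["defaultNamingContext"].Value
Write-Host "Bind OK as $($cred.UserName); base DN = $baseDn"

# Step 2: enumerate what the sync reads: OUs, users and groups under the domain root.
$base = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
    -ArgumentList "LDAP://${Server}:${Port}/$baseDn", $cred.UserName, $pw

function Get-ObjectCount([string]$Filter, [string[]]$Attrs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $base, $Filter
    $s.PageSize    = 500        # paged results, so more than 1000 objects are not truncated
    $s.SearchScope = "Subtree"
    $s.PropertiesToLoad.AddRange($Attrs)
    $r = $s.FindAll()
    # An object the account may see but whose attribute it may not read comes back
    # with the attribute empty, so count rows that actually carry the first attribute.
    $withAttr = @($r | Where-Object { $_.Properties[$Attrs[0]].Count -gt 0 }).Count
    [pscustomobject]@{ Filter = $Filter; Objects = $r.Count; WithAttribute = $withAttr }
}

Get-ObjectCount "(objectClass=organizationalUnit)"              @("ou")
Get-ObjectCount "(&(objectCategory=person)(objectClass=user))"  @("sAMAccountName", "userPrincipalName")
Get-ObjectCount "(objectClass=group)"                           @("member")
```

A bind that succeeds followed by zero OUs or zero users with sAMAccountName means the sync account lacks read rights on the relevant containers, which matches the symptom of a passing Test Connection and an empty Encryption Users tree.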