Microsoft Active Directory
Integrating with Active Directory
The integration allows GravityZone to import the computer inventory from on-premises Active Directory, so you can deploy and manage protection on Active Directory endpoints without adding them by hand. The integration runs through a managed endpoint designated as the Active Directory Integrator, which queries the domain on GravityZone's behalf.
To manage the Active Directory integration, you can do the following:
Set up the Active Directory Integrator
Remove the Active Directory Integrator
Remove the integration
Set up the Active Directory Integrator
You can define multiple Active Directory Integrators for the same domain (useful for redundancy, since a domain stops synchronizing when none of its integrators can reach a Domain Controller), and separate integrators for each available domain.
Prerequisites
The Active Directory Integrator must meet the following conditions:
It runs a Windows OS.
It is joined to the Active Directory domain you want to import.
It is protected by Bitdefender Endpoint Security Tools (BEST).
It is always online. An offline integrator delays or breaks synchronization with Active Directory for its domain.
Important
If endpoints inherit policies that were assigned to folders before the Active Directory integration was set up, every endpoint discovered in an Active Directory domain is moved from its current folder to the Active Directory folder and receives the policy set as default. Any hardening configured in the previous folder policy therefore stops applying to those endpoints until you reassign it.
You can assign a new policy once the Active Directory sync is complete.
Steps for setting an Active Directory Integrator
Log in to GravityZone Control Center.
Go to the Network page from the left side menu.
Navigate through the network inventory to the group that contains the endpoint and select it.
Note
If you want to define multiple integrators, you need to select one endpoint at a time.
Click the Integrations button at the upper side of the table and choose Set as Active Directory Integrator.
Click Yes to confirm your action.
The endpoint now shows a new icon indicating that it is an Active Directory Integrator. Within a few minutes, the Active Directory tree appears next to Computers and Groups; for large Active Directory networks the first synchronization can take considerably longer. Endpoints joined to the same domain as the Active Directory Integrator move from Computers and Groups to the Active Directory container.
Synchronizing with Active Directory
Synchronization with Active Directory is automatic only; it cannot be triggered manually. It runs every hour.
GravityZone cannot synchronize with an Active Directory domain in any of the following situations:
All Active Directory Integrator roles for the domain have been removed.
The connection between the Active Directory Integrators and GravityZone has been lost for at least 2 hours.
None of the Active Directory Integrators in the same domain can communicate with a Domain Controller.
No domain user is logged on to the endpoint acting as AD Integrator. Without a logged-on domain user there are no cached domain credentials, so the queries to the AD server fail.
In any of these cases, GravityZone raises an Active Directory issue in the Notifications area. For more information, refer to Notifications.
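The four failure conditions above can be checked directly on the endpoint that holds the integrator role. The following script is an added example and is not Bitdefender code: it verifies domain membership, whether the console user is a domain account, the machine's secure channel, reachability of a Domain Controller on LDAP port 389, and that an LDAP query with the current credentials succeeds. It uses only built-in cmdlets and .NET, so RSAT is not needed; run it from an elevated prompt because Test-ComputerSecureChannel requires administrator rights. The function name, the output fields and the Bitdefender service display-name pattern are assumptions of this example.

```powershell
# Added example (not Bitdefender code): health check for the AD Integrator endpoint.
function Test-AdIntegratorHealth {
    $result = [ordered]@{}

    # 1. Domain membership and the interactive console user.
    #    Win32_ComputerSystem.UserName only reports the console session; for RDP
    #    sessions use 'quser' instead. A local account (COMPUTERNAME\user) or a
    #    system account gives no domain credentials for AD queries.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.DomainJoined       = [bool]$cs.PartOfDomain
    $result.Domain             = $cs.Domain
    $result.LoggedOnUser       = $cs.UserName          # DOMAIN\user, or $null if nobody is logged on
    $result.DomainUserLoggedOn = [bool]$cs.UserName -and
                                 ($cs.UserName -notlike "$($cs.Name)\*") -and
                                 ($cs.UserName -notlike 'NT AUTHORITY\*')

    # 2. The computer account's secure channel to a DC (needs elevation).
    $result.SecureChannel = Test-ComputerSecureChannel

    # 3. Locate a Domain Controller for this machine's domain and test LDAP reachability.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc     = $domain.FindDomainController().Name
        $result.DomainController = $dc
        $result.LdapReachable    = Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    } catch {
        $result.DomainController = $null
        $result.LdapReachable    = $false
        $result.Error            = $_.Exception.Message
    }

    # 4. Run the kind of LDAP query the integrator issues, using the current user's
    #    credentials: look up this machine's own computer object by sAMAccountName.
    try {
        $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
        $hit = $searcher.FindOne()
        $result.LdapQueryOk          = ($null -ne $hit)
        $result.OwnDistinguishedName = if ($hit) { $hit.Properties['distinguishedname'][0] }
    } catch {
        $result.LdapQueryOk = $false
        $result.Error       = $_.Exception.Message
    }

    # 5. BEST agent present and running. The display-name pattern is an assumption
    #    of this example; adjust it to match the service name in your deployment.
    $svc = Get-Service | Where-Object DisplayName -like 'Bitdefender Endpoint Security*' | Select-Object -First 1
    $result.BestService = if ($svc) { "$($svc.Name): $($svc.Status)" } else { 'not found' }

    [pscustomobject]$result
}

Test-AdIntegratorHealth | Format-List
```

If LdapReachable is true but LdapQueryOk is false, the problem is credentials rather than network: check which account is logged on and whether it can authenticate to the domain. If SecureChannel is false, repair the computer account trust (Test-ComputerSecureChannel -Repair with domain credentials) before looking further.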
Entities reported by Active Directory Integrator
The Active Directory Integrator reports computers, organizational units, users, containers and security groups.
For a computer to be discovered and reported by the Active Directory Integrator, the following attributes must be non-empty:
distinguishedName
dNSHostName
objectGUID
name
sAMAccountName
objectSid
The details of a computer can be retrieved with the following PowerShell command, run from an elevated prompt on a Domain Controller (or on any domain-joined machine with the ActiveDirectory RSAT module installed):
Get-ADComputer -Identity {machine_hostname} -Properties *
For a user to be discovered and reported by the Active Directory Integrator, the following attributes must be non-empty:
distinguishedName
name
objectGUID
objectClass
The details of a user can be retrieved with the following PowerShell command, run from an elevated prompt on a Domain Controller (or on any domain-joined machine with the ActiveDirectory RSAT module installed):
Get-ADUser -Identity {username} -Properties *
Note
Disabled entities (for example, disabled computer or user accounts) are not reported. If an entity already present on the reported list is disabled, it is dropped from the list at the next scheduled run.
When an entity (user, computer or security group) is moved from one organizational unit to another, the Active Directory Integrator reports the change at the next scheduled run.
When an entity (user or computer) is added to or removed from a security group, the Active Directory Integrator does not report the change, because security group membership is not tracked. For users, such changes are picked up by the user-aware rules for policies. See Configuring user rules for more details.
When the details of a user (for example department, title, sn, givenName, mail, mailNickname) are updated, the Active Directory Integrator reports the change at the next scheduled run.
A security group is reported whether or not it has members.
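The attribute rules for computers and users above, together with the rule that disabled accounts are skipped, can be applied across a whole domain or OU before you set up the integrator, so that missing endpoints do not come as a surprise after the first sync. The following script is an added example and is not Bitdefender code: it evaluates every computer and user under a search base against those rules and lists the ones the integrator would not report, with the reason. It needs the ActiveDirectory module (RSAT) and read access to the domain; the function names, parameter names and output columns are this example's own.

```powershell
# Added example (not Bitdefender code): preview which AD objects satisfy the
# integrator's attribute and enabled-state requirements.
Import-Module ActiveDirectory

# Attributes that must be non-empty, per object type (the lists above).
$script:ComputerRequired = 'distinguishedName','dNSHostName','objectGUID','name','sAMAccountName','objectSid'
$script:UserRequired     = 'distinguishedName','name','objectGUID','objectClass'

function Get-MissingAttributes {
    param(
        [Parameter(Mandatory)] $Object,              # an ADComputer or ADUser object
        [Parameter(Mandatory)] [string[]] $Required
    )
    # Emit the names of required attributes that are absent or empty on this object.
    foreach ($attr in $Required) {
        $value = $Object.$attr
        if ($null -eq $value -or [string]::IsNullOrEmpty([string]$value)) { $attr }
    }
}

function Get-ParentDn {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    # Strip the leading RDN; the lookbehind keeps escaped commas (\,) inside names intact.
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Get-IntegratorReportPreview {
    param(
        # Whole domain by default; pass an OU distinguished name to narrow the audit.
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Request exactly the attributes we check, so the comparison matches the rules.
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $script:ComputerRequired |
        ForEach-Object {
            $missing = @(Get-MissingAttributes -Object $_ -Required $script:ComputerRequired)
            [pscustomobject]@{
                Type      = 'computer'
                Name      = $_.Name
                Container = Get-ParentDn $_.DistinguishedName   # OU or container the object lives in
                Enabled   = [bool]$_.Enabled
                Missing   = $missing -join ','
                # Reported only when the account is enabled and nothing is missing.
                Reported  = [bool]$_.Enabled -and $missing.Count -eq 0
            }
        }

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $script:UserRequired |
        ForEach-Object {
            $missing = @(Get-MissingAttributes -Object $_ -Required $script:UserRequired)
            [pscustomobject]@{
                Type      = 'user'
                Name      = $_.Name
                Container = Get-ParentDn $_.DistinguishedName
                Enabled   = [bool]$_.Enabled
                Missing   = $missing -join ','
                Reported  = [bool]$_.Enabled -and $missing.Count -eq 0
            }
        }
}

# Typical use: show everything the integrator would skip, and why.
Get-IntegratorReportPreview |
    Where-Object { -not $_.Reported } |
    Sort-Object Type, Name |
    Format-Table Type, Name, Container, Enabled, Missing -AutoSize
```

In practice the computers that fail are usually disabled accounts or pre-staged computer objects that have never joined the domain, which have no dNSHostName yet. The Container column changes when an object is moved between OUs, which is the kind of change the integrator does report; group membership is deliberately not part of this preview because the integrator does not track it.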
Remove the Active Directory Integrator
To remove the role of Active Directory Integrator from an endpoint:
Log in to GravityZone Control Center.
Go to the Network page from the left side menu.
Navigate through the network inventory to the group that contains the Active Directory Integrator and select it.
Note
If you want to remove multiple integrators, you need to select one endpoint at a time.
Click the Integrations button at the upper side of the table and choose Remove Active Directory Integrator.
A confirmation message appears.
If no other endpoint in the same domain holds the Active Directory Integrator role, the confirmation message also warns that the domain will no longer be synchronized with GravityZone.
If the endpoint is offline, the Active Directory Integrator role is removed when it comes back online.
You can check whether any Active Directory Integrator was removed from your managed network in the User Activity section, by filtering the user logs with the following criteria:
Area: Active Directory
Action: Removed AD Integrator
For more information, refer to User Activity Log.
Remove the Active Directory integration
You can choose to remove one or several domains from the Active Directory folder, as follows:
Log in to GravityZone Control Center.
Go to the Network page from the left side menu.
Under the Network tree from the left pane, select the Active Directory folder.
Go to the right pane and select the folder of the domain you want to remove.
Click the Integrations button at the upper side of the table and choose Remove Active Directory Integration.
A confirmation message appears. It includes an option to delete the unmanaged endpoints from the Network Inventory. Note that this option is enabled by default, so clear it if you want to keep those entries. Click Confirm to proceed.
All endpoints under the selected domain are placed under the Computers and Groups folder (or back in their original groups), and the Active Directory Integrator role is removed from the endpoints of that domain that held it.
All policies that were assigned to the Active Directory folders or endpoints are unassigned. Each moved endpoint receives the policy assigned to the folder it is moved into.
Note
If no policy is assigned to that folder, the endpoints revert to the default policy.
Active Directory Integration vs Azure Active Directory Integration
Unlike the Active Directory integration, which imports the computer inventory from on-premises Active Directory, the Azure AD (now Microsoft Entra ID) integration does not import any inventory into GravityZone. It is used only to sign in to the Control Center with Single Sign-On authentication.
Note
For additional information on how to configure GravityZone Cloud SSO with Azure AD, refer to the corresponding GravityZone documentation page.