Active Directory Tab

This tab lists the domain (or domains) for which the inventory beacon collects information from Active Directory. This information includes sites, subnets, computers, groups, and users, and can save you a lot of data entry in IT Asset Management.

Tip: If you have a hierarchy of domains, you must separately collect Active Directory data from each domain and subdomain. This is because IT Asset Management respects the separation of your domains (for example, isolating development or testing domains), and also needs to collect both the group membership and the foreign security principal objects from each domain and subdomain. You may achieve this either by having an inventory beacon within a target domain, or by using an inventory beacon that either has a trusted relationship with the target domain, or a username and password to access the target domain.

The following general principles apply to the Active Directory import. These principles apply equally to both computers and users imported from Active Directory; but to allow simpler explanation, we use the user records as our example:

  • Only users who are currently enabled in Active Directory are imported. Users disabled in Active Directory (or deleted from it, obviously) are not imported.

  • A user who was previously enabled and imported from Active Directory, but who is now disabled and not imported, is automatically deleted from IT Asset Management provided that she is not present in any other inventory source. (The general principle is that a user record is deleted when the user disappears from the last inventory source that identifies her.) Note that 'inventory source' here means Active Directory or another source like SCCM that provides independent user records; it is not sufficient to have a user name merely referenced in inventory from inventory devices.

Tip: Digging deeper, the deletion within IT Asset Management happens in these stages:

  1. The upload from the inventory beacon is first resolved into the inventory database. During that process, missing/disabled computers/users in Active Directory are automatically removed from the inventory database (only).

  2. Immediately after the update to the inventory database, a specialized import into the compliance database is triggered. This is for Active Directory data only, and this specialized import does not delete any user/computer records originally from Active Directory that are already in the compliance database from earlier imports. This means that, while new records in Active Directory are visible in Flexera One relatively soon after the AD import on the inventory beacon, deletions from Active Directory are not visible in the same time-frame.

  3. When the next full inventory import (from all inventory sources) occurs, which by default is overnight, records that have disappeared from the inventory database, and that do not separately appear in any other inventory source, are removed from the compliance database. It is the cross-checking against all inventory sources that means this clean-up can occur only as part of the full inventory import, normally triggered immediately before the nightly license consumption (compliance) calculations. As a result, records deleted from Active Directory are normally visibly removed from Flexera One the day after the relevant AD import by an inventory beacon.

  • When a user is deleted (whether automatically as just described, or manually), all references to the user from other objects are automatically cleared as well. For example, suppose you had previously linked a user to an asset record. If this user is now deleted, the reference is also removed from the asset record. In another example, if the user had previously been referenced as the calculated user for an inventory device, these references are also cleaned up. In other words, it does not matter whether the link from a user to another object was made automatically or manually, clean-up can proceed.
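The staged deletion described above can be modelled in a few lines, which helps when reasoning about how long a disabled account remains visible. This is an added illustration, not Flexera code: the function names, the set-based "databases", and the sample users are all hypothetical, and the model tracks only imported user records.

```python
# Toy model of the three deletion stages (hypothetical names, constructed data).
# inventory_db maps an inventory source name to the set of users it identifies;
# compliance_db is the set of user records visible in the product.

def resolve_ad_upload(inventory_db, ad_snapshot):
    """Stage 1: only enabled AD users survive in the inventory database."""
    inventory_db["ad"] = {u for u, enabled in ad_snapshot.items() if enabled}

def ad_only_import(compliance_db, inventory_db):
    """Stage 2: AD-only import is additive; it never deletes records."""
    compliance_db |= inventory_db["ad"]

def full_import(compliance_db, inventory_db):
    """Stage 3: cross-check every source; drop users no source identifies."""
    known = set().union(*inventory_db.values())
    removed = compliance_db - known
    compliance_db -= removed
    compliance_db |= known
    return removed

def demo():
    # Constructed sample: SCCM independently provides a record for bob.
    inventory_db = {"ad": set(), "sccm": {"bob"}}
    compliance_db = set()

    # Day 1: three enabled users are collected from Active Directory.
    resolve_ad_upload(inventory_db, {"alice": True, "bob": True, "carol": True})
    ad_only_import(compliance_db, inventory_db)
    full_import(compliance_db, inventory_db)

    # Day 2: alice and bob are disabled in AD, dave is new.
    resolve_ad_upload(
        inventory_db,
        {"alice": False, "bob": False, "carol": True, "dave": True},
    )
    ad_only_import(compliance_db, inventory_db)
    after_ad_import = set(compliance_db)   # dave visible, alice still visible

    # Overnight: the full import finally removes alice; bob stays via SCCM.
    removed = full_import(compliance_db, inventory_db)
    return after_ad_import, removed, set(compliance_db)

if __name__ == "__main__":
    for label, users in zip(("after AD import", "removed", "final"), demo()):
        print(f"{label}: {sorted(users)}")
```

In the model, the disabled user who also exists in SCCM is never removed, which matches the rule that a record is deleted only when it disappears from the last inventory source that identifies it.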

The Active Directory data is collected by the inventory beacon at the time of your choosing. Completed collections are uploaded to the cloud promptly (the uploader is triggered by default every ten minutes). Once completely staged in the cloud, the data is immediately imported into your compliance database.

For details about the available columns, see Importing From Active Directory.