Importing data from Active Directory


Importing data from Active Directory

The Engine provides an out the box integration with Active Directory to retrieve the following information via the Lightweight Directory Access Protocol (LDAP):

  • User: Distinguished Name, Full name, Department, Job title.
  • Device: Distinguished Name.
  • Printer: Location.
  • Destination: Name.

This article discusses data integration from Active Directory and should not be confused with Active Directory Authentication.

LDAPv3 and Active Directory

Reference document: Active Directory LDAP Compliance provided by Microsoft.

Windows Server 2000

The Windows 2000 implementation of Active Directory is an LDAP-compliant directory supporting the core LDAPv3 RFCs available.

Windows Server 2003

Building on the foundation established in Windows 2000 Server, the Active Directory service in Windows Server 2003 is offering new LDAPv3 capabilities:

  • Transport Layer Security (TLS) - Connections to Active Directory over LDAP can now be protected using the TLS security protocol.
  • Digest Authentication Mechanism - Connections to Active Directory over LDAP can now be authenticated using the DIGEST-MD5 Simple Authentication and Security Layer (SASL) authentication mechanism. The Windows Digest Security Support Provider (SSP) provides an interface for using Digest Authentication as an SASL mechanism.

Windows Server 2008 and 2012

Both Windows Server 2008 and Windows Server 2012 support LDAPv3.

Other implementations

Although Nexthink officially supports Active Directory based on Windows Servers only, other LDAPv3 compliant implementations (such as OpenLDAP) should work as long as the schema in use is the same as in Active Directory.

Setting Up Active Directory Authentication

LDAP servers require an authenticated connection before they will allow queries (searches). This authenticated connection is called a bind. Most LDAPs allow an anonymous bind─where no username or password is submitted; however, others restrict searches to its members and require an authenticated username and password. An Active Directory server requires authenticated access for read-only searches, and you need to have a bind DN and the corresponding bind password. The syntax for the bind DN depends on the LDAP server itself:

NetBIOS logon name
<domain name>\<username>
Active Directory User Principal Name (UPN)
[email protected]
Distinguished Name
CN=username, OU=users, DC=domain, DC=name

The Engine supports the authenticated method using the Distinguished Name syntax only.

Configuring the Engine through the Web-console

  1. Connect to the Web Console (by default
  2. On the left menu, go to Engine > Active Directories.
  3. Click the plus symbol on the right to add a new Active Directory server.
  4. Complete the LDAP Server Connection fields as follows:
    • LDAP server name: The generic name for your LDAP server. Example: if you write “”, the usernames in the Finder will be shown as [email protected]
    • LDAP Server:Enter here the IP address of your Active Directory server (we currently do not support the DNS or Netbios name) and the TCP server port (usually 389).
    • LDAP Bind DN: The Distinguished Name. Example: CN=reflexengine, CN=applications, OU=servers, DC=company, DC=local.
    • LDAP Bind Password: Enter the password corresponding to the LDAP Bind DN account.
    • LDAP Base DN: The Base DN to be used as a starting point for directory searches. Base DN is usually derived from the Bind DN by removing the user name and specifying the group where users are located. Example: If Distinguished Name = “CN=reflexengine, CN=applications, OU=servers, DC=company, DC=local”, you can choose the Base DN as “DC=company, DC=local”.
    • LDAP Scope: The SCOPE setting is the starting point of an LDAP search and the depth from the base DN to which the search should occur. There are three options (values) that can be assigned to the LDAP SCOPE parameter (we strongly recommend the SUBTREE scope option):
      • BASE: This value is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
      • ONELEVEL: This value is used to indicate searching all entries one level under the base DN - but not including the base DN and not including any entries under that one level under the base DN.
      • SUBTREE: This value is used to indicate searching of all entries at all levels under and including the specified base DN. Threescopeoption.png
  5. Click on Save (the Engine reboots).

Trusted Domains

Due to the technology used to query Active Directory, the Engine retrieves information from those objects belonging to the domain specified in the configuration only (see LDAP Base DN above). It does not follow referrals nor retrieve any information from objects in other domains, even when these other domains share a trust relationship with the configured domain.

Add as many Active Directory servers to the configuration as needed to retrieve objects from several domains.

Querying Active Directory to obtain a User's Distinguished Name

For testing purposes, we advise you to use a powerful tool from Microsoft called Active Directory Explorer. Download it from here.

Here is an example on how you can retrieve a user's DN using this tool :

  1. Connect to your AD using your windows username.
  2. Click on Search > "class = User -- user" > "Attribute = sAMAccountname" > "relation = is" > "value = YOUR Windows username", then click on Add.
  3. Click on Search to retrieve the corresponding user's DN.

Active Directory data retrieval

The Engine queries its configured LDAP servers each time that it discovers a new user or a new device.


Engines do not automatically refresh LDAP information once they have retrieved it for a particular user or device. It is however possible to force a manual update via the Finder:

  1. Log in to the Finder as administrator.
  2. Click the sprocket icon in the top right corner of the Finder window.
  3. Select the option Synchronize with Active Directory....

The Finder schedules a synchronization with Active Directory data.

The operations described in this article should only be performed by a Nexthink Engineer or a Nexthink Certified Partner.

If you need help or assistance, please contact your Nexthink Certified Partner.