How to set up and configure policies to use LDAP Groups or LDAP Containers

Version 15

    Verified Product Versions

    Endpoint Manager 9.6
    Endpoint Manager 2016.x
    Endpoint Manager 2017.x

    Description

     

    Targeting machines through Active Directory is a very useful and convenient way to manage software deployments.

     

    Ivanti EPM Software Distribution allows you to target an LDAP container or LDAP group.

     

    This document outlines the steps that you need to complete to get this working.

     

    Steps to Configure LDAP Policies

     

    1.  Enable LDAP enumeration on the agents

     

    The LDAP enumeration registry setting instructs the agent to look up its own location in the directory and the LDAP groups it belongs to, and to report them in the machine's inventory. The core then resolves LDAP-targeted policies from inventory instead of querying the directory for every device.

     

    The registry key which controls LDAP group enumeration behavior for Software Distribution is:

     

    HKLM\Software\LANDesk\ManagementSuite\WinClient

     

    DWORD: DisableLdapGroupEnumeration

    0 (default) - feature is disabled

    1 - feature is enabled

    Note the naming: the value is called DisableLdapGroupEnumeration, and the comment next to it in ntstacfg.in# describes it as a switch for disabling enumeration, while this article treats 1 as the enabled state. Before rolling the change out, set it on one test client, run an inventory scan, and confirm that LDAP group and location data appears in that device's inventory.

     

    [Screenshot: DisableLdapGroupEnumeration value under the WinClient registry key (ScreenHunter_48.jpg)]

     

    To make this configuration a permanent part of the default Agent configuration, do the following.

     

    Browse to the LDLOGON share on the core server.  Open the ntstacfg.in# file with notepad.exe.  Search for ldap, which should take you to this section:

     

    ; LDAP groups can be enumerated on the client, this provides more information in the inventory
    ; database and faster targeting of LDAP groups.  This also generates network traffic between the
    ; client and the LDAP server, the following registry value can be used to disable this option
    
    REG54=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\ManagementSuite\WinClient\DisableLdapGroupEnumeration, 0, , REG_DWORD

     

    The default value is 0 which is Disabled.  Change this to 1, and save the file.

     

    On the Ivanti EPM Core server, go to Configure | Services | Inventory and restart the Inventory Service.  This will run stamper.exe, which builds the ntstacfg.ini file from the ntstacfg.in# file.

     

    Next, in the Ivanti EPM Console, go to Tools | Configuration | Agent Configuration and click the "Rebuild All" button.  This will rebuild the Agent_Name.ini file from the ntstacfg.in# file.

     

    After this, every Windows agent installed or redeployed from the rebuilt configuration will have LDAP enumeration enabled. Agents that are already in place keep their current value until they are redeployed or the registry value is set on them directly.
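The same step 1 change done from PowerShell, as an added example that is not part of the original article: Part A switches the REG line in ntstacfg.in# on the core (keeping a backup and refusing to run if the line is missing or duplicated), and Part B sets the value directly on an agent that is already installed and reads it back. The core install path and the reading that 1 means enumeration is on (as this article states) are assumptions.

```powershell
# Added example, not from the original article. Part A runs on the core server,
# Part B on a Windows agent that is already installed. Assumed: the default core
# install path below, and this article's reading that 1 = enumeration enabled
# (the value's name suggests the opposite, so verify on a test client first).

# ---- Part A: core server - switch the value in the agent template ntstacfg.in# ----
$template = 'C:\Program Files\LANDesk\ManagementSuite\ldlogon\ntstacfg.in#'   # assumed path
if (-not (Test-Path -LiteralPath $template)) { throw "Template not found: $template" }

# Match the REG<n>= line for this value whatever its number, so nothing else in
# the template can be touched by the replace.
$pattern = '^(REG\d+=HKEY_LOCAL_MACHINE, SOFTWARE\\LANDesk\\ManagementSuite\\WinClient\\DisableLdapGroupEnumeration, )(\d+)(, , REG_DWORD)\s*$'

$lines = Get-Content -LiteralPath $template
$hits  = @($lines | Where-Object { $_ -match $pattern })
if ($hits.Count -ne 1) {
    throw "Expected exactly one DisableLdapGroupEnumeration line in $template, found $($hits.Count)"
}

Copy-Item -LiteralPath $template -Destination "$template.bak" -Force       # keep the original
# The template is plain ASCII (assumption); write it back the same way.
$lines -replace $pattern, '${1}1${3}' | Set-Content -LiteralPath $template -Encoding Ascii
Get-Content -LiteralPath $template | Where-Object { $_ -match $pattern }  # show the edited line
# Now restart the Inventory service and click Rebuild All in Agent Configuration, as above.

# ---- Part B: Windows agent - set the value on a machine that already has the agent ----
$regPath   = 'HKLM:\SOFTWARE\LANDesk\ManagementSuite\WinClient'
$valueName = 'DisableLdapGroupEnumeration'
$desired   = 1   # the article's "enabled" setting (see the note on the value's name)

if (-not (Test-Path -Path $regPath)) {
    throw "Key $regPath not found; is the Ivanti EPM agent installed on this machine?"
}
$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value $desired | Out-Null
} elseif ($item.$valueName -ne $desired) {
    Set-ItemProperty -Path $regPath -Name $valueName -Value $desired
}
$after = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
'{0}\{1} = {2}' -f $regPath, $valueName, $after
# Run an inventory scan afterwards so the core receives the device's LDAP data.
```

Part B is the piece to push to existing agents (for example as a scheduled task) if you do not want to wait for a redeployment; Part A only affects agents built from the template afterwards.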


    2. Configure the Directory Manager plugin

     

    In the Ivanti EPM Console, go to Tools | Distribution | Directory Manager.  Click the Key icon, and then the Add button.  Enter the credentials of an account that can browse the domain.  A domain administrator account works, but it is not required: by default any authenticated domain user can read the directory structure, so a dedicated low-privilege account is sufficient and limits the damage if the stored credential is ever exposed.


    [Screenshot: Directory Manager credentials dialog (ScreenHunter_49.jpg)]

     

    After successfully authenticating to the Active Directory domain, the domain structure should be browsable.

    [Screenshot: domain structure browsable in Directory Manager (ScreenHunter_66.jpg)]


    3. Create the scheduled task that will target the LDAP objects.  In this example the scheduled task is a Required Policy.

     

    [Screenshot: Required Policy scheduled task (ScreenHunter_59.jpg)]

     

    Save the policy after adding the software package and the delivery method.

     

      Note:  At this point, the policy has no targeted devices.

     

    4. To target the LDAP group or Active Directory OU, drag the group or OU from Directory Manager onto the scheduled task.

     

    Browse to the desired OU in Directory Manager and highlight it.

     

    [Screenshot: OU highlighted in Directory Manager (ScreenHunter_53.jpg)]

     

    Drag and drop the OU to the Scheduled Task that was created.

    [Screenshot: OU dragged onto the scheduled task (ScreenHunter_61.jpg)]

     

    The following window will come up, prompting for the kind of LDAP objects to find.  The right choice depends on what the policy is meant to target: machines, users, or both.  For this example, both types are selected.

     

    [Screenshot: prompt for the kind of LDAP objects to find (ScreenHunter_62.jpg)]

     

    Another window will come up to save the query.  The query must be saved before the target is applied to the task.

     

    [Screenshot: save query dialog (ScreenHunter_63.jpg)]

     

    After saving the query, the LDAP OU will be targeted in the scheduled task.  To see the LDAP target, see the scheduled task under Target Devices.

     

    [Screenshot: LDAP target listed under Target Devices for the scheduled task (ScreenHunter_64.jpg)]
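Before entering an account in Directory Manager (step 2) and dragging an OU or group onto the task (step 4), it is worth checking from PowerShell that the account can bind and browse, that it is not more privileged than it needs to be, and which objects the container or group actually contains. The following is an added example, not part of the original article or of the Ivanti product; the domain, OU and group DNs are placeholders to replace with your own, and the LDAP filters are the conventional Active Directory ones for computers and users, not the query EPM itself builds. It uses only the .NET System.DirectoryServices classes, so it runs without the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original article or the Ivanti product. The DNs and
# the group name are placeholders; replace them with your own.
$domainDn    = 'DC=corp,DC=example'
$targetOu    = "OU=Workstations,$domainDn"
$targetGroup = "CN=SD-Targets,OU=Groups,$domainDn"
$kind        = 'machines'   # 'machines', 'users' or 'both', mirroring the prompt in step 4

$cred = Get-Credential -Message 'Account you intend to give Directory Manager'
$user = $cred.UserName                           # DOMAIN\name or name@domain
$pass = $cred.GetNetworkCredential().Password

function New-Entry([string]$Dn) {
    # Bind as the Directory Manager account, not the logged-on user, so the test
    # exercises exactly the permissions that account has.
    New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Dn", $user, $pass
}

function Find-Dns([string]$BaseDn, [string]$Filter) {
    $s = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList (New-Entry $BaseDn)
    $s.Filter   = $Filter
    $s.PageSize = 500     # paged search; an OU with >1000 objects otherwise hits the server size limit
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    $s.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

# 1. Can the account bind and read the domain at all? Bad credentials throw here.
(New-Entry $domainDn).RefreshCache()

# 2. Is it more privileged than needed? Browsing the directory needs no admin rights.
$who = if ($user -like '*@*') { "(userPrincipalName=$user)" } else { "(sAMAccountName=$(($user -split '\\')[-1]))" }
$me  = @(Find-Dns $domainDn "(&(objectCategory=person)$who)")
if ($me.Count -ne 1) { throw "Could not resolve $user to exactly one user object" }
$memberOf = @((New-Entry $me[0]).Properties['memberOf'] | ForEach-Object { $_ })
if ($memberOf -match '^CN=(Domain|Enterprise) Admins,') {
    Write-Warning "$user is a domain or enterprise admin; give Directory Manager a dedicated read-only account instead."
}

# 3. Preview what the OU or group target resolves to. Conventional AD filters for
# computer and user objects (assumption: the article does not show EPM's own query).
$filters = @{
    machines = '(objectCategory=computer)'
    users    = '(&(objectCategory=person)(objectClass=user))'
}
$selected = if ($kind -eq 'both') { @($filters.Values) } else { @($filters[$kind]) }
foreach ($f in $selected) {
    "--- objects under $targetOu matching $f ---"
    Find-Dns $targetOu $f
    # LDAP_MATCHING_RULE_IN_CHAIN follows nested group membership; a plain memberOf= clause is direct members only.
    "--- members of $targetGroup matching $f ---"
    Find-Dns $domainDn "(&$f(memberOf:1.2.840.113556.1.4.1941:=$targetGroup))"
}
```

If the listed computers are not the ones you expect the policy to reach, fix the OU or group membership before dragging it onto the task; the policy's Target Devices list is only as accurate as the directory and the inventory data the agents report.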