How to set up and configure policies to use LDAP Groups or LDAP Containers

Version 15

    Verified Product Versions

    Endpoint Manager 9.6
    Endpoint Manager 2016.x
    Endpoint Manager 2017.x



    Targeting machines through Active Directory is a very useful and convenient way to manage software deployments.


    Ivanti EPM Software Distribution allows you to target an LDAP container or LDAP group.


    This document outlines the steps that you need to complete to get this working.


    Steps to Configure LDAP Policies


    1. Enable LDAP enumeration on the agents


    The LDAP Enumeration registry setting instructs the agent to gather the current LDAP location and report this in the inventory of the machine.


    The registry value which controls LDAP group enumeration behavior for Software Distribution is:

    DWORD: DisableLdapGroupEnumeration
    0 (default) - feature is disabled
    1 - feature is enabled




    To make this configuration a permanent part of the default Agent configuration, do the following.


    Browse to the LDLOGON share on the core server.  Open the file with notepad.exe.  Search for "ldap", which should take you to this section:


    ; LDAP groups can be enumerated on the client, this provides more information in the inventory
    ; database and faster targeting of LDAP groups.  This also generates network traffic between the
    ; client and the LDAP server, the following registry value can be used to disable this option
    REG54=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\ManagementSuite\WinClient\DisableLdapGroupEnumeration, 0, , REG_DWORD


    The default value is 0 (disabled).  Change this to 1, and save the file.


    On the Ivanti EPM Core server, go to Configure | Services | Inventory and restart the Inventory Service.  This will run stamper.exe, which builds the ntstacfg.ini file from the file.


    Next, in the Ivanti EPM Console, go to Tools | Configuration | Agent Configuration and click the "Rebuild All" button.  This will rebuild the Agent_Name.ini file from the file.


    After doing this, all Ivanti EPM Windows Agents will have LDAP enumeration enabled when the agent is installed.
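    The rebuild above only affects agents installed afterwards, so an administrator will usually also want to check the value on agents that are already deployed.  The following PowerShell is an added example, not Ivanti's own code: it reads the DisableLdapGroupEnumeration value from the key shown in the ntstacfg entry above and, when asked, sets it to 1, using the 0 = disabled / 1 = enabled semantics this article gives.  Run it in an elevated session on the agent machine.

```powershell
# Added example (not part of the Ivanti article). Key path and value name
# are taken from the REG54 line in ntstacfg; semantics (0 = disabled,
# 1 = enabled) are as stated in the article.
$KeyPath   = 'HKLM:\SOFTWARE\LANDesk\ManagementSuite\WinClient'
$ValueName = 'DisableLdapGroupEnumeration'

function Get-LdapEnumerationState {
    # Returns a short description of the current setting on this agent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'missing (treated as default, 0 = disabled)' }
    switch ($item.$ValueName) {
        0       { 'disabled (0)' }
        1       { 'enabled (1)' }
        default { "unexpected value $($item.$ValueName)" }
    }
}

function Enable-LdapEnumeration {
    # Creates the key if the agent has never written it, then sets the
    # REG_DWORD value to 1. -Force overwrites an existing value in place.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

"Before: $(Get-LdapEnumerationState)"
Enable-LdapEnumeration
"After:  $(Get-LdapEnumerationState)"
```

    Because the value lives under HKEY_LOCAL_MACHINE, Get-LdapEnumerationState works from a standard session for auditing, while Enable-LdapEnumeration needs local administrator rights.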



    2. Configure the Directory Manager plugin


    In the Ivanti EPM Console, go to Tools | Distribution | Directory Manager.  Click the Key icon, and then the Add button.  Enter the credentials of a domain administrator or a user that can browse the domain.





    After successfully authenticating to the Active Directory domain, the domain structure should be browsable.




    3. Create the scheduled task that will target the LDAP objects.  For this example, the scheduled task is a Required Policy.




    Save the policy after adding the software package and the delivery method.


      Note:  At this point, the policy has no targeted devices.


    4. To target the LDAP group or Active Directory OU, from Directory Manager drag the group or OU down onto the scheduled task.


    Browse to the desired OU in Directory Manager and highlight it.




    Drag and drop the OU to the Scheduled Task that was created.



    The following window will come up, prompting for the kind of LDAP objects to find.  The choice depends on what the query is meant to target (users or machines).  For this example, both types are selected.




    Another window will come up to save the query.  The query must be saved.




    After saving the query, the LDAP OU will be targeted in the scheduled task.  To view the LDAP target, open the scheduled task and look under Target Devices.
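    Two things in steps 2 and 4 are worth checking before touching the console: that the account entered in Directory Manager can actually bind and browse the OU (a read-only directory account is enough for this, since step 2 only requires "a user that can browse the domain"), and which objects the saved query will match once the object kind (users, machines, or both) is chosen.  The following PowerShell is an added example, not Ivanti's code; the OU path and account name are placeholders, and it uses the .NET System.DirectoryServices classes rather than anything in EPM.

```powershell
# Added example (not part of the Ivanti article). $OuPath and the account
# name are placeholders; replace them with your own OU and bind account.
Add-Type -AssemblyName System.DirectoryServices

$OuPath  = 'LDAP://OU=Workstations,DC=example,DC=local'   # placeholder OU
$Account = 'EXAMPLE\svc-epm-ldap-read'                     # placeholder read-only account
$Cred    = Get-Credential -UserName $Account -Message 'Directory Manager bind account'

function Test-DirectoryBind {
    # Returns $true if the credentials can bind to the given LDAP path.
    param([string]$Path, [pscredential]$Credential)
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    try {
        $null = $entry.NativeObject   # forces the bind; throws on bad credentials or path
        return $true
    } catch {
        Write-Warning "Bind to $Path failed: $($_.Exception.Message)"
        return $false
    }
}

function Get-OuTargets {
    # Lists the distinguished names the query would match for the chosen
    # object kind, mirroring the "kind of LDAP objects to find" prompt.
    param(
        [string]$Path,
        [pscredential]$Credential,
        [ValidateSet('Computers', 'Users', 'Both')][string]$Kind = 'Both'
    )
    $filter = switch ($Kind) {
        'Computers' { '(objectCategory=computer)' }
        'Users'     { '(&(objectCategory=person)(objectClass=user))' }
        'Both'      { '(|(objectCategory=computer)(&(objectCategory=person)(objectClass=user)))' }
    }
    $root = New-Object System.DirectoryServices.DirectoryEntry($Path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 500      # paged results so large OUs are not truncated
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['distinguishedname'][0]
    }
}

if (Test-DirectoryBind -Path $OuPath -Credential $Cred) {
    # Machines only, which is what a Required Policy for software usually targets.
    Get-OuTargets -Path $OuPath -Credential $Cred -Kind Computers
}
```

    If Test-DirectoryBind fails with the account you plan to use, Directory Manager will fail in the same way; if Get-OuTargets returns nothing for the kind you selected, the saved query will leave the scheduled task with no targeted devices, which is the state described in the note under step 3.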