Adding an Active Directory user data source
You can use an existing Active Directory connection to bring in user data. To add custom attributes for users that are added from an Active Directory source, create and import a user data file that includes the users' first and last names, email or logon information, and the custom attributes you want to use.
Symantec Data Loss Prevention automatically associates the file-based user data with the existing user records brought in from your Active Directory source.

Symantec Data Loss Prevention uses this Active Directory filter to retrieve user data (line breaks added for readability):

(&
  (objectClass=user)
  (objectCategory=person)
  (sAMAccountType=805306368)
  (!
    (|
      (&(sAMAccountType=805306368)(sAMAccountName=-*))
      (&(sAMAccountType=805306368)(sAMAccountName=_*))
    )
  )
)

That is, the filter selects normal user accounts only (sAMAccountType 805306368 excludes computer accounts, and objectClass=user excludes contacts) and skips any account whose sAMAccountName begins with a hyphen or an underscore.
Your Active Directory credentials must have permission to access the following user attributes (Symantec Data Loss Prevention attribute, followed by the Active Directory attribute it is read from):

- FIRST_NAME: givenName
- LAST_NAME: sn
- LOGIN_NAME: sAMAccountName
- TELEPHONE: telephoneNumber
- TITLE: title
- COUNTRY: co
- DEPARTMENT: department
- EMPLOYEE_ID: employeeId
- STREET_ADDRESS: streetAddress
- LOCALITY_NAME: l
- POSTAL_CODE: postalCode
- STATE_OR_PROVINCE: st
- OBJECT_DISINGUISHED_NAME: distinguishedName
Your Active Directory credentials must also have permission to access the RootDSE record. Symantec Data Loss Prevention reads these attributes from RootDSE:

- namingContexts
- defaultNamingContext
- rootDomainNamingContext
- configurationNamingContext
- schemaNamingContext
- isGlobalCatalogReady
- highestCommittedUSN
To add an Active Directory user data source:

- In the Enforce Server administration console, go to System > Users > Data Sources.
- On the Data Source Management page, click Add > AD User Source. The Add AD User Source dialog box appears.
- In the Add AD User Source dialog box, enter the following information:
  - Name: Specify a name for the data source.
  - Directory Connection: Select an existing Active Directory connection.
  - Advanced Options > AD Custom Filter: Specify an optional filter for your Active Directory user data source, such as a workgroup. For example: (&(region=North America)(!systemAccount=true))
- Click Submit.
As a best practice, refer to directory connection objects whose baseDNs point at the user section of your directory tree. For example:

ou=Users,dc=corp,dc=company,dc=com
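To see which directory entries the product's user filter selects, and how an AD Custom Filter narrows that set further, here is an added example (not Symantec code) that runs a small RFC 4515 filter evaluator over constructed sample entries. The sample entries, their attribute values, the entry() helper and the combined filter are assumptions made for this example; the custom filter is written with the negated term parenthesised, (!(systemAccount=true)), which is the form the RFC 4515 grammar specifies.

```python
# Minimal RFC 4515 filter evaluator (&, |, !, equality with '*' wildcards) written
# here to show which entries the DLP user filter selects. Illustrative, not Symantec code.
import re
# The documented DLP user filter with the line breaks and spaces removed.
DLP_USER_FILTER = (
    "(&(objectClass=user)(objectCategory=person)(sAMAccountType=805306368)"
    "(!(|(&(sAMAccountType=805306368)(sAMAccountName=-*))"
    "(&(sAMAccountType=805306368)(sAMAccountName=_*)))))"
)

def parse(s, i=0):
    """Parse the filter starting at s[i]; return (node, index just past it)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":  # AND / OR over a list of child filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i] == "!":  # NOT over exactly one parenthesised child
        node, i = parse(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)  # simple item such as (sAMAccountName=_*)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against a dict of attribute -> value or [values]."""
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    # Names and AD string values compare case-insensitively; '*' is a wildcard.
    pattern = ".*".join(re.escape(p) for p in node[2].split("*"))
    vals = next((v for k, v in entry.items() if k.lower() == node[1].lower()), [])
    vals = vals if isinstance(vals, list) else [vals]
    return any(re.fullmatch(pattern, str(v), re.I) for v in vals)
def select_users(filter_text, entries):
    """Return the sAMAccountName of every entry the filter selects."""
    tree, _ = parse(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]
def entry(name, sam_type=805306368, classes=("user",), **extra):
    """Build a constructed sample entry (not real directory data)."""
    return {"objectClass": ["top", "person", *classes], "objectCategory": "person",
            "sAMAccountType": sam_type, "sAMAccountName": name, **extra}

ENTRIES = [entry("jdoe", region="North America"), entry("bsmith", region="EMEA"),
           entry("_svc_backup", systemAccount="TRUE"), entry("-admin"),  # '_'/'-' prefix
           entry("WS01$", 805306369, ("user", "computer"), objectCategory="computer")]
```

Wrapping the product filter and the custom filter in an outer (&...) reproduces the effective query: select_users on ENTRIES returns jdoe and bsmith for the product filter alone, and only jdoe once the region filter is added.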