Adding an Active Directory user data source

You can use an existing Active Directory connection to bring in user data. To add custom attributes for users that come from an Active Directory source, create and import a user data file that includes the users' first and last names, email or logon information, and the custom attributes you want to use. Symantec Data Loss Prevention automatically associates the file-based user data with the existing user records brought in from your Active Directory source.

Symantec Data Loss Prevention uses this Active Directory filter to retrieve user data (line breaks added for readability):
(&
  (objectClass=user)
  (objectCategory=person)
  (sAMAccountType=805306368)
  (!
    (|
      (&(sAMAccountType=805306368)(sAMAccountName=-*))
      (&(sAMAccountType=805306368)(sAMAccountName=_*))
    )
  )
)
Your Active Directory credentials must have permission to access the following user attributes (user attribute name, followed by the Active Directory attribute it is read from):

  Attribute                  Active Directory attribute
  FIRST_NAME                 givenName
  LAST_NAME                  sn
  EMAIL                      mail
  LOGIN_NAME                 sAMAccountName
  TELEPHONE                  telephoneNumber
  TITLE                      title
  COUNTRY                    co
  DEPARTMENT                 department
  EMPLOYEE_ID                employeeId
  STREET_ADDRESS             streetAddress
  LOCALITY_NAME              l
  POSTAL_CODE                postalCode
  STATE_OR_PROVINCE          st
  OBJECT_DISINGUISHED_NAME   distinguishedName
Your Active Directory credentials must also have permission to access the RootDSE record. Symantec Data Loss Prevention reads these attributes from RootDSE:

  namingContexts
  defaultNamingContext
  rootDomainNamingContext
  configurationNamingContext
  schemaNamingContext
  isGlobalCatalogReady
  highestCommittedUSN
To add an Active Directory user data source

  1. In the Enforce Server administration console, go to System > Users > Data Sources.
  2. On the Data Source Management page, click Add > AD User Source. The Add AD User Source dialog box appears.
  3. In the Add AD User Source dialog box, enter the following information:
     • Name: Specify a name for the data source.
     • Directory Connection: Select an existing Active Directory connection.
     • Advanced Options > AD Custom Filter: Specify an optional filter for your Active Directory user data source, such as a workgroup. For example:
       (&(region=North America)(!(systemAccount=true)))
  4. Click Submit.
As a best practice, use directory connection objects whose baseDN points at the user section of your directory tree. For example:
ou=Users,dc=corp,dc=company,dc=com
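The following is an added example, not part of this documentation or of the product: it assembles the search that the data source issues (the base filter above, ANDed with an optional AD Custom Filter, an assumed composition), rejects a custom filter that is not well formed under RFC 4515, escapes values placed into a filter, and produces ldapsearch commands an administrator can run with the service account to confirm it can read RootDSE and the required user attributes under the chosen baseDN.

```python
import re
# LDAP filter the page says the product uses, with the readability whitespace removed.
BASE_FILTER = (
    "(&(objectClass=user)(objectCategory=person)(sAMAccountType=805306368)"
    "(!(|(&(sAMAccountType=805306368)(sAMAccountName=-*))"
    "(&(sAMAccountType=805306368)(sAMAccountName=_*)))))"
)
# Product field -> AD attribute, as listed above; the service account must be able to read them.
USER_ATTRS = {
    "FIRST_NAME": "givenName", "LAST_NAME": "sn", "EMAIL": "mail",
    "LOGIN_NAME": "sAMAccountName", "TELEPHONE": "telephoneNumber",
    "TITLE": "title", "COUNTRY": "co", "DEPARTMENT": "department",
    "EMPLOYEE_ID": "employeeId", "STREET_ADDRESS": "streetAddress",
    "LOCALITY_NAME": "l", "POSTAL_CODE": "postalCode",
    "STATE_OR_PROVINCE": "st", "OBJECT_DISINGUISHED_NAME": "distinguishedName",
}
ROOTDSE_ATTRS = ["namingContexts", "defaultNamingContext", "rootDomainNamingContext",
                 "configurationNamingContext", "schemaNamingContext",
                 "isGlobalCatalogReady", "highestCommittedUSN"]
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value: str) -> str:
    # RFC 4515 escaping, so a value taken from configuration cannot alter the filter's structure.
    return "".join(_ESCAPES.get(c, c) for c in value)

def filter_is_well_formed(f: str) -> bool:
    # Structural check only: balanced parentheses and every &, | or ! operator followed
    # by a parenthesised sub-filter, as RFC 4515 requires ("(!a=b)" is rejected).
    depth = 0
    for c in f:
        depth += {"(": 1, ")": -1}.get(c, 0)
        if depth < 0:
            return False
    return depth == 0 and f.startswith("(") and not re.search(r"\([&|!][^(]", f)

def combined_filter(custom=None) -> str:
    # Assumed composition (not stated on the page): base filter ANDed with the custom filter.
    if not custom:
        return BASE_FILTER
    custom = custom.strip()
    if not filter_is_well_formed(custom):
        raise ValueError("rejecting malformed AD Custom Filter: " + custom)
    return "(&" + BASE_FILTER + custom + ")"

def verification_commands(base_dn: str, custom=None) -> list:
    # ldapsearch calls (bind options -H/-D/-W omitted) to check RootDSE and user attribute access.
    rootdse = "ldapsearch -LLL -s base -b '' " + " ".join(ROOTDSE_ATTRS)
    users = ("ldapsearch -LLL -b '%s' '%s' " % (base_dn, combined_filter(custom))
             + " ".join(USER_ATTRS.values()))
    return [rootdse, users]
```

An empty result from the second command, or missing attributes in the entries it returns, points at a permission or baseDN problem before the data source is created in the console.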