
How to set up and configure policies to use LDAP Groups or LDAP Containers

VERSION 8

Created on: Oct 21, 2008 2:23 PM by chad - Last Modified:  Nov 20, 2008 10:04 AM by chad

Description

 

Targeting machines through Active Directory is a very useful and convenient way to manage software deployments.

 

LANDesk Software Distribution allows you to target an LDAP container or LDAP group.

 

This document outlines the steps that you need to complete to get this working.

 

Steps to Configure LDAP Policies

 

1.  Enable LDAP enumeration on the agents

 

The LDAP Enumeration registry setting instructs the agent to gather its current LDAP location and report it in the machine's inventory.

 

The registry key which controls LDAP group enumeration behavior for Software Distribution is:

 

HKLM\Software\LANDesk\ManagementSuite\WinClient

 

DWORD: DisableLdapGroupEnumeration

1 (default) - feature is disabled

0 - feature is enabled

 

ScreenHunter_48.jpg

 

To make this configuration a permanent part of the default Agent configuration, do the following.

 

Browse to the LDLOGON share on the core server.  Open the ntstacfg.in# file with notepad.exe.  Search for ldap, which should take you to this section:

 

; LDAP groups can be enumerated on the client, this provides more information in the inventory
; database and faster targeting of LDAP groups.  This also generates network traffic between the
; client and the LDAP server, the following registry value can be used to disable this option

REG54=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\ManagementSuite\WinClient\DisableLdapGroupEnumeration, 0, , REG_DWORD

 

The default value is 1, which is Disabled.  Change this to 0, and save the file.

 

On the LANDesk Core server, go to Configure | Services | Inventory and restart the Inventory Service.  This will kick off stamper.exe, which builds the ntstacfg.ini file from the ntstacfg.in# file.

 

Next, in the LANDesk Console, go to Tools | Configuration | Agent Configuration and click the "Rebuild All" button.  This will rebuild the Agent_Name.ini file from the ntstacfg.in# file.

 

After doing this, all of the LANDesk Windows Agents will have LDAP enumeration enabled when the agent is installed.
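
To confirm on a client that the registry value from step 1 is in place, the following PowerShell check can be used. It is an added example, not part of the original article or LANDesk's own tooling; the function name, the Wow6432Node path (for a 32-bit agent on 64-bit Windows) and the treatment of a missing value as the default 1 are assumptions.

```powershell
# Added example: audit (and optionally set) the LDAP enumeration value from step 1.
# The key and value names come from this article. The Wow6432Node path is an
# assumption covering a 32-bit agent on 64-bit Windows.
function Get-LdapEnumerationState {
    [CmdletBinding()]
    param([switch]$Enable)   # -Enable writes 0 where the WinClient key exists (run elevated)

    $valueName = 'DisableLdapGroupEnumeration'
    $keys = @(
        'HKLM:\Software\LANDesk\ManagementSuite\WinClient',
        'HKLM:\Software\Wow6432Node\LANDesk\ManagementSuite\WinClient'  # assumption
    )

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }   # no agent key in this registry view

        if ($Enable) {
            # -Force creates the DWORD or overwrites an existing one
            New-ItemProperty -Path $key -Name $valueName -Value 0 `
                -PropertyType DWord -Force | Out-Null
        }

        $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        # The article gives 1 (disabled) as the default; a missing value is
        # assumed here to mean that default.
        $present = $null -ne $prop
        $value = if ($present) { [int]$prop.$valueName } else { 1 }

        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Key          = $key
            ValuePresent = $present
            Value        = $value
            Enumeration  = if ($value -eq 0) { 'Enabled' } else { 'Disabled' }
        }
    }
}

# Report only; add -Enable to set the value to 0.
Get-LdapEnumerationState | Format-Table -AutoSize
```

No output means neither WinClient key exists on the machine, so the agent is not installed or uses a different registry location.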

 

 

2. Configure the Directory Manager plugin

 

In the LANDesk Console, go to Tools | Distribution | Directory Manager.  Click the Key icon, and then the Add button.  Enter the credentials for a domain administrator or a user that can browse the domain.

 

 

ScreenHunter_49.jpg

 

After successfully authenticating to the Active Directory domain, the domain structure should be browsable.

ScreenHunter_66.jpg

 

 

3. Create the scheduled task that will target the LDAP objects.  For this example the scheduled task is a Required Policy.

 

ScreenHunter_59.jpg

 

Save the policy after adding the software package and the delivery method.

 

  Note:  At this point, the policy has no targeted devices.

 

4. To target the LDAP group or Active Directory OU, from Directory Manager drag the group or OU down onto the scheduled task.

 

Browse to the desired OU in Directory Manager and highlight it.

 

ScreenHunter_53.jpg

 

Drag and drop the OU to the Scheduled Task that was created.

ScreenHunter_61.jpg

 

The following window will come up, prompting for the kind of LDAP objects to find.  The selection depends on the type of query and on what is going to be targeted (users or machines).  For this example both types are selected.

 

ScreenHunter_62.jpg

 

Another window will come up to save the query.  The query must be saved.

 

ScreenHunter_63.jpg

 

After saving the query, the LDAP OU will be targeted in the scheduled task.  To view the LDAP target, look at the scheduled task under Target Devices.

 

ScreenHunter_64.jpg
