Synchronizing with Active Directory

This section gives an overview of Active Directory synchronization.

What does Active Directory synchronization do for me?

With Active Directory synchronization, you can synchronize Enterprise Console groups with Active Directory containers. New computers and containers discovered in Active Directory are copied into Enterprise Console automatically. You can also choose to protect discovered Windows workstations automatically. This allows you to minimize the time in which computers can become infected and reduce the amount of work you need to do to organize and protect computers.

Note: Computers running Windows server operating systems, Mac OS, Linux, or UNIX are not protected automatically. You must protect such computers manually.

After you have set up synchronization, you can set up email alerts to be sent to your chosen recipients about new computers and containers discovered during future synchronizations. If you choose to protect computers in synchronized Enterprise Console groups automatically, you can also set up alerts about automatic protection failures.

How does Active Directory synchronization work?

In Enterprise Console, you can have both “normal,” unsynchronized groups that you manage yourself and groups synchronized with Active Directory.

When setting up synchronization, you select or create a synchronization point: an Enterprise Console group to be synchronized with an Active Directory container. All computers and subgroups contained in that Active Directory container are copied into Enterprise Console and kept synchronized with Active Directory.

Note: To learn more about synchronization points, see What is a synchronization point? To learn more about synchronized groups, see What is a synchronized group?

After you set up synchronization with Active Directory, the synchronized part of the Enterprise Console group structure exactly matches the Active Directory container it is synchronized with. This means the following:

By default, synchronization occurs every 60 minutes. You may change the synchronization interval if required.

How do I approach synchronization?

You decide which groups to synchronize with Active Directory and how many synchronization points to set up. Consider whether the groups that will be created will be of a manageable size. You should be able to deploy software, and scan and clean up computers, easily. This is especially important for the initial deployment.

Note: If you have a complex Active Directory structure and want to synchronize domain local groups or nested Active Directory groups, please see knowledgebase article 122529 for information about enabling this functionality.

The recommended approach is as follows:

  1. Import the group structure (without computers), using the Import from Active Directory function. For instructions, see Import containers and computers from Active Directory.
  2. Review the imported group structure and choose your synchronization points.
  3. Set up group policies and apply them to the groups and subgroups. For instructions, see Create a policy and Assign a policy to a group.
  4. Synchronize your chosen synchronization points, one at a time, with Active Directory. For instructions, see Synchronize with Active Directory.
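
When reviewing candidate synchronization points (step 2), it helps to know how many computers each container would bring in and which of them would still need manual protection. The following is an added example, not part of the Sophos documentation or Enterprise Console: it assumes you have exported each computer's distinguishedName and operatingSystem attributes from Active Directory, and the OS heuristic, the size threshold and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample inventory (distinguishedName, operatingSystem), as an
# export of AD computer objects might look. Not real data.
SAMPLE = [
    ("CN=WS001,OU=Sales,OU=London,DC=example,DC=com", "Windows 10 Enterprise"),
    ("CN=WS002,OU=Sales,OU=London,DC=example,DC=com", "Windows 11 Pro"),
    ("CN=FS01,OU=Servers,OU=London,DC=example,DC=com", "Windows Server 2019 Standard"),
    ("CN=MAC7,OU=Design\\, Print,OU=London,DC=example,DC=com", "Mac OS X"),
    ("CN=WS900,CN=Computers,DC=example,DC=com", "Windows 10 Pro"),
    ("CN=BUILD1,OU=Servers,OU=London,DC=example,DC=com", "Ubuntu"),
]

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def auto_protectable(os_name):
    """Assumed heuristic: a Windows OS string without 'Server' is a workstation."""
    name = (os_name or "").lower()
    return name.startswith("windows") and "server" not in name

def plan(records, max_group_size):
    """Roll computers up into every ancestor container (a synchronization
    point also brings in its subgroups) and split them by protection mode."""
    totals = defaultdict(lambda: {"auto": 0, "manual": []})
    for dn, os_name in records:
        rdns = split_dn(dn)
        name, parents = rdns[0], rdns[1:]
        for i, rdn in enumerate(parents):
            if rdn.upper().startswith("DC="):
                break  # reached the domain components
            container = ",".join(parents[i:])
            if auto_protectable(os_name):
                totals[container]["auto"] += 1
            else:
                totals[container]["manual"].append(name)
    report = {}
    for container, t in totals.items():
        size = t["auto"] + len(t["manual"])
        report[container] = {"size": size, "auto": t["auto"],
                             "manual": sorted(t["manual"]),
                             "too_large": size > max_group_size}
    return report

if __name__ == "__main__":
    for container, row in sorted(plan(SAMPLE, max_group_size=3).items()):
        print(container, row)
```

Containers flagged too_large are candidates for choosing a lower-level synchronization point instead, and every name in a manual list is a computer that automatic protection will not cover.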