Active Directory Organizational Units Grouping
In a Microsoft® Windows server environment, a useful type of directory object contained within domains is the organizational unit. Organizational units (OU) are Active Directory (AD) containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains.
FortiClient Manager allows for AD OU grouping in order to easily manage FortiClient/AD OU groups. After you synchronize the AD server to FortiClient Manager, all the AD OUs are imported into FortiClient Manager. You can then keep all the policies set on a FortiClient group up to date, even when new FortiClient users are added to AD OUs.
After a new user is added to an AD OU group and FortiClient is installed on the user’s computer, FortiClient automatically registers with FortiClient Manager. FortiClient Manager then automatically places the new user into the correct group based on the computer’s domain and computer name. After registration, FortiClient Manager sends the policies for the group the new user was placed in.
To add Active Directory Organizational Units to FortiClient Manager groups:
1. Create the LDAP (Active Directory) server settings that will use the Organizational Units (OU). Go to FortiClient Manager > Settings > LDAP Integration > LDAP Settings and click Create New.
2. Configure the LDAP server settings. See “Configuring LDAP settings”.
3. Create the OU group. Go to FortiClient Manager > Settings > LDAP Integration > AD OU Grouping and click Create New.
4. In the New AD Grouping window, enter the following information:
   Name: Enter a name for the AD OU grouping.
   LDAP Name: Select the name of the LDAP server created in Step 1.
   Root OU: Select the OU group level. You can select any OU as the root OU. All OUs under the root OU will be imported into the FortiClient groups.
   Description: Enter a description for the OU group.
5. Synchronize the AD OU and FortiClient. In the AD OU Grouping tab, click the Synchronizing with AD Server icon.
6. Once the synchronizing is complete, you can view the AD OU groups. Go to FortiClient Manager > Client/Group > Group. The OU groups are displayed in the tree.
The imported FortiClient group names consist of the names of each level in the OU starting from the Root OU. For example, if the Root OU is Accounting and the subsequent level is Purchasing, and then Canada and US at the same level, then the FortiClient group names will be Canada_Purchasing_Accounting and US_Purchasing_Accounting.
Figure 182: Example of how FortiClient Manager determines the group names for OU groups.
If an OU is deleted from the AD server, a delete icon is displayed on the group name in the tree and the word (Deleted) is shown next to the group name to indicate that it has been deleted from the AD server. The FortiClient group name remains in the list. You can copy its policy to another group and/or delete it from FortiClient Manager permanently.
7. Select the OU group from the tree to configure policies and browse FortiClient users. See “Configuring FortiClient agent settings”.
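The naming rule in step 6 can be checked before a synchronization. The following is an added example, not FortiClient Manager code: it predicts group names from OU distinguished names using the leaf-first, underscore-joined order of the Canada_Purchasing_Accounting example, and flags OUs whose predicted names coincide. The example.com DNs, the US_Purchasing OU, the function names, and the handling of the Root OU itself and of intermediate OUs are assumptions.

```python
import re
from collections import defaultdict

def split_dn(dn):
    """Split a DN into (ATTR, value) pairs; commas escaped as '\\,' stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns

def group_name(ou_dn, root_dn):
    """Predicted group name for an OU at or under root_dn, else None."""
    ou, root = split_dn(ou_dn), split_dn(root_dn)
    fold = lambda rdns: [(a, v.lower()) for a, v in rdns]  # AD names are case-insensitive
    if len(ou) < len(root) or fold(ou)[-len(root):] != fold(root):
        return None  # outside the Root OU, so not imported
    below_root = [v for a, v in ou[:len(ou) - len(root)] if a == "OU"]
    # Leaf first, Root OU last, joined with "_" (order taken from the page's example).
    return "_".join(below_root + [root[0][1]])

def predict_groups(ou_dns, root_dn):
    """Map each predicted group name to the OU DNs that would produce it."""
    groups = defaultdict(list)
    for dn in ou_dns:
        name = group_name(dn, root_dn)
        if name is not None:
            groups[name].append(dn)
    return dict(groups)

def ambiguous_names(groups):
    """Predicted names shared by more than one OU; review these before assigning policy."""
    return {name: dns for name, dns in groups.items() if len(dns) > 1}

# Constructed sample data (not from a real directory).
ROOT = "OU=Accounting,DC=example,DC=com"
SAMPLE_OUS = [
    "OU=Purchasing,OU=Accounting,DC=example,DC=com",
    "OU=Canada,OU=Purchasing,OU=Accounting,DC=example,DC=com",
    "OU=US,OU=Purchasing,OU=Accounting,DC=example,DC=com",
    "OU=US_Purchasing,OU=Accounting,DC=example,DC=com",  # underscore inside an OU name
    "OU=Sales,DC=example,DC=com",                        # outside the Root OU
]

if __name__ == "__main__":
    groups = predict_groups(SAMPLE_OUS, ROOT)
    for name, dns in sorted(groups.items()):
        print(name, "<-", dns)
    print("ambiguous:", sorted(ambiguous_names(groups)))
```

How FortiClient Manager itself treats OU names that contain an underscore is not stated on this page; the check only shows where the documented naming pattern cannot distinguish two OUs.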