By adding your directory services to vScope’s discovery scope you will be allowed to build reports about user accounts, domains, groups or other information related to your directory service.
The short story – Adding directory service to Discovery Manager
Adding your directory service to the discovery scope is easy.
- Open the Discovery Manager
- Click + Add More
- Select your Directory service (Active Directory or LDAP)
- Enter Username, Password and Base DN (optional)
- Enter target = hostname/IP of your domain controller
- Click Next
If you stumbled on something related to “invalid credential” or are looking for more advanced information related to discovery services, please see below:
More information – Directory Services Credential
The directory services credential is used by vScope to discover your LDAP and Active Directory Domain Controllers. We will refer to these as DS (Directory Service).
From the Discovery Manager -> Credentials -> +CREDENTIAL -> Directory Services
Required. The username used to log into your DS.
- Active Directory:
OpenLDAP: Often a Dn specifying the admin user. Example:
Required. The password used in conjunction with your username to log into your DS. Should not be left empty.
Required. The type of the DS. Currently one of two options:
- AD – Active Directory
- LDAP – Generic LDAP (OpenLDAP)
vScope will attempt to identify the server type when connecting and might override the setting if it detects a better match.
Required. The type of protocol used when connecting to the DS.
- Plain – Plain unencrypted connection. Default port 389.
- LDAPS (recommended) – Encrypted connection. Default port 636.
- StartTLS – Encrypted connection, but it starts out as an unencrypted connection on which encryption is negotiated. Default port is 389 and will switch over to encrypted port (default 636) when negotiation is completed.
Optional. The root when binding to the DS. This specifies the starting point for all searches in the DS. It is recommended that this is always set to the root of the domain.
Limiting the scope of the searches can be done by using the advanced option Search Base Dn.
The Base Dn should always be entered as a Dn (Distinguished Name).
Example. Your domain is company.com. The base Dn should be entered as:
The Base Dn field can be left empty. vScope will attempt to find the Base Dn automatically. However, if there are multiple root Dns then vScope will not be able to determine which one to use. It is recommended that you always enter the Base Dn.
Expanding the Advanced-section allows you to specify even more information.
Optional. If specified, vScope will use this port when connecting to the DS regardless of the Connection Type (Plain, LDAPS, StartTLS) being used.
If not specified, vScope will automatically use the default port for the Connection Type being used. It is recommended that this field is left empty to use default settings.
Search Base Dn
Optional. The Search Base Dns are used to limit the scope of the searches performed by vScope.
One example: You have a root domain named company.com. Within that domain you have three countries:
Just configuring Base Dn to company.com and not using Search Base Dn will make vScope search the entire DS tree from company.com. This includes all three countries.
If you are only interested in data contained in ou=sweden you can specify the following as Search Base Dn:
If you are interested in both ou=sweden and ou=norway you specify the following setting:
Multiple entries are separated by a semicolon (;). If a semicolon exists within a Dn then it must be escaped, otherwise vScope will treat it as a separator between entries. Example:
Is parsed by vScope to:
NOTICE: Be careful using the Search Base Dn setting. If configured incorrectly, you might miss user group memberships.
Consider the following scenario:
swedishuser exists in the
It is a member of the group
The credential settings used are:
Search Base Dn:
When vScope performs searches it will search for all objects existing within
However, the group nordicgroup exists in ou=nordic,dc=company,dc=com, which is not included in the Search Base Dns. This group is never found in the searches performed by vScope, so the group membership is not found by vScope.
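The scenario above can be checked before a Search Base Dn is saved. The following is an added example, not vScope code: it takes an export of each user's group DNs and reports memberships whose group lies outside the configured search bases. The function names, the sample DNs (including the assumption that swedishuser lives in ou=sweden) and the lower-case comparison of DNs are assumptions made for the illustration.

```python
def split_dn(dn):
    """Split a DN into normalised RDNs; a backslash escapes the next char (RFC 4514)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep an escaped pair such as "\,"
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        if attr.strip():
            # Simplification: compare attribute and value case-insensitively.
            out.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return out

def is_under(dn, base):
    """True if dn equals base or sits below it in the directory tree."""
    d, b = split_dn(dn), split_dn(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b

def missed_memberships(member_of, search_bases):
    """(user, group) pairs where the user is in scope but the group is not."""
    def in_scope(dn):
        return any(is_under(dn, base) for base in search_bases)
    return [(user, group)
            for user, groups in member_of.items() if in_scope(user)
            for group in groups if not in_scope(group)]

# Constructed sample data (group DNs per user), not taken from a real directory.
SAMPLE_MEMBER_OF = {
    "cn=swedishuser,ou=sweden,dc=company,dc=com": [
        "cn=nordicgroup,ou=nordic,dc=company,dc=com",
        "cn=staff,ou=sweden,dc=company,dc=com"],
    "cn=norwegianuser,ou=norway,dc=company,dc=com": [
        "cn=nordicgroup,ou=nordic,dc=company,dc=com"],
}
SEARCH_BASES = ["ou=sweden,dc=company,dc=com"]

if __name__ == "__main__":
    for user, group in missed_memberships(SAMPLE_MEMBER_OF, SEARCH_BASES):
        print(f"outside Search Base Dn: {group}  (membership of {user})")
```

Adding ou=nordic,dc=company,dc=com to the search bases makes the report empty for this sample.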
Optional. If enabled, vScope will not report found client computers as potential new targets to scan. If disabled, client computers are reported as new targets and are scanned by credentials that match those targets.
An example: vScope finds the client computer ClientA during a scan of the DS. It is reported back as a new target and vScope resolves the IP of ClientA to 192.168.100.1.
In credential manager there is a WMI credential which is attached to the target range 192.168.100.0/24. This credential matches the IP of ClientA and ClientA is scanned using WMI.
Optional. If enabled, vScope will not report found server computers as potential new targets to scan. If disabled, server computers are reported as new targets and are scanned by credentials that match those targets.
Ignore Disabled Users
Optional. If enabled, vScope will not scan disabled user accounts. This means that these accounts will not be visible anywhere in the data presented by vScope.
Ignore Disabled Computers
Optional. If enabled, vScope will not scan disabled computers. Data from the DS about disabled computers will not be visible in the data presented by vScope.