tags: - General - Onboarding
Nanitor AD Data collections
Nanitor has three different AD data-collection features (plus LDAP login, which is separate), only one of which can be considered an AD sync. This article will cover these differences.
Different types of AD interactions
1. Device system check-in (includes OU)
The device's Distinguished Name (DN) is one of many fields the agent collects during its regular system info check-in (defaulting to every 6h). The server parses the DN to extract the OU, which is then populated in the OU column in Asset Inventory. This isn't a separate AD feature; it's just part of the normal system info payload alongside hostname, OS, IPs, etc. If the device is off, none of these fields, including the OU, are refreshed. Once the device goes inactive, nothing about it is updated, the OU included, and all of its information becomes stale.
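As an added illustration (not Nanitor's own code), here is how an OU column can be derived from a computer object's DN: split the DN into RDNs following RFC 4514 escaping, keep the `OU=` components, and reverse them so the top-level OU comes first. The DN values in the comments are constructed samples.

```python
"""Illustrative DN-to-OU parser (example code, not Nanitor's implementation).
Escaped characters such as '\\,' inside an RDN value are handled per RFC 4514,
so an OU named 'Sales, EMEA' is not mistaken for two RDNs."""


def split_dn(dn: str) -> list:
    """Split a DN string into its RDN strings on unescaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def ou_path(dn: str) -> str:
    """Return the OU hierarchy from a DN, top-level OU first, joined by '/'.

    Objects sitting directly under a container such as CN=Computers have no
    OU, so an empty string is returned for them.
    Constructed sample:
      'CN=WS-0042,OU=Workstations,OU=Reykjavik,DC=corp,DC=example'
      -> 'Reykjavik/Workstations'
    """
    ous = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "OU":
            ous.append(value)
    # A DN lists the most specific RDN first; reverse to get top-down order.
    return "/".join(reversed(ous))
```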
2. AD Computer Discovery
A nominated Domain Controller queries LDAP for computer objects in the domain. This creates "unmonitored" (Authorized status) device records in Nanitor for computers that don't have agents, giving visibility into all domain machines. It does NOT update any existing device; it only creates new assets when it doesn't find a match. Enabled under Organization Management > Assets & collectors > Active Directory discovery.
3. AD User/Identity Discovery
This is the only sync function; it's one-way, from AD to Nanitor.
A nominated DC queries LDAP for user objects, collecting attributes such as group membership, password policies, delegation rights, account status, etc. This populates the Identity Inventory. Supports incremental sync (only fetches changes since last run) and manual forced sync from the UI. Also enabled under Organization Management > Assets & collectors. Runs automatically every 6h or on demand.
Both #2 and #3 use a nomination system: only one DC per domain and per organization is selected to perform discovery. If that DC goes offline, another is nominated automatically.
4. AD Authentication (LDAP login)
This is the use of AD/LDAP credentials to log into the Nanitor UI. It is about user authentication, not data collection, and is completely separate from the above. Documented in KB 41.
Summary
While there are four ways Nanitor can interact with or display Active Directory objects, only user identity discovery actually syncs with AD.
The AD computer discovery mechanism only identifies machines that are missing an agent; there is no actual information collection.
Any AD/OU information in the asset information comes directly from the machine, not from AD.
LDAP login is authentication against AD. No syncing or information collection occurs here.