Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    EMS Administration Guide

    Home FortiClient 7.4.3 EMS Administration Guide
    7.4.3
    7.4.5
    7.4.4
    7.4.3
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Adding endpoints using an AD domain server

    Adding endpoints using an AD domain server

    To add endpoints using an Active Directory (AD) domain server, you must add an AD server to EMS in Administration > Authentication Servers. See Adding an ADDS server.

    To add endpoints using an AD domain server:
    1. Go to Endpoints > Manage Domains > Add
    2. From the Authentication Server dropdown list, select the desired AD server.
    3. In the Sync every field, enter the desired sync schedule for the server.
    4. Under Select Base DN, select the desired DNs to import. You can also add specific organizational units (OUs) and containers from the AD server to EMS. The Changes to Selected Base DN pane summarizes the changes to your selected base DNs.

      EMS does not support adding individual groups from an AD server. EMS allows importing users, devices, and subgroup members of a group that are contained in an imported OU. Review EMS import logic example, which provides an example of the EMS import logic, to ensure that you are able to import all desired endpoints to your EMS.

      EMS supports adding individual groups from Microsoft Entra ID. See Adding endpoints using an Entra ID server.

    5. Click Save.

    EMS import logic example

    The following provides an example of EMS import logic using an example AD server with the following OU structure:

    Root: myAD
├── OU: Premium
│   ├── Sub-OU: Department 1
│   │    ├── Sub-OU: Region-Americas
│   │		├── Group A
│   │			├── Group B
│   │			├── Group C
│   ├── Sub-OU: Department 2
│       ├──  Group B
│		├── Group D
├── OU: Basic
│   ├── Group C

    Consider that on EMS, you only explicitly select the Premium OU and Sub-OU: Region-Americas to import. The OU structure shows these in bold. In this case, EMS imports the following:

    Item

    Reason imported

    OU: Premium

    Explicitly imported

    Sub-OU: Region-Americas

    Sub-OU: Department 1

    Sub-OUs of OU: Premium, which you explicitly imported

    Sub-OU: Department 2

    Group A

    Contained by Sub-OU: Region-Americas, which you explicitly imported

    Group B

    Contained by Group A,which is contained by Sub-OU: Region-Americas, which you explicitly imported

    Group C

    EMS does not import the following:

    Item

    Reason not imported

    Group D

    Although EMS imports Group B, since EMS does not import based on group membership, it does not import Group D, which is a member of Group B.

    OU: Basic

    Not selected to import

    The following shows the OU tree with all items that EMS imports when you explicitly import OU: Premium and Sub-OU: Region-Americas bolded. Group C is shown bolded where Group A contains it:

    Root: myAD
├── OU: Premium
│   ├── Sub-OU: Department 1
│   │    ├── Sub-OU: Region-Americas
│   │		├── Group A
│   │			├── Group B
│   │			├── Group C
│   ├── Sub-OU: Department 2
│       ├──  Group B
│		├── Group D
├── OU: Basic
│   ├── Group C

    If you remove Sub-OU: Region-Americas from OU: Premium's subtree, EMS still imports Sub-OU: Region-Americas. This is because you explicitly imported Sub-OU: Region-Americas.

    If you remove Sub-OU: Department 2 from OU: Premium's subtree, EMS does not import Sub-OU: Department 2. This is because you did not explicitly import Sub-OU: Department 2. EMS only imported it because it was in OU: Premium's subtree.

    Previous
    Next

    Adding endpoints using an AD domain server

    Adding endpoints using an AD domain server

    To add endpoints using an Active Directory (AD) domain server, you must add an AD server to EMS in Administration > Authentication Servers. See Adding an ADDS server.

    To add endpoints using an AD domain server:
    1. Go to Endpoints > Manage Domains > Add
    2. From the Authentication Server dropdown list, select the desired AD server.
    3. In the Sync every field, enter the desired sync schedule for the server.
    4. Under Select Base DN, select the desired DNs to import. You can also add specific organizational units (OUs) and containers from the AD server to EMS. The Changes to Selected Base DN pane summarizes the changes to your selected base DNs.

      EMS does not support adding individual groups from an AD server. EMS allows importing users, devices, and subgroup members of a group that are contained in an imported OU. Review EMS import logic example, which provides an example of the EMS import logic, to ensure that you are able to import all desired endpoints to your EMS.

      EMS supports adding individual groups from Microsoft Entra ID. See Adding endpoints using an Entra ID server.

    5. Click Save.

    EMS import logic example

    The following provides an example of EMS import logic using an example AD server with the following OU structure:

    Root: myAD
├── OU: Premium
│   ├── Sub-OU: Department 1
│   │    ├── Sub-OU: Region-Americas
│   │		├── Group A
│   │			├── Group B
│   │			├── Group C
│   ├── Sub-OU: Department 2
│       ├──  Group B
│		├── Group D
├── OU: Basic
│   ├── Group C

    Consider that on EMS, you only explicitly select the Premium OU and Sub-OU: Region-Americas to import. The OU structure shows these in bold. In this case, EMS imports the following:

    Item

    Reason imported

    OU: Premium

    Explicitly imported

    Sub-OU: Region-Americas

    Sub-OU: Department 1

    Sub-OUs of OU: Premium, which you explicitly imported

    Sub-OU: Department 2

    Group A

    Contained by Sub-OU: Region-Americas, which you explicitly imported

    Group B

    Contained by Group A,which is contained by Sub-OU: Region-Americas, which you explicitly imported

    Group C

    EMS does not import the following:

    Item

    Reason not imported

    Group D

    Although EMS imports Group B, since EMS does not import based on group membership, it does not import Group D, which is a member of Group B.

    OU: Basic

    Not selected to import

    The following shows the OU tree with all items that EMS imports when you explicitly import OU: Premium and Sub-OU: Region-Americas bolded. Group C is shown bolded where Group A contains it:

    Root: myAD
├── OU: Premium
│   ├── Sub-OU: Department 1
│   │    ├── Sub-OU: Region-Americas
│   │		├── Group A
│   │			├── Group B
│   │			├── Group C
│   ├── Sub-OU: Department 2
│       ├──  Group B
│		├── Group D
├── OU: Basic
│   ├── Group C

    If you remove Sub-OU: Region-Americas from OU: Premium's subtree, EMS still imports Sub-OU: Region-Americas. This is because you explicitly imported Sub-OU: Region-Americas.

    If you remove Sub-OU: Department 2 from OU: Premium's subtree, EMS does not import Sub-OU: Department 2. This is because you did not explicitly import Sub-OU: Department 2. EMS only imported it because it was in OU: Premium's subtree.

    Previous
    Next