Active Directory setup for passive registration

Passive registration can be set up for one or more groups of users.

  1. Copy the following files from the runtime area

    <Host Name>/ui/runTime/config/ldap

    to the AD shared directory, generally located at:

    /WINNT/SYSVOL/<domainname>/sysvol/scripts

    Files to be copied:

    sendLogIn.vbs, sendLogOut.vbs

    Permissions should be set such that all users may read and execute on all the files.

  2. To receive traps from the scripts, you must have the latest versions of snmptrap.exe and libsnmp.dll on the directory server in the same directory that contains the scripts. These two files are part of a package that can be downloaded and installed on your directory server from http://www.net-snmp.org/download.html. Select the latest binaries. From the list of download files, select the file that is in the following format: net-snmp-<version number>.exe.

  3. If you have not already done so, customize the scripts so that they take into account your network setup. See Customize log in and log out scripts for detailed information.

  4. Configure AD to use the following scripts:

    sendLogIn.vbs and sendLogOut.vbs

    1. Start the Active Directory Users & Computers application.

    2. Click the domain name in the Tree panel to select it.

    3. Right-click and select Properties.

    4. In the Properties window, click the Group Policy tab.

    5. Double-click the policy (Default Domain Policy) that will enable the scripts.

    6. In the Group Policy window click the plus sign (+) next to the User Configuration folder, then click the plus sign (+) next to the Windows Settings folder, and click Scripts (Logon/Logoff).

    7. In the right panel of the Group Policy view, double-click the logon script to launch the Logon Properties view. Click the Add button, then click the Browse button and navigate to the sysvol folder where files were copied in step 1. Select the following:

      sendLogIn.vbs

    8. Once the script file has been added, click OK.

    9. In the right panel of the Group Policy view, double-click the logoff script to launch the Logoff Properties view. Click the Add button, then click the Browse button and navigate to the sysvol folder where the files were copied in step 1. Select the following:

      sendLogOut.vbs

    10. Once the script file has been added, click OK.

  5. In the Group Policy view, click New to add a new policy for each group of users.

    For FortiNAC users change the name to CM_Policies.

    For Guest users change the name to Guest_Policies.

  6. Double-click the new policy. The Group Policy window appears.

  7. In the Group Policy window click the plus sign (+) next to the User Configuration folder, then click the plus sign (+) next to the Windows Settings folder, and click Scripts (Logon/Logoff).

    1. In the right panel of the Group Policy view, double-click the logon script to launch the Logon Properties view. Click the Add button, then click the Browse button and navigate to the NETLOGON directory on the domain controller. Select the following:

      sendLogIn.vbs

    2. Once the script file has been added, click OK.

    3. In the right panel of the Group Policy view, double-click the logoff script to launch the Logoff Properties view. Click the Add button, then click the Browse button and navigate to the NETLOGON directory on the domain controller. Select the following:

      sendLogOut.vbs

    4. Once the script file has been added, click OK.

  8. In the Group Policy window for the Group Policy created in step 3, click the plus sign (+) in front of the User Configuration folder.

  9. Click the plus sign (+) in front of the Administrative Templates folder, and then click the plus sign (+) in front of the System folder. Click the Logon/Logoff folder.

  10. Enable the following policies by double-clicking on them, clicking Enable, and then clicking OK.

    Run logon scripts visible

    Run logoff scripts visible

    Run logon scripts synchronously

    Visible mode only needs to be enabled for the testing period. Once the Administrator has determined that the logon/logoff scripts are working, running in visible mode can be disabled.

  11. Roll the policy changes out to the hosts. AD has built-in delays, so reboot the hosts if the scripts fail to run. The delay can be shortened by setting the "Group Policy refresh interval for user" policy to a shorter time period. The policy is located in the User Configuration folder.

  12. This MS link explains the above in detail:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;322241
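The file-staging part of the procedure (steps 1 and 2) is the part most often done by hand and most often done with overly broad permissions. The following PowerShell is an added example, not Fortinet's own code, that copies the two scripts into the SYSVOL scripts share, grants users Read & Execute only, and checks that the net-snmp binaries sit beside them. The domain name example.local, the staging folder C:\staging\ldap and the UNC form of the SYSVOL path are placeholders for the <domainname> and runtime-area values on this page.

```powershell
# Added example (not Fortinet's code): stage the FortiNAC logon/logoff scripts
# into SYSVOL and set read/execute-only permissions, as steps 1 and 2 describe.
# Assumptions (placeholders): the scripts were pulled from
# <Host Name>/ui/runTime/config/ldap to C:\staging\ldap, and the domain is example.local.

$Domain    = 'example.local'                      # placeholder for <domainname>
$Source    = 'C:\staging\ldap'                    # placeholder staging folder
$ScriptDir = "\\$Domain\SYSVOL\$Domain\scripts"   # same share as /WINNT/SYSVOL/<domainname>/sysvol/scripts
$Scripts   = @('sendLogIn.vbs', 'sendLogOut.vbs')
$SnmpFiles = @('snmptrap.exe', 'libsnmp.dll')     # from the net-snmp package; must sit beside the scripts

# Step 1: copy the two scripts into the scripts share.
foreach ($f in $Scripts) {
    Copy-Item -Path (Join-Path $Source $f) -Destination $ScriptDir -Force
}

# Step 1 (permissions): all users need Read & Execute and nothing more.
# A Modify/Write grant here would let any domain user alter a script that
# runs in every user's session, so only the RX right is added.
foreach ($f in $Scripts) {
    $path = Join-Path $ScriptDir $f
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList 'Authenticated Users', 'ReadAndExecute', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Step 2: the trap sender and its DLL must be in the same directory as the scripts.
$missing = $SnmpFiles | Where-Object { -not (Test-Path (Join-Path $ScriptDir $_)) }
if ($missing) {
    Write-Warning "Missing in ${ScriptDir}: $($missing -join ', ') - install net-snmp and copy them here."
}

# Sanity check: flag any ACE that gives a broad principal write or modify rights.
foreach ($f in $Scripts) {
    (Get-Acl -Path (Join-Path $ScriptDir $f)).Access |
        Where-Object { $_.IdentityReference -match 'Users|Everyone' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        ForEach-Object { Write-Warning "${f}: $($_.IdentityReference) has $($_.FileSystemRights)" }
}
```

Run this on a domain controller with an account that can write to SYSVOL. Once the GPO links from steps 4 to 10 are in place, `gpupdate /target:user /force` on a test workstation pulls the policy immediately instead of waiting for the refresh interval mentioned in step 11, and the visible-mode policies from step 10 let you watch the scripts fire during that test.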
