Using DisableActiveDSAPI for disabling AD information collection

Article ID: 369124


Products

IT Management Suite

Issue/Introduction

In some scenarios, you need to stop the Symantec Management Agent (aka Altiris Agent) from sending AD information, so that the "AeX AC Location" dataclass is not reported.

Environment

ITMS 8.x

Resolution

Background information:

The agent queries Active Directory through the Win32 AD API in ACTIVEDS.DLL, which is part of the Windows OS. It calls ADsGetObject(), and the parameter passed into it is either "LDAP://RootDSE" or "LDAP://<defaultNamingContext>", where defaultNamingContext is obtained from the previous ADsGetObject() call. This is used, for example, to get the CN of the user 'example\username' on the client's computer.

Here are some follow-up questions about disabling the AD API functionality in the Symantec Management Agent:

  1. Can ITMS engineering consider a different methodology for what you’re accomplishing with the mentioned API call?
    A: No, that's the only API Microsoft has that allows querying info from Active Directory.

  2. Is there a way we could disable that particular functionality for our installation of ITMS and its agents? 
    A: The only way to do that is to remove activeds.dll for now. We can add a registry entry that will disable AD querying on the client machine.

  3. I understand we’d be losing out on ‘core’ inventory functionality most likely. 
    A: Not much - one field in AeX AC Location data class and AD CNs for asset master resources.

  4. But I’d like an understanding of if that might be possible, and what the ramifications could be?
    A: If these machines are not in AD then nothing will be lost.

  5. Can we get a brief write-up of the purpose behind Altiris agent’s use of that API call?  What are you doing with it, what is it solving / providing to the solution, etc?
    A: We are querying AD for information (like CNs) about logged in users and the machine.

Usage:

To facilitate the use case where AD information is not collected or triggered by the Agent, you can try the following:

-- Manually create the following registry value on any client machine.

-- Set it to 1 to disable activeds.dll usage:

HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent

REG_DWORD: DisableActiveDSAPI = 1

The registry entry mentioned above should be added manually for any ITMS release. It is not created automatically.
The ITMS 8.7.3 release will read the registry entry if it exists (there will be no command-line option), and the Basic Inventory NSEs sent to the SMP Server will skip the "AeX AC Location" dataclass so it is not reported.
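
One way to script the manual step above so it can be audited or applied consistently across clients, shown as an added example that is not part of the original article and is not vendor code. The key path and value name are the ones given above; the function name `Test-DisableActiveDSAPI`, the `-Enforce` switch, and the choice not to create a missing agent key are assumptions.

```powershell
# Added example, not vendor code. Key path and value name come from the article;
# the function name and the -Enforce switch are hypothetical.
function Test-DisableActiveDSAPI {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Enforce)   # without -Enforce the function only audits

    $key  = 'HKLM:\SOFTWARE\Altiris\Altiris Agent'
    $name = 'DisableActiveDSAPI'

    # Read the value and its registry type; both stay $null when the value is absent.
    $read = {
        $item = Get-Item -LiteralPath $key
        if ($item.GetValueNames() -contains $name) {
            [pscustomobject]@{ Value = $item.GetValue($name); Kind = $item.GetValueKind($name) }
        } else {
            [pscustomobject]@{ Value = $null; Kind = $null }
        }
    }
    $isCompliant = { param($s) $s.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $s.Value -eq 1 }

    $report = [ordered]@{
        Computer = $env:COMPUTERNAME; KeyFound = (Test-Path -LiteralPath $key)
        Value = $null; Kind = $null; Changed = $false; Compliant = $false
    }
    # Assumption: a missing agent key means the agent is not installed on this
    # machine, so the key is not created and the machine is reported as-is.
    if ($report.KeyFound) {
        $state = & $read
        if (-not (& $isCompliant $state) -and $Enforce -and
            $PSCmdlet.ShouldProcess("$key\$name", 'Set REG_DWORD to 1')) {
            # -Force also replaces a value that exists with the wrong type, e.g. REG_SZ "1".
            New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            $report.Changed = $true
            $state = & $read   # re-read so the report reflects what is in the registry
        }
        $report.Value     = $state.Value
        $report.Kind      = $state.Kind
        $report.Compliant = [bool](& $isCompliant $state)
    }
    [pscustomobject]$report
}

Test-DisableActiveDSAPI            # audit only
# Test-DisableActiveDSAPI -Enforce # elevated prompt: create or correct the value
```

Run with `-Enforce -WhatIf` to see which machines would be changed without writing to the registry.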