Directory Sync Pro for Active Directory 20.11.3 - User Guide

AD Built-in Groups Handling

Directory Sync Pro for Active Directory automatically ignores certain AD built-in groups during sync. The definition of which built-in groups to ignore is held in the database table DirSync_GroupsToIgnore_PK. This table is created and populated during the install process of Directory Sync Pro for Active Directory and is not configurable from the product UI. This list of groups can be modified only with direct access and permissions to SQL. When Directory Sync Pro for Active Directory performs a sync, any group encountered that matches with a group named in the DirSync_GroupsToIgnore_PK table is skipped and not entered into the database. This built-in group handling functionality is separate from the blacklisting functionality for groups which can be configured by an operator through the product UI, so when ignored these built-in groups are not considered to be ‘blacklisted’.

How to Process GDPR Requests

What is a GDPR Request?

The General Data Protection Regulation (GDPR) is the new European Union (EU) data protection regulation, which goes into effect May 25th, 2018. Under the GDPR, individuals have certain rights to their personal data. They can make requests to the data controller to exercise those rights, and the controller must respond within 1 month. It is expected that the controller will verify the identity of the requestor.

 

There are four primary types of GDPR requests:

 

  1. Export – Request for a copy of all personal data about an individual held by this controller and any related processors. Must be in a commonly accepted portable data format.
  2. Update – Request to rectify inaccurate personal data.
  3. Delete – Request to remove all personal data about an individual from our systems. Can be initiated by an individual or by a revocation of consent process. Includes burden of proof. (Ideally follow a delete with an export to show no remaining data)
  4. Hold – Request to halt processing of personal data but not delete that data.

 

How to handle GDPR Requests for Directory Sync Pro for Active Directory

When Directory Sync Pro for Active Directory is installed, the data associated with the application is hosted locally within the client’s environment. The client has full control over this data. By default, the user and configuration data is stored in the SQL database called “DirectorySyncPro_<date>”. It is assumed the operator has the proper administrative SQL permissions to execute the methods outlined below.

 

SQL Tables containing User data:

  • [DirectorySyncPro_<Date>].[dbo].[BT_Person]

    Unique Key Look-up Columns:

         [SAMAccountName]

         [TargetSAMAccountName]

         [TargetUserPrincipalName]

         [OriginalSAMAccountName]

         [OriginalUserPrincipalName]

         [UserPrincipalName]

    If user data is used for matching (e.g. SAMAccountName, UserPrincipalName, etc.) then those values will also appear in one of the following columns:

         [MatchValue1]

         [MatchValue2]

         [MatchValue3]

         [MatchValue4]

  • [DirectorySyncPro_<Date>].[dbo].[BT_Groups]

    Unique Key Look-up Columns:

         [MatchValue1]

         [MatchValue2]

         [MatchValue3]

         [MatchValue4]

Be aware that data can be mapped to different Internal Fields (table columns) depending on customer-specific configuration, so just about any SQL column could theoretically contain user data if so configured. For example, SAMAccountName may have been mapped to Custom001 or to any other Internal Field selectable in the mappings. Therefore, this process should be undertaken by someone knowledgeable about the schema and attribute mappings in use. It may also be helpful to work with Support when completing these requests if you are not comfortable with the database.

Where does the Directory Sync Pro for Active Directory get its user data?

All user data within Directory Sync Pro for Active Directory is derived from the source Active Directory Forest configured in the product. Therefore, the authoritative source of any user related data stored in Directory Sync Pro for Active Directory is Active Directory. Any remediation required from a GDPR request should first be remediated in Active Directory or the source feeding Active Directory. Once that user data is updated in the source directory, running a new discovery within the product will update those values as well.

 

The following sections will provide guidance on fulfilling the 4 primary GDPR request types.

 

1. Exports – Request for a copy of all personal data about an individual held by this controller and any related processors. Must be in a commonly accepted portable data format.

 

 

For the purposes of this document, using PowerShell with the SQLPS Module is the recommended method to refine the results of the output. One may export any SQL Query result to a CSV file. Below is an example script to do so. Replace the variables to conform to your environment.

 

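     # Load the SQL Server PowerShell module (provides Invoke-Sqlcmd)
     Import-Module sqlps

     # Query to export; replace the database name to match your environment
     $SQLquery = 'SELECT * FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]'

     # Run the query; replace <servername> and <dbname> with your values
     $result = Invoke-Sqlcmd -Query $SQLquery -ServerInstance '<servername>' -Database '<dbname>'

     # Write the result set to a CSV file
     $result | Export-Csv C:\temp\ExportQueryResults.csv -NoTypeInformation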

 

2. Updates – Request to rectify inaccurate personal data.

 

As previously stated, all user data within Directory Sync Pro for Active Directory is derived from the source Active Directory Forest configured in the product. Therefore, the authoritative source of user data is Active Directory. Any remediation required from a GDPR request should first be remediated in Active Directory or the source feeding Active Directory.

 

If editing the user data within SQL is still required, using any SQL editor such as SQL Server Management Studio, run an update command against one or more columns for one or more records. Below are examples to accomplish this. Note however, that any new discovery will update the values based on the source Active Directory.

 

     Update multiple columns for a single record:

     UPDATE [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     SET <Column1 Name> = <New Value1>, <Column2 Name> = <New Value2>
     WHERE userPrincipalName='<Unique ID>'

 

     Update multiple columns for multiple records:

     UPDATE [DirectorySyncPro_<Date>].[dbo].[CMTEUP_Person]
     SET <Column1 Name> = <New Value1>, <Column2 Name> = <New Value2>
     WHERE DistinguishedName='<Unique ID>' OR DistinguishedName='<Unique ID>'

     UPDATE [DirectorySyncPro_<Date>].[dbo].[CMTEUP_PersonADData]
     SET <Column1 Name> = <New Value1>, <Column2 Name> = <New Value2>
     WHERE userPrincipalName='<Unique ID>' OR userPrincipalName='<Unique ID>'

     Update multiple columns for multiple records using a list:

     UPDATE [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     SET <Column1 Name> = <New Value1>, <Column2 Name> = <New Value2>
     WHERE DistinguishedName IN ('<Unique ID1>', '<Unique ID2>', '<Unique ID3>')

     UPDATE [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     SET <Column1 Name> = <New Value1>, <Column2 Name> = <New Value2>
     WHERE userPrincipalName IN ('<Unique ID1>', '<Unique ID2>', '<Unique ID3>')

 

3. Deletes – Request to remove all personal data about an individual from our systems. Can be initiated by an individual or by a revocation of consent process. Includes burden of proof. (Ideally follow a delete with an export to show no remaining data.)

 

Using any SQL editor such as SQL Server Management Studio, run a Delete command against one or more records. Below are examples to accomplish this. However, as previously stated, if the user is not deleted in the source Active Directory, the user will be re-populated into SQL during any subsequent new discovery. The only way to truly remove the data is to delete the source user or delete the entire SQL database when it is no longer required.

 

     Delete a single record then verify:

     DELETE FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE SAMAccountName='<Unique ID1>'

     SELECT * FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE SAMAccountName='<Unique ID1>'

     DELETE FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE userPrincipalName='<Unique ID1>'

     SELECT * FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE userPrincipalName='<Unique ID1>'

     Delete multiple records then verify:

     DELETE FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE SAMAccountName='<Unique ID1>' OR SAMAccountName='<Unique ID2>'

     SELECT * FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE SAMAccountName='<Unique ID1>' OR SAMAccountName='<Unique ID2>'

     DELETE FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE userPrincipalName='<Unique ID1>' OR userPrincipalName='<Unique ID2>'

     SELECT * FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE userPrincipalName='<Unique ID1>' OR userPrincipalName='<Unique ID2>'

     Delete multiple records using a list then verify:

     DELETE FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE SAMAccountName IN ('<Unique ID1>', '<Unique ID2>', '<Unique ID3>')

     SELECT * FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE SAMAccountName IN ('<Unique ID1>', '<Unique ID2>', '<Unique ID3>')

     DELETE FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE userPrincipalName IN ('<Unique ID1>', '<Unique ID2>', '<Unique ID3>')

     SELECT * FROM [DirectorySyncPro_<Date>].[dbo].[BT_Person]
     WHERE userPrincipalName IN ('<Unique ID1>', '<Unique ID2>', '<Unique ID3>')
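
The following script is an added example, not part of the vendor's guide. It serves both the Export step and the post-delete verification: it searches every look-up column this guide lists in BT_Person and BT_Groups for one identifier, bound as a SQL parameter rather than pasted into the query text, and writes any matching rows to CSV. It assumes Windows PowerShell with integrated authentication; the parameter names, output path and file naming are illustrative, and columns populated through custom attribute mappings are not covered.

```powershell
# Added example, not vendor code. Server and database values are placeholders.
param(
    [string]$ServerInstance = '<servername>',
    [string]$Database       = '<dbname>',
    [Parameter(Mandatory)][string]$SubjectId,   # identifier from the GDPR request
    [string]$OutDir         = 'C:\temp'
)

# Look-up columns listed in this guide for each table.
$lookup = [ordered]@{
    'BT_Person' = 'SAMAccountName','TargetSAMAccountName','TargetUserPrincipalName',
                  'OriginalSAMAccountName','OriginalUserPrincipalName','UserPrincipalName',
                  'MatchValue1','MatchValue2','MatchValue3','MatchValue4'
    'BT_Groups' = 'MatchValue1','MatchValue2','MatchValue3','MatchValue4'
}

# Keep the identifier out of the file name unless it is a safe character.
$safeName = $SubjectId -replace '[^\w.@-]', '_'

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$ServerInstance;Database=$Database;Integrated Security=True")
$conn.Open()
try {
    foreach ($table in $lookup.Keys) {
        # Table and column names come only from the fixed list above;
        # the requestor-supplied value is passed as the @id parameter.
        $where = ($lookup[$table] | ForEach-Object { "[$_] = @id" }) -join ' OR '
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT * FROM [dbo].[$table] WHERE $where"
        [void]$cmd.Parameters.AddWithValue('@id', $SubjectId)

        $data = New-Object System.Data.DataTable
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)
        [void]$adapter.Fill($data)

        # Zero rows in every table after a delete is the evidence of removal.
        Write-Output ("{0}: {1} matching row(s)" -f $table, $data.Rows.Count)
        if ($data.Rows.Count -gt 0) {
            $data.Rows |
                Select-Object -Property $data.Columns.ColumnName |
                Export-Csv (Join-Path $OutDir "$table-$safeName.csv") -NoTypeInformation
        }
    }
}
finally {
    $conn.Close()
}
```

Run it once per identifier known for the individual (for example both the SAMAccountName and the UserPrincipalName), and again after any later discovery to confirm the records have not been re-populated from Active Directory.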

 

4. Holds – Request to halt processing of personal data but not delete that data.

This can also be accomplished using the product interface. Halting a user from processing can be achieved using the Exclusion List feature.

 

 

Third-party contributions

 

This product contains the following third-party components. For third-party license information, go to https://www.quest.com/legal/license-agreements.aspx. Source code for components marked with an asterisk (*) is available at https://opensource.quest.com.

Table 1: List of Third-Party Contributions

Component Copyright Notice License
ANTLR 3.5.0.2 Copyright © 2011 Terence Parr; C# Port (c) 2011 Sam Harwell, Tunnel Vision Laboratories, LLC Antlr 3.5.0.2
Bootstrap 3.4.1 Copyright (c) 2011-2016 Twitter, Inc. MIT N/A
clipboard.js 1.5.5   MIT N/A
commonservicelocator 2.0.7.0   Microsoft Permissive License (Ms-PL) N/A
csvhelper 27.1.1 Copyright 2009-2021 Jose Close Apache 2.0
Data-tier Application Framework (DACFx) 17.3.0   MICROSOFT SOFTWARE LICENSE TERMS MICROSOFT SQL SERVER DATA-TIER APPLICATION FRAMEWO
DnsClient 1.8.0   Apache 2.0
DotNetZip 1.13.8 Copyright (c) 2000,2001,2002,2003 ymnk, JCraft, Inc Microsoft Permissive License (Ms-PL) N/A
EntityFramework 6.400.420.21404   Apache 2.0
EntityFramework.SqlServer 6.400.420.21404 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ Apache 2.0
jquery 3.5.1 Copyright OpenJS Foundation and other contributors, https://openjsf.org/ MIT N/A
JQuery UI 1.13.2   MIT N/A
Knockout 3.5.1 Copyright (c) 2010 Steven Sanderson, the Knockout.js team, and other contributors http://knockoutjs.com/ MIT N/A
knockout.validation 2.0.3   MIT N/A
metismenu 2.0.2   MIT N/A
Microsoft Visual C++ 2013 Redistributables 2013 same as 2012 and previous Microsoft Visual C++ 2012 Runtime Libraries N/A
Microsoft.AspNet.WebApi.Client 5.1.2   MS-.NET-Library-JS License N/A
Microsoft.AspNet.WebApi.Core 5.1.2   MS-.NET-Library-JS License N/A
Microsoft.AspNet.WebPages 3.2.3 © Microsoft Corporation. All rights reserved. MICROSOFT .NET LIBRARY 1.0
Microsoft.Bcl 1.1.9 © Microsoft Corporation. All rights reserved. MICROSOFT .NET LIBRARY 1.0
Microsoft.Bcl.AsyncInterfaces 5.0.0 Licensed under MIT License terms can be found at: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/574d3188-f16d-44a8-93d8-ed52390af52e License terms can be found at: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/cdad7f75-ec30-4e77-b4bc-9e1bd7103cd7 License terms can be found at: https://licenses.nuget.org/MIT Copyright .NET Foundation and Contributors Copyright Microsoft Corporation MIT Template 2020
Microsoft.Bcl.Build 1.0.14 © Microsoft Corporation. All rights reserved. MICROSOFT .NET LIBRARY 1.0
Microsoft.Bcl.HashCode 4.700.20.56604 Licensed under MIT License terms can be found at: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/122619ce-79e4-4fd3-830e-4dd29de3b416 License terms can be found at: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/d056fa1a-00d9-4199-8455-100c86725d02 License terms can be found at: https://licenses.nuget.org/MIT Copyright © Microsoft Corporation MIT Template 2020
Microsoft.Build.Framework 14.0   MICROSOFT .NET LIBRARY 1.0
Microsoft.Build.Tasks.Core 14.0   MICROSOFT .NET LIBRARY 1.0
Microsoft.Build.Utilities.Core 14.0   MICROSOFT .NET LIBRARY 1.0
Microsoft.ReportingServices.ReportViewerControl.WebForms 140.1.291.2731477   MICROSOFT REPORT VIEWER RUNTIME FOR MICROSOFT SQL SERVER 140.1.291.2731477
Microsoft.SqlServer.Types 14.0.314.76   Microsoft.SqlServer.Types 14.0.314.76
Microsoft.Web.Administration 10.0.17025.1000 Licensed under Microsoft .NET Library License terms can be found at: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/fc2bb128-ca69-4eb6-8195-18f715a00cc4 License terms can be found at: https://www.microsoft.com/web/webpi/eula/net_library_eula_enu.htm Copyright Microsoft Corporation MICROSOFT .NET LIBRARY 1.0
Microsoft.Web.Infrastructure 1.0.20105.407   MICROSOFT ASP.NET MODEL VIEW CONTROLLER TOOLS UPDATE 3
Microsoft.Web.Infrastructure 2.0.61129.10   MICROSOFT .NET LIBRARY 1.0
Microsoft.Win32.Registry 5.0.20.51904 The MIT License (MIT) Copyright (c) .NET Foundation and Contributors All rights reserved. MIT Template 2020
Modernizr 2.8.3 Copyright 2013 Modernizer MIT N/A
Moment.js 2.29.1   MIT momentjs n/a
Newtonsoft.Json.Net 13.0.1   MIT Json.NET N/A
NLog 3.2.0   BSD 3-Clause License N/A
PAExec 1.0 https://www.poweradmin.com/paexec/paexec_eula.txt PowerAdmin 1.0
RestSharp 106.15.0   Apache 2.0
System.Buffers 4.6.28619.1 MIT License Copyright (c) Microsoft Corporation. MIT Template 2020
System.Diagnostics.DiagnosticSource 4.7.1 Licensed under MIT License terms can be found at: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/17bb9beb-bd6d-4bce-a431-4a4dcd8babd8 License terms can be found at: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/e6af58f8-9552-4c31-8367-114e7b6ae035 License terms can be found at: https://licenses.nuget.org/MIT Copyright © Microsoft Corporation Copyright .NET Foundation and Contributors Copyright © Microsoft Corporation MIT Template 2020
System.Memory 4.6.28619.1 MIT License Copyright (c) Microsoft Corporation. MIT Template 2020
System.Net.Http 2.2.29 © Microsoft Corporation. All rights reserved. MICROSOFT .NET LIBRARY 1.0
System.Net.Http 4.7.3062.0   Apache 2.0
System.Net.Http.Extensions 2.2.29.0   MS-.NET-Library License N/A
System.Net.Http.Formatting 5.2.61128.0 Microsoft Corporation MICROSOFT SOFTWARE LICENSE TERMS - ASPNET Component 1.0
System.Net.Http.Formatting 5.2.7   Apache 2.0
System.Net.Http.Primitives 2.2.29.0   MS-.NET-Library License N/A
System.Net.Http.WebRequest 2.2.29.0   MS-.NET-Library License N/A
System.Numerics 4.0.30319.17929 The MIT License (MIT) Copyright (c) .NET Foundation and Contributors All rights reserved. MIT 1.0
System.Numerics.Vectors 4.6.26515.06 The MIT License (MIT) Copyright (c) .NET Foundation and Contributors All rights reserved. MIT Template 2020
System.Reflection.TypeExtensions 4.6.26725.05 Licensed under MIT License terms can be found at: https://github.com/dotnet/corefx/blob/master/LICENSE.TXT Copyright © Microsoft Corporation. All rights reserved. MIT Template 2020
System.Runtime.CompilerServices.Unsafe 4.6.0 Licensed under MIT License terms can be found at: https://github.com/dotnet/corefx/blob/master/LICENSE.TXT License terms can be found at: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/34cbcdc8-4766-4b7e-bcdb-b8194fa14210 License terms can be found at: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/70497add-6ea8-4427-aadc-879a99e8d672 Copyright © Microsoft Corporation Copyright .NET Foundation and Contributors Copyright © Microsoft Corporation MIT Template 2020
System.Runtime.CompilerServices.Unsafe 6.0.21.52210 The MIT License (MIT) Copyright (c) .NET Foundation and Contributors All rights reserved MIT Template 2020
System.Security 4.0.3 Microsoft® .NET Framework Microsoft .Net Framework 4.5
System.Security.AccessControl 5.0.20.51904 The MIT License (MIT) Copyright (c) .NET Foundation and Contributors All rights reserved. MIT Template 2020
System.Security.AccessControl 6.0.0 The MIT License (MIT) Copyright (c) .NET Foundation and Contributors All rights reserved. MIT Template 2020
System.Security.Principal.Windows 5.0.20.51904 The MIT License (MIT) Copyright (c) .NET Foundation and Contributors All rights reserved. MIT Template 2020
System.ServiceProcess.ServiceController 4.7.0   MIT N/A
System.Threading.Tasks.Extensions 4.6.28619.01 The MIT License (MIT) Copyright (c) .NET Foundation and Contributors All rights reserved. MIT Template 2020
System.ValueTuple 4.6.26515.06 The MIT License (MIT) Copyright (c) .NET Foundation and Contributors All rights reserved. MIT Template 2020
System.Web.Helpers 3.0.7   Apache 2.0
System.Web.Http 5.2.7   Apache 2.0
System.Web.Http.WebHost 5.2.7   Apache 2.0
System.Web.Mvc 5.2.7   Apache 2.0
System.Web.Optimization 1.1.4   MS-.NET-Library License N/A
System.Web.Razor 3.0.7   Apache 2.0
System.Web.WebPages 3.0.7   Apache 2.0
System.Web.WebPages.Deployment 3.0.7   Apache 2.0
System.Web.WebPages.Razor 3.0.7   Apache 2.0
Unity 5.11.1 Copyright © Microsoft 2008 Apache 2.0
WebActivatorEx 2.2.0 Copyright © Microsoft 2010 Apache 2.0
WebGrease 1.6.5135.21930 Licensed under Microsoft .NET Library License terms can be found at: https://archive.codeplex.com/?p=webgrease Copyright © Microsoft 2013 MICROSOFT .NET LIBRARY 1.0
