Directory Service Structure Objects
If you use a directory service (e.g., Active Directory), the objects it contains (OUs, groups, users and computers) appear in the Directory service structure area of User management and Computer management after synchronization.
Organizational units (OUs)
An organizational unit (OU) is a directory service object contained in a domain. Once the directory service is synchronized, the OUs and the objects they contain (OUs, users and computers) appear in the directory service structure of the Console. If you use no directory service but your Own Directory, you can create OUs manually to structure your objects.
Assigning access rights to OU subobjects
- In the Directory service structure area, select the object to which the OU belongs.
- In the User management or Computer management work area, select the OU whose objects you want to grant permissions to.
- Define access rights in the Control tab. For details, see: Controlling access
- A warning message appears.
- Click OK to confirm the message.
- The changes apply to all objects of the OU. They are not visible in the OU settings, only when you select the individual objects.
- The rights are not inherited by objects added to the OU later.
- To restore default rights, activate inheritance for individual objects.
Groups
A group is a directory service object consisting of users and/or computers. The group receives the default rights of users and computers for its members. These rights can be changed. For details, see: Controlling access
The group members can inherit different permissions from the group. However, individual permissions of users and computers have priority over the group rights. For details, see: Rights concept
If you activate a product for the group, it is activated for all group members. For details, see: Activating products
When performing a directory service synchronization, you can enable options to automatically activate products for new users/computers of a group. For details, see: Synchronizing directory service
If you use no directory service but your Own Directory, you can create groups manually.
Viewing and adding group members
- In the Directory service structure area of the User management or Computer management menu, right-click a group.
- Select Group members from the context menu.
- The Group members dialog appears. The group members are listed in the right pane of the dialog.
- Select a user or a computer from the directory structure and click .
- The new group member appears in the right pane.
- Click OK to confirm.
- The group member inherits the permissions of the group.
- If a user is a member of more than one group, the permissions may differ. You can define whether permissions or restrictions have priority.
Rights priority for membership in several groups
- Under Product settings | Control | Inheritance settings, define rights priorities:
- If you want permissions defined for the Access Control product to have priority, enable Access permissions have priority. Otherwise, enable Access restrictions have priority.
- If you want permissions defined for encryption products to have priority, enable Access permissions have priority. Otherwise, enable Access restrictions have priority.
- Define in which groups users inherit permissions:
- EgoSecure groups: only EgoSecure groups inherit permissions.
- AD/Novell groups: only directory service groups inherit permissions.
- EgoSecure groups and AD/Novell groups: all groups inherit permissions.
- Click Save.
- The inheritance settings are applied.
Creating EgoSecure groups
- Under User management/Computer management, in the Directory service structure area, right-click the directory object under which you want to create the group.
- Select Create EgoSecure group from the context menu.
- The Add - EgoSecure Group dialog appears.
- Define a group name and click OK to confirm.
- The dialog closes and the new group appears in the directory structure.
- Right-click a group and select Group members from the context menu.
- The Group members dialog appears.
- Select the directory objects to add them to the group.
- Click OK to confirm.
- You can now assign inheritable group rights and activate products.
User and computer
During synchronization, users and computers are automatically placed under the corresponding directory service objects. The following metadata is recorded (if available):
- Name
- SID
If you use no directory service but the Own Directory, you can edit this data. For details, see: Own Directory
Deleting objects from directory service structure
If you use a directory service and the object still exists there, it reappears in the directory service tree at the next synchronization. Delete the object in the directory service first and then in the EgoSecure Console.
- Right-click the object and select Delete from the context menu.
Own Directory
If you do not use a directory service, but selected Own Directory during the installation, a computer appears in the directory service tree only after installing EgoSecure Agent on the computer and a user appears only after logging in to an EgoSecure Agent computer. By default, they appear in the Unsorted objects folder.
Without an existing directory service, you can create OUs and EgoSecure groups to sort computers and users.
Editing user/computer name, SID or e-mail
- In the User management/Computer management work area, double-click a user/computer.
- The Edit - <object name> dialog appears.
- Edit the data. Separate multiple e-mail addresses with a semicolon.
- Click OK.
- New data is saved.
Adding objects to directory service tree
- Right-click an element of the directory service tree to add an object there.
- Select Add | Organizational Unit (EgoSecure Group/User/Computer) from the context menu.
- The Add - <Object type> dialog appears.
- Enter valid metadata.
- Click OK to confirm.
- The dialog closes and the new object appears in the directory service structure.
Moving objects
- In the Directory service structure, select the element that contains the object you want to move.
- In the User management/Computer management area, right-click the object and select Move into... from the context menu.
- The Move dialog appears.
- Select an element of the directory service tree where you want to move the object.
- Click OK to confirm.
- The dialog closes and the object is moved.
Transferring an Own Directory account to a directory service object
Transfer an Own Directory account to a directory service object to move its activated products (with settings and permissions), encryption keys, audit and revision data, and group memberships to that object. The Own Directory account is deleted automatically after the transfer.
- Right-click an object under User management/Computer management.
- Select Transfer account to... from the context menu.
- The Transfer account to... dialog appears.
- Select a directory service object to which to transfer the account.
- Click OK.
- The Own directory account is transferred to the selected directory service object. The Own Directory account is deleted.
Device type icons in directory service structure
Agents can be installed on notebooks, desktop computers, servers and virtual machines. A different icon is displayed depending on the device group. Each device group corresponds to one or more chassis values (according to Microsoft Chassis Types).
Agent installation on Windows
| Icon | Device group | Microsoft chassis value |
|---|---|---|
|  | Desktop computers | 3, 4, 5, 6, 7, 15, 16 |
|  | Notebook | 8, 9, 10, 11, 12, 14, 18, 21 |
|  | Server | 17, 23 |
|  | All-in-one | 13 |
|  | Tablet | 30 |
|  | Mini PC | 35 |
|  | Stick PC | 36 |
|  | Virtual machine | 1 |
|  | Unknown | 2 |
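As an added example (not part of this documentation and not EgoSecure's own code): a PowerShell function that classifies a computer the way the table above does, which helps when checking why a computer shows a particular icon. It assumes that the chassis value is the one reported by the ChassisTypes property of the Win32_SystemEnclosure CIM class, the standard Windows source for Microsoft chassis types.

```powershell
# Added example, not EgoSecure code. Assumption: the chassis value the Console
# evaluates is Win32_SystemEnclosure.ChassisTypes of the Agent computer.
function Get-DeviceGroupFromChassis {
    param(
        # One or more chassis values; defaults to the values of the local machine.
        [int[]]$ChassisTypes = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    )

    # Mapping taken from the table above (device group -> chassis values).
    $groups = [ordered]@{
        'Desktop computers' = 3, 4, 5, 6, 7, 15, 16
        'Notebook'          = 8, 9, 10, 11, 12, 14, 18, 21
        'Server'            = 17, 23
        'All-in-one'        = 13
        'Tablet'            = 30
        'Mini PC'           = 35
        'Stick PC'          = 36
        'Virtual machine'   = 1
        'Unknown'           = 2
    }

    # ChassisTypes is an array and may hold several values; the first value
    # that appears in the table decides the device group.
    foreach ($value in $ChassisTypes) {
        foreach ($entry in $groups.GetEnumerator()) {
            if ($entry.Value -contains $value) {
                return [pscustomobject]@{ ChassisType = $value; DeviceGroup = $entry.Key }
            }
        }
    }

    # Values outside the table are reported here as Unknown (assumption).
    return [pscustomobject]@{
        ChassisType = ($ChassisTypes -join ',')
        DeviceGroup = 'Unknown'
    }
}

# Classify the local computer.
Get-DeviceGroupFromChassis
# Classify constructed sample values, e.g. a notebook reported together with a docking station.
Get-DeviceGroupFromChassis -ChassisTypes 10, 12
```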
Agent installation on IoT
| Icon | Device type |
|---|---|
|  | IoT devices |
Connection type icons
| Icon | Description |
|---|---|
|  | Secure connection. |
|  | Secure connection that demands attention. The client has a valid but not up-to-date certificate, which must be replaced. |
|  | Connection is insecure. No certificate on the client side. |
|  | Connection is insecure. The client has a certificate that is not in the database, has expired, or whose private key has been compromised. |