Connecting to Active Directory

Active Directory is Microsoft's Directory Server that provides a LDAP-compliant database containing objects such as users, groups, and computers. Use Analytics's data connector to import your organization's Active Directory data.


You cannot use this connector independently of Analytics. You can configure a DSN for the connector driver using the Windows ODBC Data Source Administrator, however you must test the DSN connection from within Analytics and not from the connector's Windows DSN configuration dialog.

Before you start

To connect to Active Directory, you must gather the following:

  • the domain name or IP address of the Active Directory server
  • the correct connection port
  • the connecting user account, including the distinguished name of the user and the password

For help gathering the connection prerequisites, contact the Active Directory administrator in your organization. If your administrator cannot help you, you or your administrator should contact Active Directory Support.

Create an Active Directory connection

  1. From the Analytics main menu, select Import > Database and application.
  2. From the New Connections tab, in the ACL Connectors section, select Active Directory.


    You can filter the list of available connectors by entering a search string in the Filter connections box. Connectors are listed alphabetically.

  3. In the Data Connection Settings panel, enter the connection settings and at the bottom of the panel, click Save and Connect.

    You can accept the default Connection Name, or enter a new one.

The connection for Active Directory is saved to the Existing Connections tab. In the future, you can reconnect to Active Directory from the saved connection.

Once the connection is established, the Data Access window opens to the Staging Area and you can begin importing data. For help importing data from Active Directory, see Import data using the Data Access window .

Connection settings

Basic settings

Setting Description Example

The distinguished name of a user.

Together with Password, this field is used to authenticate against the Active Directory server.


The password for the distinguished name of the specified user.

Together with User, this field is used to authenticate against the Active Directory server.


You may connect without providing a password if your Active Directory server permits anonymous connections. Based on your server's security configuration, anonymous connections may be able to list available tables. However, such connections may not be able to select data from some or all of the tables listed. For more information about your Active Directory security configuration, contact your organization's administrator.


The domain name or IP of the Active Directory server.

This does not need to include the LDAP:\\ portion, only the server domain name or IP.

The port the Active Directory server is running on. The default value is 389.

Together with Server, this property is used to specify the Active Directory server.

Base DN

The base portion of the distinguished name, used for limiting results to specific subtrees.

Specifying a base DN may greatly improve performance when returning entries for large servers by limiting the number of entries that need to be examined.

LDAP Version The LDAP version used to connect to and communicate with the server. Valid options are 2 and 3 for LDAP versions 2 and 3. 2
Auth Mechanism

The authentication mechanism to be used when connecting to the Active Directory server:

  • SIMPLE (default) default plaintext authentication is used to log in to the server
  • DIGESTMD5 the more secure DIGEST-MD5 authentication is used
  • NEGOTIATE NTLM/Negotiate authentication will be used

Whether to limit the scope of the search to:

  • WholeSubtree the whole subtree (BaseDN and all of its descendants)
  • SingleLevel a single level (BaseDN and its direct descendants)
  • BaseObject the base object (BaseDN only)


Limiting scope can greatly improve the search performance.


Advanced settings

Setting Description Example
Use Default DC Used to connect to the default Domain Controller and authenticate using the current user credentials. false
Convert Datetime to GMT

Converts datetime fields to GMT time zone during import. If false, the datetime value is converted to the operating system time zone of the machine running Analytics.

Limit Key Size

The maximum length of a primary key column. Setting the size to 0 will make the key length revert to the original length.

This property makes the connector override the reported length of all the primary key columns.

Map to Long Varchar

Controls whether or not a column is returned as SQL_LONGVARCHAR.

Use this setting to map any column larger than the specified size so they are reported as SQL_LONGVARCHAR instead of SQL_VARCHAR.

Map to WVarchar

Controls whether or not string types map to SQL_WVARCHAR instead of SQL_VARCHAR. It is set by default.

String columns must be mapped to SQL_WVARCHAR to accommodate various international character sets, so MapToWVarchar is set to true by default. You may set it to false to use SQL_VARCHAR instead.

Pseudo Columns

Indicates whether or not to include pseudo columns as columns to the table.

This setting is particularly helpful in Entity Framework, which does not allow you to set a value for a pseudo column unless it is a table column.

The value of this connection setting is of the format "Table1=Column1, Table1=Column2, Table2=Column3". You can use the "*" character to include all tables and all columns.

Upper Case Identifiers Report all identifiers in uppercase, including table and column names. false
SSL Server Cert

The certificate to be accepted from the server when connecting using TLS/SSL. You can specify any of the following:

  • full PEM certificate
  • path to a local file containing the certificate
  • the public key
  • the MD5 Thumbprint (hex values can also be either space or colon separated)
  • the SHA1 Thumbprint (hex values can also be either space or colon separated)

If using a TLS/SSL connection, this property can be used to specify the TLS/SSL certificate to be accepted from the server. Any other certificate that is not trusted by the machine will be rejected.

Support Enhanced SQL

Enhances SQL functionality beyond what can be supported through the API directly, by enabling in-memory client-side processing:

  • true the connector offloads as much of the SELECT statement processing as possible to Active Directory and then processes the rest of the query in memory. In this way the driver can execute unsupported predicates, joins, and aggregation
  • false the connector limits SQL execution to what is supported by the Active Directory API


This setting must be false to support filtering using the where clause syntax.

Execution of predicates

The connector determines which of the clauses are supported by the data source and then pushes them to the source to get the smallest superset of rows that would satisfy the query. It then filters the rest of the rows locally. The filter operation is streamed, which enables the driver to filter effectively for even very large datasets.

Execution of Joins

The connector uses various techniques to join in memory. The driver trades off memory utilization against the requirement of reading the same table more than once.

Execution of Aggregates

The connector retrieves all rows necessary to process the aggregation in memory.


Filtering the rows returned

The Active Directory connector uses an SQL filtering syntax that aligns closely with the LDAP search syntax. Some fields contain delimited data that represents multiple object attributes. Your WHERE clause must account for each value in these delimited fields as if they are distinct values, rather than a single string.

For more information about LDAP search filters, see MSDN Search Filter Syntax.

Filtering User on ObjectCategory and ObjectClass


You are working with the User table and you want to import records where the ObjectClass has the following attributes:

  • person
  • user

You also want to limit the records to those where the ObjectCategory has the Computer attribute, and not Person.

Connecting to the table

First, you connect to the Active Directory server, and select the User table (subset of fields shown).

Filtering the records

To limit the records to those you want to import, you apply a filter that treats each delimited value as a discrete field.

You then use SQL Mode to verify the WHERE clause that the filter constructs:

    "User"."ObjectClass" = N'person' AND
    "User"."ObjectClass" = N'user' AND
    "User"."ObjectCategory" = N'Computer'

Filter results

Once the filter is applied, the table includes records that match the WHERE clause and you import the table.

Joining Active Directory tables

Due to the data model used in LDAP-compliant databases such as Active Directory, SQL joins are not recommended. Joins may yield unexpected results.

If you need to join one or more tables from an Active Directory data source, you can import multiple tables using the Data Access window and then join them in Analytics. Use filters to limit the number of records and increase efficiency.

Analytics 14.1 Help