Adding Organizational Units or Active Directory Security Groups to a Machine Group

Companies often split up Active Directory entities by creating multiple Organizational Units (OUs) or Active Directory Security Groups. A machine group in Security Controls can be configured to include specific organization units or Active Directory Security Groups from Active Directory. For example, you might create a machine group that includes all machines from the 'Sales' organizational unit. The machines in the OU will be automatically enumerated when the machine group is scanned.

Adding an Individual Organizational Unit

The easiest way to add an organizational unit to a machine group is as follows:

  1. Access the machine group.
  2. Select the Organizational Unit tab.
  3. Type the name of the organizational unit in the Enter an individual OU name box.
    An OU is added in full LDAP format. For example, to add the Sales OU from the domain, the format is 'ou=sales,dc=example,dc=com'. If you specify a parent OU, all children OUs will be included in the scan.
  4. Choose whether you will allow SSH server connections to the machines in this organizational unit.
    The SSH protocol may be used when the console initiates a connection with the specified machines. The primary use cases are when a power status scan or a push installation of an agent are initiated from the console to a Linux machine. Security Controls does not currently support the use of SSH server authentication, so unless you are certain that the specified machines are trusted and safe, you should choose to block SSH server connections. For more detailed information, see the SSH Authentication topic.
  5. Click Add.

Importing OUs from an External Source

You can also add organizational units by using the Browse Active Directory button to import organizational unit names from an external source. This button opens a separate dialog that lists the contents of your Active Directory network. Locate the organizational units and/or machines you would like to add to the custom group, place a check mark in the desired check boxes, and then click Add checked items.

  • If your Active Directory network is not listed, click Addto manually define the network.
  • If you need to supply credentials in order to browse the Active Directory OUs on the available domains, in the Browse credential box at the bottom of the dialog select the appropriate credential and then click Assign.




Enables you to add an Active Directory forest that is not broadcasting its availability. You will need to provide credentials that are authorized to enumerate the forest. You can then add any items within that forest.

Edit Selected

Enables you to edit the selected entry.

Delete Selected

Enables you to delete the selected entry.

Browse Credential

To set credentials to use for browsing an Active Directory hierarchy on a remote domain:

  1. Select the domain.
  2. Select the proper credential.
    If you need to define a new credential, see Defining Credentials.
  3. Click Assign.

Include Child OUs

If enabled, for every parent OU selected, all children OUs will also be included in the machine group.


Removes the credentials currently defined for the selected domain.

When organizational units are added, the new entries are displayed within the bottom portion of the machine group pane.