By default, Movere collects both device and user objects from each Active Directory (AD) domain it queries. While this is the recommended approach, there are situations when this data is not required. Movere supports the exclusion of user objects when querying AD, but this can only be performed from a command prompt. This option is currently unavailable via the Movere Console. The steps below detail how to exclude user objects from an AD scan and the impact this has on the results presented via the Movere website.
If AD user data is suppressed, Movere will still list the accounts logging into each device as part of the inventory and ARC scanning process, but it will not resolve them against AD. The user’s first name, last name, email address, company, employee number/ID, country fields etc. will be blank as Movere won’t have this data. This impacts products like SharePoint, Skype for Business, Exchange, RDS, Dynamics CRM, and Project Server from a user perspective only (e.g. Movere will still see the server(s) running these products, but it will not present the users accessing them). Everything else, including ARC data, will be unaffected, which is consistent with Movere’s primary purpose – being a cloud migration platform.
IMPORTANT: Excluding the collection of user data from AD will not impact the user data collected during the Movere registration process (including first name, last name, email address, job title and phone number), as this data is required to permit secure user access to the Movere website.
In the example below, we will be performing an AD scan of the ‘io.priv’ domain.
1. Enter AND assign the credentials you intend to use to query the target domain(s) either via the Movere Console from the ‘Manage Credentials’ and ‘Credential Mapping’ tabs OR use the ‘-credentials’ flag via a command prompt.
2. Open a command prompt as Administrator and navigate to the folder housing the Movere Console:
3. From the command prompt enter: Movere.service.exe -ad -domain:(domainname) -nouser.
NOTE: If you are using version 18.104.22.168 of the Movere Console or later, you will need to insert the -magicword flag before the -ad flag, and enter the Magic Word used to open the Console. For example: Movere.service.exe -magicword:(MagicWord) -ad -domain:(domainname) -nouser.
- Movere.service.exe -ad -domain:io.priv -nouser: This command will query the io.priv domain but will skip the extraction of user objects.
- Movere.service.exe -ad -domain:io.priv -nouser -credentials: This command will query the io.priv domain, skip the extraction of user objects and prompt for the credentials to be used. If the ‘-credentials’ flag is not used, Movere will use the credentials entered in the Movere Console in step 1.
- Movere.service.exe -ad -domain:io.priv -nouser -upload: If the Token.txt file has already been downloaded via the Movere Console then adding the ‘-upload’ flag will automatically upload to Movere the AD payload this command produces.
IMPORTANT: If you have any concerns at all about querying AD without user objects, then we recommend NOT using the ‘-upload’ flag OR, to be completely safe, deleting the Token.txt file from the folder housing the Movere Console if it has already been downloaded. This will allow you to review the Movere service log BEFORE anything is uploaded to confirm that user objects were correctly skipped as part of the AD scan.
NOTE: Movere operates at an individual payload level. If you inadvertently upload user objects, then simply rerun the AD extraction with the ‘-nouser’ flag (refer below) and the payload containing the user data will be purged from Movere and replaced with the AD payload that doesn’t contain any user objects.
Here is what the service log should look like using the second option, i.e. no user data and prompting for credentials:
If you do not see the ‘Skipping user data for domain’ line then the payload contains user objects. If this occurs then review the command entered to confirm that the ‘-nouser’ flag was correctly set.
If no user data was collected then the payload can be uploaded by opening the Movere Console and from the ‘Upload Scans’ tab select ‘Upload’. NOTE: This tab will only appear if the Movere Console is opened AFTER the scan has been completed. If it was already open, then close the Console and re-open it to reveal the ‘Upload Scans’ tab:
Alternatively, if the Token.txt file is still in place, the extraction can be re-run after adding the ‘-upload’ flag:
NOTE: Movere will still list the accounts logging into each device as part of the inventory and Actual Resource Consumption (ARC) scanning process, but it will not resolve them against Active Directory, i.e. the user’s first name, last name, email address, company, employee number/ID, country etc. will be blank as Movere won’t have this data. This will impact products like SharePoint, Skype, Exchange, RDS, CRM and Project Server from a user perspective only, i.e. Movere will still see the server(s) running these products, but it will not present the users accessing them. Everything else, including ARC data, will be unaffected, which is consistent with Movere’s primary purpose – being a cloud migration platform.
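The scan-then-review sequence above, scripted as an added PowerShell example (not Movere's own tooling): it runs the documented ‘-nouser’ command without ‘-upload’ and looks for the ‘Skipping user data for domain’ text only in the log lines written by that run, so a line left over from an earlier scan cannot pass the check. The $ServiceLogPath parameter and the assumption that the service log is appended to between runs are not from this page; supply the log location used by your installation.

```powershell
# Added example (not Movere's own tooling): run the documented -nouser scan
# without -upload, then check only this run's log lines for the skip message.
param(
    [Parameter(Mandatory)] [string] $ConsoleFolder,   # folder housing the Movere Console
    [Parameter(Mandatory)] [string] $ServiceLogPath,  # ASSUMPTION: path to the service log
    [Parameter(Mandatory)] [string] $Domain,          # e.g. io.priv
    [string] $MagicWord                               # only if your Console version needs -magicword
)
$ErrorActionPreference = 'Stop'
$marker = 'Skipping user data for domain'             # log text quoted on this page

# Work from the Console folder, as the manual steps do.
Set-Location -LiteralPath $ConsoleFolder

# Token.txt enables -upload; flag it so nobody uploads before the review below.
if (Test-Path -LiteralPath 'Token.txt') {
    Write-Warning 'Token.txt is present: do not add -upload until this check passes.'
}

# Record the current log length so a marker line from a previous run is not
# mistaken for this one (assumes the log file is appended to).
$before = 0
if (Test-Path -LiteralPath $ServiceLogPath) {
    $before = @(Get-Content -LiteralPath $ServiceLogPath).Count
}

# Build the command as documented; -upload is deliberately left out.
$scanArgs = @()
if ($MagicWord) { $scanArgs += "-magicword:$MagicWord" }
$scanArgs += '-ad', "-domain:$Domain", '-nouser'
& .\Movere.service.exe @scanArgs

# Inspect only the lines this run added to the log.
$all = @(Get-Content -LiteralPath $ServiceLogPath)
if ($all.Count -lt $before) { $before = 0 }           # log was rotated or truncated
$new  = @($all | Select-Object -Skip $before)
$hits = @($new | Where-Object { $_ -like "*$marker*" })

if ($hits.Count -eq 0) {
    Write-Warning "No '$marker' line in this run. Treat the payload as containing user objects and do not upload it."
    exit 1
}
$hits | ForEach-Object { Write-Output "OK: $_" }
Write-Output 'User objects were skipped; the payload can be uploaded from the Upload Scans tab.'
```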