While Movere can still be used to query AD for user objects (default behavior), there are situations when this data is not required. Movere now supports the exclusion of user objects when querying AD. The steps below detail how to exclude user objects from an AD scan and the impact this has on the results presented via the Movere website.
IMPORTANT: Excluding user objects from a Movere AD scan can ONLY be performed from a command prompt. We currently do not offer this option via the Movere Console.
In the example below, we will be performing an AD scan of the ‘io.priv’ domain.
1. Enter AND assign the credentials you intend to use to query the target domain(s) either via the Movere Console from the ‘Manage Credentials’ and ‘Credential Mapping’ tabs OR use the ‘-credentials’ flag via a command prompt.
2. Open a command prompt as Administrator and navigate to the folder housing the Movere Console:
3. From the command prompt enter: movere.service.exe -ad -domain:(domainname) -nouser
- movere.service.exe -ad -domain:io.priv -nouser: This command will query the io.priv domain but will skip the extraction of user objects.
- movere.service.exe -ad -domain:io.priv -nouser -credentials: This command will query the io.priv domain, skip the extraction of user objects, and prompt for the credentials to be used. If the ‘-credentials’ flag is not used, Movere will use the credentials entered in the Movere Console in step 1.
- movere.service.exe -ad -domain:io.priv -nouser -upload: If the Token.txt file has already been downloaded via the Movere Console, then adding the ‘-upload’ flag will automatically upload to Movere the AD payload this command produces.
IMPORTANT: If you have any concerns at all about querying AD without user objects, then we recommend NOT using the ‘-upload’ flag OR, to be completely safe, deleting the Token.txt file from the folder housing the Movere Console if it has already been downloaded. This will allow you to review the Movere service log BEFORE anything is uploaded to confirm that user objects were correctly skipped as part of the AD scan.
NOTE: Movere operates at an individual payload level. If you inadvertently upload user objects, then simply rerun the AD extraction with the ‘-nouser’ flag (refer below) and the payload containing the user data will be purged from Movere and replaced with the AD payload that doesn’t contain any user objects.
Here is what the service log should look like using the second option, i.e. no user data and prompting for credentials:
If you do not see the ‘Skipping user data for domain’ line then the payload contains user objects. If this occurs then review the command entered to confirm that the ‘-nouser’ flag was correctly set.
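One way to automate the check described above, as an added example rather than Movere's own tooling: the PowerShell script below moves Token.txt out of the console folder, runs the documented scan without ‘-upload’, and puts the token back only if the service log shows the skip line. The console folder, the service log path and the parking location are assumed placeholders, since this page does not state them.

```powershell
# Added example: pre-upload gate for a Movere AD scan run with -nouser.
# Assumptions (not from the Movere documentation): ConsoleDir, LogPath and
# ParkedToken are placeholders; point them at your own installation.
param(
    [Parameter(Mandatory)] [string] $Domain,
    [string] $ConsoleDir  = 'C:\Movere',                       # placeholder
    [string] $LogPath     = 'C:\Movere\service.log',           # placeholder
    [string] $ParkedToken = (Join-Path $env:USERPROFILE 'Movere-Token.parked')
)

$ErrorActionPreference = 'Stop'
$exe    = Join-Path $ConsoleDir 'movere.service.exe'
$token  = Join-Path $ConsoleDir 'Token.txt'
$marker = 'Skipping user data for domain'    # log line named on this page

# With Token.txt out of the console folder, nothing is uploaded before review.
$hadToken = Test-Path -LiteralPath $token
if ($hadToken) { Move-Item -LiteralPath $token -Destination $ParkedToken -Force }

# Remember how long the log already is, so only this run's lines are checked.
$before = 0
if (Test-Path -LiteralPath $LogPath) {
    $before = @(Get-Content -LiteralPath $LogPath).Count
}

# Run the scan as documented above, without -upload.
& $exe -ad "-domain:$Domain" -nouser
$exitCode = $LASTEXITCODE

$all = @(Get-Content -LiteralPath $LogPath)
if ($all.Count -lt $before) { $before = 0 }  # log was rotated or truncated
$hits = @($all | Select-Object -Skip $before |
          Where-Object { $_.Contains($marker) })

if ($hits.Count -eq 0) {
    # Fail closed: the token stays parked, so the payload cannot be uploaded.
    Write-Warning "No '$marker' line found for ${Domain}; treat the payload as containing user objects."
    Write-Warning "Token.txt (if present) remains at $ParkedToken. Check the -nouser flag and rerun."
    exit 1
}

# Skip line found: restore the token so the payload can be uploaded.
if ($hadToken) { Move-Item -LiteralPath $ParkedToken -Destination $token -Force }
Write-Output "Verified $($hits.Count) skip line(s) for ${Domain} (scan exit code $exitCode)."
```

The script fails closed: if the log cannot be read or the skip line is missing, Token.txt stays outside the console folder until someone has reviewed the run.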
If no user data was collected then the payload can be uploaded by opening the Movere Console and from the ‘Upload Scans’ tab select ‘Upload’. NOTE: This tab will only appear if the Movere Console is opened AFTER the scan has been completed. If it was already open, then close the Console and re-open it to reveal the ‘Upload Scans’ tab:
Alternatively, if the Token.txt file is still in place, the extraction can be re-run after adding the ‘-upload’ flag:
NOTE: Movere will still list the accounts logging into each device as part of the inventory and Actual Resource Consumption (ARC) scanning process, but it will not resolve them against Active Directory, i.e. the user’s first name, last name, email address, company, employee number/ID, country etc. will be blank as Movere won’t have this data. This will impact products like SharePoint, Skype, Exchange, RDS, CRM and Project Server from a user perspective only, i.e. Movere will still see the server(s) running these products, but it will not present the users accessing them. Everything else, including ARC data, will be unaffected, which is consistent with Movere’s primary purpose being a cloud migration platform.