
Active Directory

Active Directory Structure

Active Directory Structure Update Frequency

Change this to modify how often OVERLAPS performs a full scan of Active Directory for changes to its structure. Changes it looks for include: new Organisational Units (OUs), removed OUs, and moved or renamed OUs.

Finding the correct values for this will depend on many things including the overall size of your domain, and how frequently it changes.

Note that this only covers the full scan and refresh of the AD structure. In addition to this, OVERLAPS runs a smaller scan for specific changes every 30 minutes.

By default this is set to “Every day (during the night only)”.

Automatically Scan On Service Start

Check this box to have OVERLAPS automatically carry out a full Active Directory structure scan whenever the service reloads. This is not usually needed but can be used in combination with the Update Frequency to more accurately control when a scan takes place.

Schedule Scan Now

Check this box to request an Active Directory structure scan at the next available opportunity (usually within a few minutes).

Active Directory Groups Refresh

Group Refresh Frequency

To decrease overhead on the login process, OVERLAPS periodically scans any groups that have been added, looking for new members and for users that have been removed. Set this value to control how often this happens.

**Note that this is not required for new group members logging in for the first time, but is more important for preventing users who have been removed from a group from logging in.**

Queue Group Refresh Operations

If checked, group refresh triggers are added to a queue and processed sequentially. Otherwise the operations are handled in a multithreaded manner.

Active Directory Domains

Here you will see a list of all domains that OVERLAPS has detected in your forest, and any forests with which you have a trust relationship. Each domain can be enabled or disabled for use or access within OVERLAPS.

Note that the current root domain cannot be disabled.

Active Directory Credentials

By default, the OVERLAPS server’s LOCAL SYSTEM account is used to query Active Directory. However, in environments where this is not practical, you can provide the credentials of an alternate Service Account here. OVERLAPS will then use this account when retrieving any information from Active Directory.

**Note that these credentials are stored encrypted in the OVERLAPS database.**

Directory Connection Priority

In order to provide the maximum level of support for all possible Active Directory configurations, OVERLAPS supports all three principal means of querying it:

Directory Searchers

Lightweight Directory Access Protocol (LDAP)

Security Principals

By default, OVERLAPS will prefer the Directory Searchers protocol. However, if you are having domain connectivity issues, you can try the others for User, Group and Computer operations as best suits your environment.

Generally speaking, these should be left as the defaults unless you are experiencing problems when adding users or getting the members of groups. If you have any doubts, please contact our Support Team for assistance (Getting Support).

Permissions Snapshot Settings

Permissions snapshots are used to capture the state of your container permissions prior to making any changes so that the permissions can be restored if something goes wrong.

Snapshot Container Names

If checked, along with the permissions, the snapshot will also record the new names of any renamed containers.

Fully Revert Container Names

If Snapshot Container Names (above) is also checked, restoring a snapshot will fully replace all container names with those from the snapshot. If the snapshot does not contain a new name for a container, but that container has subsequently been renamed, it will be reverted to its default name. Leaving this unchecked means that, in this latter situation, the container retains its new name.
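The difference between the two restore behaviours is easiest to see on a small case. The following is an added illustration, not OVERLAPS code: it models container names as a mapping from distinguished name to custom name, treats a container missing from the mapping as having its default name, and assumes names recorded in the snapshot are put back in both modes. The function name and the sample OUs are constructed for the example.

```python
"""Model of snapshot name restore (illustrative; not the product's code)."""

# Constructed sample data: custom names keyed by container DN.
# A container that is absent from a mapping is using its default name.
SNAPSHOT = {"OU=Sales,DC=example,DC=test": "Sales Team"}
CURRENT = {
    "OU=Sales,DC=example,DC=test": "Sales (EMEA)",  # renamed again since
    "OU=Lab,DC=example,DC=test": "Test Lab",        # renamed after snapshot
}


def restore_names(current, snapshot, fully_revert):
    """Return (names_after_restore, changes) for a snapshot restore.

    changes is a list of (dn, old_name, new_name); new_name None means
    the container goes back to its default name.
    """
    result = dict(current)
    changes = []

    # Assumption: names held in the snapshot are restored in both modes.
    for dn, snap_name in snapshot.items():
        if current.get(dn) != snap_name:
            changes.append((dn, current.get(dn), snap_name))
        result[dn] = snap_name

    # Containers renamed after the snapshot and therefore absent from it:
    # only "Fully Revert Container Names" resets them to the default.
    for dn, cur_name in current.items():
        if dn not in snapshot and fully_revert:
            changes.append((dn, cur_name, None))
            del result[dn]

    return result, changes


if __name__ == "__main__":
    for mode in (True, False):
        names, changes = restore_names(CURRENT, SNAPSHOT, fully_revert=mode)
        print(f"fully_revert={mode}")
        for dn, old, new in changes:
            print(f"  {dn}: {old!r} -> {new or '(default)'!r}")
```

Running a preview like this before a restore shows which later renames would be lost with the option checked.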

Scheduled Snapshots

If checked, a snapshot of your permissions is automatically captured every night.

Remove automatic snapshots once they are older than this many days

Specify how long to keep automatic snapshots if they are enabled above.

Domain Controller Settings

Enable Domain Controller Caching

By default, OVERLAPS will scan your network for Domain Controllers and maintain an internal cache of them so it knows which ones to use. However, if you regularly have DCs going offline, this can lead to errors where OVERLAPS doesn’t realise a DC is offline and continues trying to query it. For this reason you can uncheck this box to make OVERLAPS stop using its cache and instead request a DC from AD for each request.

Domain Controller Health Check

If enabled, OVERLAPS will periodically scan known Domain Controllers to make sure it can talk to them. If it can’t then the DC is automatically blacklisted so that no further attempts are made to use it. This can be used as an alternative to disabling the Cache, but generally shouldn’t be required.

Workarounds

This section is provided for current and future workarounds we may deploy to resolve issues in very specific domain environments. These options should generally only be modified if you encounter an issue that you feel may be related, or if you want to try out one of the experimental features. If you have any doubts, or would like to know more about a specific setting, please contact our Support Team (Getting Support).

Enable Multi-Forest Authentication

Use this in environments with more than one Active Directory forest where users of different (trusted) forests need to log in to OVERLAPS. Enabling this feature will allow you to add groups and users from the other forests in your network.

Measure Query Performance

If checked, most Active Directory operations will be measured to help locate bottlenecks. This information is only written to the log, and only if the Log Level is set to Debug. Note that enabling this feature may also impact the performance of your OVERLAPS server.

Allow users with the Read Computer Information permission to access Bitlocker Recovery Keys

If checked, any users who have the “Read Computer Information” permission to a container will also be able to retrieve a computer’s Bitlocker Recovery Key from the Computer Information window.

This requires additional Active Directory permissions for the OVERLAPS service. For more information on the permissions and how to set them, see Installation and Configuration -> Active Directory -> Bitlocker Recovery Key Permissions.

Default Search Container

Sets the default container that the Search window will be set to use when looking up computers (this container and any children beneath it). Note that users can override this setting when performing a search.

The Container Limit Dropdown when Searching

Click Browse to show a tree for you to select a container from. Clicking Clear Setting removes this default.