Documentation forSecurity Event Manager

Configure directory service groups in SEM

This section explains how to manage Active Directory groups for use with SEM rules and filters.

Complete the following tasks before you configure directory service groups for the first time:

  • Configure the Directory Service Query Connector
  • Sync Active Directory with SEM

See Configure Active Directory and SEM to work with SEM rules and filters for instructions.

About directory service groups

Active Directory groups that are configured to sync with SEM are called directory service groups. Directory service groups contain either Windows users or computer accounts. Any changes that you make in Active Directory propagate to SEM rules and filters.

If Active Directory is available, use directory service groups to add user and computer accounts to rules and filters. A user-defined group cannot be synchronized with Active Directory. Allowing SEM to access Active Directory directly via a directory service group means you do not have to maintain duplicate groups of user and computer records in SEM, saving time and reducing the risk of human error. Following integration, you can white-list or black-list select Active Directory groups using SEM rules and filters.

See About SEM groups to learn about the various group types that organize elements into logical units so that they can be used as parameters in rules and filters.

Create a directory service group and synchronize it with Active Directory

Complete these steps to select which Active Directory groups to synchronize with SEM. The synchronization process runs every five minutes if the connector is running.

Before you begin, the Directory Service Query connector must be configured on the SEM Manager.

  1. Open the SEM legacy Flash console. See Log in to the SEM web console for steps.

  2. On the SEM menu bar, navigate to Build > Groups.

  3. In the upper-right corner of the Groups toolbar, click , and then select Directory Service Group.

    The Select Directory Service Group form opens.

  4. From the list, select the SEM Manager that will use the DS groups.

  5. Use the folder tree on the left to populate the Available Groups pane on the right. The form displays the actual contents (folders and Group categories) of your directory service system.

    Each folder contains the group categories associated with that area of your directory service. You can maximize a folder to display the group categories within the folder.

    The Available Groups section lists a different set of group categories with each folder you select. For example, clicking the Users folder displays a different set of group categories compared to the Laptops folder.

  6. Select the DS groups that you want to import into SEM Manager.

  7. Repeat the previous two steps until you have selected all the groups that you want to import.

  8. Click Save.

    The system synchronizes the DS groups to SEM and adds them to the Groups grid.

    You can now use the DS groups with your rules and filters.

View a directory service group member on the SEM Console

The Groups grid displays various SEM groups, including each directory service group synchronized with SEM. Select a DS group in the grid to view the members of that group in the Directory Service Group pane.

  1. Open the SEM legacy Flash console. See Log in to the SEM web console for steps.

  2. On the SEM menu bar, navigate to Build > Groups.

  3. In the Groups grid, select the directory service group you want to view.

    To sort groups by group type, click the Type column heading.

    The Directory Service Group pane lists the group members.

Directory service group grid columns

The Directory Service Group pane lists each computer account and user account associated with the DS group. The following table describes each grid column.

Column Description


Displays an icon that shows if the group member is a user or a computer. The computer icon represents a computer account. The person icon represents a user account.


The name of the group member.


The description associated with the group member.

SAM Name

The account name of the member.

Principal Name

The principal name of the member.

Distinguish Name

The complete distinguished name of the member.


The email address of the member.

Remove a directory service group from SEM

Directory service groups can be deleted from SEM the same as any other group. See Delete a group for steps. Deleting a DS group does not remove the group from Active Directory, however. You can restore a DS group at any time.