In Nova Delegation & Policy Control (DPC) an on-premise agent can be deployed to interact with Active Directory in a hybrid environment. The agent executes a task called ‘Get On-Premises entities’ and this has some important options which should be considered. ¬†These options are:

  • Match Group Organizational Unit
  • Match User Organiational Unit

These are visible on the properties of the job, as shown below:

These checkboxes affect the way that objects are placed in the hierarchy. When the options are selected on-premise entities (like users, groups, contacts) from the Users container (in on-premise Active Directory) are placed in the domain root else they’re stored in the tenant root.

Here is an example to illustrate this:

Domain A
Domain B
Domain C

Domain D
Domain E

When ‘tenant 1’ is scanned and the checkboxes are deselected – all entities are stored in the ‘Tenant 1’ Organizational Unit.

When ‘tenant 1’ is scanned and the checkboxes are selected – all entities are stored based on their on-premise location in Domain A, Domain C, root Organizational Units.

