Which two statements about FortiClient EMS integration with Active Directory (AD) are true? (Choose two answers)
Based on the FortiClient EMS 7.2/7.4 Administration Guide and the EMS Administrator Study Guide, the integration with Active Directory (AD) provides several automated management capabilities.
1. Analysis of the True Statements:
B. FortiClient installations on domain endpoints can be deployed from FortiClient EMS:
FortiClient EMS allows administrators to create Deployment Profiles specifically for Windows endpoints discovered via AD.
By providing AD administrator credentials within the deployment profile, EMS can remotely push the FortiClient MSI installer to domain-joined endpoints that do not yet have the software installed.
C. Endpoint profiles can be assigned to endpoints based on domain groups:
The core benefit of AD integration is the ability to map Endpoint Policies to specific AD Organizational Units (OUs) or Security Groups.
When an endpoint policy is assigned to an AD group, all FortiClient endpoints belonging to that group automatically receive the associated security profiles (Antivirus, Web Filter, VPN, etc.) defined within that policy.
2. Why Other Options are Incorrect/Secondary:
A. FortiClient EMS has full read-write access on the AD server:
The curriculum states explicitly that the LDAP/AD connection is read-only.
EMS cannot modify AD objects, create users, or change group memberships; it only synchronizes information from the AD server into the EMS database.
D. Imported AD endpoints cannot be directly deleted on FortiClient EMS:
While this is technically true in a functional sense (deleting a synced endpoint only results in it being re-added during the next sync, unless it is also removed from the AD OU), the curriculum prioritizes B and C as the primary functional features of the integration.
Note that the guide specifies the 'Delete' action in the Endpoints pane is restricted to non-domain devices to prevent synchronization conflicts.
3. Summary of Integration Features:
Sync Schedule: EMS periodically syncs with AD (default every 10 minutes) to update the endpoint list.
Policy Automation: Moving a user or computer to a different group in AD will cause EMS to automatically update their security posture based on the new group's assigned policy.