How to Configure AD sync
If you'd like to get an overview of what AD sync does, please review this article.
For this article, we're covering just AD Sync version 2. To confirm you're using version 2, you'll see a screen similar to this:
You'll have an option to Add a connection which allows you to sync from multiple domain controllers with Two-way trusts enabled.
- Types - Shows the types of objects you're syncing (i.e. Employees, Logins, Groups)
- #Targets - Shows how many targets are selected for this connection
- #Objects - How many total objects are targeted across all targets
Note: This screen shows the current live count of all targets and objects.
1. Ensure that you have a service account created in Active Directory for AD sync
2. Create a Security Group (example: IntranetUsers) and add all Intranet users to that group
3. If you do not wish to use a Security Group, create an OU that contains all the Intranet users
4. All users need to have a First Name, Last Name and pre-Windows 2000 username in Active Directory
Step 1 - Define Connection
Enabling AD Sync
- Click on the Admin icon on the Admin page
- Click Security
- Click Active Directory Synchronization
- Click Add Connection
- Enter your Domain Controller information
- Username must be in the format of Domain\Username
- Click Test Connection, and ensure that the connection is successful
- Click Save & Continue
Step 2 - Add Targets
On the next screen, you can define the scope of what you want synced over from AD.
Before syncing over your objects, you can determine which types of objects you're looking to add to your Intranet.
- Employees: This object brings over the login for access and security, as well as the employee's profile information such as Title, Location, Photo, etc., which will be displayed within the Employee/Staff Directory.
- Logins: This object brings over just the user's login for access and security within the intranet. They will not have an Employee profile created within the Employee Directory. Passwords are not stored in the database as their authentication happens against your domain controller.
- Groups: This object brings over Active Directory Groups within the targeted OU. These groups can be used to assign security for Apps, pages and Sites inside the product. It is not possible for nested groups to be included if they are not part of the scope defined within the 'Select Organizational Unit' section of this page.
Select Organizational Unit
In order for Employees, Logins, and Groups to come over from AD, they need to be part of the scope our software uses to pull them over and make updates within the Intranet for those accounts. We recommend selecting specific OUs or using a group filter containing no more than 1000 objects each. We do not recommend syncing more than 3000 Employee objects total across all targets.
- Select the OU where you want to start pulling in your accounts from (e.g. Gregerton as shown above)
- Select the Group Filter (if applicable) to reduce the scope to just the intended users/groups
- Confirm the correct users/groups are showing in the Object Preview window
- Click 'Add Target' (above the Object Preview window)
Group Filter - Often, you may have service accounts that live within the defined scope but don't need to be synced over to the intranet. To filter down to the list of desired Users, you can select a group that these users belong to using the Group Filter option shown above. In many cases, our customers create an "IntranetUsers" group in Active Directory and add all Users that will need access to the intranet to this group.
Object Preview - If a User or Group is missing from this list, confirm they meet the user requirements mentioned in prerequisites listed above. If a user
The object preview window will allow you to preview what users you are bringing in to the Intranet. We recommend checking the Object Preview section before adding a target to ensure you are syncing in the right set of users. You can also check to see if a user(s) is active or inactive in Active Directory. A user with a down arrow on the profile icon means that the user is disabled in Active Directory, as shown below:
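As an added example (not from this article or the product), the following PowerShell check uses the RSAT ActiveDirectory module to audit a planned target before you add it: it takes the users in a hypothetical OU who are members of the IntranetUsers filter group and reports which ones lack a First Name, Last Name or pre-Windows 2000 username, which ones are disabled, and whether the target stays within the recommended 1000 objects. The OU distinguished name and domain are placeholders.

```powershell
# Added example, not part of the original article: audit a planned AD Sync target
# against the prerequisites (First Name, Last Name, pre-Windows 2000 username).
# Assumes the RSAT ActiveDirectory module; OU and group names below are placeholders.
Import-Module ActiveDirectory

$SearchBase   = 'OU=Gregerton,DC=example,DC=local'  # hypothetical target OU
$GroupFilter  = 'IntranetUsers'                     # group used as the Group Filter
$MaxPerTarget = 1000                                # recommended per-target ceiling

# Resolve the filter group recursively so users in nested groups are checked too,
# then keep only user objects (service accounts outside the group drop out here).
$memberDns = Get-ADGroupMember -Identity $GroupFilter -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty DistinguishedName

# Users inside the target OU that are also members of the filter group.
$inScope = Get-ADUser -Filter * -SearchBase $SearchBase `
    -Properties GivenName, Surname, SamAccountName, Enabled |
    Where-Object { $memberDns -contains $_.DistinguishedName }

$report = foreach ($u in $inScope) {
    $missing = @()
    if ([string]::IsNullOrWhiteSpace($u.GivenName))      { $missing += 'First Name' }
    if ([string]::IsNullOrWhiteSpace($u.Surname))        { $missing += 'Last Name' }
    if ([string]::IsNullOrWhiteSpace($u.SamAccountName)) { $missing += 'pre-Windows 2000 username' }
    [pscustomobject]@{
        User    = $u.DistinguishedName
        Enabled = $u.Enabled            # disabled users show the down arrow in Object Preview
        Missing = ($missing -join ', ')
    }
}

# Users that would not meet the prerequisites, one line each.
$report | Where-Object { $_.Missing } | Format-Table -AutoSize

$disabled = @($report | Where-Object { -not $_.Enabled }).Count
$skipped  = @($report | Where-Object { $_.Missing }).Count
"{0} users in scope, {1} disabled, {2} missing required attributes" -f $report.Count, $disabled, $skipped

if ($report.Count -gt $MaxPerTarget) {
    Write-Warning "Target has $($report.Count) objects, above the recommended $MaxPerTarget; split it into smaller OUs or group filters."
}
```

Run it once per planned target with the account you intend to use for the sync so the preview reflects what that account can actually read.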
Sync Target List - The Sync Target list section has 4 columns:
- Type: This displays the object type that is added as a sync target
- Organizational Unit: This displays the Organizational Unit that is added as a sync target
- Filter: This displays the Security Group selected in the Group Filter
- Objects: This displays the number of users or groups brought into the Intranet