黑料海角91入口

Advanced Configurations for Active Directory Sync

Active Directory (AD) Sync provides one-way synchronization of passwords and other attributes from 黑料海角91入口 to AD. This agent allows password updates to be written back to AD from the 黑料海角91入口 Admin Portal, the 黑料海角91入口 User Portal, or any 黑料海角91入口-managed device. Full bidirectional synchronization is facilitated by the use of both the AD Import and AD Sync agents. 

Prerequisites

  • Domain Controllers are prepared for Active Directory Integration (ADI):
    • A 黑料海角91入口 ADI group has been created and is located in your designated Root User container in AD. This is needed for full bidirectional synchronization and management. This group is synced to your 黑料海角91入口 Administrator Portal and is indicated with an AD Integration icon. 
    • An AD service account (a standard domain user account) named "jcimport" has been created and has been granted the "Read all user information" permission using the Delegation of Control Wizard on the selected Root User container, or inherits it from an OU further up in the hierarchy. This user cannot be a domain admin, cannot have the user name "黑料海角91入口", and cannot be a member of the above-mentioned 黑料海角91入口 ADI security group.
    • See Configure the ADI for this information.
  • The AD Import agent is installed. See Configure the ADI.

Recommendations

  • We recommend creating a security group named 黑料海角91入口 Admins. This group isn't synced to the 黑料海角91入口 Administrator Portal, but is used to identify any accounts that you want to be Global Administrators or Sudo users in 黑料海角91入口. Any user that is a member of this group and also a member of the 黑料海角91入口 group will be granted Admin/Sudo privileges on all device associations to which they are bound by default. This function doesn't support members of nested groups.
  • For full bidirectional synchronization, we recommend that all Users and Groups to be synchronized with 黑料海角91入口 live under a single OU (the Root User Container) in Active Directory. This can be the default CN=Users container in AD or an alternate custom OU within the directory.
  • To manage users in different OUs, we recommend that these OUs be located underneath the primary Root User container. Users or groups located in these containers that are made members of the 黑料海角91入口 ADI security group allow AD Sync to properly synchronize passwords and attributes associated with those users.
  • We recommend that you align password complexity requirements between AD and 黑料海角91入口 as closely as possible. Otherwise passwords may not replicate if they're rejected by the destination directory's complexity requirements.
  • We recommend that you set the service account you use to authorize AD Sync's access to AD with a password that doesn't expire, if your security requirements allow this. If this isn't permissible under your security compliance requirements, then we recommend scheduling a maintenance window to reinstall the AD Sync agent every time the service account password changes.

Considerations

  • If you relocate users in AD, you could disrupt password synchronization.
  • If you remove users or groups from the 黑料海角91入口 ADI security group in AD, they're removed from the 黑料海角91入口 Admin Portal under the default AD Sync configuration options.
  • Managing privileged user accounts such as Domain Admins in AD isn't supported. Active Directory flags privileged accounts with "adminCount=1" in the directory, which results in any inherited permissions granted to the 黑料海角91入口 AD agent services being removed. This prevents 黑料海角91入口 from being able to effectively manage those privileged accounts.
  • Synchronization runs at approximately 90-second intervals.
  • If the password of the service account that is used to authorize AD Sync's access to AD is changed, the AD Sync agent will need to be uninstalled and reinstalled with the updated password.
  • When using both the AD Sync and AD Import agents, password expiration notifications are not sent to the end user or administrator. This can be counterintuitive, because AD Sync gives 黑料海角91入口 control over the user attributes and password.
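The prerequisites, recommendations and considerations above can all be verified against a live domain before the agents are installed. The following preflight script is an added example, not part of this page or the vendor's tooling. It assumes the RSAT ActiveDirectory PowerShell module is installed, and the ADI group name and Root User container DN passed in the usage lines are placeholders to be replaced with your own values; it does not inspect the container ACL for the delegated "Read all user information" right, which is still checked by hand.

```powershell
# Added example (not from the page or the vendor): preflight checks for the AD Sync prerequisites.
# Assumptions: RSAT ActiveDirectory module present; group name and container DN supplied by caller.
Import-Module ActiveDirectory

function Test-AdiPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $AdiGroupName,
        [Parameter(Mandatory)] [string] $RootUserContainerDN,
        [string] $ServiceAccount = 'jcimport'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # The ADI security group must exist and live under the designated Root User container.
    $group = Get-ADGroup -Filter "Name -eq '$AdiGroupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        $findings.Add("ADI group '$AdiGroupName' was not found.")
    } elseif ($group.DistinguishedName -notlike "*,$RootUserContainerDN") {
        $findings.Add("ADI group is at '$($group.DistinguishedName)', not under '$RootUserContainerDN'.")
    }

    # The service account must exist, must not be a Domain Admin, must not carry adminCount=1
    # (inherited delegations are stripped from such accounts) and must not sit in the ADI group.
    $svc = Get-ADUser -Filter "sAMAccountName -eq '$ServiceAccount'" `
                      -Properties adminCount, PasswordNeverExpires -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings.Add("Service account '$ServiceAccount' was not found.")
    } else {
        if ($svc.adminCount -eq 1) {
            $findings.Add("Service account '$ServiceAccount' has adminCount=1; inherited permissions will be removed.")
        }
        $isDomainAdmin = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            Where-Object { $_.distinguishedName -eq $svc.DistinguishedName }
        if ($isDomainAdmin) { $findings.Add("Service account '$ServiceAccount' is a Domain Admin.") }
        if ($group) {
            $inAdiGroup = Get-ADGroupMember -Identity $group -Recursive |
                Where-Object { $_.distinguishedName -eq $svc.DistinguishedName }
            if ($inAdiGroup) { $findings.Add("Service account '$ServiceAccount' is a member of the ADI group.") }
        }
        # Recommendation: a non-expiring password avoids reinstalling the agent on every rotation.
        if (-not $svc.PasswordNeverExpires) {
            $findings.Add("Service account '$ServiceAccount' password expires; plan an agent reinstall after each rotation.")
        }
    }

    # Consideration: privileged (adminCount=1) accounts inside the ADI group cannot be managed.
    if ($group) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties adminCount |
            Where-Object { $_.adminCount -eq 1 } |
            ForEach-Object { $findings.Add("Protected account in ADI group: $($_.SamAccountName) (adminCount=1).") }
    }

    # The delegated "Read all user information" right on the container is not verified here;
    # review it with the Delegation of Control Wizard or by inspecting the container ACL.
    Write-Output -NoEnumerate $findings
}

# Usage (placeholder values; replace with your own group name and container DN):
$issues = Test-AdiPrerequisites -AdiGroupName '<ADI-GROUP-NAME>' -RootUserContainerDN 'OU=Root Users,DC=corp,DC=example'
if ($issues.Count -eq 0) { 'All prerequisite checks passed.' } else { $issues | ForEach-Object { "FINDING: $_" } }
```

Run it as a domain user with read access to the directory; every finding maps to one of the bullets above, so an empty list means the environment matches the documented prerequisites apart from the container ACL.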

User Attribute Synchronization

黑料海角91入口 AD Sync can manage the following data fields in AD:

  • Password
  • First Name
  • Last Name
  • Email
  • Windows UserAccountControl flag for ACCOUNTDISABLE - this field is used for syncing the 黑料海角91入口 account status. Currently, 黑料海角91入口 only writes back a suspend status to AD. When a user is suspended in 黑料海角91入口, 黑料海角91入口 disables the user in AD through the Sync agent. Learn more about Configure the ADI.
  • MemberOf - this field is used to track group membership in AD. For this field to be synced, you need to install Sync agent v2.26.0 or later. Learn how to Configure the ADI.

黑料海角91入口 Users are associated with Active Directory Users based on the alignment of the Username and Email fields of users in 黑料海角91入口 and Active Directory. See Configure the ADI for UserFieldMapping settings configured in the AD Import agent that define the username field of the AD User.

Group Attribute Synchronization

黑料海角91入口 syncs the following data fields with AD Sync for groups:

  • Group Name

User and Group Management

To provision users to AD

The 黑料海角91入口 ADI security group that's created during AD Import installation is the primary management group for AD integration. This group is used to define the scope of user management with AD and allows full bidirectional synchronization between AD and 黑料海角91入口.

User Creation

You can create users in 黑料海角91入口 and connect them to an AD Domain using AD Sync. You can connect users to an AD Domain from the following places in the Admin Portal:

  • User panel Directories tab
  • Directories panel User tab

When you connect a user to an AD Domain, 黑料海角91入口 determines if a user with the same username exists on the domain. If a user with the same username doesn't exist, 黑料海角91入口 creates a user with the 黑料海角91入口 username on the AD Domain and generates a random password for the user. If a user with the same username exists on the domain, 黑料海角91入口 takes over the account, but doesn't generate a random password for the user.

To add a user to an AD Domain from the Users panel

  1. Go to USER MANAGEMENT > Users.
  2. Select a user to view their details.
  3. Select the Directories tab.
  4. Select the AD Domain you want to connect the user to.
  5. Click save user.

To add a user to an AD Domain from the Directories panel

  1. Go to DIRECTORY INTEGRATIONS > Active Directory.
  2. Select an AD Domain to view its details.
  3. Select the Users tab.
  4. Select a user to connect to the AD Domain.
  5. Click save.

Group Synchronization: Managing Groups from AD

  • Groups added to the 黑料海角91入口 ADI security group in AD are replicated to the 黑料海角91入口 Admin Portal along with all of the users that are members of that group. Because 黑料海角91入口 doesn't support nested groups directly, any groups in AD that are nested in another group are traversed recursively and their structure is flattened. Users are made a member of their primary group in 黑料海角91入口 and a member of the group in which they're nested in AD. For example, in AD, Group1 is a member of the 黑料海角91入口 group with members User1, User2 and Group2. Group2 is a member of Group1 and contains members User3 and User4. In 黑料海角91入口, Group2 is mirrored and User3 and User4 are bound. Group1 is mirrored and User1, User2, User3 and User4 are bound.
  • To manage group membership from 黑料海角91入口 to AD, and assign the memberOf attribute to a user account in AD, the AD-bound groups in 黑料海角91入口 are required to live under the Root User container configured during AD Sync agent installation, with the proper delegated controls and permissions.
  • Users that only exist in 黑料海角91入口 may also be bound to these groups in your 黑料海角91入口 Administrator Portal.
  • For alternate authoritative scenarios or more details regarding synchronization use cases, see the use cases in Get Started: ADI or contact 黑料海角91入口 for additional support.
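The flattening described in the first bullet above, worked through on the Group1/Group2 example from the text, is shown below as an added example that is not code from the page or the vendor. It models AD group membership as a constructed hashtable (group name to member names) so it runs offline, and does a breadth-first traversal per group with a per-group visited set, so nested and cyclic group references are handled and a group that is nested under two parents contributes its users to both. Against a live domain, `Get-ADGroupMember -Recursive` performs the same traversal.

```powershell
# Added example (not from the page or the vendor): flatten nested AD group membership the way
# the text describes. Input is a constructed hashtable: group name -> array of member names;
# a member whose name is itself a key of the table is a nested group, anything else is a user.
function Get-FlattenedMembership {
    param([Parameter(Mandatory)] [hashtable] $Membership)

    $flattened = @{}
    foreach ($groupName in $Membership.Keys) {
        $users = [System.Collections.Generic.HashSet[string]]::new()
        $seen  = [System.Collections.Generic.HashSet[string]]::new()
        $queue = [System.Collections.Generic.Queue[string]]::new()
        $queue.Enqueue($groupName)
        [void]$seen.Add($groupName)

        # Breadth-first walk of nested groups; $seen stops cycles (Group A in B in A).
        while ($queue.Count -gt 0) {
            $current = $queue.Dequeue()
            foreach ($member in $Membership[$current]) {
                if ($Membership.ContainsKey($member)) {
                    if ($seen.Add($member)) { $queue.Enqueue($member) }   # nested group: descend
                } else {
                    [void]$users.Add($member)                              # leaf: a user
                }
            }
        }
        # Each mirrored group gets the full, de-duplicated set of users beneath it.
        $flattened[$groupName] = @($users | Sort-Object)
    }
    return $flattened
}

# Constructed model of the example in the text: Group1 holds User1, User2 and the nested Group2;
# Group2 holds User3 and User4.
$adGroups = @{
    'Group1' = @('User1', 'User2', 'Group2')
    'Group2' = @('User3', 'User4')
}

$mirrored = Get-FlattenedMembership -Membership $adGroups
foreach ($g in ($mirrored.Keys | Sort-Object)) {
    '{0}: {1}' -f $g, ($mirrored[$g] -join ', ')
}
```

Each printed line corresponds to one group as it would appear after mirroring: Group2 with its own two users, and Group1 with its direct users plus everything inherited from Group2.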

Service Details

The agent is registered as a service to start automatically.

  • Display name: 黑料海角91入口 AD Sync Agent
  • Service name: JCADSyncAgent
  • Log located at C:\Program Files\黑料海角91入口\AD Sync\adsync.log

User Experience

Flow for Active Users

An active user is a user in an 'active' user state, has a password, and that password status is 'active'. After an administrator binds an active user to an external directory, the user receives an email telling them the directory they've been added to, and to sync their password by logging into their User Portal.

Users That are Bound to More Than One External Directory

Such users receive a separate email for each external directory they are bound to. Otherwise, the flow for users bound to more than one external directory is the same as for active users.

Flow for New Users

A new user is a user in an 'active' user state with a password status of 'password pending'. After an administrator binds a new user without a password to an external directory, the user receives a Welcome to 黑料海角91入口 (activation) email that takes them through how to register their new account. After the user registers their account, creates an account password, and logs in to their User Portal, their password is sent to the directories they're bound to, and 黑料海角91入口 will manage their password.

Integration with Entra Connect

When the AD Sync and/or AD Import tools are installed on a Windows Server that also has Entra Connect or Entra Connect cloud sync installed, your 黑料海角91入口 tenant can NOT be bound to your Entra ID or Microsoft O365 tenant. If Entra ID Connect is the only AD tool installed on the Windows Server, this too will NOT work with an Entra ID tenant bound to a 黑料海角91入口 tenant.

When 黑料海角91入口 is bound to an Entra ID tenant, password syncing will not correctly propagate from 黑料海角91入口 to Entra ID. Additionally, it will cause unintended interference with Microsoft's Entra ID password policy, which will prevent Microsoft users from resetting their own passwords using Microsoft's Self Service Password Reset (SSPR) portal. Lastly, there will be two password authorities, (on-prem) Active Directory and 黑料海角91入口, constantly in conflict with one another, each trying to write the same changes to Entra ID.

Bearing all of this in mind, you may have Microsoft and 黑料海角91入口 AD tools concurrently installed on a Windows Server provided that 黑料海角91入口 is NOT bound to an Entra ID tenant.

Warning:

If a Microsoft user and/or admin changes their Entra ID user password, the complexity of this password must match the password policy created in your 黑料海角91入口 Admin Portal for the Entra ID or (on-prem) Active Directory initiated write-back to be read and applied to your 黑料海角91入口 user's password.

Lastly, we have confirmed that enabling both 'Password writeback' and 'Sync password hashes' in the Entra Connect and Entra Connect Cloud Sync tools does not prevent our AD Integration tools from updating passwords for user identities managed both in your on-prem AD domain and your 黑料海角91入口 tenant.
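A quick way to check the Service Details above (service installed, started automatically, log still being written at the 90-second cadence) and, in the same pass, to notice whether Microsoft's Entra Connect or Entra Connect cloud sync agents are installed on the same server, which the section above allows only while the tenant is not bound to Entra ID. This is an added example and not the vendor's code. It assumes it runs on the server hosting the AD Sync agent, uses the service name and log path listed under Service Details, and relies on the Microsoft service names 'ADSync' (Entra Connect) and 'AADConnectProvisioningAgent' (Entra Connect cloud sync), which come from those products' installers rather than from this page.

```powershell
# Added example (not from the page or the vendor): health check for the AD Sync agent host.
# Assumptions: run on the agent server; service name and log path as listed under Service Details;
# Microsoft service names taken from the Entra Connect / cloud sync installers, not this page.
function Get-AdSyncAgentHealth {
    param(
        [string] $ServiceName = 'JCADSyncAgent',
        [string] $LogPath = 'C:\Program Files\黑料海角91入口\AD Sync\adsync.log',
        [int]    $ExpectedIntervalSeconds = 90,   # sync cadence stated on the page
        [int]    $TailLines = 20
    )
    $report = [ordered]@{}

    # The agent should be installed, running and registered to start automatically.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $report.ServiceInstalled = [bool]$svc
    if ($svc) {
        $report.ServiceStatus = $svc.Status.ToString()
        $report.StartType     = $svc.StartType.ToString()
    }

    # A log untouched for several sync intervals usually means the agent is stuck or its
    # service account credentials no longer work (for example after a password change).
    if (Test-Path -LiteralPath $LogPath) {
        $log = Get-Item -LiteralPath $LogPath
        $report.LogLastWrite = $log.LastWriteTime
        $report.LogStale     = ((Get-Date) - $log.LastWriteTime).TotalSeconds -gt (3 * $ExpectedIntervalSeconds)
        $report.LogTail      = Get-Content -LiteralPath $LogPath -Tail $TailLines
    } else {
        $report.LogFound = $false
    }

    # Microsoft sync agents on the same host are acceptable only while the tenant is not bound
    # to Entra ID; listing them here prompts that check.
    $msSync = Get-Service -Name 'ADSync', 'AADConnectProvisioningAgent' -ErrorAction SilentlyContinue
    $report.MicrosoftSyncServices = @($msSync | ForEach-Object { $_.DisplayName })

    [pscustomobject]$report
}

Get-AdSyncAgentHealth | Format-List
```

`LogStale` uses three missed intervals as its threshold, which is a judgement call rather than a documented value; adjust it to the tolerance your monitoring expects.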
