The 黑料海角91入口 Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between 黑料海角91入口 and on-premise or off-premise AD. As covered in Get Started with the Active Directory Integration, the ADI uses two agents: an import agent and a sync agent that can be installed in three (3) configurations. The configurations are determined by where you want to manage users, groups, and passwords.
- Manage users, groups, and passwords in AD
- Manage users and passwords in either system, or both
- Manage users, groups, and passwords in 黑料海角91入口
This article covers how to leverage the ADI depending on your configuration and use case.
Prerequisites
- You’ve read and are familiar with the concepts in step 1 of this series, Get Started with the Active Directory Integration (ADI).
- The ADI agent(s) are installed and running on your AD servers. See Configure the Active Directory Integration.
Sync interval
The ADI agents check for updates from 黑料海角91入口 and the Domain Controller(s) every 90 seconds, so a change made on one side is reflected on the other within that interval.
Use cases and workflows
The table shows a summary of the most common use cases and the ADI configurations that support them. Reference Configure the Active Directory Integration for more information.
ADI Configuration | Use case | User and Group Authority | Password authority | Data sync direction | Server type(s) on which agent(s) can be installed | Install Import Agent | Install Sync Agent
---|---|---|---|---|---|---|---
Manage users, groups, and passwords in AD | Extend AD | AD | AD | AD to 黑料海角91入口 | Domain Controllers | Yes | No
Manage users and passwords in either system, or both | Extend AD | Either or both | Either or both | Two-way | Domain Controllers, Member Servers | Yes | Yes
Manage users and passwords in either system, or both | Minimize AD footprint | Either or both | Either or both | Two-way | Domain Controllers | Yes | Yes
Manage users and passwords in either system, or both | Migrate away from AD | Either or both | Either or both | Two-way | Domain Controllers, Member Servers (Sync agent only) | Yes | Yes
Manage users, groups, and passwords in 黑料海角91入口 | Minimize AD footprint | 黑料海角91入口 | 黑料海角91入口 | 黑料海角91入口 to AD | Domain Controllers, Member Servers | No | Yes
Manage users, groups, and passwords in 黑料海角91入口 | Migrate away from AD | 黑料海角91入口 | 黑料海角91入口 | 黑料海角91入口 to AD | Domain Controllers, Member Servers | No | Yes
Workflow for Managing Users, Groups, and Passwords in AD
When the 黑料海角91入口 ADI is configured for AD Import only, the illustrations below show the user identity workflows for any user data changes or password updates. This configuration lets admins extend their AD users and passwords to 黑料海角91入口, which can then extend these identities to resources such as RADIUS WiFi or VPN networks, SSO applications, LDAP resources, and more.
If you’re only using AD Import, continue to the Using the AD Import Agent section of this article and disregard the Using AD Sync section.
AD Import Agent Only - Single Domain Workflow
AD Import Agent Only - Multiple Domain Workflow
Workflow for Managing Users, Groups, and Passwords in AD, 黑料海角91入口, or Both
When the 黑料海角91入口 ADI is configured for AD Import and AD Sync, the illustrations below show the user identity workflow for any changes or password updates. This configuration lets admins extend their AD users and passwords to 黑料海角91入口 and also lets 黑料海角91入口 manage identities and passwords within AD for synced users.
Two-way Sync - Single Domain Workflow
Two-way Sync - Multiple Domain Workflow
Workflow for Managing Users, Groups, and Passwords in 黑料海角91入口
When the 黑料海角91入口 ADI is configured for AD Sync only, the illustrations below show the user identity workflow for any changes or password updates in this configuration. This scenario allows Admins to manage identities and passwords within AD solely from 黑料海角91入口 for synced users.
AD Sync Agent Only - Single Domain Workflow
AD Sync Agent Only - Multiple Domain Workflow
Using the AD Import Agent
When the import agent is installed on a member server, the password is not synced from AD to 黑料海角91入口.
The AD import agent allows you to do the following in 黑料海角91入口 from AD:
- Import users
- Update and deactivate user accounts
If the AD import agent is installed on a DC, it also allows you to:
- Activate the user’s password
To import users from AD into 黑料海角91入口
The AD Import Agent will only import users that you directly add as a memberOf the 黑料海角91入口 ADI Security Group within AD (i.e., the Security Group you created during the AD Import Agent installation).
There are two ways to specify which users to import from AD to 黑料海角91入口:
- through a direct membership to the 黑料海角91入口 ADI Security Group
- through a Security Group that is a member of the 黑料海角91入口 ADI Security Group
How passwords are handled for users added in AD who already exist in 黑料海角91入口 is controlled by the UserTakeoverAction setting in the AD import configuration file. The default value is deactivate, which removes the user’s 黑料海角91入口 password and sets the account to a Password Pending status. The user temporarily loses access to their 黑料海角91入口-provisioned resources (such as RADIUS, LDAP, SSO apps, etc.) until the password is updated within AD. See the Advanced Configurations for AD Import article for more information about UserTakeoverAction.
To import a single user from AD to 黑料海角91入口
- Open Active Directory Users and Computers (ADUC) by clicking the Start button, typing “dsa”, and clicking the Active Directory Users and Computers icon.
- Once ADUC is open, navigate to a user that you would like to import into 黑料海角91入口.
- Right-click on the target user and click Properties.
- Navigate to the Member Of tab in the Properties menu.
- Click Add. Then add this user as a member of the 黑料海角91入口 ADI Security Group.
- Click Apply. Wait up to 90 seconds and then check to see if the user has been fully imported into 黑料海角91入口. This validates that your AD Import Agent is working appropriately.
The user is created with a Password Status of Password Pending and has an AD Integration badge below their email address. The user state is controlled by the setting under Users > Settings > Default User State for User Creation > Manual/Single User API. See Manage User States for more information about this setting.
Users who existed in AD before the AD import agent was installed must update their password in AD or an AD-managed resource for the Password Status to become active in 黑料海角91入口.
If the import agent is installed on your DCs, users created in AD after the AD import agent was installed will have their passwords automatically imported/updated in 黑料海角91入口 and their Password Status will be active.
To import multiple users from AD into 黑料海角91入口:
This method allows you to import all users that are members of a specific Security Group. For example, if you want to import all AD users that are members of the Accounting Security Group, you would make the Accounting Security Group a memberOf the 黑料海角91入口 ADI Security Group. This imports the Accounting Security Group and all users that are members of it.
- Open Active Directory Users and Computers (ADUC) by clicking the Start button, typing “dsa”, and clicking the Active Directory Users and Computers icon.
- Once ADUC is open, navigate to the Security Group whose members you would like to import into 黑料海角91入口.
- Right-click on the target Security Group and click Properties.
- In the Security Group Properties Menu, click the Member Of tab and click Add.
- Add this Security Group to the 黑料海角91入口 ADI Security Group and click Apply.
- Wait 90 seconds for both the Security Group and the users within that Security Group to be created in 黑料海角91入口. You will see both the user accounts and user groups within 黑料海角91入口’s Admin Portal marked by an AD Integration badge.
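The single-user and group-based import procedures above, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module and uses a placeholder name, JC-ADI-Import, for the 黑料海角91入口 ADI Security Group; the password-status prediction applies only when the import agent runs on a Domain Controller.

```powershell
# Added example, not part of the original article. Assumes the RSAT ActiveDirectory
# module and that the 黑料海角91入口 ADI Security Group created during import agent
# installation is named 'JC-ADI-Import' (placeholder; substitute your own group name).
Import-Module ActiveDirectory

$AdiGroup = 'JC-ADI-Import'   # placeholder name for the 黑料海角91入口 ADI Security Group

# Single user: add a direct membership, exactly as the ADUC "Member Of" steps do.
function Add-AdiUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Add-ADGroupMember -Identity $AdiGroup -Members $SamAccountName
}

# Multiple users: nest an existing security group (e.g. Accounting) in the ADI group,
# so the group and all of its members are imported.
function Add-AdiGroup {
    param([Parameter(Mandatory)][string]$GroupName)
    Add-ADGroupMember -Identity $AdiGroup -Members (Get-ADGroup -Identity $GroupName)
}

# Preview what the import agent will pick up: direct members plus members of nested
# groups (-Recursive flattens the nesting). PasswordLastSet shows who will arrive as
# Password Pending: accounts whose last password change predates the agent install
# must change their AD password before their 黑料海角91入口 password status becomes Active
# (this holds only when the import agent is installed on a Domain Controller).
function Get-AdiImportPreview {
    param([Parameter(Mandatory)][datetime]$AgentInstalledOn)
    Get-ADGroupMember -Identity $AdiGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, PasswordLastSet |
        ForEach-Object {
            $status = if ($_.PasswordLastSet -and $_.PasswordLastSet -ge $AgentInstalledOn) {
                'Active'
            } else {
                'Password Pending'
            }
            [pscustomobject]@{
                SamAccountName         = $_.SamAccountName
                Enabled                = $_.Enabled
                PasswordLastSet        = $_.PasswordLastSet
                ExpectedPasswordStatus = $status
            }
        }
}

# Usage (constructed names and date): nest the Accounting group, wait one 90-second
# poll interval, then compare the preview with the AD Integration badges in the portal.
Add-AdiGroup -GroupName 'Accounting'
Start-Sleep -Seconds 90
Get-AdiImportPreview -AgentInstalledOn (Get-Date '2024-01-15') | Format-Table -AutoSize
```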
To sync user passwords from AD to 黑料海角91入口
Syncing passwords from AD to 黑料海角91入口 is only applicable when the import agent is installed on DCs. When the import agent is installed on member servers, the password is not synced from AD to 黑料海角91入口.
When existing AD users are imported from AD into 黑料海角91入口, there is no password associated with their account in 黑料海角91入口 until the user resets their password in AD. You’ll see the newly imported users in 黑料海角91入口 marked with an AD badge and in an orange Password Pending password status within the user menu.
Users MUST change their AD password within AD or on a domain-managed resource to set a password on their 黑料海角91入口 account. This is a required step. If the user never resets their password in AD, 黑料海角91入口 will never receive a password and the user will never be able to access their 黑料海角91入口-managed resources.
Users created in AD after the 黑料海角91入口 AD Import Agent was installed arrive in your 黑料海角91入口 tenant with a green Active state and do not require a password reset from within AD.
To sync a password from AD to 黑料海角91入口
- Users will need to change their password in AD or on an AD-managed resource.
- Within 90 seconds, on the Users page of the 黑料海角91入口 Admin Portal, you should see the user’s Password Status change from the orange Password Pending state to a green check-marked Active status with the expiry date from AD.
The password expiry date for AD-managed users is the expiry date from AD as the expiry is managed by AD, not 黑料海角91入口.
- All Password changes moving forward will need to be done within AD or on AD-bound resources.
If you’re planning to use AD Sync alongside AD Import, passwords can be updated in 黑料海角91入口 after this required initial password change has taken place in AD, as outlined in the steps above. This requirement applies to both the AD Import only and the AD Import & Sync use cases.
To create, update, and disable user accounts
These changes on a user or user group will be reflected within 黑料海角91入口 in approximately 90 seconds.
Now that AD Import has been installed and configured, AD admins can manage 黑料海角91入口 user accounts from AD, including the following attributes, for any CrUD operation (Create, Update, and Deactivate/Disable):
- firstname
- lastname
- username
- password, and
- user state (active or disabled)
Creating new users in AD
Follow the same process outlined above for importing users from AD into 黑料海角91入口.
- Create a new user account in AD
- Add the user to the 黑料海角91入口 ADI security group
- Wait 90 seconds
- Verify the user was created in 黑料海角91入口.
Updating user attributes in AD
When you change any attributes of an AD user which is currently synced via the AD Import Agent, this will reflect within your 黑料海角91入口 tenant in approximately 90 seconds. For example, if you change the First or Last Name of a user, this will reflect on the 黑料海角91入口 user鈥檚 First or Last Name attribute in 90 seconds.
Disabling users in AD
When you delete, suspend, or deactivate a user within AD, the user is in turn deleted from 黑料海角91入口, removing access to any 黑料海角91入口-managed resources they had access to, such as RADIUS, LDAP, or SSO applications.
Using AD Sync
If you’re choosing to also leverage the functionality of the AD Sync Agent with your AD Integration, this allows 黑料海角91入口 to push CrUD changes of synced users down to AD. With the AD Sync Agent in place, you will be able to do the following:
- Create users in 黑料海角91入口 which will then push down to AD.
- When users change passwords in 黑料海角91入口, this new password will be pushed down to their AD user account.
- When you suspend or delete a user in 黑料海角91入口, this will disable the user Account in AD.
To sync an existing user from 黑料海角91入口 to AD
This functionality creates 黑料海角91入口 users in AD if they don’t already exist there. It also lets 黑料海角91入口 either take over management of the user, if you have configured a one-way sync from 黑料海角91入口 to AD (only the AD sync agent is running), or co-manage the user with AD in a two-way sync configuration (both the AD import and AD sync agents are running).
Follow the steps below to sync users from 黑料海角91入口 to AD.
If you are managing users in both 黑料海角91入口 and AD (two-way sync) and you left UserTakeoverAction at its default value, deactivate, then when you sync users with passwords from 黑料海角91入口 to AD, the AD import agent changes those users’ 黑料海角91入口 password status from Active to Password Pending. This results in the users losing access to any resources assigned to them in 黑料海角91入口. To prevent this, see Advanced Configurations for AD Import and change the UserTakeoverAction attribute to retain.
- Navigate to your user in 黑料海角91入口 and open up their Details.
- Click the User Groups tab in the user details panel.
- Assign user to a 黑料海角91入口 group and click Save.
- Wait for Active Directory badge to appear.
- Bind this user to the user group which they need to be a memberOf in AD (that is also synced using the ADI). In our example, we can see the Accounting User Group is tied to AD via the Directories in the drop-down menu.
- Click Save User. The user will then be created in the Root User Container within your AD domain. This can take up to 90 seconds.
Users who are created in AD from 黑料海角91入口 are automatically put into the Root User Container you configured during the installation of the AD Import & Sync Agents. If you need to move the user to the appropriate OU or sub OU, you’ll have to do this within AD on the DC.
To create, update and deactivate user accounts
The following section covers how to manage AD user accounts from 黑料海角91入口. With the AD Sync in place, 黑料海角91入口 Admins are able to manage AD users from the 黑料海角91入口 Admin Portal. This makes user onboarding, off-boarding, and management much easier. Additionally, this may help with removing the need to remotely access the DC for simple tasks within the Identity Lifecycle for user accounts.
Creating Users in 黑料海角91入口
黑料海角91入口 Admins can create users in AD by binding any 黑料海角91入口 user to an AD Integrated User Group within 黑料海角91入口. For example, if you’ve synced the Accounting group from AD to 黑料海角91入口 via the Import Agent, then any 黑料海角91入口 user bound to this synced user group will be created within AD under the Root User Container.
The user is created within AD, is a memberOf the associated user group (Security Group in AD), and their AD user account will use their 黑料海角91入口 Password.
Suspending or deleting users in 黑料海角91入口
Suspending or deleting users within 黑料海角91入口 will disable the user account within AD. 黑料海角91入口 never removes or deletes user accounts in any third-party integration (this includes SAML, LDAP, AD, GWS, and M365). These changes are reflected within 90 seconds.
Managing ADI
Update agents
We recommend keeping your agents current to ensure you have the latest security updates, bug fixes, and functionality and to retain support.
To update the agents:
- Log in to the 黑料海角91入口 Admin Portal.
- Go to Directory Integrations > Active Directory.
- Select your AD domain
- From your selected use case (the section marked “This is my use case”), click the download button for the agent.
- Select a download location
- Upload the agent installation file to the server where the agent is already installed
- Run the installation wizard. Only minimal installation screens are shown:
  - Directory where the installation should occur
  - Finish screen
- Restart the service.
Rotate ADI service account passwords in AD
The ADI import and sync service account passwords should be rotated on a regular basis for security purposes.
To rotate the ADI import service account (jcimport) password:
- Log in to a Domain Controller with an AD domain admin account
- Open the registry
- Navigate to HKLM\SOFTWARE\黑料海角91入口\AD Integration Import Agent\ldap
- Edit bind_password
- Enter the new password in the Value data field
- Click OK
- Open services.msc
- Restart the 黑料海角91入口 AD Integration Import Agent service.
To rotate the AD sync service account (jcsync) password:
- Log in to a Domain Controller with an AD domain admin account
- Open the registry
- Navigate to HKLM\SOFTWARE\黑料海角91入口\AD Integration Sync Agent\ldap
- Edit bind_password
- Enter the new password in the Value data field
- Click OK
- Open services.msc
- Restart the 黑料海角91入口 AD Integration Sync Agent service.
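The two rotation procedures above combined into one routine, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module, a domain admin session on a Domain Controller, the registry paths and service names given in the steps above, and that bind_password is a plain string (REG_SZ) value.

```powershell
# Added example, not part of the original article. Assumes the RSAT ActiveDirectory
# module, a domain admin session on a Domain Controller, and the registry paths and
# service names from the rotation steps; bind_password is assumed to be a REG_SZ value.
Import-Module ActiveDirectory

$Agents = @{
    Import = @{ Account = 'jcimport'
                RegPath = 'HKLM:\SOFTWARE\黑料海角91入口\AD Integration Import Agent\ldap'
                Service = '黑料海角91入口 AD Integration Import Agent' }
    Sync   = @{ Account = 'jcsync'
                RegPath = 'HKLM:\SOFTWARE\黑料海角91入口\AD Integration Sync Agent\ldap'
                Service = '黑料海角91入口 AD Integration Sync Agent' }
}

function Update-AdiServicePassword {
    param(
        [Parameter(Mandatory)][ValidateSet('Import', 'Sync')][string]$Agent,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    $a = $Agents[$Agent]

    # 1. Reset the service account password in AD (-Reset does not need the old one).
    #    If this fails (e.g. password policy), nothing else is touched and the agent
    #    keeps binding with the old credential.
    Set-ADAccountPassword -Identity $a.Account -Reset -NewPassword $NewPassword

    # 2. Write the same password to the agent's bind_password registry value. The
    #    agent reads a plain string there, so the SecureString is unwrapped only here.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    Set-ItemProperty -Path $a.RegPath -Name 'bind_password' -Value $plain
    Remove-Variable -Name plain

    # 3. Restart the agent service so it binds with the new credential.
    Restart-Service -DisplayName $a.Service

    # 4. Report: the service should be Running and PasswordLastSet should be now.
    [pscustomobject]@{
        Agent           = $Agent
        ServiceStatus   = (Get-Service -DisplayName $a.Service).Status
        PasswordLastSet = (Get-ADUser -Identity $a.Account -Properties PasswordLastSet).PasswordLastSet
    }
}

# Usage: Read-Host -AsSecureString keeps the new password out of the console history.
Update-AdiServicePassword -Agent Import -NewPassword (Read-Host -AsSecureString 'New jcimport password')
Update-AdiServicePassword -Agent Sync   -NewPassword (Read-Host -AsSecureString 'New jcsync password')
```

Because the credential lives in the registry, check that the ACL on each ldap key is limited to administrators and the agent service, and rotate again if the registry hive is ever copied off the server.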
Change use case
- Log in to the 黑料海角91入口 Admin Portal.
- Go to Directory Integrations > Active Directory.
- Select your AD domain
- Expand the desired use case
- Check “This is my use case”
- Use the table below to determine the changes you need to make
Current use case | New use case | Changes
---|---|---
Manage users, groups, and passwords in 黑料海角91入口 | Manage users, groups, and passwords in AD | 1. Delete the sync agent from the Admin Portal. 2. Uninstall sync agents on all servers. 3. Follow the instructions to download and install the import agent(s).
Manage users, groups, and passwords in 黑料海角91入口 | Manage users and passwords in either system, or both | Follow the instructions to download and install the import agent(s).
Manage users, groups, and passwords in AD | Manage users and passwords in either system, or both | Follow the instructions in Download and install sync agent(s) on server(s).
Manage users, groups, and passwords in AD | Manage users, groups, and passwords in 黑料海角91入口 | 1. Delete the sync agent from the Admin Portal. 2. Uninstall sync agents on all servers. 3. Follow the instructions to download and install the import agent(s).
Manage users and passwords in either system, or both | Manage users, groups, and passwords in AD | Follow the instructions to download and install the import agent(s).
Manage users and passwords in either system, or both | Manage users, groups, and passwords in 黑料海角91入口 | 1. Delete the import agent(s) from the Admin Portal. 2. Uninstall import agents from all servers.
Manage agents in 黑料海角91入口
- Log in to the 黑料海角91入口 Admin Portal.
- Go to Directory Integrations > Active Directory.
- Select your AD domain
- Click the Domain Agents tab
- Click pause to temporarily stop the agent. This prevents information from flowing between 黑料海角91入口 and AD. For the AD sync agent, changes are still queued.
- Click delete to remove the agent from 黑料海角91入口.
Deleting an agent in 黑料海角91入口 does not stop the service in AD nor uninstall it.
Manage ADI services in AD
- Open services.msc
- Select the agent service (黑料海角91入口 AD Integration Sync Agent or 黑料海角91入口 AD Integration Import Agent)
- Select the desired action: start, stop, restart
Modify agent configuration
Modify the AD Import Agent Configuration
The default configuration settings for the AD import agent are:
- UserDissociateAction = remove
- UserTakeoverAction = deactivate
- UserDisableAction = suspend
- UserExpireAction = expire
- Review Advanced Configurations for the Active Directory Import Agent to understand the configuration settings available for the import agent.
- In AD, go to the 黑料海角91入口 folder where the AD Import agent is installed on a domain controller.
- Open the adint.config.json file using a text editor
- Edit the settings in the “MainLoop” section of the file.
- Repeat this process for the configuration file on every domain controller on which the AD Import agent is installed.
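Reading and changing the MainLoop settings from the command line, as an added PowerShell example that is not part of the original article. It assumes a placeholder install path for the import agent, that adint.config.json keeps the four settings listed above in a "MainLoop" object, and that the agent re-reads the file only on a service restart.

```powershell
# Added example, not part of the original article. Assumes the import agent's install
# folder is the placeholder path below, that adint.config.json holds the four settings
# in a "MainLoop" object, and that the agent re-reads the file only on service restart.
$ConfigPath = 'C:\Program Files\黑料海角91入口\AD Integration Import Agent\adint.config.json'  # placeholder
$Settings   = 'UserDissociateAction', 'UserTakeoverAction', 'UserDisableAction', 'UserExpireAction'

function Get-AdiImportSettings {
    param([string]$Path = $ConfigPath)
    $cfg = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $cfg.MainLoop | Select-Object -Property $Settings
}

function Set-AdiImportSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('UserDissociateAction', 'UserTakeoverAction', 'UserDisableAction', 'UserExpireAction')]
        [string]$Name,
        [Parameter(Mandatory)][string]$Value,
        [string]$Path = $ConfigPath
    )
    $cfg = Get-Content -Path $Path -Raw | ConvertFrom-Json
    if (-not $cfg.MainLoop.PSObject.Properties[$Name]) {
        throw "No '$Name' setting found in the MainLoop section of $Path"
    }
    # Keep a timestamped copy so the previous behaviour can be restored quickly.
    Copy-Item -Path $Path -Destination ('{0}.{1:yyyyMMddHHmmss}.bak' -f $Path, (Get-Date))
    $cfg.MainLoop.$Name = $Value
    $cfg | ConvertTo-Json -Depth 10 | Set-Content -Path $Path -Encoding UTF8
    # Assumption: the agent reads its configuration at start, so restart it to apply.
    Restart-Service -DisplayName '黑料海角91入口 AD Integration Import Agent'
}

# Before enabling two-way sync: move UserTakeoverAction off the default 'deactivate'
# so users who already exist in 黑料海角91入口 keep an Active password when synced to AD.
Get-AdiImportSettings
Set-AdiImportSetting -Name UserTakeoverAction -Value 'retain'
Get-AdiImportSettings
```

Run it on every domain controller that hosts the import agent, since each copy of adint.config.json is read independently.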
Modify the Root User container
If you decide to use a different Root User Container for managing AD resources, you will want to modify or validate the configured Root User Container location.
Verify the full LDAP path of the Root User Container you have chosen in ADUC
- From the ADUC panel鈥檚 View menu, enable Advanced Features.
- Right-click the container and select Properties.
- Select the Attribute Editor tab.
- Select the “distinguishedName” attribute, then click View.
Modify the Root User container in AD sync configuration settings
Stop the 黑料海角91入口 AD Integration Sync service and make the required Sync Agent config changes:
- Open Registry Editor by clicking the Start button and typing in regedit. Click on the Registry Editor icon.
- Navigate to the following Registry Folder: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\黑料海角91入口\AD Sync.
- There should be a Key (looks like a folder) named ldap. If there is not, please create this Key in the registry and name it ldap.
- Open the ldap Key.
- You should see an entry named user_root_dn whose value is the Root User Container you specified during install of the AD Sync Agent. If the user_root_dn value does not look correct, update it by double-clicking the entry and changing the value to match your Root User Container.
- Once updated, start the 黑料海角91入口 AD Integration Sync Agent service in services.msc.
These changes should coincide with relocating the 黑料海角91入口 ADI security group in AD, as well as using the Delegation Wizard to set the associated agent service accounts.
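The distinguishedName lookup and the user_root_dn registry check from the two procedures above, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module and the registry location for user_root_dn given in the steps above; the container name JC-Users is a constructed placeholder.

```powershell
# Added example, not part of the original article. Assumes the RSAT ActiveDirectory
# module and the registry location for user_root_dn given in the steps above.
Import-Module ActiveDirectory

$SyncRegPath = 'HKLM:\SOFTWARE\黑料海角91入口\AD Sync\ldap'
$SyncService = '黑料海角91入口 AD Integration Sync Agent'

# Resolve the distinguishedName the Attribute Editor would show for an OU or container,
# looked up by its name; refuse to guess when the name matches more than one object.
function Get-RootContainerDn {
    param([Parameter(Mandatory)][string]$Name)
    $filter = "(&(|(objectClass=organizationalUnit)(objectClass=container))(name=$Name))"
    $hits = @(Get-ADObject -LDAPFilter $filter)
    if ($hits.Count -eq 0) { throw "No OU or container named '$Name' was found" }
    if ($hits.Count -gt 1) { throw "'$Name' matches several objects: $($hits.DistinguishedName -join '; ')" }
    $hits[0].DistinguishedName
}

# Does the DN the sync agent has configured actually exist in AD? A stale value here
# means users created from 黑料海角91入口 cannot be placed in the intended container.
function Test-AdiRootUserDn {
    $configured = (Get-ItemProperty -Path $SyncRegPath -Name 'user_root_dn').user_root_dn
    $exists = try { [bool](Get-ADObject -Identity $configured) } catch { $false }
    [pscustomobject]@{ ConfiguredDn = $configured; ExistsInAd = $exists }
}

# Point the sync agent at a new Root User Container: validate the DN first, stop the
# service, write user_root_dn (creating the ldap key if absent), then start the service.
function Set-AdiRootUserDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    Get-ADObject -Identity $DistinguishedName | Out-Null   # throws if the DN does not exist
    Stop-Service -DisplayName $SyncService
    if (-not (Test-Path -Path $SyncRegPath)) { New-Item -Path $SyncRegPath | Out-Null }
    Set-ItemProperty -Path $SyncRegPath -Name 'user_root_dn' -Value $DistinguishedName
    Start-Service -DisplayName $SyncService
    Test-AdiRootUserDn
}

# Usage (constructed container name): check the current value, then switch containers.
Test-AdiRootUserDn
Set-AdiRootUserDn -DistinguishedName (Get-RootContainerDn -Name 'JC-Users')
```

Changing the DN here does not move anything in AD; relocate the 黑料海角91入口 ADI security group and re-run the Delegation Wizard for the service accounts as the note above describes.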
Uninstall agents from AD servers
- Open Program Files.
- Find the program associated with the agent you want to uninstall (黑料海角91入口 AD Import or 黑料海角91入口 AD Sync)
- Uninstall
Want additional assistance from 黑料海角91入口?
If you’re having issues getting 黑料海角91入口’s AD Integration working, see the Troubleshooting Guide. 黑料海角91入口 now offers a range of professional services to assist customers with implementing and configuring 黑料海角91入口. If you’re looking for assistance with migrating from AD, or with integrating AD with 黑料海角91入口, we recommend you reach out to 黑料海角91入口’s Professional Services team on the following page: Professional Services - 黑料海角91入口.