
Advanced Configurations for the Active Directory (ADI) Import Agent

Configuration options are available after you install the Active Directory Integration (ADI) import agent. These configuration options are in a JSON config file named jcadimportagent.config.json. You can find the config options in the file's "MainLoop" section.

Prerequisites

  • The AD Import agent is installed per that section of the Configure ADI article

To change default configurations for a domain controller:

  1. Go to the JumpCloud folder where the AD Import agent is installed on a domain controller.
  2. Open the jcadimportagent.config.json file. 
  3. Edit the configurations in the "MainLoop" section of the file.

Important:

You'll need to edit the jcadimportagent.config.json file for every server on which the ADI import agent is installed.

The following options are available for configuration:

PasswordChangeListener – PollTimeMillis

This is the amount of time the agent waits before attempting to reconnect to the password filter DLL when there was an error. 

Important:

We don't recommend changing this setting without direction from JumpCloud support.

SyncAdditionalAttributes

This setting controls the behavior of syncing additional work-related user attributes from AD to JumpCloud. The value can be true or false; the default is true.

  • true (Default): Syncs Display Name, Description, JobTitle, Department, Company, Location, EmployeeType, PhoneNumbers, Addresses, and Manager
  • false: No additional attributes are synced, only the core attributes: First Name, Last Name, Username, and Email

UserDissociationAction

Note:

This setting overrides the UserDisableAction configuration if their values are not identical.

This setting controls the behavior of user dissociations - or what happens when a user is deleted, disabled, or removed from the JumpCloud ADI security group in AD. The value can be remove or unbind; the default is remove.

  • remove (Default): the user's JumpCloud account will be deleted.
  • unbind: the user's JumpCloud account will remain but will be disconnected from the AD domain within JumpCloud. JumpCloud will continue to manage the user's identity.

UserFieldMapping 

This setting controls the mapping of JumpCloud's username field from AD on import. This can be set to either map JumpCloud usernames to "sAMAccountName" or "UserPrincipalName". The default setting for all new installations of AD Import is to map the JumpCloud username to "sAMAccountName".

UserTakeoverAction

This setting controls the behavior of user take over - or what happens when an existing JumpCloud user account is taken over from AD. This can be set to deactivate or retain. The default setting is deactivate.

  • deactivate (Default): the password status for the user's JumpCloud account is changed to "Password Pending". These users are directed to reset their passwords in AD to ensure their passwords are in sync between AD and JumpCloud
  • retain: the password status for the user's JumpCloud account remains unchanged

Warning:

Password Reset Required for Existing JumpCloud Users in Two-Way Sync

AD requires a password to be set upon user creation. In a two-way sync deployment, passwords for existing JumpCloud users cannot be synced as part of this process. A system-generated password will be set for these users in AD, which will overwrite the user's existing JumpCloud password on the sync back from AD to JumpCloud. As a result, these users must reset their password in either JumpCloud or AD to regain access regardless of what this setting is.

UserDisableAction

Note:

The UserDissociationAction setting will override this configuration if their values are not identical.

This setting controls the behavior in JumpCloud when a user is disabled in AD and the behavior in AD when a user is suspended in JumpCloud. Learn about suspending users in JumpCloud.

For this setting to control what happens to a user in JumpCloud after the user is disabled in AD, the user must be a member of the JumpCloud Integration Security Group.

UserDisableAction can be set to the following:

  • suspend: when a user is disabled in AD, the corresponding JC user is suspended
  • remove: when a user is disabled in AD, the corresponding JumpCloud user is deleted
  • unbind: when a user is disabled in AD, the corresponding user is no longer managed externally

About UserDisableAction's default settings:

  • For new installs of the Import agent, the default setting for this option is suspend 
  • An upgrade of the Import agent retains the UserDisableAction setting
  • An upgrade of the Import agent with a value for UserDissociateAction will have UserDisableAction set to the same value 
  • An upgrade of the Import agent without a value for userDissociateAction will have UserDisableAction set to remove 
  • The value for userDisableAction takes precedence over the value for UserDissociateAction

Suspend Actions on the Sync Agent

  • When an active JumpCloud user with a corresponding AD user is suspended in JumpCloud, the user is disabled in AD. The JumpCloud user remains suspended
  • When an active JumpCloud user without a corresponding AD user is suspended, the user is created and then disabled in AD. The user remains suspended in JumpCloud

Suspend Actions on the Import Agent

  • When the AD Import agent has no UserDisableAction property, or has UserDisableAction set to suspend, and a user is disabled in AD:
    • If a user doesn't exist in JumpCloud, a user is created in JumpCloud according to current AD Import rules
    • If a user exists in JumpCloud: unsuspend the existing or created user if the AD user isn't disabled
  • When the AD Import agent has UserDisableAction set to unbind and a user is disabled in AD:
    • If a user doesn't exist, or isn't owned by this AD Import agent, a new user isn't created in JumpCloud
    • If a user owned by this AD Import agent exists in JumpCloud, externally managed fields are cleared
  • When the AD Import agent has UserDisableAction set to remove and a user is disabled in AD:
    • If a user doesn't exist in JumpCloud, or isn't owned by this AD Import agent, a user isn't created in JumpCloud
    • If a user owned by this AD Import agent exists in JumpCloud, the user is deleted from JumpCloud

The following tables describe the actions taken in AD and JumpCloud for existing and new users for UserDisableAction settings.

Suspend: Existing User

| UserDisableAction Setting | Action in AD | Action in JumpCloud |
| --- | --- | --- |
| suspend | Disabled | Suspend |
| suspend | Enabled | Not suspended / active |
| remove | Disabled | Deleted from JumpCloud |
| remove | Enabled | N/A |
| unbind | Disabled | Externally managed fields are cleared, user is removed from groups |
| unbind | Enabled | N/A |

Suspend: New User

| UserDisableAction Setting | Action in AD | Action in JumpCloud |
| --- | --- | --- |
| suspend | Disabled | Suspended |
| suspend | Enabled | Not suspended / active |
| remove | Disabled | N/A |
| remove | Enabled | User is created |
| unbind | Disabled | N/A |
| unbind | Enabled | User is created |

Disable Scenarios

The following scenarios describe the UserDisableAction setting you should apply to achieve a desired behavior when a user is disabled in AD.

Import Only

  • If you want disabled users to be retained and suspended in JumpCloud, set UserDisableAction to suspend.
  • If you want disabled users to be removed from JumpCloud and all associated AD groups and external directories, set UserDisableAction to remove.
  • If you want disabled users to be removed from the domain in JumpCloud and all associated AD groups, set UserDisableAction to unbind.

Suspend Scenarios

The following scenarios describe the UserDisableAction setting you should apply to achieve a desired behavior when a user is suspended in JumpCloud.

Sync and Import Agents

  • If you want users that are suspended in JumpCloud to remain in JumpCloud with all associated group and directory associations, set UserDisableAction to suspend
  • If you want users that are suspended in JumpCloud to be removed from JumpCloud and all associated groups and external directories, set UserDisableAction to remove
  • If you want users that are suspended in JumpCloud to be removed from all associated groups and external directories, but remain in JumpCloud, set UserDisableAction to unbind

UserExpireAction

This setting controls the behavior in JumpCloud when an AD user's password expires.

UserExpireAction can be set to the following:

  • expire: when an AD user's password expires, the corresponding JumpCloud user's password is expired
  • maintain: when an AD user's password expires, the corresponding JumpCloud user's password remains active

About UserExpireAction鈥檚 default settings:

  • For new installs of the Import agent, the default setting for this option is expire
  • An upgrade of the Import agent retains the UserExpireAction setting, if it is set
  • An update of the Import agent without a setting for UserExpireAction sets this option to maintain

Expire actions on the Sync Agent

  • If a user's password expires in JumpCloud, their password expires in AD

Expire Actions on the Import Agent

  • When the Import agent has no specified setting for UserExpireAction, or has UserExpireAction set to expire:
    • An existing JumpCloud user with an expired password in AD immediately expires in JumpCloud
    • JumpCloud's external_password_expiration_date field is set to the value in AD
    • If a user doesn't exist in JumpCloud and isn't owned by the AD Import agent, a new user is created in JumpCloud and then expires
  • When the AD Import agent has UserExpireAction set to maintain:
    • Nothing happens in JumpCloud; the user's password stays active
    • JumpCloud's external_password_expiration_date field is cleared
    • If a user doesn't exist in JumpCloud and isn't owned by the AD Import agent, a new user is created in JumpCloud
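
Because the file is edited separately on every server, settings can drift between domain controllers. The following added example, which is not from the original article or the vendor, audits parsed copies of jcadimportagent.config.json. It assumes the option names appear as keys directly under "MainLoop" and that SyncAdditionalAttributes is a JSON boolean; the sample files and server names are constructed.

```python
import json

# Values this page lists for each "MainLoop" option. Assumed layout: option names
# are keys directly under "MainLoop"; SyncAdditionalAttributes is a JSON boolean.
ALLOWED = {
    "SyncAdditionalAttributes": (True, False),
    "UserDissociationAction": ("remove", "unbind"),
    "UserFieldMapping": ("sAMAccountName", "UserPrincipalName"),
    "UserTakeoverAction": ("deactivate", "retain"),
    "UserDisableAction": ("suspend", "remove", "unbind"),
    "UserExpireAction": ("expire", "maintain"),
}

def audit(configs):
    """configs maps server name -> parsed config. Returns a list of (server, finding)."""
    findings = []
    for server, cfg in sorted(configs.items()):
        main = cfg.get("MainLoop", {})
        for key, allowed in ALLOWED.items():
            if key in main and main[key] not in allowed:
                findings.append((server, f"{key}: unsupported value {main[key]!r}"))
        disable = main.get("UserDisableAction")
        dissoc = main.get("UserDissociationAction")
        # Per the Note under both settings, differing values mean an override.
        if disable is not None and dissoc is not None and disable != dissoc:
            findings.append((server, f"UserDissociationAction={dissoc} overrides UserDisableAction={disable}"))
        for key in ("UserDisableAction", "UserDissociationAction"):
            if main.get(key) == "remove":
                findings.append((server, f"{key}=remove deletes the synced account"))
        if main.get("UserExpireAction") == "maintain":
            findings.append((server, "UserExpireAction=maintain keeps passwords active after AD expiry"))
    # The file is edited per server, so compare every option across servers.
    for key in ALLOWED:
        seen = {s: c.get("MainLoop", {}).get(key) for s, c in configs.items()}
        if len({json.dumps(v) for v in seen.values()}) > 1:
            findings.append(("*", f"{key} differs between servers: {json.dumps(seen, sort_keys=True)}"))
    return findings

# Constructed sample files from two domain controllers (not real configs).
SAMPLE = {
    "DC01": json.loads('{"MainLoop": {"UserDisableAction": "suspend", '
                       '"UserDissociationAction": "unbind", "UserExpireAction": "expire"}}'),
    "DC02": json.loads('{"MainLoop": {"UserDisableAction": "remove", '
                       '"UserDissociationAction": "remove", "UserExpireAction": "maintian"}}'),
}

if __name__ == "__main__":
    for server, finding in audit(SAMPLE):
        print(f"[{server}] {finding}")
```

Options missing from a file are reported as null in the drift findings, since the agent's fallback differs between new installs and upgrades.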