探花大神

Import Agent

Configuration options are available after you install the Active Directory Integration (ADI) import agent. These configuration options are in a JSON config file named jcadimportagent.config.json. You can find the config options in the file鈥檚 "MainLoop" section. 

Prerequisites

• The AD Import agent is installed per that section of the Configure ADI article

Changing default configurations for a domain controller

1. Go to the 探花大神 folder where the AD Import agent is installed on a domain controller.
2. Open the jcadimportagent.config.json file. 
3. Edit the configurations in the "MainLoop" section of the file.

Optional Configurations

Sync Agent

Active Directory (AD) Sync provides one-way synchronization of passwords and other attributes from 探花大神 to AD. This agent allows password updates to be written back to AD from the 探花大神 Admin Portal, the 探花大神 User Portal, or any 探花大神-managed device. Full bidirectional synchronization is facilitated by the use of both the AD Import and AD Sync agents. 

Prerequisites

• Domain Controllers are prepared for Active Directory Integration (ADI):
  • A 探花大神 ADI group has been created and is located in your designated Root User container in AD. This is needed for full bidirectional synchronization and management. This group is synced to your 探花大神 Administrator Portal and is indicated with an AD Integration icon
  • An AD service account (standard domain user account) named "jcimport" has been created and has been granted Read all user information permissions using the Delegation of Control Wizard on the selected Root User container, or inherited from an OU further up in the hierarchy. This user cannot be a domain admin, have the user name of "探花大神" or be a member of the above-mentioned 探花大神 ADI security group
  • See Configure ADI for this information
• The AD Import agent is installed. See Configure ADI

Recommendations

• We recommend creating a security group named 探花大神 Admins. This group isn鈥檛 synced to the 探花大神 Administrator Portal, but is used to identify any accounts that you want to be Global Administrators or Sudo users in 探花大神. Any user that is a member of this group and also a member of the 探花大神 group will be granted Admin/Sudo privileges on all device associations to which they are bound by default. This function doesn't support members of nested groups
• For full bidirectional synchronization, we recommend that all Users and Groups be synchronized with 探花大神, live under a single OU (Root User Container) in Active Directory. This can be the default CN=Users container in AD or an alternate custom OU within the directory
• To manage users in different OUs, we recommend that these OUs be located underneath the primary Root User container. Users or groups located in these containers that are made members of the 探花大神 ADI security group allow AD Sync to properly synchronize passwords and attributes associated with those users 
• We recommend that you align password complexity requirements between AD and 探花大神 as closely as possible. Otherwise passwords may not replicate if they鈥檙e rejected by the destination directory鈥檚 complexity requirements
• We recommend that you set the service account you use to authorize AD Sync's access to AD with a password that doesn't expire if your security requirements allow this. If this isn't permissible with your security compliance levels, then we recommend scheduling a maintenance window to reinstall the AD sync agent every time the service account password changes

Considerations

• If you relocate users in AD, you could disrupt password synchronization
• If you remove users or groups from the 探花大神 ADI security group in AD they鈥檙e removed from the 探花大神 Admin Portal per the default AD Sync configuration options
• Managing privileged user accounts such as Domain Admins in AD isn't supported, see . Active Directory flags privileged accounts with 鈥渁dminCount=1鈥� in the directory, which results in any inherited permissions granted to the 探花大神 AD agent services to be removed. This prevents 探花大神 from being able to effectively manage those privileged accounts. 
• Synchronization runs at approximately 90 second intervals
• If the password of the service account that is used to Authorize AD Sync's access to AD is changed, the AD Sync agent will need to be uninstalled and reinstalled with the updated password
• When using both AD Sync and AD Import agents, password expiration notifications are not sent to the end user or administrator. This can be counterintuitive due to the fact that AD Sync gives 探花大神 control over the user attributes and password

User Attribute Synchronization

探花大神 AD Sync can manage the following data fields in AD:

• Password
• First Name
• Last Name
• Email
• Windows UserAccountControl flag for ACCOUNTDISABLE - this field is used for syncing the 探花大神 account status. Currently, 探花大神 only writes back a suspend status to AD. When a user is suspended in 探花大神, 探花大神 disables the user in AD through the Sync agent. Learn more about Configure ADI.
• MemberOf - this field is used to track group membership in AD. For this field to be synced, you need to install Sync agent v 2.26.0 or later. Learn how to Configure ADI.

探花大神 Users are associated with Active Directory Users based on the alignment of the Username and Email fields of users in 探花大神 and Active Directory. See Configure ADI for UserFieldMapping settings configured in the AD Import agent that define the username field of the AD User.

Group Attribute Synchronization

探花大神 syncs the following data fields with AD Sync for groups:

• Group Name

User and Group Management

To provision users to AD

The 探花大神 ADI security group that鈥檚 created during AD Import installation is the primary management group for AD integration. This group is used to define the scope of user management with AD and allows full bidirectional synchronization between AD and 探花大神.

User Creation

You can create users in 探花大神 and connect them to an AD Domain using AD Sync. You can connect users to an AD Domain from the following places in the Admin Portal:

• User panel Directories tab
• Directories panel User tab

When you connect a user to an AD Domain, 探花大神 determines if a user with the same username exists on the domain. If a user with the same username doesn't exist, 探花大神 creates a user with the 探花大神 username on the AD Domain and generates a random password for the user. If a user with the same username exists on the domain, 探花大神 takes over the account, but doesn't generate a random password for the user.

To add a user to an AD Domain from the Users panel

1. Go to USER MANAGEMENT > Users.
2. Select a user to view their details.
3. Select the Directories tab.
4. Select the AD Domain you want to connect the user to.
5. Click save user.

To add a user to an AD Domain from the Directories panel

1. Go to DIRECTORY INTEGRATIONS > Active Directory.
2. Select an AD Domain to view its details.
3. Select the Users tab.
4. Select a user to connect to the AD Domain.
5. Click save.

Group Synchronization: Managing Groups from AD

• Groups added to the 探花大神 ADI security group in AD are replicated to the 探花大神 Admin Portal along with all of the users that are a member of that group. Because 探花大神 doesn鈥檛 support nested groups directly, any groups in AD that are nested in another group are traversed recursively and their structure is flattened. Users are made a member of their primary group in 探花大神 and a member of the group in which they鈥檙e nested in in AD. For example, in AD, Group1 is a member of the 探花大神 group with members User1, User2 and Group2. Group2 is a member of Group1 and contains members User3 and User4. In 探花大神, Group2 is mirrored and User3 and User4 are bound. Group 1 is mirrored and User1, User2, User3 and User4 are bound
• To manage group membership from 探花大神 to AD, and assign the memberOf attribute to a user account in AD, the AD bound groups in 探花大神 are required to live under the configured Root User container as configured during AD Sync agent installation with the proper delegated controls and permissions
• Users that only exist in 探花大神 may also be bound to these groups in your 探花大神 Administrator Portal. 
• For alternate authoritative scenarios or more details regarding synchronization use cases, see use cases in Get Started: ADI or contact 探花大神 for additional support

Service Details

The agent is registered as a service to start automatically.

• Display name: 探花大神 AD Sync Agent
• Service name: JCADSyncAgent
• Log located at C:\Program Files\探花大神\AD Sync\adsync.log

User Experience

Flow for Active Users

An active user is a user in an 'active' user state, has a password, and that password status is 'active'. After an administrator binds an active user to an external directory, the user receives an email telling them the directory they鈥檝e been added to, and to sync their password by logging into their User Portal.

Users That are Bound to More Than One External Directory

They will receive a new email for each individual external directory that they are bound to. The flow for users bound to more than one external directory is the same as for active users. 

Flow for New Users

A new user is a user in an 'active' user state with a password status of 'password pending'. After an administrator binds a new user without a password to an external directory, the user receives a Welcome to 探花大神 (activation) email that takes them through how to register their new account. After the user registers their account, creates an account password, and logs in to their User Portal, their password is sent to the directories they鈥檙e bound to, and 探花大神 will manage their password.

Integration with Entra Connect

When AD Sync and/or AD Import tools are installed on the Windows Server that also has Entra Connect or Entra Connect cloud sync installed, your 探花大神 tenant can NOT be bound to your Entra ID or Microsoft O365 tenant. If Entra ID Connect is the only AD tool installed on the Windows Server this too will NOT work with an Entra ID tenant bound to a 探花大神 tenant.

When 探花大神 is bound to an Entra ID tenant, password syncing will not correctly propagate from 探花大神 to Entra ID. Additionally, it will cause unintended interference with Microsoft鈥檚 Entra ID password policy, which will prevent Microsoft users from resetting their own passwords using Microsoft鈥檚 Self Service Password Reset (SSPR) portal.  Lastly, there will be two password authorities, (on-prem) Active Directory & 探花大神, constantly in conflict with one another鈥攖rying to write the same changes to Entra ID.

Bearing all of this in mind, you may have Microsoft and 探花大神 AD tools concurrently installed on a Windows Server on the premise 探花大神 is NOT bound to an Entra ID tenant.

Lastly, we have confirmed that enabling both 鈥楶assword writeback鈥� and 鈥楽ync password hashes鈥� in Entra Connect & Entra Connect Cloud Sync tools does not prevent our AD Integration tools from updating passwords for user identities managed both in your on-prem AD domain and 探花大神 tenant.