Use and Manage the Active Directory Integration (ADI)

The 探花大神 Active Directory Integration (ADI) syncs users, groups, and passwords between 探花大神 and Active Directory (AD), whether AD runs on-premises or is hosted elsewhere. As covered in Get Started with the Active Directory Integration, the ADI uses two agents, an import agent and a sync agent, which can be installed in three (3) configurations. The configuration you choose is determined by where you want to manage users, groups, and passwords:

  1. Manage users, groups, and passwords in AD
  2. Manage users and passwords in either system, or both
  3. Manage users, groups, and passwords in 探花大神

This article covers how to leverage the ADI depending on your configuration and use case. 

Prerequisites

Sync interval

The ADI import agents check for updates to users and security groups in the ADI security group (typically named 探花大神 or) in AD every 90 seconds, by default.

The ADI sync agent checks for updates to users and user groups connected to ADI in 探花大神 every 5 seconds.

Use cases and workflows

The table shows a summary of the most common use cases and the ADI configurations that support them.  Reference Configure the Active Directory Integration for more information.

ADI configuration | Use case | User and group authority | Password authority | Data sync direction | Server type(s) on which agent(s) can be installed | Install import agent | Install sync agent
Manage users, groups, and passwords in AD | Extend AD | AD | AD | AD to 探花大神 | Domain Controllers | Yes | No
Manage users and passwords in either system, or both | Extend AD | AD or 探花大神 | AD or 探花大神 | Both directions | Domain Controllers, Member Servers | Yes | Yes
Manage users and passwords in either system, or both | Minimize AD footprint | AD or 探花大神 | AD or 探花大神 | Both directions | Domain Controllers | Yes | Yes
Manage users and passwords in either system, or both | Migrate away from AD | AD or 探花大神 | AD or 探花大神 | Both directions | Domain Controllers, Member Servers (sync agent only) | Yes | Yes
Manage users, groups, and passwords in 探花大神 | Minimize AD footprint | 探花大神 | 探花大神 | 探花大神 to AD | Domain Controllers, Member Servers | No | Yes
Manage users, groups, and passwords in 探花大神 | Migrate away from AD | 探花大神 | 探花大神 | 探花大神 to AD | Domain Controllers, Member Servers | No | Yes

Workflow for Managing Users, Groups, and Passwords in AD

When the ADI is configured for AD import only, the workflows below show what happens for any user data change or password update. This configuration lets admins extend their AD users and passwords to 探花大神, which can then extend those identities to resources such as RADIUS WiFi or VPN networks, SSO applications, LDAP resources, and more.

If you're only using AD import, continue to the Using the AD Import Agent section of this article and skip the Using AD Sync section.

AD Import Agent Only - Single Domain Workflow

AD Import Agent Only - Multiple Domain Workflow

Workflow for Managing Users, Groups, and Passwords in AD, 探花大神, or Both

When the ADI is configured for AD import and AD sync, the workflows below show what happens for any user data change or password update. This configuration lets admins extend their AD users and passwords to 探花大神 and also lets 探花大神 manage identities and passwords in AD for synced users.

Two-way Sync - Single Domain Workflow

Two-way Sync - Multiple Domain Workflow

Workflow for Managing Users, Groups, and Passwords in 探花大神

When the ADI is configured for AD sync only, the workflows below show what happens for any user data change or password update. This configuration lets admins manage identities and passwords in AD for synced users solely from 探花大神.

AD Sync Agent Only - Single Domain Workflow

AD Sync Agent Only - Multiple Domain Workflow

Using the AD Import Agent

The AD import agent allows you to do the following in 探花大神 from AD:

  1. Import, update, suspend, and delete users 
  2. Create groups
  3. Manage group membership
  4. Delegate authentication (AD validates the user's credentials)

If the AD import agent is installed on a DC, it also allows you to:

  • Sync the user's password from AD to 探花大神

Important:

 When the import agent is installed on a member server, the password is not synced from AD to 探花大神 and is never stored in 探花大神.

To import users from AD into 探花大神

The AD import agent only imports users that are members of the 探花大神 ADI Security Group in AD (the Security Group you created during the AD import agent installation), either directly or through a nested Security Group.

There are two ways to specify which users to import from AD to 探花大神: 

  1. through a direct membership to the 探花大神 ADI Security Group
  2. through a Security Group that is a member of the 探花大神 ADI Security Group

Important:

How passwords are handled for users added in AD who already exist in 探花大神 is controlled by the UserTakeoverAction setting in the AD import configuration file. The default value is deactivate, which removes the user's 探花大神 password and sets the user to a Password Pending status. The user temporarily loses access to their 探花大神-provisioned resources (such as RADIUS, LDAP, SSO apps, etc.) until the password is updated in AD. See the Advanced Configurations for AD Import article for more information about UserTakeoverAction.

To import a single user from AD to 探花大神

  1. Open Active Directory Users and Computers (ADUC) by clicking the Start button, typing "dsa", and clicking the Active Directory Users and Computers icon.
  2. Once ADUC is open, navigate to the user you want to import into 探花大神.
  3. Right-click the target user and click Properties.
  4. Go to the Member Of tab in the Properties dialog.
  5. Click Add, then add this user as a member of the 探花大神 ADI Security Group.
  6. Click Apply. Wait up to 90 seconds, then check that the user has been fully imported into 探花大神. This also validates that your AD import agent is working.

The user is created with a Password Status of Password Pending (or Delegated, when Delegated Password Validation is enabled; see To manage passwords below) and has an AD Integration badge below their email address. The user state is controlled by the setting under Users > Settings > Default User State for User Creation > Manual/Single User API. See Manage User States for more information about this setting.

Note:

Users who existed in AD before the AD import agent was installed can log in to 探花大神 using their existing AD password. Their credentials will be validated by AD through delegated authentication.

If the import agent is installed on your DCs, user passwords will automatically be imported/updated in 探花大神.

The Password Status for imported users will be Delegated by default unless you manually change the Delegated Authority setting on the user record.

To import multiple users from AD into 探花大神:

This method imports all users that are members of a specific Security Group. For example, to import all AD users that are members of the Accounting Security Group, make the Accounting Security Group a member of the 探花大神 ADI Security Group. This imports the Accounting Security Group and all users that are members of it.

  1. Open Active Directory Users and Computers (ADUC) by clicking the Start button, typing "dsa", and clicking the Active Directory Users and Computers icon.
  2. Once ADUC is open, navigate to the Security Group whose members you want to import into 探花大神.
  3. Right-click the target Security Group and click Properties.
  4. In the Security Group Properties dialog, click the Member Of tab and click Add.
  5. Add this Security Group to the 探花大神 ADI Security Group and click Apply.
  6. Wait 90 seconds for both the Security Group and the users in it to be created in 探花大神. Both the user accounts and the user group appear in the 探花大神 Admin Portal marked with an AD Integration badge.
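As an added example (not from the original article), the following PowerShell stages both kinds of membership from the command line instead of ADUC and then lists exactly the accounts the import agent will resolve through the ADI group, flagging ones that have no mail attribute or are disabled in AD (imported users sign in with their company email, so an empty mail attribute is worth fixing before the next 90-second import pass). The group name ADI-Users, the account jdoe, and the group Accounting are assumptions; substitute the names you created during installation.

```powershell
# Added example, not part of the original article. Requires the RSAT ActiveDirectory module.
# Assumptions: the ADI security group is named 'ADI-Users'; 'jdoe' and 'Accounting' are
# sample objects in your domain. Substitute your own names.
Import-Module ActiveDirectory

$AdiGroup    = 'ADI-Users'     # assumption: security group created during import agent install
$SingleUser  = 'jdoe'          # assumption: one user to import directly
$NestedGroup = 'Accounting'    # assumption: a security group whose members should all be imported

function Add-AdiMember {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member   # sAMAccountName of a user or a group
    )
    # Idempotent: skip if the object is already a direct member of the ADI group.
    $direct = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
    if ($direct -contains $Member) {
        Write-Verbose "$Member is already a direct member of $Group"
        return
    }
    # Add-ADGroupMember accepts users and groups alike; nesting a group is the
    # second import path the article describes.
    Add-ADGroupMember -Identity $Group -Members $Member -ErrorAction Stop
}

function Get-AdiImportCandidates {
    param([Parameter(Mandatory)][string]$Group)
    # -Recursive flattens nested groups, so the result covers both import paths:
    # direct members and members of groups nested in the ADI group.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties mail, enabled |
        Select-Object SamAccountName, UserPrincipalName, mail, Enabled, DistinguishedName
}

function Test-AdiImportCandidates {
    param([AllowNull()][AllowEmptyCollection()][object[]]$Candidates)
    # Emits one row per account with a condition worth fixing before it is imported.
    foreach ($u in $Candidates) {
        if ([string]::IsNullOrWhiteSpace($u.mail)) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Problem = 'no mail attribute' }
        }
        if (-not $u.Enabled) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Problem = 'disabled in AD (imported as suspended under the default UserDisableAction)' }
        }
    }
}

# Stage the memberships the article has you set through ADUC.
Add-AdiMember -Group $AdiGroup -Member $SingleUser
Add-AdiMember -Group $AdiGroup -Member $NestedGroup

# Review what the agent will pick up on its next 90-second pass.
$candidates = Get-AdiImportCandidates -Group $AdiGroup
$candidates | Format-Table -AutoSize
Test-AdiImportCandidates -Candidates $candidates | Format-Table -AutoSize
```

Run it on a domain-joined machine with the RSAT tools as an account that can modify the ADI group. Get-ADGroupMember stops at 5,000 members by default; for larger nested groups, raise MaxGroupOrMemberEntries on the AD Web Services host or query the group's member attribute directly.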

Note:

When the delegated authentication setting, Delegated Password Validation, is disabled, users who existed in AD before the AD import agent was installed must update their password in AD or an AD-managed resource for the Password Status to become active in 探花大神 and allow them to log in to the 探花大神 user portal and use 探花大神 SSO. 

If the import agent is installed on your DCs, users created in AD after the AD import agent was installed will have their passwords automatically imported/updated in 探花大神.

To manage passwords

To manage passwords in a one-way sync from AD to 探花大神 (Managing Users, Groups, and Passwords in AD)

In this configuration, the delegated authentication setting, Delegated Password Validation, is enabled by default and cannot be disabled in the ADI configuration. This means whenever an AD imported user logs in to the 探花大神 user portal or performs a 探花大神 SSO login, their password is validated by AD and not 探花大神.

New users

Users imported from AD into 探花大神 can log in to 探花大神 immediately using their company email address and AD password.

When AD users are imported from AD into 探花大神, there is no password associated with their account in 探花大神. The Password Authority and Delegated Authority are automatically set to Active Directory on their user record. The Password Status will be Delegated and show as "Managed by AD".

If the import agent is installed on a member server:

  • The user's password will never sync from AD to 探花大神 and will never be stored in 探花大神.

If the import agent is installed on a DC:

  • The user's AD password will be stored in 探花大神 the first time the user logs into the 探花大神 user portal and will sync from that point forward.

To manage passwords in a two-way sync between AD and 探花大神 (Managing Users, Groups, and Passwords in AD, 探花大神, or Both)

In this configuration, the delegated authentication setting, Delegated Password Validation, is disabled by default and is editable. This means the user must have an active password in 探花大神 to log in to the 探花大神 user portal or perform a 探花大神 SSO login.

When AD users are imported from AD into 探花大神, there is no password associated with their account in 探花大神. The Password Authority is set to None (探花大神) and Delegated Authority is set to None on their user record by default.

Until the user sets a password in 探花大神 (or, if the import agent is installed on a DC, changes their password in AD), newly imported users appear in 探花大神 with an AD badge and an orange Password Pending password status in the user list.

Important:

When Delegated Password Validation is disabled (the user's Delegated Authority is None), users who existed in AD before the AD import agent was installed must either set a password in 探花大神 that matches their AD password or, if the import agent is installed on DCs, update their password in AD or on an AD-managed resource. Only then does their Password Status become active in 探花大神 and give them access to 探花大神-managed resources.

To sync a password from AD to 探花大神

Important:

Syncing passwords from AD to 探花大神 is only applicable when the import agent is installed on DCs. When the import agent is installed on member servers, the password is not synced from AD to 探花大神.

  1. When a user's Delegated Authority is set to Active Directory:
    • The user's AD password is stored in 探花大神 the first time the user logs in to the 探花大神 user portal and syncs from that point forward.
    • Password changes sync within 90 seconds after the user changes their password in AD or on an AD-managed resource.
  2. When a user's Delegated Authority is set to None:
    • The user must change their password in AD or on an AD-managed resource before they can log in to the 探花大神 user portal or with 探花大神 SSO.
    • Password changes sync within 90 seconds after the user changes their password in AD or on an AD-managed resource. On the Users page of the 探花大神 Admin Portal, the user's Password Status then shows a green check mark (active) with the expiry date from AD.

Note:

The password expiry date for AD-managed users is the expiry date from AD as the expiry is managed by AD, not 探花大神.

  3. All password changes from this point forward must be made in AD or on AD-bound resources.

Note:

If you plan to use AD Sync alongside AD Import, passwords can be updated in 探花大神 once the initial password change described in the steps above has taken place. That initial change is required in both the AD Import only and the AD Import and Sync use cases.

To create, update, and disable user accounts

Note:

These changes on a user or user group will be reflected within 探花大神 in approximately 90 seconds. 

Once AD Import is installed and configured, AD admins can manage 探花大神 user accounts from AD. The following attributes are kept in sync for create, update, and deactivate/disable changes:

  • firstname
  • lastname
  • username
  • email
  • password, and
  • user state (active or disabled)

If the SyncAdditionalAttributes setting is true in the jcadimportagent.config.json file, the following attributes are also updated:

  • displayname
  • description
  • JobTitle
  • department
  • company
  • location
  • employeeType
  • phoneNumbers
  • addresses
  • manager 

Creating new users in 探花大神 from AD

Follow the same process outlined above for importing users from AD into 探花大神.

To create new users in AD and 探花大神:

  1. Create a new user account in AD
  2. Add the user to the 探花大神 ADI security group
  3. Wait 90 seconds
  4. Verify the user was created in 探花大神.

To import an existing AD user in 探花大神:

  1. Add an existing AD user to the 探花大神 ADI security group
  2. Wait 90 seconds
  3. Verify the user was created in 探花大神.

Updating user attributes in 探花大神 from AD

When you change any attributes of an AD user which is currently synced via the AD Import Agent, this will reflect within your 探花大神 tenant in approximately 90 seconds. For example, if you change the First or Last Name of a user, this will reflect on the 探花大神 user鈥檚 First or Last Name attribute in 90 seconds. 

Suspending or deleting users in 探花大神 from AD

Deleting, suspending, or deactivating a user in AD suspends or deletes the user in 探花大神, which removes their access to any 探花大神-managed resources they had, such as RADIUS, LDAP, or SSO applications. Which action is taken is determined by the UserDisableAction, UserDissociateAction, and UserExpireAction settings in the jcadimportagent.config.json file (defaults are listed under To modify agent configuration).

Using AD Sync

If you also deploy the AD Sync Agent with your AD Integration, 探花大神 can push create, update, and deactivate changes for synced users down to AD. With the AD Sync Agent in place, you can do the following:

  1. Create users in 探花大神 which will then push down to AD.
  2. When users change passwords in 探花大神, this new password will be pushed down to their AD user account. 
  3. When you suspend or delete a user in 探花大神, this will disable the user Account in AD. 

To sync an existing user from 探花大神 to AD 

This lets 探花大神 create a user in AD if the user does not exist there. For users that already exist in AD, 探花大神 either takes over management of the user (one-way sync from 探花大神 to AD, where only the AD sync agent is running) or co-manages the user with AD (two-way sync, where both the AD import and AD sync agents are running).

Follow the steps below to sync users from 探花大神 to AD.

Warning:

If you are managing users in both 探花大神 and AD (two-way sync) and have left UserTakeoverAction at its default value, deactivate, then syncing users that have passwords from 探花大神 to AD causes the AD import agent to change those users' 探花大神 Password Status from Active to Password Pending. Those users lose access to every resource assigned to them in 探花大神. To prevent this, see Advanced Configurations for AD Import and set UserTakeoverAction to retain before you sync.

  1. Navigate to your user in 探花大神 and open their Details.
  2. Click the User Groups tab in the user's side panel.
  3. Bind the user to the user group they need to be a member of in AD (a group that is itself synced through the ADI). In our example, the Accounting User Group is tied to AD, shown under Directories in the drop-down menu.
  4. Click Save User. The user is created in the Root User Container of your AD domain. This can take up to 90 seconds.
  5. Wait for the Active Directory badge to appear on the user.

Note:

Users who are created in AD from 探花大神 are automatically put into the Root User Container you configured during the installation of the AD Import & Sync Agents. If you need to move the user to the appropriate OU or sub OU, you鈥檒l have to do this within AD on the DC.

To create, update and deactivate user accounts

The following section covers how to manage AD user accounts from 探花大神. With the AD Sync in place, 探花大神 Admins are able to manage AD users from the 探花大神 Admin Portal. This makes user onboarding, off-boarding, and management much easier. Additionally, this may help with removing the need to remotely access the DC for simple tasks within the Identity Lifecycle for user accounts.

Creating Users in 探花大神

探花大神 admins can create users in AD by binding any 探花大神 user to an AD-integrated user group in 探花大神. For example, if you've synced the Accounting group from AD to 探花大神 via the import agent, any 探花大神 user bound to that synced user group is created in AD under the Root User Container.

The user is created within AD, is a memberOf the associated user group (Security Group in AD), and their AD user account will use their 探花大神 Password. 

Suspending or deleting users in 探花大神

Suspending or deleting a user in 探花大神 disables the user account in AD. 探花大神 never removes or deletes user accounts in any third-party integration (this includes SAML, LDAP, AD, GWS, and M365). The change is reflected in AD within 90 seconds.

Managing ADI

To update agents

We recommend keeping your agents current to ensure you have the latest security updates, bug fixes, and functionality and to retain support. 

  1. Log in to the Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. In the Downloads section, select the agent you want to update.
  5. Select a download location.
  6. Copy the agent installation file to the server where the agent is already installed.
  7. Run the installation wizard. Only minimal installation screens are shown: the directory where the installation should occur, and the Finish screen.
  8. Restart the service.

To manage agents in 探花大神

  1. Log in to the Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Click pause to temporarily stop the agent.

Note:

Pausing prevents information from flowing between 探花大神 and AD. For the AD sync agent, changes are still queued while it is paused.

  5. Click delete to remove the agent from 探花大神.

Important:

Deleting an agent in 探花大神 neither stops nor uninstalls the agent service on the server. Stop it in services.msc and uninstall it from Programs and Features separately.

To change the Primary AD Import Agent Role to another Domain Controller

  1. Log in to the Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Pause all the running import agents except the one on the Domain Controller that you want to designate as the Primary Import Agent.
  5. After a short time period, the currently running Import agent will become the Primary Import agent.
  6. Unpause the remaining agents.

To rotate ADI service account passwords in AD

The ADI import and sync service account passwords should be rotated on a regular basis for security purposes.  

Rotating the ADI import service account (jcimport) password:

  1. Log in to the server where the import agent is installed (a Domain Controller, or a member server in the configurations that allow one) with an AD domain admin account.
  2. Reset the jcimport account's password in AD. The value you store in the registry in the following steps must match it, or the agent's LDAP bind will fail after the restart.
  3. Open the registry.
  4. Navigate to HKLM\SOFTWARE\探花大神\AD Integration Import Agent\ldap.
  5. Edit bind_password.
  6. Enter the new password in the Value data field.
  7. Click OK.
  8. Open services.msc.
  9. Restart the 探花大神 AD Integration Import Agent service.
  10. Repeat steps 3 through 9 on every server running the import agent.

Rotating the ADI sync service account (jcsync) password:

  1. Log in to the server where the sync agent is installed with an AD domain admin account.
  2. Reset the jcsync account's password in AD.
  3. Open the registry.
  4. Navigate to HKLM\SOFTWARE\探花大神\AD Integration Sync Agent\ldap.
  5. Edit bind_password.
  6. Enter the new password in the Value data field.
  7. Click OK.
  8. Open services.msc.
  9. Restart the 探花大神 AD Integration Sync Agent service (not the import agent service).
  10. Repeat steps 3 through 9 on every server running the sync agent.
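As an added example (not from the original article or the vendor), the following PowerShell performs the rotation above end to end on the server where an agent runs: it generates a random password, resets the service account in AD, proves the new credential binds over LDAP before touching the agent, writes the registry value, and restarts the service. The registry paths are the ones the steps above name; the service display names, the assumption that bind_password is a plain REG_SZ value (the manual procedure types the password straight into Value data), and the UPN-style bind are assumptions to check against your install.

```powershell
# Added example, not part of the original article. Run on the server where the agent is
# installed, as a domain admin. Assumptions: bind_password is a plain REG_SZ under the key
# the article names, the service display names match services.msc, and the account's UPN
# is accepted for the LDAP bind.
Import-Module ActiveDirectory

$Agents = @{
    Import = @{
        Account = 'jcimport'
        RegKey  = 'HKLM:\SOFTWARE\探花大神\AD Integration Import Agent\ldap'   # from the article
        Service = '探花大神 AD Integration Import Agent'                       # assumption: display name
    }
    Sync = @{
        Account = 'jcsync'
        RegKey  = 'HKLM:\SOFTWARE\探花大神\AD Integration Sync Agent\ldap'     # from the article
        Service = '探花大神 AD Integration Sync Agent'                         # assumption: display name
    }
}

function New-RandomPassword {
    param([int]$Length = 32)
    # Alphabet without look-alike characters; rejection sampling keeps the draw unbiased.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#%^*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $sb    = New-Object System.Text.StringBuilder
    $b     = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { [void]$sb.Append($alphabet[$b[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Test-LdapBind {
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][string]$Password)
    # A simple bind against RootDSE proves the new password is live before the agent
    # is pointed at it. Reading NativeObject is what forces the bind to happen.
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE', $User, $Password)
        $null = $entry.NativeObject
        $true
    } catch { $false }
}

function Update-AdiServiceAccountPassword {
    param([Parameter(Mandatory)][ValidateSet('Import', 'Sync')][string]$Agent)
    $a      = $Agents[$Agent]
    $new    = New-RandomPassword
    $secure = ConvertTo-SecureString -String $new -AsPlainText -Force

    # 1. Reset the account in AD. -Reset sets it without knowing the old password.
    Set-ADAccountPassword -Identity $a.Account -Reset -NewPassword $secure -ErrorAction Stop

    # 2. Prove the credential works before touching the agent's registry value.
    $upn = (Get-ADUser -Identity $a.Account).UserPrincipalName
    if (-not (Test-LdapBind -User $upn -Password $new)) {
        throw "New password for $($a.Account) does not bind yet; registry left unchanged."
    }

    # 3. Give the agent the same secret, then restart it so it re-reads the key.
    Set-ItemProperty -Path $a.RegKey -Name 'bind_password' -Value $new
    Get-Service -DisplayName $a.Service | Restart-Service
    Write-Host "$Agent agent ($($a.Account)) rotated and service restarted."
}

Update-AdiServiceAccountPassword -Agent Import
Update-AdiServiceAccountPassword -Agent Sync
```

Two practical points. The password reset lands on whichever DC the ActiveDirectory module targets; if the agent runs on a member server or another DC, the bind test can fail until replication catches up, so either pass -Server for the DC the agent talks to or rerun after replication. And because the manual procedure stores the bind password in the registry as typed, treat read access to that ldap key as equivalent to holding the service account's credential and keep its ACL limited to administrators and the agent's service identity.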

To change ADI Use Case

For detailed instructions on changing your ADI deployment configuration, read ADI: Change Configuration.

  1. Log in to the Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain
  4. Click Update Configuration
  5. Select the new deployment configuration
  6. Click Next
  7. Follow the steps on each screen.
The changes required for each move from your current use case to a new one:

From "Manage users, groups, and passwords in AD":
  • To "Manage users and passwords in either system, or both": download and install sync agent(s) on the server(s).
  • To "Manage users, groups, and passwords in 探花大神": 1. Download and install sync agent(s) on the server(s). 2. Delete the import agent(s) from the Admin Portal. 3. Uninstall the import agents from all servers.

From "Manage users and passwords in either system, or both":
  • To "Manage users, groups, and passwords in AD": 1. Delete the sync agent from the Admin Portal. 2. Uninstall the sync agents on all servers.
  • To "Manage users, groups, and passwords in 探花大神": 1. Delete the import agent(s) from the Admin Portal. 2. Uninstall the import agents from all servers.

From "Manage users, groups, and passwords in 探花大神":
  • To "Manage users, groups, and passwords in AD": 1. Delete the sync agent from the Admin Portal. 2. Uninstall the sync agents on all servers. 3. Download and install the import agent(s).
  • To "Manage users and passwords in either system, or both": download and install the import agent(s).

To manage ADI services in AD

  1. Open services.msc
  2. Select the AD service (探花大神 AD integration Sync Agent or 探花大神 AD integration Import Agent)
  3. Select the desired action: start, stop, restart

To modify agent configuration

Modifying the AD Import Agent Configuration

Note:

The default configuration settings for the AD import agent are:

  • UserDissociateAction = remove
  • UserTakeoverAction = deactivate
  • UserDisableAction = suspend
  • UserExpireAction = expire

  1. Review Advanced Configurations for the Active Directory Import Agent to understand the configuration settings available for the import agent.
  2. On the domain controller, go to the 探花大神 folder where the AD import agent is installed.
  3. Open the adint.config.json file in a text editor.
  4. Edit the settings in the "MainLoop" section of the file.
  5. Repeat this process for the configuration file on every server (domain controller or member server) on which the AD import agent is installed.
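As an added example (not from the original article or the vendor), the PowerShell below edits the import agent configuration the way the steps above describe but with the guard rails a practitioner wants: it backs up the file first, changes only the keys you name, warns when a value is not one this article documents, and optionally restarts the agent so it re-reads the file (the article's other procedures restart the service after a change, which is assumed to apply here). It then switches UserTakeoverAction from the default deactivate to retain, the change the warning under To sync an existing user from 探花大神 to AD calls for in a two-way configuration. The install path, the top-level "MainLoop" object holding these keys, and the service display name are assumptions taken from the article's wording.

```powershell
# Added example, not part of the original article. Assumptions: the config file lives under
# the agent install folder, the keys sit in a top-level "MainLoop" object (as the steps above
# say), and the service display name matches the one shown in services.msc.
$ConfigPath  = 'C:\Program Files\ADI Import Agent\adint.config.json'   # assumption
$ServiceName = '探花大神 AD Integration Import Agent'                     # assumption: display name

# Values this article documents for each key. Others trigger a warning, not a rejection,
# because the article does not claim this list is exhaustive.
$DocumentedValues = @{
    UserDissociateAction = @('remove')
    UserTakeoverAction   = @('deactivate', 'retain')
    UserDisableAction    = @('suspend')
    UserExpireAction     = @('expire')
}

function Get-AdiImportConfig {
    param([string]$Path = $ConfigPath)
    Get-Content -Path $Path -Raw | ConvertFrom-Json
}

function Set-AdiImportConfig {
    param(
        [Parameter(Mandatory)][hashtable]$Settings,   # e.g. @{ UserTakeoverAction = 'retain' }
        [string]$Path = $ConfigPath,
        [switch]$RestartAgent
    )
    $cfg = Get-AdiImportConfig -Path $Path
    if (-not $cfg.PSObject.Properties['MainLoop']) {
        throw "No MainLoop section in $Path; inspect the file before editing it."
    }
    foreach ($key in $Settings.Keys) {
        $value = [string]$Settings[$key]
        if ($DocumentedValues.ContainsKey($key) -and ($DocumentedValues[$key] -notcontains $value)) {
            Write-Warning "'$value' is not a value this article documents for $key (documented: $($DocumentedValues[$key] -join ', '))."
        }
        $before = $cfg.MainLoop.$key
        # Add-Member -Force overwrites an existing property or creates a missing one.
        $cfg.MainLoop | Add-Member -NotePropertyName $key -NotePropertyValue $value -Force
        Write-Host "$key : '$before' -> '$value'"
    }
    # Timestamped backup so the change can be reverted if the agent misbehaves.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $Path -Destination $backup
    $cfg | ConvertTo-Json -Depth 10 | Set-Content -Path $Path -Encoding UTF8
    if ($RestartAgent) {
        Get-Service -DisplayName $ServiceName | Restart-Service
    }
}

# Show the four keys the article lists, then make the two-way-sync safe change.
$current = Get-AdiImportConfig
$current.MainLoop | Select-Object UserDissociateAction, UserTakeoverAction, UserDisableAction, UserExpireAction
Set-AdiImportConfig -Settings @{ UserTakeoverAction = 'retain' } -RestartAgent
```

Because step 5 above says every server running the import agent needs the same change, wrap the call in Invoke-Command against the list of those servers rather than editing each file by hand; the function only touches the local file.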

To modify the Root User container 

If you decide to use a different Root user container for managing AD resources then you will want to modify or validate the configured Root User container location.

Verifying the full LDAP path of the chosen Root User container in ADUC

  1. From the ADUC View menu, enable Advanced Features.
  2. Right-click the container and select Properties.
  3. Select the Attribute Editor tab.
  4. Select the "distinguishedName" attribute, then click View.

Modifying the Root User container in the AD sync configuration settings

Stop the 探花大神 AD Integration Sync Agent service and make the required sync agent configuration changes:

  1. Open Registry Editor by clicking the Start button and typing regedit. Click the Registry Editor icon.
  2. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\探花大神\AD Sync.
  3. There should be a key (it looks like a folder) named ldap. If there is not, create this key and name it ldap.
  4. Open the ldap key.
  5. You should see a value named user_root_dn holding the Root User container you specified during installation of the AD sync agent. If it does not match the distinguishedName you verified above, double-click user_root_dn and update it to your Root User container.
  6. Once updated, start the 探花大神 AD Integration Sync Agent service in services.msc.

Note:

These changes should coincide with relocating the 探花大神 ADI security group in AD, as well as using the Delegation Wizard to set the associated agent service accounts.
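As an added example (not from the original article or the vendor), the PowerShell below does the verification and the registry change above in one pass and adds the check the note calls for: it resolves the new container's distinguishedName from AD (confirming it is an OU or container rather than some other object), lists the ACEs the sync service account holds on it so you can see whether the Delegation Wizard step has been done, and only then stops the service, writes user_root_dn, and starts the service again. The registry key and value name come from the steps above; the service display name, the jcsync account name, and the example DN are assumptions.

```powershell
# Added example, not part of the original article. Run on the server where the sync agent is
# installed, as a domain admin. Assumptions: the registry key and value name are the ones the
# steps above name, the service display name matches services.msc, 'jcsync' is the sync
# agent's service account, and the new container DN is an example.
Import-Module ActiveDirectory

$RegKey      = 'HKLM:\SOFTWARE\探花大神\AD Sync\ldap'       # from the steps above
$ServiceName = '探花大神 AD Integration Sync Agent'          # assumption: display name
$SyncAccount = 'jcsync'                                    # assumption
$NewRootDn   = 'OU=Synced Users,OU=Corp,DC=corp,DC=example' # assumption

function Resolve-ContainerDn {
    param([Parameter(Mandatory)][string]$Dn)
    # Same result as Attribute Editor > distinguishedName, but it also proves the object
    # exists and is an OU or container rather than something with a similar name.
    $obj = Get-ADObject -Identity $Dn -Properties objectClass -ErrorAction Stop
    if ($obj.ObjectClass -notin 'organizationalUnit', 'container') {
        throw "$Dn is a $($obj.ObjectClass), not an OU or container."
    }
    $obj.DistinguishedName
}

function Get-SyncAccountAccess {
    param([Parameter(Mandatory)][string]$Dn, [Parameter(Mandatory)][string]$Account)
    # Lists what the service account currently holds on the new root, so the delegation
    # the note above mentions can be confirmed before the agent is pointed at it.
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.Access | Where-Object { $_.IdentityReference -like "*\$Account" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
}

function Set-AdiSyncRootDn {
    param([Parameter(Mandatory)][string]$Dn)
    $resolved = Resolve-ContainerDn -Dn $Dn
    if (-not (Test-Path $RegKey)) {
        New-Item -Path $RegKey -Force | Out-Null   # the steps say to create 'ldap' if it is missing
    }
    $current = (Get-ItemProperty -Path $RegKey -Name user_root_dn -ErrorAction SilentlyContinue).user_root_dn
    if ($current -eq $resolved) {
        Write-Host "user_root_dn is already $resolved"
        return
    }
    $svc = Get-Service -DisplayName $ServiceName
    Stop-Service -InputObject $svc   # stop first, exactly as the manual procedure does
    try {
        Write-Host "user_root_dn: '$current' -> '$resolved'"
        Set-ItemProperty -Path $RegKey -Name user_root_dn -Value $resolved
    } finally {
        Start-Service -InputObject $svc
    }
}

$access = Get-SyncAccountAccess -Dn $NewRootDn -Account $SyncAccount
if (-not $access) {
    Write-Warning "$SyncAccount has no explicit ACEs on $NewRootDn; run the Delegation Wizard before switching."
}
$access | Format-Table -AutoSize
Set-AdiSyncRootDn -Dn $NewRootDn
```

The AD: PSDrive used by Get-Acl is created when the ActiveDirectory module loads. Rights inherited from a parent OU will not appear in this listing, which is deliberate: the note above is about delegating the container itself, and an explicit ACE on the new root is the thing to confirm.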

To uninstall agents from AD servers

  1. Open Programs and Features (or Apps & features) in Windows.
  2. Find the program for the agent you want to uninstall (探花大神 AD Import or 探花大神 AD Sync).
  3. Uninstall it. Uninstalling does not remove the agent's entry in the Admin Portal; delete it there as well (see To manage agents in 探花大神).

Want additional assistance from 探花大神?

If you're having issues getting 探花大神's AD Integration working, see the Troubleshooting Guide. 探花大神 also offers professional services to help customers implement and configure 探花大神. If you need help migrating from AD or integrating AD with 探花大神, contact 探花大神's Professional Services team on the following page: Professional Services - 探花大神.
