Online Help | Desktop App

Creating or modifying Active Directory Synchronization jobs

You create or modify Active Directory Synchronization jobs in the Active Directory Synchronization window.

To create or modify an Active Directory Synchronization job:

  1. On the Settings tab, configure the general job settings:

    • Name - Default names for Active Directory Synchronization jobs are "Active Directory Import", "Active Directory Import (1)", "Active Directory Import (2)", etc. You can assign a special name for every job, as needed.

    • Enabled - enables auto-running the job.

    • TIP: If you do not want the job to run by schedule, you can clear the Enabled check box, configure the job with any schedule, and then manually run the Active Directory Synchronization when needed. For details, see Managing all Automation Server jobs: To force a job to run.

    • Domain - choose a directory service or an Active Directory domain to synchronize with. You choose from the records specified in the Domain Credentials section. Alternatively, you can choose the domain you are currently logged in to.

    • LDAP Path - specify the LDAP path to the Users container:
      • For Microsoft Active Directory (for example, LDAP://CN=Users,DC=toronto,DC=zeus,DC=com).

        To select a container, click the ellipsis button, browse through Active Directory containers, select the desired one, and click OK.

      • For LDAP Server: LDAP://<Server Name>:<Port>/<Users DN>.

    • If you want to make sure that the specified LDAP path is correct, click the Check Path button.

    • Under Schedule, you specify the schedule according to which the Active Directory Import tool imports data from Active Directory:

    • When you choose Currently logged-in domain in the Domain list, an additional Connect as section appears below the Schedule section.

    • Under Connect as, specify a Windows account to access the Active Directory as follows:

      • If you want the Automation Server to run the Active Directory Synchronization under the Automation Server startup account, leave The Automation Server startup account selected.

      • If you want the Automation Server to run the Active Directory Import tool under another Windows account, click This account, click the Find button, and select a dedicated Windows account.

        IMPORTANT: The Windows account must have permissions to "Log on as a batch job" on the machine running the Automation Server.

    • Test Account Settings - allows you to make sure that the Automation Server can run as specified.

  2. On the Processing tab, specify how the Active Directory Import tool creates and updates Alloy Navigator objects:

    • Under For new users, specify how the Active Directory Import tool creates Person records for new users:

    Create Persons - the Service Action for creating Persons (Create Action for Active Directory Import).

    • Under For existing users, specify how the Active Directory Import tool updates existing Person records with the Active Directory data:

    Update Persons - the Service Action for updating Persons (Update Action for Active Directory Import).

    • Under Options, specify additional import options:

      • Under Ignore user records where, you can apply additional filtering criteria to ignore irrelevant user accounts and generic system accounts:

        • User account is disabled - ignore disabled user accounts when updating Person records.

          NOTE: Service Actions for updating Persons have the "Disabled" service attribute available for field mapping. This attribute contains the status of a user account in the logical format (TRUE or FALSE). You can use it, for example, to set Persons inactive when corresponding user accounts are disabled in the directory service. For more information, see Configuring Service Actions.

          IMPORTANT: This option applies only when updating existing Person records. When creating new Persons, disabled user accounts are always ignored.

        • 'E-Mail' field is empty - ignore user accounts with no e-mail address.

        • 'Office' field is empty - ignore user accounts with no office information.

        • Logon name is in UPPERCASE - ignore user accounts whose Logon name is in UPPERCASE, which is usual for system accounts.

      • Under Processing Options, check the boxes next to the items you want the job to create when processing Person data:

        • Create SSP Customer Accounts for Persons - enables the job to create SSP Customer accounts for Person records.

          NOTE: When all of your domain users can use the Self Service Portal, you may want to avoid duplicating user accounts in Alloy Navigator. You can do this by using LDAP Authentication for the Self Service Portal.

        • Create Organizations - enables the job to create Organizations for Person records.

        • Create Locations - enables the job to create Locations for Person records.

    When the check box is selected, the corresponding system macro evaluates to TRUE (see System Macros). The macros should be used in conditional workflow operations of the Service Action that the job employs for creating Persons. If TRUE, the Service Action should perform a corresponding workflow Function to create the items for newly created Person records. You can also use these macros in the Service Action for updating Persons. For details, see Service Actions.

  3. Click OK.

NOTE: In order to import data from multiple Active Directory containers, you must create multiple Active Directory Synchronization jobs, providing an individual job for each container. If you consider having all resources available under the same Automation Server startup account a security risk, use a dedicated Windows account for every job. The Windows account must have permissions to "Log on as a batch job" on the machine running the Automation Server.
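
The following added example (not part of the product or its documentation) models the "Ignore user records where" options from the Processing tab so you can preview, from an exported user list, which accounts a job would create, update, or skip, including the rule that disabled accounts are always skipped on creation but only optionally on update. It assumes the standard Active Directory attributes `sAMAccountName`, `mail`, `physicalDeliveryOfficeName` and `userAccountControl` back the Logon name, E-Mail, Office and disabled status, and that existing Persons are matched by logon name; the function and class names are hypothetical.

```python
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl bit: account disabled

@dataclass(frozen=True)
class IgnoreOptions:  # the four "Ignore user records where" check boxes
    disabled: bool = False
    empty_email: bool = False
    empty_office: bool = False
    uppercase_logon: bool = False

def skip_reason(user, opts, person_exists):
    """Return why the job would skip this account, or None if it is processed."""
    disabled = bool(int(user.get("userAccountControl", 0)) & ACCOUNTDISABLE)
    # Disabled accounts never create a Person; on update the check box decides.
    if disabled and (opts.disabled or not person_exists):
        return "disabled"
    if opts.empty_email and not (user.get("mail") or "").strip():
        return "no e-mail"
    if opts.empty_office and not (user.get("physicalDeliveryOfficeName") or "").strip():
        return "no office"
    if opts.uppercase_logon and user["sAMAccountName"].isupper():
        return "uppercase logon"
    return None

def preview(users, opts, existing_logons):
    """Split accounts into create / update / skip for one job configuration."""
    known = {name.lower() for name in existing_logons}
    plan = {"create": [], "update": [], "skip": {}}
    for user in users:
        logon = user["sAMAccountName"]
        exists = logon.lower() in known  # assumption: Persons matched by logon name
        reason = skip_reason(user, opts, exists)
        if reason:
            plan["skip"][logon] = reason
        else:
            plan["update" if exists else "create"].append(logon)
    return plan

# Constructed sample export; not real directory data.
SAMPLE_USERS = [
    {"sAMAccountName": "jsmith", "userAccountControl": 512, "mail": "jsmith@example.com", "physicalDeliveryOfficeName": "Toronto"},
    {"sAMAccountName": "SQLSVC", "userAccountControl": 66048, "mail": "", "physicalDeliveryOfficeName": ""},
    {"sAMAccountName": "adoe", "userAccountControl": 514, "mail": "adoe@example.com", "physicalDeliveryOfficeName": "Toronto"},
    {"sAMAccountName": "bnew", "userAccountControl": 514, "mail": "bnew@example.com", "physicalDeliveryOfficeName": "Toronto"},
]

if __name__ == "__main__":
    print(preview(SAMPLE_USERS, IgnoreOptions(uppercase_logon=True), {"adoe"}))
```

With "User account is disabled" cleared, the disabled account `adoe` still reaches the update Service Action, which is what lets the "Disabled" attribute mark the Person inactive.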