Administration Guide

Configuring Active Directory Synchronization Jobs

If you want Alloy Navigator to import Active Directory data from a single Active Directory container (for example, the Users container of the domain you are currently logged in to), you must create a single Active Directory Synchronization job. In order to import data from multiple Active Directory containers, you must create multiple Active Directory Synchronization jobs, one for each container.

To configure an Active Directory Synchronization job, follow these steps:

  1. From the Sidebar, navigate to Services > Active Directory Integration > Synchronization and click New. The Active Directory Synchronization dialog box opens.
  2. Leave the default job name or type a different name in the Name field. If you plan to have multiple Active Directory Synchronization jobs, you should assign distinctive names to each job.
  3. Under Active Directory, specify an Active Directory domain and container to import records from.
    1. In the Domain list, choose an Active Directory domain:
      • To import data from the domain you are currently logged in to, select Currently logged-in domain.
      • To import data from another Active Directory domain or other directory service, select its name from the Domain list. The list contains the Domain Credentials records that you specified earlier in the Services > Active Directory Integration > Domain Credentials section.

        INFO: For details, see Managing Domain Credentials.

    2. Click the ellipsis button, browse for an Active Directory container (typically, you would want to choose the Users container), and click OK. The LDAP path to this container appears in the LDAP Path field.
  4. Click Check Path to make sure that Alloy Navigator can connect to the specified Active Directory container.
  5. If needed, customize the default schedule as follows:
    • Under Schedule, click Change and specify a new job schedule. You can set the occurrence (daily, weekly, monthly, or yearly), daily frequency, and duration (start and end date).
  6. By default, synchronization jobs run under the Automation Server’s startup account. If you consider having all resources available under the same Automation Server startup account a security risk, use a separate Windows account for each job.

    IMPORTANT: To run each job under a dedicated Windows account, this account must have the Log on as a batch job user right on the Automation Server computer.

    Under Connect as, specify a Windows account to access the Active Directory as follows:

    • If you want the Automation Server to run the Active Directory Import tool under another Windows account, click This account, and then click the Find button to select a user.

    You can assign user rights to the account as follows:

    1. Log on as an administrator on the computer hosting the Automation Server.
    2. Open the Local Security Policy.
    3. In the Local Policies, go to User Rights Assignment.
    4. Right-click the user right to assign (for example, Log on as batch job) and choose Properties.
    5. Click Add User or Group... and include the relevant account.
    6. Click OK.
    7. Restart the Automation Server.

      INFO: For instructions, see Starting and stopping the Automation Server.

    • Otherwise, leave The Automation Server startup account selected.
  7. Click Test Account Settings to make sure that the Automation Server can run the job as specified.
  8. Click OK to save your changes.
  9. Click the Processing tab and specify how the Active Directory Synchronization job should create and update Alloy Navigator objects. Under Workflow, choose Service Actions for the Active Directory Import tool.
    1. Specify a Service Action for creating Person records: click the ellipsis button in the Create Persons field, select the Create Service Action for the Active Directory Import tool, and click OK. We recommend that you use the default "New Person (Active Directory Sync)" Action #2238.
    2. Specify a Service Action for updating existing Person records with the Active Directory data: click the ellipsis button in the Update Persons field, select the Update Service Task for the Active Directory Import tool, and click OK. We recommend that you use the default "Update Person (Active Directory Sync)" Action #2252.
    3. If you want to apply additional filtering criteria to ignore irrelevant user accounts and generic system accounts, under Ignore user records where, select any of the following check boxes:
      • By default, when the Active Directory Synchronization job updates Person records, it does not ignore accounts that are disabled in the Active Directory. If a disabled user account matches an active Person record in Alloy Navigator, the job runs the corresponding Service Action to update that Person. Depending on your workflow configuration, this job makes Persons retired or inactive when corresponding user accounts are disabled in the Active Directory.

        NOTE: Service Actions for Active Directory Import that update Persons have the "Disabled" attribute available for field mapping. This attribute contains the status of Active Directory user accounts as a logical value (TRUE or FALSE). The default "Update Person (Active Directory Sync)" #2252 action uses this attribute to set Persons inactive when corresponding user accounts are disabled in the Active Directory. For information on field mapping, see Creating Service Actions.

        If you want to ignore disabled accounts when the job updates Person records, select the User account is disabled check box.

        IMPORTANT: This option applies only when the synchronization job performs an update of a Person record. When a record to update cannot be found, the synchronization job checks the state of the original record in the Active Directory. If the record is disabled, the synchronization job skips it to prevent creating Person records for people who may no longer work in the company.

      • To ignore user accounts with no e-mail address, select the "E-Mail" field is empty check box.
      • To ignore user accounts with no office information, select the "Office" field is empty check box.
      • To ignore user accounts whose Logon name is in uppercase, which is typical for system accounts, select the Logon name is in UPPERCASE check box.
    4. Under Processing Options, specify whether the job will create other records:
      • To automatically create SSP Customer accounts for new Persons, select the Create Self Service Portal accounts check box.

        INFO: For details on the automatic creation of SSP Customer accounts, see Creating SSP Customer Accounts Automatically.

      • To automatically create Organizations that are referenced by Persons records, select the Create Organizations check box.

        NOTE: Selecting this check box sets the "Create Organizations" system macro to TRUE. This macro is used in Service Actions for creating and updating Person records. The default "New Person (Active Directory Sync)" Action #2268 uses this macro to trigger a special Function. The Function creates Organizations for new Persons when the corresponding user accounts have the "Company" and "Department" attributes in the Active Directory. The default "Update Person (Active Directory Sync)" Action #2252 also uses this macro to create the Organizations for updated Person records, if they do not exist. For details on system macros, see System Macros. For information on conditional workflow operations, see Building Conditional Statements.

      • To automatically create Locations that are referenced by Persons records, select the Create Locations check box.

        NOTE: Selecting this check box sets the "Create Locations" system macro to TRUE. The default Service Actions for creating and updating Person records use this macro in the same way as they use the "Create Organizations" macro described in the previous step.

  10. Click OK.

    IMPORTANT: Before running the Active Directory Synchronization job, you must properly configure and start the Automation Server. For details, see Automation Server.
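The filtering rules under Ignore user records where in step 9 have one subtle point: the User account is disabled option affects only updates, while a disabled account with no Person to update is always skipped. The following model of that decision is an added example, not Alloy Navigator code; it assumes that the other three check boxes apply to both creates and updates, and the AdUser records are constructed samples.

```python
"""Model of the "Ignore user records where" options of an Active
Directory Synchronization job (added example, not Alloy Navigator code)."""
from dataclasses import dataclass


@dataclass
class AdUser:
    """Constructed sample of the user attributes the job evaluates."""
    logon_name: str
    disabled: bool           # the "Disabled" attribute (TRUE or FALSE)
    email: str = ""          # the "E-Mail" field
    office: str = ""         # the "Office" field


@dataclass
class IgnoreOptions:
    """The four check boxes under "Ignore user records where"."""
    account_disabled: bool = False   # "User account is disabled"
    email_empty: bool = False        # "'E-Mail' field is empty"
    office_empty: bool = False       # "'Office' field is empty"
    logon_uppercase: bool = False    # "Logon name is in UPPERCASE"


def decide(user: AdUser, options: IgnoreOptions, person_exists: bool) -> str:
    """Return "create", "update" or "skip" for one user account.

    person_exists tells whether a matching Person record already exists
    (the Update Service Action would run) or not (the Create one would).
    """
    # Assumption: these three options apply on both create and update.
    if options.email_empty and not user.email.strip():
        return "skip"
    if options.office_empty and not user.office.strip():
        return "skip"
    if options.logon_uppercase and user.logon_name.isupper():
        return "skip"
    if person_exists:
        # Disabled accounts are ignored only when the check box is selected;
        # otherwise the Update Service Action runs and may retire the Person.
        if options.account_disabled and user.disabled:
            return "skip"
        return "update"
    # No Person to update: a disabled account is always skipped, so no
    # Person is created for someone who may no longer work in the company.
    return "skip" if user.disabled else "create"
```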