Administration Guide

Configuring Active Directory Synchronization Jobs

If you want Alloy Navigator to import Active Directory data from a single Active Directory container (for example, the Users container of the domain you are currently logged in to), you must create a single Active Directory Synchronization job. In order to import data from multiple Active Directory containers, you must create multiple Active Directory Synchronization jobs, one for each container.

To configure an Active Directory Synchronization job, follow these steps:

  1. From the Sidebar, navigate to Services > Active Directory Integration > Synchronization, and then either click New or select an existing job and click Open. The Active Directory Synchronization dialog box opens.

    NOTE: For an existing Active Directory Synchronization job, select the Enabled check box if it is not selected. For details, see Disabling or Enabling Active Directory Synchronization Jobs.

  2. Leave the default job name or type a different name in the Name field. If you plan to have multiple Active Directory Synchronization jobs, you should assign a distinctive name to each job.
  3. Under Active Directory, specify an Active Directory domain and container to import records from.
    1. In the Domain list, choose an Active Directory domain:
      • To import data from the domain you are currently logged in to, select Currently logged-in domain.
      • To import data from another Active Directory domain or other directory service, select its name from the Domain list. The list contains the Domain Credentials records that you specified earlier in the Services > Active Directory Integration > Domain Credentials section.

        INFO: For details, see Managing Domain Credentials.

    2. Click the ellipsis button, browse for an Active Directory container (typically, you would want to choose the Users container), and click OK. The LDAP path to this container appears in the LDAP Path field.
  4. Click Check Path to make sure that Alloy Navigator Express can connect to the specified Active Directory container.
  5. If needed, customize the default schedule as follows:
    • Under Schedule, click Change and specify a new job schedule. You can set the occurrence (daily, weekly, monthly, or yearly), daily frequency, and duration (start and end date).
  6. By default, the Automation Server runs the Active Directory Import tool under the Automation Server’s startup account. This configuration is usually sufficient and does not require any changes. However, you can use a dedicated Windows account for the job.

    IMPORTANT: To run a job under a dedicated Windows account, this account must have the Log on as a batch job user right on the Automation Server computer.

    Under Connect as, specify a Windows account to access the Active Directory as follows:

    • If you want the Automation Server to run the Active Directory Import tool under another Windows account, click This account, and then click the Find button to select a user.

    You can assign user rights to the account as follows:

    1. Log on as an administrator on the computer hosting the Automation Server.
    2. Open the Local Security Policy.
    3. In the Local Policies, go to User Rights Assignment.
    4. Right-click the user right to assign (for example, Log on as a batch job) and choose Properties.
    5. Click Add User or Group... and include the relevant account.
    6. Click OK.
    7. Restart the Automation Server.

      INFO: For instructions, see Starting and stopping the Automation Server.

    • Otherwise, leave The Automation Server startup account selected.
  7. Click Test Account Settings to make sure that the Automation Server can run the job as specified.
  8. Click OK to save your changes.
  9. Click the Processing tab to specify additional processing options.
    1. If you want to apply additional filtering criteria to ignore irrelevant user accounts and generic system accounts, under Ignore user records where, select any of the following check boxes:
      • By default, when the Active Directory Synchronization job updates Person records, it does not ignore accounts that are disabled in the Active Directory. If a disabled user account matches an active Person record in Alloy Navigator Express, the job runs the corresponding Service Action to update that Person. Depending on your workflow configuration, this job makes Persons retired or inactive when corresponding user accounts are disabled in the Active Directory.

        NOTE: The Active Directory data mapping for updating Person records has the "Disabled" attribute. This attribute contains the status of Active Directory user accounts as a logical value (TRUE or FALSE).

        If you want to ignore disabled accounts when the job updates Person records, select the User account is disabled check box.

        IMPORTANT: This option applies only when the synchronization job performs an update of a Person record. When a record to update cannot be found, the synchronization job checks the state of the original record in the Active Directory. If the record is disabled, the synchronization job skips it to prevent creating Person records for people that may no longer work in the company.

      • To ignore user accounts with no e-mail address, select the 'E-Mail' Field is empty check box;
      • To ignore user accounts with no office information, select the 'Office' field is empty check box;
      • To ignore user accounts whose Logon name is in uppercase, which is typical for system accounts, select the Logon name is in UPPERCASE check box.
    2. Under Processing Options, specify whether the job will create other records:
      • To automatically create SSP Customer accounts for new Persons, select the Create Self Service Portal accounts check box.

        INFO: For details on the automatic creation of SSP Customer accounts, see Creating SSP Customer Accounts Automatically.

      • To automatically create Organizations that are referenced by Person records, select the Create Organizations check box.
      • To automatically create Locations that are referenced by Person records, select the Create Locations check box.
  10. Click OK.

    IMPORTANT: Before running the Active Directory Synchronization job, you must properly configure and start the Automation Server. For details, see Automation Server.
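
The following script is an added example, not part of Alloy Navigator or its documentation. It checks the requirement from step 6: that the dedicated Windows account holds the Log on as a batch job user right on the Automation Server computer, and that no Deny log on as a batch job entry overrides it. The account name EXAMPLE\svc-adsync is a hypothetical placeholder.

```powershell
# Added example: run elevated on the computer hosting the Automation Server.
param(
    # Hypothetical account; use the one selected under "Connect as".
    [string]$Account = 'EXAMPLE\svc-adsync'
)

function ConvertTo-Sid([string]$Entry) {
    # Policy entries are either *S-1-... (a SID) or an account name.
    try {
        if ($Entry.StartsWith('*')) {
            return ([System.Security.Principal.SecurityIdentifier]$Entry.Substring(1)).Value
        }
        $nt = [System.Security.Principal.NTAccount]$Entry
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $Entry }   # keep unresolvable entries as written
}

function Get-UserRightHolder([string[]]$PolicyLines, [string]$Right) {
    # Matches e.g. "SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551"
    $line = $PolicyLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() } |
        Where-Object { $_ } | ForEach-Object { ConvertTo-Sid $_ }
}

function Resolve-SidName([string]$Sid) {
    # Turn a SID back into DOMAIN\name for display; fall back to the raw value.
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

# Export only the user rights area of the computer's current security settings.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg

$sid     = ConvertTo-Sid $Account
$allowed = @(Get-UserRightHolder $policy 'SeBatchLogonRight')
$denied  = @(Get-UserRightHolder $policy 'SeDenyBatchLogonRight')

[pscustomobject]@{
    Account           = $Account
    DirectlyGranted   = $allowed -contains $sid
    DirectlyDenied    = $denied -contains $sid   # a deny entry overrides the grant
    BatchLogonHolders = ($allowed | ForEach-Object { Resolve-SidName $_ }) -join '; '
    DenyHolders       = ($denied | ForEach-Object { Resolve-SidName $_ }) -join '; '
}
```

DirectlyGranted is False when the account receives the right only through a group; in that case compare the account's group memberships against BatchLogonHolders. Granting the right to the dedicated account alone, rather than to a broad group, keeps the set of principals that can run batch jobs on the server small.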