Connecting to Active Directory Users

The Active Directory provider in Data Sync is a read-write connector for Active Directory User, Contact, Group, and Computer objects. The connector also supports incremental sync.

When you click the Active Directory section in the connection window you will have a few options to choose from.

  • Active Directory V2 - Group Members is the connector you use to connect to groups and return the users that are members of those groups.
  • Active Directory V2 - Users/Contacts/Groups/Computers is the connector you use to connect to users, contacts, groups and computers. This is the connector you are most likely to use to connect to Active Directory, and it is the one discussed in the sections below.

The general connection details for connecting to user records are below. Further details for each connector, and additional guidance, are available on their respective pages in the menu.

To connect to Active Directory User records you need to enter your Credentials and LDAP Path, at a minimum.

(Screenshot: Active Directory Users connection window)

Add your Credentials

Your credentials are the Windows credentials you use to connect to AD. If you leave these blank, the credentials of the current process/user are used. To add your credentials, click the ellipsis (...) to open the credential window.

Enter the LDAP Path to the OU

You can enter either the full LDAP path or just the server name/domain controller name.

If you use just the server name/domain controller name, your connection will look similar to: LDAP://dc01

Otherwise, examples of full LDAP paths are:

  • You can connect at the domain level (the global OU) by omitting any OUs from the path; note that the domain controller name still needs to be listed: LDAP://dc01/dc=demo,dc=simego,dc=com

  • You can connect to a specific OU by adding the OU to the path; again, the domain controller name needs to be listed: LDAP://dc01/OU=Test,DC=demo,DC=simego,DC=com

If you are struggling to find your LDAP Path you can use ADSI Edit to help you.

Finding your LDAP Path

In ADSI Edit locate and select the OU you want to connect to, right click and select Properties from the list.

(Screenshot: ADSI Edit Properties)

You can then scroll through the property list to find the distinguishedName attribute. Its value gives you the components of the LDAP path to that specific OU.

(Screenshot: ADSI Edit Properties, distinguishedName attribute)
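As an added example (not Data Sync's or Simego's own code), the helper below turns a domain controller name and the distinguishedName copied from ADSI Edit into the LDAP path shown above, and builds an OU path from its parts with RFC 4514 escaping so an OU name containing a comma does not corrupt the path. The server and domain names are the page's sample values.

```python
# Added example (not Simego's or Data Sync's own code): build the LDAP path
# Data Sync expects from a DC name plus the distinguishedName from ADSI Edit.
from typing import List, Tuple

_DN_SPECIALS = ',+"\\<>;'  # RFC 4514: escape these inside an RDN value


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes
    so an OU such as 'Sales\\, EMEA' is not split into two RDNs."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair verbatim
            ch = dn[i:i + 2]
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += len(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), value))
    return pairs


def escape_dn_value(value: str) -> str:
    """Escape one RDN value (RFC 4514 specials plus a leading '#' or space)."""
    out = "".join("\\" + c if c in _DN_SPECIALS else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out


def build_ldap_path(server: str, dn: str = "") -> str:
    """LDAP://dc01 with no DN (server-only form), else LDAP://dc01/<DN>."""
    if not server or "/" in server:
        raise ValueError("server must be a bare domain controller name")
    if not dn:
        return f"LDAP://{server}"
    # Round-trip through split_dn so a malformed DN fails here, not at the DC.
    return f"LDAP://{server}/" + ",".join(f"{a}={v}" for a, v in split_dn(dn))


def ou_path(server: str, ou: str, domain: str) -> str:
    """Path for one OU in a DNS domain: ('dc01', 'Test', 'demo.simego.com')."""
    dcs = ",".join(f"DC={label}" for label in domain.split("."))
    return build_ldap_path(server, f"OU={escape_dn_value(ou)},{dcs}")
```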

UseSecureSocketsLayer

If your domain controllers accept LDAP over SSL (LDAPS), you can connect using SSL by selecting True from the drop-down list, so that the directory traffic is encrypted in transit.

Connection Properties

In the datasource window, below the columns, you will find the connection properties. You can edit these to meet your requirements as needed; a brief explanation of the main properties can be found below.

Attributes

If an attribute you want to use from your Active Directory system is not in the default list, you can use this property to add it to the column list. You will need to know the attribute's internal LDAP name and the data type AD expects for it.

You can learn more about adding attributes here.

LDAPFilter

You can apply an LDAP filter to your connection to limit the results on the server side.

For the User connection the default filter is (&(objectCategory=person)(objectclass=user)).

You can find the Microsoft LDAP Filter Syntax here.

You can also find more details on using the LDAP Filter here.

Group Filter

You can use an LDAP filter to limit the results returned from Active Directory.

The LDAP filter below is an example that returns the users that are members of the CRM Team Users Active Directory group:

(&(objectClass=User)(memberOf=CN=CRM Team Users,CN=Users,DC=corp,DC=litware,DC=inc))
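To show how such a filter is assembled safely, here is an added example (not Data Sync's or Simego's own code) that ANDs a memberOf clause onto the connector's default User filter. Values are escaped per RFC 4515, so a group or department name that arrives at run time can only ever be a value and cannot change the filter's structure; a cheap balance check catches a mistyped filter before it reaches the domain controller. The group DN is the page's sample value; note that memberOf matches direct members of the group only.

```python
# Added example (not Simego's or Data Sync's own code): assemble the LDAPFilter
# property safely.  Values are escaped per RFC 4515 so that text supplied at
# run time (a group name, a department) can never change the filter's shape.

# The connector's default User filter, as documented above.
DEFAULT_USER_FILTER = "(&(objectCategory=person)(objectclass=user))"

# RFC 4515: only these characters have structural meaning inside a value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def filter_is_balanced(f: str) -> bool:
    """Cheap client-side check before the filter is sent to the DC: it starts
    with '(', every '(' is closed, and there is no empty '()' pair.  Escaped
    parentheses arrive as \\28 / \\29, so literal ones are always structural."""
    depth, prev = 0, ""
    for c in f:
        if c == "(":
            depth += 1
        elif c == ")":
            if depth == 0 or prev == "(":
                return False
            depth -= 1
        prev = c
    return depth == 0 and f.startswith("(")


def and_clause(base: str, attribute: str, value: str) -> str:
    """AND an (attribute=value) clause onto an existing filter."""
    if not filter_is_balanced(base):
        raise ValueError(f"base filter is not well formed: {base!r}")
    clause = f"({attribute}={escape_filter_value(value)})"
    if base.startswith("(&"):
        return base[:-1] + clause + ")"      # extend the existing AND
    return f"(&{base}{clause})"              # wrap a single term in an AND


def member_of_filter(group_dn: str, base: str = DEFAULT_USER_FILTER) -> str:
    """Users that are direct members of group_dn; commas and '=' in the DN
    are ordinary characters inside a filter value and need no escaping."""
    return and_clause(base, "memberOf", group_dn)
```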

PageSize

The PageSize property is the number of Active Directory objects to return in each query request. The default is 1000, but you can change this as needed. Consider the size of the OU you are connecting to, and whether the resulting number of requests will affect your domain controllers.

SchemaClassName

The SchemaClassName property specifies the object type to use when Data Sync creates new Active Directory objects. It is one of:

  • User
  • Contact
  • Group
  • Computer

OnCreateChangePasswordNextLogon

The OnCreateChangePasswordNextLogon property lets you require newly created users to change their password.

By default it is set to True: when a user account is created and a password is set, the flag is set in AD that requires the user to change their password at the next logon.

Performance Optimisation

If you have many users in your AD and you are matching on columns that need a lookup to resolve their values (e.g. manager email, id etc.), you may find that preview, compare and sync take longer than you hoped.

To improve performance, map the distinguishedName (DN) instead. This is faster because Data Sync does not need to perform a lookup within each user account to find the other values.