Configure Directory Synchronization
Directory Synchronization
To copy the objects and users of your directory service into the Directory service structure of the Console, synchronize the Console with the domain controllers of the directory service. If only the structure of your directory service has changed, synchronize the structure only; in that case only domains, OUs and folders are considered. Synchronization of domains or organizational units covers the objects (users, computers, groups) that physically exist in them. Synchronization of groups, on the other hand, applies only to the group membership; the member objects (users, computers, groups) themselves do not physically exist locally.
Connection settings
Synchronization requires the account information of the domain controller/server of the directory service. You can define or change these settings here. If no user is specified, synchronization is performed under the system account. The account used must have at least read permission on the directory.
- Go to Administration | Synchronization | Directory service settings.
- Next to User authentication, select how EgoSecure Agents identify users from your directory services: by Windows SID or by Novell GUID. The most common choice is Windows authentication.
Novell authentication must be used only when the Novell Client is installed on all computers on which EgoSecure Agents run.
- In the Domain controllers area, click Add on the toolbar and select a directory service type from the drop-down menu:
  - Active Directory (by default, the AD connection type does not use the LDAP protocol; if you access your AD via LDAP, select LDAP instead of AD).
  - Azure AD
  - LDAP (any directory service that works via the Lightweight Directory Access Protocol).
  - Novell eDirectory.
- Define the name of the domain controller or of the NDS/LDAP server. For details about filling in the fields for Azure AD, please refer to Setting up Azure Active Directory and getting credentials.
- Enter the account information of the directory service user.
- Select where to start the directory service synchronization:
  - For Active Directory, enter the organizational unit in the Start OU field.
  - For NDS/LDAP directory services, specify the server context in the Context field.
- Click Check.
- Once the connection is tested successfully, click OK to confirm and close the dialog.
- Click Save to save the changes.
- Click Synchronize to perform the synchronization of the selected domain controller with the settings defined under Administration | Synchronization | Synchronization.
Synchronization Setup
You can select the scope of synchronization, define which products to enable automatically for new users, computers, or groups of the directory service, and specify how to deal with deleted users. For details, please refer to Activating products.
Synchronization settings
| Option | Description |
|---|---|
| Synchronize directory structure only | Synchronizes only the directory service structure. For details, see Setting up synchronization of the structure. |
| Synchronize only active users/computers | Synchronizes only active users and computers of the directory service. Users or computers for which the disable account action has been performed are not synchronized. |
| Synchronize only changes in AD for the last [number] days | Synchronizes only the directory service changes of the specified time period. Enter the number of days. Deleted directory service objects are not taken into account by this option; to detect objects deleted from AD/NDS, a full synchronization is required. |
| Delete objects that were removed from the Directory after [number] days | Removes deleted directory service objects from the Console after the specified number of days (Administration \| AD Synchronization \| Deleted objects). This option is available only if the option Synchronize only changes in AD for the last [number] days is disabled. |
| Detailed log file of the synchronization | Records all synchronization events in a separate synchronization log file. One log file is created per day under C:\ProgramData\EgoSecure\EgoSecureServer\LOG. |
Automatic product activation settings
Automatic product activation activates and deactivates products for users and computers shortly after each synchronization, according to the defined settings. The following settings are available:
| Option | Description |
|---|---|
| Activate products for new users/computers | Activates the selected products for new users/computers: only products that are both selected in the list and already activated for the group are activated. A group must be synchronized with the server before new users/computers are added to it; otherwise, users/computers in this group are not considered new. The option is available only if the options Synchronize directory structure only and Match product activation with the activated products of the group are not enabled. |
| Deactivate products for inactive users/computers | Deactivates products for inactive users/computers. Inactive users/computers are directory service objects for which the disable account operation has been performed. The option is available only if the options Synchronize only active users/computers and Synchronize directory structure only are not checked. |
| Match product activation with the activated products of the group | Automatically activates only the products that are already enabled for a group. Products are activated for both new and existing users/computers. Groups are EgoSecure groups created in the domain, which can contain only AD users/computers, and EgoSecure groups created in the Own directory, which can contain only local users/computers. Products previously enabled for a user/computer become disabled if they are not enabled for the group. The option is available only if the options Synchronize directory structure only and Activate products for new users/computers are not enabled. |
Setting up a full synchronization of the directory service
- Go to Administration | Synchronization | Synchronization.
- Specify the synchronization settings.
- To exclude certain objects from the synchronization:
  - Select the directory element in the Directory service structure section.
  - Click Add.
  - The excluded objects appear in the Objects to exclude from synchronization area.
Defining the objects to exclude before every synchronization can be inconvenient. Instead, use an Active Directory attribute: to exclude certain directory objects from all synchronizations, add the esSyncIgnored attribute with the value 0 to those objects directly in Active Directory.
- In the Directory service structure section, select a directory object in the tree, from which to start the synchronization. Select All domains to synchronize all domain controllers of a user authentication type specified under Administration | Synchronization | Directory service settings.
- Click Save.
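The following PowerShell script is an added example, not part of the EgoSecure documentation. It sets the esSyncIgnored attribute described above on directory objects and lists the objects already excluded in a subtree, so the exclusion list can be reviewed (an excluded endpoint never receives products through synchronization, which is easy to overlook). It assumes the ActiveDirectory module is installed, that the esSyncIgnored attribute exists in the forest schema, and that the caller may write to the target objects; the function names and the distinguished names are constructed placeholders.

```powershell
# Added example (not from the EgoSecure documentation).
# Assumptions: RSAT ActiveDirectory module available, esSyncIgnored present
# in the schema, write access to the target objects.
Import-Module ActiveDirectory

# Mark objects so that every synchronization skips them (esSyncIgnored = 0),
# or remove the mark again with -Clear. Re-running the script is harmless.
function Set-EgoSecureSyncIgnored {
    param(
        [Parameter(Mandatory)][string[]]$DistinguishedName,
        [switch]$Clear
    )
    foreach ($dn in $DistinguishedName) {
        $obj = Get-ADObject -Identity $dn -Properties esSyncIgnored -ErrorAction Stop
        if ($Clear) {
            if ($null -ne $obj.esSyncIgnored) {
                Set-ADObject -Identity $obj -Clear esSyncIgnored
            }
        }
        elseif ($obj.esSyncIgnored -ne 0) {
            # -Replace sets the value whether or not the attribute is already
            # populated; -Add would fail on an attribute that is already set.
            Set-ADObject -Identity $obj -Replace @{ esSyncIgnored = 0 }
        }
    }
}

# List every object in a subtree that is currently excluded from
# synchronization, for periodic review of the exclusion list.
function Get-EgoSecureSyncIgnored {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(esSyncIgnored=0)' `
        -Properties esSyncIgnored |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Usage with constructed placeholder names:
# Set-EgoSecureSyncIgnored -DistinguishedName 'CN=svc-backup,OU=Service Accounts,DC=example,DC=com'
# Get-EgoSecureSyncIgnored -SearchBase 'DC=example,DC=com'
```

The review function returns only objects that carry the exact value 0, which is the value the Console checks; objects with the attribute set to any other value are not excluded.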
Setting up synchronization of the structure (Domains, OUs and folders) of the directory service
- Go to Administration | Synchronization | Synchronization.
- Enable the Synchronize directory structure only check box.
  - The other check boxes become disabled and the Include groups check box appears.
- To synchronize directory service groups, enable the Include groups check box.
- Specify the synchronization settings.
- To exclude certain objects from the synchronization:
  - Click Add.
  - Select the directory objects and click OK.
  - The excluded objects appear in the Objects to exclude from synchronization area.
- Click Save.
Performing synchronizations
You can perform synchronization manually or use a scheduler to perform synchronization automatically.
Performing synchronization manually
- Go to Administration | AD(NDS/LDAP) Synchronization | Synchronization.
- In the Directory service structure area, select a directory object in the tree from which to start the synchronization.
- Select All domains to synchronize all domain controllers of a user authentication type specified under Administration | Synchronization | Directory service settings.
- Edit the settings. For details, see Setting up synchronization.
- Click Start.
The synchronization starts and the Directory service structure of the Console is updated.
Performing synchronization at a specific time
- Go to Administration | Synchronization | Schedule.
- In the Directory service structure area, select a directory object from which to start the synchronization. Select All domains to synchronize all domain controllers of a user authentication type specified under Administration | Synchronization | Directory service settings.
- In the Server drop-down, select an EgoSecure Server for performing a scheduled synchronization (applies for all tasks in the list).
- Click +Add in the work area.
- Define the name and time or period for the synchronization.
- Edit the settings. For details, see Setting up synchronization.
- Click Save.
The synchronization is performed at the specified time or period.