Active Directory Synchronisation


Table of Contents

Overview
Important Notes
Installation & Configuration
Configuration & Field Mappings
Attribute Mappings
Adding New Mappings
Changing Existing Mappings
Removing Mappings
Synchronisation Processing

Overview

Active Directory (AD) functionality previously available in SelectHR was a simple read only facility to enable bulk creation of self-service SelectHR accounts by querying AD data, and mapping email addresses and other details to HR data to provide a positive link between an AD user and an HR employee record.

It is now possible to maintain AD account information as part of a scheduled SelectHR process. Windows user accounts can be created (if desired) and maintained as part of the nightly employee snapshot process.

SelectHR comes with a number of pre-configured mappings between HR data and AD data or attributes. Additional mappings can be added from any field available in the employee snapshot table to any compatible AD attribute. Individual field mappings can be enabled or disabled, giving the flexibility to update any number of AD attributes.

This functionality is available in the Web Edition administrator tool.

Important Notes

Only employees linked to a Web Edition user that has a Windows user name will be updated.

Creating AD accounts is a time-intensive process. If this option is enabled and there are many pending HR employees it may be necessary to create them in batches by modifying the SelectHR.ZZSystemEmployee.[Snapshot With User] view to provide a filtered set of snapshot records. After initial population, provided large numbers of employees are not added to SelectHR at once, this option may be left on without a noticeable impact on performance.

Employee changes are only sent to AD if the Pending Changes flag is set in the staging table SelectHR.ZZSystemEmployee.[LDAP Sync Employees]. Once changes have been sent across this flag is cleared until a mapped, enabled attribute changes. If it becomes necessary to force an update (for example, changes have been made directly in AD that need to be overwritten) this can be achieved by setting this flag or deleting the employee's record from the table.

Installation & Configuration

Configuration & Field Mappings

The AD synchronisation configuration options and mappings are found with the other HR system parameters, under the Configuration Options section in the SelectHR Administrator:

Then double-click the HR configuration item in the list to open the HR options dialog.

At the bottom of the HR configuration form there is an Active Directory Synchronisation section which should be populated with the parameters to enable AD synchronisation. An example set of parameters is displayed below:

All boxes on this screen have tool tips for help and hints.

Enabled Mappings
Displays the number of attribute mappings currently enabled. If this is zero, no updates will take place.

HR to AD Synchronisation Enabled
Check this option to enable the synchronisation. If this is unchecked no updates will take place even if there is a scheduled job and enabled mappings.

LDAP Domain
The name of the AD domain containing the user accounts.

Add To Paths
The Add To Paths link splits the domain name into its DC components and appends that part to the LDAP paths lower in the screen. If the AD path cannot be generated from the domain name (they do not necessarily have the same components) it can be manually appended to the LDAP Search Path and LDAP Path For New Users (see below).

LDAP User Name
The Windows administrator account name with sufficient permissions to update all mapped attributes in the AD and, if necessary, create and enable users.

LDAP Password
The password for the specified administrator account. This password is held encrypted.

LDAP Search Path
The path to the AD organisational unit (OU) or container holding existing users to update. The LDAP search path should be in a format which specifies the lowest level user container first and works back up the AD tree to the root DC. In the example above, all users can be found within the Offices OU. This path should be suffixed with the domain components of the specified domain (see Add To Paths).

Create New Users
If a user account cannot be found for the Windows user name of the employee and this option is checked, a new Windows account will be created with the employee's details.

Enable New Users
Indicates whether newly created user accounts will be enabled or require enabling manually.

LDAP Path For New Users
The path to the AD OU or container for creating new users. This is only required if the Create New Users option is checked. In the example above, new users will be created within the Offices\Unassigned\Users OU, and so is specified from the lowest level up. The DC components of the path are added at the end. This path should be suffixed with the domain components of the specified domain (see Add To Paths). The user specified must have permission to create users in this path. Path format rules are the same as for the search path above.
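The path rules above (lowest-level container first, DC components of the domain appended last) can be checked with the following added example, which is not part of SelectHR or of the original guide. The function names and the domain corp.example.com are assumptions made for illustration; values are escaped per RFC 4514 so that an OU name containing a comma or similar character cannot alter the path in which accounts are searched for or created.

```python
# Added example: builds LDAP paths in the format the guide describes.
# Function names and sample values are constructed, not taken from SelectHR.

_DN_SPECIAL = set(',+"\\<>;=')

def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value following RFC 4514."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)

def domain_to_dc(domain: str) -> str:
    """Split a DNS domain name into DC components (the part 'Add To Paths' appends)."""
    labels = domain.strip().strip(".").split(".")
    if not all(labels):
        raise ValueError(f"invalid domain name: {domain!r}")
    return ",".join("DC=" + escape_rdn_value(label) for label in labels)

def ou_path_to_dn(ou_path: str, domain: str) -> str:
    r"""Convert a top-down OU path such as Offices\Unassigned\Users into a
    distinguished name: lowest-level OU first, DC components at the end."""
    ous = [part for part in ou_path.split("\\") if part]
    if not ous:
        raise ValueError("OU path is empty")
    rdns = ["OU=" + escape_rdn_value(ou) for ou in reversed(ous)]
    return ",".join(rdns) + "," + domain_to_dc(domain)

if __name__ == "__main__":
    # Constructed sample values mirroring the OUs named in the guide.
    print(ou_path_to_dn("Offices", "corp.example.com"))
    print(ou_path_to_dn(r"Offices\Unassigned\Users", "corp.example.com"))
```

As the guide notes, the AD path does not always share its components with the domain name, so the generated DC suffix should be compared with the directory before it is saved.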

Test User
The Windows account name of a user to allow validation of attribute mappings. This account should be created specifically for test purposes and enables mappings to be validated when they are amended. This account must exist within the search path. If left blank, mappings will not be tested and updates may fail. If a single attribute fails the user will not be saved so it is recommended to validate mappings.

NOTE: This should not be a live user account as arbitrary values are written to the user's attributes when validating mappings.

Attribute Mappings

The Edit Mappings link opens the attribute mapping form where individual field mappings can be created, edited, removed and enabled or disabled.

This shares settings with the HR configuration options screen. Therefore any changes to domain, paths or user credentials on the HR configuration screen are used when validating mappings in this screen. Mapping validation can only occur when there is a valid domain name, user name, password, search path and test user account entered. Validation can be disabled by clearing the test user name on the parameters form.

To enable mappings check the box next to the item in the list. Uncheck items to prevent updates to specific attributes.

There is an option to Restore default mappings if mappings have been broken or removed. This adds any missing mappings from the list shown above and if the option is checked it will also overwrite the snapshot column and data type. Uncheck this option to keep any mappings that have been edited. To restore specific attributes, uncheck the overwrite option and delete the attributes to be restored. They will be restored to their original values without affecting any edited mappings. Additional custom mappings will not be removed.

Adding New Mappings

The Add mapping link opens the attribute dialog and requires an AD attribute name to be entered along with its data type and whether it can hold multiple values. This information must all be provided manually so access to the AD schema is required. Browser tools, such as ADSI Edit, allow access to the attribute definitions within AD. The attribute name, type and whether it is single or multi-valued must match the attribute definition in AD.

The snapshot column name can be any type-compatible column in the employee snapshot view. The view ([SelectHR].[ZZSystemEmployee].[Snapshot With User]) contains all employee snapshot columns plus user details and Windows user name from the associated system user (if any) and is specifically for this purpose. The list of column names is read directly from the view so this can be edited to include any related data not already in the snapshot.

New mappings are created disabled and should be enabled in the list.

NOTE: If a new mapping is created with the same attribute name as an existing mapping, it will overwrite the existing mapping.

Changing Existing Mappings

The Change mapping link opens the same dialog but with the attribute name read-only. Changes can be made to the attribute type and whether it holds multiple values if these are incorrect. The attribute can be mapped to any compatible column in the snapshot view.

NOTE: If there are any errors in validating the mapping it will be disabled. This includes entering an invalid test user. Invalid mappings can be enabled but will fail during updates if the AD attributes do not match their settings.

Removing Mappings

The Remove mapping link deletes all selected mappings. This should be used where AD attributes have been removed or will never be used. Otherwise it is recommended to disable any mappings that are not being used so their settings are not lost.

Default mappings for common attributes can be restored using the Restore default mappings link if they are deleted in error.

Synchronisation Processing

A pre-configured batch job (SYSTEM Update Active Directory) schedules a workflow of the same name to perform the AD synchronisation. This should be scheduled to run after the employee snapshot batch job as the AD synchronisation relies on up-to-date snapshot data.

Alternatively, the AD synchronisation method can be configured into the SYSTEM - Update Employee Snapshot workflow to ensure changes are propagated as quickly as possible and to ensure the jobs do not clash.