Active Directory Sync: User Guide
- Ian MacRae
- Chris Savage
- James Overell
- Steve Lynch (Deactivated)
v70.16+ upgrade will require updated files as attached
These will need to be added to the domain controller under C:\SynergeticADSync
Please contact Professional Services for assistance
The Active Directory Sync tool is used to perform a one way Synergetic to AD synchronisation of active staff, students, and community members. Synergetic becomes the "Source of Truth" for the managed users and groups. All changes made to the managed objects will be overwritten during the next synchronisation process.
The synchronisation key between Active Directory and Synergetic is the Synergetic NetworkLogin field and Active Directory sAMAccountName
If the NetworkLogin field has not been completed, the name portion of the occupation email address is used.
If both the NetworkLogin and the email address are missing an error is generated.
Current version
The current version is 19.05.09.01
Features
- Option to globally enable or disable synchronisation
- Report is sent to administrator each synchronisation detailing
- Newly created users (including their password)
- Modified users
- Modified groups
- Errors
- Three separate sync options
- Staff
- Student
- Community
- Optionally create on premise Exchange email mailbox on new account creation
- Optionally create Home Drive directory and network share on new account creation
- Optionally set password to be changed on first logon for new accounts
- Up to six separate Organisation Units per sync that can be managed
- Run a "What If" test where only the report is produced, but no actual changes are made
- Run a sync only on nominated users
Setup
Configuration Maintenance
All global active directory synchronisation settings are set in Systems | Configuration Maintenance in the keys System | ADSync
| Key3 | Key4 | Purpose |
|---|---|---|
| Enabled | Flag to determine if AD Sync is active. If true then AD sync will run on next schedule. | |
| DisabledCommunityOUDN* | Distinguished name (DN) for the disabled community users in Active Directory. | |
| DisabledStaffOUDN | Distinguished name (DN) for the disabled staff users in Active Directory. | |
| DisabledStudentOUDN | Distinguished name (DN) for the disabled student users in Active Directory. | |
| NewPasswordMinLength | The minimum password length of new passwords. | |
| NotificationEmailAddress | The email address to receive notifications about synchronisation activities. | |
| CommunitySearchBase | DN1* | Distinguished name (DN) for the first searchbase for the community users in Active Directory. |
| CommunitySearchBase | DN2* | Distinguished name (DN) for the optional second searchbase for the community users in Active Directory. |
| CommunitySearchBase | DN3* | Distinguished name (DN) for the optional third searchbase for the community users in Active Directory. |
| CommunitySearchBase | DN4* | Distinguished name (DN) for the optional fourth searchbase for the community users in Active Directory. |
| CommunitySearchBase | DN5* | Distinguished name (DN) for the optional fifth searchbase for the community users in Active Directory. |
| CommunitySearchBase | DN6* | Distinguished name (DN) for the optional sixth searchbase for the community users in Active Directory. |
| CommunityLiveTest | Enabled | Enable the live test option for the community sync. |
| CommunityLiveTest | NetworkLoginNames | A comma separated list of NetworkLogins to be tested. At least one required. |
| CommunityUsePreferredNameInGivenNameAttribute | Use the community preferred name field in the given name attribute as opposed to the given name field. | |
| SenderEmailAddress | The email address of the syncronisation service. | |
| ForcePasswordChangeOnNextLogon | Community | Force password change on next logon for all new community accounts |
| ForcePasswordChangeOnNextLogon | Staff | |
| ForcePasswordChangeOnNextLogon | Students | |
| StaffSearchBase | DN1 | Distinguished name (DN) for the first searchbase for the staff users in Active Directory. |
| StaffSearchBase | DN2 | Distinguished name (DN) for the optional second searchbase for the staff users in Active Directory. |
| StaffSearchBase | DN3 | Distinguished name (DN) for the optional third searchbase for the staff users in Active Directory. |
| StaffSearchBase | DN4 | Distinguished name (DN) for the optional fourth searchbase for the staff users in Active Directory. |
| StaffSearchBase | DN5 | Distinguished name (DN) for the optional fifth searchbase for the staff users in Active Directory. |
| StaffSearchBase | DN6 | Distinguished name (DN) for the optional third searchbase for the staff users in Active Directory. |
| StaffHomeDirectory | DriveLetter | Home directory drive letter for new staff users in Active Directory. |
| StaffHomeDirectory | BaseFolder | Home directory drive base for the staff users in Active Directory. |
| StaffHomeDirectory | CreateNetworkShare | Create a network share for the home directory. |
| StaffHomeDirectory | CreateHiddenNetworkShare | Create the network share as a hidden share. |
| StaffHomeDirectory | NetworkShareServerName | The server name for the network share, e.g. \\server |
| StaffHomeDirectory | ServerName | The server name for the Staff Home Directory. If the server is remote, then Remote Powershell must be enabled (WinRM QuickStart). |
| StaffLiveTest | Enabled | Enable the live test option for the staff sync. |
| StaffLiveTest | NetworkLoginNames | A comma separated list of NetworkLogins to be tested. At least one required. |
| StaffLogonScript | Logon script for the new staff users in Active Directory. Granular logon scripts can be specified in uluADStaffLogonScript. | |
| StaffSyncPostalAddress | Synchronise the staff postal address fields to the address attributes in Active Directory | |
| StaffUsePreferredNameInGivenNameAttribute | Use the staff preferred name field in the given name attribute as opposed to the given name field. | |
| StudentSearchBase | DN1 | Distinguished name (DN) for the first searchbase for the student users in Active Directory. |
| StudentSearchBase | DN2 | Distinguished name (DN) for the optional second searchbase for the student users in Active Directory. |
| StudentSearchBase | DN3 | Distinguished name (DN) for the optional third searchbase for the student users in Active Directory. |
| StudentSearchBase | DN4 | Distinguished name (DN) for the optional fourth searchbase for the student users in Active Directory. |
| StudentSearchBase | DN6 | Distinguished name (DN) for the optional fifth searchbase for the student users in Active Directory. |
| StudentSearchBase | DN6 | Distinguished name (DN) for the optional sixth searchbase for the student users in Active Directory. |
| StudentHomeDirectory | DriveLetter | Home directory drive letter for new student users in Active Directory. |
| StudentHomeDirectory | BaseFolder | Home directory drive base for the student users in Active Directory. |
| StudentHomeDirectory | CreateNetworkShare | Create a network share for the home directory. |
| StudentHomeDirectory | CreateHiddenNetworkShare | Create the network share as a hidden share. |
| StudentHomeDirectory | NetworkShareServerName | The server name for the network share, e.g. \\server |
| StudentHomeDirectory | ServerName | The server name for the Student Home Directory. If the server is remote, then Remote Powershell must be enabled (WinRM QuickStart). |
| StudentLiveTest | Enabled | Enable the live test option for the student sync. |
| StudentLiveTest | NetworkLoginNames | A comma separated list of NetworkLogins to be tested. At least one required. |
| StudentLogonScript | Logon script for the new student users in Active Directory. | |
| StudentUsePreferredNameInGivenNameAttribute | Use the student preferred name field in the given name attribute as opposed to the given name field. | |
| DefaultUPNSuffix | The default domain UPN suffix to be added to all usernames. Must include the '@' symbol. | |
| Exchange | Server | The On Premise Exchange Server. |
| Exchange | EnableMailOnNewAccounts+ | Enable exchange mail on new accounts. For use in environments that use Microsoft Exchange email. |
| Exchange | EnableMailOnNewCommunityAccounts+ | Enable exchange mail on new community accounts. For use in environments that use Microsoft Exchange email. |
| ExchangeVersion+ | Version of Microsoft Exchange installed.
| |
| Exchange | CommunityDatabase | The On Premise Exchange Database for the Community Exchange mailbox creation. |
| Exchange | StaffDatabase | The On Premise Exchange Database for the Staff Exchange mailbox creation. Granular databases can be specified in uluADStaffExchange. |
| Exchange | StudentDatabase | The On Premise Exchange Database for the Student Exchange mailbox creation. Granular databases can be specified in uluADStudentExchange. |
| UpdateSynergeticEmail | Update Synergetic Occupation email of newly created Active Directory accounts |
* Community options require additional on site configuration
+ Exchange actions require appropriate roles on Exchange server
The synchronisation process sends a completion email and uses email settings from Synergetic.
| Key1 | Key2 | Key3 | Key4 |
|---|---|---|---|
| System | Server | Name | |
| System | Server | Port |
Lookup tables
There are six sets of lookup tables for each of of the staff and students sync options and one for community that determine how members will be synchronised
- Category (uluADCommunityCategory, uluADStaffCategory and uluADStudentCategory)
- Group (uluADStaffGroup and uluADStudentGroup)
- Default UPN Override (uluADCommunityUPN, uluADStaffUPN, uluADStudentUPN)
- Default Exchange Mailbox Override (uluADStaffExchange, uluADStudentExchange)
- Default AD Home Directory Override (uluADStaffDirectory, uluADStudentDirectory)
- Default ad Logon script override (uluADStaffLogonScript, uluADStudentLogonScript
For Community, there is only the category option (uluCommunityCategory)
Category
The category lookup tables determine the Organisational Unit location in Active Directory of new accounts. New accounts can be based on one (and only one) field option;
For staff the field options are:
- Category
- Department
- Staff campus
- Form
- House
For students the field options are:
- Boarder
- Campus
- Form
- House
- Peer Year
- Tutor
- Year level
For community, there is only one option
- (Not selected) - The default option
There must be a default (blank value) option where users not matching any rules will fall into. This may be a generic Organisational Unit in Active Directory.
Group
The group lookup tables map fields to groups. Multiple mappings are permitted (with field and value combination being unique).
Group membership of groups nominated in the Group Distinguished name will be purged prior to synchronisation.
A global group option is available for an all staff or all student group
This will synchronise all active members to the nominated group
Default UPN Override
The UPN override tables allow for individual category override of the default UPN. If the table remains blank the default UPN from the System Configuration is used.
All UPN values must start with the '@' symbol.
Default Exchange Database Override
The default exchange database override allows for individual category override of the Exchange database specified in the System Configuration. If the table remains blank, the default value from the System Configuration is used.
Default AD Home Directory Override
The default AD home directory override allows for individual category override of the Active Directory Home directory created on new account creation as specified in System Configuration. If the table remains blank, the default value from the System Configuration is used.
Default AD Logon Script Override
The default AD logon script override allows for individual category override of the Active Directory logon script set on new account creation as specified in System Configuration. If the table remains blank, the default value from the System Configuration is used.
Synchronisation executables
Prerequisites
- Windows PowerShell v5
- Windows Powershell extensions for SQL Server
- Windows Powershell extensions for Active Directory
- Exchange Powershell snap-in (For exchange mailbox creation only)
- Run as administrator
- Email server set up to allow logged on user to send email or accept anonymous email from the current machine
There is an executable for each type of synchronisation
- StaffSync.exe
- StudentSync.exe
- CommunitySync.exe
They each have the same input parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| SQLServer | String | Yes | The name and instance of the sql server |
| Database | String | Yes | The name of the database to use |
| UseWindowsAuthentication | Boolean | Yes | Use windows authentication ($true) or SQL authentication ($false). |
| SQLUser | String | Dependent | The username of the SQL user. Optional but required if using SQL authentication |
| SQLPassword | String | Dependent | The password of the SQL user. Optional but required if using SQL authentication |
| WhatIf | Switch | No | When present runs in WhatIf mode. No actual changes are made to active directory |
Example 1
Connects to the primary instance of the SQL server using SQL authentication without making any changes to Active Directory.
StaffSync.exe -SQLServer 'DBServer' -Database 'SynergyOne' -UseWindowsAuthentication:$false -SQLUser 'sa' -SQLPassword 'password' -WhatIf
Example 2
Connects to the instance named "Instance" on the database server using Windows authentication.
StaffSync.exe -SQLServer 'DBServer\Instance' -Database 'Synergetic_AUVIC_CDA_PRD' -UseWindowsAuthentication:$true
Syncronisation
The Synergetic fields are synchronised (via views) to the Active Directory attributes as listed below. These views are user customisable. Alternate fields can be mapped within the views as long as the field name remain consistent
Staff sync
View: uvStaffSync
| Synergetic Field | Active Directory Attribute |
|---|---|
| StaffID | EmployeeID |
| StaffTitle | Not used |
| StaffPreferred | Part of display name |
| StaffGiven1 | GivenName |
| StaffGiven2 | Not used |
| StaffSurname | sn / Surname / Part of display name |
| StaffPreferred <space> StaffSurname | DisplayName |
| StaffDepartment | Department |
| StaffOccupEmail | mail / EmailAddress |
| StaffOccupCompany | Company |
| StaffRoom | Office / PhysicalDeliveryOfficeName |
| Webpage | Not used |
| NetworkLogin | SamAccountName |
| OccupPhone | telephoneNumber |
| OccupMobilePhone | mobile |
| OccupFax | fax / facsimileTelephoneNumber |
| StaffJobPositionExistsFlag | Used to determine if the job position is defined |
| JobPositionDescription | Description title |
| OU | Account location |
| UPNOverride | SamAccountName |
| ExchangeDatabaseOverride | Exchange account creation |
| HomeDirectoryOverride | Home Directory Creation |
Student Sync
View: uvStudentSync
| Synergetic field | Active Directory Attribute |
|---|---|
| StudentID | EmployeeID |
| StudentTitle | Not used |
| StudentPreferred | Part of display name |
| StudentGiven1 | GivenName |
| StudentGiven2 | Not Used |
| StudentSurname | sn / Surname / Part of display name |
| StudentPreferred <space> StudentSurname | Displayname |
| StudentEmail | mail / EmailAddress |
| StudentForm | Part of description |
| StudentTutor | Part of description |
| StudentHouse | Part of description |
| StudentYearLevel | Part of description |
| StudentCampus | Part of description |
Concatenated field e.g. Year xx Student - Campus AA - Tutor BBB - Form CCC - House DDD | Description |
| StudentEntryDate | Not used but part of peer year calculations |
| YearsUntilGraduation | Not used but part of peer year calculations |
| StudentPeerYear | Not used but part of peer year calculations |
| NetworkLogin | SamAccountName |
| OU | Account location |
| UPNOverride | SamAccountName |
| ExchangeDatabaseOverride | Exchange account creation |
| HomeDirectoryOverride | Home Directory Creation |
Community Sync
View: uvCommunitySync
| Synergetic field | Active Directory Attribute |
|---|---|
| ContactGiven1<space>ContactSurname<space>(ContactID) | cn |
| ContactID | EmployeeID |
| ContactTitle | Not Used |
| ContactPreferred | Part of display name |
| ContactGiven1 | GivenName |
| ContactGiven2 | Not Used |
| ContactSurname | sn/ Surname / Part of display name |
| ContactPreferred <space> ContactSurname | Displayname |
| NetworkLogin | SamAccountName |
| DefaultEmail | mail / EmailAddress |
| Description | Description |
| OU | Account location |
| UPNOverride | SamAccountName |
* Community Sync can use ID number to avoid clashes