v8.01 (build: Jan 4 2020)

Sync with AD

Synchronization is the automatic upkeep of the staff and company data stored in the software suite configuration, so that it stays complete and current. It is designed so that administrators do not have to do double work: changes made in Active Directory do not need to be repeated in the suite configuration. Examples: an employee leaves or a new one is added, the company structure changes, a manager gets more subordinates, etc.
The administrator sets up automatic synchronization once; after that there is no need to visit the settings tabs "Database users", "Company structure" and "Dossier of employees". Everything is done automatically: data is received from Active Directory and written to the suite configuration database.

Important:
- Synchronization is only possible when Microsoft SQL Server is used (MySQL is not supported!).
- The administrator may configure synchronization, and run synchronization itself, from a computer whether or not it is joined to the company's domain.
- If there are several administrators in the company, each of them can work with these settings on his own computer.
- You can log into the Global Settings program under the DB administrator account or as a specially created user through the "Utilities" main menu item.
- A domain account with read permissions on Active Directory is required.
- If client installations need to be synchronized during synchronization, the machine used for synchronization must be joined to the domain, and the domain account must additionally have rights to copy files, write to the registry and start services on the remote machines within the domain.
- For remote access to the domain controller, you must open an LDAP port on it (usually TCP 389).


"Login" tab

If the Windows user running the Global Settings program does not have the rights in the domain needed for synchronization, you can specify the domain logon settings in this tab.


"Domains" tab

The company's domains that need to be synchronized are listed here.
Trust must be established between the domains.
Specifying the domain controller is optional (it is required only for remote access).
There may be a single software suite server for all domains, or different servers (when several servers are used).


"Objects" tab

Groups, OUs or single computers/users are specified in this tab for the following synchronization types:

1) Client installation synchronization - specify the groups/computers where the client app has to be installed. During synchronization the client app is installed on those computers where it is not yet installed. It is also possible to remove the client app automatically, although this is configured in the "Common settings" settings tab for the computer. The option for automatic client app update is also there.

2) Selective monitoring synchronization - specify the groups/users for which selective monitoring will be performed. The list of users on this page then does not need to be filled in manually; it is updated automatically during synchronization!

3) Managers' rights synchronization - groups/users are specified in one of the following roles.
Managers' roles:
"Supervisor" - reports about all company staff (all domains) are accessible to this director.
"Super user" - access only to reports about staff of the current domain.
"User" - rights are set manually. After synchronization, the departments or staff to be monitored by this manager must be chosen manually in the "Database users" settings tab.
"Manager" - access to reports about himself and his staff. What does this mean? If a person is set as "Manager" for some staff in AD, the directReports field appears for that manager and is used to set access rights. E.g. this manager can monitor only his subordinates and their subordinates (and so on recursively down the subordination hierarchy).
Role priorities: if one manager has several roles at the same time, priority follows the order listed above.
During synchronization the data in the "Database users" tab is filled in.
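The role priority and the recursive "Manager" scope described above can be modelled as follows. This is an added example, not the product's own code: the function names and the sample directory are constructed, and "current domain" for "Super user" is assumed to mean the user's own domain.

```python
# Added example; names and sample data are constructed, not from the product.
ROLE_PRIORITY = ["Supervisor", "Super user", "User", "Manager"]  # page order

# Constructed directory: short ids stand in for AD distinguished names.
DOMAIN_OF = {"ann": "corp", "bob": "corp", "cy": "corp", "dee": "corp", "eve": "lab"}
DIRECT_REPORTS = {
    "ann": ["bob", "cy"],
    "bob": ["dee"],
    "dee": ["bob"],  # constructed data error: a reporting loop
}

def effective_role(roles):
    """Highest-priority role among those assigned, or None."""
    return next((r for r in ROLE_PRIORITY if r in roles), None)

def subordinates(manager, direct_reports):
    """Everyone below `manager` via directReports, recursively; loop-safe."""
    seen, stack = set(), list(direct_reports.get(manager, []))
    while stack:
        person = stack.pop()
        if person == manager or person in seen:
            continue
        seen.add(person)
        stack.extend(direct_reports.get(person, []))
    return seen

def report_scope(user, roles, manual_scope=()):
    """Set of people whose reports `user` can read under the effective role."""
    role = effective_role(roles)
    if role == "Supervisor":   # all staff, all domains
        return set(DOMAIN_OF)
    if role == "Super user":   # assumption: "current domain" = user's own domain
        return {p for p, d in DOMAIN_OF.items() if d == DOMAIN_OF[user]}
    if role == "User":         # scope chosen manually in "Database users"
        return set(manual_scope)
    if role == "Manager":      # self plus the recursive directReports tree
        return {user} | subordinates(user, DIRECT_REPORTS)
    return set()

if __name__ == "__main__":
    for who, roles in [("ann", {"Manager"}), ("bob", {"Manager"}),
                       ("eve", {"Manager", "Super user"})]:
        print(who, effective_role(roles), sorted(report_scope(who, roles)))
```

Running a check like this over exported directReports data before synchronization shows which managers will gain access to which employees' reports, and whether the hierarchy contains loops.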

Attention! Do not use the standard groups "Domain computers" and "Domain users"! Specify the domain itself in the same format (DC=...,DC=...) instead.


"Profiles" tab

Same as the "Objects" tab, but here groups, OUs or single computers/users are specified only to link them with clients' profile settings. See the "Groups" section in the suite settings.
This tab is used for synchronization with Active Directory, instead of filling in the "Groups" section in the suite settings manually.


"Departments" tab

In big companies it is sometimes required to synchronize only with chosen departments/subdivisions in AD and not with its full hierarchy. In that case, choose the needed AD departments in this tab (a chosen department automatically includes all departments of the lower levels!). If this list is empty, synchronization is performed for the complete hierarchy of the domain(s).


"Client machines" tab

Here you can see the list of workstations where the client app is already installed and those where it has to be installed.
There is an option to select workstations and install the client app manually.
Remote installation is performed in this way.


"Settings" tab

Synchronization parameters are set up here:
"Ignore disabled accounts" - if a computer account or AD user is disabled, synchronization is not performed for it.
"Ping machines before client setup" - recommended to make installation faster (if computers are turned off).
"Company title" - used as the top level of the hierarchy during hierarchy synchronization.
"Dossiers sync options" - specify the AD field names for profile synchronization.
"Log cleanup settings" - log cleanup is also performed during the synchronization process.


"Sync" tab

Synchronization may be performed manually (a new console process will be created), or a task can be added to the Windows job scheduler for automatic synchronization on a schedule.
Important: the scheduled task must run under the current Windows user's account!


"Log" tab

Here you can view the results of automatic and manual synchronization and trace changes to the settings.


After successful synchronization, the following parameters, which are not subject to synchronization, can still be changed manually:
- in the "Database users" tab: all users with SQL logins (not Windows logins).
- in the "Database users" tab: "Basic rights" for users with Windows logins.
- in the "Database users" tab: "Additional restrictions" for users with Windows logins in the role "User".
- in the "Dossier of employees" tab: all user profiles that are not included in the domain(s).
- in the "Dossier of employees" tab: the "Profile" parameter.


How to set up automatic report sending to managers/employees

After successful synchronization, managers' rights for automatic report sending can be set up (tab "Database users") if required.
These managers then have to log into their "Personal cabinet" at least once (via the BOSS web interface) and enable the reports auto-generator there.
For staff to receive e-mail reports about their own activities, an e-mail address must be specified in their AD personal card. The corresponding setting must also be enabled in their manager's rights (it is preferable to enable this permission for a manager from an upper level of the subordination hierarchy rather than for many lower-level managers).
The report generator options must be set up in the server settings ("Reports generator" section).

© Mirobase