v9.80 (build: Jul 4 2023)

Sync with AD

Synchronization means automatically keeping the staff and company data stored in the software suite configuration up to date. It is designed so that administrators do not have to do the same work twice: data that is maintained in Active Directory no longer needs to be changed in the suite configuration as well. Examples: an employee leaves or a new one is hired, the company structure changes, a manager gets more subordinates, etc.
The administrator sets up automatic synchronization once; after that there is no need to visit the settings tabs "Database users", "Company structure" and "Dossier of employees". Once synchronization is configured, everything is done automatically (data is read from Active Directory and written into the suite configuration database).

Important:
- Synchronization is only possible when using Microsoft SQL Server (no additional settings needed) or PostgreSQL (advanced settings are needed to synchronize rights).
- The administrator can configure and run synchronization from a computer that is either joined to the company's domain or not.
- If there are several administrators in the company, each of them can work with these settings on his own computer.
- The Global Settings program can be logged into with the DB administrator account or with a specially created user via the "Utilities" main menu item.
- A domain account with read permissions on Active Directory is required.
- If client installations are to be synchronized as well, the machine used for synchronization must be joined to the domain, and the domain account must additionally have rights to copy files, write to the registry and start services on remote machines within the domain.
- For remote access to the domain controller, its LDAP port must be open (usually TCP 636 for secure LDAPS, or 389 for an unencrypted connection).
- During the synchronization of the company hierarchy, all manual changes made earlier in this section will be deleted!
- During the synchronization of access rights, all logins from AD (not SQL logins) previously added manually in this section will be deleted!
- During the synchronization of employee dossiers, all dossiers previously added manually in this section will be deleted!


"Login" tab

If the Windows user running the Global Settings program does not have the domain rights needed for synchronization, domain logon credentials can be specified in this tab.


"Domains" tab

The list of the company's domains to be synchronized is specified here.
Trust must be established between the domains.
Specifying the domain controller is not required (it is only needed for remote access).
There may be a single software suite server for all domains or different servers (when several servers are used).


"Objects" tab

Groups, OUs or single computers/users are specified in this tab for the following synchronization types:

1) Client installation synchronization - groups/computers on which the client app must be installed are specified. During synchronization the client app is installed on those computers where it is not yet installed. Automatic removal of the client app is also possible, although that is configured in the "Common settings" tab for the computer. Automatic update of the client app is set there as well.

2) Selective monitoring synchronization - groups/users for which selective monitoring is performed are specified. The list of users on that page then does not need to be filled in manually: it is updated automatically during synchronization!

3) Manager rights synchronization - groups/users are specified in one of the following roles.
Manager roles:
"Supervisor" - reports about all of the company's staff (all domains) are accessible to this manager.
"Super user" - access only to reports about staff of the current domain.
"User" - rights are set manually. After synchronization, the departments or staff to be monitored by this manager must be selected manually in the "Database users" tab.
"Manager" - access to reports about himself and his staff. What does this mean? If a "Manager" is set in AD for some employees, the directReports attribute is populated for that manager, and it is used to set access rights: this manager can monitor only his subordinates and their subordinates (and so on, recursively down the subordination hierarchy).
Sometimes it is convenient to synchronize the "Manager" role using reverse-search logic, i.e. not specifying particular managers but finding them across all domain users by analyzing a certain AD attribute (usually manager) of each employee (i.e. from the employee to his manager). In this case select the type "AD-attribute for "Manager" role" and specify the desired AD attribute (usually manager). If the AD structure allows an employee to have several managers, add each attribute as a separate object.
Role priorities: if one manager has several roles at the same time, the priorities follow the order listed above.
During synchronization the data in the "Database users" tab are filled in.
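As an added illustration (not Mirobase's own code), the following Python resolves the "Manager" role by the reverse-search logic described above from a constructed snapshot of AD user entries: the per-employee manager attribute is inverted into direct reports, the recursive set of subordinates is computed, and the role priorities are applied. The entry layout, the second attribute name assistantManager and the reading that the first-listed role has the highest priority are assumptions made here.

```python
from collections import defaultdict

# Constructed sample of AD user entries keyed by DN (not real directory data).
# 'manager' is the usual AD attribute; 'assistantManager' is an assumed second
# attribute, added as a separate object when an employee may have several managers.
ALICE = "CN=Alice,OU=Staff,DC=company,DC=local"
BOB = "CN=Bob,OU=Staff,DC=company,DC=local"
CAROL = "CN=Carol,OU=Staff,DC=company,DC=local"
DAVE = "CN=Dave,OU=Staff,DC=company,DC=local"
AD_USERS = {
    ALICE: {"manager": None, "disabled": False},
    BOB: {"manager": ALICE, "disabled": False},
    CAROL: {"manager": BOB, "disabled": False},
    DAVE: {"manager": BOB, "assistantManager": ALICE, "disabled": True},
}

# Assumed: roles listed first in the documentation take precedence.
ROLE_PRIORITY = ("Supervisor", "Super user", "User", "Manager")


def direct_reports(users, attrs=("manager",), ignore_disabled=True):
    """Invert the employee -> manager attribute(s) into manager -> [subordinates].

    Mirrors the "Ignore disabled accounts" setting: disabled employees are skipped.
    """
    reports = defaultdict(list)
    for dn, entry in users.items():
        if ignore_disabled and entry.get("disabled"):
            continue
        for attr in attrs:
            boss = entry.get(attr)
            if boss and dn not in reports[boss]:
                reports[boss].append(dn)
    return reports


def monitored_by(manager_dn, reports):
    """Everyone the 'Manager' role may see: subordinates, recursively."""
    seen, stack = set(), list(reports.get(manager_dn, []))
    while stack:
        dn = stack.pop()
        if dn in seen:  # protects against cycles in the manager attribute
            continue
        seen.add(dn)
        stack.extend(reports.get(dn, []))
    return seen


def effective_role(roles):
    """Highest-priority role when one account matched several role objects."""
    return next((r for r in ROLE_PRIORITY if r in roles), None)
```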

Attention! Do not use the standard groups "Domain computers" and "Domain users"! Specify the domain itself in the same format (DC=...,DC=...) instead.


"Profiles" tab

Same as the "Objects" tab, but only groups, OUs or single computers/users to be linked with client profile settings are specified here. See the "Groups" section in the suite settings.
This tab serves for synchronization with Active Directory instead of filling in the "Groups" section of the suite settings manually.
See also the "Delete before synchronization" option in the "Settings" tab!


"Departments" tab

In large companies it is sometimes required to synchronize only with selected departments/subdivisions in AD rather than with the full hierarchy. In that case select the needed AD departments in this tab (a selected department automatically includes all departments below it!). If this list is empty, synchronization covers the whole hierarchy of the domain(s).


"Client machines" tab

The list of workstations where the client app is already installed, and of those where it still has to be installed, is shown here.
Client apps can also be selected and installed manually.
Remote installation is performed in this way.


"Settings" tab

Synchronization parameters are set up here:
"Ignore disabled accounts" - if a computer account or AD user is disabled, it is skipped during synchronization.
"Ping machines before client setup" - recommended to speed up installation (when some computers are turned off).
"Ping timeout" - time in msec to wait for a response from client machines. If the log frequently shows error 11010 for machines that are turned on, it makes sense to increase this value.
"Company title" - used as the top level during hierarchy synchronization.
"Build groups-based hierarchy" - ignore the actual location of computers/users in the Active Directory hierarchy and instead build the hierarchy from the groups the computers/users belong to.
"Dossiers sync options" - specify AD attribute names for profile synchronization.
"Default base rights for roles (rights sync)" - optionally, basic rights can be assigned by default when synchronizing rights for a particular role. To do this, create a database user with an SQL login (not a Windows login!) in the "Database users" tab, set the basic rights you need, then select or enter its login in the account field for the desired role on this page. Note that these rights are assigned to a database user only when it is first created during synchronization, not on subsequent updates (if it already exists) in later synchronization cycles!
"Delete before synchronization" (for client settings profiles) - by default, before client settings profiles are synchronized, all user-profile and computer-profile mappings already stored in the database are deleted, and then synchronization adds them to the database again. In this scenario, mappings set manually for machines and users outside the domain (for example) are removed after every successful synchronization with the domain. To avoid this, specify comma-separated masks of the users/computers that should be removed before synchronization. For example, if only the mappings for users/computers of the domain named "COMPANY" should be updated during synchronization and the rest will be configured manually, enter the following in the configuration line: *.COMPANY,COMPANY\* (for computers the format is NAME.DOMAIN, for users DOMAIN\NAME).
"Log cleanup settings" - log cleanup is also performed during the synchronization process.
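As an added illustration (not Mirobase's own code), the following Python applies a "Delete before synchronization" mask line such as *.COMPANY,COMPANY\* to a constructed set of existing profile mappings, showing which ones are cleared before a sync and which manually set out-of-domain ones survive. Assumptions made here: masks use shell-style wildcards and match case-insensitively, as Windows names do, and an empty mask line means everything is deleted (the default behaviour).

```python
from fnmatch import fnmatchcase

# Constructed existing mappings (kind, name, profile): computers use the
# NAME.DOMAIN format, users use DOMAIN\NAME, as the documentation describes.
EXISTING_MAPPINGS = [
    ("computer", "ws01.COMPANY", "Office profile"),
    ("computer", "ws02.COMPANY", "Office profile"),
    ("computer", "laptop7.WORKGROUP", "Travel profile"),  # outside the domain, set by hand
    ("user", "COMPANY\\alice", "Office profile"),
    ("user", "PARTNER\\bob", "Contractor profile"),  # other domain, set by hand
]


def parse_masks(mask_line):
    """Split the comma-separated configuration line into individual masks."""
    return [m.strip() for m in mask_line.split(",") if m.strip()]


def matches_any(name, masks):
    """Case-insensitive wildcard match (assumed) of one mapping name against the masks."""
    return any(fnmatchcase(name.upper(), m.upper()) for m in masks)


def split_mappings(mappings, mask_line):
    """Return (to_delete, to_keep) for the mappings stored in the database.

    An empty mask line reproduces the default: every mapping is deleted.
    """
    masks = parse_masks(mask_line)
    if not masks:
        return list(mappings), []
    to_delete, to_keep = [], []
    for kind, name, profile in mappings:
        bucket = to_delete if matches_any(name, masks) else to_keep
        bucket.append((kind, name, profile))
    return to_delete, to_keep
```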


"Sync" tab

Synchronization can be run manually (a new console process is created) or added as a task to the Windows Task Scheduler to run automatically on a schedule.
Important: the scheduled task must run under the current Windows user's account!


"Log" tab

The results of automatic and manual synchronization can be reviewed here, and changes to the settings can be traced.


After successful synchronization, the following parameters, which are not subject to synchronization, can still be changed manually:
- in the "Database users" tab: all users with SQL logins (not Windows logins).
- in the "Database users" tab: "Basic rights" for users with Windows logins.
- in the "Database users" tab: "Additional restrictions" for users with Windows logins in the "User" role.
- in the "Dossier of employees" tab: all user profiles that are not included in the domain(s).
- in the "Dossier of employees" tab: the "Profile" parameter.


How to set up automatic report sending to managers/employees

After successful synchronization, managers' rights for automatic report sending can be set up if required ("Database users" tab).
These managers must then log into their "Personal cabinet" at least once (via the BOSS web interface) and enable the report auto-generator there.
For employees to receive reports about their own activity by e-mail, an e-mail address must be specified in their AD personal card. The corresponding permission must also be enabled in their manager's rights (preferably for a manager at an upper level of the subordination hierarchy rather than for many lower-level managers).
Report generator options must be set up in the server settings ("Reports generator" section).

© Mirobase