Active Directory synchronization

The goal is to use Active Directory as an identity provider for Trustelem.

To do so, a connector, ADConnect, is installed on an Active Directory domain controller.

Using this connector, Trustelem synchronizes the users defined by Trustelem administrators.


1/ During the setup, ADConnect opens a websocket to the Trustelem services on port 443.
Note: over this websocket, information is protected by TLS and by an additional layer of symmetric encryption.

2/ Trustelem sends ADConnect a request for the Active Directory users over the websocket.

3/ ADConnect queries Active Directory for the users over LDAPS.

4/ Active Directory returns the users to ADConnect over LDAPS.

5/ ADConnect sends the users to the Trustelem services over the websocket.
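The flow above depends on two network paths: outbound HTTPS from the domain controller to Trustelem (step 1) and LDAPS on the domain controller itself (steps 3 and 4). The following pre-flight script is an added example, not part of the Trustelem documentation or the ADConnect connector; it assumes it is run locally on the domain controller that will host ADConnect, and `$TrustelemHost` is a placeholder to replace with the hostname of your Trustelem tenant.

```powershell
# Added example (not Trustelem's code): pre-flight checks for the network paths used by ADConnect.
# Assumptions: runs locally on the DC; $TrustelemHost is a placeholder for your tenant's hostname.
param(
    [string]$TrustelemHost = 'TRUSTELEM-HOSTNAME-PLACEHOLDER',
    [string]$DomainController = $env:COMPUTERNAME
)

# 1. Outbound HTTPS (flow step 1): the websocket to Trustelem needs TCP 443 to be reachable.
$out = Test-NetConnection -ComputerName $TrustelemHost -Port 443 -WarningAction SilentlyContinue
"Outbound 443 to $TrustelemHost : $($out.TcpTestSucceeded)"

# 2. LDAPS (flow steps 3-4): the DC must present a server certificate on TCP 636 that chains
#    to a trusted CA, otherwise the connector's LDAPS queries and bind checks will fail.
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
# Accept any certificate during the handshake so it can be inspected explicitly below.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($DomainController)
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

"LDAPS certificate subject  : $($cert.Subject)"
"LDAPS certificate expires  : $($cert.NotAfter)"
"Chain builds to trusted CA : $chainOk"
if (-not $chainOk) {
    # Print each chain problem (untrusted root, expired, name mismatch, ...) to act on.
    $chain.ChainStatus | ForEach-Object { "  chain problem: $($_.Status) - $($_.StatusInformation.Trim())" }
}
$ssl.Dispose(); $tcp.Dispose()
```

Run the script before installing the connector on each domain controller; a false `TcpTestSucceeded` points at an egress firewall rule, and a failing chain usually means the DC has no server certificate from a CA the machine trusts.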


Note: the connector also handles the authentication of Active Directory users:

  • an AD user tries to authenticate on Trustelem

  • Trustelem sends the user and his password to ADConnect using the websocket (encrypted with TLS and the additional symmetric encryption)

  • ADConnect sends the user and his password to Active Directory (encrypted with LDAPS)

  • Active Directory sends a validation to ADConnect

  • ADConnect sends the validation to Trustelem

  • Trustelem authenticates the user


Trustelem does not store any Active Directory password.

On your Windows Server, in « Active Directory Users and Groups »:
  • Create a technical user (e.g. trustelem@mycompany.com) with default privileges and a strong password, not required to be changed at next logon, and which never expires.
On the Trustelem admin dashboard, « Directory » tab:
  • Click on « Create » and select « Active Directory ».

  • Give a name to the new directory, and optionally a description.

  • Ensure « Use a connector » is checked.

  • Write down the synchronization ID, then click on « Save ».


On each AD domain controller (typically 2 or 3):


  • Configure the Trustelem Windows Service.
    • Open Windows Services Manager.
    • Select « Trustelem AD Connect ».
    • Right-click, select « Properties ».
    • On « General » tab, make sure that « Startup type » is set to « Automatic (Delayed Start) ».
    • On « Log On » tab, select « This account » and enter the technical user’s credentials.
Launch the service.
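The technical account creation and the service configuration above can also be done from PowerShell on the domain controller. The script below is an added example, not part of the Trustelem documentation or the connector; it assumes the ActiveDirectory module is available, uses placeholder account names (the example UPN from the account step), and locates the service by its display name because the page does not give its internal service name.

```powershell
# Added example (not Trustelem's code): creates the technical account and binds the
# « Trustelem AD Connect » service to it, mirroring the manual steps on this page.
# Assumptions: ActiveDirectory module present; $samAccount and $upn are placeholders.
Import-Module ActiveDirectory

$samAccount = 'trustelem'                   # placeholder technical account name
$upn        = 'trustelem@mycompany.com'     # placeholder, the example UPN from the page
$password   = Read-Host -AsSecureString 'Password for the technical account'

# Default privileges (plain domain user), no forced change at next logon, never expires.
New-ADUser -Name 'Trustelem AD Connect' -SamAccountName $samAccount -UserPrincipalName $upn `
    -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
    -Description 'Service account used by Trustelem ADConnect'

# Locate the service by its display name, then set « Automatic (Delayed Start) » and the
# log-on account. sc.exe requires the space after each "key=" token.
$svc     = Get-Service -DisplayName 'Trustelem AD Connect'
$netbios = (Get-ADDomain).NetBIOSName
$plain   = [System.Net.NetworkCredential]::new('', $password).Password   # unwrapped for sc.exe only
sc.exe config $svc.Name start= delayed-auto obj= "$netbios\$samAccount" password= $plain
$plain = $null

Start-Service -Name $svc.Name
Get-Service -Name $svc.Name | Select-Object Name, Status, StartType
```

One caveat worth knowing: the Services console grants the « Log on as a service » right automatically when you pick an account on the « Log On » tab, whereas `sc.exe config obj=` does not. If the service fails to start with a logon failure after running this script, grant that right to the technical account (via Local Security Policy or the GPO applied to domain controllers) and start the service again.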
Get back to the Trustelem admin dashboard, « Directory » tab:
  • Refresh the page: the connector should show up in the table.

  • Once the connector is up, check its IP address, server name and service account against the domain controller you just configured (to detect a spoofed connector), then activate the connector by clicking the « No » button.

  • Set up the appropriate synchronization frequency (note: a high frequency increases the load on your domain controllers).

  • Select the groups to be synchronized.


  • By checking Advanced options, you can define a list of Custom attributes (title, memberOf, objectGUID, userPrincipalName…) to import with the users.

  • Click on « Save ».

The synchronization starts. It lasts a few seconds.

The connector ADConnect can be updated without any service interruption:

  • Install the latest release of the connector alongside your current connector.

  • In the directory tab of the Trustelem administration console, select the relevant directory and ensure the new connector is listed first in order to be used in priority.

  • Ensure that the new connector is working fine by checking its usage statistics, then you can disable the previous connector in the administration console.

  • Finally, you can uninstall the previous connector from your server and then it can be deleted from the Trustelem administration console.

On some restricted configurations, the user running the Trustelem connector may not have enough rights to correctly list all users/groups from the directory.

To ensure that this user has the required rights:

  • On Windows Server 2008:

    • Open “Active Directory Users and Groups”.
    • Right-click on your domain object.
    • Go to “Properties”.
    • Go to Security tab and click on Advanced.
    • Click on “Add”.
    • Enter the user name used to run the connector.
    • Click the “Properties” tab.
    • In “Apply Onto” change the type to User.
    • Ensure the “Read MemberOf” checkbox is checked.
  • On Windows Server 2012:

    • Open ADSI Edit.
    • Right-click on your domain object.
    • Go to Properties.
    • Go to Security tab and click on Advanced.
    • Click on “Add”.
    • Click on “Select a Principal” and pick the user used by the connector.
    • In ‘Apply Onto’ change the type to “This object only”.
    • Scroll to “Properties”, find “Read MemberOf” and ensure it is checked.
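The same « Read MemberOf » permission can be granted and verified from PowerShell, which is easier to repeat on several domains and to audit afterwards. The script below is an added example, not part of the Trustelem documentation; it implements the Windows Server 2008 variant above (the rule applies to descendant User objects), assumes the ActiveDirectory module is available, and uses a placeholder for the connector account name. The schema GUIDs for the memberOf attribute and the user class are looked up at run time rather than hard-coded.

```powershell
# Added example (not Trustelem's code): grants the connector account Read on the memberOf
# attribute of user objects in the domain, the ACE the manual steps above create.
# Assumptions: ActiveDirectory module present; $ConnectorAccount is a placeholder.
Import-Module ActiveDirectory
$ConnectorAccount = 'trustelem'   # placeholder: sAMAccountName of the connector service account

$domain   = Get-ADDomain
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schema GUIDs from the schema partition (schemaIDGUID is stored as a byte array).
$memberOfGuid  = [guid](Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'memberOf'" -Properties schemaIDGUID).schemaIDGUID
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'user'"     -Properties schemaIDGUID).schemaIDGUID

# Allow ReadProperty on memberOf, inherited by descendant objects of class user only
# (equivalent to "Apply onto: User" / "Descendant User objects" in the GUI).
$sid  = (Get-ADUser $ConnectorAccount).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberOfGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$path = "AD:\$($domain.DistinguishedName)"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: show the ACEs for the connector account that target the memberOf attribute.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$ConnectorAccount" -and $_.ObjectType -eq $memberOfGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

The ACE is scoped to a single attribute and a single object class, which keeps the technical account at the least privilege the synchronization needs; the final `Get-Acl` listing is also what to check when reviewing the domain ACL later, since a rule with `GenericAll` or an empty `ObjectType` on that account would indicate something broader than this step intended.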