To add users to groups you have multiple options to choose from; which one you use depends on how your data is presented and on personal preference.
You can either add groups to users or add users to groups. You can also connect to both security groups and distribution groups.
The Active Directory V2 - GroupMembers connector manages the membership of users in your AD groups. This connector does not add or remove groups from your AD; it simply adds existing users to the groups you need.
Enter the Windows credentials you use to connect to AD. If you leave these blank, the credentials of the current process/user are used.
To add your credentials, click the ellipsis (...) to open the credential window.
Connect to the specific OU you want to target via your LDAP Path; this will look something like LDAP://OU=Test,DC=demo,DC=simego,DC=com.
Please see our main AD page for more guidance on finding your LDAP Path.
If your AD has SSL enabled, you can connect using SSL by changing this to True via the drop down list.
Additionally, you can use an LDAP filter to restrict the results to specific groups. By default the filter is set to (&(objectClass=group)), which returns all groups within the connected OU.
To filter the groups that are returned, add the groups you want to target to the LDAP Filter, e.g. (&(objectClass=group)(sAMAccountName=Managers)).
To make sure you do not accidentally remove users, either apply a filter that returns only the groups you want to modify or disable deletes. Otherwise, if you connect to all groups and the source lists only a few groups against a user, that user will be removed from any groups the source does not list for them. Double check that your project does what you expect before synchronising, and that delete is disabled if you do not want to remove users.
In your source data you want to have the group name and the user to be added to that group.
This connector requires two key columns: the group name and the account name (sAMAccountName) of the user to be added. Because of this, the connector does not support incremental sync.
Your schema map should look similar to the screen capture below but your source may have different column names.
You then need to run the compare and sync the results to apply the changes.
If you want to remove users from groups you will need to enable delete as this is disabled by default to prevent accidental deletion.
You can use the Active Directory V2 - Users/Contacts/Groups/Computers provider to return groups by selecting Groups from the DefaultAttributes drop down list.
This connector enables you to add and remove groups in your Active Directory. However, note that you can only add existing users; this will not create user accounts whilst targeting groups.
Map the group name (this should be the same as the sAMAccountName) from your source to DS-SAMAccountName and set this as your key column. You then need to map the array of users that should be members of that group to Members.
In your source data you can list the groups to be updated/added and the users that should be members of each of those groups. The users need to be listed in alphabetical order by sAMAccountName and separated by a semi-colon (;).
Please make sure there are no unwanted spaces, as these will affect the results. For example, in user1; user2;user3 the space will be counted as part of user2's name.
Any groups that do not currently exist will be added to your AD.
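The following is an added example, not Simego's code, that models the two behaviours described above: building a Members value in the required form (alphabetical, semicolon-separated, no stray spaces) and previewing which (group, user) pairs a GroupMembers sync would add or remove depending on how narrow the LDAP filter is and whether deletes are enabled. All group and user names are constructed placeholders.

```python
"""Added example (not Simego's code): preview the effect of a group-membership
sync. Sample groups, users and filter results are constructed placeholders."""
from collections import defaultdict


def build_members_value(users):
    """Build the Members string the page expects: trimmed sAMAccountNames,
    de-duplicated, alphabetical, joined with ';' and no surrounding spaces."""
    cleaned = {u.strip() for u in users if u.strip()}
    return ";".join(sorted(cleaned, key=str.lower))


def find_padded_entries(members_value):
    """Return entries carrying whitespace, e.g. ' user2' in 'user1; user2;user3',
    which AD would treat as part of the account name."""
    return [m for m in members_value.split(";") if m != m.strip()]


def plan_group_members_sync(source_rows, target_members, deletes_enabled):
    """source_rows: (group, user) pairs from the source.
    target_members: {group: set(users)} for every group the LDAP filter returns.
    Returns (adds, removes) as sorted lists of (group, user) pairs."""
    desired = defaultdict(set)
    for group, user in source_rows:
        desired[group].add(user.strip())
    adds, removes = [], []
    for group in sorted(set(desired) | set(target_members)):
        want = desired.get(group, set())
        have = target_members.get(group, set())
        adds += [(group, u) for u in sorted(want - have)]
        if deletes_enabled:
            # Every member the source does not list for a returned group is a
            # delete, so a broad filter plus deletes strips unrelated groups.
            removes += [(group, u) for u in sorted(have - want)]
    return adds, removes


# Constructed source: only knows about the Managers group.
SOURCE = [("Managers", "alice"), ("Managers", " bob")]
# Constructed target as returned by the default filter (&(objectClass=group)).
TARGET_ALL_GROUPS = {"Managers": {"alice", "carol"}, "Finance": {"alice", "bob"}}
# Same target narrowed by (&(objectClass=group)(sAMAccountName=Managers)).
TARGET_MANAGERS_ONLY = {"Managers": TARGET_ALL_GROUPS["Managers"]}

if __name__ == "__main__":
    print(build_members_value(["user3", "user1", " user2"]))
    print(find_padded_entries("user1; user2;user3"))
    print(plan_group_members_sync(SOURCE, TARGET_ALL_GROUPS, deletes_enabled=True))
    print(plan_group_members_sync(SOURCE, TARGET_MANAGERS_ONLY, deletes_enabled=True))
```

With the default filter and deletes enabled the plan removes alice and bob from Finance even though the source never mentions that group; the narrowed filter limits the removals to the Managers group.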
Your schema map should end up looking something like:
Alternatively, you can use the Active Directory V2 - Users/Contacts/Groups/Computers provider and select Users from the DefaultAttributes drop down list.
With this connector you can add users to their respective groups whilst adding or updating them in your AD.
Note: whilst targeting users you cannot add/remove groups from your AD, only add/remove users to/from a group.
This method assumes you have a column with an array of the group names that the user should be a member of. Your groups need to be listed in alphabetical order and separated by a semi-colon (;). Please make sure there are no spaces after the semi-colon unless that is part of the group name.
If the user currently exists in a group that is no longer listed against their name, they should be removed from that group.
To do this, map your source columns to your target columns and make sure to map your Group column to DS-User-MemberOf.
If you have many users in your AD and you are matching on columns whose values require a lookup, you may find that the preview, compare and sync take longer than expected.
To improve performance you can map the DN instead; this is faster because it does not need to look up each user account to find the other values.