Configuring Active Directory Settings

If your organization uses Microsoft Active Directory to manage network user accounts, you can configure PolicyTech to use Active Directory (AD) for the initial user import, user list maintenance (daily synchronization), and user login.

Note: The alternatives to using AD to create and maintain the PolicyTech user list are to define and maintain users manually or to export a user list from another database and import that list into PolicyTech.

Considerations

There are factors to consider when deciding how to configure PolicyTech to connect to and use AD. The more common considerations include the following:

  • How much AD user information do you want pulled into PolicyTech user records?
  • If AD does not include all of the user data needed for PolicyTech user definitions, do you want to import the missing information from another database (see Importing Users from Another Database) or possibly add it to AD before syncing?

    Important: If you already have users defined in PolicyTech, contact NAVEX Customer Support by submitting a request in the Community before starting a sync setup to avoid many issues that could result from syncing existing PolicyTech users with AD users.

  • If a user is deactivated or deleted in AD, do you also want that user deactivated or deleted in PolicyTech?
  • If you do not want all of the users in an AD domain synced with PolicyTech, how are you going to filter out those you don't want synced? Are the AD organizational units and containers set up in a way that accommodates efficient syncing of a specific set of users?
  • Do you know which organizational unit in the AD hierarchy to access so that all of the users you want synced with PolicyTech are contained in that organizational unit or in the ones below it?
  • Do you know which AD user credentials you are going to use to allow the PolicyTech sync process to access AD? Will you use a service account or a normal user?
  • Will your PolicyTech site be required to use SSL to authenticate to AD and, if so, is SSL set up correctly on the server hosting PolicyTech?

How the Sync Works

Knowing how the AD sync works can help you make decisions about how to set it up and when to run it. The following process is performed for each user profile that PolicyTech pulls from each AD domain you specify.

Step 1: Attempt to match the AD GUID. PolicyTech users that are synced with AD users include an extra field of data in their PolicyTech user profile for storing the user's Globally Unique Identifier, or GUID, that is assigned by AD whenever an object is created. When you perform a sync, PolicyTech first checks to see if the AD user's GUID has already been added to a PolicyTech user profile.

  • If a matching GUID is found, the process skips to step 4 below.
  • If a matching GUID is not found, the process continues with step 2.

Note: Adding a GUID to a PolicyTech user profile can only be done by the AD sync feature. The GUID property is not available in the PolicyTech user profile in User Manager.

Step 2: Attempt to match user names. If a matching GUID is not found, the sync next searches for a PolicyTech user name that is the same as the user logon name in the AD profile.

  • If a matching user name is found, the process skips to step 4.
  • If a matching user name is not found, the process continues with step 3.

Step 3: Create a new PolicyTech user.

If the sync finds no matching GUID or user name, it creates a new PolicyTech user and pulls at least the following properties from the AD user profile.

Note: Because these are the minimum required properties (except Domain) for creating a PolicyTech user, they are pulled regardless of whether they are enabled and mapped in the domain information you will later add in PolicyTech Login Settings.

PolicyTech User Property Added    From AD User Property
First Name                        First name
Last Name                         Last name
Username                          User logon name (sAMAccountName)
Password                          Random placeholder*
Unique Employee ID                AD GUID
Site                              Mapped property in PolicyTech Login Settings
Department                        Mapped property in PolicyTech Login Settings
Domain                            Domain specified in PolicyTech Login Settings in the Organization Unit (OU) definition that included this user in the sync

*When AD sync is enabled, PolicyTech ignores whatever is stored in the Password field of the PolicyTech user profile and uses the password from the AD user profile instead. However, because the Password field is required, the sync places a random string in that field when creating a new user.

When you later specify the AD domains to sync with PolicyTech, you will be required to specify a default site for adding new users and will have the opportunity to map AD user properties to PolicyTech user properties. If you choose not to enable and map the site and department properties, users added during a sync will be assigned to the specified default site and to a department called Unassigned Department.

Step 4: If necessary, create a new job title, department, or site.

If the PolicyTech job title, department, or site property is mapped for the sync, PolicyTech will compare the property value in the AD user profile to the existing PolicyTech job titles, departments, or sites.

  • If the job title, department, or site already exists in PolicyTech, the process moves on immediately to step 5.
  • If the job title, department, or site does not exist in PolicyTech, then PolicyTech creates a new job title, department, or site and names it with the value from the corresponding AD user property.

Step 5: Update mapped properties.

  • If the sync found a matching user, it compares the properties from the AD user profile to any corresponding PolicyTech user properties that you chose to include in the sync. If any properties do not match, PolicyTech overwrites the information in the PolicyTech user property with the information from the mapped AD user property.
  • If the sync created a new user, in addition to the required properties listed in step 3 above, it adds any optional properties you chose to include in the sync.

Important: The PolicyTech/AD sync feature will create new users, job titles, departments, and sites if they don't already exist in PolicyTech. If you add or modify any of these objects manually in PolicyTech, make sure the site reference IDs, department reference IDs, job title names, or user names exactly match the names of the corresponding objects in AD. If the PolicyTech object name varies even by a single character, a new, duplicate object will be created in PolicyTech when AD is synced.
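The matching order in steps 1 through 5 and the exact-name rule in the note above, as an added Python simulation that is not PolicyTech's own code: the AD profiles, the PolicyTech user list and the property mapping are constructed in-memory data, and recording the GUID after a user-name match is an assumption.

```python
# Added example (not PolicyTech's own code): a simulation of the step 1-5 matching order.
# The AD profiles and PolicyTech stores are constructed in-memory dicts, not real APIs;
# objectGUID, sAMAccountName, givenName, sn and department are standard AD attribute names.
import secrets

def sync_user(ad_user, pt_users, pt_catalogs, default_site, mapping):
    """Process one AD profile against the PolicyTech user list; returns how it was resolved."""
    # Step 1: a PolicyTech profile that already stores this AD GUID wins outright.
    match = next((u for u in pt_users if u.get("guid") == ad_user["objectGUID"]), None)
    how = "matched_guid"
    if match is None:
        # Step 2: fall back to the user logon name (sAMAccountName).
        match = next((u for u in pt_users if u["username"] == ad_user["sAMAccountName"]), None)
        how = "matched_username"
        if match is not None:  # assumed: the sync records the GUID so later runs match in step 1
            match["guid"] = ad_user["objectGUID"]
    if match is None:
        # Step 3: create the user with the minimum required properties from the table above.
        match = {"first_name": ad_user["givenName"], "last_name": ad_user["sn"],
                 "username": ad_user["sAMAccountName"],
                 "password": secrets.token_urlsafe(16),  # random placeholder, never used to log in
                 "employee_id": ad_user["objectGUID"], "guid": ad_user["objectGUID"],
                 "site": default_site, "department": "Unassigned Department"}
        pt_users.append(match)
        how = "created"
    # Steps 4 and 5: a mapped value that is not an exact (case-sensitive) match for an existing
    # object creates a new object, so "finance" beside "Finance" yields a duplicate department.
    for pt_prop, ad_attr in mapping.items():
        value = ad_user[ad_attr]
        if value not in pt_catalogs[pt_prop]:
            pt_catalogs[pt_prop].append(value)
        match[pt_prop] = value  # the AD value overwrites the PolicyTech value
    return how

def demo():
    """Constructed sample: one existing user and department, two AD profiles, two sync runs."""
    pt_users = [{"username": "jdoe", "first_name": "Jane", "last_name": "Doe",
                 "department": "Finance", "site": "HQ"}]
    pt_catalogs = {"department": ["Finance"], "site": ["HQ"]}
    mapping = {"department": "department", "site": "physicalDeliveryOfficeName"}
    ad_users = [{"objectGUID": "guid-0001", "sAMAccountName": "jdoe", "givenName": "Jane",
                 "sn": "Doe", "department": "finance", "physicalDeliveryOfficeName": "HQ"},
                {"objectGUID": "guid-0002", "sAMAccountName": "asmith", "givenName": "Al",
                 "sn": "Smith", "department": "Finance", "physicalDeliveryOfficeName": "Plant 2"}]
    results = [sync_user(u, pt_users, pt_catalogs, "HQ", mapping) for u in ad_users]
    results.append(sync_user(ad_users[0], pt_users, pt_catalogs, "HQ", mapping))  # second run
    return results, pt_users, pt_catalogs
```

Running demo() shows the first profile resolving by user name, then by GUID on the second run, and the lowercase "finance" value creating a second department beside "Finance".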

Enter Domain and Organizational Unit Information

PolicyTech uses the information you enter in the Domain Information form to communicate with AD and perform the user sync. This information is divided into Connection Settings and Synchronization Mapping.