Active Directory Integration
ENPS staff accounts can optionally be created and disabled in Active Directory (AD) and without the use of System Maintenance. AD Security Groups are used to assign the user's Home folder. Nominated email accounts are notified when a new user is added to the Staff table, deactivated, reactivated, or moved to a different Home folder.
This integration is designed to allow the initial set up and configuration of user accounts in AD that are not already in the ENPS Staff table. It does not prevent a user’s Staff table metadata from being subsequently edited with System Maintenance.
When using AD integration, users can only be added and deleted to ENPS through the AD interface. Users cannot be added or deleted using the Staff table in System Maintenance.
Users in the Staff table without active AD accounts will be deactivated.
To simply import users from AD rather than fully integrate with ENPS AD, see Import from Active Directory.
Pre-requisites
The following pre-requisites apply for ENPS AD integration:
-
You must be using an AD domain account for the ENPS servers, not a local account.
-
The account must have Write privileges to the AD database.
-
Optionally, there should be an account on the mail server which can be used to notify administrators of changes.
Set up email notifications
Specified recipients such as administrators can be notified by email when user accounts:
-
are created and homed to the server
-
are activated
-
are deactivated
-
have their Home folder changed
Enable these email notifications by setting up a sender and list of recipients.
Set up sender
To set up the account that will send the email notifications, follow these steps:
-
Open System Maintenance.
-
Click Global Configuration Options.
-
Click the SMTP Settings button to open the SMPT Settings dialog.
-
Configure the settings:
-
Host - e.g. smtp.office365.com
-
Port - typically 587
-
Username and Password - the account that will send the emails, e.g. ADENPSChanges@domain.com
-
-
Click Save in the dialog.
-
Add the SmtpFromEmail key to the Global Configuration Options.
-
Set the SmtpFromEmail key value to the account that will send the emails.
For example, ADENPSChanges@domain.com.
-
Click Save.
These values are saved to the SMTP key in Global Configuration Options.
Note that the stored values will not be displayed in the SMTP Settings dialog if you press the SMTP Settings button again.
Set up recipients
To set up the accounts that will receive the email notifications, follow these steps:
-
Open System Maintenance.
-
Click Servers.
Note the Admin Emails column at the end of table.
-
For each server in the server list that houses at least one Home folder, enter a list of recipient email addresses in the Admin Emails column.
The addresses must be separated by semi-colons. For example, ana@domain.com;bob@domain.com;cat@domain.com
-
Click Save.
The sender and recipients are now set up to send and receive notifications respectively.
Create Active Directory Security Groups
The next step is to create the AD security groups that represent users’ Home folders.
To create the AD security groups using the export function, follow these steps.
-
Open System Maintenance > Groups.
-
Click the Export Groups to AD button to open a new page in the Groups pane.
The Active Users column shows how many users are homed to each group.
-
Tick each group that you want to export.
When setting up for the first time, we recommend selecting the groups by clicking the Select Groups with Active users button to tick all folders that have at least one user homed to them. Exporting folders without homed users adds clutter in AD and serves no purpose, unless you plan to home users to that group in future.
You can also filter this list to find a particular folder. This can be useful if a new group is added to the table after AD integration has been set up, as in this scenario you only want to export the new folder.
-
Click OK to export the selection to AD.
Refresh the view in AD to see the new security groups with the naming convention ENPS_GROUPID_GROUPDESCRIPTION at the root of the domain.
If desired, you can move these groups out of the root and into Organizational Units. For example, in the following screenshot, they have been moved into an Organizational Unit called ENPS.
Each of these exported groups will contain all user accounts homed to that group.
Activate Integration
Once email configuration and security groups have been set up, ENPS AD integration can be activated. To do so:
-
Open System Maintenance.
-
Click Global Configuration Options.
-
Click the button marked "Enable AD Sync".
-
Click Save.
ENPS AD Integration is now active.
Users can now only be added to ENPS and deactivated / reactivated / given a new Home Folder through the AD interface. These actions are not permitted in the System Maintenance > Staff table.
Users in the Staff table without active AD accounts are now deactivated.
Creating a new user in ENPS via Active Directory
To create a new user in ENPS via AD, follow these steps:
-
Create a new user account in Active Directory.
-
Assign the new user to an ENPS group.
-
Right-click the user in AD and select Add to a Group... to open the Select Groups dialog.
-
Enter ENPS in the Enter the object names to select textbox.
-
Click OK to see a list all ENPS groups.
-
Select one group to add the user to, then click OK.
Although AD does not prevent a user being added to more than one ENPS security group, ENPS only supports a single Home folder per user.
Adding an account to multiple ENPS security groups will generate an error condition, and AD synchronization will be suspended until the problem is resolved.
-
After a few seconds the user will appear in the Staff table with the correct Home folder, and an email is sent to the address(es) configured for the relevant server.
After the initial account creation in AD that populates the Staff table, subsequent changes to the user's name in AD are not reflected in the Staff table.
Rehoming a User Created via Active Directory
To rehome a user, follow these steps.
-
Find the user in AD.
-
Right-click the user.
-
Select Properties and open the Member of tab.
-
Select the existing ENPS group, which starts with ENPS in the Name column.
-
Click Remove to remove the user from that group.
-
Click Add....
-
Enter ENPS in the Enter the object names to select textbox.
-
Click OK to see a list all ENPS groups.
-
Select one group to add the user to, then click OK.
The user is now rehomed to the selected AD group.
Error conditions
Logfiles provide a history of transactions. They are saved to the \NOM\Logs directory on your Central Server.
Real-time status reporting can be seen at https://<CentralServer>/:10505/adsync.aspx.
The following unsupported scenarios can stall AD synchronization and cause an error to be displayed on that webpage:
-
Adding a user to more than one AD group.
-
Creating a user without a first name and last name.
You need to resolve any errors to allow AD Synchronization to continue.
Deactivating ENPS/Active Directory Integration
To stop using Active Directory to manage staff in your ENPS system, disable integration as follows:
-
Open System Maintenance > Global Configuration Options.
-
Delete the ADSync setting.
-
Click Save.