To have a centralized personnel management system, you can import AD security groups into Security Center as user groups or cardholder groups.
Before you begin
- If you are importing a universal group from a global catalog, read About universal groups and global catalogs.
- When importing an AD security group, you must import all members of that group, including the subgroups. If you want to import only a subset of its members, for example, only Security Center users, you must define a new AD security group with only the members you want to import. For more information, see Creating security groups in Active Directory.
- Ensure that the workstation where Config Tool is running is using the same Security Center display language as the server that is going to host the Active Directory role.
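Because importing a group brings in every member, including the subgroups, it helps to preview the effective membership first. The following is an added example, not part of the Security Center documentation: it uses the ActiveDirectory PowerShell module (RSAT), and the function name `Get-ImportPreview` and the group name `SC-Operators` are hypothetical placeholders.

```powershell
# Added example: preview what importing an AD security group would bring in.
# Assumes the ActiveDirectory module (RSAT) is installed and the account
# running the script can read the domain.
Import-Module ActiveDirectory

function Get-ImportPreview {
    param(
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Direct members that are themselves groups: these subgroups are
    # included when the parent group is imported.
    $subgroups = Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'group' }

    # -Recursive flattens nested groups and returns only the leaf members.
    # NameMismatch flags accounts whose display name differs from the
    # account name, which is the name that gets synchronized.
    $users = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties DisplayName } |
        Select-Object SamAccountName, DisplayName,
            @{ Name = 'NameMismatch'; Expression = { $_.DisplayName -ne $_.SamAccountName } }

    [pscustomobject]@{
        Group     = $GroupName
        Subgroups = @($subgroups | ForEach-Object { $_.SamAccountName })
        Users     = @($users)
    }
}

# 'SC-Operators' is a placeholder; replace it with the group you plan to import.
$preview = Get-ImportPreview -GroupName 'SC-Operators'
"Subgroups included: {0}" -f ($preview.Subgroups -join ', ')
"Accounts that would be imported: {0}" -f $preview.Users.Count
$preview.Users | Sort-Object SamAccountName | Format-Table -AutoSize
```

If the list contains accounts that should not become Security Center users or cardholders, create a dedicated AD security group with only the intended members, as described above.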
What you should know
- If you are integrating multiple Active Directory services into Security Center, they must each belong to a different domain.
- To add multiple Active Directory roles, you need multiple Active Directory license items.
- An AD security group can be imported as a user group, a cardholder group, or both.
Procedure
- On the Properties page of the Active Directory role, select the AD security groups you want to import.
- Click Add an item.
- Select the security groups that you want to add to your Active Directory role.
  Use one of the following methods:
  - (Recommended) Type the name of the group in Find Active Directory groups, and click .
    If the text you entered matches a single group, it is automatically added to the Selected groups list.
    If the text you entered matches multiple group names, a second dialog box opens, listing all the group names that match the text you entered. Select the ones that you want, and click OK to add them to the Selected groups list.
  - From the Selected groups list, click ().
    The Active Directory members dialog box opens.
    Select a security group, and click OK. Only security groups can be synchronized. If you selected an item that is not a security group, the OK button remains disabled.
    NOTE: The names shown in the dialog box are display names. Security Center only synchronizes the account names because they are guaranteed to be unique. Typically, the display names and the account names are the same. The only way to tell them apart is that the display names contain spaces.
- Repeat the previous step as often as needed until all security groups that you want to synchronize with the AD are listed in Selected groups, and then click OK.
  The selected groups are listed under Synchronized groups in the Properties page.
- Choose which partition the entities are synchronized in.
- For each of the synchronized groups, specify how you want to import them.
  The following options are available:
  - As user group: Select this option to import the synchronized group as a user group, and the group members as users.
    - Create user on first logon: This is the default option, and it creates an empty user group. User entities are only created when someone tries to log on for the first time. This option avoids having to create all user entities simultaneously, which can freeze up the system.
      If you clear this option, all user entities are created at the same time as the user group.
  - As cardholder group: Select this option to import the synchronized group as a cardholder group, and the group members as cardholders. All synchronized cardholders are created simultaneously.
    - Import credentials: Select this option to import the credential information of the synchronized cardholders. Multiple credentials can be imported for each cardholder.
- If necessary, customize the mapping of AD attributes to Security Center fields.
- If you are importing credentials, select which credential fields to synchronize with the AD.
- Click Apply, and then click Synchronize now.
Results
All synchronized groups and their members are imported as Security Center entities according to your specifications, with a yellow arrow superimposed on their icon.
After you finish
Some additional configuration might be required, depending on what you synchronized with the AD:
After you create a scheduled task, the warning message No scheduled task exists to synchronize this role disappears from the Properties tab.