Importing security groups from an Active Directory

To have a centralized personnel management system, you can import AD security groups into Security Center as user groups or cardholder groups.

Before you begin

If you are importing a universal group from a global catalog, read About universal groups and global catalogs.

What you should know

  • When you import an AD security group, all of its members are imported, including the members of nested subgroups. If you want only a subset of those members, for example only the people who need Security Center accounts, create a new AD security group that contains just the members you want to import.
  • If you are integrating multiple ADs into Security Center, they must each belong to a different domain.
  • If any servers in your system are running an earlier version of Security Center, upgrade them to the current version before using them to host a new Active Directory role.
  • An AD security group can be imported as user group, cardholder group, or both.

To import a security group:

  1. Open the System task, and click the Roles view.
  2. Click Add an entity, and select Active Directory.
  3. On the Specific info page, do the following:
    1. (If you have multiple servers in your system) From the Server drop-down list, select the server on which you want to host the role.
    2. In the Active Directory field, enter the AD Fully Qualified Domain Name (FQDN), hostname, or IP address of the AD server.
      If you are not using a default port, append the port number to the AD server name, separated by a colon (for example, ADServer.Genetec.com:123). The default ports are as follows:
      • Active Directory without SSL: 389
      • Active Directory with SSL: 636
      • Global catalog without SSL: 3268
      • Global catalog with SSL: 3269
      Prefer the SSL ports where the AD server supports them, so that the bind credentials and the group data are not sent in cleartext.
    3. Specify how you want the role to connect to the AD server. The account used must have read access to the selected AD service.
      • Use the Windows credentials assigned to the Genetec™ Server service running on the server that hosts the Active Directory role.
      • Specify a different set of Windows credentials (username and password).
  4. On the Basic information page, enter the name, description, and partition where you want to create the Active Directory role.
  5. Click Next, Create, and Close.
    A new Active Directory role is created. Wait a few seconds for the role to connect to the AD server.
  6. (Optional) If you are importing a universal group that connects to a global catalog, turn on the Use global catalog option.
  7. On the Properties tab, select the AD security groups you want to import.
    NOTE: There are two types of groups in Windows Active Directory: distribution groups and security groups. Security Center can only synchronize with security groups.
    1. Click Add an item.
    2. Select the security groups you want to add to your Active Directory role.
      Use one of the following methods:
      • (Recommended) Type the name of the group in Find Active Directory groups, and run the search.
        If the text you entered matches a single group, that group is added to the Selected groups list automatically.
        If the text matches several group names, a second dialog box lists all the matching groups. Select the ones you want, and click OK to add them to the Selected groups list.

      • Click the browse button next to the Selected groups list. The Active Directory members dialog box appears.
        Select a security group, and click OK. Only security groups can be synchronized; if the selected item is not a security group, the OK button stays disabled.
      NOTE: The names shown in the dialog box are display names. Security Center synchronizes on account names, because account names are guaranteed to be unique. Display names and account names are usually identical; in practice, the only visible difference is that display names can contain spaces.
    3. Repeat the previous step until every security group you want to synchronize with the AD is listed under Selected groups, and then click OK.
      The selected groups are listed under Synchronized groups in the Properties tab.
  8. For each synchronized group, specify how you want to import it. The following options are available:
    • As user group: Import the synchronized group as a user group, and its members as users.
    • Create user on first logon: This is the default option. It creates an empty user group, and a user entity is created only when that person logs on for the first time. This avoids creating all user entities at once, which can freeze the system. If you clear this option, all user entities are created at the same time as the user group.
    • As cardholder group: Import the synchronized group as a cardholder group, and its members as cardholders. All synchronized cardholders are created at the same time.
    • Import credentials: Import the credential information of the synchronized cardholders.
  9. If you are importing the AD security group as cardholder group, select which cardholder fields you want to synchronize with the AD.
  10. (Optional) Map custom fields to synchronize with the AD.
  11. Click Apply, and then click Synchronize now.
All synchronized groups and their members are imported as Security Center entities according to your specifications, with a yellow arrow superimposed on their icon.
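Before typing a group into the role, it is worth checking from the AD side exactly what the import will pull in: that the chosen port is reachable, that the group really is a security group (distribution groups cannot be synchronized), that you are naming it by its account name rather than its display name, and how many users the nested membership resolves to, since the import cannot be limited to a subset. The following PowerShell is an added example and not Genetec's own code; it assumes the RSAT ActiveDirectory module is installed, that the account running it has read access to the domain, and uses a hypothetical group name with the FQDN from the procedure above.

```powershell
# Added pre-import audit for an AD security group (example, not Genetec code).
# Assumptions: RSAT ActiveDirectory module present; caller has read access to AD;
# $Server and $GroupName are the values you intend to enter in the role
# (the group name here is hypothetical).
param(
    [string]$Server        = 'ADServer.Genetec.com',
    [string]$GroupName     = 'SecurityCenterOperators',
    [switch]$GlobalCatalog
)

Import-Module ActiveDirectory

# 1. Check that the port Security Center will use is reachable.
#    Default ports: 389 LDAP, 636 LDAPS, 3268 GC, 3269 GC over SSL.
$ports = if ($GlobalCatalog) { 3268, 3269 } else { 389, 636 }
foreach ($p in $ports) {
    $r = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $Server, $p, $r.TcpTestSucceeded
}

# 2. Resolve the group by its account name (what Security Center synchronizes on),
#    and refuse distribution groups, which cannot be synchronized.
$grp = Get-ADGroup -Server $Server -Identity $GroupName -Properties DisplayName
if ($grp.GroupCategory -ne 'Security') {
    throw "'$GroupName' is a $($grp.GroupCategory) group; only security groups can be synchronized."
}
if ($grp.GroupScope -eq 'Universal' -and -not $GlobalCatalog) {
    Write-Warning "'$GroupName' is a universal group; consider connecting to a global catalog (3268/3269)."
}
'Account name: {0}   Display name: {1}' -f $grp.SamAccountName, $grp.DisplayName

# 3. List nested groups and every user the import would create. The role imports
#    all members, including subgroup members, so review this list before adding the group.
$nested = Get-ADGroupMember -Server $Server -Identity $grp | Where-Object objectClass -eq 'group'
if ($nested) {
    'Nested groups whose members will also be imported:'
    $nested | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}
$users = @(Get-ADGroupMember -Server $Server -Identity $grp -Recursive | Where-Object objectClass -eq 'user')
'{0} user objects would be imported from {1}:' -f $users.Count, $grp.SamAccountName
$users | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Run it once per group you plan to add. If the user count is larger than expected, or the nested list contains groups you did not intend to include, create a dedicated AD security group with only the wanted members, as noted under What you should know, rather than importing the broader group and trimming afterwards.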

After you finish

Some additional configuration might be required, depending on what you synchronized with the AD:

Until you create a scheduled task to synchronize the role, the Properties tab shows the warning No scheduled task exists to synchronize this role. The warning disappears once the scheduled task exists.