About the Active Directory Connector (On Premise)
EmpowerID Active Directory connector allows organizations to bring the user and group data in their Active Directory to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:
-
Account Management
-
Inventory user accounts
-
Create, Update and Delete user accounts
-
Enable and Disable user accounts
-
-
Group Management
-
Inventory groups
-
Inventory group memberships
-
Create and Delete groups
-
Add and Remove members to and from groups
-
-
Attribute Flow
Users in Active Directory are inventoried as accounts in EmpowerID. The below table shows the attribute mappings of Active Directory user attributes to EmpowerID Person attributes.Active Directory Attribute EmpowerID Person Attribute carLicense CarLicense l City company Company co Country thumbnailPhoto CustomAttribute27 department Department departmentNumber DepartmentNumber description Description division Division mailNickname EmailAlias employeeID EmployeeID employeeType EmployeeType extensionAttribute1 - 15 and 20 ExtensionAttribute1 - 27 facsimileTelephoneNumber Fax givenName FirstName displayName FriendlyName generationQualifier GenerationalSuffix homePhone HomeTelephone initials Initials sn LastName samAccountName Login middleName MiddleName mobile MobilePhone info Notes physicalDeliveryOfficeName Office postOfficeBox POBox pager Pager personalTitle PersonalTitle postalCode PostalCode province Province st State streetAddress StreetAddress telephoneNumber telephone title Title
EmpowerID “Proxy” or Connection Account Requirements
EmpowerID uses highly privileged user accounts when connecting to user directories such as Active Directory, LDAP, or database systems. These user "account stores" use saved proxy accounts for connecting to these systems and performing user account management operations. EmpowerID requires one privileged account per domain or directory. This account requires all of the privileges matching the functions that EmpowerID may perform (user creation, deletion, password reset, group creation, etc).
If you will be managing an Active Directory Domain, the proxy account must be able to access the deleted items container in AD. Access to the Deleted Items container requires Domain Admin access unless the container security is edited to allow non-domain admins to read it. Instructions for editing the security of the deleted items container can be found in Microsoft’s article “How to let non-administrators view the Active Directory deleted objects container” which can be viewed in full at http://support.microsoft.com/kb/892806.
If you are connecting to an Active Directory Forest with multiple domains, you must first create an account store for the forest root domain before creating account stores for other domains in the forest. The proxy account used when adding your AD account store, must have read access to the AD Configuration Partition in order for topology discovery to succeed. Errors will occur if this process and its required access are not followed.
You do not need to enable inventory on the account store created for the forest root domain.