Active Directory User Management

Overview

Active Directory (AD) User Management in Integriti allows for the automated synchronization of cardholders from a corporate directory into the Integriti database. This integration ensures that user records, credential data, and access permissions are kept in sync with the primary HR or IT directory.

Licensing Requirements

  • Active Directory Users License: This is a required feature license.
  • Note: The DUIM (Dynamic User Import Module) is a separate CSV-based import handler and is not used for AD synchronization. AD sync uses its own dedicated Communications Handler type.

Synchronization Architecture

The Integriti Application Server service requires read access to Active Directory. This can be achieved by:

  • Joining the Integriti Server PC to the domain and ensuring it belongs to a group with AD read permissions.
  • Running the Application Server service under a domain user account with appropriate read/write permissions.
  • Explicitly providing Windows credentials (Username/Password) within the AD Synchronization setup.

Synchronization Schedule

  • Full Sync: A comprehensive synchronization that occurs once per day at a scheduled time (e.g., 12:00 AM).
  • Partial Sync: An incremental update that picks up changes at a configurable frequency (expressed in hours, minutes, and seconds).

Configuration and Field Mapping

Synchronization is configured via the Active Directory Synchronisation Communications Handler.

Attribute Mapping

Integriti user fields are mapped to AD attributes using the Import Configuration Table. A unique key is stored in each user’s ActiveDirectoryGuid custom field — modifying this field will break synchronization.

Common mapping examples:

  • Name → common-name (or name)
  • Expiry Date Time → accountExpires
  • Cards → Map to a custom AD field containing card numbers (requires a “Constant Value” transformation for the Card Type).

Access Level Assignment

Active Directory Security Groups can be mapped directly to Integriti Permission Groups.

  • Transformation Type: Use Map String to Entity to manually match AD Group names to Integriti Permission Groups.
  • Name Lookup: If group names are identical in both systems, Name Lookup can be used for automatic matching.
  • Action If Not Found: Set to Skip to only map existing groups, or Add/Add If Match Regex to auto-create missing Permission Groups.

Export to Active Directory

Changes made to Integriti users can be pushed back to Active Directory using the Export To AD tab in the handler configuration.

  • Setup: An import mapping must be configured first to link Integriti users to their AD counterparts. Export mappings are then configured in the Export Configuration Table.
  • Card Export: Card numbers can be exported to a custom AD field by mapping the Cards property to the target AD column.
  • Skip If Blank: Prevents clearing AD fields when the corresponding Integriti field is empty.
  • Trigger: After the initial sync, any future changes to mapped Integriti user properties are automatically exported to AD.

Handling Disabled/Deleted Accounts

  • Resynchronize Option: If enabled, Integriti will delete user records from the database if they no longer exist on the Domain Controller.
  • Skip If Blank: If enabled, this prevents Integriti fields from being cleared if the corresponding AD attribute contains no data.
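As an added example, not Integriti's own code, the following Python models the rules described under Access Level Assignment (Name Lookup, Map String to Entity, Action If Not Found) and Handling Disabled/Deleted Accounts (Resynchronize, Skip If Blank), together with the accountExpires conversion behind the Expiry Date Time mapping. The function names, the FILETIME interpretation of accountExpires and the sample group names are assumptions, not product behaviour taken from the page.

```python
import re
from datetime import datetime, timedelta, timezone
# Added model of the sync rules on this page, not Integriti's own code.
# accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}  # both mean "never expires"

def account_expires_to_datetime(value):
    """Map accountExpires to an Expiry Date Time (None = no expiry)."""
    ticks = int(value)
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def map_groups(ad_groups, permission_groups, action_if_not_found="Skip",
               match_regex=None, explicit_map=None):
    """Name Lookup matches identical names, an explicit Map String to Entity
    table overrides it, Action If Not Found decides the rest."""
    lookup = {name.lower(): name for name in permission_groups}
    lookup.update({k.lower(): v for k, v in (explicit_map or {}).items()})
    assigned, created = [], []
    for group in ad_groups:
        if group.lower() in lookup:
            target = lookup[group.lower()]
        elif action_if_not_found == "Add" or (
                action_if_not_found == "Add If Match Regex"
                and match_regex and re.search(match_regex, group)):
            created.append(group)               # Permission Group to be created
            target = group
        else:                                   # Skip: unmapped group ignored
            continue
        if target not in assigned:
            assigned.append(target)
    return assigned, created

def merge_user(existing, incoming, skip_if_blank=True):
    """Apply a partial-sync record; Skip If Blank keeps fields AD left empty."""
    merged = dict(existing)
    for field, value in incoming.items():
        if skip_if_blank and value in (None, ""):
            continue                            # do not clear the Integriti field
        merged[field] = value
    return merged

def stale_users(integriti_users, ad_guids, resynchronize=False):
    """Resynchronize option: users whose ActiveDirectoryGuid left the domain."""
    if not resynchronize:                       # option off: nothing is deleted
        return []
    return [u for u in integriti_users if u["ActiveDirectoryGuid"] not in ad_guids]
```

Running map_groups with Action If Not Found set to Skip against a production group list shows which AD groups would silently receive no Integriti permissions, which is worth checking before switching to Add.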