MachPanel ADSync module is the directory synchronization tool that consolidates one Active Directory with another. It performs one-way synchronization and keeps your cloud user accounts updated.
This article provides you information regarding the configuration of ADSync.
Applies to ADSync v4.2 - v6.
- ADSync latest version is 6.0.
- Latest MachPanel Build v7.2.35 supports latest ADSync v6
You need following information:
- You have to Enable ADSync from MachPanel before configuring your ADSync at the local Active Directory.
- Navigate to the following path: Home » Service Director » Active Directory » Active Directory Organizations
- Click on Enable ADsync link as shown in the snapshot below:
- Service Username and Service Password i.e. Login Name and Password to Access the Control Panel customer account who is owner of Hosted Organization which needs to be synced with Client-AD. This can either be a Customer Account or a Contact of Customer in control panel.
Yes, it is required to Reboot ALL Client Domain Controllers (Primary and Additional) at least once where ADSync tool is installed.
- MachPanel Service URL should be accessible from Client-AD.
ADSync is a utility consisting of multiple components used to
synchronize local active directory objects with Hosted/Cloud Active
Directory objects. ADSync utility v6.0 will sync Multiple OU's in a client/local AD with Hosted OU.
Types of object(s) which are currently synchronized.
The data fields which are being synchronized through this utility for User Accounts are:
- proxyAddresses ‘[EUM addresses Only]’
The data fields which are being synchronized through this utility for Groups are:
- Display Name
MachSol ADSync utility is a one way synchronization tool, that enables the synchronization of AD users from local/on-premises to the hosted/cloud AD and vice versa is not currently possible. Editing through MachPanel is disabled for a mailbox enabled for ADSync.
The reason to disable the AD user editing in MachPanel for those organizations which are selected to be synchronized with on-premises ADs is that the information updated on MachPanel shall not be available on client’s on-premises AD. And also as ADSyncSvc periodically updates data from local to hosted AD, the changes done through MachPanel will be voided with the synchronization process.
When installation finishes on Primary Domain Controller, ADSync Configuration Studio appears, fill form according to instructions below and save settings.
- From the Home page you can click settings
Terms used to reference ADs are as under: Please note the difference between Two AD’s:
- Local-AD / Client-AD / On-Premises:
This is the AD where you have installed MachPanel ADSync Utility. Once
ADSync is enabled you can access this local AD and modify user
properties on this AD. These changes will automatically replicate/sync
with the Provider’s AD (hosted AD).
- Provider AD / Hosted AD / Cloud AD: This is the AD that is managed directly by MachPanel Control Server via MachPanel Remote Servers.
Settings will show General & Advanced Setting of ADSync:
Fields of the above screen are described below:
- Control Panel Url: This is the URL to Control Panel Web Service (provided
by host). This can be a Web or IP based address. Check "Tooltip" next to input field for example.
- Domain NetBios name: Local-AD domain NetBios name input field.
- Service Account: Local-AD administrator account with permissions to perform local operations.
- Password: Password for local-ad admin user provided in above field.
- Sync Data Attribute:
Sync Data Attribute’ is used to capture the updating password info and
store its hash in this attribute. Previously this was fixed to
‘division’ attribute of Active Directory User, but now can be customized
to any valid writable Active Directory User attribute. Note
that this attribute is used to temporarily store (encrypted hash)
password before syncing it to hosted user and as soon as user
password/info is synced in next sync cycle it is cleared from the active
- Sync Data every: You can specify Sync interval or use Sync Now option.
- Logging Enabled: Enable/Disable logging. Simple check/uncheck input to whether to enable logging or not.
- Logs Folder: This is Log Path. Select
log folder to create log files in there if logging is required. The log
folder path of ADSync logs should not be of PDC desktop, and the
provided log path should also be present on all ADC.
- Purge Logs after: Select number of days after which logs are cleared from the ADSync folder.
Then under Profiles you can click 'Add Profile' to add a new profile.
Add Profile will display following fields:
- Organization: Input field to set Local-AD/On-Premises
organization LDAP, or use Icon on the right to list all
local organizations and select one of the organizations. This
field is editable so you can even specify the ROOT so that ALL USERS
under this AD get listed all at once. You can specify the ROOT if users
are under different OUs and you want to list all of them in a single
go. In case of large ADs it is recommended to use specific OUs only to
keep this quick as it will take long time to load all users in case of
- User custom filter: Define a filter for Users.
- Sync Security Groups: In order to Sync security Groups from MachPanel for ADSync Enabled organization check option Sync Security Groups.
- Group custom filter: Define a custom filter for security groups.
- Auto Create New User: Allows you to enable / disable auto creation of Local-AD user on the Hosted AD.
This option enables the customer that any new user created in local OU
for this profile will be automatically created on hosted.
- Enable Auto Mapping: Enable/Disable Auto Mapping of all Existing users.
This option enables the customer that all the existing users will be
auto mapped to selected hosted organization on the basis of UPN and
- User Name: Login Name to access the customer account in MachPanel in format: firstname.lastname@example.org. This is owner of
Hosted Organization which needs to be synced with Client-AD. This can
either be a Customer Account or a Contact of Customer. (In
ADSync we need Customer credentials not Reseller/Provider credentials
to fetch list of OU’s. List of all OU’s related to Customer are fetched.)
- Password: Password for user login provided in service user name.
- Target OU: Once
above service credentials are
provided then hosted organizations enabled for ADSync are listed in
the selection input box, select one of the organizations to
synchronize its contents. Only the organization(s) owned by single
customer (whose credentials are provided) are shown.
Add: Adds a profile to the below profiles listing and is saved in configuration file on pressing the Save button on the configuration screen.
Click Save to save all settings.
Add Custom Filters
In "Custom Filter" for user and groups we need to specify sync group and sync user in the group and users description (Any attribute can be used). Below are examples to use Custom Filter for Users and Group which uses "sync user" and "sync group" description. In below snapshot UserA, UserB, UserC, GroupA and GroupB, GroupC are created in Active Directory.
In this example we have specified "sync user" and "sync group" description in custom filter and as a result UserA, UserB and GroupA and GroupB (which have description set accordingly) will get synced. See below snapshots:
Users custom filter: (description=sync user)
Groups custom filter: (description=sync group)
When we specify below custom filter settings in sync group and sync user description that we need not to sync (any number of attributes can be used) for e.g.
- Specify something in company for users that I don’t want to sync
- Specify something in display name for groups that I don’t want to sync
only UserA and GroupA will get synced as shown below:
Users custom filter: (&(description=sync user)(!(company=*)))
Groups custom filter: (&(description=sync group)(!(displayName=*)))