Trustelem AD Connect

Trustelem AD Connect Setup

On your Windows Server, in « Active Directory Users and Groups »

  • Create a technical user (e.g. with default privileges, if Self-Service Password Reset is not to be set up) with a strong password, no password update on next login, and a password that never expires.

In Trustelem admin dashboard, « Directory » tab

  • Click on « Create » and select « Active Directory »
  • Give a name to the new directory, and optionally a description
  • Ensure « Use a connector » is checked
  • Download the connector installer (latest release is v1.50)
  • Write down the synchronization ID, then click on « Save »

On each AD domain controller (typically 2 or 3)

  • Launch the installation software (enter the synchronization ID)
  • Configure the Trustelem Windows Service
    • Open Windows Services Manager
    • Select « Trustelem AD Connect »
    • Right-click, select « Properties »
    • On « General » tab, make sure that « Startup type » is set to « Automatic »
    • On « Log On » tab, select « This account » and enter the technical user’s credentials
  • Launch the service

Get back to the Trustelem admin dashboard, « Directory » tab

  • Select the new directory
  • The connector should show up in the table (use « Refresh » button if necessary)
  • Once the connector is up, check the IP address, the server name and the service account (to avoid spoofing), then activate the connector by clicking the orange button
  • Set up the appropriate synchronization rate (note: a high frequency increases the load on your domain controllers)
  • Select the groups to be synchronized
  • Click on « Save »

The synchronization starts. It lasts a few seconds.

Updating the connector

The Trustelem connector can be updated without any service interruption:

  • Install the latest release of the connector (v1.50) in parallel with your current connector
  • In the « Directory » tab of the Trustelem administration console, select the relevant directory and ensure the new connector is listed first so that it is used in priority
  • Check that the new connector is working correctly by reviewing its usage statistics, then disable the previous connector in the administration console
  • Finally, uninstall the previous connector from your server; it can then be deleted from the Trustelem administration console

Missing users/groups in the Active Directory sync/import

On some restricted configurations, the user running the Trustelem connector may not have enough rights to list all users/groups from the directory correctly.

To ensure that this user has the required rights:

  • On Windows Server 2008
    • Open “Active Directory Users and Groups”
    • Right-click on your domain object
    • Go to “Properties”
    • Go to the “Security” tab and click on “Advanced”
    • Click on “Add”
    • Enter the user name used to run the connector
    • Click the “Properties” tab
    • In “Apply Onto”, change the type to “User”
    • Ensure the “Read MemberOf” checkbox is checked
  • On Windows Server 2012
    • Open ADSI Edit
    • Right-click on your domain object
    • Go to “Properties”
    • Go to the “Security” tab and click on “Advanced”
    • Click on “Add”
    • Click on “Select a Principal” and pick the user used by the connector
    • In “Apply Onto”, change the type to “This object only”
    • Scroll to “Properties”, find “Read MemberOf” and ensure it is checked

Self-Service Password Reset

The SSPR service requires the Trustelem connector’s service account to be delegated the permission to reset user passwords.

  • Open the ‘Active Directory Users and Groups’ panel and right-click on the target domain. Then select the ‘Delegate Control…’ item
  • In the delegation wizard, click on ‘Next’, then click on ‘Add…’. Click on ‘Next’
  • Choose the service account executing Trustelem AD Connect. Click on ‘Next’
  • Select the following permission to delegate: ‘Reset user password and force password change at next logon’. Click on ‘Next’
  • Check the summary and click on ‘Finish’
  • You’re done!
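The following PowerShell script is an added example, not part of the Trustelem documentation or product: it verifies on a domain controller the state this page asks for (the service configuration from the setup section, the technical user’s password settings, and the password-reset delegation from the SSPR section) so that the service account is confirmed to hold exactly the rights described and no more. It assumes the RSAT ActiveDirectory module is installed, that the service display name is “Trustelem AD Connect”, and that `svc-trustelem` is a placeholder for your technical user.

```powershell
# Added verification script; not part of the Trustelem documentation or product.
# Assumptions: RSAT ActiveDirectory module is installed, the service display name is
# "Trustelem AD Connect", and $TechnicalUser is a placeholder for the account you created.
param(
    [string]$TechnicalUser = 'svc-trustelem',          # placeholder: your technical user
    [string]$ServiceDisplayName = 'Trustelem AD Connect'
)
Import-Module ActiveDirectory

# Control access right "Reset Password" (User-Force-Change-Password), the one right SSPR needs
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$domain   = Get-ADDomain
$user     = Get-ADUser $TechnicalUser -Properties PasswordNeverExpires, pwdLastSet
$expected = "$($domain.NetBIOSName)\$TechnicalUser"

# 1. Service: must start automatically and log on as the technical user (not LocalSystem)
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) { throw "Service '$ServiceDisplayName' is not installed on this host" }
$checks = @(
    [pscustomobject]@{ Check = 'Startup type is Automatic'; Pass = ($svc.StartMode -eq 'Auto');    Actual = $svc.StartMode }
    [pscustomobject]@{ Check = "Logs on as $expected";      Pass = ($svc.StartName -ieq $expected); Actual = $svc.StartName }
    # 2. Account: password never expires and no "change at next logon" (pwdLastSet of 0 means forced change)
    [pscustomobject]@{ Check = 'Password never expires';    Pass = $user.PasswordNeverExpires;      Actual = $user.PasswordNeverExpires }
    [pscustomobject]@{ Check = 'No change at next logon';   Pass = ($user.pwdLastSet -ne 0);        Actual = $user.pwdLastSet }
)
$checks | Format-Table -AutoSize

# 3. Delegation: list every ACE on the domain root granted to this account and flag the
#    Reset Password right, so the SSPR delegation can be confirmed to be that right alone
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$acl.Access |
    Where-Object {
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $user.SID.Value }
        catch { $false }   # unresolvable (orphaned) SIDs are skipped
    } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType,
        @{ n = 'IsResetPassword'; e = { $_.ObjectType -eq $ResetPasswordRight } } |
    Format-Table -AutoSize
```

Any row with `Pass` equal to False, or any ACE beyond the single `IsResetPassword` entry (plus the read rights from the “missing users/groups” section), indicates the setup diverges from what this page describes.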