Trustelem AD Connect

On your Windows Server, in « Active Directory Users and Groups »

  • Create a technical user (e.g. trustelem@mycompany.com) with default privileges (unless Self-Service Password Reset is to be set up) and a strong password, with no password change required at next login and a password that never expires.

In Trustelem admin dashboard, « Directory » tab

  • Click on « Create » and select « Active Directory »
  • Give a name to the new directory, and optionally a description
  • Ensure « Use a connector » is checked
  • Download the connector installer (latest release is v1.50)
  • Write down the synchronization ID, then click on « Save »

On each AD domain controller (typically 2 or 3)

  • Launch the installation software (enter the synchronization ID)
  • Configure the Trustelem Windows Service
    • Open Windows Services Manager
    • Select « Trustelem AD Connect »
    • Right-click, select « Properties »
    • On « General » tab, make sure that « Startup type » is set to « Automatic »
    • On « Log On » tab, select « This account » and enter the technical user’s credentials

Launch the service
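The account-creation step and the service configuration above, as an added PowerShell example that is not Trustelem's own tooling: it creates the technical user with the attributes the guide asks for, sets the service to start automatically under that account, starts it, and reports the logon account and start mode you will later compare against the dashboard. The domain name MYCOMPANY, the account name trustelem and the password prompt are assumptions; the display name “Trustelem AD Connect” is the one this guide uses.

```powershell
# Added example (not Trustelem's own tooling). Assumed values: domain MYCOMPANY / mycompany.com,
# account name "trustelem"; service display name "Trustelem AD Connect" as in this guide.
Import-Module ActiveDirectory

$Sam    = 'trustelem'
$Upn    = 'trustelem@mycompany.com'
$Domain = 'MYCOMPANY'

# 1. Technical user: default privileges only, strong password, never expires,
#    no password change at next logon (run once, on any domain controller).
$Password = Read-Host -Prompt "Password for $Upn" -AsSecureString
New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName $Upn `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false -CannotChangePassword $true `
    -Description 'Trustelem AD Connect service account'

# 2. On each domain controller, after the installer has registered the service:
#    resolve the internal service name from the display name, then configure it.
$svc = Get-Service -DisplayName 'Trustelem AD Connect'
Set-Service -Name $svc.Name -StartupType Automatic

# sc.exe needs the space after "obj=" / "password="; it changes the logon account only
# and does NOT grant the "Log on as a service" right (see the note below).
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
sc.exe config $svc.Name obj= "$Domain\$Sam" password= $plain
$plain = $null

# 3. Check what the dashboard will display for this connector (account, start mode, state)
#    before activating it; a mismatch here is what the "avoid spoofing" step looks for.
function Get-ConnectorServiceState {
    Get-CimInstance Win32_Service -Filter "DisplayName='Trustelem AD Connect'" |
        Select-Object Name, StartMode, StartName, State
}

Start-Service -Name $svc.Name
Get-ConnectorServiceState
```

Setting the logon account through the Services console grants the account the “Log on as a service” right automatically; sc.exe does not, so when scripting this step grant that right separately (Local Security Policy or the Group Policy applied to your domain controllers), otherwise Start-Service fails with a logon failure.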

Get back to the Trustelem admin dashboard, « Directory » tab

  • Select the new directory
  • The connector should show up in the table (use « Refresh » button if necessary)
  • Once the connector is up, check the IP address, the server name and the service account (to avoid spoofing), then activate the connector by pushing the orange button
  • Set up the appropriate synchronization rate (note: a high frequency increases the load on your domain controllers)
  • Select the groups to be synchronized
  • Click on « Save »

The synchronization starts; it lasts a few seconds.

The Trustelem connector can be updated without any service interruption:

  • Install the latest release of the connector v1.50 in parallel with your current connector
  • In the directory tab of the Trustelem administration console, select the relevant directory and ensure the new connector is listed first so that it is used in priority
  • Ensure that the new connector is working fine by checking its usage statistics, then you can disable the previous connector in the administration console
  • Finally, you can uninstall the previous connector from your server and then it can be deleted from the Trustelem administration console

On some restricted configurations, the user running the Trustelem connector may not have enough rights to correctly list all users/groups from the directory.

To ensure that this user has the required rights:

  • On Windows Server 2008
    • Open “Active Directory Users and Groups”
    • Right-click on your domain object
    • Go to “Properties”

    • Go to Security tab and click on Advanced
    • Click on “Add”
    • Enter the user name used to run the connector
    • Click the “Properties” tab
    • In “Apply Onto” change the type to User
    • Ensure the “Read MemberOf” checkbox is checked

  • On Windows Server 2012
    • Open ADSI Edit
    • Right-click on your domain object
    • Go to Properties

    • Go to Security tab and click on Advanced
    • Click on “Add”
    • Click on “Select a Principal” and pick the user used by the connector

    • In “Apply Onto” change the type to “This object only”
    • Scroll to “Properties”, find “Read MemberOf” and ensure it is checked

The SSPR service requires the Trustelem connector’s service account to be delegated the right to reset users’ passwords.

  • Open the ‘Active Directory Users and Groups’ panel, right-click on the target domain, then select ‘Delegate Control…’

  • In the delegation wizard, click ‘Next’, then click ‘Add…’

  • Choose the service account executing Trustelem AD Connect. Click on ‘Next’

  • Select the following permission to delegate: ‘Reset user password and force password change at next logon’. Click on ‘Next’

  • Check the summary and click on ‘Finish’

  • You’re done!
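Both of the delegation sections above (the “Read MemberOf” right for restricted configurations and the SSPR password-reset delegation), as one added PowerShell example that is not Trustelem's own tooling. It applies the same ACEs the two GUI procedures create, scoped to descendant user objects of the domain (the “User” choice of the Windows Server 2008 steps; the scope is an assumption on my part), resolving the attribute and extended-right GUIDs from the schema at run time instead of hard-coding them, and finishes with a check that lists the resulting ACEs. The account name MYCOMPANY\trustelem is an assumption; set $GrantSspr to $false to grant only the read right when SSPR is not used.

```powershell
# Added example (not Trustelem's own tooling). Grants the connector's service account the
# rights this guide sets through the GUI, on descendant user objects of the domain.
Import-Module ActiveDirectory

$Account   = 'MYCOMPANY\trustelem'   # assumed: DOMAIN\sAMAccountName of the technical user
$GrantSspr = $true                   # $false when Self-Service Password Reset is not used
$RootDSE   = Get-ADRootDSE
$DomainDN  = (Get-ADDomain).DistinguishedName
$Sid       = ([System.Security.Principal.NTAccount]$Account).Translate(
                 [System.Security.Principal.SecurityIdentifier])

# Resolve schema attribute/class GUIDs and extended-right GUIDs by name.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
         -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
         -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$ReadProp    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$WriteProp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ExtRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$UserClass   = Get-SchemaGuid 'user'

# One ACE: the given right on the given attribute/control right, inherited by User objects only.
function New-ConnectorAce($AdRights, [guid]$ObjectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $AdRights, $Allow, $ObjectType, $Descendants, $UserClass)
}

# "Restricted configurations" section: Read Property on memberOf, applied to User objects.
$rules = @( New-ConnectorAce $ReadProp (Get-SchemaGuid 'memberOf') )

# SSPR section: what the wizard task "Reset user passwords and force password change at
# next logon" delegates, i.e. the Reset Password control access right plus read/write pwdLastSet.
if ($GrantSspr) {
    $rules += New-ConnectorAce $ExtRight (Get-ExtendedRightGuid 'Reset Password')
    $rules += New-ConnectorAce ($ReadProp -bor $WriteProp) (Get-SchemaGuid 'pwdLastSet')
}

$acl = Get-Acl -Path "AD:\$DomainDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

# Check: the ACEs on the domain object that name the connector account. Anything beyond
# ReadProperty/ExtendedRight/WriteProperty on these three object types is more than needed.
function Get-ConnectorAces {
    (Get-Acl -Path "AD:\$DomainDN").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType
}

Get-ConnectorAces
```

Run it once with an account that can modify the domain object's security descriptor (Domain Admins by default); the Get-ConnectorAces output is the equivalent of re-opening the Advanced Security dialog to confirm the entries were written.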