{"id":97084,"date":"2023-10-26T20:42:21","date_gmt":"2023-10-27T00:42:21","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&#038;p=97084"},"modified":"2024-08-20T13:23:38","modified_gmt":"2024-08-20T17:23:38","slug":"configure-adi-two-way-sync","status":"publish","type":"support","link":"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync","title":{"rendered":"Configure ADI: Manage users, groups and passwords in AD, JumpCloud, or both"},"content":{"rendered":"\n<p>The JumpCloud Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between JumpCloud and on-premise or off-premise AD. As covered in <a href=\"https:\/\/jumpcloud.com\/support\/get-started-adi\" target=\"_blank\" rel=\"noreferrer noopener\">Get Started: Active Directory Integration<\/a>, the ADI uses two agents: an Import Agent and a Sync Agent that can be installed in three (3) configurations which are based on where you want to manage users, groups, and passwords:<\/p>\n\n\n\n<ol>\n<li>Manage users, groups, and passwords in AD<\/li>\n\n\n\n<li>Manage users, groups, and passwords in JumpCloud<\/li>\n\n\n\n<li>Manage users and passwords in either system, or both<\/li>\n<\/ol>\n\n\n\n<p>This article provides a step-by-step guide for configuring ADI to <strong>manage users, security groups, and passwords in AD, JumpCloud, or both<\/strong>. This configuration provides the greatest flexibility. It allows AD and JumpCloud to manage user credentials and attributes together in unison, a full two-way sync. Users are able to change passwords within either AD or JumpCloud. It also supports a hybrid approach where specific information is managed in one system and other information is managed in the other system. This configuration supports:<\/p>\n\n\n\n<ul>\n<li>Data syncs bidirectionally between JumpCloud and AD<\/li>\n\n\n\n<li>Passwords managed in either system or both<\/li>\n\n\n\n<li>Users created, updated, and deactivated in either system or both<\/li>\n\n\n\n<li>User (security) groups created and managed in either system or both<\/li>\n\n\n\n<li>Group membership managed in either system or both<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-deployment-configuration-overview\">Deployment Configuration Overview<\/h2>\n\n\n\n<ul>\n<li>Use both the ADI import agent and ADI sync agent<\/li>\n\n\n\n<li>Install agents on either domain controllers (DCs) or member servers<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>To sync passwords from AD to JumpCloud, the import agent must be installed on <em><strong>all<\/strong><\/em> DCs.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ul>\n<li>Add users and security groups under the ADI security group in AD to sync from AD to JumpCloud<\/li>\n\n\n\n<li>Assign users and user groups to the ADI AD domain in JumpCloud to sync from JumpCloud to AD<\/li>\n<\/ul>\n\n\n\n<p>To explore the use cases and benefits of this configuration see&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/configure-the-active-directory-integration#manage-users-and-passwords-in-either-system,-or-both\" target=\"_blank\" rel=\"noreferrer noopener\">Manage users and passwords in either system, or both<\/a> in the&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/configure-the-active-directory-integration\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Active Directory Integration (ADI)<\/a>&nbsp;help center article.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-workflows\">Workflows<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-two-way-sync-single-domain\">Two-way sync &#8211; single domain<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"455\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1024x455.png\" alt=\"\" class=\"wp-image-100296\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1024x455.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-300x133.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-768x341.png 768w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1536x682.png 1536w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain.png 1658w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-two-way-sync-multiple-domains\">Two-way sync &#8211; multiple domains<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"844\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/two-way-sync-multi-domain-1024x844.png\" alt=\"\" class=\"wp-image-100297\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/two-way-sync-multi-domain-1024x844.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/two-way-sync-multi-domain-300x247.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/two-way-sync-multi-domain-768x633.png 768w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/two-way-sync-multi-domain-1536x1266.png 1536w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/two-way-sync-multi-domain.png 1682w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>To learn more about the general user identity workflow and expected behavior for any user, group, and password change after the AD Import and AD Sync agents have been configured, read&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/use-the-Active-Directory-Integration\" target=\"_blank\" rel=\"noreferrer noopener\">Use and Manage the Active Directory Integration (ADI)<\/a>&nbsp;.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"system-requirements\">System Requirements<\/h2>\n\n\n\n<ul>\n<li>64-bit Windows Server (versions 2012, 2016, 2019, 2022)\n<ul>\n<li>Server Core installation is also supported for Windows Server versions 2016, 2019, and 2022. You will need to include the&nbsp;<strong>\/msiexec<\/strong>&nbsp;parameter when running the agent installer<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>15MB disk space<\/li>\n\n\n\n<li>10MB RAM<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-installation-steps-overview\">Installation Steps Overview<\/h2>\n\n\n\n<p>The main steps you will take to install and configure AD for bi-directional use are:<\/p>\n\n\n\n<ol>\n<li>Determine on which servers the AD import agents will be installed: member servers or domain controllers (DCs).<\/li>\n\n\n\n<li>Complete the prerequisite checklist.<\/li>\n\n\n\n<li>Determine the Root User container in AD.<\/li>\n\n\n\n<li>Create the JumpCloud ADI Integration Security Group in AD.<\/li>\n\n\n\n<li>Create the AD Import Service Account.<\/li>\n\n\n\n<li>Create the AD Sync Service Account.<\/li>\n\n\n\n<li>Delegate control for the AD Import and AD Sync Service Accounts.<\/li>\n\n\n\n<li>Create an AD domain instance in JumpCloud.<\/li>\n\n\n\n<li>Select your configuration and download the agents.<\/li>\n\n\n\n<li>Run the the AD Import Agent installation wizard.<\/li>\n\n\n\n<li>Reboot each AD server where the import agent was installed.<\/li>\n\n\n\n<li>Verify the Import Agent Service started.<\/li>\n\n\n\n<li>Complete post-installation AD import agent configuration on each DC.<\/li>\n\n\n\n<li>Run the AD Sync Agent installation wizard.<\/li>\n\n\n\n<li>Verify AD sync and AD import agents in the JumpCloud Admin Portal.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-considerations\">Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"agent-version-considerations\">Agent Version Considerations<\/h3>\n\n\n\n<p><strong>Import Agent<\/strong><\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>When upgrading from AD import agent v2.6.0 or lower, you must select&nbsp;<strong>Install New Agent<\/strong>&nbsp;from the Downloads dropdown menu in the ADI Details page to get the connect key, which is required to complete the upgrade of the agent on the AD server.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ul>\n<li>Import agent v3.0.0 and higher supports delegated user authentication to AD<\/li>\n\n\n\n<li>As of import agent v2.2.1, the following changes were made:\n<ul>\n<li>The default location for all agent related installation, configuration, and log files is C:\\Program Files\\JumpCloud\\AD Integration.<\/li>\n\n\n\n<li>All references to AD Bridge changed to AD Import.<\/li>\n\n\n\n<li>The jcimport username &amp; password and the API key are stored in the registry instead of the ADI Import Agent configuration file. Both the password and API key are encrypted and the values in the registry are replaced with the encrypted value when the import agent starts.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Sync Agent<\/strong><\/p>\n\n\n\n<ul>\n<li>As of ADI sync agent version 4.5.1, the following changes were made:\n<ul>\n<li>The default location for all agent related installation, configuration, and log files is C:\\Program Files\\JumpCloud\\AD Integration\\<\/li>\n\n\n\n<li>The ADI sync agent can be installed independently of the ADI import agent<\/li>\n\n\n\n<li>The ADI sync agent connect key is encrypted and the value in the registry is replaced with the encrypted value when the agent starts<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"delegated-authentication-considerations\">Delegated Authentication Considerations<\/h3>\n\n\n\n<p>The delegated authentication functionality is specific to the ADI AD import agent. Review <a href=\"https:\/\/jumpcloud.com\/support\/adi-use-ad-delegated-authentication\">ADI: Use AD Delegated Authentication<\/a>&nbsp;for specific considerations and more information about delegated authentication to AD.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>When the delegated authentication setting,&nbsp;<strong>Delegated Password Validation<\/strong>, is enabled and <strong>Pending<\/strong> for the ADI configuration and the user&#8217;s<strong> Delegated Authority<\/strong> is <strong>Active Directory<\/strong>, the user will not be able to log in. An AD import agent, version 3.0 or higher, must be installed and active to change the status of <strong>Delegated Password Validation<\/strong> from <strong>Pending<\/strong> to <strong>Active<\/strong>. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>When upgrading the AD import agent to version 3.0, existing users connected to the domain will not have their log in delegated to AD unless the&nbsp;<strong>Delegated Authority<\/strong>&nbsp;is manually set to&nbsp;<strong>Active Directory<\/strong>&nbsp;for those existing users.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ul>\n<li>The delegated authentication setting,&nbsp;<strong>Delegated Password Validation<\/strong>, is disabled by default but can be enabled.<\/li>\n\n\n\n<li>When the delegated authentication setting,&nbsp;<strong>Delegated Password Validation<\/strong>, is enabled and active: \n<ul>\n<li>All users imported from AD to JumpCloud by import agent v3.0.0 or higher will have their <strong>Delegated Authority<\/strong> automatically set to <strong>Active Directory<\/strong> and their login to the JumpCloud User Portal and SSO login delegated to AD for validation.<\/li>\n\n\n\n<li>Existing AD users imported from AD to JumpCloud no longer have to reset their password in AD to log in to JumpCloud managed resources when delegation is enabled for them.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>When the delegated authentication setting,&nbsp;<strong>Delegated Password Validation<\/strong>, is disabled:\n<ul>\n<li>All users imported by import agent v3.0.0 or higher will have their <strong>Delegated Authority<\/strong> automatically set to <strong>Active Directory<\/strong> and their login to the JumpCloud User Portal and SSO login delegated to AD for validation.<\/li>\n\n\n\n<li>Existing AD users imported from AD to JumpCloud no longer have to reset their password in AD to log in to JumpCloud managed resources when delegation is enabled for them.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">General Installation Considerations<\/h3>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>All installed agents should be the same version to avoid unexpected behavior or the potential for users not being able to log in if the primary agent is switched.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>You must reboot the servers after the AD Import Agent installation.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>You DO NOT need to reboot the servers after the AD Sync Agent installation.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ul>\n<li>The AD sync agent does not need to be installed on all servers.<\/li>\n\n\n\n<li>Connect Keys are one-time use keys required for installing the agents on a new AD server. They <strong>expire<\/strong> in seven days.<\/li>\n\n\n\n<li>The AD Domain and Root User container DN must be the same for both the AD import agent and AD sync agent&nbsp;<\/li>\n\n\n\n<li>Non-standard ASCII characters are not supported in the Root User DN.<\/li>\n\n\n\n<li>When upgrading an agent, the installation wizard prompts for minimal information:\n<ul>\n<li>Directory for where the installation should occur.<\/li>\n\n\n\n<li>Finish screen.<\/li>\n\n\n\n<li>Upgrading from AD import agent v2.6.0 or lower to v3.0.0 or higher will also prompt for the import agent connect key.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>An ADI integration specific Security Group (e.g., \u201cJumpCloud\u201d) must be configured within the root user container or root OU to import and sync users from AD to JumpCloud:<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p> In multi-domain environments, the security group must have a unique name within each domain (e.g., \u201cJumpCloud (mydomain1)\u201d and \u201cJumpCloud (mydomain2)\u201d)<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ul>\n<li>Demoting a DC installation to a member server and promoting a member server installation to a DC aren\u2019t supported.&nbsp; The agent(s) must be uninstalled first and then installed on the other type of server.<\/li>\n\n\n\n<li>A reinstall of the same ADI import agent is treated as an update.<\/li>\n\n\n\n<li>When multiple AD agents are installed, one is designated as the primary agent by the ADI service. All create and change requests are sent to that agent. If that agent becomes unavailable, another active agent is automatically designated as the primary.<\/li>\n\n\n\n<li>When updating an existing agent installation, only minimal installation screens are shown:\n<ul>\n<li>Directory for where the installation should occur<\/li>\n\n\n\n<li>Finish screen<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"member-server-installation-considerations\">Member Server Installation Considerations<\/h3>\n\n\n\n<p>The following are considerations only if you choose to install the ADI agents on member servers:<\/p>\n\n\n\n<p><strong>Import Agent<\/strong><\/p>\n\n\n\n<ul>\n<li>The AD password&nbsp;<strong>does<\/strong>&nbsp;<strong>NOT<\/strong>&nbsp;sync from AD to JumpCloud. Users imported and synced from AD will not have a password in JumpCloud.<\/li>\n\n\n\n<li>A server reboot is required.<\/li>\n<\/ul>\n\n\n\n<p><strong>Sync Agent<\/strong><\/p>\n\n\n\n<ul>\n<li>If you have member servers in your AD environment, installing the sync agent on member servers is the recommended option.<\/li>\n\n\n\n<li>All sync agent functionality works when the agent is installed on member servers.<\/li>\n\n\n\n<li>A server reboot is NOT required.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"domain-controller-(dc)-installation-considerations\">Domain Controller (DC) Installation Considerations<\/h3>\n\n\n\n<p>The following are considerations only if you choose to install the agents on DCs:<\/p>\n\n\n\n<p><strong>Import Agent<\/strong><\/p>\n\n\n\n<ul>\n<li>Downtime should be scheduled. The installation requires a server reboot.<\/li>\n\n\n\n<li>An import agent must be installed on&nbsp;<strong><em>all<\/em><\/strong>&nbsp;Domain Controllers.<\/li>\n\n\n\n<li>AD passwords&nbsp;<strong>will<\/strong>&nbsp;sync from AD to JumpCloud. <\/li>\n<\/ul>\n\n\n\n<p><strong>Sync Agent<\/strong><\/p>\n\n\n\n<ul>\n<li>A sync agent does NOT need to be installed on&nbsp;<strong><em>all<\/em><\/strong>&nbsp;Domain Controllers.<\/li>\n\n\n\n<li>Installing the sync agent on more than one DC is recommended for redundancy and high-availability .<\/li>\n\n\n\n<li>The installation does not require a server reboot.<\/li>\n\n\n\n<li>JumpCloud passwords&nbsp;<strong>will<\/strong>&nbsp;sync from JumpCloud to AD.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security Considerations<\/h3>\n\n\n\n<ul>\n<li>It is <strong>STRONGLY<\/strong> recommended to <a href=\"https:\/\/jumpcloud.com\/support\/configure-adi-to-use-ldaps\">install and use LDAPS<\/a> for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users<\/li>\n\n\n\n<li> We recommend periodically rotating the passwords for the server accounts used by the integration e.g., <strong>jcimport<\/strong> and <strong>jcsync<\/strong>) for security reasons.<\/li>\n\n\n\n<li>API tokens are specific to each Admin account. Use a separate, dedicated account for this integration to prevent the possibility of breaking the ADI connectivity to your JumpCloud organization when an Admin account is deleted.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>If the JumpCloud Administrator Account associated with the import is deleted or the API key is rotated, the import will stop working.  All imports will fail until a valid API key is generated and updated in the registry on the AD servers.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Password Considerations<\/h3>\n\n\n\n<ul>\n<li>Password complexity requirements in AD and JumpCloud should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements.<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Users imported from AD to JumpCloud will have their <strong>Password Authority<\/strong> set to <strong>None (JumpCloud)<\/strong>. This setting can be changed from <strong>Users&gt;More Actions&gt;Set External Password Authority<\/strong> or directly from the User Details page.<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>When the JumpCloud AD import agent is installed on <strong>member servers<\/strong>, the AD password <strong>does NOT <\/strong>sync to JumpCloud.\n<ul>\n<li>This configuration is used when user passwords are managed in JumpCloud.<\/li>\n\n\n\n<li>Users imported from AD will not have their AD password stored on their initial login to JumpCloud nor will the password sync from AD to JumpCloud.<\/li>\n\n\n\n<li>Users imported from AD will have<\/li>\n\n\n\n<li>When a user&#8217;s <strong>Password Authority<\/strong> is set to <strong>None (JumpCloud)<\/strong> the password can set and managed in JumpCloud.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>Users will not be able to log in to JumpCloud User Portal or SSO apps if JumpCloud AD import agent is installed on <strong>member servers<\/strong>, the user&#8217;s <strong>Password Authority<\/strong> is set to <strong>Active Directory<\/strong>, and the user&#8217;s <strong>Delegated Authority<\/strong> is set to <strong>None<\/strong>. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ul>\n<li>When the JumpCloud AD import agent is installed on <strong>all DCs<\/strong>, the AD password <strong>does<\/strong> sync from AD to JumpCloud. This means that the password will be saved in both AD and JumpCloud. \n<ul>\n<li>When a user&#8217;s <strong>Password Authority<\/strong> is set to <strong><strong>None (JumpCloud)<\/strong><\/strong>:\n<ul>\n<li>Passwords can be managed in AD, JumpCloud, or both.<\/li>\n\n\n\n<li>Password expiration notifications are sent from JumpCloud.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>When a user&#8217;s <strong>Password Authority<\/strong> is set to <strong><strong>Active Directory<\/strong><\/strong>:\n<ul>\n<li>The password cannot be set or changed password in JumpCloud, with the exception of the link from the password expiration notification.<\/li>\n\n\n\n<li>Passwords must be managed in AD.<\/li>\n\n\n\n<li>Password expiration notifications are sent from JumpCloud.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-user-sync-considerations\">User Sync Considerations<\/h3>\n\n\n\n<ul>\n<li>Synced users must have values for &lt;First Name&gt; and &lt;Last Name&gt;, i.e., the first name and last name fields cannot be empty, otherwise the users will fail to sync.<\/li>\n\n\n\n<li>The JumpCloud ADI import and sync agent services use TLS for all communication. If no network connectivity exists to JumpCloud, the ADI won\u2019t work properly&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Sync from AD to JumpCloud<\/strong><\/p>\n\n\n\n<ul>\n<li>We recommend that all users you plan to import from AD into JumpCloud live in a single OU or be nested underneath a chosen OU (Root user container) in AD. This can be the default CN=Users container in AD or an alternate custom OU in the directory.\n<ul>\n<li>If you relocate users in AD outside of the Root User Container, you could disrupt password synchronization, or remove users and groups from your JumpCloud instance, along with any associated data and resource associations.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>To sync users from AD to JumpCloud, users must be members of the ADI specific Security Group (e.g., \u201cJumpCloud\u201d or &#8220;JumpCloud -Domain1&#8221;) or of a Security Group nested under this Security Group<\/li>\n\n\n\n<li>Users who are imported from AD to JumpCloud will automatically have their <strong>Password Authority<\/strong> set to <strong>Active Directory<\/strong> by default and the attributes that sync will be read-only in both the Admin Portal and in User Portal. These fields become restrictedFields.<\/li>\n\n\n\n<li>You can manage users in 2 ways:\n<ul>\n<li>Individually by adding them to the security group created for this integration, located in the designated OU&nbsp;<\/li>\n\n\n\n<li>Using groups located in or nested in the designated Root user container by adding those groups as a member of the JumpCloud Integration Security Group<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>ADI Import Agent settings in the <strong>jcadimportagent.config.json<\/strong> file control the behaviors that occur in JumpCloud when certain actions are taken on the user in AD\n<ul>\n<li>Removing users from the JumpCloud integration Security Group within AD will either delete those users in JumpCloud and deprovision them from all bound resources or disconnect them from the AD integration, leaving them active in JumpCloud and allowing them to be managed in JumpCloud directly. The behavior is controlled by the UserDissociationAction setting in AD Import Agent configuration file<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Removing users from the JumpCloud Integration Security Group within AD will either delete those users in JumpCloud and deprovision them from all bound resources or disconnect them from the AD integration, leaving them active in JumpCloud and allowing them to be managed in JumpCloud directly. The behavior is controlled by the UserDissociationAction setting in AD Import Agent configuration file&nbsp;<\/li>\n\n\n\n<li>Importing <a href=\"https:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx\" target=\"_blank\" rel=\"noreferrer noopener\">privileged user accounts<\/a>, such as Domain Admins and accounts with \u201cadminCount=1\u201d, into JumpCloud from AD, isn\u2019t supported. <\/li>\n\n\n\n<li>The <strong>Password Authority<\/strong> setting can be changed for a specific user from their user record directly or for multiple users from <strong>Users<\/strong> &gt;<strong>More Actions<\/strong>&gt;<strong>Set External Password Authority<\/strong>. <\/li>\n\n\n\n<li><\/li>\n<\/ul>\n\n\n\n<p><strong>Export and sync from JumpCloud to AD<\/strong><\/p>\n\n\n\n<ul>\n<li>Users created in AD from JumpCloud are created in the AD root container. <\/li>\n<\/ul>\n\n\n\n<p><strong>Regular<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-migrating-device-accounts-from-ad-managed-to-jumpcloud-managed\">Migrating device accounts from AD Managed to JumpCloud Managed<\/h3>\n\n\n\n<ul>\n<li>JumpCloud has a tool, called the <a href=\"https:\/\/github.com\/TheJumpCloud\/jumpcloud-ADMU\/wiki\" target=\"_blank\" rel=\"noreferrer noopener\">ADMU<\/a>, which is used to migrate end-user Windows computers from AD to JumpCloud<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"attributes\">Attributes<\/h2>\n\n\n\n<p>The user attributes that sync from AD to JumpCloud are:<\/p>\n\n\n\n<ul id=\"block-574e89ae-3346-43d1-b1c7-a6a49e5a890d\">\n<li>First Name<\/li>\n\n\n\n<li>Last Name<\/li>\n\n\n\n<li>Username<\/li>\n\n\n\n<li>Email<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>These attributes become read-only (restrictedFields) in JumpCloud when a user&#8217;s&nbsp;<strong>Password Authority<\/strong>&nbsp;is set to&nbsp;<strong>Active Directory<\/strong>. The&nbsp;<strong>Password Authority<\/strong>&nbsp;setting can be changed for a specific user directly from their User Details page or for multiple users from&nbsp;<strong>Users<\/strong>&nbsp;&gt;<strong>More Actions<\/strong>&gt;<strong>Set External Password Authority<\/strong>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-prerequisite-checklist\"><strong>Prerequisite Checklist<\/strong><\/h2>\n\n\n\n<p>Before installing the AD import and AD sync agents, we recommend completing each of the following checklist items before continuing.<\/p>\n\n\n\n<ol>\n<li>Know your AD Domain Admin credentials.<\/li>\n\n\n\n<li>Decide whether you want to install the sync agents on your AD domain\u2019s non-DC Domain Member Servers (member servers) or Domain Controllers (DCs).\n<ul>\n<li>When installing the <strong>import agent on DCs<\/strong>, <strong>schedule downtime. <\/strong>Installation requires server reboot!&nbsp;<\/li>\n\n\n\n<li>If <strong>installing the AD sync agent on DCs<\/strong>, we recommend that you install the AD Sync agent on your Primary DC and any DC impacted by extended replication delays.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Verify you have access to <em>all<\/em> DCs or member servers in the AD domain.<\/li>\n\n\n\n<li>Ensure your DCs or member servers are running on a JumpCloud supported 64-bit Windows Server version (2012, 2016, 2019, 2022).<\/li>\n\n\n\n<li>Verify DCs or member servers have networking access to the internet and are able to communicate outbound to <strong>console.jumpcoud.com<\/strong> over HTTPS port 443.&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/jumpcloud.com\/support\/manage-admin-accounts#creating-jumpcloud-administrators\" target=\"_blank\" rel=\"noreferrer noopener\">Create a dedicated Administrator account<\/a> in JumpCloud that is specifically for the ADI.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>API tokens are specific to each Admin account. Create a separate, dedicated account for this integration to prevent the possibility of breaking the ADI connectivity to your JumpCloud organization when an Admin account is deleted.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"7\">\n<li><a href=\"https:\/\/jumpcloud.com\/support\/jumpcloud-apis\" target=\"_blank\" rel=\"noreferrer noopener\">Generate and securely store the API key<\/a> for the ADI dedicated Administration account.<\/li>\n\n\n\n<li>Verify all users to be synced from AD to JumpCloud and JumpCloud to AD have a value for first name and last name.<\/li>\n\n\n\n<li>Align password complexity requirements between AD and JumpCloud as closely as possible. Otherwise, passwords may not replicate if they\u2019re rejected by the destination directory\u2019s complexity requirements.<\/li>\n\n\n\n<li>(<strong>Recommended<\/strong>) Verify all users you plan to import into JumpCloud live in a single OU or are nested underneath a chosen OU (Root user container) in AD. This can be the default CN=Users container in AD or an alternate custom OU in the directory.&nbsp;<\/li>\n\n\n\n<li>Review <a href=\"https:\/\/jumpcloud.com\/support\/advanced-configurations-for-active-directory-ad-import\" target=\"_blank\" rel=\"noreferrer noopener\">Advanced Configurations for the Active Directory Import Agent<\/a> to understand the configuration settings available for the import agent and note any default values that need to be changed as part of the installation.<\/li>\n\n\n\n<li>(<strong>Strongly recommended<\/strong>) Install LDAPS.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>We <strong>strongly<\/strong> recommend <a href=\"https:\/\/jumpcloud.com\/support\/configure-adi-to-use-ldaps\">installing and using LDAPS<\/a> for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-prepare-ad-for-the-agent-installations\">Prepare AD for the Agent Installations<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-determine-root-user-container\">Determine Root User Container<\/h4>\n\n\n\n<p>Prepare for the agent installations in AD by determining the Root User Container.<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>The AD Domain and Root User container DN needs to be the same for both the AD import agent and AD sync agent.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-ad-import-agent\">AD Import Agent<\/h4>\n\n\n\n<p>The JumpCloud AD Import agent is designed to integrate with AD\u2019s default \u2018Users\u2019 container (CN=Users) which is pre-populated in the AD Users and Computers (ADUC) interface and labeled as \u201cUsers\u201d as shown in the following image. (This is a default domain with no custom containers. In this use-case the Root Container is CN=Users;DC=example;DC=com).&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"717\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/ad-users-and-computers-1024x717.png\" alt=\"\" class=\"wp-image-100301\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-users-and-computers-1024x717.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-users-and-computers-300x210.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-users-and-computers-768x538.png 768w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-users-and-computers-1536x1076.png 1536w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-users-and-computers.png 1770w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The import agent installation wizard assumes that this is the Root User container and uses this path in your AD Import agent configuration file. During installation, you\u2019re prompted for the domain components (DC) used in your AD Domain (i.e., DC=example;DC=com). The installation wizard uses this base level domain information to construct the following Root user container DN (Distinguished Name).<\/p>\n\n\n\n<p>EXAMPLE: CN=Users;DC=example;DC=com<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>If CN=Users isn\u2019t the Root User Container you want to use in your AD instance, you can update the path in the agent configuration file, <strong>jcadimportagent.config.json<\/strong>, after the AD Import agent install completes. This is covered in the Configure AD Import Agent section below<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-ad-sync-agent\">AD Sync Agent<\/h4>\n\n\n\n<p>The AD sync agent installation wizard prompts you to enter the Root User Container during the JumpCloud AD sync agent installation.&nbsp;<\/p>\n\n\n\n<p>If you want to use AD\u2019s default Root User container for the JumpCloud AD Integration, the value you will need to enter during the AD sync agent installation is <kbd>CN=Users;DC=example;DC=com<\/kbd><\/p>\n\n\n\n<p>If AD\u2019s default Root User container (CN=Users) isn\u2019t the Root User Container you want to use for your JumpCloud AD integration, follow the steps below to get the distinguishedName value you will need to enter during the AD sync agent installation. You will need to follow similar steps to update the Root User Container value in the AD import after the AD Import agent install completes.<\/p>\n\n\n\n<ol>\n<li>Verify the full LDAP path for the chosen Root user container you have selected in ADUC:\n<ol style=\"list-style-type:lower-alpha\" class=\"is-lower-alpha\">\n<li>From the ADUC panel\u2019s <strong>View<\/strong> menu, enable <strong>Advanced Features<\/strong>.&nbsp;<\/li>\n\n\n\n<li>Right-click the container and select <strong>Properties<\/strong>.&nbsp;<\/li>\n\n\n\n<li>Select the <strong>Attribute Editor<\/strong> tab.&nbsp;<\/li>\n\n\n\n<li>Select the \u201c<strong>distinguishedName<\/strong>\u201d attribute, then click <strong>View<\/strong>.<\/li>\n\n\n\n<li>Note the value.&nbsp;It will need to be entered during the AD sync agent installation.<br><img decoding=\"async\" width=\"1674\" height=\"1164\" class=\"wp-image-100302\" style=\"width: 1200px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/string-attribute-editor.png\" alt=\"\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/string-attribute-editor.png 1674w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/string-attribute-editor-300x209.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/string-attribute-editor-1024x712.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/string-attribute-editor-768x534.png 768w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/string-attribute-editor-1536x1068.png 1536w\" sizes=\"(max-width: 1674px) 100vw, 1674px\" \/><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-create-the-jumpcloud-adi-integration-security-group-in-ad\">Create the JumpCloud ADI Integration Security Group in AD<\/h4>\n\n\n\n<p>A Security Group for the integration must be created within the Root User Container you\u2019ve defined in the previous step. This Security Group is required. Any member of this group will be synced from AD to JumpCloud.<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>If you do not create this group or give it a unique name across domains, the ADI sync from AD to JumpCloud will fail to function properly.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol>\n<li>Open the ADUC Menu, click the Start button, type \u201cdsa\u201d and click the <strong>Active Directory Users and Computers<\/strong> icon. <img decoding=\"async\" width=\"467\" height=\"87\" class=\"wp-image-88905\" style=\"width: 150px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/aduc_icon.jpeg\" alt=\"\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/05\/aduc_icon.jpeg 467w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/05\/aduc_icon-300x56.jpeg 300w\" sizes=\"(max-width: 467px) 100vw, 467px\" \/><\/li>\n\n\n\n<li>Find your Root User Container.<\/li>\n\n\n\n<li>Right-click the Root User Container\u2019s folder and click <strong>New<\/strong> &gt; <strong>Group<\/strong>.\n<ol style=\"list-style-type:lower-alpha\" class=\"is-lower-alpha\">\n<li>Ensure the Security Group is a Global Security Group.<\/li>\n\n\n\n<li>Give the Security Group a name that helps identify it as the group used by the ADI (e.g., \u201cJumpCloud\u201d for single domain environments, \u201cJumpCloud (Domain)\u201d for multi-domain environments).<br><img decoding=\"async\" width=\"1264\" height=\"1176\" class=\"wp-image-100306\" style=\"width: 600px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/ad-new-obj-group.png\" alt=\"\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-group.png 1264w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-group-300x279.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-group-1024x953.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-group-768x715.png 768w\" sizes=\"(max-width: 1264px) 100vw, 1264px\" \/><\/li>\n\n\n\n<li>Click <strong>OK<\/strong>.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>In multi-domain environments, the security group must have a unique name within each domain (e.g., \u201cJumpCloud (mydomain1)\u201d and \u201cJumpCloud (mydomain2)\u201d).<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-create-the-ad-import-service-account-in-ad\">Create the AD Import Service Account in AD<\/h3>\n\n\n\n<p>After you identify the \u2018Root user DN\u2019 that you want to use with your JumpCloud integration, you proceed by creating a new AD-based service account (standard user account) that allows the JumpCloud AD import agent to manage users and groups.<\/p>\n\n\n\n<ol>\n<li>Open the ADUC Menu, click the Start button, type \u201cdsa\u201d and click the <strong>Active Directory Users and Computers<\/strong> icon.<\/li>\n\n\n\n<li>Find your Root User Container.<\/li>\n\n\n\n<li>Right-click the container and click <strong>New<\/strong> &gt; <strong>User<\/strong>.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>This user cannot:<\/p>\n\n\n\n<ul>\n<li>Be a Domain Administrator<\/li>\n\n\n\n<li>Be a member of the JumpCloud integration security group<\/li>\n\n\n\n<li>Have a username of \u201cJumpCloud\u201d<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"4\">\n<li>Enter the following values for the JumpCloud Import Service Account user:\n<ol style=\"list-style-type:lower-alpha\" class=\"is-lower-alpha\">\n<li>First Name: JumpCloud<\/li>\n\n\n\n<li>Last Name: Import<\/li>\n\n\n\n<li>User logon name: jcimport<br><img decoding=\"async\" width=\"1354\" height=\"1174\" class=\"wp-image-100309\" style=\"width: 600px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/ad-new-obj-user.png\" alt=\"\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-user.png 1354w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-user-300x260.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-user-1024x888.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-user-768x666.png 768w\" sizes=\"(max-width: 1354px) 100vw, 1354px\" \/><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>Use <strong>jcimport<\/strong> to distinguish what this user is for and to which agent it is attached. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"5\">\n<li>Enter a password for the <strong>jcimport<\/strong> user and ensure that it is set to <strong>Never Expire<\/strong> since this will be a service account for the Import Agent.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>This password should still be rotated periodically for security reasons.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"6\">\n<li>Click <strong>Save<\/strong>.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-create-the-ad-sync-service-account-in-ad\">Create the AD Sync Service Account in AD<\/h3>\n\n\n\n<p>After you identify the Root User Container (\u2018Root user DN\u2019)&nbsp;that you want to use with your JumpCloud AD integration, create a new AD-based service account (standard user account) that allows the JumpCloud AD sync agent to manage users and groups.<\/p>\n\n\n\n<ol>\n<li>Open the ADUC Menu, click the <strong>Start <\/strong>button, type \u201cdsa\u201d and click the <strong>Active Directory Users and Computers<\/strong> icon.<\/li>\n\n\n\n<li>Find your Root User Container, right-click the container and click <strong>New<\/strong> &gt; <strong>User<\/strong>.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>This user cannot:<\/p>\n\n\n\n<ul>\n<li>Be a Domain Administrator.<\/li>\n\n\n\n<li>Have a username of \u201cJumpCloud\u201d.<\/li>\n\n\n\n<li>Be a member of the JumpCloud security group.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"3\">\n<li>Enter the following values for the JumpCloud Import Service Account user:\n<ol style=\"list-style-type:lower-alpha\" class=\"is-lower-alpha\">\n<li>First Name: JumpCloud<\/li>\n\n\n\n<li>Last Name: Sync<\/li>\n\n\n\n<li>User logon name: jcsync<br><img decoding=\"async\" width=\"1342\" height=\"1166\" class=\"wp-image-100312\" style=\"width: 600px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/ad-new-obj-user-sync.png\" alt=\"\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-user-sync.png 1342w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-user-sync-300x261.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-user-sync-1024x890.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-new-obj-user-sync-768x667.png 768w\" sizes=\"(max-width: 1342px) 100vw, 1342px\" \/><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>Use <strong>jcsync<\/strong> to distinguish what this user is for and to which agent it is attached. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"4\">\n<li>Click <strong>Next<\/strong><\/li>\n\n\n\n<li>Enter a password for the <strong>jcsync<\/strong> user and ensure that it is set to <strong>Never Expire<\/strong> since this will be a service account for the Sync Agent.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>This password should still be rotated periodically for security reasons.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"6\">\n<li>Click <strong>Save<\/strong>.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-delegate-control-for-the-ad-import-and-sync-service-accounts-in-ad\">Delegate Control for the AD Import and Sync Service Accounts in AD<\/h4>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>If you will be using a Root user container DN other than the \u2018Users\u2019 default, you need to do these steps on that chosen container in your AD.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol>\n<li>Navigate to the Root User Container in ADUC that you have selected, right-click the container and select <strong>Delegate<\/strong> <strong>Control<\/strong>. This launches the <strong>Delegation of Control<\/strong> <strong>Wizard<\/strong>.<\/li>\n\n\n\n<li>Click <strong>Next<\/strong>.<\/li>\n\n\n\n<li>Add the newly created service account user to the Delegation of Control Wizard.<br><img decoding=\"async\" width=\"1454\" height=\"1136\" class=\"wp-image-100315\" style=\"width: 600px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/ad-delegation-of-control-wiz.png\" alt=\"\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-delegation-of-control-wiz.png 1454w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-delegation-of-control-wiz-300x234.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-delegation-of-control-wiz-1024x800.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/ad-delegation-of-control-wiz-768x600.png 768w\" sizes=\"(max-width: 1454px) 100vw, 1454px\" \/><\/li>\n\n\n\n<li>Click <strong>Next<\/strong>, then select the following tasks:\n<ol style=\"list-style-type:lower-alpha\" class=\"is-lower-alpha\">\n<li>Create, delete, and manage user accounts.<\/li>\n\n\n\n<li>Reset user passwords and force password change at next logon.<\/li>\n\n\n\n<li>Read all user information.<\/li>\n\n\n\n<li>Create, delete, and manage groups.<\/li>\n\n\n\n<li>Modify the membership of a group.<br><img decoding=\"async\" width=\"1454\" height=\"1138\" class=\"wp-image-100316\" style=\"width: 600px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/tasks-to-delegate.png\" alt=\"\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/tasks-to-delegate.png 1454w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/tasks-to-delegate-300x235.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/tasks-to-delegate-1024x801.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/tasks-to-delegate-768x601.png 768w\" sizes=\"(max-width: 1454px) 100vw, 1454px\" \/><\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Click <strong>Next<\/strong>, then click <strong>Finish<\/strong> at the final screen.<\/li>\n\n\n\n<li>Right-click the Root User Container in ADUC again and select <strong>Delegate Control<\/strong>.&nbsp;<\/li>\n\n\n\n<li>Click <strong>Next<\/strong>.<\/li>\n\n\n\n<li>Add the JumpCloud Import Agent account to the Delegation of Control Wizard.<br><img decoding=\"async\" width=\"1436\" height=\"1114\" class=\"wp-image-100318\" style=\"width: 600px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/add-import-to-delegation-of-control.png\" alt=\"\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/add-import-to-delegation-of-control.png 1436w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/add-import-to-delegation-of-control-300x233.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/add-import-to-delegation-of-control-1024x794.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/add-import-to-delegation-of-control-768x596.png 768w\" sizes=\"(max-width: 1436px) 100vw, 1436px\" \/><\/li>\n\n\n\n<li>Click <strong>Next<\/strong>, then select <strong>Read all user information<\/strong>.<br><img decoding=\"async\" width=\"1454\" height=\"1138\" class=\"wp-image-100319\" style=\"width: 600px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/delegation-of-tasks-import.png\" alt=\"\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/delegation-of-tasks-import.png 1454w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/delegation-of-tasks-import-300x235.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/delegation-of-tasks-import-1024x801.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/delegation-of-tasks-import-768x601.png 768w\" sizes=\"(max-width: 1454px) 100vw, 1454px\" \/><\/li>\n\n\n\n<li>Click <strong>Next<\/strong>, then click <strong>Finish<\/strong> at the final screen.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-install-the-ad-import-and-sync-agents\">Install the AD Import and Sync Agents<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-create-an-adi-ad-domain-in-jumpcloud\"><strong>Create an ADI AD Domain in JumpCloud<\/strong><\/h3>\n\n\n\n<p>Create a new ADI domain instance in JumpCloud if one does not already exist.<\/p>\n\n\n\n<ol>\n<li>Log in to the <a href=\"https:\/\/console.jumpcloud.com\/login\/admin\" target=\"_blank\" rel=\"noreferrer noopener\">JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n<li>Go to <strong>Directory Integrations <\/strong>&gt;<strong> Active Directory<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/11\/adi-instance.jpg\" alt=\"\" \/><\/figure>\n\n\n\n<ol start=\"3\">\n<li>Click<strong> ( + Add ADI Domain )<\/strong>.<\/li>\n\n\n\n<li>Select&nbsp;<strong>Manage users and passwords in JumpCloud<\/strong>, <strong>AD or both.<\/strong><\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/Snag_1f23d5cb-1024x511.png\" alt=\"\" \/><\/figure>\n\n\n\n<ol start=\"3\">\n<li>Enter the name of an Active Directory domain that you want to integrate with your JumpCloud tenant. For example, \u201c<kbd>DC=example;DC=com<\/kbd>\u201d.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>The \u201cDC\u201d must be in capital letters. Each value must be separated with a semicolon (<strong>;<\/strong>) not a comma. There should be no spaces. The domain case must be the same as it is in the AD import configuration file.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/Snag_1f26802b-1024x608.png\" alt=\"\" \/><\/figure>\n\n\n\n<ol start=\"6\">\n<li>Click <strong>Save<\/strong>.<\/li>\n\n\n\n<li>If you want to use delegated authentication, select the checkbox for <strong>Delegated Password Validation<\/strong>.\n<ul>\n<li>This option may be useful when importing existing users from AD to JumpCloud.  It allows them to log in to the JumpCloud User Portal using their existing AD credentials for the first time. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"471\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2Way-Step3_DelegationEnabled_Focus-1024x471.png\" alt=\"\" class=\"wp-image-114456\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2Way-Step3_DelegationEnabled_Focus-1024x471.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2Way-Step3_DelegationEnabled_Focus-300x138.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2Way-Step3_DelegationEnabled_Focus-768x354.png 768w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2Way-Step3_DelegationEnabled_Focus-1536x707.png 1536w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-download-the-agents\"><strong>Download the agents <\/strong><\/h3>\n\n\n\n<ol start=\"1\">\n<li>Click <strong>Download Import Agent<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"610\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/New ADI domain_2Way-Step3-1024x610.png\" alt=\"\" class=\"wp-image-114332\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New%20ADI%20domain_2Way-Step3-1024x610.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New%20ADI%20domain_2Way-Step3-300x179.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New%20ADI%20domain_2Way-Step3-768x458.png 768w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New%20ADI%20domain_2Way-Step3.png 1440w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ol start=\"2\">\n<li>The Import Agent installer will automatically save to your local <strong>Downloads <\/strong>folder.<\/li>\n\n\n\n<li>After downloading the agent, note and store the 3 values needed for the agent installation:\n<ul>\n<li>Your JumpCloud Organization ID<\/li>\n\n\n\n<li>Your Import Agent Connect Key<\/li>\n\n\n\n<li>The API key for the dedicated admin account for the integration<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"636\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2way-Step2_ImportAgentDownload-1024x636.png\" alt=\"\" class=\"wp-image-114697\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2way-Step2_ImportAgentDownload-1024x636.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2way-Step2_ImportAgentDownload-300x186.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2way-Step2_ImportAgentDownload-768x477.png 768w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2way-Step2_ImportAgentDownload.png 1407w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ol start=\"4\">\n<li>Copy and securely store the values.<\/li>\n\n\n\n<li>If you already generated an API key but didn\u2019t store it, you will need to regenerate it.&nbsp;Regenerating an API key will break any currently installed import agents and all other integrations using that API key.&nbsp;Be cautious with this option.&nbsp;See <a href=\"https:\/\/jumpcloud.com\/support\/rotate-the-ad-import-api-key\">Rotate the Active Directory Import API Key<\/a> for more information.<\/li>\n\n\n\n<li>Click <strong>Close<\/strong>.<\/li>\n\n\n\n<li>Click <strong>Download Sync Agent<\/strong>.<\/li>\n\n\n\n<li>The Sync Agent installer will automatically save to your local <strong>Downloads <\/strong>folder.<\/li>\n\n\n\n<li>The <strong>Install Sync Agent<\/strong> modal appears and you will be presented with the <strong>AD Sync Agent Installation Connect Key<\/strong>. This is the unique one-time use key that is required to connect the Sync Agent to your JumpCloud Org and this AD domain Integration within JumpCloud. You will input this key during the AD Sync Agent install in the steps below. <\/li>\n\n\n\n<li>Click <strong>Copy<\/strong> and save it to a password manager for later use.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"636\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2way-Step2_SyncAgentDownload-1024x636.png\" alt=\"\" class=\"wp-image-114698\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2way-Step2_SyncAgentDownload-1024x636.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2way-Step2_SyncAgentDownload-300x186.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2way-Step2_SyncAgentDownload-768x477.png 768w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2way-Step2_SyncAgentDownload.png 1407w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ol start=\"6\">\n<li>Click <strong>Close<\/strong>.&nbsp;<\/li>\n\n\n\n<li>Save the downloaded installers to the AD servers.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>The Connect Key will expire in 7 days if it is not used.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-run-the-ad-import-agent-installation-wizard\"><strong>Run the AD Import Agent Installation Wizard<\/strong><\/h3>\n\n\n\n<p>Now you are ready to install the JumpCloud AD import agent.<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>If you are installing the AD import agent on your DCs, the AD import agent must be installed on <strong><em>all<\/em><\/strong> of the write capable DCs within the domain. This <strong>does not<\/strong> apply to Read-Only DCs (RODCs).&nbsp;<\/p>\n\n\n\n<p>If you are installing the AD import agent on non-DC domain member servers, we recommend installing on at least 2 servers.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol>\n<li>Browse to where you saved the AD Import installer file on the server.&nbsp;<\/li>\n\n\n\n<li>Right-click the file, then select <strong>Run as administrator<\/strong>.<\/li>\n\n\n\n<li>The Install Wizard will start and prompt you to agree to the&nbsp;C++ license terms and conditions.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" width=\"425\" height=\"262\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/image-3.png\" alt=\"\" class=\"wp-image-100349\" style=\"width:487px;height:auto\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-3.png 425w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-3-300x185.png 300w\" sizes=\"(max-width: 425px) 100vw, 425px\" \/><\/figure>\n\n\n\n<ol start=\"4\">\n<li>Select the type of server on which you are installing the AD import agent:<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"619\" height=\"474\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1_ServerType.png\" alt=\"\" class=\"wp-image-114312\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1_ServerType.png 619w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1_ServerType-300x230.png 300w\" sizes=\"(max-width: 619px) 100vw, 619px\" \/><\/figure>\n\n\n\n<ol start=\"5\">\n<li>If you selected <strong>Domain Controller<\/strong>, skip to step 9.<\/li>\n\n\n\n<li>If you selected <strong>Member Server<\/strong> for the server type, provide the FQDN or IP address for that server.&nbsp;We recommend using FQDN.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"619\" height=\"474\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1A_DC-for-MemberSever.png\" alt=\"\" class=\"wp-image-114313\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1A_DC-for-MemberSever.png 619w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1A_DC-for-MemberSever-300x230.png 300w\" sizes=\"(max-width: 619px) 100vw, 619px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"619\" height=\"474\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1A1_FQDN-for-DC.png\" alt=\"\" class=\"wp-image-114314\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1A1_FQDN-for-DC.png 619w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1A1_FQDN-for-DC-300x230.png 300w\" sizes=\"(max-width: 619px) 100vw, 619px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"619\" height=\"474\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1A2_IP-for-DC.png\" alt=\"\" class=\"wp-image-114315\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1A2_IP-for-DC.png 619w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_1A2_IP-for-DC-300x230.png 300w\" sizes=\"(max-width: 619px) 100vw, 619px\" \/><\/figure>\n\n\n\n<ol start=\"6\">\n<li>Confirm your LDAP connection type and decide if you want to allow the use of LDAP if the connection using secure LDAP fails.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>We <strong>STRONGLY recommend against<\/strong> allowing the use of LDAP if the connection using secure LDAP fails. LDAP is not secure and increases your potential risk of cyberattacks as it sends unencrypted data. Attackers can spy on the connection and intercept packets sent over the network. We <strong>STRONGLY<\/strong> recommend the use of LDAPS only for this integration.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>If are installing the AD import agent on a DC and have not or cannot install LDAPS or TLS, you&nbsp;<strong>must<\/strong>&nbsp;select the &#8220;Allow insecure connection (LDAP) to a Domain Controller if secure connection fails&#8221;option. Otherwise, the integration will fail.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"619\" height=\"474\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_2_LDAP-vs-LDAPS.png\" alt=\"\" class=\"wp-image-114316\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_2_LDAP-vs-LDAPS.png 619w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_2_LDAP-vs-LDAPS-300x230.png 300w\" sizes=\"(max-width: 619px) 100vw, 619px\" \/><\/figure>\n\n\n\n<ol start=\"7\">\n<li>If you checked <strong>Allow insecure connection (LDAP) to a Domain Controller, if secure connection fails<\/strong>, you must confirm that you&nbsp;understand the risk before you can proceed.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"619\" height=\"474\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_2A_Insecure-LDAP.png\" alt=\"\" class=\"wp-image-114317\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_2A_Insecure-LDAP.png 619w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_2A_Insecure-LDAP-300x230.png 300w\" sizes=\"(max-width: 619px) 100vw, 619px\" \/><\/figure>\n\n\n\n<ol start=\"8\">\n<li>Enter the AD Distinguished Name (DN) of the domain and click <strong>Next<\/strong>.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>The domain name should match the case of the domain name entered in the JumpCloud Admin Portal. For example, example.com should be entered as &#8220;DC=example;DC=com&#8221;.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"627\" height=\"480\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_3_AD-Domain.png\" alt=\"\" class=\"wp-image-114318\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_3_AD-Domain.png 627w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_3_AD-Domain-300x230.png 300w\" sizes=\"(max-width: 627px) 100vw, 627px\" \/><\/figure>\n\n\n\n<ol start=\"9\">\n<li>Enter the jcimport account and password, then click <strong>Next<\/strong>. Be sure to use the NetBIOS domain format and not the full DNS name. (For example, example\\jcimport and the user password).<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card tip\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Tip:<\/strong> \n<p>If you\u2019re unsure of the NetBIOS name, right-click the domain name in ADUC and select Properties. Use the value labeled Domain name (pre-Windows 2000).<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"627\" height=\"480\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_4_jcimport-Creds.png\" alt=\"\" class=\"wp-image-114319\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_4_jcimport-Creds.png 627w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_4_jcimport-Creds-300x230.png 300w\" sizes=\"(max-width: 627px) 100vw, 627px\" \/><\/figure>\n\n\n\n<ol start=\"10\">\n<li>Enter the JumpCloud API Key for the dedicated Admin account created for the ADI, then click <strong>Next<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"622\" height=\"476\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_7_JC-APIKey.png\" alt=\"\" class=\"wp-image-114322\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_7_JC-APIKey.png 622w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_7_JC-APIKey-300x230.png 300w\" sizes=\"(max-width: 622px) 100vw, 622px\" \/><\/figure>\n\n\n\n<ol start=\"11\">\n<li>Enter your JumpCloud Organization ID, then click <strong>Next<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"627\" height=\"480\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_5_JC-OrgID.png\" alt=\"\" class=\"wp-image-114320\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_5_JC-OrgID.png 627w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_5_JC-OrgID-300x230.png 300w\" sizes=\"(max-width: 627px) 100vw, 627px\" \/><\/figure>\n\n\n\n<ol start=\"12\">\n<li>On Selecting the File Destination, leave the defaults and click Next.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"622\" height=\"476\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_8_Install-Folder.png\" alt=\"\" class=\"wp-image-114323\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_8_Install-Folder.png 622w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_8_Install-Folder-300x230.png 300w\" sizes=\"(max-width: 622px) 100vw, 622px\" \/><\/figure>\n\n\n\n<ol start=\"13\">\n<li>Click <strong>Install<\/strong>. The import agent will take about 1 to 2 minutes to install.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"622\" height=\"476\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_9_Ready-to-Install.png\" alt=\"\" class=\"wp-image-114324\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_9_Ready-to-Install.png 622w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_9_Ready-to-Install-300x230.png 300w\" sizes=\"(max-width: 622px) 100vw, 622px\" \/><\/figure>\n\n\n\n<ol start=\"14\">\n<li>Select <strong>Yes, restart the computer now<\/strong> and click <strong>Finish<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"620\" height=\"475\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_10_Finish-Installation.png\" alt=\"\" class=\"wp-image-114325\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_10_Finish-Installation.png 620w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/08\/Import-Agent_10_Finish-Installation-300x230.png 300w\" sizes=\"(max-width: 620px) 100vw, 620px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>You must reboot your AD servers after the AD Import Agent installation!<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-verify-the-jumpcloud-ad-import-agent-service-started\">Verify the JumpCloud AD Import Agent Service Started<\/h3>\n\n\n\n<p>Once your DC restarted, verify that the service started by confirming display name: \u201cJumpCloud AD Integration Import Agent\u201d ; service name: \u201cJCADImportAgent\u201d; is running in services.msc. If the service fails to start, you can review the agent logs at C:\\Program Files\\JumpCloud\\AD Integration\\JumpCloud_AD_Import.log&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"857\" height=\"270\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/image-14.png\" alt=\"\" class=\"wp-image-100362\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-14.png 857w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-14-300x95.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-14-768x242.png 768w\" sizes=\"(max-width: 857px) 100vw, 857px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-configure-ad-import-agent\">Configure AD Import Agent<\/h3>\n\n\n\n<p>There are several configuration options that you should implement post-installation of the AD import agent. The recommended configuration updates are:&nbsp;<\/p>\n\n\n\n<ul>\n<li>Update LDAPS configuration file<\/li>\n\n\n\n<li>Modify the Root User Container Used by AD Import<\/li>\n\n\n\n<li>Update the security group name if your environment has multiple domains<\/li>\n<\/ul>\n\n\n\n<p>Verify and update default import settings described in <a href=\"https:\/\/jumpcloud.com\/support\/advanced-configurations-for-active-directory-ad-import\">Advanced Configurations for AD Import<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card tip\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Tip:<\/strong> \n<p>To change any of the configuration options, start by opening the AD Import Agent configuration file using a text editor: C:\\Program Files\\JumpCloud\\AD Integration\\AD Import\\jcadimportagent.config.json.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-modify-the-root-user-container-used-by-ad-import\">Modify the Root User Container used by AD Import<\/h4>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>&nbsp;The AD Domain and Root User container DN needs to be the same for both the AD import agent and AD sync agent.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<p>If your Root User Container is the default CN=Users;DC=company;DC=com, you can skip this section.<\/p>\n\n\n\n<p>If you\u2019re using a different Root user container for managing AD resources with the AD Import agent, follow the steps below to modify the User container location in the agent configuration json file.&nbsp;<\/p>\n\n\n\n<ol>\n<li>Verify the full LDAP path for the chosen Root user container you have selected in ADUC:\n<ol class=\"is-lower-alpha\">\n<li>From the ADUC panel\u2019s View menu, enable <strong>Advanced Features<\/strong>.&nbsp;<\/li>\n\n\n\n<li>Right-click the container and select <strong>Properties<\/strong>.&nbsp;<\/li>\n\n\n\n<li>Select the <strong>Attribute Editor<\/strong> tab.&nbsp;<\/li>\n\n\n\n<li>Select the \u201cdistinguishedName\u201d attribute, then click <strong>View<\/strong>.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"772\" height=\"569\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/image-15.png\" alt=\"\" class=\"wp-image-100363\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-15.png 772w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-15-300x221.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-15-768x566.png 768w\" sizes=\"(max-width: 772px) 100vw, 772px\" \/><\/figure>\n\n\n\n<ol start=\"2\">\n<li>In the AD Import Agent configuration file, replace the <kbd>CN=Users;DC=company;DC=com<\/kbd> reference in the LDAP section of the json configuration file with the \u201cdistinguishedName\u201d value from ADUC, leaving the CN=JumpCloud security group reference in place. See the example below.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>Be sure to place semicolons ( ; ) between the values, e.g., \u201cCN=JumpCloud;OU=Corporate Users;DC=contoso;DC=com\u201d<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<p>An example of the configuration file that has been changed from the Defaults to match what\u2019s actually the true Root User Container. In the below example config, Example\u2019s Root User Container needs to be, CN=JumpCloud;OU=Corporate Users;DC=example;DC=com.<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>You must create or relocate the JumpCloud security group to this Root user container and grant delegated control to the service account for AD Import agent integration. The LDAP values noted in this DN specify the explicit path to the location of the JumpCloud security group in your AD environment.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-modify-the-security-group-used-by-ad-import\">Modify the Security Group used by AD Import<\/h4>\n\n\n\n<p>You will need to update the security group name in the AD import configuration file to match the name you gave the JumpCloud integration Security Group in the Create the JumpCloud ADI Integration Security Group in AD above.<\/p>\n\n\n\n<ol>\n<li>Update the security group reference in the DN, CN=JumpCloud, to match the name you gave the JumpCloud integration security group.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"814\" height=\"235\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/11\/cn-jumpcloud.jpg\" alt=\"\" class=\"wp-image-100620\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/11\/cn-jumpcloud.jpg 814w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/11\/cn-jumpcloud-300x87.jpg 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/11\/cn-jumpcloud-768x222.jpg 768w\" sizes=\"(max-width: 814px) 100vw, 814px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-modify-default-advanced-configuration-settings-for-ad-import\">Modify default Advanced Configuration settings for AD Import<\/h4>\n\n\n\n<p>Adjust the default configuration settings to control how the import works and what happens to users in JumpCloud when certain actions are taken in AD.&nbsp;These settings are considered advanced configurations.&nbsp;See <a href=\"https:\/\/jumpcloud.com\/support\/advanced-configurations-for-active-directory-ad-import\">Advanced Configurations for AD Import<\/a> for more information.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-save-the-configuration-changes-and-restart-the-ad-import-agent-service\">Save the configuration changes and restart the AD import agent service<\/h4>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>You do not need to restart the DC only restart the service to apply configuration changes.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<p>Once all configuration changes have been made save them and restart the service.<\/p>\n\n\n\n<ol>\n<li>Save the jcadimportagent.config.json file.<\/li>\n\n\n\n<li>Restart the JumpCloud AD Import Agent service using the Windows Service Manager.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-run-the-ad-sync-agent-installation-wizard-nbsp\">Run the AD Sync Agent Installation Wizard&nbsp;<\/h3>\n\n\n\n<p>Now you are ready to install the JumpCloud Sync Agent on one or more member servers or your Primary DC and any DC within the domain that could experience replication delays.<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>If you are installing the AD sync agent on DCs, do not install the AD Sync Agent on Read-Only DCs (RODCs).<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol>\n<li>Browse to where you saved the AD Integration Sync installer file on your DC.&nbsp;<\/li>\n\n\n\n<li>Right-click the file, then select <strong>Run as administrator<\/strong>.<\/li>\n\n\n\n<li>Once the Installer Wizard appears, click <strong>Next<\/strong>.<\/li>\n\n\n\n<li>On the Destination Folder screen, click <strong>Next<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" width=\"1111\" height=\"813\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e828dcf2c6.png\" alt=\"\" class=\"wp-image-108450\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e828dcf2c6.png 1111w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e828dcf2c6-300x220.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e828dcf2c6-1024x749.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e828dcf2c6-768x562.png 768w\" sizes=\"(max-width: 1111px) 100vw, 1111px\" \/><\/figure>\n\n\n\n<ol start=\"5\">\n<li>Select the type of server on which you are installing the agent, DC or non-DC member server, then click <strong>Next<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1111\" height=\"813\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8298ab5ec.png\" alt=\"\" class=\"wp-image-108453\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8298ab5ec.png 1111w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8298ab5ec-300x220.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8298ab5ec-1024x749.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8298ab5ec-768x562.png 768w\" sizes=\"(max-width: 1111px) 100vw, 1111px\" \/><\/figure>\n\n\n\n<ol start=\"6\">\n<li>If you chose <strong>Domain Controller<\/strong>, skip to step 9.<\/li>\n\n\n\n<li>If you chose <strong>Member Server<\/strong> as your server type, enter the information for the DC to which the member server should connect to sync data from JumpCloud to AD. We recommend using the FQDN for your DC.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1081\" height=\"813\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8275df0ba.png\" alt=\"\" class=\"wp-image-108444\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8275df0ba.png 1081w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8275df0ba-300x226.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8275df0ba-1024x770.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8275df0ba-768x578.png 768w\" sizes=\"(max-width: 1081px) 100vw, 1081px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1081\" height=\"813\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e82915811a.png\" alt=\"\" class=\"wp-image-108451\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e82915811a.png 1081w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e82915811a-300x226.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e82915811a-1024x770.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e82915811a-768x578.png 768w\" sizes=\"(max-width: 1081px) 100vw, 1081px\" \/><\/figure>\n\n\n\n<ol start=\"7\">\n<li>Confirm your LDAP connection type and decide if you want to allow the use of LDAP if the connection using secure LDAP fails.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>We <strong>STRONGLY recommend against<\/strong> allowing the use of LDAP if the connection using secure LDAP fails. LDAP is not secure and increases your potential risk of cyberattacks as it sends unencrypted data. Attackers can spy on the connection and intercept packets sent over the network. <br>We <strong>STRONGLY<\/strong> recommend the use of LDAPS only for this integration.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1081\" height=\"813\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e829f68e57.png\" alt=\"\" class=\"wp-image-108455\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e829f68e57.png 1081w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e829f68e57-300x226.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e829f68e57-1024x770.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e829f68e57-768x578.png 768w\" sizes=\"(max-width: 1081px) 100vw, 1081px\" \/><\/figure>\n\n\n\n<ol start=\"8\">\n<li>If you checked <strong>Allow insecure connection (LDAP) to a Domain Controller, if secure connection fails<\/strong>, you must confirm that you&nbsp;understand the risk before you can proceed.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1081\" height=\"813\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e828a964e3.png\" alt=\"\" class=\"wp-image-108449\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e828a964e3.png 1081w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e828a964e3-300x226.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e828a964e3-1024x770.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e828a964e3-768x578.png 768w\" sizes=\"(max-width: 1081px) 100vw, 1081px\" \/><\/figure>\n\n\n\n<ol start=\"9\">\n<li>Enter in the Root User Container you noted in the&nbsp;<strong>Determine the Root User Container in AD<\/strong> section above. If you\u2019re using the default AD Root User Container, the value will be CN=Users;DC=company;DC=com. If you\u2019ve chosen another Root User Container, enter the value you noted.\n<ul>\n<li>In this example, we\u2019ve modified the Root User Container. The value is:&nbsp;OU=Corporate Users;DC=example;DC=com<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>The AD Domain and Root User container DN needs to be the same for both the AD import agent and AD sync agent.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>Case is important when entering the User Root DN, always use capital \u201cOU\u201d, \u201cCN\u201d, and \u201cDC\u201d.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"770\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e82723678a-1024x770.png\" alt=\"\" class=\"wp-image-108443\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e82723678a-1024x770.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e82723678a-300x226.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e82723678a-768x578.png 768w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e82723678a.png 1081w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ol start=\"10\">\n<li>Enter the AD Sync Agent\u2019s Service Account you\u2019ve created. This should be the jcsync User Account you created in the <strong>Create the AD Sync Service Account<\/strong> section above. Then click <strong>Next<\/strong>.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>Case is important when entering the Windows Login Domain, use the same case that was used when creating the AD domain instance in JumpCloud.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1081\" height=\"813\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8294bd19e.png\" alt=\"\" class=\"wp-image-108452\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8294bd19e.png 1081w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8294bd19e-300x226.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8294bd19e-1024x770.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e8294bd19e-768x578.png 768w\" sizes=\"(max-width: 1081px) 100vw, 1081px\" \/><\/figure>\n\n\n\n<ol start=\"11\">\n<li>Enter the Connect Key that was presented to you within the JumpCloud Admin Portal after downloading the AD Sync Agent. Then click <strong>Next<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1081\" height=\"813\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e829c0f209.png\" alt=\"\" class=\"wp-image-108454\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e829c0f209.png 1081w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e829c0f209-300x226.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e829c0f209-1024x770.png 1024w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2024\/04\/660e829c0f209-768x578.png 768w\" sizes=\"(max-width: 1081px) 100vw, 1081px\" \/><\/figure>\n\n\n\n<ol start=\"12\">\n<li>Finally, click the <strong>Install <\/strong>button to install the AD Sync Agent. This could take up to 3 minutes.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>You DO NOT need to reboot the servers after the AD Sync Agent installation.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<p>Congratulations! You\u2019ve installed the AD Sync Agent. You are ready to verify that the AD Sync Agent is communicating properly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-verify-ad-import-and-ad-sync\">Verify AD Import and AD Sync<\/h3>\n\n\n\n<p>Once you\u2019ve installed the AD import and AD sync agents within your AD environment. You can easily verify that the JumpCloud AD Sync Agent is working. Please ensure the following are present and visible:&nbsp;<\/p>\n\n\n\n<ul>\n<li>The JumpCloud AD Sync Agent should be shown as green and active within the Admin Portal under <strong>Directory Integrations &gt; Active Directory &gt; Domain Integration &gt; Domain Agents tab<\/strong>.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"773\" height=\"198\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/image-20.png\" alt=\"\" class=\"wp-image-100368\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-20.png 773w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-20-300x77.png 300w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-20-768x197.png 768w\" sizes=\"(max-width: 773px) 100vw, 773px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>If the AD Sync Agent(s) or the AD Import Agent(s) are showing red or are in a non-connected state, please check services.msc to see if the services are running.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<p>Additionally,&nbsp;<\/p>\n\n\n\n<ul>\n<li>JumpCloud User Group is now within your JumpCloud organization. The JumpCloud User Group should have a User Group icon with an AD badge in the User Group Details pane. See the example below:\n<ul>\n<li>Navigate to <strong>User Management &gt; User Groups<\/strong>. You should see the JumpCloud User Group with a Microsoft badge next to it. Click on the User Group to open up its details<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"713\" height=\"125\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/image-21.png\" alt=\"\" class=\"wp-image-100369\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-21.png 713w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-21-300x53.png 300w\" sizes=\"(max-width: 713px) 100vw, 713px\" \/><\/figure>\n\n\n\n<ul>\n<li> When opened, you can see that the User Group has a Microsoft Badge and is also assigned to AD on the Directories tab.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"727\" height=\"221\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/image-22.png\" alt=\"\" class=\"wp-image-100370\" srcset=\"https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-22.png 727w, https:\/\/ti-1.jumpcloud.com\/wp-content\/uploads\/2023\/10\/image-22-300x91.png 300w\" sizes=\"(max-width: 727px) 100vw, 727px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-next-steps\">Next Steps<\/h2>\n\n\n\n<p>Please read the <a href=\"https:\/\/jumpcloud.com\/support\/use-the-Active-Directory-Integration\">Using and Managing the ADI<\/a> article next.<\/p>\n\n\n\n<p><strong>Want additional assistance from JumpCloud?&nbsp;<\/strong><\/p>\n\n\n\n<p>If you\u2019re having issues with getting JumpCloud\u2019s ADI working, try the <a href=\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi\">Troubleshooting Guide<\/a>. JumpCloud now offers myriad professional services offerings to assist customers with implementing and configuring JumpCloud. If you\u2019re looking for assistance with Migrating from AD, or to integrate AD with JumpCloud, we recommend you reach out to JumpCloud\u2019s Professional Services team on the following page: <a href=\"https:\/\/jumpcloud.com\/professional-services\">Professional Services &#8211; JumpCloud<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The JumpCloud Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between JumpCloud and on-premise or off-premise [&hellip;]<\/p>\n","protected":false},"author":205,"featured_media":0,"template":"","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"support_category":[2904,2855,2954],"support_tag":[],"coauthors":[2839],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Configure ADI: Manage users, groups, and passwords in AD and JumpCloud<\/title>\n<meta name=\"description\" content=\"Learn how to configure JumpCloud&#039;s Active Directory Integration (ADI) to manage resources in either, or both, JumpCloud and Active Directory.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Configure ADI: Manage users, groups, and passwords in AD and JumpCloud\" \/>\n<meta property=\"og:description\" content=\"Learn how to configure JumpCloud&#039;s Active Directory Integration (ADI) to manage resources in either, or both, JumpCloud and Active Directory.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-20T17:23:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1024x455.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"joyjaswinski\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync\",\"url\":\"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync\",\"name\":\"Configure ADI: Manage users, groups, and passwords in AD and JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/ti-1.jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync#primaryimage\"},\"image\":{\"@id\":\"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1024x455.png\",\"datePublished\":\"2023-10-27T00:42:21+00:00\",\"dateModified\":\"2024-08-20T17:23:38+00:00\",\"description\":\"Learn how to configure JumpCloud's Active Directory Integration (ADI) to manage resources in either, or both, JumpCloud and Active Directory.\",\"breadcrumb\":{\"@id\":\"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1024x455.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1024x455.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/ti-1.jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Support\",\"item\":\"https:\/\/ti-1.jumpcloud.com\/support\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Configure ADI: Manage users, groups and passwords in AD, JumpCloud, or both\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/ti-1.jumpcloud.com\/#website\",\"url\":\"https:\/\/ti-1.jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/ti-1.jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/ti-1.jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/ti-1.jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/ti-1.jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/ti-1.jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/ti-1.jumpcloud.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Configure ADI: Manage users, groups, and passwords in AD and JumpCloud","description":"Learn how to configure JumpCloud's Active Directory Integration (ADI) to manage resources in either, or both, JumpCloud and Active Directory.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync","og_locale":"en_US","og_type":"article","og_title":"Configure ADI: Manage users, groups, and passwords in AD and JumpCloud","og_description":"Learn how to configure JumpCloud's Active Directory Integration (ADI) to manage resources in either, or both, JumpCloud and Active Directory.","og_url":"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync","og_site_name":"JumpCloud","article_modified_time":"2024-08-20T17:23:38+00:00","og_image":[{"url":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1024x455.png"}],"twitter_card":"summary_large_image","twitter_misc":{"Written by":"joyjaswinski"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync","url":"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync","name":"Configure ADI: Manage users, groups, and passwords in AD and JumpCloud","isPartOf":{"@id":"https:\/\/ti-1.jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync#primaryimage"},"image":{"@id":"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1024x455.png","datePublished":"2023-10-27T00:42:21+00:00","dateModified":"2024-08-20T17:23:38+00:00","description":"Learn how to configure JumpCloud's Active Directory Integration (ADI) to manage resources in either, or both, JumpCloud and Active Directory.","breadcrumb":{"@id":"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync#primaryimage","url":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1024x455.png","contentUrl":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/two-way-sync-single-domain-1024x455.png"},{"@type":"BreadcrumbList","@id":"https:\/\/ti-1.jumpcloud.com\/support\/configure-adi-two-way-sync#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/ti-1.jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Support","item":"https:\/\/ti-1.jumpcloud.com\/support"},{"@type":"ListItem","position":3,"name":"Configure ADI: Manage users, groups and passwords in AD, JumpCloud, or both"}]},{"@type":"WebSite","@id":"https:\/\/ti-1.jumpcloud.com\/#website","url":"https:\/\/ti-1.jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/ti-1.jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/ti-1.jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/ti-1.jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/ti-1.jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/ti-1.jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/ti-1.jumpcloud.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/ti-1.jumpcloud.com\/wp-json\/wp\/v2\/support\/97084"}],"collection":[{"href":"https:\/\/ti-1.jumpcloud.com\/wp-json\/wp\/v2\/support"}],"about":[{"href":"https:\/\/ti-1.jumpcloud.com\/wp-json\/wp\/v2\/types\/support"}],"author":[{"embeddable":true,"href":"https:\/\/ti-1.jumpcloud.com\/wp-json\/wp\/v2\/users\/205"}],"version-history":[{"count":2,"href":"https:\/\/ti-1.jumpcloud.com\/wp-json\/wp\/v2\/support\/97084\/revisions"}],"predecessor-version":[{"id":114710,"href":"https:\/\/ti-1.jumpcloud.com\/wp-json\/wp\/v2\/support\/97084\/revisions\/114710"}],"wp:attachment":[{"href":"https:\/\/ti-1.jumpcloud.com\/wp-json\/wp\/v2\/media?parent=97084"}],"wp:term":[{"taxonomy":"support_category","embeddable":true,"href":"https:\/\/ti-1.jumpcloud.com\/wp-json\/wp\/v2\/support_category?post=97084"},{"taxonomy":"support_tag","embeddable":true,"href":"https:\/\/ti-1.jumpcloud.com\/wp-json\/wp\/v2\/support_tag?post=97084"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/ti-1.jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=97084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}