How to Configure Synchronization Templates for Automatic AD Groups

This guide describes the standard procedure for configuring synchronization templates to export automatic groups to an on-premises Active Directory.

When setting up a synchronization template for groups, you must configure three primary elements:

Rule Set: Defines which groups the template will export.
Object Path: Specifies the destination Organizational Unit (OU) in Active Directory where the groups will be created.
Attribute Mappings: Determines how data from the source system populates the attributes of the group objects in Active Directory.

Rule Set

The first step is to select a rule set that identifies the specific groups this template should manage. For detailed information on how to configure rule sets for automatic and manual groups, please see this article.

The main information tab of the template provides a summary, including the selected rule set.

Field	Description
Name	A descriptive name for the template, e.g., "Automatic Department Groups".
Active	Determines if the template is enabled. Must be set to "Yes".
Object Type	Should be set to "Group".
Synchronization Step	Set to "Export AD".
Rule Set	The rule set that selects which groups to export.
Permanent Deletion	If set to "No", groups are disabled in AD upon deletion instead of being permanently removed.

Object Path

The object path defines the exact location within your Active Directory where the new groups will be created.

You must provide the full, absolute path to the target OU, including the domain components. It is common to use one or more absolute paths for this purpose.

Example:

OU=Security-Groups,OU=Utfjord,DC=utfjord,DC=kommune,DC=no

Attribute Mappings

Mappings define how attributes for the group object in Active Directory are populated. Below are recommended configurations for common attributes.

Target Attribute	Example Source Value	Comments
`cn`	`[CNCLEAN; [description]]`	The group's common name. The name is sourced from the `description` attribute and processed with the `CNCLEAN` function to sanitize the value and prevent errors from special characters.
`samAccountName`	`sourceid`	It is highly recommended to set the `samAccountName` to the `sourceID`, which is the unique internal serial number for the department or unit.
`displayName`	`[OrgUnitNr] [CNCLEAN; [description]]`	Sets a user-friendly display name, often combining the department number and the sanitized department name (e.g., "0123 Sales Department").
`description`	`Security group for employees at [Description]`	Provides a more detailed explanation of the group's purpose.
`groupType`	`-2147483640`	Defines the group type and scope in Active Directory. Common values include: <br> •-2147483646: Global Security Group <br> • -2147483644: Domain Local Security Group <br> • -2147483640: Universal Security Group
`parent`	`[Name]` (via foreign key)	Used to create nested groups (a group as a member of another group).
`createScript`	`C:\eadm\scripts\mail-enable.ps1`	Specifies the full path to a script that executes when a group is created. This can be used, for example, to mail-enable a new security group.

Warning: Nesting groups using the parent attribute is not recommended for security groups that are linked to firewalls or for groups that are synchronized to Azure AD.

Note: You can use sub-rulesets to apply different attribute mappings for different selections of groups within the same template.