How to Configure Synchronization Templates for Automatic AD Groups
This guide describes the standard procedure for configuring synchronization templates to export automatic groups to an on-premises Active Directory.
When setting up a synchronization template for groups, you must configure three primary elements:
Rule Set: Defines which groups the template will export.
Object Path: Specifies the destination Organizational Unit (OU) in Active Directory where the groups will be created.
Attribute Mappings: Determines how data from the source system populates the attributes of the group objects in Active Directory.
Rule Set
The first step is to select a rule set that identifies the specific groups this template should manage. For detailed information on how to configure rule sets for automatic and manual groups, please see this article.
The main information tab of the template provides a summary, including the selected rule set.
Field | Description |
---|---|
Name | A descriptive name for the template, e.g., "Automatic Department Groups". |
Active | Determines if the template is enabled. Must be set to "Yes". |
Object Type | Should be set to "Group". |
Synchronization Step | Set to "Export AD". |
Rule Set | The rule set that selects which groups to export. |
Permanent Deletion | If set to "No", groups are disabled in AD upon deletion instead of being permanently removed. |
Object Path
The object path defines the exact location within your Active Directory where the new groups will be created.
You must provide the full, absolute path to the target OU, including the domain components. It is common to use one or more absolute paths for this purpose.
Example:
OU=Security-Groups,OU=Utfjord,DC=utfjord,DC=kommune,DC=no
Attribute Mappings
Mappings define how attributes for the group object in Active Directory are populated. Below are recommended configurations for common attributes.
| Target Attribute | Example Source Value | Comments |
|---|---|---|
| | | The group's common name. The name is sourced from the |
| | | It is highly recommended to set the |
| | | Sets a user-friendly display name, often combining the department number and the sanitized department name (e.g., "0123 Sales Department"). |
| | | Provides a more detailed explanation of the group's purpose. |
| | | Defines the group type and scope in Active Directory. Common values include: <br> • -2147483646: Global Security Group <br> • -2147483644: Domain Local Security Group <br> • -2147483640: Universal Security Group |
| | | Used to create nested groups (a group as a member of another group). |
| | | Specifies the full path to a script that executes when a group is created. This can be used, for example, to mail-enable a new security group. |
Warning: Nesting groups using the parent attribute is not recommended for security groups that are linked to firewalls or for groups that are synchronized to Azure AD.
Note: You can use sub-rulesets to apply different attribute mappings for different selections of groups within the same template.
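The following is an added example, not part of the original guide or the synchronization product: it decodes the groupType values listed in the mapping table (AD stores groupType as a signed 32-bit bitmask: 0x2 Global, 0x4 Domain Local, 0x8 Universal, 0x80000000 security-enabled) and checks that an object path is an absolute OU distinguished name with domain components, so a template can be validated before it is activated. The function names and the DN used here are assumptions for illustration; escaped commas inside RDN values are not handled.

```python
# Added example (not from the original guide): validate the groupType value and
# object path of a group export template before enabling it.
GROUP_TYPE_SCOPES = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000  # bit 31; clear means a distribution group


def decode_group_type(value):
    """Return (scope, security_enabled) for a signed 32-bit groupType value."""
    flags = value & 0xFFFFFFFF  # reinterpret the signed value as unsigned bits
    scopes = [name for bit, name in GROUP_TYPE_SCOPES.items() if flags & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} does not select exactly one scope")
    return scopes[0], bool(flags & SECURITY_ENABLED)


def parse_object_path(dn):
    """Split an absolute DN into (attribute, value) pairs.

    Rejects paths that do not start with an OU or lack DC components,
    since the template requires the full path including the domain.
    """
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, _, val = rdn.partition("=")
        parts.append((attr.strip().upper(), val.strip()))
    if parts[0][0] != "OU" or not any(a == "DC" for a, _ in parts):
        raise ValueError("object path must be an OU DN with domain components")
    return parts


def check_mapping(dn, group_type):
    """Summarise where a group lands and what kind of group it will be."""
    scope, security = decode_group_type(group_type)
    parts = parse_object_path(dn)
    domain = ".".join(v for a, v in parts if a == "DC")
    return {"ou": parts[0][1], "domain": domain,
            "scope": scope, "security": security}


if __name__ == "__main__":
    # Constructed sample: the object path from the guide with a Global Security Group.
    print(check_mapping("OU=Security-Groups,OU=Utfjord,DC=utfjord,DC=kommune,DC=no",
                        -2147483646))
```

A template whose groupType decodes with security False would export distribution groups, which is worth catching before the first synchronization run.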