
How to Configure Synchronization Templates for Automatic AD Groups

This guide describes the standard procedure for configuring synchronization templates to export automatic groups to an on-premises Active Directory.

When setting up a synchronization template for groups, you must configure three primary elements:

  1. Rule Set: Defines which groups the template will export.

  2. Object Path: Specifies the destination Organizational Unit (OU) in Active Directory where the groups will be created.

  3. Attribute Mappings: Determines how data from the source system populates the attributes of the group objects in Active Directory.


Rule Set

The first step is to select a rule set that identifies the specific groups this template should manage. For detailed information on how to configure rule sets for automatic and manual groups, please see this article.

The main information tab of the template provides a summary, including the selected rule set.

| Field | Description |
| --- | --- |
| Name | A descriptive name for the template, e.g., "Automatic Department Groups". |
| Active | Determines whether the template is enabled. Must be set to "Yes". |
| Object Type | Should be set to "Group". |
| Synchronization Step | Set to "Export AD". |
| Rule Set | The rule set that selects which groups to export. |
| Permanent Deletion | If set to "No", groups are disabled in AD upon deletion instead of being permanently removed. |


Object Path

The object path defines the exact location within your Active Directory where the new groups will be created.

You must provide the full, absolute path to the target OU, including the domain components. It is common to use one or more absolute paths for this purpose.

Example:

OU=Security-Groups,OU=Utfjord,DC=utfjord,DC=kommune,DC=no


Attribute Mappings

Mappings define how attributes for the group object in Active Directory are populated. Below are recommended configurations for common attributes.

| Target Attribute | Example Source Value | Comments |
| --- | --- | --- |
| cn | [CNCLEAN; [description]] | The group's common name. The name is sourced from the description attribute and processed with the CNCLEAN function to sanitize the value and prevent errors from special characters. |
| samAccountName | sourceid | It is highly recommended to set the samAccountName to the sourceid, which is the unique internal serial number for the department or unit. |
| displayName | [OrgUnitNr] [CNCLEAN; [description]] | Sets a user-friendly display name, often combining the department number and the sanitized department name (e.g., "0123 Sales Department"). |
| description | Security group for employees at [Description] | Provides a more detailed explanation of the group's purpose. |
| groupType | -2147483640 | Defines the group type and scope in Active Directory. Common values: -2147483646 (Global Security Group), -2147483644 (Domain Local Security Group), -2147483640 (Universal Security Group). |
| parent | [Name] (via foreign key) | Used to create nested groups (a group as a member of another group). |
| createScript | C:\eadm\scripts\mail-enable.ps1 | Specifies the full path to a script that executes when a group is created. This can be used, for example, to mail-enable a new security group. |
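The cn row above relies on CNCLEAN to sanitize free-text descriptions. The following PowerShell is an added illustration and not the product's CNCLEAN implementation (its exact rules are not documented on this page). It shows the two things such cleaning has to handle, characters that are special in an LDAP relative distinguished name (RFC 4514) and the 64-character limit of the cn attribute, and the collision check that is still needed afterwards, because two different descriptions can clean to the same cn even though sourceid stays unique. The function name, the choice to strip rather than escape, and the sample descriptions are assumptions.

```powershell
# Added illustration, not the product's CNCLEAN function: sanitize a description
# into a cn value and then check a batch of descriptions for collisions.
function ConvertTo-SafeCn {
    param([Parameter(Mandatory)][string]$Description)
    # Strip characters RFC 4514 treats as special in an RDN (, + " \ < > ; =),
    # drop control characters, collapse whitespace, trim surrounding spaces and
    # a leading '#', then enforce the 64-character cn limit of the AD schema.
    $cn = $Description -replace '[,+"\\<>;=]', ''
    $cn = $cn -replace '[\x00-\x1F]', ''
    $cn = ($cn -replace '\s+', ' ').Trim().TrimStart('#')
    if ($cn.Length -gt 64) { $cn = $cn.Substring(0, 64).TrimEnd() }
    return $cn
}

# Constructed sample descriptions (assumption); the first two collide after cleaning.
$descriptions = @(
    'Sales, Department',
    'Sales Department',
    '  #IT-Drift <Utfjord>  ',
    ('Very long department name ' * 4)
)

$cns = $descriptions | ForEach-Object {
    [pscustomobject]@{ Description = $_; Cn = ConvertTo-SafeCn $_ }
}
$cns | Format-Table -AutoSize

# Two departments must not map to the same cn under one object path, because
# the second export then conflicts with the first; samAccountName = sourceid
# stays unique, but cn does not.
$dupes = $cns | Group-Object Cn | Where-Object Count -gt 1
foreach ($d in $dupes) {
    Write-Warning "cn '$($d.Name)' is produced by $($d.Count) descriptions: $($d.Group.Description -join ' | ')"
}
```

Run against the sample input, 'Sales, Department' and 'Sales Department' both become "Sales Department" and are reported as a collision, the IT entry becomes "IT-Drift Utfjord", and the long entry is cut to 64 characters. Running such a check over the real department list before activating the template surfaces the collisions that CNCLEAN alone cannot prevent.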

Warning: Nesting groups using the parent attribute is not recommended for security groups that are linked to firewalls or for groups that are synchronized to Azure AD.

Note: You can use sub-rulesets to apply different attribute mappings for different selections of groups within the same template.
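The following PowerShell script is an added example and not part of the original article or of the synchronization product. It first verifies that the object path from the Object Path section is an absolute OU path with domain components that resolves in AD, then audits the groups the template has exported there against the attribute mappings above: it decodes groupType into scope and security-enabled flag, checks that samAccountName looks like a sourceid (assumed here to be purely numeric), reports nested groups created through the parent mapping, and flags empty descriptions. It assumes the ActiveDirectory module and read access to the OU; the two variables at the top are the only values taken from this page.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the sync product's own code): pre-flight check of the
# object path, then an audit of the exported groups against the mappings.
$ObjectPath        = 'OU=Security-Groups,OU=Utfjord,DC=utfjord,DC=kommune,DC=no'
$ExpectedGroupType = -2147483640   # Universal Security Group, as in the table

# groupType is a bit field. Bit 31 marks a security-enabled group, which is why
# the values in the table are negative when read as a signed 32-bit integer;
# bits 0x2 / 0x4 / 0x8 select Global / Domain Local / Universal scope.
function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$GroupType)
    $scope = switch ($GroupType -band 0x0E) {
        2       { 'Global' }
        4       { 'DomainLocal' }
        8       { 'Universal' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        Value           = $GroupType
        Scope           = $scope
        SecurityEnabled = ($GroupType -lt 0)   # bit 31 set
    }
}

# 1. The object path must be absolute (OU components followed by DC components)
#    and must resolve in the directory before the template is activated.
if ($ObjectPath -notmatch '^(OU=[^,]+,)+(DC=[^,]+,?)+$') {
    throw "Object path '$ObjectPath' is not an absolute OU path with DC components."
}
try {
    $ou = Get-ADOrganizationalUnit -Identity $ObjectPath -ErrorAction Stop
} catch {
    throw "Object path '$ObjectPath' could not be resolved in AD: $($_.Exception.Message)"
}
Write-Host "Object path OK: $($ou.DistinguishedName)"

# 2. Audit every group directly under the object path against the mappings.
$groups = Get-ADGroup -SearchBase $ObjectPath -SearchScope OneLevel -Filter * `
    -Properties groupType, description, displayName, memberOf

$report = foreach ($g in $groups) {
    $gt = ConvertFrom-GroupType -GroupType $g.groupType
    $findings = @()
    if ($g.groupType -ne $ExpectedGroupType) {
        $findings += "groupType $($g.groupType) is $($gt.Scope), security=$($gt.SecurityEnabled); expected $ExpectedGroupType"
    }
    if ($g.SamAccountName -notmatch '^\d+$') {
        # Assumption: sourceid is a purely numeric serial number.
        $findings += "samAccountName '$($g.SamAccountName)' is not a numeric sourceid"
    }
    if ($g.memberOf.Count -gt 0) {
        # Produced by the parent mapping; review for groups referenced by
        # firewalls or synchronized to Azure AD (see the warning above).
        $findings += "nested in $($g.memberOf.Count) parent group(s)"
    }
    if ([string]::IsNullOrWhiteSpace($g.description)) {
        $findings += 'description is empty'
    }
    $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
    [pscustomobject]@{ Name = $g.Name; SamAccountName = $g.SamAccountName; Findings = $summary }
}
$report | Format-Table -AutoSize
```

The scope decoding is independent of AD: ConvertFrom-GroupType -GroupType -2147483646 returns Global with SecurityEnabled = True, and -2147483640 returns Universal, matching the values listed in the groupType row. Running the audit after each synchronization gives a quick view of groups whose type drifted from the template, groups that were nested despite the warning above, and groups whose samAccountName was not taken from sourceid.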
