Active Directory Sync Overview
DocMgt Active Directory Sync is a command-line tool that is designed to synchronize Users and Groups from Active Directory to DocMgt. Use this tool when you need to be able to manage your users and teams from AD but do not require active AD integration such as single sign on.
Installation is straightforward. Copy and extract the ZIP file onto a Windows computer that is running in the domain. Configure the settings by editing the “docMgt.ADSync.exe.config” file in Notepad, Notepad++ or a similar text editor. Then simply run the application to start the sync process.
The following settings are available:
dmServerURL – The URL of the DocMgt server to sync with AD. This must be the complete URL. For example, https://yourserver.domain.com.
dmSyncUser – This is the login name of the user to use for managing DocMgt. This MUST be an existing DocMgt user with Administrator rights in order to sync with the domain.
dmSyncPassword – This is the password of the user to use for managing DocMgt.
DirectoryType – Set to Domain, ApplicationDirectory or Machine, depending on where you are syncing users from.
SyncGroup – This is the name of the AD group that holds the users that will be synced into DocMgt. Use this ONLY if you wish to only sync a specific group to DocMgt. If this is left blank then all AD users will be synced into DocMgt.
dmAdminGroup – This is the name of the AD group that holds the users that will be synced from AD to DocMgt as DocMgt Administrators. Any user in this AD group will have its ADMIN flag set to ON so they will be an administrator in DocMgt. If you later remove the user from this AD group then that user will have its Administrator flag in DocMgt removed when this sync happens again.
dmReportingGroup – This is the name of the AD group that holds the users that will be synced from AD to DocMgt as DocMgt Reporting Users. Any user in this AD group will have its REPORTING flag set to ON so they will be able to run reports in DocMgt. If you later remove the user from this AD group then that user will have its Reporting flag in DocMgt removed when this sync happens again.
LockToADGroups – Set to “true” so synced users can only have DocMgt Teams that match their AD groups. Set to “false” so synced users can also have separate DocMgt teams.
RecursiveGroups – Set to “true” to have the process check each user’s groups in a nested fashion. Set to “false” to only check each user’s direct group memberships. Recursive is slower than direct but there are times when you want to be able to get to all the user’s nested groups as well.
DefaultPassword – This is the password that will be assigned to any users that are created in DocMgt via the AD Sync process. Newly-created users will be forced to change their DocMgt password upon their first login but ONLY if they are not logging in using AD or Azure AD integrated logins.
UserNameProperty – This is the property of the AD User objects that you wish to use for the UserName. The choices are SamAccountName, Name, EmailAddress, DisplayName and UserPrincipalName. The default is to use SamAccountName but it is sometimes better to use EmailAddress if you are integrating with other systems such as Azure AD.
DebugMode – Set to “true” to run through the process and log the changes that would be made but NOT actually make them. This is useful during testing to be sure all the users and groups you expect to see are there. Set it to “false” to actually sync the users and groups.
PauseMode – Set to “true” to have the process stop at the end of the sync and wait for a key to be pressed before exiting. This is useful to review the output while testing. Set it to “false” to have the program exit immediately when finished. You should set this to “true” in production.
RemoveInactive – Set to “true” to have the process remove any users that are no longer in the sync group. For this to work you need Server version 3.46 or higher. This can only remove users that were added into the system by the sync tool on or after the 3.46 release as well.
Running the Sync Tool
Since Active Directory Sync is a command-line tool it can be run manually by simply double-clicking the application. If you want to schedule it to run every day or every week then it can be scheduled using Windows Task Scheduler or similar scheduling application. This way your changes to AD will come over to DocMgt automatically.
Active Directory Sync Processing
When the Active Directory Sync tool processes users, it compares the Groups in AD to the Teams in DocMgt. If a user is in a Group in AD and that user has access to a Team with the same name in DocMgt then the user is placed in that Team in DocMgt. If there is a Group in AD that the user is NOT in, and a Team with the same name exists in DocMgt, then the user is removed from that Team in DocMgt. With this mechanism you can control users’ Team memberships via your AD system.
The names of the Groups in AD must match the names of the Teams in DocMgt for the sync to know which Teams the user belongs in. If you have Groups in AD that do not have a match in DocMgt then that Group is not used in DocMgt security. By the same logic, if you have Teams in DocMgt that do not have a match in AD then that Team membership is not altered with the AD sync. This allows you to have some Teams that are DocMgt only and some Groups that are AD only.
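The matching rules above, together with the RecursiveGroups and dmAdminGroup settings, modelled as an added Python example. This is not DocMgt's code: the user, group and team names are constructed, and it assumes a user is placed in any Team whose name matches one of their Groups.

```python
# Model of the documented sync rules (added example; all data is constructed).

def effective_groups(user, direct, nested, recursive):
    """AD groups a user counts as a member of.

    direct: {user: groups}; nested: {group: groups it is a member of}.
    recursive=False mirrors RecursiveGroups=false (direct memberships only).
    """
    groups = set(direct.get(user, ()))
    if not recursive:
        return groups
    stack = list(groups)
    while stack:
        for parent in nested.get(stack.pop(), ()):
            if parent not in groups:      # 'groups' is also the visited set,
                groups.add(parent)        # so circular nesting terminates
                stack.append(parent)
    return groups


def plan_sync(current_teams, is_admin, user_groups, all_groups, teams, admin_group):
    """Changes a sync would make for one user, without applying them."""
    matched = teams & all_groups                  # Teams with a same-named Group
    want_admin = admin_group in user_groups
    return {
        "add": sorted((matched & user_groups) - current_teams),
        "remove": sorted((matched - user_groups) & current_teams),
        "untouched": sorted(current_teams - matched),   # DocMgt-only Teams
        "admin": want_admin,
        "admin_changed": want_admin != is_admin,
    }


# Constructed directory: bob is only in HelpDesk directly, but HelpDesk is
# nested in IT, and IT is nested in the group named in dmAdminGroup.
DIRECT = {"alice": {"Accounting"}, "bob": {"HelpDesk"}}
NESTED = {"HelpDesk": {"IT"}, "IT": {"DocMgt Admins", "HelpDesk"}}
ALL_GROUPS = {"Accounting", "HelpDesk", "IT", "DocMgt Admins", "HR"}
TEAMS = {"Accounting", "HR", "IT", "Legal Hold"}


def plan_for_bob(recursive):
    groups = effective_groups("bob", DIRECT, NESTED, recursive)
    return plan_sync({"HR", "Legal Hold"}, False, groups,
                     ALL_GROUPS, TEAMS, "DocMgt Admins")


if __name__ == "__main__":
    for mode in (False, True):
        print("RecursiveGroups =", mode, plan_for_bob(mode))
```

With nested lookup enabled, bob gains the Administrator flag through two levels of nesting, which is worth reviewing with DebugMode before the first real sync.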