You can use the following links below to quickly navigate to a specific section in this document. To quickly return to this index simply use the Return to Index link located at the end of any section.
Introduction and Creating an Active Directory User
When setting up a connection between the Password Reset app and Microsoft AD you will first need to create a new user in your Active Directory with the following assigned roles:
- Replicating directory changes.
- Replicating directory changes in filtered set.
- Replicating directory changes all.
Important Note:You will need to complete this step before proceeding. If you are unfamiliar with how to grant these specific permissions to a user then please refer to the following Microsoft help guide on Giving Users Replicating Directory Changes Permissions.
Downloading SYNC and Configuration Files
Now you will need to download the Microsoft AD connector executable file (IncidentIQ.Connectors.MicrosoftAd.exe). On the Password Assistant Overview tab click on the Download Local AD Password Assistant Executable button.
This application will need to be downloaded on a machine that has network access to reach your AD server. You can run it on the AD server itself, but that’s not a requirement. Additionally, the machine that runs the application will need to have the .NET framework v4.5.1 or higher.
Next, you will need to download the PasswordAssistant.conf file. In the Overview tab, click on the Download Configuration Template button. Once this file has been downloaded, save this file with the name PasswordAssistant.conf, and place in the folder with the password assistant application.
When setting up a policy to utilize the AD connector, you will need to ensure that the password reset requests are being directed to AD from accounts created by your AD/SSO integration.
This can be done by checking the box next to your app in the Login Providers section and then selecting Local AD in the corresponding drop-down menu. Additionally, you will need to select the look up field in the User Lookup Map for Local Ad section to utilize between iiQ and AD, as well.
Please note, we support routing to AD from the following integrations:
- ClassLink SSO
- Enboard SSO
- Google SSO
- Microsoft Active Directory
- Microsoft ADFS
- Microsoft Azure
- Rapid Identify
Configuring the Active Directory Integration
After you have created your AD user and downloaded the necessary files, you will now need to extract the Microsoft AD Connectors file. Once all files have been extracted, move the UserSync.conf file into the unzipped folder containing the sync application.
Next, run the application titled IncidentIQ.Connectors.MicrosoftAd.exe. This will open up a new application window.
In the top section of the application window, you will need to modify the following default settings: ad.username, ad.password, ad.domain, and ad.ip.
Important Note: All fields must be kept inside of quotation marks. Data entered without these quotations will not configure properly.
The ad.password value should be encrypted. To get the encrypted value to fill into the settings, click the Common tab and enter the ad.password in the text field labeled Clear text. Copy the Encrypted value and paste it as the value for the ad.password setting.
Once all of your settings have been entered, click Save configuration.
After you’ve confirmed that the configuration has successfully saved, click Run now. Running the application can take a while depending on the number of users in your AD (syncing about 10,000 users takes roughly 10-15 minutes).
Upon completion, you will see a message stating “Completed sending data to IncidentIQ.”
Creating a Scheduled Sync Task
To schedule the sync to occur automatically, you’ll need to create a task in Windows Task Manager. You can do so by searching for Administrative Tools and selecting Task Scheduler. This will open the Task Scheduler window.
In the Task Scheduler window, start by clicking on Action > Create Basic Task…
This will open the Create Basic Task Wizard. At the very least, you will need to provide a name for the new task. You can also add a task if desired. Once complete, click Next.
In the next step, you will be asked to select when this task should Trigger. We recommend running it daily (overnight) for the most accurate user data. Please ensure you set the task to run regardless of whether a user is logged in or not on the server. Once complete, click Next.
For the next step, you will need to specify what action the task will take when running. Select Start a Program and then click on Next.
When specifying the action to perform, locate the file IncidentIQ.Connectors.MicrosoftAd.exe in the Program/script file browser. Supply the argument -passwordreset in the Add arguments field. And finally, you will need to indicate the path you unzipped the files to in the Start in field. Once complete, click Next.
In the final step, you may review all of the settings of your task. Once you have completed your review, check the Open the Properties dialog for this task when I click Finish option and then click Finish.
In the properties pop-up window, begin by selecting Run whether user is logged on or not. Additionally, you will also need to check Run with highest privileges. Failure to check both of these options can prevent the connector from processing password reset requests.
Next, select the Triggers tab at the top of the window and then click on the Daily trigger for this task.
Next, you will want to click on Repeat task every 5 minutes for the duration of 1 day. Once this is complete, click on OK to complete the setup.