The Microsoft Active Directory App allows administrators to integrate Incident IQ with a local AD server. This allows districts the ability to automatically populate and update user data in iiQ directly from their AD server.
This guide provides step-by-step instructions for installing the app, creating an Active Directory user for the sync, configuring and downloading the sync executable, creating a scheduled sync task, and mapping user roles and locations.
Before beginning the installation process you will need to ensure you have the following:
- The ability to create and edit user permissions in your Active Directory.
- A machine that runs .NET Framework v4.5.1 or higher and has network access to your district’s AD server.
Begin by selecting Incident IQ Apps > Browse on the left navigation bar.
Click on the Microsoft Active Directory App (v2) and then select Install to begin.
Step one of the installation process simply provides an overview of how installing the Microsoft Active Directory app will affect your Incident IQ installation. Select Continue once you are ready to proceed to step two.
The first phase of step two will ask you to assign a default role for users that have not already been assigned a group mapping. By default, this is set to Guest unless otherwise changed. Once you have assigned the default role select Continue.
At this time you may make changes to any section by clicking on any of the checked settings. Click Continue when you are ready to proceed.
In step three, you will be asked to review all of the changes that are about to be made to your Incident IQ site. Before moving on please keep in mind that after the installation process begins it cannot be stopped. Once you have completed your review select Install App to begin the integration process.
Once the installation has completed, you can begin creating an Active Directory user.
Creating an Active Directory User
Once you’ve installed the Microsoft AD app in Incident IQ, you will need to create a new user in your Active Directory. This user will need the following permissions granted to it:
- Replicating Directory Changes
- Replicating Directory Changes In Filtered Set
- Replicating Directory Changes All
Important Note: You will need to complete this step before proceeding. If you are unfamiliar with how to grant these specific permissions to a user, please refer to the following Microsoft help guide on Giving Users Replicating Directory Changes Permissions.
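Because these three rights let their holder read every attribute in the directory, it is worth confirming that only the expected principals hold them and that the connector account has exactly the three it needs. The following is an added example, not part of the Incident IQ guide or its tooling; the account name is a placeholder, and the rightsGuid values are the well-known identifiers of the three replication extended rights.

```powershell
# Added example: audit who holds the replication extended rights on the domain root
# and check that the dedicated connector account has all three. Requires the RSAT
# ActiveDirectory module and read access to the domain object's security descriptor.
Import-Module ActiveDirectory

# Placeholder: replace with the account created for the Incident IQ connector.
$SyncAccount = 'CONTOSO\svc-iiq-adsync'

# Well-known rightsGuid values of the three replication extended rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

# The rights are granted on the domain naming context, so read that object's ACL.
$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

$holders = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $ReplicationRights.ContainsKey($_.ObjectType.Guid)
    } |
    Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                  @{ n = 'Right';    e = { $ReplicationRights[$_.ObjectType.Guid] } },
                  IsInherited

# Everyone who can pull directory changes. Expect domain controllers, the built-in
# Administrators / Enterprise Domain Controllers groups, and the connector account.
$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# Confirm the connector account itself holds all three rights.
$granted = $holders | Where-Object Identity -eq $SyncAccount | Select-Object -ExpandProperty Right
$missing = $ReplicationRights.Values | Where-Object { $_ -notin $granted }
if ($missing) {
    Write-Warning "$SyncAccount is missing: $($missing -join ', ')"
} else {
    Write-Output "$SyncAccount holds all three replication rights."
}
```

Any unexpected identity in the first table is worth investigating before the connector goes into production.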
Configuring and Downloading the App Executable
Now you will need to download the application for the AD-iiQ sync. This application will need to be downloaded on a machine that has network access to reach an AD server (you can run it on the AD server itself, but that’s not a requirement). Additionally, the machine that runs the app will need to have the .NET framework v4.5.1 or higher.
You can download this file from the Microsoft Active Directory (v2) app in Incident IQ. To access this file, begin by selecting Incident IQ Apps > Manage on the left navigation bar.
On the Installed Apps tab, find Microsoft Active Directory (v2) and click on Manage.
This will take you to the app Overview tab. From here, you will need to click on Enable User Login and Enable User Sync to enable the integration app. Once these have been enabled click Save.
Next, you will need to configure and then download the executable file. To do so, begin by clicking on the Sync Executable tab.
From here, you will need to input the following information to configure your executable download:
- AD Username
- AD Password
- AD Domain
- AD Server IP
- Group OU Searches (Optional)
- User OU Searches (Optional)
- Additional AD Attributes to copy (Optional)
Once you have finished entering your configuration information, click on Download Executable to download the connector app. Please note, you will want to download this connector app to a device that has access to your AD server and is running overnight.
After downloading the connector file, you will want to run a manual sync to test the connection and download user data to Incident IQ. To do this, run the IncidentIQ.Connectors.MicrosoftAd application (ignore the CONFIG and PDB files in this case). In the connector app window that appears, click Run now.
If the app runs successfully, a data packet of user data will be sent to Incident IQ that can then be used to run a system sync.
Creating a Scheduled Sync Task
To schedule the sync to occur automatically, you’ll need to create a task in Windows Task Scheduler. You can do so by searching for Administrative Tools and selecting Task Scheduler. This will open the Task Scheduler window.
In the Task Scheduler window, start by clicking on Action > Create Basic Task…
This will open the Create Basic Task Wizard. At the very least, you will need to provide a name for the new task. You can also add a description if desired. Once complete, click Next.
In the next step, you will be asked to select when this task should Trigger. We recommend running it daily (overnight) for the most accurate user data. Please ensure you set the task to run regardless of whether a user is logged in or not on the server. Once complete, click Next.
For the next step, you will need to specify what action the task will take when running. Select Start a Program and then click on Next.
When specifying the action to perform, locate the file IncidentIQ.Connectors.MicrosoftAd.exe in the Program/script file browser. Supply the argument -usersync in the Add arguments field. Finally, enter the path you unzipped the files to in the Start in field. Once complete, click Next.
In the final step, you may review all of the settings of your task. Once you have completed your review, click Finish to complete the task setup.
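The same nightly task can be created from PowerShell with the ScheduledTasks module, which is useful when the connector runs on several servers or is set up by script. This is an added example, not part of the Incident IQ guide; the unzip folder and the task account are placeholders, and supplying a password is what makes the task run whether or not a user is logged on.

```powershell
# Added example: register the nightly Incident IQ AD sync task without the wizard.
# Placeholders: the folder the connector was unzipped to and the account the task runs as.
$ConnectorDir = 'C:\IncidentIQ\ADConnector'
$Exe          = Join-Path $ConnectorDir 'IncidentIQ.Connectors.MicrosoftAd.exe'
$RunAs        = 'CONTOSO\svc-iiq-adsync'

if (-not (Test-Path $Exe)) { throw "Connector not found at $Exe" }

# Same three wizard fields: Program/script, Add arguments, Start in.
$action = New-ScheduledTaskAction -Execute $Exe -Argument '-usersync' -WorkingDirectory $ConnectorDir

# Daily, overnight, as the guide recommends.
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Run a missed sync once the machine is back up, and do not let a hung sync run forever.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 2)

# Prompt for the task account's password at registration time rather than storing it in the script.
$cred = Get-Credential -UserName $RunAs -Message 'Password for the account that will run the sync'

# Registering with -User/-Password sets "Run whether user is logged on or not".
# RunLevel Limited keeps the task from running elevated; the connector does not need it.
Register-ScheduledTask -TaskName 'IncidentIQ AD User Sync' `
    -Description 'Nightly Active Directory to Incident IQ user sync' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited

# Show the result so the trigger and account can be checked against the wizard settings.
Get-ScheduledTask -TaskName 'IncidentIQ AD User Sync' | Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```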
Mapping User Roles and Locations
At this point in time you will want to log back into the Incident IQ Microsoft Active Directory app to set your user roles and location mappings. These will indicate automatic role and location assignments for users during system syncs. You can find these settings in the Role Mappings and Location Mappings tabs.
You will want to set a default Role and Location for users right away. These settings act as fallback options in the event a user account does not match any of the custom mappings you set further down in these tabs. We recommend the following for these options:
- Default Role: During your initial setup you will want to set this to Guest. Once all of your custom mappings have been completed and user roles verified, you will most likely want to change this to No Access instead.
- Default Location: You will most likely want to either use the Central/District Office location for this, or create another specific location (such as Unassigned) for it.
When mapping to roles and locations, you may use groups, OU fragments, location names, or any combination of the three. Please note, you do not have to map locations and roles by the same method.
The custom mappings section allows you to specify your user groups or OUs you wish to utilize for mapping users to their respective roles. Please note, when using OUs you will want to structure them in the same format as the examples below:
- OU=Staff and Faculty
- OU=IT Staff