When you import an AD security group, you must import all members of that group. If you only want to import a subset of its members, for example, only Security Center users, then you need to define a new AD security group with only the members you wish to import.
IMPORTANT
• If multiple AD’s are to be integrated into Security Center, they must all belong to different domains.
• If you have servers in your system that are still running an older version of Security Center, you should upgrade them to the current version before using them to host a new Active Directory role.
Integrating with Windows Active Directory
gtap.genetec.com | Security Center Administrator Guide 5.2 144
EN.500.003-V5.2.C1(1) | Last updated: April 19, 2013
To import security groups:
1 From the Home page in Config Tool, open the System task.
2 Click the Roles view, then click Add an entity ( ) and select Active Directory.
3 In the Specific info page, do the following:
a From the Server drop-down list, select the server where this role will be hosted.
b In the Active Directory field, enter the hostname or the IP address of the AD server.
NOTE If encrypted communication is used, the default port is 636. If you selected a different port, you need to append it to the AD server name, separated by a colon (‘:’).
c Specify how you want the role to connect to the AD server.
With both choices, you must have read access to the selected AD service.
Use the Windows credentials assigned to the Genetec Server service running on the server hosting the Active Directory role.
Specify a different set of Windows credentials (username, password).
4 In the Basic information page, enter the name, description, and partition where the Active Directory role will be created.
For more information, see "Common entity attributes" on page 38.
5 Click Next, Create, and Close.
A new Active Directory role ( ) is created. Wait a few seconds for the role to connect to the AD server.
6 In the Properties tab, select the AD security groups to import.
NOTE There are two types of groups in Windows Active Directory: distribution groups and security groups. Security Center can only synchronize with security groups.
a Click Add an item ( ).
b Select the security groups to add to your Active Directory role.
Use one of these two methods:
(Recommended) Type text in Find Active Directory groups, and click .
If the text you entered matches a single group, it is automatically added to the Selected groups list.
If the text you entered matches multiple group names, a second dialog box will appear listing all the group names that match the text you entered.
Select the ones you want, and click OK to add them to the Selected groups list.
Under the Selected groups list, click ( ).
The Active Directory members dialog box appears.
Select a security group, and click OK. Only security groups can be synchronized. If you selected an item that is not a security group, the OK button remains disabled.
NOTE The names shown in that dialog box are display names. Security Center only synchronizes the account names because they are guaranteed to be unique. Typically, the display names and the account names are the same. The only way to tell them apart is that the display names contain spaces.
c Repeat the previous step as often as necessary until all security groups you wish to synchronize with the AD are listed in Selected groups, then click OK.
The selected groups are listed under Synchronized groups in the Properties tab. For more information about the Properties tab, see Active Directory – "Properties" on page 517.
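The notes in steps 3 and 6 above name three things that make an import fail or behave unexpectedly: the AD server field must carry the port when it is not the LDAPS default of 636, only security groups (not distribution groups) can be synchronized, and Security Center keys on account names rather than the display names shown in the picker. The following PowerShell pre-flight check is an added example, not part of the Genetec guide or its software; it assumes the RSAT ActiveDirectory module is installed, and the host name and group names are constructed placeholders to replace with your own.

```powershell
# Added pre-import check (not from the Genetec guide). Requires the RSAT
# ActiveDirectory module. The AD host and group names are constructed
# placeholders.
Import-Module ActiveDirectory

# The value exactly as you would type it in the Active Directory field:
# "host" or "host:port". The guide's default for encrypted traffic is 636.
$AdServerField  = 'ad01.example.local:636'
$GroupsToImport = @('SC-Operators', 'SC-Cardholders')

function Resolve-AdEndpoint {
    param([string]$Field)
    $parts = $Field.Split(':', 2)
    $port  = if ($parts.Count -eq 2) { [int]$parts[1] } else { 636 }
    return [pscustomobject]@{ Host = $parts[0]; Port = $port }
}

$endpoint = Resolve-AdEndpoint -Field $AdServerField

# The role itself talks LDAPS to this port; the AD cmdlets below use ADWS,
# so this TCP check is the only part that exercises the port you configured.
$tcp = Test-NetConnection -ComputerName $endpoint.Host -Port $endpoint.Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "Cannot reach $($endpoint.Host):$($endpoint.Port); the role will not connect."
}

foreach ($name in $GroupsToImport) {
    $group = Get-ADGroup -Identity $name -Server $endpoint.Host

    # Security Center synchronizes security groups only; a distribution group
    # leaves the OK button disabled in the Active Directory members dialog.
    if ($group.GroupCategory -ne 'Security') {
        Write-Warning "$name is a $($group.GroupCategory) group and cannot be synchronized."
        continue
    }

    # Every member of a synchronized group is imported, so list them now.
    # Nested groups are flagged because their members are pulled in as well.
    foreach ($m in Get-ADGroupMember -Identity $group -Server $endpoint.Host) {
        if ($m.objectClass -eq 'group') {
            Write-Warning "$name contains nested group $($m.SamAccountName); its members will be imported too."
            continue
        }
        if ($m.objectClass -ne 'user') { continue }   # skip computer and other objects

        $user = Get-ADUser -Identity $m.SamAccountName -Server $endpoint.Host -Properties DisplayName
        # Security Center keys on the account name (unique); the display name
        # is only what the picker shows and may contain spaces.
        [pscustomobject]@{
            Group       = $name
            AccountName = $user.SamAccountName
            DisplayName = $user.DisplayName
            Enabled     = $user.Enabled
        }
    }
}
```

Run it from a workstation with RSAT before creating the role; the member listing is also a convenient record of exactly which accounts the import will create, which helps when resolving conflicts with entities that already exist in Security Center.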
7 For each of the synchronized groups, specify how you want to import them.
You have the following options:
As user group. Select this option to import the synchronized group as a user group, and the group members as users.
Create user on first logon. This is the default option, and it creates an empty user group.
User entities are only created when someone tries to log on with one of the synchronized AD accounts. This avoids having to create all user entities at once, which can freeze up the system.
If you clear this option, all user entities are created at the same time as the user group.
As cardholder group. Select this option to import the synchronized group as a cardholder group, and the group members as cardholders. There is no delayed creation for cardholders. All synchronized cardholders are created at once.
Import credentials. Select this option to import the credential information of the synchronized cardholders.
8 If you are importing the AD security group as cardholder group, select which cardholder fields you want to synchronize with the AD. See "Select which cardholder fields to synchronize with the AD" on page 146.
9 (Optional) "Map custom fields to synchronize with the AD" on page 148.
10 Click Apply, and then click Synchronize now ( ).
All synchronized groups and their members are imported as Security Center entities according to your specifications, with a yellow arrow ( ) superimposed on their icon.
After you are done: Some additional configuration might be required, depending on what you synchronized with the AD:
• If you already had entities configured in your system, you might need to resolve some conflicts due to the import. See "Resolve conflicts due to imported entities" on page 149.
• (Optional) Configure the imported user groups with proper privileges and security options so when new user entities are created, they can automatically inherit those properties from their parent user group. For more information, see "Defining user groups" on page 96.
• (Optional) Configure the imported cardholders and cardholder groups. For more information, see "Configuring cardholders and cardholder groups" on page 283.
• (Optional) Create a scheduled task to synchronize imported entities with the AD on a regular basis. For more information, see "Create a scheduled task" on page 109. After you create a scheduled task, the warning message No scheduled task exists to synchronize this role disappears from the Properties tab.