Section Topics
Active Directory Synchronization Rules
The Active Directory synchronization process requires an understanding of the following:
- Synchronizing User Accounts
- Synchronizing Groups
- Synchronizing Group Membership
- Managing User Account Information in InterAction
- Starting and Stopping User or Group Synchronization
Synchronizing User Accounts
When synchronizing user accounts between Active Directory and InterAction, the following fields are populated in InterAction through Active Directory Sync:
- Account Name
- Status
- First Name
- Last Name
- Professional
Note: Group membership is also managed through Active Directory on a per-user-account basis. However, it is handled slightly differently. See Synchronizing Group Membership for information.
Note that Active Directory does not require the name fields to be populated. Active Directory only requires a user account. Because InterAction requires a value in both the First Name and Last Name fields, some additional processing must occur. Review the table below for details.
AD User Account | AD First Name | AD Last Name | InterAction First Name | InterAction Last Name |
---|---|---|---|---|
EMROBERTS | Edward | Roberts | Edward | Roberts |
EMROBERTS | <blank> | Roberts | EMROBERTS | Roberts |
EMROBERTS | Edward | <blank> | Edward | EMROBERTS |
EMROBERTS | <blank> | <blank> | EMROBERTS | EMROBERTS |
Synchronizing User Accounts for the First Time
When you run the Active Directory Sync wizard for the first time, the wizard determines if there are any existing user accounts in InterAction and then attempts to match them with user accounts in Active Directory. For sites that are upgrading from a version of InterAction that did not support Active Directory, you will probably have a lot of InterAction user accounts that need to be matched. If you are a new InterAction customer, you may have only added a few user accounts in InterAction manually. If there are no user accounts in InterAction, this process is skipped in the wizard.
Note: The Active Directory Sync wizard is run from within InterAction Administrator. It is used to configure your Active Directory/InterAction synchronization environment. See Configuring Active Directory Synchronization for more details.
If the wizard does find user accounts, it matches all InterAction user accounts with Active Directory accounts by account name. Any user accounts that are mistakenly matched can be undone through the wizard.
If a user account in InterAction does not match with a corresponding user account in Active Directory, some of the user account information is probably slightly different in one system. From within the Active Directory Sync wizard you can match these accounts manually. The wizard updates the information in InterAction to match the information in Active Directory.
Note: If the information that is updated in InterAction includes the account name, the applicable user must be notified. He or she must now use the new account name to log in to InterAction.
For additional information on first time matching, see Setting up Active Directory Synchronization.
Synchronizing User Accounts on an Ongoing Basis
Once the initial synchronization between Active Directory and InterAction is complete, ongoing synchronization occurs for all InterAction users through InterAction Process Manager. The Active Directory Sync process continues to match up users between Active Directory and InterAction.
If an account is added in Active Directory, is marked for synchronization with InterAction, and there is no match in InterAction, the new account is added to InterAction through Active Directory Sync.
If your organization adds a user account to Active Directory that already exists in InterAction, Active Directory Sync attempts to match these. However, during an ongoing synchronization, the synchronization process checks the following:
- Did you mark the user account in Active Directory for synchronization with InterAction? See Configure and Use IA Snap-in for Active Directory.
- Do the first and last names of the User Account match in Active Directory and InterAction?
Identifying Users to Synchronize with InterAction
The synchronization process only works for user accounts that you mark for synchronization with InterAction in the InterAction Snap-in for Active Directory. See Configure and Use IA Snap-in for Active Directory for details.
If you do not mark the user account for synchronization, Active Directory Sync does not process the user account.
Do First and Last Names Match?
If you did mark the user account for synchronization with InterAction in the InterAction Snap-in for Active Directory, the synchronization process then compares the first and last names in Active Directory and InterAction. Unlike bringing new user accounts into InterAction from Active Directory, where the resulting InterAction account may not match the Active Directory account in terms of first name and last name (see "Synching First Name and Last Name Fields" in Synchronizing User Accounts), ongoing matches must match identically.
- If the first and last names match identically, the user accounts are matched up and synchronization occurs.
- If the first and last names do not match, the user accounts are not matched and no synchronization occurs.
A message is written to the log file c:\WINNT\Intrface\IAADLog.txt and an email is sent to the administrator email address. See Troubleshooting for details on emailing the system administrator.
The InterAction administrator must do one of the following:
- If the accounts need to be synchronized, the first and last name fields in both systems must match exactly. Determine how the name should appear and edit the first and last name fields in the applicable system. The next time the sync is run, the user accounts will match.
- If the user account should not be matched up, edit the existing InterAction user account name so the user account from Active Directory can be brought in as a new user account into InterAction during the next synchronization.
How Could the Same User Account be Assigned to Two Different Users?
For example, Ed Roberts worked for your organization and had a user account of EROBERTS. This was stored in Active Directory and synchronized with InterAction. Ed Roberts left the organization and was deleted from Active Directory. The corresponding EROBERTS user account in InterAction remains and is automatically set to Inactive and released for editing.
Now, Erica Roberts joins the organization and is given a user account of EROBERTS in Active Directory. The new EROBERTS user account is then marked for synchronization. When the synchronization process runs, Active Directory Sync attempts to add EROBERTS to InterAction. Because the first and last names do not match between Active Directory and InterAction, no synchronization occurs.
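The rules above (blank-name fallback for new accounts, the marked-for-synchronization check, and the exact name comparison that blocks a reused account name) can be modelled as follows. This is an added illustration, not InterAction code; the class names, the `linked` flag, the outcome strings and the sample accounts are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class ADUser:
    account: str
    first: str = ""
    last: str = ""
    marked: bool = False      # marked for synchronization in the snap-in

@dataclass
class IAUser:
    account: str
    first: str
    last: str
    linked: bool = False      # assumption: set once matched to an AD account

def new_ia_names(ad):
    # Table rule: a blank AD name field is filled with the account name.
    return (ad.first or ad.account, ad.last or ad.account)

def sync_user(ad, ia_users, log):
    """Return the outcome for one AD account during ongoing synchronization."""
    if not ad.marked:
        return "skipped"                  # unmarked accounts are not processed
    ia = ia_users.get(ad.account)
    if ia is None:                        # no InterAction account yet: add it
        ia_users[ad.account] = IAUser(ad.account, *new_ia_names(ad), linked=True)
        return "added"
    if ia.linked:
        return "synced"                   # already matched on an earlier run
    if (ia.first, ia.last) != (ad.first, ad.last):
        log.append(f"{ad.account}: names differ, not matched")
        return "conflict"                 # administrator must resolve this
    ia.linked = True
    return "matched"

def demo():
    # Constructed data: Ed Roberts' released account is still in InterAction.
    ia_users = {"EROBERTS": IAUser("EROBERTS", "Ed", "Roberts")}
    log = []
    ad_accounts = [
        ADUser("EROBERTS", "Erica", "Roberts", marked=True),   # reused name
        ADUser("EMROBERTS", "", "Roberts", marked=True),       # blank first name
        ADUser("JTARNOFF", "Jane", "Tarnoff", marked=False),   # not marked
    ]
    outcomes = {ad.account: sync_user(ad, ia_users, log) for ad in ad_accounts}
    return outcomes, ia_users, log
```

The reused EROBERTS name ends in `conflict`, so Erica Roberts is never attached to Ed Roberts' old InterAction account without an administrator's decision.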
Running Out of User Account Licenses
You can only synchronize as many active user accounts as you have available licenses in InterAction. If you attempt to synchronize more active user accounts than you have licenses, the following occurs:
- An error is written to the process log.
- An email is sent to the administrator email address. See Troubleshooting for details on emailing the system administrator.
- A message displays in Active Directory indicating that the user account cannot log into InterAction due to insufficient licenses. Note that this message only displays if the Active Directory Sync process has the access rights to update the Active Directory user account.
- All user accounts that exceed the available licenses are brought into InterAction as inactive and the applicable users will not be able to log into InterAction.
Note: Inactive InterAction user accounts are still updated through Active Directory Sync, but they do not count against your available licenses. As more licenses are made available or purchased, the user accounts become active the next time Active Directory Sync is run.
The InterAction Snap-in for Active Directory lets you specify which user accounts should be synchronized with InterAction as well as which of those should be active or inactive. See Configure and Use IA Snap-in for Active Directory for more information.
Managing User Account Information in InterAction
User and group information that is synchronized into InterAction is externally owned by Active Directory. However, there is some account information that must be maintained within InterAction. This includes the following information:
- Contact Records - When new accounts are brought into InterAction from Active Directory, InterAction attempts to match the user account with a contact record with the Our Personnel contact type in InterAction. Active Directory Sync does not create a new contact record for the user account if one does not exist.
If a new account is not matched with a contact record, an error is written to the process log. With each subsequent synchronization, Active Directory Sync attempts to find a matching contact record.
- Proxies - Microsoft Outlook delegates from Active Directory are not synchronized with proxies within InterAction. Therefore user account proxies must be maintained within InterAction.
- Private Folder Settings - No private folder settings are synchronized between Active Directory and InterAction. Private folders only affect InterAction customers that have upgraded from a 4.x version of InterAction.
- InterAction Passwords - Active Directory user passwords are not synchronized with InterAction. Users must maintain a separate InterAction password.
If you attempt to modify user account or group information in InterAction that is managed by Active Directory, you are prompted with a warning in InterAction. For example, if you attempt to remove a synchronized user account from a synchronized group in InterAction Administrator, you receive a warning that the action cannot be completed.
How Can I Tell in InterAction Administrator Which Users and Groups are managed by Active Directory?
In all the InterAction Administrator user and group dialog boxes, there is an Active Directory column in the grid. If the applicable user or group is managed by Active Directory, the Active Directory icon displays in the column.
Synchronizing Groups
When synchronizing groups between Active Directory and InterAction, the following information is brought into InterAction through Active Directory:
- Group Name
- Status - See “Configuring and Using the InterAction Snap-in for Active Directory” on page 185 for more information.
- Group Membership - This information obeys slightly different synchronization rules. See “Synchronizing Group Membership” below for more information.
The Group Name, E-mail, and Status fields are managed in Active Directory, letting you update them in one place. Any changes to these fields in Active Directory are realized in InterAction after the next synchronization.
Synchronizing Group Membership
Active Directory Sync treats group membership synchronization separately from user and group synchronization. How group membership synchronization works is dependent upon two factors:
- User and Group Synchronization
- Groups Within Groups
User and Group Synchronization
Even though group membership synchronization is set apart from user and group synchronization, the behavior of how group membership works in InterAction is dependent upon what user and group information is being synchronized.
Here are the three synchronization scenarios to consider:
- The user and group are both synchronized with Active Directory.
- The group is synchronized with Active Directory, but the user account is not synchronized. For example, you may have some temporary user accounts only used for InterAction.
- The group is not synchronized with Active Directory, but the user account is synchronized. For example, the groups in InterAction only apply in InterAction.
The following table defines the behavior based on these scenarios:
What is synchronized? | What can you do in InterAction? | Example |
---|---|---|
Both user and group are being synchronized between Active Directory and InterAction. | Nothing in terms of group membership for the applicable user and group. You cannot add the applicable user to the group or remove the applicable user from the group in InterAction. | The Marketing group is synchronized through Active Directory Sync. This group includes Ed Roberts whose account is also synchronized. The group does not include Jane Tarnoff whose account is synchronized. In InterAction you cannot remove Ed from the Marketing group or add Jane to the Marketing group. These tasks can be accomplished from within Active Directory. |
The group is synchronized, but the user account is not synchronized. | The user account membership in the group can be changed in InterAction, as long as the user account is not being synchronized through Active Directory Sync. Note that the user account is not added to Active Directory when it is added to a group that is being synchronized. | The Marketing group is synchronized through Active Directory Sync. The group does not include the user account Marketing-Temp, which was set up in InterAction and is not being synchronized. The group does include other user accounts which are being synchronized through Active Directory Sync. The Marketing-Temp user account can be added to the Marketing group in InterAction since it is not managed in Active Directory. |
The group is not synchronized, but the user account is synchronized. | The user account membership in the group can be changed in InterAction, as long as the group is not being synchronized through Active Directory Sync. Note that the group is not added to Active Directory when a user account that is being synchronized is added to the group. | The Marketing group is not synchronized through Active Directory Sync. Ed Roberts’s and Jane Tarnoff’s user accounts are synchronized. They are also members of the Marketing team and can be added to the Marketing group through InterAction. |
Groups Within Groups
Nested groups (groups within groups) are supported in Active Directory, but not in InterAction. If a synchronized group contains one or more groups as members, the following occurs during synchronization:
- All members of the sub-groups in Active Directory become members of the top-level synchronized group in InterAction.
- Only the top-level group in Active Directory is added to InterAction unless a sub-group is also marked for synchronization. If the sub-group is marked for synchronization, it is also added to InterAction.
Active Directory Groups to be Synchronized with InterAction | Resulting Groups in InterAction |
---|---|
Marketing* | Marketing, Chicago Marketing |
* Since Marketing and Chicago Marketing are both marked for synchronization in Active Directory, they are both added to InterAction. NY Marketing is not marked for synchronization, so it is not added.
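The flattening rule can be checked against an exported group structure before synchronization, which is useful in an access review because members of an unmarked sub-group still end up in the top-level InterAction group. The sketch below is an added example, not InterAction code; the dictionary layout, the nesting of Chicago Marketing and NY Marketing under Marketing, and the member names are constructed, and every user is assumed to be marked for synchronization.

```python
def flatten(group, ad_groups, seen=None):
    """Return every user in `group`, including users of nested sub-groups."""
    seen = set() if seen is None else seen
    if group in seen:                 # guard against circular nesting
        return set()
    seen.add(group)
    users = set()
    for member in ad_groups[group]["members"]:
        if member in ad_groups:       # member is itself a group: descend
            users |= flatten(member, ad_groups, seen)
        else:                         # member is a user account
            users.add(member)
    return users

def interaction_groups(ad_groups):
    """Only marked groups are created; each receives its flattened members."""
    return {
        name: sorted(flatten(name, ad_groups))
        for name, group in ad_groups.items()
        if group["marked"]
    }

def demo_groups():
    # Constructed sample mirroring the table: NY Marketing is not marked.
    ad_groups = {
        "Marketing": {
            "marked": True,
            "members": ["EROBERTS", "Chicago Marketing", "NY Marketing"],
        },
        "Chicago Marketing": {"marked": True, "members": ["JTARNOFF"]},
        "NY Marketing": {"marked": False, "members": ["MTEMP"]},
    }
    return interaction_groups(ad_groups)
```

In the sample, MTEMP belongs only to the unmarked NY Marketing group, yet appears in the InterAction Marketing group.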
Starting and Stopping User or Group Synchronization
Users and groups are designated for synchronization in one of two places:
- Active Directory Sync Wizard in InterAction Administrator - For more information see Configuring Active Directory Synchronization.
- InterAction Snap-in for Active Directory - For more information, see Configure and Use IA Snap-in for Active Directory.
Once Active Directory Sync begins, only the users and groups with the Add to InterAction check box selected are synchronized, provided that you have adequate InterAction licenses.
Note: The Add to InterAction check box is located on the InterAction tab of the InterAction Active Directory Snap-in extension.
In order to stop synchronization in InterAction for a single user account, the user logged into InterAction Administrator must have write access to Active Directory to ensure that the setting in Active Directory is also cleared. Otherwise the user account or group is matched up during the next synchronization.
On the Edit User Account dialog box, Cleanup tab in InterAction Administrator, select the Clear link to Active Directory check box to stop synchronization.
Edit User Account - Cleanup Tab
What Happens to the User's Group Membership if You Stop Synchronizing the User Account?
Nothing. The user remains in the group in InterAction and Active Directory. If you remove the user from the group in either Active Directory or InterAction, it will not affect the other system.