How to Synchronize a Rescue Admin Group with Active Directory User Groups (on-prem)
Master Account Holders can import Active Directory users as Rescue Admins into their organization. Key user data in Rescue is updated automatically when it changes in Active Directory.
- Generate a service token and default password for new users in the Admin Center.
- Select the Global Settings tab.
- To generate a service token, click Generate and Copy under Active Directory Synchronization.
Result: A service token is generated and copied to your clipboard.
- Define the default password you want your new admins to use for their first login.
Note: Users are required to change this password upon their first login.
- At the bottom of the page click Save.
- Download and extract the server application.
- In the Rescue Administration Center, under Active Directory Synchronization, click Download to download the service installer.
Result: The service installer is downloaded to your computer in a zip file.
- Extract the zip file to a folder.
- Run the server application, and configure synchronization behavior.
Important: You need privileges to run the application as a system service. The computer running the application must be connected to Active Directory with sufficient permissions to access and query all Active Directory groups and users.
- Select the Microsoft AD service to be used.
- Submit the following credentials:
- Master Account Holder Rescue credentials
- Password
- The service token you previously generated on the Global Settings tab of the Admin Center.
- Region
Note: If you check Dry Run mode, a preview of the changes the synchronization will make to your Rescue account is output in an Excel file.
Important: If you select Dry Run mode, synchronization can ONLY be used as a Windows terminal application.
- Click Next.
Note: The application runs in Admin mode.
- Enter search criteria (for example 'support').
- Enter a search term (for example 'aid').
Result: AdSync searches for this term among the configured AD groups.
- Enter your Active Directory domain where you want to import users from, and click Next.
- Select the Admin Groups/Master Admin Groups you want to synchronize.
- Click the Admin Groups/Master Admin Groups radio button under Technician Groups/Admin Groups.
- The first column contains the AD Groups. Select one Active Directory group you want to synchronize with a Rescue Admin Group.
- The second column contains the Rescue Admin Groups. Select one group that will be synchronized with the AD group.
- Navigate to the Enable Full Group synchronization option:
- checked (default): The synchronization process performs a one-to-one synchronization, that is, groups, users, and hierarchies inside Rescue will be exactly the same as in the on-prem AD hierarchy.
- unchecked: Only user status updates are synchronized. If a user is in a different group than the configured one, they will not be moved back to the configured group.
- Click the arrow button pointing to the third column to finalize the selection.
Note: If you want to select multiple groups, repeat step a. To cancel synchronization between two groups, select them in the third column, and click the arrow pointing towards the second column.
Important: You can synchronize up to 999 groups, each consisting of a maximum of 999 members.
- Navigate to Group settings:
- Mobile license: a mobile license is assigned to the members of the group, if available.
- Mapping UPN to SSOID: When checked, the SSO IDs of the group members will directly correspond to their UPNs.
- Click Next.
Result: A pop-up window is displayed, prompting you to decide whether you want to start counting the number of users in the selected group. This additional step was introduced because, in certain scenarios of On-premises Active Directory Synchronization (AdSync), the user count process can be time-consuming.
- Select Yes in the confirmation pop-up window to continue with the synchronization.
Note: If you connected at least one Active Directory Group to a Rescue Admin Group, check an option under Global settings to define the behaviour of the synchronized group.
- Select your preferences under Global settings:
- Use UPN instead of Email address: When checked, you can use "UserPrincipalName" instead of an email address in Rescue.
- Use Email address as a SSO ID: When checked, the SSO ID in Rescue is set to the email address.
- Click Next.
- In the resulting pop-up window click Yes to continue with the synchronization.
- Select how AdSync will run:
- Start Active Directory Synchronizer as a service.
- Start Active Directory Synchronizer as a Windows terminal application.
- Interval to send changes (minutes): You can enter your preferred frequency of the synchronization operation.
Important: Running the synchronizer as a Windows app will also place an icon resembling the Rescue logo in the System tray. You can hide or unhide the application by right-clicking on it. If you want to stop the synchronization process, use the Close the program option.
- If the installation was successful, click Finish, and close the installer.
Result: The service application is installed as a Windows service provisioning users belonging to the selected Active Directory group(s) to the selected Rescue Admin Group(s).
Restriction: It is not possible to delete an admin from the LogMeIn Rescue Admin Center by using the Active Directory synchronization service. When a user is deleted or moved in Active Directory, the corresponding LogMeIn Rescue admin is disabled.
Note: If an admin is moved to another LogMeIn Rescue Admin Group, subsequent synchronization will update the user's status and move the user back to its initial synchronization group.
Note: If a user is disabled, deleted, or moved in Active Directory, the admin's mobile license is freed up, and becomes available for other members of the LogMeIn Rescue organization.
Tip: If the synchronization service fails, you can get an error log by clicking Active Directory Logger at the bottom of the Active Directory Synchronization section on the Global Settings tab of the Admin Center.
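Because every member of a mapped AD group becomes a Rescue Admin, it is worth reviewing group membership before mapping it. The following script is an added example, not part of the LogMeIn tooling: it lists the AD groups matching a search term and checks them against the 999-group and 999-member limits and the UPN and email settings described above. It assumes the RSAT ActiveDirectory module is installed, and its name-substring match only approximates the AdSync search.

```powershell
# Added example: pre-flight review of AD groups before mapping them in AdSync.
# Assumption: RSAT ActiveDirectory module; 'support' is the article's sample term.
#Requires -Modules ActiveDirectory
param(
    [string]$SearchTerm = 'support',
    [int]$MaxGroups  = 999,   # limits stated in this article
    [int]$MaxMembers = 999
)

# Escape single quotes so the term cannot break out of the filter string
$term   = $SearchTerm.Replace("'", "''")
$groups = @(Get-ADGroup -Filter "Name -like '*$term*'")
if ($groups.Count -gt $MaxGroups) {
    Write-Warning "$($groups.Count) groups match; the limit is $MaxGroups."
}

$report = foreach ($g in $groups) {
    # Direct members only; nested groups are counted separately for review
    $members = @(Get-ADGroupMember -Identity $g.DistinguishedName)
    $users   = @($members | Where-Object objectClass -eq 'user' |
                 Get-ADUser -Properties mail)
    [pscustomobject]@{
        Group        = $g.Name
        Users        = $users.Count
        NestedGroups = @($members | Where-Object objectClass -eq 'group').Count
        # Accounts already disabled in AD
        Disabled     = @($users | Where-Object { -not $_.Enabled }).Count
        # Relevant to "Use UPN instead of Email address" / "Mapping UPN to SSOID"
        NoUPN        = @($users | Where-Object { -not $_.UserPrincipalName }).Count
        # Relevant to "Use Email address as a SSO ID"
        NoMail       = @($users | Where-Object { -not $_.mail }).Count
        OverLimit    = $users.Count -gt $MaxMembers
    }
}

$report | Sort-Object Users -Descending | Format-Table -AutoSize
```

Compare the result with the Excel preview produced by Dry Run mode before enabling Full Group synchronization.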
How to Stop the AD Sync Service
Result: A confirmation window pops up, asking if you want to stop the service. Click Yes. Now the service is stopped, and you will see the starting window of Rescue AD Sync.