Introduction
The Active Directory (AD) connector in ManagementStudio is used to import data from Active Directory. The AD connector includes several configurable panels:
- AD Discovery Status
- Import User Options
- User Update Options
- Import Machine Options
- Machine Update Options
- Application Update Options
- Troubleshooting
An administrator can toggle each panel on or off as required.
AD Discovery Status
The following table describes the elements in the AD Discovery Status panel:
| UI Element | Description |
|---|---|
| Run AD Discovery Now | Button to initiate AD Discovery immediately. |
| Schedule AD Discovery #1 | Specify times for scheduled AD Discovery. See the scheduled task article for details. |
| Schedule AD Discovery #2 | Additional schedule for AD Discovery. See the same scheduled task article for details. |
| Last Discovery Date | Displays the last successful AD Discovery run date and time. |
| Domain | NETBIOS name of the domain, e.g., GLOBAL. To find it, run set userdomain in Command Prompt. Use the value from the USERDOMAIN variable. |
| Distinguished Name | Distinguished name of the domain, e.g., DC=Global,DC=COM. |
| Emails Logs To | Comma-separated list of email addresses to receive sync logs. Use semicolons for multiple recipients (e.g., t@blogg.com;Accounts@blogg.com). |
| Overall Progress | Displays overall progress of the import operation. |
| Current Task Progress | Indicates progress of the current import task. |
| Import Log | Text field displaying AD import logs. |

Import User Options
Description of elements within the Import User Options panel:
| UI Element | Description |
|---|---|
| User Last Login < X Days | Imports only users that logged in within the last X days. Use 0 to import all users. |
| Exclude Disabled User Accounts | Prevents import of disabled AD user accounts (recommended enabled). |
| Import User Accounts from Sub-Domains | Imports user accounts from Sub-Domains (requires separate connector for each sub-domain). |
| Import User Accounts from Foreign Domains | Imports user accounts from foreign domains (requires separate connector for each). |
| Users to Examine | Specify OU or group using distinguished name. Example: Type: OU; DN: OU=Users,OU=Lab,DC=ms,DC=Local; Options: Nested Members, Direct Members, Exclude Members |
| Exclude User Accounts | Explicitly exclude specified users. Use wildcards (e.g., *SRV*, *Service accounts*). |

User Update Options
Elements in the User Update Options panel:
| UI Element | Description |
|---|---|
| Don't Update Locked Users | Skips updating ManagementStudio user records that are locked (not linked to AD lock status). |
| Import User OU Path as Blueprint | Converts user OU to Blueprints (e.g., AD Info\Computer\UK). |
| If User Blueprint is Blank | Choose action if department is blank: skip, use AD Info\Name, or AD Info\<blank>\Name |
| Start User Blueprint Folder Path | Prefix Blueprint mappings with this root path (e.g., AD Info\). |
| User Field Mappings | Map AD attributes to ManagementStudio fields. - Target: Field in ManagementStudio (detail, custom, or blueprint field) - MS Field: ManagementStudio field name/path - AD Field: AD user attribute (see user AD attributes or calculated User Fields) |

Import Machine Options
Description of Import Machine Options panel:
| UI Element | Description |
|---|---|
| Machine Last Login < X Days | Only imports machines that have logged in within the last X days. Use 0 to import all machines. |
| Exclude Disabled Machine Accounts | Excludes disabled machines from import. |
| Machines to Examine | Specify OU or group for machines using DN (e.g., OU=Computers,OU=Lab,DC=ms,DC=Local); type: OU or Group. Options: Nested Members, Direct Members, Exclude Members |
| Exclude Machine Accounts | Explicitly exclude specified machines. Use wildcards (e.g., *SRV*, *Printers*). |

Machine Update Options
Elements in the Machine Update Options panel:
| UI Element | Description |
|---|---|
| Don't Update Locked Machines | Skips updating ManagementStudio machine records that are locked (not linked to AD lock status). |
| Import Machine OU Path as Blueprint | Converts machine OU to Blueprint (e.g., AD Info\Computer\UK). |
| If Machine Blueprint is Blank | On blank department, skip or use AD Info\Name or AD Info\<blank>\Name. |
| Start Machine Blueprint Folder Path | Prefix Blueprint mappings with this root path (e.g., AD Info\). |
| Machine Field Mappings | Map AD attributes to ManagementStudio machine fields. - Target: ManagementStudio field - MS Field: Field name/path - AD Field: AD machine attribute (computer AD attributes or calculated Computer Fields). |

Application Update Options
Elements in the Application Update Options panel:
| UI Element | Description |
|---|---|
| Link Users to Apps via AD Groups | Link: Adds user-app association if user exists in ManagementStudio. Remove: Unlinks app if user removed from AD group. |
| User Name Format | Displays format for imported users from AD group. |
| Link Devices to Apps via AD Groups | Link: Adds device-app association if device exists. Remove: Unlinks app if device removed from AD group. |
| Device Name Format | Displays format for imported devices from AD group. |
| Recurse Nested App Groups | Searches nested AD sub-groups for users/devices; can be resource-intensive. |
| Exclude by Process Status | Exclude apps from update/link if specific process status is not required. |
| Import Application OU Path as Blueprint | Converts app to blueprint, e.g., AD Info\User\UK\Front Office. |
| If App Blueprint is Blank | If department is blank, skip or use AD Info\Name or AD Info\<blank>\Name. |
| Starting App Blueprint Folder Path | Prefix for Blueprint mappings (e.g., AD Info\). |

Connection Options
Elements in the Connection Options table:
| UI Element | Description |
|---|---|
| Integrated Security | Default is enabled. If Use MS Server Account is selected, ManagementStudio uses the IIS App Pool account to connect to AD. |
| AD Account Username / AD Account Password | Optional: Untick Use MS Server Account to enter credentials for AD authentication. |
| Domain Controller Hostname | Optional: Specify the domain controller for connection. |
| LDAP Port | Optional: If blank, uses port 389 (default). Specify port 636 for secure LDAP if required. |
| Global Catalog Port | Optional: If Domain Controller Hostname is set, specify a custom global catalog port if needed. |

Troubleshooting
Elements in the Troubleshooting panel:
| UI Element | Description |
|---|---|
| Notes | Free-text field for environment or project information. |
| Online Help | Link to ManagementStudio's online solutions article. |
| Verbose Logging | Enables detailed logging; generates large files and should be used only for troubleshooting. |
| Anonymise Data | Anonymised data will only import bare minimum data to be able to create User-App-Device links. The SamAccount/Device name will be scrambled. |

Adding a New AD Connector
Overview
This section describes how to add a new Active Directory connector in ManagementStudio.
Connecting to Active Directory
Before creating an AD connector, ensure you have:
- Appropriate permissions on the domain.
- Required data source information (domain name, credentials, etc).
Creating a New AD Connector
- Navigate to Administration → Extensions → Connectors (1).
- Click Add New Connectors (2).
- Select the connector type [AD-Domain] (3).

- Enter the name of the AD Domain (1).
- Click OK to create the AD connector (2).

- The new connector appears in the left navigation.
- Ensure the toggle next to AD Discovery Status is on.
- Populate the following fields (1): Domain, Distinguished Name.
- Click Save Changes (2).
- Click Run AD Discovery Now (3).
- Confirm when prompted to run AD Discovery.

On completion:
- You will receive a notification when the connection is established.
- Use the Import Log field to review import activity (4).
- Review the Last Discovery Date for confirmation of the last successful run (5).
At this stage, you may configure import settings for users, devices, and applications as required.
Scheduling the Connector

- Go to Administration → Scheduled Tasks Manager (1).
- Click "Click here to add new item", name the task, set the schedule times and days (2).
- Click Save Changes (3).

- Return to Administration → Extensions → Connectors (1).
- Select the AD tab (2).
- In the Schedule AD Discovery #1 dropdown, select the newly created schedule task (3).
- Click Save Changes (4).
ManagementStudio AD Calculated Fields
ManagementStudio provides a set of calculated fields for AD user and device imports.
Users
| Field | Description |
|---|---|
| MS_UserSID | User SID converted from binary to string. |
| Email Related | |
| MS_EmailFromProxyAddresses | Email derived from proxyAddresses attribute. |
| MS_CloudHostedEmail | Returns Yes/No based on the targetAddress AD attribute. |
| Distinguished Name | |
| MS_DistinguishedNamePathDC | Distinguished name path including domain. |
| MS_DistinguishedNamePath | Distinguished name path excluding domain. |
| Member Of | |
| MS_MemberOfName | Group names user is a member of. |
| MS_MemberOfPathCN | Group paths including Common Name (CN), excluding domain. |
| MS_MemberOfPathDCCN | Group paths including Domain and CN. |
| Current Connector | |
| MS_ConnName | Name of the current AD tab. |
| Direct Reports | |
| MS_DirectReportsSam | Direct reports' samAccountName values. |
| MS_DirectReportsFN | Direct reports' full names. |
| MS_DirectReportsFNSam | Direct reports' full names and samAccountName values. |
| Password Expires | |
| MS_PasswordNeverExpiresYN | Yes/No if password never expires. |
| MS_PasswordNeverExpiresTF | True/False if password never expires. |
| Account Enabled | |
| MS_AccountEnabledYN | Yes/No if account is enabled. |
| MS_AccountEnabledED | Enabled/Disabled state. |
| MS_AccountEnabledTF | True/False if account is enabled. |
| Manager Details | |
| MS_ManagerFN | Manager's full name. |
| MS_ManagerFNSamAccount | Manager's full name and samAccountName. |
| MS_ManagerSamAccount | Manager's samAccountName. |
| MS_ManagerDetails_UPN | Manager's User Principal Name. |
| MS_ManagerDetails_FirstName | Manager's first name. |
| MS_ManagerDetails_Surname | Manager's surname. |
| MS_ManagerDetails_Email | Manager's email address. |
| MS_ManagerEmailDetails | Manager's first name, surname, and email. |
Devices
| Field | Description |
|---|---|
| MS_MachineSID | Device SID converted from binary to string. |
| Account Enabled | |
| MS_AccountEnabledYN | Yes/No if device account is enabled. |
| MS_AccountEnabledTF | True/False if device account is enabled. |
| MS_AccountEnabledED | Enabled/Disabled state of the device account. |
| Distinguished Name | |
| MS_DistinguishedNamePathDC | Distinguished name path including domain. |
| MS_DistinguishedNamePath | Distinguished name path excluding domain. |
| Member Of | |
| MS_MemberOfPathDCCN | Group paths including domain and CN. |
| MS_MemberOfPathCN | Group paths including CN, excluding domain. |
| MS_MemberOfName | Group names device is a member of. |
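The SID, Account Enabled and Password Expires fields in the tables above are derived values. The following added example (not ManagementStudio's code) shows the standard binary-to-string SID conversion and the decoding of the two relevant userAccountControl bits, which is useful when checking imported values against AD. It assumes the raw inputs are the AD attributes objectSid and userAccountControl; the function names and the sample SID are constructed for illustration.

```python
import struct

# userAccountControl bit flags as documented by Microsoft
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000


def sid_to_string(raw: bytes) -> str:
    """Convert a binary SID (objectSid layout) to its S-R-A-S1-S2... string form."""
    if len(raw) < 8:
        raise ValueError("binary SID is too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    # Identifier authority: 48-bit big-endian integer
    authority = int.from_bytes(raw[2:8], "big")
    # Sub-authorities: unsigned 32-bit little-endian integers
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def account_flags(uac: int) -> dict:
    """Decode the enabled and password-never-expires bits of userAccountControl.

    Keys mirror the suffixes in the tables above (YN, ED, TF); this mapping
    is an assumption, not a statement of how the connector computes them.
    """
    enabled = not (uac & UAC_ACCOUNTDISABLE)
    never_expires = bool(uac & UAC_DONT_EXPIRE_PASSWORD)
    return {
        "AccountEnabledYN": "Yes" if enabled else "No",
        "AccountEnabledED": "Enabled" if enabled else "Disabled",
        "AccountEnabledTF": enabled,
        "PasswordNeverExpiresYN": "Yes" if never_expires else "No",
        "PasswordNeverExpiresTF": never_expires,
    }


# Constructed sample: a domain-style SID with made-up sub-authorities and RID 1105
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1004336348, 1177238915, 682003330, 1105
)

if __name__ == "__main__":
    print(sid_to_string(SAMPLE_SID))
    print(account_flags(66050))  # disabled account whose password never expires
```

Accounts that decode as enabled with a password that never expires are worth reviewing alongside the Exclude User Accounts patterns used for service accounts.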
Further Support
For additional assistance, visit the ManagementStudio Service Desk to search the knowledge base or raise a support ticket.