Pronestor supports Active Directory integration, so you can import your users directly from Active Directory instead of creating them inside Pronestor. This allows your IT administrators to maintain Pronestor users through Active Directory groups, simplifying their jobs.
You can have several user imports in Pronestor, and they can be of different types. The only limitation is that if you have an Exchange integration, all your users have to come from the same Exchange environment.
Table of contents
- Requirements
- Service accounts
- Setting up active directory
- Configuration of the Active Directory import tool for on-premise customers
- Configuration of the Active Directory import tool for cloud customers
- First import
- Group linking
Requirements
To follow this guide you need:
- Administration rights to your Active Directory, for preparing it.
- To know which users need which access in Pronestor (this can be changed later, but all imported users are given accesses as part of this guide). The different access roles in Pronestor are described in the guide Pronestor Roles.
- An account in your Active Directory with read rights to the entire Active Directory. You can limit what is imported within the import tool.
- The users in Active Directory need to have:
- Firstname
- Lastname
- Initial
- Mobile phone (only if you use sms notifications with Visitor)
- Administration rights in your Pronestor.
For Cloud you also need:
- Access to set up a PowerShell script task.
Service accounts
If your Pronestor server is hosted by Pronestor
Create a Service Account with permissions to read from the Active Directory and run a scheduled task. It is important that the password is set to never expire and that the service account has read rights to the entire Active Directory.
If your Pronestor server is on-premise
Pronestor uses a Service Account in the Active Directory import. Set the Service Account’s password to never expire and give the service account read rights to the entire Active Directory.
- Using Windows authenticated database connection:
Create a Service Account with permissions to read from the Active Directory, write to the Pronestor SQL database, and run a scheduled task.
Please note: We recommend using the same Service Account that was used when creating the Pronestor database.
- Using SQL authenticated database connection:
Create a Service Account with permissions to read from the Active Directory and run a scheduled task.
Please note: We recommend using the Pronestor SQL user account for the Pronestor database.
Setting up active directory
Groups
Every access that can be given in Pronestor can also be linked to Active Directory groups.
It is possible to use whichever Organizational Unit and Active Directory group structure you prefer. This guide describes best practice for setting up your Active Directory. You can add departments and VIP groups as needed. There is a simplified setup for those who have one location, and a setup for those with multiple locations.
Both setups require you to create an Organizational Unit (referred to in this guide as PronestorOU) in your Active Directory. Please note down the path of your PronestorOU for later reference.
The next step is to create one group per role in Pronestor, placed in the PronestorOU. Each group represents a permission in Pronestor: one of the roles secretary, facility manager, catering manager or booker, or a department, secretary department or VIP group.
Groups in AD can be either user or security groups.
The naming of each group is not fixed. We do, however, recommend a naming convention that makes the groups maintained in Active Directory easy to read and understand.
One location only - if Pronestor is configured to manage resources on one location only:
Create in Active Directory the following groups within the PronestorOU:
- Local_secretary
- Local_facility_manager
- Local_catering_manager
- Local_booker
- Department_A
- Department_A_secretary
- Department_B
- Department_B_secretary
- VIP_A
- VIP_B
Your users will need more than one Active Directory group to get the necessary rights. A user is only created when they are a member of a local booker group; the other groups add further connections to the user. For example, a normal user might need Local_booker, Department_A and VIP_B.
Every user needs a department, since departments grant Billing account and meeting type, which are required to complete a booking.
If you book on behalf of shared calendars, please remember to import them as if they were a regular user.
Once your users have been connected to the new groups, your Active directory is ready to be imported.
Multiple locations - if Pronestor is configured to manage resource at multiple locations:
Create in Active Directory a set of groups for each role per location and groups for departments and VIP groups as needed.
Ex. If Pronestor is configured with resources on three locations - London, Stockholm, and Copenhagen - then the following groups must be created within the PronestorOU:
- Administrator
- Global_secretary
- Global_facility_manager
- Global_catering_manager
- Global_booker
- London_secretary
- London_facility_manager
- London_catering_manager
- London_booker
- Stockholm_secretary
- Stockholm_facility_manager
- Stockholm_catering_manager
- Stockholm_booker
- Copenhagen_secretary
- Copenhagen_facility_manager
- Copenhagen_catering_manager
- Copenhagen_booker
- Department_A
- Department_A_secretary
- Department_B
- Department_B_secretary
- VIP_A
- VIP_B
Your users will need more than one Active Directory group to get the necessary rights. A user is only created when they are a member of a local booker group; the other groups add further connections to the user. For example, a user from Copenhagen might need Copenhagen_booker, Department_A and VIP_B. This user will only be allowed to book meetings at the Copenhagen location.
Another user needs to book at both Copenhagen and Stockholm. This user could get Stockholm_booker, Global_booker and Department_A, and can then book at every location. A user cannot get both Stockholm_booker and Copenhagen_booker; if they need to book at more than one location, they need the Global_booker group.
If a user has Global_booker, Department_B and VIP_A, the user won't be created. This is because the user doesn't have a local booker group such as Copenhagen_booker, Stockholm_booker or London_booker.
If you have a user who needs to be catering manager at the London location, they need London_booker, London_catering_manager and Department_A.
If you give the user Copenhagen_booker, Global_booker, London_catering_manager and Department_A, the user won't get catering manager access. This is because the user's "home" location is Copenhagen, and a local right can only be given on the home location. If you want the user to have catering manager access in London, give them London_booker, Global_booker, London_catering_manager and Department_A instead.
If you book on behalf of shared calendars, please remember to import them as if they were a regular user.
Once your users have been connected to the new groups, your Active directory is ready to be imported.
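The group layout above, and the membership rules that decide whether a user is imported, can be created and checked from PowerShell rather than by hand. The script below is an added example, not Pronestor's own tooling: it assumes the ActiveDirectory module (RSAT) and rights to create OUs and groups, builds the three-location layout from the example, and then reports users who would not be imported or who hold conflicting local booker groups. The OU name and location names are the guide's examples; the domain is taken from the machine's own domain.

```powershell
# Added example (not Pronestor's code). Creates the PronestorOU and the role,
# department and VIP groups for the three-location layout, then checks users
# against the guide's rules: exactly one local booker group, and a department.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName      # e.g. DC=contoso,DC=com (assumed)
$OUName    = 'PronestorOU'                         # the guide's name for the OU
$OUPath    = "OU=$OUName,$DomainDN"                # note this down for the config file
$Locations = 'London', 'Stockholm', 'Copenhagen'   # the guide's example locations
$Roles     = 'secretary', 'facility_manager', 'catering_manager', 'booker'

# 1. The OU everything lives in (created once)
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OUName)" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OUName -Path $DomainDN
}

# 2. Administrator, Global_* roles, one set of roles per location, departments and VIP groups
$GroupNames = @('Administrator') +
    @($Roles | ForEach-Object { "Global_$_" }) +
    @($Locations | ForEach-Object { $loc = $_; $Roles | ForEach-Object { "${loc}_$_" } }) +
    @('Department_A', 'Department_A_secretary', 'Department_B', 'Department_B_secretary', 'VIP_A', 'VIP_B')

foreach ($name in $GroupNames) {
    if (-not (Get-ADGroup -LDAPFilter "(cn=$name)" -SearchBase $OUPath)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $OUPath
    }
}

# 3. Membership check. Everyone in any *_booker group is a candidate; a user with
#    only Global_booker is not created, two local booker groups are not allowed,
#    and a user without a department cannot complete a booking.
$LocalBooker = $Locations | ForEach-Object { "${_}_booker" }
$Departments = 'Department_A', 'Department_B'

$candidates = Get-ADGroup -LDAPFilter '(cn=*_booker)' -SearchBase $OUPath |
    Get-ADGroupMember -Recursive |
    Sort-Object -Property DistinguishedName -Unique

foreach ($u in $candidates) {
    $groups = (Get-ADPrincipalGroupMembership $u).Name      # direct memberships only
    $local  = @($groups | Where-Object { $_ -in $LocalBooker })
    if ($local.Count -eq 0) {
        "$($u.SamAccountName): no local booker group, will not be imported"
    } elseif ($local.Count -gt 1) {
        "$($u.SamAccountName): more than one local booker group ($($local -join ', '))"
    }
    if (-not ($groups | Where-Object { $_ -in $Departments })) {
        "$($u.SamAccountName): no department group, cannot complete bookings"
    }
}
```

Run the check before the first import and again whenever groups are reorganised; an empty report means every candidate user has exactly one home location and a department. Get-ADPrincipalGroupMembership only lists direct memberships, so if you nest the Pronestor groups inside other groups, extend the check to walk the nesting.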
Configuration of the Active Directory import tool for on-premise customers
When running an on-premises solution, the Active Directory integration is an integrated part of the Administration Module in Pronestor; it just needs to be configured.
First create the Active Directory import in Pronestor.
- Click administration
- Click Settings
- Click import users
- Click New import job
Then you get a new window you can fill out. In this example I named it Active directory.
- Fill out the fields and save.
The relative path can just be *.
- Open the import.
- Choose the "General" tab
- Enable automatic scheduling
Your import will now run daily at the chosen time.
Please note: if the import runs at the same time as an application pool recycle on the server, the import will fail. You can avoid this by moving the daily run time of the AD import.
Configuration of the Active Directory import tool for cloud customers
Go to https://downloads.pronestor.com/ and download ADIntegration.zip.
Unzip the ADIntegration.zip. Place the folder on a server that can run a scheduled task.
The folder contains a file named ADIntegration.exe.config.
Edit it with a text editor such as Notepad. Edit this part:
<appSettings>
<add key="ADAdminUser" value="springfield\kasperh"/>
<add key="ADAdminPassword" value="Pro,Kasper"/>
<add key="ADFullPath" value="LDAP://10.0.53.3"/>
<add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>
<!--<add key="ProNestorOULocation" value="OU=small_pronestor,DC=springfield"/>-->
<!--<add key="ProNestorOULocation" value="OU=proNestorOU,DC=contoso,DC=com"/>-->
<add key="ADGroupSpecific" value="(cn=*)"/>
Usually the account running the scheduled task has read rights to the Active Directory, which allows you to leave the user and password blank. They should then look like this:
<add key="ADAdminUser" value=""/>
<add key="ADAdminPassword" value=""/>
If the account doesn't have read rights to Active Directory, you have to insert a login and password instead.
The config file needs to know the path to the domain controller. It can be an IP address, a DNS name or similar. Insert it here:
<add key="ADFullPath" value="LDAP://10.0.53.3"/>
This part needs the path to the OU where you created the Active Directory groups. It is case sensitive.
<add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>
Lastly, you can limit which groups are read. This can be handy if you placed the Active Directory groups together with other groups in your Active Directory. You do that here, by entering the prefix of the group names. If you used our recommendations, that would be Pronestor:
<add key="ADGroupSpecific" value="(cn=Pronestor*)"/>
Save and close Notepad. The Active Directory import is now configured, but it needs to be set up as a scheduled task and sent to your Planner site.
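Because the OU path is case sensitive and a wrong group filter silently exports nothing, it is worth testing the values in ADIntegration.exe.config against the directory before the task is scheduled. The script below is an added check, not part of the ADIntegration tool: it reads the appSettings shown above, binds to the server named in ADFullPath with the ActiveDirectory module, confirms the OU exists with exactly the spelling in the file, and lists what the ADGroupSpecific filter matches. The config file path is a placeholder.

```powershell
# Added check (not part of the ADIntegration tool). Reads ADIntegration.exe.config
# and verifies ADFullPath, ProNestorOULocation and ADGroupSpecific against AD.
Import-Module ActiveDirectory

$ConfigPath = 'C:\ADIntegration\ADIntegration.exe.config'   # placeholder: your unzipped folder
[xml]$cfg = Get-Content -Path $ConfigPath -Raw

# Collect the <add key="..." value="..."/> entries into a hashtable
$s = @{}
foreach ($e in $cfg.configuration.appSettings.add) { $s[$e.key] = $e.value }

# ADFullPath is an LDAP URL (LDAP://host); the AD cmdlets want only the host
$server = $s['ADFullPath'] -replace '^LDAP://', ''

# Blank user/password means the scheduled task's own account is used for the bind,
# which also keeps a clear-text password out of the config file.
if ($s['ADAdminUser']) {
    Write-Warning "ADAdminUser is set, so a clear-text password is stored in $ConfigPath"
}

# The tool treats the OU path as case sensitive; AD itself does not, so compare
# the DN the directory returns with the config value using a case-sensitive test.
try {
    $ou = Get-ADOrganizationalUnit -Identity $s['ProNestorOULocation'] -Server $server
} catch {
    throw "ProNestorOULocation '$($s['ProNestorOULocation'])' was not found on $server"
}
if ($ou.DistinguishedName -cne $s['ProNestorOULocation']) {
    Write-Warning "OU exists but the case differs from AD; use '$($ou.DistinguishedName)'"
}

# Run the same LDAP filter the tool will use, scoped to the same OU, and show the result
$groups = @(Get-ADGroup -LDAPFilter $s['ADGroupSpecific'] -SearchBase $ou.DistinguishedName -Server $server)
if ($groups.Count -eq 0) {
    throw "Filter $($s['ADGroupSpecific']) matched no groups under $($ou.DistinguishedName)"
}
"$($groups.Count) group(s) matched by $($s['ADGroupSpecific']):"
$groups | Sort-Object Name | Select-Object Name, GroupCategory | Format-Table -AutoSize
```

Run it under the same account the scheduled task will use, so that the bind happens with the rights the import will actually have; if the listing is missing a role, department or VIP group, adjust the filter or move the group before scheduling the task.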
How to create the scheduled task for creating the userfile:
Open the Task Scheduler on the server and create a new scheduled task.
We are only interested in the first three tabs. Here is an example of how it could be set up. The task needs to call the ADIntegration.exe file in the folder you unzipped.
The General tab is where you name and describe the task. Choose "Run whether user is logged on or not", since we want it to run on a schedule.
The next tab is Triggers. Press "New".
In this example the task will run at 2am every night.
Then we go to the tab Actions and choose "New".
In "Program/script", browse to the ADIntegration.exe file and select it. Then fill it out like this and press "OK".
Press "OK" again and the task is set up. This task will create an ADdump.txt file in the same folder as the ADIntegration.exe file. The ADdump.txt file contains the Active Directory information that Pronestor needs to import the users.
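The same task can be registered from PowerShell, which is easier to repeat on a second server and leaves a record of the settings. The script below is an added example, not part of the guide or the ADIntegration download: it assumes a placeholder folder for the unzipped files and a placeholder service account with read rights to Active Directory, creates the 02:00 daily trigger from the example above, registers the task to run whether the user is logged on or not, and runs it once to confirm ADdump.txt is produced. The task name is chosen here, not mandated by Pronestor.

```powershell
# Added example (not Pronestor's code). Registers the ADIntegration.exe scheduled
# task with the settings the guide describes, then runs it once as a smoke test.
$Folder   = 'C:\ADIntegration'                   # placeholder: where ADIntegration.zip was unzipped
$Exe      = Join-Path $Folder 'ADIntegration.exe'
$Account  = 'SPRINGFIELD\svc_pronestor'          # placeholder: service account with AD read rights
$TaskName = 'Pronestor AD import'                # chosen here, not a Pronestor requirement

if (-not (Test-Path $Exe)) { throw "ADIntegration.exe not found in $Folder" }

# Actions tab: run the exe from its own folder so ADdump.txt lands next to it
$action  = New-ScheduledTaskAction -Execute $Exe -WorkingDirectory $Folder

# Triggers tab: daily at 2am, as in the guide's example (outside business hours)
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Give the export a time limit and let it catch up if the server was off at 2am
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) -StartWhenAvailable

# General tab: "Run whether user is logged on or not" requires the account's password
# at registration time. Prompt for it instead of writing it into the script; the
# Task Scheduler service stores it, so it never ends up on disk in clear text here.
$cred = Get-Credential -UserName $Account -Message 'Service account for the Pronestor AD import task'

Register-ScheduledTask -TaskName $TaskName `
    -Description 'Exports Pronestor users and groups from Active Directory to ADdump.txt' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited | Out-Null

# Smoke test: run once now and confirm the export file appears in the folder
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 30
$info = Get-ScheduledTaskInfo -TaskName $TaskName
"Last run result: $($info.LastTaskResult) (0 means success)"
Get-Item (Join-Path $Folder 'ADdump.txt') | Select-Object FullName, Length, LastWriteTime
```

The account entered at the prompt is the one the blank ADAdminUser/ADAdminPassword settings rely on, so it must be the service account with read rights to the entire Active Directory, and -RunLevel Limited keeps the task from running elevated, which the export does not need. If ADdump.txt does not appear, check the Task Scheduler history for the task and run ADIntegration.exe by hand from the folder while logged in as the service account.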
How to create the scheduled task for the import script:
Send:
- The name of your AD dump file; this is AdDump.txt by default
- The name of your import job
to helpdesk@Pronestor.com and ask for an AD import script.
We will send back a PowerShell script. The script imports your users whenever it is run.
To run the script automatically you need to set up a scheduled task on the server. See this guide on how to set up a scheduled task: https://community.spiceworks.com/how_to/17736-run-powershell-scripts-from-task-scheduler
Consider when you want the import to run. You don't want it during business hours.
First import
For cloud customers this will happen automatically when you trigger the PowerShell script.
For on-premise customers this can be triggered manually. It can take some time, depending on the size of your Active Directory. Open your import by pressing the pencil.
In the import, choose the tab called Sessions, then press "Perform import". This can take a long time, so just leave it to do its thing. Please note that the users won't enter Pronestor until the groups are linked, as shown in the next chapter.
Group linking
After the first import of your Active Directory, you need to link the Active Directory groups to Pronestor rights. This is handled inside Pronestor's administration module.
- Click "Settings"
- Click "Import users"
- Find your import job
- Click "Edit"
- Click "Linking"
Here you can see all the accesses within Pronestor, and you can connect each of them to a group. Please note that these pictures are from a demo solution with just one location and no departments or VIP groups, so yours might have a lot more accesses.
- Click "Load AD structure"
Link your Active Directory groups to the accesses you want them to grant by using the drop-down menu.
- Link the groups as desired. Remember the rules about which accesses users need in order to be imported, as described in the chapter Setting up active directory.
- Do another import.
Scheduled task - for on-premise customers only
Once the Active Directory import is set up properly, it's time to make a scheduled task of it. If you are a cloud customer, you can skip this step, as it is set up as part of the PowerShell script.
This is done by ticking the box "Enable automatic scheduling" and choosing a time for the import to run. Don't forget to press "Save schedule".
Now you're all done and the users will be imported daily. If you give new employees the relevant Active Directory groups, you won't have to edit their rights or create them inside Pronestor.