Configure Active Directory Sync

Active Directory Sync

Introduction

Infosec IQ provides the capability to synchronize users in your Active Directory with learners in your Infosec IQ account. This article will guide you through the configuration and use of the Infosec IQ Active Directory Synchronizer tool. To download and configure your Active Directory/Infosec IQ sync, navigate to Learners > Sync Tools.

System Requirements

The Infosec IQ Active Directory Synchronizer tool can be installed on any Windows machine that can connect to your Active Directory. The Active Directory sync tool will need “Directory Reader” access to connect to the directory. The machine running the AD sync tool must also meet the following requirements:

  • Windows 7 SP1 or higher or Windows Server 2008 R2 or higher
  • PowerShell 4.0 or higher

Each account or sub-account will have its own unique “secret key” that will need to be entered into the utility. You will need to configure multiple instances of the AD Sync utility in order to sync one Active Directory to multiple Infosec IQ accounts.

Download the Active Directory Synchronizer

  1. Navigate to Learners > Sync Tools.
  2. Copy your secret key.
  3. Click the button to the right of “Download standard local Active Directory sync utility.”
  4. Extract the downloaded ActiveDirectorySynchronizer.zip file to the desired folder.

Configure the Active Directory Synchronizer

You can configure some aspects of the AD sync operations from the same page where the sync utility is downloaded.

  1. In the Learner Info section, choose how you would like the Synchronizer to combine your Active Directory users with Infosec IQ:
    • Only Add New Learners: When an AD Sync is processed, new AD users will be added to IQ as learners, but existing learners will not be updated.
    • Update Existing Learners: When an AD Sync is processed, new AD users will be added to IQ as learners, and changed AD attributes will also be synced over to existing learners. For example, if a user’s title changes in AD, that change would sync over to IQ.
      • Flag Learners For Deletion: If a learner is no longer present in AD, but is a learner in IQ, the learner will be flagged for deletion. Learners in this state are still active and can still access training. Learners are never permanently deleted until an admin reviews the flagged learners and opts to delete them. See below for more information.
  2. The Safety Switch will halt any AD Sync operation that would modify 10% of your learners. The Safety Switch is on by default, but it should be disabled the first time you sync your Active Directory with Infosec IQ, or any time you are syncing a large number of new users.
  3. Click Save.

Use Active Directory Synchronizer With a GUI

  1. Navigate to the folder where you extracted the ActiveDirectorySynchronizer.zip file (step 4 in Download the Active Directory Synchronizer above).
  2. Right-click GUI-AD-Import.exe and select Run as administrator.
  3. Once the UI loads the first box will contain a list of your Active Directory domains. Use the drop-down arrow to choose your desired domain and click the Select button.
  4. Copy the secret key from your Infosec IQ account and click the Paste button to paste it into the tool.
  5. (Optional) Select an AD attribute to map into the Custom field. For example, you could map an Employee ID to this field.
  6. Select the groups to import into Infosec IQ by double-clicking the box next to the group name. Only AD Security Groups will be available here.
  7. Sync to EU Server: This must be enabled if your account is on the EU instance of Infosec IQ.
  8. Remove Group Names: Selecting this option prevents AD groups from being added as Infosec IQ groups. It is typically recommended that you leave this option enabled to avoid importing unwanted groups into Infosec IQ. If this option is not selected, every group that any imported AD user belongs to will be created in IQ.
  9. Click Load. This may take some time depending on the number of learners in Active Directory. It is normal to see a “Not Responding” message in the UI while it runs.
  10. The sync process will import all users in the selected security group(s). To prevent a subset of learners from being imported, click the Exclude button to create an exclusion list.
    • In the upper left corner, you can configure the filter criteria. Select users by clicking on their name. Select multiple users by holding Ctrl or Shift while clicking.
    • Click OK after selecting excluded users. A file will be created called Exclusions.csv containing the list of excluded users. These users will not be imported into IQ for as long as they are on the exclusion list.
  11. (Optional) Click Save CSV to create a CSV file containing a list of all users that will be uploaded.
  12. Click Save Config to save the current configuration. You must save a configuration file if you wish to set up the AD/Infosec IQ synchronization as a scheduled task.
  13. Click the Upload button to sync your Active Directory users to Infosec IQ.

Use Active Directory Synchronizer With Windows Task Scheduler

You can invoke the Active Directory Synchronizer using a Windows task to automate AD sync.

Note: Before proceeding, run the sync tool at least one time as described in the previous section and save the configuration.

Follow the steps below to set up a synchronization schedule.

  1. Open Windows Task Scheduler.
  2. Under Action, click Create Basic Task.
  3. In the Create Basic Task Wizard, enter a name for your task (and optionally a description) and click Next.
  4. Select the desired trigger to invoke the sync task. There will be additional options to configure depending on your selection. Click Next to continue with the configuration.
  5. After configuring your trigger, click Next. In the Action window, select “Start a program” and click Next.
  6. Click Browse and select Scheduled-AD-Import.exe from the folder you extracted in Download the Active Directory Synchronizer above.
  7. Populate the “Start in (optional)” field with the file path where the Scheduled AD sync is located on the computer (e.g. C:\Users\Administrator\Desktop\ActiveDirectorySynchronizer5.3\ActiveDirectorySynchronizer) and click Next.
  8. Review the current task settings and click Finish to create the task.
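The same scheduled task can be registered from PowerShell instead of the Create Basic Task wizard. This is an added example, not part of the Infosec IQ documentation or tooling; it assumes the utility was extracted to the folder in $SyncDir and that $SyncAccount is a dedicated domain account with the “Directory Reader” access the tool requires.

```powershell
# Added example: register the Scheduled-AD-Import.exe task with PowerShell.
# Assumptions: $SyncDir is where ActiveDirectorySynchronizer.zip was extracted and a
# config was saved from the GUI; $SyncAccount is an assumed service-account name.
$SyncDir     = 'C:\Users\Administrator\Desktop\ActiveDirectorySynchronizer5.3\ActiveDirectorySynchronizer'
$SyncExe     = Join-Path $SyncDir 'Scheduled-AD-Import.exe'
$TaskName    = 'Infosec IQ AD Sync'
$SyncAccount = 'CORP\svc-iqsync'   # placeholder; replace with your own account

if (-not (Test-Path $SyncExe)) {
    throw "Scheduled-AD-Import.exe not found in $SyncDir. Extract the zip and save a config first."
}

# "Start in" must be the utility folder so the saved configuration file is found.
$action  = New-ScheduledTaskAction -Execute $SyncExe -WorkingDirectory $SyncDir

# Trigger: once a day at 02:00 (adjust to suit your change window).
$trigger = New-ScheduledTaskTrigger -Daily -At 2:00AM

# Stop a hung run after two hours; catch up if the machine was off at trigger time.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
                                         -StartWhenAvailable

# Supplying a password lets the task run whether or not the account is logged on.
$cred = Get-Credential -UserName $SyncAccount -Message 'Password for the sync service account'

# RunLevel Limited assumes the scheduled exe does not need elevation; use Highest only if a run fails.
Register-ScheduledTask -TaskName $TaskName `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited `
    -Description 'Runs the Infosec IQ Active Directory Synchronizer with the saved config.'

# Confirm what was registered and, after the first run, check its exit code (0 = success).
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult, NextRunTime
```

After the first scheduled run, compare the Changes and Errors downloads in the AD Sync Change Log against what you expected the task to do.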

Delete Learners Flagged by Active Directory Sync

Note: Deleting a learner also deletes all their associated reporting data. Learner deletion is permanent and cannot be undone. Be sure to review the list carefully before deleting learners.

When an AD sync is initiated, learners will be flagged for deletion if an AD user is deleted, disabled, or removed from the AD group(s) being synced to IQ. To review flagged learners:

  1. Navigate to Learners > Sync Tools.
  2. Click Learners to Delete.
  3. On the “Learners Flagged for Deletion” page, click the Delete button on an individual learner, or click “Delete All” to delete all flagged learners.
  4. To view details about a specific learner, click the Learner Profile button.

View the Active Directory Synchronizer Change Log

The AD Sync Change Log displays the 10 most recent AD syncs. If any changes were made during a sync, you’ll be able to download a CSV file in the Changes column. If there were any errors, a CSV download will be available in the Errors column. These files provide details of the changes or errors that took place during the sync. To view the Change Log, navigate to Learners > Sync Tools and click the Log of Changes button.