The AD Bridge provides one way synchronization of users and groups from Active Directory to JumpCloud. Synchronization runs at approximately 90 second intervals.
- Required: A security group named "JumpCloud". This group must be a member of the default Users OU within Active Directory. A user or group must be a member of this group in order to synchronize.
- Optional: A security group named "JumpCloud Admins". Any user that is a member of this group and also a member of the JumpCloud group will have Global Administrator permissions enabled within JumpCloud. This function does not support members of nested groups.
- Once mirrored, AD managed users and groups within JumpCloud can be bound to JumpCloud managed resources such as Systems, RADIUS, LDAP, etc.
The maximum number of users that can be imported or synced is determined by the AD server's LDAP configuration MaxPageSize value, which is 1000 by default. The AD Bridge only processes the first page of LDAP results.
LDAP is queried one group at a time, so any number of users can be imported as long as each nested group has less than the MaxPageSize number of users. Only groups whose direct user membership exceeds that number will fail to import.
User SynchronizationJumpCloud mirrors the following data fields and will be read-only in JumpCloud:
- First and Last Name
- Email address* - This value is obtained from either the E-mail field on the General tab OR the User logon name from the Account tab of the user properties. If both values are populated the value on the General tab takes precedence. Note: This value will be used to sync the AD user to the JumpCloud user going forward.
Verifying Successful Configuration
- User accounts should automatically appear in the JumpCloud User Console after being placed in the JumpCloud OU in Active Directory.
- Synchronization starts at approximately 90 second intervals, and takes up to a couple of minutes to complete, depending on the number of users and groups in JumpCloud and AD. Allow time for users to appear in the Admin Portal.
- After a user is successfully synchronized, they'll appear in the JumpCloud Admin Portal with an AD Bridge icon underneath their email address as shown in the following image:
Users will be deleted from JumpCloud and any data or resource bindings associated with the user will be lost in the following conditions:
- If you change the User logon name in the Account tab of the User Properties window (A new user will be created with the new username, resource bindings are maintained in this case).
- Disabling the user in AD.
- Removing the user from the JumpCloud group.
- Groups that are a member of the JumpCloud group will be mirrored to the JumpCloud directory, Users that are a member of these groups will be mirrored and bound to the group.
- Nested groups will be traversed recursively and their structure will be flattened. E.g., in AD, Group1 is a member of JumpCloud with members User1, User2 and Group2. Group2 is a member of Group1 and contains members User3 and User4. In JumpCloud, Group2 will be mirrored and have User3 and User4 bound. Group 1 will be mirrored and have User1, User2, User3 and User4 bound.
- JumpCloud managed users may be bound to AD mirrored groups. Their membership will be unaffected by subsequent synchronizations.
You can temporarily disable AD Bridge operation by selecting "Deactivate" in the Active Directory tab of the Directories object. Deactivation will cease all synchronization between AD and JumpCloud.
The agent is registered as a service to start automatically.
- Display name: JumpCloud AD Bridge Agent
- Service name: adint
- Log located at c:\Windows\Temp\JumpCloud_AD_Integration.log
- Similar to when users are newly added to JumpCloud, as the user is added to the JumpCloud security group a "Welcome" email will be delivered to the email address of the identity.
- Users will be unable to access any resources controlled by JumpCloud until they reset their password on their Windows workstation or on a domain controller.