
AD Bridge User and Group Synchronization Use Cases

As discussed in the Using AD Bridge article, when Active Directory users and security groups are added as members of the JumpCloud security group in AD, JumpCloud will either create new objects or bind to pre-existing objects in JumpCloud, and will keep them synchronized. Conversely, when objects are modified, deleted or removed from the JumpCloud security group, JumpCloud applies one of several synchronization behaviors. This article demonstrates these synchronization schemes.
 

Creating New Objects in JumpCloud
 

To demonstrate a simple object creation use case, we’ll use Figure 1 below. In this model, the JumpCloud group exists and contains two objects: a security group, ‘Sales’, and a single user, ‘Jim’. Each object has an explanation of exactly what is created. Note specifically the nested group ‘Sales - Boulder’ and its creation behavior within JumpCloud.

 

Figure 1:

Assume in the model above that the user object ‘Jim’ pre-existed in JumpCloud. When all qualifying metadata of the incoming AD user matches a user object in JumpCloud (matched by email if defined, or by logon, username@domain.com), the incoming AD user will commandeer the pre-existing JumpCloud user and take ownership of it. Groups behave in the same way (matched by Group Name).
 

Removing Objects from JumpCloud
 

When an AD administrator modifies the User and Group members of the ‘JumpCloud’ AD Security Group, JumpCloud performs the reverse of the creation and syncing behavior for the corresponding user and group objects. The use cases below describe what happens in each case:
 

Users:
 

When an AD user is removed from JumpCloud sync:

  • If the corresponding User in JC is not bound to any other AD synced Groups, the User will be removed (deleted) from JumpCloud.
  • If the corresponding User in JC is bound to an AD security Group synced with JumpCloud, the User will not be removed from JumpCloud (the User must be removed from any and all AD groups synced with JumpCloud).
 

Tags:
 

When an AD security Group is removed from JumpCloud sync:

  • If the corresponding Tag in JC has been associated with some systems, it is disowned; the Tag is not deleted and is now managed by JC.
  • If the corresponding Tag in JC only contains AD managed users, the Tag is deleted.
  • If the corresponding Tag in JC contains JC managed users, it is disowned; the Tag is not deleted and is now managed by JC.
 

Groups:
 

When an AD security Group is removed from JumpCloud sync:

  • If the corresponding Group in JC only contains AD managed users, the Group is deleted from JC.
  • If the corresponding Group in JC contains some JC managed users, it is disowned; the Group is not deleted and is now managed by JC.
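
The removal rules in the Users and Groups lists above can be turned into a pre-change impact preview. The following is an added example, not JumpCloud code: it models the rules over constructed sample data, and it assumes that removing a group from sync removes its members' sync through that group and that a user added directly to the ‘JumpCloud’ group stays in sync. All names (`plan_group_removal`, `users_deleted`, the sample users and groups) are hypothetical.

```python
# Constructed sample state; every name here is illustrative, not from a real directory.
SYNCED_GROUPS = {        # AD security groups that are members of the 'JumpCloud' AD group
    "Sales": {"jim", "ann"},
    "Support": {"ann", "raj"},
}
DIRECT_USERS = {"raj"}   # AD users added to the 'JumpCloud' AD group directly
JC_MANAGED = {           # JumpCloud-managed users sitting in the corresponding JC group
    "Sales": {"contractor1"},
    "Support": set(),
}


def plan_group_removal(group, synced_groups=SYNCED_GROUPS,
                       direct_users=DIRECT_USERS, jc_managed=JC_MANAGED):
    """Preview the JumpCloud-side effect of removing `group` from sync."""
    if group not in synced_groups:
        raise KeyError(f"{group!r} is not a synced group")
    remaining = {g: m for g, m in synced_groups.items() if g != group}
    # Group rule: only AD managed users -> deleted; some JC managed users -> disowned.
    group_outcome = "disowned" if jc_managed.get(group) else "deleted"
    users = {}
    for user in sorted(synced_groups[group]):
        still_bound = sorted(g for g, m in remaining.items() if user in m)
        if still_bound:
            # User rule: bound to another AD synced group -> not removed.
            users[user] = "retained (still in " + ", ".join(still_bound) + ")"
        elif user in direct_users:
            # Assumption (not stated on the page): direct membership keeps the user synced.
            users[user] = "retained (direct member)"
        else:
            # User rule: not bound to any other AD synced group -> deleted.
            users[user] = "deleted"
    return {"group": group_outcome, "users": users}


def users_deleted(group, **state):
    """Return the users that would be deleted from JumpCloud, for change review."""
    plan = plan_group_removal(group, **state)
    return sorted(u for u, outcome in plan["users"].items() if outcome == "deleted")


if __name__ == "__main__":
    for name in SYNCED_GROUPS:
        print(name, plan_group_removal(name))
```

Reviewing the `users_deleted` output before changing membership of the ‘JumpCloud’ AD group shows which JumpCloud accounts depend on a single synced group.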
 

Last Updated: Sep 11, 2017 11:27AM MDT
