This KB contains the following information on using AD Sync:
- Operation and Usage
- User Experience
Operation and Usage
AD Sync provides one-way synchronization of passwords from JumpCloud to Active Directory. Synchronization runs at approximately 90-second intervals.
- Required: AD Sync depends on the AD Import agent. Passwords are written from JumpCloud to AD for all groups of users in the JumpCloud security group that are configured with the AD Import agent.
- Users placed directly in the JumpCloud security group aren't synced by the sync agent. The sync agent only recognises users imported from groups nested under the JumpCloud security group.
- Once imported, AD-managed users and groups in JumpCloud can be connected to JumpCloud-managed resources such as Systems, RADIUS, LDAP, etc. Users can then update their passwords directly in JumpCloud and have them sync back to AD.
- AD rejects a password change if the new password satisfies JumpCloud's complexity requirements but not AD's. We recommend setting the same complexity requirements for the JumpCloud security group in AD and in JumpCloud.
AD Sync writes back the following data fields, which are editable in JumpCloud:
Verifying Successful Configuration
- User accounts should automatically appear in the JumpCloud Admin Portal after being placed in the JumpCloud security group in Active Directory.
- Synchronization starts at approximately 90-second intervals and takes up to a couple of minutes to complete, depending on the number of users and groups in JumpCloud and AD. Allow time for users to appear in the Admin Portal.
- After a user is successfully imported, they appear in the JumpCloud Admin Portal with an AD Bridge icon underneath their email address.
- The Password field is editable by users in the JumpCloud User Portal, Mac system application, or by an administrator in the JumpCloud Admin Console.
Warning: Users are deleted from JumpCloud, and any data or resource bindings associated with the user are lost, under the following conditions:
- If you change a User logon name in the Account tab of the User Properties window. In this case, a new user is created with the new username and resource bindings are maintained.
- Disabling a user in AD.
- Removing a user from the JumpCloud group.
You can temporarily disable AD Bridge operation by selecting Deactivate in the Active Directory tab of the Directories object. Deactivation stops all synchronization between AD and JumpCloud.
The agent is registered as a service to start automatically.
- Display name: JumpCloud AD Bridge Sync Agent
- Service name: JCADBridgeAgent
- Log located at C:\Program Files\JumpCloud\AD Bridge\agent
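The following PowerShell script is an added example for checking the points above on the AD host; it is not JumpCloud's own tooling. It assumes the ActiveDirectory RSAT module is available, that the AD Sync security group is named 'JumpCloud' (placeholder), and that the agent writes files matching *.log under the log directory listed above. It verifies the JCADBridgeAgent service, flags users placed directly in the security group (which the sync agent does not see), prints the AD password policy for comparison with JumpCloud's complexity settings, and tails the newest agent log.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not JumpCloud code. Group name and log filename pattern are assumptions.
param(
    [string]$JumpCloudGroupName = 'JumpCloud',   # placeholder: your AD Sync security group
    [string]$AgentLogDir = 'C:\Program Files\JumpCloud\AD Bridge\agent'
)

# 1. The sync agent runs as the JCADBridgeAgent service and must be running.
$svc = Get-Service -Name 'JCADBridgeAgent' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'JCADBridgeAgent service not found: is the AD Import agent installed on this host?'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "JCADBridgeAgent is $($svc.Status); passwords will not sync until it is running."
} else {
    Write-Host "JCADBridgeAgent is running (StartType: $($svc.StartType))."
}

# 2. Only users reached through nested groups are synced; direct user members
#    of the JumpCloud security group are invisible to the sync agent.
$members      = Get-ADGroupMember -Identity $JumpCloudGroupName
$directUsers  = $members | Where-Object objectClass -eq 'user'
$nestedGroups = $members | Where-Object objectClass -eq 'group'
foreach ($u in $directUsers) {
    Write-Warning "Direct member '$($u.SamAccountName)' will NOT be password-synced; place it in a nested group."
}
Write-Host "Nested groups under '$JumpCloudGroupName': $($nestedGroups.Name -join ', ')"

# 3. AD rejects a JumpCloud password that fails AD's complexity policy, so show
#    the domain policy for comparison. A fine-grained password policy (PSO)
#    applied to the group would override these values.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("AD policy: complexity={0} minLength={1} history={2}" -f
    $policy.ComplexityEnabled, $policy.MinPasswordLength, $policy.PasswordHistoryCount)

# 4. Tail the newest agent log (filename pattern *.log is an assumption).
$log = Get-ChildItem -Path $AgentLogDir -Filter '*.log' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($log) { Get-Content -Path $log.FullName -Tail 20 }
else      { Write-Warning "No *.log files found under $AgentLogDir" }
```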
User Experience
- As with users newly added to JumpCloud, when a user is added to the JumpCloud security group a Welcome email is sent to the email address of the identity.
- User passwords can be updated in JumpCloud or Active Directory.
- Users are unable to access any resources controlled by JumpCloud until they activate their JumpCloud account.