You can use ADI to manage your user list in KMSAT through Active Directory. The changes that you make to your AD account will affect your KMSAT account at each sync. For example, if you archive a user in your AD account, the ADI sync will archive that user in your KMSAT account.

Additionally, you can specify which user information is automatically synced into your KMSAT account. Then, you can use some of this information in user placeholders when you create phishing campaigns. For more information about user placeholders, see the User Information Placeholders section of our How to Use Placeholders article.

Yes. To use ADI with Azure, follow the instructions in our How to Use ADI with Azure Active Directory Domain Services article. 

You can also set up Azure for single sign-on (SSO) with KMSAT. For more information, see our How Do I Configure SSO/SAML with Azure Active Directory (AD)? article.

To change your ADI login credentials, follow the instructions below:

1. From your computer, navigate to the ADIsync folder.
2. Delete the .dat file from the folder.
3. Open an elevated command prompt window.
4. Navigate to the ADIsync folder in the command prompt.
5. Enter ADIsync.exe config into the command prompt.
6. Enter your new credentials during the configuration.

When you turn on ADI, users who are added to your KMSAT account will be enrolled in phishing or training campaigns if you have enabled automatic enrollment for new users in the campaign. To enable automatic enrollment for new users when you create a campaign, set the Enroll Groups option to All Users, and select the Enable automatic enrollment for new users check box.

New users will also be enrolled in phishing or training campaigns if they are members of groups that are enrolled in campaigns with the Enable automatic enrollment for new users setting enabled. Before you turn on ADI, we recommend that you check the settings for each of your campaigns to enable or disable the Enable automatic enrollment for new users setting as needed.

No. While the changes you make in Active Directory will affect your KMSAT account, the changes you make in your KMSAT account will not affect Active Directory.

If your users have multiple email addresses in Active Directory, ADI will use the reply-to email address as your users' primary email address. 

We use HTTPS/SSL to encrypt the data that is transferred between ADI and KnowBe4 servers. Unless you enable SSL when you set up ADI, ADI uses LDAP/LDAPS to communicate between your domain controller and ADI. To enable SSL, you must already have LDAPS enabled.

To learn how to enable LDAPS, see question 2 in the Getting Started section below.

Yes. To disable user provisioning for an individual user, follow the instructions in the Disabling User Provisioning for a Single User section of our How to Disable User Provisioning for a User article. To disable user provisioning for a group of users, follow the instructions in the Disabling User Provisioning for a Group of Users section of our How to Disable User Provisioning for a User article.

To learn how to enable LDAPS, see TechNet's LDAP over SSL (LDAPS) Certificate article. The article also includes instructions for testing the LDAPS connection so that you can verify if it was enabled successfully. 

You can add comments to your <domain>.conf file by entering the hash special character (#). However, you cannot add a comment at the beginning of a line or in the middle of a line.

For an example of a comment in a <domain>.conf file, see the section below:

[sync.users]
includedOUs = ["Users", "Managers", "East Coast/Managers"] #I am commenting on my .conf file.
excludedOUs = [""]
includedGroups = ["Tech","KnowBe4 Group"]
excludedGroups = [""]
includedUsers = [""]
excludedUsers = [""]

If your users are split between multiple source domains, you will need to set up a configuration for each domain that you want to sync to your KMSAT account. To learn how to set up a configuration for each domain, see the Multiple Source Domain Support section of our Active Directory Integration (ADI) Configuration Guide.

You will need to install ADI for each KMSAT account. For a successful installation, you'll need to install ADI on a separate machine for each domain that you want to sync with. At this time, you cannot use a single installation for multiple KMSAT accounts.

In Active Directory, you can create a new organizational unit, or OU, and add groups that are named after your KMSAT groups to the OU. For example, if you have a KMSAT group that is named "Group 1", you could create an AD group that is named “KB4-Group 1”. Then, you could add the AD users or groups that belong to that KMSAT group to the "KB4-Group 1" group. When you finish setting up this group, you can use this OU for the [sync.groups] or [sync.users] section of your <domain>.conf file. This method may be preferable because you will not need to change the existing groups in your AD account.

You can integrate with Active Directory even if you're using a firewall or proxy. For more information, see our Can I Use to Active Directory Integration (ADI) While Using a Proxy? article.

The users.json file is being sent directly to the same servers that process imports when you import users with a CSV file. No other information is being sent for to the servers for processing. We intentionally leave the configuration data local to your system.

When you enable the Show Group Domain setting, ADI will add your domain name to your AD-synced KMSAT groups. For example, a KMSAT group named "Accounting" that is synced with the domain "knowbe4.com" would be named "knowbe4.com\Accounting". If your users are split between multiple domain sources, this setting can help you organize your users.

After you set up ADI, your KMSAT account will be on test mode until you turn it off. It's important that you leave your account on test mode so that you can preview what will happen when you sync your KMSAT account with Active Directory. To view this preview, sign in to your KMSAT account, and navigate to Users > Provisioning. From the Provisioning tab, you can view the changes that will be made after you enable ADI. Then, you can resolve any potential issues without affecting the users that you have in your KMSAT account.

We recommend that you wait until you are fully satisfied with the preview before you turn off test mode. You can find the Test Mode setting in the User Provisioning section of your Account Settings. 

Yes. By default, the ADI sync service will sync your AD account to your KMSAT account every six hours. If you need to force the sync to happen immediately, you can restart the ADI sync service. If you want to change the sync interval, you can change the information in the sync-interval field of your ADIsync.conf file.

Yes, you can limit the data that syncs to your KMSAT account. In your <domain>.conf file, you will see an area with the settings below:

[sync.fields]
comment = ""
custom-date-1 = ""
custom-date-2 = ""
custom-field-1 = ""
custom-field-2 = ""
custom-field-3 = ""
custom-field-4 = ""
department = "department"
division = ""
employee-number = "employeeNumber"
employee-start-date = "whenCreated"
first-name = "givenName"
last-name = ""
location = "physicalDeliveryOfficeName"
manager = "manager"
mobile-number = ""
organization = "o"
phone-number = "telephoneNumber"
title = "employeeNumber"

If you don't want ADI to pull data for a field, you can leave the field blank or delete the field that is listed between the double quotation marks. Removing fields will not overwrite the existing data for those fields. If you want ADI to pull data from a different field, you can change the field between the double quotation marks to a different field where your user information exists. Fields are case-sensitive and must match the attribute name in your AD.

The groups that sync to KMSAT are based on security groups and distribution groups in Active Directory.  If you want to sync AD groups with your KMSAT account, you can add those groups to the [sync.groups] section of your <domain>.conf file. To add AD groups to your <domain>.conf file, you can use one of the methods below:

• If the groups you want to sync are in one or more OUs, enter the OUs into the includedOUs field of your <domain>.conf file.
• If you want to sync specific groups, enter the groups into the includedGroups field of your <domain>.conf file.

For more information about syncing users and groups, see the Defining Which OUs, Groups, and Users to Sync section of our Active Directory Integration (ADI) Configuration Guide. 

If test mode is enabled for your account, you can start and stop the ADI service as frequently as you'd like. Once you have turned off test mode, your ADI API sync request frequency is limited to once every six hours. 

To exclude AD accounts from syncing to your KMSAT account based on the expiration date of the accounts, follow the steps below:

1. Identify a date that expired accounts will be excluded before or on.
2. Convert the date to Integer8 syntax.
   • If you need help converting the date to Integer8 syntax, you can use the conversion tools that are linked below: 
     
     • LDAP, Active Directory & Filetime Timestamp Converter
     • Date format converter
   • For an example of Integer8 syntax, see the table below: 

     Standard Format	Integer 8 Syntax
     5/21/2017 10:41:52 AM Eastern Time (ET)	131398513120000000

3. Add the converted date to the filter_users_by_ou and filter_users_by_group fields in your <domain>.conf file. For example, see the section below, where XXXXXXXXXXXXXXXXXX represents the date in Integer8 syntax:
filter_users_by_ou =
"(&(l(accountExpires>=XXXXXXXXXXXXXXXXXX)(accountExpires=0))(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*))"

filter_users_by_group =
"(&(l(accountExpires>=XXXXXXXXXXXXXXXXXX)(accountExpires=0))(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*)(|{DYNAMIC_CONTENT}))"

You can exclude AD user accounts from syncing to your KMSAT account based on the lastLogonTimeStamp AD account attribute.

To exclude users from your sync based on a last login date, follow the steps below:

1. Identify a date that you want to use as the last login date limit. 
2. Convert the date to Integer8 syntax.
   • If you need help converting the date to Integer8 syntax, you can use the conversion tools that are linked below:
     • LDAP, Active Directory & Filetime Timestamp Converter
     • Date format converter
   • For an example of Integer8 syntax, see the table below:

     Standard Format	Integer 8 Syntax
     5/21/2017 10:41:52 AM Eastern Time (ET)	131398513120000000

3. Add the converted date to the filter_users_by_ou and filter_users_by_group fields in your <domain>.conf file. For example, see the section below, where XXXXXXXXXXXXXXXXXX represents the timestamp in Integer8 syntax:  
filter_users_by_ou =
"(&(lastLogonTimeStamp>=XXXXXXXXXXXXXXXXXX)(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*))"

filter_users_by_group =
"(&(lastLogonTimeStamp>=XXXXXXXXXXXXXXXXXX)(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*)(|{DYNAMIC_CONTENT}))"


Yes, if the group is synced with your AD account. For example, if you add a user to a KMSAT group that is not synced with your AD account, the user will remain in the KMSAT group unless you remove the user. You can add both AD-managed and non AD-managed users to the KMSAT group. However, if you sync the KMSAT group with an AD group, the group will be managed by AD for AD-managed users. You can also add non AD-managed users to AD-managed groups, but the AD sync won’t affect those users.

No, users with disabled AD accounts will not sync to your KMSAT account. However, if you want to sync disabled manager accounts, you can modify the LDAP filters in the ADIsync.conf file.

ADI can only sync users or groups that are members of your Active Directory domain. Contact objects typically represent external users. Often, the primary purpose of contact objects is to appear in your organization's email address book so your users can send emails to external users. Contact objects are not part of your domain, and you cannot assign permissions to them. 

No. ADI does not query your AD passwords, so no passwords will sync to your KMSAT account.

Navigate to your ADISync folder, and open your ADISync.conf file. In the file, change the logging level from log-level = "ERROR" to log-level = "TRACE". The next time the sync occurs, you will be able to see more detailed information about what actions may have occurred to cause errors with your sync. To view your error logs, navigate to the KnowBe4\ADISync\logs folder.

This issue may occur because the person who is attempting to sync is not a domain admin. Domain admins will typically have the necessary permissions for including and excluding users and groups, but you can use any account that has permission to query all data. If you do not have access to an account with the necessary permissions, you can create a service account with the Read all user information and Read all inetOrgPerson information permissions. To learn how to create an ADI service account, see our How to Create an ADI Service Account in Active Directory article.

If you need to change the user that the ADI sync service is using to connect to your domain controller, follow the instructions below:

1. Navigate to your ADIsync folder. 
2. Delete the <domain>.dat file from the folder.
3. Open an elevated command prompt window.
4. Navigate to your ADIsync folder in the command prompt.
5. Enter ADIsync.exe config into the command prompt.

This error typically occurs if all of the domains in your Active Directory are not added to your KMSAT account.

To learn how to add domains to your KMSAT account, see our How to Add and Verify Allowed Domains article. After you add all of your domains and the next sync occurs, the "No valid email addresses" error should be resolved.

If you need further assistance, contact our support team.

You should resolve this issue by updating the post-URL in your ADIsync.conf file. The default location for the ADIsync.conf file is Program Files\KnowBe4\ADISync. Currently, the post-URL is most likely "https://training.knowbe4.com/api/v1/ldap/user_upload". You will need to change the post-URL to "https://eu.knowbe4.com/api/v1/ldap/user_upload". Then, save the ADIsync.conf file, and restart the ADI sync service.

If your error persists or the post-url was already correct, contact our support team.

If you are unable to give yourself edit permissions, request that your IT team or administrator gives you permission to edit the ADIsync folder.

To give yourself edit permissions for the ADISync folder, follow the steps below:

1. Navigate to your ADIsync folder (Program Files/KnowBe4\ADIsync).
2. Right-click the ADIsync folder, and select Properties.
3. Select the Security tab.
4. Click the Edit button. 
5. Click the Add button. 
6. Enter your username, and click the Check Names button. 
7. If your account is showing correctly after clicking Check Names, click the OK button.
8. Under your username, click the check box next to Full control to give yourself full permissions for the ADIsync folder.
9. In the ADIsync Properties window, click the OK button. Now, you should have the permissions you need to edit the <domain>.conf file.

This error typically occurs if you did not specify the location where ADI can pull your users from. You can specify this location in the [sync.users] section of your <domain>.conf file. For more information, see the Defining Which OUs, Groups, and Users to Sync section of our Active Directory Integration (ADI) Configuration Guide.

If you need further assistance, contact our support team.

First, make sure that you meet the ADI prerequisites that are listed in the Prerequisites section of our Active Directory Integration (ADI) Configuration Guide. If you meet the prerequisites and are still getting this error, we recommend that you install the latest version of Windows Server 2019.

If Windows Server 2019 is already installed or installing Windows Server 2019 does not resolve this error, contact our support team.

Yes. You can download a text file that includes information about all of the sync changes and detailed information about any errors. You can download this file from the sync's Details page. To navigate to this file, follow the instructions below:

1. From your KMSAT navigation panel, navigate to the Users > Provisioning.
2. Click the Details button that is in the same row as the sync.
3. Near the top-right corner of the page, click the Sync and Error Details link.

For more information about the Details page, see our How to Use the Provisioning Tab article.

OUs cannot be added as groups to KMSAT. Only security and distribution groups will be added or synced as groups in KMSAT. When you include OUs in the [sync.groups] section of your <domain.conf> file, only groups that are included in that OU will be added and synced to KMSAT. 

ADI finds your users' email addresses in the proxyAddresses field of your Active Directory. If you are using a mail server other than Microsoft Exchange or Microsoft 365, the proxyAddresses field is most likely blank.

To solve this issue, you will need to change the field where KMSAT pulls email addresses from in your Active Directory, such as the mail attribute field. To learn how to change this field, see the How Do I Change Where to Pull the Email Addresses from Active Directory? section of our Active Directory Integration (ADI) Configuration Guide. 

If you need further assistance, contact our support team.