ADI FAQ
In this article, you can find frequently asked questions about using Active Directory Integration (ADI) to integrate your Active Directory (AD) with your KMSAT account. If you have additional questions that this article does not include, please submit a ticket to our support team.
To learn more about using ADI to integrate your AD account with KMSAT, see our Active Directory Integration (ADI) Configuration Guide.
General Information
You can use ADI to manage your user list in KMSAT through Active Directory. The changes that you make to your AD account will affect your KMSAT account at each sync. For example, if you archive a user in your AD account, the ADI sync will archive that user in your KMSAT account.
Additionally, you can specify which user information is automatically synced into your KMSAT account. Then, you can use some of this information in user placeholders when you create phishing campaigns. For more information about user placeholders, see the User Information Placeholders section of our How to Use Placeholders article.
Yes. To use ADI with Azure, follow the instructions in our How to Use ADI with Azure Active Directory Domain Services article.
You can also set up Azure for single sign-on (SSO) with KMSAT. For more information, see our How Do I Configure SSO/SAML with Azure Active Directory (AD)? article.
- From your computer, navigate to the ADIsync folder.
- Delete the .dat file from the folder.
- Open an elevated command prompt window.
- Navigate to the ADIsync folder in the command prompt.
- Enter ADIsync.exe config into the command prompt.
- Enter your new credentials during the configuration.
When you turn on ADI, users who are added to your KMSAT account will be enrolled in phishing or training campaigns if you have enabled automatic enrollment for new users in the campaign. To enable automatic enrollment for new users when you create a campaign, set the Enroll Groups option to All Users, and select the Enable automatic enrollment for new users check box.
New users will also be enrolled in phishing or training campaigns if they are members of groups that are enrolled in campaigns with the Enable automatic enrollment for new users setting enabled. Before you turn on ADI, we recommend that you check the settings for each of your campaigns to enable or disable the Enable automatic enrollment for new users setting as needed.
We use HTTPS/SSL to encrypt the data that is transferred between ADI and KnowBe4 servers. ADI communicates with your domain controller over LDAP by default; if you enable SSL when you set up ADI, it uses LDAPS instead. To enable SSL, you must already have LDAPS enabled.
To learn how to enable LDAPS, see question 2 in the Getting Started section below.
Getting Started
You can add comments to your <domain>.conf file by entering the hash special character (#). However, you cannot add a comment at the beginning of a line or in the middle of a line.
For an example of a comment in a <domain>.conf file, see the section below:
[sync.users]
includedOUs = ["Users", "Managers", "East Coast/Managers"] #I am commenting on my .conf file.
excludedOUs = [""]
includedGroups = ["Tech","KnowBe4 Group"]
excludedGroups = [""]
includedUsers = [""]
excludedUsers = [""]
After you set up ADI, your KMSAT account will be in test mode until you turn it off. It's important that you leave your account in test mode so that you can preview what will happen when you sync your KMSAT account with Active Directory. To view this preview, sign in to your KMSAT account, and navigate to Users > Provisioning. From the Provisioning tab, you can view the changes that will be made after you enable ADI. Then, you can resolve any potential issues without affecting the users that you have in your KMSAT account.
We recommend that you wait until you are fully satisfied with the preview before you turn off test mode. You can find the Test Mode setting in the User Provisioning section of your Account Settings.
Syncing Information
[sync.fields]
comment = ""
custom-date-1 = ""
custom-date-2 = ""
custom-field-1 = ""
custom-field-2 = ""
custom-field-3 = ""
custom-field-4 = ""
department = "department"
division = ""
employee-number = "employeeNumber"
employee-start-date = "whenCreated"
first-name = "givenName"
last-name = ""
location = "physicalDeliveryOfficeName"
manager = "manager"
mobile-number = ""
organization = "o"
phone-number = "telephoneNumber"
title = "employeeNumber"
If you don't want ADI to pull data for a field, you can leave the field blank or delete the field that is listed between the double quotation marks. Removing fields will not overwrite the existing data for those fields. If you want ADI to pull data from a different field, you can change the field between the double quotation marks to a different field where your user information exists. Fields are case-sensitive and must match the attribute name in your AD.
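The following checker is an added example and is not KnowBe4's code or part of ADI. It reads the [sync.fields] section of a constructed <domain>.conf fragment and reports the three things worth previewing before a sync: fields left blank (ADI will skip them), attribute names that do not match a directory object exactly (the page's case-sensitivity rule; the sample deliberately contains "givenname"), and one AD attribute mapped to more than one KMSAT field. The configuration text and the set of attribute names are constructed sample data, and the line format assumed is the `key = "value"` style shown above, with an optional trailing # comment.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed [sync.fields] section (not a real customer file). It contains
# a lowercase "givenname", which the checker should flag because ADI matches
# attribute names case-sensitively, and maps employeeNumber to two fields.
SAMPLE_CONF = """
[sync.users]
includedOUs = ["Users"]

[sync.fields]
comment = ""
department = "department"
employee-number = "employeeNumber"
first-name = "givenname"   # trailing comments are allowed
last-name = "sn"
manager = "manager"
title = "employeeNumber"
"""

# Attribute names as they appear on a constructed sample user object in AD.
SAMPLE_USER_ATTRIBUTES = {
    "givenName", "sn", "department", "employeeNumber",
    "manager", "title", "mail", "proxyAddresses",
}

# key = "value", optionally followed by whitespace and a # comment.
LINE_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"([^"]*)"')


def parse_sync_fields(text: str) -> Dict[str, str]:
    """Return the KMSAT-field -> AD-attribute map from the [sync.fields] section only."""
    mapping: Dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped == "[sync.fields]"
            continue
        if not in_section:
            continue
        match = LINE_RE.match(line)
        if match:
            mapping[match.group(1)] = match.group(2)
    return mapping


def check_sync_fields(mapping: Dict[str, str], attributes: Set[str]) -> dict:
    """Preview problems in a field map against the attributes present on a directory object.

    skipped:    fields with an empty value (ADI pulls nothing for them)
    missing:    (field, attribute, case_hint) where the attribute is absent; case_hint is the
                attribute that matches ignoring case, or None
    duplicates: attribute -> list of fields when one attribute feeds several fields
    """
    skipped = sorted(field for field, attr in mapping.items() if attr == "")

    by_lowercase = {attr.lower(): attr for attr in attributes}
    missing: List[Tuple[str, str, Optional[str]]] = []
    for field, attr in mapping.items():
        if attr and attr not in attributes:
            missing.append((field, attr, by_lowercase.get(attr.lower())))

    by_attribute: Dict[str, List[str]] = {}
    for field, attr in mapping.items():
        if attr:
            by_attribute.setdefault(attr, []).append(field)
    duplicates = {attr: fields for attr, fields in by_attribute.items() if len(fields) > 1}

    return {"skipped": skipped, "missing": missing, "duplicates": duplicates}


if __name__ == "__main__":
    report = check_sync_fields(parse_sync_fields(SAMPLE_CONF), SAMPLE_USER_ATTRIBUTES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real <domain>.conf by reading the file into `parse_sync_fields` and replacing SAMPLE_USER_ATTRIBUTES with the attribute names from a representative user, which turns a case mismatch into a finding before the sync rather than an empty field afterwards.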
- If the groups you want to sync are in one or more OUs, enter the OUs into the includedOUs field of your <domain>.conf file.
- If you want to sync specific groups, enter the groups into the includedGroups field of your <domain>.conf file.
To exclude AD accounts from syncing to your KMSAT account based on the expiration date of the accounts, follow the steps below:
- Identify the cutoff date: accounts that expired on or before this date will be excluded from the sync.
- Convert the date to Integer8 syntax.
- If you need help converting the date to Integer8 syntax, you can use the conversion tools that are linked below:
- For an example of Integer8 syntax, see the table below:
Standard Format: 5/21/2017 10:41:52 AM Eastern Time (ET)
Integer8 Syntax: 131398513120000000
- Add the converted date to the filter_users_by_ou and filter_users_by_group fields in your <domain>.conf file. For example, see the section below, where XXXXXXXXXXXXXXXXXX represents the date in Integer8 syntax:
filter_users_by_ou =
"(&(|(accountExpires>=XXXXXXXXXXXXXXXXXX)(accountExpires=0))(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*))"
filter_users_by_group =
"(&(|(accountExpires>=XXXXXXXXXXXXXXXXXX)(accountExpires=0))(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*)(|{DYNAMIC_CONTENT}))"
You can exclude AD user accounts from syncing to your KMSAT account based on the lastLogonTimeStamp AD account attribute.
To exclude users from your sync based on a last login date, follow the steps below:
- Identify a date that you want to use as the last login date limit.
- Convert the date to Integer8 syntax.
- If you need help converting the date to Integer8 syntax, you can use the conversion tools that are linked below:
- For an example of Integer8 syntax, see the table below:
Standard Format: 5/21/2017 10:41:52 AM Eastern Time (ET)
Integer8 Syntax: 131398513120000000
- Add the converted date to the filter_users_by_ou and filter_users_by_group fields in your <domain>.conf file. For example, see the section below, where XXXXXXXXXXXXXXXXXX represents the timestamp in Integer8 syntax:
filter_users_by_ou =
"(&(lastLogonTimeStamp>=XXXXXXXXXXXXXXXXXX)(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*))"
filter_users_by_group =
"(&(lastLogonTimeStamp>=XXXXXXXXXXXXXXXXXX)(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*)(|{DYNAMIC_CONTENT}))"
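The script below is an added example, not KnowBe4's code or a tool the article links to. It covers both procedures above: it converts a date to Integer8 syntax (the Windows FILETIME encoding that accountExpires and lastLogonTimeStamp use, counting 100-nanosecond ticks from 1601-01-01 UTC), reproduces the page's example value for 5/21/2017 10:41:52 AM ET, builds the filter_users_by_ou and filter_users_by_group strings, and previews which of four constructed accounts the accountExpires rule would keep. The user names and attribute values are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Integer8 is the Windows FILETIME representation used by accountExpires and
# lastLogonTimeStamp: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def to_integer8(dt: datetime) -> int:
    """Convert a timezone-aware datetime to Integer8 syntax."""
    if dt.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime so the conversion to UTC is explicit")
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_integer8(value: int) -> datetime:
    """Convert Integer8 syntax back to a UTC datetime (sub-microsecond ticks are dropped)."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)


# Common tail of the page's filters: enabled user objects that have a mail
# attribute, minus Exchange system mailboxes.
BASE_CLAUSES = (
    "(objectCategory=person)(objectClass=user)(mail=*)"
    "(!userAccountControl:1.2.840.113556.1.4.803:=2)"
    "(!cn=HealthMailbox*)(!cn=SystemMailbox*)"
)


def expiry_filter(cutoff: int, for_groups: bool = False) -> str:
    """filter_users_by_ou (or filter_users_by_group) for the accountExpires rule."""
    tail = "(|{DYNAMIC_CONTENT})" if for_groups else ""
    return f"(&(|(accountExpires>={cutoff})(accountExpires=0)){BASE_CLAUSES}{tail})"


def last_logon_filter(cutoff: int, for_groups: bool = False) -> str:
    """filter_users_by_ou (or filter_users_by_group) for the lastLogonTimeStamp rule."""
    tail = "(|{DYNAMIC_CONTENT})" if for_groups else ""
    return f"(&(lastLogonTimeStamp>={cutoff}){BASE_CLAUSES}{tail})"


def kept_by_expiry_rule(account_expires: int, cutoff: int) -> bool:
    """Mirror of the (|(accountExpires>=cutoff)(accountExpires=0)) branch.

    AD stores "never expires" as either 0 or 9223372036854775807; the large
    value satisfies the >= comparison, so both kinds of account are kept.
    """
    return account_expires >= cutoff or account_expires == 0


def kept_by_last_logon_rule(last_logon: Optional[int], cutoff: int) -> bool:
    """Mirror of (lastLogonTimeStamp>=cutoff).

    A user who has never logged on has no lastLogonTimeStamp attribute, and an
    LDAP >= test on a missing attribute is false, so that user is excluded.
    """
    return last_logon is not None and last_logon >= cutoff


def preview_expiry(users: Dict[str, int], cutoff: int) -> Dict[str, bool]:
    """Map each constructed user to whether the accountExpires rule keeps them."""
    return {name: kept_by_expiry_rule(value, cutoff) for name, value in users.items()}


# The page's example date: 5/21/2017 10:41:52 AM Eastern Time, which is UTC-4 in May.
CUTOFF = to_integer8(datetime(2017, 5, 21, 10, 41, 52, tzinfo=timezone(timedelta(hours=-4))))

# Constructed accountExpires values (not from a real directory).
SAMPLE_ACCOUNT_EXPIRES = {
    "alice": 0,                                                        # never expires (0)
    "bob": 9223372036854775807,                                        # never expires (max)
    "carol": to_integer8(datetime(2016, 1, 1, tzinfo=timezone.utc)),   # expired before cutoff
    "dave": to_integer8(datetime(2018, 1, 1, tzinfo=timezone.utc)),    # expires after cutoff
}

if __name__ == "__main__":
    print("cutoff:", CUTOFF)
    print(expiry_filter(CUTOFF))
    print(last_logon_filter(CUTOFF, for_groups=True))
    for name, kept in preview_expiry(SAMPLE_ACCOUNT_EXPIRES, CUTOFF).items():
        print(f"{name}: {'synced' if kept else 'excluded'}")
```

Two points the preview makes visible: the cutoff is interpreted in UTC, so a local time must be converted with its offset rather than typed in directly, and lastLogonTimeStamp is only replicated when it is more than about 14 days stale, so a last-login cutoff should be chosen with that lag in mind.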
Troubleshooting
This issue may occur because the person who is attempting to sync is not a domain admin. Domain admins will typically have the necessary permissions for including and excluding users and groups, but you can use any account that has permission to query all data. If you do not have access to an account with the necessary permissions, you can create a service account with the Read all user information and Read all inetOrgPerson information permissions. To learn how to create an ADI service account, see our How to Create an ADI Service Account in Active Directory article.
If you need to change the user that the ADI sync service is using to connect to your domain controller, follow the instructions below:
- Navigate to your ADIsync folder.
- Delete the <domain>.dat file from the folder.
- Open an elevated command prompt window.
- Navigate to your ADIsync folder in the command prompt.
- Enter ADIsync.exe config into the command prompt.
This error typically occurs if not all of the domains in your Active Directory have been added to your KMSAT account.
To learn how to add domains to your KMSAT account, see our How to Add and Verify Allowed Domains article. After you add all of your domains and the next sync occurs, the "No valid email addresses" error should be resolved.
If you need further assistance, contact our support team.
You can resolve this issue by updating the post-URL in your ADIsync.conf file. The default location for the ADIsync.conf file is Program Files\KnowBe4\ADISync. Currently, the post-URL is most likely "https://training.knowbe4.com/api/v1/ldap/user_upload". You will need to change the post-URL to "https://eu.knowbe4.com/api/v1/ldap/user_upload". Then, save the ADIsync.conf file, and restart the ADI sync service.
If the error persists or the post-URL was already correct, contact our support team.
If you are unable to give yourself edit permissions, request that your IT team or administrator gives you permission to edit the ADIsync folder.
To give yourself edit permissions for the ADISync folder, follow the steps below:
- Navigate to your ADIsync folder (Program Files\KnowBe4\ADIsync).
- Right-click the ADIsync folder, and select Properties.
- Select the Security tab.
- Click the Edit button.
- Click the Add button.
- Enter your username, and click the Check Names button.
- If your account is showing correctly after clicking Check Names, click the OK button.
- Under your username, click the check box next to Full control to give yourself full permissions for the ADIsync folder.
- In the ADIsync Properties window, click the OK button. Now, you should have the permissions you need to edit the <domain>.conf file.
This error typically occurs if you did not specify the location where ADI can pull your users from. You can specify this location in the [sync.users] section of your <domain>.conf file. For more information, see the Defining Which OUs, Groups, and Users to Sync section of our Active Directory Integration (ADI) Configuration Guide.
If you need further assistance, contact our support team.
First, make sure that you meet the ADI prerequisites that are listed in the Prerequisites section of our Active Directory Integration (ADI) Configuration Guide. If you meet the prerequisites and are still getting this error, we recommend that you install the latest version of Windows Server 2019.
If Windows Server 2019 is already installed or installing Windows Server 2019 does not resolve this error, contact our support team.
- From your KMSAT navigation panel, navigate to Users > Provisioning.
- Click the Details button that is in the same row as the sync.
- Near the top-right corner of the page, click the Sync and Error Details link.
For more information about the Details page, see our How to Use the Provisioning Tab article.
ADI finds your users' email addresses in the proxyAddresses field of your Active Directory. If you are using a mail server other than Microsoft Exchange or Microsoft 365, the proxyAddresses field is most likely blank.
To solve this issue, you will need to change the field where KMSAT pulls email addresses from in your Active Directory, such as the mail attribute field. To learn how to change this field, see the How Do I Change Where to Pull the Email Addresses from Active Directory? section of our Active Directory Integration (ADI) Configuration Guide.
If you need further assistance, contact our support team.