Menu

FAQ: Active Directory Integration (ADI)

Avatar
Katie Brennan
Updated
Follow

Below are some commonly-asked questions about KnowBe4's ADI feature. If you don't see the answer you need, submit a ticket to our support team.

 

JUMP TO:

  1. What would be the advantage of AD integration with the KnowBe4 console? 
  2. What is our encryption method for the data that gets transferred between the ADI tool and KnowBe4 servers, and how is my user data protected on your servers?
  3. What is the purpose of 'Test mode' and when should I turn it off?
  4. Can I modify how often my AD information will sync to KnowBe4?
  5. How do I sync my AD groups with my KnowBe4 groups?
  6. What should I do if my AD is not structured in an ideal way for syncing with ADI? 
  7. How do I limit what data Active Directory syncs to KnowBe4? or How do I change which Active Directory fields the ADI Sync tool pulls data from?
  8. How do I set a user to not be AD-managed? 
  9. If I make changes to the KnowBe4 console, will any changes happen in my Active Directory?
  10. Can I use ADI if I'm using Azure?
  11. How can I enable LDAPS before syncing my Active Directory to KnowBe4?
  12. If I add a user to a Group in the KMSAT console, and the user is NOT in that Group in Active Directory, will the user be removed from the Group in the console the next time we sync?
  13. How do I enable detailed logging to discover what errors may be happening with my import?
  14. How do I manage my ADI if I have multiple source domains? or I have multiple domains and multiple domain controllers that do not talk to each other. Is it possible to sync everything to my one KnowBe4 account?
  15. My users have multiple email addresses in Active Directory. Which one will be the primary in my KnowBe4 console?
  16. What does enabling the "Show Group Domain" option in my Account Settings do?
  17. The ADI tool is not finding any email addresses for my users.
  18. I am having difficulties with including/excluding specific users and groups.
  19. The ADI sync file has a “post-URL” where the information is being sent to. Is that secure and what happens to the information?
  20. How can I add comments to my <domain>.conf file?
  21. My OUs did not get added as Groups in the KnowBe4 console during my sync.
  22. I am an MSP and I have a multi-tenant Active Directory domain. How can I set up ADI for my clients?
  23. Why can't I sync contact objects with ADI?
  24. I don't have Edit Permissions to save my <domain>.conf file so I can't configure my LDAP filter.
  25. My organization has proxy or firewall in place. How can I connect ADI successfully?
  26. I have lots of disabled users in my Active Directory environment. Will these users sync too?
  27. I need to change the initial credentials/login that were used to set up ADI for my organization. How can I do this?
  28. Will my users' passwords sync to the KnowBe4 console?
  29. I'm getting a "No Valid Email Address" error next to several users. What does this mean?
  30. I'm on the EU instance of KnowBe4 and my sync failed. What do I do?
  31. How can I exclude AD accounts from my sync that haven't logged on in the past XX number of days?
  32. How can I exclude expired AD accounts from my ADI sync?

 

 

1) Question: What would be the advantage of AD integration with the KnowBe4 console?

Answer: ADI will allow you to manage your user list in KnowBe4 through Active Directory. Changes to your AD will be reflected in your KnowBe4 console at each sync, meaning if users are archived in AD, they will be archived in KnowBe4. Additionally, user information can be automatically pulled into the KnowBe4 console which will allow you the benefit of using placeholders for user information in your phishing campaigns.

Back to Top

 

 

2) Question: What is your encryption method for the data that gets transferred between the ADI tool and KnowBe4 servers, and how is my user data protected on your servers

Answer:  We use HTTPS/SSL for the data that gets transferred between the ADI tool and our servers. We use LDAP/LDAPS to communicate between your domain controller and our ADI tool. By default, your tool will utilize LDAP unless you enable SSL at the time you are setting up the ADI tool. To enable SSL, you MUST already have LDAPS enabled. More details on that can be found here.

The username and password data supplied for use with the directory is stored and encrypted using XSalsa20 and Poly1305 mechanisms, the latter being a derivative technology of AES.  This is how we protect the account data stored in the <domain>.dat file on disk.

Once the data is on our side, it is granted the same data protection as other items as described in our privacy policy, which you can review here.

Back to Top

 

 

3) Question: My account is on "test mode". What is the purpose of test mode and when should I turn it off?

Answer: Each account will begin Active Directory Integration (ADI) on test mode. It is very important that you leave your account on test mode to begin with so that you can review what will happen when you actually integrate your KB4 console with Active Directory. Test mode will show you all of the changes that are going to take place, and gives you an opportunity to make changes or correct items as needed. Once you are fully satisfied with the proposed changes you see on test mode, then you can move forward with unchecking the test mode option on your account. 

Back to Top

 

 

4) Question: Can I modify how often my AD information will sync to KnowBe4?

Answer: By default, the service will run every six hours. If you need to force the sync immediately, you can restart the service. If you'd like to modify the sync interval you can do so by changing the sync-interval field in your ADIsync.conf file.

The minimum sync interval is 4 hours (4h0m0s).

Back to Top

 

 

5) Question: How do I sync my AD groups with my KnowBe4 groups?

Answer:  The groups are based on security groups and distribution groups in AD.  If you have a group in AD called “Southeast”, for example, and you want to sync the users of that group, you need to include that group in the [sync.groups] portion of the <domain>.conf.  

There are two ways to include a group for membership synchronization: 1) either includeOUs if you have all the groups you want to sync in one place, or 2) includeGroups if you want to explicitly call out groups to synchronize. It’s important to note that the [sync.groups] section is only for finding group membership of the users that are found in the [sync.users] portion of the config. For example, let’s say that your “Southwest” group in AD has 100 members, either directly or because there are other groups of users inside it. If only 85 of those people are picked up because of the settings in [sync.users] then you’ll only have those 85 users in the “Southwest” group in the console once you add “Southwest” under the [sync.groups] config.

If you do sync a group called “Southwest” then the existing group in the console will become AD-managed, meaning its membership is driven entirely by AD.

Back to Top

 

 

6) Question: The groups/users in my AD are not structured the way I want them to be on the KB4 console. What should I do?

Answer: One option is to create a new OU in AD and then create a set of new KnowBe4-centric groups in this OU. This way you can simply specify the one OU for [sync.groups] and/or [sync.users] and then manage the AD groups that are in that OU, adding/changing/removing as you want.
 
For example, you could name the groups “KB4-department” and then just put existing AD groups and/or users as members of those groups so that they would have consistent names in the console. This way you wouldn't have to alter existing groups in AD to make the names standard. ADI does not support nested groups, but does support nested users. 

Back to Top

 

 

7) Question: How do I limit what data Active Directory syncs to KnowBe4? (Or: How do I change which Active Directory fields the ADI Sync tool pulls data from?)

Answer: You can reduce the amount of synchronized information that syncs to KnowBe4. Inside the <your domain here>.conf file you will see an area with settings like this:

first-name = "givenName"
last-name = "sn"
phone-number = "telephoneNumber"
mobile-number = ""
location = "physicalDeliveryOfficeName"
division = "division"
manager = "manager"
employee-number = “employeeNumber"

You can remove the data on the right of the equal sign and just leave the double quotes. This will effectively send nothing over for those fields.

You can also change the data within the quotes to reflect the proper field in Active Directory where your user information exists. Keep in mind this field is case sensitive and should be edited with caution.

Note, the mobile field is purposely left blank as there is no mobile field in Active Directory. Here you can decide which field you'd like to pull by filling in between the quotations.

Back to Top

 

 

8) Question: How do I set a user to not be AD-managed?

Answer: There are two ways of doing this. You can set it up for each user individually, or you can gather a list of user email addresses who should not be managed by AD and place them in a CSV which contains only two fields: "Email" and "AD Managed". 

An example of this set-up is below:

Email AD Managed
user1@domain.com false
user2@domain.com false
user3@domain.com false
user4@domain.com false

Once you import that CSV through the normal means of Importing users via a CSV file, you can set those users to not be AD-managed.

Back to Top

 

 

9) Question: If I make changes to the KB4 console, will any changes happen in my Active Directory?

Answer: No. KB4's ADI feature is a one-way process of synchronization, and only changes made in Active Directory will affect the KnowBe4 console. 

Back to Top

 

 

10) Question: Can I use ADI if I'm using Azure?

Answer: Yes, this is possible. Follow these instructions: Using ADI With Azure Active Directory Domain Services

You can also set up Azure for single sign-on with KnowBe4. For more information on this, check out our article: Configuring Single Sign-on with Azure AD

Back to Top

 

 

11) Question: I want to enable LDAPS before syncing my Active Directory to KnowBe4. What is the best way to go about this?

Answer: This TechNet article will be able to walk you through steps to enable LDAPS: LDAP over SSL (LDAPS)

You can test out that LDAPS was implemented successfully. Once you are set up with LDAPS, you can proceed with your ADI setup. Ensure you set the enable-SSL field to ''true" if you're using LDAPS. 

Back to Top

 

 

12) Question:  If I add a user to a Group in the KMSAT console, and the user is NOT in that Group in Active Directory, will the user be removed from the Group in the console the next time we sync?

Answer: Yes, if the Group in question is an AD-synced Group. For example, if you have a “Clickers” Group in the console only, you can do whatever you like with membership of the Group and include both AD-enabled accounts and non-AD enabled accounts. However, if you then sync an AD Group called “Clickers”, it will be driven by AD for AD enabled accounts.

Non-AD managed users can also be put into AD-managed Groups, however, and the AD sync won’t do anything with those users' Group membership. 

Back to Top

 

 

13) Question: How do I enable detailed logging to discover what errors may be happening with my import?

Answer: Navigate to your ADISync directory and open your ADISync.conf file. Set the logging level from log-level = "ERROR" to log-level = "TRACE" in this file. The next time the sync occurs, you'll see more detailed information on what may have happened to cause errors with your sync. To view your error logs, navigate to the directory KnowBe4\ADISync\logs.

Back to Top

 

 

14) Question: How do I manage my ADI if I have multiple source domains but want to sync everything to a single KnowBe4 account? (Or: I have multiple domains and multiple domain controllers that do not talk to each other. Is it possible to sync everything to my one KnowBe4 account?)

Answer: If your users are split between multiple domain sources you will need to setup a configuration for each domain to be queried. This is done by running “ADIsync.exe config” as an Administrator in the installation directory for each of the additional domains.

To run ADI Sync again:

  • Open Command Prompt
  • Browse to the \ADIsync system directory
  • Enter ADIsync.exe config
  • Enter the details for your additional domain/DC

Check out our Service Configuration steps for more details.

This will create the additional <domain>.conf files which may be edited with filter criteria, with what OUs, users, and groups you'd like to include/exclude as you normally would. 

NOTE: The system where ADI sync is installed must be able to connect to both DCs.  

Back to Top

  

 

15) Question: If I have multiple domains in AD and I am importing users into the console with ADI, how does it determine which address to use as the primary?

Answer: When a user has multiple email addresses in exchange there can only be one “Primary” which is the reply-to address. We attempt to use that one as the primary for the user. 

Back to Top

 

 

16) Question: What does enabling the "Show Group Domain" option in my Account Settings do?

Answer: If your users are split between multiple domain sources, enabling this option will allow you add the root domain to each of the AD-synced group names in the KnowBe4 console so that you can better organize your users. For example, an "Accounting" group synchronized from the domain of KnowBe4.com would be called KnowBe4.com\Accounting once the sync took place.

 

Back to Top

 

 

17) Question: The ADI tool is not finding any email addresses for my users.

Answer: Are you using a mail server other than Exchange or Office 365? If so, this means your proxy address field in AD is most likely blank. The proxy address is what we will typically pull the email addresses from in AD to add to the KnowBe4 console.

To work around this, we’ll need to get the email address from another field in AD (typically, you'll want to use the mail attribute in these situations). Click here to view steps for how to change where we pull email addresses from in Active Directory: How Do I Change Where to Pull the Email Addresses from Active Directory?

Back to Top

 

 

18) Question: I am having difficulties with including/excluding specific users and groups.

Answer: Occasionally, issues with including/excluding certain users/groups in the sync can be caused because the person who is attempting to sync is not a Domain Admin.

You can use a Domain Admin to authenticate the ADI Sync tool to your Active Directory, or set up a new user in AD with the following permissions:

  • read all user information
  • read all inetOrgPerson information

See our article for instructions on How To Create An ADI Service Account In Active Directory

Using an account that is a member of Domain Admins will ensure adequate permissions but is not typically required. The account used to setup the AD Integration tool must have high enough permissions to query all data. (if not, this could result in some information not syncing) 

So, if you do have minor issues with your sync, try to switch the service to use your full Domain Admin (DA) account or the account that you're using ADUC (AD Users and Computers) with. To do so, delete the <domain>.dat file and re-run “adisync.exe config” (as an administrator).

There is an easy way to change the specified user that the ADI uses to connect to your DC:
  • To change the specified user:
    • Browse to the \ADIsync folder and delete the file named: <domain>.dat
    • Then, open an elevated CMD and browse to the \ADIsync folder, and then type: ADIsync.exe config

 

Back to Top

 

 

19) Question: The ADI sync file has a “post-URL” where the information is being sent to. Is that secure and what happens to the information?

Answer: It’s going directly to the same server(s) that process the other method of importing users (CSV uploads) and thus, it's using the same security processes associated with that. The users.json is what is getting sent over for processing. No other information is sent--we explicitly leave configuration data local to your system.

 

Back to Top

 

20) Question: How can I add comments to my <domain>.conf file?

Answer: You can do this by using a hash mark (#). You can comment anywhere except for in the middle of a line or at the beginning of a line

For example:
[sync.users]
includedOUs = ["Users", "Managers", "East Coast/Managers"] #I am commenting on my .conf file.
excludedOUs = [""]
includedGroups = ["Tech","KnowBe4 Group"]
excludedGroups = [""]
includedUsers = [""]
excludedUsers = [""]

Back to Top

 

21) Question: My OUs did not get added as Groups in the KnowBe4 console during my sync.

Answer: Only security and distribution groups will be added or synced as Groups in the console. When you include OUs in your sync (beneath the Sync Groups area of your domain.conf file), only groups within that OU will be added or synced as Groups in the console, not the OU itself. 

Back to Top

 

22) Question: I am an MSP and I have a multi-tenant Active Directory domain. How can I set up ADI for my clients?

Answer: Because you will need to have an ADI installation for each KnowBe4 account, you will have to install the tool on a separate machine for each domain that you want to sync with. It's not possible at this time to have a single installation across multiple KnowBe4 accounts.

 
 

23) Question: Why can't I sync contact objects with ADI?

Answer: ADI can sync users or groups that are members of your Active Directory domain. Contact Objects represent users who do not log into your domain (and are not part of your domain). A contact object is just an object that can be looked up in the domain or Exchange. There are no permissions that can be assigned and the email address is an external address.

Because Contact Objects are not actually part of your domain, they cannot be synced with ADI.

See: Distinguishing between contacts and users

 

Back to Top

 

24) Question: I don't have Edit Permissions to save my <domain>.conf file so I can't configure my LDAP filter.

Answer: If you're receiving an error that you "cannot save due to edit permissions" and are unable to/unsure of how to grant permissions, contact your IT team or administrator to allow you to edit the folder containing your ADIsync files (Program Files/KnowBe4/ADI Sync).

If you have the ability to edit the Permissions of the ADISync folder, do the following steps:

STEP 1) Navigate to your ADIsync folder. It may be located under Program Files (x86)/KnowBe4 OR Program Files/KnowBe4.

 

STEP 2) Right-click your ADIsync folder, and click Properties.

STEP 3) Click Security, then click Edit

STEP 4) Click Add to add your user account.

 

STEP 5) Type in your username, and click Check Names.

 

STEP 6) If your account is showing correctly after clicking Check Names, click OK.

 

STEP 7) Beneath your username, toggle on the Allow checkbox next to Full control, giving you full permissions over the ADIsync folder. Click OK, then click OK on the ADIsync Properties box. You will now have the required permission to edit the <domain>.conf file.

 

Back to Top

 

 

25) Question: My organization has proxy or firewall in place. How can I connect ADI successfully?

Answer: You can integrate with Active Directory even if you're using a firewall or proxy. See this article for more details: How Do I Connect to Active Directory Integration ADI Through a Proxy?

Back to Top

 

 

26) Question: I have lots of disabled users in my Active Directory environment. Will these users sync too?

Answer: No, users with disabled accounts in Active Directory will NOT sync over.

Back to Top

 

 

27) Question: I need to change the initial credentials/login that were used to set up ADI for my organization. How can I do this?

Answer: First, browse to the \ADIsync folder and delete the .dat file you see there. Next, open an elevated command prompt window and browse to the \ADIsync folder, and then type: ADIsync.exe config 
You will need to enter your new credentials during the configuration.

 

Back to Top

 

28) Question: Will my users' passwords sync to the KnowBe4 console?

Answer: No. The ADI sync does not query your AD passwords, therefore they are not synced back to your KnowBe4 account.

 

Back to Top

 

29) Question: I'm getting a "No Valid Email Addresses" error next to several users. What does this mean?

Answer: Are you receiving this exact error? (Shown below)

 

This error typically occurs if you do not have all of the domains in your Active Directory "allowed" on your KnowBe4 account (for example, ABC.com and ABC.co.uk).

To fix this, contact Support to request to add your additional domains to your account. Once the additional domains are added, this error will be corrected upon the next sync.

 

Back to Top

 

30) Question: I'm on the EU instance of KnowBe4 and my sync failed. What do I do?

Answer: If this happens, please edit the ADIsync.conf file and update the post-URL.

Currently, it is:
post-url = "https://training.knowbe4.com/api/v1/ldap/user_upload"

It needs to be:
post-url = "https://eu.knowbe4.com/api/v1/ldap/user_upload"

Once that is done, please save the file and restart the service. If this does not solve your issue, or if the post-url is already correct and your sync is still failing, please contact Support.

Back to Top

 

31) Question: How can I exclude AD accounts from my sync that haven't logged on in the past XX number of days?

Answer: You can exclude AD user accounts from syncing to KnowBe4 based on the lastLogonTimeStamp AD account attribute. You'll do so by adding a lastLogonTimeStamp parameter to the following two LDAP filters in your domain.conf file:

  • filter_users_by_ou
  • filter_users_by_group

The lastLogonTimeStamp must be in Integer8 syntax. Integer8 values represent the number of 100-nanosecond intervals since 12:00 am January 1, 1601.
Integer8 syntax example:

Standard Format Integer 8 Syntax
5/21/2017 10:41:52 am Eastern Time 131398513120000000

Here are two sources you can use to convert date/time to Integer8 syntax:
https://www.epochconverter.com/ldap
http://www.silisoftware.com/tools/date.php

Follow the steps below to exclude users from your sync based on the last login date of your choice:

  1. Decide on the last login date/timestamp to use as the cutoff parameter for not syncing users to the console. (For example, MM/DD/YYYY, three months prior to today)
  2. Convert this date to Integer8 syntax.
  3. Add this parameter to the following two fields in the domain.conf file, as shown in red below (where XXXXXXXXXXXXXXXXXX is the timestamp, in Integer8 syntax).

filter_users_by_ou =
"(&(lastLogonTimeStamp>=XXXXXXXXXXXXXXXXXX)(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*))"

filter_users_by_group =
"(&(lastLogonTimeStamp>=XXXXXXXXXXXXXXXXXX)(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*)(|{DYNAMIC_CONTENT}))"

Keep the remaining filters in this portion of the domain.conf file, as is.
NOTE: Keeping this exclusion current will require a manual update every so often. For example, if you want to omit accounts that haven't logged in for 90 days, every 90 days you'll have to edit the domain.conf file to change the timestamp (lastLogonTimeStamp>=XXXXXXXXXXXXXXXXXX) to 90 days prior to the present day.

 

Back to Top

 

32) Question: How can I exclude expired AD accounts from my ADI sync?

Answer: You can exclude expired AD accounts from syncing to KnowBe4 by adding a parameter to the following two LDAP filters in your domain.conf file:

  • filter_users_by_ou
  • filter_users_by_group

Follow the steps below to exclude AD accounts from your sync based on the expiration date of the account(s):

  1. Decide on the date/timestamp to use as the cutoff parameter for not syncing users to the console. (i.e., accounts expired on or before MM/DD/YYYY will not be synced)
  2. Convert this date/timestamp to Integer8 syntax. See the previous question for more information on Integer8 syntax.
  3. Add this parameter to the following two fields in the domain.conf file, as shown in red below (where XXXXXXXXXXXXXXXXXX is the timestamp, in Integer8 syntax).

filter_users_by_ou =
"(&(l(accountExpires>=XXXXXXXXXXXXXXXXXX)(accountExpires=0))(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*))"

filter_users_by_group =
"(&(l(accountExpires>=XXXXXXXXXXXXXXXXXX)(accountExpires=0))(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!cn=HealthMailbox*)(!cn=SystemMailbox*)(|{DYNAMIC_CONTENT}))"

Keep the remaining filters in this portion of the domain.conf file, as is.
NOTE: Keeping this exclusion current will require manual updates. The admin will have to update the timestamp (accountExpires>=XXXXXXXXXXXXXXXXXX) in the domain.conf file to exclude accounts that expired after this initial exclusion has been made.

Back to Top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles