To set up Active Directory Integration, you must use a Domain Admin account, or set up a new user in AD with the following permissions for the ADI Sync setup:
- read all user information
- read all inetOrgPerson information
Below are instructions showing how to create an AD user with the necessary read permissions:
- Open Active Directory. Right-click on your domain and select Delegate Control.
- On the Delegation of Control Wizard, add your ADI Service account (created previously).
- Delegate the following tasks:
  - Read all user information
  - Read all inetOrgPerson information
- Finally, you will need to reconfigure your ADI sync service if you want to use your new AD service account with ADI.
  - To change the specified user, browse to the C:\ProgramData\KnowBe4\ADI Sync\Config folder and delete the file named <domain>.dat. Then, open an elevated CMD, browse to the C:\Program Files\KnowBe4\ADI Sync folder, and type: "adisync.exe config".
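Once the delegation is in place, the following PowerShell (an added example, not part of the KnowBe4 documentation or the ADI Sync tool) checks that the service account really is least-privilege: it is not a member of Domain Admins, and every ACE it holds on the domain root grants read-type rights only. The account name `svc-adi` is an assumption; the ActiveDirectory module must be installed on the machine running it.

```powershell
# Added example (not KnowBe4's code): verify the ADI service account holds
# read-only delegated rights and no Domain Admin membership.
# Assumed service account name: 'svc-adi' (replace with your own).
Import-Module ActiveDirectory

$svcAccount = 'svc-adi'
$domainDN   = (Get-ADDomain).DistinguishedName
$svcSid     = (Get-ADUser -Identity $svcAccount).SID

# 1. The account must not be a direct or nested member of Domain Admins.
$isDA = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.SID.Value -eq $svcSid.Value }
if ($isDA) {
    Write-Warning "$svcAccount is a member of Domain Admins; use a delegated account instead."
}

# 2. Inspect the ACEs for the account on the domain root, which is the object
#    the Delegation of Control wizard writes to. Anything beyond these
#    read-type rights (e.g. WriteProperty, GenericAll) should be reviewed.
$readOnly = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ReadProperty, ListChildren, ListObject, ReadControl'
$acl  = Get-Acl -Path "AD:\$domainDN"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $svcSid.Value
}
if (-not $aces) {
    Write-Warning "No ACEs for $svcAccount on $domainDN; the delegation has not been applied."
}

foreach ($ace in $aces) {
    # Bits set in the ACE that are not in the read-only mask indicate excess rights.
    $extra  = ([int]$ace.ActiveDirectoryRights) -band (-bnot $readOnly)
    $status = if ($ace.AccessControlType -eq 'Allow' -and $extra -eq 0) { 'OK' } else { 'REVIEW' }
    '{0,-7} {1,-5} {2} (objectType {3}, inheritedObjectType {4})' -f $status,
        $ace.AccessControlType, $ace.ActiveDirectoryRights, $ace.ObjectType, $ace.InheritedObjectType
}
```

The ObjectType GUIDs printed for the "Read all user information" and "Read all inetOrgPerson information" tasks identify the user and inetOrgPerson schema classes; any ACE marked REVIEW means the account can do more than read.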