Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Română Русский svenska ไทย Türkçe Українська Tiếng Việt 简体中文 繁體中文

How to Edit Your CONF File for Active Directory Integration (ADI)

Updated:

Created:

Editing Your CONF File for ADI

If you would like to manage users through Active Directory Integration (ADI), you will need to define which users and groups to sync to your KMSAT console. To define which users and groups to sync, you can edit the ADI configuration (CONF) file that you download during the configuration process.  

In this article, you'll learn how to edit your CONF file to sync specific users, groups, and user information. For general information about ADI, see our Active Directory Integration (ADI) Configuration Guide. If you would prefer to use SCIM, see our SCIM Configuration Guide.

Jump to:

Defining Which Users to Sync

Defining Which Groups to Sync

Syncing Other User Information

     Sync Use Cases

 

Defining Which Users to Sync

In this section, you’ll learn how to edit your CONF file to define which users to sync to your KMSAT console from your AD. These AD users will populate as users in your KMSAT console. You will need to sync specific users before you can sync groups.

To edit your CONF file to define which users you would like to sync, follow the steps below:

  1. Open your ADI CONF file in a text editor. For more information about finding your CONF file, see our Active Directory Integration (ADI) Configuration Guide.

  2. Edit the following fields in the [sync.users] section of the file. For more information about these fields, see the table below.
Note: If your organizational units (OUs) or group names contain characters that are not part of the standard English alphabet, replace the quotation marks (") with single quotation marks ('). Escape special characters such as commas (,), number signs (#), and plus signs (+) by using a double backslash (\\). For more information, see our How to Use Escape Characters with Active Directory Integration article.
Field Name

Field Description
includedOUs

In this field, enter the list of OUs that should be searched to sync your users.

  • The specified OUs will be searched for any users that have mail-enabled turned on. 
    Note: This field will not include users within groups, within the specified OUs. To sync users within these groups, see the information for the includedGroups row below.
  • If you would like to specify an OU that is beneath another OU, you must write the name of the OU location using reverse syntax and separate the file path with a forward slash. For example, if you would like to specify an OU called “Accounting” that is under an OU called “All Users”, you would format the syntax as "Accounting/All Users".
  • If you would like to include multiple OUs in your list of included OUs, you will need to format this text in a specific way. You will need to enclose the OUs in quotation marks, separate the OUs with commas, and enclose the OUs in brackets. For an example of the syntax for this field, see below:
    • includedOUs = ["Accounting/All Users","Development/All Users"]
excludedOUs

In this field, enter the list of OUs that will be searched for users that will be excluded.

  • If excluded users are found during the search, they will override any corresponding OU users that were going to be included in the sync.
  • For an example of the syntax of this field, see below:
    • excludedOUs = ["Contractors/Development/All Users"]
includedGroups

In this field, enter the list of groups that users should be synced from. These groups must be either AD security groups or distribution groups.

  • Users found the includedGroups field will override any corresponding users defined in the excludedOUs field.
  • If you include multiple groups in this field, make sure that you format the syntax correctly. You will need to enclose the groups in quotation marks, separate the groups with commas, and enclose the groups in brackets. For an example of the syntax for multiple groups, see below:
    • includedGroups = ["Accounting","Human Resources"]
excludedGroups

In this field, enter the list of groups that will exclude users that are members of the specified AD security or distribution groups.

  • If excluded users are found during this search, they will override corresponding users that are found in either includedOUs or includedGroups.
  • For an example of the syntax for this field, see below:
    • excludedGroups = ["Contract Employees"]
includedUsers

In this field, enter the list of users who should be explicitly included.

  • Users specified in this field will override any corresponding users in the excludedGroups field or the excludedOUs field.
  • Specify each user by entering their email address. You can specify as many users as you would like.
  • For an example of the syntax for this field, see below:
    • includedUsers = ["user@example.com"]
excludedUsers

In this field, enter the list of users who should be explicitly excluded.

  • Users specified in this field will be excluded, regardless of any other inclusion rules.
  • Specify each user by entering their email address. You can specify as many users as you would like. For an example of the syntax for this field, see below:
    • excludedUsers = ["user@example.com","user2@example.com"]

If you would like to sync groups, see the Defining Which Groups to Sync section below.

Back to top

 

Defining Which Groups to Sync

After you have defined the criteria for syncing specific users, you can also edit your CONF file to define the criteria for any AD groups that you want to sync. These AD groups will populate as groups in your KMSAT console.

If a user is a member of a group in AD, then they will be a member of the corresponding group in your KMSAT console. KnowBe4 does not support groups within groups, or nested groups.

It’s important to note that you must sync users first before they can be included in synced groups. If you would like to sync a group but the group does not include any synced users, the group will not sync.

Note: The only types of groups that will sync to your KMSAT console are security groups and distribution groups. Groups within included OUs will be added or synced as groups in the console. However, the OU itself will not be synced with the console.

To edit your CONF file to define the groups that you would like to sync, follow the steps below:

  1. Make sure that you have synced specific users. For more information, see the Defining Which Users to Sync section above.
  2. Edit the following fields in the [sync.groups] section of your CONF file. For more information about these fields, see the table below.
Field Name

Field Description
includedOUs

In this field, enter the list of OUs that you would like to search to sync your security or distribution groups.

  • Only groups found under the specified OU will be added as groups in your KMSAT console.
  • If you are including multiple OUs, make sure that you format the syntax correctly. You will need to enclose the OUs in quotation marks, separate the OUs with commas, and enclose the OUs in brackets. For an example of the syntax for multiple OUs, see below:
    • includedOUs = ["Accounting/All Users","Development/All Users"]
excludedOUs 

In this field, enter the list of OUs that you would like to search for security or distribution groups that will not be synced.

  • For an exampled of the syntax for this field, see below:
    • excludedOUs = ["Contractors/Development/All Users"]
includedGroups

In this field, enter the list of specific AD security or distribution groups that you would like to sync.

  • When these groups sync, only users that you included in the users sync will be added to the corresponding KMSAT group.
    This option overrides any excluded groups from the excludedOUs field in the sync.groups section.
  • For an example of the syntax for this field, see below:
    • includedGroups = ["Sales","Accounting"]
excludedGroups

In this field, enter the list of specific groups that you would like to exclude from the sync.

  • This option overrides any groups in the includedOUs field or the includedGroups field in the sync.groups section.
  • For an example of the syntax for this field, see below:
    • excludedGroups = ["Consultants"]

 

Once you have edited these fields to your liking, save the CONF file. To save the file, you will need write permissions.

Back to top

 

Syncing Other User Information

Once you have selected the specific users and groups that you would like to sync, you can also edit your CONF file to define which user information syncs from your AD account to your KMSAT account. To define which user information to sync, you can edit the [sync.fields] section of the file. By default, the fields in the [sync.fields] section will automatically populate the user information fields in your KMSAT console with the information defined in your AD. 

To include the field in AD where your user information exists, you can edit the value in the quotation marks for each field. If a field is blank, there is no matching field in AD. You can define which AD fields you would like sync to KMSAT by manually adding a value in between the quotation marks for each field.

If you would like to prevent specific fields from syncing, you can delete the value in the quotation marks for that field. However, make sure that you do not delete the quotation marks or the whole line of text. If you delete the whole line of text, AD will automatically add the line of text back to the field and sync the value.

Please note that all of these fields are case-sensitive.

Note: You also have the option to limit the data that your AD syncs to your KMSAT console. For more information, see the Syncing Information section of our Active Directory Integration (ADI) FAQ article.

For a list of all the available fields in the [sync.fields] section of your CONF file, see below.

[sync.fields]
comment = ""
custom-date-1 = ""
custom-date-2 = ""
custom-field-1 = ""
custom-field-2 = ""
custom-field-3 = ""
custom-field-4 = ""
department = "department"
division = ""
employee-number = "employeeNumber"
employee-start-date = "whenCreated"
first-name = "givenName"
last-name = ""
location = "physicalDeliveryOfficeName"
manager = "manager"
mobile-number = ""
organization = "o"
phone-number = "telephoneNumber"
title = "title"

 

Sync Use Cases

Below are example use cases for controlling which AD fields sync to your KMSAT console.

Use Case: Exclude Fields from Your AD Sync

If you would like to manage custom fields in your KMSAT console, you can exclude those fields from your AD sync. To exclude fields from your AD sync, include the following syntax in the [sync.fields] section your CONF file. In the syntax below, all of the custom fields are blank or the values in the quotation marks have been removed:

[sync.fields]
comment = ""
custom-date-1 = ""
custom-date-2 = ""
custom-field-1 = ""
custom-field-2 = ""
custom-field-3 = ""
custom-field-4 = ""
department = "department"
division = ""
employee-number = "employeeNumber"
employee-start-date = "whenCreated"
first-name = "givenName"
last-name = ""
location = "physicalDeliveryOfficeName"
manager = "manager"
mobile-number = ""
organization = "o"
phone-number = "telephoneNumber"
title = "title"

 

Use Case: Exclude Users' Divisions and Locations

If you would like to sync your users’ departments but not their divisions or locations, include the following syntax in the [sync.fields] section of your CONF file. In the syntax below, the division and location fields are blank, or the values in the quotation marks have been removed:

[sync.fields]
comment = ""
custom-date-1 = ""
custom-date-2 = ""
custom-field-1 = ""
custom-field-2 = ""
custom-field-3 = ""
custom-field-4 = ""
department = "department"
division = ""
employee-number = "employeeNumber"
employee-start-date = "whenCreated"
first-name = "givenName"
last-name = ""
location = ""
manager = "manager"
mobile-number = ""
organization = "o"
phone-number = "telephoneNumber"
title = "title"

 

Use Case 3: Include All Fields in Your AD Sync

If you would like to include all fields in your AD sync, include the following syntax in the [sync.fields] section of your CONF file. In the syntax below, all fields have a value in quotation marks:

[sync.fields]
comment = “This is a comment!“
custom-date-1 = “This is my custom-date-1 field.“
custom-date-2 = "This is my custom-date-2 field."
custom-field-1 = "This is my custom-field-1”
custom-field-2 = "This is my custom-field-2.”
custom-field-3 = "This is my custom-field-3”
custom-field-4 = "This is my custom-field-4”
department = "department"
division = “division”
employee-number = "employeeNumber"
employee-start-date = "whenCreated"
first-name = "givenName"
last-name = “last-name”
location = "physicalDeliveryOfficeName"
manager = "manager"
mobile-number = “5555555555“
organization = "o"
phone-number = "telephoneNumber"
title = "title"

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles