Adding Active Directory users and groups as FileHold users
In FileHold, users can be added and managed locally or users that exist in a Windows domain can be added locally and managed from the domain.
- When users are managed in the domain, information about a user is updated in one place, Active Directory administration, and the change automatically flows to any system that uses that central information. For FileHold, this means the user's name, title, or other contact details are updated automatically.
- Users can be quickly added to FileHold directly from the domain via a pre-configured domain group or a user's permissions with FileHold objects can be updated by adding or removing them from a domain group.
- If a user is disabled in the domain they will be immediately prevented from logging into FileHold.
- Integrated Windows Authentication (IWA), also known as single sign on, can be used by domain users to bypass re-entering their user id and password after they have logged into their Windows workstation.
Domain users can only be added when the active directory synchronization option has been licensed. Contact [email protected] to purchase this option.
When adding domain users, they can be given a “full user”, “limited”, or “portal alias” license type. When adding domain groups, the proxy users can be given a “full user” or “limited” license type. If a user belongs to two domain groups whose proxy users have different license types, a configuration setting determines which license type applies. See Changing the User License Type for Domain Proxy Users for more information. Domain group proxies can never have a portal alias license type.
Manually adding a domain user or domain group to FileHold
Complete the following steps to add an active directory domain managed user or group as a FileHold object.
You will only be able to add a domain object to FileHold after that domain has been synchronized with FileHold. After the initial synchronization, the domain is checked every hour for changes by default. Users' login credentials are never synchronized with FileHold; they are always verified against the domain in real time when a user logs in to FileHold.
To add a domain user or group to FileHold
In the Web Client, go to Administration > System Management > User Management > Users and click Add User(s).
- Alternatively, in FDA, log in with System Administrator rights and go to Administration > User Management > Users.
- For FileHold 16.0 and higher versions, click Add.
- For FileHold 15.2.1 and lower versions, click Add User(s).
Select the domain name from the list and click Next.
To search for a domain user or group in the list, enter the name in the search field and click Search.
Select the check boxes for the users or groups you want to add and click Add.
The icon for domain users is a single person and the icon for a group is two people.
Assign the user license type:
- A Full user license is a user that has been assigned to a group with a role of read-only or higher. Full users consume the full concurrent sessions.
- A Limited user is a user that has been assigned to a group with a role of Limited. A single limited registered user account can be used by a single user or shared amongst many people. Limited registered users consume the limited concurrent sessions.
- A Portal alias user is a user that has been assigned to a group with the role of Limited and is used in conjunction with the Anonymous portal. Portal alias users consume the limited concurrent sessions.
If adding domain groups, select one of the following and click OK:
- Add the group and the group members. Keep both synchronized with the domain. See Using domain groups to automatically add and set permissions for users for more information.
- Add just the group members and do not add the group. Only the user accounts are synchronized with the domain.
If adding domain groups, assign the user license type:
A confirmation message appears stating how many domain groups and users were added to FileHold. Click OK.
Continue to add more users and groups to FileHold.
To return to the user list, click Back to the User List.
To set viewer, guaranteed access, scanning inbox (Web Cap) licenses, and multi-factor authentication exclusions, select Properties next to the user name and go to Account Settings. See Creating Locally Managed Users for more information.
When you add a user from the domain, they are always added as a full user. If you want them to be a limited user, you can make the change after they have been added.
Domain groups have a special purpose after they are added to FileHold. They are managed in the FileHold user list like any other user, but they do not consume a FileHold license and no one can log in using the user id (group name). When a domain group is added with the option to keep it synchronized, the domain group becomes a proxy for all domain users in that group. This means you can add the domain group to a FileHold group and automatically grant every domain user in the domain group the same permissions in FileHold. Likewise, removing a user from the domain group removes the associated permissions in FileHold.
Existing FileHold domain users will be automatically associated with a domain group that is added to FileHold when they are already members of that domain group. For example, you might manually add domain user "jessica" to FileHold and manually add her to a FileHold group called Accounting giving her access to the accounting documents. Later, you might manually add a domain group called "HumanResources" to FileHold and add that group to the FileHold Human Resources group giving all users associated with that group permission to the human resources documents. If the user "jessica" already belongs to the "HumanResources" domain group, she will automatically have access to the human resources documents in FileHold.
If a domain group has been added to FileHold and a user is added to that domain group in Active Directory, that user is automatically added as a FileHold user. If they are removed from the domain group they are not removed from FileHold, but the permissions associated with the domain group are removed in FileHold. A user must be disabled in the domain to be automatically disabled in FileHold; this behaviour is an option set via Administration panel > System configuration > Settings > General. Users are never automatically deleted from FileHold, regardless of how they were added.
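The following is an added illustration, not FileHold code, that models the proxy-group behaviour described above: membership in a proxied domain group grants the mapped FileHold group, removal from the domain group revokes only that access, disabling in the domain disables the account, and nothing is ever deleted. The "jessica" walk-through from the previous paragraphs is reproduced; all names and the AD snapshot are constructed.

```python
# Added model of FileHold domain-group proxy synchronization (not FileHold code).
# The AD snapshot, logins and group names below are constructed for illustration.

class FileHoldUsers:
    def __init__(self, domain_members, domain_disabled=()):
        self.domain_members = domain_members      # AD snapshot: domain group -> set of logins
        self.domain_disabled = set(domain_disabled)
        self.users = {}                            # login -> {"enabled": bool, "groups": set}
        self.proxies = {}                          # domain group -> FileHold groups it proxies

    def add_domain_user(self, login, filehold_groups=()):
        # Manually adding a domain user, optionally placing them in FileHold groups
        u = self.users.setdefault(login, {"enabled": True, "groups": set()})
        u["groups"] |= set(filehold_groups)

    def add_proxy_group(self, domain_group, filehold_group):
        # "Add the group and the group members. Keep both synchronized with the domain."
        self.proxies.setdefault(domain_group, set()).add(filehold_group)
        self.sync()

    def sync(self):
        # Hourly check: members of proxied domain groups become FileHold users,
        # domain-disabled accounts are disabled, and nobody is ever deleted.
        for dg in self.proxies:
            for login in self.domain_members.get(dg, ()):
                self.add_domain_user(login)
        for login, u in self.users.items():
            u["enabled"] = login not in self.domain_disabled

    def effective_groups(self, login):
        # Manually assigned FileHold groups plus every group reached through a proxy
        groups = set(self.users[login]["groups"])
        for dg, fh_groups in self.proxies.items():
            if login in self.domain_members.get(dg, ()):
                groups |= fh_groups
        return groups

def jessica_scenario():
    ad = {"HumanResources": {"jessica", "tom"}}        # constructed AD snapshot
    fh = FileHoldUsers(ad)
    fh.add_domain_user("jessica", ["Accounting"])     # manual add, manual group
    fh.add_proxy_group("HumanResources", "Human Resources")
    before = fh.effective_groups("jessica")           # Accounting + HR via the proxy
    ad["HumanResources"].discard("jessica")           # removed from the domain group
    fh.sync()
    after = fh.effective_groups("jessica")            # HR access gone, account remains
    fh.domain_disabled.add("jessica")                 # disabled in the domain
    fh.sync()
    return before, after, "tom" in fh.users, fh.users["jessica"]["enabled"]
```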
Using multiple domains
There is no specific limit to the number of domains that can be synchronized with FileHold. A single OU must be chosen when the domain is set up to be synchronized with FileHold. This will be the top of the domain tree that is visible when adding users. For very large domains it is recommended that an OU be set up to limit the number of users to those likely to be used in FileHold. Very large domains may take more than an hour to synchronize depending on network and server performance, and it is unlikely that hundreds of thousands of domain objects will need to be synchronized with any one FileHold system.
A single domain can be chosen as the default domain during login.
Domain proxy users for domain groups allow automatic assignment of FileHold groups to users. However, this can cause a conflict when a limited user is assigned to a non-limited group. If a limited user is assigned to a non-limited role group, or a full user is assigned only to limited role group(s), via a domain proxy user, the web.config setting “DomainProxyUser.AutomaticUserTypeChange” in C:\Program Files\FileHold Systems\Application Server\UserRoleManager determines the outcome:
- Elevate – Automatically convert the limited user to the full user type and assign the group if a license is available. Leave the user type as is if no license is available.
- Lower – Automatically convert the full user to the limited user type and assign the group if a license is available. Leave the user type as is if no license is available.
- Both – Elevate + Lower.
- None – Do not change the user type. This is the default value.
The System audit log records whether the user type was changed, or whether the change failed due to no license or due to configuration.
If the assignment failed, or if a limited user is assigned to a full group, a notification email can be sent to system administrators according to the web.config setting “DomainProxyUser.SendChangeWarning” in C:\Program Files\FileHold Systems\Application Server\UserRoleManager. When the setting is true, a notification email is sent. For example:
- “Limited user is assigned to full group(s). No full licenses are available so they cannot be converted to full. They will not be able to log in.”
- “Full user is only assigned to limited group(s). No limited licenses are available so they cannot be converted to limited.”
- “Limited user is assigned to a full group. Configuration prevents them from being converted to a full user. They will not be able to log in.”
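As an added example (not FileHold code), the function below models the DomainProxyUser.AutomaticUserTypeChange outcomes and the warning texts listed above for one proxy assignment. The role names, the free-license pool and the function name are constructed; the only role the page distinguishes is Limited versus read-only or higher.

```python
# Added model of the user-type change rules for domain proxy assignments (not FileHold code).
# Role names, the licence pool structure and the function name are constructed for this page.

WARN_NO_FULL = ("Limited user is assigned to full group(s). No full licenses are available "
                "so they cannot be converted to full. They will not be able to log in.")
WARN_NO_LIMITED = ("Full user is only assigned to limited group(s). No limited licenses are "
                   "available so they cannot be converted to limited.")
WARN_CONFIG = ("Limited user is assigned to a full group. Configuration prevents them from "
               "being converted to a full user. They will not be able to log in.")

def apply_proxy_assignment(user_type, group_roles, setting, licenses):
    """user_type: "full" or "limited".  group_roles: roles of the groups the proxy assigns.
    setting: "Elevate", "Lower", "Both" or "None" (the default).
    licenses: free counts, e.g. {"full": 1, "limited": 0}; decremented when one is consumed.
    Returns (resulting user type, warning text or None)."""
    needs_full = any(role != "Limited" for role in group_roles)    # read-only or higher
    only_limited = bool(group_roles) and not needs_full

    if user_type == "limited" and needs_full:
        if setting in ("Elevate", "Both"):
            if licenses["full"] > 0:
                licenses["full"] -= 1                  # converted; audit log records the change
                return "full", None
            return "limited", WARN_NO_FULL             # no licence: user type left as is
        return "limited", WARN_CONFIG                  # None/Lower: configuration blocks it

    if user_type == "full" and only_limited:
        if setting in ("Lower", "Both"):
            if licenses["limited"] > 0:
                licenses["limited"] -= 1
                return "limited", None
            return "full", WARN_NO_LIMITED
        return "full", None   # the page lists no warning text for this configuration case

    return user_type, None    # no conflict: user type unchanged
```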