Synchronizing Microsoft Active Directory Groups with FileHold Groups

The following describes how Microsoft Active Directory users and groups are synchronized with FileHold users and groups. This article applies to customers who use the optional Active Directory integration module and have it set up with the help of FileHold support. It is meant for experienced Active Directory administrators who wish to make it easier for FileHold Library administrators to manage the system effectively, especially with larger numbers of users.

Active Directory in the Document Management System

When user membership in Active Directory groups changes, the changes can be synchronized with FileHold. The Microsoft Synchronization Engine on the document management server is triggered to run an hourly task that imports the users and groups from Microsoft Lightweight Directory Services into FileHold, updating the FileHold users and groups. This merge takes from a few seconds to a few minutes, depending on the volume, number of changes or size of the enterprise domain. If you ever run the task manually, keep in mind that the Microsoft synchronization engine connects to the first available domain controller to look for new users / groups or changed user / group objects. If your domain has not yet replicated this information to all domain controllers, you may need to force the updates on your domain controllers.

Instead of importing individual users from Active Directory on a continual basis, it is recommended to create a specific Active Directory administration group that corresponds to a specific FileHold group and role in FileHold. Repeating this for each FileHold group provides a complete process.

Document management software security is based on Cabinet, Folder and Document schema / type permissions. These 3 areas are required for users to access documents. By using FileHold group membership in these 3 areas, you can reduce administration overhead.

For example, if you create FileHold specific groups in Active Directory:

FileHold groups in Active Directory

The FileHold Active Directory groups each have a corresponding FileHold group that includes the Active Directory group as a member:

Active Directory groups in FileHold

If you look at the properties of the FileHold groups, you can see that the Active Directory objects make up the membership. This way the membership of each Active Directory group is reflected, or synchronized down, to its corresponding FileHold group. Users can belong to multiple FileHold groups.

FileHold Active Directory Groups

The Active Directory groups that are synchronized into FileHold are listed in the System Administrator > Users area. They are disabled because a group cannot log in; they are synchronized objects that merge in the users from Active Directory.

Disabled active directory group users

  • If you open the Properties of one of the Active Directory group "users", you can join an Active Directory group synchronization object to multiple FileHold groups/roles.
  • You can have a one-to-one group relationship or a one-to-many group relationship.

FileHold groups in Active Directory groups

The member list of the Active Directory group synchronization object is 100% determined by the Active Directory group membership.

Each hour a scheduled task merges the users and groups from Active Directory into FileHold. The task can also be run manually if a user needs immediate access to the document management software. Remember that Active Directory may not have finished replicating the change(s) made in AD, so it may take some time before FileHold can see the change in Active Directory and synchronize it into FileHold.
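
Because the synchronization engine connects to the first available domain controller, it helps to confirm that a membership change has reached every controller before running the task manually. The following PowerShell check is an added example, not part of FileHold's documentation or tooling; it assumes the ActiveDirectory module (RSAT) is installed, and the group name `FileHold-Readers` is a hypothetical placeholder.

```powershell
# Added example. 'FileHold-Readers' is a hypothetical group name.
Import-Module ActiveDirectory

function Test-GroupReplicated {
    param([Parameter(Mandatory)][string]$GroupName)

    # Query every domain controller directly, because the sync engine
    # may connect to any one of them.
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $group   = Get-ADGroup -Identity $GroupName -Server $dc.HostName `
                           -Properties member -ErrorAction Stop
            $members = @($group.member | Sort-Object)
            [pscustomobject]@{
                DomainController = $dc.HostName
                MemberCount      = $members.Count
                # Count prefix keeps the fingerprint non-empty for empty groups.
                Fingerprint      = "n=$($members.Count);" + ($members -join '|')
                Error            = $null
            }
        } catch {
            # An unreachable controller is reported, not silently skipped.
            [pscustomobject]@{
                DomainController = $dc.HostName
                MemberCount      = $null
                Fingerprint      = $null
                Error            = $_.Exception.Message
            }
        }
    }

    $failed   = @($perDc | Where-Object { $_.Error })
    $distinct = @($perDc | Where-Object { -not $_.Error } |
                    Select-Object -ExpandProperty Fingerprint -Unique)

    [pscustomobject]@{
        Group      = $GroupName
        Consistent = ($failed.Count -eq 0 -and $distinct.Count -eq 1)
        Details    = $perDc | Select-Object DomainController, MemberCount, Error
    }
}

$result = Test-GroupReplicated -GroupName 'FileHold-Readers'
$result.Details | Format-Table -AutoSize
if (-not $result.Consistent) {
    Write-Warning "Membership of '$($result.Group)' differs between domain controllers, or a controller could not be queried."
}
```

If the check reports a mismatch, wait for replication to finish or force it (for example with `repadmin /syncall`) before running the synchronization task manually.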