Users can be added to specific Telligent Enterprise groups or via site roles. Active Directory group members can also be added via LDAP and will keep Telligent Enterprise in sync with Active Directory. As members are added to Active Directory groups, they will be added to the corresponding role in Telligent Enterprise. As members are removed from Active Directory groups, they will be removed from the corresponding role in Telligent Enterprise.

It may take up to 24 hours for a change to take effect.

Ensure that your system meets the prerequisites before adding Active Directory groups as members to Telligent Enterprise:

  1. Telligent Enterprise is installed. The functionality for adding members of an Active Directory group is only available with Telligent Enterprise.
  2. Windows Authentication is configured.
  3. LDAP is configured.

Things to consider

There are several decisions to take into consideration when setting up Active Directory syncing in Telligent Enterprise:

  1. When is the job to be run? Default configuration for the cron expression is set to run at 4 a.m. daily. IT may want to decide when the job will run.
  2. Active Directory users must have valid email addresses in their Active Directory records for Telligent Enterprise to create an account for the community.
  3. The default configuration maps the Active Directory Administrators group to the Telligent Enterprise Administrators group. To change this:
    1. Navigate to the web folder.
    2. Edit communityserver.config:
      1. Find the line starting with 'adminWindowsGroup="Administrators"'.
      2. Change 'Administrators' to the name of whatever Active Directory group you would like to map as site administrators on your Telligent Evolution site.

Validate LDAP is configured to add Active Directory groups as members

After completing the prerequisite steps, validate that the functionality is available:

  1. As an administrator, navigate to Control Panel Dashboard > System Administration > Membership Administration > Members and Roles > Manage Site Roles.
  2. Verify the Create an LDAP mapped role button is visible. If so, LDAP has been successfully configured.

Add Active Directory group users to a Telligent Enterprise group

You may add Active Directory group members to groups. Each user will receive a welcome email from the group after their account has been created. A new site role will also be created that is synced to this group. 

Any site role permissions granted will be overridden by the group permissions. For more information on how group and site role permissions work, see User roles and permissions.

To add Active Directory group members to a group:

  1. Select your group:
    • For a Joinless group, click Manage Group Owners.
    • For all other groups, click Manage Members.
  2. In the User Name(s) or Role(s) input box, type the Active Directory group name.
    1. Select the membership type.
    2. Click Add Member(s).
    3. Click on the Role Members tab.

      The group name will be present with the text "- Synced" after it. If the group you added has fewer than 500 members, the account creation for each user will begin immediately. Users will receive an email, after their account has been created, welcoming them to the group. The creation of individual accounts for groups with 500 or more members will begin when the CommunityServer.Components.LdapSyncJob, CommunityServer.Components job runs next.

      Example: The Active Directory group Guests is listed as Guests (D).

Add Active Directory group users to Telligent Enterprise

You may add Active Directory group members to Telligent Enterprise without adding them to specific groups. This will create an account for each user. For Active Directory groups with fewer than 500 members, the accounts will be created immediately. Users will not receive an email after their accounts have been created. The creation of individual accounts for groups with 500 or more members will begin when the CommunityServer.Components.LdapSyncJob, CommunityServer.Components job runs next.

  1. As an Administrator, navigate to Control Panel Dashboard > System Administration > Membership Administration > Members and Roles > Manage Site Roles.
  2. Click Create an LDAP mapped role.
  3. Type your LDAP group name in the input box.
  4. Click Create role. This will create a new site role for your community.

    A new site role has been created. Additional permissions can be granted to this site role if desired. Note: The name and description for the Active Directory roles may not be changed.

Nesting of Active Directory groups

When adding an Active Directory group that contains other Active Directory groups, only the users of the parent group will be added to the community. The child group and its users will not be added. This is for security purposes.

For example, the screen shot below shows an Active Directory group, EvoGroupOwner, which contains ten users and one child group named 5Users. The child group has five users. When EvoGroupOwner is imported into the community, only its ten users will be added. Neither the child group (5Users) nor its members will be added to the community.

The only way to add the child group is to perform a separate import operation. (In this example, you would import 5Users into EvoGroupOwner.)

Active Directory group scope and type

AD groups of any combination of group scope and group type may be used.

Remove Active Directory group users from Telligent Enterprise

Remove an Active Directory group from a Telligent Enterprise group

Removing an Active Directory group from a Telligent Enterprise group requires the same steps as removing an individual member:

  1. Access the group (in the User Name(s) or Role(s) input box, type the Active Directory group name).
  2. Select the membership type.
  3. Click on the Role Members tab.
  4. Click Remove. Note: The individual members will no longer have membership to the group, but their Telligent Enterprise accounts will remain active.

Remove an Active Directory group by deleting the site role

You may also remove an Active Directory group by deleting the site role. This will also remove the memberships from any groups.

  1. As an Administrator, navigate to Control Panel Dashboard > System Administration > Membership Administration > Members and Roles > Manage Site Roles.
  2. Select the role in the drop-down list.
  3. Click Delete.

The role will be deleted and any groups the role was mapped to will be deleted.

If you delete the site role to remove the Active Directory group, the individual Telligent Enterprise accounts will remain active. The users will be able to access the community, but all of their memberships related to the Active Directory group will be removed.

Deleting or disabling Active Directory users

Removing an Active Directory group from a Telligent Enterprise group or site role will leave all the accounts intact. The easiest way to deny access to your community is to delete the account from Active Directory. Then the user(s) will not be able to log in. Another option is to disable the account(s); this will also prevent users from logging in.

Removing LDAP synced roles from individual users

From the Control Panel, you can view a user's roles:

  1. Navigate to Control Panel Dashboard > System Administration > Membership Administration > Members and Roles > Manage Users.
  2. Search for the user in the text field.
  3. Click Roles.

If you select an LDAP mapped role and attempt to remove it from the user, a warning message will render, "* One (or more) of the selected roles is mapped to an Active Directory group and cannot be moved." To remove the role from the user, you must access Active Directory and remove the user from the Active Directory group.
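The following is an added example, not Telligent's own code: a small Python model of the sync semantics this article describes, covering the nesting rule (only direct members of a group are imported), the valid-email requirement, and the removal behaviour (members dropped from the AD group lose the role but keep their account, and an LDAP-mapped role cannot be removed from a user by hand). The AD data is constructed and the helper names are hypothetical.

```python
# Added example, not Telligent's code: a small model of the LDAP role sync
# semantics this article describes (direct members only, valid email required,
# accounts survive removal, mapped roles are not manually removable).
# AD data below is constructed; helper names are hypothetical.

# Constructed sample AD: EvoGroupOwner has ten direct users and one child group.
AD_GROUPS = {
    "EvoGroupOwner": [f"owner{i}" for i in range(1, 11)] + ["5Users"],
    "5Users": [f"child{i}" for i in range(1, 6)],
}
# Constructed user records; owner3 has no mail attribute, so no account is made.
AD_MAIL = {u: f"{u}@example.com" for g in AD_GROUPS.values() for u in g if u not in AD_GROUPS}
AD_MAIL["owner3"] = ""

def direct_user_members(groups, name):
    """Users directly in the group; nested groups are not expanded, as the sync does."""
    return [m for m in groups[name] if m not in groups]

def recursive_members(groups, name, seen=()):
    """What transitive expansion would grant; shown for comparison only."""
    out = []
    for m in groups[name]:
        if m in groups:
            if m not in seen:
                out += recursive_members(groups, m, (*seen, m))
        else:
            out.append(m)
    return out

def new_community():
    # accounts: all community accounts; roles: role -> set of users; synced: mapped roles
    return {"accounts": set(), "roles": {}, "synced": set()}

def sync_role(community, groups, mail, group_name):
    """Reconcile the '<group> - Synced' role with the group's current direct members."""
    role = f"{group_name} - Synced"
    community["synced"].add(role)
    wanted = {u for u in direct_user_members(groups, group_name) if mail.get(u)}
    current = community["roles"].get(role, set())
    added, removed = wanted - current, current - wanted
    community["accounts"] |= added      # an account is created for each new member
    community["roles"][role] = wanted   # removed members lose the role, keep the account
    return sorted(added), sorted(removed)

def remove_role_from_user(community, role, user):
    """Manual removal of an LDAP-mapped role is refused; change AD membership instead."""
    if role in community["synced"]:
        raise PermissionError("role is mapped to an Active Directory group and cannot be removed")
    community["roles"][role].discard(user)
```

Running the sync twice, with a user dropped from the AD group in between, shows the role membership shrinking while the account set does not.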

Synchronize Active Directory groups with Telligent Enterprise

Job: CommunityServer.Components.LdapSyncJob, CommunityServer.Components

The default configuration for the CommunityServer.Components.LdapSyncJob, CommunityServer.Components job is to run every morning at 4 a.m. The cron expression may be changed.

Changing when the job runs

  1. Navigate to the directory where Telligent Job Scheduler is installed.
  2. Edit the tasks.config file.
  3. Change the cron expression for CommunityServer.Components.LdapSyncJob, CommunityServer.Components. Note: The following site provides helpful information for cron expressions: http://quartznet.sourceforge.net/tutorial/lesson_6.html.
  4. Save the changes.
  5. Restart the Telligent Job Scheduler service.

Upgrade

If the site was using Active Directory group mappings under a previous version of Telligent Enterprise, it is recommended that the functionality be migrated to use the new Active Directory syncing described in this article. This involves adding the AD Groups from the communityserver.config mapping (config groups) as synced roles on the site.
Each mapped AD group entry will look like this:

<add WindowsGroupName="DOMAIN\Sales" AuthorizationRole="Sales" />

  1. Navigate to Control Panel Dashboard > System Administration > Membership Administration > Members and Roles > Manage Site Roles.
  2. For each AD group in the config groups:
    1. Click Create an LDAP mapped role.
    2. Enter the name of the AD group (the WindowsGroupName value, yellow above).
    3. After creating the new role, copy the permissions from the previous role it was mapped to (the AuthorizationRole value, green above).
    4. Remove the entries from communityserver.config.

If multiple AD groups are being mapped to a single role, additional steps will need to be taken. Synced AD groups do not support mapping multiple AD groups to a role; only a one-to-one correlation is allowed.

There are two ways to achieve the effect of mapping multiple AD groups to a role:

  • Add the AD groups individually and then copy permissions from the original mapped role to all of the new mapped roles.

    For example, say a Sales department was split into North, East, South, and West, each with its own AD group. With the first option, each AD group is mapped to its own role (“North - Synced,” “East - Synced,” “South - Synced,” “West - Synced”). The permissions from the “Sales” role are then copied to each of these four.
  • Create a new AD group that contains all the groups and then map that group, copying over the permissions.

    For example, a new group in Active Directory is created, “All Sales.” Then “All Sales” is mapped using the new syncing feature, which will create the “All Sales - Synced” role. Finally, the permissions from “Sales” are copied to “All Sales - Synced.”

Support for Active Directory groups with more than 10,000 users

Active Directory groups with more than 500 users will be updated every 24 hours. Following our recommended configuration, you can add Active Directory groups with up to 10,000 members. For Active Directory groups with more than 10,000 users, please contact Customer Support.