Synchronize User Groups With Active Directory

By default, the user property values and group memberships in Meridian are managed manually as described in Create and Edit User Accounts and Create and Edit User Groups. Those methods are satisfactory for small numbers of users and groups or when Microsoft Active Directory is not used extensively to manage users' privileges. However, many medium to large organizations rely on Active Directory to manage all users' access to network resources through Active Directory groups. Managing similar or identical Meridian groups separately can be inconvenient and error-prone.

Meridian Enterprise includes a program to synchronize Meridian user information and group memberships. The program allows you to map Active Directory groups to corresponding Meridian groups. The members of the mapped Active Directory groups will be synchronized with the Meridian groups and the user information for each user can also be synchronized. The program provides options that control what information is synchronized to Meridian.

The program can run in interactive mode as described in the following task. It can also be run in silent mode as a scheduled task to maintain synchronization by configuring its initialization file as described in the following topics.

ClosedNotes about functionality

  • The program is installed on a computer only when the Administrator components are selected during Meridian installation.

  • The maximum number of group mappings that can be synchronized is limited to 65520/AD group name length in characters + Accruent group name length in characters + 1. For example, given the names ADGroup1 (8) and BCGroup1 (8):

    8 + 8 + 1 = 17

    65520/17=3854 mappings

  • User accounts in nested Active Directory groups will be synchronized with their associated Accruent user accounts but Accruent groups may not be nested.

  • If Meridian Enterprise Server is also deployed, users and groups may be defined and synchronized with Active Directory in the Meridian Enterprise Server Administration Console instead.

    They are then available in Meridian Enterprise if the Use Enterprise Server for user management option is enabled as described in Configure the Connection To Meridian Enterprise Server. If Meridian Enterprise Server is not also deployed, use the instructions in this topic.

ClosedProcedures

To run the program interactively:

  1. Run ADSyncUsers.exe.

    It is located at C:\Program Files\BC-Meridian\Program by default. The Active Directory User Synchronizer dialog box appears.

  2. Click options or type values using the descriptions in the following table.

    Configuration options
    Option Description

    AD server

    The IP address of the LDAP server where Active Directory information is stored.

    AD admin

    Account name under which to query user information from the server specified in AD Server.

    Password

    Password for the account specified in User.

    AD groups

    Names of the Active Directory groups found on the server specified in AD Server.

    To sort the names in ascending or descending order, click the corresponding button.

    To filter the names, type text in the Filter box.

    Meridian groups

    Names of the Meridian groups found on the Meridian Enterprise server.
    Always Updates all mapped user properties in Meridian with the information stored in Active Directory upon every synchronization.

    Primary account only

    Only updates the Meridian user account if the Windows account is the primary account associated with the Meridian user. For information on associating multiple Windows accounts to a single Meridian user, see Create and Edit User Accounts.
    Never Does not update user information fields from Active Directory. Only group memberships will be synchronized.

    Update properties only if the user is a group member

    Only updates the Meridian user properties if the user is already a member of the mapped Meridian group.

    Rename duplicate Meridian user accounts

    If a Windows account name is found associated with more than one Meridian user account, renames subsequent Meridian user accounts to match the first Meridian user account found.
  3. Click Get Groups to retrieve the Active Directory group names and fill the AD groups list.

  4. To create a new group mapping:

    1. Select an Active Directory group from AD groups that you want to map to a Meridian group.

      You may map the same AD group to multiple Meridian groups.

    2. Select a group from Meridian groups that you want to map to the group specified in AD groups.

    3. Click Add Mapping to create a mapping between the two selected groups.

  5. To delete a group mapping, select a mapping in Mapped groups and click Delete Mapping.

  6. Click Synchronize to begin synchronization using the current settings.

  7. Click Exit to close the tool.

    Only the account credentials are saved. The other options can be set in the file ADSyncUsersConfig.ini that is located in the same folder as the program. You may edit the configuration file in any text editor.

2022 R2