K12 Panel can communicate with Microsoft Active Directory (AD) to import user login profile names and map them to the current person structure in Panel. The mapping uses the email address in each AD user profile and matches it to an existing person in Panel with the same email address. A PowerShell script, run on a schedule from the domain controller, performs the sync against Panel.
This allows logins on computer assets to be monitored using AD logins rather than the Google Credential Provider for Windows. Multiple AD Syncs from multiple domain controllers can be set up, either for redundancy or to cover different domains in a forest.
This requires Cloud Sync to be enabled first to populate Panel with the necessary OU structure and people. This sync only maps user profile names to people in the
Add AD Sync
To set up a new AD Sync, click the Add AD Sync Settings button. In the domain name field, enter the simple domain name without the .local or any other suffix you use. For example, if your domain is company.com, enter company as the domain name. Enter the external IP address from which this sync will originate.
Once this is completed, you will have a new section as shown below. Click Show Details to display more information. This includes your AD Sync key, which you will need to copy or write down for the steps further below, and the sync report summary.
Domain Controller Script
Open Panel with your organization selected and download the PowerShell script from the Settings - Software Tab page.
Make sure you have the correct organization selected in the upper right if you manage multiple organizations. The script version may vary between organizations, and your download links may be redirected to the incorrect version if the wrong organization is selected.
Place the script in an administrative location on the domain controller itself (where common users cannot access or modify it).
Obtain your Org ID from the Org Overview tab in Settings in Panel, and your AD Sync key from the AD Sync tab in Settings, before continuing below.
Open Task Scheduler on that machine and create a task with the following settings:
- Name: “Panel - AD Sync”
- Enable the checkbox for “Run whether user is logged on or not”
- Enable the checkbox for “Run with highest privileges”
- Set the trigger to Daily, with “Repeat task every” set to 1 hour
- Enable “Stop the task if it runs longer than” and set the value to “1 day” (optional, but recommended so that frozen processes are killed)
- Program: powershell
- Add arguments: -NoProfile -ExecutionPolicy Bypass -NonInteractive -Command "& 'filepathtothescripthere' 'Enter ORG GUID here' 'AD Sync GUID Here'"
  Pay close attention to the single quotes around the ORG GUID and AD SYNC GUID values, and make sure to include the double quotes right after -Command and at the very end. This is very easy to miss!
- Edit the Conditions as needed for your environment. The defaults are usually fine for common setups.
Alternatively, open an administrative PowerShell session (run as administrator) on the domain controller, copy this command into Notepad, edit the ORG GUID and AD SYNC GUID values, then paste it into PowerShell to create the scheduled task with a single command. EXAMPLE LEFT BLANK FOR NOW.
Run the task once to trigger it immediately if needed.
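The following is an added example (not the Panel documentation's own command) that registers the scheduled task with the settings listed above from an administrative PowerShell session on the domain controller. The script path, the two GUIDs and the SYSTEM run-as account are assumptions to replace with your own values; the page does not specify which account the task should run under.

```powershell
# Added example: register the "Panel - AD Sync" task with the settings from the manual steps.
$TaskName   = 'Panel - AD Sync'
$ScriptPath = 'C:\ProgramData\Panel\PanelADSync.ps1'   # placeholder: path to the downloaded script
$OrgGuid    = '00000000-0000-0000-0000-000000000000'    # placeholder: Org ID from Settings > Org Overview
$AdSyncGuid = '00000000-0000-0000-0000-000000000000'    # placeholder: AD Sync key from Settings > AD Sync

# Fail early on the two easiest mistakes: a missing script file and a GUID that was
# mistyped or pasted together with its surrounding quotes.
if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Script not found: $ScriptPath" }
foreach ($g in $OrgGuid, $AdSyncGuid) { [void][guid]::Parse($g) }   # throws on a malformed GUID

# Arguments exactly as in the manual Task Scheduler step: single quotes around each
# value, double quotes around the whole -Command expression.
$Arguments = "-NoProfile -ExecutionPolicy Bypass -NonInteractive -Command `"& '$ScriptPath' '$OrgGuid' '$AdSyncGuid'`""
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $Arguments

# Daily trigger that repeats every hour. The repetition block is copied from a one-time
# trigger because -Daily does not accept -RepetitionInterval directly.
$Trigger = New-ScheduledTaskTrigger -Daily -At 12am
$Trigger.Repetition = (New-ScheduledTaskTrigger -Once -At 12am `
    -RepetitionInterval (New-TimeSpan -Hours 1) `
    -RepetitionDuration (New-TimeSpan -Days 1)).Repetition

# "Stop the task if it runs longer than" 1 day; also never start a second copy while one is running.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Days 1) `
    -MultipleInstances IgnoreNew

# "Run whether user is logged on or not" and "Run with highest privileges". SYSTEM is an
# assumption; a dedicated service account can be used instead via -User/-Password on Register-ScheduledTask.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Settings $Settings -Principal $Principal -Force | Out-Null

# Optional: run the sync immediately instead of waiting for the first trigger.
Start-ScheduledTask -TaskName $TaskName
```

After registration, the Task Scheduler GUI shows the same Name, Trigger, Settings and Actions values as the manual steps above, which is a quick way to confirm the quoting in the argument string survived intact.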