Users can be added to specific Telligent Community groups or via site roles. Active Directory group members can also be added via LDAP and will keep Telligent Community in sync with Active Directory. As members are added to Active Directory groups, they will be added to the corresponding role in Telligent Community. As members are removed from Active Directory groups, they will be removed from the corresponding role in Telligent Community.
It may take up to 24 hours for a change to take effect.
Ensure that your system meets the prerequisites before adding Active Directory groups as members to Telligent Community:
- Telligent Community is installed. The functionality for adding members of an Active Directory group is only available with Telligent Community.
- Windows Authentication is configured.
- LDAP is configured.
Things to consider
There are several decisions to take into consideration when setting up Active Directory syncing in Telligent Community:
- When is the job to be run? Default configuration for the job is set to run at 4 a.m. daily. IT may want to decide when the job will run.
- Active Directory users must have valid email addresses in their Active Directory records for Telligent Community to create an account for the community.
- The default configuration maps the Active Directory Administrators group to the Telligent Community Administrators group, so every member of that Active Directory group becomes a site administrator. Consider mapping a dedicated, deliberately scoped Active Directory group instead of the built-in Administrators group. To change the mapping:
  - Navigate to the web folder.
  - Edit communityserver.config.
  - Find the attribute adminWindowsGroup="Administrators".
  - Change 'Administrators' to the name of the Active Directory group you want to map to site administrators on your Telligent site.
Validate LDAP is configured to add Active Directory groups as members
After completing the prerequisite steps, validate that the functionality is available:
- As an administrator, navigate to Management > Administration > Membership > Roles.
- Verify that the Create an LDAP mapped role button is visible. If it is, LDAP has been configured successfully.
Add Active Directory group users to a Telligent Community group
You may add Active Directory group members to groups. Each user will receive a welcome email from the group after their account has been created. A new site role will also be created that is synced to this group.
Any site role permissions granted will be overridden by the group permissions.
To add Active Directory group members to a group:
- Select your group:
- For a Joinless group, click Manage Group Owners.
- For all other groups, click Manage Members.
- In the User Name(s) or Role(s) input box, type the Active Directory group name.
- Select the membership type.
- Click Add Member(s).
- Click on the Role Members tab.
The group name will be listed with the text "- Synced" after it. If the group you added has fewer than 500 members, account creation for each user begins immediately, and each user receives an email welcoming them to the group once their account has been created. For groups with 500 or more members, account creation begins the next time the CommunityServer.Components.LdapSyncJob, CommunityServer.Components job runs.
Add Active Directory group users to Telligent Community
You may add Active Directory group members to Telligent Community without adding them to specific groups. This creates an account for each user. For Active Directory groups with fewer than 500 members, the accounts are created immediately. Users will not receive an email after their account has been created. For groups with 500 or more members, account creation begins the next time the CommunityServer.Components.LdapSyncJob, CommunityServer.Components job runs.
- As an Administrator, navigate to Management > Administration > Membership > Roles.
- Click Create an LDAP mapped role.
- Type your LDAP group name in the input panel.
- Click Create role. A new site role is created for your community, and additional permissions can be granted to it if desired. Note: The name and description of Active Directory mapped roles cannot be changed.
Nesting of Active Directory groups
When adding an Active Directory group that contains other Active Directory groups, only the direct user members of the parent group are added to the community. The child group and its users are not added. This is for security purposes: membership in the community never expands beyond the group you explicitly mapped.
The only way to add the child group is to perform a separate import operation. (In this example, you would import 5Users into EvoGroupOwner.)
Active Directory group scope and type
AD groups of any combination of group scope and group type may be used.
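As an added example (not part of the original page and not Telligent's code), the following PowerShell script checks an Active Directory group against the rules described above before you map it: it counts direct user members to predict whether accounts are created immediately or on the next Ldap Sync Job run, lists nested groups whose members will not be synced, and lists users with no email address (who will not get a community account) and disabled users. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 500-member threshold is the one stated above, the 10,000-member ceiling is the one from the support note at the end of this page, and the group name is a placeholder you pass in.

```powershell
# Added example: pre-flight check of an AD group before creating an LDAP mapped role.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
param(
    [Parameter(Mandatory = $true)]
    [string]$GroupName
)

Import-Module ActiveDirectory -ErrorAction Stop

$group = Get-ADGroup -Identity $GroupName -Properties GroupScope, GroupCategory

# Direct members only (deliberately no -Recursive): the sync creates accounts
# only for direct user members; members of nested groups are skipped.
$direct       = @(Get-ADGroupMember -Identity $group)
$nestedGroups = @($direct | Where-Object { $_.objectClass -eq 'group' })
$directUsers  = @($direct | Where-Object { $_.objectClass -eq 'user' })

$missingMail = New-Object System.Collections.Generic.List[string]
$disabled    = New-Object System.Collections.Generic.List[string]
foreach ($member in $directUsers) {
    $u = Get-ADUser -Identity $member.DistinguishedName -Properties mail, Enabled
    # Users without a mail attribute will not get a community account.
    if ([string]::IsNullOrWhiteSpace($u.mail)) { $missingMail.Add($u.SamAccountName) }
    # Disabled accounts cannot log in, so flag them rather than expecting a welcome email.
    if (-not $u.Enabled) { $disabled.Add($u.SamAccountName) }
}

$userCount = $directUsers.Count
$timing = if ($userCount -lt 500) {
    'fewer than 500 direct users: accounts are created immediately'
} elseif ($userCount -le 10000) {
    '500 or more direct users: accounts are created on the next Ldap Sync Job run (default 4 a.m.)'
} else {
    'more than 10,000 direct users: contact Customer Support before mapping'
}

[pscustomobject]@{
    Group               = $group.Name
    ScopeAndType        = "$($group.GroupScope) / $($group.GroupCategory)"
    DirectUsers         = $userCount
    Timing              = $timing
    NestedGroupsSkipped = $nestedGroups.Name
    UsersWithoutMail    = $missingMail.ToArray()
    DisabledUsers       = $disabled.ToArray()
}

# Anything in the two lists below means part of the group will silently not
# appear in the community; fail the check so it is noticed before mapping.
if ($missingMail.Count -gt 0 -or $nestedGroups.Count -gt 0) { exit 1 }
```

Run it as `.\Test-AdGroupForSync.ps1 -GroupName 'Sales'` (script name is a placeholder) from an account that can read the group. Note that Get-ADGroupMember is itself subject to the Active Directory Web Services default limit of 5,000 returned members; for larger groups, raise that limit on the domain controller or enumerate the group's member attribute with Get-ADGroup instead.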
Remove Active Directory group users from Telligent Community
Remove an Active Directory group from a Telligent Community group
Removing an Active Directory group from a Telligent Community group requires the same steps as removing an individual member:
- Open the group's membership page (Manage Members, or Manage Group Owners for a Joinless group) and, in the User Name(s) or Role(s) panel, type the Active Directory group name.
- Select the membership type.
- Click on the Role Members tab.
- Click Remove. Note: The individual members will no longer have membership to the group, but their Telligent Community accounts will remain active.
Remove an Active Directory group by deleting the site role
You may also remove an Active Directory group by deleting the site role. This will also remove the memberships from any groups.
- As an Administrator, navigate to Management > Administration > Membership > Roles.
- Select the role in the drop-down list.
- Click Delete.
The role is deleted, and its membership in any groups it was added to is removed.
If you delete the site role to remove the Active Directory group, the individual Telligent Community accounts will continue to be active. The users will be able to access the community, but all of their memberships related to the Active Directory group will be removed.
Deleting or disabling Active Directory users
Removing an Active Directory group from a Telligent Community group or site role leaves all of the accounts intact. To deny a user access to the community, delete or disable the account in Active Directory; either prevents the user from logging in. Disabling is usually the better choice because it is reversible and keeps the account's identity and history available for audit.
Removing LDAP synced roles from individual users
From the Membership > Members Panel, you can view a user's roles:
- Navigate to Management > Administration > Membership > Members.
- Search for the user in the text field.
- Click Roles.
If you select an LDAP-mapped role and attempt to remove it from the user, a warning message will render, "One (or more) of the selected roles is mapped to an Active Directory group and cannot be moved." To remove the role from the user, you must access Active Directory and remove the user from the Active Directory group.
Synchronize Active Directory groups with Telligent Community
Job: Ldap Sync Job
The default configuration for the job is to run every morning at 4 a.m. The time can be changed in the Administration panel.
Changing when the job runs
- Navigate to Management > Administration > Jobs > Job Status.
- Click Jobs.
- Locate the LDAP Sync job.
- Change the run frequency or time.
- Click Save.
- Restart the Telligent Job Service.
Upgrade
If you are upgrading from a configuration that mapped Active Directory groups to roles with entries in communityserver.config, such as:
<add WindowsGroupName="DOMAIN\Sales" AuthorizationRole="Sales" />
convert each entry to an LDAP mapped role:
- Navigate to Management > Administration > Membership > Roles.
- For each AD group in the config entries:
  - Click Create an LDAP mapped role.
  - Enter the name of the AD group (the WindowsGroupName value).
  - After creating the new role, copy the permissions from the role the group was previously mapped to (the AuthorizationRole value).
- Remove the entries from communityserver.config.
If multiple AD groups are mapped to a single role, additional steps are needed. Synced AD groups do not support mapping multiple AD groups to one role; only a one-to-one correlation is allowed.
There are two ways to achieve the effect of mapping multiple AD groups to a role:
- Add the AD groups individually and then copy permissions from the original mapped role to each of the new mapped roles. For example, say a Sales department was split into North, East, South, and West, each with its own AD group. Each AD group is mapped to its own role ("North - Synced", "East - Synced", "South - Synced", "West - Synced"), and the permissions from the "Sales" role are then copied to each of the four.
- Create a new AD group that contains all of the users and map that group, copying over the permissions. For example, create a new group in Active Directory, "All Sales", map it using the syncing feature (which creates the "All Sales - Synced" role), and copy the permissions from "Sales" to "All Sales - Synced". Note that the combined group must contain the users as direct members; as described under Nesting of Active Directory groups, members of nested child groups are not synced, so a group that merely contains North, East, South, and West as member groups would add no users.
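As an added example (not part of the original page and not Telligent's code), the following PowerShell script builds the migration checklist for the Upgrade procedure above: it finds the legacy WindowsGroupName/AuthorizationRole entries in communityserver.config, prints one "create mapped role, then copy permissions" line per AD group, and flags any role that is fed by more than one AD group, which is the case that needs one of the two workarounds described above. It assumes the entries are `<add>` elements with those two attributes wherever they sit in the file; when no path is given it runs against a constructed sample whose surrounding element names are invented for illustration.

```powershell
# Added example: enumerate legacy AD-group-to-role entries in communityserver.config.
param([string]$Path)

if ($Path) {
    [xml]$config = Get-Content -Path $Path -Raw
} else {
    # Constructed sample in the shape shown on this page; the wrapper element
    # names are placeholders, not the real structure of communityserver.config.
    [xml]$config = @'
<configuration>
  <windowsGroups>
    <add WindowsGroupName="DOMAIN\Sales" AuthorizationRole="Sales" />
    <add WindowsGroupName="DOMAIN\Sales North" AuthorizationRole="Sales" />
    <add WindowsGroupName="DOMAIN\Marketing" AuthorizationRole="Marketing" />
  </windowsGroups>
</configuration>
'@
}

# Match the <add> elements by attribute so the parent element name does not matter.
$entries = $config.SelectNodes('//add[@WindowsGroupName and @AuthorizationRole]') |
    ForEach-Object {
        [pscustomobject]@{
            AdGroup = $_.GetAttribute('WindowsGroupName')
            Role    = $_.GetAttribute('AuthorizationRole')
        }
    }

# One line per AD group: create the LDAP mapped role, then copy the old role's permissions.
foreach ($e in $entries) {
    "{0,-25} -> create an LDAP mapped role for it, then copy permissions from role '{1}'" -f $e.AdGroup, $e.Role
}

# Synced roles are one-to-one; a role with several AD groups needs a workaround.
$entries | Group-Object Role | Where-Object Count -gt 1 | ForEach-Object {
    "Role '{0}' is mapped from {1} AD groups ({2}): map each group separately, or create one AD group holding all the users directly" -f `
        $_.Name, $_.Count, ($_.Group.AdGroup -join ', ')
}
```

With the constructed sample, the script lists three groups to migrate and reports that the "Sales" role is mapped from two AD groups. Run it with `-Path` pointing at the real communityserver.config in the web folder to check your own entries before removing them.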
Support for Active Directory groups with more than 10,000 users
Active Directory groups with 500 or more users are updated every 24 hours. Following our recommended configuration, you can add Active Directory groups with up to 10,000 members. For Active Directory groups with more than 10,000 users, please contact Customer Support.