Use and Manage the Active Directory Integration (ADI)

The JumpCloud Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between JumpCloud and on-premise or off-premise AD. As covered in Get Started with the Active Directory Integration, the ADI uses two agents: an import agent and a sync agent that can be installed in three (3) configurations.  The configurations are determined by where you want to manage users, groups, and passwords.

  1. Manage users, groups, and passwords in AD
  2. Manage users and passwords in either system, or both
  3. Manage users, groups, and passwords in JumpCloud

This article covers how to leverage the ADI depending on your configuration and use case. 

Prerequisites

Sync interval

The ADI agents check for updates from JumpCloud and the Domain Controller(s) every 90 seconds. Any changes made will be updated and reflected in the counterpart within that cadence. 

Use cases and workflows

The table shows a summary of the most common use cases and the ADI configurations that support them.  Reference Configure the Active Directory Integration for more information.

ADI Configuration Use case User and Group Authority Password authority Data sync direction Server type(s) on which agent(s) can be installed Install Import Agent Install Sync Agent
Manage users, groups and passwords in AD Extend AD Domain Controllers
Manage users and passwords in either system, or both Extend AD Domain Controllers, Member Servers
Minimize AD footprint Domain Controllers
Migrate away from AD Domain Controllers, Member Servers (Sync agent only)
Manage users, groups, and passwords in JumpCloud Minimize AD footprint Domain Controllers, Member Servers
Migrate away from AD Domain Controllers, Member Servers

Workflow for Managing Users, Groups, and Passwords in AD

When the JumpCloud ADI is configured for AD Import only, the illustrations below show the user identity workflows for any user data changes or password updates in this configuration. This method allows Admins to extend their AD Users and Passwords to JumpCloud. JumpCloud can then extend these identities out to resources, such as RADIUS WiFi or VPN networks, SSO Applications, LDAP resources, and more.

If you’re only using AD Import, continue to the Using AD Import section of this article and disregard the Using AD Sync section. 

AD Import Agent Only – Single Domain Workflow

AD Import Agent Only – Multiple Domain Workflow

Workflow for Managing Users, Groups, and Passwords in AD, JumpCloud, or Both

When the JumpCloud ADI is configured for AD Import and AD Sync, the illustrations below show the user identity workflow for any changes or password updates in this configuration. This scenario allows Admins to not only extend their AD users and Passwords to JumpCloud but to also allow JumpCloud to manage identities and passwords within AD for synced users.

Two-way Sync – Single Domain Workflow

Two-way Sync – Multiple Domain Workflow

Workflow for Managing Users, Groups, and Passwords in JumpCloud

When the JumpCloud ADI is configured for AD Sync only, the illustrations below show the user identity workflow for any changes or password updates in this configuration. This scenario allows Admins to manage identities and passwords within AD solely from JumpCloud for synced users.

AD Sync Agent Only – Single Domain Workflow

AD Sync Agent Only – Multiple Domain Workflow

Using the AD Import Agent

Important:

 When the import agent is installed on a member server, the password is not synced from AD to JumpCloud.

The AD import agent allows you to do the following in JumpCloud from AD:

  1. Import users 
  2. Update, and Deactivate users accounts

If the AD import agent is installed on a DC, it also allows you to:

  • Activate the user’s password

To import users from AD into JumpCloud

The AD Import Agent will only import users that you directly add as a memberOf the JumpCloud ADI Security Group within AD (i.e., the Security Group you created during the AD Import Agent installation).

There are two ways to specify which users to import from AD to JumpCloud: 

  1. through a direct membership to the JumpCloud ADI Security Group
  2. through a Security Group that is a member of the JumpCloud ADI Security Group

Important:

How passwords are handled for users added in AD who already exist in JumpCloud is controlled by the setting for the UserTakeoverAction in the AD import configuration file. The default value is deactivate, which will cause the user’s JumpCloud  password to be removed and set to a password pending status.    The user will temporarily lose access to their JumpCloud provisioned resources (such as RADIUS, LDAP, SSO apps, etc.) until the password is updated within AD. See the Advanced Configurations for AD Import article for more information around UserTakeoverAction.

To import a single user from AD to JumpCloud

  1. Open the Active Directory Users and Computers (ADUC) Menu by clicking the start button, typing “dsa” and clicking the Active Directory Users and Computers icon.

  1. Once ADUC is open, navigate to a user that you would like to import into JumpCloud. 
  2. Right-click on the target user and click Properties.
  1. Navigate to the Member Of tab in the Properties menu. 
  1. Click Add. Then add this user as a member of the JumpCloud ADI Security Group.
  1. Click Apply. Wait up to 90 seconds and then check to see if the user has been fully imported into JumpCloud. This validates that your AD Import Agent is working appropriately.

The user is created with a Password Status of Password Pending and will have an AD Integration badge below their email address. The user state is controlled by setting for Users>Settings>Default User State for User Creation> Manual/Single User API. See Manage User States for more information about this setting.

Note:

Users who existed in AD before the AD import agent was installed must update their password in AD or an AD-managed resource for the Password Status to become active in JumpCloud. 

If the import agent is installed on your DCs, users created in AD after the AD import agent was installed will have their passwords automatically imported/updated in JumpCloud and their Password Status will be active.

To import multiple users from AD into JumpCloud:

This method allows you to import all users that are members of a specific Security Group. For example, if you want to export all AD users that are members of the Accounting Security Group, you would make the Accounting Security Group a memberOf the JumpCloud ADI Security Group. This will then import the Accounting Security Group and all users that are associated members.

  1. Open the Active Directory Users and Computers (ADUC) Menu by clicking the start button, typing “dsa” and clicking the Active Directory Users and Computers icon.

  1. Once ADUC is open, navigate to a user that you would like to import into JumpCloud. 
  2. Right-click on the target Security Group and click Properties.

  1. In the Security Group Properties Menu, click the Member Of tab and click Add.

  1. Add this Security Group to the JumpCloud-named Security Group and click Apply.
  2. Wait 90 seconds for both the Security Group and the Users within that Security Group to be created in JumpCloud. You will see both the user accounts and user groups within JumpCloud’s Admin Portal marked by an AD Integration badge.

Note:

Users who existed in AD before the AD import agent was installed must update their password in AD or an AD-managed resource for the Password Status to become active in JumpCloud. 

If the import agent is installed on your DCs, users created in AD after the AD import agent was installed will have their passwords automatically imported/updated in JumpCloud and their Password Status will be active.

To sync users passwords from AD to JumpCloud

Important:

Syncing passwords from AD to JumpCloud is only applicable when the import agent is installed on DCs. When the import agent is installed on member servers, the password is not synced from AD to JumpCloud.

When existing AD users are imported from AD into JumpCloud, there is no password associated with their account in JumpCloud until the user resets their password in AD. You’ll see the newly imported users in JumpCloud marked with an AD badge and in an orange Password Pending password status within the user menu.

Important:

Users MUST change their AD user password within AD or a domain-managed resource to set a password JumpCloud account. This is a required step. If the user never resets their password in AD, then JumpCloud will never receive a password and the JumpCloud user will never be able to access their JumpCloud managed resources. 

Users created in AD post install of the JumpCloud AD Import Agent will arrive in your JumpCloud tenant with a green Active state and do not require a password reset from with in AD.

To sync a password from AD to JumpCloud

  1. Users will need to change their password in AD or on an AD-managed resource. 
  2. In 90 seconds, in the JumpCloud Admin Portal Users page, you should now see the user’s Password Status change orange Password Pending state to a green check-marked active status with the expiry date from  AD.

Note:

The password expiry date for AD-managed users is the expiry date from AD as the expiry is managed by AD, not JumpCloud.

  1. All Password changes moving forward will need to be done within AD or on AD-bound resources. 

Note:

If you’re planning on using AD Sync alongside AD Import, Passwords can be updated in JumpCloud after this required initial password change has taken place within the steps outlined above. This is a requirement for both AD Import only and AD Import & Sync use cases. 

To create, update, and disable user accounts

Note:

These changes on a user or user group will be reflected within JumpCloud in approximately 90 seconds. 

Now that AD Import has been successfully installed and configured, AD Admins will be able to manage JumpCloud user accounts and the following attributes within AD for any CrUD updated (Create, Update, and Deactivate/Disable):

  • firstname
  • lastname
  • username
  • email
  • password, and
  • user state (active or disabled)

Creating new users in AD

Follow the same process outlined above for importing users from AD into JumpCloud.

  1. Create a new user account in AD
  2. Add the user to the JumpCloud ADI security group
  3. Wait 90 seconds
  4. Verify the user was created in JumpCloud.

Updating user attributes in AD

When you change any attributes of an AD user which is currently synced via the AD Import Agent, this will reflect within your JumpCloud tenant in approximately 90 seconds. For example, if you change the First or Last Name of a user, this will reflect on the JumpCloud user’s First or Last Name attribute in 90 seconds. 

Disabling users in AD

When deleting, suspending, or deactivating users within AD, this will in turn delete the users from JumpCloud thus removing access to any of the JumpCloud-managed resources he or she had access to such as RADIUS, LDAP, or SSO Applications.

Using AD Sync

If you’re choosing to also leverage the functionality of AD Sync Agent with your AD Integration, this allows JumpCloud to push CrUD changes of synced users down to AD. With the AD Sync Agent in place, you will be able to do the following: 

  1. Create users in JumpCloud which will then push down to AD.
  2. When users change passwords in JumpCloud, this new password will be pushed down to their AD user account. 
  3. When you suspend or delete a user in JumpCloud, this will disable the user Account in AD. 

To sync an existing user from JumpCloud to AD 

This functionality allows JumpCloud users to be created in AD if they don’t exist or allows JumpCloud to either take over management of the user if you have configured a one-way sync from JumpCloud to AD (only the AD sync agent is running) or co-manage the user with AD in a 2-way sync configuration (both the AD import and AD sync agents are running).

Follow the steps below to sync users from JumpCloud to AD.

Warning:

If you are managing users in both JumpCloud and AD (two-way  sync), and you left the default setting for UserTakeoverAction, which is deactivate, when you sync user with passwords from JumpCloud to AD, the AD import agent will change the JumpCloud user passwords status from Active to Password Pending.  This results in these users losing access to any resources assigned to them in JumpCloud. To prevent this, we recommend to see Advanced Configurations for AD Import and change the UserTakeoverAction attribute to retain.

  1. Navigate to your user in JumpCloud and open up their Details. 
  2. Click on the user groups tab on the user aside. 
  3. Assign user to a JumpCloud group and click Save.
  4. Wait for Active Directory badge to appear.
  1. Bind this user to the user group which they need to be a memberOf in AD (that is also synced using the ADI). In our example, we can see the Accounting User Group is tied to AD via the Directories in the drop-down menu.
  1. Click Save User. The user will then be created in the Root User Container within your AD domain. This can take up to 90 seconds.

Note:

Users who are created in AD from JumpCloud are automatically put into the Root User Container you configured during the installation of the AD Import & Sync Agents. If you need to move the user to the appropriate OU or sub OU, you’ll have to do this within AD on the DC.

To create, update and deactivate user accounts

The following section covers how to manage AD user accounts from JumpCloud. With the AD Sync in place, JumpCloud Admins are able to manage AD users from the JumpCloud Admin Portal. This makes user onboarding, off-boarding, and management much easier. Additionally, this may help with removing the need to remotely access the DC for simple tasks within the Identity Lifecycle for user accounts.

Creating Users in JumpCloud

JumpCloud Admins can create users in AD by binding any JumpCloud user to an AD Integrated User Group within JumpCloud. For example, if you’ve synced the Accounting group from AD to JumpCloud via the Import Agent, then any JumpCloud user bound to this synced user group will be created within AD under the Root User Container. 

The user is created within AD, is a memberOf the associated user group (Security Group in AD), and their AD user account will use their JumpCloud Password. 

Suspending or deleting users in JumpCloud

Suspending or deleting users within JumpCloud will Disable the user account within AD. JumpCloud in any form will never remove or delete user accounts in any of the 3rd party integrations. (This also includes SAML, LDAP, AD, GWS, and M365). These changes will reflect in 90 seconds.

Managing ADI

Update agents

We recommend keeping your agents current to ensure you have the latest security updates, bug fixes, and functionality and to retain support. 

To update the agents:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain
  4. From your selected use case (the section marked “This is my use case”), click the download button for the agent.
  5. Select a download location
  6. Upload the agent installation file to the server where the agent is already installed
  7. Run the installation wizard
  8. Only minimal installation screens are shown.
    1. Directory for where the installation should occur
    2. Finish screen
  9. Restart the service.

Rotate ADI service account passwords in AD

The ADI import and sync service account passwords should be rotated on a regular basis for security purposes.  

To rotate the ADI import service account (jcimport) password:

  1. Log in to a Domain Controller with an AD domain admin account
  2. Open the registry
  3. Navigate to HKLM\SOFTWARE\JumpCloud\AD Integration Import Agent\ldap
  4. Edit bind_password
  5. Enter the new password in the Value data field
  6. Click OK
  7. Open services.msc
  8. Restart the JumpCloud AD Integration Import Agent service.

To rotate the AD sync service account (jcsync) password:

  1. Log in to a Domain Controller with an AD domain admin account
  2. Open the registry
  3. Navigate to HKLM\SOFTWARE\JumpCloud\AD Integration Sync Agent\ldap
  4. Edit bind_password
  5. Enter the new password in the Value data field
  6. Click OK
  7. Open services.msc
  8. Restart the JumpCloud AD Integration Import Agent service.

Change use case

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain
  4. Expand the desired use case
  5. Check “This is my use case” 
  6. Use the table below to determine the changes you  need to make
Use case New Use Case Changes
Manage users, groups, and passwords in AD Manage users and passwords in either system, or both Manage users, groups, and passwords in JumpCloud
Manage users, groups, and passwords in JumpCloud x 1. Delete the sync agent from the Admin Portal 2. Uninstall sync agents on all servers 3. Follow the instructions in to download and install the import agent(s) 
x Follow the instructions in to download and install the import agent(s) 
Manage users, groups, and passwords in AD x Follow the instructions in Download and install sync agent(s) on server(s)
x 1. Delete the sync agent from the Admin Portal 2. Uninstall sync agents on all servers 3. Follow the instructions in to download and install the import agent(s) 
Manage users and passwords in either system, or both x Follow the instructions in to download and install the import agent(s) 
x 1. Delete the import agent(s) from the Admin Portal 2. Uninstall import agents from all servers

Manage agents in JumpCloud

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain
  4. Click the Domain Agents tab
  5. Click the pause to temporarily stop the agent
    1. This prevents information from flowing between JumpCloud and AD. For the AD sync agent, changes are still queued.
  6. Click delete to remove the agent from JumpCloud.

Important:

Deleting an agent in JumpCloud does not stop the service in AD nor uninstall it.

Manage  ADI services in AD

  1. Open services.msc
  2. Select the AD service (JumpCloud AD integration Sync Agent or JumpCloud AD integration Impor Agent)
  3. Select the desired action: start, stop, restart

Modify agent configuration

Modify the AD Import Agent Configuration

Note:

The default configuration settings for the the AD import agent are:

  • UserDissociateAction = remove
  • UserTakeoverAction = deactivate
  • UserDisableAction = suspend
  • UserExpireAction =  expire
  1. Review Advanced Configurations for the Active Directory Import Agent to understand the configuration settings available for the import agent.
  2. In AD, go to the JumpCloud folder where the AD Import agent is installed on a domain controller.
  3. Open the adint.config.json file using a text editor
  4. Edit the configurations in the “MainLoop” section of the file.
  5. Repeat this process for the configuration file on every AD server (DC controller on which AD Import is installed.

Modify the Root User container 

If you decide to use a different Root user container for managing AD resources then you will want to modify or validate the configured Root User container location.

Verify the full LDAP path for the chosen Root user container you have selected in ADUC

  1. From the ADUC panel’s View menu, enable Advanced Features. 
  2. Right-click the container and select Properties. 
  3. Select the Attribute Editor tab. 
  4. Select the “distinguishedName” attribute, then click View.

Modify the Root User container in AD sync configuration settings

Stop the JumpCloud AD Integration Sync service and make the required Sync Agent config changes:

  1. Open Registry Editor by clicking the Start button and typing in regedit. Click on the Registry Editor icon.

Registry Editor.jpg

  1. Navigate to the following Registry Folder: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\JumpCloud\AD Sync.
  2. There should be a Key (looks like a folder) named ldap. If there is not, please create this Key in the registry and name it ldap.
  3. Open the ldap Key.

regedit window.jpg

  1. You should see a Key labeled user_root_dn. You should also see the value with the targeted Root User Container you specified during install of the AD Sync Agent. If the user_root_dn value does not look correct, you can update it by double-clicking the key and updating the value to match your Root User Container. 
  2. Once updated, you need to start the JumpCloud AD integration Sync Agent service within services.msc.

Note:

These changes should coincide with relocating the JumpCloud ADI security group in AD, as well as using the Delegation Wizard to set the associated agent service accounts.

Uninstall agents from AD servers

  1. Open Program Files.
  2. Find the program associated with the agent you want to uninstall (JumpCloud AD Import or JumpCloud AD Sync)
  3. Uninstall

Want additional assistance from JumpCloud?

If you’re having issues with getting JumpCloud’s AD Integration working, see the Troubleshooting Guide.JumpCloud now offers a myriad professional services offerings to assist customers with implementing and configuring JumpCloud. If you’re looking for assistance with Migrating from AD, or to integrate AD with JumpCloud, we recommend you reach out to JumpCloud’s Professional Services team on the following page: Professional Services - JumpCloud.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case