Help Center Home > Active Directory > Use and Manage the Active Directory Integration (ADI)

Use and Manage the Active Directory Integration (ADI)

The JumpCloud Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between JumpCloud and on-premise or off-premise AD. As covered in Get Started with the Active Directory Integration, the ADI uses two agents: an import agent and a sync agent that can be installed in three (3) configurations.  The configurations are determined by where you want to manage users, groups, and passwords.

  1. Manage users, groups, and passwords in AD
  2. Manage users and passwords in either system, or both
  3. Manage users, groups, and passwords in JumpCloud

This article covers how to leverage the ADI depending on your configuration and use case. 

Prerequisites

Sync interval

The ADI import agents check for updates to users and security groups in the ADI security group (typically named JumpCloud or) in AD every 90 seconds, by default.

The ADI sync agent checks for updates to users and user groups connected to ADI in JumpCloud every 5 seconds.

Use cases and workflows

The table shows a summary of the most common use cases and the ADI configurations that support them.  Reference Configure the Active Directory Integration for more information.

ADI Configuration Use case User and Group Authority Password authority Data sync direction Server type(s) on which agent(s) can be installed Install Import Agent Install Sync Agent
Manage users, groups and passwords in AD Extend AD Domain Controllers
Manage users and passwords in either system, or both Extend AD Domain Controllers, Member Servers
Minimize AD footprint Domain Controllers
Migrate away from AD Domain Controllers, Member Servers (Sync agent only)
Manage users, groups, and passwords in JumpCloud Minimize AD footprint Domain Controllers, Member Servers
Migrate away from AD Domain Controllers, Member Servers

Workflow for Managing Users, Groups, and Passwords in AD

When JumpCloud ADI is configured for AD Import only, the illustrations below show the user identity workflows for any user data changes or password updates in this configuration. This method allows Admins to extend their AD Users and Passwords to JumpCloud. JumpCloud can then extend these identities out to resources, such as RADIUS WiFi or VPN networks, SSO Applications, LDAP resources, and more.

If you’re only using AD Import, continue to the Using AD Import section of this article and disregard the Using AD Sync section. 

AD Import Agent Only – Single Domain Workflow

AD Import Agent Only – Multiple Domain Workflow

Workflow for Managing Users, Groups, and Passwords in AD, JumpCloud, or Both

When the JumpCloud ADI is configured for AD Import and AD Sync, the illustrations below show the user identity workflow for any changes or password updates in this configuration. This scenario allows Admins to not only extend their AD users and Passwords to JumpCloud but to also allow JumpCloud to manage identities and passwords within AD for synced users.

Two-way Sync – Single Domain Workflow

Two-way Sync – Multiple Domain Workflow

Workflow for Managing Users, Groups, and Passwords in JumpCloud

When the JumpCloud ADI is configured for AD Sync only, the illustrations below show the user identity workflow for any changes or password updates in this configuration. This scenario allows Admins to manage identities and passwords within AD solely from JumpCloud for synced users.

AD Sync Agent Only – Single Domain Workflow

AD Sync Agent Only – Multiple Domain Workflow

Using the AD Import Agent

The AD import agent allows you to do the following in JumpCloud from AD:

  1. Import, update, suspend, and delete users 
  2. Create groups
  3. Manage group membership
  4. Delegate authentication (AD validates the user's credentials)

If the AD import agent is installed on a DC, it also allows you to:

  • Sync the user’s password from AD to JumpCloud

Important:

 When the import agent is installed on a member server, the password is not synced from AD to JumpCloud and is never stored in JumpCloud.

To import users from AD into JumpCloud

The AD Import Agent will only import users that you directly add as a memberOf the JumpCloud ADI Security Group within AD (i.e., the Security Group you created during the AD Import Agent installation).

There are two ways to specify which users to import from AD to JumpCloud: 

  1. through a direct membership to the JumpCloud ADI Security Group
  2. through a Security Group that is a member of the JumpCloud ADI Security Group

Important:

How passwords are handled for users added in AD who already exist in JumpCloud is controlled by the setting for the UserTakeoverAction in the AD import configuration file. The default value is deactivate, which will cause the user’s JumpCloud  password to be removed and set to a password pending status.    The user will temporarily lose access to their JumpCloud provisioned resources (such as RADIUS, LDAP, SSO apps, etc.) until the password is updated within AD. See the Advanced Configurations for AD Import article for more information around UserTakeoverAction.

To import a single user from AD to JumpCloud

  1. Open the Active Directory Users and Computers (ADUC) Menu by clicking the start button, typing “dsa” and clicking the Active Directory Users and Computers icon.

  1. Once ADUC is open, navigate to a user that you would like to import into JumpCloud. 
  2. Right-click on the target user and click Properties.
  1. Navigate to the Member Of tab in the Properties menu. 
  1. Click Add. Then add this user as a member of the JumpCloud ADI Security Group.
  1. Click Apply. Wait up to 90 seconds and then check to see if the user has been fully imported into JumpCloud. This validates that your AD Import Agent is working appropriately.

The user is created with a Password Status of Password Pending and will have an AD Integration badge below their email address. The user state is controlled by setting for Users>Settings>Default User State for User Creation> Manual/Single User API. See Manage User States for more information about this setting.

Note:

Users who existed in AD before the AD import agent was installed can log in to JumpCloud using their existing AD password. Their credentials will be validated by AD through delegated authentication.

If the import agent is installed on your DCs, user passwords will automatically be imported/updated in JumpCloud.

The Password Status for imported users will be Delegated by default unless you manually change the Delegated Authority setting on the user record.

To import multiple users from AD into JumpCloud:

This method allows you to import all users that are members of a specific Security Group. For example, if you want to export all AD users that are members of the Accounting Security Group, you would make the Accounting Security Group a memberOf the JumpCloud ADI Security Group. This will then import the Accounting Security Group and all users that are associated members.

  1. Open the Active Directory Users and Computers (ADUC) Menu by clicking the start button, typing “dsa” and clicking the Active Directory Users and Computers icon.

  1. Once ADUC is open, navigate to a user that you would like to import into JumpCloud. 
  2. Right-click on the target Security Group and click Properties.

  1. In the Security Group Properties Menu, click the Member Of tab and click Add.

  1. Add this Security Group to the JumpCloud-named Security Group and click Apply.
  2. Wait 90 seconds for both the Security Group and the Users within that Security Group to be created in JumpCloud. You will see both the user accounts and user groups within JumpCloud’s Admin Portal marked by an AD Integration badge.

Note:

When the delegated authentication setting, Delegated Password Validation, is disabled, users who existed in AD before the AD import agent was installed must update their password in AD or an AD-managed resource for the Password Status to become active in JumpCloud and allow them to log in to the JumpCloud user portal and use JumpCloud SSO. 

If the import agent is installed on your DCs, users created in AD after the AD import agent was installed will have their passwords automatically imported/updated in JumpCloud.

To manage passwords

To manage passwords in a one-way sync from AD to JumpCloud (Managing Users, Groups, and Passwords in AD)

In this configuration, the delegated authentication setting, Delegated Password Validation, is enabled by default and cannot be disabled in the ADI configuration. This means whenever an AD imported user logs in to the JumpCloud user portal or performs a JumpCloud SSO login, their password is validated by AD and not JumpCloud.

New users

Users imported from AD into JumpCloud, can log in to JumpCloud immediately using their company email address and AD password.

When AD users are imported from AD into JumpCloud, there is no password associated with their account in JumpCloud. The Password Authority and Delegated Authority are automatically set to Active Directory on their user record. The Password Status will be Delegated and show as "Managed by AD".

If the import agent is installed on a member server:

  • The user's password will never sync from AD to JumpCloud and will never be stored in JumpCloud.

If the import agent is installed on a DC:

  • The user's AD password will be stored in JumpCloud the first time the user logs into the JumpCloud user portal and will sync from that point forward.

To manage passwords in a two-way sync from AD to JumpCloud (Managing Users, Groups, and Passwords in AD, JumpCloud, or Both)

In this configuration, the delegated authentication setting, Delegated Password Validation, is disabled by default and is editable. This means the user must have an active password in JumpCloud to log in to the JumpCloud user portal or performs a JumpCloud SSO login.

When AD users are imported from AD into JumpCloud, there is no password associated with their account in JumpCloud. The Password Authority is set to None (JumpCloud) and Delegated Authority is set to None on their user record by default.

Until the user sets a password in JumpCloud or changes their password in AD if the import agent is installed on a DC, You’ll see the newly imported users in JumpCloud marked with an AD badge and in an orange Password Pending password status within the user menu.

Important:

When ADI delegated authentication setting, Delegated Password Validation, is set to None, users who existed in AD before the AD import agent was installed must set a password in JumpCloud to match their AD password or, if the import agent is installed on DCs, update their password in AD or an AD-managed resource for the Password Status to become active in JumpCloud and enable them to access JumpCloud managed resources. 

To sync a password from AD to JumpCloud

Important:

Syncing passwords from AD to JumpCloud is only applicable when the import agent is installed on DCs. When the import agent is installed on member servers, the password is not synced from AD to JumpCloud.

  1. When a user's Delegated Authority is set to Active Directory,
    • The user's AD password will be stored in JumpCloud the first time the user logs into the JumpCloud user portal and will sync from that point forward.
    • Password changes will sync within 90 seconds after the user changes their password in AD or on an AD-managed resource
  2. When a user's Delegated Authority is set to None,
    • The user will need to change their password in AD or on an AD-managed resource before they can log in to the JumpCloud user portal or with JumpCloud SSO. 
    • Password changes will sync within 90 seconds after the user changes their password in AD or on an AD-managed resource. In the JumpCloud Admin Portal Users page, the user’s Password Status will be a green check-marked active statuswith the expiry date from  AD.

Note:

The password expiry date for AD-managed users is the expiry date from AD as the expiry is managed by AD, not JumpCloud.

  1. All Password changes moving forward will need to be done within AD or on AD-bound resources. 

Note:

If you’re planning on using AD Sync alongside AD Import, Passwords can be updated in JumpCloud after this required initial password change has taken place within the steps outlined above. This is a requirement for both AD Import only and AD Import & Sync use cases. 

To create, update, and disable user accounts

Note:

These changes on a user or user group will be reflected within JumpCloud in approximately 90 seconds. 

Now that AD Import has been successfully installed and configured, AD Admins will be able to manage JumpCloud user accounts and the following attributes within AD for any CrUD updated (Create, Update, and Deactivate/Disable):

  • firstname
  • lastname
  • username
  • email
  • password, and
  • user state (active or disabled)

If the SyncAdditionalAttributes setting is true in the jcadimportagent.config.json file, the following attributes are also updated:

  • displayname
  • description
  • JobTitle
  • department
  • company
  • location
  • employeeType
  • phoneNumbers
  • addresses
  • manager 

Creating new users in JumpCloud from AD

Follow the same process outlined above for importing users from AD into JumpCloud.

To create new users in AD and JumpCloud:

  1. Create a new user account in AD
  2. Add the user to the JumpCloud ADI security group
  3. Wait 90 seconds
  4. Verify the user was created in JumpCloud.

To import an existing AD user in JumpCloud:

  1. Add an existing AD user to the JumpCloud ADI security group
  2. Wait 90 seconds
  3. Verify the user was created in JumpCloud.

Updating user attributes in JumpCloud from ad

When you change any attributes of an AD user which is currently synced via the AD Import Agent, this will reflect within your JumpCloud tenant in approximately 90 seconds. For example, if you change the First or Last Name of a user, this will reflect on the JumpCloud user’s First or Last Name attribute in 90 seconds. 

Suspending or deleting users in JumpCloud from AD

When deleting, suspending, or deactivating users within AD, this will in turn either suspend or delete the users in JumpCloud thus removing access to any of the JumpCloud-managed resources he or she had access to such as RADIUS, LDAP, or SSO Applications. The specific behavior is determined by the settings in the jcadimportagent.config.json file.

Using AD Sync

If you’re choosing to also leverage the functionality of AD Sync Agent with your AD Integration, this allows JumpCloud to push CrUD changes of synced users down to AD. With the AD Sync Agent in place, you will be able to do the following: 

  1. Create users in JumpCloud which will then push down to AD.
  2. When users change passwords in JumpCloud, this new password will be pushed down to their AD user account. 
  3. When you suspend or delete a user in JumpCloud, this will disable the user Account in AD. 

To sync an existing user from JumpCloud to AD 

This functionality allows JumpCloud users to be created in AD if they don’t exist or allows JumpCloud to either take over management of the user if you have configured a one-way sync from JumpCloud to AD (only the AD sync agent is running) or co-manage the user with AD in a 2-way sync configuration (both the AD import and AD sync agents are running).

Follow the steps below to sync users from JumpCloud to AD.

Warning:

If you are managing users in both JumpCloud and AD (two-way  sync), and you left the default setting for UserTakeoverAction, which is deactivate, when you sync user with passwords from JumpCloud to AD, the AD import agent will change the JumpCloud user passwords status from Active to Password Pending.  This results in these users losing access to any resources assigned to them in JumpCloud. To prevent this, we recommend to see Advanced Configurations for AD Import and change the UserTakeoverAction attribute to retain.

  1. Navigate to your user in JumpCloud and open up their Details. 
  2. Click on the user groups tab on the user aside. 
  3. Assign user to a JumpCloud group and click Save.
  4. Wait for Active Directory badge to appear.
  1. Bind this user to the user group which they need to be a memberOf in AD (that is also synced using the ADI). In our example, we can see the Accounting User Group is tied to AD via the Directories in the drop-down menu.
  1. Click Save User. The user will then be created in the Root User Container within your AD domain. This can take up to 90 seconds.

Note:

Users who are created in AD from JumpCloud are automatically put into the Root User Container you configured during the installation of the AD Import & Sync Agents. If you need to move the user to the appropriate OU or sub OU, you’ll have to do this within AD on the DC.

To create, update and deactivate user accounts

The following section covers how to manage AD user accounts from JumpCloud. With the AD Sync in place, JumpCloud Admins are able to manage AD users from the JumpCloud Admin Portal. This makes user onboarding, off-boarding, and management much easier. Additionally, this may help with removing the need to remotely access the DC for simple tasks within the Identity Lifecycle for user accounts.

Creating Users in JumpCloud

JumpCloud Admins can create users in AD by binding any JumpCloud user to an AD Integrated User Group within JumpCloud. For example, if you’ve synced the Accounting group from AD to JumpCloud via the Import Agent, then any JumpCloud user bound to this synced user group will be created within AD under the Root User Container. 

The user is created within AD, is a memberOf the associated user group (Security Group in AD), and their AD user account will use their JumpCloud Password. 

Suspending or deleting users in JumpCloud

Suspending or deleting users within JumpCloud will Disable the user account within AD. JumpCloud in any form will never remove or delete user accounts in any of the 3rd party integrations. (This also includes SAML, LDAP, AD, GWS, and M365). These changes will reflect in 90 seconds.

Managing ADI

To update agents

We recommend keeping your agents current to ensure you have the latest security updates, bug fixes, and functionality and to retain support. 

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain
  4. In the Downloads section, select
  5. Select a download location
  6. Upload the agent installation file to the server where the agent is already installed
  7. Run the installation wizard
  8. Only minimal installation screens are shown.
    1. Directory for where the installation should occur
    2. Finish screen
  9. Restart the service.

To manage agents in JumpCloud

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain
  4. Click the pause to temporarily stop the agent.

Note:

This prevents information from flowing between JumpCloud and AD. For the AD sync agent, changes are still queued.

  1. Click delete to remove the agent from JumpCloud.

Important:

Deleting an agent in JumpCloud does not stop the service in AD nor uninstall it.

To change the Primary AD Import Agent Role to another Domain Controller

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Pause all the running agents except for the the Domain Controller that you would like to designate as the Primary Import Agent.
  5. After a short time period, the currently running Import agent will become the Primary Import agent.
  6. Unpause the remaining agents.

To rotate ADI service account passwords in AD

The ADI import and sync service account passwords should be rotated on a regular basis for security purposes.  

Rotating the ADI import service account (jcimport) password:

  1. Log in to a Domain Controller with an AD domain admin account
  2. Open the registry
  3. Navigate to HKLM\SOFTWARE\JumpCloud\AD Integration Import Agent\ldap
  4. Edit bind_password
  5. Enter the new password in the Value data field
  6. Click OK
  7. Open services.msc
  8. Restart the JumpCloud AD Integration Import Agent service.

Rotating the AD sync service account (jcsync) password:

  1. Log in to a Domain Controller with an AD domain admin account
  2. Open the registry
  3. Navigate to HKLM\SOFTWARE\JumpCloud\AD Integration Sync Agent\ldap
  4. Edit bind_password
  5. Enter the new password in the Value data field
  6. Click OK
  7. Open services.msc
  8. Restart the JumpCloud AD Integration Import Agent service.

To change ADI Use Case

For detailed instructions on changing your ADI deployment configuration, read ADI: Change Configuration.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain
  4. Click Update Configuration
  5. Select the new deployment configuration
  6. Click Next
  7. Follow the steps on each screen.
Use case New Use Case Changes
Manage users, groups, and passwords in AD Manage users and passwords in either system, or both Manage users, groups, and passwords in JumpCloud
Manage users, groups, and passwords in JumpCloud x 1. Delete the sync agent from the Admin Portal 2. Uninstall sync agents on all servers 3. Follow the instructions in to download and install the import agent(s) 
x Follow the instructions in to download and install the import agent(s) 
Manage users, groups, and passwords in AD x Follow the instructions in Download and install sync agent(s) on server(s)
x 1. Delete the sync agent from the Admin Portal 2. Uninstall sync agents on all servers 3. Follow the instructions in to download and install the import agent(s) 
Manage users and passwords in either system, or both x Follow the instructions in to download and install the import agent(s) 
x 1. Delete the import agent(s) from the Admin Portal 2. Uninstall import agents from all servers

To manage ADI services in AD

  1. Open services.msc
  2. Select the AD service (JumpCloud AD integration Sync Agent or JumpCloud AD integration Import Agent)
  3. Select the desired action: start, stop, restart

To modify agent configuration

Modifying the AD Import Agent Configuration

Note:

The default configuration settings for the the AD import agent are:

  • UserDissociateAction = remove
  • UserTakeoverAction = deactivate
  • UserDisableAction = suspend
  • UserExpireAction =  expire
  1. Review Advanced Configurations for the Active Directory Import Agent to understand the configuration settings available for the import agent.
  2. In AD, go to the JumpCloud folder where the AD Import agent is installed on a domain controller.
  3. Open the adint.config.json file using a text editor
  4. Edit the configurations in the “MainLoop” section of the file.
  5. Repeat this process for the configuration file on every AD server (DC controller on which AD Import is installed.

To modify the Root User container 

If you decide to use a different Root user container for managing AD resources then you will want to modify or validate the configured Root User container location.

Verifying the full LDAP path for the chosen Root user container you have selected in ADUC

  1. From the ADUC panel’s View menu, enable Advanced Features. 
  2. Right-click the container and select Properties. 
  3. Select the Attribute Editor tab. 
  4. Select the “distinguishedName” attribute, then click View.

Modifying the Root User container in AD sync configuration settings

Stop the JumpCloud AD Integration Sync service and make the required Sync Agent config changes:

  1. Open Registry Editor by clicking the Start button and typing in regedit. Click on the Registry Editor icon.

Registry Editor.jpg

  1. Navigate to the following Registry Folder: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\JumpCloud\AD Sync.
  2. There should be a Key (looks like a folder) named ldap. If there is not, please create this Key in the registry and name it ldap.
  3. Open the ldap Key.

regedit window.jpg

  1. You should see a Key labeled user_root_dn. You should also see the value with the targeted Root User Container you specified during install of the AD Sync Agent. If the user_root_dn value does not look correct, you can update it by double-clicking the key and updating the value to match your Root User Container. 
  2. Once updated, you need to start the JumpCloud AD integration Sync Agent service within services.msc.

Note:

These changes should coincide with relocating the JumpCloud ADI security group in AD, as well as using the Delegation Wizard to set the associated agent service accounts.

To uninstall agents from AD servers

  1. Open Program Files.
  2. Find the program associated with the agent you want to uninstall (JumpCloud AD Import or JumpCloud AD Sync)
  3. Uninstall

Want additional assistance from JumpCloud?

If you’re having issues with getting JumpCloud’s AD Integration working, see the Troubleshooting Guide.JumpCloud now offers a myriad professional services offerings to assist customers with implementing and configuring JumpCloud. If you’re looking for assistance with Migrating from AD, or to integrate AD with JumpCloud, we recommend you reach out to JumpCloud’s Professional Services team on the following page: Professional Services - JumpCloud.

Back to Top

List IconIn this Article

Notebook IconLearn More

Get Started with the Active Directory Integration

Configure the Active Directory Integration

Advanced Configurations for AD Import

Advanced Configurations for AD Sync

Troubleshoot: ADI

Convert AD-Managed User Accounts

Use AD Import with RADIUS

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case