{"id":85417,"date":"2023-06-05T13:09:03","date_gmt":"2023-06-05T17:09:03","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&#038;p=85417"},"modified":"2025-03-03T11:52:28","modified_gmt":"2025-03-03T16:52:28","slug":"troubleshoot-adi","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/troubleshoot-adi","title":{"rendered":"Troubleshoot: Active Directory Integration (ADI)"},"content":{"rendered":"\n<p>If you experience an issue when performing an Active Directory Integration&nbsp;(ADI) with JumpCloud, review these common resolutions.<\/p>\n\n\n\n<p id=\"file_locations\"><\/p>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#where_do_i_find_the_ad_import_and_sync_agent_logs_and_configuration_files_\" data-action=\"collapse\">Where do I find the AD Import and Sync Agent logs and configuration files?<\/a><div id=\"where_do_i_find_the_ad_import_and_sync_agent_logs_and_configuration_files_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<ul>\n<li><strong>AD Import Agent:<\/strong><br>Log File Location: \u00a0C:\\Windows\\Temp\\JumpCloud_AD_Integration.log<br>Configuration File Location: C:\\Program Files\\JumpCloud\\AD Integration\\JumpCloud AD Import\\jcadimportagent.config<br>Registry: HKLM\\SOFTWARE\\JumpCloud\\AD Integration Import Agent<\/li>\n\n\n\n<li><strong>AD Sync Agent:\u00a0<\/strong><br>Log File Location: C:\\Program Files\\JumpCloud\\AD Integration\\JumpCloud AD Sync\\adsync.log<br>Configuration Details Location: HKLM\\SOFTWARE\\JumpCloud\\AD Integration Sync Agent<\/li>\n<\/ul>\n\n\n\n<p>Here is an excellent reference for common LDAP Result Code error meanings.<br><a href=\"https:\/\/ldap.com\/ldap-result-code-reference\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/ldap.com\/ldap-result-code-reference\/<\/a><\/p>\n<\/div><\/div><\/div>\n\n\n\n<p id=\"no_user_import\"><\/p>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#users_added_to_the_jumpcloud_adi_security_group_in_ad__or_added_to_a_security_group_which_is_memberof_the_jumpcloud_adi_security_group__do_not_appear_in_user_list_in_the_jumpcloud_tenant_\" data-action=\"collapse\">Users added to the JumpCloud ADI Security Group in AD (or added to a Security Group which is memberOf the JumpCloud ADI Security Group) do not appear in User list in the JumpCloud tenant.<\/a><div id=\"users_added_to_the_jumpcloud_adi_security_group_in_ad__or_added_to_a_security_group_which_is_memberof_the_jumpcloud_adi_security_group__do_not_appear_in_user_list_in_the_jumpcloud_tenant_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<ol>\n<li>Verify that the JumpCloud AD Import agent in ADI is active. A green indicator is active while yellow or red indicate that there is a problem. In the JumpCloud Admin Portal, go to&nbsp;<strong>Directory Integrations<\/strong>&nbsp;&gt;&nbsp;<strong>Active Directory<\/strong>&nbsp;and select the AD Domain.&nbsp;\n<ul>\n<li>If an agent is inactive or offline, (red), see&nbsp;<a href=\"#import-red\">Import agent showing red in AD Integration side of JC Admin Portal<\/a>.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p id=\"reset-service\"><\/p>\n\n\n\n<ol start=\"2\">\n<li>Verify that the Active Directory user account (often referred to as the service account) is utilized to connect to JumpCloud:\n<ul>\n<li>The AD User Logon Name cannot be named \u201cJumpCloud\u201d.<\/li>\n\n\n\n<li>Reset the service account password:\n<ol class=\"is-lower-alpha\">\n<li>Open&nbsp;<strong>AD Users &amp; Computers<\/strong>, and manually set the password on the service account.<\/li>\n\n\n\n<li>On all DCs, open&nbsp;<strong>services.msc<\/strong>&nbsp;and stop the JumpCloud AD Bridge Agent service.&nbsp;<\/li>\n\n\n\n<li>As an administrator on all DCs, edit the&nbsp;<kbd>C:\\Program Files\\JumpCloud AD Bridge\\adint.config.json<\/kbd>&nbsp;file. Manually change the&nbsp;<strong>Password<\/strong>&nbsp;value to match the password set above. Your password should be bracketed by the existing quote marks. For example, \u201cNewPassword\u201d.<br><br><kbd>&#8220;SSLPort&#8221;: 636,<br>\u201cPort&#8221;: 389,<br>&#8220;UserName&#8221;: &#8220;contoso.org\\JCimport&#8221;,<br>&#8220;Password&#8221;:<\/kbd><br><\/li>\n\n\n\n<li>Start theJumpCloud AD Bridge Agent service on all DCs.<\/li>\n\n\n\n<li>Delegate read-only rights to the specified Root User Container according to the&nbsp;<em>To Delegate Read-Only Control for the AD Import Service Account<\/em>&nbsp;section in&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/Configure-the-Active-Directory-Integration\" target=\"_blank\" rel=\"noreferrer noopener\">Configure the Active Directory Integration<\/a>. Then restart the JumpCloud AD Bridge Agent&nbsp;service on all DCs.&nbsp;<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>The password listed in the <strong>adint.config.json <\/strong>will likely be a secure hash, enter the new password between quotes.<\/p>\n\n\n\n<p>After the service has started, the password will be re-hashed in the&nbsp;.json&nbsp;file.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"3\">\n<li>Verify that the Root User Container is configured properly:\n<ol start=\"1\" class=\"is-lower-alpha\">\n<li>All users or security groups added to the JumpCloud ADI Security Group must be located in the organizational unit (OU) specified as your Root User Container as defined in&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/Configure-the-Active-Directory-Integration\" target=\"_blank\" rel=\"noreferrer noopener\">Configure the Active Directory Integration<\/a>.&nbsp;They can also be located within a child OU of the Root User Container.<\/li>\n\n\n\n<li>An integration specific Security Group has been created and is located in the Root User Container.<\/li>\n\n\n\n<li>The CN value in the AD import configuration file, C:\\Program Files\\JumpCloud AD Bridge\\adint.config.json, matches the name of the JumpCloud ADI security group you created.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"689\" height=\"180\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/Modify-file.jpg\" alt=\"\" class=\"wp-image-91982\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Modify-file.jpg 689w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Modify-file-300x78.jpg 300w\" sizes=\"(max-width: 689px) 100vw, 689px\" \/><\/figure>\n\n\n\n<ol start=\"4\">\n<li>Verify that the information in the JSON file is correct.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card tip\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Tip:<\/strong> \n<p>The separator for DN is a semicolon and not a comma.&nbsp; For example, CN=Users;DC=contoso;DC=com.<\/p>\n <\/div><\/div><\/div><\/div>\n<\/div><\/div><\/div>\n\n\n\n<p id=\"import-red\"><\/p>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#_the_import_agent_is_invalid__red__in_the_active_directory_integration_section_of_the_admin_portal_\" data-action=\"collapse\"> The Import agent is invalid (red) in the Active Directory Integration section of the Admin Portal.<\/a><div id=\"_the_import_agent_is_invalid__red__in_the_active_directory_integration_section_of_the_admin_portal_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<ol>\n<li>On all DCs, start&nbsp;<strong>services.msc<\/strong>&nbsp;and verify that the&nbsp;JumpCloud AD Bridge Agent&nbsp;service is started.<\/li>\n\n\n\n<li>The password has changed for the service account which was used when setting up Import Agent on DC. Follow the steps to&nbsp;Reset service account password:\n<ul>\n<li>Open&nbsp;<strong>AD Users &amp; Computers<\/strong>, and manually set the password on the service account.<\/li>\n\n\n\n<li>On all DCs, open&nbsp;<strong>services.msc<\/strong>&nbsp;and stop the JumpCloud AD Bridge Agent service.&nbsp;<\/li>\n\n\n\n<li>As an administrator on all DCs, edit the&nbsp;<kbd>C:\\Program Files\\JumpCloud AD Bridge\\adint.config.json<\/kbd>&nbsp;file. Manually change the&nbsp;<strong>Password<\/strong>&nbsp;value to match the password set above. Your password should be bracketed by the existing quote marks. For example, \u201cNewPassword\u201d.<br><br><kbd>&#8220;SSLPort&#8221;: 636,<br>\u201cPort&#8221;: 389,<br>&#8220;UserName&#8221;: &#8220;contoso.org\\JCimport&#8221;,<br>&#8220;Password&#8221;:<\/kbd><\/li>\n\n\n\n<li>Start theJumpCloud AD Bridge Agent service on all DCs.<\/li>\n\n\n\n<li>Delegate read-only rights to the specified Root User Container according to the&nbsp;<em>To Delegate Read-Only Control for the AD Import Service Account<\/em>&nbsp;section in&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/Configure-the-Active-Directory-Integration\" target=\"_blank\" rel=\"noreferrer noopener\">Configure the Active Directory Integration<\/a>. Then restart the JumpCloud AD Bridge Agent&nbsp;service on all DCs.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Verify internet connectivity for all DCs. Allowed traffic must use ports 443, 389, 636.<\/li>\n\n\n\n<li>The Admin Portal account used to set up the ADI import has been removed from your account. This action invalidates the API key. Create a unique or dedicated Admin account specifically for ADI. Use an API key from this newly created Admin account in&nbsp;C:\\Program Files\\JumpCloud AD Bridge\\adint.config.json&nbsp;on all AD DCs.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<ul>\n<li>Go to&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/jumpcloud-apis\" target=\"_blank\" rel=\"noreferrer noopener\">JumpCloud APIs<\/a>&nbsp;and reference the&nbsp;<em>Obtaining Your API Key<\/em>&nbsp;section. <\/li>\n\n\n\n<li>Reference the following step <a href=\"#rotate_api_key\">The API key used to configure AD Import <\/a>is rotated for steps to replace the key.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n<\/div><\/div><\/div>\n\n\n\n<p id=\"rotate_api_key\"><\/p>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#the_api_key_used_to_configure_ad_import_is_rotated_\" data-action=\"collapse\">The API key used to configure AD Import is rotated.<\/a><div id=\"the_api_key_used_to_configure_ad_import_is_rotated_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<p>As in the previous step, if the API key associated with a JumpCloud administrator used to set up AD Import is rotated, or the admin is deleted, the import service will stop working. This means password changes and new user imports will no longer work as expected. <\/p>\n\n\n\n<p>See <a href=\"https:\/\/jumpcloud.com\/support\/rotate-the-ad-import-api-key\">Rotate the AD Import API Key<\/a> for steps on how to update the API key in the AD Import configuration.<\/p>\n<\/div><\/div><\/div>\n\n\n\n<p id=\"sync-red\"><\/p>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#_the_sync_agent_is_invalid__red__in_the_active_directory_integration_section_of_the_admin_portal_\" data-action=\"collapse\"> The Sync agent is invalid (red) in the Active Directory Integration section of the Admin Portal.<\/a><div id=\"_the_sync_agent_is_invalid__red__in_the_active_directory_integration_section_of_the_admin_portal_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<p><strong>RESOLUTION 1:<\/strong><\/p>\n\n\n\n<ol>\n<li>On DCs, start&nbsp;<strong>services.msc<\/strong>&nbsp;and verify that the JumpCloud AD Integration Sync Agent service started.<\/li>\n\n\n\n<li><a href=\"#reset-service\">Reset service account password<\/a>.\n<ol start=\"1\" class=\"is-lower-alpha\">\n<li>Stop the JumpCloud AD Integration Sync Agent service.<\/li>\n\n\n\n<li>Open&nbsp;<strong>AD Users &amp; Computers<\/strong>, and manually set the password on the service account.<\/li>\n\n\n\n<li>Open the&nbsp;<strong>regedit.exe&nbsp;<\/strong>file.<\/li>\n\n\n\n<li>Browse to&nbsp;Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\JumpCloud\\AD Sync\\ldap.<\/li>\n\n\n\n<li>Add a new String Value entry called&nbsp;bind_password.<\/li>\n\n\n\n<li>Edit the key, and add the password to the value data field.<\/li>\n\n\n\n<li>Start the JumpCloud AD Integration Sync Agent service.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>Starting the service will update the&nbsp;bind_pw_encrypted&nbsp;hash and remove the&nbsp;bind_password&nbsp;key.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"3\">\n<li>Verify internet connectivity for all DCs. Allowed traffic must use ports 443, 389, 636.<\/li>\n<\/ol>\n\n\n\n<p><strong>RESOLUTION 2:&nbsp;<\/strong><strong>Error:agent no longer registered, Please uninstall and re-install with a valid connect key<\/strong><\/p>\n\n\n\n<ol>\n<li>From the JumpCloud Admin Console:\n<ol start=\"1\" class=\"is-lower-alpha\">\n<li>Browse to the Domain Agents section in your Active Directory configuration. If it exists, delete the non-functioning Sync Agent.<\/li>\n\n\n\n<li>Under the Details section, click Install a new Sync Agent. Copy the new Connect Key.<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>On the Domain Controller:\n<ol start=\"1\" class=\"is-lower-alpha\">\n<li>Delete the contents of the following folder: C:\\Program Files\\JumpCloud\\AD Sync\\cfg\\<\/li>\n\n\n\n<li>Open regedit.exe<\/li>\n\n\n\n<li>Browse to \u2018Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\JumpCloud\\AD Sync\u2019<\/li>\n\n\n\n<li>Edit the \u2018connect_key\u2019 registry entry and replace the current value with the new connect key you just generated.<\/li>\n\n\n\n<li>Start the JumpCloud AD Integration Sync Agent service.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/div><\/div><\/div>\n\n\n\n<p id=\"passwords_yellow\"><\/p>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#new_users_are_added_to_ad_and_appear_in_jumpcloud_admin_portal__but_passwords_are_invalid__yellow__because_passwords_are_not_synchronizing_from_ad_to_jumpcloud_\" data-action=\"collapse\">New users are added to AD and appear in JumpCloud Admin Portal, but passwords are invalid (yellow) because passwords are not synchronizing from AD to JumpCloud.<\/a><div id=\"new_users_are_added_to_ad_and_appear_in_jumpcloud_admin_portal__but_passwords_are_invalid__yellow__because_passwords_are_not_synchronizing_from_ad_to_jumpcloud_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<ol>\n<li>When adding new users to Active Directory JumpCloud ADI Security Group (or added to a Security Group which is memberOf the JumpCloud ADI Security Group), verify that the JumpCloud AD Bridge Agent&nbsp;is running (green) in the&nbsp; Admin Portal.<\/li>\n\n\n\n<li>Users created&nbsp;<em>before<\/em> the installation of the JumpCloud AD Bridge Agent will require a password change in order to update JumpCloud with the corresponding password from the AD User Account.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card tip\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Tip:<\/strong> \n<p>If users were created after the AD Import Agent\u2019s install, then no password change is required by that AD User. The password is immediately exported to JumpCloud.&nbsp;<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"3\">\n<li>Password changes from Active Directory-bound resources, like Windows devices, will not update consistently to JumpCloud if there are&nbsp;<em>any<\/em>&nbsp;DCs in the environment that do not currently have the JumpCloud AD Bridge Agent installed and running.<\/li>\n\n\n\n<li>Verify that password complexity requirements between AD and JC match exactly.<\/li>\n<\/ol>\n<\/div><\/div><\/div>\n\n\n\n<p id=\"passwords_not_syncing\"><\/p>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#users_or_passwords_are_not_synchronizing_from_jumpcloud_to_active_directory_\" data-action=\"collapse\">Users or passwords are not synchronizing from JumpCloud to Active Directory.<\/a><div id=\"users_or_passwords_are_not_synchronizing_from_jumpcloud_to_active_directory_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<ol>\n<li>Verify that the JumpCloud AD Integration Sync Agent&nbsp;is installed and running properly. If not, see&nbsp;<a href=\"#sync-red\">Sync agent showing red in&nbsp;AD Integration side of JC Admin Portal<\/a>.<\/li>\n\n\n\n<li>Verify the username of the user in JumpCloud is 20 characters or less.<\/li>\n\n\n\n<li>Verify that the users are added to an AD-bound group in the JumpCloud Admin Portal.<\/li>\n\n\n\n<li>Verify that the JumpCloud AD Integration Sync Agent Root User container is configured correctly.\n<ol start=\"1\" class=\"is-lower-alpha\">\n<li>Open the file &#8220;C:\\Program Files\\JumpCloud AD Bridge\\adint.config.json&#8221; and make note of the DN field.<br><img decoding=\"async\" width=\"472\" height=\"132\" class=\"wp-image-85873\" style=\"width: 472px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/adintconfigjson_dn_field.png\" alt=\"\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/adintconfigjson_dn_field.png 472w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/05\/adintconfigjson_dn_field-300x84.png 300w\" sizes=\"(max-width: 472px) 100vw, 472px\" \/><\/li>\n\n\n\n<li>Open the Windows registry and browse to HKEY_LOCAL_MACHINE\\SOFTWARE\\JumpCloud\\AD Sync\\ldap<\/li>\n\n\n\n<li>Compare the user_root_dn value and confirm it matches what is configured within the highlighted section of the file above.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>Ensure the use of semicolons to separate the DN fields. Using commas will result in the application failing to sync.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"5\">\n<li>Verify that the service account used for the JumpCloud AD Integration Sync Agent&nbsp;has been delegated the proper rights to the Root User Container:\n<ol start=\"1\" class=\"is-lower-alpha\">\n<li>Stop the&nbsp;JumpCloud AD Integration Sync Agent&nbsp;service from&nbsp;services.msc.<\/li>\n\n\n\n<li>Delegate the following rights to the JumpCloud AD Integration Sync Agent service account user for the appropriate target (OU or CN=Users, depending on your AD Import Configuration).<br><img decoding=\"async\" width=\"296\" height=\"233\" class=\"wp-image-85874\" style=\"width: 296px\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/delegation_of_control_wizard.jpeg\" alt=\"\"><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<ol start=\"6\">\n<li>Start the AD Sync Service&nbsp;from&nbsp;services.msc.<strong>&nbsp;<\/strong><\/li>\n<\/ol>\n<\/div><\/div><\/div>\n\n\n\n<p id=\"externally_managed\"><\/p>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#after_removing_active_directory_integration_from_jumpcloud__jumpcloud_users_still_appear_with_ad_icon_and_are_externally_managed_by_the_nonexistent_active_directory_\" data-action=\"collapse\">After removing Active Directory Integration from JumpCloud, JumpCloud users still appear with AD icon and are externally managed by the nonexistent Active Directory.<\/a><div id=\"after_removing_active_directory_integration_from_jumpcloud__jumpcloud_users_still_appear_with_ad_icon_and_are_externally_managed_by_the_nonexistent_active_directory_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<p>See&nbsp;the article <a href=\"https:\/\/jumpcloud.com\/support\/convert-ad-managed-user-accounts\" target=\"_blank\" rel=\"noreferrer noopener\">Convert AD-managed User Accounts<\/a>.<\/p>\n<\/div><\/div><\/div>\n\n\n\n<p id=\"service_start\"><\/p>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#after_rebooting_the_domain_controller__the_import_or_sync_agent_services_do_not_start_automatically_\" data-action=\"collapse\">After rebooting the Domain Controller, the Import or Sync agent services do not start automatically.<\/a><div id=\"after_rebooting_the_domain_controller__the_import_or_sync_agent_services_do_not_start_automatically_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<p>This can be due to the default service timeout being too short.<\/p>\n\n\n\n<ol>\n<li>Launch&nbsp;<strong>Windows Registry Editor<\/strong>.<\/li>\n\n\n\n<li>Locate this registry subkey:&nbsp;HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control.<\/li>\n\n\n\n<li>Right-click this key and select&nbsp;<strong>New &gt; DWORD (32-bit) Value<\/strong>.&nbsp;A new value named&nbsp;<em>New Value #1<\/em>&nbsp;appears on the right.<\/li>\n\n\n\n<li>Change the name of this new value to&nbsp;<strong>ServicesPipeTimeout<\/strong>.<\/li>\n\n\n\n<li>Right-click the&nbsp;<strong>ServicesPipeTimeout<\/strong>&nbsp;value you created, and choose&nbsp;<strong>Modify<\/strong>. The Edit DWORD Value window opens.<\/li>\n\n\n\n<li>Change Base to&nbsp;<strong>Decimal<\/strong>.&nbsp;<\/li>\n\n\n\n<li>For&nbsp;<strong>Value<\/strong>, type&nbsp;<strong>180000 service<\/strong>&nbsp;to start, then click&nbsp;<strong>OK<\/strong>.<\/li>\n<\/ol>\n<\/div><\/div><\/div>\n\n\n\n<p id=\"sudo_permissions\"><\/p>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#ad_users_losing_sudo_permissions_\" data-action=\"collapse\">AD users losing sudo permissions.<\/a><div id=\"ad_users_losing_sudo_permissions_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<p>If you are using JumpCloud with your Active Directory server, leveraging the JumpCloud ADI, you may find that sudo\/administrator permissions are periodically lost after you set them within JumpCloud. The AD Import agent controls user attributes and membership in JumpCloud via AD security groups, and this is the case for the sudo\/admin user setting.<\/p>\n\n\n\n<p>When using the JumpCloud AD Import agent, there are two AD security groups that you use to control behavior in JumpCloud. Both need to be created in the Users OU.<\/p>\n\n\n\n<ol>\n<li><strong>An integration specific security group<\/strong> &#8211; any user or group (or group of groups) placed in this group will be sync&#8217;d into JumpCloud.&nbsp;<\/li>\n\n\n\n<li><strong>JumpCloud Admins<\/strong>&nbsp;&#8211; any user or group (or group of groups) placed in this group will set sudo\/administrator permissions on the user in JumpCloud.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>The&nbsp;<strong>JumpCloud Admins<\/strong>&nbsp;group must be a member of the&nbsp;<strong>JumpCloud<\/strong>&nbsp;ADI security group.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<p>By adding user admins to the &#8220;JumpCloud Admins&#8221; group, the AD Bridge will automatically set and maintain the sudo permissions on the user from that point forward.<\/p>\n<\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#random_issues_with_users__passwords_not_syncing_after_they_change_them_\" data-action=\"collapse\">Random issues with users&#8217; passwords not syncing after they change them.<\/a><div id=\"random_issues_with_users__passwords_not_syncing_after_they_change_them_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<p>Check the password complexity settings in JC match those set in AD.&nbsp; This can happen when the user sets the password in JC with different complexity settings, and then it is rejected in AD due to it not meeting the AD&#8217;s password complexity settings.<\/p>\n<\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>If you experience an issue when performing an Active Directory Integration&nbsp;(ADI) with JumpCloud, review these common resolutions.<\/p>\n","protected":false},"author":205,"featured_media":0,"template":"","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"support_category":[2904,2855,3135,2954,3127],"support_tag":[],"coauthors":[2839,3011],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.9 (Yoast SEO v22.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Troubleshoot: Active Directory Integration (ADI) - JumpCloud<\/title>\n<meta name=\"description\" content=\"Understand how to identify and troubleshoot common issues with the JumpCloud AD Integration&#039;s Import and Sync agents.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Troubleshoot: Active Directory Integration (ADI)\" \/>\n<meta property=\"og:description\" content=\"Browse the JumpCloud Help Center by category, search for a specific topic, or check out our featured articles.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:modified_time\" content=\"2025-03-03T16:52:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/Modify-file.jpg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"10 minutes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data2\" content=\"joyjaswinski, nickconrad\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi\",\"url\":\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi\",\"name\":\"Troubleshoot: Active Directory Integration (ADI) - JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/Modify-file.jpg\",\"datePublished\":\"2023-06-05T17:09:03+00:00\",\"dateModified\":\"2025-03-03T16:52:28+00:00\",\"description\":\"Understand how to identify and troubleshoot common issues with the JumpCloud AD Integration's Import and Sync agents.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Modify-file.jpg\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Modify-file.jpg\",\"width\":689,\"height\":180},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/support\/troubleshoot-adi#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Support\",\"item\":\"https:\/\/jumpcloud.com\/support\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Troubleshoot: Active Directory Integration (ADI)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Troubleshoot: Active Directory Integration (ADI) - JumpCloud","description":"Understand how to identify and troubleshoot common issues with the JumpCloud AD Integration's Import and Sync agents.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/support\/troubleshoot-adi","og_locale":"en_US","og_type":"article","og_title":"Troubleshoot: Active Directory Integration (ADI)","og_description":"Browse the JumpCloud Help Center by category, search for a specific topic, or check out our featured articles.","og_url":"https:\/\/jumpcloud.com\/support\/troubleshoot-adi","og_site_name":"JumpCloud","article_modified_time":"2025-03-03T16:52:28+00:00","og_image":[{"url":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/Modify-file.jpg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"10 minutes","Written by":"joyjaswinski, nickconrad"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/support\/troubleshoot-adi","url":"https:\/\/jumpcloud.com\/support\/troubleshoot-adi","name":"Troubleshoot: Active Directory Integration (ADI) - JumpCloud","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/support\/troubleshoot-adi#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/support\/troubleshoot-adi#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/Modify-file.jpg","datePublished":"2023-06-05T17:09:03+00:00","dateModified":"2025-03-03T16:52:28+00:00","description":"Understand how to identify and troubleshoot common issues with the JumpCloud AD Integration's Import and Sync agents.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/support\/troubleshoot-adi#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/support\/troubleshoot-adi"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/support\/troubleshoot-adi#primaryimage","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Modify-file.jpg","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Modify-file.jpg","width":689,"height":180},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/support\/troubleshoot-adi#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Support","item":"https:\/\/jumpcloud.com\/support"},{"@type":"ListItem","position":3,"name":"Troubleshoot: Active Directory Integration (ADI)"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/85417"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/support"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/205"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/85417\/revisions"}],"predecessor-version":[{"id":121752,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/85417\/revisions\/121752"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=85417"}],"wp:term":[{"taxonomy":"support_category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_category?post=85417"},{"taxonomy":"support_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_tag?post=85417"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=85417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}