By default, the user property values and group memberships in Meridian are managed manually as described in Creating and editing user accounts and Creating and editing user groups. Those methods are satisfactory for small numbers of users and groups or when Microsoft Active Directory is not used extensively to manage users' privileges. However, many medium to large organizations rely on Active Directory to manage all users' access to network resources through Active Directory groups. Managing similar or identical Meridian groups separately can be inconvenient and error-prone.
Meridian Enterprise includes a program to synchronize Meridian user information and group memberships. The program allows you to map Active Directory groups to corresponding Meridian groups. The members of the mapped Active Directory groups will be synchronized with the Meridian groups and the user information for each user can also be synchronized. The program provides options that control what information is synchronized to Meridian.
The program can run in interactive mode as described in the following task. It can also be run in silent mode as a scheduled task to maintain synchronization by configuring the its initialization file as described in the following topics.
The maximum number of group mappings that can be synchronized is limited to 65520/AD group name length in characters + BlueCielo group name length in characters + 1. For example, given the names ADGroup1 (8) and BCGroup1 (8):
8 + 8 + 1 = 17
65520/17=3854 mappings
To run the program interactively:
| Option | Description |
|---|---|
|
AD server |
The IP address of the LDAP server where Active Directory information is stored. |
|
AD admin |
Account name under which to query user information from the server specified in AD Server. |
|
Password |
Password for the account specified in User. |
|
AD groups |
Names of the Active Directory groups found on the server specified in AD Server. To sort the names in ascending or descending order, click the corresponding button. To filter the names, type text in the Filter box. |
|
Meridian groups |
Names of the Meridian groups found on the Meridian Enterprise server. |
|
Always |
Updates all mapped user properties in Meridian with the information stored in Active Directory upon every synchronization. |
|
Primary account only |
Only updates the Meridian user account if the Windows account is the primary account associated with the Meridian user. For information on associating multiple Windows accounts to a single Meridian user, see Creating and editing user accounts. |
|
Never |
Does not update user information fields from Active Directory. Only group memberships will be synchronized. |
|
Update properties only if the user is a group member |
Only updates the Meridian user properties if the user is already a member of the mapped Meridian group. |
|
Rename duplicate Meridian user accounts |
If a Windows account name is found associated with more than one Meridian user account, renames subsequent Meridian user accounts to match the first Meridian user account found. |
Select an Active Directory group from AD groups that you want to map to a Meridian group.
Note You may map the same AD group to multiple Meridian groups.
Click Synchronize to begin synchronization using the current settings. Click Exit to close the tool.
Note Only the account credentials are saved. The other options can be set in the file ADSyncUsersConfig.ini that is located in the same folder as the program. You may edit the configuration file in any text editor.
Related concepts
Understanding the command line parameters
About Meridian support for Microsoft Active Directory
Understanding Active Directory security problems
Using Meridian with nested groups
Using Meridian with multiple domains
Related tasks
Granting domain privileges with a service account
Granting domain privileges to the Meridian server
Granting membership query access