For customers who wish to synchronize user information and password information from Windows Server Active Directory onto HENNGE Access Control in the cloud.
※ If your Domain contains only Windows Server 2016 machines, or there is only one Organization Unit (OU) targeted for synchronization, this procedure is not required.
There are two purposes for running Assign-HDEOnePasswrdSyncGroup.bat in the Active Directory.
1. To add the users targeted for synchronization into the [ HDE One Password Sync Group ] security group.
2. For Windows Server 2008R2, 2012 and 2012R2 machines, the password will be hashed and stored in the [ UnixUserPassword ] attribute when the password is reset. (Caution Point 1)
1. HENNGE Access Control allows passwords to be synchronized via the [ UnixUserPassword ] attribute. However, since Microsoft has disabled the [ Unix ID Component Service ] ([ Unix Microsoft ID Management Component ]) feature on Windows Server 2016, HENNGE has developed a DLL tool that must be installed on all Windows Server Active Directory servers.
2. Please perform the following procedure with a user account that has [ Domain Admins ] or [ Enterprise Admins ] permissions.
3. This article was last updated in March 2019.
We will provide the Assign-HDEOnePasswrdSyncGroup.bat file to each customer individually once the users targeted for synchronization and the synchronization conditions have been decided in a meeting.
Once the file has been received and executed, the users targeted for synchronization will be added to the security group [ HDE One Password Sync Group ] and will be targeted for synchronization to the cloud.
1. Please ensure that [ Unix ID Component ] ([ Unix Microsoft ID Management Component ]) has already been enabled on Windows Server 2008R2, 2012 and 2012R2.
2. Please copy the [HDEOne] folder inside the [ HDEOneDirectorySyncTool ] folder provided by our consultants and place it either on the same Windows Server machine on which the HENNGE Directory Sync Tool was installed, or on any Windows Server within the Domain.
First Time Execution
1. Open the PowerShell with Admin permission.
2. Run the following command.
> cd <[HDEOne] Folder Path>
e.g. > cd C:\work\HDEOne
3. Please check the [ logs ] folder inside the [ HDEOne ] folder for the log generated after execution.
Please ensure that [ ERROR OCCURED ] or [ command fail ] is not displayed in the log.
Regular Execution (Task Scheduler)
Each time a new user is added to the Active Directory, Assign-HDEOnePasswrdSyncGroup.bat will need to be executed again.
To prevent this step from being missed, we will add Assign-HDEOnePasswrdSyncGroup.bat to the Windows Task Scheduler and let it run automatically at regular intervals.
The following procedure for adding the task to the Task Scheduler requires a user account with [ Domain Admins ] or [ Enterprise Admins ] permissions.
1. Log in to the Windows Server on which the [ HDEOne ] folder is located.
2. Click on [ Start ] → [ Windows Management Tool ] → [ Task Scheduler ].
3. Click on [ Add Task ].
4. Click on the [ General ] Tab and enter the following details.
・ [ Name ] : Any preferred Task Name
・ [ When running the task use the following user account ] : A user account that has Admin permissions
・ [ Run whether user is logged on or not ] : Checked On
・ [ Run with highest privileges ] : Checked On
5. Click on the [ Trigger ] Tab and click on the [ New ] button.
6. Enter the following details and click on [ OK ] to save.
・ [ Task execution setting ] : Daily
・ [ Task start date and time ] : The date on which this setting is made, 0:00:00
・ [ Task execution interval ] : 1 Day
・ [ Repeat task every ] : 1 Hour
・ [ Task duration ] : 1 day
・ [ Enabled ] : Checked On
7. Click on the [ Actions ] Tab and click on [ New ] button.
8. Enter the following details and click on [ OK ] to save.
・ [ Program/Script ] : Path of Assign-HDEOnePasswrdSyncGroup.bat
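The same scheduled task can be registered from PowerShell instead of the Task Scheduler GUI. This is an added example, not part of HENNGE's tool or this article; it assumes the [HDEOne] folder was copied to C:\work\HDEOne (the example path used above), and the task name and the run-as account are placeholders to replace.

```powershell
# Added example: register the Task Scheduler task described in steps 4-8 above.
# Assumptions: [HDEOne] folder at C:\work\HDEOne; task name and account are placeholders.
$scriptPath = 'C:\work\HDEOne\Assign-HDEOnePasswrdSyncGroup.bat'
$taskName   = 'HDEOne Password Sync Group Assignment'   # [ Name ]: any preferred task name
$runAs      = 'EXAMPLE\svc_hdeone'                      # placeholder: account with Domain Admins or Enterprise Admins

if (-not (Test-Path $scriptPath)) { throw "Script not found: $scriptPath" }

# [ Actions ] tab: run the .bat file with the HDEOne folder as the working directory,
# so the [ logs ] folder is written next to the script.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument "/c `"$scriptPath`"" `
    -WorkingDirectory (Split-Path $scriptPath)

# [ Trigger ] tab: daily at 0:00 starting today, repeated every 1 hour for 1 day.
$trigger = New-ScheduledTaskTrigger -Daily -At '00:00' -DaysInterval 1
$trigger.Repetition = (New-ScheduledTaskTrigger -Once -At '00:00' `
    -RepetitionInterval (New-TimeSpan -Hours 1) `
    -RepetitionDuration (New-TimeSpan -Days 1)).Repetition

# [ General ] tab: supplying a user and password makes the task run whether the
# user is logged on or not; -RunLevel Highest is [ Run with highest privileges ].
$cred = Get-Credential -UserName $runAs -Message 'Password for the task account'
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -User $runAs -Password $cred.GetNetworkCredential().Password -RunLevel Highest

# Post-run check: the newest log in the [ logs ] folder must not contain the
# strings the article says indicate a failure.
$logDir    = Join-Path (Split-Path $scriptPath) 'logs'
$latestLog = Get-ChildItem $logDir -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latestLog -and (Select-String -Path $latestLog.FullName `
        -Pattern 'ERROR OCCURED', 'command fail' -SimpleMatch)) {
    Write-Warning "Failure strings found in $($latestLog.FullName); review the log before relying on the task."
}
```

Run the script from an elevated PowerShell session on the server that holds the [HDEOne] folder; the log check at the end can be rerun on its own after the first scheduled execution.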