Active directory Group Changes

Hello,

PRTG synchronizes with the Active Directory when the AD User tries to login the PRTG interface. The user will be shown in the AD-Group in PRTG after the first login.

Best regards

Hi,

yes, after the first logon, all users are in my groups. But after that first login, how can i push a group change? Background: our internal support structure will be redefined and users, that are actually in groups, have to move to other groups, to get other notifications.

Best regards

pstuerze

Hello pstuerze,

With the current version of PRTG the user will need to login after you changed your Active Directory groups and the user will be automatically assigned to the new AD groups of PRTG. I'll forward your wish for a manual check to our feature request list for future versions of PRTG.

Best regards

Any update on the manual check for AD group updates? Some of my users need to receive alerts but do not regularly login to the interface, so it would be very helpful if PRTG could accommodate changes to AD groups without requiring users to login. The ideal situation would be that PRTG periodically checks AD (e.g. daily) for updates to groups.

No updates on that part I'm afraid. Too little demand for that. Sorry! :(

Kind regards,
Stephan Linke, Tech Support Team

I would like to see this feature. We have a number of groups where the underlying AD account has been removed but the user still shows up as a member of the group. I don't think it's a good solution to recommend we recreate the account and attempt to login in order to remove the user from the group.

No other way as of now I'm afraid. For future reference, please use the vote button in the initial post in order to increase visibility for it. Thanks! :)

Kind regards,
Stephan Linke, Tech Support Team

Hello, I know Felix's comment is quite old, but if I correctly understand his last comment, I believe changes in AD group membership should be visible in PRTG after every login of a user, not only after the first login. Is this correct?

Currently I have removed an AD user from an AD group, but when this user logs in to PRTG no changes are made to his PRTG User Groups membership. Deleting the user and then logging in does make changes to PRTG User groups membership. It's impractical enough that a user needs to log on to register changes, but having to delete that user first is both impractical and extra work.

I can't vote yet to increase visibility for this topic, but I definitely feel AD synchronization should be included in PRTG.

Didier,

Is your test user a direct member of the usergroup which you chose in PRTG, or is the user a member of another AD group and the membership is nested?

Best regards, Felix

Hello Felix, the test user is a direct member of the usergroup. Some further tests showed that when I ADD a user to an AD group (that has a corresponding PRTG usergroup), and that user logs on in PRTG, then that user will be added to the PRTG usergroup. However, when I REMOVE that user from the AD group, and the user logs on in PRTG, the user is not removed from the PRTG usergroup.

Sufficient time was taken to prevent replication issues. The PRTG usergroup is not the primary group of the test user.

Best regards, Didier

Hello Didier,

Your findings are correct here, PRTG won't automatically delete existing users. I'll take this with me if we discuss improvements for the AD implementation.

Best regards, Felix

Hello Felix, just to be sure we understand each other correctly, I don't need PRTG to completely delete a user when I remove it from an AD group, I only want that user to be removed from the corresponding PRTG group. I suppose that is what you meant too, but I thought it was better to check.

Best regards, Didier

Hi Didier,

That's what I understood, don't worry. :)

Best regards, Felix

We also +1 for all manual AD polling for user and group profile updates. API forced polling as well.

Paessler should assume there is large support for such all such features related to interacting with Active Directory as we assumed that you would. We did not know you did NOT have it and were caught off guard (and in trouble) when we found out.

Add a toggle on and off for each polling feature -- giving full control to the prtg administrator is best.

Another feature would be a synced user status: if I deactivate a User in AD (if staff leaves the company), it should get inactive in PRTG. Also we changed our company Domain Name, so that email adressses changed to. These changes are not propagated from AD to PRTG. We have to change each Email manually or delete the users, so that a new profile gets generated. But then we loose notification and security context mappings.

Is this working yet? Is there a synchronization with AD and are the users removed in prtg from groups after they are removed from AD group?

Hello ArSo,

No updates yet to the existing functionality. Please stay tuned on the Release Notes page of future version.

Kind regards,
Felix Saure, Tech Support Team

Maybe you should update this line "If you change the group membership of an AD user, this change is only reflected in the respective user groups in PRTG if this AD user has logged in to PRTG again."

from https://www.paessler.com/manuals/prtg/active_directory_integration to match how it works at the moment

Hello ArSo,

Thanks for the feedback. The lines relate to the update which is done if the user account itself is used for the authentication. This will then update the group status. So this still applies, there is not automatic update though, that's what it means.

Kind regards,
Felix Saure, Tech Support Team