
Active Directory Configuration Reference

This reference provides comprehensive explanations of all Active Directory account store configuration settings. For step-by-step connection procedures, see Connect to Active Directory. For conceptual information about the connector architecture, see Active Directory Connector Overview.

Settings Organization

Active Directory account store settings are organized into these categories:

  • General Settings — Core connection and directory server configuration
  • Authentication and Password Settings — Authentication methods and password management
  • Provisioning Settings — Account lifecycle and attribute synchronization control
  • Business Role and Location Settings — Organizational hierarchy management
  • Group Settings — Group management and membership controls
  • Directory Clean Up — Account termination and cleanup automation

General Settings

Core settings that control how EmpowerID connects to and identifies the Active Directory environment.

IT Environment Type

Specifies the type of environment in which the account store operates.

Purpose: Categorizes the account store for reporting and organizational purposes.

Common Values:

  • Production
  • Development
  • Test
  • Staging

When to Configure: Set during initial account store creation to match your environment classification.

Account Store Type

Identifies the type of external system being connected.

Purpose: Determines which connector code and processing logic EmpowerID uses for this account store.

Value: Active Directory Domain Services (ADDS)

When to Configure: Set automatically when selecting Active Directory as the system type during account store creation. This setting should not be changed after creation.

Account Proxy Credentials

Specifies the credentials EmpowerID uses to connect to and manage the Active Directory domain.

Two Options Available:

Option 1 - Specify an Account Proxy:

  • Enter username and password directly
  • Credentials stored encrypted in EmpowerID
  • Use the DOMAIN\username (down-level logon name) or username@domain.com (UPN) format

Option 2 - Select a Vaulted Credential:

  • Use credentials stored in EmpowerID's credential vault
  • Provides centralized credential management
  • Supports credential rotation without updating account store

Required Permissions: The proxy account requires:

  • Read access to all OUs being inventoried
  • Write access for provisioning and deprovisioning operations
  • Group membership management permissions
  • Password reset permissions (if managing passwords)

Delegate these rights on the in-scope OUs rather than placing the proxy account in Domain Admins. Its password is stored in EmpowerID, so the account should hold only the rights the settings you enable actually need; in particular, grant the "Reset Password" extended right only when EmpowerID manages passwords for this domain.

When to Configure: During initial connection setup. Update when rotating credentials or changing proxy accounts.

Use Secure LDAPS Binding

Enables encrypted LDAP communication using SSL/TLS.

Purpose: Encrypts all LDAP traffic between EmpowerID and Active Directory, protecting sensitive data including credentials and attribute values.

Values:

  • Enabled — All LDAP connections use LDAPS (TLS from the first byte, port 636)
  • Disabled — Standard LDAP (port 389); a simple bind on this port sends the proxy account's password in cleartext unless the connection separately negotiates signing and sealing

Requirements When Enabled:

  • Each domain controller EmpowerID connects to must present a TLS server certificate issued to that domain controller's FQDN
  • The issuing CA chain must be trusted by the EmpowerID server (an untrusted chain or a name mismatch fails the bind)
  • Port 636 must be reachable from the EmpowerID server

When to Configure: Enable for production environments; most security policies require it. It also matters whenever EmpowerID sets passwords, because Active Directory refuses to set a password (unicodePwd) over a connection that is not encrypted.
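A preflight for the requirements above, written as an added Python example that is not EmpowerID code: it performs the same TLS handshake a strict LDAPS client does against one domain controller on port 636, with chain and hostname verification enforced, and reports the TLS version, the SAN names, whether the name you connected to matches, and days to expiry. No LDAP bind is attempted, so no proxy credentials are needed. The host name, the optional CA bundle path and the function names are this example's own assumptions.

```python
import socket
import ssl
import time

# Added example (not EmpowerID code): preflight for "Use Secure LDAPS Binding".
# Performs the handshake a strict LDAPS client does against one domain
# controller, with chain and hostname verification enforced, and reports
# what the certificate asserts. No bind is attempted.

LDAPS_PORT = 636


def ldaps_context(ca_bundle=None):
    """TLS context that rejects untrusted chains, name mismatches and pre-1.2 TLS."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # None -> system trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def san_matches(san, host):
    """True if `host` matches a dNSName entry in `san` (the shape getpeercert() returns)."""
    host = host.lower().rstrip(".")
    for kind, value in san:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # one wildcard label on the left, matching exactly one host label
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def days_until_expiry(not_after, now=None):
    """Days left on a certificate given its notAfter in ssl's 'Jan  1 00:00:00 2030 GMT' form."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def check_ldaps(host, port=LDAPS_PORT, ca_bundle=None, timeout=5.0):
    """Handshake with the DC and summarise its certificate.

    Raises ssl.SSLCertVerificationError when the chain is untrusted or the
    name does not match, the same failure EmpowerID hits with this setting
    enabled.
    """
    ctx = ldaps_context(ca_bundle)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    san = cert.get("subjectAltName", ())
    return {
        "tls_version": version,
        "san_dns_names": [v for k, v in san if k == "DNS"],
        "san_matches_host": san_matches(san, host),
        "days_until_expiry": round(days_until_expiry(cert["notAfter"]), 1),
    }


if __name__ == "__main__":
    import sys
    # usage: python ldaps_preflight.py dc01.corp.example.com [ca-bundle.pem]
    print(check_ldaps(sys.argv[1], ca_bundle=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it with the same host name you will enter as the Inventoried Directory Server. A domain controller certificate normally carries the DC's FQDN in its SAN, so connecting by IP address, or by the domain's DNS name unless the certificate also lists it, fails the hostname check even though the chain is trusted.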

Inventoried Directory Server

Selects which domain controller EmpowerID uses for inventory operations.

Purpose: Designates the specific directory server from which EmpowerID reads account and group information during inventory.

Configuration:

  • Select from connected directory servers
  • Choose a domain controller with reliable connectivity
  • Consider geographic proximity to EmpowerID server

Best Practices:

  • Use multiple domain controllers in high-availability deployments
  • Select domain controllers that replicate quickly
  • Avoid using domain controllers with resource constraints
  • When "Use Secure LDAPS Binding" is enabled, refer to the domain controller by the FQDN in its certificate, not by IP address, so certificate name checks pass

When to Configure: During initial setup. Update if changing target domain controllers or improving inventory performance.

Is Remote (Cloud Gateway Connection Required)

Indicates whether the Active Directory domain is accessible only through the Cloud Gateway.

Purpose: Enables EmpowerID cloud instances to manage on-premise Active Directory environments through the Cloud Gateway tunnel.

Values:

  • Enabled — EmpowerID connects through Cloud Gateway
  • Disabled — Direct network connectivity to domain controllers

When Enabled:

  • Cloud Gateway must be installed on on-premise infrastructure
  • Gateway establishes outbound connection to EmpowerID cloud
  • All operations tunnel through the secure gateway connection

When to Configure: Enable when EmpowerID runs in the cloud and Active Directory is on-premise. See Installing the EmpowerID Cloud Gateway Client for setup instructions.

Is Visible in IAM Shop

Controls whether resources from this account store appear in self-service portals.

Purpose: Makes groups and other resources from this domain available for users to request through the IAM Shop.

Values:

  • Enabled — Resources visible and requestable
  • Disabled — Resources hidden from self-service

When to Enable:

  • Groups should be requestable by users
  • Self-service access workflows are configured
  • Resources have appropriate approval processes

When to Disable:

  • System or service account groups
  • Administrative or privileged access groups
  • Resources requiring alternative request processes

When to Configure: Enable after configuring approval workflows and access policies for domain resources.


Authentication and Password Settings

Settings that control authentication methods and password management for accounts in the domain.

Use for Authentication

Enables pass-through authentication using credentials from this Active Directory domain.

Purpose: Allows users to authenticate to EmpowerID using their Active Directory credentials without requiring separate EmpowerID passwords.

How It Works:

  1. User enters credentials at EmpowerID login
  2. EmpowerID passes credentials to Active Directory for validation
  3. Successful AD authentication grants EmpowerID access

When to Enable:

  • Users should use existing AD credentials
  • Single sign-on experience desired
  • Centralized authentication required

When to Disable:

  • EmpowerID manages authentication independently
  • Alternate authentication methods required (SAML, OAuth)

When to Configure: Enable for domains providing user authentication. Disable for service account or resource-only domains.

Allow Search for User Name in Authentication

Enables username search across account stores during authentication when no domain is specified.

Purpose: Allows users to log in without specifying a domain name, improving user experience in multi-domain environments.

How It Works:

  1. User enters username without domain (e.g., "jsmith" instead of "CORP\jsmith")
  2. EmpowerID checks local Identity Warehouse first
  3. If not found or authentication fails, searches enabled account stores
  4. Attempts authentication against matching accounts

When to Enable:

  • Multiple Active Directory domains exist
  • Users don't know their domain name
  • Simplified login experience desired

When to Disable:

  • Single domain environment
  • Security policy requires domain specification, or lockout thresholds are strict: a wrong password is tried against every matching account, so a single mistyped password can count against the lockout policy in several domains
  • Performance concerns with large directories

When to Configure: Enable in multi-domain environments after enabling "Use for Authentication."

Allow Password Sync

Enables synchronization of password changes between EmpowerID Person objects and Active Directory accounts.

Purpose: Keeps passwords synchronized when changed in EmpowerID, ensuring consistent credentials across systems.

How It Works:

  • Password changed in EmpowerID Person object flows to linked AD accounts
  • Password changed in another linked account can flow to AD account
  • Synchronization respects attribute flow rules and authority scores

When to Enable:

  • EmpowerID or another system is authoritative for passwords
  • Centralized password management required
  • Integrated password change workflows used

When to Disable:

  • Active Directory manages passwords independently
  • Users change passwords directly in AD only
  • Security policy prohibits automated password changes

Important: This setting does not prevent password resets through EmpowerID workflows. Workflow-based password resets can still modify AD passwords regardless of this setting.

When to Configure: Enable when EmpowerID coordinates password management across multiple systems.

Queue Password Changes

Determines whether password changes process immediately or queue for batch processing.

Purpose: Manages password change processing to handle high volumes or integrate with approval workflows.

Values:

  • Enabled — Password changes queue in Account Password Reset Inbox
  • Disabled — Password changes process immediately

When to Enable:

  • Approval workflows required for password changes
  • Batch processing preferred for performance
  • Coordinated password changes across multiple systems

When to Disable:

  • Immediate password changes required
  • Real-time synchronization critical
  • No approval processes needed

Processing: When enabled, the Account Password Reset Inbox Permanent Workflow processes queued password changes.

When to Configure: Enable if password change approval or batching required. Most deployments leave this disabled for immediate processing.

Password Manager Policy for Accounts without Person

Specifies the password policy for Active Directory accounts not linked to an EmpowerID Person.

Purpose: Applies password complexity, history, and expiration rules to unmanaged accounts (service accounts, system accounts) discovered during inventory.

Configuration:

  • Select from configured Password Manager Policies
  • Policy defines requirements: length, complexity, expiration, history

When to Configure: Set a policy that matches your organization's requirements for unmanaged accounts. Required if inventorying accounts that may not link to Person objects.


Provisioning Settings

Settings that control account lifecycle operations, attribute synchronization, and provisioning behavior.

Allow Person Provisioning (Joiner Source)

Enables provisioning of EmpowerID Person objects from Active Directory user accounts.

Purpose: Creates Person objects in the EmpowerID Identity Warehouse when new accounts are discovered in Active Directory during inventory.

How It Works:

  1. Inventory discovers new AD user account
  2. EmpowerID evaluates join rules to find matching Person
  3. If no match found and this setting enabled, creates new Person
  4. Links Person to AD account

When to Enable:

  • Active Directory is authoritative for identity data
  • Person objects should be created from AD accounts
  • Joiner workflows source from Active Directory

When to Disable:

  • HR system or other source creates Person objects
  • Person provisioning managed by separate process
  • This domain contains only service or resource accounts

When to Configure: Enable when Active Directory is an identity source for creating People. Typically disabled when HR systems are authoritative.

Allow Attribute Flow

Enables ongoing attribute synchronization between EmpowerID and Active Directory.

Purpose: Controls whether attribute flow rules execute for this account store, synchronizing attribute changes bidirectionally or unidirectionally based on configured flow directions.

Values:

  • Enabled — Attribute flow rules execute during synchronization
  • Disabled — No ongoing attribute synchronization (initial provisioning still occurs)

When to Enable:

  • Attributes should synchronize between systems
  • Attribute flow rules are configured
  • Data consistency across systems required

When to Disable:

  • Attributes managed independently after initial provisioning
  • No ongoing synchronization needed
  • Attribute conflicts need to be prevented

Related: See Configure Attribute Flow for Active Directory for attribute flow rule configuration.

When to Configure: Enable after configuring attribute flow rules. Disable temporarily to troubleshoot synchronization issues.

Allow Provisioning (By RET)

Enables automatic account provisioning through Resource Entitlement (RET) policies.

Purpose: Allows RET policies to automatically create Active Directory accounts for users when policies grant them AD access.

How It Works:

  1. RET policy grants user an AD account
  2. User doesn't have existing account in this domain
  3. System automatically provisions new account if this setting enabled

When to Enable:

  • RET policies manage AD account assignments
  • Automated provisioning workflows configured
  • Just-in-time account creation desired

When to Disable:

  • Manual account provisioning required
  • Approval workflows gate all provisioning
  • Service accounts should not auto-provision

Processing: Resource Entitlement Inbox Permanent Workflow processes automatic provisioning operations.

When to Configure: Enable when implementing policy-based access management for Active Directory.

Allow Deprovisioning (By RET)

Enables automatic account deprovisioning when Resource Entitlement policies no longer grant access.

Purpose: Automatically removes or disables Active Directory accounts when RET policies determine users should no longer have access.

How It Works:

  1. User no longer receives RET policy granting AD account
  2. Account marked for deprovisioning if this setting enabled
  3. Deprovisioning action executes based on RET policy configuration (disable, delete, or move)

Requirements:

  • RET policy must specify deprovisioning action
  • Account must be RET-policy-provisioned
  • Approval workflows (if configured) must complete

When to Enable:

  • Automated account lifecycle desired
  • RET policies manage access completely
  • Leaver processes defined and tested

When to Disable:

  • Manual deprovisioning review required
  • Complex approval processes needed
  • Service accounts managed separately

Important: Deprovisioning only occurs when RET policy specifies a deprovisioning action. Policies without deprovisioning actions leave accounts unchanged.

When to Configure: Enable after thoroughly testing RET policies and deprovisioning workflows. Start with disable actions before implementing deletion.

Default User Creation Path

Specifies the default Organizational Unit for newly provisioned accounts.

Purpose: Determines where EmpowerID creates user accounts when no specific location is selected during provisioning.

Configuration:

  • Enter distinguished name of target OU
  • Example: OU=Users,OU=Employees,DC=corp,DC=example,DC=com

When to Configure: Set during initial setup to match your organizational structure. Update if changing account organization patterns.

Max Accounts per Person

Limits the number of accounts from this domain that can link to a single Person object.

Purpose: Bounds the damage from a misconfigured join rule, for example one matching on an attribute that is blank or holds the same placeholder value on many accounts, which would otherwise link many accounts to one Person.

Default Value: Typically 1

When to Increase:

  • Users legitimately have multiple accounts in the domain
  • Admin accounts separate from regular accounts
  • Test accounts linked to production Person

Safety Feature: If inventory attempts to link more accounts than this limit, it logs an error and stops linking rather than creating incorrect relationships.

When to Configure: Set to 1 unless users require multiple accounts. Increase cautiously after validating join rule logic.
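Before raising the limit, it is worth knowing what the join rule would actually do. The following is an added Python example, not EmpowerID code: it groups an export of AD accounts by the attribute the join rule matches on and lists every key whose fan-out exceeds the limit, together with accounts that carry no join key at all. The account records, the employeeID join attribute and the function names are constructed for illustration.

```python
from collections import defaultdict

# Added example (not EmpowerID code): preflight for "Max Accounts per Person".
# Group AD user accounts by the join attribute and report every key whose
# fan-out exceeds the configured limit, plus accounts with no key at all.

# Constructed sample export. "0000" stands in for a placeholder employeeID
# copied onto template accounts, the usual cause of runaway joins.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jsmith", "employeeID": "1001"},
    {"sAMAccountName": "jsmith-adm", "employeeID": "1001"},
    {"sAMAccountName": "adoe", "employeeID": "1002"},
    {"sAMAccountName": "svc-backup", "employeeID": ""},
    {"sAMAccountName": "svc-sql", "employeeID": None},
    {"sAMAccountName": "tmpl-sales", "employeeID": "0000"},
    {"sAMAccountName": "tmpl-eng", "employeeID": "0000"},
    {"sAMAccountName": "tmpl-hr", "employeeID": "0000"},
]


def group_by_join_key(accounts, join_attr):
    """Map each join-key value to the accounts carrying it; collect keyless accounts."""
    groups = defaultdict(list)
    missing = []
    for acct in accounts:
        value = acct.get(join_attr)
        key = str(value).strip() if value is not None else ""
        if key:
            groups[key].append(acct["sAMAccountName"])
        else:
            missing.append(acct["sAMAccountName"])
    return dict(groups), missing


def join_preflight(accounts, join_attr, max_accounts_per_person=1):
    """Return the join keys that would breach the limit and the accounts without a key."""
    groups, missing = group_by_join_key(accounts, join_attr)
    over_limit = {k: v for k, v in groups.items() if len(v) > max_accounts_per_person}
    max_fanout = max((len(v) for v in groups.values()), default=0)
    return {
        "over_limit": over_limit,   # key -> accounts; inventory halts linking on these
        "missing_key": missing,     # never join; they stay unlinked
        "max_fanout": max_fanout,   # the smallest limit that would pass unchanged
    }


if __name__ == "__main__":
    result = join_preflight(SAMPLE_ACCOUNTS, "employeeID", max_accounts_per_person=1)
    for key, names in sorted(result["over_limit"].items()):
        print(f"employeeID={key}: {len(names)} accounts -> {', '.join(names)}")
    print("no join key:", ", ".join(result["missing_key"]))
```

In the sample, jsmith and jsmith-adm are the legitimate case the list above describes (an admin account separate from the regular one) and justify a limit of 2. The "0000" key is what the limit exists to catch; the fix there is to exclude template accounts from the join rule or the inventoried OUs, not to raise the limit until the error disappears.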


Business Role and Location Settings

Settings that control Business Role and Location assignment, organizational unit mapping, and external role provisioning.

Allow Business Role and Location Re-Evaluation

Enables recalculation of Business Role and Location assignments for accounts in this store.

Purpose: Allows the Role and Location Compiler to evaluate and assign Business Roles and Locations to Person objects based on their accounts in this domain.

How It Works:

  1. Role and Location Compiler job runs on schedule
  2. Evaluates Person objects with accounts in enabled stores
  3. Compares account attributes to Business Role and Location policies
  4. Assigns matching roles and locations

When to Enable:

  • Account store participates in RBAC assignments
  • Dynamic role assignment desired
  • Account attributes drive role/location determination

When to Disable:

  • HR system exclusively assigns roles and locations
  • Static assignments don't change
  • This is resource-only account store

Important: For Active Directory, HR systems typically drive Business Role and Location assignment, so this setting often remains disabled. Enable only if AD account attributes should influence role/location determination.

When to Configure: Disable for typical deployments where HR systems assign roles and locations. Enable only in AD-authoritative identity scenarios.

Business Role and Location Re-Evaluation Order

Specifies the priority order when multiple account stores can assign roles and locations.

Purpose: Determines precedence when Person objects have accounts in multiple stores that all enable re-evaluation.

Configuration:

  • Lower numbers evaluate first
  • Higher numbers override earlier evaluations

When to Configure: Set only when "Allow Business Role and Location Re-Evaluation" is enabled and multiple stores participate in assignments.

Inventory Auto Provision OUs as IT System Locations

Automatically creates EmpowerID Location objects from Active Directory Organizational Units.

Purpose: Imports AD organizational structure into EmpowerID as Locations for organizational hierarchy and access scoping.

How It Works:

  1. Inventory discovers OUs in Active Directory
  2. Creates corresponding Location objects in EmpowerID
  3. Links accounts to Locations based on OU membership

When to Enable:

  • AD OU structure reflects organizational hierarchy
  • Location-based access scoping desired
  • Automated location management preferred

When to Disable:

  • HR system provides location data
  • Manual location management required
  • OU structure doesn't match organizational hierarchy

When to Configure: Enable if AD OU structure should define EmpowerID Locations. Disable for typical deployments where HR systems provide location data.

Inventory Auto Provision External Roles as Business Roles

Automatically creates EmpowerID Business Role objects from Active Directory group memberships.

Purpose: Imports AD security groups as Business Roles, enabling role-based access based on existing AD group structure.

How It Works:

  1. Inventory discovers security groups in Active Directory
  2. Creates corresponding Business Role objects in EmpowerID
  3. Assigns roles based on group memberships

When to Enable:

  • AD groups define organizational roles
  • Existing AD group structure should become RBAC model
  • Migration from AD groups to formal RBAC desired

When to Disable:

  • HR system provides role data
  • Custom Business Role design required
  • AD groups are resource-based, not role-based

When to Configure: Enable during initial EmpowerID deployment if leveraging existing AD group structure. Typically disabled once formal RBAC model established.

Default Person Business Role

Specifies a default Business Role automatically assigned to Person objects provisioned from this account store.

Purpose: Ensures all Person objects created from AD accounts receive at least one Business Role.

Configuration:

  • Select from existing Business Roles
  • Typically a "Basic User" or "Employee" role

When to Configure: Set when "Allow Person Provisioning" is enabled and a baseline role should apply to all provisioned People.

Default Person Location

Specifies a default Location automatically assigned to Person objects provisioned from this account store.

Purpose: Ensures all Person objects created from AD accounts receive at least one Location assignment.

Configuration:

  • Select from existing Locations
  • Leave blank to use account's OU as location

When to Configure: Set when "Allow Person Provisioning" is enabled and a baseline location should apply to all provisioned People. Leave blank if OU-based location assignment preferred.


Group Settings

Settings that control group management, membership monitoring, and recertification.

Allow Account Creation on Membership Request

Enables automatic account provisioning when users request group membership.

Purpose: Automatically creates AD accounts for users who don't have one when they request membership in a group from this domain.

How It Works:

  1. User without AD account requests group membership
  2. System provisions new AD account if this setting enabled
  3. Adds newly created account to requested group

When to Enable:

  • Self-service group access allowed
  • Just-in-time account provisioning desired
  • Request workflows configured

When to Disable:

  • Manual account creation required
  • Accounts pre-provisioned through other processes
  • Group access limited to existing accounts

When to Configure: Enable if implementing self-service group access with automated provisioning.

Recertify External Group Changes as Detected

Enables automatic recertification when group membership changes are detected.

Purpose: Triggers access recertification workflows when group memberships change outside of EmpowerID, ensuring all access remains authorized.

How It Works:

  1. Inventory detects group membership change
  2. Change triggers recertification workflow if this setting enabled
  3. Recertification sent to appropriate reviewers

When to Enable:

  • Strict access governance required
  • Changes outside EmpowerID need review
  • Compliance requires recertification

When to Disable:

  • EmpowerID manages all group changes
  • Recertification on scheduled cycles only
  • Performance concerns with high-change groups

Requirements: The Continuous Group Membership Recertification Permanent Workflow must be enabled.

When to Configure: Enable when implementing continuous access certification for critical resources.

SetGroup of Groups to Monitor for Real-Time Recertification

Specifies which groups trigger recertification when membership changes.

Purpose: Limits real-time recertification to specific groups rather than all groups in the domain.

Configuration:

  • Enter GUID of SetGroup or Query-Based Collection
  • SetGroup must contain groups to monitor
  • Leave empty to process all security groups (if recertification enabled)

When to Configure: Set when enabling "Recertify External Group Changes as Detected" to limit scope to specific groups. Use for privileged or sensitive access groups requiring immediate recertification.

Default Group Creation Path

Specifies the default Organizational Unit for newly created groups.

Purpose: Determines where EmpowerID creates groups when no specific location is selected.

Configuration:

  • Enter distinguished name of target OU
  • Example: OU=Groups,OU=Resources,DC=corp,DC=example,DC=com

When to Configure: Set during initial setup. Update if group organization changes.

EmpowerID Group Creation Path

Specifies the Organizational Unit for EmpowerID Resource Role groups.

Purpose: Designates a specific location for groups that represent EmpowerID Resource Roles, separating them from regular groups.

Configuration:

  • Enter distinguished name of target OU
  • Example: OU=EmpowerID,OU=Groups,DC=corp,DC=example,DC=com

When to Configure: Set when Resource Role groups are provisioned to Active Directory. Useful for separating EmpowerID-managed groups from manually managed groups.
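The three creation paths (Default User Creation Path above, and the Default Group Creation Path and EmpowerID Group Creation Path here) are free-text distinguished names, and a typo only surfaces on the first provisioning attempt. The following is an added Python example, not EmpowerID code, that validates them before you save: RDN syntax with backslash escapes, that each path lies under the domain root, that the leaf is an OU or container, and that the EmpowerID group path is not the same OU as the default group path. It uses the page's example DNs; the configuration key names and function names are this example's own.

```python
# Added example (not EmpowerID code): validate the OU distinguished names
# entered for Default User Creation Path, Default Group Creation Path and
# EmpowerID Group Creation Path before saving the account store.

# Constructed configuration using the page's example paths; the key names
# are this example's own, not EmpowerID setting identifiers.
DOMAIN_DN = "DC=corp,DC=example,DC=com"
SAMPLE_PATHS = {
    "default_user_path": "OU=Users,OU=Employees,DC=corp,DC=example,DC=com",
    "default_group_path": "OU=Groups,OU=Resources,DC=corp,DC=example,DC=com",
    "empowerid_group_path": "OU=EmpowerID,OU=Groups,DC=corp,DC=example,DC=com",
}


def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return [(ATTR, value), ...] from leaf to root; raise ValueError on bad syntax."""
    rdns = []
    for part in split_rdns(dn):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in RDN {part!r}")
        rdns.append((attr, value))
    return rdns


def normalize(dn):
    """Case-folded canonical form for comparing DNs (AD names are case-insensitive)."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


def validate_creation_path(path, domain_dn):
    """Return a list of problems; an empty list means the path is acceptable."""
    try:
        rdns, root = parse_dn(path), parse_dn(domain_dn)
    except ValueError as exc:
        return [f"syntax: {exc}"]
    problems = []
    if any(a != "DC" for a, _ in root):
        problems.append("domain DN must consist of DC= components only")
    tail = [(a, v.lower()) for a, v in rdns[-len(root):]]
    if tail != [(a, v.lower()) for a, v in root]:
        problems.append("path is not under the domain root")
    elif len(rdns) == len(root):
        problems.append("path is the domain root itself; choose an OU")
    if rdns[0][0] not in ("OU", "CN"):
        problems.append(f"leaf must be an OU or container, not {rdns[0][0]}=")
    return problems


def validate_account_store_paths(paths, domain_dn):
    """Validate every configured path and the separation between the two group paths."""
    results = {name: validate_creation_path(dn, domain_dn) for name, dn in paths.items()}
    if "default_group_path" in paths and "empowerid_group_path" in paths:
        if not results["default_group_path"] and not results["empowerid_group_path"]:
            if normalize(paths["default_group_path"]) == normalize(paths["empowerid_group_path"]):
                results["empowerid_group_path"].append(
                    "same OU as the default group path; Resource Role groups will not be separated")
    return results


if __name__ == "__main__":
    for name, problems in validate_account_store_paths(SAMPLE_PATHS, DOMAIN_DN).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

The check is syntactic only: it cannot tell you the OU exists or that the proxy account has create rights on it, so confirm both in the directory before provisioning the first object.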


Directory Clean Up

Settings that control automated account termination and directory cleanup processes.

Directory Clean Up Enabled

Enables automated account termination processing for this account store.

Purpose: Activates the SubmitAccountTermination Permanent Workflow to automatically disable, move, and delete accounts that meet termination criteria.

How It Works:

  1. Workflow identifies accounts meeting termination criteria
  2. Moves accounts to designated termination OU
  3. Disables accounts
  4. Initiates approval process
  5. Deletes accounts after final approval

Requirements:

  • Multiple system settings must be configured
  • Designated termination OU must exist
  • Approval workflows must be defined
  • Approvers must be assigned

When to Enable:

  • Automated leaver processes required
  • Compliance requires documented account removal
  • Multiple approval layers desired before deletion

When to Disable:

  • Manual account termination preferred
  • Leaver processes not yet defined
  • Testing termination workflows

Important: This is a complex feature requiring significant configuration. Enable only after thorough planning, configuration, and testing.

When to Configure: Enable after fully configuring and testing account termination workflows. Start in non-production environment first.