Active Directory Connector Overview
The Active Directory Connector enables organizations to integrate their on-premise Active Directory infrastructure with EmpowerID, creating a unified identity and access management platform. By connecting Active Directory (AD) to EmpowerID, you can centralize user lifecycle management, synchronize group memberships, enable single sign-on, and automate provisioning while maintaining your existing directory services.
This article explains what the Active Directory Connector is, why you would use it, how it works, and the core capabilities it provides.
What is the Active Directory Connector?
The Active Directory Connector is EmpowerID's integration component for Active Directory Domain Services (AD DS). It establishes a secure connection between EmpowerID and your Active Directory environment, enabling bidirectional synchronization of user accounts, groups, organizational units, and computers.
The connector operates through an account store — EmpowerID's representation of an external identity system. Once configured, the account store continuously monitors Active Directory for changes and synchronizes data between the two systems.
When to Use the Active Directory Connector
The Active Directory Connector is designed for scenarios where you need to:
- Inventory existing AD accounts and groups into EmpowerID without manual data entry
- Synchronize account attributes bidirectionally between Active Directory and EmpowerID Person objects
- Manage group memberships through EmpowerID policies rather than direct AD modification
- Provision new AD accounts through EmpowerID workflows with automatic attribute population
- Authenticate users against Active Directory credentials in EmpowerID applications
- Monitor AD changes continuously through scheduled inventory rather than manual audits
- Connect cloud-based EmpowerID SaaS to on-premise Active Directory through Cloud Gateway
The connector is appropriate for organizations that maintain Active Directory as an identity source and need to integrate it with EmpowerID's identity governance capabilities.
Architecture
The Active Directory Connector architecture consists of three main components working together to synchronize identity data.
Components
Active Directory Domain Controllers
Your existing AD infrastructure containing user accounts, groups, organizational units, and computers. EmpowerID reads from and writes to domain controllers using LDAP.
Connection Layer
The connector supports two connection modes. For on-premise EmpowerID deployments with direct network access to domain controllers, a direct LDAP connection is used. For EmpowerID SaaS deployments connecting remotely to on-premise Active Directory, the connection is established through a secure Cloud Gateway.
EmpowerID Account Store
The configuration object that defines how EmpowerID connects to and manages Active Directory. The account store holds connection settings, proxy credentials, inventory schedules, and operational policies.
Inventory Process
The scheduled job that discovers and synchronizes objects from Active Directory into EmpowerID's Identity Warehouse. Inventory runs use Update Sequence Numbers (USNs) for efficient delta processing.
Core Capabilities
Account Management
The connector enables comprehensive account lifecycle management. It inventories user accounts from Active Directory into EmpowerID, creates new accounts in Active Directory through EmpowerID workflows, updates account attributes with bidirectional synchronization, and disables or enables accounts based on lifecycle events. When users are deprovisioned, the connector can delete accounts according to configured policies.
Group Management
The connector provides comprehensive group synchronization capabilities. It inventories groups and their membership relationships, creates and deletes groups in Active Directory, adds and removes members based on policy-driven assignments, and reconciles memberships automatically on schedule.
Attribute Flow
EmpowerID synchronizes attributes between Active Directory user accounts and EmpowerID Person objects. Attribute flow can be configured as bidirectional (changes in either system update the other), account store changes only (changes originate in AD and flow to EmpowerID), EmpowerID changes only (changes originate in EmpowerID and flow to AD), or no sync (attribute is not synchronized). Each attribute flow rule can be weighted by CRUD operation (Create, Update, Delete) when multiple account stores contain the same identity data.
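How the four flow directions and the per-operation weighting combine when a change arrives, as an added illustration that is not EmpowerID's code. The store names, attribute names and weights are constructed, and the rule that the store with the highest weight for an operation is authoritative is an assumption made for this example.

```python
from enum import Enum


class Flow(Enum):
    BIDIRECTIONAL = "bidirectional"            # changes in either system update the other
    ACCOUNT_STORE_ONLY = "account_store_only"  # AD account -> EmpowerID Person only
    EMPOWERID_ONLY = "empowerid_only"          # EmpowerID Person -> AD account only
    NO_SYNC = "no_sync"                        # attribute never crosses


# Constructed rule table: (account store, attribute) -> (flow direction, weight per CRUD op).
# Store names, attributes and weights are assumptions; so is the weighting semantics used
# below (the store with the highest weight for the operation is authoritative).
RULES = {
    ("corp-ad", "mail"):         (Flow.BIDIRECTIONAL,      {"create": 10, "update": 10, "delete": 0}),
    ("corp-ad", "department"):   (Flow.ACCOUNT_STORE_ONLY, {"create": 10, "update": 10, "delete": 0}),
    ("hr-ad", "department"):     (Flow.ACCOUNT_STORE_ONLY, {"create": 20, "update": 20, "delete": 0}),
    ("corp-ad", "title"):        (Flow.EMPOWERID_ONLY,     {"create": 10, "update": 10, "delete": 0}),
    ("corp-ad", "employeeType"): (Flow.NO_SYNC,            {}),
}


def direction(store, attr):
    # Unknown attribute/store pairs default to no sync, the safe choice.
    return RULES.get((store, attr), (Flow.NO_SYNC, {}))[0]


def authoritative_store(attr, operation):
    """Among stores that carry attr, the one with the highest weight for this operation."""
    stores = [s for (s, a) in RULES if a == attr]
    return max(stores, key=lambda s: RULES[(s, attr)][1].get(operation, 0), default=None)


def apply_store_change(person, store, attr, value, operation="update"):
    """An inventoried AD change tries to update the Person. Returns (accepted, reason)."""
    if direction(store, attr) not in (Flow.BIDIRECTIONAL, Flow.ACCOUNT_STORE_ONLY):
        return False, f"{attr}: flow rule blocks account store -> EmpowerID"
    owner = authoritative_store(attr, operation)
    if owner != store:
        return False, f"{attr}: {owner} outweighs {store} for {operation}"
    person[attr] = value
    return True, "accepted"


def apply_person_change(account, store, attr, value):
    """An EmpowerID Person change tries to update the AD account. Returns (accepted, reason)."""
    if direction(store, attr) not in (Flow.BIDIRECTIONAL, Flow.EMPOWERID_ONLY):
        return False, f"{attr}: flow rule blocks EmpowerID -> account store"
    account[attr] = value
    return True, "accepted"
```

The point for a reviewer is the two rejection paths: an AD-side edit to an EmpowerID-authoritative attribute such as title is refused, and a lower-weighted store cannot overwrite a value owned by a higher-weighted one.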
Authentication
When enabled, the connector allows EmpowerID to authenticate users against Active Directory credentials, supporting single sign-on scenarios across connected applications.
Delta Inventory with USN Tracking
The connector uses Active Directory's Update Sequence Numbers (USNs) to perform efficient delta inventory, processing only changed objects instead of scanning the entire directory on each run.
How Delta Inventory Works
Understanding delta inventory is critical to appreciating the connector's efficiency and scalability.
Update Sequence Numbers (USNs)
Active Directory maintains Update Sequence Numbers (USNs) — numeric counters that increment whenever a directory object is created, modified, or deleted. Each domain controller maintains its own USN sequence independently.
When an object changes in Active Directory, the USN value for that object increases. EmpowerID tracks these USN values to identify which objects have changed since the last inventory run.
The Delta Inventory Process
How it works:
- Retrieve Last USN: EmpowerID queries its Directory Server record for the highest USN values processed during the last successful inventory
- Query for Changes: EmpowerID sends LDAP queries to the domain controller requesting all objects with USNs higher than the stored values
- Process Changes: EmpowerID updates its Identity Warehouse with new accounts, groups, OUs, and computers, and modifies existing records as needed
- Update USN Values: EmpowerID records the highest USN values from this inventory run for use in the next cycle
This approach ensures that only changed objects are processed, dramatically reducing processing time, network traffic, load on domain controllers, and resource usage in EmpowerID.
Multi-Domain Controller Environments
In Active Directory environments with multiple domain controllers, USN values do not synchronize across controllers — each maintains its own independent sequence. To handle this, EmpowerID designates one domain controller as the Inventoried Directory Server for consistency, tracks the highest USN values from all enabled domain controllers, and allows administrators to switch to another controller without losing synchronization if the primary becomes unavailable. Because EmpowerID tracks USNs across all controllers, inventory resumes exactly where it left off.
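The four-step delta process and the per-controller USN independence described above, as an added simulation that is not EmpowerID's or Microsoft's code. Two in-memory stand-ins for domain controllers keep independent uSNChanged counters (replication carries values but the receiving controller stamps its own USN), and the tracker keeps one high-water mark per controller it has inventoried; the scenario shows that reusing one controller's mark against another would silently skip objects. All names, DNs and values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DomainController:
    """Stand-in for one DC. uSNChanged is a non-replicated, per-DC counter."""
    name: str
    highest_usn: int = 0
    objects: dict = field(default_factory=dict)  # dn -> {"usn": int, "attrs": dict}

    def write(self, dn, **attrs):
        # Every local write, including one received by replication, takes this DC's next USN.
        self.highest_usn += 1
        entry = self.objects.setdefault(dn, {"attrs": {}})
        entry["attrs"].update(attrs)
        entry["usn"] = self.highest_usn

    def replicate_to(self, other):
        # Replication carries attribute values only; the receiving DC stamps its own USN.
        for dn, entry in self.objects.items():
            if other.objects.get(dn, {}).get("attrs") != entry["attrs"]:
                other.write(dn, **entry["attrs"])

    def changed_since(self, usn):
        # Same idea as an LDAP search against this DC with the filter (uSNChanged>N).
        return {dn: dict(e["attrs"]) for dn, e in self.objects.items() if e["usn"] > usn}


class DeltaInventory:
    """One USN high-water mark per DC, like the Directory Server record in the text."""
    def __init__(self):
        self.last_usn = {}   # dc name -> highest USN processed on that DC
        self.warehouse = {}  # Identity Warehouse: dn -> attrs

    def run(self, dc):
        changes = dc.changed_since(self.last_usn.get(dc.name, 0))  # step 1 + 2
        self.warehouse.update(changes)                              # step 3
        self.last_usn[dc.name] = dc.highest_usn                     # step 4
        return len(changes)


def scenario():
    """Constructed two-DC domain; returns (inventory, first, second, naive, switched) counts."""
    dc1, dc2 = DomainController("dc1"), DomainController("dc2")
    dc2.write("CN=carol,OU=Users,DC=example,DC=test", sAMAccountName="carol")  # dc2 USN 1
    dc1.write("CN=alice,OU=Users,DC=example,DC=test", sAMAccountName="alice")  # dc1 USN 1
    dc1.write("CN=bob,OU=Users,DC=example,DC=test", sAMAccountName="bob")      # dc1 USN 2
    inv = DeltaInventory()
    first, second = inv.run(dc1), inv.run(dc1)            # 2 changes, then 0
    dc1.replicate_to(dc2)                                 # dc2 stamps alice=2, bob=3
    naive = len(dc2.changed_since(inv.last_usn["dc1"]))   # dc1's mark on dc2: misses carol
    switched = inv.run(dc2)                               # dc2's own mark: all 3 seen
    return inv, first, second, naive, switched
```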
Best Practices for Domain Controller Selection
For optimal performance in multi-domain controller environments:
- Enable 3-4 domain controllers for EmpowerID to use rather than all controllers
- Select controllers central to your replication topology to minimize latency
- Avoid enabling remote or high-latency controllers that may cause replication delays
- Use controllers with reliable uptime to ensure consistent inventory processing
When EmpowerID provisions an account or resets a password, it randomly selects from enabled domain controllers. If you enable too many controllers, including remote ones, EmpowerID may write to a controller whose changes haven't replicated to other controllers yet, potentially causing subsequent operations to fail when they query a different controller.
Configuration vs. Execution
The Active Directory account store is a configuration object that defines how EmpowerID should connect to and manage Active Directory. It does not process identity operations itself.
Configuration objects include the Account Store definition, connection settings, proxy credentials, inventory schedules, and attribute flow rules. These are the blueprints you create, and they stay in place.
Execution processes include inventory jobs that scan Active Directory, Group Membership Reconciliation jobs, account provisioning workflows, and password synchronization operations. These are the automated processes that run on schedule or in response to events, using the account store configuration without changing it.
Connection Requirements
Proxy Account Permissions
EmpowerID requires a privileged proxy account to connect to Active Directory. This account needs:
- Read access to all objects EmpowerID will inventory (users, groups, OUs, computers)
- Read access to the AD Configuration Partition for topology discovery
- Read access to the Deleted Items container for deleted object detection
- Write permissions for any objects EmpowerID will provision or modify
- Permission to reset passwords if password management is enabled
The proxy account typically requires Domain Admin privileges for full functionality, though the permissions above can be delegated more narrowly if needed.
In multi-domain forests, create the account store for the forest root domain first. The proxy account must have read access to the AD Configuration Partition for topology discovery to succeed.
Cloud Gateway for Remote Connections
When connecting EmpowerID SaaS to on-premise Active Directory, you must install and configure the EmpowerID Cloud Gateway. The Cloud Gateway establishes secure outbound connections from your network to EmpowerID, requires no inbound firewall rules, acts as a proxy for all LDAP communication, and supports multiple account stores through a single gateway instance.
Account Store Settings
The account store configuration controls how EmpowerID connects to and manages Active Directory. Connection and security settings include Secure LDAPS Binding for encrypted communication, Cloud Gateway selection for remote connectivity, and Inventoried Directory Server selection for targeting specific domain controllers.
For identity management, you can enable inventory and set its schedule (default: every 10 minutes), enable group membership reconciliation for automated group management, and configure attribute flow rules for bidirectional synchronization. Authentication and provisioning settings control whether to use AD for authentication, allow provisioning via Resource Entitlement (RET) for policy-based account creation, and enable password sync to maintain credential consistency.
Visibility and access settings determine whether the account store shows in the IAM Shop to enable resource requests through the self-service portal, and whether to automatically create Persons on inventory or route new accounts to the Account Inbox for review.
Each setting is documented in detail in the Active Directory Account Store Configuration Settings reference.
Next Steps
After understanding the Active Directory Connector architecture and capabilities, you're ready to:
- Review prerequisites in Getting Started with Directory Systems
- Create your first connection by following Connect to Active Directory
- Configure advanced settings using the Active Directory Account Store Configuration Settings reference
Related Articles
- Connect to Active Directory — Step-by-step procedure for creating an Active Directory account store
- Active Directory Account Store Configuration Settings — Detailed reference for all configuration options
- Getting Started with Directory Systems — Prerequisites and initial setup requirements