Synchronized Users and Groups
Users
The following table describes how users in IIJ ID Service are updated by Directory Sync requests.
Active Directory (Trigger) | IIJ ID Service Before an Update | IIJ ID Service After Directory Sync Update |
---|---|---|
Create and enable new user | User does not exist | User is created and enabled |
Create new user without being enabled | User does not exist | User is created without being enabled |
Update user | User exists | User is updated |
Delete user | User exists | User is updated as pending deletion |
Disable user | User exists | User is disabled |
Enable user | User exists | User is enabled |
Stop synchronizing user | User exists | User is updated as pending deletion |
Start synchronizing user again | User exists and is pending deletion | User is restored per Active Directory information (*1, *2, *3) |
Recreate user | User exists and is pending deletion | Error (no processing is performed) (*1, *4) |
*1 The "ID" and the "External ID" for the user must match in Active Directory and in the IIJ ID Service. A mismatch of this information will result in an error.
*2 When a user is restored, user attributes in the IIJ ID Service are overwritten by the Active Directory values retrieved by Directory Sync.
*3 When a user is restored, the IIJ ID Service user password is the password that is synchronized. When Directory Sync is used together with Password Sync, password updates are not synchronized to the IIJ ID Service for users that are not synchronized by Directory Sync. As such, passwords in Active Directory may not match those in the IIJ ID Service during the restoration process. In such scenarios, having the user update the password in Active Directory before using the IIJ ID Service will enable the same password to be used again.
*4 Before synchronizing a user recreated via Active Directory, make sure to access the IIJ ID Service management screen and delete the user from "Viewing and Deleting Users Pending Deletion."
Groups
The following table describes how groups in IIJ ID Service are updated by Directory Sync requests.
Active Directory (Trigger) | IIJ ID Service Before an Update | IIJ ID Service After Directory Sync Update |
---|---|---|
Create new group | Group does not exist | Group is created |
Update group members (*1, *2) | Group exists | Group members are updated |
Delete group | Group exists | Group is deleted |
*1 Child groups within a parent group are not synchronized by Directory Sync.
*2 Users registered as members in child groups within a parent group are not registered as members of the parent group.
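
The following added example (not part of the IIJ documentation) illustrates group notes *1 and *2: given a constructed map of Active Directory groups to their direct members, it lists the users who belong to a group only through child groups and who therefore will not be members of that group after Directory Sync. The group names, user names and data layout are assumptions made for the illustration.

```python
# Constructed sample data (hypothetical names): AD group -> direct members.
# Each member is ("user", name) or ("group", name).
AD_GROUPS = {
    "vpn-users":   [("user", "alice"), ("group", "contractors")],
    "contractors": [("user", "bob"), ("group", "vendors")],
    "vendors":     [("user", "carol"), ("group", "contractors")],  # cycle on purpose
}

def synced_members(groups, name):
    """Direct user members only: per notes *1 and *2, child groups
    contribute nothing to the group's membership after Directory Sync."""
    return {m for kind, m in groups.get(name, []) if kind == "user"}

def nested_members(groups, name):
    """Users who belong to the group in Active Directory through any
    depth of nesting. Iterative walk; 'seen' guards against cycles."""
    users, seen, stack = set(), set(), [name]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for kind, member in groups.get(group, []):
            if kind == "user":
                users.add(member)
            else:
                stack.append(member)
    return users

def membership_gap(groups):
    """Map each group to the sorted users it has only via child groups,
    i.e. users missing from that group after synchronization."""
    gap = {}
    for name in groups:
        missing = nested_members(groups, name) - synced_members(groups, name)
        if missing:
            gap[name] = sorted(missing)
    return gap

if __name__ == "__main__":
    for group, missing in membership_gap(AD_GROUPS).items():
        print(f"{group}: not members after sync -> {', '.join(missing)}")
```

Any access that is granted by group membership in the IIJ ID Service should be reviewed for the users this reports, since they hold the membership in Active Directory only indirectly.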