You are here: Administration > System management > Synchronize user and group details > Synchronize user and group details with Active Directory

Synchronize user and group details with Active Directory

If the PaperCut server is a member of an Active Directory domain, you should use the Windows Active Directory option. The advantages over the Windows Standard option include:

  • Allows use of Active Directory organizational units.

  • Supports nested groups for simplified user management.

  • Allows importing users from other trusted Active Directory domains.

PaperCut NG's Active Directory integration is performed at a native level and supports advanced features, such as nested groups and OU's.

To synchronize your user data with Active Directory:

Set the primary sync source

  1. Select Options > User/Group Sync.

    The User/Group Sync page is displayed.

  2. In the Sync Source area, in Primary sync source, select Windows Active Directory.

  3. Complete the following fields as required:

    • Import disabled users—If set, all users, including disabled accounts are imported from the domain. In an education environment, select this option as student accounts are sometimes disabled for disciplinary actions, so removing the account from PaperCut NG is not appropriate.

    • Enable multi-domain support—Select this option for larger sites running multiple trusted domains. For example, in an education environment it is common to have separate domains for students and staff/teachers with a one-way trust relationship. This option can bring in groups, OU's, and users from both domains.

      The list of domains is semicolon separated (;). This list should contain the name of the domains in DNS dot notation, and should include the name of the current domain if you want to import from this domain.

      Trust domain relationships are a complex area. Click Test to verify that the settings result in the desired behavior. The total number of user accounts is a good measure.

  4. Select the users to import:

    • Import all users
    • Import users from selected groups—If you select the option, click Select Groups; then select the groups/OUs you want to import. This option is useful if the domain contains old users or users who do not print.

The following Config keys are available for Active Directory synchronization:

Card/identity numbers sync

Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. See User card and ID numbers for more information.

In PaperCut NG, you can associate one or two unique card/ID numbers with each user. These are known as the primary and secondary card/ID number. You can automatically import or generate these card/ID numbers for each user.

Often card/ID numbers are already assigned by other systems, in which case you must import these numbers into PaperCut from Active Directory or LDAPThe Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The LDAP directory service is based on a client-server model.. Unlike other fields, such as full-name and email address, there is no standard field used exclusively for card numbers. For this reason PaperCut allows specifying the field from which to import the card/ID number.

You can either:

Generate random card/ID numbers

PaperCut also allows you to generate a random card/ID number for either the primary or secondary card/ID number. To auto-generate card numbers:

  1. In the Sync Source area, complete the following fields:

    • Primary number—select Auto-generate random ID (if blank).

    • Length—enter the number of digits.

      Short numbers are easier to remember and faster to key in, but it is also easier to guess someone else's number. If your number is too short, PaperCut cannot generate sufficient numbers to cover all your users.

  2. Click Apply.


The card/ID number must uniquely identify a user, so you should ensure that no two users have the same card/ID number. Make sure the card/ID numbers you have defined in your user source are unique. If PaperCut NG finds a non-unique card/ID number it does not update the user's details, and displays a warning in the synchronization results. When generating card/ID numbers, you are asked to specify the length or number of digits you require in the generated numbers.

Import the card/identity number from Active Directory

Active Directory has a number of user fields that can store the user's card/ID number. Some of these fields are editable in the user's properties in the Active Directory Users and Computer tool, but others can be updated only with other tools.


In the Sync Options area, ensure the Update users' full-name, email, home directory, department and office when synchronizing check box is selected to import card/Id numbers.

  1. In Primary number, select Sync from AD/LDAP field.
  2. In AD/LDAP field name, enter the name of the field containing the card/ID numbers. By default, PaperCut NG imports the primary card/ID number from the user's pager number field (i.e. the pager field). This field was chosen because it is rarely used and is also editable in the Windows user interface. If this field is not suitable, you can choose any valid Active Directory user field.


    The list of standard Active Directory user fields is on the Microsoft web site here: The field name entered in PaperCut NG must be in the LDAP display name format. For example, if you want to use the Employee-Number field, then the field name entered into PaperCut NG should be employeeNumber as shown on the Employee-Number attribute page here:

  3. If required, import the secondary Card/ID numbers.

    1. In Secondary number, select Sync from AD/LDAP field.
    2. In AD/LDAP field name, enter the name of the field containing the card/ID numbers.


If you enter the field name incorrectly, the synchronization will fail. It is therefore important to test your configuration changes. To test the changes, click Test Settings. If the card number is retrieved correctly, then it is the 4th user field in the test output.

Extract the card/id number from an LDAP/AD field using a regular expression

The vast majority of sites store the full card number in a single field in AD/LDAP. In this situation, you do not need to use a regular expression (regex) to extract the card number. A regular expression is required only under some specific circumstances, including:

  • The field contains more then just the card number. For example, if the field contained a card number and student number separated by a comma (e.g. 12345678,0003456).

  • The multi-valued LDAP/AD field contains multiple values and only one representing the card number. e.g. Some third party authentication management systems store external IDs (like card numbers) in a single multi-valued LDAP field.


    For multi-value fields, PaperCut imports all the field values separated by TABs. Use the regex to extract the required portion of the field.

To use a regular expression to extract the card/id number:

  1. In the Sync Source area, select the Apply regular expression to extract primary/secondary card number from AD/LDAP check box .
  2. Enter the regular expression used to extract the card number. The regular expression must contain a capture group (represented by parentheses), that represents the part of the field that the card number is extracted from.

The simplest way to create a regular expression is to start with one of the following examples.

Table 80: Example regular expressions to extract card numbers
Regular Expression Description
([\d]+) Extracts the first sequence of digits. e.g. if the field contains 12345678,005678 then 12345678 is extracted.
([\d]{5}) Extracts the first sequence of 5 digits. e.g. if the field contains 12345678 then 12345 is extracted.
=([\d]+) Extracts the sequence of digits after the = character. e.g. if the field contains 12345678=56789" then 56789 is extracted.
([\d]+)::abc Extracts the sequence of digits preceding the text ::abc. This is a common notation when storing identities in a multi-valued field in LDAP. The ::abc notation is used to indicate the different identity types. In this example, if the field contains 1234::xyz 5678:qrs 9876::abc then 9876 is extracted.

For more information on regular expressions and a test tool, see If you need assistance, please contact support.

Set the secondary sync source (optional)

Enabling a secondary sync source allows PaperCut to merge the results from two independent sources. Examples of where this is useful include:

  • A school with an Active Directory domain for the majority of users and a separate LDAP server that is used and managed by one department.

  • An organization with a new LDAP server and an old legacy LDAP server with separate but unique users who have not been migrated to the new server.

  • A university with an Active Directory for the Windows student workstations and an Open Directory for the staff Mac workstations.

When enabled, PaperCut queries both sources to find users and groups. Usernames are treated as globally unique, so the same username existing in both sources is treated as the same user (in this case, the details for the user are merged, with the primary sync source taking priority). If there is an error connecting to or synchronizing against either source then no actions takes place.

To set a secondary sync source:

  1. In the Secondary Sync Source (Advanced) area, select the Enable secondary sync source check box.
  2. Complete the secondary sync source details as described above. These fields are the same as those for the primary sync source.

Set the sync options

The options listed in the Sync Options area control how the synchronization will take place.

  1. In the Sync Options area, select any of the following options as appropriate:

    • Update users' full-name, email, department and office when synchronizing—if a user's details in PaperCut do not match those in the synchronization source, update the details in PaperCut NG.

    • Import new users and update details overnight—synchronization automatically occurs each night at approximately 12:55am. This option never deletes users from PaperCut.

    • Delete users that do not exist in the selected source—deletes users from PaperCut if they no longer exist in the selected synchronization source.

      This option affects only users added via the synchronization source (e.g. the domain) and does not delete Printing solutions for guests and anonymous users. Users that do not exist in the Sync source are deleted only when you manually synchronize (click Synchronize Now).

      This option does not delete users when automatically synchronizing overnight.

  2. To test the operation, click Test Settings.

    A Testing sync settings popup dialog box displays the details of users and user groups that will be modified (updated, added or deleted) when the actual sync operation is run.

  3. Tip: You can configure the maximum number of deletion candidates that are displayed in the Testing sync settings popup dialog box, via the config key user-source.test-sync.max-pending-deletion-entries-displayed.

    By default a maximum of 100 deletion candidates are displayed.

    For information about setting config keys, see Using the Config Editor.

  4. Click Apply.


Share your findings and experience with other PaperCut users. Feel free to add comments and suggestions about this Knowledge Base article. Please don't use this for support requests.