Synchronize user and group details with Active Directory

If the PaperCut server is a member of an Active Directory domain, you should use the Windows Active Directory option. The advantages over the Windows Standard option include:

  • Allows use of Active Directory organizational units.
  • Supports nested groups for simplified user management.
  • Allows importing users from other trusted Active Directory domains.

PaperCut NG/MF’s Active Directory integration is performed at a native level and supports advanced features, such as nested groups and OUs.

To synchronize your user data with Active Directory:

Set the primary sync source

  1. Select Options > User/Group Sync. The User/Group Sync page is displayed.

  2. In the Sync Source area, in Primary sync source, select Windows Active Directory.

  3. Complete the following fields as required:

    • Import disabled users—If set, all users, including disabled accounts, are imported from the domain. In an education environment, select this option, because student accounts are sometimes disabled for disciplinary actions and removing the account from PaperCut NG/MF is not appropriate. This option is normally off by default.

    • Enable multi-domain support—Select this option for larger sites running multiple trusted domains. For example, in an education environment it is common to have separate domains for students and staff/teachers with a one-way trust relationship. This option can bring in groups, OUs, and users from both domains.

      The list of domains is semicolon separated (;). This list should contain the name of the domains in DNS dot notation, and should include the name of the current domain if you want to import from this domain.

      Domain trust relationships are a complex area. Click Test to verify that the settings result in the desired behavior. The total number of user accounts is a good measure.

  4. Select the users to import:

    • Import all users
    • Import users from selected groups—If you select this option, click Select Groups; then select the groups/OUs you want to import. This option is useful if the domain contains old users or users who do not print.

Synchronizing Card/ID Numbers

Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find on the User List page. PaperCut can synchronize this information from a field in your directory.

Detailed information can be found on our page: Synchronize Card/Identity Numbers from a directory.

Set the secondary sync source (optional)

Enabling a secondary sync source allows PaperCut to merge the results from two independent sources. Examples of where this is useful include:

  • A school with an Active Directory domain for the majority of users and a separate LDAP server that is used and managed by one department.
  • An organization with a new LDAP server and an old legacy LDAP server with separate but unique users who have not been migrated to the new server.
  • A university with an Active Directory for the Windows student workstations and an Open Directory for the staff Mac workstations.

When enabled, PaperCut queries both sources to find users and groups. Usernames are treated as globally unique, so the same username existing in both sources is treated as the same user (in this case, the details for the user are merged, with the primary sync source taking priority). If there is an error connecting to or synchronizing against either source, then no action takes place.
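
A small model of the merge rule above, as an added example (not PaperCut code): it lists usernames that exist in both sources, so you can confirm they really are the same person before enabling the secondary source. The field-level merge (the secondary fills only fields the primary leaves empty) and exact-string username comparison are assumptions, and the sample records are constructed.

```python
# Model of the two-source merge rule (added example, not PaperCut code).
# Assumptions: records are dicts keyed by username; usernames compare as exact
# strings; on a collision the secondary only fills fields the primary leaves empty.

class SourceError(Exception):
    """Raised by a source that cannot be reached or read."""


def merge_sources(fetch_primary, fetch_secondary):
    """Return (merged_users, collisions), or raise SourceError.

    Both sources are read before anything is merged, so a failure in
    either one produces no result at all ("no action takes place").
    """
    primary = fetch_primary()      # may raise SourceError
    secondary = fetch_secondary()  # may raise SourceError

    merged = {name: dict(fields) for name, fields in primary.items()}
    collisions = []
    for name, fields in secondary.items():
        if name not in merged:
            merged[name] = dict(fields)
            continue
        # Same username in both sources: treated as one user.
        collisions.append(name)
        for key, value in fields.items():
            if not merged[name].get(key):
                merged[name][key] = value  # primary values win where set
    return merged, sorted(collisions)


# Constructed sample data: two different people share the username "jsmith".
AD_USERS = {
    "jsmith": {"full_name": "Jane Smith", "email": "jsmith@staff.example", "office": ""},
    "akhan": {"full_name": "Amir Khan", "email": "akhan@staff.example", "office": "B2"},
}
LDAP_USERS = {
    "jsmith": {"full_name": "John Smith", "email": "john@dept.example", "office": "Lab 4"},
    "mlee": {"full_name": "Min Lee", "email": "mlee@dept.example", "office": "Lab 1"},
}


def unreachable():
    raise SourceError("secondary source unreachable")


if __name__ == "__main__":
    users, clashes = merge_sources(lambda: AD_USERS, lambda: LDAP_USERS)
    print("usernames present in both sources:", clashes)
    print("merged jsmith:", users["jsmith"])
```

In the sample, the merged "jsmith" keeps the primary source's name and email but picks up the other person's office, which is the kind of mixed record a username collision produces.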

To set a secondary sync source:

  1. In the Secondary Sync Source (Advanced) area, select the Enable secondary sync source check box.
  2. Complete the secondary sync source details as described above. These fields are the same as those for the primary sync source.

Set the sync options

The options listed in the Sync Options area control how the synchronization will take place.

  1. In the Sync Options area, select any of the following options as appropriate:

    • Update users’ full-name, email, department and office when synchronizing—if a user’s details in PaperCut do not match those in the synchronization source, update the details in PaperCut NG/MF.

    • Import new users and update details overnight—synchronization automatically occurs each night at approximately 12:55am. This option never deletes users from PaperCut.

    • Delete users that do not exist in the selected source—deletes users from PaperCut if they no longer exist in the selected synchronization source.

      This option affects only users added via the synchronization source (for example, the domain) and does not delete Guest and anonymous user management. Users that do not exist in the Sync source are deleted only when you manually synchronize (click Synchronize Now).

      This option does not delete users when automatically synchronizing overnight.

  2. To test the operation, click Test Settings. A Testing sync settings popup dialog box displays the details of users and user groups that will be modified (updated, added, or deleted) when the actual sync operation is run.

  3. Click Apply.

Troubleshooting AD sync issues

For more help in resolving AD sync issues, check out our knowledgebase articles:
