Synchronizing user accounts with Active Directory and G Suite
Large organizations often use Microsoft Active Directory or Google G Suite to manage employee accounts on a company network. Pyrus works with both, and lets you easily manage the list of accounts by synchronizing users with your identity provider.
This synchronization saves an administrator’s time, reduces the number of errors in creating new accounts, and enhances security by blocking access to former employees’ accounts across all systems.
Synchronizing Pyrus with Microsoft Active Directory
The user automatically receives an invitation to Pyrus when a new account is created in Active Directory.
Setting up user synchronization
Launch Pyrus Sync, then click Active Directory Sync in the left panel.
Select the Active Directory data source.
If necessary, select the group that includes users whose data you’re going to sync with Pyrus employees’ data.
To do so, press the Pick Group button in the selection field.
In the window that opens, check the boxes next to the user groups to be synced.
Pyrus Sync will prepare the accounts to be synced, and show you what user data will be transferred from Active Directory to Pyrus.
If your organization structure has several hierarchy levels, you need to manually create those levels first in the Pyrus orgchart. Pyrus Sync will map the user attributes in Active Directory to the Pyrus organization structure during synchronization. If there are departments in Active Directory that aren’t listed in the organizational structure in Pyrus, they will appear in Pyrus after synchronization.
Note: Every two hours, Pyrus Sync tracks changes in Active Directory and prepares them for synchronization. If any changes should be sent immediately to Pyrus, click Update now before synchronizing.
Click Sync and the program will show the changes that it found.
- Add — this adds a list of new users. They will be added to Pyrus after synchronization.
- Update — if any changes have been made since the last synchronization (like a change in name or position), you will find them in this section.
- Block — this group includes users who have been blocked in Active Directory. When blocked in Active Directory, they lose access to their Pyrus account, and all their active sessions are terminated across all devices.
The status indicated in the Status column shows why some users will be added and why others will be updated or blocked.
- New is for the new users. They will be added to Pyrus after synchronization.
- Update — if any changes have been made since the last synchronization, like a change in name or position, you will see updated details in Pyrus after synchronization.
- Block — this status is for the users who aren’t found and users who have been blocked in Active Directory or located in an organizational unit whose name doesn’t include “user” or “users.” They won’t be able to access their Pyrus accounts after synchronization.
- Unblock — these are users who are blocked in Pyrus. They will be added to Pyrus again.
- Bind — these are Pyrus users who haven’t been synchronized with AD. After synchronization, they will be bound to the AD users by their email address.
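The status rules above, modelled as a dry-run classifier that shows which accounts a sync would add, change or block. This is an added example, not Pyrus Sync's own code; the record layout, the case-insensitive match on the organizational unit name, and leaving never-synced Pyrus accounts untouched are assumptions.

```python
# Constructed sample data; the field layout is an assumption, not Pyrus Sync's schema.
# AD rows: (email, name, title, organizational unit, enabled)
AD_USERS = [
    ("ann@company.com",  "Ann Lee",  "CFO",             "Users",            True),
    ("bob@company.com",  "Bob Roy",  "Senior Engineer", "Users",            True),
    ("carl@company.com", "Carl Fox", "Analyst",         "Users",            False),
    ("svc@company.com",  "Backup",   "Service",         "Service Accounts", True),
    ("dana@company.com", "Dana Kim", "Designer",        "Office Users",     True),
    ("eve@company.com",  "Eve Moss", "Recruiter",       "Users",            True),
    ("gina@company.com", "Gina Paz", "Lawyer",          "Users",            True),
]
# Pyrus rows: email -> (name, title, blocked, already synced with AD)
PYRUS_USERS = {
    "bob@company.com":   ("Bob Roy",   "Engineer",  False, True),
    "carl@company.com":  ("Carl Fox",  "Analyst",   False, True),
    "svc@company.com":   ("Backup",    "Service",   False, True),
    "dana@company.com":  ("Dana Kim",  "Designer",  True,  True),
    "eve@company.com":   ("Eve Moss",  "Recruiter", False, False),
    "frank@company.com": ("Frank Ito", "Driver",    False, True),
    "gina@company.com":  ("Gina Paz",  "Lawyer",    False, True),
}

def classify(ad_users, pyrus_users):
    """Return {email: status} for every account a sync would change."""
    plan, seen = {}, set()
    for email, name, title, ou, enabled in ad_users:
        email = email.lower()
        seen.add(email)
        p = pyrus_users.get(email)
        # Block rule from the status list: blocked in AD, or OU name lacks "user".
        # Case-insensitive matching is an assumption.
        eligible = enabled and "user" in ou.lower()
        if not eligible:
            if p and not p[2]:
                plan[email] = "Block"
        elif p is None:
            plan[email] = "New"
        elif p[2]:
            plan[email] = "Unblock"
        elif not p[3]:
            plan[email] = "Bind"  # matched to the AD user by email address
        elif (name, title) != p[:2]:
            plan[email] = "Update"
    # Synced Pyrus accounts no longer found in AD are blocked (assumption:
    # never-synced Pyrus accounts are left alone).
    for email, p in pyrus_users.items():
        if email not in seen and p[3] and not p[2]:
            plan[email] = "Block"
    return plan
```

Calling `classify(AD_USERS, PYRUS_USERS)` puts the enabled service account under Block solely because its organizational unit name lacks “user”, which is the case worth checking before the first sync.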
Pyrus Tip: The list of updated elements may include hundreds of entries. For example, when a company goes international, employee names should be transliterated into English. To find the right person on a large list, use the Search users field. The search supports regular expressions. Let’s suppose titles of some user accounts start with a number. To quickly find them, enter ^[0-9] in the search box.
If you don’t want certain accounts to be synchronized in Pyrus, use one of two ways to exclude a user from the sync:
- Go to the To sync section and check the box next to the users to be excluded, then press Add to exceptions.
- Open the Exceptions section. Click Add filter in the row you need, then enter the text whose presence will exclude the AD user from syncing. Hit Save.
Click Sync to start synchronizing.
Setting up group sync
Pyrus can sync not only individual users but also whole subdivisions of an organization. In Active Directory these are called Groups.
In Pyrus, these groups are reflected as roles: when a new group such as MarketingGroup is created in Active Directory, a new role appears in Pyrus after syncing.
When users are added to or deleted from the group, the personnel changes are reflected in Pyrus.
To set up group sync, launch Pyrus Sync and open the Roles section in the left panel.
Select the Active Directory data source.
Select the group whose data will be synced with the Pyrus role data and hit Sync.
There are two ways to exclude a group from the sync:
- Go to the To sync section and check the box next to the group to be excluded, then press Add to exceptions.
- Open the Exceptions section. Click Add filter in the row you need, then enter the text whose presence will exclude the AD group from syncing. Hit Save.
- Synchronize with Pyrus Sync every time you add or block a user in Active Directory, or at least once a day.
- When your organization changes its primary domain name (for example, from moscow.company.com to company.com), it can appear that some users have two email addresses (firstname.lastname@example.org and email@example.com). For correct synchronization with Pyrus, make sure that each user in Active Directory has one email address for the new domain.
If a user tries to start synchronization without Pyrus Administrator rights, they will see this error
Solution: give the user Administrator rights, or log in to Pyrus Sync as an Administrator and run the synchronization.
The error message appears when opening Active Directory Sync in Pyrus Sync on a machine that is not in the Active Directory domain.
Solution: start syncing on a machine that is in your Active Directory domain.