CTC Accounts Active Directory
Synchronizer User Guide
CTC Accounts Active Directory Synch User Guide
February 25, 2022
https://www.ctcsoftware.com
Page 2 of 32
Contents
Overview
System Requirements
Additional Notes
Installation and Configuration
Running the Synchronizer Interactively
Automatic Updates
Logging In
Options
Download from CTC Accounts
Update from Active Directory
Publish to CTC Accounts
Adding Active Directory Groups
Deleting Active Directory Groups
Adding Active Directory Users
Unlinking an Active Directory User
Scheduling the Synchronizer
Appendix A Permissions to Read from Active Directory
Overview
CTC Software (CTC) offers products and services which allow our customers to control who has access to their data
stored in these services. This is controlled by the CTC Accounts system. An example of one of these services is the HIVE
product.
For each customer organization, the CTC Accounts system has “CTC users” defined. Each user is identified by their email
address, which is their login ID to the CTC service. For every CTC customer (organization), at least one of these CTC users
must be defined as a “company administrator.” A company administrator can define and manage other CTC users that
are linked to their organization, including defining users as additional company administrators.
A company administrator can also define groups of users (“CTC groups”), and then assign CTC groups various
permissions to access different sets of data within the service CTC provides. As the company administrator moves CTC
users in and out of CTC groups, the permissions for those users in the CTC system will change accordingly.
For example, in the HIVE product a CTC group may be assigned permissions to access 3 different libraries of content
files. Adding a CTC user to the CTC group will give the user access to all 3 libraries in one step.
Organizations typically have to go through defining users and groups within their company network just to run their
business. For example, they must define a user account for each employee that logs into their network. These
definitions are most commonly stored in a Microsoft Active Directory system on a Windows Server domain.
CTC offers the ability to import (replicate) selected definitions of groups and users from an organization’s Active
Directory-based network, with the ability to periodically resynchronize changes from Active Directory into the CTC
Accounts system.
For example, in HIVE you may have created a library which contains files that work with Autodesk® Revit® design
software. You may further have an Active Directory group already in your organization called “Revit Users” which
contains all the Active Directory users in your organization that use the Revit modeling software.
With the CTC Accounts Active Directory Synchronizer tool you can “link” the Active Directory group “Revit Users” to the
CTC Accounts system, which will then define a CTC group named “Revit Users” and will also define CTC users for all the
Active Directory user accounts that are members of the Active Directory group “Revit Users.”
By default, only Active Directory users who are enabled in Active Directory would have CTC user accounts created in the
CTC Accounts system. If an Active Directory user account is disabled, a matching CTC user account would NOT be
created.
As a further example, if at a later time an Active Directory user account is disabled or deleted (for example, an employee
leaves the company) the next time the CTC Accounts system is updated from Active Directory, the CTC User account will
automatically be placed in a disabled state, so they won’t be able to login to the CTC resource again using their old
credentials.
This will prevent the former employee from logging into the CTC resource on their own, for example if they go to work
for a competitor that also uses CTC systems.
The CTC Accounts Active Directory Synchronizer CAN be run silently, so you can set it up as a scheduled task to run
periodically, for example every night.
The synchronizer will also update changes to Active Directory user definitions automatically. For example, if a user’s
email address changes in Active Directory, when synchronized with the CTC Accounts system their email address (and
thus login ID) will be updated to match. This can be useful, for example, if someone gets married and changes their
name.
If an Active Directory group being synchronized with the CTC Accounts system is deleted from Active Directory, the
synchronizer will automatically delete the group from the CTC Accounts system as well.
If an Active Directory user is removed from an Active Directory group, the synchronizer will automatically remove their
CTC user account from the same CTC group.
While the synchronizer can create CTC user accounts, it will NEVER delete CTC user accounts. The most it can do is
disable an existing CTC user account and remove a CTC user account from a CTC group that came from Active Directory.
System Requirements
The following system requirements are necessary to successfully use the CTC Accounts Active Directory Synchronizer:
1) Every time the synchronizer is started you will be prompted to login to the CTC Accounts system. You MUST be
a company administrator user for your organization in order to successfully login to the system and use the
synchronizer.
2) If the synchronizer is run as an unattended scheduled task, the settings being used must include the login
information for a company administrator as well.
3) All Active Directory user accounts to be imported and later resynchronized with the CTC Accounts system MUST
have the user’s email address defined, as well as the first name and last name. If no email address, first name or
last name are found in Active Directory for a user, their CTC user account cannot be created or an existing
account manually created cannot be linked to the Active Directory account.
4) The person running the synchronizer must have permissions to read and search Active Directory for users and
groups. If the synchronizer is set up as a Scheduled Task in Windows, the credentials with which the task is
running must have the same permissions. By default most users have sufficient permissions to read what is
needed except the ability to read the Enabled state of an Active Directory user account. Please refer to
Appendix A for more information about gaining the ability to read this value.
5) The default usage of the Active Directory Synchronization tool requires that all user and group accounts be
defined within the same Active Directory forest (ideally within the same Active Directory domain, for simplicity
and speed). However, spanning multiple domains, even if defined in different forests, is now supported as well.
This is explained further in the Options section, below.
Additional Notes
1) The synchronizer can create CTC groups from either Active Directory security groups or Active Directory (email)
distribution groups.
2) Only CTC groups that are linked to Active Directory groups will be available in the synchronizer. Other, manually
created CTC groups will not appear in the synchronizer.
3) Active Directory is the “single source of truth” for CTC group definitions and CTC group member definitions
which initially came from Active Directory. When an Active Directory group is imported, ALL non-disabled user
members of a group (including inherited members) will be brought into the CTC Accounts system. If, for
example, you don’t want some users in a CTC group which was imported from Active Directory to be in that CTC
group, the only way to remove the users is to remove them from the original Active Directory group and
resynchronize. In some cases it may be best to either create a new group in Active Directory with fewer
members and add that new group to the CTC Accounts system, or create and manage the CTC group manually,
using the standard CTC Accounts management tools.
4) To enforce the “single source of truth” for groups from Active Directory, there is no way to convert a manually
created CTC group to an Active Directory-linked group. For example, you may manually create a CTC group
called “Revit Users” and assign it to have permissions in 5 different HIVE libraries. If you have an Active
Directory group called “Revit Users,” in order to import it into the CTC Accounts system you must delete the
manually created version from CTC Accounts first (which removes its library associations), import the AD group,
then reassign it manually to the same libraries.
5) CTC Users that are disabled in the CTC Accounts system WILL NOT be available in the synchronizer, and thus
their CTC user account will not be changeable by the synchronizer. A disabled CTC User account must be
manually enabled in the CTC Accounts system before it will appear (or reappear) in the synchronizer.
6) The standard CTC Accounts editor will not let you edit a CTC group or CTC user that is linked to Active Directory,
with the exception of changing the enabled state of a CTC user and the ability to reset the CTC user’s password.
You can only delete a CTC group that is linked to an Active Directory group using the synchronizer, either by
deleting it in Active Directory and resynchronizing, or by manually deleting it in the synchronizer (breaking the
synchronization link).
7) IMPORTANT: Any time a CTC user account is created by the synchronizer, either by Active Directory group
membership or by manually adding an Active Directory user, the user will get a “welcome” email message with
information about changing the default password provided.
8) IMPORTANT: Only the barest minimum of information about users and groups from Active Directory is stored
in the CTC Accounts system. For users, this includes their first name, last name, email address and the cryptic
system ID values that allow finding their account in Active Directory again in the future, for resynchronizations.
For groups only the name and cryptic system ID values are stored.
Installation and Configuration
The CTC Accounts Active Directory Synchronizer tool has its own installation program, which must be run with
Administrative privileges:
CTCAccountsADSynchronizerSetup.msi
This program is extremely simple to install, with no visible options.
It does, however, support a silent install by providing the command line parameter /q
For example:
CTCAccountsADSynchronizerSetup.msi /q
The synchronizer stores configuration information in the folder:
C:\ProgramData\CTC\CTC Accounts
By default, activity logs are stored in a Logs subfolder:
C:\ProgramData\CTC\CTC Accounts\Logs
After installation these folders will be empty. Once the synchronizer has been run the first time, a default settings file
called ActiveDirectorySynchSettings.xml will be created.
Everything in this file except an encrypted password (explained below) can be edited with a text editor, though it’s
strongly recommended to use the Options portion of the synchronizer itself to make changes to this settings file.
The logs folder location can be changed in the settings file. Log files can be centralized, e.g. placed on a network drive,
which is a good idea if more than one person will be making synchronizations between Active Directory and the CTC
Accounts system. If the location is not changed, log files will be stored in the Logs subfolder shown above by default.
The creation of log files can also be turned off in the Options portion of the synchronizer, as well as setting the number
of days after which old log files will be automatically deleted when the synchronizer runs.
Running the Synchronizer Interactively
The synchronizer can be run visually, like most Windows applications, or can be run silently on a schedule (discussed
below). To run the CTC Accounts Active Directory Synchronizer visually, launch it from the icon in the Start Menu.
It’s located under CTC Software:
A desktop icon is also added when installing the software.
Automatic Updates
When you first launch the synchronizer, it will check to see if an update is either available or required. For example, you
may see a dialog like this:
Or an equivalent message that says an optional update is available.
If running the synchronizer silently (e.g. on a scheduled basis, see below) and an update is required, a synchronization
will not occur, but the log file that is created will explain it is because a newer version of the synchronizer is required.
In the examples below, this tool will be run without any manually created CTC users in the CTC Accounts system, except
for the company admin account that was set up when the service was created for the organization.
Logging In
When you first launch the synchronizer, you will be required to login to the CTC Accounts system. You must provide the
email address and password of a company administrator for your organization:
Once you successfully login, the dialog will show three lists, which come from the CTC Accounts system:
1) The list of CTC groups that are linked to Active Directory group accounts
2) The list of CTC users that are linked to Active Directory user accounts
3) The list of CTC users that are NOT linked to Active Directory user accounts
Options
Clicking the “Options” button in the toolbar across the top will allow you to change how the synchronizer functions.
These are the default settings:
“Automatically refresh from Active Directory on startup” will try to resynchronize the data for the CTC Accounts system
to match the current state of Active Directory. These changes ARE NOT automatically saved back to the CTC Accounts
system, but instead the log of the changes to be made will be presented to you for your review before you later choose
to save the changes to the CTC Accounts system.
“Automatically link unlinked CTC Accounts to matching Active Directory users” will examine the unlinked CTC Accounts
users for your organization and will search your Active Directory looking for users with matching email addresses. For
those CTC Users that are found to have a matching user email address in Active Directory, those CTC Users will
automatically be associated with, and updated from, their Active Directory user counterparts.
“Allow CTC user accounts to be created or linked to users that are disabled in Active Directory” will, if enabled, associate
disabled user accounts in Active Directory with CTC user accounts. For CTC user accounts that don’t already exist, this
would wind up creating CTC user accounts which are immediately disabled upon creation.
“Automatically disable CTC Accounts users if the linked user account has been disabled in Active Directory” will simply
mirror the fact the user account is disabled in Active Directory in the CTC Accounts system as well. Once disabled in the
CTC Accounts system, a CTC user account can only be re-enabled manually in the CTC Accounts system using the
standard CTC groups and user management tools.
“Automatically disable CTC Accounts users if the linked user account has been deleted in Active Directory” will disable a
CTC User that had been linked to an Active Directory account if the Active Directory user account can no longer be found
in Active Directory. Once disabled in the CTC Accounts system, a CTC user account can only be re-enabled manually in
the CTC Accounts system using the standard CTC groups and user management tools.
If “Show progress dialogs” is selected, a progress dialog with a cancel button will appear during resynchronizations.
If “Show the legend on startup” is selected, the color legend (with instructions) will appear below the 3 lists on startup,
as seen in the image above.
If “Show processing logs” is selected, after every action a window will appear which lists all of the details of events that
occurred during the processing of the action. Examples will be shown below.
If “Save log files” is selected, the logs that appear during processing will be saved to files as well.
If “Delete log files older than ___ days” is selected, log files older than the specified number of days at the time the
synchronizer is run will be automatically deleted.
The “Log files folder” determines where the log files to be saved will be written.
The “Log detail level” determines the level of detail the data in the log files will have. Most of the time “Low” is
appropriate, but if there is an unexpected or unexplained issue then setting this value to “High” may be helpful.
“Use strict Active Directory search checking” should only ever be turned off if you need to recreate Active Directory user
and group definitions and don’t want to lose their meaning in the CTC Accounts system. This may happen, for example,
if two companies merge.
When strict checking is enabled (the default), the Active Directory identifiers stored with user and group definitions in
the CTC Accounts system that were originally imported from Active Directory must be found in the Active Directory
domain forest being synchronized. This ensures beyond any doubt that the exact same Active Directory user or group
originally imported has been found and any changes will be updated correctly in the CTC Accounts system.
Strict checking will automatically work correctly even if user or group definitions are moved to a different domain, for
example within the same Active Directory forest. When moving AD definitions, their original identifiers are stored and
accessible from within Active Directory. New identifiers are assigned when in the new domain, but the AD Synchronizer
will update its copy of the identifiers to match the new identifiers from the new domain. The synchronization log will
show these changes and turn the affected items yellow to indicate changes should be published back to the CTC
Accounts system.
If you run the synchronizer with strict checking turned on and you’re on a new domain where users and groups have
been recreated, all users and groups will appear red in the synchronizer, indicating they were not found in the current
Active Directory and if you publish changes back to the CTC Accounts system the groups will be deleted from the CTC
Accounts system and the users will be “unlinked” from Active Directory in the CTC Accounts system.
However, if this option is turned off and you “Download from CTC Accounts” again and “Update from Active Directory”
again, if a user is NOT found using strict checking, it will search Active Directory users again, but this time using only the
e-mail address stored in the CTC Account system for that user. If a user is found in Active Directory with that e-mail
address, it will update their recorded system identifiers and again log the change and turn that item yellow in the list.
If this option is turned off and a group being searched for is NOT found using strict checking, it will search Active
Directory groups again, but this time using only the display name of the group stored in the CTC Account system for that
group. If a group is found in Active Directory with that name, it will update its recorded system identifiers and again log
the change and turn that item yellow in the list.
So for this to work, recreated users must have the same email addresses as the originals and recreated groups must
have the same names as the originals.
Once the updated items are republished to the CTC Accounts system, strict checking should be turned back on.
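The lookup order described above, modelled as an added Python example (it is not CTC's code). The field names, the sample directory and the handling of an ambiguous name match are assumptions made for illustration; the colours follow the synchronizer's legend as this guide describes it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AdEntry:
    """Constructed stand-in for one Active Directory user or group."""
    kind: str                 # "user" or "group"
    ad_id: str                # current system identifier (hypothetical field)
    name: str                 # e-mail address for users, display name for groups
    previous_ids: tuple = ()  # identifiers held before a move to another domain


@dataclass(frozen=True)
class LinkedItem:
    """A CTC user or group with the identifier recorded when it was imported."""
    kind: str
    name: str
    ad_id: str


def resolve(item, directory, strict=True):
    """Return (colour, new_ad_id, reason) for one linked item."""
    same_kind = [e for e in directory if e.kind == item.kind]
    # 1. Strict match on the recorded identifier.
    for entry in same_kind:
        if entry.ad_id == item.ad_id:
            return ("green", entry.ad_id, "identifier unchanged")
    # 2. Still strict: the object moved domains and kept its original identifier.
    for entry in same_kind:
        if item.ad_id in entry.previous_ids:
            return ("yellow", entry.ad_id, "moved; original identifier found")
    # 3. Only with strict checking off: fall back to e-mail / display name.
    if not strict:
        hits = [e for e in same_kind if e.name.casefold() == item.name.casefold()]
        if len(hits) == 1:
            return ("yellow", hits[0].ad_id, "relinked by name only")
        if len(hits) > 1:
            # Assumption of this example: never relink on an ambiguous name.
            return ("red", None, "ambiguous name match")
    return ("red", None, "not found")


def publish_effect(item, colour):
    """What publishing would do to the item, per the behaviour described above."""
    if colour == "red":
        return "delete group" if item.kind == "group" else "unlink user"
    return "update identifiers" if colour == "yellow" else "none"


def plan(items, directory, strict=True):
    """Map each item name to (colour, new_ad_id, publish effect, reason)."""
    result = {}
    for item in items:
        colour, new_id, reason = resolve(item, directory, strict)
        result[item.name] = (colour, new_id, publish_effect(item, colour), reason)
    return result


# Constructed sample data: alice and "Revit Users" were recreated with new
# identifiers, bob was moved to another domain, carol is untouched, dave is gone.
LINKED = [
    LinkedItem("user", "alice@example.com", "A-100"),
    LinkedItem("user", "bob@example.com", "A-101"),
    LinkedItem("user", "carol@example.com", "A-102"),
    LinkedItem("user", "dave@example.com", "A-103"),
    LinkedItem("group", "Revit Users", "G-10"),
]
DIRECTORY = [
    AdEntry("user", "B-900", "alice@example.com"),
    AdEntry("user", "B-901", "bob@example.com", previous_ids=("A-101",)),
    AdEntry("user", "A-102", "carol@example.com"),
    AdEntry("group", "G-77", "Revit Users"),
]

if __name__ == "__main__":
    for strict in (True, False):
        print(f"strict checking = {strict}")
        for name, row in plan(LINKED, DIRECTORY, strict).items():
            print(f"  {name:20} {row}")
```

With strict checking off, alice@example.com is relinked on a matching address alone, which is the reason the guide says to turn strict checking back on once the updated items are republished.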
“When synchronizing with Active Directory” has multiple settings:
- “Search all domains in the current forest” is the default, and the most broad for organizations with a single
Active Directory forest but perhaps multiple domains within the forest. This option is needed when groups
contain users or groups from different domains within the same forest. In this scenario, only the one forest can
be used for all Active Directory-linked users and groups for an organization.
- “Only search the current domain” allows linking multiple domains, even if they are defined in different forests.
This can be very useful, for example, if one organization acquires another and wants Active Directory users and
groups from both organizations to be linked to their one organization definition in the CTC Accounts system.
The way this works is that the synchronizer only receives group and user information from the CTC Accounts
system for those groups and users who are defined in the same domain as the user currently running the
synchronizer, plus it receives information about all unlinked users, in case a match can be found in the current
domain.
However, this requires that all members of a group in the domain also be defined in that same domain. This is
because members of a group that are located in another domain within the same forest will not be found.
The way multiple domains in multiple forests is supported requires the Active Directory synchronizer to be run
multiple times, once while the user running the tool is logged in to Windows on each domain. The same CTC
Account company administrator credentials can be used regardless of who is logged in to Windows when
running the tool.
For example, with this option selected a person at the home office could run the tool to synchronize groups and
users from the parent company’s domain, and a person at the acquired company’s office can run the tool while
logged into their domain to synchronize their users and groups. Of course if run on a schedule, the domain
account running the synchronizer would need to be from the correct domain to be synchronized.
Another use for the “Only search the current domain” option is for performance. If you have multiple domains
in a forest but you know all of your users and groups are defined in the current domain, selecting this option will
prevent the tool from even trying to find groups or users (for example, unlinked users or groups/users that may
have been moved when they were actually deleted) in other domains within the forest, which can make the tool
run faster.
- “Generate a debug log” is an option which will create a very highly detailed log of activities that occur when
querying Active Directory. This can be used to see more of what happened, perhaps what actions took the most
time, etc. The log file generated is:
C:\ProgramData\CTC\CTC Accounts\Logs\LastActiveDirectoryQueryLog.csv
This log gets deleted and recreated every time the synchronizer updates from Active Directory.
These settings are stored in the file: C:\ProgramData\CTC\CTC Accounts\ActiveDirectorySynchSettings.xml
Download from CTC Accounts
The “Download from CTC Accounts” button in the toolbar across the top will retrieve the data from the CTC Accounts
system for your organization.
The three columns will be populated with the data from the CTC Accounts system.
This button can be used as a “cancel changes” button, should you start making changes by mistake. For example, if you
accidentally selected the wrong Active Directory group to synchronize.
Downloading the data from the CTC Accounts system always happens automatically when the application starts up and
you have successfully logged in as a company administrator.
Update from Active Directory
The “Update from Active Directory” button in the toolbar across the top will read information from Active Directory and
apply any changes needed to the data seen on screen.
For example, if you have been synchronizing an Active Directory group and additional Active Directory users have been
added to the group since the last synchronization, CTC user accounts will automatically be created as needed and linked
to the new Active Directory user members.
If those new Active Directory group members were already in the CTC Accounts system as CTC users, the corresponding
existing CTC user accounts will automatically be added to the matching CTC group.
Updating from Active Directory can happen automatically when starting up the application and logging in successfully as
a company administrator if the options setting for this is enabled. This setting is enabled by default.
Publish to CTC Accounts
The “Publish to CTC Accounts” button saves any changes made back to the CTC Accounts system. Once the save is
complete, all data will be re-read from the CTC Accounts system and updated in the 3 columns. This is necessary to
ensure what is seen on screen matches the CTC Accounts data, in case there were any errors that occurred when trying
to publish the changes.
Any errors that occur when publishing the changes, as is the case with all actions in the synchronizer, will be reflected in
the logs.
Publishing changes to CTC Accounts is never performed automatically when the application starts up.
Adding Active Directory Groups
While adding Active Directory users individually to the CTC Accounts system can be done manually (discussed in the
section below), the fastest way to get exactly and only the Active Directory users needed into the CTC Accounts system
is often to bring them in automatically with those Active Directory group definitions which will be applicable in the CTC
Accounts system.
To begin adding Active Directory groups, either right-click in the “CTC Groups Linked to Active Directory” list and select
the “Add Active Directory groups to CTC Accounts” choice from the pop-up menu list, or click on the button with the
green plus symbol:
This will display the Active Directory browser:
Once an organizational unit container has been selected in the left column, the groups defined within that container will
be visible in the middle column.
To help confirm the correct group will be selected, the members of a group can be seen by right-clicking on the group
and selecting the “Show Group Members” choice:
In this example we want groups in the CTC Accounts system which mirror everyone in the Human Resources department
and everyone in management.
If we use the Ctrl key and click to select the two security groups and then click the button with the right arrow, they will
get added to the list of groups to ultimately add to the CTC Accounts system:
Once added to the last column, you can right-click on a group to again preview all the user members in it which will also
be imported into the CTC Accounts system:
Note in this example that some users have Active Directory user accounts that are disabled. Normally they’re not
labeled this way, but they’ve been labeled this way here for demonstration purposes.
Back on the Active Directory browser screen, we can also click the “Search” button to search for groups by name as well:
Let’s presume that we also need a group which represents the Sales employees at office location number 1. If we are
not sure where in Active Directory that group is defined, we can set the search criteria to “Contains” and the search
term to “Sales --
Double-clicking (or right-clicking and selecting “Show All Users”) on any group in this list will display the Active Directory
user members of that group, which can be used to verify the correct users will be configured in the CTC Accounts system
before proceeding:
Again, notice that one user is disabled in Active Directory. By default, this user won’t be added to the CTC Accounts
system.
So at this stage, the following groups will be added:
When we click the “Add These Groups” button, the selected groups and all of their associated user definitions from
Active Directory will be added to the lists.
The first thing that will be shown is the activity log:
The errors that appear in the list confirm that users who are disabled in Active Directory will not be added to the CTC
Accounts system.
The list can be filtered by message type. In the above example, to see only the errors click on the “Successful” button to
turn off the Success messages:
Once we close the log window, the changes made can be seen in the list.
As the legend shows, the blue items are to be added to the CTC Accounts system.
To save these changes to the CTC Accounts system, click the “Publish to CTC Accounts” button in the toolbar.
IMPORTANT: For each CTC user account that is created the user will get a “welcome” email message with information
about changing the default password provided. This doesn’t happen until the changes are published to the CTC
Accounts system.
Once the save is complete, the log will be displayed showing the details of what happened. In this case, we can see that
there were no errors:
As is always the case, after the save is complete all the data from the CTC Accounts system is downloaded and displayed.
We can see the color of the items that were to be added have changed to now indicate they are there, but in an
unchanged (green) state:
Deleting Active Directory Groups
After one or more CTC groups in the first list are selected, the option to delete them will be available in either the right-
click pop-up menu choices for the list or by using the red “X” button below the list:
Once you confirm you want to delete one or more groups, the log will appear confirming the deletion and the selected
groups will turn red in the list:
Note that the users that had been added for this group DO NOT get deleted or disabled just because the group for which
they were originally added is being deleted. This is because these users may also be given individual permissions on
other libraries or for other systems, so the synchronizer will never attempt to delete their CTC user accounts.
Clicking on the “Publish to CTC Accounts” button will then actually remove the group definition from the CTC Accounts
system.
After the automatic refresh from the CTC Accounts system, we can see that the group has been deleted:
Adding Active Directory Users
It is possible to create CTC user accounts by importing them from Active Directory without requiring them to belong to
any Active Directory groups. This is done in either the right-click pop-up menu choices for the middle list, or by using the
green “plus” button below the list:
Using this tool opens a window in which to search for users. The process is very similar to searching for groups.
In this example we’ll be selecting two I.T. users from Office #1:
When the OK button is clicked, the log is displayed:
And the new users now show up on the list as added:
When these changes are published to the CTC Accounts system, they turn green in the list.
IMPORTANT: For each CTC user account that is created the user will get a “welcome” email message with information
about changing the default password provided. This doesn’t happen until the changes are published to the CTC
Accounts system.
Unlinking an Active Directory User
Active Directory user accounts that have been imported into the CTC Accounts system can be “unlinked” as well. This
removes the association between the CTC user account and the original Active Directory user account, so changes made
to the Active Directory user account won’t be made to the CTC user account during the next synchronization. The CTC
user account will receive no further updates from the Active Directory user account, for example should that Active
Directory user account’s email address change, or that Active Directory user account be put into a disabled or deleted
state.
IMPORTANT: Unlike removing an Active Directory group link, which deletes the CTC group definition, unlinking an
Active Directory user link DOES NOT delete or disable the associated CTC user account.
IMPORTANT: The setting to “Automatically link unlinked CTC Accounts to matching Active Directory users” is turned ON
by default. When on, with every synchronization the system will try to find and link every unlinked CTC user account to
an Active Directory user account with a matching email address. If for any reason you want to keep one or more CTC
user accounts unlinked even though they have a matching Active Directory user account, you’ll want to turn off this option.
To unlink one or more users, first select the user(s) to unlink and then either use the right-click pop-up menu choice for
the middle list, or use the gray “unlink” button below the list:
A confirmation message will appear:
Clicking Yes results in the log being displayed and the users appearing in the unlinked list as modified:
With the option for automatic linking turned off, clicking the “Publish to CTC Accounts” button results in these CTC user
accounts being no longer linked to their original Active Directory user accounts:
Linking Selected Unlinked CTC Users
By default, the option to automatically look for Active Directory user accounts that have the same email address as an
unlinked CTC user account is turned on. As discussed above, you may wish to turn off this option, but there may be
times when it is useful to automatically link only selected users.
IMPORTANT: When searching Active Directory users for a matching email address to the one used in the CTC Accounts
system, both the primary email address and all email addresses in the proxy mail addresses list for the Active Directory
user accounts are checked. This allows matching by any aliased address.
The right-most column lists the CTC Accounts users who are not linked to Active Directory user accounts.
Specific unlinked CTC users can be automatically linked to Active Directory users by first selecting them in the right-most
list, then either using the “Automatically link selected CTC Accounts to Active Directory User(s)” choice from the right-
click popup menu, or using the “link” button below the list:
A confirmation dialog will appear:
The log of actions is displayed, then those CTC users for which an Active Directory user account with a matching email
address is found will appear as modified in the middle list:
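Because linking matches on the primary email address and on every proxy address, it is worth previewing which Active Directory accounts a CTC email would match before linking. The following is an added example, not CTC's code: the sample users and addresses are constructed, and the case-insensitive comparison and the handling of the smtp: prefix are assumptions about how the match behaves.

```powershell
# Constructed sample data. Against a real directory the AD side would come from:
#   Get-ADUser -Filter * -Properties mail, proxyAddresses
$adUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';     mail = 'jane.doe@example.com'
                       proxyAddresses = @('SMTP:jane.doe@example.com', 'smtp:jdoe@example.com') }
    [pscustomobject]@{ SamAccountName = 'jdoe-adm'; mail = $null
                       proxyAddresses = @('smtp:jdoe@example.com') }
    [pscustomobject]@{ SamAccountName = 'rroe';     mail = 'r.roe@example.com'
                       proxyAddresses = @() }
)
# Constructed email addresses of unlinked CTC user accounts.
$ctcEmails = 'JDoe@example.com', 'r.roe@example.com', 'nobody@example.com'

function Get-AdEmailMatch {
    # Returns every AD user whose mail attribute or any SMTP proxy address equals $Email.
    param([string]$Email, [object[]]$AdUsers)
    $AdUsers | Where-Object {
        # Keep only smtp:/SMTP: entries and strip the prefix (-match/-replace ignore case).
        $smtp = @($_.proxyAddresses) -match '^smtp:' -replace '^smtp:', ''
        # -contains compares strings case-insensitively.
        (@($_.mail) + @($smtp)) -contains $Email.Trim()
    }
}

foreach ($email in $ctcEmails) {
    $hits = @(Get-AdEmailMatch -Email $email -AdUsers $adUsers)
    [pscustomobject]@{
        CtcEmail  = $email
        AdMatches = $hits.SamAccountName -join ', '
        Status    = switch ($hits.Count) { 0 { 'no match' } 1 { 'unique' } default { 'ambiguous' } }
    }
}
```

With the sample data, JDoe@example.com is reported as ambiguous because it is a proxy address on both jdoe and jdoe-adm; resolve such cases in Active Directory, or link those users manually, before relying on automatic linking.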
Scheduling the Synchronizer
The synchronizer has the ability to run silently, without a user interface. This allows it to be configured as a scheduled
operation using the Task Scheduler that is built into Windows.
This is done by creating a scheduled task and having the Action for the task execute the program:
C:\Program Files (x86)\CTC Software\Accounts AD Synchronizer\CTC.Account.ActiveDirectory.Synchronizer.exe
There are two command-line parameters the executable supports:
unattended
- This tells the synchronizer to run without a user interface, required for being scheduled
settingsfile=
- Optional alternate configuration file to use. If not specified, the same configuration file the user interface uses
will be used when running unattended. Using the standard configuration file is the most common case.
For example, the command line parameters might be:
unattended "settingsfile=L:\My Folder\ActiveDirectorySynchSettings.xml"
In this example the settingsfile value is within double quotes because the path to the settings file has a space in it (“My
Folder”).
If the location of the settings file to use does not have a space in it (recommended), the double quotes are not needed.
The only way to fully edit a settings file is using the Options functionality in the synchronizer when it is run interactively.
This will only ever read or update the settings file located here:
C:\ProgramData\CTC\CTC Accounts\ActiveDirectorySynchSettings.xml
This settings file can then be copied to another location for use with running the synchronizer unattended.
If a scheduled task is defined for unattended synchronization, for the typical case of using the default configuration file
the Action definition would use the executable file listed above, with the argument: unattended
As seen above, it’s a good idea to list the same folder in which the executable is located for the “Start in (optional)” field:
C:\Program Files (x86)\CAD Technology Center\Accounts AD Synchronizer
When defining the task, be sure to specify that it runs as a user account with enough permissions to read what is needed
from Active Directory and write to the logs folder, and set it so it can “Run whether user is logged on or not”.
IMPORTANT: If saving log files is turned on in the settings, when running as an unattended scheduled task the log
files will be written to an “Unattended” subfolder within the specified log files folder. By default the location will be:
C:\ProgramData\CTC\CTC Accounts\Logs\Unattended
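The same scheduled task can be registered from an elevated PowerShell prompt instead of the Task Scheduler user interface. This is an added example, not part of the CTC documentation; the task name, the daily 02:00 trigger and the account CONTOSO\svc-ctc-adsync are placeholders to replace with your own values.

```powershell
# Executable path as given in this guide; stop early if it is not installed there.
$exe = 'C:\Program Files (x86)\CTC Software\Accounts AD Synchronizer\CTC.Account.ActiveDirectory.Synchronizer.exe'
if (-not (Test-Path -LiteralPath $exe)) { throw "Synchronizer not found at $exe" }

# Optional alternate settings file; leave empty to use the default settings file.
$settingsFile = ''   # e.g. 'L:\My Folder\ActiveDirectorySynchSettings.xml'

$arguments = 'unattended'
if ($settingsFile) {
    if (-not (Test-Path -LiteralPath $settingsFile)) { throw "Settings file not found: $settingsFile" }
    # Quote the whole settingsfile=... token so a path with spaces stays one argument.
    $arguments += " `"settingsfile=$settingsFile`""
}

# "Start in" is set to the folder that actually contains the executable.
$action  = New-ScheduledTaskAction -Execute $exe -Argument $arguments `
               -WorkingDirectory (Split-Path -Parent $exe)
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'   # placeholder schedule

# Placeholder account: a dedicated, non-administrative account that can read
# Active Directory and write to the logs folder.
$cred = Get-Credential -UserName 'CONTOSO\svc-ctc-adsync' -Message 'Account the synchronizer runs as'

# Registering with a user name and password stores the credential, which is what
# the "Run whether user is logged on or not" option does in the user interface.
Register-ScheduledTask -TaskName 'CTC Accounts AD Synchronizer' `
    -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited
```

After the first scheduled run, check the Unattended log subfolder to confirm the task authenticated and wrote its log under that account.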
Appendix A Permissions to Read from Active Directory
In order to browse or search Active Directory for groups or users, the person running the synchronizer must have the
ability to read from Active Directory. This also applies to the Active Directory user account that a scheduled task is
running as.
It is common for all users to be able to read group and user definitions from Active Directory, however it is more likely
that users will NOT be able to read the enabled/disabled state of user accounts.
If a user running the synchronizer is not allowed to read the enabled/disabled state of user accounts, when adding or
updating users a warning will appear in the log explaining this and stating that the user accounts being read are assumed
to be enabled.
To gain the full functionality of the system by being able to read the enabled/disabled state of user accounts, special
permissions may need to be granted to the user running the synchronizer to read the enabled/disabled state of users.
A best practice is to have a domain administrator create an Active Directory group which contains the user accounts that
will be running the synchronizer, and then delegate that group permissions to “Read all user information” in the
appropriate Active Directory organizational units that contain user definitions.
For example, an Active Directory group named CTC AD Synchronizer Users may be created, containing the user accounts
of those who will run the synchronizer (including unattended).
In the Active Directory Users and Computers tool, right click on the organizational unit which contains user definitions
and select Delegate Control:
On the first screen, just click Next.
On the next screen, Add the CTC AD Synchronizer Users group you created, then click Next.
On the next screen select “Read all user information” and click Next.
On the last screen, simply click the Finish button.
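To confirm the delegation worked, check whether the account that runs the synchronizer can actually read the enabled/disabled state, since accounts whose state cannot be read are assumed to be enabled. This is an added example, not CTC's code; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the organizational unit shown is a placeholder.

```powershell
# Run this in a session started as the account that will run the synchronizer
# (including the account used by the scheduled task).
Import-Module ActiveDirectory

# Placeholder (assumption): the OU on which "Read all user information" was delegated.
$searchBase = 'OU=Staff,DC=example,DC=com'

$users = @(Get-ADUser -SearchBase $searchBase -Filter * -Properties userAccountControl)

# An attribute the caller is not permitted to read is simply absent from the
# result, so a null userAccountControl means the state could not be read.
$unreadable = @($users | Where-Object { $null -eq $_.userAccountControl })

# Bit 0x2 (ACCOUNTDISABLE) of userAccountControl marks a disabled account.
$disabled = @($users | Where-Object {
    $null -ne $_.userAccountControl -and ($_.userAccountControl -band 0x2)
})

[pscustomobject]@{
    SearchBase      = $searchBase
    UsersFound      = $users.Count
    StateUnreadable = $unreadable.Count
    Disabled        = $disabled.Count
}

if ($unreadable.Count -gt 0) {
    Write-Warning ("Enabled/disabled state is not readable for {0} user(s); " +
        "the delegation is missing or does not cover these objects." -f $unreadable.Count)
    $unreadable | Select-Object -First 10 SamAccountName, DistinguishedName
}
```

A StateUnreadable count of zero for every OU that holds synchronized users means disabled Active Directory accounts will be recognized as disabled rather than assumed enabled.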