1. Create two new Organizational Unit groups [1] in AD as shown below. In this example, two groups, QAGroup1 and QAGroup2, are created.
2. Get the distinguished name using ADSI Edit in AD, then copy the name to the group policy:
   - Click the group node under the default naming context.
   - Right-click and select Properties.
   - Click the Attribute Editor tab and find the <distinguishedName> attribute.
   - Copy the distinguished name to the group policy.
   You will get two similar distinguished names like the following:
   OU=QAGroup1,DC=qatd1,DC=local
   OU=QAGroup2,DC=qatd1,DC=local
3. Go to the Policy Server MMC and configure Active Directory synchronization for the group policies. You can set multiple Organizational Unit groups in the same group.
   - Locate Active Directory Synchronization. Right-click it, then click Enable.
   - Locate Distinguished Name, then enter the distinguished name "OU=QAGroup1,DC=qatd1,DC=com" from step 2.
   - Enter the user name and password. The user is a domain user who has permission to access the OU group.
   - Enter the domain name and hostname.
   All users of the organizational unit will sync into this group. You can trigger the AD sync with either of the following:
   - Restart PolicyWindowsService. About 15 seconds after PolicyServerWindowService starts, the first AD sync runs.
   - Or wait for about 45 minutes. The AD sync is triggered every 45 minutes.
Frequently Asked Questions
To modify the sync interval time:
- Open the database table "PolicyServerSettings".
- In the row "ADSyncPollingInterval", change the value of the column "ParameterValue". The unit is minutes.
- The next run of AD sync still occurs after the old interval of 45 minutes; the new interval is read during that run, so it takes effect on the run after it. To apply the new value immediately, restart PolicyServerWindowService.
To retrieve existing users that disappeared from the encryption group, remove all domain users from the recycle bin at the enterprise level or group level:
1. Navigate to the Users node, right-click it, and then click Remove All Users.
2. Tick the Remove from Enterprise checkbox.
When you delete any user(s) from the Policy Server, a flag in the database records that the user(s) were deleted. When the AD sync runs, it sees that the user(s) were deleted and does not pull them back in. The only way to pull deleted user(s) back in is to run the external browser, search for the user(s), and add them manually.
Workaround
If these domain users exist at the enterprise level but there is no option to remove them from the recycle bin, there is a workaround.
You can create a group and add all domain users into this group and then select remove all users from group again.
- Create a group. Right-click it then click Add existing Users.
- Click Search.
- Add all of the domain users in the left pane and then click OK.
- Right-click the group, select Remove all users from group, and tick the Remove from Enterprise checkbox.
- Restart PolicyWindowsService.
- Wait for the AD sync; all of the domain users will be pulled back into the group.
Yes. Change the distinguished name to DC=qatd1,DC=local. AD sync will then sync all users of the domain into the group.
User management by MMC | Add                | Remove from group and enterprise | Only remove from group
AD sync result         | User kept in group | User added back to group         | User not added back to group
If domain users that were added to the group (manually or by AD sync) are only removed from the group, AD sync does not add them back. You have to remove all domain users from the recycle bin and restart PolicyWindowServices; all of the domain users will then be back in the group.
Yes, you can sync from the Security group level and the distinguished name should be changed to CN=QAGroup3,DC=qatd1,DC=local. You can check the distinguished name using ADSI Edit tool in AD.
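The distinguished name from step 2 is pasted into the Policy Server MMC by hand, and a mistyped DN (or a sync account without read permission on it) only shows up as an empty group after the next 45-minute sync. The following PowerShell function is an added example, not part of the original article or the Policy Server product: it binds to the DN with the same domain account the sync will use, reports whether the object is an OU (OU=... form, as in step 2) or a security group (CN=... form, as in the last answer above), and counts the user objects the sync would pull in. It uses only the built-in .NET DirectoryServices types, so no RSAT module is needed; the DNs, domain and credential in the usage lines are placeholders taken from the article's examples.

```powershell
# Added example, not part of the original article. Checks that a distinguished name
# resolves in AD before it is entered in the Policy Server MMC. Uses built-in
# System.DirectoryServices types; DNs and credentials below are placeholders.
function Test-SyncDistinguishedName {
    param(
        [Parameter(Mandatory = $true)]
        [string] $DistinguishedName,

        # The domain account Policy Server will use for AD sync. Binding with it
        # verifies that this account (not just the admin running the script)
        # can read the object.
        [System.Management.Automation.PSCredential] $Credential
    )

    $ldapPath = "LDAP://$DistinguishedName"
    try {
        if ($Credential) {
            $entry = New-Object System.DirectoryServices.DirectoryEntry(
                $ldapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password)
        } else {
            $entry = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
        }
        # RefreshCache forces the bind: a mistyped DN (for example DC=com instead of
        # DC=local) or a missing read permission throws here rather than at sync time.
        $entry.RefreshCache()

        # objectClass lists the class chain (top, ...); the last entry is the most specific.
        $objectClass = @($entry.Properties['objectClass'])[-1]

        switch ($objectClass) {
            'organizationalUnit' {
                # Count the user objects under the OU (subtree, paged search).
                $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
                $searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
                $searcher.SearchScope = 'Subtree'
                $searcher.PageSize    = 1000
                $userCount = $searcher.FindAll().Count
                $note = 'Organizational unit: use the OU=... form'
            }
            'group' {
                # Security group: members come from the member attribute. AD returns at
                # most 1500 values per read, so very large groups need ranged retrieval.
                $userCount = $entry.Properties['member'].Count
                $note = 'Security group: use the CN=... form'
            }
            default {
                $userCount = $null
                $note = "objectClass '$objectClass' is neither an OU nor a group"
            }
        }

        [pscustomobject]@{
            DistinguishedName = $DistinguishedName
            Resolves          = $true
            ObjectClass       = $objectClass
            UserCount         = $userCount
            Note              = $note
        }
    }
    catch {
        [pscustomobject]@{
            DistinguishedName = $DistinguishedName
            Resolves          = $false
            ObjectClass       = $null
            UserCount         = $null
            Note              = $_.Exception.Message
        }
    }
}

# Usage (placeholder DNs from the article; prompts for the sync account's credential):
# $cred = Get-Credential -Message 'Domain account used by Policy Server for AD sync'
# 'OU=QAGroup1,DC=qatd1,DC=local', 'CN=QAGroup3,DC=qatd1,DC=local' |
#     ForEach-Object { Test-SyncDistinguishedName -DistinguishedName $_ -Credential $cred } |
#     Format-Table -AutoSize
```

A DN that shows Resolves = False with an "There is no such object on the server" style message is the mistyped-DN case; one that resolves but returns UserCount = 0 for an OU usually means the users live in a child OU that the sync account cannot read, which is worth fixing before waiting for the next sync run.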