Active Directory requirements

General information

In principle, there are no special requirements for connecting primedocs to the local Active Directory (AD). primedocs only needs read access to the AD, so no write permissions are required.

For authentication

primedocs can use the AD for authentication and reads, among other things, the displayName, the objectSid (as the primary identifier) and the tokenGroups attribute (for group membership).
Access takes place with the account configured for the server service (see primedocs Server Installation).

With a “standard AD configuration”, all required properties are readable for all users without further configuration.

If this does not work, it must be ensured that the server account has read permission to the following properties in AD:

  • objectSid
  • displayName
  • name
  • userPrincipalName
  • sAMAccountName
  • distinguishedName
  • msDS-PrincipalName
  • tokenGroups (this is particularly necessary for determining group membership)
  • msDS-MemberOfTransitive (this is necessary if distribution lists are to be loaded during group membership determination)

For user synchronization

The directory (LDAP or AD) can also be accessed by User synchronization.
Depending on the configuration, access is made with the server account or with the user account stored in the synchronization settings. Either account needs read permission to the configured properties.
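The following PowerShell script is an added example for checking the requirements of both sections above (authentication and user synchronization); it is not part of the primedocs documentation or product. It reads one user object as a given account and reports which of the listed attributes come back, which is the quickest way to tell whether the default AD permissions are sufficient before touching any ACLs. The LDAP path, the test user and the service account name are placeholders; the script assumes a domain-joined Windows machine and that you know the password of the account you test as.

```powershell
# Added example, not part of the primedocs documentation: checks which of the
# attributes listed above a given account can actually read on a user object.
# Run on a domain-joined Windows machine; you are prompted for the password of
# the account to test as (normally the server's service account).
$SearchBase  = "LDAP://OU=Users,DC=company,DC=local"   # placeholder OU
$TestUser    = "jdoe"                                  # placeholder: sAMAccountName of any user
$ServiceUser = "COMPANY\primedocs_service"             # placeholder service account

# Attributes required for authentication (from the list above) plus the
# optional one used for distribution lists.
$required = @(
    'objectSid', 'displayName', 'name', 'userPrincipalName', 'sAMAccountName',
    'distinguishedName', 'msDS-PrincipalName', 'tokenGroups', 'msDS-MemberOfTransitive'
)

$cred = Get-Credential -UserName $ServiceUser -Message "Account to test as"
$pw   = $cred.GetNetworkCredential().Password

# Step 1: find the test user with a subtree search. Only the DN is requested
# here, because constructed attributes (tokenGroups, msDS-PrincipalName,
# msDS-MemberOfTransitive) are never returned by a subtree search.
$root   = New-Object System.DirectoryServices.DirectoryEntry($SearchBase, $cred.UserName, $pw)
$finder = New-Object System.DirectoryServices.DirectorySearcher($root)
$finder.Filter      = "(&(objectCategory=person)(sAMAccountName=$TestUser))"
$finder.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
[void]$finder.PropertiesToLoad.Add('distinguishedName')
$hit = $finder.FindOne()
if (-not $hit) { throw "User '$TestUser' not found under $SearchBase, or not readable by $ServiceUser" }
$dn = $hit.Properties['distinguishedname'][0]

# Step 2: base-scope search on the user object itself; this is the only scope
# in which AD returns the constructed attributes.
$userEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn", $cred.UserName, $pw)
$check = New-Object System.DirectoryServices.DirectorySearcher($userEntry)
$check.Filter      = '(objectClass=*)'
$check.SearchScope = [System.DirectoryServices.SearchScope]::Base
foreach ($a in $required) { [void]$check.PropertiesToLoad.Add($a) }
$result = $check.FindOne()

# Step 3: report. AD silently omits attributes the caller is not allowed to
# read, so an attribute missing from the result usually means a missing read
# permission. Two attributes can be legitimately empty: displayName if it was
# never filled in, and msDS-MemberOfTransitive for a user whose only group is
# the primary group.
foreach ($a in $required) {
    $key = $a.ToLower()   # result property names are stored in lower case
    $ok  = $result.Properties.Contains($key) -and $result.Properties[$key].Count -gt 0
    "{0,-25} {1}" -f $a, $(if ($ok) { 'readable' } else { 'NOT readable (check permissions)' })
}
```

If every attribute is reported as readable, no further AD configuration is needed. Attributes reported as not readable are the ones for which a read permission has to be granted as described under "Granting of permissions". For user synchronization, replace the account and the attribute list with the account and properties configured there.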

Granting of permissions

If a permission assignment is required to read the properties, you can set the respective authorization in AD, e.g. for all users or in the entire domain.

The command line tool "dsacls.exe" can be used as an aid.
In the following example, read access to the tokenGroups property is granted to the primedocs_service service account on all user objects below the Users OU (the /I:S switch applies the permission to the OU's descendant objects):

dsacls "OU=Users,DC=company,DC=local" /I:S /G "primedocs_service":rp;tokenGroups;user
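As an added example that is not part of the primedocs documentation, the following PowerShell snippet verifies after running the dsacls command that the permission entry exists and is scoped to the single attribute rather than to all properties, which is the least-privilege outcome you want. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the OU and account names are placeholders matching the dsacls example above.

```powershell
# Added example, not part of the primedocs documentation: checks that the ACE
# created by the dsacls command above is present and limited to one attribute.
# Requires the ActiveDirectory module (RSAT). OU and account are placeholders.
Import-Module ActiveDirectory

$ou        = "OU=Users,DC=company,DC=local"   # placeholder, same OU as in the dsacls example
$account   = "primedocs_service"              # placeholder service account
$attribute = "tokenGroups"

# Property-specific ACEs reference the attribute by its schemaIDGUID, so the
# GUID of the attribute has to be resolved from the schema first.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attribute)" -Properties schemaIDGUID
$attrGuid = [guid]$attrObj.schemaIDGUID

# Read the OU's security descriptor through the AD: drive and keep only the
# Allow entries for the service account.
$acl  = Get-Acl -Path "AD:\$ou"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$account" -and $_.AccessControlType -eq 'Allow'
}

if (-not $aces) {
    Write-Warning "No Allow entry for $account on $ou; the dsacls command did not take effect."
    return
}

foreach ($ace in $aces) {
    # ObjectType equal to the attribute GUID = read limited to that attribute;
    # an empty GUID = the entry covers all properties, broader than needed.
    $scope = if ($ace.ObjectType -eq $attrGuid)      { "attribute $attribute only" }
             elseif ($ace.ObjectType -eq [guid]::Empty) { "ALL properties (broader than needed)" }
             else                                        { "other attribute/object $($ace.ObjectType)" }
    [pscustomobject]@{
        Identity        = $ace.IdentityReference.Value
        Rights          = $ace.ActiveDirectoryRights   # expected: ReadProperty
        Scope           = $scope
        Inheritance     = $ace.InheritanceType         # expected: Descendents (from /I:S)
        InheritedObject = $ace.InheritedObjectType     # GUID of the user class (from ';user')
    }
}
```

The expected output after the dsacls command is one entry with Rights "ReadProperty", Scope "attribute tokenGroups only" and Inheritance "Descendents". An entry whose Scope reports all properties, or whose Rights include more than ReadProperty, grants more than primedocs needs and should be tightened.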


PrimeSoft AG, Bahnhofstrasse 4, 8360 Eschlikon, Switzerland