https://connect.hyland.com/t5/alfresco-archive/sync-ing-users-in-multiple-ad-directory-trees/m-p/293621#M246751 <HTML><HEAD></HEAD><BODY><SPAN>Hello,</SPAN><BR /><BR /><SPAN>I have been able to sync Active Directory Users and Groups to Alfresco, but there is a sub tree of test user accounts outside of the main directory tree that we would like to use for development and testing that I cannot sync. I could expand the search to an even greater scope, but this would sync way too much data. </SPAN><BR /><BR /><SPAN>Is it possible to sync users, groups from different Base OU's in Active Directory? </SPAN><BR /><BR /><SPAN>For Example…</SPAN><BR /><BR /><SPAN>The Real Users live here.</SPAN><BR /><BR /><SPAN>DN: CN=Users,OU=Corporate,DC=myco,DC=net</SPAN><BR /><BR /><SPAN>The Test Users live here.</SPAN><BR /><BR /><SPAN>DN: OU=Service Accounts,OU=Corporate,DC=myco,DC=net</SPAN><BR /><BR /><SPAN>My naive assumption is that in order to sync from 2 different sub trees, the userSearchBase in the ldap-ad-authentication.properties file would look like this.</SPAN><BR /><BR /><SPAN>ldap.synchronization.userSearchBase=OU\=Service Accounts,OU\=Users,OU\=Corporate,DC\=wgenhq,DC\=net</SPAN><BR /><BR /><SPAN>But the Service Accounts don't come across the wire.</SPAN><BR /><BR /><SPAN>The only subtle difference is that the Real Users have a userAccountControl Number = 512, which is the AD Default. </SPAN><BR /><BR /><SPAN>… while the Service Accounts have a userAccountControl Number = 66048</SPAN><BR /><BR /><SPAN>and when I changed the following parameters to the Service Account userAccountControl Number…</SPAN><BR /><BR /><SPAN># The query to select all objects that represent the users to import.</SPAN><BR /><SPAN>ldap.synchronization.personQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=66048))</SPAN><BR /><BR /><SPAN># The query to select objects that represent the users to import that have changed since a certain time.</SPAN><BR /><SPAN>ldap.synchronization.personDifferentialQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=66408)(!(whenChanged&lt;\={0})))</SPAN><BR /><BR /><SPAN>Nothing happened.</SPAN><BR /><BR /><SPAN>So, is it possible to have Alfresco read from different parts of AD, and if so, how would I configure this?</SPAN><BR /><BR /><SPAN>Thanks in advance for any assistance you can give me.</SPAN><BR /><BR /><SPAN>~jj</SPAN></BODY></HTML> Fri, 28 Jun 2013 20:51:40 GMT jbecker-amplify 2013-06-28T20:51:40Z https://connect.hyland.com/t5/alfresco-archive/sync-ing-users-in-multiple-ad-directory-trees/m-p/293621#M246751 Hello,I have been able to sync Active Directory Users and Groups to Alfresco, but there is a sub tree of test user accounts outside of the main directory tree that we would like to use for development and testing that I cannot sync. I could expand the search to an even greater scope, but this would Fri, 28 Jun 2013 20:51:40 GMT https://connect.hyland.com/t5/alfresco-archive/sync-ing-users-in-multiple-ad-directory-trees/m-p/293621#M246751 jbecker-amplify 2013-06-28T20:51:40Z https://connect.hyland.com/t5/alfresco-archive/sync-ing-users-in-multiple-ad-directory-trees/m-p/293622#M246752 <HTML><HEAD></HEAD><BODY><SPAN>I think you can do this with two separate authenticaton subsystems.&nbsp;&nbsp; The first one is your regular users and groups the second one is for your test users.</SPAN><BR /><BR /><SPAN>There are details on the wiki of how to configure subsystems, and the authentication chain.</SPAN></BODY></HTML> Fri, 28 Jun 2013 21:26:52 GMT https://connect.hyland.com/t5/alfresco-archive/sync-ing-users-in-multiple-ad-directory-trees/m-p/293622#M246752 mrogers 2013-06-28T21:26:52Z