On a periodic basis, certain user attributes are synchronized with Active Directory, and thus these properties cannot be modified manually.
The following properties are synchronized with Active Directory:
• User Name, Full Name, and Description.
• Group membership except for Administrators. Users in the Administrator Group are only in the Administrator group.
Passwords are never stored in this mode, so they cannot be modified.
• If authentication mode is Symphony, logon will fail because the credentials cannot be authenticated.
• If authentication mode is Active Directory - after the credentials have been successfully authenticated against Active Directory - a new Symphony user is created and associated with the specified Active Directory user. This user is added to the Symphony Users group, and thus inherits all security permissions from that group.
When the authentication mode is set to Active Directory, groups can optionally be associated with Active Directory groups. Groups with Active Directory associations have their group membership periodically synchronized with Active Directory.
Example
Symphony Group A is associated with Active Directory group 1.
Symphony Group B is associated with Active Directory group 2.
If group 1 is a member of group 2, then Symphony Group A will become a member of Symphony Group B when group membership is synchronized.
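The nesting rule in the example above can be modelled to audit which Symphony groups end up nested after a synchronization. This is an added example, not Symphony's own code: the function names and sample data are constructed, only direct Active Directory membership is followed (as in the example), and the "reachable" set goes beyond the page by assuming that chained nesting accumulates.

```python
from collections import defaultdict

def derived_nesting(associations, ad_member_of):
    """Return {symphony_group: set of Symphony groups it joins at sync}.

    associations: Symphony group name -> associated AD group name.
    ad_member_of: AD group name -> set of AD groups it is a direct member of.
    Only direct AD membership is followed, as in the page's example.
    """
    by_ad = defaultdict(set)  # AD group -> Symphony groups associated with it
    for sym, ad in associations.items():
        by_ad[ad].add(sym)
    nesting = {sym: set() for sym in associations}
    for sym, ad in associations.items():
        for parent_ad in ad_member_of.get(ad, ()):
            nesting[sym] |= by_ad.get(parent_ad, set()) - {sym}
    return nesting

def effective_parents(nesting, group):
    """All Symphony groups reachable from `group` through derived nesting.

    Cycle-safe: AD permits circular nesting, so visited groups are tracked.
    """
    seen, stack = set(), [group]
    while stack:
        for parent in nesting.get(stack.pop(), ()):
            if parent not in seen and parent != group:
                seen.add(parent)
                stack.append(parent)
    return seen

# Constructed sample data: the page's example plus one extra nesting level.
ASSOCIATIONS = {"Symphony Group A": "group 1",
                "Symphony Group B": "group 2",
                "Symphony Group C": "group 3"}
AD_MEMBER_OF = {"group 1": {"group 2"},
                "group 2": {"group 3"}}

if __name__ == "__main__":
    nesting = derived_nesting(ASSOCIATIONS, AD_MEMBER_OF)
    for sym in sorted(nesting):
        print(sym, "->", sorted(nesting[sym]),
              "| reachable:", sorted(effective_parents(nesting, sym)))
```

Comparing the output before and after a change to Active Directory nesting shows which Symphony groups would gain a new parent group at the next synchronization.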
| Membership | Symphony Group | Symphony Group with Active Directory Association |
|---|---|---|
| Member of another Symphony group | Allowed | Allowed |
| Member of another Active Directory group | Not-allowed | Allowed |
| Explicitly leave an Active Directory group | | Not-allowed |
| Explicitly join an Active Directory group | | Not-allowed |