Find an Answer
Provisioning users in the Active Directory Connector (ADC) for the first time, or when you add groups of users, allows for review of the user accounts before you provision. This procedure gives you the opportunity to review your users, fix any errors, and provision only when you're ready. After this, provisioning is automatic, assuming the Active Directory data values are valid. Also make sure you have Production status for your developer account before proceeding.
For a detailed overview of this process, see Managing Users in the ADC Overview.
The process to provision for the first time, or for newly added Active Directory groups, is:
Start the ADC - This queries the linked Active Directory groups and your GoTo account and displays all the users in the ADC Users page. You can now work with your users in three basic steps.
1. Recognize existing account holders to avoid reprovisioning. To do this, use Automatic matching to link Active Directory users to existing accounts where the emails are identical. Then manually match accounts where the same user has different credentials for the two accounts. (Alternately, you can delete the user's non-matching account and reprovision the user under their Active Directory credentials.)
2. Provision all new Active Directory users. This clears the Active Directory queue (unmatched AD users) of all but users with incorrect Active Directory data. Fix the data and these users will be provisioned automatically the next time you start the ADC.
3. Finally, review and correct as needed users with accounts and no Active Directory account. These may be Unix or Mac users, contractors, or other special cases. Create equivalent Active Directory accounts if you want to ensure all account management can be done by managing your Active Directory groups.
Users provisioned through the ADC receive an enrollment email. They login to change their password, and they then have access to a GoTo account. They can login on their Windows desktop, through a browser, or on a mobile device. They can also access their accounts through extensions for applications such as Outlook, SalesForce and Google Calendar.
For small changes of one to several users, the provisioning or deprovisioning can occur in a matter of minutes. If you are provisioning hundreds or thousands of users, a general rule of thumb for a average system is 1000 provisioning requests per hour.
Any changes to users in the provisioned Active Directory groups or users is reflected in the ADC and passed to the Admin Center. Provisioning is fully automated and your users have full access to GoTo business tools.
1. On the Operations tab, click Start.
This starts the queries against the Active Directory and the GoTo account you used to connect through the Developer account.
Once the queries run, all linked Active Directory users new to the ADC display in the Unmatched Active Directory users pane on the Users tab. All existing users on your corporate account display in the Unmatched users pane on the Users tab.
When you open the Users tab after adding a new group, you'll see a message: This service does not automatically provision your users yet. The ADC is in Edit mode, allowing you to review the users before provisioning.
Start by matching new Active Directory users to existing GoTo user accounts.
2. Click Automatic Matching. This finds all users with identical email addresses between the two unmatched lists, AND who have valid Active Directory data. It automatically moves these users to the Matched users pane.
The users in the matched pane have accounts already, and these accounts match the Active Directory accounts correctly (they use identical email addresses for the credentials).
Review the two unmatched panes. Look for Active Directory users who match users with GoTo accounts, but who were not identified during automatic matching. These users have different email addresses for the two accounts.
You have two choices for how to manage these users. You can require identical email credentials (steps 3 & 4) or match the two accounts (step 5).
3. To force identical emails, delete the GoTo account. Right-click the user from the Unmatched users list, and select Delete User. This removes the user and any product provisioning for the user from the ADC and the product portals.
4. Click Apply changes. You'll see a Provisioning successful message, and the status(es) will no longer say Pending. If you deactivate edit mode before applying changes, any unsaved changes will be lost.
Or match the two accounts:
5. To match two accounts, select each pair of matching accounts - one in Unmatched AD users and one in Unmatched users - and click Match Selected.
6. If for any reason you decide to unmatch a matched user, select the desired user(s) in the Matched users table and click Revoke selected user matchings. The entries return to the Unmatched Active Directory users and Unmatched users tables.
7. Click Apply changes.
You can provision all unmatched AD users, or provision selected users.
8. To provision all users, click Provision all unmatched AD Users.
9. To provision selected users, select the desired user(s) from the Unmatched AD users list (Ctrl-Shift selects multiple users) and right-click to select Provision user. The provisioning status changes to Pending, and the entries are moved to the Matched users list (also Pending).
You will be alerted that you are in Edit mode. Click Deactivate edit mode to begin provisioning.
IMPORTANT: Provisioning may take time. Assume approximately 1 hour per 1000 users.
When the provisioning step is completed, all valid Active Directory users - new users and those with a pre-existing GoTo account - are all in the Matched users pane.
If you have unmatched users remaining in either pane, continue on to the next section. However, if you do have users in the Unmatched AD users pane at this point, these should now be only users with invalid Active Directory data.
10. Correct the errors in the Active Directory. For a list of the data values the ADC queries, see ADC Requirements.
11. After a few minutes, the users will refresh in the Unmatched AD users pane. You can provision them, or match them with GoTo accounts.
All users should be cleared from the Unmatched AD users pane at this point.
The remaining users in the Unmatched users pane have a GoTo account, but do not have an Active Directory account. These may be Unix or Mac users, contractors, or other special cases. For unmatched account users, you can leave them unmatched, or set up Active Directory matching.
12. Add them to the Active Directory using the same credentials as the existing GoTo account. This ensures that you can manage all provisioning through the Active Directory.
The changes to Active Directory will, unless you place the ADC back in Edit mode in the User tab, get provisioned automatically.