This article provides an overview of Active Directory (AD) Security Groups sync. Enabling Security Groups in Network Glue allows technicians to check AD user permissions directly in IT Glue without having to navigate to their AD server. This streamlines the workflow and allows technicians to solve simple tickets in a shorter amount of time.
- You must have enabled Active Directory during the initial setup of the Network Glue Collector. For more details on this, please refer to our Setting Up Network Glue for an IT Glue Organization KB article.
- You must have Administrator or Manager-level permissions in IT Glue.
- Ensure your Active Directory users sync is enabled. Without this sync in place, tags and related items cannot be created.
There are two ways to enable AD Security Groups. You can enable the setting on an individual Network Glue collector’s create or edit pages, or bulk edit several or all existing Network Glue collectors at once on the Account > Network Glue page.
Enabling for Individual Collector
- In IT Glue, navigate to Account > Network Glue > Collector. At the top of the page, click the Edit button.
- Alternatively, navigate to Account > Network Glue. Locate the collector in the table and click the Edit (pencil) icon.
- In the Active Directory tab, select the Security Groups checkbox in the Flexible Assets sync section.
- Click Save.
Bulk Enabling for Multiple Collectors
- Navigate to Account > Network Glue.
- Select the collectors that you would like to edit. To select all collectors, click the Select All checkbox at the top of the checkbox column.
- Click the down arrow next to the Select All checkbox and then Edit.
- An Update collector settings pop-up confirmation window will appear and show the following:
- The Security Groups checkbox will be selected by default. Enabling this will sync Security groups from on-premises AD into Flexible Assets.
- Number of selected collectors that do not have AD credentials or have this setting activated already, if any. If AD credentials do not exist for this collector, then security group data will not be synced. To enable AD sync, refer to our KB article. If the security group setting was already enabled for the collector, then no changes will occur.
- Number of selected collectors that will be updated, if any.
- To disable AD Security Groups, uncheck the Security Groups checkbox instead in step 4a above. The pop-up window will then show the following:
- Number of selected collectors that do not have AD credentials or have this setting deactivated already, if any.
- Number of selected collectors for which this setting will be deactivated, if any.
- Click OK. A confirmation banner will appear with the message "Your settings are updated. Data changes in your IT Glue account will be visible after scans are finished."
Configuring the AD Security Groups Flexible Asset Type
Once you have enabled AD Security Groups for at least one Network Glue collector, a new Flexible Asset Type called AD Security Groups will be automatically created after the automatic scan is complete if:
- AD is set to YES in the collector(s),
- AD credentials exist and are valid, and
- Organization ID, Location, Domain Controller Hostname, and Admin User FDQN exist and are valid for the collector(s).
If multiple collectors use the same set of AD credentials within the same organization and location, then Security Groups Flexible Assets will be deduplicated. If multiple collectors use the same AD credentials across multiple organizations or multiple locations within the same organization, then deduplication will not take place and Security Groups Flexible Assets will be shown for each organization and each location.
You can edit and manage the Flexible Asset Type on the Account > Flexible Asset Types page. The following elements can be configured:
- Icon - The default icon is the Network Glue icon. Select a different icon if desired.
- Enabled checkbox - This is checked by default. When checked, the Flexible Asset Type is displayed in the IT Glue sidebar and on the Global page. To hide the Flexible Asset Type in the sidebar or Global, simply click again to uncheck the checkbox.
- Show in list checkbox - All automated Flexible Asset fields are checked by default. When checked, Flexible Asset Types are displayed in the Flexible Assets list view. You can disable it for any field of your choice if you no longer want to see a specific field in the AD Security Groups list view.
- + New field button - Click to add a new field to the Flexible Asset Type. You can also remove any new fields you have manually added previously.
Automated AD Security Groups Flexible Assets
AD Security Groups collected by Network Glue will be automatically created as Flexible Assets within the AD Security Groups Flexible Asset Type. The following fields will be filled with data coming from your client’s AD environment:
- Group Name - Security Group name. Only groups that have a name in AD will be synced with Network Glue.
- Description - Security Group description, if available. If not available, this field will remain empty.
- Nested Groups - If a Security Group has other groups as members, they will be created as tags. Otherwise, it will remain empty.
- Members (matched to a Contact) - First and last names of the Security Group members that are matched with IT Glue contacts from the Network Glue AD users sync. If the AD users sync is turned on with Network Glue, then group members will be created as tags in Members (matched to a Contact) field. If the AD users sync is not turned on, or Network Glue will find group members that are not matched to IT Contacts, then these members will be added as text in the Members (not matched to a Contact) field.
Members (not matched to a Contact) - First and last names of the Security Group members that are not matched with IT Glue contacts from the Network Glue AD users sync.
Note: Once a previously unmatched AD user is matched to IT Glue contact, Network Glue will automatically create a tag for this member in the Members (matched to a Contact) field and the text will be removed from the Members (not matched to a Contact) field. This also applies vice versa.
- AD Domain - AD domain hostname.
It is also possible to add more Security Groups manually. Automated Flexible Assets within the AD Security Groups Flexible Asset Type will only be added to Organizations where Security Groups data is enabled and available.
Adding AD Security Groups Flexible Assets
In addition to automated data, you can also manually document missing Security Groups from other environments (e.g. Azure) into Flexible Assets within the AD Security Groups Flexible Asset Type. To add a new Security Group asset, navigate to Organization > AD Security Groups and click the + Add button in the top-right corner. Complete the following fields:
- Group Name - Give your Security Group a concise, logical name.
- Description - Briefly describe the role or purpose of the members within this Security Group.
- Nested Groups - Search for and tag any subgroups associated with this Security Group.
- Members (matched to a Contact) - Search for and tag any existing IT Glue Contact in this Organization.
- Members (not matched to a Contact) - Manually input the names of members that do not yet exist as an IT Glue Contact.
- AD Domain - Manually input the AD Domain.
- Any additional fields you configured in the Configuring the AD Security Groups Flexible Asset Type section of this KB article.
Syncing Security Groups with Network Glue
When syncing for the first time after enabling AD Security Groups, auto-scan for the AD Security Groups-enabled collector(s) will be initiated.
On the Security Group asset’s show page, you will see the Network Glue badge with the Last Updated Date and a Disable sync button. The sync status will show either:
- Syncing - Network Glue data exists for this Flexible Asset and is syncing. This will be indicated with a gray plug icon on the AD Security Groups list view. If you want to disable the sync, click the Disable sync button under the Network Glue sync badge.
- Orphaned - Network Glue data no longer exists for this Flexible Asset, or a user has manually turned off the Security Groups sync for the collector. This will be indicated with an orange plug icon on the Flexible Asset show page and list view.
- Disconnected - A user has manually disabled the Security groups sync for the collector. This will be indicated with a red plug icon on the Flexible Asset show page and list view. If you wish to enable a sync for this asset, click the Enable sync button under the Network Glue sync badge.
Deleting AD Security Groups Flexible Assets
To determine if you can delete a Security Group asset, check its sync status:
- If Syncing (gray plug icon) - You will not be able to delete if the asset is syncing.
- If Orphaned (orange plug icon) - You can delete the asset by clicking the Delete button. Once deleted, it will no longer appear in subsequent syncs.
- If Disconnected (red plug icon) - You can delete the asset by clicking the Delete button. Once deleted, it will no longer appear in subsequent syncs.
Related Items on IT Glue Contact Show Pages
- After the sync is complete, new Security Groups will be automatically added as Related Items to IT Glue Contacts that are matched with on-premises AD users sync from Network Glue. Related Items will be visible on the Contact’s asset show page.
- If an AD user is not matched to IT Glue Contact, then Security Groups will not be available as Related Items for this Contact.
- If a previously matched AD user contact is removed from the Security Group, then the Related Item on the Contact’s asset show page will be automatically removed after the next collector auto-scan or after a manual collector scan is completed.
- If a previously matched AD user contact is added to a Security Group, then the Related Item on the Contact’s asset show page will be automatically added after the next collector auto-scan or after a manual collector scan is completed.
AD Security Groups in the Activity Log
The Activity Log documents all instances there is a manual change to Security Group Flexible Assets and some automated actions. These include:
- Table created - When an AD Security Groups Flexible Asset Type is created.
- Table edited - If a Network Glue user clicked the Edit button on the AD Security Groups Flexible Asset Type.
- Table updated - If a Network Glue user clicked the Save button on the AD Security Groups Flexible Asset Type.
- Row deleted - If a Security Group Flexible Asset is manually deleted.
- Row viewed - If a Security Group Flexible Asset’s show page is viewed.
- Row edited - If a user clicked the Edit button on the Security Group Flexible Asset’s show page.
- Row updated - If a user clicked the Save button on the Security Group Flexible Asset’s show page.
- Export created - If a user clicked the Export button on the AD Security Group list view page.