Version: 5.x and newer
Models: Elite, Sentry, & Scout kiosks
Date Updated: 9/1/2013
How to use "Import from Active Directory" using the Administrative Utility - Version 5
The Directory tab of the Administrative Utility provides the interface for configuring your LobbyGuard employee directory service. The first step is to create a Directory group and the next step is to add employees to that group. See the section labeled "Directory" of the online User Manual for more information about creating a Directory group. You must then associate this group with a LobbyGuard Station for the group to appear in the sign-in process. See the section labeled “Stations” of the online User Manual for more information.
This feature uses port 389, and the kiosk must be able to communicate bi-directionally with your Active Directory. The customer must place the LobbyGuard kiosk on the same network and behind the same firewall as their Active Directory server, because the software can no longer communicate with Active Directory servers that are outside the kiosk's network.
The first step is to create a new directory on the "Directory" tab of the customer portal. After creating a Directory group for employees, you need to add employees/entries to this group. Choose the "Import from Microsoft Active Directory" option to perform an LDAP Active Directory import. There are three options currently available:
- Add Manually
- Import from Excel Spreadsheet
- Import from Microsoft Active Directory
You will then be presented with a few fields that must be filled out, including:
- Server Path - the full LDAP path for the "OU" that you would like to import
- User Name - an administrative login username for your server
- Password - the password for that account
- Filter - an optional field by which you can filter per object class, etc.
Fill out all required fields and click the "SAVE" button to begin the process. The Active Directory listing is not actually imported; rather, the kiosk is now granted a live stream to the server. If you encounter any kind of error or warning message, verify that the server path is correct and complete, that your firewall port is open to receive this request, and that the username and password are correct. An entire Active Directory group cannot be imported if it contains a significantly large number of employees. If a large number of employees exist, use only that building's employees, or a specific OU of employees, because there are limits on the total number of employees allowed. Additional prerequisites and guidelines are below.
- LDAP port 389 must be open on the firewall
- The server path must begin with a capital “LDAP” prefix. Using a lower case “ldap” is not allowed.
- The distinguished name path, after the server address, must begin with the lowest-level OU. The path should start with the lowest OU on the tree, followed by the parent OUs, and end with the highest-level DCs.
- If a port other than 389 is preferred, it must be specified in the server path using a “:” at the end of the server address.
- The server can either be specified by friendly name or by its IP Address
- The credentials (username/password) used must be administrator-level
- The username credential must have rights and privileges to the OUs that are being called upon
- Active Directory “Users” can be imported but “Computers” and “Groups” are ignored
- An entire Active Directory group cannot be imported if it contains a significantly large number of employees. If a large number of employees exist, use only that building's employees, or specific OUs of employees.
- If the Admin Utility cannot communicate with the client's LDAP server, the client should use the third-party “Active Directory Explorer” application.
- Popular "filters" include:
AD Explorer screenshot:
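The Server Path rules in the guidelines above can be checked before the value is entered in the Administrative Utility. The following is an added example, not LobbyGuard code: it assumes the path has the form `LDAP://server[:port]/distinguished-name`, and the function name `check_server_path` and all sample hosts and OUs are constructed for illustration.

```python
import re

DEFAULT_PORT = 389  # port the article says the feature uses

def check_server_path(path):
    """Check a Server Path against the article's rules.

    Returns (problems, host, port, dn); problems is empty when the path passes.
    Assumed form: LDAP://server[:port]/distinguished-name
    """
    m = re.match(r"^([A-Za-z]+)://([^/:]+)(?::([^/]*))?/(.*)$", path)
    if not m:
        return (["not of the form LDAP://server[:port]/distinguished-name"],
                None, None, None)
    scheme, host, port_s, dn = m.groups()
    problems = []
    if scheme != "LDAP":
        problems.append('prefix must be upper-case "LDAP"')
    port = DEFAULT_PORT
    if port_s is not None:  # a ":" was given after the server address
        if port_s.isdigit() and 0 < int(port_s) < 65536:
            port = int(port_s)
        else:
            problems.append("port after ':' must be a number from 1 to 65535")
    # Split the distinguished name on commas that are not backslash-escaped.
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn) if r.strip()]
    kinds = [r.split("=", 1)[0].strip().upper() for r in rdns]
    if not kinds or kinds[0] != "OU":
        problems.append("distinguished name must begin with the lowest-level OU")
    if not kinds or kinds[-1] != "DC":
        problems.append("distinguished name must end with the highest-level DC")
    if "DC" in kinds and any(k != "DC" for k in kinds[kinds.index("DC"):]):
        problems.append("all OU components must come before the DC components")
    return problems, host, port, dn

if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    samples = [
        "LDAP://dc01.example.local/OU=Building A,OU=Staff,DC=example,DC=local",
        "ldap://dc01.example.local/OU=Staff,DC=example,DC=local",
        "LDAP://10.0.0.5:10389/OU=Staff,DC=example,DC=local",
        "LDAP://dc01/DC=example,DC=local,OU=Staff",
    ]
    for s in samples:
        problems, host, port, _ = check_server_path(s)
        print(s, "->", "OK %s:%s" % (host, port) if not problems else problems)
```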