Druva Documentation

AD Mapping FAQs

This article applies to:

  • inSync Cloud and On-Premise 

 FAQs

What does Druva recommend while configuring AD mapping?

Druva recommends using a dedicated AD group to create an AD mapping. This way, a user can be moved anywhere within the domain, and as long as the user remains a member of the AD group, the user will not get disabled.

How many nested levels of OUs can my user reside in to be detected by inSync?

inSync can detect users up to 3 levels of OU.

If you have OUs A, B, and C, where B is nested in OU A and C is nested in OU B, users in all three OUs (A, B, and C) will be detected. However, if you have users in another OU D, which is nested under OU C, then the users in OU D will not be detected by inSync.

Can inSync Administrators be imported using AD Mapping?

No. inSync does not support importing inSync Administrators from AD Mapping.

Can multiple AD Mappings be linked to a single AD Connector (only for Cloud)?

Yes. You can link multiple AD Mappings to a single AD Connector.

Which options can be modified once an AD Mapping is created?

The following fields can be modified in AD Mapping once it has been created.

  • Name
  • Profile
  • Storage
  • Quota per user
  • Auto import new user

What will happen if a user is manually created in inSync and it also exists in the AD OU/Group in AD Mapping?

The user will not be linked with the AD Mapping automatically. Hence, the “Auto preserve unmapped users” option will not work for that user. You will not be able to import the same user from AD Mapping.

What will happen when the email ID and user name of a user are modified in the AD? Will Druva inSync update this change for the user? 

Provided the global option Auto update user details is enabled and the user is included within the scope of AD Mapping, inSync updates the following:

  • Email address of the user
  • AD login name
  • User name

inSync updates the user name only if the CN (Common Name) or UPN of the user is modified, based on the AD/LDAP Mapping configuration.

Which parameters are important to consider when enabling users to log in with their AD credentials?

For an inSync user to be able to log on to inSync Client or inSync Web, the AD/LDAP user name in the inSync Management Console should match with the CN (Common Name) or UPN attribute of the user in the AD. 

Will the user get disabled even if the user is moved between OUs but the AD group remains same?

It depends on the AD mapping configuration. If the OU is selected as a filter in AD Mapping and if the user is moved out from the OU, the user will get disabled. If All Users is set as a filter, the user will not get disabled even if the user is moved to a different OU. 

How is Druva protecting user info fetched from AD server?

For inSync Cloud, the user info is fetched via the AD Connector. The communication between inSync Cloud and the AD Connector is over an SSL channel, and the AD Connector lies within the network. The fetched information is stored in the Config DB.

How does the “Auto-Preserve unmapped users” setting work?

A user is auto-preserved when the user is:

  • Disabled in AD/LDAP
  • Not a member of an AD group or OU
  • Mapped to the available AD/LDAP mapping defined in inSync

If a user belongs to multiple AD mappings, which AD mapping imports the user?

A user that belongs to multiple AD mappings is imported through the oldest of all the relevant AD/LDAP mappings of inSync.
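The two rules above (detection up to 3 OU levels, and import through the oldest matching mapping) can be checked against a directory export before mappings are created. The following is an added example, not Druva's code: it models OU-based mappings only, assumes the mapped OU counts as level 1 as in the OU A/B/C example, uses the default oldest-first priority, and runs on constructed mapping names, dates and `example.com` DNs.

```python
# Added example: models two rules stated in this FAQ (OU-based mappings only).
from datetime import date

MAX_OU_LEVELS = 3  # FAQ: users are detected up to 3 levels of OU

def split_dn(dn):
    """Split a DN into lowercase RDNs, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip().lower())
    return parts

def ou_level(user_dn, base_ou_dn):
    """OU level of the user relative to the mapped OU (mapped OU = level 1),
    or None when the user is not under that OU at all."""
    container, base = split_dn(user_dn)[1:], split_dn(base_ou_dn)
    if len(container) < len(base) or container[-len(base):] != base:
        return None
    extra = container[:len(container) - len(base)]
    return 1 + sum(1 for rdn in extra if rdn.startswith("ou="))

def importing_mapping(user_dn, mappings):
    """Name of the oldest mapping that detects the user, else None."""
    hits = [(created, name) for name, base, created in mappings
            if (lvl := ou_level(user_dn, base)) is not None
            and lvl <= MAX_OU_LEVELS]
    return min(hits)[1] if hits else None

# Constructed sample data (hypothetical names and dates).
MAPPINGS = [
    ("Corp-wide", "OU=A,DC=example,DC=com", date(2020, 1, 10)),
    ("Team-C", "OU=C,OU=B,OU=A,DC=example,DC=com", date(2022, 6, 1)),
]
USERS = [
    "CN=Doe\\, Jane,OU=C,OU=B,OU=A,DC=example,DC=com",  # level 3 under A
    "CN=Lee,OU=D,OU=C,OU=B,OU=A,DC=example,DC=com",     # level 4 under A
    "CN=Ray,OU=F,OU=E,OU=D,OU=C,OU=B,OU=A,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn in USERS:
        print(dn, "->", importing_mapping(dn, MAPPINGS) or "NOT DETECTED")
```

Users reported as not detected sit deeper than any mapping reaches; they will not be imported, so their devices stay outside backup coverage until a mapping is created closer to their OU or a dedicated AD group is used.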

Can I change the priority for inSync AD mappings?

When you define multiple AD/LDAP Mappings, inSync gives priority to the oldest AD/LDAP mapping by default. inSync provides an option to change the priority of an AD/LDAP mapping after you create it.

If the AD/LDAP mapping through which the user was imported is deleted, would my user be preserved?

Yes. inSync automatically scans the users that are part of the deleted AD Mapping, and if the users are not part of any other AD/LDAP Mapping, inSync marks them as ‘Preserved’.

Is there a limit to the number of AD mappings I can create?

There is no such limit and you can create as many AD mappings as you need.

If I enable a disabled user in AD, what effect does it have on a user preserved in inSync?

The impact on the manual and auto preserved user is as follows:

  • If the user was preserved manually, the change of AD account status does not have any effect on the preserved status of the user. 
  • If “Auto-update user details” is enabled and the user was auto-preserved, the user will be activated again in inSync.

What are the different methods that you can use to define AD/LDAP filter parameters?

The following table lists different methods that you can use to define AD/LDAP filter parameters:

| Filter Method | Description |
|---|---|
| Regular filter | Druva recommends this method for most AD/LDAP mappings. This method allows you to select the options based on the values provided in the lists. inSync populates these lists with values after querying your AD/LDAP. You must select the values in a sequential order because selecting the previous field populates the list in the next field. |
| Manual filter | This method allows you to enter the values for each field manually. Druva recommends this method only if you are well-informed about your organization's AD/LDAP structure. To use this method, at the bottom of the AD/LDAP Configuration page, click Switch to manual AD/LDAP filters. |

What is the maximum and minimum Auto Sync Interval that can be configured?

The minimum value is 1 hour and the maximum is 9999 hours.