PRTG Manual: Active Directory Integration
PRTG offers detailed rights management through different user groups. For details, see User Access Rights.
To make user management easier, you can integrate an existing Active Directory into PRTG in four steps. During this process, you connect an Active Directory (AD) group with a user group in PRTG. All members of your AD group will then be able to log into PRTG using their AD domain credentials.
Note: You cannot add single AD users to PRTG, but only allow access for entire groups. A PRTG user account will be created automatically for each AD user who logs in to PRTG successfully.
- In your Active Directory, ensure that the users you want to give access to PRTG are members of the same AD group.
- You can also organize users in different groups, for example, one group whose members will have administrator rights within PRTG, and another one whose members will have read-only rights within PRTG.
- Make sure that the computer running PRTG is a member of the domain you want to integrate it into. You can check this setting in your machine's System Properties (for example, Control Panel | System and Security | System, then click the Change settings link).
- In the PRTG web interface, switch to the System Administration—Core & Probes settings.
- In section Active Directory Integration, enter the name of your local domain into the Domain Name field.
Note: You can only integrate one AD domain into PRTG.
- Optional: PRTG will use the same Windows user account used to run the "PRTG Core Server Service". By default, this is the "local system" Windows user account. If this user does not have sufficient rights to query a list of all existing groups from the Active Directory, provide credentials of a user account with full AD access by using the Use explicit credentials option as Access Type.
- Save your settings.
- Switch to the User Groups tab (see System Administration—User Groups).
- Click on the New User Group button to add a new PRTG user group.
- In the dialog that appears, enter a meaningful name and set the Use Active Directory setting to Yes.
- From the Active Directory Group drop down menu, select the group of your Active Directory whose members will have access to PRTG. If you have a very large Active Directory, you will see an input field instead of a drop down. In this case, you can enter the group name only; PRTG will add the prefix automatically.
- With the New User Type setting, define the access rights a user from the selected Active Directory group will have when logging in to PRTG for the first time. You can choose between Read/Write User and Read Only User (the latter is useful if you only want to show data to a large group of users).
- Save your settings.
That's it. All users in this Active Directory group can now log in to PRTG using their AD domain credentials. Their user accounts will use the PRTG security context of the PRTG user group you just created.
- Active Directory users can log on to the web interface using their Windows username and password (please do not enter any domain information in PRTG's Login Name field). When such a user logs in, PRTG will automatically create a corresponding local account on the PRTG core server. Credentials are synchronized every hour.
- All requests to the Active Directory servers are cached for one hour, for performance reasons. If a password is changed in the Active Directory, you must either wait for 1 hour or clear the cache manually by clicking on the Clear Caches button on the System Administration—Administrative Tools page in the Setup menu.
- By default, no rights are set for the new PRTG user group. Initially, users in this group will not see any objects in the PRTG device tree. Edit the settings of your device tree objects and set access rights for your newly created user group in the Inherit Access Rights section.
Note: The easiest way is to set these rights in the Root Group Settings.
- PRTG only supports explicit group rights. If your AD uses groups that are members of another group, PRTG disregards the implicit rights inherited from the parent group and therefore refuses login for members of those groups.
- PRTG ignores AD information about Organizational Units (OUs). These values cannot be read by PRTG. However, if you use the AD in an auto-discovery group, you can restrict the search to computers which are part of an OU.
- PRTG does not support SSO (single sign-on).
- You can integrate only one AD domain into PRTG.
- For very large Active Directories, you will see an input field instead of a drop down when you add or modify a user group. In this case, you can enter the group name only. PRTG will add the prefix automatically.
- A PRTG user account for an AD user is only created if this AD user logs on to PRTG successfully! So if you want to send email notifications to an AD user group (using the option "Send to User Group" in the notification settings), for example, by choosing the default notification "Email to all members of group [AD group name]", a member of this AD group has to log on to PRTG at least once to be able to receive an email notification. If you want to avoid these single logons of your AD group members to create user accounts, enter the email address of the AD group into the "Send to Email Address" field in the notification settings and choose "None" for the "Send to User Group" option.
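Because PRTG honors only explicit group membership, it helps to check before mapping an AD group which users are direct members and which are reachable only through nested groups (the latter will be refused login). The following PowerShell is an added example, not part of the PRTG manual; it assumes the ActiveDirectory module (RSAT) is installed, and the group names PRTG-Admins and PRTG-ReadOnly are hypothetical. It also reports whether the machine it runs on is a domain member, so run it on the PRTG core server.

```powershell
# Added example, not from the PRTG manual. Requires the ActiveDirectory module (RSAT).
# 'PRTG-Admins' and 'PRTG-ReadOnly' are hypothetical group names; replace with your own.
Import-Module ActiveDirectory

function Get-PrtgGroupLoginAudit {
    param(
        [Parameter(Mandatory)] [string[]] $GroupName
    )
    foreach ($name in $GroupName) {
        # Direct user members: the only accounts PRTG accepts for this group.
        $direct = @(Get-ADGroupMember -Identity $name |
            Where-Object { $_.objectClass -eq 'user' })
        # Recursive expansion also returns users who belong via nested groups.
        $all = @(Get-ADGroupMember -Identity $name -Recursive |
            Where-Object { $_.objectClass -eq 'user' })
        $directDns = $direct | ForEach-Object { $_.distinguishedName }

        foreach ($user in $all) {
            [pscustomobject]@{
                Group          = $name
                SamAccountName = $user.SamAccountName
                # NestedOnly = member through a child group; PRTG refuses these logins.
                Membership     = if ($directDns -contains $user.distinguishedName) {
                                     'Direct'
                                 } else {
                                     'NestedOnly'
                                 }
            }
        }
    }
}

# The computer running PRTG must be a member of the domain being integrated.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"{0}: PartOfDomain={1}, Domain={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain

Get-PrtgGroupLoginAudit -GroupName 'PRTG-Admins', 'PRTG-ReadOnly' |
    Sort-Object Group, Membership, SamAccountName |
    Format-Table -AutoSize
```

Users listed as NestedOnly must be added to the mapped group directly before they can log in to PRTG.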