User Synchronization

This Server Task synchronizes User and User Group information from a source such as Active Directory, LDAP, etc. To run this task, click More > Server Tasks > User Synchronization > New.


Basic

In this section, you can enter basic information about a task, such as a Name and Description (optional). You can also select from the following task trigger settings:

Run task immediately after finish - Select this option to have the task run automatically after you click Finish.

Configure trigger - Select this option to enable the Trigger section, where you can configure trigger settings.

To set the trigger later, leave this check box deselected.



Common Settings

User Group Name - By default, the root for synchronized users is used (this is the All group by default). Alternatively, you can create a new User Group.

User Creation Collision Handling - Two types of conflict can occur:

There are two users with the same name in the same group.

There is an existing user with the same SID (anywhere in the system).

You can set collision handling to:

Skip - The user is not added to ESMC during synchronization with Active Directory.

Overwrite - The existing user in ESMC is overwritten by the user from Active Directory. In the case of an SID conflict, the existing user in ESMC is removed from its previous location (even if the user was in a different group).

User Extinction Handling - If a user no longer exists, you can either Remove this user or Skip it.

User Group Extinction Handling - If a user group no longer exists, you can either Remove this user group or Skip it.


If you use custom attributes for a user, set User Creation Collision Handling to Skip. Otherwise, the user (and all details) will be overwritten with the data from Active Directory, losing the custom attributes. If you want to overwrite the user, change User Extinction Handling to Skip.
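
The collision rules above, modelled as an added Python example (not ESET code; the User record, the synchronize and demo functions and the sample SIDs are constructed for illustration). It shows that Skip leaves the existing record and its custom attributes in place, while Overwrite replaces the record and removes it from its previous group.

```python
# Added illustration: a toy model of the documented rules, not ESMC code.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    sid: str
    group: str
    custom: dict = field(default_factory=dict)  # attributes set by hand in the console


def synchronize(existing, incoming, handling):
    """Apply "skip" or "overwrite" to users arriving from the directory.

    Returns (users after sync, log of (action, conflict kind, user name)).
    """
    if handling not in ("skip", "overwrite"):
        raise ValueError(f"unknown handling: {handling}")
    users, log = list(existing), []
    for new in incoming:
        # Conflict 1: same SID anywhere. Conflict 2: same name in the same group.
        sid_hit = next((u for u in users if u.sid == new.sid), None)
        name_hit = next((u for u in users
                         if u.name == new.name and u.group == new.group), None)
        if sid_hit is None and name_hit is None:
            users.append(new)
            log.append(("added", None, new.name))
            continue
        kind = "sid" if sid_hit is not None else "name"
        if handling == "skip":
            log.append(("skipped", kind, new.name))
            continue
        # Overwrite: the old record goes (from whatever group it was in) and the
        # directory copy, which carries no console-side custom attributes, replaces it.
        users = [u for u in users if u is not sid_hit and u is not name_hit]
        users.append(new)
        log.append(("overwritten", kind, new.name))
    return users, log


def demo(handling):
    # Constructed sample data; the SIDs are placeholders, not real identifiers.
    existing = [User("alice", "S-1-5-21-EXAMPLE-1001", "Sales", {"badge": "A-17"}),
                User("bob", "S-1-5-21-EXAMPLE-1002", "All")]
    incoming = [User("alice", "S-1-5-21-EXAMPLE-1001", "All"),   # SID conflict
                User("bob", "S-1-5-21-EXAMPLE-2002", "All"),     # name conflict
                User("carol", "S-1-5-21-EXAMPLE-1003", "All")]   # no conflict
    return synchronize(existing, incoming, handling)
```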

Server Connection Settings

Server - Type the Server name or IP address of your domain controller.

Login - Type the login credentials for your domain controller in the format DOMAIN\username (Windows) or username@FULL.DOMAIN.NAME (Linux).

Password - Type the password used to log on to your domain controller.

Use LDAP Parameters - If you want to use LDAP, select the check box next to Use LDAP instead of Active Directory and enter the information for your server. Alternatively, you can select Presets by clicking Custom... and the attributes will be populated automatically:

Active Directory

Mac OS X Server Open Directory (Computer Host Names)

Mac OS X Server Open Directory (Computer IP Addresses)

OpenLDAP with Samba computer records - setting up the DNS name parameters in Active Directory.

Synchronization Settings

Distinguished Name - Path (Distinguished Name) to the node in the Active Directory tree. Leaving this option empty will synchronize the entire AD tree.

User Group and User Attributes - A user's default attributes are specific to the directory to which the user belongs. If you want to synchronize Active Directory attributes, select the AD parameter from the drop-down menu in the appropriate fields or enter a custom name for the attribute. Next to each synchronized field is an ESMC placeholder (for example: ${display_name}) that will represent this attribute in certain ESMC policy settings.

Advanced User Attributes - If you want to use advanced custom attributes, select Add New. These fields will inherit the user's information, which can be addressed in a policy editor for iOS MDM as a placeholder.

IMPORTANT

If you get the error "Server not found in Kerberos database" after clicking Browse, use the server's AD FQDN instead of the IP address.


The Trigger section contains information about the trigger(s) that would run a task. Each Server Task can have up to one trigger. Each trigger can run only one Server Task. If Configure trigger is not selected in the Basic section, a trigger is not created. A task can be created without a trigger. Such a task can be run manually afterward, or a trigger can be added later.

Advanced Settings - Throttling

By setting Throttling, you can set advanced rules for the created trigger. Setting throttling is optional.


All configured options are displayed here. Review the settings and click Finish if they are OK. The task is now created and ready to be used.