Skip to main content

EO/EE: What attributes are queried and what permissions are required for AD synchronization


Using Equitrac Office and Equitrac Express, what attributes are queried and what permissions are required for Active Directory (AD) synchronization?


Equitrac AD Synchronization uses the service account running the Equitrac CAS service to query the Microsoft Active Directory server unless specified credentials are added to the AD Synchronization settings in the Equitrac System Manager. In a default environment, a standard Windows domain account is sufficient to query all of the atttributes Equitrac uses however permissions can be restricted in the Active Directory Schema. Equitrac requires the authority to query all of the attributes noted below.   The following Active Directory attributes are included in all Equitrac AD synchronization queries: cn displayName isDeleted mail msDS-PrincipalName objectCategory objectClass objectGUID sAMAccountName userAccountControl uSNChanged   The following fields may be queried when using LDAP synchronization: description fullname logindisabled uid Additional fields can be configured by the customer in System Manager in the field mapping configuration. Any attributes added to field mappings will be added to Equitrac AD synchronization queries if not already included.  

Additional information:

In the Microsoft Active Directory schema, there are various permission settings that allow a qualified domain account to query specific AD attributes. Please consult Microsoft resources to determine which AD permissions must be set to enable the Equitrac service account or provided credentials with the ability to query the attributes noted above.

  • Was this article helpful?