Skip to main content

EP5: What attributes are queried and what permissions are required for AD synchronization

Article # 3016089 - Page views: 303


Using Equitrac Professional 5, what attributes are queried and what permissions are required for Active Directory (AD) synchronization?


Equitrac AD Synchronization uses the service account running the Equitrac CAS service to query the Microsoft Active Directory server unless specified credentials are added to the AD Synchronization settings in the Equitrac System Manager.

In a default environment, a standard Windows domain account is sufficient to query all of the atttributes Equitrac uses however permissions can be restricted in the Active Directory Schema. Equitrac requires the authority to query all of the attributes noted below.   The following Active Directory attributes are included in all Equitrac AD synchronization queries: cn displayName isDeleted mail msDS-PrincipalName objectCategory objectClass objectGUID sAMAccountName userAccountControl uSNChanged  

The following fields may be queried when using LDAP synchronization: description fullname logindisabled uid Additional fields can be configured by the customer in System Manager in the field mapping configuration. Any attributes added to field mappings will be added to Equitrac AD synchronization queries if not already included.  

Additional information:

In the Microsoft Active Directory schema, there are various permission settings that allow a qualified domain account to query specific AD attributes. Please consult Microsoft resources to determine which AD permissions must be set to enable the Equitrac service account or provided credentials with the ability to query the attributes noted above.

  • Was this article helpful?