Active Directory change detection trigger

Summary

AutoSync has built-in support for automatically detecting changes in Active Directory and triggering an import. This trigger type works with both Active Directory Domain Services and Lightweight Directory Services (LDS).

Configuration

This trigger can only be used on an "Active Directory Domain Services" or "Active Directory Lightweight Directory Services" management agent type. From the triggers page, select Add trigger... and the AD/LDS change detection trigger will be available from the drop-down list. Please note that only a single instance of the AD/LDS trigger can be added.

| Setting | Value | Default |
| --- | --- | --- |
| Base DN | The base DN that you are interested in getting change notifications for | The base DN specified in the MA configuration |
| Host Name | The Active Directory server to bind to | The hostname as specified in the MA configuration |
| Object classes | The object classes to receive change notifications from | The object classes specified in the MA configuration |
| Credentials | Optional. The credentials to use to bind to the target directory | The identity of the AutoSync service is used if no credentials are specified |
| Minimum amount of time to wait in between executions | Prevents continuous import loops by only passing through changes in the directory once per specified interval | 1 minute |
| Ignore changes where the last logon timestamp attributes have been modified within the following time period | A change event is raised by the directory when any attribute changes - even if it is something like one of the last logon timestamp attributes. Updates to these attributes can be very frequent, and may trigger a continuous cycle of imports, defeating the purpose of change detection (you might as well have the MA on a continuous import loop). This setting tells AutoSync that if a change comes in and the object has a last logon timestamp value within the last 5 minutes, the change is ignored completely. | 5 minutes |
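
The following is an added example, not AutoSync's own code: a small Python model of how the two timing settings above interact when change notifications arrive. The `ChangeGate` class, the `import`/`ignore`/`defer` result names and the sample entries are assumptions made for illustration; `lastLogon` and `lastLogonTimestamp` are the AD attributes, stored as FILETIME values (100 ns ticks since 1601-01-01 UTC).

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOGON_ATTRS = ("lastLogon", "lastLogonTimestamp")  # stored by AD as FILETIME

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC (integer math only)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10

def from_filetime(ticks):
    """100 ns ticks since 1601-01-01 UTC -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)

class ChangeGate:
    """Hypothetical model of the two timing settings; not AutoSync code."""
    def __init__(self, min_interval=timedelta(minutes=1),
                 logon_window=timedelta(minutes=5)):
        self.min_interval, self.logon_window = min_interval, logon_window
        self.last_import = None

    def decide(self, entry, now):
        # Ignore setting: drop changes on objects with a recent last logon value.
        for name in LOGON_ATTRS:
            ticks = entry.get(name, 0)  # 0 means the attribute was never set
            if ticks and now - from_filetime(ticks) <= self.logon_window:
                return "ignore"
        # Minimum interval setting: at most one import per interval.
        if self.last_import and now - self.last_import < self.min_interval:
            return "defer"
        self.last_import = now
        return "import"

def replay():
    """Run constructed sample notifications through the gate."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    s = lambda n: t0 + timedelta(seconds=n)
    events = [  # (arrival time, changed object's attributes), all constructed
        (s(0), {"cn": "alice", "lastLogonTimestamp": to_filetime(t0 - timedelta(days=3))}),
        (s(20), {"cn": "bob", "lastLogonTimestamp": to_filetime(s(10))}),
        (s(30), {"cn": "Sales"}),
        (s(90), {"cn": "carol", "lastLogon": 0}),
    ]
    gate = ChangeGate()
    return [gate.decide(entry, now) for now, entry in events]

if __name__ == "__main__":
    print(replay())
```

In this model an `ignore` result also suppresses a genuine attribute change on an object that logged on inside the window, which is what "ignored completely" implies for that setting.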

Permissions

The AD Change Listener does not require any permissions over and above a standard user account. Read permissions to the base DN are all that are required.