eADM

How to Configure Synchronization Templates for Automatic AD Groups

This guide describes the standard procedure for configuring synchronization templates to export automatic groups to an on-premises Active Directory.

When setting up a synchronization template for groups, you must configure three main elements:

  1. Rule Set: Defines which groups the template will export.

  2. Object Path: Specifies the destination Organizational Unit (OU) in Active Directory where the groups will be created.

  3. Attribute Mappings: Determines how data from the source system is mapped to the attributes of the group objects in Active Directory.



Rule Set

The first step is to select a rule set that identifies the specific groups this template should manage. For detailed information on how to configure rule sets for automatic and manual groups, please see this article.

The "Main Information" tab of the template provides a summary, including the selected rule set.

| Field | Description |
|---|---|
| Name | A descriptive name for the template, e.g., "Automatic Department Groups". |
| Active | Determines whether the template is enabled. Must be set to "Yes". |
| Object Type | Must be set to "Group". |
| Synchronization Step | Set to "Export AD". |
| Rule Set | The rule set that determines which groups to export. |
| Permanent Deletion | If set to "No", groups are disabled in AD upon deletion instead of being permanently removed. |

Object Path

The object path specifies the exact location within your Active Directory where the new groups will be created.

You must provide the full, absolute distinguished name of the target OU, including the domain components (DC=...). A template may use one or more such absolute paths.


Example:

OU=Security-Groups,OU=Utfjord,DC=utfjord,DC=kommune,DC=no



Attribute Mappings

Mappings define how attributes for the group object in Active Directory are populated. Below are recommended configurations for common attributes.

| Target Attribute | Example Source Value | Comments |
|---|---|---|
| cn | [CNCLEAN; [description]] | The group's common name. The name is derived from the description attribute and processed using the CNCLEAN function to sanitize the value and prevent errors caused by special characters. |
| samAccountName | sourceid | It is highly recommended to set the samAccountName to the sourceid, which is the unique internal serial number for the department or unit. |
| displayName | [OrgUnitNr] [CNCLEAN; [description]] | Sets a user-friendly display name, often combining the department number and the abbreviated department name (e.g., "0123 Sales Department"). |
| description | Security group for employees at [Description] | Provides a more detailed explanation of the group's purpose. |
| groupType | -2147483640 | Defines the group type and scope in Active Directory. Common values: -2147483646 (Global Security Group), -2147483644 (Domain Local Security Group), -2147483640 (Universal Security Group). |
| relative | [Name] (via foreign key) | Used to create nested groups (a group that is a member of another group). |
| createScript | C:\eadm\scripts\mail-enable.ps1 | Specifies the full path to a script that runs when a group is created. This can be used, for example, to enable email for a new security group. |


Warning: Nesting groups using the relative attribute is not recommended for security groups linked to firewalls or for groups that are synchronized with Azure AD.

Note: You can use sub-rulesets to apply different attribute mappings to different selections of groups within the same template.
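As an added illustration that is not part of this article or of eADM itself, the following Python applies the mappings from the table above to one constructed department record, decodes the groupType bit flags behind the three listed values, and escapes the resulting cn so the DN under the example object path stays well formed. cn_clean is an assumed approximation of CNCLEAN, and the record fields sourceid, OrgUnitNr and description are the source names used in the table.

```python
import re
# Destination OU from the Object Path section above.
OBJECT_PATH = "OU=Security-Groups,OU=Utfjord,DC=utfjord,DC=kommune,DC=no"
# groupType is a signed 32-bit bit field: 0x80000000 marks a security group
# and exactly one scope bit selects Global, Domain Local or Universal.
SECURITY_ENABLED = 0x80000000
SCOPE_BITS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}

def decode_group_type(value: int) -> str:
    """Name the scope and kind behind a groupType value such as -2147483640."""
    flags = value & 0xFFFFFFFF  # view the signed AD integer as unsigned
    scopes = [name for bit, name in SCOPE_BITS.items() if flags & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} does not select exactly one scope")
    kind = "Security" if flags & SECURITY_ENABLED else "Distribution"
    return f"{scopes[0]} {kind} Group"

def cn_clean(text: str) -> str:
    """Assumed stand-in for CNCLEAN: keep word chars, space and '-', cap at 64."""
    kept = re.sub(r"[^\w \-]", "", text)
    return re.sub(r"\s+", " ", kept).strip()[:64]

def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for a cn inside a DN; a no-op after cn_clean, but it
    protects any value that reaches the DN unsanitized."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def build_group(record: dict, group_type: int = -2147483640) -> dict:
    """Apply the mapping table to one source record; returns the AD attributes."""
    cn = cn_clean(record["description"])
    return {
        "dn": f"CN={escape_rdn_value(cn)},{OBJECT_PATH}",
        "cn": cn,
        "samAccountName": record["sourceid"],
        "displayName": f"{record['OrgUnitNr']} {cn}",
        "description": f"Security group for employees at {record['description']}",
        "groupType": group_type,
        "groupTypeDecoded": decode_group_type(group_type),
    }

# Constructed sample department record, not real data.
SAMPLE = {"sourceid": "4711", "OrgUnitNr": "0123", "description": "Sales, Dept./Region <North>"}
```

Running build_group(SAMPLE) shows how the punctuation in the source description disappears from cn and displayName while the description attribute keeps the original wording.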