<%NUMBERING1%>.<%NUMBERING2%>.<%NUMBERING3%> PRTG Manual: Active Directory Integration
You can add PRTG user groups to PRTG, or you can add user groups from an Active Directory (AD). When you integrate the AD into PRTG, you map a user group from the AD to a user group in PRTG. All members of the AD group can then log in to PRTG with their AD domain credentials.
You cannot add single AD users to PRTG. You can only allow access for entire AD groups. PRTG automatically creates a user account for each AD user that successfully logs in to PRTG.
This feature is not available in PRTG Hosted Monitor.
Step 1: Prepare the AD
- In the AD, make sure that the users that you want to give access to PRTG are members of the same user group in the AD.
- You can also organize users into different user groups, for example, one user group whose members have administrative rights in PRTG, and one user group whose members only have read access in PRTG.
Step 2: Prepare the PRTG Core Server
- Make sure that the PRTG core server system is a member of the domain that you want to integrate it into. To check this setting, open the Windows Control Panel and click the Change settings link under System, section Computer name, domain, and workgroup settings.
Step 3: Add AD Domain and Credentials (optional) to System Settings
- In the PRTG web interface, select Setup | System Administration | Core & Probes from the main menu.
- In section Active Directory Integration, enter the name of the local AD domain in the Domain Name field.
You can only integrate one AD domain into PRTG.
- The following process is optional. PRTG uses the same Windows user account from which a user runs the PRTG core server service. By default, this is the local system Windows user account. If this user does not have sufficient rights to query a list of all user groups from the AD, provide the credentials of a user account that has full AD access by using the Use explicit credentials option as Access Type.
If you cannot save changes to the Core & Probes settings because you get an Error (Bad Request) with the message Active Directory Domain not accessible, select Use explicit credentials as Access Type and provide the correct credentials for your AD domain.
- Save your settings.
Step 4: Add a New User Group
- Go to the User Groups tab.
- Hover over and click Add User Group to add a new user group.
- Enter a User Group Name to identify the group and select Use Active Directory integration under Active Directory or Single Sign-On Integration.
- From the Active Directory Group dropdown list, select the group in the AD whose members have access to PRTG. If you have a very large AD with more than 1,000 entries, you see an input field instead of a dropdown list. In this case, you can only enter the name of the user group in the AD. PRTG automatically adds the domain name prefix.
- For User Type, define the access rights that a user from the selected AD group has when they log in to PRTG for the first time. You can choose between Read/write user and Read-only user. Read-only access is useful to only show data to a large group of users.
- Click Create.
All users in this newly created AD group can now log in to PRTG with their AD domain credentials. Their user accounts have the group access rights of the user group that you just created.
Notes and Restrictions
- AD users can log in to the PRTG web interface with their Windows user name and password. Do not enter any domain information in the Login Name field. When an AD user logs in, PRTG automatically creates a corresponding local account on the PRTG core server. PRTG synchronizes credentials every hour.
- Do not change the Login Name in PRTG for AD users unless the name changes in the AD. If you change the Login Name in PRTG, it has no effect on the name in the AD.
- AD queries are in read-only mode and are compatible with Read-only Domain Controllers (RODC).
- For performance reasons, PRTG caches all requests to AD servers for one hour. If a password changes, if you add a new user group in the AD, or if you change the group membership of an AD user, you must either wait one hour or manually clear the cache by selecting Setup | System Administration | Administrative Tools from the main menu and clicking Go! in the Clear Caches section.
- By default, no access rights for monitoring objects, libraries, maps, or reports are set for the new user group in PRTG. This is why, initially, users in this user group do not see monitoring objects, libraries, maps, or reports. This does not apply if the new user group has administrative rights. Edit the monitoring object's settings and the settings of libraries, maps, and reports, and set access rights for the newly created user group in the respective Access Rights section.
We recommend that you set these access rights in the root group settings and use the inheritance of settings.
- PRTG only supports explicit user group rights. If the AD uses groups that are members of other user groups, PRTG does not regard the inherited implicit rights of the parent group and therefore refuses the login for members of these user groups.
- PRTG ignores AD information about organization units (OU). PRTG cannot read these values. However, if you use the AD in an auto-discovery group, you can restrict the auto-discovery to machines that are part of an OU.
- You can integrate only one AD domain into PRTG.
- PRTG does not support trusted domains or AD subdomains.
- If you have a very large AD with more than 1,000 entries, you see an input field instead of a dropdown list. In this case, you can only enter the name of the user group in the AD. PRTG automatically adds the domain name prefix.
- A local user account for an AD user is only created if this AD user has successfully logged in to PRTG. If you want to send email notifications to an AD group in PRTG using the option Send to User Group in the notification settings, a member of this AD group has to log in to PRTG at least once to receive email notifications. To avoid this, enter the email address of the AD group in the Send to Email Address field in the notification settings and select None for the Send to User Group option.
- If you want to delete an AD group from PRTG because of some changes to the AD, for example, you must delete all users that are in this user group first. This is because AD users always have this user group set as their primary group, and user accounts must have a primary group.
- If you change the group membership of an AD user, this change is only reflected in the respective user groups in PRTG if this AD user has logged in to PRTG again.
- If you delete an AD user from all user groups in the AD that are related to PRTG access, this user cannot log in to PRTG anymore. However, you still see the user in the user account list in PRTG.
More
KNOWLEDGE BASE
How to integrate Azure Active Directory into PRTG?