Import Users From Active Directory | Zoho Vault

Import Users from Active Directory

Zoho Vault provides a user provisioning app that imports users and periodically syncs them with your AD/LDAP user list, simplifying user management. On Windows, you can configure the provisioning app as a scheduled task to automatically add, update, disable, or delete users in Zoho Vault, based on your AD settings.


Prerequisites

  • Zoho Vault account with super admin credentials.
  • A verified domain name in Zoho Vault.
  • Windows system with .NET Framework 2.0.


How does it work?

The provisioning app queries Active Directory and imports the matching users. It also retrieves your organization's users from Zoho Accounts. The app then compares the users returned by the LDAP queries with the users in Zoho Accounts.

  • If your users are available in Active Directory but not in Zoho, they will be added to Zoho Vault.
  • If your users are available in Zoho, but not in Active Directory, they will be deleted or disabled from Zoho Vault, based on the sync preference set in the provisioning tool.

Note: You can also exclude users based on various exclusion rules.


LDAP queries

Because the provisioning app can add or delete users from your organization's Zoho Vault account, it's important to configure LDAP queries and exclusion rules in the app. Determine the users you wish to sync from your LDAP server and Zoho Vault, then configure LDAP queries in the provisioning app that match only those users.

Here are a few examples:

To import or sync all users in AD/LDAP

Base DN : DC=zillum,DC=com
Query : (objectClass=user)

To import or sync all users in an Organization Unit (OU) named Austin

Base DN : OU=Austin,DC=zillum,DC=com
Query : (objectClass=user)

To import or sync only the users in a specific department (for example, 'ITAdmin') belonging to the Austin OU

Base DN : OU=Austin,DC=zillum,DC=com
Query : (&(objectClass=user)(department=ITAdmin))
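
The effect of query scope on what a sync would add or remove, as an added example (not Zoho's code and not part of the original page). It evaluates the three Base DN and query pairs above against a small constructed directory and compares the result with a constructed Zoho user list, following the comparison described under "How does it work?". The sample entries, the use of `mail` as the matching key, and the helper names are assumptions; exclusion rules are not modelled.

```python
# Constructed sample data (not from a real directory). Attribute names are
# lowercased; using "mail" as the key shared with Zoho is an assumption.
AD = {
    "CN=Ana,OU=Austin,DC=zillum,DC=com": {"objectclass": ["user"], "department": ["ITAdmin"], "mail": ["ana@zillum.com"]},
    "CN=Bo,OU=Austin,DC=zillum,DC=com": {"objectclass": ["user"], "department": ["Sales"], "mail": ["bo@zillum.com"]},
    "CN=Cy,OU=Dallas,DC=zillum,DC=com": {"objectclass": ["user"], "department": ["ITAdmin"], "mail": ["cy@zillum.com"]},
    "CN=svc-backup,OU=Service,DC=zillum,DC=com": {"objectclass": ["user"], "mail": ["svc-backup@zillum.com"]},
    "OU=Austin,DC=zillum,DC=com": {"objectclass": ["organizationalUnit"]},
}
ZOHO = {"ana@zillum.com", "bo@zillum.com", "cy@zillum.com"}  # constructed


def parse(f, i=0):
    """Parse the LDAP filter at f[i]; supports &, |, ! and equality only."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1


def matches(node, attrs):
    if node[0] == "=":  # case-insensitive equality on any value of the attribute
        return node[2] in (v.lower() for v in attrs.get(node[1], []))
    hits = [matches(kid, attrs) for kid in node[1]]
    return {"&": all(hits), "|": any(hits), "!": not any(hits)}[node[0]]


def search(base_dn, query):
    """Subtree search: DNs at or under base_dn whose attributes match the query."""
    tree, _ = parse(query)
    base = base_dn.lower()  # simplified DN comparison (no whitespace normalisation)
    return [dn for dn, attrs in AD.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(tree, attrs)]


def sync_plan(base_dn, query, zoho=ZOHO):
    """Return (to_add, to_remove): in AD but not Zoho, and in Zoho but not AD."""
    in_ad = {AD[dn]["mail"][0] for dn in search(base_dn, query) if "mail" in AD[dn]}
    return sorted(in_ad - zoho), sorted(zoho - in_ad)
```

With this data, the domain-wide query would add the service account, while the two Austin queries would mark existing Zoho users outside their scope for deletion or disabling. Running the same comparison as a simulated sync in the provisioning app shows the real lists before anything is changed.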


User authentication for imported accounts


  • Zoho Vault will automatically create a new user account for every imported user from AD/LDAP.
  • Your users can log in to Zoho Vault using the default password set in the provisioning app during the initial setup.
  • Soon after the users log in with the default password, they will be forced to set a new password.


The different types of synchronization

There are three ways in which you can sync your AD/LDAP with Zoho Vault.

Manual sync

  • You can run the provisioning app, then manually select Sync. You will find the list of users to be added, deleted, or disabled.
  • Select the users you wish to sync and select Sync.


Command-line sync

To sync your AD/LDAP using the command line, you must have manually synced your AD/LDAP at least once. To do so:


  1. Run the provisioning app and enter the requested details.
  2. Select the type of sync (to delete or disable users deleted in AD/LDAP) you wish to perform. 
  3. You can simulate sync to preview the list of users to be added or deleted.
  4. Click Save settings for sync to save all your options to a file (sync.conf).
  5. Use this file as an argument for the ProvisioningApp.exe.
  6. Execute the following command from the command prompt to initiate sync:

    ProvisioningApp.exe --action=sync --conf=D:\Users\Administrator\ZohoProvisioning\provisioning.conf


Scheduled sync

Configure the above command in the Windows Task Scheduler for periodic syncing. An email will be sent to the given address whenever new users are added, deleted, or disabled.


Importing users from multiple domains

You can import users from multiple domains to Zoho Vault in two ways. 


Single Forest

Use a Global Catalog to query multiple domains in a single forest. Instead of LDAP://, enter GC:// in the provisioning tool to search the Global Catalog and import or sync all users in the same forest with Zoho Vault.


Multiple Forests

To import users from multiple forests, you will have to run the provisioning tool multiple times. You cannot sync users from multiple forests.


Troubleshooting

If you face any issues while importing users or syncing your AD/LDAP with Zoho Vault, please send us your log files from the Windows user profiles directory (e.g., D:\Users\Administrator.Domain\ZohoProvisioning\logs) to help us troubleshoot the issue.