PRTG Manual: Active Directory Integration
PRTG offers a detailed access rights management via different user groups. For detailed information, see section User Access Rights.
To make user management easier, you can integrate an existing Active Directory in PRTG in four steps. During this process, you map an Active Directory (AD) group to a user group in PRTG. All members of your AD group can then log in to PRTG using their AD domain credentials.
You cannot add single AD users to PRTG. You can only allow access for entire groups. PRTG automatically creates a user account for each AD user that successfully logs in to PRTG.
This feature is not available in PRTG hosted by Paessler.
- In your Active Directory, ensure that the users that you want to give access to PRTG are members of the same AD group.
- You can also organize users into different groups, for example, one group whose members have administrator rights in PRTG, and one group whose members have read-only rights in PRTG.
- Make sure that the PRTG core server system is a member of the domain that you want to integrate it in. To check this setting, open the Windows Control Panel and click the Change settings link under System, section Computer name, domain, and workgroup settings).
- In the PRTG web interface, select Setup | System Administration | Core & Probes from the main menu.
- In section Active Directory Integration, enter the name of your local domain into the Domain Name field.
You can only integrate one AD domain in PRTG.
- As LDAP Transport Security, select if the connection to the LDAP server uses encryption.
- Optional: PRTG uses the same Windows user account that a user uses to run the PRTG core server service. By default, this is the local system Windows user account. If this user does not have sufficient rights to query a list of all existing groups from the Active Directory, provide credentials of a user account with full AD access by using the Use explicit credentials option as Access Type.
If you cannot save changes to Core & Probes settings because you get an Error (Bad Request) with the message Active Directory Domain not accessible, select Use explicit credentials as Access Type and provide the correct credentials for your domain.
- Save your settings.
- Switch to the User Groups tab (see section System Administration—User Groups).
- Hover over and click Add User Group to add a new user group.
- Enter a meaningful User Group Name and set the Use Active Directory setting to Yes.
- From the Active Directory Group dropdown menu that appears, select the group of your Active Directory whose members have access to PRTG. If you have a very large Active Directory, you see an input field instead of a dropdown menu. In this case, you can only enter the group name, and PRTG automatically adds the prefix.
- For New User Type, define the access rights a user from the selected Active Directory group has when logging in to PRTG for the first time. You can choose between Read/write user or Read-only user (the latter is useful to only show data to a large group of users).
- Click Create.
All users in this Active Directory group can now log in to PRTG using their AD domain credentials. Their user accounts use the security context of the user group you just created.
- Active Directory users can log in to the PRTG web interface using their Windows username and password. Do not enter any domain information in the Login Name field. When an AD user logs in, PRTG automatically creates a corresponding local account on the PRTG core server. Credentials are synchronized every hour.
- Active Directory queries are made in read-only mode and are compatible with Read-Only Domain Controllers.
- For performance reasons, all requests to Active Directory servers are cached for one hour. If a password is changed, if you add a new group in the Active Directory, or if you changed group membership of an AD user, you must either wait for an hour or manually clear the cache by choosing Setup | System Administration | Administrative Tools from the main menu and clicking the Go! button in the Clear Caches section.
- By default, no rights are set for the new user group in PRTG. This is why, initially, users in this group do not see any objects in the device tree. Edit your device tree object's settings and set access rights for your newly created user group in the Inherit Access Rights section.
The easiest way is to set access rights in the Root Group Settings.
- PRTG only supports explicit group rights. If your AD uses groups that are members of other groups, PRTG does not regard inherited implicit rights of the parent group and therefore refuses login for members of these groups.
- PRTG ignores AD information about Organizational Units (OU). PRTG cannot read these values. However, if you use the AD in an auto-discovery group, you can restrict the search to computers that are part of an OU.
- PRTG does not support single sign on (SSO).
- You can integrate only one AD domain in PRTG.
- PRTG does not support trusted domains or AD subdomains.
- For very large Active Directories, you see an input field instead of a dropdown menu when you add or modify a user group. In this case, you can only enter the group name, and PRTG automatically adds the prefix.
- A user account for an AD user is only created if this AD user has successfully logged in to PRTG. So if you want to send email notifications to an AD user group (using the option Send to User Group in the notification settings), a member of this AD group has to log in to PRTG at least once to be able to receive an email notification. If you want to avoid this, enter the email address of the AD group in the Send to Email Address field in the notification settings and select None for the Send to User Group option.
- If you want to delete an AD group from PRTG (because of some changes to the AD, for example), you have to delete all users that are in this user group first. This is because AD users always have this group as their primary group, which cannot be changed.
- If you change the group membership of an AD user, this change is only reflected in the respective user groups in PRTG if this AD user has logged in to PRTG again.
- If you delete an AD user from all groups in the Active Directory that are related to PRTG access, this user cannot log in to PRTG anymore. However, you still see the user in the user account list in PRTG
- Active Directory Integration
- Application Programming Interface (API) Definition
- Filter Rules for xFlow, IPFIX, and Packet Sniffer Sensors
- Channel Definitions for xFlow, IPFIX, and Packet Sniffer Sensors
- Define IP Ranges
- Define Lookups
- Regular Expressions
- Calculating Percentiles
- Add Remote Probe
- Failover Cluster Configuration
- Data Storage
- PRTG Housekeeping
- Using Your Own SSL Certificate