PRTG Manual: Active Directory Integration
PRTG offers a detailed access rights management via different user groups. For detailed information, see section User Access Rights.
To make user management easier, you can integrate an existing Active Directory in PRTG in four steps. During this process, you map an Active Directory (AD) group to a user group in PRTG. All members of your AD group can then log in to PRTG using their AD domain credentials.
You cannot add single AD users to PRTG, but only allow access for entire groups. PRTG automatically creates a user account for each AD user who successfully logs in to PRTG.
This feature is not available in PRTG hosted by Paessler.
- In your Active Directory, ensure that the users that you want to give access to PRTG are members of the same AD group.
- You can also organize users into different groups, for example, one group whose members have administrator rights within PRTG, and another one whose members have read-only rights within PRTG.
- Make sure that the computer running PRTG is a member of the domain that you want to integrate it in. To check this setting on your machine, open the Windows Control Panel and click the Change settings link under System, section Computer name, domain, and workgroup settings).
- In the PRTG web interface, choose Setup | System Administration | Core & Probes from the main menu.
- In section Active Directory Integration, enter the name of your local domain into the Domain Name field.
You can only integrate one AD domain in PRTG.
- Optional: PRTG uses the same Windows user account that a user uses to run the PRTG core server service. By default, this is the local system Windows user account. If this user does not have sufficient rights to query a list of all existing groups from the Active Directory, provide credentials of a user account with full AD access by using the Use explicit credentials option as Access Type.
If you cannot save changes to Core & Probes settings because you get an Error (Bad Request) with the message Active Directory Domain not accessible, select Use explicit credentials as Access Type and provide the correct credentials for your domain.
- Save your settings.
- Switch to the User Groups tab (see section System Administration—User Groups).
- Hover over and click Add User Group to add a new PRTG user group.
- Enter a meaningful User Group Name and set the Use Active Directory setting to Yes.
- From the Active Directory Group dropdown menu that appears, select the group of your Active Directory whose members have access to PRTG. If you have a very large Active Directory, you see an input field instead of a dropdown menu. In this case, you can only enter the group name, and PRTG automatically adds the prefix.
- For New User Type, define the access rights a user from the selected Active Directory group has when logging in to PRTG for the first time. You can choose between Read/Write User or Read-Only User (the latter is useful to only show data to a large group of users).
- Click Create.
All users in this Active Directory group can now log in to PRTG using their AD domain credentials. Their user accounts use the PRTG security context of the PRTG user group you just created.
- Active Directory users can log in to the web interface using their Windows username and password. Do not enter any domain information in the Login Name field in PRTG. When an AD user logs in, PRTG automatically creates a corresponding local account on the PRTG core server. Credentials are synchronized every hour.
- Active Directory queries are made in read-only mode and are compatible with Read-Only Domain Controllers.
- For performance reasons, all requests to Active Directory servers are cached for one hour. If a password is changed, if you add a new group in the Active Directory, or if you changed group membership of an AD user, you must either wait for an hour or manually clear the cache by choosing Setup | System Administration | Administrative Tools from the main menu and clicking the Go! button in the Clear Caches section.
- By default, no rights are set for the new PRTG user group. This is why initially, users in this group do not see any objects in the PRTG device tree. Edit your device tree object's settings and set access rights for your newly created user group in the Inherit Access Rights section.
The easiest way is to set access rights in the Root Group Settings.
- PRTG only supports explicit group rights. If your AD uses groups that are members of another group, PRTG does not regard inherited implicit rights of the parent group and therefore refuses login for members of these groups.
- PRTG ignores AD information about Organizational Units (OU). These values cannot be read by PRTG. However, if you use the AD in an auto-discovery group, you can restrict the search to computers that are part of an OU.
- PRTG does not support single sign on (SSO).
- You can integrate only one AD domain in PRTG.
- PRTG does not support trusted domains or AD subdomains.
- For very large Active Directories, you see an input field instead of a dropdown menu when you add or modify a user group. In this case, you can only enter the group name, and PRTG automatically adds the prefix.
- A PRTG user account for an AD user is only created if this AD user has successfully logged in to PRTG. So if you want to send email notifications to an AD user group (using the option Send to User Group in the notification settings), a member of this AD group has to log in to PRTG at least once to be able to receive an email notification. If you want to avoid this, enter the email address of the AD group in the Send to Email Address field in the notification settings and select None for the Send to User Group option.
- If you want to delete an AD group from PRTG (because of some changes to the AD, for example), you have to delete all users that are in this PRTG user group first. This is because AD users always have this group as their primary group, which cannot be changed.
- If you change the group membership of an AD user, this change is only reflected in the respective PRTG user groups if this AD user has logged in to PRTG again.
- If you delete an AD user from all groups in the Active Directory that are related to PRTG access, this user cannot log in to PRTG anymore. However, you still see the user in the PRTG user account list.
- Active Directory Integration
- Application Programming Interface (API) Definition
- Filter Rules for xFlow, IPFIX, and Packet Sniffer Sensors
- Channel Definitions for xFlow, IPFIX, and Packet Sniffer Sensors
- Define IP Ranges
- Define Lookups
- Regular Expressions
- Calculating Percentiles
- Add Remote Probe
- Failover Cluster Configuration
- Data Storage
- PRTG Housekeeping
- Using Your Own SSL Certificate