PRTG Manual: Active Directory Integration
PRTG offers a detailed rights management via different user groups. For detailed information, see section User Access Rights.
To make user management easier, you can integrate an existing Active Directory into PRTG in four steps. During this process, you connect an Active Directory (AD) group with a user group in PRTG. All members of your AD group can then log in to PRTG using their AD domain credentials.
You cannot add single AD users to PRTG, but only allow access for entire groups. PRTG automatically creates a user account for each AD user who logs in to PRTG successfully.
This feature is not available in PRTG hosted by Paessler.
- In your Active Directory, ensure users you want to give access to PRTG are members of the same AD group.
- You can also organize users in different groups, for example, one group whose members will have administrator rights within PRTG, and another one whose members will have read-only rights within PRTG.
- Make sure the computer running PRTG is a member of the domain you want to integrate it to. You can check this setting in your machine's System Properties (for example, Control Panel | System and Security | System, click Change settings link).
- In the PRTG web interface, open the System Administration—Core & Probes settings.
- In section Active Directory Integration, enter the name of your local domain into the Domain Name field.
You can only integrate one AD domain into PRTG.
- Optional: PRTG uses the same Windows user account that you use to run the PRTG Core Server Service. By default, this is the local system Windows user account. If this user does not have sufficient rights to query a list of all existing groups from the Active Directory, provide credentials of a user account with full AD access by using the Use explicit credentials option as Access Type.
If you cannot save changes to Core & Probes settings because you get an Error (Bad Request) with the message Active Directory Domain not accessible, change from "local user" to Use explicit credentials for Active Directory Integration and provide the correct credentials for your domain.
- Save your settings.
- Switch to the User Groups tab (see section System Administration—User Groups).
- Hover over and click Add User Group to add a new PRTG user group.
- In the dialog appearing, enter a meaningful name and set the Use Active Directory setting to Yes.
- From the Active Directory Group dropdown menu, select the group of your Active Directory whose members will have access to PRTG. If you have a very large Active Directory, you will see an input field instead of a dropdown. In this case, you can enter the group name only; PRTG will add the prefix automatically.
- With the New User Type setting, define the access rights a user from the selected Active Directory group will have when logging in to PRTG for the first time. You can choose between Read/Write User or Read-Only User (latter is useful to show data only to a large group of users).
- Click Create to create the new user group.
That's it. All users in this Active Directory group can now log in to PRTG using their AD domain credentials. Their user accounts will use the PRTG security context of the PRTG user group you just created.
- Active Directory users can log on to the web interface using their Windows username and password (please do not enter any domain information in the Login Name field in PRTG). When such a user logs in, PRTG will automatically create a corresponding local account on the PRTG core server. Credentials are synchronized every hour.
- All requests to the Active Directory servers are cached for one hour, for performance reasons. If a password is changed or if you add a new group in the Active Directory, you must either wait for 1 hour or clear the cache manually by clicking on the Clear Caches button on the System Administration—Administrative Tools page in the Setup menu).
- By default, no rights are set for the new PRTG user group. Initially, users in this group will not see any objects in the PRTG device tree. Edit your device tree object's settings and set access rights for your newly created user group in the Inherit Access Rights section.
The easiest way is to set access rights in the Root Group Settings.
- PRTG only supports explicit group rights. If your AD uses groups that are members of another group, PRTG will not regard inherited implicit rights of the parent group and therefore refuse login for members of those groups.
- PRTG ignores AD information about Organizational Units (OUs). These values cannot be read by PRTG. However, if you use the AD in an auto-discovery group, you can restrict the search to computers that are part of an OU.
- PRTG does not support SSO (single sign-on).
- You can integrate only one AD domain into PRTG.
- PRTG does not support trusted domains or AD subdomains.
- For very large Active Directories, you will see an input field instead of a dropdown when you add or modify a user group. In this case, you can enter the group name only. PRTG will add the prefix automatically.
- A PRTG user account for an AD user is only created if this AD user successfully logs in to PRTG! So if you want to send email notifications to an AD user group (using the option Send to User Group in the notification settings), for example, by choosing the default notification "Email to all members of group [AD group name]", a member of this AD group has to log in to PRTG at least once to be able to receive an email notification. If you want to avoid these single logons of your AD group members to create user accounts, enter the email address of the AD group in the Send to Email Address field in the notification settings and choose None for the Send to User Group option.
- If you want to delete an AD group from PRTG (due to some changes to the AD, for example), you have to delete all users that are in this PRTG user group first. This is because AD users always have this group as their primary group, which cannot be changed.
- If you want to reflect changes to your AD in PRTG, you have to delete the AD user group and all members first. Then add the AD group anew. This is because PRTG does not synchronize with your AD automatically.
- Active Directory Integration
- Application Programming Interface (API) Definition
- Filter Rules for xFlow, IPFIX, and Packet Sniffer Sensors
- Channel Definitions for xFlow, IPFIX, and Packet Sniffer Sensors
- Define IP Ranges
- Define Lookups
- Regular Expressions
- Add Remote Probe
- Failover Cluster Configuration
- Data Storage
- Using Your Own SSL Certificate
- Calculating Percentiles