PRTG Manual: Active Directory Integration

PRTG offers a detailed access rights management for user groups in combination with individual user access rights. For detailed information, see section Access Rights Management.

You can add PRTG user groups to PRTG, or you add user groups from your Active Directory. While integrating an Active Directory into PRTG, you map a user group from your Active Directory to a user group in PRTG.

You can integrate an Active Directory in PRTG in four steps. During this process, you map an Active Directory (AD) group to a user group in PRTG. All members of your Active Directory group can then log in to PRTG using their Active Directory domain credentials.

i_round_blueYou cannot add single Active Directory users to PRTG. You can only allow access for entire Active Directory groups. PRTG automatically creates a user account for each Active Directory user that successfully logs in to PRTG.

i_podThis feature is not available in PRTG hosted by Paessler.

Step 1: Prepare Your Active Directory

  • In your Active Directory, make sure that the users that you want to give access to PRTG are members of the same user group in your Active Directory.
  • You can also organize users into different user groups, for example, one user group whose members have administrative rights in PRTG, and one user group whose members only have read access in PRTG.

Step 2: Prepare Your PRTG Core Server

  • Make sure that the PRTG core server system is a member of the domain that you want to integrate it into. To check this setting, open the Windows Control Panel and click the Change settings link under System, section Computer name, domain, and workgroup settings.

Step 3: Add Active Directory Domain and Credentials (optional) to System Settings

  • In the PRTG web interface, select Setup | System Administration | Core & Probes from the main menu.
  • In section Active Directory Integration, enter the name of your local Active Directory domain into the Domain Name field.
    i_round_blueYou can only integrate one Active Directory domain into PRTG.
  • The following process is optional. PRTG uses the same Windows user account from which a user runs the PRTG core server service. By default, this is the local system Windows user account. If this user does not have sufficient rights to query a list of all user groups from the Active Directory, provide credentials of a user account with full Active Directory access by using the Use explicit credentials option as Access Type.
    i_round_blueIf you cannot save changes to the Core & Probes settings because you get an Error (Bad Request) with the message Active Directory Domain not accessible, select Use explicit credentials as Access Type and provide the correct credentials for your Active Directory domain.
  • Save your settings.

Step 4: Add a New User Group

  • Switch to the User Groups tab (see section User Groups).
  • Hover over b_add and click Add User Group to add a new user group.
  • Enter a meaningful User Group Name and set the Active Directory Integration setting to Yes.
  • From the Active Directory Group dropdown menu that appears, select the group in your Active Directory whose members have access to PRTG. If you have a very large Active Directory with more than 1,000 entries, you see an input field instead of a dropdown menu. In this case, you can only enter the name of the user group in your Active Directory, and PRTG automatically adds the domain name prefix.
  • For User Type, define the access rights a user from the selected Active Directory group has when logging in to PRTG for the first time. You can choose between Read/write user and Read-only user. Giving users read access only is useful to only show data to a large group of users.
  • Click Create.

Done

All users in this newly created Active Directory group can now log in to PRTG using their Active Directory domain credentials. Their user accounts have the group access rights of the user group you just created.

Notes and Restrictions

  • Active Directory users can log in to the PRTG web interface using their Windows username and password. Do not enter any domain information in the Login Name field. When an Active Directory user logs in, PRTG automatically creates a corresponding local account on the PRTG core server. Credentials are synchronized every hour.
  • Active Directory queries are made in read-only mode and are compatible with Read-only Domain Controllers (RODC).
  • For performance reasons, all requests to Active Directory servers are cached for one hour. If a password is changed, if you add a new user group in the Active Directory, or if you changed group membership of an Active Directory user, you must either wait for an hour or manually clear the cache by selecting Setup | System Administration | Administrative Tools from the main menu and clicking Go! in the Clear Caches section.
  • By default, no access rights for monitoring objects, libraries, maps, or reports are set for the new user group in PRTG. This is why, initially, users in this user group do not see monitoring objects, libraries, maps, or reports. This does not apply if the new user group has administrative rights. Edit the monitoring object's settings and the settings of libraries, maps, and reports, and set access rights for your newly created user group in the respective Access Rights section.
    i_round_blueThe easiest way is to set these access rights in the root group settings and use the inheritance of settings.
  • PRTG only supports explicit user group rights. If your Active Directory uses groups that are members of other user groups, PRTG does not regard the inherited implicit rights of the parent group and therefore refuses login for members of these user groups.
  • PRTG ignores Active Directory information about Organizational Units (OU). PRTG cannot read these values. However, if you use the Active Directory in an auto-discovery group, you can restrict the auto-discovery to machines that are part of an OU.
  • PRTG does not support single sign-on (SSO).
  • You can integrate only one Active Directory domain into PRTG.
  • PRTG does not support trusted domains or Active Directory subdomains.
  • For very large Active Directories, you see an input field instead of a dropdown menu when you add or modify a user group. In this case, you can only enter the name of the user group in your Active Directory, and PRTG automatically adds the domain name prefix.
  • A local user account for an Active Directory user is only created if this Active Directory user has successfully logged in to PRTG. If you want to send email notifications to an Active Directory group in PRTG, using the option Send to User Group in the notification settings, a member of this Active Directory group has to log in to PRTG at least once to receive email notifications. To avoid this, enter the email address of the Active Directory group in the Send to Email Address field in the notification settings and select None for the Send to User Group option.
  • If you want to delete an Active Directory group from PRTG because of some changes to the Active Directory, for example, you have to delete all users that are in this user group first. This is because Active Directory users always have this user group set as their primary group, and user accounts cannot be without a primary group.
  • If you change the group membership of an Active Directory user, this change is only reflected in the respective user groups in PRTG if this Active Directory user has logged in to PRTG again.
  • If you delete an Active Directory user from all user groups in the Active Directory that are related to PRTG access, this user cannot log in to PRTG anymore. However, you still see the user in the user account list in PRTG

Advanced Topics