Active Directory Connector (AD Connector) - TeamViewer Support
<main> <article class="userContent"> <p><br></p><h2 data-id="general">General</h2><div class="blockquote"><div class="blockquote-content"><p class="blockquote-line"><em>This article applies to TeamViewer customers with a Premium, Corporate, or Tensor </em><a href="https://www.teamviewer.com/en/buy-now/" rel="nofollow noreferrer ugc"><em>license</em></a><em>.</em></p></div></div><p>The <strong>TeamViewer Active Directory Connector</strong> (AD Connector) helps administrators to create and setup TeamViewer accounts easily and centrally for all employees in a company via Active Directory without the need of adapting and using scripts and programming knowledge.</p><p><br></p><h3></h3><h2 data-id="requirements">Requirements</h2><p>To use this feature you need</p><ul><li>a TeamViewer company profile (<a href="https://community.teamviewer.com/t5/Knowledge-Base/All-about-the-TeamViewer-company-profile/ta-p/3573#toc-hId-678419261" rel="nofollow noreferrer ugc">How to create your company profile</a>)</li><li>a valid TeamViewer Premium, Corporate, or Enterprise license for TeamViewer </li><li>to download the AD Connector from our <a href="https://www.teamviewer.com/en/integrations/active-directory/" rel="nofollow noreferrer ugc">Integrations site</a></li><li><em>an API token from the </em><a href="https://login.teamviewer.com/" rel="nofollow noreferrer ugc">Management Console</a></li><li><em>Windows Server 2012 or higher with Windows Powershell 4.0 or higher</em></li></ul><p><br></p><h3 data-id="-1"></h3><h2 data-id="download-the-ad-connector">Download the AD Connector</h2><p>You can download the AD Connector from our website <a href="https://www.teamviewer.com/en/integrations/active-directory/" rel="nofollow noreferrer ugc">here</a>.</p><p><br></p><h3 data-id="-2"></h3><h2 data-id="run-the-ad-connector">Run the AD Connector</h2><p>To run the program, please un-zip the file and double-click the <strong>Configure TeamViewer AD Connector.bat</strong> file.</p><p><br></p><h3 data-id="-3"></h3><h2 data-id="getting-started">Getting started</h2><p>The TeamViewer AD Connector has two main areas such as <strong>Configuration</strong> and <strong>Scheduled task</strong>.</p><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/LLIM2ZLYFZVN/image.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/LLIM2ZLYFZVN/image.png" alt="image.png" height="763" width="606" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p><br></p><p><em>The configuration UI provides the following features:</em></p><ul><li>Show and adapt the sync configuration.</li><li>Validate the entered TeamViewer API token.</li><li>Manually trigger a run of the synchronization script.</li><li>Install/Uninstall a scheduled task to run the synchronization script automatically.</li></ul><p>The configuration UI requires to be run with elevated user rights to be able to install and uninstall the scheduled task. The script automatically asks for elevated rights (if required).</p><p><br></p><h3 data-id="-4"></h3><h2 data-id="configuration-(3-tabs)">Configuration (3 tabs)</h2><p>These are the available configuration parameters of the TeamViewer AD Connector.</p><h2 data-id="synchronization">Synchronization</h2><p><strong>Setting: </strong>API token</p><p><strong>Description:</strong> The TeamViewer API access token is used for accessing the TeamViewer company user management. You can create the script token in the Management Console --> <strong>Apps </strong>--> <strong>Create script token</strong>.</p><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/E556OWRXVOLR/image.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/E556OWRXVOLR/image.png" alt="image.png" height="747" width="1458" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p><br></p><p>You only need the following permissions that you can open via the little arrow left to the options name: </p><ul><li><strong>View, create, and edit</strong> for <strong>User Management</strong></li><li><strong>View full profile</strong> for <strong>Account Management</strong> -> Used to skip possible deactivation of API token owner</li><li><strong><em>Optional:</em></strong> <strong>View, create, delete, edit and share groups</strong> for <strong>Group Management</strong> -> required when conditional access synchronization is enabled</li></ul><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/6IDMMFETK9KJ/image.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/6IDMMFETK9KJ/image.png" alt="image.png" height="709" width="534" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p><br></p><p><em>_____</em></p><p><strong>Setting: </strong>AD groups</p><p><strong>Description: </strong>The LDAP identifier (without the leading `LDAP://` protocol scheme) of the AD groups used for the synchronization.</p><p>You do not need to run the AD Connector on a Domain Controller. All computers that are part of the domain can access the list of AD groups. </p><p>_____</p><p><strong>Setting: </strong>Test run</p><p><strong>Description: </strong>If set to `true` the synchronization will not modify any TeamViewer user resources but instead only log the actions that would have been executed.</p><p>_____</p><p><strong>Setting: </strong>Deactivate TeamViewer Users that are not members of the AD group</p><p><strong>Description: </strong>If set to `true` TeamViewer users that are not a member of the selected AD group will be disabled.</p><p>_____</p><p><strong>Setting: </strong>Include users of nested AD groups</p><p><strong>Description: </strong>If set to `true` users of nested AD groups will be included.</p><p>_____</p><p><strong>Setting: </strong>Include secondary email addresses for synchronization</p><p><strong>Description: </strong>If set to `true` secondary email addresses will be included.</p><p>_____</p><p><strong>Setting: </strong>Include secondary email addresses for synchronization</p><p><strong>Description: </strong>If set to `true` secondary email addresses will be included.</p><p>_____</p><h2 data-id="teamviewer-accounts">TeamViewer Accounts</h2><p><strong>Setting: </strong>Language</p><p><strong>Description: </strong>The two-letter language identifier used as the default language for newly created TeamViewer users. For example, it is used to localize the "Welcome" email.</p><p>_____</p><h2 data-id="accounts-type">Accounts Type</h2><p><strong>Setting: </strong>Create accounts with predefined password</p><p><strong>Description: </strong>The initial password used for newly created TeamViewer users to be changed by the user when logging in the first time.</p><p>_____</p><p><strong>Setting: </strong>Create accounts with generated password</p><p><strong>Description: </strong>A random password will be generated by the system. A password reset mail will be sent to the user automatically so that the user can change the password.</p><p>_____</p><p><strong>Setting: </strong>Use Single Sign-On --> <em>Included with Tensor license only</em></p><p><strong>Description: </strong>Users can login with via SSO. The admin needs to add the Identifier he got whilst activating SSO for your company.</p><p>_____</p><h2 data-id="conditional-access">Conditional Access</h2><p><strong>Setting: </strong>Enable TeamViewer Conditional Access group synchronization --> <em>Included with Tensor license only</em></p><p><strong>Description: </strong>Users can synchronize the given AD groups and their respective users with the directory groups for conditional access in TeamViewer. Those groups can then be used to restrict/allow TeamViewer functionality for certain users.</p><p>_____</p><h2 data-id="scheduled-task">Scheduled task</h2><p>The scheduled task will be created with the specified interval as:</p><pre class="code codeBlock" spellcheck="false" tabindex="0">...\TeamViewer\TeamViewer AD Connector </pre><p>The output of the scheduled task is redirected to the specified log file location.</p><p>You can set the interval for the task as you like. The interval is currently on an hourly base.</p><h4 data-id="change-user-for-scheduled-task%3A">Change user for scheduled task:</h4><p>You might need to modify the user in order to have the necessary execution permissions for the scheduled task. To change the user of the scheduled task:</p><ol><li>Go to <strong>Start</strong> --> <strong>Administrative Tools</strong> --> <strong>Task Scheduler</strong></li><li><em>Select </em><strong>Task Scheduler Library</strong></li><li><em>Right-click the scheduled task to modify, select </em><strong>Properties</strong>, and select the <strong>General</strong> tab or double click the scheduled task.</li><li>Click the <strong>Change User or Group...</strong> button</li><li>Enter <USER> in <strong>Enter the object name to select</strong> text box and press <strong>Check Names</strong></li><li><em>Press </em><strong>OK</strong> button</li><li>Under <strong>When running the task, use the following user account:</strong> you should now see this user.</li><li>Click <strong>OK</strong>, then quit Scheduled Tasks.</li></ol><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/6L1L995BJ55V/image.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/6L1L995BJ55V/image.png" alt="image.png" height="304" width="400" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p></p><p><br></p><h2 data-id="user-synchronization-logic">User Synchronization Logic</h2><p>The actual synchronization is done by the <strong>Invoke-Sync.ps1</strong> script in the <strong>TeamViewerADConnector </strong>directory using the following logic:</p><ul><li>Users of the configured AD group that are not yet part of the configured TeamViewer company (identified by the API token) will be created with the specified initial password.</li><li>Users of the configured AD group that are already part of the configured TeamViewer company will be activated and/or updated if the name of the user has been changed or the TeamViewer user is deactivated.</li><li>If configured, users of the TeamViewer company that are not present in the configured AD group will be deactivated.</li></ul><p>Identification of users is done based on the email addresses. If configured, the secondary email addresses of AD users are also taken into account for the mapping between AD users and TeamViewer users.</p> </article> </main>
