Active Directory objects can be used to create security groups based on user identity, and identity-based firewall rules.

Note: For Identity Firewall rule enforcement, Windows Time service should be on for all VMs using Active Directory. This ensures that the date and time is synchronized between Active Directory and VMs. AD group membership changes, including enabling and deleting users, do not immediately take effect for logged in users. For changes to take effect, users must log out and then log back in. AD administrator's should force a log out when group membership is modified. This behavior is a limitation of Active Directory.


  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to System > Active Directory.
  3. Click the three button menu icon next to the Active Directory that you want to synchronize, and select one of the following:
    Sync Delta Perform a delta synchronization, where local AD objects that have changed since the last synchronization are updated.
    Sync All Perform a full synchronization, where the local state of all AD objects is updated.
  4. Click View Sync Status to see the current state of the Active Directory, the previous synchronization state, the synchronization status, and the last synchronization time.