You can add users or groups to an existing Active Directory connection.

About this task

The Directories Management user authentication system imports data from Active Directory when adding groups and users, and the speed of the system is limited by Active Directory capabilities. As a result, import operations may require a significant amount of time depending on the number of groups and users being added. To minimize the potential for delays or problems, limit the number of groups and users to only those required for vRealize Automation operation. If performance degrades or if errors occur, close any unneeded applications and ensure that your deployment has appropriate memory allocated to Active Directory. If problems persist, increase the Active Directory memory allocation as needed. For deployments with large numbers of users and groups, you may need to increase the Active Directory memory allocation to as much as 24 GB.

When you run a synchronize operation for a vRealize Automation deployment with many users and groups, there may be a delay between the time the "Sync is in progress" message disappears and the time the Sync Log details are displayed. Also, the time stamp on the log file may differ from the completion time that the user interface shows for the synchronize operation.

When you add a group from Active Directory, if members of that group are not in the Users list, they are added. When you sync a group, any users that lack Domain Users as their primary group in Active Directory are not synced.
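The primary-group rule above can be checked before you start a sync. The following is an added example, not part of the product documentation or VMware code: it reads an LDIF export of user entries and lists the members of the groups you plan to sync whose primaryGroupID is not 513, the well-known RID of Domain Users. The inline sample is constructed, and the group name vRA-Users and the example.com domain are assumptions.

```python
import base64

DOMAIN_USERS_RID = "513"  # well-known RID of the Domain Users group
# Constructed sample export; names, RIDs other than 513, and domain are assumptions.
SAMPLE_LDIF = """\
dn: CN=Alice Admin,OU=Staff,DC=example,DC=com
memberOf: CN=vRA-Users,OU=Groups,DC=example,DC=com
primaryGroupID: 513

dn: CN=Bob Builder,OU=Staff,DC=example,DC=com
memberOf: CN=vRA-Users,OU=Groups,
 DC=example,DC=com
primaryGroupID: 1105

dn: CN=Carol Clerk,OU=Staff,DC=example,DC=com
memberOf: CN=Other,OU=Groups,DC=example,DC=com
primaryGroupID: 1105
"""

def parse_ldif(text):
    """Parse LDIF text into one {attribute_lowercase: [values]} dict per entry."""
    # LDIF folds long lines as "newline + one space"; undo that first.
    lines = text.replace("\r\n", "\n").replace("\n ", "").split("\n")
    entries, current = [], {}
    for line in lines + [""]:  # the extra "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):  # skip comment lines
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" carries non-ASCII values
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    """Case-insensitive DN key. Simplified: does not handle escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def skipped_members(ldif_text, group_dns):
    """Return DNs of users in the given groups whose primary group is not Domain Users."""
    wanted = {norm_dn(g) for g in group_dns}
    skipped = []
    for entry in parse_ldif(ldif_text):
        in_scope = wanted & {norm_dn(g) for g in entry.get("memberof", [])}
        if "dn" in entry and in_scope and entry.get("primarygroupid") != [DOMAIN_USERS_RID]:
            skipped.append(entry["dn"][0])
    return skipped
```

Pass the same group DNs that you intend to enter in Sync Settings; any DN returned is a user who will be absent after the sync until the primary group is corrected in Active Directory.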


You cannot cancel a synchronize operation after it has been initiated.


Prerequisites

  • Connector installed and the activation code activated. Select the required default attributes and add additional attributes on the User Attributes page.

    See Select Attributes to Sync with Directory.

  • List of the Active Directory groups and users to sync from Active Directory.

  • For Active Directory over LDAP, information required includes the Base DN, Bind DN, and Bind DN password.

  • For Active Directory Integrated Windows Authentication, the information required includes the domain's Bind user UPN address and password.

  • If Active Directory is accessed over SSL, a copy of the SSL certificate is required.

  • For Active Directory Integrated Windows Authentication, when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If this is not done, these members are missing from the Domain Local group.

  • Log in to the vRealize Automation console as a tenant administrator.


Procedure

  1. Select Administration > Directories Management > Directories.
  2. Click the desired directory name.
  3. Click Sync Settings to open a dialog with synchronization options.
  4. Click the appropriate icon depending on whether you want to change the user or group configuration.

    To edit the group configuration:

    • To add groups, click the + icon to add a new line for group DN definitions and enter the appropriate group DN.

    • If you want to delete a group DN definition, click the x icon for the desired group DN.

    To edit the user configuration:

    • To add users, click the + icon to add a new line for user DN definition and enter the appropriate user DN.

    • If you want to delete a user DN definition, click the x icon for the desired user DN.

  5. Click Save to save your changes without synchronizing, or click Save & Sync to save your changes and synchronize so that your updates are implemented immediately.