User sync discovery rules

Discovery rules determine how users are synced from Active Directory (AD) and assigned to Advanced Server Access. Only one discovery rule can be created per AD job.

Discovery rules consist of the following parts:

  • Base DN: Controls where the rule searches for users
  • LDAP Query: Controls the specified criteria to filter users

Common Base DN settings

You can use the Base DN setting to control where the LDAP query searches for users. By default, the search scope uses the domain information you specified when creating the connection.

Usage Example
Search the consumer organizational unit within the domain cn=users,dc=ocorp,DC=com
Search the privileged-accounts organizational unit within the domain


Search the admins object located in the eng organizational unit within the domain

CN=admins,OU=eng,DC=test, DC=ocorp,DC=edu

Common LDAP queries

You can adjust the LDAP query to locate users that meets the specified criteria. You may need to modify the following examples to fit your specific needs. By default, discovery rules include an LDAP query to locate every user within the search scope.

Usage Example
Locate every user (objectclass=user)