# Active Directory Integration for OS Deployer

**Last Updated On**: 17 Apr 2026 **12 minutes read**

Active Directory is a directory service developed by Microsoft that provides centralized management of network resources such as users, computers, printers, and security groups within a domain-based network. It is designed to help IT administrators efficiently manage and secure an organization's network infrastructure by controlling user access, enforcing policies, and maintaining resource integrity.

At its core, Active Directory acts as a centralized database where all information about network resources is stored. Administrators can organize access and manage these resources through a single interface, which streamlines IT operations across the enterprise.

## Functionalities of Active Directory in OS Deployer

### Active Directory based Technician Login

Active Directory integration supports Active Directory user-based login to the Server console. This allows technicians to use a single password to access both Active Directory resources and the server.

## Pre-Requisites for Setup

- **Administrative Rights:** Ensure that the account used to add the domain has appropriate **administrative rights** across all client systems in the domain. This permission is required to use the credential for **onboarding of computers and fetching all objects in Active Directory** (computers, users, containers, groups, GPO, and OUs).
- **Service Account Access:** If using a service account, it must have **view access (Read permission) to all objects in Active Directory (computers, users, containers, groups, GPO, and OUs)**. Lack of view access will cause Active Directory synchronization to fail. This account should also have access to install agent software on computers.
- **Access to Attributes:** The service account should have access to important object attributes like `whenChanged`, `whenCreated`, `objectGUID`, `Name`, `distinguishedName`, etc.
  Additionally, for deleted object retrieval, ensure the credentials have access to the Active Directory recycle bin.
- **Data Collection via Command Prompt:**
  - Run `set L` in Command Prompt to get the Domain Controller name (`Logonserver = Domain Controller Name`).
  - Run `set U` to retrieve the Domain Name and Active Directory Domain Name (`Userdomain = Domain Name`, `Userdnsdomain = Active Directory Domain Name`).

## Steps to Add a Domain

1. Navigate to *Admin > Domain > Add Domain*.
2. Choose **Active Directory** from the drop-down.
3. Enter the details collected from the Command Prompt (from the `set L` and `set U` commands) in the appropriate fields.

   ![OS Deployer: Adding domain](https://cdn.manageengine.com/sites/meweb/images/os-deployer/help/device-onboarding/add-domain.webp)

4. **Note:**
   1. If the Central Server cannot directly reach the Domain Controller, enable the **Domain controller is not directly reachable** option. Then choose a Distribution Server located close to the Active Directory Domain Controller as the Active Directory connector. The Active Directory connector must be able to reach both the Central Server and the Active Directory Domain Controller.
   2. To configure the Active Directory connector, a Distribution Server must be configured for the remote office where the Domain Controller is located.
5. Select the Active Directory connector from the drop-down. The Active Directory connector acts as a communicator between the Central Server and the Domain Controller to fetch the Active Directory objects. A Distribution Server configured for the location where the Domain Controller is present can be used as an Active Directory connector. You can also refresh the list or add a new Active Directory connector.
6. Enable **LDAP SSL** to encrypt communication with Active Directory. This requires uploading an SSL certificate to the Active Directory. By default, LDAP SSL uses port 636, which can be modified based on your requirements.
7. Click **Validate and Proceed**.
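
Before clicking **Validate and Proceed**, the values from `set L` and `set U` and the LDAP SSL endpoint can be checked from the host that will contact the Domain Controller (the Central Server, or the Distribution Server acting as Active Directory connector). The PowerShell below is an added example, not part of the product or its documentation; the function name `Test-DomainPreflight` is hypothetical, and it assumes a domain-joined Windows host with PowerShell 5 or later.

```powershell
# Added example (hypothetical helper, not product code).
function Test-DomainPreflight {
    param(
        # Defaults are the same values that `set L` and `set U` print.
        [string]$DomainController = ($env:LOGONSERVER -replace '^\\\\', ''),
        [string]$DomainName       = $env:USERDOMAIN,
        [string]$AdDomainName     = $env:USERDNSDOMAIN,
        [int]$LdapSslPort         = 636   # default LDAP SSL port from step 6
    )

    # Use the FQDN so the certificate name check is meaningful.
    $dcHost = if ($AdDomainName -and $DomainController -notmatch '\.') {
        "$DomainController.$AdDomainName"
    } else { $DomainController }

    $result = [ordered]@{
        DomainController = $dcHost
        DomainName       = $DomainName
        AdDomainName     = $AdDomainName
        PortReachable    = $false
        TlsHandshake     = $false
        CertSubject      = $null
        CertNotAfter     = $null
        Error            = $null
    }

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($dcHost, $LdapSslPort)
        $result.PortReachable = $true
        # Default validation: the handshake throws if the chain is not
        # trusted on this host or the certificate name does not match.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($dcHost)
        $result.TlsHandshake = $true
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.CertSubject  = $cert.Subject
        $result.CertNotAfter = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

Test-DomainPreflight
```

If `PortReachable` is true but `TlsHandshake` is false, the `Error` field shows whether the failure is an untrusted chain, a name mismatch, or an expired certificate, which is worth resolving before enabling **LDAP SSL** rather than falling back to unencrypted LDAP.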
## Managing Domains in OS Deployer

Once a domain is added, you can manage it through the Actions menu.

![domain-addition-in-endpoint-central](https://cdn.manageengine.com/sites/meweb/images/os-deployer/help/device-onboarding/add-managedomain.webp)

- **Sync Now:** To initiate a domain sync immediately, navigate to the Actions menu of the corresponding domain and click **Sync Now**.
- **Modify Domain:** To edit domain details, such as the Domain Controller or Active Directory connector, navigate to the Actions menu of the corresponding domain and click **Modify Domain**.
- **Delete:** To delete a domain, navigate to Actions for the corresponding domain and click **Delete**. Kindly note that deleting the domain will erase the domain's data and related Active Directory reports data. A domain cannot be deleted unless all the computers are removed from Scope of Management.
- **Change to Workgroup:** To change a domain-based device to a workgroup, select the domain, click the corresponding action, and choose **Change to Workgroup**.

**Note:** Changing the Domain type from Workgroup to Active Directory will disable all other Active Directory functionalities configured with this Active Directory.

**Note:** When changing the Active Directory to Workgroup, the DNS Suffix will be required. To find the DNS Suffix, enter `ipconfig /all` in the command prompt and locate the data corresponding to **Primary DNS Suffix**.

## Troubleshooting Domain Configuration in DEX Manager Plus

For any issues during domain setup or synchronization, review your administrative credentials, access rights, and Active Directory object permissions. Ensure proper configuration of sync frequency and domain connectivity to avoid disruptions.

## Related Articles

1. [Adding WorkGroup](https://www.manageengine.com/products/os-deployer/help/integrating-directory-services/how-to-configure-workgroup.html)
2. [Credential Manager](https://www.manageengine.com/products/os-deployer/help/device-onboarding/credential-manager.html)