Add an Active Directory group

Active Directory (AD) group members can log in to the management console and perform tasks based on the permissions assigned to the group. The group can authenticate against either a domain or domain controller. Upon logging into BeyondInsight, users can select a domain from the Log in to list on the Login page.

The Log in to list is only displayed on the Login page when AD or LDAP user groups have been created in the BeyondInsight console. The list is displayed by default, but an admin user can disable or enable it by toggling the Show list of domains/LDAP servers on login page setting on the Configuration > System > Site Options page.

AD users must log in to the management console at least once to receive email notifications.

To create an Active Directory group in BeyondInsight:

  1. Navigate to Configuration > Role Based Access > User Management.

Create a New Group in BeyondInsight

  2. From the Groups tab, click + Create New Group.
  3. Select Add an Active Directory Group.

Active Directory Group Search to add an AD group in BeyondInsight.

  4. Select a credential from the list.

If you require a new credential, click Create New Credential to create one. The new credential is added to the list of available credentials.

  5. If the Domain field is not automatically populated, enter the name of a domain or domain controller.
  6. After you enter the domain or domain controller credential information, click Search Active Directory. A list of security groups in the selected domain is displayed.

The default filter is an asterisk (*), which is a wild card filter that returns all groups. For performance reasons, a maximum of 250 groups from Active Directory is retrieved.

  7. Set a filter on the groups to refine the list, and then click Search Active Directory.
Sample filters:
  • a* returns all group names that start with "a"
  • *d returns all group names that end with "d"
  • *sql* returns all groups that contain "sql" in the name

Select Active Directory group and Add Group

  8. Select a group, and then click Add Group.
  9. The group is added and set to Active but not provisioned or synchronized with AD. Synchronization with AD to retrieve users begins immediately.

Newly added Active Directory group synced and users populated.

  10. Once the group has been synced with AD, you can view the users assigned to the group by selecting Users from the Group Details pane.

Use the filters above the grid to narrow down the list of users displayed in the grid by Type, Username, Name, Email, or Domain, or to show users not assigned to the group.


By default, new groups are not assigned any permissions. You must assign permissions on features and Smart Groups after creating a new group. For more information on permissions and how to assign them, please see Assign group permissions.

For more information on creating and editing directory credentials, please see Create and edit directory credentials.
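
Before adding a group, it helps to check how many security groups a filter matches against the 250-group limit and to review who would gain console login through the group. The PowerShell below is an added example, not BeyondInsight code. It assumes the ActiveDirectory (RSAT) module and that the console filter matches the group Name attribute; the function names, dc01.example.test, and SQL-Admins are hypothetical placeholders.

```powershell
# Added example, not part of BeyondInsight. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-GroupFilterPreview {
    param(
        [Parameter(Mandatory)] [string] $NameFilter,  # console-style wildcard, e.g. '*sql*'
        [Parameter(Mandatory)] [string] $Server,      # domain or domain controller
        [int] $Cap = 250                              # retrieval limit stated in the documentation
    )
    # Assumption: the console filter is applied to the group's Name attribute.
    $filter = "GroupCategory -eq 'Security' -and Name -like '$NameFilter'"
    $groups = @(Get-ADGroup -Server $Server -Filter $filter | Sort-Object Name)
    if ($groups.Count -gt $Cap) {
        # More matches than the console retrieves: the group you want may not be listed.
        Write-Warning "$($groups.Count) groups match '$NameFilter'; only $Cap are retrieved. Narrow the filter."
    }
    $groups
}

function Get-GroupLoginReview {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Server
    )
    # Direct members only. Nested groups appear with objectClass 'group'
    # so they can be reviewed separately.
    Get-ADGroupMember -Identity $GroupName -Server $Server |
        Select-Object Name, SamAccountName, objectClass |
        Sort-Object objectClass, Name
}

# Placeholder values: replace with your own domain controller and group name.
$dc = 'dc01.example.test'
Get-GroupFilterPreview -NameFilter '*sql*' -Server $dc | Select-Object Name, GroupScope
Get-GroupLoginReview -GroupName 'SQL-Admins' -Server $dc | Format-Table -AutoSize
```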


Propagate domain changes to group members

Edit Group Settings to propagate domain changes to all users in the group

Domain changes can be propagated to all users in a group by enabling the Propagate this change to all group members option for the group. By default, this is set to OFF. When enabled, changes to the preferred domain controller at the group level are applied to all group members.

When creating a new group, we advise turning this setting on by editing the new group details. This ensures that all users in the new group get a preferred domain controller from the initial setup of the group.

Configure Active Directory group synchronization

Enable Active Directory Group Synchronization in BeyondInsight

Create and enable a recurring schedule for AD groups to automatically synchronize at a specified time and frequency. This ensures your AD groups are up to date with the latest users added to that group in Active Directory. This schedule applies globally to all AD groups in your BeyondInsight instance; however, the global schedule can be overridden at the group level and a group can be configured to be excluded from the synchronization process.

To enable Active Directory Group Synchronization:

  1. Navigate to Configuration > Role Based Access > Active Directory Group Synchronization.
  2. Check the Enable AD Group Synchronization option.
  3. Specify a Start Time. Time is UTC.
  4. Select your desired frequency of Daily, Weekly, or Monthly.
  5. Click Save Configuration.


For more information on overriding the global AD synchronization schedule and excluding a group from the synchronization process, please see Edit basic group details.