Advanced setup and troubleshooting (Optional)
Groups and the Dropbox Active Directory Connector
Groups in Active Directory sync with Dropbox, but Dropbox groups don’t sync with AD. Changes from Dropbox Business do not sync back to Active Directory. Deleting a group from Dropbox Business does not delete the group from Active Directory. To delete a group in both Dropbox Business and Active Directory, you’ll need to:
- Remove all members from the sync group in Active Directory
- Remove the sync group from the configuration step
Keep in mind:
- If you have multiple groups with the same name between Active Directory and Dropbox Business, group sync fails. An error is also logged.
- You cannot nest groups inside other groups in Dropbox. Groups cannot have multiple layers in Dropbox Business. Each group is flat and does not contain other groups.
What happens when you select a single group to sync both your users and groups?
For groups with users that aren't in the sync group, the group fails to sync to Dropbox Business.
How do groups sync to Dropbox if I use a different Active Directory group to sync user accounts?
All users in the user sync group are synced. Any groups in the user sync group are ignored. Users placed in the group sync group are ignored unless also in the user group. Groups placed in the user sync group are ignored unless also in the group sync group.
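The group rules above can be checked before a sync run. The following is an added example, not Dropbox's code or part of the AD Connector: it runs on constructed sample data, the function and variable names are hypothetical, and it assumes the name clash is between an AD sync group and a group created directly in Dropbox Business.

```powershell
# Constructed sample data standing in for your own directory and team lookups.
$UserSyncMembers = @('ana@example.com', 'bo@example.com', 'cy@example.com')
$AdGroups = @{
    'Engineering' = @{ Users = @('ana@example.com', 'bo@example.com'); NestedGroups = @() }
    'Finance'     = @{ Users = @('cy@example.com', 'dee@example.com'); NestedGroups = @() }
    'AllStaff'    = @{ Users = @('ana@example.com'); NestedGroups = @('Engineering') }
}
$DropboxGroupNames = @('Finance', 'Design')  # assumed: groups created directly in Dropbox Business
$MaxSyncMembers = 5000                        # v2.0 limit stated on this page

function Test-GroupSyncPlan {
    param($UserSyncMembers, $AdGroups, $DropboxGroupNames, $MaxSyncMembers)
    $findings = @()
    if ($UserSyncMembers.Count -gt $MaxSyncMembers) {
        $findings += [pscustomobject]@{ Group = '(user sync group)'; Issue = "More than $MaxSyncMembers members" }
    }
    foreach ($name in ($AdGroups.Keys | Sort-Object)) {
        $group = $AdGroups[$name]
        # Same name on both sides: the page says group sync fails and an error is logged.
        if ($DropboxGroupNames -contains $name) {
            $findings += [pscustomobject]@{ Group = $name; Issue = 'Same name already exists in Dropbox Business' }
        }
        # Dropbox groups are flat (no groups inside groups), so flag nesting for review.
        if ($group.NestedGroups.Count -gt 0) {
            $findings += [pscustomobject]@{ Group = $name; Issue = "Contains nested groups: $($group.NestedGroups -join ', ')" }
        }
        # Members outside the user sync group: the page says the group fails to sync.
        $outside = @($group.Users | Where-Object { $UserSyncMembers -notcontains $_ })
        if ($outside.Count -gt 0) {
            $findings += [pscustomobject]@{ Group = $name; Issue = "Members not in user sync group: $($outside -join ', ')" }
        }
    }
    $findings
}

Test-GroupSyncPlan $UserSyncMembers $AdGroups $DropboxGroupNames $MaxSyncMembers | Format-Table -AutoSize
```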
Account transfers and the Dropbox Active Directory Connector
The AD Connector does not support the automatic transfer of an account to a different team member. However, deleted accounts (and any associated files) are held in the Admin Console, where team admins can transfer them to another team member or permanently delete them.
Remote wipe and the Dropbox Active Directory Connector
When suspending or deleting users with the AD Connector, all devices are automatically remotely wiped. Use the Admin Console to remove a user or device without remotely wiping all content.
What should I do if the Active Directory Connector sync failed?
Each time the AD Connector runs, an exit code is added to the end of the log file. This code indicates the reason for the failure and/or which part of the process failed. This table provides examples of reasons a failure could occur.
- Note: The AD Connector logs a 0 when the run completes successfully.
| Code | Reason for failure | How to correct this error |
| --- | --- | --- |
| -1 | PowerShell version not supported | Upgrade to PowerShell versions 4, 5, or higher |
| -10 | Unable to read configuration file | If you manually edited the config file, there may be a file error that our script cannot read. Rerun the config script to overwrite manual edits; Check config file permission (the run script should have permission to run this file); Re-run the config file to save new file |
| -11 | Script must be run with admin privileges | When selecting the script, right-click and choose run with admin privileges |
| -12 | Could not initialize Active Directory module | Ensure AD is up, and on the same machine as AD Connector; Ensure the script has privileges to AD; Ensure you have no more than 5000 members in your sync group, including sub groups (v2.0 doesn't support more users) |
| -13 | Failed to initialize Dropbox Business API | |
| -14 | Failed to fetch team info from Dropbox Business API | Check the error code; Verify OAuth token is valid (rerun the config script to get a new OAuth token); Ensure that the admin was successfully authenticated, and that the team still exists; Verify dropbox.com is accessible at status.dropbox.com |
| -15 | No users found in configured Active Directory group | Verify that the chosen group contains the users you wanted to sync (only users in this group sync to your Dropbox Business team) |
| -16 | Failed to get team members from Dropbox Business API | Try again (you may have encountered a temporary network issue); Verify dropbox.com is accessible at status.dropbox.com |
| -17 | Failed while syncing | Try again (you may have encountered a temporary network issue); Check to see if the machine was interrupted by another process or error; Ensure you have no more than 5000 members in your sync group, including sub groups (v2.0 doesn't support more users); We suggest limiting synced group size to 2000 or fewer users with the current version (v2.0); Contact Dropbox support |
What are the stages of the AD Connector running process?
Stage 1: Identify managed users.
The AD Connector only updates managed users. Managed users are identified when the following criteria are met:
- The AD Connector first completes the provisioning. Provisioning happens when a) a user email address is added to the configured Active Directory group, and b) this email address is not found in Dropbox Business.
- The user is an existing user on your Dropbox Business team. "Existing users" means that the email addresses match between the team and the configured Active Directory group.
Notes:
- This check only happens if Manage existing users is checked in the AD Connector configuration.
- If either of these two conditions isn't met, the user is considered unmanaged. The AD Connector doesn't update unmanaged users. For most administrators, Manage existing users is the best option.
Stage 2: Update user information for managed users only.
- User first name
- User last name
- User email address
The AD Connector ensures that the external ID for the user matches between Dropbox Business and AD for managed users from Stage 1.
Exception: The AD Connector does not update information for users who are in the “Invited” state in Dropbox Business. The AD Connector reattempts the update on subsequent runs.
Stage 3: Update user state for managed users only.
- Disabling managed users doesn't delete them from your Dropbox Business team. Neither does removing users from the Active Directory sync group. Instead, these users are suspended in your Dropbox Business team.
- For managed users identified in the first step: The AD Connector updates user state (active, disabled, or deleted) in Dropbox Business to match the user state in AD.
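Because suspending a user through the AD Connector also remotely wipes all of that user's devices, it helps to list who a run would touch before it happens. The following dry-run model of the three stages is an added example, not Dropbox's code: the data is constructed, the field names are hypothetical, and the Managed flag (marking users the connector already manages) is an assumption, since the page does not describe how that is recorded. It covers disabled users and users removed from the sync group only.

```powershell
# Constructed sample data; field names are hypothetical, not the connector's schema.
$ManageExistingUsers = $true   # the "Manage existing users" checkbox
$AdSyncGroup = @(
    [pscustomobject]@{ Email = 'ana@example.com'; Enabled = $true }
    [pscustomobject]@{ Email = 'bo@example.com';  Enabled = $false }
    [pscustomobject]@{ Email = 'new@example.com'; Enabled = $true }
)
$DropboxTeam = @(
    [pscustomobject]@{ Email = 'ana@example.com';  Status = 'active'; Managed = $false }
    [pscustomobject]@{ Email = 'bo@example.com';   Status = 'active'; Managed = $true }
    [pscustomobject]@{ Email = 'gone@example.com'; Status = 'active'; Managed = $true }
    [pscustomobject]@{ Email = 'solo@example.com'; Status = 'active'; Managed = $false }
)

function Get-SyncPlan {
    param($AdSyncGroup, $DropboxTeam, [bool]$ManageExistingUsers)
    $team = @{}   # PowerShell hashtable keys are case-insensitive, which suits email matching
    foreach ($m in $DropboxTeam) { $team[$m.Email] = $m }
    $inAd = @{}
    $plan = @()
    foreach ($u in $AdSyncGroup) {
        $inAd[$u.Email] = $true
        $member = $team[$u.Email]
        # Stage 1: provisioned users, and existing users when the option is checked, are managed.
        if (-not $member) { $action = 'Provision (becomes managed)' }
        elseif (-not ($member.Managed -or $ManageExistingUsers)) { $action = 'Skip (unmanaged)' }
        # Stage 3: a managed user disabled in AD is suspended, which remotely wipes devices.
        elseif (-not $u.Enabled) { $action = 'Suspend + remote wipe all devices' }
        # Stage 2 exception: users in the Invited state are updated on a later run.
        elseif ($member.Status -eq 'invited') { $action = 'Defer profile update (invited)' }
        else { $action = 'Update name, email, external ID' }
        $plan += [pscustomobject]@{ Email = $u.Email; Action = $action }
    }
    # Managed users removed from the AD sync group are suspended, not deleted.
    foreach ($m in $DropboxTeam) {
        if (-not $inAd.ContainsKey($m.Email)) {
            $action = if ($m.Managed) { 'Suspend + remote wipe all devices' } else { 'Skip (unmanaged)' }
            $plan += [pscustomobject]@{ Email = $m.Email; Action = $action }
        }
    }
    $plan
}

Get-SyncPlan $AdSyncGroup $DropboxTeam $ManageExistingUsers | Format-Table -AutoSize
```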
Identity management partners (Optional)
To integrate with Active Directory, you need:
- To be the team admin of a Dropbox Business account
- Either an account with one of our identity management partners or an integration you've implemented using the Dropbox Business API
You can contact our identity management partners to find out more about their special Dropbox plans:
- Ping Identity
- OneLogin
- Okta
- Centrify
Dropbox Active Directory integration provides control over account provisioning and supports single sign-on (SSO). For more questions regarding integration, please contact the Dropbox sales team or technical support at Okta or OneLogin.