The Dropbox Active Directory Connector

Certain types of admins can manage Dropbox team memberships using the Active Directory. With the Dropbox Active Directory (AD) Connector, any changes made to the Active Directory sync automatically to Dropbox.

You can reach out to our identity management partners for additional help setting up the AD Connector for your Dropbox team.

Step 1: Review the AD Connector best practices

Required

• All users you'd like to sync from Active Directory must be active users in a single AD domain
• PowerShell 4.0 or later
• Windows Server 2008 (or later)
• Remote Server Administration Tools

Recommended

• Create a single group called "Dropbox" that contains all the members you’d like to provision. You can place both users and groups within the Dropbox group.
• Install the AD Connector on a server with read-only access (the AD Connector only syncs changes that originate from AD).
• Upgrading from previous versions of the AD Connector: A simple installation usually updates correctly when upgrading from version 2.0.1 to version 2.0.2. However, when upgrading between major versions (from 1.0 to 2.0), uninstall the current version before updating to the newer one.
• For the current release of the AD Connector, we recommend syncing no more than 10,000 users from Active Directory. Check with your Dropbox Customer Success team if you’d like to use the AD Connector with more than 10,000 users.

Step 2: Download the AD Connector Microsoft Installer (MSI)

Step 3: Install the AD Connector

1. Locate and run the Dropbox-AD-Connector.msi installer.
2. Click Next to continue through the install wizard.
3. Check the box to accept the terms, and click Next.
4. Click Next to install to the default path.
5. Click Install, and then choose Yes if User Account Control (UAC) prompts you.
6. Getting Started is checked by default—if you already have this guide open, uncheck it.
7. Select Finish to complete the installation.

Step 4: Complete the AD Connector configuration

Setup

1. Locate and open the Configure AD Connector shortcut on your desktop.
2. Click Get OAuth2 Token to connect to your Dropbox account.
   • If needed, log in to Dropbox with your admin credentials
   • If needed, approve the AD Connector app permissions
3. Copy the token.
4. Paste the copied token into the OAuth 2 DfB Token field.
5. If you'd like to run setup tests, select the Simulation Mode checkbox.
   •  Note: In Simulation Mode, no changes are made to your Dropbox team.

Active Directory sync users

1. Select the Active Directory group you'd like to sync with your Dropbox team.
   • It's easiest to create an Active Directory group called "Dropbox"
2. Check that Email Attribute is set to Email Address.
3. Check Manage existing users to sync changes to users that were manually created through the admin console.

Active Directory sync groups

1. Choose whether you'd like to sync groups to your Dropbox team (syncing groups is optional).
2. To sync groups, select whether you'd like to use the same group you chose to sync individual users.
3. If you chose to use a different group to sync groups, select the name of the group.

Log

1. If you wish to provide a different path for the log file, click Change.
   • Note: If you don't provide a different file path, the log is saved to the default location: C:\ProgramData\Dropbox\AD Connector\db_ad_connector.log

Email notifications

1. If you’d like to receive email notifications about any errors with sync, click Settings.
   • Note: Use port 587 or port 25 (unencrypted); port 465 isn't currently supported.
2. After finishing each section, use Test Connection to verify that the configuration is correct.
3. Click OK when finished configuring the email options.

Finish

4. Click Save to save all configuration settings.

Step 5: Perform a test run with Run AD Connector, and verify that it's working successfully

To perform a test run:

1. Locate the Run AD Connector shortcut on the desktop.
2. Right-click the Run AD Connector tool and Run as Administrator.
3. Review the results to ensure that the expected users are listed.
4. If yes, reopen the Config AD Connector tool and uncheck Simulation Mode.
5. Use the Run AD Connector tool to sync new members to your Dropbox team.

Step 6: Locate the scheduled task, and enable it to run

To do so:

1. Browse to Program Files \ Dropbox \ AD Connector \ Helpers.
2. Right-click on the file AD-Connector-CreateTask.bat and Run as Administrator.
3. Open the Task Scheduler application for Windows Server.
4. Open the Dropbox Tasks folder.
5. Right-click on the Dropbox AD Connector task, and choose Enable.
   • Note: If you can't find this task, right-click the Task Scheduler Library and choose Refresh.
6. Right-click on the task, and choose Run.
7. Locate and review the AD Connector sync log to ensure that the test ran successfully.
8. Review the Members page of the admin console to verify that invites were sent to team members.

Ensure that scheduled tasks don't interrupt each other by selecting Do not start a new instance in the Settings tab:

Advanced setup and troubleshooting (Optional)

Groups and the Dropbox Active Directory Connector

Groups in the Active Directory sync with Dropbox, but Dropbox groups don’t sync with AD. Changes from Dropbox don't sync back to the Active Directory. Deleting a group from Dropbox doesn't delete the group from the Active Directory.

To delete a group in both Dropbox and the Active Directory, you’ll need to:

• Remove all members from the sync group in the Active Directory
• Remove the sync group from the configuration step

 

What happens when you select a single group to sync both your users and groups?

For groups with users that aren't in the sync group, the group fails to sync to Dropbox.

How do groups sync to Dropbox if I use a different Active Directory group to sync user accounts?

All users in the user sync group are synced. Any groups in the user sync group are ignored. Users placed in the group sync group are ignored unless also in the user sync group. Groups placed in the user sync group are ignored unless also in the group sync group.

Account transfers and the Dropbox Active Directory Connector

The AD Connector doesn't support the automatic transfer of an account to a different team member. However, deleted accounts (and any associated files) are held in the admin console. These accounts can then be transferred or permanently deleted. 

Learn how to transfer a deleted user’s files.

Remote wipe and the Dropbox Active Directory Connector

When suspending or deleting users with the AD Connector, all devices are automatically remotely wiped. Use the admin console to remove a user or device without remotely wiping all content.

What should I do if the Active Directory Connector sync failed?

Each time the AD Connector runs, an exit code is added to the end of the log file. This code attributes the reason for the failure, and/or determines which part of the process failed. This table provides examples of reasons a failure could occur.

The AD Connector logs a 0 when the run completes successfully.

Code	Reason for failure	How to correct this error
Couldn't create SSL/TLS secure channel	The server or the client doesn't support TLS 1.2	Update to the newest version of the AD Connector (see step 2 above) and verify the server supports TLS 1.2
-1	Powershell version not supported	Upgrade to Powershell versions 4, 5, or higher
-10	Unable to read configuration file	If you manually edited the config file, there may be a file error that our script can't read. Re-run the config script to overwrite manual edits Check config file permission—the run script should have permission to run this file Re-run the config file to save new file
-11	Script must be run with admin privileges	When selecting the script, right-click and choose run with admin privileges
-12	Couldn't initialize Active Directory module	Ensure AD is up, and on the same machine as AD Connector Ensure script privileges to AD Ensure you have no more than 5000 members in your sync group, including sub groups (v2.0 doesn't support more users)
-13	Failed to initialize Dropbox API	Verify dropbox.com is accessible at status.dropbox.com
-14	Failed to fetch team info from Dropbox API	Check the error code Verify OAuth token is valid (re-run the config script to get a new OAuth token) Ensure that the admin was successfully authenticated, and that the team still exists Verify dropbox.com is accessible at status.dropbox.com
-15	No users found in configured Active Directory group	Verify that the chosen group contains the users you wanted to sync (only users in this group sync to your Dropbox team account)
-16	Failed to get team members from Dropbox API	Try again—you may have encountered a temporary network issue Verify dropbox.com is accessible at status.dropbox.com
-17	Failed while syncing	Try again—you may have encountered a temporary network issue Check to see if the machine was interrupted by another process or error Ensure you have no more than 5000 members in your sync group, including sub groups (v2.0 doesn't support more users) We suggest limiting synced group size to 2000 users with current version (v2.0)—try to limit your group size to 2000 or fewer users Contact Dropbox support

What are the stages of the AD Connector running process?

Stage 1: Identify managed users

The AD Connector only updates managed users. Managed users are identified when the following criteria are met:

1.  The AD Connector first completes the provisioning. Provisioning happens when
   • A user email address is added to the configured Active Directory group
   • This email address isn't found in Dropbox
2. The user is an existing user on your Dropbox team. "Existing users" means that the email addresses match between the team and the configured Active Directory group.

Stage 2: Update user information for managed users only

• User first name
• User last name
• User email address

The AD Connector ensures that the external ID for the user matches between Dropbox and the AD for managed users from Stage 1.

Exception: The AD Connector doesn't update information for users who are in the “Invited” state in Dropbox. The AD Connector reattempts the update on subsequent runs.

Stage 3: Update user state for managed users only

Disabling managed users doesn't delete them from your Dropbox team. Neither does removing users from the Active Directory sync group. Instead, these users are suspended in your Dropbox team.

For managed users identified in the first step: The AD Connector updates the user state (active, disabled, or deleted) in Dropbox to match the user state in the AD.