Pronestor supports Active Directory integration, so you can import your users directly from Active Directory instead of creating them inside Pronestor. This allows your IT administrators to maintain Pronestor users through Active Directory groups, simplifying their jobs.
You can have several user imports in Pronestor. You can have multiple types of user imports. The only limitation is, if you have an Exchange integration all your users have to be from the same Exchange environment.
Requirements
To fulfill this guide you need:
Know which users need access in Pronestor (though it can be changed later, all imported users will get access as part of this guide). This guide will tell you what the different access roles in Pronestor do Pronestor Roles __
The users in Active Directory need to have:
First name
Lastname
Initial
email
Mobile phone (only if you use SMSnotifications with Visitor)
Preparing Your Active Directory
Setting up Active Directory groups for Pronestor
Groups
Every access that can be given in Pronestor can also be linked to Active Directory groups.
It is possible to use whichever Organizational Unit and Active Directory group structure you prefer. This guide describes best practices for setting up your active directory. You can add additional departments and VIP groups as needed. There is a simplified setup for those who have one location and a setup for those with multiple locations.
Both setups require you to create an Organizational Unit (referred to here in the guide as PronestorOU) in your Active Directory. Please note down the path of your PronestorOU for later reference.
The next step is to create a group per role in Pronestor. The groups should be placed in the PronestorOU. A role represents permission in Pronestor for each of the following roles: secretary, facility manager, catering manager, or booker, as well as departments, secretary departments, and VIP groups.
Groups in AD can be either user or security groups.
The naming of each group is not fixed - we do however recommend a naming convention that makes it easy to read and understand the groups maintained in Active Directory.
One location only - if Pronestor is configured to manage resources on one location only:
Create in Active Directory the following groups within the PronestorOU:
Local_secretary
Local_facility_manager
Local_catering_manager
Local_booker
Department_A
Department_A_secretary
Department_B
Department_B_secretary
VIP_A
VIP_B
Your users will need more than one Active Directory group to get the necessary rights. A user is only created when they have a local booker group. The other groups add additional connections to the user. For example, a normal user might need Local_booker, Department_A and VIP_B.
Every user needs a department since departments grant Billing accounts and meeting types, which are required to complete a booking.
If you book on behalf of shared calendars, please remember to import them as if they were a regular user.
Once your users have been connected to the new groups, your Active directory is ready to be imported.
Multiple locations - if Pronestor is configured to manage resources at multiple locations:
Create in Active Directory a set of groups for each role per location and groups for departments and VIP groups as needed.
Ex. If Pronestor is configured with resources on three locations - London, Stockholm, and Copenhagen - then the following groups must be created within the PronestorOU:
User Groups and Permissions
Administrator
Global_secretary
Global_facility_manager
Global_catering_manger
Global_booker
London_secretary
London_facility_manager
London_catering_manager
London_booker
Stockholm_secretary
Stockholm_facility_manager
Stockholm_catering_manager
Stockholm_booker
Copenhagen_secretary
Copenhagen_facility_manager
Copenhagen_catering_manager
Copenhagen_booker
Department_A
Department_A_secretary
Department_B
Department_B_secretary
VIP_A
VIP_B
!! **Important ** !! Your users will need more than one Active Directory group to get the necessary rights. A user is only created when they have a local booker group. The other groups add additional connections to the user.
User Examples:
A user from Copenhagen might need Copenhagen_booker, Department_A, and VIP_B. This user will only be allowed to book meetings at the Copenhagen location.
Another user needs to book in both Copenhagen and Stockholm. This user could get Stockholm_booker, Global_Booker, and Department_A. This user can now book on every location.
If you have a user with Global_booker, department_B, and VIP_A, the user won't be created because the user doesn't have a local booker group, such as Copenhagen_booker, Stockholm_booker, and London_booker.
If you have a user who needs to be a catering manager on location London, then they need to have London_booker, London_catering_manager, and Department_A.
If you give the user Copenhagen_booker, Global_booker, London_catering_manager, and Department_A, the user won't get the catering manager access. This is because the user's "Home" location is Copenhagen, and you can't get a local right on a location that isn't your home location. If you want the user to have Catering manager access on London, then give them London_booker, Global_booker, London_catering_manager, and Department_A instead.
Additional Notes:
If you book on behalf of shared calendars, please remember to import them as if they were a regular user.
Once your users have been connected to the new groups, your Active directory is ready to be imported.
First Import
For cloud customers, this will happen automatically when you trigger the PowerShell script.
For on-premise customers, this can be triggered manually. This can take some time, depending on the size of your Active directory. Open your import by pressing the pencil.
Importing Data in Pronestor
!! Note: The import process may take a long time.
To import data in Pronestor:
Choose the tab called Sessions
Press "Perform import"
After the import, users won't enter Pronestor until after the groups are linked as shown in the next chapter.
Group Linking in Pronestor
After the first import of your Active Directory, you need to link the Active Directory groups to Pronestor rights. This is handled inside Pronestor's administration module.
Click "Settings"
Click "Import users"
Find your import job
Click "Edit"
Click "Linking"
Here you can see all the accesses within Pronestor and you can connect them to a group. Please note that these pictures are from a demo solution with just one location and no departments or VIP groups, so yours might have a lot more access here.
Click "Load AD structure"
Please link your Active Directory groups to the accesses you want them to give, by clicking the drop-down menu.
Active Directory Integration
Link the groups as desired - Remember the rules about what accesses are needed for users to be imported as described in the chapter called Setting up active directory
Do another import
Scheduled Task - for On-Premise Customers Only
Once the active directory import is set up properly, it's time to make a scheduled task of it. If you are a cloud customer, you can skip this step as it's set up as part of the PowerShell script.
This is done here by clicking the box for "Enable automatic scheduling" and choosing a time for the import to run. Don't forget to press "Save schedule".
Automating User Import
Now you're all done and the users will be imported daily.
!! Tip: Give new employees the relevant active directory groups to avoid editing their rights or creating them inside Pronestor.