The Dropbox Active Directory Connector

Admins can manage Dropbox Business team membership using an Active Directory. With the Dropbox Active Directory Connector, any changes made to the Active Directory sync automatically to Dropbox. 

The AD Connector doesn’t apply changes made in the Dropbox admin console to AD. The AD Connector overrides changes made to a managed user in the Admin Console.

You can reach out to our identity management partners for additional help setting up the AD Connector for your Dropbox Business account.

Sections in this article:

Step 1: Review the AD Connector best practices.

Required:

  • All users you'd like to sync from Active Directory must be active users in a single AD domain
  • PowerShell 4.0 or higher
  • Windows Server 2008 (or later)
  • Remote Server Administration Tools

Recommended:

  • Create a single group called "Dropbox" that contains all the members you’d like to provision. You can place both users and groups within the Dropbox group.
  • Install the AD Connector on a server with read-only access (the AD Connector only syncs changes that originate from AD).
  • Upgrading from previous versions of the AD Connector: A simple installation usually updates correctly when upgrading from version 2.0.1 to version 2.0.2. However, when upgrading between major versions (from 1.0 to 2.0), uninstall the current version before updating to the new one.
  • For the current release of the AD Connector, we recommend syncing no more than 10,000 users from Active Directory. Check with your Dropbox Customer Success team if you’d like to use the AD Connector with more than 10,000 users.

Back to menu

Step 2: Download the AD Connector Microsoft Installer (MSI).

Back to menu

Step 3: Install the AD Connector.

  1. Locate and run the Dropbox-AD-Connector.msi installer.
  2. Click Next to continue through the install wizard.
  3. Check the box to accept the terms, and click Next.
  4. Click Next to install to the default path.
  5. Click Install, and then choose Yes if User Account Control (UAC) prompts you.
  6. Getting Started is checked by default—if you already have this guide open, uncheck it.
  7. Select Finish to complete the installation.

Back to menu

Step 4: Set up the Configure AD Connector tool.

There are five steps in the process of completing the AD Connector configuration:

  1. Setup.
  2. Active Directory users sync.
  3. Active Directory groups sync.
  4. Log.
  5. Email notifications.

To complete configuration, carefully follow each step:

Setup

  1. Locate and open the Configure AD Connector shortcut on your desktop.
  2. Click Get OAuth2 Token to connect to the team admin of your Dropbox Business team.
    • If needed, sign in to Dropbox as an Admin of the Dropbox Business team
    • If needed, approve the AD Connector app permissions
  3. Copy the token.
  4. Paste the copied token into the OAuth 2 DfB Token field.
  5. If you'd like to run setup tests, select the Simulation Mode checkbox.
    • Note: In Simulation Mode, no changes are made to your Dropbox Business team

AD Connector configuration

Active Directory sync users

  1. Select the Active Directory group you'd like to sync with your Dropbox Business team.
    • It's easiest to create an Active Directory group called "Dropbox"
  2. Check that Email Attribute is set to Email Address.
  3. Check Manage existing users to sync changes to users that were manually created through the Dropbox Business admin console.

Active Directory sync groups

  1. Choose whether you'd like to sync groups to your Dropbox Business team (syncing groups is optional).
  2. To sync groups, select whether you'd like to use the same group you chose to sync individual users.
  3. If you chose to use a different group to sync groups, select the name of the group.

Log

  1. If you wish to provide a different path for the log file, click Change.
    • Note: If you don't provide a different file path, the log is saved to the default location: C:\ProgramData\Dropbox\AD Connector\db_ad_connector.log

Email notifications

  1. If you’d like to receive email notifications, click Settings.
    • Note: Use port 587 or port 25 (unencrypted); port 465 is not currently supported
  2. After finishing each section, use Test Connection to verify that the configuration is correct.
  3. Click OK when finished configuring the email options.

Email notification settings

Finish

  1. Click Save to save all configuration settings.

Back to menu

Step 5: Perform a test run with Run AD Connector, and verify that it's working successfully.

  1. Locate the Run AD Connector shortcut on the desktop.
  2. Right-click the Run AD Connector tool and Run as Administrator.
  3. Review the results to ensure that the expected users are listed.
  4. If yes, reopen the Config AD Connector tool and uncheck Simulation Mode.
  5. Use the Run AD Connector tool to sync new members to your Dropbox Business team.

Back to menu

Step 6: Locate the scheduled task, and enable it to run.

  1. Browse to Program Files \ Dropbox \ AD Connector \ Helpers.
  2. Right-click on the file AD-Connector-CreateTask.bat and Run as Administrator.
  3. Open the Task Scheduler application for Windows Server.
  4. Open the Dropbox Tasks folder.
  5. Right-click on the Dropbox AD Connector task, and choose Enable.
    • Note: If you can't find this task, right-click the Task Scheduler Library and choose Refresh.
  6. Right-click on the task, and choose Run.
  7. Ensure that the test ran successfully: locate and review the AD Connector sync log.
  8. Verify that invites were sent to team members: Review the Members page of the Dropbox Business Admin Console.

Notes on creating scheduled tasks:

  • By default, this task is set to run once a day at 2:00 am (local time)
  • You can increase the frequency of this task, but we recommend running it no more than once every three hours
  • Ensure that scheduled tasks don't interrupt each other: select Do not start a new instance in the Settings tab:

Back to menu

Scheduled tasks settings

Advanced setup and troubleshooting (Optional)

Groups and the Dropbox Active Directory Connector

Groups in Active Directory sync with Dropbox, but Dropbox groups don’t sync with AD. Changes from Dropbox Business do not sync back to Active Directory. Deleting a group from Dropbox Business does not delete the group from Active Directory. To delete a group in both Dropbox Business and Active Directory, you’ll need to:

  • Remove all members from the sync group in Active Directory
  • Remove the sync group from the configuration step

Keep in mind:

  • If you have multiple groups with the same name between Active Directory and Dropbox Business, group sync fails. An error is also logged.
  • You cannot nest groups inside other groups in Dropbox. Groups cannot have multiple layers in Dropbox Business. Each group is flat and does not contain other groups.

What happens when you select a single group to sync both your users and groups?

For groups with users that aren't in the sync group, the group fails to sync to Dropbox Business.

How do groups sync to Dropbox if I use a different Active Directory group to sync user accounts?

All users in the user sync group are synced. Any groups in the user sync group are ignored. Users placed in the group sync group are ignored unless also in the user group. Groups placed in the user sync group are ignored unless also in the group sync group.

Account transfers and the Dropbox Active Directory Connector

The AD Connector does not support the automatic transfer of an account to a different team member. However, deleted accounts (and any associated files) are held in the Admin Console. These accounts can then be transferred or permanently deleted from the Dropbox admin console. Team admins can transfer an account via the Dropbox Admin Console.

Remote wipe and the Dropbox Active Directory Connector

When suspending or deleting users with the AD Connector, all devices are automatically remotely wiped. Use the Admin Console to remove a user or device without remotely wiping all content.

What should I do if the Active Directory Connector sync failed?

Each time the AD Connector runs, an exit code is added to the end of the log file. This code attributes the reason for the failure, and/or determines what part of the process failed. This table provides examples of reasons a failure could occur.

  • Note: The AD Connector logs a 0 when the run completes successfully

Code

Reason for failure

How to correct this error

-1

Powershell version not supported

  • Upgrade to Powershell versions 4, 5, or higher

-10

Unable to read configuration file

  • If you manually edited the config file, there may a file error that our script cannot read. Rerun the config script to overwrite manual edits
  • Check config file permission—the run script should have permission to run this file
  • Re-run the config file to save new file

-11

Script must be run with admin privileges

  • When selecting the script, right-click and choose run with admin privileges

-12

Could not initialize Active Directory module

  • Ensure AD is up, and on the same machine as AD Connector
  • Ensure script privileges to AD
  • Ensure you have no more than 5000 members in your sync group, including sub groups (v2.0 doesn't support more users)

-13

Failed to initialize Dropbox Business API

-14

Failed to fetch team info from Dropbox Business API

  • Check the error code
  • Verify OAuth token is valid (rerun the config script to get a new OAuth token)
  • Ensure that the admin was successfully authenticated, and that the team still exists
  • Verify dropbox.com is accessible at status.dropbox.com

-15

No users found in configured Active Directory group

  • Verify that the chosen group contains the users you wanted to sync (only users in this group sync to your Dropbox Business team)

-16

Failed to get team members from Dropbox Business API

  • Try again—you may have encountered a temporary network issue
  • Verify dropbox.com is accessible at status.dropbox.com

-17

Failed while syncing

  • Try again—you may have encountered a temporary network issue
  • Check to see if the machine was interrupted by another process or error
  • Ensure you have no more than 5000 members in your sync group, including sub groups (v2.0 doesn't support more users)
  • We suggest limiting synced group size to 2000 users with current version (v2.0)—try to limit your group size to 2000 or fewer users
  • Contact Dropbox support

What are the stages of the AD Connector running process?

Stage 1: Identify managed users. 

The AD Connector only updates managed users. Managed users are identified when the following criteria are met:

  1.  The AD Connector first completes the provisioning. Provisioning happens when a) a user email address is added to the configured Active Directory group, and b) this email address is not found in Dropbox Business.
  2. The user is an existing user on your Dropbox Business team. "Existing users" means that the email addresses match between the team and the configured Active Directory group.

Notes

  • This check only happens if Manage existing users is checked in the AD Connector configuration.
  • If either of these two conditions aren't met, the user is considered unmanaged. The AD Connector doesn't update unmanaged users. For most administrators, Manage existing users is the best option.

Stage 2: Update user information for managed users only.

  • User first name
  • User last name
  • User email address

The AD Connector ensures that the external ID for the user matches between Dropbox Business and AD for managed users from Stage 1.

Exception: The AD Connector does not update information for users who are in the “Invited” state in Dropbox Business. The AD Connector reattempts the update on subsequent runs.

Stage 3: Update user state for managed users only. 

  • Disabling managed users doesn't delete them from your Dropbox Business team. Neither does removing users from the Active Directory sync group. Instead, these users are suspended in your Dropbox Business team.
  • For managed users identified in the first step: The AD Connector updates user state (active, disabled, or deleted) in Dropbox Business to match the user state in AD.

Back to menu

Identity management partners (Optional)

To integrate with Active Directory, you need:

  • To be the team admin of a Dropbox Business account
  • Either an account with one of our identity management partners or an integration you've implemented using the Dropbox Business API

You can contact our identity management partners to find out more about their special Dropbox plans:

Dropbox Active Directory integration provides control over account provisioning and supports single sign-on(SSO). For more questions regarding integration, please contact the Dropbox sales team or technical support at Okta or OneLogin.

Back to menu

How helpful was this article?

We’re sorry to hear that.
Let us know how we can improve:

Thanks for your feedback!
Let us know how this article helped:

Thanks for your feedback!

Community answers