Auto Sync Projects
When you set up IdentityCenter through the Quick Config Wizard or create a new connection, the system can automatically generate sync projects for all 24 supported Active Directory object classes. This means you get comprehensive directory coverage without manually configuring individual sync projects.
How Auto Sync Works
- You create a connection to Active Directory
- IdentityCenter detects the available object types
- Sync projects are automatically created for each supported object class
- Each project comes pre-configured with the correct LDAP filters and attribute mappings
- You can run all of them immediately or customize them first
Supported Object Classes
IdentityCenter supports syncing 24 AD object classes, organized into categories:
People & Accounts
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| Users | Employee accounts, admin accounts, service accounts | (&(objectClass=user)(objectCategory=person)) |
| Contacts | External contacts (typically mail-enabled) | (objectClass=contact) |
| InetOrgPerson | RFC 2798 person objects (some environments use these instead of users) | (objectClass=inetOrgPerson) |
Groups
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| Groups | Security groups, distribution lists | (&(objectClass=group)(objectCategory=group)) |
Computers & Devices
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| Computers | Domain-joined workstations and servers | (&(objectClass=computer)(objectCategory=computer)) |
| Printers | Network printers published in AD | (objectClass=printQueue) |
Service Accounts
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| gMSA | Group Managed Service Accounts | (objectClass=msDS-GroupManagedServiceAccount) |
| MSA | Traditional Managed Service Accounts | (objectClass=msDS-ManagedServiceAccount) |
Organizational Structure
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| Organizational Units | OU hierarchy | (objectClass=organizationalUnit) |
Infrastructure & Networking
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| Sites | AD replication sites | (objectClass=site) |
| Subnets | AD site subnets | (objectClass=subnet) |
| Site Links | Replication topology links | (objectClass=siteLink) |
Security & Trust
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| Trusts | Domain and forest trust relationships | (objectClass=trustedDomain) |
| Foreign Security Principals | Cross-domain/forest security principals | (objectClass=foreignSecurityPrincipal) |
DNS
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| DNS Zones | AD-integrated DNS zones | (objectClass=dnsZone) |
| DNS Nodes | Individual DNS records | (objectClass=dnsNode) |
Group Policy
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| GPOs | Group Policy Objects | (objectClass=groupPolicyContainer) |
Certificate Services
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| PKI Certificate Templates | Certificate templates | (objectClass=pKICertificateTemplate) |
| PKI Enrollment Services | Certificate enrollment points | (objectClass=pKIEnrollmentService) |
Schema
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| Schema Classes | AD schema class definitions | (objectClass=classSchema) |
| Schema Attributes | AD schema attribute definitions | (objectClass=attributeSchema) |
Other
| Object Class | What It Syncs | LDAP Filter |
| --- | --- | --- |
| Shared Folders | Published file shares | (objectClass=volume) |
| Service Connection Points | Service discovery objects | (objectClass=serviceConnectionPoint) |
Attribute Mappings
Each auto-generated sync project comes with pre-configured attribute mappings tailored to that object class. For example:
User Attribute Mappings
The user sync project automatically maps:
- displayName, givenName, sn (surname), mail
- sAMAccountName, userPrincipalName
- department, title, company, manager
- telephoneNumber, mobile, streetAddress, l (city), st (state), postalCode
- employeeID, employeeType, division
- userAccountControl (for account status detection)
- lastLogon, lastLogonTimestamp, pwdLastSet, accountExpires
- whenCreated, whenChanged, objectGUID, objectSid
Group Attribute Mappings
- cn, description, mail, managedBy
- groupType (security vs. distribution, scope)
- member (group membership list)
- memberOf (nested group memberships)
- whenCreated, whenChanged
Computer Attribute Mappings
- cn, dNSHostName, operatingSystem, operatingSystemVersion
- servicePrincipalName (SPNs)
- lastLogon, lastLogonTimestamp, pwdLastSet
- managedBy, location, description
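Several of the mapped attributes are raw integers that only become useful once decoded: userAccountControl is a bit field (the page's "account status detection"), groupType encodes security-vs-distribution and scope in bits, and lastLogon, lastLogonTimestamp, pwdLastSet and accountExpires are Windows FILETIME values. The following Python is an added example of how a consumer of the synced data can interpret them; it is not IdentityCenter code. The flag values are Microsoft's documented constants; the function names, the sample records, the AS_OF date and the 90-day staleness threshold are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flags used for account-status detection (Microsoft's documented values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_SMARTCARD_REQUIRED = 0x40000
UAC_TRUSTED_FOR_DELEGATION = 0x80000
UAC_DONT_REQ_PREAUTH = 0x400000

# groupType flags: scope bits plus the security-enabled bit (AD stores the value as signed int32)
GT_BUILTIN_LOCAL = 0x00000001
GT_GLOBAL = 0x00000002
GT_DOMAIN_LOCAL = 0x00000004
GT_UNIVERSAL = 0x00000008
GT_SECURITY_ENABLED = 0x80000000

# lastLogon, lastLogonTimestamp, pwdLastSet and accountExpires are "large integer" timestamps:
# 100-ns intervals since 1601-01-01 UTC. 0 and 0x7FFFFFFFFFFFFFFF both mean "unset / never".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_UNSET = (0, 0x7FFFFFFFFFFFFFFF)

# Constructed "current time" so the sample findings are deterministic
AS_OF = datetime(2025, 3, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value: int):
    """Convert an AD large-integer timestamp to an aware datetime; None when unset."""
    if value in FILETIME_UNSET:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion, used here only to build the constructed sample records."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def account_status(uac: int) -> dict:
    """Decode the userAccountControl bits an identity audit cares about."""
    return {
        "disabled": bool(uac & UAC_ACCOUNTDISABLE),
        "password_not_required": bool(uac & UAC_PASSWD_NOTREQD),
        "password_never_expires": bool(uac & UAC_DONT_EXPIRE_PASSWORD),
        "smartcard_required": bool(uac & UAC_SMARTCARD_REQUIRED),
        "unconstrained_delegation": bool(uac & UAC_TRUSTED_FOR_DELEGATION),
        "kerberos_preauth_disabled": bool(uac & UAC_DONT_REQ_PREAUTH),
    }


def group_kind(group_type: int) -> tuple:
    """Split groupType into (security|distribution, scope); accepts the signed int32 form."""
    gt = group_type & 0xFFFFFFFF
    kind = "security" if gt & GT_SECURITY_ENABLED else "distribution"
    scopes = [(GT_GLOBAL, "global"), (GT_DOMAIN_LOCAL, "domain-local"),
              (GT_UNIVERSAL, "universal"), (GT_BUILTIN_LOCAL, "builtin-local")]
    scope = next((name for bit, name in scopes if gt & bit), "unknown")
    return kind, scope


def evaluate_user(record: dict, as_of: datetime = AS_OF, stale_days: int = 90) -> dict:
    """Turn one synced user record into audit findings (status flags, staleness, expiry)."""
    findings = account_status(record["userAccountControl"])
    last_logon = filetime_to_datetime(record.get("lastLogonTimestamp", 0))
    expires = filetime_to_datetime(record.get("accountExpires", 0))
    # lastLogonTimestamp replicates between DCs but is only refreshed when the stored value
    # is more than ~14 days old, so staleness is approximate. lastLogon is exact but is not
    # replicated, so an exact answer would need the value from every DC.
    findings["account"] = record["sAMAccountName"]
    findings["stale"] = last_logon is None or (as_of - last_logon).days > stale_days
    findings["expired"] = expires is not None and expires < as_of
    return findings


# Constructed sample records shaped like the mapped attributes of a Users sync project
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(datetime(2025, 2, 20, tzinfo=timezone.utc)),
     "accountExpires": 0x7FFFFFFFFFFFFFFF},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD | UAC_TRUSTED_FOR_DELEGATION,
     "lastLogonTimestamp": datetime_to_filetime(datetime(2024, 10, 1, tzinfo=timezone.utc)),
     "accountExpires": 0},
    {"sAMAccountName": "old_contractor",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE,
     "lastLogonTimestamp": 0,
     "accountExpires": datetime_to_filetime(datetime(2024, 6, 30, tzinfo=timezone.utc))},
]

# Constructed groupType values: a global security group and a universal distribution list
SAMPLE_GROUPS = {"Domain Admins": -2147483646, "All-Staff-DL": 8}

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(evaluate_user(user))
    for name, gt in SAMPLE_GROUPS.items():
        print(name, group_kind(gt))
```

The same decoding applies to the computer project's lastLogonTimestamp and pwdLastSet, which is the usual way to spot machine accounts that have stopped checking in.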
Managing Auto Sync Projects
Viewing Projects
Navigate to Synchronization > Projects to see all auto-created sync projects. Each project is named with the format: [Connection Name] - [Object Class]
For example:
- "Corporate AD - Users"
- "Corporate AD - Groups"
- "Corporate AD - Computers"
Customizing Projects
You can modify any auto-generated project:
- Click on the project name to open it
- Adjust the LDAP filter to narrow the scope (e.g., add an OU filter)
- Add or remove attributes from the mapping
- Change the sync schedule
- Save your changes
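Narrowing a project's filter is mostly a matter of ANDing extra clauses onto the generated base filter and escaping any value that is typed into a field, so that a department name containing parentheses or an asterisk cannot change the structure of the query. The following Python is an added example, not IdentityCenter code: it reuses the base filters from the tables above, escapes values per RFC 4515, and refuses to combine anything that is not a single balanced expression. The function names, the project dict, and the choice to scope to an OU through the LDAP search base (a filter term cannot restrict a search to a container, the base DN and subtree scope do that) are this example's own assumptions.

```python
# Base filters as generated for the auto sync projects (values from the tables above)
BASE_FILTERS = {
    "Users": "(&(objectClass=user)(objectCategory=person))",
    "Groups": "(&(objectClass=group)(objectCategory=group))",
    "Computers": "(&(objectClass=computer)(objectCategory=computer))",
    "Contacts": "(objectClass=contact)",
    "gMSA": "(objectClass=msDS-GroupManagedServiceAccount)",
}

# AD's bitwise-AND matching rule OID, for testing userAccountControl bits inside a filter
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UAC_ACCOUNTDISABLE = 2


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a value from a text field cannot alter the filter structure."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def is_single_filter(filter_str: str) -> bool:
    """True when the string is exactly one balanced, parenthesised filter expression."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(filter_str) - 1:
                return False  # closed early: two expressions side by side
    return depth == 0 and filter_str.startswith("(")


def equals(attribute: str, value: str) -> str:
    """Equality clause with the value escaped."""
    return f"({attribute}={escape_filter_value(value)})"


def not_disabled() -> str:
    """Exclude accounts whose userAccountControl has the ACCOUNTDISABLE bit set."""
    return f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_ACCOUNTDISABLE}))"


def narrow(base: str, *clauses: str) -> str:
    """AND extra clauses onto a base filter, flattening when the base is already an AND."""
    for part in (base, *clauses):
        if not is_single_filter(part):
            raise ValueError(f"not a single balanced filter expression: {part}")
    if not clauses:
        return base
    inner = base[2:-1] if base.startswith("(&") else base
    return "(&" + inner + "".join(clauses) + ")"


def build_project(name: str, object_class: str, search_base: str, *clauses: str) -> dict:
    """Describe a customized sync project (dict shape is this example's assumption).

    Limiting the project to one OU is expressed as the search base with subtree scope;
    the filter then only narrows which objects under that base are returned."""
    return {
        "name": name,
        "object_class": object_class,
        "search_base": search_base,
        "scope": "subtree",
        "filter": narrow(BASE_FILTERS[object_class], *clauses),
    }


if __name__ == "__main__":
    project = build_project(
        "Corporate AD - Users (Sales)", "Users",
        "OU=Sales,DC=corp,DC=example",  # constructed base DN
        equals("department", "Sales (EMEA)"),
        not_disabled(),
    )
    print(project["filter"])
```

Run each narrowed project manually once, as the best practices below suggest, and compare the object count with the unfiltered run: a count of zero usually means an escaped value no longer matches as a literal or the search base is wrong, not that the directory is empty.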
Disabling Unnecessary Projects
Not every organization needs all 24 object classes. To disable a sync project you don't need:
- Open the sync project
- Set the schedule to Manual (or disable the schedule)
- The project will only run when you manually trigger it
Tip: Most organizations only need 5-6 sync projects active: Users, Groups, Computers, Contacts, OUs, and possibly gMSAs. Start with these and enable others as needed.
Running Sync Projects
- Run All — Click the "Sync All" button to run every project for a connection
- Run Individual — Click "Run Now" on a specific project
- Scheduled — Projects run automatically on their configured schedule
Best Practices
- Start with the essentials — Users, Groups, Computers, and OUs cover 90% of use cases
- Add service accounts early — gMSAs and MSAs are critical for security audits
- Review before scheduling — Run each project manually first to verify the results look correct
- Customize filters for large environments — If you have 50,000+ objects, filter by OU to sync only what you need
- Monitor sync history — Check Synchronization > History regularly for errors or unexpected object counts
Next Steps