C1 provides identity governance and just-in-time provisioning for Active Directory. Integrate your on-prem Active Directory domains with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.
The connector syncs each user’s primary group membership (for example, Domain Users) via the primaryGroupID attribute. AD does not include primary groups in memberOf, so the connector resolves these automatically.
The connector supports syncing across multiple AD domains and forests in a single run via additional-domains configuration.
gMSA sync is opt-in and requires the enable-gmsa-sync flag. gMSA provisioning modifies the msDS-GroupMSAMembership security descriptor ACL.
The connector supports two connection modes: LDAP (default on Linux) and WinLDAP (default on Windows, uses wldap32.dll for Kerberos/GSSAPI).
Connector actions are custom capabilities that extend C1 automations with app-specific operations. You can use connector actions in the Perform connector action automation step.Global actions (connector-level):
Action name
Additional fields
Description
enable_user
resource_id (resource ID, required)
Enable a disabled AD account (clears ACCOUNTDISABLE flag)
disable_user
resource_id (resource ID, required)
Disable an active AD account (sets ACCOUNTDISABLE flag)
lock_account
resource_id (resource ID, required)
Lock an AD account — alias for disable_user, sets the ACCOUNTDISABLE UAC flag. AD has no separate lock state.
unlock_account
resource_id (resource ID, required)
Unlock an AD account — alias for enable_user, clears the ACCOUNTDISABLE UAC flag.
Update user attributes. Known names (for example, first_name) are mapped to AD attributes; unknown names are passed through as raw AD attribute names. Empty values clear the attribute. Uses StringField for resource_id (not ResourceIdField) because it is invoked by the SDK profile push pipeline.
lookup_user
At least one of: upn (string), sam_account_name (string), employee_id (string)
Look up a user by UPN, SAM Account Name, or Employee ID and return their DN, SAM Account Name, UPN, display name, employee ID, and objectGUID
set_manager
resource_id (resource ID, required), plus exactly one of: manager_resource_id (resource ID) or clear_manager (bool)
Set or clear the manager attribute on a user. The handler returns the resulting manager_dn as an output for observability; manager_dn is not an input.
Resource actions (on user resources):
Action name
Additional fields
Description
update_profile
user_id (resource ID, required), plus optional string fields (see Profile push attributes below), and custom_attributes (map of raw AD attribute names to values)
Update a user’s profile attributes. Empty values clear the attribute in AD.
To configure the Active Directory connector, you need an Active Directory service account with appropriate permissions. The specific permissions depend on your intended use:
Sync only: Read access to AD objects
Entitlement provisioning: Delegated rights to modify group membership
Account provisioning: Delegated rights to create, delete, and manage user accounts, plus LDAPS enabled
gMSA provisioning: Permission to modify msDS-GroupMSAMembership on gMSA objects
The service account also needs Log on as a service permission and Modify access to C:\ProgramData\ConductorOne.
Create a dedicated AD service account for the connector (for example, svc-baton). A standard domain user account with read access is sufficient for sync-only operation.
2
Grant the service account Log on as a service permission via local or domain Group Policy, depending on your environment.
For entitlement provisioning support, the service account needs delegated rights to manage group membership.
1
Open Active Directory Users and Computers (ADUC) or run dsa.msc from the command line.
2
Right-click on your forest root (or a specific OU if you only want to provision into groups in that OU) and select Delegate Control.
3
Add the service account running the baton-active-directory service.
4
From the tasks to delegate, check the box for Modify the membership of a group.
5
Click Next, then Finish.
This delegation grants the service account the ability to provision and deprovision access from Active Directory groups, but it excludes special built-in groups like Administrators, Domain Admins, Enterprise Admins, and Schema Admins.To manage those protected groups, you must grant explicit Write Members permission on each group and update AdminSDHolder to prevent the permission from being removed:
1
For each protected group: right-click the group, click the Security tab, click Advanced, click Add, select the service account as the principal, and grant Write Members permission.
2
Run the following PowerShell script from a domain controller with domain admin credentials to ensure AdminSDHolder does not remove the permission after 60 minutes:
The Connector Administrator or Super Administrator role in C1
An Active Directory service account with the appropriate permissions (see above)
Cloud-hosted
Self-hosted
The Active Directory connector is self-hosted only. It runs on a Windows or Linux server in your environment with direct network access to your domain controllers.To get started, follow the Self-hosted tab instructions.
Follow these instructions to use the Active Directory connector, hosted and run in your own environment.Once installed and configured, Baton runs as a Windows service (or Linux daemon). The service maintains contact with C1, syncs and uploads data at regular intervals, and passes that data to the C1 UI for access reviews and access requests.
Step 1: Set up a new Active Directory connector in C1
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for Baton and click Add.
3
Choose how to set up the new Active Directory connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
In the Settings area of the page, click Edit.
7
Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. You will need them when configuring the connector.
8
Next to the Not Connected label, click on the word Baton to navigate to the application page. Click the pencil icon at the top of the page and rename the application to Active Directory. This updates the application name, connector name, and icon.
Download the latest baton-ad-setup-*.exe installer from C1.
2
Run the installer on the host designated to run the connector. The installer prompts for your AD domain, C1 credentials, and connection settings.
3
The installer writes a YAML config file (with optional DPAPI encryption for secrets), registers a Windows service with auto-restart recovery, and creates Start Menu shortcuts for the GUI Configuration Editor and uninstall.
On the host designated to run the connector, create a folder: C:\Program Files\ConductorOne.
2
Copy baton-active-directory.exe to the ConductorOne folder.
3
Install and set up the connector by running (from an elevated command prompt):
baton-active-directory.exe setup
The setup process checks for a config file, opens the GUI config editor if none exists, offers to copy the binary to Program Files, optionally configures a service account, and registers the Windows service with auto-start and recovery.For non-interactive setup, use: baton-active-directory.exe setup -y
4
Grant the service account Modify folder permissions to C:\ProgramData\ConductorOne so it can write to the log file.
Failing to grant this permission results in a service start error.
5
Launch the Services console, locate the service named baton-active-directory, and configure it:
Double-click to open properties
Change the Startup type to Automatic
Navigate to the Log On tab and click This account
Click Browse, enter your service account name, and click Check Names
Enter the service account password and confirm it
Click Apply
Navigate back to the General tab and click Start
The config file is written to C:\ProgramData\ConductorOne\baton-active-directory\config.yaml:
base-dn: DC=example,DC=comdomain: example.commode: winldapldaps: trueclient-id: <C1 client ID>client-secret: <C1 client secret># Include this line to enable provisioningprovisioning: true
If you make changes to the config file, a service restart is required for the changes to take effect.
The log file is written to C:\ProgramData\ConductorOne\baton-active-directory\baton.log.
Each gMSA exposes a password_retrieval entitlement representing which principals are authorized to retrieve the managed password. Grant and Revoke operations modify the gMSA’s msDS-GroupMSAMembership security descriptor ACL.
You can restrict which Organizational Units the connector syncs by using skip-ous or only-ous (mutually exclusive):
# Exclude specific OUsskip-ous: - "OU=Test,DC=example,DC=com" - "OU=Disabled,DC=example,DC=com"# Or include only specific OUsonly-ous: - "OU=Engineering,DC=example,DC=com" - "OU=Sales,DC=example,DC=com"
By default, the connector syncs a standard set of AD user attributes. Use custom-user-attributes to include additional AD attributes in the user profile for account correlation:
Once synced, the specified attributes appear as profile fields on the user in C1 and can be configured as additional usernames for account correlation.
The update_profile resource action declares the following 23 named string fields in its schema. The platform’s schema-driven UI shows a dedicated input for each. Attributes outside this list (including extensionAttribute1 through extensionAttribute15) must be set via the custom_attributes map field on update_profile, or via the update_user_attrs global action.
Field name
AD attribute
Category
first_name
givenName
Identity
middle_name
middleName
Identity
last_name
sn
Identity
display_name
displayName
Identity
sam_account_name
sAMAccountName
Identity
user_principal_name
userPrincipalName
Identity
email
mail
Contact
phone_number
telephoneNumber
Contact
mobile_phone
mobile
Contact
job_title
title
Organization
department
department
Organization
division
division
Organization
company
company
Organization
description
description
Organization
employee_id
employeeID
Organization
employee_number
employeeNumber
Organization
employment_type
employeeType
Organization
city
l
Address
state
st
Address
street_address
streetAddress
Address
postal_code
postalCode
Address
country
c
Address
physical_delivery_office_name
physicalDeliveryOfficeName
Address
AD enforces schema constraints on attribute values. For example, the c (country) attribute has a maximum length of 3 characters and expects ISO 3166-1 alpha-2 codes (for example, US, not United States). Constraint violations are logged with each attribute name and value length to aid debugging.
The update_user_attrs global action recognizes the 23 named fields above plus 15 additional aliases (extension_attribute_1 through extension_attribute_15 mapping to extensionAttribute1–extensionAttribute15). Any attribute name not in the combined list is passed through as a raw AD attribute name, allowing direct access to any writable AD attribute.
To enable LDAPS, add the following to your config:
ldaps: trueldaps-port: 636 # default; use 3269 for Global Catalog over LDAPSldaps-skip-verify: true # default; set to false to enforce certificate validation (go-ldap mode only)
The ldaps-skip-verify flag only affects go-ldap mode. WinLDAP mode uses the Windows certificate store for certificate validation and is not affected by this setting.
To diagnose LDAPS connectivity issues, use the built-in diagnostic command:
baton-active-directory.exe test-ldaps
This tests DC resolution, TLS handshake, certificate validation, and LDAP bind for all configured domains with detailed error reporting.
On Windows, the connector can encrypt sensitive config values (client-id, client-secret, and bind-password) using Windows DPAPI machine-scoped encryption. Encrypted values are prefixed dpapi: in the YAML config and are decrypted transparently at startup. The installer encrypts by default; you can also encrypt an existing config manually:
The connector supports two authentication methods, configured via bind-type:
external (default): Uses Kerberos/GSSAPI. The connector authenticates as the service account running the Windows service. No bind-user or bind-password needed.
simple: Uses username/password bind. Requires bind-user (the full DN) and bind-password.
Use the following commands to manage the service (all require administrator privileges):
To start the service: baton-active-directory.exe start
To stop the service: baton-active-directory.exe stop
To check the status: baton-active-directory.exe status
To remove the service: baton-active-directory.exe remove (config and binary are preserved)
2
The connector syncs current data, uploads it to C1, and prints a Task complete! message when finished.
3
Check that the connector data uploaded correctly. In C1, click Apps. On the Managed apps tab, locate and click the name of the application you added the Active Directory connector to. Active Directory data should be found on the Entitlements and Accounts tabs.
Done. Your Active Directory connector is now pulling access data into C1.
Once your Active Directory connector is synced, you can use C1 to run user access reviews on AD group memberships, enable just-in-time access requests for AD groups and gMSAs, and automate provisioning workflows using connector actions.
In C1, navigate to Apps > Managed apps and click the name of your Active Directory application.
2
Under Accounts management, click Edit next to Provisioning.
3
From the Connector dropdown, select your Active Directory connector.The mapping fields defined by the connector’s schema appear below the dropdown.
4
Enter a CEL expression for each field. See Provisioning field reference below for guidance.Click Test next to any field to validate the expression against an existing C1 user.
5
Under Password storage, select the vault where generated passwords should be stored.
The fields below are defined by the AD connector’s account creation schema. CEL expressions reference profile attributes accumulated from connected directory and HR apps using the pattern subject.attributes.<attribute_name>. To see which attributes are available for a given user, navigate to that user’s profile page in C1.The DN of the new account is assembled by the connector as: CN=<commonName>,<organizationalUnit>,<domain>
The CN component of the user’s Distinguished Name. Typically the user’s full name or display name.
subject.attributes.display_name
Organizational Unit
The OU path where the account will be created, without DC components. The OU must already exist in AD.
"OU=Users,OU=Corp"
Domain
The domain as DC components. Must match an existing domain in your AD forest.
"DC=example,DC=com"
Object Class(es)
One or more LDAP object classes for the new user object.
["user"]
Organizational Unit and Domain are almost always static strings — they don’t vary per user. Enter them as quoted literals unless your organization places users in different OUs based on a profile attribute such as department.
The Additional Attributes field accepts a map of raw LDAP attribute names to CEL expressions. Use this to set user attributes beyond what the named fields cover. Common examples:
LDAP attribute
Description
Example
givenName
First name
subject.attributes.first_name
sn
Last name (surname)
subject.attributes.last_name
displayName
Display name
subject.attributes.display_name
mail
Email address
subject.attributes.email
department
Department
subject.attributes.department
title
Job title
subject.attributes.job_title
company
Company name
subject.attributes.company
manager
Manager (must be full DN)
(see note below)
The manager attribute must be the full Distinguished Name of the manager’s AD account — for example, CN=Jane Doe,OU=Users,DC=example,DC=com. If your source directory exposes the manager’s DN directly, you can map it here. Otherwise, omit it at creation time and set it later using the set_managerconnector action.
sAMAccountName has a 20-character limit and cannot contain these characters: / \ [ ] : ; | = , + * ? < > @. If your naming convention could produce values longer than 20 characters, truncate or use an alternative expression.
userPrincipalName must be unique across the entire AD forest. A duplicate UPN causes provisioning to fail with an LDAP constraint violation error.
Accounts are created disabled by default. Setting Enabled to false is intentional — C1 sets the account password in a separate LDAP operation after creation. If you set Enabled to true, the account will be enabled at creation but will still have a system-generated password sent to your vault.
The target OU must already exist. C1 will not create missing OUs. If the OU specified in Organizational Unit doesn’t exist when provisioning runs, the request will fail.
objectClass order matters in LDAP. For standard AD users, ["user"] is sufficient. If your schema requires additional classes, list them in structural hierarchy order (for example, ["top", "person", "organizationalPerson", "user"]).
Global Catalog scope disables provisioning. If the connector’s sync-scope is set to GlobalCatalog, account provisioning is not supported. Use the default scope instead.
