What is a one sentence summary of your feature request?
We would like to be able to sync Users in AD groups with the corresponding “Administrator Groups” in EPP
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
The manual explains how to create a local administrator account on the server and assign roles. However, this approach does not seem particularly practical for us, especially given the number of administrators and types of administrators in our global environment.
Our current setup:
We have different AD groups in our Active Directory, each containing users who have been approved through a predefined process in our IAM system. For example, our Service Desk uses Admin Groups like “Helpdesk”, the Audit Team uses Admin Groups like “Reports and Analysis”, and so on…
EDC-PR-ServiceDesk
EDC-PR-Reports
EDC-PR-EasyLockAdministrators
The question is: How can these AD groups be mapped to the corresponding Admin Groups on the EPP server? For example, users in the “EDC-PR-ServiceDesk” AD group should automatically be assigned to the “Helpdesk” admin group on the EPP server.
At the moment, users must be manually added and assigned to groups on the server. Given the existing AD groups and our IAM processes, this manual approach feels inefficient and impractical and has a lot of possibilities to assign wrong or unapproved users.
The best solution would be to implement a sync mechanism between AD-Groups and EPP “Administrators Groups”.
How do you currently solve the challenges you have by not having this feature?
We constantly have to manually compare the AD groups with the EPP groups. The entire process, from requesting permissions to approval by supervisors, is largely automated through our IAM system. However, at the end of the process, significant manual effort is required to assign users to the appropriate groups in the EPP.
This is neither user-friendly nor efficient and is highly prone to errors.
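The manual comparison described in this request, as an added example that is not part of the original post or of the EPP product: a Python drift report between AD group membership and EPP administrator groups. The member lists are constructed, and the `EDC-PR-Reports` pairing and the input shape (name lists taken from exports) are assumptions.

```python
# Added example: drift report between AD groups and EPP administrator groups.
# Input shape is an assumption: plain name lists taken from AD and EPP exports.

# AD group -> EPP administrator group. The first pair is stated in the post;
# the second pairing is assumed from the groups the post lists.
GROUP_MAP = {
    "EDC-PR-ServiceDesk": "Helpdesk",
    "EDC-PR-Reports": "Reports and Analysis",  # assumed pairing
}

def norm(user):
    # Compare accounts case-insensitively and drop a leading domain prefix.
    return user.split("\\")[-1].strip().lower()

def expected_roles(ad_members):
    """Build user -> set of EPP groups that the AD memberships approve."""
    want = {}
    for ad_group, users in ad_members.items():
        epp_group = GROUP_MAP.get(ad_group)
        if epp_group is None:
            continue  # AD group is not governed by this mapping
        for u in users:
            want.setdefault(norm(u), set()).add(epp_group)
    return want

def drift(ad_members, epp_admins):
    """Return (missing, unapproved) as sorted lists of (user, epp_group)."""
    want = expected_roles(ad_members)
    have = {}
    for u, groups in epp_admins.items():
        have.setdefault(norm(u), set()).update(groups)
    missing = sorted((u, g) for u, gs in want.items()
                     for g in gs - have.get(u, set()))
    unapproved = sorted((u, g) for u, gs in have.items()
                        for g in gs - want.get(u, set()))
    return missing, unapproved

# Constructed sample data (not real accounts).
AD_MEMBERS = {
    "EDC-PR-ServiceDesk": ["CORP\\Alice", "bob"],
    "EDC-PR-Reports": ["carol", "bob"],
}
EPP_ADMINS = {
    "alice": ["Helpdesk"],
    "Bob": ["Helpdesk", "Super Administrator"],
    "dave": ["Reports and Analysis"],
}

if __name__ == "__main__":
    missing, unapproved = drift(AD_MEMBERS, EPP_ADMINS)
    print("approved in AD but not assigned in EPP:", missing)
    print("assigned in EPP without AD approval:  ", unapproved)
```

The `unapproved` list is the one to review first, since it holds EPP role assignments that no IAM-approved AD membership backs.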
Welcome to the Netwrix Community, and thank you for submitting your request!
We truly appreciate you sharing your idea about synchronizing users in AD groups to be automatically mapped to the corresponding EPP Administrator Groups.
Even though we see the value in adding this, at this point, we want to be transparent in setting expectations — this functionality would require significant architectural changes within our platform, particularly in how roles and group mappings are managed. Because of this complexity, it is not something we can accommodate in the short or even mid-term roadmap. That said, our development team will be conducting a technical assessment to explore the feasibility and determine the most effective approach for this capability.
In the meantime, we sincerely value your input and patience. Your feedback helps guide our future direction, and we’ll be sure to keep you informed when progress is made on this topic.
We would like to inform you that your item is still on our desk, and we will update you as soon as the investigation is complete, at the appropriate time. As previously mentioned, given the architectural changes involved, this will require some time.
We appreciate your patience and understanding while we work through our current loaded agenda with high priority items.
I would also like to add my support to this request. The ability to synchronize multiple AD groups with EPP Administrator Groups would significantly reduce manual effort and help maintain correct, compliant access assignments. This is a capability that would benefit environments with structured IAM processes, and it would greatly improve operational efficiency and accuracy.
I hope this feature can be considered as a higher priority in future planning.
Thank you for sharing your feedback—we truly understand how important this request is to you.
At this time, the feature remains under review as our team is working through current priorities. As soon as we have more clarity or it is scheduled, we will make sure to update you. Please rest assured that your remark will be taken into consideration.
Hi, we’re suffering with this same limitation and would like to see this. Another potential option that may be quicker to implement: when new admins are synced, they should not be Super Administrators, but instead some other permissions level, like Helpdesk. Especially as bulk editing users is not possible. Getting support to change this with back end commands gets tiring (especially when they don’t have the commands ready!)
Thank you for being an active member of the Netwrix Community.
We’ve received your suggestion and carefully reviewed your use case. Please be assured that your feedback is important to us and will be taken into consideration as we continue to enhance this feature.
We understand the value this brings to your workflow, and our team is committed to delivering the best possible solution. At the same time, due to several high-priority initiatives currently in progress, implementation may take some time.
We truly appreciate your patience and continued support.