Auto Account Management

Note: The automatic Active Directory account management feature is only available in MassTransit HP.

MassTransit implements the automatic Active Directory account management feature that allows setting up MassTransit contacts, forwarding privileges and so on, automatically based on existing Active Directory groups.

Since MassTransit 6.0, you are allowed to leverage the groups in your Active Directory tree to automatically create accounts and assign forwarding privileges. Any existing Active Directory group can be designated as a part of the MassTransit Master List (MML) or the MassTransit Distribution List (MDL) or both.

MassTransit will automatically create contacts for Master List members. MassTransit will create contacts for Distribution List members when those members attempt to log in to MassTransit or when they are forwarding files. The Distribution List defines forwarding privileges – contacts who are members of an Active Directory group included into the Distribution List are automatically allowed to forward files to all other members of the same Active Directory group and all its subgroups, if any. MassTransit contacts for Distribution List members are created dynamically when they are needed and are set to expire 7 days after the creation date. Any file transfer related operation that involves a Distribution List contact, such as files being added to that contact’s mailbox or forwarded from another contact, will extend its expiration date to be at least 7 days from the time the operation occurred.

MassTransit polls Active Directory periodically to synchronize both Master and Distribution List membership. Automatically created MassTransit contacts that no longer have a membership in either of the Lists will be automatically deleted from the contacts database.

All automatically created MassTransit contacts will be of the Web client type.

Configuring Auto Account Management

To configure the automatic Active Directory account management, follow the instructions below:

If you need to, you can configure automatic removing of queued (To Send) file entries when the files cannot be found. Enabling automatic removing can avoid repeated errors if forwarded or programmatically added files are removed from their source locations.

  1. Open the MassTransit.cfg in an application suitable for plain text editing. By default, this file is placed on the system drive in:
    1. for MassTransit 7.6 and later:
      • on 64-bit machines:

      C:\Program Files (x86)\Acronis\MassTransit Server

    2. for MassTransit 7.1 to 7.6:
      • on 32-bit machines:

      C:\Program Files\Group Logic\MassTransit Server

      • on 64-bit machines:

      C:\Program Files (x86)\Group Logic\MassTransit Server

    3. for MassTransit 7.0.x:
      • on 32-bit machines:

      C:\Program Files\Group Logic\MassTransit Server 7

      • on 64-bit machines:

      C:\Program Files (x86)\Group Logic\MassTransit Server 7
  2. Locate the Missing Queued Files Settings section.

    Note: Settings with a '%%' preceding them are not enabled. Delete the '%%' symbols at the front of the line in order to activate the settings.

  3. Configure the following setting:

    PURGE_TO_SEND_RECORDS = TRUE – setting this option to TRUE enables the automatic removing of missing queued file entries from the Files window; when set to FALSE, MassTransit will not remove the file entries from the To Send queue.

    Note: If the queued files are on remote volumes, enabling this will unqueue the files permanently if the remote volume is inaccessible.

  4. Save and close the MassTransit.cfg file.
  5. Restart the MassTransit services in order to apply the changes immediately:
    1. Go to Start → Control Panel → Administrative Tools → Services;
    2. Highlight the MassTransit service (for MassTransit SFTP, the service name is MassTransit SFTP) and click on the Stop button from the Services tool bar, or select the Stop option from the context menu of the service;
    3. Highlight the MassTransit Transporter service and click on the Restart button from the Services tool bar, or select the Restart option from the context menu of the service;
  6. There is a master switch that enables or disables the whole feature:
  1. Enter the valid Active Directory group(s) that you want to include in the MassTransit Master List as the value of the LDAP_MML_GROUPS= setting. A group must be specified by its distinguished name, such as CN=Group Name,CN=Users,DC=domain,DC=com. To specify more than one group, separate the groups with a semicolon (;).

    Note: Duplicate, nested, or recursively nested groups are acceptable and will not result in any issues at run time. However, only manually created Active Directory groups with explicitly defined user account membership can be designated as entries in the Master List. Built-in Active Directory security principals that establish implicit group membership, such as Domain Users, will be ignored by the automatic Active Directory account management.

  2. Enter the valid Active Directory group(s) that you want to include in the MassTransit Distribution List as the value of the LDAP_MDL_GROUPS= setting. To enter more than one group in the Distribution List, separate the groups with a semicolon. The same requirements and limitations apply to this parameter as to the Master List set in the previous step.

    Note: MassTransit 7.2 and later offers a new option that allows members of different MDL groups to send files to each other.

  3. To allow members of different MDL groups to send files to each other, set the LDAP_ALLOW_USERS_TO_SEND_BETWEEN_MDL_GROUPS= value to true; the default is false.
  4. Set a profile account name whose settings will be propagated to all automatically created accounts as a value of the LDAP_AUTO_ACCOUNT_PROFILE= setting. The specified account should be the name of an existing Web client contact. If the profile contact is not specified, does not exist, or is not a Web client, MassTransit will use the default Web client contact settings when automatically creating contacts. The following profile settings are overridden for automatically created contacts:
    a. Authentication type – always set to Active Directory;
    b. Contact information block (first name, last name, e-mail, etc.) – populated from the respective Active Directory account;
    c. Account expiration time – not set for Master List contacts; for Distribution List contacts it is set to either the profile expiration time or 7 days from the current time, whichever is greater, or, if the LDAP_MDL_ACCOUNT_EXPIRATION=7 setting is set, to the number of days it specifies;
    d. Accept Calls From User – always on;
    e. Receive Files From User – always on;
    f. Send Files To User – always on;
    g. Allow Connect Via Web To Transfer Files – always on;
    h. Manually assigned forwarding privileges – only propagated to Master List contacts.
  5. For contacts that belong to the MML you can use a separate profile account rather than using the LDAP_AUTO_ACCOUNT_PROFILE= setting. You can specify it using the LDAP_MML_PROFILES= value. Use any existing MassTransit web contact account for this value. When setting up this contact in the MassTransit Administrator under the Mailbox tab you MUST choose the Default Mailbox option. Only settings found in the Contact Information Security tab are propagated to new contacts.
    a. If LDAP_MML_PROFILES is not specified, MML contacts will be created with the account profile set under the LDAP_AUTO_ACCOUNT_PROFILE setting;
    b. If a single profile is specified, all MML contacts will be created with that profile;
    c. If different MML groups should use different profiles, a semicolon-separated list of profiles can be specified; the profiles are matched one-to-one with the groups specified in LDAP_MML_GROUPS=.
  6. Set the polling interval (specified in minutes) for the Master List as a value of the LDAP_MML_POLLING_INTERVAL= setting. The default value for this parameter is 30 minutes; using shorter intervals is not recommended.
  7. Set a valid integer number that will represent the polling interval (specified in minutes) for the Distribution List as a value of the LDAP_MDL_POLLING_INTERVAL setting. The default is 60; using polling intervals less than 30 minutes is not recommended.
  8. Set the maximum number of Web client contacts to maintain in the database at any given time as a value of the LDAP_MAX_WC_ACCOUNTS setting. Set this to a valid integer number; the default is 3000; the minimum is 3000 (values below the minimum will be overridden); for Ad hoc delivery, this maximum is observed with or without AD services. The set number includes both automatically and manually created contacts. This parameter is provided to avoid accidentally creating very large numbers of contacts due to various configuration errors.
  9. Set the maximum number of forwarding contacts to be displayed in the Web client (and/or Ad hoc contact) user interface in the LDAP_MAX_FWD_CONTACTS setting. Set this to a valid integer number; the default value is 3000.
  10. When you have finished configuring the automatic account management, save and close the MassTransitEngine.cfg configuration file.
  11. In order to apply the saved changes immediately, you need to restart the MassTransit Engine.

The configuration of the automatic Active Directory account management is completed.
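As an added example that is not part of the original article, the following Python script reads a constructed MassTransit.cfg fragment and checks it against the rules stated in the steps above: a leading '%%' disables a setting, group lists are semicolon-separated distinguished names, LDAP_MML_PROFILES must map one-to-one onto LDAP_MML_GROUPS when it lists more than one profile, polling intervals below 30 minutes are not recommended, and LDAP_MAX_WC_ACCOUNTS has a minimum of 3000. The NAME = VALUE line layout, the simplified DN pattern and all sample values are assumptions.

```python
import re

# Constructed sample fragment in the "NAME = VALUE" form the page shows;
# a leading '%%' disables a setting. Assumption: one setting per line.
SAMPLE_CFG = """\
%% LDAP_AUTO_ACCOUNT_PROFILE = WebProfile
LDAP_MML_GROUPS = CN=MT Masters,CN=Users,DC=example,DC=com;MT Partners
LDAP_MML_PROFILES = MasterProfile
LDAP_MDL_GROUPS = CN=MDL Group A,CN=Users,DC=example,DC=com
LDAP_MML_POLLING_INTERVAL = 5
LDAP_MDL_POLLING_INTERVAL = 60
LDAP_MAX_WC_ACCOUNTS = 500
"""

# Simplified DN shape matching the page's CN=Group Name,CN=Users,DC=domain,DC=com
# (assumption: only CN/OU/DC components are checked).
DN_RE = re.compile(r"^CN=[^,]+(,(CN|OU|DC)=[^,]+)+$")

def parse_cfg(text):
    """Return enabled settings as a dict; lines starting with '%%' are disabled."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%%"):
            continue
        key, _, value = line.partition("=")  # first '=' only: DNs contain '='
        settings[key.strip()] = value.strip()
    return settings

def split_list(value):
    """Semicolon-separated list, as the page specifies for groups and profiles."""
    return [item.strip() for item in value.split(";") if item.strip()]

def check_cfg(settings):
    """Apply the rules stated on the page and return the findings as strings."""
    findings = []
    mml = split_list(settings.get("LDAP_MML_GROUPS", ""))
    mdl = split_list(settings.get("LDAP_MDL_GROUPS", ""))
    for dn in mml + mdl:
        if not DN_RE.match(dn):
            findings.append(f"not a distinguished name: {dn}")
    profiles = split_list(settings.get("LDAP_MML_PROFILES", ""))
    if len(profiles) > 1 and len(profiles) != len(mml):
        findings.append("LDAP_MML_PROFILES must map one-to-one onto LDAP_MML_GROUPS")
    if int(settings.get("LDAP_MML_POLLING_INTERVAL", 30)) < 30:
        findings.append("LDAP_MML_POLLING_INTERVAL below the 30-minute default is not recommended")
    if int(settings.get("LDAP_MDL_POLLING_INTERVAL", 60)) < 30:
        findings.append("LDAP_MDL_POLLING_INTERVAL below 30 minutes is not recommended")
    if int(settings.get("LDAP_MAX_WC_ACCOUNTS", 3000)) < 3000:
        findings.append("LDAP_MAX_WC_ACCOUNTS below the 3000 minimum is overridden")
    return findings
```

Running `check_cfg(parse_cfg(SAMPLE_CFG))` on the constructed fragment reports the plain group name, the 5-minute Master List interval and the too-low contact limit; the disabled '%%' line is ignored.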

Different Configurations of MassTransit Distribution List

The new MassTransit Distribution List (MDL) capability defines who can send files to whom. The MDL is a regular Active Directory Security Group containing users and other groups. It can be an existing group or a specially created group. For members of the MDL, MassTransit creates accounts on demand, only when they are needed, and makes these users available as valid destinations for files to be transferred. These on-demand accounts are automatically purged after a period of time and are recreated when needed.

By default, users that are members of an AD group which is part of the MDL can send files to the other members of the same AD group and to any users on child levels. MassTransit 7.2 and later allows users that are members of an MDL group to send files to any member of the other MDL groups.
Below are three examples of MDL configuration that will help you understand how this feature works.

Example 1:

In the first example, the MassTransit Distribution List – “MDL Group A” contains two AD groups – “Group Dog” and “Group Cat”. Each of the two groups has two members. The members of “Group Dog” can send files only to each other. The same is valid for the members of “Group Cat”.
For example: “Gracy AD user” can send files only to “Bob AD user”.

Example 2:

In the second example, the MassTransit Distribution List – “MDL Group A” contains two AD groups – “Group Dog” and “Group Cat” and two AD users – “Jake AD user” and “Rex AD user”. These users can send files to each other, as well as to all users that are on child tree levels – the members of “Group Dog” and “Group Cat”. The members of “Group Dog” can send files only to each other. The same is valid for the members of “Group Cat”.
For example: “Rex AD user” can send files to “Jake AD user”, “Gracy AD user”, “Bob AD user”, “Tim AD user”, and “John AD user”. “Tim AD user” can send files only to “John AD user”.

Example 3:

In the third example, there is one additional AD group – “Group Snake” which belongs to “Group Dog”. “Sammy AD user” and “Sally AD user” are on the lowest tree level of the MDL, so they can send files only to each other. In contrast to the previous example, users from “Group Dog” can send files not only to each other but to members of “Group Snake” as well, since it is also a member of “Group Dog”. “Rex AD user” and “Jake AD user” can send to all users.
For example: “Bob AD user” can send files to “Gracy AD user”, “Sammy AD user” and “Sally AD user”. “Tim AD user” can send files only to “John AD user”, since “Sammy AD user” and “Sally AD user” are not on a child tree level.
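The three examples above follow one rule, shown here in an added Python example (not part of the original article) over a constructed group tree for Example 3: a user may send to every member of the groups they belong to directly and to every user nested below those groups, and with LDAP_ALLOW_USERS_TO_SEND_BETWEEN_MDL_GROUPS=true to anyone in the MDL tree. The group and user names are the page's; the reading of the cross-group option as "any user in the MDL tree" is an assumption.

```python
# Constructed group tree for the page's Example 3 (not real directory data):
# each group maps to its direct members, which may be users or other groups.
MEMBERS = {
    "MDL Group A": {"Rex AD user", "Jake AD user", "Group Dog", "Group Cat"},
    "Group Dog": {"Gracy AD user", "Bob AD user", "Group Snake"},
    "Group Cat": {"Tim AD user", "John AD user"},
    "Group Snake": {"Sammy AD user", "Sally AD user"},
}
MDL_GROUPS = ["MDL Group A"]   # the groups listed in LDAP_MDL_GROUPS

def walk(group, members):
    """Return (users, groups) reachable from `group` through any depth of nesting."""
    users, groups, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in groups:
            continue          # already visited: tolerates duplicate and recursive nesting
        groups.add(g)
        for m in members.get(g, ()):
            if m in members:
                stack.append(m)
            else:
                users.add(m)
    return users, groups

def allowed_recipients(user, members, mdl_groups, allow_between_mdl_groups=False):
    """Users that `user` may forward files to under the MDL rule on this page.

    Default: everyone in each group the user is a direct member of, plus all users
    in that group's subgroups. With LDAP_ALLOW_USERS_TO_SEND_BETWEEN_MDL_GROUPS=true
    the page says members of different MDL groups may send to each other; assumed
    here to mean any user in the MDL tree can reach any other user in it.
    """
    tree_users, tree_groups = set(), set()
    for root in mdl_groups:
        u, g = walk(root, members)
        tree_users |= u
        tree_groups |= g
    if user not in tree_users:
        return set()          # not an MDL member: no on-demand account, no privileges
    if allow_between_mdl_groups:
        return tree_users - {user}
    allowed = set()
    for group in tree_groups:
        if user in members.get(group, ()):
            allowed |= walk(group, members)[0]
    return allowed - {user}
```

With the default setting the function reproduces the page's statements: Bob reaches Gracy, Sammy and Sally; Tim reaches only John; Rex reaches everyone else.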