How to Integrate ManageEngine ServiceDesk Plus with Active Directory?
Quick Summary: Managing users across two disconnected systems wastes time and creates security gaps. When you connect ManageEngine ServiceDesk Plus with Microsoft Active Directory (AD), your IT team gains a single, synchronized source of truth for user data — eliminating manual account creation, enabling Single Sign-On (SSO), and keeping requester records automatically up to date. In this article, we cover everything you need to complete the integration: prerequisites, LDAP configuration, user import settings, SSO setup, and ongoing synchronization best practices.
Why Does Integrating ManageEngine ITSM with Active Directory Matter?

What Problems Does the Integration Solve?
Most organizations already store authoritative user data in Active Directory — names, email addresses, department assignments, manager hierarchies, and group memberships. Without an AD integration, IT teams must duplicate all of that information manually inside ManageEngine ServiceDesk Plus. That duplication creates three immediate problems:
- Data drift — When users change roles or leave the company, their ServiceDesk Plus profiles don’t update automatically, leading to misrouted tickets and security risks
- Onboarding friction — IT staff must create accounts in multiple systems every time a new employee joins
- Authentication overhead — Users need separate credentials for the ITSM portal, increasing password reset volume and reducing adoption
What Does the Integration Enable?
Connecting ManageEngine ServiceDesk Plus with Active Directory eliminates all three problems at once. Specifically, the integration enables:
| Capability | Business Benefit |
|---|---|
| Automatic user import from AD | No manual account creation for new hires |
| Scheduled AD synchronization | User profiles stay current without IT intervention |
| Single Sign-On (SSO) via AD credentials | One set of credentials for all enterprise tools |
| Group-based role mapping | AD security groups drive ServiceDesk Plus permissions |
| Requester auto-population | Ticket fields fill from AD attributes automatically |
According to Microsoft’s own enterprise identity management guidance, organizations that centralize identity through AD and extend it to downstream applications reduce identity-related helpdesk tickets by up to 30%. The ManageEngine AD integration delivers exactly that outcome.
What Do You Need Before Starting the Integration?
What Are the Technical Prerequisites?
Before you open a single configuration screen, confirm that your environment meets these requirements:
ManageEngine ServiceDesk Plus requirements:
- ServiceDesk Plus version 9.0 or later (on-premises) or the cloud edition with AD connector enabled
- Administrator access to the ServiceDesk Plus admin panel
- Network connectivity from the ServiceDesk Plus server to your AD domain controllers on port 389 (LDAP) or port 636 (LDAPS for secure connections)
Active Directory requirements:
- A dedicated service account in AD with read-only access to the relevant Organizational Units (OUs)
- The service account must have permission to perform LDAP queries against the directory
- Domain Controller hostname or IP address, and your AD domain name (e.g., corp.example.com)
Security recommendation: Always use a dedicated, least-privilege service account for this integration — never use a domain admin account. Read-only LDAP access is sufficient, and limiting scope reduces your attack surface significantly.
What Information Should You Gather in Advance?
Collect the following details before starting configuration:
| Required Value | Where to Find It |
|---|---|
| Domain Controller hostname or IP | Your network team or AD admin |
| LDAP port (389 or 636) | IT security policy |
| Base DN (distinguished name) | AD admin (e.g., DC=corp,DC=example,DC=com) |
| Service account username | Created by your AD admin |
| Service account password | Set during account creation |
| OU paths to import from | AD structure diagram or admin |
Having these values ready before you start saves significant time and prevents half-completed configurations.
How Do You Configure the LDAP Connection in ServiceDesk Plus?
How Do You Access LDAP Settings?
ManageEngine ServiceDesk Plus manages the AD integration through its Active Directory / LDAP settings panel. To reach it:
- Log in as an Administrator
- Navigate to Admin → User Management → Active Directory
- Click Add Domain to begin a new integration
How Do You Complete the LDAP Configuration Form?
Fill in each field as follows:
Step 1 — Domain Details: Enter your AD domain name (e.g., corp.example.com) and a friendly display name for this connection. If you manage multiple domains, this label helps distinguish them later.
Step 2 — Domain Controller Settings: Enter the hostname or IP address of your primary Domain Controller. Add a secondary DC as a fallback to prevent authentication failures during maintenance windows.
Step 3 — Port and Security:
- Use port 389 for standard LDAP (unencrypted: a simple bind over plain LDAP sends the service account password across the network in clear text)
- Use port 636 for LDAPS (SSL-encrypted) — strongly recommended for production environments
- Enable SSL if using port 636 and ensure the DC’s SSL certificate is trusted by the ServiceDesk Plus server
Step 4 — Service Account Credentials: Enter the username and password for your dedicated service account. ServiceDesk Plus stores these credentials securely and uses them for all subsequent LDAP queries.
Step 5 — Base DN: Enter your Base Distinguished Name — this tells ManageEngine where in the AD tree to start searching for users. For example: DC=corp,DC=example,DC=com
Step 6 — Test the Connection: Click Test Connection before saving. ServiceDesk Plus attempts an LDAP bind using your credentials and confirms whether the connection succeeds. If it fails, double-check port accessibility, credentials, and Base DN formatting.
How Do You Import Users from Active Directory into ManageEngine?
What Import Options Does ServiceDesk Plus Offer?
Once the LDAP connection is active, ManageEngine ServiceDesk Plus gives you granular control over which users to import and how their AD attributes map to ServiceDesk Plus fields.
You can import users in two ways:
- Manual import — Run an on-demand import to pull users immediately, useful during initial setup or when onboarding a batch of new employees
- Scheduled import — Configure automatic synchronization on a recurring schedule (hourly, daily, or weekly) so the system stays current without manual intervention
How Do You Map AD Attributes to ServiceDesk Plus Fields?
Attribute mapping defines how data flows from AD into ServiceDesk Plus. The table below shows the most commonly mapped fields:
| Active Directory Attribute | ServiceDesk Plus Field |
|---|---|
| displayName | Full Name |
| mail | Email Address |
| telephoneNumber | Phone |
| department | Department |
| manager | Reporting Manager |
| title | Job Title |
| sAMAccountName | Login Name |
| memberOf | Role / User Group |
To configure mapping:
- Go to Admin → Active Directory → Field Mapping
- Use the dropdown menus to pair each AD attribute with its ServiceDesk Plus counterpart
- Mark which fields are required — unmapped required fields block the import
- Save the mapping configuration
How Do You Filter Which Users to Import?
Rather than importing every user in your AD, use OU-based filtering to import only the relevant groups:
- In the AD settings, click Select OUs
- Browse the AD tree and check the OUs you want to include (e.g., OU=Staff,DC=corp,DC=example,DC=com)
- Exclude service accounts, shared mailboxes, or disabled accounts using LDAP filter syntax (e.g., (!(userAccountControl:1.2.840.113556.1.4.803:=2)) filters out disabled accounts: the 1.2.840.113556.1.4.803 matching rule performs a bitwise AND, and bit value 2 is the ACCOUNTDISABLE flag; note that the negation operator must wrap a fully parenthesized filter item)
Keeping your import scope tight improves performance and prevents inactive accounts from cluttering the requester list.
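The following is an added example, not code from ManageEngine or this article: it composes the OU-scoped import filter described above and dry-runs the same scope and exclusions over a few constructed directory entries, so you can see which accounts an import would pull in before running it against production. The OU names, logins and the svc-/shared- naming convention are assumptions.

```python
"""Added example (not ManageEngine's or Microsoft's code): build the OU-scoped
LDAP import filter and dry-run it client-side over constructed AD entries."""
from dataclasses import dataclass

# Microsoft-documented userAccountControl bit for a disabled account.
ACCOUNTDISABLE = 0x0002
# LDAP_MATCHING_RULE_BIT_AND: lets a filter test individual bits of an integer attribute.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def build_import_filter(exclude_disabled=True, exclude_prefixes=("svc-", "shared-")):
    """Return an RFC 4515 filter for person/user objects, minus disabled accounts
    and minus accounts whose login matches an excluded naming prefix (assumed convention)."""
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    if exclude_disabled:
        # The '!' operator must wrap a complete, parenthesized filter item.
        clauses.append(f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))")
    for prefix in exclude_prefixes:
        clauses.append(f"(!(sAMAccountName={prefix}*))")
    return "(&" + "".join(clauses) + ")"


@dataclass(frozen=True)
class AdEntry:
    dn: str    # distinguished name of the object
    sam: str   # sAMAccountName
    uac: int   # userAccountControl bit field


def _in_selected_ou(entry, selected_ous):
    """Subtree scope: the entry's DN must sit beneath one of the selected OU DNs."""
    dn = entry.dn.lower()
    return any(dn.endswith("," + ou.lower()) for ou in selected_ous)


def dry_run(entries, selected_ous, exclude_disabled=True, exclude_prefixes=("svc-", "shared-")):
    """Apply the scope and exclusions client-side. Returns a sorted list of logins
    that would be imported and a {login: reason} dict for everything skipped."""
    imported, skipped = [], {}
    for e in entries:
        if not _in_selected_ou(e, selected_ous):
            skipped[e.sam] = "outside selected OUs"
        elif exclude_disabled and e.uac & ACCOUNTDISABLE:
            skipped[e.sam] = "account disabled"
        elif any(e.sam.lower().startswith(p) for p in exclude_prefixes):
            skipped[e.sam] = "excluded by naming convention"
        else:
            imported.append(e.sam)
    return sorted(imported), skipped


# Constructed sample directory (not real data). 0x0200 is NORMAL_ACCOUNT.
BASE = "DC=corp,DC=example,DC=com"
SAMPLE_ENTRIES = [
    AdEntry(f"CN=Alice Adams,OU=Staff,{BASE}", "aadams", 0x0200),
    AdEntry(f"CN=Bob Brown,OU=Staff,{BASE}", "bbrown", 0x0200 | ACCOUNTDISABLE),
    AdEntry(f"CN=svc-backup,OU=Service Accounts,{BASE}", "svc-backup", 0x0200),
    AdEntry(f"CN=shared-lobby,OU=Staff,{BASE}", "shared-lobby", 0x0200),
    AdEntry(f"CN=Carol Chen,OU=Contractors,{BASE}", "cchen", 0x0200),
]

if __name__ == "__main__":
    print(build_import_filter())
    print(dry_run(SAMPLE_ENTRIES, [f"OU=Staff,{BASE}"]))
```

The dry run mirrors what the server-side filter does, so a mismatch between the two lists after a real import points at either a filter typo or an OU that was not actually selected in the console.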
How Do You Set Up Single Sign-On (SSO) with Active Directory?
What Is SSO and Why Does It Matter for ServiceDesk Plus?
Single Sign-On lets users authenticate to ManageEngine ServiceDesk Plus using their existing Windows credentials — without typing a separate username and password. From a user experience perspective, SSO eliminates a barrier to portal adoption. From a security perspective, it centralizes authentication policy enforcement: password complexity, expiry rules, and multi-factor authentication all come from AD and apply automatically.
How Do You Enable SSO in ServiceDesk Plus?
ManageEngine ServiceDesk Plus supports two SSO methods:
| SSO Method | How It Works | Best For |
|---|---|---|
| Windows Authentication (NTLM/Kerberos) | Browser passes Windows session token to ServiceDesk Plus | Users on domain-joined Windows machines |
| SAML 2.0 with AD FS | AD Federation Services issues SAML tokens | Mixed environments, cloud deployments |
To enable Windows Authentication SSO:
- Go to Admin → User Management → Active Directory
- Select your configured domain and click Enable Single Sign-On
- Choose Windows Authentication
- Configure the SSO URL (typically the ServiceDesk Plus portal URL)
- Test by opening the portal in Internet Explorer or Edge on a domain-joined machine — the browser should authenticate silently without a login prompt
To enable SAML-based SSO:
- Set up AD Federation Services (AD FS) on your Windows Server
- In ServiceDesk Plus, go to Admin → Authentication → SAML Single Sign-On
- Download the ServiceDesk Plus metadata file and import it into AD FS as a Relying Party Trust
- Enter your AD FS metadata URL in ServiceDesk Plus
- Map the SAML claim for username to sAMAccountName or UPN
How Do You Map Active Directory Groups to ManageEngine Roles and Permissions?
Why Does Group-Based Role Mapping Matter?
Manually assigning roles to hundreds of technicians and requesters in ServiceDesk Plus is time-consuming and error-prone. Group-based role mapping solves this by linking AD security groups directly to ServiceDesk Plus roles — so when someone joins an AD group, they automatically inherit the corresponding permissions in the ITSM platform.
How Do You Configure Group-to-Role Mapping?
In ManageEngine ServiceDesk Plus:
- Go to Admin → User Management → Active Directory → Group Mapping
- Click Add Mapping
- Select the AD group (e.g., IT-HelpDesk-Tier1)
- Assign the corresponding ServiceDesk Plus role (e.g., “Technician — Tier 1”)
- Optionally assign to a specific support group within ServiceDesk Plus
- Save the mapping
Recommended mappings for a typical IT department:
| Active Directory Group | ServiceDesk Plus Role |
|---|---|
| IT-HelpDesk-Tier1 | Technician (limited scope) |
| IT-HelpDesk-Tier2 | Technician (full scope) |
| IT-Management | IT Manager |
| IT-Admins | Administrator |
| All-Staff | Requester |
When you run the next AD synchronization, group memberships update automatically — no manual role changes needed.
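The following is an added example, not ManageEngine's code: it resolves a single ServiceDesk Plus role from a user's memberOf values using the recommended mapping table above, with a fixed precedence so that a user in several mapped groups gets one deterministic role, and it produces the two reports worth reading before each sync applies: every role change, and everyone who would land in the Administrator role. The group DNs, their OU location and the sample users are constructed assumptions.

```python
"""Added example (not ManageEngine's code): group-to-role resolution with
precedence, plus a pre-sync change and privileged-role report."""

GROUPS_BASE = "OU=Groups,DC=corp,DC=example,DC=com"   # assumed location of the groups

# Mirrors the recommended mapping table; keys are full group DNs, lower-cased for matching.
ROLE_BY_GROUP_DN = {
    f"CN=IT-Admins,{GROUPS_BASE}".lower(): "Administrator",
    f"CN=IT-Management,{GROUPS_BASE}".lower(): "IT Manager",
    f"CN=IT-HelpDesk-Tier2,{GROUPS_BASE}".lower(): "Technician (full scope)",
    f"CN=IT-HelpDesk-Tier1,{GROUPS_BASE}".lower(): "Technician (limited scope)",
    f"CN=All-Staff,{GROUPS_BASE}".lower(): "Requester",
}

# Most privileged first: a user in both Tier1 and IT-Admins resolves to Administrator.
ROLE_PRECEDENCE = ["Administrator", "IT Manager", "Technician (full scope)",
                   "Technician (limited scope)", "Requester"]


def resolve_role(member_of, default="Requester"):
    """Map a user's direct group memberships to one role.
    memberOf lists direct membership only; nested groups are not expanded here."""
    candidates = {ROLE_BY_GROUP_DN[g.lower()] for g in member_of if g.lower() in ROLE_BY_GROUP_DN}
    for role in ROLE_PRECEDENCE:
        if role in candidates:
            return role
    return default   # unmapped users still need a role; Requester is the least-privilege floor


def plan_roles(users):
    """users: {login: [group DNs]} -> {login: role} as the next sync would assign them."""
    return {login: resolve_role(groups) for login, groups in users.items()}


def role_changes(current, planned):
    """Diff the roles ServiceDesk Plus holds now against the planned ones so a
    reviewer sees every promotion and demotion before the sync applies it."""
    return {login: (current.get(login), role)
            for login, role in planned.items() if current.get(login) != role}


def privileged_logins(planned, privileged=("Administrator",)):
    """Logins the sync would place in a privileged role; review this list every cycle."""
    return sorted(login for login, role in planned.items() if role in privileged)


# Constructed sample data (not real users).
SAMPLE_USERS = {
    "aadams": [f"CN=All-Staff,{GROUPS_BASE}", f"CN=IT-HelpDesk-Tier1,{GROUPS_BASE}"],
    "bbrown": [f"CN=All-Staff,{GROUPS_BASE}", f"CN=IT-HelpDesk-Tier1,{GROUPS_BASE}",
               f"CN=IT-Admins,{GROUPS_BASE}"],
    "cchen":  [f"CN=Finance,{GROUPS_BASE}"],                  # no mapped group -> default
    "ddiaz":  [f"cn=it-management,{GROUPS_BASE.lower()}"],   # DN case differs; still matches
}
CURRENT_ROLES = {"aadams": "Technician (limited scope)",
                 "bbrown": "Technician (limited scope)",
                 "cchen": "Requester"}

if __name__ == "__main__":
    planned = plan_roles(SAMPLE_USERS)
    print(role_changes(CURRENT_ROLES, planned))
    print(privileged_logins(planned))
```

Because memberOf only reflects direct membership, a user who reaches IT-Admins through a nested group is invisible to this resolver; if your groups are nested, query group membership with the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) instead of reading memberOf.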
How Do You Maintain and Troubleshoot the AD Integration Over Time?
What Maintenance Does the Integration Require?
Once the integration is live, it largely runs itself — but a few routine maintenance tasks keep it reliable:
- Review sync logs monthly — ManageEngine logs every import operation. Review them to catch failed imports or attribute mismatches before they affect ticket routing.
- Update service account credentials promptly — If the service account password rotates, update it in ServiceDesk Plus immediately to prevent sync failures.
- Audit OU scope quarterly — As your AD structure evolves, new OUs may need inclusion or old ones may become obsolete.
- Test SSO after server changes — Any change to your Domain Controllers or AD FS configuration can break SSO. Test authentication after infrastructure changes.
How Do You Troubleshoot Common Integration Issues?
| Problem | Likely Cause | Fix |
|---|---|---|
| Connection test fails | Firewall blocking LDAP port | Open port 389 or 636 from ServiceDesk Plus server to DC |
| Users not importing | OU not selected or LDAP filter too restrictive | Review OU selection and filter syntax |
| SSO not working | SPNs missing or browser not domain-joined | Check Kerberos SPN configuration on the DC |
| Wrong role assigned | Group mapping misconfigured | Verify AD group DN in mapping settings |
| Duplicate accounts | User exists in multiple OUs | Use LDAP filter to deduplicate by sAMAccountName |
Conclusion: Is the ManageEngine AD Integration Worth the Setup Effort?
Without doubt. Integrating ManageEngine ServiceDesk Plus with Active Directory is one of the highest-return configuration tasks available to an IT administrator. The upfront effort — gathering credentials, configuring LDAP, mapping attributes, and enabling SSO — pays off immediately through eliminated manual work and improved data accuracy.
Beyond the operational gains, the integration strengthens security by centralizing authentication, enforcing AD password policies across the ITSM portal, and ensuring that deprovisioned accounts lose access to ServiceDesk Plus automatically at the next synchronization cycle.
As your organization scales, the integration scales with it. New employees appear in ServiceDesk Plus the moment AD imports run. Role changes propagate automatically through group mappings. And your IT team focuses on resolving incidents — not managing duplicate user records in disconnected systems.
Start with the LDAP connection, validate the user import, and layer in SSO once the foundation is stable. ManageEngine ITSM makes every subsequent configuration step straightforward — and the results are immediately visible in cleaner data, faster onboarding, and fewer authentication-related helpdesk tickets.
Frequently Asked Questions
Yes. In addition to on-premises Active Directory, ManageEngine ServiceDesk Plus supports integration with Azure Active Directory (now Microsoft Entra ID) for cloud-hosted or hybrid environments. The Azure AD integration uses the Microsoft Graph API and OAuth 2.0 rather than LDAP, and it supports SAML-based SSO through Azure AD’s enterprise application gallery. ManageEngine lists ServiceDesk Plus as a supported application in the Azure AD app gallery, which simplifies SSO configuration significantly. User import and synchronization work similarly to the on-premises integration, with attribute mapping and scheduled sync both available in the cloud setup.
When AD synchronization runs, ManageEngine ServiceDesk Plus checks the status of each imported user against their AD record. If an AD account is disabled, ServiceDesk Plus marks the corresponding user as inactive — they can no longer log in, but their ticket history and data remain intact for audit purposes. If the AD account is permanently deleted, the next sync flags the user for deactivation. This automatic lifecycle management is one of the strongest security benefits of the integration, since it eliminates the risk of former employees retaining access to the ITSM portal after offboarding.
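The following is an added example, not ManageEngine's code: it reconciles the requester list held by ServiceDesk Plus against a fresh AD query and groups the outcomes the way the lifecycle described above does (disabled in AD but still active in the portal, deleted in AD, and the reverse case of an AD account re-enabled while the portal user is still inactive, which is surfaced for review rather than acted on). Both data sets and the field layout are constructed assumptions.

```python
"""Added example (not ManageEngine's code): reconcile portal users against an
AD export and list the lifecycle actions the next sync should take."""

ACCOUNTDISABLE = 0x0002   # userAccountControl bit for a disabled account


def reconcile(sdp_users, ad_accounts):
    """sdp_users: {login: active(bool)} as held by ServiceDesk Plus.
    ad_accounts: {login: userAccountControl} from the latest AD query.
    Logins are matched case-insensitively. Returns sorted logins per action."""
    ad = {login.lower(): uac for login, uac in ad_accounts.items()}
    actions = {"deactivate_disabled": [], "flag_deleted": [],
               "review_reenabled": [], "unchanged": []}
    for login, active in sdp_users.items():
        key = login.lower()
        if key not in ad:
            # No AD object: deleted, or moved out of the import scope. Flag rather than
            # delete so ticket history survives and a scope mistake stays reversible.
            actions["flag_deleted"].append(login)
        elif ad[key] & ACCOUNTDISABLE:
            # The security-relevant case: access that should already be gone.
            actions["deactivate_disabled" if active else "unchanged"].append(login)
        elif not active:
            actions["review_reenabled"].append(login)
        else:
            actions["unchanged"].append(login)
    return {kind: sorted(logins) for kind, logins in actions.items()}


def stale_access(actions):
    """True when any portal user is still active although AD has disabled the account."""
    return bool(actions["deactivate_disabled"])


# Constructed sample data (not real users). 0x0200 is NORMAL_ACCOUNT.
SDP_USERS = {"aadams": True, "bbrown": True, "cchen": True, "ddiaz": False, "eevans": False}
AD_ACCOUNTS = {"aadams": 0x0200, "BBROWN": 0x0200 | ACCOUNTDISABLE,
               "ddiaz": 0x0200 | ACCOUNTDISABLE, "eevans": 0x0200}

if __name__ == "__main__":
    result = reconcile(SDP_USERS, AD_ACCOUNTS)
    print(result)
    print("stale access present:", stale_access(result))
```

Running this between scheduled syncs (for example from the monthly log review) turns the portal's automatic lifecycle handling into something you can verify: an empty deactivate_disabled list confirms that offboarded accounts have in fact lost access.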
Yes. ManageEngine ServiceDesk Plus supports multi-domain AD integration, which is particularly valuable for organizations that have grown through acquisitions or maintain separate AD forests for different business units. Each domain requires its own LDAP connection configuration, service account, and attribute mapping. Once configured, users from all domains can log in using SSO, and administrators can manage role mappings per domain. Cross-domain trust relationships in AD also work with the integration — provided the service accounts have appropriate query permissions across the relevant OUs in each domain.