NIM

Add an Internal system

The Internal system is a special system. It does not connect to a third-party IT application. Instead, it serves as a target system in which NIM stores and uses data for certain special purposes, such as the passwords table used in the tutorial below.

Follow steps 1 to 6 to add an Internal system, then continue with one of the tutorials listed in step 7.

  1. Go to Systems > Overview.

    [screenshot]
  2. Click Add.

  3. Accept the default System Name.

    [screenshot]
  4. Click Save.

  5. The new System is added to the Configured Systems pane.

    [screenshot]
  6. Click Configure for the system.

  7. Continue with one of the following tutorials:

Active Directory can be configured to allow users in certain groups to have a weaker password than is required by the domain-level policy. For example, in K-12 education settings, students in lower grades may be allowed to have simpler, easier-to-remember passwords.

The key feature is the passwords table of the Internal system, in conjunction with a custom AD attribute (by default, msDS-cloudExtensionAttribute1). The Internal system lets you store up to 4 encrypted passwords per user, of varying complexity. Then, based on group membership, you choose which password to map. The custom account attribute stores the assigned password complexity level.
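The group-level relaxation in Active Directory described above is done with a fine-grained password policy (a password settings object, PSO). The following PowerShell is added here as an example; it is not taken from the NIM documentation. It creates such a policy and applies it to SimplePasswordGroup, the group named in the prerequisites below. The policy name PSO-SimplePassword and the threshold values are assumptions chosen for illustration, not values the page specifies.

```powershell
# Added example (not from the NIM documentation): create a fine-grained password
# policy that relaxes the domain-level password rules only for members of
# SimplePasswordGroup. Requires the ActiveDirectory module and the right to
# create PSOs (Domain Admins by default). Policy name and values are assumptions.
Import-Module ActiveDirectory

$groupName = 'SimplePasswordGroup'   # group name from the tutorial
$psoName   = 'PSO-SimplePassword'    # assumed name for the policy object

# A PSO applied to a user always overrides the domain-level policy for that user.
# When several PSOs apply, the one with the lowest Precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 100 `
        -MinPasswordLength 6 `
        -ComplexityEnabled $false `
        -PasswordHistoryCount 5 `
        -MinPasswordAge (New-TimeSpan -Days 0) `
        -MaxPasswordAge (New-TimeSpan -Days 180) `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# Apply the PSO to the group; members inherit it, nobody else is affected.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Confirm the assignment: show the resultant password policy for one group member.
$member = Get-ADGroupMember -Identity $groupName | Select-Object -First 1
if ($member) {
    Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName
}
```

The last cmdlet is the check worth running before NIM starts assigning simple passwords: if it returns the default domain policy instead of PSO-SimplePassword, the simple passwords NIM sets for group members will be rejected by the domain controller.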

Note

These instructions will help you set up and test this feature in isolation. Some of these filters, mappings, and other objects may duplicate the functionality of similar objects already in your NIM environment.

Therefore, after you get this functionality working, you may want to eliminate redundancies. For example, you may already have suitable filters. Or, you may already be handling account creation and group assignments elsewhere. Or, you may want to perform these operations in an existing job.

Customize your environment as needed after setting up this functionality.

Prerequisites

  1. A configured and functioning source system. For example, an HR system.

  2. A configured and functioning Active Directory system, which will be the target system. See Add an Active Directory system.

    • A group in Active Directory that has been configured to allow a weaker password than the domain policy. For this example, this group is called SimplePasswordGroup.

  3. A new, unconfigured Internal system. See Add an Internal system.

  4. A password generator that generates two passwords: a simple one and a complex one. See Password generators.

    For example:

    [screenshot]

Steps

  1. In the Internal system, choose to collect its Passwords table. See Choose tables to collect.

    [screenshot]
  2. In the Users table of the Active Directory system, choose to collect its msDS-cloudExtensionAttribute1 attribute. See Choose columns to collect.

    [screenshot]
  3. Collect and load data from the Active Directory system. See Collect and load a system.

  4. Create an inter-system relation between the unique user identifier field of your HR/source system and the id field of the Internal system's Passwords table. (Since there are no passwords in the Internal system yet, no records are shown on the Common tab.)

    For example:

    [screenshot]
  5. Create the following filters:

    1. passwordCreate: All users who do not already have passwords in the Internal system but should have one.

      In other words, include every user who may at some point need a simple password. Do not include users who will never need one.

      For this example, we'll simply include everyone in our HR system:

      [screenshot]
    2. accountCreate: All users who have a password in the Internal system, but do not have an Active Directory account.

      For example:

      [screenshot]
    3. simplePasswordUsers: All users who have an Active Directory account and should receive a simple password.

      For this example, we'll arbitrarily pick the subset of users with an "a" in their first name. In a real-life scenario, you might instead pick (for example) students in lower grades.

      [screenshot]
    4. passwordUpdate: All users who have an Active Directory account, are members of the simple password group, and have a password in the Internal system, but have not yet been assigned a simple password (as recorded in the msDS-cloudExtensionAttribute1 attribute).

      For example:

      [screenshot]
  6. Create the following three mappings and one role, using the above filters:

    1. Mapping passwordCreate: Use your passwordCreate filter and your password generator to map a complex password to the password_1 attribute of the Internal system, and a simple password to the password_2 attribute. Map the unique user identifier onto the id attribute.

      For example:

      [screenshots]
    2. Mapping accountCreate: Use your accountCreate filter to create Active Directory accounts for users who do not have one. It should map password_1 (the complex password) onto the AD account's accountPassword attribute. Map other attributes as desired.

      For example:

      [screenshots]
    3. Role simplePasswordUsers: Use your simplePasswordUsers filter to add users who should receive a simple password to the appropriate Active Directory group.

      For example:

      [screenshot]
    4. Mapping passwordUpdate: Finally, use your passwordUpdate filter to assign simple passwords (password_2) to eligible users, and set the msDS-cloudExtensionAttribute1 attribute to record that the simple level has been assigned.

      [screenshots]
  7. Add those three mappings and one role to a job:

    [screenshot]
  8. Optional: Execute or schedule the job. See Evaluate and execute a job or Create a sync task.

  9. Optional: To verify the results:

    1. Create a filter called exportPasswords. Filter all users who have a password in the Internal system, as well as an AD account with the msDS-cloudExtensionAttribute1 set to simple.

      For example:

      [screenshot]
    2. Create a task called exportPasswords which exports a report based on the exportPasswords filter.

      For example:

      [screenshots]
    3. Run the task.

    4. The resulting CSV file contains the decrypted passwords:

      [screenshot]
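The four filters in step 5, the mappings and role in step 6, and the job in step 7 form one pipeline whose correctness depends on the filters excluding users that have already been processed. The PowerShell below is an added example, not NIM code and not part of this documentation: it models those filters and the job over constructed sample data, so that the selection logic and the idempotency of the passwordUpdate filter can be followed without a NIM or AD environment. The field names (id, password_1, password_2, samAccountName, memberOf, accountPassword), the sample users, and the stand-in password generator are all assumptions; the last function checks the result through the group membership and the msDS-cloudExtensionAttribute1 attribute instead of decrypting passwords as the export in step 9 does.

```powershell
# Added example (not NIM code): offline model of the tutorial's filters and job.
# Field names, sample users and the password generator are assumptions.
$groupName = 'SimplePasswordGroup'
$levelAttr = 'msDS-cloudExtensionAttribute1'

# HR (source) system: constructed sample users
$hr = @(
    @{ id = '1001'; firstName = 'Anna';  lastName = 'Berg' },   # new, has an 'a'
    @{ id = '1002'; firstName = 'Otto';  lastName = 'Klein' },  # new, no 'a'
    @{ id = '1003'; firstName = 'Maria'; lastName = 'Roth' },   # already fully processed
    @{ id = '1004'; firstName = 'Ulf';   lastName = 'Lund' }    # AD account predates NIM
)
# Internal system Passwords table, keyed by the HR id (constructed)
$internal = @{
    '1003' = @{ password_1 = 'Zx7!qPl2#vR9'; password_2 = 'apple42' }
}
# Active Directory Users table, keyed by the same id (constructed)
$ad = @{
    '1003' = @{ samAccountName = 'mroth'; memberOf = @($groupName); 'msDS-cloudExtensionAttribute1' = 'simple'; accountPassword = 'apple42' }
    '1004' = @{ samAccountName = 'ulund'; memberOf = @();           'msDS-cloudExtensionAttribute1' = $null;     accountPassword = '(unknown)' }
}

# Filter passwordCreate: HR users with no record in the Passwords table yet
function Get-PasswordCreateUsers { $hr | Where-Object { -not $internal.ContainsKey($_.id) } }
# Filter accountCreate: users with a stored password but no AD account
function Get-AccountCreateUsers  { $hr | Where-Object { $internal.ContainsKey($_.id) -and -not $ad.ContainsKey($_.id) } }
# Filter simplePasswordUsers: AD users eligible for a simple password
# (the tutorial's arbitrary rule: an 'a' in the first name; -match ignores case)
function Get-SimplePasswordUsers { $hr | Where-Object { $ad.ContainsKey($_.id) -and $_.firstName -match 'a' } }
# Filter passwordUpdate: in AD, in the group, has a stored password, not yet marked simple
function Get-PasswordUpdateUsers {
    $hr | Where-Object {
        $ad.ContainsKey($_.id) -and
        ($ad[$_.id].memberOf -contains $groupName) -and
        $internal.ContainsKey($_.id) -and
        ($ad[$_.id][$levelAttr] -ne 'simple')
    }
}

# Stand-in for the NIM password generator; only for this model, not cryptographically strong
function New-SamplePassword([int]$Length, [string]$Alphabet) {
    -join (1..$Length | ForEach-Object { $Alphabet[(Get-Random -Maximum $Alphabet.Length)] })
}

# One job run: the three mappings and one role in the tutorial's order.
# Returns the number of changes so repeated runs can be compared. This model
# re-evaluates each filter against the updated in-memory state; in NIM the
# filters see the data from the last collect, so a run may need a re-collect.
function Invoke-SimplePasswordJob {
    $changes = 0
    foreach ($u in @(Get-PasswordCreateUsers)) {           # Mapping passwordCreate
        $internal[$u.id] = @{
            password_1 = New-SamplePassword 14 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%'
            password_2 = New-SamplePassword 7  'abcdefghjkmnpqrstuvwxyz'
        }
        $changes++
    }
    foreach ($u in @(Get-AccountCreateUsers)) {            # Mapping accountCreate
        $ad[$u.id] = @{
            samAccountName  = ($u.firstName.Substring(0, 1) + $u.lastName).ToLower()
            memberOf        = @()
            'msDS-cloudExtensionAttribute1' = $null
            accountPassword = $internal[$u.id].password_1    # complex password first
        }
        $changes++
    }
    foreach ($u in @(Get-SimplePasswordUsers)) {           # Role simplePasswordUsers
        if ($ad[$u.id].memberOf -notcontains $groupName) {
            $ad[$u.id].memberOf += $groupName
            $changes++
        }
    }
    foreach ($u in @(Get-PasswordUpdateUsers)) {           # Mapping passwordUpdate
        $ad[$u.id].accountPassword = $internal[$u.id].password_2
        $ad[$u.id][$levelAttr]     = 'simple'
        $changes++
    }
    return $changes
}

# Verification without decrypting anything: every account marked 'simple' must be in
# the group and carry password_2, and every group member must be marked 'simple'.
function Test-SimplePasswordState {
    foreach ($id in $ad.Keys) {
        $acct    = $ad[$id]
        $marked  = ($acct[$levelAttr] -eq 'simple')
        $inGroup = ($acct.memberOf -contains $groupName)
        if ($marked -and -not ($inGroup -and $acct.accountPassword -eq $internal[$id].password_2)) { return $false }
        if ($inGroup -and -not $marked) { return $false }
    }
    return $true
}

$first  = Invoke-SimplePasswordJob
$second = Invoke-SimplePasswordJob
"first run: $first changes, second run: $second changes, consistent: $(Test-SimplePasswordState)"
$ad.Keys | Sort-Object | ForEach-Object {
    "$($ad[$_].samAccountName): level=$($ad[$_][$levelAttr]) groups=$($ad[$_].memberOf -join ',')"
}
```

With this sample data the first run creates stored passwords for the three users who lack one, creates accounts for Anna and Otto with their complex password, adds Anna to the group, and switches only Anna to her simple password; Maria is skipped by passwordUpdate because her attribute already reads simple, and Ulf keeps his existing account and password because he is neither in the group nor eligible for it. The second run finds every filter empty and reports no changes, which is the property that makes the job safe to schedule repeatedly.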