
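Q&A: Changing from single-organization Active Directory integration to multi-organization integration with separate AD domain controller branches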

JS_7872303
3-Newcomer


I am using Windchill PDMLink Release 12.1 and Datecode with CPS 12.1.0.2

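Q&A: Changing from single-organization Active Directory integration to multi-organization integration with separate AD domain controller branches
1. The existing system integrates a single organization with the top-level OU of Active Directory, and synchronizes the users of all branch companies and subsidiaries into the single organization in Windchill.
2. We now need to move to multiple organizations: how can Active Directory users in each subsidiary's OU tree branch be synchronized into the corresponding organization?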
5 REPLIES 5
avillanueva
22-Sapphire III
(To:JS_7872303)

Not quite following but let me paraphrase. You have changes coming to your AD system that might impact where users are located, essentially a reshuffling inside of AD. I am not sure it's necessary to update AD at all since we just need to react to those changes. Not seeing a question here. The path that Windchill captures in the database needs to match or you will have a disconnected user which can be repaired but takes time. Assuming in the new configuration, your starting point still includes the possibility to find all users, they should still be able to login. If you are seeing a split to multiple domain controllers, that each have a portion of your users, then it would follow that you would have to add those connections to the other controllers to check there if the first one was not able to find the user.

This is one of the main reasons early on we opted to authenticate to AD but used the WindchillLDAP to manage Windchill users. The local LDAP was static and under the control of Windchill admins.  They can shuffle AD all they want since we only needed to match the userID to complete the log in process. 

So it depends on if you are assigning an org automatically, and how you choose to do that.

 

This article describes how to assign users automatically to an org  using an ldap attribute or based on a specific adapter:

https://www.ptc.com/en/support/article/CS133561

 

Some considerations on multiple adapters:

 

  • You can't have two adapters that map to the same part of AD to do different things, the search base MUST be unique (which sounds like what you could accomplish with your orgs/divisions set by distinct OUs).
  • Multiple adapters give you a little more granularity on control, you can set different properties based on the org if needed.
  • If it is a large globally dispersed architecture, and you want to point users of a certain org to a local domain controller instead of a global one, you can assign users of an org to their own DC.
  • If you don't have an attribute on the users in AD that would define what WC ORG they need to be assigned to, you would need to manually assign users to an org, or have distinct adapters and let the adapter assign the org.

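Hello,

Background:

Currently a single organization is integrated with the top-level OU=精科, and the users of that OU and its lower-level OUs are synchronized into the 乐士股份 organization. We now need to move from the single organization to multiple organizations, with the users of each child OU on the AD domain controller synchronized into their respective organizations.

Technical questions:

1. With multiple organizations, each organization synchronizes with its corresponding branch OU on the AD domain controller.

2. Is this technically feasible, and how does it need to be configured to meet the requirement?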


Wish the community forum translated images.  This is what I got out of Google Translate.


 

Sure, that is possible.  Fun and easy, maybe not, but possible.  It depends if you want to flip the switch over a weekend or you want to unravel these one 'organization' at a time.

Each base DN will need a JNDI Adapter setup.

 

The user migration process varies.  The rule is Windchill can't see the same username through two different JNDI Adapters.

Isolation is possible by using different unique ID mapping attributes: sAMAccountName and userPrincipalName.

Not changing the unique ID, if doing it one organization at a time, define security groups for all existing users and for each of the new organizations/LDAP servers.  Remove users from the old 'filter group' and add them to the new filter group.  Then repair their accounts.

 

Also requires Apache configs for each adapter to look up for login, unless they are using SAML or OIDC.
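A pre-migration check for the two rules stated in the replies above (adapter search bases must be unique, and the same username must not be visible through two JNDI adapters), as an added example that is not code from any poster or from PTC. Adapter names, base DNs and user entries are constructed; in practice they would come from the adapter definitions and an LDAP export.

```python
import re
from collections import defaultdict

def parse_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact.
    Simplification: an escaped backslash directly before a comma is not handled."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip(), count=1).lower() for p in parts if p.strip()]

def is_under(dn, base):
    """True when dn equals base or sits below it in the directory tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def overlapping_bases(adapters):
    """Pairs of adapters whose search bases are identical or nested."""
    names = sorted(adapters)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if is_under(adapters[a], adapters[b]) or is_under(adapters[b], adapters[a])]

def users_seen_twice(adapters, users, id_attr="sAMAccountName"):
    """Usernames (compared case-insensitively) reachable through more than one adapter."""
    seen = defaultdict(set)
    for user in users:
        for name, base in adapters.items():
            if is_under(user["dn"], base):
                seen[user[id_attr].lower()].add(name)
    return {uid: sorted(names) for uid, names in seen.items() if len(names) > 1}

# Constructed sample data: hypothetical adapter names, domains and users.
ADAPTERS_OLD = {"corp": "DC=a,DC=example,DC=com",
                "plantA": "OU=PlantA,DC=a,DC=example,DC=com"}
ADAPTERS_NEW = {"plantA": "OU=PlantA,DC=a,DC=example,DC=com",
                "plantB": "ou=PlantB, dc=b, dc=example, dc=com"}
USERS = [
    {"dn": "CN=Li\\, Wei,OU=PlantA,DC=a,DC=example,DC=com",
     "sAMAccountName": "lwei", "userPrincipalName": "lwei@a.example.com"},
    {"dn": "CN=Lena Weiss,OU=PlantB,DC=b,DC=example,DC=com",
     "sAMAccountName": "LWei", "userPrincipalName": "lwei@b.example.com"},
    {"dn": "CN=Bo Chen,OU=PlantB,DC=b,DC=example,DC=com",
     "sAMAccountName": "bchen", "userPrincipalName": "bchen@b.example.com"},
]

if __name__ == "__main__":
    print("nested bases (old):", overlapping_bases(ADAPTERS_OLD))
    print("nested bases (new):", overlapping_bases(ADAPTERS_NEW))
    print("collisions by sAMAccountName:", users_seen_twice(ADAPTERS_NEW, USERS))
    print("collisions by userPrincipalName:",
          users_seen_twice(ADAPTERS_NEW, USERS, "userPrincipalName"))
```

An empty result from both functions is the state to reach before pointing a new adapter at a branch OU; a collision that remains under sAMAccountName but disappears under userPrincipalName is the case the unique-ID mapping remark above addresses.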
