
Analytics and Notifications for PI System Explorer (PI Server 2018)

Configure Active Directory access for contacts

  • Last Updated Jul 24, 2025

When you use notifications with PI AF server, you may need to specify how to access Microsoft’s Active Directory to retrieve contact names for the PI Notifications Service Contacts lists.

Each PI AF server provides the option to specify the domain and contact sub-folder, as well as the account needed to access Active Directory and retrieve contact names. By default, the account under which the PI AF server application service is running is used for Active Directory access. To use a different account or to access an Active Directory in a different domain, configure access from the Configure Active Directory Access for Contacts window.

Note: Beginning with PI AF 2017 R2, an Active Directory group is shown by default under Contacts in PI System Explorer once it is configured.

Notifications 2016 R2 or later will automatically handle a change in email address of the user or a group in Active Directory by contacting the domain controller before sending an email each time.

  1. Open PI System Explorer and connect to a database on the PI AF server for which you want to configure Active Directory access.

  2. Click File > Server Properties.

  3. In the PI AF Server Properties window, click the Configure Active Directory Access for Contacts link.

  4. In the Active Directory Domain Name text box, enter the full DNS name of the Active Directory domain from which the contact names will be retrieved for the PI Notifications Service Contacts (for example, contoso.com).

    If this field is left blank, the domain in which the PI AF application service resides will be used.

  5. In the Active Directory Contact Sub-Folder text box, enter the path to the folder containing the list of contacts for this domain.

    In larger Active Directory domains, contacts may be organized within sub-folders. The use of sub-folders can allow for faster retrieval of a list of Active Directory contacts.

    Use the following structure for the sub-folder:

    DomainUserFolder/SubDomainUserFolder/Sub-SubDomainUserFolder

  6. Choose an option for Active Directory Access Account:

    • Use the account the PI AF Server runs as

      This is the default option. Select it to access Active Directory using the account under which the PI AF application service runs. By default, the PI AF server is installed using a virtual account, NT SERVICE\AFService. However, the PI AF server service account can be changed. If the PI AF server service account does not have the necessary permission to read the Active Directory, no contact names will be retrieved in the Contacts list. If your Active Directory security is configured to allow the PI AF server service account to read the Active Directory, this is the simplest option.

    • Use the account the AF Client is running as

      Select this option to use the credentials of the user account under which the connecting client application is running. If the PI AF server service is running under an account (by default, the virtual account NT SERVICE\AFService) that does not have permission to read the Active Directory, this option can be used. As long as the user account under which the connecting client application is running has permission to read Active Directory, a list of contact names is returned to the Contacts list. The contents of the Contacts list may vary, depending upon the access account used, since the security to read the contact list is determined by Active Directory.

      Note: Specifying this option may require Kerberos configuration if a PI AF SDK application will be using impersonation in a middle tier, such as a Web Service.

    • Use the specified account

      This option allows you to specify an account to use to read the Active Directory. This can be useful when the Active Directory and PI AF server are in different domains or when the accounts in the first two options have no permission to read the Active Directory. For Account Name, use the format Domain\User. Make sure the specified account has the appropriate permission to read the target Active Directory.

  7. Check Use Active Directory's locally cached Global Catalog to use the global catalog for Active Directory domain controller searches. Otherwise searches must go to the owning domain controller.

    Active Directory holds information in a distributed data repository called a global catalog. For installations where there are multiple, distributed domain controllers, each domain controller has a cache of the portions of the global catalog for which it is not responsible, so that Active Directory searches do not have to be referred to the owning domain controller. This improves performance for queries that would otherwise have to access a remote domain controller.

  8. Choose a setting for Return All Persons.

    Active Directory objects are derived from one another as follows:

    Top>Persons>OrganizationalPerson>Contact

    and

    Top>Persons>OrganizationalPerson>User

    • Select this check box to return Persons, Organizational Persons, Contacts and Users from the target Active Directory.

    • Clear the check box to return only Users.
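
Before saving these settings, you can confirm that the account chosen in step 6 can actually read the intended part of the directory. The following PowerShell check is an added example, not part of the original documentation or of PI AF. The function names, the mapping of each sub-folder segment to an OU, and the LDAP filters standing in for the Return All Persons check box are assumptions, and it does not reproduce the query PI AF itself issues.

```powershell
# Added example, not AVEVA/PI AF code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-SearchBase {
    # Assumption: every sub-folder segment is an OU and the last segment is the deepest.
    param([string]$Domain, [string]$SubFolder)
    $dc = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    if ([string]::IsNullOrWhiteSpace($SubFolder)) { return $dc }
    $segments = $SubFolder.Trim('/').Split('/')
    [array]::Reverse($segments)
    return (($segments | ForEach-Object { "OU=$_" }) -join ',') + ",$dc"
}

function Test-ContactReadAccess {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$SubFolder,
        [pscredential]$Credential,   # omit to test the account running this session
        [switch]$UseGlobalCatalog,   # corresponds to step 7
        [switch]$ReturnAllPersons    # corresponds to step 8
    )
    # Approximation of step 8: contacts and users share objectCategory=person.
    $filter = if ($ReturnAllPersons) { '(objectCategory=person)' } else { '(&(objectCategory=person)(objectClass=user))' }
    $query = @{
        LDAPFilter    = $filter
        SearchBase    = ConvertTo-SearchBase -Domain $Domain -SubFolder $SubFolder
        Server        = if ($UseGlobalCatalog) { "${Domain}:3268" } else { $Domain }  # 3268 = global catalog port
        Properties    = 'mail'
        ResultSetSize = 50
        ErrorAction   = 'Stop'
    }
    if ($Credential) { $query.Credential = $Credential }
    $who = if ($Credential) { $Credential.UserName } else { "$env:USERDOMAIN\$env:USERNAME" }
    try { $found = @(Get-ADObject @query) }
    catch { Write-Warning "$who cannot read $($query.SearchBase): $($_.Exception.Message)"; return }
    [pscustomobject]@{
        Account     = $who
        SearchBase  = $query.SearchBase
        ByClass     = ($found | Group-Object ObjectClass | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        MissingMail = @($found | Where-Object { -not $_.mail }).Count
    }
}

# Constructed sample values; contoso.com is the page's own example domain.
# Test-ContactReadAccess -Domain contoso.com -SubFolder 'DomainUserFolder/SubDomainUserFolder' `
#     -Credential (Get-Credential) -ReturnAllPersons
```

A warning, or an empty ByClass value, means the tested account would leave the Contacts list empty. A non-zero MissingMail count flags directory entries without a mail attribute.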
