LogMeIn support sites no longer support Microsoft's Internet Explorer (IE) browser. Please use a supported browser to ensure all features perform as they should (Chrome / FireFox / Edge).

The GoTo support site no longer supports Safari 15. Please upgrade your browser to Safari 16 (or newer) or switch to a supported browser such as Google Chrome, Mozilla Firefox, or Microsoft Edge.

Looking to add seats to your Rescue subscription or get a demo of Mobile Support or Camera Sharing? Request a quote.

We are currently experiencing an unplanned outage for this product. View Service Status
  • Support
  • Products

    Explore support by product

    GoTo Connect

    All-in-one phone, meeting and messaging software

    GoTo Meeting

    Video and audio meeting software

    GoTo Webinar

    All-in-one webinar and virtual events software

    GoTo Room

    Conference room hardware

    GoTo Training

    Online training software

    OpenVoice

    Audio conferencing software

    Grasshopper

    Lightweight virtual phone system

    join.me

    Video conferencing software

    LogMeIn Resolve

    IT management & support

    LogMeIn Resolve MDM

    Mobile device management

    LogMeIn Pro

    Remote device access

    LogMeIn Central

    Remote monitoring & management

    LogMeIn Rescue

    Remote IT support

    GoToMyPC

    Remote desktop access

    GoToAssist

    Remote support software

    Hamachi

    Hosted VPN service

    RemotelyAnywhere

    On-prem remote access solution
  • Community
  • Trainings
  • Service Status

  • Want to try a download free option?

    Try the new web console experience!

    Rescue WebTC
  • Language selector icon Language selector icon
    • English
    • Français
    • Italiano
    • Deutsch
    • Español
    • Português
    • Nederlands
  • Contact Support
  • Service Status
  • User Avatar User Avatar
    • Support
    • Contact Support
    • Browse Products
    • Service Status
    • Community
    • Trainings
    • Sign in
    • User Avatar
    • My Account
    • Personal Info
    • Sign In & Security
    • Billing Center
    • https://link.goto.com/myaccount-billing
    • My GoTo Connect
    • My Meetings
    • My Webinars
    • My Trainings
    • My Conferences
    • My Resolutions
    • My Mobile Devices
    • My Sessions
    • My Sessions
    • My Incidents
    • Sign out
  • Administrator Content
  • Setup
  • Set up Administration Center Fundamentals
  • Set up Your Organization
product logo
Back button image Back
Back button image
product logo

Synchronize a Rescue Admin group with Active Directory user groups (on-prem)

Master Account Holders can import Active Directory users as Rescue Admins into their organization. Key user data in Rescue will be automatically updated when those change in Active Directory.

  1. Generate a service token and default password for new users in the Admin Center.
    1. Select the Global Settings tab.
    2. To generate a service token, click Generate and Copy under Active Directory Synchronization.

      Result: A service token is generated and copied to your clipboard.

    3. Define the default password you want your new admins to use for their first login.
      Note: Users are required to change this password upon their first login.
    4. At the bottom of the page click Save.
  2. Download and extract the server application.
    1. In the LogMeIn Rescue Administration Center, under Active Directory Synchronization, click Download to download the service installer.

      Result: The service installer is downloaded to your computer in a zip file.

    2. Extract the zip file to a folder.
  3. Run the server application, and configure synchronization behavior.
    Important: You need privileges to run the application as a system service. The computer running the application must be connected to Active Directory with sufficient permissions to access and query all Active Directory groups and users.
    1. Submit the following credentials:
      • Master Account Holder LogMeIn Rescue credentials
        • Email
        • Password
      • The service token you previously generated on the Global Settings tab of the Admin Center.
      • Region
      Note: Enabling Dry Run mode generates an Excel file previewing potential synchronization changes to your LogMeIn Rescue hierarchy tree.
      Important: If you select Dry Run mode, synchronization can ONLY be used as a Windows terminal application.
    2. Click Next.
      Note: The application runs in Admin mode.
    3. Enter your Entra App credentials, and click Next.
      Note: Create a Client ID, Tenant and Client Secret in Entra.
    4. Enter a search criteria (for example 'support').
    5. Enter a search term (for example 'aid'). Make sure to use your own domain in the Domain field.

      Result: AdSync searches for this term between the configured AD groups.

  4. Run the server application, and configure synchronization behavior.
    Important: You need privileges to run the application as a system service. The computer running the application must be connected to Active Directory with sufficient permissions to access and query all Active Directory groups and users.
  5. Select the Admin Groups/Master Admin Groups you want to synchronize.
    1. Click the Admin Groups/Master Admin radio button under Technician Groups/Admin Groups
    2. Select groups to synchronize:
      • The first column contains the Microsoft Entra AD Groups, select one Active Directory group you want to synchronize with a Rescue Admin Group.
      • The second column contains the Rescue Admin Groups, select one group that will be synchronized with the AD group.
      • Click the right arrow to confirm the paring.
      Note: Users in the selected AD group will receive corresponding admin privileges in LogMeIn Rescue.
    3. Optional: To synchronize multiple groups, repeat the previous step.
      Note: To remove a pairing, select it in the third column and click the left arrow.
    4. Configure synchronization settings:
      Enable Full Group synchronization (default: enabled)
      • Enabled: Performs one-to-one synchronization (groups, users, and hierarchies match Entra AD exactly)
      • Disabled: Only synchronizes user status updates; users in different groups remain in place
    5. Configure group-specific settings:
      • Mobile license: Assigns mobile licenses to group members if available.
      • Mapping UPN to SSOID (Entra AD only): Maps SSO IDs directly to UPNs.
      • Use Email address as a SSO ID (Entra AD only): Sets email addresses as SSO IDs.
      • Edit Preferences: Select specific user attributes to synchronize.
    6. Set Global settings:
      • Use UPN instead of Email address: When checked, you can use "UserPrincipalName" instead of an email address in LogMeIn Rescue.
      • Use Email address as a SSO ID: When checked, the SSO ID in LogMeIn Rescue gets the email address.
    7. Select Next and confirm the synchronization.
    8. A warning pops up asking you whether you want to proceed with counting the number of users in the group.
      Note: The maximum limit is 999 groups, with up to 999 members per group. The wizard loads previously configured groups for easier reconfiguration.
  6. Select Next.
  7. In the resulting pop-up window click Yes to continue with the synchronization.
  8. Select how AdSync will run:
    1. Select a synchronization mode:
      • Start Active Directory Synchronizer as a service
      • Start Active Directory Synchronizer as a Windows terminal application
      Important: Running the synchronizer as a Windows app will also place an icon resembling to the LogMeIn Rescue logo in the System tray. You can hide or unhide the application by right-clicking on it. If you want to the stop the synchronization process, use the Close the program option.
    2. Configure settings:
      • Interval to send changes (minutes): You can enter your preferred frequency of the synchronization operation.
      • For Windows terminal application only:
        • Start immediately (optional)
        • Hide terminal window at startup (optional)
    3. Select Install service or Start App.
      Note: When running AdSync as a Windows terminal application, the program places a LogMeIn Rescue logo icon in your System tray. Right-clicking this icon allows you to hide or unhide the application window or close the program completely. If you're using Dry Run mode, an Excel file is generated in the same directory as the .exe file, providing detailed synchronization results.
      Important: Use the Close the program option only when you want to stop the synchronization process entirely.
  9. If the installation was successful, click Finish, and close the installer.

Results:

Restriction: It is not possible to delete an admin from the LogMeIn Rescue Admin Center by using the Active Directory synchronization service. When a user is deleted or moved in Active Directory, the corresponding LogMeIn Rescue admin is disabled.
Note: If an admin is moved to another LogMeIn Rescue Admin Group, subsequent synchronization will update the user's status and move the user back to its initial synchronization group.
Note: If a user is disabled, deleted, or moved in Active Directory, the admin's mobile license is freed up, and becomes available for other members of the LogMeIn Rescue organization.
Troubleshooting: If the synchronization service fails, you can get an error log by clicking Active Directory Logger at the bottom of the Active Directory Synchronization section on the Global Settings tab of the Admin Center.

Create a Client ID, Tenant and Client Secret in Entra
  1. Sign in to Microsoft Azure.
  2. Select Entra Active Directory.
  3. Click Add on the ribbon and select App registration.
  4. Enter the name of your application and click Add.
  5. Select Accounts in this organizational directory only (Default Directory only - Single tenant) option under Supported account types.
  6. Note your Application Client ID and Directory tenant ID, as you will need them later on for AdSync.
  7. Select Certificates & Secrets from the sidebar on the left, and click the New client secret option.
  8. Enter the description and expiry of the Client secret in the Add a client secret dialog on the top of the screen.
  9. Save the value of the Client secret.
  10. Select API permission from the sidebar on the left, and click the Add a permission option.
  11. Select Microsoft Graph, and click the Application permissions tab.
  12. Scroll down to User and check in the User.Read.All option.
  13. Scroll to Group, and check in the Group.Read.All option.
  14. Scroll to Directory and check in the Directory.Read.All option.
  15. Click Add permissions at the bottom of the page.
  16. Click Grant admin consent for Default Directory, and click Yes, when prompted.
  17. Close the Microsoft Azure portal.

    Result: The Client ID, Tenant and Client Secret is populated in AdSync.

Stop the AD Sync service
Click Terminate Service after having relaunched the application to stop running the service.

Result: A confirmation window pops up, asking if you want to stop the service. Click Yes. Now the service is stopped, and you will see the starting window of Rescue AD Sync.

Article last updated: 21 March, 2025

Need more help?

Contact icon Contact support
Community icon Ask the Community
Training icon Attend trainings
Video icon Watch videos
  • Language selector icon Language selector icon
    • English
    • Français
    • Italiano
    • Deutsch
    • Español
    • Português
    • Nederlands
  • About Us
  • Terms of Service
  • Privacy Policy
  • Trademark
  • Do Not Sell or Share My Personal Info
  • Browse Products
  • Copyright © 2025 GoTo Group, Inc. All rights reserved

Collaboration Products

GoTo Connect

GoTo Meeting

GoTo Webinar

GoTo Training

join.me

Grasshopper

OpenVoice

Remote Solutions Products

GoTo Resolve

Rescue

GoToAssist

Access Products

Pro

Central

GoToMyPC