Join the 70K+ other members in the Zoom Community! Login with your Zoom account credentials and start collaborating.

Join the Community

For questions about the class action settlement, please visit

Managing the AD Sync Tool Follow

The AD Sync Tool is a command line tool that you can run on a Windows, Linux, or macOS system to
sync users between your Active Directory (AD) or LDAP Server and your Zoom account. With this tool, you
can automatically manage users in your Zoom account when there is a change in your LDAP/AD system for those users.

The tool runs in the console, and does not include a GUI or web interface. Settings are configured using a properties file, and you can check the log files to see the change details or to troubleshoot any

Based on changes in your LDAP/AD server, the AD Sync Tool allows you to create, update, and deactivate/delete users, update the Zoom user's email (the new email's domain must be in the associated domain), and sign users out when their password has been changed, deleted, or disabled.

The AD Sync Tool supports the following attributes:

  • First Name
  • Last Name
  • Email
  • Department
  • Job Title
  • Phone Number
  • Company
  • Cost Center
  • Employee Unique ID

This article covers:

Prerequisites for the AD Sync Tool

Quick start

  1. Install Oracle JDK version 8, then run the following command to make sure that java is installed correctly:
    java -version
  2. Obtain the file from the following location:
  3. Unzip the ad-tool-${version}.zip file.
  4. Update the file, as described in the Configuration section. Then copy the file to the same folder where adtool-${version}.jar is located.
  5. Prepare a secret code to protect the sensitive information in the tool configuration files. The secret code is required every time you run the tool.
  6. Start the tool by running the following command:
    bin/adtool.cmd start
    Caution: Running the start command can delete or deactivate existing users from your Zoom account if those users do not exist on Active Directory. Refer to the Zoom account configuration:
    • Start the AD Sync Tool as a daemon service. It will run a full synchronization for the first time and keep running incremental synchronization every 40 minutes. It will also monitor password change events.
    • To preview the synchronization result before applying any changes to your Zoom account, run the following command:
  7. Check the log file if you fail to run any command.


The file includes a set of parameters that determine how the tool will perform the synchronization.

There are two types of synchronizations you can perform:

  • Full sync: Compares all the Zoom users and AD users, and synchronizes all AD users who have different attributes to Zoom.
  • Incremental sync: Only synchronizes the changed AD users to Zoom since the last sync.

You must update the values in the following sections of the file.

Note: Credentials should not be added in this file.

Zoom setting (updated values optional)

  • zoom.vanity.url: Your Zoom vanity URL.

Sync options (updated values required)

  • zoom.default.user.type: The default user type when provisioning a new Zoom user. The user types are 1: Basic, 2: Licensed, and 3: On-Prem. The default value is 2.
  • zoom.allow.create.user: Determine if you want to create new Zoom users when these users exist in your AD. The values are true: create new users and false: do not create.
  • zoom.allow.update.user: Determine if you want to update Zoom users when these users are different from your AD. The values are true: update and false: do not update.
  • zoom.allow.delete.user: Determine if you want to delete Zoom users when the users are removed from your AD. The values are true: delete and false: do not delete.
  • zoom.default.user.delete.behavior: Determine if you want to delete or deactivate the user from Zoom when performing a "delete" action. The values are 1: deactivate or 2: delete. The default value is 1. This depends on zoom.allow.delete.user or zoom.allow.delete.missing.user.
  • zoom.allow.delete.missing.user: Determine if you want to delete users from Zoom if these users do not exist in AD when in a full synchronization command (when this tool is run for the first time). The values are true: will delete missing users from Zoom and false: will not delete missing users from Zoom. The default value is false. If you do not want to impact your existing Zoom users, choose false.
  • zoom.monitor.job.interval.minutes: The execution interval of the monitor job. The default interval is 15 minutes.
  • zoom.incremental.sync.job.interval.minutes: The execution interval of the incremental sync job. The default interval is 40 minutes.

LDAP/AD settings (updated values required)

This tool supports multiple LDAP/AD server connections. The value "n" identifies the index of the LDAP Server. The value of n starts from 0.

  • ldap.servers[n].url: The LDAP server URL for the LDAP server or Active Directory server.
  • ldap.servers[n].base: The base folder location for locating users.
  • (Optional) ldap.servers[n].groups[m]: The full DN for a user groups. If this value is empty, users from all groups will be synced to Zoom. If you specify a DN for a user group, only members in the specified group will be synced to Zoom. Set it to empty if you do not want to filter users by group. You can setup multiple groups for one server, and the value "m" identifies the index of the group. This item is empty by default.
  • (Optional) ldap.servers[n].deletedBase: The base folder location to search for deleted items. The default is: CN=Deleted Objects,{Your LDAP Base Name}. You can update the values to reflect the environment.
  • ldap.default.query.pageSize: The LDAP server return maximum users in one page/query.

Attribute mapping (updated values optional)

  • The email field name in AD. The default value is userPrincipalName.
  • ldap.user.firstname: The first name field name in AD. The default value is givenName.
  • ldap.user.lastname: The last name field name in AD. The default value is sn.
  • ldap.user.department: The department field name in AD. The default value is department.
  • ldap.user.phoneNumber (disabled by default):  The telephone number field name in AD. The default value is telephoneNumber.
  • ldap.user.jobTitle (disabled by default): The job title field name in AD. The default value is title.
  • (disabled by default): The company field name in AD. The default value is company.
  • ldap.user.employeeId (disabled by default): The employee unique ID field name in AD. The default value is employeeID.
  • ldap.user.costCenter (disabled by default): The cost center field name in AD. There is no default value. You must choose the attribute.

Logging setting

  • log.dir: Set the base directory for log files. You can use a relative path like . or .., or an absolute path like C: or D:. The default is .(current adtool- ${version} .jar file location).

Sync commands

The common execution script pattern is: bin/adtool.cmd command. For example:

  • For a Windows system:
    bin/adtool.cmd setup
  • For a Linux or macOS system:
    bin/ setup


Configure the credentials for Zoom authentication and LDAP authentication. If you want to change some
credentials, you can run the setup command to update. When running this command, you will be
asked to enter the Zoom API key, API secret, AD username and password.

Setup flow:

  1. Enter the secret code.
  2. Confirm the secret code.
  3. Enter the Zoom API key.
  4. Enter the Zoom API secret.
  5. Enter the user DN (distinguishedName) of the LDAP server.
  6. Enter the user password of the LDAP server.
    Note: The secret code, API secret, and password are not visible when editing.


Start the AD Sync Tool as a service. It will run a full synchronization for the first time and start a job to run incremental synchronization every 40 minutes until you shut down the tool. Additionally, the tool will monitor the password change event. By using this command, you don't have to create Task Scheduler or CRON in the system.


Preview the synchronization result without making changes to your Zoom account. This is helpful if you want to ensure options in the tool work as expected.


Reset the settings for this tool. It will clean all of your local configuration and cached data for the tool. If you fail to run this tool for any reason, you can run the reset command to make it work again.


Run one full or incremental synchronization from LDAP to Zoom. We recommend running preview to check the result before running a full sync. If a full synchronization has ever been executed, it will run an incremental synchronization. If you want to run a full sync, append "--all" for the sync command.


Monitor the user's password change event and force logout the Zoom user from all devices when the password in LDAP/AD changed. This tool monitors the event that the LDAP/AD user password has been changed, and it cannot obtain the passwords of the LDAP/AD users.


Migrate the legacy configuration file (less than version 1.0) to the latest format. If you fail to migrate the setting, run the setup command to configure the setting manually.


Test if the configuration is working. It will use the credential to test the connection and authentication for LDAP/AD server and Zoom.

Log files

Use the log files to see the details of the records that were synchronized and to help with debugging any sync failures. A maximum of one of each type of log file is generated each day. If you run the Zoom AD Sync tool multiple times in the same day, the information from that run is appended to the file that was previously generated for that day.

  • zoomadtool-sync.yyyy-MM--dd.{num}.log: This is the common log for the tool to check for errors.


Enabling SSL/TLS connection for ADFS

If you are using LDAPS via port 636 to connect to an Active Directory server using SSL, the SSL certificate must be retrieved and installed, or you may receive the following errors:

"The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection..."


" unable to find valid certification path to requested target."

Retrieving and installing the SSL certificate

To import the SSL certificate and connect the AD Sync tool via TLS:

  1. Open the Windows Management Server Manager.
  2. Under Tools, open the Certification Authority.
  3. Under Issued Certifications, right-click on the desired certificate.
  4. Click Properties.
  5. Click the Details tab.
  6. Click Copy to File, and choose the Base-64 encoded x.509 (.cer) for exporting.
  7. Click Next to export the certificate.
  8. Copy the exported certification to your local device storage (ex. D:\ca.cert).
  9. Open the Command Console, and run the following change directory command to access the Java JDK bin location: 
    cd C:\Program Files\Java\Jdk1.8.0_201\bin
    Note: This folder may not be in the exact path as above, and the command will need to be altered if the actual folder path is different.
  10. Run the following command to copy the certificate to the new location:
    keytool.exe -importcert -keystore ..\jre\lib\security\cacerts -storepass changeit -file D:\ca.cer -alias myca
    Note: The command structure is based on the following:
    • -keystore: Where the new certification stored. No need to change this.
    • -storepass: The certification's password. 
    • -file: The certification location you just exported.
    • -alias: The alias of the new certification.
  11. Once complete, the certificate will be imported and installed. Update the LDAP/AD URL to the ldaps://[address]:636.