Managing the AD Sync Tool

The AD Sync Tool is a command line tool that you can run on a Windows, Linux, or macOS system to sync users and groups between your Active Directory (AD) or LDAP Server and your Zoom account. With this tool, you can automatically manage users and groups in your Zoom account when there is a change in your LDAP/AD system for those users and groups.

The tool runs in the console, and does not include a GUI or web interface. Settings are configured using a properties file, and you can check the log files to see the change details or to troubleshoot any errors.

Based on changes in your LDAP/AD server, the AD Sync Tool allows you to create, update, and deactivate/delete users, update the Zoom user's email (the new email's domain must be in the associated domain), and sign users out when their password has been changed, deleted, or disabled. This tool also allows you to create, update, and delete Zoom groups as well as add or remove group members.

Note: The AD Sync Tool versions 1.5 and higher can’t use the database file generated by previous versions. To use version 1.5 or higher successfully, admins must reconfigure the tool. This includes initializing the file, running the set up command to complete the configuration, then performing a full sync to complete the initialization. We recommend that you keep your previous AD Sync Tool and related database files to prevent any issues when using the new version.

The AD Sync Tool supports the following attributes.



This article covers:

Prerequisites for the AD Sync Tool

How to create a Server-to-Server OAuth app for the AD Sync Tool

Verify permissions to edit users

To create this app, the user must have User:Edit permissions.

  1. Sign in to the Zoom web portal as an admin or user with role management edit permissions.
  2. In the navigation menu, click User Management then Roles.
  3. On the All tab, click the name of the role type you want to check, such as Admin.
  4. Under User and Permission Management, verify that this role has Edit permissions for Users.

Learn more about role management.

Create the app

You must create a Server-to-Server OAuth app for the tool on the Zoom App Marketplace. Only users with User:Edit permissions can complete this task.

  1. Sign in to the Zoom App Marketplace.
  2. In the top-right corner, click Develop then Build Server-to-Server App.
  3. Enter a name for your app and click Create.
  4. On the App credentials tab, view your account ID, client ID, and client secret. You'll use these credentials to authenticate with Zoom.
  5. On the Information tab, add information about your app, such as short description, company name, and developer contact information (name and email address required for activation).
  6. On the Scopes tab, click Add Scopes, then add the following scopes:
    1. Click User, then click View users information and manage users and select the Remove a user's token scope.
    2. Click SCIM2, then click Call Zoom SCIM2 API and select the Call Zoom SCIM2 API scope.
    3. Click Done.
    4. Click Continue.
  7. On the Activation tab, activate your app.

Quick start of the AD Sync Tool

  1. Install JDK version 8, then run the following command to make sure that java is installed correctly:
    java -version
  2. Obtain the file from the following location:
  3. Unzip the ad-tool-${version}.zip file.
  4. Update the file, as described in the Configuration section. Then copy the file to the same folder where adtool-${version}.jar is located.
  5. Prepare a secret code to protect the sensitive information in the tool configuration files. The secret code is required every time you run the tool.
  6. Start the tool by running the following command:
    bin/adtool.cmd start
    Caution: Running the start command can delete or deactivate existing users from your Zoom account if those users do not exist on Active Directory. Refer to the Zoom account configuration:
    • Start the AD Sync Tool as a daemon service. It will run a full synchronization for the first time and keep running incremental synchronization every 40 minutes. It will also monitor password change events.
    • To preview the synchronization result before applying any changes to your Zoom account, run the following command:
  7. Check the log file if you fail to run any command.

How to configure the AD Sync Tool

The file includes a set of parameters that determine how the tool will perform the synchronization. There are two types of synchronizations you can perform:

You must update the values in the following sections of the file.

Note: Credentials should not be added in this file.

Zoom setting (updated values required)

Sync options (updated values required)

LDAP/AD settings (updated values required)

This tool supports multiple LDAP/AD server connections. The value "n" identifies the index of the LDAP Server. The value of n starts from 0.

Attribute mapping (updated values optional)


Logging setting

Sync commands


Configure the credentials for Zoom authentication and LDAP authentication. If you want to change some
credentials, you can run the setup command to update. When running this command, you will be
asked to enter the Zoom Account ID, Client ID and Client secret, AD username and password.

Setup flow:

  1. Enter the secret code.
  2. Confirm the secret code.
  3. Enter the Zoom Account ID (Copy from Server-to-Server OAuth app).
  4. Enter the Zoom Client ID (Copy from Server-to-Server OAuth app).
  5. Enter the Zoom Client Secret (Copy from Server-to-Server OAuth app).
  6. Enter the user DN (distinguishedName) of the LDAP server.
  7. Enter the user password of the LDAP server.
    Note: The secret code, Client Secret, and password are not visible when editing.


Start the AD Sync Tool as a service. It will run a full synchronization for the first time and start a job to run incremental synchronization every 40 minutes until you shut down the tool. Additionally, the tool will monitor the password change event. By using this command, you don't have to create Task Scheduler or CRON in the system.


Preview the synchronization result without making changes to your Zoom account. This is helpful if you want to ensure options in the tool work as expected.


Reset the settings for this tool. It will clean all of your local configuration and cached data for the tool. If you fail to run this tool for any reason, you can run the reset command to make it work again.


Run one full or incremental synchronization from LDAP to Zoom. We recommend running preview to check the result before running a full sync. If a full synchronization has ever been executed, it will run an incremental synchronization. If you want to run a full sync, append "--all" for the sync command.


Monitor the user's password change event and force logout the Zoom user from all devices when the password in LDAP/AD changed. This tool monitors the event that the LDAP/AD user password has been changed, and it cannot obtain the passwords of the LDAP/AD users.


Test if the configuration is working. It will use the credential to test the connection and authentication for LDAP/AD server and Zoom.

Examples of command executions for the AD Sync Tool

The common execution script pattern is: bin/{script file} {command}.

Examples for help/version information of the tool

Display help information of the tool:

bin/{script file} -h
bin/{script file} --help

Display version information of the tool:

bin/{script file} -v
bin/{script file} --version

Display help information of the setup command:

bin/{script file} setup -h
bin/{script file} setup --help

Examples for set up the tool

Set up the tool in the default mode:

bin/{script file} setup

Set up the tool in the service mode:

bin/{script file} setup --service

Reset the tool:

bin/{script file} reset

Examples for run the tool

Run the tool in default mode:

bin/{script file} start
bin/{script file} sync
bin/{script file} preview
bin/{script file} monitor
bin/{script file} test

Run the tool in service mode:

bin/{script file} {command} --service

How to run the tool as a service (Windows)


Run the following command to set the service mode (Note: Running "bin/adtool.cmd setup" will remove the service mode):

bin/adtool.cmd setup --service

How to start automatically after system startup (Windows)

  1. From the Start menu, go to Windows Administrative Tools, then click Task Scheduler.
  2. On the Action menu, click Create Task.
  3. On the General tab, do the following:
    1. Enter a name for the task, for example "ADSyncToolTask".
    2. Under Security options, select the Run whether user is logged in or not option and the Run with the highest privileges check box.
  4. Click the Triggers tab and do the following:
    1. Click New.
    2. On the Begin the task drop-down, select At startup.
    3. Click OK.
  5. Click the Actions tab and do the following:
    1. Click New.
    2. On the Action drop-down, select Start a program.
    3. Click Browse, choose the start.bat file in the bin directory, and click Open.
    4. Click OK.
  6. Click the Conditions tab and do the following:
    1. Under Power, clear the check box next to Start the task only if the computer is on AC Power.
    2. Click OK.
  7. Click the Settings tab and do the following:
    1. Leave the Allow task to be run on demand check box selected, and clear all other check boxes.
    2. Click OK.
      The tool will start automatically after the next system restart.

AD Sync Tool log files

Use the log files to see the details of the records that were synchronized and to help with debugging any sync failures. A maximum of one of each type of log file is generated each day. If you run the Zoom AD Sync tool multiple times in the same day, the information from that run is appended to the file that was previously generated for that day.

Abnormal data files

Use the abnormal data file to view details about abnormal user/group data during the full synchronization.

AD Sync Tool security

Enabling SSL/TLS connection for ADFS

If you are using LDAPS via port 636 to connect to an Active Directory server using SSL, the SSL certificate must be retrieved and installed, or you may receive the following errors:

"The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection..."


" unable to find valid certification path to requested target."

Retrieving and installing the SSL certificate

To import the SSL certificate and connect the AD Sync tool via TLS:

  1. Open the Windows Management Server Manager.
  2. Under Tools, open the Certification Authority.
  3. Under Issued Certifications, right-click on the desired certificate.
  4. Click Properties.
  5. Click the Details tab.
  6. Click Copy to File, and choose the Base-64 encoded x.509 (.cer) for exporting.
  7. Click Next to export the certificate.
  8. Copy the exported certification to your local device storage (ex. D:\ca.cert).
  9. Open the Command Console, and run the following change directory command to access the Java JDK bin location: 
    cd C:\Program Files\Java\Jdk1.8.0_201\bin
    Note: This folder may not be in the exact path as above, and the command will need to be altered if the actual folder path is different.
  10. Run the following command to copy the certificate to the new location:
    keytool.exe -importcert -keystore ..\jre\lib\security\cacerts -storepass changeit -file D:\ca.cer -alias myca
    Note: The command structure is based on the following:
    • **-keystore**: Where the new certification stored. No need to change this.
    • **-storepass**: The certification's password. 
    • **-file**: The certification location you just exported.
    • **-alias**: The alias of the new certification.
  11. Once complete, the certificate will be imported and installed. Update the LDAP/AD URL to the ldaps://[address]:636.