ShoreTel Active Directory Integration

Active Directory Integration is a really useful feature of the ShoreTel phone system. I believe it was introduced in ShoreTel 9 or 10. It lets you tie a ShoreTel user to an Active Directory account. You want to do this if you can, because changes made in Active Directory then flow through to the phone system, and adding new users becomes a lot quicker.

Configuring Windows

Joining your ShoreTel server to your domain is the first, and necessary, step. This goes against some of the conventional wisdom ShoreTel used to put out. Plan to do it after hours, as it needs at least one reboot.
Note that the sub-numbered items are just notes on the step above them.

  1. Join your ShoreTel server to your domain.
    1. Give the server a good, descriptive computer name first; it helps a lot with DNS entries. Some partners set ShoreTel servers up with nothing but a random name if they never join them to a domain. A sensible name makes setting up Communicator for new users much easier, especially remotely, since they only have to enter the server name.
  2. Open Active Directory Users and Computers, find your ShoreTel server, right-click it and choose “Properties”.
    Click the “Delegation” tab and select the radio button that says “Trust this computer for delegation to any service (Kerberos only)”. Click OK.
    1. Security caveat: that setting is unconstrained delegation. A host with this flag can reuse the Kerberos tickets of any user who authenticates to it, against any service in the domain, so the ShoreTel server becomes a high-value target from this point on. Keep it patched, limit who can log on to it, and review periodically which computer accounts in the domain carry the flag.
  3. Open Shoreware Director and log in as an administrator. If you named your ShoreTel server “SHORETEL” like I did, you can go to http://shoretel/shorewaredirector.
  4. Go to System Parameters and click “Administrators” under Administrative Permissions. Make sure you have at least one administrator account that is not tied to a Windows user. In the picture we have a public phone user and a fax server user on the list; you only need one, and it has to be tied to an extension. The reason is that if you ever have to log in to ShoreTel from a non-administrative user’s computer, or the server drops off the domain, you need a login name that does not depend on AD.
  5. Now go to the “Other” section under System Parameters and scroll all the way to the bottom. Check the “Enable AD Integration” box and fill in the AD Path box.
    1. Director suggests some formats to use here. I tried them, and at least in our environment they didn’t work. I found that simply entering “LDAP://fqdn” (the fully qualified name of your domain) worked perfectly. Yes, it will include every account in that domain; I can’t come up with a scenario where this is a problem. Two caveats: an LDAP:// path to the domain name covers that one domain, not the whole forest (forest-wide lookups go through the global catalog instead), and the wider the path, the more accounts can be mapped to phones, so if a narrower container (an OU’s distinguished name) works in your environment, prefer it.
  6. Click Save. If there are errors, Director will tell you. Every time I’ve hit one it was a mistyped string in the AD Path field; some errors just mean you need to wait a few minutes for the change to replicate in AD.
  7. To enable auto-login to Shoreware Director and to the Web Based Call Manager, a few settings must be enabled in IIS. My ShoreTel server runs on Server 2003, so I only have pictures for IIS 6, but I can post the 2008 (IIS 7) steps if there’s interest.
    1. Open Internet Information Services Manager – This is under your Administrative Tools menu. You can get to this menu through Control Panel if it isn’t already on your Start Menu.
    2. Expand Web Sites -> Default Website
    3. Right click on ShorewareDirector and click Properties.
    4. Select the Directory Security Tab
    5. Click on the Edit button under “Authentication and Access Control”
    6. Make sure the “Integrated Windows Authentication” box is checked and hit OK. Hit OK on the Properties box too.
    7. Note that you may have to restart IIS. You can do this by clicking on the Server Name under the IIS Manager, select All Tasks and hit Restart IIS.
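The following is an added example, not code from the original post or from ShoreTel. It is a PowerShell check for the Configuring Windows steps above, run on the ShoreTel server as a domain user who can read AD. It assumes the value typed into Director’s “AD Path” box is LDAP://<domain fqdn>, and that Director is a virtual directory under the default web site (W3SVC/1) in the IIS 6 metabase; both are assumptions, adjust them to your setup.

```powershell
# Added example (not from the original post or from ShoreTel): verify the
# domain join, the AD Path, the delegation flag and the IIS auth setting.
$adPath   = "LDAP://corp.example.com"                            # assumption: Director's AD Path value
$vdirPath = "IIS://localhost/W3SVC/1/Root/ShorewareDirector"     # assumption: Director's IIS 6 virtual directory
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit set by "Trust this computer for delegation to any service"
$AUTH_NTLM              = 4         # IIS 6 AuthFlags bit for Integrated Windows Authentication

function Search-Ad([string]$Root, [string]$Filter, [string[]]$Properties) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($Root)
    $searcher.Filter = $Filter
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindAll()
}

# Step 1: the box must actually be domain-joined.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$($cs.Name) is not joined to a domain" }
"Joined to domain: $($cs.Domain)"

# Step 5: does the AD Path bind? A mistyped or unreachable path throws here,
# which is the same failure Director reports when you click Save.
$root = New-Object System.DirectoryServices.DirectoryEntry($adPath)
"AD Path binds to: $($root.distinguishedName)"

# Step 2: read the delegation flag from this server's computer object
# (computer accounts carry a trailing $ on sAMAccountName).
$me = Search-Ad $adPath "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))" @("distinguishedName", "userAccountControl")
if ($me.Count -ne 1) { throw "expected one computer object for $env:COMPUTERNAME, found $($me.Count)" }
$uac = [int]$me[0].Properties["useraccountcontrol"][0]
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    "Unconstrained delegation is set on $($me[0].Properties['distinguishedname'][0])"
} else {
    "Unconstrained delegation is NOT set; step 2 has not been done"
}

# Security check that goes with step 2: every account carrying this flag can
# reuse the Kerberos tickets of anyone who authenticates to it, so list them all
# and make sure each one is expected (domain controllers have it by default).
$delegators = Search-Ad $adPath "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" @("distinguishedName")
"Accounts trusted for unconstrained delegation in this domain:"
foreach ($d in $delegators) { "  " + $d.Properties["distinguishedname"][0] }

# Step 7: Integrated Windows Authentication on the Director virtual directory.
$vdir  = [ADSI]$vdirPath
$flags = [int]$vdir.AuthFlags
if ($flags -band $AUTH_NTLM) { "Integrated Windows Authentication is enabled on $vdirPath" }
else { "Integrated Windows Authentication is OFF on $vdirPath (AuthFlags=$flags)" }

# Not a step in the post, but worth checking right after the join: a domain
# GPO can switch Windows Firewall back on and block Call Manager traffic.
netsh firewall show state
```

The delegation listing is the part worth keeping around after the install: once the ShoreTel server is in that list, anyone who can run code on it can impersonate users who have authenticated to it, so the list should stay short and known.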

Adding Users With AD Integration

Adding a user is a lot simpler now. Make a new user, tick the “AD user” checkbox, enter their domain user name in the form domain\username, and click the “Synch from AD” button. It fills in most of their information; I typically only have to select the right extension, DID and license type. Sometimes you have to wait a bit for Active Directory to catch up; that only happened to me when adding a user from a different AD site than the one the ShoreTel server sits in.

The coolest part is that users no longer have to remember a ShoreTel password to set up Communicator: they enter the server name when they first run it, and everything else is filled in for them. This alone has cut new-user setup time by about 20 minutes.
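As an added example (not code from the original post or from ShoreTel), here is a PowerShell preview of what “Synch from AD” will find for a user before you create them in Director. It takes the domain\username form Director asks for. The attribute list is an assumption about the fields Director fills in, not taken from ShoreTel documentation, and the AD path is assumed to be a single domain, so the domain prefix is only checked for shape and the lookup is by sAMAccountName.

```powershell
# Added example (not from the original post or from ShoreTel): look up the
# AD record behind a domain\username before mapping a phone to it.
$adPath = "LDAP://corp.example.com"   # assumption: same value as Director's AD Path

# RFC 4515 escaping. The typed name is spliced into an LDAP filter, so without
# this a name such as "*)(objectClass=*" would change the query instead of
# matching a user.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ([string]$ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

# First value of an attribute, or $null when the object does not have it set.
function Get-Attr($Result, [string]$Name) {
    if ($Result.Properties.Contains($Name) -and $Result.Properties[$Name].Count -gt 0) {
        return $Result.Properties[$Name][0]
    }
    return $null
}

function Get-DirectorCandidate([string]$DomainUser) {
    $parts = $DomainUser.Split('\')
    if ($parts.Length -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        throw "expected domain\username, got '$DomainUser'"
    }
    $sam = ConvertTo-LdapFilterValue $parts[1]

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($adPath)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    foreach ($p in "sAMAccountName", "userPrincipalName", "displayName", "mail", "telephoneNumber", "userAccountControl") {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    $r = $searcher.FindOne()
    if ($r -eq $null) { throw "no user with sAMAccountName '$($parts[1])' under $adPath" }

    $uac = [int](Get-Attr $r "useraccountcontrol")
    New-Object PSObject -Property @{
        Logon    = Get-Attr $r "samaccountname"
        UPN      = Get-Attr $r "userprincipalname"     # the "User logon name" shown in ADUC
        Name     = Get-Attr $r "displayname"
        Mail     = Get-Attr $r "mail"                  # $null when the account has no mail attribute
        Phone    = Get-Attr $r "telephonenumber"
        Disabled = [bool]($uac -band 0x2)              # ACCOUNTDISABLE: do not map a phone to a disabled account
    }
}

Get-DirectorCandidate "CORP\jdoe"   # assumption: example domain and user
```

Comparing the UPN and Mail columns for a few users before enabling integration shows whether the logon name and the mail address differ in your directory, which is the case where the synced fields need a second look.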

Join the Conversation


  1. Another great post! I actually just used this to join my Director to AD. The one thing I noticed that actually scared me for a second was that (depending on your default AD GPO) as soon as you add your ShoreWare server to AD it will likely re-enable Windows Firewall, which ends up affecting Call Manager access. Also, another thing I noticed (that makes total sense) is that you have to be logged in as an AD user in ShoreWare Director in order to use the “Show From AD/Sync From AD” features when adding a user; otherwise the buttons are grayed out.
    Keep up the good work, I’ve been lovin’ this blog.

    1. Dmitry,
      Yeah that is definitely something I overlooked in the Configuring Windows section. I’ll note to update that in the guide, it’s very important for a new install actually. Thanks for the catch.
      I didn’t have that problem as I was already set up as an Administrator when I put my domain login information in my Shoretel account. So when I did that it updated my login information. I was actually surprised when it logged into the Director automatically from my PC.

      1. This is a great post. I appreciate this. What I am now trying to find, and was hoping someone might know, is where the field information that is being pulled over from AD to ShoreTel is configured. I am particularly interested in the email field. Our email addresses are being pulled over incorrectly because our AD UIDs are not the same as our email addresses or login IDs here. Where might I find the setting to change the field being pulled over from AD for email?

        1. If I’m not mistaken the e-mail address is basically the userPrincipalName/email field in AD, so the “User logon name” from AD is what it’s pulling. If you have an Exchange server this is likely not an issue, as they’ll still get the notifications, but I take it you don’t use Exchange?

    1. Justin, I’m having the same email issue and the link you posted does not work. Do you remember what you did to fix it?

  2. OK, I’m a newbie and I set up Active Directory Integration without enabling my domain user as an Active Directory user within ShoreTel. Is there a way I can get back into ShoreTel Director to enable that checkbox?

    1. You can log back into the ShoreTel server with the regular ShoreTel admin account that you used before AD integration by remoting into your ShoreTel server and just entering it. Hopefully you didn’t delete it. When you do this, go ahead and make a backup admin account just in case; this is something that happens pretty often. Also, if your ShoreTel server gets kicked from the domain you might not be able to get into it without a “local admin account”.

  3. Curious to implement this...
    We’ve been running ShoreTel for years, with the client on the desktops, and don’t know why this never got set up! Anyway, it’s a pain to have to manage the users in multiple places.
    Questions though:
    What happens to existing users if you enable AD integration after they’ve already been using the system for years? Does it link their manually created ShoreTel accounts to their AD equivalents?
    Does it negate whatever password they had set up in ShoreTel when they first logged into the client and overwrite it with their AD one? Another caveat I just thought of: I know ShoreTel requires them to use a 6-character password; if the AD password is shorter, does it complain?
    Any other gotchas introducing AD integration to a system already up and running with hundreds of users? 🙂
    Thanks, good article
