HR Sync Agent watches BambooHR and keeps your on-prem Active Directory in lockstep. Joiners, movers, leavers, and group memberships — handled without the Monday-morning ticket.
On a schedule you choose, the agent reads BambooHR, compares it to AD, and makes the difference disappear. No scripts to maintain, no JSON to edit.
New hires appear in AD the moment they're added in BambooHR. Account created, groups assigned, OU placed — ready on day one.
Department changes, title changes, name changes. All flow straight through and group membership re-syncs automatically.
Terminations disable the account on the right date, move it to the disabled OU, and close access the same night it's entered in HR.
No platform, no middleman, no tenant. It runs as a scheduled task on a server you already own, with support for multiple AD domains from a single BambooHR connection.
On the cadence you set, the agent asks BambooHR what has changed since last sync.
Each change is matched to the right AD domain by location, division, or any field you choose. Unmatched records are flagged for review, never silently dropped.
Standard PowerShell RSAT cmdlets write the change directly to your domain controller — CREATE, UPDATE, DISABLE, or ENABLE — with your group rules applied.
INFO / WARN / ERROR to a daily log. Any conflict that needs human judgement is flagged, not guessed.
There is no cloud platform between BambooHR and your DC. The agent runs on a server you own, credentials are encrypted at rest with DPAPI, and there is no shared tenant that could be breached.
On-prem or hybrid AD. Already on BambooHR, already running a Windows server. Tired of the joiner/leaver ticket queue.
Automate joiner/mover/leaver across your book of business. One install per client, same configuration pattern, predictable support surface.
No. The agent runs on your server and communicates only with BambooHR (outbound HTTPS) and your domain controllers (local). There is no cloud platform that receives your employee data.
Fill out a short intake form with your domain details and group mappings. We generate your configuration file and deliver it to you. Your IT team drops it onto a Windows server, runs the installer, and enters credentials at first-run setup. No call required.
The agent runs under a dedicated service account with no Domain Admin rights. On the host it needs read/write access to its installation directory and permission to run as a scheduled task. In Active Directory, it requires delegated permissions to create, modify, and disable accounts within your specified OUs, and to manage membership in your mapped security groups. In multi-domain environments, each domain gets its own isolated service account with credentials encrypted separately on the host. Full delegation steps are covered in the deployment guide.
Yes, on the Professional plan. If your environment spans more than one AD domain or forest, the agent targets each from a single BambooHR connection. Employees are routed to the right domain automatically — location is the default routing field. Each domain gets its own service account, group mappings, and encrypted credentials.
HR Sync Agent sits between BambooHR and your on-prem AD. If your cloud identity syncs from AD (via Azure AD Connect, Okta AD agent, or similar), the changes made upstream flow to the cloud automatically through your existing sync.
Annual subscription — $960/year for Standard (single domain) and $1,800/year for Professional (unlimited domains). Flat rate regardless of headcount. All plans include a 30-day money-back guarantee. MSP volume pricing is available on request.
BambooHR is the focus. Additional HRIS integrations are on the roadmap.
Fill out a short intake form, receive your pre-built config, and deploy when you're ready. No calls, no back-and-forth.
Get started — $960/year →