ALVAO 11.2 / Admin guide / User management / User authentication in applications / Active Directory authentication / ImportAD utility
ImportAD utility
Navigation:
- Function description
- Command-line syntax
- Detailed description of parameters
- Mapping fields to AD attributes on persons
- Examples of use
- Key identifiers for creating or updating a user/PC
- Supported scenarios
Function description
This utility is used to import (synchronize) users and groups from Active Directory for the entire Alvao system. The utility also allows you to import objects (users, computers, and organizational divisions) into the Asset Management module.
The utility is located in the Asset Management Console installation folder ("%ProgramFiles%\ALVAO\Asset Management Console\ImportUtilities"), or you can copy it from the application server, from the Alvao Service installation folder ("%ProgramFiles%\ALVAO\AlvaoService\utilities").
The account under which you run the utility must be a member of the Domain Admins group or have the delegated permission Read all user information.
Note: If members from other trusted domains appear in the imported groups, in some cases you will need to list those domains in the AdTrustedDomain table.
Note: When importing from Active Directory, the user's language is set from the preferredLanguage attribute or from the countryCode attribute.
Command-line syntax
ImportAD.exe /adpath "LDAP path" {/conn "connection string" | /server "database server name" /db "database name"} [/users [remove,outsidegroups]] [/usermap "attribute mapping"] [/objects {users,computers,ou,flat}] [/objectparentid "NodeId"] [/login "login name"] [/pswd "password"] [/log "file"] [/progress] [/wait] [/help] [/noportraits]
Detailed description of parameters
Parameter | Description
/adpath <LDAP path> | An Active Directory path in LDAP format. Three variants are supported:
- Import of a DC (entire AD): all users and groups are imported, including group memberships (a "copy" of the entire AD).
- Import of a specific OU (organizational unit): all users and groups within the specified OU are imported. The outsidegroups parameter can be used here; see its description below.
- Import of a specific CN (group): all users and groups that are members of the specified group are imported (in depth; see the note below).
Note: If you need to use LDAPS, add the Active Directory server hostname and port before the distinguished name: "LDAP://<AD server hostname>:636/...".
Note:
- Browsing group memberships in depth means going through all groups that are members of the given group, then through their members, then through those members' members, and so on. Example: group C is a member of group B, which is a member of group A. Importing group A imports all three groups A, B and C.
- The /objects switch (importing objects into Asset Management) does not work with a path that points to a specific group (CN).
/conn <connection string>, /server <server name>, /db <database name> | These parameters set the connection to the Alvao database. Either use a connection string (e.g. /conn "Data source=.\sqlexpress;Initial Catalog=test;Integrated Security = True;TrustServerCertificate=True") or specify the SQL server and database directly (e.g. /server ".\sqlexpress" /db "test"). With /server and /db, the database connection uses Windows Integrated Authentication. If all three parameters are given, only /conn is used; /server and /db are ignored.
/users <parameters> | Import users and groups into Administration. Parameters are separated by a comma. Possible parameters:
Parameter | Meaning
remove | Remove users that cannot be found in AD. This flag only works when importing a group, organizational unit, container, or the entire AD (DC). Only accounts that were originally imported from AD are removed; manually created accounts are kept.
outsidegroups | When the import runs on an OU (organizational unit), also import members of groups inside the OU that lie outside the selected OU. Note: group members are searched to any depth. Example: we import the OU "CZ", which contains the group "CZA". A member of "CZA" is the group "SKA", located in another OU, "SK", and a member of "SKA" is the person "Peter". With this switch, "SKA" and "Peter" are imported even though they lie in OU "SK", outside the imported OU "CZ"; any further members of "SKA" are imported as well, to unlimited depth. Without the switch, neither the group "SKA" nor the person "Peter" is created.
/usermap <mapping> | Specifies the mapping of certain attributes when importing users and groups into Administration. Works only in combination with /users. Supported attributes:
Attribute | Field name in Administration
Company | Organization
PersonalNumber | Personal Number
@tPersonCust.Column | Custom field of the person (see the note)
Attributes can be mapped either to a constant string given on the command line (e.g. when all persons should get the same Organization) or to a specific AD attribute. See the usage examples for details.
Note: Attributes can also be mapped to any existing custom field in the tPersonCust table (except fields of type int that use a list of values, and fields of type user). The attribute name has the form "@tPersonCust." followed by the database column name, e.g. @tPersonCust.Title.
/objects <parameters> | Import objects into Asset Management. Parameters are separated by commas. Possible parameters:
Parameter | Meaning
users | Import users.
computers | Import computers.
ou | Import the organizational structure.
flat | Import only objects directly in the specified path; do not search subfolders.
Caution: You must specify at least one of the parameters users, computers, ou.
Note: The mapping of AD attributes to AM properties is set in the tblADMap table. The import creates new objects in the Objects retrieved from Active Directory folder.
/objectparentid <NodeId> | Create new objects as child objects under the object with ID <NodeId>. Works only in conjunction with the /objects switch.
Note: You can find the NodeId value in the AM Console on the Objects tab by displaying the NodeId system column, or in the tblNode.intNodeId column.
/noportraits | Import without portraits.
/wait | Wait for a keystroke at the end of the import.
/progress | Display the progress of the import.
/login <login> | User login name. This account is used to access AD. Note: If this parameter is not specified, the import accesses AD under the account that runs the utility (the currently logged-in Windows user).
/pswd <password> | The password of the account used to access Active Directory.
/log <file> | Path and name of the log file. Note: The log is overwritten on each run.
/datetimeformat | Date format in text strings (e.g. dd/mm/yyyy). If the parameter is not specified, the format is recognized automatically during conversion. A detailed description of the possible formats can be found in MSDN.
Mapping fields to AD attributes on persons
Field Name | Attribute name in AD
First and last name | cn
Email | email
Phone | telephoneNumber
Mobile | mobile
Office | physicalDeliveryOfficeName
Organization | company
Division | department
Working position | title
User name | userPrincipalName
UserName (for legacy systems) | sAMaccountName
Supervisor | manager
Account is blocked | userAccountControl
Examples of use
- Import all members of the group mygroup, using the simple SQL Server connection (/server and /db):
ImportAD.exe /adpath "LDAP://CN=mygroup,DC=my,DC=domain" /server "server\sql2005" /db "alvao" /users
- Import the entire AD using an explicit SQL Server connection string, removing users that cannot be found in AD:
ImportAD.exe /adpath "LDAP://DC=my,DC=domain" /conn "Data Source=.\sqlexpress;Initial Catalog=alvao;Integrated Security=True;TrustServerCertificate=True" /users remove
- Import a specific organizational unit using the simple SQL Server connection. The Organization field is set to the string ALVAO for all users, the Personal Number field takes the value of the AD attribute EmployeeID, and the custom field Title takes the value of the AD attribute PersonalTitle. Groups outside the OU that are members of groups inside the OU are also imported:
ImportAD.exe /adpath "LDAP://OU=ou1,DC=my,DC=domain" /server server1 /db alvao /users outsidegroups /usermap "Company='ALVAO'" /usermap "PersonalNumber=AD.EmployeeID" /usermap "@tPersonCust.Title=AD.PersonalTitle"
- Import of new hires. None of them are freelancers, all are part-time, and they start on Aug. 15 at 10 a.m. in the building at 12 Waterfront St. in room 007. Each value is stored in a custom field of the corresponding type:
ImportAD.exe /adpath "LDAP://DC=new,DC=domain" /conn "Data Source=.\sqlexpress;Initial Catalog=alvao;Integrated Security=True;TrustServerCertificate=True" /users /usermap "@tPersonCust.Externist='0'" /usermap "@tPersonCust.Part_time='0,5'" /usermap "@tPersonCust.Date_of_onboard='8/15/2015 10:00:00'" /usermap "@tPersonCust.Building_address='Nábřežní 12'" /usermap "@tPersonCust.Room_number='007'"
- Import objects of type Computer and User into Asset Management:
ImportAD.exe /adpath "LDAP://OU=ou1,DC=my,DC=domain" /server server1 /db alvao /objects computers,users
- Import objects of type Computer and User into Asset Management and also users and groups into Administration:
ImportAD.exe /adpath "LDAP://OU=ou1,DC=my,DC=domain" /server server1 /db alvao /objects computers,users /users
Key identifiers for creating or updating a user/PC
Entity | Identifier
Administration - Persons |
- AD GUID
- login name without domain (used when the person's AD GUID is NULL, i.e. a manually created user)
Administration - Groups |
AM - Users/Computers/Folders |
- AD GUID
- key attribute according to tblAdMap (used when the object's AD GUID is NULL)
Supported scenarios
Synchronization with the whole AD (including deleting users)
Run an AD-wide import (LDAP://DC=...) and use the remove parameter when importing groups and users into Administration (/users remove).
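One way to run this whole-AD synchronization unattended, as an added example that is not part of the ALVAO documentation: a PowerShell script that registers a daily scheduled task running ImportAD under a dedicated account, so no /login and /pswd values sit on the command line. The LDAPS host, database, log path, task name and the group managed service account (gMSA) are assumptions; the gMSA needs the delegated Read all user information permission in AD and a login on the Alvao database.

```powershell
# Added example, not ALVAO's own code. Run once, elevated, on the server that hosts
# the utility. All names below are assumptions to be replaced with your own values.
$importAd = "$env:ProgramFiles\ALVAO\AlvaoService\utilities\ImportAD.exe"

# LDAPS form of the /adpath value from the parameter description: host and port 636
# precede the distinguished name. Host name is an assumption.
$adPath  = 'LDAP://dc01.my.domain:636/DC=my,DC=domain'

# Integrated Security: the task's account authenticates to SQL Server itself, so no
# database password is needed either.
$conn    = 'Data Source=.\sqlexpress;Initial Catalog=alvao;Integrated Security=True;TrustServerCertificate=True'

# The log is overwritten on every run (see /log), so keep it somewhere you can
# collect it from before the next run. Path is an assumption.
$logFile = "$env:ProgramData\ALVAO\ImportAD.log"

# Whole-AD import with /users remove: accounts no longer found in AD are deleted,
# but only those that were originally imported from AD. /noportraits keeps
# thumbnailPhoto/jpegPhoto out of the database.
$arguments = @(
    '/adpath', "`"$adPath`"",
    '/conn',   "`"$conn`"",
    '/users',  'remove',
    '/noportraits',
    '/log',    "`"$logFile`""
) -join ' '

$action  = New-ScheduledTaskAction -Execute $importAd -Argument $arguments
$trigger = New-ScheduledTaskTrigger -Daily -At 02:00

# A gMSA (assumed name) has no password to store: Windows retrieves it for the task.
# Give it only the delegated read permission, not Domain Admins membership, and run
# the task without elevation (RunLevel Limited).
$principal = New-ScheduledTaskPrincipal -UserId 'MY\gmsa-alvao-import$' `
    -LogonType Password -RunLevel Limited

Register-ScheduledTask -TaskName 'ALVAO ImportAD sync' -Action $action `
    -Trigger $trigger -Principal $principal
```

After the first scheduled run, check the log file for the expected number of created and removed accounts before relying on the task.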
Importing a few selected AD groups into Alvao
- Create a new group ALVAO in AD and add all the groups you want to import into Alvao as its members.
- Run the import with the /adpath parameter pointing at this ALVAO group. Example: /adpath "LDAP://CN=alvao,OU=import,DC=domain"
- All selected groups and their members (including users) will appear in Administration, with group memberships set correctly.
Import without photos directly from AD
When importing users from AD, portraits are loaded by default from the thumbnailPhoto and jpegPhoto attributes. User portraits are stored in the Alvao database.
If you do not want to retrieve portraits from AD, run the import from the command line and add the /noportraits parameter. For example:
ImportAD.exe /adpath "LDAP://OU=ou1,DC=my,DC=domain" /server server1 /db alvao /objects computers,users /users /noportraits
Note: If the import runs as a scheduled job, add the /noportraits parameter to the ImportAD command used by that job.
Import objects to Asset Management
Run the import on the entire AD (blocked accounts cannot be imported) or on a selected OU, and use the /objects switch to specify what to import. Optionally, use the /objectparentid switch to define where the objects are created.
Find blocked users from Active Directory
- In the tree in the main AM Console window, select the entire organization and click the Objects - All tab.
- Show the Account is blocked column.
- Set the filter in the Type column to User and the filter in the Account is blocked column to Yes.
- After creating a list of blocked users, use the Show in object lists command to more easily navigate through the list items.
- The filtered list contains users who have a blocked account in Active Directory. Move these users to the folder for excluded users.
Removing old users
If you want to delete old users who have not been found in Active Directory for some time, follow this procedure:
- In Administration, on the Users page, sort the users by the Last Imported from AD column in ascending order.
- Select and delete users who have not been found in AD for a long time.
Remove old objects from Asset Management
To remove old objects that have not been found in Active Directory for some time, follow this procedure:
- In the AM Console, select the entire organization in the object tree and go to the Objects tab.
- Show the Last Imported from AD column.
- Use the filter in the Type column to display only computers or users.
- Set the filter on the Last Imported from AD column to non-empty values and sort the table by that column in ascending order.
- From the local menu, use the Show in object lists command.
- In the Object Lists window, step through the old objects. If the user had an asset, complete the user's return.
- Move the objects to the Classified Assets folder.
Rename the computer
If a computer is loaded from Active Directory (AD) and you need to rename it:
- Rename the computer in Windows (the computer keeps the same GUID in AD).
Note: The next time you import from AD, the ImportAD utility automatically renames the computer in Asset Management as well.
Reinstall (reimage) a computer with name preservation
If a computer is loaded from Active Directory (AD) and you need to reinstall its operating system or restore it from a disk image while preserving its name on the network:
- Remove the computer from AD.
- In the AM Console, find the computer in the tree and use the Edit command from the local menu. Delete the value in the GUID field of the object in Active Directory.
- Reinstall the operating system or restore it from the disk image. Give the computer its original name.
- Register the computer in AD again (the computer gets a new GUID in AD).
Note: The next time you import from AD, the ImportAD utility automatically pairs the new AD computer with the computer in Asset Management according to the Network Name property.