Skip to main content

ImportAD utility

  1. Function description
  2. Syntax command lines
  3. Detailed description of parameters
  4. Mapping fields to AD attributes on persons
  5. Examples of use
  6. Key identifiers for creating or updating a user/PC
  7. Supported scenarios

Function description

This utility is used to import (synchronize) users and groups from Active Directory for the entire Alvao system. The utility also allows you to import objects (users, computers, and organizational divisions) into the Asset Management module.

The utility can be found in the Asset Management Console installation folder ("%ProgramFiles%\ALVAO\Asset Management Console\ImportUtilities") or you can copy it from the application server from the Alvao Service installation folder ("%ProgramFiles%\ALVAO\AlvaoService\utilities").

The account under which you run the utility must be a member of the Domain Admins group or have the delegated permission to Read all user information.

note

If members from other trusted domains appear in the imported groups, in some cases you will need to list those domains in the AdTrustedDomain table.

note

The user's language is set by the preferredLanguage attribute or countryCode when importing from Active Directory.

Command line syntax

ImportAD.exe /adpath "LDAP path" {/conn "connection string"| /server "database server name" /db "database name"}
  [/users [remove,outsidegroups]]
  [/usermap "attribute mapping"]
  [/objects {users,computers,ou,flat}]
  [/objectparentid NodeId]
  [/login "login name"]
  [/pswd "password"]
  [/log "file"]
  [/progress]
  [/wait]
  [/help]
  [/noportraits]

Parameters

ParameterDescription
/adpath <LDAP path>

An Active Directory path in LDAP format. Three variants are supported:

  1. Import DC (entire AD) - all users and groups are imported, including group and user membership settings ("copy" of the entire AD).
  2. Import of a specific OU (organizational unit) -

all users and groups within the specified OU are imported. It is possible to use the outsidegroups, see more detailed description below.

  1. Import of a specific CN (group) - all users and groups that are members of a specific group are imported (in depth - see note below).
note

If you need to use LDAPS, you must add Active Directory server hostname and port before specifying the variants: "LDAP://<AD server hostname>:636/...".

note
  • Browsing group memberships in depth involves going through all groups that are members of a particular group, then going through their members, going through their members again, etc.

Ex: Group C is a member of group B, which is a member of group A. The import imports all groups A+B+C.

  • The /objects switch (importing objects into Asset Management) does not work with a path routed from a specific group (CN).

/conn <chain>

/server<server name>

/db <database name>

These parameters are used to set the connection to the Alvao database. It is possible to use a connection string (e.g. /conn "Data source=.\sqlexpress;Initial Catalog=test;Integrated Security = True;TrustServerCertificate=True"), or simply specify a specific SQL server and DB (e.g. /server ".\sqlexpress"

/db*"test"*).

In case you use the /server parameters and /db, the database connection is made using Windows Integrated Authentication. If you specify all these parameters, only /conn is used parameter, /server and /db will be ignored.

/users <parameters>

Import users and groups to Administration. Parameters are separated by a comma.

Description of possible parameters:

ParameterSignificance
remove

Remove users it can't find in AD. This flag only works when importing a group, organizational unit, container, or the entire AD (DC).

Only accounts that were originally imported from AD are removed. Manually created accounts are not removed.

outsidegroups

If the import is running on an OU (organizational unit), import also members of groups (groups within an OU) lying outside the selected OU.<p>:::note</p><p> search for group members goes to any depth. </p><p>:::</p> Example:

We import an OU "CZ" in which the group is "CZA". The member of the group "CZA" is the group "SKA", located in another OU "SK". A member of the "SKA" group is the person "Peter".

If we use this switch, "SKA" and "Peter" are imported (even if they lie outside the imported OU "SK"). Any additional members of the "SKA" group are also imported to unlimited depth (group members).

If the switch is not used, neither the group "SKA" nor the person "Peter" will be created.

/usermap <mapping>

Use this switch to specify the mapping of certain attributes when importing users and groups into Administration. The switch works only in combination with the /users.

Supported attributes:

AttributeField name in Administration
CompanyOrganization
PersonalNumberPersonal Number
@tPersonCust.ColumnPerson custom fields - see note

Attributes can be mapped either to a constant string on the command line (e.g. you want all persons to have the same Organization entered manually), or to a specific field from AD. See the usage examples for more details.

note

Attributes can also be mapped to any existing custom fields from the tPersonCust table (except fields of type int that use a list of values, and type users). The attribute name must be "@"+[tPersonCust] +[database column name], e.g. @tPersonCust.Title.

tip

The switch can only be used when importing into Administration. To map AD attributes to object properties in Asset Management, use the article Mapping Active Directory attributes to object properties.

/objects <parameters>

Import objects to Asset Management. Parameters are separated by commas.

Description of possible parameters:

ParameterSignificance
usersImport users.
computersImport computers.
ouImport organizational breakdown.
flat

Import only objects in the specified path and do not search including subfolders.

warning

You must specify at least one of the following parameters: users, computers, ou.

note

The mapping of AD attributes to AM properties is set using the table tblADMap.

The import creates new objects in the Objects retrieved from Active Directory folder.

/objectparentid NodeId

Create new objects as child objects under an object with ID: <NodeId>. Works only in conjunction with the /objects switch.

note

You can find the NodeId value in the AM Console on the Objects tab. by displaying the NodeId system column, or in the tblNode. intNodeId table.

/noportraitsImport without portraits.
/waitWait for a keystroke at the end of the import.
/progressDisplay the progress of the import.
/login <login>

User login name. This account will be used to access AD.

note

If this parameter is not specified, the import will access AD under the account under which the utility was run (the currently logged in Windows user).

/pswd <password>

The password of the user whose account will be used to access Active Directory.

/log <file>

Specify the path and name of the log file.

note

Log will be overwritten on each run.

/datetimeformat

Date format in text strings (e.g. dd/mm/yyyy). If the parameter is not specified, the format is automatically recognized during conversion.

A detailed description of the possible formats can be found in MSDN.

Mapping fields to AD attributes on persons

Field NameAttribute name in AD
First and last name

cn

note

You can change the default user name template.

Emailemail
PhonetelephoneNumber
Mobilemobile
OfficephysicalDeliveryOfficeName
Organizationcompany
Divisiondepartment
Working positiontitle
User nameuserPrincipalName
UserName (for legacy systems)sAMaccountName
Supervisormanager
Account is blockeduserAccountControl

Examples of use

  1. Import all members of the mygroup group by entering a simple SQL server login:
ImportAD.exe /adpath "LDAP://CN=mygroup,DC=my,DC=domain" /server "server\sql2005" /db "alvao" /users
  1. Import the entire AD and specific SQL Server connection, removing users it can't find in AD:
ImportAD.exe /adpath "LDAP://DC=my,DC=domain" /conn "Data Source=.\sqlexpress;Initial Catalog=alvao;Integrated Security=True;TrustServerCertificate=True" /users remove
  1. Import a specific organizational folder and a simple SQL login. The Organization field will be set to the string Contoso for all users. The PersonalNumber field will carry the value from the AD attribute PersonalNumber. The Title custom field will carry the value from the PersonalTitle AD attribute. Groups outside the OU that are members of groups inside the OU are also imported:
ImportAD.exe /adpath "LDAP://OU=ou1,DC=my,DC=domain" /server "server1" /db alvao /users outsidegroups /usermap "Company='Contoso'" /usermap "PersonalNumber=AD.EmployeeID" /usermap "@tPersonCust.Title=AD.PersonalTitle"
  1. Import of new hires. None of them are freelancers, all are part-time, and they start on Aug. 15 at 10 a.m. in the building at 12 Waterfront St. in room 007. All will be placed in their own line items of their respective types.
ImportAD.exe /adpath "LDAP://DC=new,DC=domain" /conn "Data Source=.\sqlexpress;Initial Catalog=alvao;Integrated Security=True;TrustServerCertificate=True" /users /usermap "@tPersonCust.Externist='0'" /usermap "@tPersonCust.Part_time='0,5'" /usermap "@tPersonCust.Date_of_onboard='8/15/2015 10:00:00'" /usermap "@tPersonCust.Building_address='12 Waterfront St.'" /usermap "@tPersonCust.Room_number='007'"
  1. Import objects of type Computer and User into Asset Management:
ImportAD.exe /adpath "LDAP://OU=ou1,DC=my,DC=domain" /server "server1" /db "alvao" /objects "computers,users"
  1. Import objects of type Computer and User to Asset Management and also users and groups to Administration:
ImportAD.exe /adpath "LDAP://OU=ou1,DC=my,DC=domain" /server "server1" /db "alvao" /objects "computers,users" /users

Key identifiers for creating or updating a user/PC

EntityIdentifier
Administration - Persons

  • AD GUID

  • login name without domain (and the AD GIUD of the person is also NULL - i.e. a manually created user)

Administration - Groups

  • AD GUID

  • Group (name)

AM - Users/Computers/Folders

  • AD GUID

  • key attribute according to tblAdMap (and the AD GUID of the object is also NULL)

Supported scenarios

Synchronization with the whole AD (including deleting users)

Execute an AD-wide import (LDAP://DC=...) and use the remove parameter when importing groups and users into Administration. (/users remove).

Importing a few selected AD groups into Alvao

  1. Create a new group Alvao in AD and set all the selected groups you want to import into Alvao as members.

  2. Set the import and path in the /adpath parameter. set Alvao to this group.

    Ex: /adpath "LDAP://CN=alvao,OU=import,DC=domain"

  3. All selected groups and their members (including users) will appear in Administration. The membership of the groups will be set correctly.

Import without photos directly from AD

When importing users from AD, portraits are also loaded by default from the thumbnailPhoto and jpegPhoto properties. User portraits are stored in the Alvao database. If you don't want to retrieve portraits from AD, then run the import from the command line and add the /noportraits.

For example:

ImportAD.exe /adpath"LDAP://OU=ou1,DC=my,DC=domain" /server server1 /db alvao /objects computers,users /users /portraits
note

Thus, to automatically load a scheduled job, it is necessary to modify the ImportAD command by adding the /noportraits parameter.

Import objects to Asset Management

Start the import on the entire AD (cannot import blocked accounts) or selected OU and use the Switch /objects switch to specify what to import. Use the /objectparentid switch to define where to import the objects (optional).

Find blocked users from Active Directory

  1. In the tree in the main AM Console window, select the entire organization and click the Objects - All tab.

  2. Show the Account is blocked column.

  3. Set the filter in the Type column to User and set the filter for the Account is blocked column to Yes.

  4. After creating a list of blocked users, use the Show in object lists command to more easily navigate through the list items.

  5. The filtered list contains users who have a blocked account in Active Directory. Move these users to the folder for excluded users.

Removing old users

If you want to delete old users who have not been found in Active Directory for some time, follow this procedure:

  1. In the Administration page, on the Users page, sort the users by the Last Imported from AD column in ascending order.

  2. Select and delete users who have not been found in AD for a long time.

Remove old objects from Asset Management

To remove old objects that have not been found in Active Directory for some time, follow this procedure:

  1. In the AM Console, select the entire organization in the object tree and go to the Objects tab.

  2. Show the Last Imported from AD column.

  3. Use the filter in the Type column to display only computers or users.

  4. Set the filter on the Update imported from AD column to not "" and sort the table in ascending order.

  5. From the local menu, use the Show in object lists command.

  6. In the Object Lists window, step through the old objects. If the user had an asset, complete the user's return.

  7. Move the objects to the Classified Assets folder.

Rename the computer

If a computer is loaded from Active Directory (AD) and you need to rename it:

  1. Rename the computer in Windows (the computer will remain the same GUID in AD).
note

The next time you import from AD, the ImportAD utility will automatically rename the computer in Asset Management as well.

Reinstall (reimage) a computer with name preservation

If a computer is loaded from Active Directory (AD) and you need to reinstall its operating system or restore it from a disk image and preserve its name on the network:

  1. Remove the computer from AD.

  2. Go to the Object properties and delete the Active Directory object GUID object property of the object.

  3. Reinstall the operating system or restore it from an image disk. Give the computer its original name.

  4. Register the computer in AD again (the computer gets a new GUID in AD).

note

The next time you import from AD, the ImportAD utility will automatically pair the new AD computer with the computer in Asset Management according to the Network Name property.