

CreateADUsers Tool

The application creates users in Active Directory according to the details entered in the account creation request in ALVAO Service Desk. It processes only requests that are in the specified service and in the specified status at the same time; see the parameter descriptions. The program must be run under a user account that has permission to create users in Active Directory. If you use integrated Windows authentication to log on to the database server, that user must also have at least datareader and datawriter access to the ALVAO database.

We recommend running the program regularly on the server as a scheduled task.

Command Line Syntax

CreateADUsers /adpath "LDAP path" /conn "Connection string" /server "Server name" /db "DB name" /service "Service name" /beginstate "request status" /endstate "request status" {/failedstate "request status" /grouplist "group name" /propmap "attributes mapping" /loginmutations "number" /help}

Detailed Description of Parameters

Parameter Description

/adpath "LDAP path"

Path in AD under which the users will be created. Parts of the path, for example the organizational unit, can be taken from values in the request; see the following chapter.

Example: "LDAP://server/OU=TestDepartment,DC=acme,DC=com"

/conn "Connection string"

/server "server name"

/db "DB name"

These parameters hold the connection settings for the ALVAO database. You can either pass a connection string (e.g. /conn "Data source=.\sqlexpress;Initial Catalog=ALVAO;Integrated Security = True") or name a specific SQL server and database (e.g. /server ".\sqlexpress" /db "test").

If you use the /server and /db parameters, the connection to the database uses Integrated Windows Authentication. If you specify all three parameters, only /conn is used; /server and /db are ignored.

Values from the request cannot be used in these parameters.

/service "Service name"

Name of the service in which the account creation requests are searched for. Enter the full name, including the parent services. We recommend that requests be submitted to this service through a custom request submission form; this ensures that the individual items of the request are always filled in correctly. Values from the request cannot be used in this parameter.

Example: "Internal IT/User creation"

/beginstate "request status"

Name of the request status in which the user is created in AD. Values from the request cannot be used in this parameter.

Example: "Account creation"

/endstate "request status"

Name of the request status to which the request is changed after the user has been created. If this status is a closing status, the request is closed after the user is created.

Example: "Communicating password to the user"

/failedstate "request status"

Name of the request status to which the request is changed if user creation fails, for example because the username is already in use. On failure, a note containing the error message is written to the request and the status is then changed. The note is authored by the system account. The error text is written exactly as returned by AD.

Example: "Manual account creation"

/grouplist "group name"

Name of the AD group to which the created users are added. The group is looked up in the domain or sub-domain in which the user is created. To add the user to several groups at once, separate the group names with semicolons.

Example: "Employees;Administrative"

/propmap "attributes mapping"

Mapping in the form propertyAD=text. When the user is created, the given AD property is set according to this mapping. Values from the request are especially useful in this parameter; see the following chapter. The parameter may be given multiple times, once for each property.

In addition to the usual properties provided by AD, the "password" property, which sets the user's password, is also permitted.

Active Directory requires the "sAMAccountName" and "cn" properties to be filled in; otherwise it does not allow the user to be created. You must therefore always map these two properties.

Example: sAMAccountName={Login}

If the user property in Active Directory is numeric, two notations can be used:

  • Usual decimal notation.
  • Hexadecimal notation, which must begin with the characters "0x".

Working with bit-field properties, for example "userAccountControl":
Bit fields are treated as numbers, so both decimal and hexadecimal notation can be used. To change only specific bits of the property, insert the "&" or "|" character in front of the "=" character. "&" performs a bitwise AND of the entered number with the original value; "|" performs a bitwise OR of the entered number with the original value.

Example for unblocking an account: "userAccountControl&=0xFFFFFFFD"
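The following Python script is an added illustration of how a /propmap assignment of the form propertyAD[&|]=value can be interpreted; it is not ALVAO's own code and it does not talk to Active Directory. The regular expression, the function names and the in-memory attribute dictionary standing in for the AD object are assumptions made for this example. The flag values used in the comments (0x2 for a disabled account, 0x200 for a normal account) are the documented userAccountControl bits.

```python
import re

# Assumed grammar for one /propmap argument: attribute, optional "&" or "|",
# then "=" and the value text.  Not ALVAO's parser.
PROPMAP_RE = re.compile(r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)(?P<op>[&|]?)=(?P<value>.*)$")

# AD will not create the user without these two properties being mapped.
REQUIRED_ATTRS = ("sAMAccountName", "cn")


def parse_number(text):
    """Numeric attribute value: plain decimal, or hexadecimal when prefixed with 0x."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    return int(text, 10)


def parse_propmap(arg):
    """Split 'attr=value', 'attr&=value' or 'attr|=value' into its three parts."""
    m = PROPMAP_RE.match(arg)
    if not m:
        raise ValueError(f"not a valid /propmap mapping: {arg!r}")
    return m.group("attr"), m.group("op"), m.group("value")


def apply_bitfield(current, op, value_text):
    """Apply =, &= or |= to a bit-field attribute such as userAccountControl."""
    value = parse_number(value_text)
    if op == "&":          # keep only the bits set in both (clear selected bits)
        return current & value
    if op == "|":          # set the bits given, keep everything else
        return current | value
    return value           # plain "=": replace the whole value


def apply_propmaps(existing, mappings):
    """Return the attribute set after applying every /propmap string in order.

    existing: constructed dictionary of the attributes the AD object already has.
    mappings: the /propmap values exactly as they would be typed on the command line.
    """
    attrs = dict(existing)
    for arg in mappings:
        attr, op, value = parse_propmap(arg)
        if op in ("&", "|") or attr.lower() == "useraccountcontrol":
            attrs[attr] = apply_bitfield(attrs.get(attr, 0), op, value)
        else:
            attrs[attr] = value
    missing = [r for r in REQUIRED_ATTRS if not attrs.get(r)]
    if missing:
        raise ValueError("required AD properties not mapped: " + ", ".join(missing))
    return attrs


if __name__ == "__main__":
    # Constructed object: normal account (0x200) that is currently disabled (0x2).
    before = {"userAccountControl": 0x202}
    after = apply_propmaps(before, [
        "sAMAccountName=jdoe",
        "cn=Doe John",
        "userAccountControl&=0xFFFFFFFD",   # the page's unblocking example
    ])
    print(hex(after["userAccountControl"]))  # 0x200: disabled bit cleared, rest kept
```

The AND mask in the page's example clears only bit 0x2, so any other flags already set on the account (for example a non-expiring password) survive the change; a plain "userAccountControl=512" would overwrite them.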

/loginmutations "number"

If the login is already in use, the program tries appending the numbers 1 up to the entered number to the login. If this parameter is not set, the entered login name is left unchanged, and if it is already in use, user creation ends with an error.

The user login in AD is the sAMAccountName property.
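The following Python script is an added model of the /loginmutations behaviour together with the /endstate and /failedstate outcome described above; it is not ALVAO's own code. The function names, the exception type and the in-memory set of existing logins standing in for a directory lookup are assumptions made for this example. The 20-character limit on a user's sAMAccountName is a documented Active Directory restriction, not something stated on this page, and is included here because appending digits can push a login past it.

```python
# Assumption for this example: the sAMAccountName of a user object is limited
# to 20 characters in Active Directory, so mutations that exceed it cannot be used.
MAX_SAM_ACCOUNT_NAME = 20


class LoginInUseError(Exception):
    """Raised when the requested login and every permitted mutation are taken."""


def choose_login(requested, existing_logins, mutations=0):
    """Return the sAMAccountName that will be created.

    existing_logins: constructed set of logins already present in AD.  AD treats
    sAMAccountName case-insensitively, so the comparison is done lower-cased.
    mutations: the /loginmutations value; 0 models the parameter not being set.
    """
    if len(requested) > MAX_SAM_ACCOUNT_NAME:
        raise ValueError(f"login {requested!r} exceeds {MAX_SAM_ACCOUNT_NAME} characters")
    taken = {login.lower() for login in existing_logins}
    if requested.lower() not in taken:
        return requested
    for n in range(1, mutations + 1):
        candidate = f"{requested}{n}"
        if len(candidate) > MAX_SAM_ACCOUNT_NAME:
            break                      # longer mutations can only get longer
        if candidate.lower() not in taken:
            return candidate
    raise LoginInUseError(f"login {requested!r} is already in use")


def outcome_for(requested, existing_logins, mutations, endstate, failedstate):
    """Map one creation attempt to the request status change the page describes.

    On success the request moves to /endstate; on failure it moves to
    /failedstate and the error text becomes the note written to the request.
    """
    try:
        login = choose_login(requested, existing_logins, mutations)
    except LoginInUseError as err:
        return {"status": failedstate, "login": None, "note": str(err)}
    return {"status": endstate, "login": login, "note": None}


if __name__ == "__main__":
    # Constructed directory contents for the demonstration.
    directory = {"jdoe", "jdoe1"}
    print(outcome_for("jdoe", directory, 3,
                      "Communicating password to the user",
                      "Manual account creation"))   # login jdoe2, endstate
    print(outcome_for("jdoe", directory, 1,
                      "Communicating password to the user",
                      "Manual account creation"))   # failedstate with note
```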

/help

Returns help for the program parameters.

Using Values from the Request

The name of a request custom column enclosed in curly brackets can be used as a symbol in the parameters of the CreateADUsers program. Such a symbol is replaced with the custom column's value during user creation. These symbols can be used in all parameters except /conn, /server, /db, /service, /beginstate and /loginmutations.

Example:
The request has custom columns with the database names "UserLastName" and "UserFirstName". The displayed username is composed in the cn property using the following notation:
/propmap "cn={UserLastName} {UserFirstName}"
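The following Python script is an added illustration of the symbol substitution described in this chapter and of the /conn versus /server and /db precedence described under the connection parameters; it is not ALVAO's own code. The regular expression, the function names, the dictionary of parameter values and the constructed request columns are assumptions made for this example. It goes slightly beyond the page's single cn example by also substituting into /adpath and by rejecting symbols in the parameters that do not support them.

```python
import re

# Assumed symbol syntax: the custom column's database name in curly brackets.
SYMBOL_RE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Parameters in which the page says request values cannot be used.
NO_SYMBOL_PARAMS = {"conn", "server", "db", "service", "beginstate", "loginmutations"}


def substitute(template, request_columns):
    """Replace every {Column} symbol with the request's custom column value."""
    def repl(match):
        name = match.group(1)
        if name not in request_columns:
            raise KeyError(f"request has no custom column {name!r}")
        return str(request_columns[name])
    return SYMBOL_RE.sub(repl, template)


def expand_parameters(params, request_columns):
    """Expand symbols in every parameter value.

    params: dict mapping parameter name (without the slash) to a list of raw
    values, because /propmap may be given several times.
    """
    expanded = {}
    for name, values in params.items():
        out = []
        for raw in values:
            if name in NO_SYMBOL_PARAMS:
                if SYMBOL_RE.search(raw):
                    raise ValueError(f"/{name} does not support request symbols: {raw!r}")
                out.append(raw)
            else:
                out.append(substitute(raw, request_columns))
        expanded[name] = out
    return expanded


def resolve_connection(params):
    """/conn wins when present; otherwise /server and /db give an integrated-auth string."""
    if params.get("conn"):
        return params["conn"][0]
    server = params.get("server", [None])[0]
    db = params.get("db", [None])[0]
    if not server or not db:
        raise ValueError("either /conn or both /server and /db must be given")
    return f"Data source={server};Initial Catalog={db};Integrated Security=True"


if __name__ == "__main__":
    # Constructed request: custom columns as they would be filled in by the form.
    request = {"UserLastName": "Doe", "UserFirstName": "John",
               "Login": "jdoe", "Department": "TestDepartment"}
    args = {
        "adpath": ["LDAP://server/OU={Department},DC=acme,DC=com"],
        "server": [".\\sqlexpress"], "db": ["ALVAO"],
        "service": ["Internal IT/User creation"],
        "propmap": ["cn={UserLastName} {UserFirstName}", "sAMAccountName={Login}"],
    }
    print(expand_parameters(args, request))
    print(resolve_connection(args))
```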

Usual User Properties in the Active Directory

The following properties are usually set when creating a user in Active Directory:

  • cn – displayed username – required
  • givenName – first name
  • sn – surname
  • sAMAccountName – user login – required
  • telephoneNumber – phone number
  • mail – e-mail
