Connectors

How to Create Active Directory User Accounts and Set Passwords Using the V1 Data Sync Connector

To create users in Active Directory there are a few steps you need to follow. The following documentation relates to any version released after 3.0.1314 and covers how to add the user, enable the account, set a manager and set a default password.

You can find a copy of the data we are using in this example in the zip folder of the sample project available here: Download Create Users Project

The DataSet we are using looks like this:

Data Set

Connect to your Source and Target

Once you have your data, connect to it as the source in the Data Sync project and then connect to Active Directory as the target.

Edit the Connection Properties

You will first need to edit the AccountName and LogonName attributes in the AD Property Collection Editor, setting the properties below.

ReadOnly=False
TryParseValue=False

To do this go to the connection properties window and locate Properties, then click onto the ellipsis (...) to open the properties collection manager.

Properties

Locate the AccountName and LogonName attributes in the list and set ReadOnly=False. Make sure to refresh your Data Source after making the changes.

AD Properties Collection Editor

You will also want to ensure that TryParseValue is set to False. This property specifies whether Data Sync should try to parse the value to extract a friendly (formatted) value or return the raw value. If you set it to True, your records are likely to show up as update actions every time you run the compare, because the formatted value does not match the data you are supplying.

You now need to set SchemaClassName to User. You can find this property under the Connection.Writer header in the connection properties window.

Set SchemaClassName

Then set SchemaItemFormat to the format you want new users to be added to AD with. For this example we have set the value to $First Name$.$Surname$.

Set SchemaItemFormat

Finally, make sure EnableAdd is set to True so that your new users can be added.

Formatting AccountName and LogonName

You then need to format your incoming data into the format you want users to be added to AD in, which is what we set earlier for SchemaItemFormat. This ensures that the values match what is stored in AD, so users are not continuously added or shown as updates unless they actually need to be.

For this example our fields are going to be similar to the following:

LogonName = firstname.lastname@demo.simego.com

AccountName = firstname.lastname

If your data is not already in this format you can do this with a couple of functions in calculated columns.

For example, for LogonName, you might concatenate the first name and last name of the user with a ".", and include the domain of choice.

CONCAT(FirstName,".",LastName,"@demo.simego.com")

This would join the first and last name column with the text you want for each record.

For the AccountName you could use the concatenate function as above, or alternatively you could split the LogonName result. For example, the expression below returns everything before the "@".

SPLIT(LogonName, "@", 1)

You may also want to create a calculated column for DisplayName if you do not already have a field suitable in your source data.
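As an added example (not code from this article or from the sample project), the following C# helper builds LogonName and AccountName in the $First Name$.$Surname$ format used above and applies the checks a practitioner would want before the values reach AD: it trims and lower-cases the name parts, strips accents, spaces and the characters that are not permitted in sAMAccountName, enforces the 20-character limit that Active Directory places on a user's sAMAccountName, and confirms that AccountName equals the part of LogonName before the "@" so that records do not keep appearing as updates on every compare. The class name AdAccountNames, the result type AccountNamePair and the method names are assumptions; demo.simego.com is the example domain from this article.

```csharp
using System;
using System.Globalization;
using System.Text;

// Hypothetical helper, not part of Data Sync: produces the two values the
// schema map above expects and validates rows that already carry them.
public class AccountNamePair
{
    public string LogonName { get; set; }   // firstname.lastname@demo.simego.com
    public string AccountName { get; set; } // firstname.lastname
}

public static class AdAccountNames
{
    // Characters Active Directory does not allow in sAMAccountName.
    private const string IllegalSamChars = "\"/\\[]:;|=,+*?<>@";

    // User objects: sAMAccountName may be at most 20 characters.
    private const int MaxSamLength = 20;

    // Lower-cases the value, removes accent marks, whitespace and illegal characters.
    public static string NormalizeNamePart(string value)
    {
        if (string.IsNullOrWhiteSpace(value))
            throw new ArgumentException("Name part must not be empty", "value");

        // FormD splits "é" into "e" + combining accent so the accent can be dropped.
        var decomposed = value.Trim().ToLowerInvariant().Normalize(NormalizationForm.FormD);
        var sb = new StringBuilder();
        foreach (var c in decomposed)
        {
            if (CharUnicodeInfo.GetUnicodeCategory(c) == UnicodeCategory.NonSpacingMark) continue;
            if (char.IsWhiteSpace(c) || IllegalSamChars.IndexOf(c) >= 0) continue;
            sb.Append(c);
        }
        return sb.ToString();
    }

    // Builds both values from the source first name and surname, e.g.
    // Build("Mary Ann", "O'Brien", "demo.simego.com") -> maryann.o'brien@demo.simego.com / maryann.o'brien
    public static AccountNamePair Build(string firstName, string surname, string domain)
    {
        var local = NormalizeNamePart(firstName) + "." + NormalizeNamePart(surname);
        if (local.Length > MaxSamLength)
            throw new ArgumentException(
                "'" + local + "' exceeds the " + MaxSamLength + "-character sAMAccountName limit; " +
                "choose a different SchemaItemFormat for this record rather than truncating it");

        return new AccountNamePair { LogonName = local + "@" + domain, AccountName = local };
    }

    // For rows that already carry both columns: a mismatch between AccountName and the
    // local part of LogonName is what makes a record show as an update on every compare.
    public static bool IsConsistent(string logonName, string accountName)
    {
        if (string.IsNullOrEmpty(logonName) || string.IsNullOrEmpty(accountName)) return false;
        var at = logonName.IndexOf('@');
        return at > 0 && string.Equals(logonName.Substring(0, at), accountName, StringComparison.OrdinalIgnoreCase);
    }
}
```

Build throws rather than truncating an over-long name, because a silently truncated AccountName would no longer match the $First Name$.$Surname$ value that SchemaItemFormat produces, and the record would be re-added or flagged as an update on every run; such rows are better fixed in the source data or given a different format.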

Defining a Default Value for UserAccountControl

Now we need to enable the new user accounts. To do this you can set a default value for the UserAccountControl (UAC) attribute, but it must be set using Project Automation, as it cannot be set before a password has been applied to the account.

You will need to add your UAC column from your source and make sure it is mapped to UAC on the target. If you do not already have a column holding the value you want userAccountControl to have, you can create one using Calculated Columns.

For this example our accounts have the value 512, which corresponds to a normal account that is enabled. Please see the Microsoft page here for explanations of the codes used for UserAccountControl, as you may want to use a different value.

We then update this using the following code in project automation.

public override void AfterAddItem(object sender, DataCompareItemInvariant item, object identity)
{
    Trace.WriteLine("AfterAddItem->{0}", identity);

    var values = item.ToAddItemDictionary(TargetMapping); // Row values keyed by target column name

    using (var entry = DataSourceB.GetDirectoryEntry(identity))
    {
        entry.Properties["pwdLastSet"].Value = 0; // User must change password at next logon
        entry.Properties["userAccountControl"].Value = values["userAccountControl"]; // 512: normal, enabled account
        entry.CommitChanges();
    }
}

For existing users we can update the UserAccountControl value using calculated columns and lookups. We handle enabling and disabling existing users in a different article here.

Setting the Manager Field

If your data specifies the user's manager you can include this in the user account creation. Alternatively this can be set at a later date using the details here.

By default the Manager attribute is set to ReadOnly=True; to update it you need to set ReadOnly to False.

To do this open the Property Collection, find the manager attribute in the list and then change ReadOnly and TryParseValue to False.

Manager Properties

Once you are done, please refresh your target data source by using the refresh button.

Refresh Data Source

If you preview the data you will notice that the manager is returned as a distinguished name, e.g. CN=User,OU=Test,DC=demo,DC=simego,DC=com. This is the form in which Data Sync must present the manager to Active Directory, and we can obtain the distinguished name with a lookup to AD in a calculated column.

Manager Lookup

An example of a lookup function to find the Distinguished Name of the manager is:

LOOKUPB("Distinguished Name", "", WHEN("EmployeeID", ReportsTo))

This function looks up the distinguished name when the EmployeeID attribute matches the value in the ReportsTo (manager) column of the source data.

Manager Lookup

You can find more details on Lookups in Active Directory here, such as looking up managers in different OUs.

You then need to map this result to the Manager record in the schema map.

Schema Map

Set a Default Password

Finally you will want to set the password for the user account. To do this we extend the code we wrote for UserAccountControl earlier.

You need to add the userPassword column to the properties collection, and then add it to the schema. This is so that the column can be targeted by Project Automation.

UserPassword

Map this column to the corresponding column in your source. You also need to edit the schema properties, setting the Data Compare property Ignore to True, so that the password field does not trigger update events.

When any other field triggers an update, the password field will also appear in the update action, but nothing is actually written for it when the sync runs unless you have added code to update the password on update events.

Schema Mapping & Properties

Then in Project Automation add the following line to the AfterAddItem method to set the password:

entry.Invoke("SetPassword", values["UserPassword"]);

Because a default password defined in the source data is not very secure, you will want users to be forced to change it when they first log in; the code below does this by setting pwdLastSet to 0.

Your full Project Automation code should now look similar to:

public override void AfterAddItem(object sender, DataCompareItemInvariant item, object identity)
{
    Trace.WriteLine("AfterAddItem->{0}", identity);

    var values = item.ToAddItemDictionary(TargetMapping); // Row values keyed by target column name

    using (var entry = DataSourceB.GetDirectoryEntry(identity))
    {
        entry.Invoke("SetPassword", values["UserPassword"]); // Set the password
        entry.Properties["pwdLastSet"].Value = 0; // User must change password at next logon
        entry.Properties["userAccountControl"].Value = values["userAccountControl"]; // 512: normal, enabled account
        entry.CommitChanges();
    }
}
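The following is an added example, not code from this article or from Simego, showing how the AfterAddItem method above can be hardened against the two failure modes this procedure can run into: a row that arrives without a usable UserPassword, and a userAccountControl value from the source that would enable the account with PASSWD_NOTREQD, DONT_REQ_PREAUTH or DONT_EXPIRE_PASSWD set. It also serves the "Defining a Default Value for UserAccountControl" section earlier: the flag values are the ones published in the Microsoft userAccountControl documentation referenced there. The UacFlags enum and UacPolicy class are hypothetical helpers placed inside the same Project Automation class; DataSourceB, TargetMapping, Trace, GetDirectoryEntry and ToAddItemDictionary are the Data Sync members the page's own code already uses, and the example assumes ToAddItemDictionary returns a dictionary keyed by target column name, as the page's code implies.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Subset of the userAccountControl bitmask relevant to creating a normal user
// (values from the Microsoft userAccountControl documentation).
[Flags]
public enum UacFlags
{
    AccountDisable     = 0x0002,
    PasswdNotReqd      = 0x0020,
    NormalAccount      = 0x0200,
    DontExpirePassword = 0x10000,
    DontReqPreauth     = 0x400000
}

// Hypothetical helper: decides whether a source-supplied UAC value may be written.
public static class UacPolicy
{
    // Bits this sync should never write for a freshly created account: no password
    // required, password never expires, Kerberos pre-authentication disabled.
    private const UacFlags Forbidden = UacFlags.PasswdNotReqd | UacFlags.DontExpirePassword | UacFlags.DontReqPreauth;

    // Accepts the raw cell value (string or number). Returns the value only if it is a
    // normal account without any forbidden bit; otherwise null. Validate("512") -> 512,
    // Validate("544") -> null because 544 = 512 + PASSWD_NOTREQD (0x20).
    public static int? Validate(object raw)
    {
        int value;
        if (raw == null || !int.TryParse(Convert.ToString(raw), out value)) return null;
        var flags = (UacFlags)value;
        if ((flags & UacFlags.NormalAccount) == 0) return null;
        if ((flags & Forbidden) != 0) return null;
        return value;
    }
}

public override void AfterAddItem(object sender, DataCompareItemInvariant item, object identity)
{
    Trace.WriteLine("AfterAddItem->{0}", identity);

    var values = item.ToAddItemDictionary(TargetMapping); // Row values keyed by target column name

    var password = values.ContainsKey("UserPassword") ? Convert.ToString(values["UserPassword"]) : null;
    if (string.IsNullOrEmpty(password))
    {
        // Leave the object as AD created it (disabled) rather than enabling it without a password.
        Trace.WriteLine("No UserPassword supplied for {0}; account left disabled", identity);
        return;
    }

    int? uac = UacPolicy.Validate(values.ContainsKey("userAccountControl") ? values["userAccountControl"] : null);
    if (uac == null)
    {
        Trace.WriteLine("userAccountControl rejected for {0}; account left disabled", identity);
        return;
    }

    using (var entry = DataSourceB.GetDirectoryEntry(identity))
    {
        try
        {
            entry.Invoke("SetPassword", password); // Applied immediately by ADSI, before the account is enabled
        }
        catch (Exception ex)
        {
            // Typically the domain password policy rejected the value: do not enable the account.
            Trace.WriteLine("SetPassword failed for {0}", identity + ": " + ex.Message);
            return;
        }

        entry.Properties["pwdLastSet"].Value = 0;              // User must change password at next logon
        entry.Properties["userAccountControl"].Value = uac.Value; // e.g. 512: normal, enabled account
        entry.CommitChanges();
    }
}
```

If SetPassword throws, the method returns before pwdLastSet and userAccountControl are written, so the new object keeps the state Active Directory gives a freshly created user (userAccountControl 546, i.e. NORMAL_ACCOUNT with PASSWD_NOTREQD and ACCOUNTDISABLE set). Writing 512 is what clears both PASSWD_NOTREQD and ACCOUNTDISABLE, which is why the order in this method, password first and then userAccountControl, matters.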

Schema Map

At the end of the steps above you should have a schema map similar to:

Schema Map

Yours may differ due to different column names, and you may also have additional fields added. Please make sure to select a unique key that can link your source data to your target data; in this example we have used employeeID, but we could have used LogonName.

Compare & Sync

Once you have everything in place and are ready to run the sync, set EnableAdd on the target to True (if you have not already done so) so that your new users are added to Active Directory. By default this is set to False, to prevent accidental additions during your normal synchronisations.

Once this has been done, click Compare A -> B to run the comparison. You can preview the results to make sure the data appears as you expect.

Preview Compare Results

If you want to test the creation on a single account, deselect all records with the Clear All button and then tick the checkbox next to the record you want to add.

Select One to Sync

Once you are satisfied, click Synchronise to start the sync.

Once it has run you can either look for the users in AD or you can preview your target dataset to ensure that everything has run as expected.