Schedule Import of Users from CSV
With Adaxes you can automate the provisioning of user accounts by importing data from a CSV file into Active Directory on a regular basis. To schedule the import process you need to create a Scheduled Task that will periodically execute a PowerShell script. The script will read in a CSV file using the Import-Csv cmdlet and pass the data to the New-AdmUser cmdlet to create users in Active Directory.
The New-AdmUser cmdlet is included in Adaxes PowerShell Module for Active Directory. To use the cmdlet in a Scheduled Task, you need to install Adaxes PowerShell Module on the computer, where your Adaxes service is running.
Perform the following steps to schedule the import of user accounts from a CSV file:
-
Create a CSV file with user data.
ColumnsBy default, Adaxes will expect the columns in the CSV file to be named like in the table below. If the columns in your CSV file are named differently, you will need to use column mapping.
Column Name Description Example Type AccountExpirationDate The expiration date for the account. When set to 0, the account never expires. 4/17/2006
Monday, April 17, 2006
Monday, April 17, 2006 2:22 PM
Mon, 17 Apr 2006 21:22:48 GMT
05/01/2012 5:00:00 PMDate AccountNotDelegated Specifies whether the security context of the user is delegated to a service. true
falseBoolean AccountPassword The user password. secret Secure String AllowReversiblePassword
EncryptionSpecifies whether reversible password encryption is allowed for the account. true
falseBoolean CannotChangePassword Specifies whether the account password can be changed. true
falseBoolean ChangePasswordAtLogon Specifies whether the password must be changed during the first logon. true
falseBoolean City The user's town or city. London String Company The user's company. Acme String Country The country or region code for the user's language of choice. US
FRString Department The user's department. Sales String Description The description of the user. External subcontractor String DisplayName The display name of the user. John Smith String Division The user's division. Software String EmailAddress The user's e-mail address. johndoe@example.com String EmployeeID The user's employee ID. A123321 String EmployeeNumber The user's employee number. 112233 String Enabled Specifies if the account is enabled. true
falseBoolean Fax The user's fax phone number. +1 (999) 555 1122 String GivenName The user's first name. John String HomeDirectory The user's home directory. \\SERVER\johnsmith String HomeDrive The drive that is associated with the UNC path defined by the HomeDirectory property. D: String HomePage The URL of the home page of the user. http://example.com/jsmith String HomePhone The user's home telephone number. +1 (999) 555 2222 String Initials The initials that represent part of the user's name. L String LogonWorkstations The computers that the user can access. COMP1,COMP2.example.com String Manager The user's manager. john.doe
CN=Doe,CN=Users,DC=acme,DC=com
7D1D1508-2A07-47D8-8933-C9E557ED86D0
S-1-5-21-1233211223-291919
ADUser MobilePhone The user's mobile phone number. +1 (999) 555 3333 String Name The user's full name. John Smith String Office The location of the user's office or place of business. B1021 String OfficePhone The user's office telephone number. +1 (999) 555 4444 String Organization The user's organization. Accounting String OtherAttributes Values for user properties that cannot be specified in the CSV file columns. 'extensionAttribute1'=value
'customAttribute'=value1,value2
'attr1'=val; 'attr2'=val1,val2TTT OtherName The name in addition to a user's given name and surname, such as the user's middle name. Peter String PasswordNeverExpires Specifies whether the password of the account can expire. true
falseBoolean PasswordNotRequired Specifies whether the account requires a password. true
falseBoolean Path The DN of the Organizational Unit (OU) or container where the new user will be created. CN=Users,DC=acme,DC=com String POBox The user's post office box number. 25656 String PostalCode The user's postal code or zip code. 18711 String ProfilePath The path to the user's profile. \\SERVER\profiles\johndoe String ProtectedFromAccidental
DeletionSpecifies whether an object is protected from accidental deletion. true
falseBoolean SamAccountName The user's logon name (pre-Windows 2000). johnsmith String ScriptPath The path to the user's log on script. \\SCRIPTS\johnsmithLogin String SmartcardLogonRequired Specifies whether a smart card is required to logon. true
falseBoolean State The user's state or province. Nevada String StreetAddress The user's street address. 100 Main Street String Surname The user's last name or surname. Smith String Title The user's title. Sales Manager String TrustedForDelegation Specifies whether an account is trusted for Kerberos delegation. true
falseBoolean UserPrincipalName The user's logon name. johnsmith@example.com String -
Launch Adaxes Administration Console, expand your Adaxes service, right-click Scheduled Tasks, point to New and click Scheduled Task.
Enter a name for the new Scheduled Task, and click Next.
It is recommended to use nouns to name Scheduled Tasks (e.g. CSV Importer, Membership Manager), because tasks will appear as operation initiators in the Adaxes Log and approval email notifications. -
Specify how often the task should run and click Next.
-
To import user accounts into an Organizational Unit, select the Organizational Unit object type.
Click Next.
-
Click Add an action and select Run a program or PowerShell script.
Click the
button to provide a custom description for the action.
-
Click the Edit button to open the script editor.
-
If your CSV file doesn't contain any special columns and all columns are named exactly as in the table from Step 1 of this tutorial, use the below script to import new users.
Import-Module Adaxes $file = "\\SERVER\Share\users.csv" $targetDN = "%distinguishedName%" $domain = $Context.GetObjectDomain($targetDN) Import-CSV $file | New-AdmUser -Path $targetDN -Server $domain ` -AdaxesService localhost
The -Path parameter specifies the distinguished name (DN) of the Organizational Unit or container where to create user accounts. Value reference %distinguishedName% will be replaced with the DN of the Organizational Unit included in the activity scope of the task.
If your CSV file contains columns with the following data types, they need to be processed in the script:
- Password e.g. AccountPassword
- Boolean e.g. ChangePasswordAtLogon, Enabled
- DN e.g. Manager
Processing columns with specific data types
Import-Module Adaxes $file = "\\SERVER\Share\users.csv" $targetDN = "%distinguishedName%" $domain = $Context.GetObjectDomain($targetDN) $importedUsers = Import-Csv $file foreach ($user in $importedUsers) { # Password column $user.AccountPassword = ` ConvertTo-SecureString -AsPlainText $user.AccountPassword -Force # Boolean columns $user.Enabled = [System.Boolean]::Parse($user.Enabled) $user.ChangePasswordAtLogon = [System.Boolean]::Parse($user.ChangePasswordAtLogon) # DN syntax column $managerID = $user.Manager $manager = Get-ADmObject -Filter {(employeeID -eq $managerID)} ` -AdaxesService localhost -ErrorAction SilentlyContinue $user.Manager = $manager.DistinguishedName $user | New-AdmUser -Path $targetDN -AdaxesService localhost -Server $domain }
The columns have to be processed because Active Directory expects data of a specific type. For example, to specify a manager, you need to pass the manager's distinguished name (DN). This means you need to obtain the DN in the script if the column in your CSV contains some other unique identifier, like employee ID.
You need to use column mapping in the script if your CSV file has custom column names.
Column mappingIf the columns in your CSV file have names that don't match AD property names, the CSV file has to be processed differently. Use the below script that maps custom column names to LDAP properties.
The $columnMap variable specifies a hashtable that maps column names from your file to property names of the new user accounts.
Import-Module Adaxes $file = "\\SERVER\Share\users.csv" $targetDN = "%distinguishedName%" $domain = $Context.GetObjectDomain($targetDN) $columnMap = @{ "First Name" = "givenName"; "Last Name" = "sn"; "EmpID" = "employeeID"; "EmpRole" = "adm-CustomAttributeText1"; } $importedUsers = Import-Csv $file foreach ($user in $importedUsers) { $propertyToValue = @{} foreach ($property in $user.PSObject.Properties) { # Get AD property name $propertyName = $columnMap[$property.Name] $value = $property.Value if ($NULL -eq $value) { continue } $propertyToValue.Add($propertyName, $value) } New-AdmUser -Path $targetDN -Server $domain -Name $name ` -AdaxesService localhost -Enabled $True -OtherAttributes $propertyToValue }
Error Email Notifications
If you want the script to send an email notification if an error occurred during user account creation, you can use the following code:
... try { $user | New-AdmUser -Path $targetDN -AdaxesService localhost -Server $domain` -ErrorAction Stop } catch [System.Exception] { $to = "admin@company.com" $subj = "Failed to Import User from CSV" $bodyText = "Adaxes failed to import user " + $user.Name + " from $file."` + "`nError: " + $_.Exception.Message $bodyHtml = $NULL $Context.SendMail($to, $subj, $bodyText, $bodyHtml) $Context.LogMessage($bodyText, "Error") }For information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.
When finished, click OK two times and then click Next.
-
On the Activity Scope page, specify the Organizational Unit where imported user accounts will be created.
- Click the Add button.
-
Select the target Organizational Unit.
-
In the Assignment Options dialog, check the The Organizational Unit object checkbox and uncheck the Objects located in the Organizational Unit checkbox.
- Click OK two times.
Using Business Rules you can automatically move newly created users to appropriate Organizational Units based on certain rules. For more details, see Automatically Move Users between Organizational Units. -
The activity scope of the Scheduled Task must include a single Organizational Unit! Otherwise the task will import user accounts to each OU included in the activity scope.
Click Finish.