How it works
Active Directory (AD) is a directory service from Microsoft for Windows domain networks; it is included in most Windows Server operating systems. This script is intended to query on-premises Active Directory only; see here for the AzureAD/Office365 export.
Your unique script imports selected users from your AD into your WhosOnLocation account, using the PowerShell Get-ADUser cmdlet and a secure upload to our server. The script is written in PowerShell, is fully auditable by the customer, and works with a web proxy if you use one.
How the script works:
- The script is run periodically from one of your computers under an account that can query the directory. Your system administrator will set this up.
- The script runs Get-ADUser and converts the result to CSV format.
- An encrypted HTTPS connection is made to our systems.
- The data is sent and merged with our database: new users are added, modified users are updated, and removed users are set to disabled.
Requirements:
- Windows PowerShell 4.0 or greater.
- An LDAP SearchBase, which specifies the Active Directory path to export users from (example: "CN=Users,DC=example,DC=com").
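The PowerShell below is an added illustration of the export-convert-upload flow described above; it is not the customer-specific script that WhosOnLocation generates. The upload URL, the bearer-token authentication and the exported attribute list are assumptions (placeholders), since the real endpoint and credentials are defined only in the downloaded script. It does show the points a reviewer would check in the real script: a minimal attribute list, subtree scope under the search base, TLS 1.2, and proxy handling.

```powershell
# Added example: illustrates the Get-ADUser -> CSV -> HTTPS flow. Not the
# WhosOnLocation-generated script; endpoint, token and field list are assumptions.
#Requires -Version 4.0
Import-Module ActiveDirectory

$searchBase = 'CN=Users,DC=example,DC=com'          # LDAP SearchBase from your sync profile
$uploadUrl  = 'https://UPLOAD-ENDPOINT-PLACEHOLDER/' # placeholder: the real URL comes from the downloaded script
$apiToken   = 'API-TOKEN-PLACEHOLDER'                # placeholder: the real credential comes from the downloaded script
$proxy      = $null  # e.g. 'http://proxy.example.com:8080' if your network uses a web proxy

# Only the attributes the directory sync needs should leave the network; keep this list minimal.
$properties = 'GivenName', 'Surname', 'EmailAddress', 'Department', 'Title', 'Enabled'

# Export enabled users below the search base. -SearchScope Subtree includes child OUs.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -SearchScope Subtree -Properties $properties |
    Select-Object SamAccountName, GivenName, Surname, EmailAddress, Department, Title

# Convert to CSV in memory; -NoTypeInformation drops the '#TYPE' header line PowerShell adds.
$csv = ($users | ConvertTo-Csv -NoTypeInformation) -join "`r`n"

# Pin TLS 1.2: Windows PowerShell may otherwise negotiate an older protocol.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$params = @{
    Uri         = $uploadUrl
    Method      = 'Post'
    Body        = $csv
    ContentType = 'text/csv'
    Headers     = @{ Authorization = "Bearer $apiToken" }   # assumed auth scheme
}
if ($proxy) {
    $params.Proxy = $proxy
    $params.ProxyUseDefaultCredentials = $true   # authenticate to the proxy as the task's own account
}

$response = Invoke-RestMethod @params
Write-Output ("Uploaded {0} users; server replied: {1}" -f $users.Count, $response)
```

Run it interactively once under the account the scheduled task will use; that confirms the account can read the search base and reach the upload endpoint through the proxy before the task is scheduled.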
Download the script
You can download your unique script from your sync profile:
- Go to Tools > Account.
- Select Integrations from the left-hand menu.
- Select the Enabled Integrations tab.
- Click Manage Settings next to SyncPortal.
- Click Settings next to your sync profile.
- Select the Connectors tab.
- Select PowerShell AD.
- Click Download Script.
This script will import data to the sync profile to be managed and monitored through your rules and logs.
Determining your search base
The search base is the location within Active Directory where the user export begins; all matching user objects under this location will be exported. The path is in LDAP Distinguished Name syntax.
If you do not know your user OU, an LDAP browser such as http://www.ldapadmin.org/ can be invaluable. You can also run a query from any member server on your Windows domain using the dsquery tool.
To find the User Base DN:
- Open a Windows command prompt.
- Type the command: dsquery user -name <known account name>
  (Example: to find all users named John, enter the name as John* to get a list of all users whose name begins with John.)
- The result will look like: "CN=John Smith,CN=Users,DC=Example,DC=com"
- For your $searchbase variable in the script you would enter: CN=Users,DC=Example,DC=com
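As an added example (not part of the WhosOnLocation script), the PowerShell below turns a dsquery result into the parent container DN the way the steps above do by hand, and then checks that the DN exists and counts the users the export would actually send. The function names `Get-ParentDN` and `Test-SearchBase` and the sample DN are constructed for this example.

```powershell
# Added example (not part of the WhosOnLocation script): derive the search base from a
# dsquery result and confirm it is a valid, populated container before using it.
Import-Module ActiveDirectory

function Get-ParentDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Strip the leading RDN. A comma escaped as '\,' (e.g. "CN=Smith\, John") is part
    # of the RDN value, so only an unescaped comma ends the first component.
    $i = 0
    while ($i -lt $DistinguishedName.Length) {
        $c = $DistinguishedName[$i]
        if ($c -eq '\') { $i += 2; continue }
        if ($c -eq ',') { return $DistinguishedName.Substring($i + 1).TrimStart() }
        $i++
    }
    throw "No parent container in DN: $DistinguishedName"
}

function Test-SearchBase {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Existence check: throws ADIdentityNotFoundException if the DN is mistyped.
    $container = Get-ADObject -Identity $SearchBase
    # Count what the export would send, so a scope surprise shows up here rather than after upload.
    $count = (Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree | Measure-Object).Count
    [pscustomobject]@{
        SearchBase  = $SearchBase
        ObjectClass = $container.ObjectClass
        UserCount   = $count
    }
}

# Constructed sample: the quoted dsquery output from the steps above.
$dsqueryResult = '"CN=John Smith,CN=Users,DC=Example,DC=com"'
$searchbase = Get-ParentDN -DistinguishedName $dsqueryResult.Trim('"')
$searchbase                      # CN=Users,DC=Example,DC=com

Test-SearchBase -SearchBase $searchbase | Format-List
```

If UserCount is far larger than the staff list you expect, the search base is probably too high in the tree (for example the domain root); if it is zero or the object class is not container or organizationalUnit, the DN points at the wrong object.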
Once the sync is working, it is typically set to run on a regular schedule. To set up scheduling, follow the steps below:
1. Open task scheduler
Open Task Scheduler and create a new task. Name it and set the user account to one that can query Active Directory to extract the staff list. Select the 'Run whether user is logged on or not' option.
2. Set triggers
Click the Triggers tab and set the schedule or event that will trigger your PowerShell script. It is typically run once per day, but any schedule can be used.
3. Create your action
Click the Actions tab and click New.
Action: Start a program
Argument: the path to your PowerShell script, e.g. c:\temp\wol2-adsync.ps1
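The same task can be created from PowerShell instead of the Task Scheduler GUI. The block below is an added example, not part of the WhosOnLocation script or its documentation; the script path, task name, schedule and account are assumptions. Because a Task Scheduler action starts a program, the program is powershell.exe and the script path is passed to it with -File; supplying a user name and password is what selects 'Run whether user is logged on or not', and a Limited run level keeps the task from running elevated, which a directory query does not need.

```powershell
# Added example (not part of the WhosOnLocation script): register the scheduled task
# from PowerShell instead of the Task Scheduler GUI. Path, name, schedule and account are assumptions.
$scriptPath = 'C:\temp\wol2-adsync.ps1'
$taskName   = 'WhosOnLocation AD Sync'

# The program is powershell.exe; the script is the -File argument. -NoProfile and
# -NonInteractive stop it loading profile scripts or waiting on a prompt under the service account.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""

# Once a day at 02:00; stop a hung run after an hour; catch up if the machine was off at the trigger time.
$trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

# Prompt for the account that can query Active Directory rather than embedding a password in this file.
# Passing -User/-Password registers the task to run whether the user is logged on or not.
$cred = Get-Credential -Message 'Account that will run the AD sync'
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited

# Verify: run once now and check the last result (0 means the script exited successfully).
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 30
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

The account used here should be a dedicated, least-privilege account that can read the search base and nothing more; a LastTaskResult other than 0 after the verification run usually means the account could not read the OU or could not reach the upload endpoint through the proxy.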