Set up PowerShell AD Connector for SyncPortal

Learn how to set up the PowerShell AD Connector for SyncPortal. You need the IT Support user role to access these settings in MRI OnLocation.

How it works

Active Directory (AD) is the directory service Microsoft implements for Windows domain networks; it is included in most Windows Server operating systems. This script queries on-premises Active Directory only; a separate article covers Azure AD/Office 365 export.

Your unique script imports selected users from your AD into your OnLocation account. It queries the directory with the PowerShell Get-ADUser cmdlet and uploads the result to our server over HTTPS. The script is written in PowerShell, so the customer can audit every line of it, and it works with a web proxy if you use one. Because the script is generated for your account, treat the file like a credential: store it where only the account that runs it can read it.

How the script works: 

  1. The script is run periodically from one of your computers under an account that can query the directory (read access to the user OU is sufficient). Your system administrator sets this up.
  2. The script runs Get-ADUser and converts the result to CSV format.
  3. An encrypted HTTPS connection is made to our systems.
  4. The data is sent and merged with our database: new users are added, modified users are updated, and users no longer returned by the query are set to disabled. Because of this last step, an export that returns the wrong set of users (for example, because of a wrong search base) disables the missing accounts in OnLocation, so verify the search base before scheduling the script.
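The following script is an added illustration of the four steps above, with the same shape as the connector (query, CSV, HTTPS upload). It is not the SyncPortal script, which you download from your sync profile and which carries its own endpoint and credentials; the search base, upload URL, token variable and attribute list here are placeholders.

```powershell
# Added illustration of the export-and-upload flow. NOT the vendor script:
# $SearchBase, $UploadUrl and $ApiToken are assumed placeholders.
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',    # assumption: your user OU
    [string]$UploadUrl  = 'https://sync.example.com/upload',# assumption: upload endpoint
    [string]$ApiToken   = $env:SYNCPORTAL_TOKEN             # assumption: token kept out of the file
)

# Get-ADUser comes from the ActiveDirectory module (RSAT / AD DS tools).
Import-Module ActiveDirectory -ErrorAction Stop

# Windows PowerShell 4.0 on .NET 4.5 still negotiates TLS 1.0 by default;
# refuse anything below TLS 1.2 before opening the connection.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Export only enabled accounts under the search base, and only the attributes
# the sync needs. -SearchBase uses SearchScope Subtree by default, so every OU
# beneath the base is included.
$users = Get-ADUser -Filter { Enabled -eq $true } `
                    -SearchBase $SearchBase `
                    -Properties mail, telephoneNumber, department |
         Select-Object SamAccountName, GivenName, Surname, mail, telephoneNumber, department

if (@($users).Count -eq 0) {
    # An empty export would disable every user on the remote side; stop instead.
    throw "No users found under $SearchBase; aborting upload."
}

$csvPath = Join-Path $env:TEMP 'adsync-export.csv'
$users | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

try {
    # Invoke-RestMethod honours the system (WinINET) proxy by default; add
    # -Proxy / -ProxyUseDefaultCredentials only if your proxy requires it.
    $response = Invoke-RestMethod -Uri $UploadUrl -Method Post `
                    -InFile $csvPath -ContentType 'text/csv' `
                    -Headers @{ Authorization = "Bearer $ApiToken" }
    Write-Output "Uploaded $(@($users).Count) users. Server response: $response"
}
finally {
    # The CSV holds personal data; do not leave it on disk between runs.
    Remove-Item $csvPath -ErrorAction SilentlyContinue
}
```

Run it interactively once (`.\adsync-example.ps1 -SearchBase 'OU=Staff,DC=example,DC=com'`) before scheduling it, and check the user count it reports against what you expect: the "users no longer returned are disabled" rule in step 4 makes a too-narrow search base a self-inflicted outage.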

Requirements:

  • Windows PowerShell 4.0 or greater.
  • The ActiveDirectory PowerShell module (installed with the Remote Server Administration Tools / AD DS tools), which provides the Get-ADUser cmdlet.
  • An LDAP search base: the Active Directory path to export users from, in Distinguished Name syntax (example: "CN=Users,DC=example,DC=com").

Download the script

You can download your unique script from your sync profile:

  1. Go to Tools > Account.
  2. Select Integrations from the left-hand menu.
  3. Select the Enabled Integrations tab.
  4. Click Manage Settings next to SyncPortal.
  5. Click Settings next to your sync profile.
  6. Select the Connectors tab. 
  7. Select PowerShell AD.
  8. Click Download Script.


This script will import data to the sync profile to be managed and monitored through your rules and logs.

Determine your search base

The search base is the location within Active Directory where the user export begins. All matching user objects under this location, including those in nested OUs, are exported. The path is written in LDAP Distinguished Name syntax.

If you do not know which OU holds your users, an LDAP browser such as http://www.ldapadmin.org/ is invaluable. You can also run a query with the dsquery tool from any member server on your Windows domain that has the AD DS tools installed.

To find the User Base DN:

  • Open a Windows command prompt.
  • Type the command: dsquery user -name <known account name>
    (Example: to list every user named John, enter the name as John*; the wildcard matches all users whose name begins with John.)
  • The result will look like: "CN=John Smith,CN=Users,DC=Example,DC=com"
  • For the $searchbase variable in the script, enter the part after the user's own CN= component: CN=Users,DC=Example,DC=com
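The same lookup in PowerShell, as an added example that is not part of the original article. It derives the search base from one known account's Distinguished Name, then checks that the container exists and how many users the export would cover. The account name 'jsmith' is an assumption; substitute one of your own users.

```powershell
# Added example: derive and sanity-check $searchbase from a known account.
Import-Module ActiveDirectory -ErrorAction Stop

# Assumption: 'jsmith' is a user who lives in the OU you want to export.
$known = Get-ADUser -Identity 'jsmith'
$dn    = $known.DistinguishedName   # e.g. CN=John Smith,OU=Staff,DC=Example,DC=com

# The search base is the DN with the leading RDN (CN=...) removed. A plain
# split on ',' breaks on escaped commas such as "CN=Smith\, John", so strip
# the first *unescaped* RDN with a regex instead.
$searchBase = $dn -replace '^(?:[^,\\]|\\.)+,', ''

# Check 1: the container exists (throws if the DN is wrong).
$container = Get-ADObject -Identity $searchBase

# Check 2: how many users the export would cover. SearchScope defaults to
# Subtree, so every OU beneath $searchBase is counted.
$count = (Get-ADUser -Filter * -SearchBase $searchBase | Measure-Object).Count

"Search base : $searchBase ($($container.ObjectClass))"
"Users found : $count"

if ($container.ObjectClass -eq 'container' -and $searchBase -like 'CN=Users,*') {
    # The default Users container usually also holds service and built-in
    # accounts; a dedicated staff OU gives a cleaner export.
    Write-Warning 'Search base is the default Users container; consider a dedicated staff OU.'
}
```

Compare the reported count with the size of the staff list you expect SyncPortal to hold. If it is far larger, the base is too high in the tree (service accounts will be imported); if it is too small, users in sibling OUs will be disabled on the next sync.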

Set your schedule 

Once the sync is working, it would typically be set to run on a regular schedule. To set up your scheduling, follow the steps below:

Step 1: Open task scheduler

Open Task Scheduler and create a new task. Name it and set the user account to one that is able to query Active Directory to extract the staff list; a dedicated, read-only domain account is preferable to an administrator account, since reading users is all the script needs. Select the 'Run whether user is logged on or not' radio button. Leave 'Run with highest privileges' unchecked.


Step 2: Set the triggers

Click on the Triggers tab and set your schedule or event that will trigger the running of your PowerShell script. This is typically run once per day but can be any schedule.


Step 3: Create your action

Click on the Actions tab and click on New.

Action: Start a program

Program/script: Powershell.exe

Add arguments: -NoProfile -NonInteractive -File followed by the path to your PowerShell script, e.g. -NoProfile -NonInteractive -File "c:\temp\wol2-adsync.ps1"

Passing the script with -File (rather than as a bare path) handles paths that contain spaces and returns the script's exit code to Task Scheduler, so a failed run shows up in the task history.
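The three steps above can also be done from PowerShell with the ScheduledTasks module (available on Windows 8 / Server 2012 and later). This is an added example, not part of the original article: the task name, the service account 'EXAMPLE\svc-adsync' and the 02:00 schedule are assumptions, and the script path is the one used in the article.

```powershell
# Added example: register the export task from Step 1-3 with the
# ScheduledTasks module. Placeholders are assumptions; adjust to your domain.
$scriptPath  = 'C:\temp\wol2-adsync.ps1'   # path used in the article
$serviceUser = 'EXAMPLE\svc-adsync'        # assumption: read-only domain account
$taskName    = 'SyncPortal AD export'      # assumption

# The script is unique to your account, so lock it down: only the service
# account, SYSTEM and local Administrators can read it; inheritance removed.
icacls $scriptPath /inheritance:r /grant:r "${serviceUser}:R" 'SYSTEM:F' 'BUILTIN\Administrators:F' | Out-Null

# Step 3 (action): -File, not a bare path, so spaces and the exit code are
# handled; -NonInteractive so a stray prompt cannot hang the task forever.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Step 2 (trigger): once a day at 02:00.
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Stop a hung run after an hour; run late rather than skip if the host was off.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
                                         -StartWhenAvailable

# Step 1 (security options): supplying -User/-Password stores the credential
# so the task runs whether the user is logged on or not; RunLevel Limited
# means no elevation, which a read-only AD query does not need.
$cred = Get-Credential -UserName $serviceUser -Message 'Password for the export account'

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $serviceUser -Password $cred.GetNetworkCredential().Password -RunLevel Limited `
    -Description 'Exports Active Directory users to SyncPortal' | Out-Null

# Confirm registration and run it once by hand so the first sync is observed.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $taskName
```

After the manual run, check the task's Last Run Result in Task Scheduler (0 means the script exited cleanly) and then the sync profile's logs in OnLocation to confirm the expected number of users arrived. If your organisation enforces an execution policy of AllSigned, sign the downloaded script with your code-signing certificate and replace `-ExecutionPolicy Bypass` accordingly.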