Import from Active Directory

02-17-2011 06:45 AM
WilliamCraft
MVP Regular Contributor
Workflow Manager for 10 Desktop is supposed to allow for importing of users and user groups from Active Directory on your Domain.  Has anyone tried this?  No matter what I plug in as parameters, I cannot get this operation to work.  What is the correct syntax for inputting an existing user group?  I am wondering if this is perhaps an incompatibility issue.  I am using Workflow Manager desktop for 10 and I have Active Directory 2000/2003 mixed.  The ESRI help files provide very little guidance on what to input and how to input the correct values.  Does the user performing these steps need to be a domain administrator for this to even work?
6 Replies
WilliamCraft
MVP Regular Contributor
One caveat with the Workflow Manager Administrator application is that any attempt to import users and groups (either failed or successful) will eliminate any Users and Groups that you already have stored in your JTX tables within SDE.  It will wipe everything out; so make sure you save a configuration file of your setup before you attempt this process. 

I believe I was able to resolve this issue for the most part.  With using Workflow Manager Administrator desktop for AGS 10 and Active Directory 2000/2003 mixed, I have figured out that the Import Users and Groups option will only search within the "builtin" folder in Active Directory. 

Your domain name can include the .com or .org part of the fully qualified name (but it doesn't have to).  The application requires you to input an AD group name (can be Domain Local, Global or Universal) that exists within the "builtin" folder.  This group name can be different for the users and for the groups.  For example, if you are importing users from an AD group under "builtin" called "GIS_Users", actual domain user accounts must exist within the "GIS_Users" group or the application will tell you that the group you inputted doesn't exist.  The same theory applies for importing groups.  For example, if you are importing a bunch of groups from an AD group under "builtin" called "GIS_Groups", actual domain groups (of any security type) must exist within the "GIS_Groups" group or the application will tell you that the group you inputted doesn't exist.  Spaces are permitted for group names and user names. 

To understand your AD structure and to know which groups and users reside within "builtin", you should talk to your system administrator or run Microsoft Management Console.
TopeBello
Occasional Contributor III
Hi William,

I see you have this figured out. Yes, importing from the active directory will clean up your existing users when you run the import tool. You can manually add users/groups later using the "add user" or "add group" command.

The parameters required as input are the domain, a group of users and a group of groups.
The group of users is usually a group that contains a list of valid users that are categorized under one umbrella. For example, user1, user2 and user3 all belong to a group called "GIS" on a domain called "myDomain".
The group of groups is a collection of groups that help you further categorize certain users. These groups are created on your domain similar to how you create users. For example, "managers" and "technicians" can be categorized under a "GISGroup" on the domain.
The input parameters on the import AD users will be something like this based on the example above -
Domain = myDomain
Active Directory Group (for Users) = GIS
Active Directory Group (for groups) = GISGroup

If you are running this on a different domain other than the users that you are importing, you will specify a valid username and password.

You get a summary on the users and groups that are imported to the system.


I hope this helps! I like the comment about contacting your system administrator with regards to the AD structure, you got the words out of my mouth!

Thanks,
Tope
LukeBehling
Occasional Contributor
Hello Tope,

I've contacted my Network Administrator and sent him this thread. We do not have our GIS groups in another group. So what would I put in here:

Active Directory Group (for groups) = GISGroup
To make the AD import work?

Thanks,
Luke
BrianDemers
Esri Contributor
Hi Luke,

To use the Workflow Manager quick start database as an example -- 3 users (amiller, cjones, and jrobinson) and 3 groups (Managers, QA/QC, and Technicians) -- you'd want your AD groups to look like the following:

    YOURDOMAIN\AllWmxUsers
        YOURDOMAIN\amiller
        YOURDOMAIN\cjones
        YOURDOMAIN\jrobinson

    YOURDOMAIN\AllWmxGroups
        YOURDOMAIN\Managers
        YOURDOMAIN\QAQC     (the "/" will almost surely cause problems, so I'd drop it from the group name)
        YOURDOMAIN\Technicians

    YOURDOMAIN\Managers
        YOURDOMAIN\cjones

    YOURDOMAIN\QAQC
        <empty>

    YOURDOMAIN\Technicians
        YOURDOMAIN\jrobinson

One last note: when you initially import the AD info, if your groups don't exist in your Workflow Manager database, you'll have to assign all the group privileges manually.  (I think the privileges will remain unchanged for any groups that already exist.)

I hope that helps,

Brian D.
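Because the import replaces whatever users and groups are already in the JTX tables, it is worth verifying the AD layout Brian describes before running it. The following PowerShell pre-flight check is an added example, not part of Workflow Manager or this thread; it assumes the RSAT ActiveDirectory module is installed and uses the placeholder domain and group names from Brian's post.

```powershell
# Added example: check that the "group of users" holds only user accounts and the
# "group of groups" holds only groups, and flag names containing "/" (e.g. QA/QC).
# Domain and group names are placeholders; replace them with your own.
param(
    [string]$Domain      = 'YOURDOMAIN',
    [string]$UsersGroup  = 'AllWmxUsers',
    [string]$GroupsGroup = 'AllWmxGroups'
)
Import-Module ActiveDirectory

$problems = @()

# Fetch direct members; a missing group is the most common cause of the
# "group does not exist" message mentioned earlier in the thread.
function Get-Members([string]$Name) {
    try   { return @(Get-ADGroupMember -Identity $Name -Server $Domain) }
    catch { $script:problems += "Group '$Name' was not found in $Domain: $_"; return @() }
}

$userMembers  = Get-Members $UsersGroup
$groupMembers = Get-Members $GroupsGroup

if ($userMembers.Count -eq 0)  { $problems += "'$UsersGroup' has no members." }
if ($groupMembers.Count -eq 0) { $problems += "'$GroupsGroup' has no members." }

# The users group must contain domain user accounts, not nested groups.
foreach ($m in $userMembers) {
    if ($m.objectClass -ne 'user') {
        $problems += "'$($m.Name)' in '$UsersGroup' is a $($m.objectClass), not a user."
    }
}

# The groups group must contain groups; names with "/" are flagged per Brian's note.
foreach ($g in $groupMembers) {
    if ($g.objectClass -ne 'group') {
        $problems += "'$($g.Name)' in '$GroupsGroup' is a $($g.objectClass), not a group."
    } elseif ($g.Name -match '/') {
        $problems += "Group name '$($g.Name)' contains '/'; rename it before importing."
    } else {
        # Show who will land in each Workflow Manager group for a final review.
        $nested = (Get-Members $g.Name | Select-Object -ExpandProperty Name) -join ', '
        Write-Host "$($g.Name): $nested"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "AD layout looks consistent. Save a Workflow Manager configuration file before importing."
```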
GregDreaper
New Contributor II
OK, so what is the import users / groups dialog actually doing?

Domain: ABC (Does this have to be IP/fully qualified?)
username: blank because I exist in the domain

Active Directory Group (for users): abc\XXX (XXX already belongs to "Groupname" in AD)

Active Directory Group (for groups): groupname

This fails every time. 

I want to add two AD groups (Viewers and editors).  What am I doing wrong?

Thanks.
BrianDemers
Esri Contributor
Hi Greg,

Referring back to an earlier post, you need to have the equivalent of the "AllWmxUsers" and "AllWmxGroups" AD groups defined in your domain.  Once they're defined, you would specify those two groups in the "Active Directory Group (for users)" and "Active Directory Group (for groups)" fields, respectively.

If I'm following your example, "XXX" would need to be a group name as opposed to a user name.  (I don't know offhand if the "abc\" prefix would cause any trouble; I'm pretty certain you could leave it out.)  Also, "groupname" would need to be an AD group containing the two other AD groups, "Viewers" and "editors".

I hope that helps.

Brian D.