Sign in

Introducing

Ideagen Community

Introducing

Ideagen Community

Articles in this section

See more
  1. Q-Pulse
  2. Q-Pulse Windows
  3. Admin Guide
  4. User Management

How to Import Users and Groups from Active Directory

Alan Blair
  • Updated
Follow
Who is this article for?

 Q-Pulse Administrators managing user access.

 Administration module access and an understanding of AD is needed.

Q-Pulse users can be created manually but if you have a lot of users to manage then you may want to consider importing them from active directory.

This article outlines how to perform the import and provides additional guidance and links to LDAP resources. It does not teach you how to use LDAP as this is not part of Q-Pulse but it does provide links to third party resources to help you.

To make the process easier to follow the article has been split into the following sections:

  1. Preparing to Import from Active Directory
  2. How to Import Users from Active Directory
  3. Additional Notes
  4. Further Reading
Important Note: This import is intended as a one-time import. This is not a regular sync with active directory.

1. Preparing to Import from Active Directory

Users and groups can be imported into Q-Pulse from Microsoft's Active Directory (AD) service. In addition to improving security, AD was introduced to reduce the management overhead of Windows networks. Importing allows for a faster and more convenient way of establishing your Q-Pulse configuration and saves you the trouble of manually creating users and groups.

Once imported, AD users become Q-Pulse users and AD security groups become Q-Pulse static security groups.

Users and groups are imported using standardised Lightweight Directory Access Protocol (LDAP) URLs and search filters. You may need assistance from your IT department to import from AD.

Before performing an import it is strongly recommended you review the considerations below: 

Consideration Details
Populated AD Fields To be imported all users must have populated First Name (givenName) and Last Name (sn) attributes in AD. If present, middle names are imported and are taken from the initials attribute in AD.
Simultaneous Group and User Import If both users and groups are imported at the same time, the import tool will set a user's Group Membership in the Administration module to match the user's group membership in AD. For example, if User A is a member of Group B in AD and you import both User A and Group B during the same import, User A will automatically become a member of Group B in Q-Pulse.
Departments Departments are imported as Q-Pulse account properties taken from a user's Department attribute in AD. Departments are optional and aren't required for importing users. If departments are imported, they are added to the top-level of the Department managed list within Q-Pulse.
AD Username Maps to Q-Pulse Username If the Enable Login option is used when importing users, a user's AD username (if present) will become their Q-Pulse username and they will be assigned a Primary licence.
Existing Users Users will not be imported if the username generated during the import already exists within Q-Pulse. For example, if a Q-Pulse user already has the username MikeJ, a user with an AD username of MikeJ will not import.
Existing Email Addresses If users have an email address associated with their AD account, this email address will be imported from the E-mail (mail) AD attribute as part of the user's Q-Pulse account in the People and Administration modules.
Organisational Units Only AD security groups can be imported. Organizational Units (OUs) can't be imported.
Access to AD
The Q-Pulse client PC where the import is being performed must have both network connectivity and security clearance to reach and access AD. If there is no connectivity or if security systems in place restrict access, it will not be possible to import. In most cases, this will not be a problem if the PC is a member of the domain where users/groups will be imported from.
 
It may not be possible to import from AD if there are security systems in place such as LDAP over SSL (LDAPS) running on port 636. Further investigation may be required to allow such imports.
Version of AD Q-Pulse can import from full-blown Windows Server AD and the free (but limited) ADAM / AD LDS.
Multiple AD Sources
Users and groups can be imported from all AD sources that Q-Pulse can reach and access. For example, a user from the a.com domain can specify to import users from the b.com domain as long as the logged on user can reach and access AD running on the b.com domain.
 
It may also be possible to import from non-AD and non-Windows LDAP sources. For example, importing from a Linux based LDAP directory.
Import Limit There is a limitation that restricts a maximum of 1,000 users to be imported in a single import. For example, if you attempt to import from an OU containing over 1,000 users, some users may not show in the list of users available to be imported as the extra users have been 'cut off' due to the limit.

We recommend performing a number of smaller more specific imports to import more than 1,000 users.
Apostrophe You may encounter an error when attempting to import AD users that have an apostrophe (') in AD attributes such as logon name (sAMAccountName). We recommend omitting such users from imports and manually creating them instead.
Filter Out Inactive AD users By default, both enabled (active) and disabled (inactive) AD accounts are imported. However, you can filter to import only active or inactive accounts by using search filters as outlined in the Advanced Import Options section of this article.

2. How to Import Users from Active Directory

2.1. The Import Feature

  1. Open the Administration module.
  2. Navigate to Security and then to People.
  3. Click Import, and then From Active Directory.

mceclip0.png

  1. Enter the LDAP URL into the Active Directory Node Path.

mceclip1.png

Notes:
  • Global Catalog (GC) node paths can also be entered into this field to automatically generate LDAP URLs when clicking the ellipsis [] button to the right of the field.
  • If you click the [OK] button without entering anything into this field, the import utility will attempt to retrieve a list of users and groups from the local Windows domain. The image below shows the import utility configured to import users and groups from the GC of the dwm.local domain.
  • When entering LDAP URLs, ensure LDAP is entered using capital letters to prevent errors.

2.2. Example LDAP URLs for Domain dwm.local

All users and security groups on the dc01.dwm.local server using the default LDAP port (389).

LDAP://dc01.dwm.local/DC=dwm,DC=local

All users and security groups in the Accounts OU located within the Departments OU at the top-level of AD on the dc01.dwm.local server using a non-default LDAP port (765).

LDAP://dc01.dwm.local:765/OU=Accounts,OU=Departments,DC=dwm,DC=local

Import just the user with the Common Name (CN) Mike Jones found within the IT OU within the Departments OU at the top-level of AD on the dc01.dwm.local server using the default port (389).

LDAP://dc01.dwm.local/CN=Mike Jones,OU=IT,OU=Departments,DC=dwm,DC=local

2.3. Advanced Import Options

Additional import options can be accessed using the Advanced>> button. These options are highlighted in the image below and allow for additional filtering and querying of users and groups using LDAP search filters.
 

mceclip2.png
 

Before using the advanced options shown above, the Active Directory Node Path field should be populated. If it isn’t, the import utility will attempt to apply the filters against the local Windows domain.

Need more help with LDAP queries? Ideagen cannot support you in writing queries but additional information about search filters can be found in the LDAP Query Basics article published by Microsoft.

3. Additional Notes 

  • Under certain circumstances, not all users may be available for import even when they have first and last names in AD. In this case, it may be easier to import the users from Microsoft Exchange or to manually create the users. For example, an enabled user already in Q-Pulse may have the same full name as a user to be imported. This AD user won’t show on the import results screen.
  • There is no technical difference between users created manually and users that have been imported. For example, you can manually create users and add a CN and email address to their account.
  • The Specify Default Password option can be used to set a default Q-Pulse password for all imported users. This Q-Pulse password will only be used when logging into Q-Pulse using Q-Pulse authentication and when signing back in to Q-Pulse after a session timeout (if the Session Timeout add-on has been purchased and enabled).
  • Be careful to import only the users and groups you wish to import. Otherwise, you could import many users and groups not required resulting in a negative impact on your Q-Pulse configuration. Ensure you have full, up-to-date and clean database backups before importing. This allows your Q-Pulse database to be restored if an error occurs or if a mistake is made during the import.
  • Q-Pulse groups can be associated with AD groups using Active Directory Group Integration and importing users allows for an easier transition to Q-Pulse’s Windows authentication methods as accounts will automatically be configured with a CN.
  • Q-Pulse users imported from AD are not synchronised with AD. For example, if a user’s name or email address is changed in AD, this information won’t change automatically in Q-Pulse. A manual update is required.
  • Users imported are imported as Employee users of Q-Pulse.

4. Further Reading

Article Comments

0 comments