Importing users and roles from Active Directory
This page describes how to import users and roles from Active Directory into Kentico Xperience using the wizard interface of the Kentico Xperience AD Import Utility.
To launch the utility, run the ADImport.exe file located in the bin folder of your downloaded ADImport project. If the executable is not present, you first need to build the project by running build.cmd in the root directory.
Choose if you want to create a new import profile or use an existing XML profile. If you select an existing profile, values will be pre-filled in the following steps based on the profile settings.
Specify the target Xperience database, where the users and roles will be imported:
- SQL Server name or IP address - name or IP address of the server where the target database is stored.
- Use integrated Windows authentication - choose if you want to log on to the server using Windows authentication.
- Use SQL Server account - choose if you want to log on to the server using credentials filled in the fields below.
Click Establish connection and enter the Database name of the target Xperience database.
Specify the source AD domain controller:
- Use current user account - uses the domain where the current Windows user belongs.
- Specify domain controller and logon credentials - if you choose this option, you can enter the logon details manually.
We recommend testing the specified connection by clicking Test connection.
Configure the general settings of the import process:
- Import users/groups - determines which users or groups (roles) the wizard preselects in Step 6:
  - All - the wizard preselects all users or groups.
  - Only selected - when using an existing import profile, the wizard uses the selection stored in the profile. Otherwise the preselection is empty.
  - Update selected and import all new - same as Only selected, but also selects all new users or groups.
You can also adjust the behavior of the import by enabling or disabling the following options:
- Import new users only from selected groups - if enabled, only those new users who belong to at least one role (group) selected in Step 6 or 8 of the wizard will be imported.
- Import all users from selected groups and ignore other users - if enabled, the import automatically selects all users belonging to the selected groups, regardless of the user selection options.
- Update data of existing users and roles - if enabled, properties of users and roles already imported from AD will be updated in Xperience based on the current values in AD. The update does not change the unique identifiers (GUIDs) of objects.
- Delete users and roles that do not exist in the Active Directory - if enabled, the utility deletes users and roles in Xperience marked with the is domain flag whose unique identifier (GUID) does not match the identifier of an object in AD. The deletion occurs before the start of the import process and can affect the following types of users and roles:
  - Objects manually created in Xperience and marked as is domain
  - Objects previously imported from AD that were since then deleted on the source server
- Update roles for existing Active Directory users - if enabled, the import updates the user-role relationships of existing Xperience users who were previously imported from AD (based on the current membership status in AD).
- Log import process to file - if enabled, you can specify a file where the tool stores the import log.
- Select sites - choose the sites to which the imported users and roles will be assigned.
Note: If you do not choose a site in this step, the rest of the wizard will leave out steps related to the import of roles (groups). This happens because it is currently not possible to import roles from AD into Xperience as global objects and they must be assigned to a specific site.
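Because the Delete users and roles that do not exist in the Active Directory option removes objects before the import starts, it helps to preview which objects match its rule. The sketch below is an added example, not code from the AD Import Utility: it applies the rule as this page states it to constructed sample data, the dictionary keys and helper names are hypothetical, and it assumes the AD identifiers are available as raw 16-byte objectGUID values.

```python
import uuid

def ad_guid(raw: bytes) -> uuid.UUID:
    """Convert a raw 16-byte AD objectGUID into a UUID.

    The first three GUID fields are little-endian in the raw value, so
    bytes_le is required; uuid.UUID(bytes=raw) gives a different GUID and
    would make matching objects look missing from AD.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return uuid.UUID(bytes_le=raw)

def deletion_preview(xperience_objects, ad_raw_guids):
    """Names that match the page's deletion rule: flagged 'is domain'
    and GUID not equal to the GUID of any AD object."""
    in_ad = {ad_guid(raw) for raw in ad_raw_guids}
    doomed = []
    for obj in xperience_objects:
        if not obj["is_domain"]:
            continue  # objects without the flag are outside this option
        if uuid.UUID(obj["guid"]) not in in_ad:  # parse is case-insensitive
            doomed.append(obj["name"])
    return sorted(doomed)

# Constructed sample data (not taken from a real directory or database).
JOE = uuid.UUID("3f2504e0-4f89-11d3-9a0c-0305e82c3301")
DB_ADMINS = uuid.UUID("9b2a1c44-7d10-4e6f-8a55-0c1d2e3f4a5b")
AD_RAW_GUIDS = [JOE.bytes_le, DB_ADMINS.bytes_le]  # as read from AD

XPERIENCE_OBJECTS = [
    {"name": r"intranet\joe", "guid": str(JOE), "is_domain": True},
    {"name": r"intranet\DB Admins", "guid": str(DB_ADMINS).upper(), "is_domain": True},
    # Created by hand in Xperience and flagged is domain: no AD counterpart.
    {"name": r"intranet\svc-report", "guid": "6f9619ff-8b86-4011-b42d-00c04fc964ff", "is_domain": True},
    # Imported earlier, since deleted on the source server.
    {"name": r"intranet\former", "guid": "0e984725-c51c-4bf4-9960-e1c80e27aba0", "is_domain": True},
    # Local account without the flag.
    {"name": "administrator", "guid": "c9a646d3-9c61-4cb7-bfcd-ee2522c8f633", "is_domain": False},
]

if __name__ == "__main__":
    for name in deletion_preview(XPERIENCE_OBJECTS, AD_RAW_GUIDS):
        print("would be deleted:", name)
```

Both kinds of affected objects listed above appear in the result, while the unflagged local account and the objects still present in AD do not.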
Define the user name and role name format and bind AD user properties to Xperience user properties:
- User name format - choose one of the three possible formats:
  - Domain\SAM (e.g., intranet\joe)
  - SAM account name (e.g., joe)
  - UPN (joe@intranet.mycompany.com)
- Configure new users as Xperience editors - select to grant the imported users the Editor privilege level.
- Target/Source - you can choose how attributes from the AD users (Source) will be mapped to the fields of Xperience users (CMS_User columns).
- Show all attributes - allows all attributes from your AD schema to be selected as a Source, including custom attributes.
  - Note: You can import attributes of any data type, but their values are always imported to Target as string.
- Role display name format:
  - Domain\SAM (intranet\DB Admins)
  - SAM (DB Admins)
- Role code name format:
  - Domain\SAM (intranet\DB Admins)
  - SAM (DB Admins)
  - Guid (16-byte number)
- Import description - indicates if role descriptions are imported from AD.
Select the roles and users that will be imported. It is possible to adjust the settings made here in the following two steps.
On the left, you can see all groups (roles) found on the source server. If you select a group, its members are displayed in the list on the right. You can define which users and roles will be imported using the appropriate check boxes.
By right-clicking a group, you can perform the following actions:
- Select all - selects all child groups directly under the selected group.
- Select all recursively - selects all child groups under the selected group until the last level.
- Deselect all - deselects all groups directly under the selected group.
- Deselect all recursively - deselects all groups under the selected group until the last level.
All users in a group or all groups can be selected or deselected by clicking Select all or Deselect all.
Adjust the users to be imported using the check boxes. Users are selected according to the settings made in the previous step. You can filter the listed users by Display name and User name.
Adjust the groups (roles) to be imported using the check boxes. You can filter the listed groups by Group name using the filter above the list.
Select the Xperience roles to which the imported users will be assigned. If you are importing to multiple sites, first choose the site whose roles should be displayed using the Site selector.
You have configured your import profile.
You can now execute the import immediately, save the profile into a file or perform both of these actions (select the Import now and Save import profile to file check boxes respectively).
The last step displays an import log, showing the progress of the import process. When the import finishes, click Finish to close the wizard.